Conficker Worm Still Wreaking Havoc on Windows Systems

Users of Windows Server service that haven't patched a previously disclosed worm hole (MS08-067) are taking a big risk. More and more enterprises continue to get hit by a Conficker worm variant, according to Roger Halbheer, chief security adviser for Microsoft's Europe, Middle East and Africa Group, in a blog post on Wednesday.

Microsoft on Tuesday released its January security update. However, the company is still trying to get Windows pros to fix an issue that first appeared as an out-of-band bulletin back in October. That patch was supposed to take care of a remote code execution (RCE) exploit in remote procedure call requests (RPC) that could affect a whole network if harnessed by hackers.

These stepped-up warnings from Microsoft come after independent ITSec shop Panda Security said in several reports that Windows users haven't seen the last of the RCE exploit. Both Panda and Symantec officials have said they've seen increased attacks, as well as a growth in malware, deriving from Conficker attacks.

In cases where the security patch hasn't been applied, Conficker-type bugs can ding Windows-based PCs with malicious RPC packets. Specifically, the bug allows corrupt subroutines on a network to be executed automatically. The worm can affect Windows 2000, XP and Vista operating systems, as well as Windows Servers 2003 and 2008.

Because this month's patch cycle was so thin, now might be the moment to look seriously at the October fix, experts say.

"For administrators who failed to patch the RPC vulnerability that was reported back in October 2008, this is the best time to go back and patch the issue," said Paul Henry, security and forensic analyst for endpoint security outfit Lumension. "Security experts are starting to see new variants appearing in the wild for this. We're seeing more widespread use of the vulnerability today than we did back in October."

The fact that so many Windows systems seem to be at risk raises questions about security patch turnaround times in the enterprise. A Qualys survey found that more than 50 percent of machines get patched after approximately 30 days.

"After that period, we see the patch rates go down and the overall number of machines that are attackable only slowly diminishing," said Wolfgang Kandek, chief technology officer of Qualys Inc. "Unfortunately this leaves enough machines to be exploited by the "Conficker" worm types even today, over 45 days later."

Kandek sees a general lack of alarm among IT pros.

"We would have liked to see a faster reaction by the computer users given the significance of the patch but there still seems to be a barrier to reach everybody and make them understand the urgency of patching."

About the Author

Jabulani Leffall is a business consultant and an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others. He consulted for Deloitte & Touche LLP and was a business and world affairs commentator on ABC and CNN.