Microsoft Warns of Worm Attack



Security researchers at Microsoft last week warned of a significant increase in exploits of the SMB flaw in Windows. The flaw was patched with an emergency fix last month. Microsoft again urged users to install the patch if they have not already done so.

The patch can be found here

Microsoft’s Malware Protection Center said an increase in attacks began last weekend. This is right in line with the rumor I posted a while back that indicated this would happen near the Thanksgiving holiday.

The latest malware to exploit this flaw is called “Conficker.a” by Microsoft and “Downadup” by Symantec. It exploits the flaw in SMB and then installs itself on the target machine. The purpose of the malware is not clear yet, but it has been studied by security researchers. This is what they have found so far:

- It avoids Ukrainian IP address ranges. This possibly means it was created by someone in this area of the world. It is a common tactic used to reduce the chance of action by local authorities.

- Even more interesting, the worm patches the flaw. This is done so other viruses cannot take its place.

- The worm resets the machine’s restore point, which will make it difficult or impossible to “roll back” Windows to a pre-infection state.

It is clear that if you have installed the patch, you are safe. If you have not installed the patch yet, I would suggest getting to it as fast as you can. In addition, as a precaution, you should always make sure that your SMB services are not available from the public Internet - you never know what other flaws are still hiding in this very old part of Windows.
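One way to check the last point on your own machine, as an added example that is not part of the original post: the script below reads `netstat -an` output and reports SMB listeners bound to a non-internal address. The port numbers (TCP 139 and 445) are the standard SMB ports; the netstat sample, the interface list and the function names are constructed for illustration.

```python
import ipaddress

SMB_PORTS = {139: "NetBIOS session service", 445: "SMB over TCP"}
# Address ranges treated as internal: RFC 1918, loopback, link-local, IPv6 ULA.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "::1/128", "fe80::/10", "fc00::/7")]

# Constructed sample of Windows `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    203.0.113.7:139        0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49712     192.168.1.5:445        ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
"""
# Constructed interface list: a LAN address and a TEST-NET-3 address standing in for a public one.
SAMPLE_INTERFACES = ["192.168.1.20", "203.0.113.7"]

def smb_listeners(netstat_text):
    """Yield (ip, port) for each TCP socket listening on an SMB-related port."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) != 4 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        host, _, port = fields[1].rpartition(":")
        if port.isdigit() and int(port) in SMB_PORTS:
            yield ipaddress.ip_address(host.strip("[]")), int(port)

def is_internal(addr):
    """True when the address falls inside one of the internal ranges above."""
    return any(addr in net for net in INTERNAL_NETS)

def public_smb_exposure(netstat_text, interface_addrs):
    """Return sorted (address, port) pairs where SMB listens on a non-internal address.

    A wildcard listener (0.0.0.0 or ::) accepts connections on every interface,
    so it is expanded to all interface addresses of the same IP version.
    """
    ifaces = [ipaddress.ip_address(a) for a in interface_addrs]
    exposed = set()
    for ip, port in smb_listeners(netstat_text):
        bound = [a for a in ifaces if a.version == ip.version] if ip.is_unspecified else [ip]
        exposed.update((str(a), port) for a in bound if not is_internal(a))
    return sorted(exposed)
```

Any pair it returns means a firewall is the only thing standing between that SMB listener and the Internet, so confirm that inbound TCP 139 and 445 are blocked at the host firewall and at the network edge.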

Copyright © IntelliAdmin, LLC, 2008. All Rights Reserved