Tuesday, January 27, 2009

Obama worm? ... nah, surely not

I don't often get to work at the coal face much anymore (which is a shame, because I'm a coal-face kind of guy), but today I had that privilege. One of our resellers, Walling Data, called me and asked if I knew of any malcode that displayed a picture of President Obama. While I could see the funny side of that, no matter what your political persuasion might be, I had to admit that I had not, but here's a screenshot to show you what these folks were seeing...




I'd be happy to think it was just someone's prank, except for these facts...
(1) The victim is a school, with about 100 PCs
(2) It appeared on all PCs at about the same time
(3) The PCs have filesharing enabled
(4) It's not clear if all PCs are patched.

We're still investigating it, but Occam would suggest that it is what it seems ... a worm. Probably not a Conficker variant, because as far as we can tell, the source code is not available for Conficker, but probably something exploiting MS08-067.

Anyway, we'll keep investigating, and will let you know what we find.

Cheers

Roger


PS: Note to school admins: Given that Conficker source is probably not available, and if no one else ends up reporting this, there's some chance one of your students wrote it. Find your smartest, geekiest, dweebiest kid, and look hard at him. Remember, the geek shall inherit the earth.

PPS: Despite all the press, and the large number of victims that Conficker has recently gained, it's worth noting that this is probably a corporate and edu problem rather than a consumer problem. The only people this should really have caught are those that (1) haven't patched a two month old vulnerability and (2) allow filesharing. These are corporates and edus. Consumers, for the most part, allow automatic patching each month, and any consumer naive enough to allow filesharing got nailed a long time ago. This assertion is supported by the fact that, within our client base (mostly consumer and SMB), we've had very little detection of it. It's also worth noting that if the perps really did nail 9 million victims, they defeated their own purpose anyway, because they DDoSed themselves instantly. Have you got any idea how long it would take to enumerate 9 million PCs over the Internet? They're still on the first pass, for sure.
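The PPS narrows the exposed population to machines that are both unpatched for MS08-067 and have file sharing switched on, which is exactly the pair of conditions an admin triaging a lab like this one wants to check per host. The PowerShell below is an added example written for this post, not code from the original or from AVG; it assumes KB958644 is the update that shipped with bulletin MS08-067, that the hosts run a Windows version with the `Get-SmbShare` and `Get-NetFirewallProfile` cmdlets (Windows 8 / Server 2012 or later, so not the XP-era machines in the story), that PowerShell remoting is enabled for the remote case, and that the hostnames in `$Hosts` are constructed sample values.

```powershell
# Added example (not from the original post): audit a Windows host for the two
# conditions the post names, MS08-067 unpatched and file sharing reachable.
# Assumptions: KB958644 is the MS08-067 update; Get-SmbShare and
# Get-NetFirewallProfile require Windows 8 / Server 2012 or newer; the
# hostnames at the bottom are constructed, not the school's real machines.

function Test-Ms08067Exposure {
    [CmdletBinding()]
    param([string]$ComputerName = $env:COMPUTERNAME)

    $audit = {
        # 1. Is the MS08-067 update recorded? Get-HotFix only lists updates the
        #    servicing stack still tracks, so "not recorded" on a machine that
        #    has taken later cumulative updates means "verify", not "vulnerable".
        $patch = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue

        # 2. Is the Server service (file and printer sharing) running, and are
        #    there shares beyond the administrative defaults (C$, ADMIN$, IPC$)?
        $server = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue
        $shares = @(Get-SmbShare -ErrorAction SilentlyContinue |
                    Where-Object { -not $_.Special })

        # 3. Which firewall profiles, if any, are switched off?
        $fwOff = @(Get-NetFirewallProfile -ErrorAction SilentlyContinue |
                   Where-Object { -not $_.Enabled } |
                   Select-Object -ExpandProperty Name)

        [pscustomobject]@{
            Host           = $env:COMPUTERNAME
            PatchRecorded  = [bool]$patch
            SharingRunning = [bool]($server -and $server.Status -eq 'Running')
            UserShares     = ($shares.Name -join ',')
            FirewallOff    = ($fwOff -join ',')
        }
    }

    # Run locally when asked about this machine, otherwise over PS remoting.
    $r = if ($ComputerName -eq $env:COMPUTERNAME) { & $audit } else {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $audit
    }

    # "At risk" in the post's sense: no patch recorded AND file sharing running.
    # FirewallOff is reported as an extra signal but does not drive the verdict.
    $atRisk = (-not $r.PatchRecorded) -and $r.SharingRunning
    $r | Add-Member -NotePropertyName 'AtRisk' -NotePropertyValue $atRisk -PassThru
}

# Constructed sample inventory; replace with the real host list.
$Hosts = @('LAB-PC-01', 'LAB-PC-02', 'LIBRARY-03')
$Hosts |
    ForEach-Object { Test-Ms08067Exposure -ComputerName $_ } |
    Sort-Object AtRisk -Descending |
    Format-Table Host, AtRisk, PatchRecorded, SharingRunning, UserShares, FirewallOff -AutoSize
```

The `AtRisk` column is deliberately conservative in one direction only: a host that reports the patch as recorded is treated as safe, but a host that does not may simply have absorbed the fix through a later rollup, so the "verify" cases still need a look at the update history before they are counted as unpatched. Sorting with `AtRisk` first puts the ~100-PC lab's worst cases at the top of the table.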

4 comments:

mberenis said...
This comment has been removed by a blog administrator.
Vess said...

Judging from the icons in the tray, at least the machine from which the screenshot is taken is not fully patched. Seems to have the firewall turned off, too. ;)

Anonymous said...

The icons in the tray are from the host computer which is connecting using RDC or whatever to a compromised one.

MikeS (Rambo) said...

The machine you're looking at is a client machine used by Roger Thompson to RDP into the school machine...
Funny worm though. Must've been fun for that student to see it in action.