Tuesday, January 27, 2009

Obama worm? ... nah, surely not

I don't often get to work at the coal face much anymore (which is a shame, because I'm a coal-face kind of guy), but today I had that privilege. One of our resellers, Walling Data, called me and asked if I knew of any malcode that displayed a picture of President Obama. While I could see the funny side of that, no matter what your political persuasion might be, I had to admit that I had not, but here's a screen shot to show you what these folks were seeing....

I'd be happy to think it was just someone's prank, except for these facts...
(1) The victim is a school, with about 100 PCs
(2) It appeared on all PCs at about the same time
(3) The PCs have filesharing enabled
(4) It's not clear if all PCs are patched.

We're still investigating it, but Occam would suggest that it is what it seems ... a worm. Probably not a Conficker variant, because as far as we can tell, the source code is not available for Conficker, but probably something exploiting MS08-067.

Anyway, we'll keep investigating, and will let you know what we find.



PS: Note to school admins: Given that Conficker source is probably not available, and if no one else ends up reporting this, there's some chance one of your students wrote it. Find your smartest, geekiest, dweebiest kid, and look hard at him. Remember, the geek shall inherit the earth.

PPS: Despite all the press, and the large number of victims that Conficker has recently gained, it's worth noting that this is probably a corporate and edu problem rather than a consumer problem. The only people this should really have caught are those that (1) haven't patched a two-month-old vulnerability and (2) allow filesharing. These are corporates and edus. Consumers, for the most part, allow automatic patching each month, and any consumer naive enough to allow filesharing got nailed a long time ago. This assertion is supported by the fact that, within our client base (mostly consumer and SMB), we've had very little detection of it. It's also worth noting that if the perps really did nail 9 million victims, they defeated their own purpose anyway, because they DDoSed themselves instantly. Have you got any idea how long it would take to enumerate 9 million PCs over the Internet? They're still on the first pass, for sure.
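The two preconditions named above (an unpatched MS08-067 and filesharing left on) are also the open question in the school case, "it's not clear if all PCs are patched". This added triage script is not from the original post; it assumes a management host with admin rights and WMI/RPC access to every PC, a hostname list in school-pcs.txt, and that KB958644 (the update carrying the MS08-067 fix) registers as a hotfix on each machine.

```powershell
# Added example, not the post's own code: check each PC for the MS08-067 patch
# (KB958644) and for SMB filesharing. Assumes school-pcs.txt lists one reachable
# hostname per line and that the caller has admin rights on those hosts.
$computers = Get-Content .\school-pcs.txt

foreach ($pc in $computers) {
    $result = @{ Computer = $pc; MS08067Patched = $null; FileSharingOn = $null; Shares = '' }

    try {
        # Get-HotFix reads Win32_QuickFixEngineering; KB958644 present means patched.
        $fix = Get-HotFix -Id KB958644 -ComputerName $pc -ErrorAction Stop
        $result.MS08067Patched = [bool]$fix
    } catch {
        # Distinguish "hotfix not installed" from "could not query the host at all".
        if ($_.Exception.Message -match 'Cannot find the requested hotfix') {
            $result.MS08067Patched = $false
        } else {
            $result.MS08067Patched = "query failed: $($_.Exception.Message)"
        }
    }

    try {
        # The Server service (LanmanServer) exposes SMB shares and the RPC
        # interface MS08-067 fixes; if it is stopped, filesharing is effectively off.
        $svc = Get-WmiObject Win32_Service -ComputerName $pc `
               -Filter "Name='LanmanServer'" -ErrorAction Stop
        $result.FileSharingOn = ($svc.State -eq 'Running')

        # Type 0 = ordinary disk share; this skips the default admin shares (C$, ADMIN$, IPC$),
        # so a non-empty list means someone deliberately shared a folder.
        $shares = Get-WmiObject Win32_Share -ComputerName $pc -ErrorAction Stop |
                  Where-Object { $_.Type -eq 0 }
        $result.Shares = ($shares | ForEach-Object { $_.Name }) -join ','
    } catch {
        $result.FileSharingOn = "query failed: $($_.Exception.Message)"
    }

    # One row per PC; pipe the whole loop to Export-Csv to keep the evidence.
    New-Object PSObject -Property $result |
        Select-Object Computer, MS08067Patched, FileSharingOn, Shares
}
```

Any row with MS08067Patched false and FileSharingOn true is a host that meets both conditions the post describes and should be isolated from the network before anything else is done.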

