Conficker copycat prowls for victims, says Microsoft

Four-year-old Neeris worm copies Conficker's attack strategies

An old, but little-known worm has copied some of the infection strategies of Conficker, the worm that raised a ruckus last week, Microsoft security researchers said late Friday.

Neeris, which harks to May 2005, is now exploiting the same Windows bug that Conficker put to good use, and is spreading through flash drives, another Conficker characteristic, said Ziv Mador and Aaron Putnam, researchers with the Microsoft Malware Protection Center.

According to Mador and Putnam, Neeris' makers recently added an exploit for the MS08-067 vulnerability that Microsoft patched last October. The emergency update -- one of the rare times Microsoft has issued a patch outside its usual monthly scheduled --- fixed a flaw in the Windows Server service, which is used for file- and print-sharing by Windows PCs.

Conficker, the worm that began using a new communications scheme to receive commands from its hacker controllers last Wednesday, exploited the same MS08-067 vulnerability to devastating effect in late 2008 and early 2009. During January, for instance, Conficker infected millions of machines, many of them by exploiting MS08-067.

"Neeris [also] spreads via Autorun," Mador and Putnam said in an entry to the malware center's blog. "The new Neeris variant even adds the same 'Open folder to view files' AutoPlay option that Conficker does."

Conficker spread from infected PCs by adding an autorun.inf file to the root directory of any USB-based device, primarily flash drives. Later, when the drive was connected to an uninfected computer, the autorun.inf file silently copied the worm to the machine.

Mador and Putnam speculated that the authors of Conficker and Neeris might be in cahoots. "The earliest samples of Neeris date back to May of 2005, so it seems the Conficker authors may be the copycats here," the argued. "But the Neeris authors added the MS08-067 vector later. Therefore it is possible that these miscreants somehow collaborate or at least are aware of each other's 'products.'"

Coincidentally, the newest version of Neeris started appearing late on March 31 and on the following day, April 1. The latter date was when Conficker boosted the number of domains it could use to route instructions from its controllers, a deadline that sparked a frenzy of doomsday warnings.

"However, [Neeris] was not downloaded by any Conficker variant and there's no evidence that it's related to [Conficker.c's] April 1 domain algorithm activation," said Mador and Putnam.

Although Neeris was first identified nearly four years ago, Microsoft has not added a "fingerprint" for the worm to its Malicious Software Removal Tool (MSRT), the anti-malware utility that the company updates and redistributes each month to Windows machines. The MSRT scans for known malware, then scrubs the system of any it finds. Microsoft added Conficker detection to the MSRT in mid-January.

"Due to the similarities to Conficker, most of the mitigations that were mentioned also apply here," said Mador and Putnam. "Make sure to install MS08-067 if you haven't done so yet and be careful to use only AutoPlay options you're familiar with, or consider disabling the Autorun altogether."

Join the newsletter!

Error: Please check your email address.
Rocket to Success - Your 10 Tips for Smarter ERP System Selection

Tags Microsoftsecurityconficker

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Ben Ramsden

Sharp PN-40TC1 Huddle Board

Brainstorming, innovation, problem solving, and negotiation have all become much more productive and valuable if people can easily collaborate in real time with minimal friction.

Sarah Ieroianni

Brother QL-820NWB Professional Label Printer

The print quality also does not disappoint, it’s clear, bold, doesn’t smudge and the text is perfectly sized.

Ratchada Dunn

Sharp PN-40TC1 Huddle Board

The Huddle Board’s built in program; Sharp Touch Viewing software allows us to easily manipulate and edit our documents (jpegs and PDFs) all at the same time on the dashboard.

George Khoury

Sharp PN-40TC1 Huddle Board

The biggest perks for me would be that it comes with easy to use and comprehensive programs that make the collaboration process a whole lot more intuitive and organic

David Coyle

Brother PocketJet PJ-773 A4 Portable Thermal Printer

I rate the printer as a 5 out of 5 stars as it has been able to fit seamlessly into my busy and mobile lifestyle.

Kurt Hegetschweiler

Brother PocketJet PJ-773 A4 Portable Thermal Printer

It’s perfect for mobile workers. Just take it out — it’s small enough to sit anywhere — turn it on, load a sheet of paper, and start printing.

Featured Content

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?