1 in 3 Windows PCs vulnerable to worm attack
And open-source exploit code made hacker's job easier
Computerworld - The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today.
Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc. concluded that about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067.
"The unpatched numbers went down significantly around the 30-day mark," said Wolfgang Kandek, Qualys' chief technology officer, "when less than 50% were unpatched. After that, it went down a little slower. As of yesterday, 30% of the machines are unpatched."
With nearly a third of all Windows systems still vulnerable, it's no surprise that the "Downadup" worm has been able to score such a success, Kandek said. "These slow [corporate] patch cycles are simply not acceptable," he said. "They lead directly to these high-infection rates."
The Downadup worm, called "Conficker" by some researchers, surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003 and Server 2008.
Microsoft issued a patch in late October after confirming reports of in-the-wild attacks, most of them against machines in Asia.
On Tuesday, Microsoft laid at least some of the blame for the worm's success at the feet of Windows users. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," said Cristian Craioveanu and Ziv Mador, researchers at Microsoft's Malware Protection Center, in a Tuesday blog post.
Kandek agreed with them. "This shows that a three-month patch cycle, which some companies use, is unacceptable," he said.
In related news, a researcher at McAfee Inc. today said that the author of Downadup/Conficker worm took a shortcut when crafting the malware by grabbing functional exploit code from Metasploit, the open-source penetration testing framework.
"By using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading," said Xiao Chen, a McAfee security researcher, in an entry to the company's blog. "We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills.
"It's obvious that worm writers are abusing open-source tools to their advantage to make their work easier," Chen added.
Microsoft has recommended that Windows users install the October update, then run the January edition of the Malicious Software Removal Tool to clean up compromised computers.
"Patch faster," urged Kandek from Qualys.
- Downadup worm now infects 1 in every 16 PCs, says Panda
- US-CERT: Microsoft's advice on Downadup leaves users open to attack
- FAQ: How to protect your PC against the Downadup worm
- 'Amazing' worm attack infects 9 million PCs
- 1 in 3 Windows PCs vulnerable to worm attack
- Researcher: Worm infects 1.1M Windows PCs in 24 hours
- 'Huge increase' in worm attacks plagues unpatched Windows PCs
- Microsoft releases emergency Windows patch to head off worm attack
Read more about Security in Computerworld's Security Topic Center.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts