The Neeris worm, which has been circulating for about four years, is now imitating the infectious Conficker worm, according to a Friday blog post from researchers Ziv Mador and Aaron Putnam. A new Neeris variant began appearing last week, customised to exploit the same Windows Server service vulnerability as Conficker. That flaw was patched last October by security bulletin MS08-067.
The similarities between Neeris and Conficker don't end there. The researchers said Neeris, like Conficker, can also spread via AutoRun, a Windows feature that lets files or programs run immediately when a removable media device, such as a USB stick or CD-ROM, is connected to a computer. Many experts attribute the precipitous rise of Conficker infections earlier this year to this propagation method.
"It is possible that these miscreants somehow collaborate or at least are aware of each other's 'products,'" the researchers wrote.
While Neeris is nowhere close to Conficker in terms of infected nodes, at least one major US-based company has experienced a massive outbreak, Jimmy Kuo, principal architect of the Microsoft Malware Response Center, told SCMagazineUS.com. He did not know which one.
"It is definitely in the wild," Kuo said.
The earliest Neeris variants spread mostly via MSN Messenger, an instant messaging application, and by exploiting another Server service vulnerability, patched in August 2006 by the MS06-040 bulletin. Later variants began propagating through other means, such as removable drives and SQL servers with weak passwords.
The newest bot variant spreads via the latest Server service vulnerability and uses port 449 to attempt to contact a command-and-control server.
However, security experts told SCMagazineUS.com that the Neeris variant is not expected to pose much of a problem because most people have applied MS08-067.
"That's a pretty well worn-out issue," said Ken Dunham, director of global response for security firm iSight Partners. "It's not really a hot vector anymore for spreading."
He said he is more concerned about cybercrooks using the so-called sneakernet vector, in which a thief transfers malicious code from one machine to the next, usually by way of removable media.
To protect against the worm, organisations should take the same steps as they did with Conficker, according to Microsoft. These include installing MS08-067 and disabling AutoRun, if possible.
See original article on scmagazineus.com
Neeris worm variant imitates methods of Conficker
Microsoft researchers are warning of a new malware variant that has been customised to exploit the same vulnerability as the notorious Conficker worm.