Tag: windows exploits
Microsoft Vulnerable Shortcut runs code
by Rupert Beeby on Jul.20, 2010, under Industry News, data security, viruses and worms
Another Microsoft vulnerability is exposed in a bulletin by Microsoft dated the 16th July 2010. Microsoft Windows is prone to a vulnerability that allows a file to automatically run when a folder is viewed in Windows Explorer. This vulnerability is being exploited by W32.Temphid to ensure that malicious code executes when an infected USB drive is inserted into a computer. While current attacks involve executing files from USB drives locally connected to targeted computers, attackers may also exploit this issue by setting up remote network or WebDAV shares and enticing a user to visit them. This possibility presents a remote threat to affected users. Microsoft published an advisory describing a workaround for this issue.
Be aware that as this exposure will be exploited with other methods of attack
Windows Worm Highlights Endpoint Vulnerability
by admin on Jan.20, 2009, under data security, viruses and worms
A worm known as Kido, Conficker or Downadup has quickly replicated across vulnerable Windows computers in a recent outbreak, utilising clever tricks to propagate more successfully.
The worm is thought to have moved from 3 million to 10 million infected computers in a short time and is continuing to rise exponentially. The worm is thought to have left a bot-net for its creators to utilise, though there appears not to have been any attempt to use it yet.
The Register speculates that the MOD may also have become a victim of the worm, with noticeable disruption for 2 weeks and counting to admin-based workstations.
The worm is able to spread via USB sticks and also attempts login and password brute force attacks for access to networks, files and folders etc. Microsoft has provided updates and a malicious software removal tool to counter its spread.
As attempts to prevent worms from spreading become more advanced, we see their creators use more advanced techniques to circumvent these strategies. Most notably, this worm is utilising vulnerable endpoints as a major tool in its success, shining more light on the need for networks and their users to protect themselves against malicious mobile data.
Windows XML Exploit Tests Endpoint Packages
by admin on Dec.29, 2008, under Endpoint Software Packages, data security
SearchSecurity.com reports on recent Windows vulnerabilities causing certain Endpoint software packages to struggle with the handling of a new exploit. A zero-day exploit affecting Microsoft Windows via an XML flaw returned mixed results amongst Endpoint software packages, as some failed to contain the attack.
“Only Kaspersky Lab’s Total Space Security 6.0 stopped the exploits cold by blocking URL access. Sophos Endpoint Security and control detected the URL, but only issued a warning without blocking it. However, it did detect and block the exploit.
Symantec’s Endpoint Protection 11.0.2 failed to detect the URL or the exploit, but detected and quarantined the malware payload. Trend Micro’s Officescan 8.0 SP1 R3 performed similarly, but failed to quarantine one of the malware’s two components, apparently because the attack thwarted its ability to gain the necessary permissions.
Both McAfee’s Total Protection for Endpoint and AVG’s Internet Security Network Edition 8.0 failed to detect and stop the attack at any of the three stages.”