Conficker virus


LummusL
03-31-2009, 03:46 AM
Is this fact or fiction?

fildien
03-31-2009, 08:48 AM
My windows folks seem to think it's fact. They've been tres busy patching for the past several days. Plus I keep getting those CERT auto-gen emails about it.

And I just got an action plan from our IS Security folks laying out steps to initiate SWAT lol. So glad I'm a Unix'er :D



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA09-088A


Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Last revised: March 30, 2009
Source: US-CERT


Systems Affected

* Microsoft Windows


Overview

US-CERT is aware of public reports indicating a widespread
infection of the Conficker/Downadup worm, which can infect a
Microsoft Windows system from a thumb drive, a network share, or
directly across a corporate network, if the network servers are not
patched with the MS08-067 patch from Microsoft.


I. Description

Home users can apply a simple test for the presence of a
Conficker/Downadup infection on their home computers. The presence
of a Conficker/Downadup infection may be detected if a user is
unable to surf to their security solution website or if they are
unable to connect to the websites, by downloading detection/removal
tools available free from those sites:

* http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
* http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
* http://www.mcafee.com

If a user is unable to reach any of these websites, it may indicate
a Conficker/Downadup infection. The most recent variant of
Conficker/Downadup interferes with queries for these sites,
preventing a user from visiting them. If a Conficker/Downadup
infection is suspected, the system or computer should be removed
from the network or unplugged from the Internet - in the case for
home users.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.


III. Solution

Instructions, support and more information on how to manually
remove a Conficker/Downadup infection from a system have been
published by major security vendors. Please see below for a few of
those sites. Each of these vendors offers free tools that can
verify the presence of a Conficker/Downadup infection and remove
the worm:

Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

Microsoft:
http://support.microsoft.com/kb/962007

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

US-CERT encourages users to prevent a Conficker/Downadup infection by
ensuring all systems have the MS08-067 patch (see
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx),
disabling AutoRun functionality (see
http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
maintaining up-to-date anti-virus software.


IV. References

* Microsoft Windows Does Not Disable AutoRun Properly -
<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

* Virus alert about the Win32/Conficker.B worm -
<http://support.microsoft.com/kb/962007>

* Microsoft Security Bulletin MS08-067 - Critical -
<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>

* MS08-067: Vulnerability in Server service could allow remote code
execution -
<http://support.microsoft.com/kb/958644>

* The Conficker Worm -
<http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>

* W32/Conficker.worm -
<http://us.mcafee.com/root/campaign.asp?cid=54857>

* W32.Downadup Removal Tool -
<http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA09-088A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-088A Feedback VU#827267" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2009 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

March 29, 2009: Initial release
March 30, 2009: Included additional details

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBSdEYX3IHljM+H4irAQIYGQgAiYr6a3OCj8JFRPhDWwwampacVHYxW2o+
fKkXtHu093UYd8tXWv/crvQzMfMPaH/+zwXhO/pEPqyAh+916EvqVpsMnvhOOJzw
1y7y+aCYtxlS+B8/TXbI0GGjzv8HmmlCOoxg4jz9BggR+fnjVC+gqq0Ml16Z539J
2/TRiidVh+QwIUB7KtsPZU0DZgCFkXBoAWEurd2kpqGP8xkK2M3/N6PN2GfftqSg
Apzc80ikWUCXcA2ppbk0V85bRw3NhIiXmN5EBgQr28ZF2WByaSnCE6irTKN0eTX1
E2q21qIdfjd09BVLWgXRa0kXG8eqZBgt6uulf/yfd9S5pPquz4Cyuw==
=zSHY
-----END PGP SIGNATURE-----
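The alert above lists three things to check on a Windows host: whether the MS08-067 update is installed, whether AutoRun is disabled, and whether the host can still reach the vendor sites the worm is said to block. The script below puts those three checks in one place. It is an added example for this thread, not code from US-CERT or any of the vendors named in the alert. It assumes the MS08-067 update is reported by Get-HotFix under the KB number the alert cites (KB958644), and it treats AutoRun as "disabled" when the NoDriveTypeAutoRun policy value is 0xFF, which is the setting TA09-020A recommends; the list of hostnames to resolve is taken from the URLs in the alert. Run it from an elevated PowerShell prompt on the host under test.

```powershell
# Added example (not part of the US-CERT alert or this thread): triage a
# Windows host against the three controls TA09-088A lists.
# Assumptions: MS08-067 appears in the hotfix list as KB958644, and AutoRun
# counts as disabled when NoDriveTypeAutoRun = 0xFF (per TA09-020A).

$report = @{}

# 1. MS08-067 present? KB958644 is the KB number the alert gives for it.
$ms08067 = Get-HotFix -ErrorAction SilentlyContinue |
    Where-Object { $_.HotFixID -eq 'KB958644' }
$report['MS08-067 (KB958644) installed'] = [bool]$ms08067

# 2. AutoRun disabled for every drive type? Check both the machine and the
#    current-user policy key; either one set to 0xFF covers this logon.
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
$autorunOff = $false
foreach ($k in $autorunKeys) {
    $v = (Get-ItemProperty -Path $k -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($v -eq 0xFF) { $autorunOff = $true }
}
$report['AutoRun disabled (NoDriveTypeAutoRun = 0xFF)'] = $autorunOff

# 3. Can the host still resolve the vendor sites the alert says the worm
#    interferes with? Hostnames taken from the URLs in the alert.
$vendorHosts = 'www.symantec.com', 'www.microsoft.com',
               'support.microsoft.com', 'www.mcafee.com'
$blocked = @()
foreach ($h in $vendorHosts) {
    try {
        [void][System.Net.Dns]::GetHostAddresses($h)
    } catch {
        $blocked += $h
    }
}
if ($blocked.Count -eq 0) {
    $report['Vendor sites unresolvable'] = '(none)'
} else {
    $report['Vendor sites unresolvable'] = ($blocked -join ', ')
}

$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# The alert's own advice: if an infection is suspected, take the box off
# the network before doing anything else.
if ($blocked.Count -gt 0 -and -not $ms08067) {
    Write-Warning 'Unpatched and cannot resolve vendor sites: isolate this host from the network before investigating further.'
}
```

Two caveats worth keeping in mind. A resolution failure on its own only tells you the host could not look those names up; a dead network link or a broken resolver gives the same result, so the script only warns when the patch is also missing. And a clean result does not clear the host: the alert describes the blocked-sites test as a hint for home users, and any check you run on a machine that may already be compromised is running alongside whatever the worm has loaded, so treat the output as triage input, not as a verdict, and confirm with the vendor removal tools the alert links.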

lokase
03-31-2009, 09:34 AM
Thanks for that information, Fild!

Cheers,

LummusL
03-31-2009, 07:16 PM
There were some emails sent about this at work as well, which is why I was asking. Still, it's not an event where we were informed that we should stay home or not use our computers, so it seems like bunk to me.

Sanchek
03-31-2009, 09:19 PM
It's definitely real. Hard to say what level of threat it really is though (as always).

Malse
03-31-2009, 09:55 PM
The hysteria over it made me wonder if they'd found some way to run Visual Basic on morons' brains via airborne infection.

That being said it's a very real threat, particularly if you're stupid enough to leave a Windows machine on the internet to begin with, but provided you have a firewall and patched the specific vulnerability you're not any less safe than usual.

It's great they're getting mass awareness on these problems, but leaves me to wonder what superlatives will be left for use when something really bad happens.

LummusL
03-31-2009, 10:00 PM
Well, it seems the IT community has this handled. No big deal. It's why they pay you all the big bucks.