While this isn't specifically a virtualization announcement, VI Admins running Microsoft operating systems need to be aware of the following as well. Remember, just because it's virtual and inside a guest operating system doesn't mean it isn't vulnerable.
Shavlik Technologies commented on this new variant of the Conficker worm, known as ‘Downadup.’ The company reports that its NetChk Protect customers can and have protected themselves from this worm, but organizations that rely on other agent-based patch management solutions, such as Windows Update, may be unable to apply the patch if they are already infected.
Downadup is yet another exploit of a security vulnerability that could be eliminated by application of MS08-067, which Microsoft released out-of-band in October 2008. To protect networks from this potential threat, IT departments must patch and configure all physical systems and virtual machines to ensure MS08-067 is deployed across the network. Continuous or on-demand security configuration assessments can provide additional defensive measures by ensuring that services like firewalls are running and that password and account policies are enforced.
“More than 9 million PCs have already been infected and IT departments cannot afford to take the risk of becoming infected and exposing confidential data,” said Chris Schwartzbauer, VP Worldwide Field Operations, Shavlik Technologies. “For Shavlik customers that use NetChk Protect to scan for and patch their networks, this is a non-event. In a December survey, 90% of our customers reported they had already applied this patch. For organizations who have struggled with applying the patch, Shavlik Technologies is offering to assess their exposure to this worm at no cost, and then immediately fix their systems for a one-time, no-commitment fee.”
How the Conficker and Downadup Worm Works
The worm spreads by more traditional methods of accessing computers over the Internet, but can also infect computers via malicious code on USB devices. Once a machine is infected, the worm turns off Windows Update services, thereby preventing the machine from obtaining the very patch that would have prevented the initial exploit.
The worm also denies Internet access to the websites of many different security vendors. Attempts to reach your AV or security vendor of choice to download detection or removal tools will be blocked by this worm. (The Shavlik web site is not blocked by the worm.) The worm is also known to modify the Windows firewall settings to allow access to the computer via specified ports.
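A read-only local check for two of the symptoms described above (update and firewall services turned off, MS08-067 not applied), added here as an example and not taken from Shavlik or Microsoft. It assumes PowerShell 3.0 or later; the function names are hypothetical, and the KB number is a placeholder to be replaced with the one Microsoft lists for MS08-067 on the operating system being checked.

```powershell
# Added example: read-only local triage for the symptoms described above.
param(
    # Assumption: KB number of the MS08-067 update for this OS, taken from the
    # Microsoft bulletin. 'KB0000000' is a placeholder, not a real identifier.
    [string]$HotFixId = 'KB0000000',
    # Windows Update and Windows Firewall service names (Vista and later).
    # On XP/2003 the firewall service is SharedAccess; pass it instead of MpsSvc.
    [string[]]$ServiceNames = @('wuauserv', 'MpsSvc')
)

function Test-ServiceState {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'" -ErrorAction SilentlyContinue
    if (-not $svc) {
        return [pscustomobject]@{ Check = "Service $Name"; Detail = 'not present'; Review = $true }
    }
    # Disabled is the strong signal. A stopped demand-start service is not
    # conclusive on its own, so report both values and let the analyst judge.
    [pscustomobject]@{
        Check  = "Service $Name"
        Detail = "State=$($svc.State) StartMode=$($svc.StartMode)"
        Review = ($svc.StartMode -eq 'Disabled') -or ($svc.State -ne 'Running')
    }
}

function Test-HotFixPresent {
    param([string]$Id)
    $fix = Get-HotFix -Id $Id -ErrorAction SilentlyContinue
    # Get-HotFix only lists individually installed updates; a fix delivered by
    # a later service pack may not show up under its own KB number.
    [pscustomobject]@{
        Check  = "Hotfix $Id"
        Detail = if ($fix) { "installed $($fix.InstalledOn)" } else { 'not listed' }
        Review = -not $fix
    }
}

# One row per check; Review = True marks a host for closer inspection.
$results = @($ServiceNames | ForEach-Object { Test-ServiceState -Name $_ })
$results += Test-HotFixPresent -Id $HotFixId
$results | Format-Table -AutoSize
```

A row with Review = True is a prompt to inspect the host, not proof of infection; a machine can be missing the patch or have a service stopped for unrelated reasons.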
Find Out More
You can access detailed commentary and analysis about Downadup from Shavlik’s CTO, Eric Schultze, at: http://www.shavlik.com/desk-of-the-cto.aspx#eighteen.