Neeris

Apr 6, 2009 09:44 GMT

Old pieces of malware can and do learn new tricks. This is the case with the Neeris family of worms, which is following in Conficker's footsteps. Microsoft reports that the authors of Neeris have upgraded their 2005 code, tweaking the worm so that it exploits the same Critical vulnerability as Conficker, namely MS08-067, a flaw in the Windows Server Service. Released four years ago, Neeris was originally built to take advantage of an earlier vulnerability in the same Windows Server Service, but the latest variant, which Microsoft detects generically as Worm:Win32/Neeris.gen!C, also exploits the vulnerability patched by the MS08-067 security bulletin in 2008.

“The new variant of Neeris has been updated to exploit MS08-067. Also, after the successful exploitation, the victim machine downloads a copy of the worm from the attacking machine using HTTP. Neeris spreads via autorun. The new Neeris variant even adds the same ‘Open folder to view files’ AutoPlay option that Conficker does. Neeris uses a driver to patch the TCP/IP layer of the system in order to remove the outgoing connection limits from XPSP2,” Microsoft's Ziv Mador and Aaron Putnam revealed.
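As an added illustration (not code from the article or from Microsoft), the following Python checker looks for the AutoPlay disguise described above: it parses an autorun.inf and reports whether the launch entry borrows the built-in "Open folder to view files" label so the malicious choice looks like the normal one. The sample .inf contents, file names and the suspicious-action heuristic are constructed for this example.

```python
# Label Windows itself shows for the normal "open the drive in Explorer" choice.
# An autorun.inf that reuses it for its own launch entry makes the malicious
# AutoPlay option look like the benign one (the trick the article describes).
BUILTIN_OPEN_FOLDER_LABEL = "open folder to view files"

def parse_autorun(text):
    """Return the [autorun] section as lower-cased key -> value.
    Lines without key=value are skipped, as the Windows INI parser skips them,
    so junk padding inserted around the real keys does not hide them."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def assess_autorun(text):
    """Report what the autorun.inf launches and whether its AutoPlay entry is
    dressed up as the built-in 'open folder' choice (heuristic, constructed here)."""
    e = parse_autorun(text)
    launch = e.get("open") or e.get("shellexecute") or ""
    action = e.get("action", "")
    # Either the literal built-in label, or a string resource pulled from
    # shell32.dll (how the exact system label can be borrowed verbatim).
    mimics = (BUILTIN_OPEN_FOLDER_LABEL in action.lower()
              or (action.startswith("@") and "shell32.dll" in action.lower()))
    return {
        "launches": launch,
        "forces_autoplay": e.get("useautoplay") == "1",
        "mimics_open_folder": bool(launch) and mimics,
    }

# Constructed samples (not taken from any real worm): a decoy entry padded with
# junk, and an ordinary installer disc that legitimately uses open= and action=.
DECOY_INF = """[autorun]
;xq9f junk padding the parser ignores
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
Open=RECYCLER\\loader.exe
UseAutoPlay=1
zzzz more junk without a key
"""
INSTALLER_INF = """[autorun]
open=setup.exe
action=Install Example App
icon=setup.exe
"""

if __name__ == "__main__":
    for name, inf in (("decoy", DECOY_INF), ("installer", INSTALLER_INF)):
        print(name, assess_autorun(inf))
```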

The software giant said that, although Neeris activity grew in intensity in late March and early April, no connection could be made with the April 1, 2009 evolution of Conficker. However, Microsoft did not rule out the possibility that the authors of Neeris and Conficker are collaborating, or at least copying each other. Microsoft is currently offering a $250,000 reward for information leading to the arrest of Conficker's authors.

“Our current definition files were already detecting this new variant with a generic signature: Worm:Win32/Neeris.gen!C. Neeris began as an IRC bot which spreads itself by sending links through MSN Messenger. It still operates as an IRC bot, but over time, new spreading methods have been added. The latest variants can spread via removable drives, SQL servers with weak passwords, exploiting MS06-040, and finally exploiting MS08-067 in the latest variant,” Mador and Putnam added.