Neeris worm reappears and uses Conficker tactics to attack Windows

News by Dan Raywood

The Neeris worm has reappeared to exploit the same Windows bug that Conficker was utilising.


Ziv Mador and Aaron Putnam, from the Microsoft Malware Protection Centre, claimed to have found a new exploit of MS08-067, other than Conficker, which the centre has detected and protected users against.


Mador and Putnam claimed that the new variant of Neeris has been updated to exploit MS08-067, and after a successful exploitation, the victim's machine downloads a copy of the worm from the attacking machine using HTTP.


As Neeris spreads via autorun, the new variant adds the same ‘Open folder to view files’ AutoPlay option that Conficker does. It also uses a driver to patch the TCP/IP layer of the system in order to remove the outgoing connection limits from XP SP2.
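One way to check removable media for the AutoPlay lure described above is to inspect each drive's `autorun.inf`. This is an added example, not code from the article or from Microsoft's advisory: the function names, the sample files and the tolerance for non-text padding lines are all assumptions made for illustration.

```python
import re

# AutoPlay label the article says this Neeris variant shares with Conficker.
LURE = "open folder to view files"
KEY_VALUE = re.compile(r"^\s*([A-Za-z\\]+)\s*=\s*(.+?)\s*$")

def parse_autorun(raw: bytes) -> dict:
    """Tolerant parse: keep key=value lines, skip headers, comments and junk."""
    entries = {}
    for line in raw.decode("latin-1").splitlines():
        if line.lstrip().startswith(";"):
            continue
        m = KEY_VALUE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries

def launches_program(key: str) -> bool:
    """autorun.inf keys that make Windows run a command from the drive."""
    return key in ("open", "shellexecute") or (
        key.startswith("shell\\") and key.endswith("\\command"))

def assess(raw: bytes) -> list:
    """Return findings for one autorun.inf; an empty list means nothing flagged."""
    entries = parse_autorun(raw)
    commands = {k: v for k, v in entries.items() if launches_program(k)}
    findings = [f"runs a command: {k}={v}" for k, v in sorted(commands.items())]
    if commands and LURE in entries.get("action", "").lower():
        findings.append("action label imitates the Explorer folder option")
    return findings

# Constructed samples (not taken from any real Neeris or Conficker file).
LURE_SAMPLE = (b"[autorun]\r\n\x8f\x02pad\xff\r\n"
               b"Action=Open folder to view files\r\nOpen=sample.exe\r\n")
INSTALLER_SAMPLE = b"[autorun]\r\nopen=setup.exe\r\naction=Install Example App\r\n"
ICON_ONLY_SAMPLE = b"[autorun]\r\nicon=drive.ico\r\nlabel=Backup\r\n"

if __name__ == "__main__":
    for name, data in [("lure", LURE_SAMPLE), ("installer", INSTALLER_SAMPLE),
                       ("icon-only", ICON_ONLY_SAMPLE)]:
        print(name, assess(data))
```

A file that pairs a launch command with the folder-style label is the case to quarantine and investigate; an ordinary installer produces only the first finding.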


Mador and Putnam wrote in an advisory: “Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040, which addressed a vulnerability in the same server service as MS08-067.


“It is interesting to note that this new variant of Neeris spiked on late March 31st and during April 1st. However it was not downloaded by any Conficker variant and there's no evidence that it's related to Conficker.D's 1st April domain algorithm activation.”


They claimed that, as the earliest samples of Neeris date back to May of 2005, the Conficker authors may be the copycats here, although the Neeris authors added the MS08-067 vector later. It is therefore possible that these miscreants somehow collaborate, or are at least aware of each other's ‘products’.


Mador and Putnam said: “It still operates as an IRC bot, but over time, new spreading methods have been added. The latest variants can spread via removable drives, SQL servers with weak passwords, exploiting MS06-040, and finally exploiting MS08-067 in the latest variant.”


They explained that the malware adds itself to the programs that run every time Windows starts, and even adds itself to the Safe Boot configuration. However, due to the similarities to Conficker, most of the mitigations that were mentioned then apply here: they encouraged users to install MS08-067, to use only AutoPlay options they are familiar with, and to consider disabling autorun altogether.


