0 Members and 1 Guest are viewing this topic.
A worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users. The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008. Although Microsoft released a patch, it has gone on to infect 3.5m machines. Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch. Right now, we're seeing hundreds of thousands of [infected]unique IP addresses said Toni Koivunen, F-SecureAccording to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code. It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service. Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site. Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down. But Conficker does things differently. Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible. However, technicians have reverse engineered the worm so they can predict one of the possible domain names. This does not help them pinpoint those who created Downadup, but it does give them the ability to see how many machines are infected. "Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," F-Secure's Toni Kovunen said in a statement. "We can see them, but we can't disinfect them - that would be seen as unauthorised use." Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.
'Amazing' worm attack infects nine million PCs - 6.5 million Windows PCs infected in the last four daysCalling the scope of the attack "amazing," security researchers at F-Secure say that 6.5 million Windows PCs have been infected by the "Downadup" worm in the last four days, and that nearly nine million have been compromised in just over two weeks. Early on Friday, the Finnish firm revised its estimate of the number of computers that had fallen victim to the worm, and explained how it came to the figure. "The number of Downadup infections [is] skyrocketing," Toni Koivunen, an F-Secure researcher, said in an entry to the company's Security Lab blog. "From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing."On Tuesday, Koivunen put the number of infected systems at 2.4 million, then updated the estimate Wednesday to 3.5 million, an increase of 1.1 million in just 24 hours. "We haven't seen outbreaks of this scale in many years," said Mikko Hypponen, chief research officer at F-Secure, in an email reply to questions. "[It] reminds me of the old Loveletter/Melissa/Sasser/Blaster cases size-wise," he added, ticking off some of history's biggest malware attacks.In his Friday blog post, F-Secure's Koivunen also provided some background on the company's estimate, in part because some people had expressed disbelief in the number. According to Koivunen, F-Secure came to its 8.9 million-machine estimate by spying on the worm's communication with hacker-controlled servers. Once it's gotten onto a PC, Downadup generates a list of possible domains, selects one, then uses that URL to reach a malicious server from which it downloads additional malware to install on the hijacked computer. F-Secure, however, has registered some of those domains, and has been able to monitor traffic through those URLs. By examining logs of connection attempts to the domains, F-Secure discovered several hundred thousand different IP addresses -- over 350,000 as of today -- as well as a counter embedded in each that spells out the number of additional PCs that the infected machine has compromised. "So this number tells us how many other computers this machine has exploited since it was last restarted," explained Koivunen. A sample log provided by F-Secure showed 12 Downadup-infected PCs, which collectively had infected 186 additional systems. Just one of the originally-infected computers successfully attacked 116 other machines.Earlier this week, the already-high number of Downadup infections prompted Microsoft to add detection for the worm to its Malicious Software Removal Tool (MSRT), the anti-malware utility that the company updates and redistributes each month to Windows machines. Microsoft released the latest edition of the MSRT with anti-Downadup capabilities last Tuesday. Like other security researchers, those from Microsoft have put some of the blame on users slow to patch their PCs. "Either Security Update MS08-067 was not installed at all or was not installed on all the computers," a pair of security researchers who work for Microsoft said Tuesday. Microsoft has recommended that Windows users install the emergency update, then run the January edition of the MSRT to scrub the worm from compromised computers.
Experts are warning that hackers have yet to activate the payload of the Conficker virus. The worm is spreading through low security networks, memory sticks, and PCs without current security updates. Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs. "It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights. "But they haven't done that yet, maybe they're scared. That's good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect." Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time. "Microsoft did a good job of updating people's home computers, but the virus continues to infect business who have ignored the patch update. "A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy. "What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order," he added. "But as the virus can be spread with USB memory sticks, even having the Windows patch won't keep you safe. You need anti-virus software for that." Right now, we're seeing hundreds of thousands of [infected] unique IP addresses. Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.VariantSpeaking to the BBC, Kaspersky Lab's security analyst Eddy Willems said that a new strain of the worm was complicating matters. "There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems. "The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism. "Of course, the real problem is that people haven't patched their software," he added.
The Conficker virus has opened a new can of worms for security experts. Drives such as USB sticks infected with the virus trick users into installing the worm, according to researchers. The "Autoplay" function in Vista and early versions of Windows 7 automatically searches for programs on removable drives. However, the virus hijacks this process, masquerading as a folder to be opened. When clicked, the worm installs itself. It then attempts to contact one of a number of web servers, from which it could download another program that could take control of the infected computer.Bad guysThe worm is unusually clever in the way that it determines what server to contact, according to F-Secure's chief research officer Mikko Hypponen. "It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," said Mr Hypponen in a blog post. "This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place. "However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines," he added. It has also emerged that the virus automatically disables the automatic updates to Windows that would prevent further infection. As the virus - also known as Downadup - has spread to an estimated 9m computers globally, a number of high-profile instances of the virus have arisen. The Ministry of Defence has been battling an outbreak of the virus across its network for more than two weeks, and on Tuesday a network of hospitals across Sheffield told technology website The Register that more than 800 of their computers had been infected.Users are urged to download the KB958644 Security Update from Microsoft to mitigate the risk of infection.
