  1. #1
    Senior Member
    Join Date
    Jul 2008
    Location
    NC
    Posts
    11,242

    Worm Infects Millions of Computers Worldwide

    January 23, 2009
    Worm Infects Millions of Computers Worldwide
    By JOHN MARKOFF
    A new digital plague has hit the Internet, infecting millions of personal and business computers in what seems to be the first step of a multistage attack. The world’s leading computer security experts do not yet know who programmed the infection, or what the next stage will be.

    In recent weeks a worm, a malicious software program, has swept through corporate, educational and public computer networks around the world. Known as Conficker or Downadup, it is spread by a recently discovered Microsoft Windows vulnerability, by guessing network passwords and by hand-carried consumer gadgets like USB keys.

    Experts say it is the worst infection since the Slammer worm exploded through the Internet in January 2003, and it may have infected as many as nine million personal computers around the world.

    Worms like Conficker not only ricochet around the Internet at lightning speed, they harness infected computers into unified systems called botnets, which can then accept programming instructions from their clandestine masters. “If you’re looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon,”
    Join our efforts to Secure America's Borders and End Illegal Immigration by Joining ALIPAC's E-Mail Alerts network (CLICK HERE)

  2. #2
    Senior Member carolinamtnwoman's Avatar
    Join Date
    May 2007
    Location
    Asheville, Carolina del Norte
    Posts
    4,396
    Thanks, vortex!

    Article from BBC:


    Clock ticking on worm attack code

    The worm can also spread via USB flash drives.
    Experts are warning that hackers have yet to activate the payload of the Conficker virus.

    The worm is spreading through low security networks, memory sticks, and PCs without current security updates.

    The malicious program - also known as Downadup or Kido - was first discovered in October 2008.

    Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.

    Speaking to the BBC, F-Secure's chief research officer, Mikko Hypponen, said there was still a real risk to users.

    "Total infections appear to be peaking. That said, a full count is hard, because we also don't know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs worldwide.

    "It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights.

    "But they haven't done that yet, maybe they're scared. That's good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect."

    Experts say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch. The patch is known as KB958644.

    Even having the Windows patch won't keep you safe

    Graham Cluley
    Sophos

    Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.

    "Microsoft did a good job of updating people's home computers, but the virus continues to infect businesses who have ignored the patch update.

    "A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.

    "What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order," he added.

    "But as the virus can be spread with USB memory sticks, even having the Windows patch won't keep you safe. You need anti-virus software for that."

    Method

    According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.

    It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

    Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.

    Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

    But Conficker does things differently. Right now, we're seeing hundreds of thousands of [infected] unique IP addresses

    Toni Koivunen, F-Secure

    Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.

    Variant

    Speaking to the BBC, Kaspersky Lab's security analyst Eddy Willems said that a new strain of the worm was complicating matters.

    "There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems.

    "The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism.

    "Of course, the real problem is that people haven't patched their software," he added.

    Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

    http://news.bbc.co.uk/2/hi/technology/7832652.stm
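
The article above says the worm generates hundreds of different domain names a day, only one of which is live. As an added example (not part of the BBC article or any vendor's tool), this Python sketch looks for that pattern in DNS resolver logs by counting distinct failed lookups per host per day, since names like hcweu.org cannot be told apart by shape alone. The log format, the 5-11 letter rule, the threshold, the addresses and the .example names are all assumptions.

```python
from collections import defaultdict
import re

# Assumption: a bare registrable name of 5-11 letters, like the article's examples.
CANDIDATE = re.compile(r"^[a-z]{5,11}\.[a-z]{2,}$")

def find_suspects(lines, min_failed=20):
    """lines: '<timestamp> <client> <qname> <rcode>' (assumed log format)."""
    failed = defaultdict(set)     # (day, client) -> names that did not resolve
    resolved = defaultdict(set)   # (day, client) -> names that resolved
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue              # skip malformed lines
        ts, client, qname, rcode = parts
        qname = qname.lower().rstrip(".")
        if not CANDIDATE.match(qname):
            continue
        bucket = resolved if rcode == "NOERROR" else failed
        bucket[(ts[:10], client)].add(qname)
    suspects = {k for k, names in failed.items() if len(names) >= min_failed}
    # Names that resolved for unflagged hosts are treated as ordinary traffic.
    ordinary = set()
    for key, names in resolved.items():
        if key not in suspects:
            ordinary |= names
    return [
        {"day": day, "client": client,
         "failed": len(failed[(day, client)]),
         "review": sorted(resolved[(day, client)] - ordinary)}
        for day, client in sorted(suspects)
    ]

def sample_log():
    """Constructed DNS log lines; all addresses and .example names are made up."""
    log = ["2009-01-23T09:00:01 10.0.0.5 intranet.example NOERROR",
           "2009-01-23T09:00:07 10.0.0.5 intarnet.example NXDOMAIN",
           "2009-01-23T09:01:00 10.0.0.23 intranet.example NOERROR"]
    # The three names quoted in the article, plus 25 constructed letter strings.
    names = ["mphtfrxs.net", "imctaef.cc", "hcweu.org"]
    names += ["".join(chr(97 + (i * 7 + j * 11) % 26) for j in range(7)) + ".example"
              for i in range(25)]
    log += [f"2009-01-23T10:{i:02d}:00 10.0.0.23 {n} NXDOMAIN" for i, n in enumerate(names)]
    log.append("2009-01-23T10:59:00 10.0.0.23 wqkzjvh.example NOERROR")
    return log

if __name__ == "__main__":
    for hit in find_suspects(sample_log()):
        print(hit)
```

The "review" list holds names that resolved only for a flagged host; those are the lookups worth examining first.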

  3. #3
    Senior Member Gogo's Avatar
    Join Date
    May 2007
    Location
    Alipacers Come In All Colors
    Posts
    9,909
    Ok can someone remind me how to check and make sure I have the correct updates. I have done them but I need to check. I know there is a way but not sure.

    We've been hit a few times just yesterday but we think Norton got it stopped. Also, our spyware caught something last night but it couldn't repair it so we removed it and it hit in the icon restore program.

    Looks like a good time for an iMAC.

  4. #4
    Senior Member carolinamtnwoman's Avatar
    Join Date
    May 2007
    Location
    Asheville, Carolina del Norte
    Posts
    4,396
    Quote Originally Posted by Gogo
    Ok can someone remind me how to check and make sure I have the correct updates
    Gogo, you can download the patch from:

    http://www.microsoft.com/downloads/deta ... laylang=en

    You might also want to see if other updates are needed by clicking the following located on the right side of the download page:

    'Microsoft Update
    Scan your computer for Windows and Office updates that you need'

    You might also consider turning on 'Automatic Updates'

  5. #5
    Senior Member Gogo's Avatar
    Join Date
    May 2007
    Location
    Alipacers Come In All Colors
    Posts
    9,909
    Quote Originally Posted by carolinamtnwoman
    Quote Originally Posted by Gogo
    Ok can someone remind me how to check and make sure I have the correct updates
    Gogo, you can download the patch from:

    http://www.microsoft.com/downloads/deta ... laylang=en

    You might also want to see if other updates are needed by clicking the following located on the right side of the download page:

    'Microsoft Update
    Scan your computer for Windows and Office updates that you need'

    You might also consider turning on 'Automatic Updates'
    Thanks Carolina but I meant how to check what I've got on my computer in my computer. I know there is a way to do it, maybe My Computer, program files, MS, and it would be listed in there. ???