Posted on 01/16/2009 2:11:18 PM PST by Ernest_at_the_Beach
The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.
Although Microsoft released a patch, it has gone on to infect 3.5m machines.
Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch.
(Excerpt) Read more at news.bbc.co.uk ...
ping
Speaking to the BBC, Kaspersky Lab's security analyst, Eddy Willems, said that a new strain of the worm was complicating matters.
"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems.
What does it do?
“....users should have up-to-date anti-virus software and install Microsoft’s MS08-067 patch.”
Or install Linux immediately....
Mandatory life in prison for makers of worms, and malware.
Probably turns it into a system the hacker can use for other purposes....
another article:
Outbreak of the polymorphic worm Downadup aka Conficker aka Kido
Posted Jan 15, 2009
- Revision v1.00, Jan 16, 2009: The number of Downadup infections is skyrocketing based on F-Secure's calculations, from an estimated 2.4 million infected machines to over 9 (nine) million during the last four days.
- Revision v1.01, Jan 16, 2009: Blog post updated to reflect actual occurrences.
The Downadup worm that exploits a months-old Windows bug/vulnerability has infected more than a million PCs in the past 24 hours, a security company said today. Aliases of the worm are Worm.Conficker [PCTools], W32.Downadup [Symantec], Net-Worm.Win32.Kido.ih [Kaspersky Lab], W32/Conficker.worm [McAfee], W32/Confick-A [Sophos], Worm:Win32/Conficker.A [Microsoft], Worm.Win32.Conficker [Ikarus]
Early Wednesday the Finland-based security firm F-Secure Corp. estimated that 3.5 million PCs have been compromised by the Downadup worm, an increase of more than 1.1 million since Tuesday.
"[And] we still consider this to be a conservative estimate," said Sean Sullivan, a researcher at F-Secure, in an entry to the company's Security Lab blog. Yesterday, F-Secure said the worm had infected an estimated 2.4 million machines.
The worm, which several security companies have described as surging dramatically during the past few days, exploits a bug in the Windows Server service used by all supported versions of Microsoft Corp.'s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.
The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.
The neat thing about Downadup is the way it phones home. As Mikko Hyppönen, chief research officer at anti-virus company F-Secure explains:
It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day. It concerns hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org. This makes it impossible and/or impractical to shut them all down; most of them are never registered in the first place. The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website, and they then gain access to all of the infected machines.
Anybody can register one of the unused domains and gain access to all of the infected machines. Pretty dumb. However, everyone will sit by and watch the infections happen, because nobody can interfere: unauthorised use of a PC may even be illegal. It's like watching a small child wandering onto a motorway.
Downadup can also spread by using an autorun file on a USB memory stick, so if you autorun thumb drives on an unpatched machine, you could be vulnerable.
Almost all the infections are of Windows XP machines and, as Microsoft notes, plenty of corporate customers (who are usually not using AutoUpdate) have been caught. F-Secure says:
A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.
Either way, security experts are anxiously awaiting the attackers' next move. They suspect a massive botnet is in the works, but so far the attackers haven't completely tipped their hand. The mere infection of so many machines that could then be controlled by a third party indicates it is indeed a botnet-in-progress, according to Damballa, a computer security company devoted to disrupting botnets. "It's a close call. If it has the potential for a remote, malicious third party to do whatever they want, that makes it a botnet," says Paul Royal, chief scientist for the antibotnet company.
"Whoever is behind this is not ready to deploy his or her code just yet. Maybe they first need to figure out how to get their botnet controller to scale to handle [millions of] nodes," Stewart, director of malware research for SecureWorks, notes.
One thing that is certain: The worm is spreading like wildfire, and its creators appear to be trying to beat the clock and infect as many machines as they can that haven't yet patched for the Windows bug/vulnerability. The perpetrators have been cranking out new variants of the worm to evade detection, and, so far, its main mission has been pushing rogue antivirus software.
According to Damballa, Confickr/Downadup spreads fast like a Slammer, but this one has a command and control channel: It propagates like a worm and can act like a bot. Perhaps it's representative of a hybrid that may represent a new class of malware rather than the social networking or email lures of old.
Urgent advice: users are strongly recommended to ensure their antivirus databases are up to date. A patch for the Windows bug/vulnerability is available from Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx It concerns Microsoft Security Bulletin MS08-067 Critical / Vulnerability in Server Service Could Allow Remote Code Execution (958644)
Sources/references of this outbreak alert and background information:
Kaspersky Lab
Guardian.co.uk
Microsoft
ThreatExpert
F-Secure
Symantec
NetworkWorld
DarkReading
Kaspersky Lab disinfection/removal tool: http://support.kaspersky.com/faq/?qid=208279973
List of domains that are currently distributing the Downadup worm and its variants: http://www.f-secure.com/weblog/archives/downadup_domain_blocklist.txt
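The Hyppönen quote above describes why a daily domain-generation scheme defeats takedowns: hundreds of candidate names per day, most never registered. That same property is what a defender can watch for on the resolver side, because an infected host looking for its rendezvous point produces a burst of NXDOMAIN answers for random-looking names. The script below is an added example, not code from F-Secure, Kaspersky or any other source cited in the post. It runs over a constructed DNS query log (the log format, client addresses and all names other than the five quoted from Hyppönen are made up) and flags a client that either hits a published blocklist such as the F-Secure list linked above, or shows an NXDOMAIN burst within a short window. The vowel-ratio heuristic is deliberately simple and, as the constructed data shows, misses several of the quoted names on its own; the blocklist match and the burst count are the signals that carry the detection.

```python
"""Flag DGA-style rendezvous lookups in a DNS query log.

Added example for this thread; not code from any vendor cited above.
Log format, client hosts and most names are constructed for illustration.
"""
from collections import defaultdict
import re

# Constructed blocklist. The five names are the examples quoted by Hyppönen;
# a real deployment would load a vendor blocklist file instead.
BLOCKLIST = {"qimkwaify.ws", "mphtfrxs.net", "gxjofpj.ws", "imctaef.cc", "hcweu.org"}

# Constructed resolver log: "<epoch> <client-ip> <queried-name> <rcode>"
SAMPLE_LOG = """\
1232110801 10.0.5.17 www.google.com NOERROR
1232110802 10.0.5.17 qimkwaify.ws NXDOMAIN
1232110803 10.0.5.17 zxkqvtpol.cc NXDOMAIN
1232110804 10.0.5.17 mphtfrxs.net NXDOMAIN
1232110805 10.0.5.17 plwqrtkzv.ws NXDOMAIN
1232110806 10.0.5.17 hcweu.org NOERROR
1232110807 10.0.5.22 mail.example.com NOERROR
1232110808 10.0.5.22 www.f-secure.com NOERROR
1232110809 10.0.5.22 typo-domain.example NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_log(text):
    """Return (timestamp, client, qname, rcode) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append((int(ts), client, qname.lower().rstrip("."), rcode))
    return records


def registered_domain(qname):
    """Collapse a.b.example.com to example.com (no public-suffix list; simplification)."""
    parts = qname.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def looks_random(label):
    """Weak heuristic: a longish label with few vowels. Misses many real DGA names."""
    if len(label) < 6:
        return False
    vowels = sum(c in "aeiou" for c in label)
    return vowels / len(label) < 0.3


def score_clients(records, blocklist=BLOCKLIST, window=300, nx_threshold=3):
    """Per client: blocklist hits, random-looking names, and the largest NXDOMAIN
    burst inside any `window`-second span. A client is suspicious on a blocklist
    hit or when the burst reaches `nx_threshold`."""
    by_client = defaultdict(list)
    for rec in records:
        by_client[rec[1]].append(rec)
    findings = {}
    for client, recs in by_client.items():
        recs.sort()
        blocked = sorted({registered_domain(q) for _, _, q, _ in recs
                          if registered_domain(q) in blocklist})
        randomish = sorted({q for _, _, q, _ in recs
                            if looks_random(registered_domain(q).split(".")[0])})
        nx_times = [t for t, _, _, rc in recs if rc == "NXDOMAIN"]
        max_burst = 0
        for i, start in enumerate(nx_times):
            in_window = sum(1 for t in nx_times[i:] if t - start <= window)
            max_burst = max(max_burst, in_window)
        findings[client] = {
            "blocklist_hits": blocked,
            "random_like": randomish,
            "nxdomain_burst": max_burst,
            "suspicious": bool(blocked) or max_burst >= nx_threshold,
        }
    return findings


if __name__ == "__main__":
    for client, info in sorted(score_clients(parse_log(SAMPLE_LOG)).items()):
        flag = "SUSPICIOUS" if info["suspicious"] else "ok"
        print(f"{client}: {flag} blocklist={info['blocklist_hits']} "
              f"nxdomain_burst={info['nxdomain_burst']} random_like={info['random_like']}")
```

Because of the NAT collapsing described by F-Secure, a single flagged client address at the resolver may stand for many workstations behind it; the per-client view is a starting point for triage, not a count of infected hosts.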
Creates Obamessiah voters/supporters?
MS operating systems are a virus on the entire IT industry.
It spreads using a hole in RPC that has been patched months ago. All those people with infected machines have only themselves to blame. Morons.
Spend 10 minutes on a patch install or weeks trying to get stuff like Flash and Java to work correctly.
I’ll take the patch.
Crap! I know Mac is no longer immune from viruses, but glad I've got an Apple.
Java works fine on *nix.
I should know, I’m a Java programmer in a Solaris environment, among my many other duties.
“Or install Linux immediately....”
As soon as there are enough networked Linux machines, the creeps will write Linux viruses and worms. Sometimes “nation state” resources are behind these pests, so resources are deep.
They write for Windows and PCs because that’s what, 90% of what’s out there so if you want it to spread, you write for the most interconnects.
*************************excerpt***************************
Either way, security experts are anxiously awaiting the attackers' next move. They suspect a massive botnet is in the works, but so far the attackers haven't completely tipped their hand. The mere infection of so many machines that could then be controlled by a third party indicates it is indeed a botnet-in-progress, according to Damballa, a computer security company devoted to disrupting botnets. "It's a close call. If it has the potential for a remote, malicious third party to do whatever they want, that makes it a botnet," says Paul Royal, chief scientist for the antibotnet company.
"Whoever is behind this is not ready to deploy his or her code just yet. Maybe they first need to figure out how to get their botnet controller to scale to handle [millions of] nodes," Stewart, director of malware research for SecureWorks, notes.
You can write as many viruses as you like, but if your Linux system has no listeners running, and you browse the web as yourself and not as root, they cannot harm you.
What they try is social engineering tricks, but usually Unix guys are not dumb enough to type in the root password if requested in an email or web page.