

Virus has had Vancouver school computers down for three weeks - so far
Macdailynews.com / Vancouver Sun | January 30, 2009 | Mary Frances Hill

Posted on 02/01/2009 11:42:01 PM PST by Swordmaker



To: Knitebane

This is the biggest worm attack for years, and in theory could hit 350 million PCs or thereabouts. However, in spite of this “amazing” worm “skyrocketing,” F-Secure says: “Downadup infections appear to have peaked during the week.” Its latest reported estimate is only 15 million, which is not all that impressive for something that was first seen last November, and should be able to double every day.

Maybe the next version(s) will do better. But let's hope not.

Of course, there's no real reason why anyone should have Downadup/Conficker: Microsoft patched that security hole last October with Microsoft Security Update MS08-067 (KB958644), and on October 25, I posted Microsoft releases critical patch, extra to Windows update to tell you to install it. I'm sure there are a few unlucky souls among the estimated 15m victims, but I suspect most have got Downadup/Conficker because they are too lazy or too dim to install Windows Updates, or they're running pirated copies of Windows.


41 posted on 02/02/2009 12:49:28 PM PST by js1138
[ Post Reply | Private Reply | To 38 | View Replies]

To: js1138
That one’s only two years old.

I just grabbed the first one on Google. There were so many to choose from.

Here then, here's one from December.

42 posted on 02/02/2009 12:52:32 PM PST by Knitebane
[ Post Reply | Private Reply | To 40 | View Replies]

To: Knitebane

“Users of Windows Vista and Server 2008 can breathe easy as those packages are unaffected by the flaw. XP - running SP3 - is also clear of trouble.”

So the bottom line is that people who are running pirated versions of Windows that are not updated run some risk. OK.


43 posted on 02/02/2009 12:55:35 PM PST by js1138
[ Post Reply | Private Reply | To 42 | View Replies]

To: js1138
I'm sure there are a few unlucky souls among the estimated 15m victims, but I suspect most have got Downadup/Conficker because they are too lazy or too dim to install Windows Updates, or they're running pirated copies of Windows.

Or perhaps it's because previous updates have hosed their computers (see post #30 above) or because something they installed happened to uninstall the patch.

Oh wait, that could never happen!

Er, well...maybe it could, since it's happened before.

44 posted on 02/02/2009 12:56:34 PM PST by Knitebane
[ Post Reply | Private Reply | To 41 | View Replies]

To: js1138
So the bottom line is that people who are running pirated versions of Windows that are not updated run some risk. OK.

And those users that have installed the SP blocker built by Microsoft to get around all the problems associated with SP3.

45 posted on 02/02/2009 12:57:54 PM PST by Knitebane
[ Post Reply | Private Reply | To 43 | View Replies]

To: Knitebane

If you browse the internet or open email without having security updates and without having a virus scanner, you should probably be doing something else with your time.

There is another free and relatively painless preventive, which I use with my business clients.

I do occasional backups of System State. It takes about two minutes and can be scheduled.

Restoring System State after a virus attack takes about ten minutes — including a reboot and reinstallation of updates.

I recovered four machines by this procedure. It’s a lot less painful than tracking down spyware removers, and a lot faster than reformatting. Unfortunately I need tricks like this, because the companies I work with do not restrict internet access, and given enough users, some will install almost anything.


46 posted on 02/02/2009 1:08:22 PM PST by js1138
[ Post Reply | Private Reply | To 45 | View Replies]

To: js1138
If you browse the internet or open email without having security updates and without having a virus scanner, you should probably be doing something else with your time.

Or you could just run an operating system that isn't a cheap whore for every virus, worm and other bit of malware around.

I recovered four machines by this procedure.

Well, you hope so.

The problem with "restoring" owned machines is that you can't ever be sure that you got everything.

Security best practice for a compromised machine is format and re-install from known, clean media.

Unfortunately I need tricks like this, because the companies I work with do not restrict internet access, and given enough users, some will install almost anything.

No, the unfortunate part is that you think this kind of thing is necessary.

47 posted on 02/02/2009 1:18:02 PM PST by Knitebane
[ Post Reply | Private Reply | To 46 | View Replies]

To: Swordmaker

Simple solution: just stick with notebook paper and pencil. Never fails.

Old school prevails!


48 posted on 02/02/2009 1:30:04 PM PST by Cedar
[ Post Reply | Private Reply | To 1 | View Replies]

To: ReignOfError
I don't expect to see a world in which the Mac occupies the place once held by Windows,

If Mac ever does they'd end up being as lazy & bloated as MSFT.

49 posted on 02/02/2009 1:30:08 PM PST by Tribune7 (Obama wants to put the same crowd that ran Fannie Mae in charge of health care)
[ Post Reply | Private Reply | To 33 | View Replies]

To: js1138
If you browse the internet or open email without having security updates and without having a virus scanner,

I don't :-)

OK, I'm pretty good about security updates.

50 posted on 02/02/2009 1:33:26 PM PST by Tribune7 (Obama wants to put the same crowd that ran Fannie Mae in charge of health care)
[ Post Reply | Private Reply | To 46 | View Replies]

To: Knitebane

“attacks would take the form of tricking users into opening an attachment, so it’s not an auto-execute risk,”


51 posted on 02/02/2009 1:36:03 PM PST by TiberiusClaudius
[ Post Reply | Private Reply | To 42 | View Replies]

To: TiberiusClaudius
“attacks would take the form of tricking users into opening an attachment, so it’s not an auto-execute risk,”

Don't worry, it's only a zero-day exploit and although it requires the user to do exactly what Vista's UAC has trained users to do, there will be an auto-execute zero-day exploit along soon.

Microsoft security holes, death and taxes.

52 posted on 02/02/2009 1:43:53 PM PST by Knitebane
[ Post Reply | Private Reply | To 51 | View Replies]

To: Knitebane
The problem with "restoring" owned machines is that you can't ever be sure that you got everything.

My experience is otherwise. I don't completely trust malware scanners, but restoring executables and the registry removes active malware. You can then clean any infected files, because they're orphaned.

53 posted on 02/02/2009 1:47:15 PM PST by js1138
[ Post Reply | Private Reply | To 47 | View Replies]

To: js1138
My experience is otherwise.

The plural of "anecdote" is not "facts".

Besides, Microsoft disagrees with you.

You can’t clean a compromised system by removing the back doors. You can never guarantee that you found all the back doors the attacker put in. The fact that you can’t find any more may only mean you don’t know where to look, or that the system is so compromised that what you are seeing is not actually what is there.

The only way to clean a compromised system is to flatten and rebuild. That’s right. If you have a system that has been completely compromised, the only thing you can do is to flatten the system (reformat the system disk) and rebuild it from scratch (reinstall Windows and your applications).

54 posted on 02/02/2009 2:07:08 PM PST by Knitebane
[ Post Reply | Private Reply | To 53 | View Replies]

To: Knitebane
The only way to clean a compromised system is to flatten and rebuild.

Depending on what you mean by compromised, I could agree. But all the machines I have any control over have up-to-date anti-virus, anti-spyware, and the latest patches. The internet is accessed through a hardware firewall with all incoming ports blocked.

The cases where I had to reinstall were not successfully infected. Basically the duel between the protective software and the attempt to install malware resulted in an unbootable machine.

55 posted on 02/02/2009 3:00:38 PM PST by js1138
[ Post Reply | Private Reply | To 54 | View Replies]

To: Knitebane
If you read the link you posted for him, all the "attacker" can do is run commands from the user's user space.

If the user isn't an Administrator, there isn't any remote rooting.

But that's true of any executable that a user downloads and runs within their user space - the executable can f*** with that user's files, but it can't touch the rest of the system.

56 posted on 02/02/2009 3:37:49 PM PST by KayEyeDoubleDee
[ Post Reply | Private Reply | To 39 | View Replies]

To: Swordmaker
Mohammad Akif, security and privacy lead at Microsoft Canada
57 posted on 02/02/2009 7:26:32 PM PST by PAR35
[ Post Reply | Private Reply | To 1 | View Replies]

To: KayEyeDoubleDee
If the user isn't an Administrator, there isn't any remote rooting.

Windows privilege escalation bugs are a dime a dozen. Here's the first one that came up on a search...

Privilege escalation vulnerability affects Windows Vista SP1, XP

That exploit, while not yet seen in the wild, was due to an inherent problem in all modern versions of Windows known as Token Kidnapping. It's a design flaw in Windows. It's not something that you can just patch, to fix it would require a complete re-design of the Windows architecture.

The gist of it is: Any user can make certain system calls that allow that unprivileged user to run processes as any other user, including the administrator.

Details here.

58 posted on 02/04/2009 8:37:49 AM PST by Knitebane
[ Post Reply | Private Reply | To 56 | View Replies]

To: js1138
But all the machines I have any control over have up-to-date anti-virus, anti-spyware, and the latest patches.

Matters not one bit.

Once a system has been compromised, unless you are running (and properly running) a file verification system like Tripwire, ALL files on the machine are now suspect.

Detection software only catches stuff that is well known. J. Random Attacker may not use well-known exploits. He might use a well-known trojan to install something he wrote, in which case all of your third-party software won't do a thing to detect it.

The internet is accessed through a hardware firewall with all incoming ports blocked.

How about outbound ports? Are you aware of how a bot net works?

The bot software gets installed on a machine. It can be by trojan or worm. The bot software sits there quietly and then contacts a server on the Internet. That's how it gets its instructions. Many of them are spam bots. They download a list of addresses and spam messages and start sending spam out.

The bot gets controlled not by someone sending messages to the bot, but by the bot communicating outbound.

Unless you are blocking outbound traffic, and snooping the outbound traffic with an intrusion detection system, a firewall that only blocks inbound traffic does little to help.

Bottom line, once a machine has been infected you can never be sure you got everything. And much of the new malware isn't like the old stuff. It doesn't bother the user and it doesn't hog up your bandwidth. It's quiet and unobtrusive. It joins up with millions of its brothers and that's where the power comes from.

Just "cleaning" the systems is insufficient. And it's not just me saying that. Wipe and reinstall is industry best practice for a reason.

59 posted on 02/04/2009 9:03:35 AM PST by Knitebane
[ Post Reply | Private Reply | To 55 | View Replies]

To: Knitebane
How about outbound ports? Are you aware of how a bot net works?

My firewall logs outgoing traffic, and I read it occasionally.

60 posted on 02/04/2009 3:14:21 PM PST by js1138
[ Post Reply | Private Reply | To 59 | View Replies]
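Posts 59 and 60 above turn on the same point: a bot is controlled by its own outbound connections, so an inbound-only firewall misses it, and reading the outbound log by eye only helps if you know what to look for. The script below is an added example, not code from the thread or from any product mentioned in it. It parses outbound firewall log lines in a constructed, hypothetical format and flags "beaconing": the same host contacting the same destination and port repeatedly at near-constant intervals, which is the signature of a bot polling its command server rather than a user browsing. The log lines, addresses and thresholds are all made up for the example.

```python
"""Flag periodic outbound connections ("beaconing") in firewall log lines.

Added example, not from the thread. The log format is a constructed one:
    "<YYYY-MM-DD HH:MM:SS> OUT <src_ip>:<src_port> -> <dst_ip>:<dst_port>"
Adapt LINE_RE to your firewall's real format; everything else is generic.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Only outbound ("OUT") records match; inbound and malformed lines are skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) OUT "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+ -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)$"
)

# Constructed sample log: one host polls 203.0.113.7:8080 every ~5 minutes
# (the beacon), another host browses irregularly, plus noise lines.
SAMPLE_LOG = """\
2009-02-04 09:00:00 OUT 192.168.1.23:49152 -> 203.0.113.7:8080
2009-02-04 09:00:05 OUT 192.168.1.10:51000 -> 198.51.100.20:443
2009-02-04 09:00:09 OUT 192.168.1.10:51001 -> 198.51.100.20:443
2009-02-04 09:01:30 OUT 192.168.1.10:51002 -> 198.51.100.20:443
2009-02-04 09:03:00 IN 203.0.113.9:4444 -> 192.168.1.23:445
2009-02-04 09:05:00 OUT 192.168.1.23:49153 -> 203.0.113.7:8080
this line is garbage and should be ignored
2009-02-04 09:10:02 OUT 192.168.1.23:49154 -> 203.0.113.7:8080
2009-02-04 09:12:00 OUT 192.168.1.10:51003 -> 198.51.100.20:443
2009-02-04 09:12:03 OUT 192.168.1.10:51004 -> 198.51.100.20:443
2009-02-04 09:12:10 OUT 192.168.1.10:51005 -> 198.51.100.44:80
2009-02-04 09:15:01 OUT 192.168.1.23:49155 -> 203.0.113.7:8080
2009-02-04 09:20:00 OUT 192.168.1.23:49156 -> 203.0.113.7:8080
2009-02-04 09:25:01 OUT 192.168.1.23:49157 -> 203.0.113.7:8080
"""


def parse_line(line):
    """Return (timestamp, src_ip, dst_ip, dst_port) for an outbound line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
    return ts, m["src"], m["dst"], int(m["dport"])


def find_beacons(lines, min_connections=4, max_cv=0.2):
    """Group outbound connections by (src, dst, port) and flag regular ones.

    A flow is flagged when it has at least `min_connections` hits and the
    gaps between consecutive hits have a coefficient of variation
    (stdev / mean) no greater than `max_cv`, i.e. the timing is too regular
    to be a person clicking around.
    """
    flows = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # inbound or malformed line
        ts, src, dst, dport = rec
        flows[(src, dst, dport)].append(ts)

    findings = []
    for (src, dst, dport), stamps in flows.items():
        if len(stamps) < min_connections:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mean_gap = statistics.mean(gaps)
        if mean_gap <= 0:
            continue  # all hits in the same second; not a polling pattern
        cv = statistics.pstdev(gaps) / mean_gap
        if cv <= max_cv:
            findings.append({
                "src": src,
                "dst": dst,
                "dport": dport,
                "connections": len(stamps),
                "mean_interval_s": round(mean_gap, 1),
                "cv": round(cv, 3),
            })
    return findings


if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG.splitlines()):
        print(f"beacon? {f['src']} -> {f['dst']}:{f['dport']} "
              f"{f['connections']} hits every ~{f['mean_interval_s']}s (cv={f['cv']})")
```

On the sample log this flags only 192.168.1.23 talking to 203.0.113.7:8080 (six hits about 300 s apart); the browsing host's bursty connections have a high coefficient of variation and are left alone. The output is a triage list, not a verdict: legitimate software also polls on a timer, so each hit needs a look at what the destination is and what process on the host opened it.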
