Print 92 comment(s) - last by Pirks.. on Jan 23 at 5:45 PM

The new virus can infect USB storage devices, in addition to attack over corporate ethernet networks. While a patch from Microsoft will protect against the ethernet attacks, currently no patch can stop the USB-side attacks. Only antivirus software can block it.  (Source: IoCell)
New worm is very sophisticated and spreading fast

Last week the international community was hit by one of the worst viral internet attacks to take over the corporate world in recent years.  The worm -- which goes by the names Downadup, Conficker, or Kido -- had infected 8 million computers, almost all on corporate networks, by Friday.  Describes Mikko Hypponen, chief research officer at anti-virus firm F-Secure, "On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million.  It's getting worse, not better."

As of today, an estimated 8.9 million machines are infected with the virus.  The very sophisticated worm exploits multiple secure flaws in Microsoft's Windows OS's.  It injects itself into services.exe, a common system process.  It creates a new DLL file in Windows system folder with a random five letter name.  It makes registry edits referencing this DLL as a service, so it’s automatically run on restart.

Once it has its grips on the system, it proceeds to create an HTTP server and download malware onto the computer from hacker web sites.  It also wipes out the system restore with a reset, making it harder to recover the system.  While many viruses download malware remotely from a handful of web sites, allowing for easy removal of the installed files, this one is much trickier.  Every day hundreds of dummy domain names are generated by an algorithm coded in the worm, with only one being the actual malware site.  This makes it extremely difficult to find exactly what is being installed each day.

The virus's main method of transmission is via local networks.  Once a computer is infected on the network it scans for other computers on the network, and then it uses the aforementioned Windows security flaw to attempt to gain access to them.  While the computers are typically password protected, the virus can guess shorter passwords by a brute force method of random guessing.  Once it finds the right password, it infects the next computer, which joins the attacking ranks.

Microsoft has a patch which protects against the Ethernet side of the attack -- MS08-067.  Companies are strongly recommended to get this patch as the virus is rapidly spreading across Europe, the United States, and Asia.

Describes Graham Culley, senior technology consultant with anti-virus firm Sophos, "Microsoft did a good job of updating people's home computers, but the virus continues to infect business who have ignored the patch update.  A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.  What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order.”

However, while the patch may slow the spread of the virus it may not be enough to stop it.  The most recent variant of the worm, which is the one that was released two weeks ago and caused the number of infections to skyrocket, can transmit itself via USB, an attack route that currently no Windows patch blocks.  While properly patched antivirus software may block the attack, relying on such a software block is a risky proposition.

Kaspersky Lab's security analyst, Eddy Willems describes the virus's nightmarish spread, stating, "The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism."

Thus far the virus has only been used to inject malware into PCs.  But security experts warn that attackers could use their foothold on the system to start stealing users' and customers' credit card numbers and personal information.  It could also be used to completely hijack the computer, adding it to a botnet.

Ultimately the only current solution is for companies to patch their machines, quarantine and remove malware from infected machines, and disallow use of USB storage devices.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

By MadMan007 on 1/19/2009 10:38:14 AM , Rating: 2
So does this require an Admin account on XP to execute?

Does UAC catch it on Vista?

RE: admin/UAC?
By Lord 666 on 1/19/2009 11:05:27 AM , Rating: 2
Appears that the Vista based code (Vista and Server 2008) reduces the risk for the issue; its listed as important versus critical here

Seem to remember that UAC was listed as a reason for the reduced risk.

RE: admin/UAC?
By Josh7289 on 1/19/2009 1:37:42 PM , Rating: 2
It's hard to tell, but they don't say if the Windows 7 beta is affected or not.

RE: admin/UAC?
By BikeDude on 1/19/2009 2:34:46 PM , Rating: 2
A few weeks ago, after visiting an internet cafe, my USB key suddenly had a few new files on it. "autorun.inf" (of course) plus a hidden executable... (1+1 = trouble)

So, to answer your question: If Win7 makes it easy to execute autorun.inf, then it is vulnerable.

UAC will of course help, because running in regular user mode will make it much harder for the malware to disguise itself and spread further. Simply re-creating the user account will get rid of it.

And for those advocating antivirus software: in 2008 antivirus software caused more problems than they cured. Deleting system files important to Windows is something a virus rarely does, but antivirus software seemed to develop a nack for it.

If you have an unpatched hole, then no amount of antivirus software will help you. (with an unpatched hole, you are vulnerable to new variants of all malware -- your signature files may not update fast enough... I strongly suspect most of those infected this time HAD up to date signatures... Just like last time... And the time before that... etc...)

Much more important then is to run IE with DEP enabled. But to do that, you still have to disable Java VM (unless Sun fixed their old sins recently).

(Me? I am never infected. Sure, my USB memory stick got a broadside, but I noticed it immediately, and did of course not let autorun launch on my own computer)

RE: admin/UAC?
By Smilin on 1/19/2009 2:49:41 PM , Rating: 1
Executing autorun.inf is not itself a vulnerability. The user could just as easily double click something on the drive.

Taking that function out would detract from ease of use without enhancing security.

You still have to have admin rights to break a machine. With Windows 6+ you don't have this unless you are running as an admin and have also disabled UAC.

As for your USB stick getting infected...maybe you should rethink your advice about antivirus software. It would have saved your bacon here.

RE: admin/UAC?
By Smilin on 1/19/2009 2:52:32 PM , Rating: 2
Pretty sure Win7 has the october update included already.

RE: admin/UAC?
By bluemagic on 1/19/2009 5:15:07 PM , Rating: 2
1)Windows 7 is affected.(cant say for sure 100% that it is able to transmit commands though but i reckon it does)
2)Windows defender does not detect it
3)avg does not detect it

Windows vista would probably not stop it if you have UAC because the user will already have opened the file so most likely will just say go ahead to the UAC prompt. UAC is utterley pointless in most circumstances.

To my knowledge there is no known solution to it yet because every time you install it the file name and filesize and content is slightly different. At least in my limited experience with it.

One of THE best ways to defend against this and other attacks is to use VMware with a virtual copy of XP or whatever and install a monitoring programme like spy the spy which can detect whenever a file is modified or added to the windows system 32 folder for example.

This method detected this virus for me and i could go in and delete the .dll files it added to the windows 32 directory with no problems. Or indeed just delete xp and use a fresh copy of xp or windows 7 in vmware.

RE: admin/UAC?
By Lord 666 on 1/19/2009 5:50:53 PM , Rating: 2
#3 - avg as in Avast?

RE: admin/UAC?
By 7Enigma on 1/20/2009 9:26:05 AM , Rating: 2
No AVG as in AVG antivirus, previously a very good free virus detecting software, no longer unfortunately (bloated, detects less). Avira Antivirus (also free) is the one I personally use as it is highly rated and frequently updated (practically on a daily basis). Avast is another one recommended frequently, but I prefer Avira.

"We can't expect users to use common sense. That would eliminate the need for all sorts of legislation, committees, oversight and lawyers." -- Christopher Jennings

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki