Last week the international community was hit by one of the worst viral internet attacks to sweep through the corporate world in recent years. The worm -- which goes by the names Downadup, Conficker, or Kido -- had infected 8 million computers, almost all on corporate networks, by Friday. Mikko Hypponen, chief research officer at anti-virus firm F-Secure, describes the growth: "On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million. It's getting worse, not better."
As of today, an estimated 8.9 million machines are infected with the virus. The very sophisticated worm exploits multiple security flaws in Microsoft's Windows operating systems. It injects itself into services.exe, a common system process. It creates a new DLL file in the Windows system folder with a random five-letter name. It then makes registry edits that register this DLL as a service, so it is automatically run on restart.
Once it has a grip on the system, it proceeds to create an HTTP server and download malware onto the computer from hacker web sites. It also resets System Restore, wiping out the restore points and making it harder to recover the system. While many viruses download malware remotely from a handful of web sites, allowing for easy removal of the installed files, this one is much trickier. Every day hundreds of dummy domain names are generated by an algorithm coded into the worm, with only one of them being the actual malware site. This makes it extremely difficult to find exactly what is being installed each day.
The virus's main method of transmission is via local networks. Once a computer on the network is infected, it scans for other computers on the network and then uses the aforementioned Windows security flaw to attempt to gain access to them. While the computers are typically password protected, the virus can guess short passwords by brute force, trying one candidate after another. Once it finds the right password, it infects the next computer, which joins the attacking ranks.
Microsoft has a patch which protects against the network side of the attack -- MS08-067. Companies are strongly recommended to apply this patch, as the virus is rapidly spreading across Europe, the United States, and Asia.
Graham Cluley, senior technology consultant with anti-virus firm Sophos, explains: "Microsoft did a good job of updating people's home computers, but the virus continues to infect businesses who have ignored the patch update. A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy. What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order."
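The lateral spread described above (one infected host guessing weak passwords against many neighbours) leaves a distinctive trace in authentication logs: a single source failing to log on to many different machines within seconds. The following is an added detection example, not code from the article or from any vendor; the log line format, the sample lines and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an assumed "ts src= dst= user= result=" format
# (not a real product's log format). 10.0.0.5 behaves like the worm; 10.0.0.21
# is a user who mistyped a password once.
SAMPLE_LOG = """\
2009-01-20T10:00:01 src=10.0.0.5 dst=10.0.0.7 user=admin result=FAIL
2009-01-20T10:00:02 src=10.0.0.5 dst=10.0.0.7 user=admin result=FAIL
2009-01-20T10:00:02 src=10.0.0.5 dst=10.0.0.8 user=admin result=FAIL
2009-01-20T10:00:03 src=10.0.0.5 dst=10.0.0.9 user=admin result=FAIL
2009-01-20T10:00:04 src=10.0.0.5 dst=10.0.0.10 user=admin result=FAIL
2009-01-20T10:00:05 src=10.0.0.5 dst=10.0.0.10 user=admin result=OK
2009-01-20T10:00:09 src=10.0.0.21 dst=10.0.0.7 user=alice result=FAIL
2009-01-20T10:00:15 src=10.0.0.21 dst=10.0.0.7 user=alice result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"user=(?P<user>\S+) result=(?P<res>\S+)$"
)

def parse(log):
    """Parse log text into event dicts; lines that do not match are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_spraying_hosts(events, window=timedelta(seconds=60),
                        min_targets=3, min_failures=4):
    """Map src -> sorted targets for hosts whose failed logons inside one
    sliding window hit >= min_targets machines and number >= min_failures."""
    fails = defaultdict(list)
    for ev in events:
        if ev["res"] == "FAIL":
            fails[ev["src"]].append(ev)
    flagged = {}
    for src, evs in fails.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):
            in_win = [e for e in evs[i:] if e["ts"] - start["ts"] <= window]
            targets = {e["dst"] for e in in_win}
            if len(in_win) >= min_failures and len(targets) >= min_targets:
                flagged[src] = sorted(targets)
                break
    return flagged
```

A successful logon from a flagged source after its run of failures (10.0.0.5 to 10.0.0.10 in the sample) marks the target that should be quarantined next.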
However, while the patch may slow the spread of the virus, it may not be enough to stop it. The most recent variant of the worm, the one released two weeks ago that caused the number of infections to skyrocket, can also transmit itself via USB, an attack route that currently no Windows patch blocks. While up-to-date antivirus software may block the attack, relying on such a software block alone is a risky proposition.
Kaspersky Lab's security analyst, Eddy Willems, describes the virus's nightmarish spread: "The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism."
Thus far the virus has only been used to install malware on PCs. But security experts warn that attackers could use their foothold on the system to start stealing users' and customers' credit card numbers and personal information. It could also be used to completely hijack the computer, adding it to a botnet.
Ultimately the only current solution is for companies to patch their machines, quarantine infected machines and remove the malware from them, and disallow the use of USB storage devices.
quote: Microsoft patches have a habit of breaking compatibility or crashing your system.
quote: The writer of the program has to write an update and test it thoroughly because unless a large amount of people are hit by an MS update, Microsoft is not going to solve it unless you are willing to pay a lot of money.
quote: That is one of the reasons why IT departments of companies do not or should not use auto update. Updates are applied of course, but only after testing and the green light is given. Otherwise havoc can happen. You don't want to be an IT admin and find out that you have to solve the problems of, for example, 100 PCs.
quote: quote: "Microsoft patches have a habit of breaking compatibility or crashing your system." When root cause is determined, rarely does an MS patch break compatibility or crash the system. When root cause is actually found, it is so rare that MS was the true cause that I'm not sure how you can say "habit". For example, there was a software firewall company last year whose software broke after an update. It was determined they were hooking directly into the memory space of a loaded DLL instead of calling the function properly. When the DLL's default load location in memory changed, the app broke. No excuse.
quote: First of all, Microsoft fixes bugs free of charge. It doesn't matter if it's a small number of users or a large one. If you pay to open a support case and it is determined the problem is due to an actual bug and not a misconfig, then your support case continues but your money is refunded. This is policy.
quote: Second, if the writer of the program has to fix his program, then he has to fix his program. MS isn't going to QQ because you don't know how to write your app. You can't leave systems unsecured indefinitely while some craplication writer sorts HIS bug. For this particular update there are mitigations and workarounds available. It also is associated with using RPC without authentication, which is horrible programming practice (and not even allowed in Vista/2008). In that DLL example above, MS gave the developer a fix the SAME DAY he called (fix = here's a workaround to change the DLL location until you fix your crap).
quote: 100s? That's chump change. How about 100,0000? Regardless... IT departments test before they apply. This update came out in October and is listed as a critical update. It is now January. If such an IT staff exists they should be fired. It's a tough economy and plenty of good admins are standing by to replace them.
quote: It's nice of you to give such a thorough explanation. But you forget that company X is making money with that craplication Y and thus needs craplication Y. That can be a reason not to update until the craplication becomes less crap. As I have posted above.
quote: Please, keep your manhood in your pants. No need to start comparing sizes. I am not an admin and just gave an example. Although I am very capable of analyzing and solving problems with computers, I do not enjoy nor do I want to be an IT specialist. But the good IT specialists have my respect.
quote: You're playing quite the devil's advocate here.
quote: My tolerance for excuses from sloppy IT staff just doesn't go very far. They are the keepers of the data and it's their sole duty to protect it. This particular worm hitting millions of machines is utterly intolerable.
quote: The only things that would be broken by this patch are those things that are using RPC directly (bypassing normal documented API calls) with no authentication. The fix would not be difficult. If someone's software breaks because they are: 1. writing software badly like this to begin with, and 2. can't implement what would be an easy fix in 3 months' time... then I think you should look at replacing the software.
quote: I'm not against patching security flaws, but if they weren't there in the first place it would be so much better.
quote: Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.