



The new virus can infect USB storage devices, in addition to attacking over corporate Ethernet networks. While a patch from Microsoft will protect against the Ethernet attacks, currently no patch can stop the USB-side attacks; only antivirus software can block them.  (Source: IoCell)
New worm is very sophisticated and spreading fast

Last week the international community was hit by one of the worst viral internet attacks to take over the corporate world in recent years.  The worm -- which goes by the names Downadup, Conficker, or Kido -- had infected 8 million computers, almost all on corporate networks, by Friday.  Mikko Hypponen, chief research officer at anti-virus firm F-Secure, describes the growth: "On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million.  It's getting worse, not better."

As of today, an estimated 8.9 million machines are infected with the virus.  The very sophisticated worm exploits multiple security flaws in Microsoft's Windows operating systems.  It injects itself into services.exe, a common system process, and creates a new DLL file in the Windows system folder with a random five-letter name.  It then makes registry edits that register this DLL as a service, so it is automatically run on restart.

Once it has its grip on the system, it creates an HTTP server and downloads malware onto the computer from hacker web sites.  It also wipes out System Restore points with a reset, making it harder to recover the system.  While many viruses download malware from a handful of remote web sites, which makes the installed files easy to identify and remove, this one is much trickier.  Every day hundreds of dummy domain names are generated by an algorithm coded into the worm, with only one of them being the actual malware site.  This makes it extremely difficult to find exactly what is being installed each day.
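The daily domain generation described above can be spotted from the defender's side without knowing the worm's algorithm: an infected host resolves hundreds of distinct domains in a day and nearly all of them do not exist. The Python script below is an added example, not code from the article or from any vendor; the resolver log format, host names and domain names are constructed for the sample, and the thresholds are assumptions to tune per network.

```python
import hashlib
import re
from collections import defaultdict

# Constructed resolver log format for this example: one query per line
LOG_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$')

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec['day'] = rec['ts'][:10]          # bucket per calendar day, matching the worm's daily list
    return rec

def registered_domain(qname):
    """Naive last-two-labels heuristic (ignores co.uk-style suffixes); enough for the sample."""
    labels = qname.rstrip('.').lower().split('.')
    return '.'.join(labels[-2:])

def dga_suspects(lines, min_distinct=100, min_nx_ratio=0.8):
    """Per (host, day), flag hosts that looked up many distinct domains, mostly NXDOMAIN.

    Returns {(host, day): (distinct_domains, nxdomain_ratio)} for the flagged pairs."""
    stats = defaultdict(lambda: {'domains': set(), 'nx': 0, 'total': 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                      # skip malformed lines rather than abort
        s = stats[(rec['host'], rec['day'])]
        s['domains'].add(registered_domain(rec['qname']))
        s['total'] += 1
        if rec['rcode'] == 'NXDOMAIN':
            s['nx'] += 1
    suspects = {}
    for key, s in stats.items():
        distinct, ratio = len(s['domains']), s['nx'] / s['total']
        if distinct >= min_distinct and ratio >= min_nx_ratio:
            suspects[key] = (distinct, round(ratio, 2))
    return suspects

def constructed_log():
    """Constructed sample: one ordinary workstation and one behaving like the article's worm."""
    lines = []
    for i in range(200):     # ordinary host: three real names, all resolving
        name = ('www.example.com', 'mail.example.org', 'update.example.net')[i % 3]
        lines.append(f'2009-01-16T09:{i % 60:02d}:00 host=ws-normal qname={name} rcode=NOERROR')
    for i in range(250):     # infected host: 250 throwaway names, only one of them live
        label = hashlib.sha256(f'sample-{i}'.encode()).hexdigest()[:12]   # arbitrary filler, not a DGA
        rcode = 'NOERROR' if i == 137 else 'NXDOMAIN'
        lines.append(f'2009-01-16T10:{i % 60:02d}:00 host=ws-infected qname={label}.test rcode={rcode}')
    return lines
```

The one live name is exactly what the article says is hard to find; flagging the host first and then pulling its single NOERROR answer from the same log narrows the search to one domain.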

The virus's main method of transmission is via local networks.  Once a computer on the network is infected, it scans for other computers on the network and uses the aforementioned Windows security flaw to attempt to gain access to them.  While the computers are typically password protected, the virus can guess shorter passwords by brute force.  Once it finds the right password, it infects the next computer, which joins the attacking ranks.

Microsoft has a patch that protects against the Ethernet side of the attack -- MS08-067.  Companies are strongly recommended to apply this patch, as the virus is rapidly spreading across Europe, the United States, and Asia.

Graham Cluley, senior technology consultant with anti-virus firm Sophos, describes the situation: "Microsoft did a good job of updating people's home computers, but the virus continues to infect businesses that have ignored the patch update.  A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.  What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order."

However, while the patch may slow the spread of the virus, it may not be enough to stop it.  The most recent variant of the worm, the one released two weeks ago that caused the number of infections to skyrocket, can transmit itself via USB, an attack route that currently no Windows patch blocks.  While properly updated antivirus software may block the attack, relying on such a software block alone is a risky proposition.

Kaspersky Lab security analyst Eddy Willems describes the virus's nightmarish spread: "The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism."

Thus far the virus has only been used to inject malware into PCs.  But security experts warn that attackers could use their foothold on the system to start stealing users' and customers' credit card numbers and personal information.  It could also be used to completely hijack the computer, adding it to a botnet.

Ultimately the only current solution is for companies to patch their machines, quarantine infected machines and remove the malware from them, and disallow the use of USB storage devices.




Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 3:58:16 PM , Rating: 4
Isn't it more reasonable to just disable the Windows autorun feature? So that it won't start those autorun.inf files automatically when a USB stick is inserted. Can it be done with a group policy at once for the whole corporate network?

I just don't get why you'd cut off the arm or leg instead of curing it with a simple bandaid or something... could someone with Windows network administration experience please explain?




RE: Disallow use of USB storage devices? Why?
By lantr on 1/19/2009 4:33:01 PM , Rating: 2
There are several places to disable autorun and it's kind of a pain. I found this interesting solution:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Here: http://www.windowssecrets.com/2007/11/08/02-One-qu...


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 4:40:46 PM , Rating: 3
So it's impossible to disable the autorun feature for USB sticks through the domain group policy, for the whole corporate network at once. Great. That's another nice heavy stick to beat Windows/Microsoft zombies with when they start babbling about so-called "Vista security". Thanks for the link :-)


RE: Disallow use of USB storage devices? Why?
By Jonesd on 1/19/2009 4:45:16 PM , Rating: 2
You can stop autorun via group policy, or disable USB devices, or be selective: no thumb drives, only printers and mice, etc. The trouble arrives from the format being .admx instead of .adm, so quite a few admins who haven't yet sampled Svr2008 or the Vista 70-622 exam won't have a clue.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 5:07:29 PM , Rating: 2
quote:
You can stop autorun via group policy
Which doesn't help according to http://www.windowssecrets.com/2007/11/08/02-One-qu...


RE: Disallow use of USB storage devices? Why?
By gonks on 1/20/2009 1:29:54 AM , Rating: 2
Just create a folder named "Autorun.inf" on your USB stick if you don't want to disable autorun on other devices.
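The two techniques in this thread, inspecting a stick's autorun.inf and taking the name with a folder so no file can be dropped there, as an added example written for this page rather than code from any poster. The script runs on a mounted stick's path; the sample autorun.inf, the stick names and the program name setup.exe are constructed, and the parser is deliberately line-based because a hostile autorun.inf is not guaranteed to be well-formed INI.

```python
import re
import tempfile
from pathlib import Path

# Directives that make Explorer launch a program when it honours autorun.inf
LAUNCH_KEYS = {'open', 'shellexecute'}
SECTION_RE = re.compile(r'^\[(.+?)\]$')
KV_RE = re.compile(r'^([^=;#\[\]]+?)\s*=\s*(.*?)$')

def autorun_launch_targets(text):
    """Return the programs an autorun.inf would launch, as (key, target) pairs."""
    targets, in_autorun = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ';#':
            continue
        section = SECTION_RE.match(line)
        if section:
            in_autorun = section.group(1).strip().lower() == 'autorun'
            continue
        kv = KV_RE.match(line)
        if not in_autorun or not kv:
            continue                      # junk line or a different section: keep scanning
        key, value = kv.group(1).strip().lower(), kv.group(2).strip()
        if key in LAUNCH_KEYS or (key.startswith('shell\\') and key.endswith('\\command')):
            targets.append((key, value))
    return targets

def harden_mount(mount):
    """Report an existing autorun.inf; if there is none, occupy the name with a directory."""
    mount = Path(mount)
    # Windows file systems are case-insensitive, so match any spelling of the name
    existing = next((p for p in mount.iterdir() if p.name.lower() == 'autorun.inf'), None)
    if existing is None:
        (mount / 'Autorun.inf').mkdir()
        return {'status': 'hardened', 'launches': []}
    if existing.is_dir():
        return {'status': 'already-hardened', 'launches': []}
    launches = autorun_launch_targets(existing.read_text(errors='replace'))
    return {'status': 'autorun-file-present', 'launches': launches}

# Constructed sample, not a real worm's file: launches the same program three ways
SAMPLE_AUTORUN = r"""[AutoRun]
; icon and label are harmless cosmetics
icon=drive.ico
label=Removable Disk
OPEN=setup.exe
shellexecute=setup.exe
shell\open\command=setup.exe /silent
"""

def demo():
    """Run both paths in temporary directories standing in for two USB sticks."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        clean = Path(root) / 'clean-stick'
        clean.mkdir()
        results['clean'] = harden_mount(clean)
        results['clean-again'] = harden_mount(clean)
        hostile = Path(root) / 'hostile-stick'
        hostile.mkdir()
        (hostile / 'Autorun.inf').write_text(SAMPLE_AUTORUN)
        results['hostile'] = harden_mount(hostile)
    return results
```

Anything with write access to the stick can delete the folder again, so this only complements turning autorun off on the host, which is the point the rest of the thread is arguing about.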


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/20/2009 4:16:06 PM , Rating: 2
Like it's gonna help in a corporate environment with 1000s of PCs all equipped with USB :))) *LOL*


RE: Disallow use of USB storage devices? Why?
By lantr on 1/19/2009 4:53:31 PM , Rating: 4
How did you read that and turn it into a Vista bash? You sound a bit biased. You sound like an IT zombie. BTW, please explain Apple or Linux group policy. Not in regards to this, just in general... How do you configure 1000 boxes in a corporate environment??


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/09, Rating: -1
RE: Disallow use of USB storage devices? Why?
By chick0n on 1/20/2009 9:13:22 AM , Rating: 4
No holes in Mac OS ? ROFL !!!!!!!!!

HAHAHAHAHAHAHa

You just made my day.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/20/09, Rating: -1
RE: Disallow use of USB storage devices? Why?
By Etsp on 1/20/2009 7:55:34 PM , Rating: 3
Wow, you're actually so ignorant it's funny. You want to know why Macs get fewer detected infections? It's because no one wants to put the time in to writing viruses for Macs. There simply isn't a market for it.

Now, if we see a 2-year trend where Mac dominates the corporate marketplace, you can bet on Macs getting broken into more often, and in worse ways, than Windows-based machines do.

So, your biased and misinformed comment of
quote:
No holes in Mac OS? No holes like "autorun" hole in Windows.
is so untrue it's almost laughable. There are no popular exploits for Macs quite like this current virus, but that is by no means an indication that there isn't the potential for one.

Let's not forget their recent security hole in how they implemented DNS (granted, several other operating systems were also affected), which allowed for DNS poisoning. Now, other major operating systems patched that MAJOR SECURITY FLAW in days, while Mac took MONTHS to roll out a patch.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/20/09, Rating: 0
RE: Disallow use of USB storage devices? Why?
By mailtrust on 1/21/2009 1:06:04 AM , Rating: 2
How does OS X read a USB stick? And... what is that fancy little thing that comes up on the desktop when you put a USB stick in the drive?

Actually, can you go into exact detail of how OS X handles a USB stick? Heck, can you post the 'code' and all related handles with that? And... can you give me some names of some large corporate companies that use OS X (besides Apple) as their main structure? I'd like to be able to shoot that stuff around on my next visit to the Apple store when I'm standing next to some bigshot executive.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/21/2009 5:25:04 PM , Rating: 1
quote:
can you give me some names of some large corporate companies that use OS X
"Large corporate companies" usually don't buy/lease Japanese or German luxury cars for their employees. They provide their employees with cheapo low quality American cars like Chevys. "Large corporate companies" save money by doing this. Got it?
quote:
How does OS X read a USB stick?
Mac OS X DOES NOT automatically execute any code from USB stick when it is inserted into the computer's USB port, but Windows DOES. End of story.


RE: Disallow use of USB storage devices? Why?
By wayout41 on 1/21/2009 5:42:29 PM , Rating: 2
Arg,

And how many luxury cars have the chassis of Hondas and engines made by Ford, with hugely bumped-up profit margins and large price tags that make buyers feel superior? Some buyers even find the need to join clubs and openly show off about their expensive car. Some mistake the large price tag they paid for actual knowledge of cars when actually, as it turns out, they are fools.

But hey, Mac OS is really different to all that. The fact that at the last security convention it was the first to be cracked out of 3 (Vista, Linux, OS X) is not an issue, because you paid a lot and Apple aren't just getting rich, they really care.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/21/09, Rating: 0
RE: Disallow use of USB storage devices? Why?
By nilepez on 1/21/2009 11:34:28 PM , Rating: 2
quote:
You just noted an important difference between Mac OS X and Windows - while Mac OS X is getting hacked at security conferences, Windows is getting hacked everywhere else ;-)


Of course not.
Let's say that you're in the business of Crime/malware.

Let's make the following assumptions:

X hours is spent on each of 2 attacks.

Attack 1 targets windows and successfully infects 20% of the user base.

Attack 2 targets OS X and successfully infects 80%

Which system would you attack?

If you answer anything other than Windows, then you fail Math 101.

It's a numbers game, and despite its growth in the past few years, Apple still doesn't have the numbers to justify the effort. Desktop Linux has even smaller numbers and a generally more knowledgeable user base, which is the key to preventing most attacks (though not this one).

Besides, the reason this attack was successful is that admins didn't patch the machines.

In the 90's, Unix servers were attacked (which brought the internet, in many areas, to its knees). Why? Because admins hadn't patched known issues months after patches were issued.

In short, IT was too complacent about applying security patches. Some things never change, even if the OS that's attacked does.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/22/2009 2:32:54 PM , Rating: 1
quote:
the reason this attack was successful is because Admins didn't patch the machines
You forgot the main reason - the EXISTENCE of the autorun hole, created by brainless morons from Redmond. Hopefully they will be fired among the 5000 jobs MS has cut today. See how MS pays for its stupidity? Here's a tough lesson for you, Redmond. Be smarter next time and you won't need any job cuts like today :-P


RE: Disallow use of USB storage devices? Why?
By wayout41 on 1/22/2009 5:45:41 PM , Rating: 2
Wow, and I didn't think you could come across as more of an idiot. But then you throw in a binder like that one. You become inconsiderate as well. Did you think for a moment about the fact that these guys are now out of a job? That they can't pay bills? It's not something to use in an argument you're failing to make; it's actually people losing their jobs. No one wants that, apart from you apparently. Enjoy fighting your corner here, I'm out.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/22/09, Rating: 0
RE: Disallow use of USB storage devices? Why?
By digimob on 1/23/2009 8:11:18 AM , Rating: 2
Or alternatively they could completely bollox up their OS and then just go buy someone else's... oh wait... Apple did that...

Let's be honest - Vista blows from some points of view, but then again, it's a completely different beast to OS X... It can't only be installed on one device with one spec sold by one vendor... but that's the Apple business model and they are happy with it and it makes them lots of money... so good luck to them!

But neither of these issues has anything to do with this worm... which is caused by poor administration of networks... as they said in the article, it's not been an issue for home computers because they were updated automatically...


By Pirks on 1/23/2009 5:45:04 PM , Rating: 2
quote:
this worm is caused by poor administration of networks
Why did you conveniently forget the "autorun" hole that has not been EVER patched by MS in Windows XP?


By Jack Ripoff on 1/21/2009 2:18:22 PM , Rating: 2
On Linux and on most Unix systems, the most straightforward (and simple) way is to set up NFS shared /etc folders for your boxes. This works with n boxes, there is no theoretical upper limit. There are other vendor-specific ways to do this though (Novell, Mandriva, Red Hat, etc.).


RE: Disallow use of USB storage devices? Why?
By Jonesd on 1/19/2009 4:41:55 PM , Rating: 2
Usually admins take the quick route, especially new admins who want an MCSE result. They skip the 70-622 exam and head straight for the easy 70-620. If they'd take the 622, they'd realise that the .admx group policy updates cover all of this. Either way, what's an admin doing letting ANY portable USB drive onto the network?

It would literally take minutes to turn off autorun and USB drive access using group policy. Job done. It also takes minutes to initially configure and force all PCs to use Windows Software Update Services (WSUS). Lazy.


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/09, Rating: 0
RE: Disallow use of USB storage devices? Why?
By RubberJohnny on 1/19/2009 6:40:01 PM , Rating: 2
quote:
It would literally take minutes to turn off autorun and usb drive access


Can you read? Or did you stop after the word autorun because it suits your argument?


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/09, Rating: 0
By amandahugnkiss on 1/19/2009 10:17:39 PM , Rating: 2
No one should have to disable USB drive access (I think Jason Mick should be the one to give you your answer, he's the one who put the comment into the article).

Any company that has halfway decent IT shouldn't have users running unpatched machines, or using accounts with weak passwords, and if possible not running as admins (though it is understood that some older apps require this). Had they met these conditions, they would not be in a position to even consider needing to disable USB.

The article states that they are using brute force attacks to gain access on machines with simple-to-guess passwords; anyone who doesn't practice using strong passwords pretty much deserves what they get, as brute force attacks are about as simple as they get, and the most simple to circumvent as well.

The title of this article should read more like "Dumb IT Guys Refuse to Update Machines with Security Patches and Cause Widespread Infection by Worm".


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 11:08:56 PM , Rating: 1
quote:
No one should have to disable USB drive access
Exactly my point!

I just can't get it why one should disable a useful feature such as USB thumb drive access when the real solution is to plug a huge security hole created by braindead idiots from Redmond.

Would you heal a bruise on your arm or would you chop your arm off instead of healing it? ;-)


By amandahugnkiss on 1/20/2009 12:55:21 AM , Rating: 1
yawn.


RE: Disallow use of USB storage devices? Why?
By mailtrust on 1/21/2009 1:13:47 AM , Rating: 2
I will answer the question for you... as well as for anyone else who works in any corporation that has any sort of competition (lo and behold, even Apple).

You should disable USB drive access because... users [you know, the people who sit in front of the computer] can buy a cheap USB drive... put it into the computer [because that's what you do with USB drives... you plug them into computers]... and what do you think will happen next?

POP QUIZ!!
Any IT administrator will..
1) Assume the worst.
2) Smile and say go right ahead.
3) Look up what a USB drive does.

Here's a hint: Think disgruntled underpaid employee who is looking to be hired by the competition.


By Pirks on 1/21/2009 5:30:39 PM , Rating: 3
Remove all PCs and all the internet access from the company. Hint: think disgruntled, inventive and underpaid employee who is looking to be hired by the competition.


RE: Disallow use of USB storage devices? Why?
By Lord 666 on 1/19/2009 6:57:52 PM , Rating: 2
Sounds odd, but I thought 70-620 was a bit more challenging than anticipated for that level exam. Just cleared 70-625 as well and that was straightforward.

Before you form any opinions on me, I also have MCSA/MCSE 2000/2003, MCDBA 2000, CCVP, and now have to reschedule my CCIE Voice before July. In the process as well for updating to 2008 revs for MCP stuff.


RE: Disallow use of USB storage devices? Why?
By Jonesd on 1/20/2009 2:31:28 AM , Rating: 2
Hello. The 70-620 is a 'fixing a client PC' type exam, so it's a quick and easier path to MCSE/SA. Nowhere near as hard as the 70-270 for XP. The 70-622 fills in the blank and reaches the 70-270 level.

Not trying to annoy anyone, it's just that Microsoft should have placed the 70-622 as a required exam, as it's a valuable exam for admins. 70-620: Home Clients. 70-622: Enterprise.

Recently visited a training company and the 6 general access PCs in the front of the building... no SP3, no IE7, no new updates then.... ooopsss


By Lord 666 on 1/20/2009 3:12:57 AM , Rating: 2
Also took 70-270 a long time ago and will disagree with you on that it is "harder than 70-620." Maybe it's the "newness" of Vista versus working with XP for so many years that threw me off.

Used both 70-620 and 70-625 as training elements for my helpdesk; after sitting for both myself to gauge complexity, had to revise the training schedule and push back the Vista one while they sat for the Hyper-V exam before the free exam expired 12/31.

However, will check out 70-622...


By blwest on 1/20/2009 6:03:45 PM , Rating: 2
Anyone who gets an MCS* loses credibility in my book.


RE: Disallow use of USB storage devices? Why?
By MrPoletski on 1/20/2009 7:20:32 AM , Rating: 2
It has to be said, the USB memory stick autorun virus trick is something that should have been killed ages ago.

I mean it's so rubbish even total n00b virus programmers use it. I had a 'virus' on a company PC once that banned you from loading Firefox or about 5 websites, that's it. It didn't mask itself or anything, just a hidden folder with the executable and the bloody source code. When you fell foul of it, it just closed IE/Firefox and played an mp3 of cackling laughter.

I mean what a crap virus, made by some joker with real basic virus experience probably.

So I guess this is the result of what happens when a dude who knows how to code a decent virus puts his mind to it.


Copyright 2014 DailyTech LLC.