The new virus can infect USB storage devices, in addition to attacking over corporate Ethernet networks.  While a patch from Microsoft will protect against the Ethernet attacks, currently no patch can stop the USB-side attacks; only antivirus software can block it.  (Source: IoCell)
New worm is very sophisticated and spreading fast

Last week the international community was hit by one of the worst viral internet attacks to take over the corporate world in recent years.  The worm -- which goes by the names Downadup, Conficker, or Kido -- had infected 8 million computers, almost all on corporate networks, by Friday.  Mikko Hypponen, chief research officer at anti-virus firm F-Secure, describes the growth: "On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million.  It's getting worse, not better."

As of today, an estimated 8.9 million machines are infected with the virus.  The very sophisticated worm exploits multiple security flaws in Microsoft's Windows operating systems.  It injects itself into services.exe, a common system process.  It creates a new DLL file in the Windows system folder with a random five-letter name, and makes registry edits that register this DLL as a service, so it is automatically run on restart.
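The persistence described above (a five-letter random DLL in the system folder, registered as a service) gives a defender something concrete to look for on a suspect machine. The following is an added example, not code from the article or from any of the vendors it quotes: it parses a constructed excerpt in the style of a `reg export` of the Services key and flags ServiceDll entries that match that description but are not on an assumed known-good baseline. The service names, paths, the `qpzxk` DLL and the `KNOWN_GOOD_DLLS` baseline are all made up for the example.

```python
import re

# Constructed excerpt in the style of a `reg export` of
# HKLM\SYSTEM\CurrentControlSet\Services. The "qpzxk" service and DLL are
# invented for this example; they are not the worm's real artifacts. Real
# exports often store ServiceDll as REG_EXPAND_SZ (hex(2):...), which this
# example does not decode.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\Parameters]
"ServiceDll"="C:\\Windows\\system32\\wuaueng.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\qpzxk\Parameters]
"ServiceDll"="C:\\Windows\\system32\\qpzxk.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\gpsvc\Parameters]
"ServiceDll"="C:\\Windows\\system32\\gpsvc.dll"
"""

# Assumed baseline of service DLLs known to be legitimate on this build.
# In practice this comes from a clean reference machine or vendor hashes;
# gpsvc.dll is a legitimate five-letter name, so the allowlist matters.
KNOWN_GOOD_DLLS = {"wuaueng.dll", "gpsvc.dll"}

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\\Parameters\]$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r'^"ServiceDll"="(.*)"$', re.IGNORECASE)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.IGNORECASE)
FIVE_LETTERS_RE = re.compile(r"^[a-z]{5}\.dll$")


def parse_service_dlls(reg_text):
    """Map service name -> ServiceDll path for every Parameters key in the export."""
    services = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        if line.startswith("["):      # some other key: stop attributing values
            current = None
            continue
        value = VALUE_RE.match(line)
        if value and current:
            # reg export doubles backslashes inside string values
            services[current] = value.group(1).replace("\\\\", "\\")
    return services


def find_suspicious_service_dlls(reg_text, baseline=KNOWN_GOOD_DLLS):
    """Return (service, dll_path) pairs matching the article's description:
    a five-letter lowercase DLL in the system folder that is not on the baseline."""
    hits = []
    for service, path in parse_service_dlls(reg_text).items():
        dll = path.rsplit("\\", 1)[-1].lower()
        if SYSTEM_DIR_RE.match(path) and FIVE_LETTERS_RE.match(dll) and dll not in baseline:
            hits.append((service, path))
    return hits


if __name__ == "__main__":
    for service, path in find_suspicious_service_dlls(SAMPLE_REG_EXPORT):
        print(f"review service {service!r}: ServiceDll={path}")
```

A hit is a triage lead, not a verdict: the name pattern alone produces false positives, so confirm a flagged DLL against a clean reference image or vendor file hashes before removing it.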

Once it has its grip on the system, it proceeds to create an HTTP server and download malware onto the computer from hacker web sites.  It also wipes out System Restore with a reset, making it harder to recover the system.  While many viruses download malware from a handful of fixed web sites, allowing for easy removal of the installed files, this one is much trickier.  Every day hundreds of dummy domain names are generated by an algorithm coded into the worm, with only one being the actual malware site.  This makes it extremely difficult to find exactly what is being installed each day.
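The daily burst of generated domain names has a side effect a defender can see: the infected host asks the resolver for hundreds of names that do not exist, and almost all of those lookups fail with NXDOMAIN. The following is an added example, not code from the article or the vendors it quotes, showing that heuristic run over a constructed resolver log. The log format (`timestamp client query rcode`), the client addresses and the failing names (produced by a seeded generator so the sample is reproducible) are all assumptions of the example, not the worm's real domains.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_log(burst=60):
    """Constructed DNS resolver log: '<timestamp> <client> <query> <rcode>'.
    10.0.0.5 behaves normally; 10.0.0.9 emits a burst of failing lookups."""
    rng = random.Random(2009)
    t0 = datetime(2009, 1, 16, 10, 0, 0)
    lines = []
    for i, name in enumerate(["www.example.com", "mail.example.com", "update.example.org"]):
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 {name} NOERROR")
    # a single typo from the benign client: an occasional NXDOMAIN is normal
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} 10.0.0.5 wwww.example.com NXDOMAIN")
    names = set()
    while len(names) < burst:
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(rng.randint(5, 10)))
        names.add(f"{label}.{rng.choice(['com', 'net', 'org', 'biz', 'info'])}")
    for i, name in enumerate(sorted(names)):
        lines.append(f"{(t0 + timedelta(seconds=10 + i)).isoformat()} 10.0.0.9 {name} NXDOMAIN")
    return lines


def parse_line(line):
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def find_dga_suspects(lines, window=timedelta(minutes=10), min_distinct=25):
    """Return {client: peak number of distinct NXDOMAIN names inside any
    `window`} for clients whose peak reaches `min_distinct`."""
    failures = defaultdict(list)
    for line in lines:
        ts, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    suspects = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the window start forward until it spans at most `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({q for _, q in events[start:end + 1]})
            if distinct >= min_distinct:
                suspects[client] = max(suspects.get(client, 0), distinct)
    return suspects


if __name__ == "__main__":
    for client, peak in find_dga_suspects(build_sample_log()).items():
        print(f"{client}: {peak} distinct non-existent names within one window")
```

Counting distinct failing names rather than raw failures keeps a client that retries one misconfigured hostname from tripping the threshold; the threshold itself should be set from a baseline of your own resolver logs, since some legitimate software also generates steady NXDOMAIN noise.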

The virus's main method of transmission is via local networks.  Once a computer on the network is infected, it scans for other computers on the network and uses the aforementioned Windows security flaw to attempt to gain access to them.  While the computers are typically password protected, the virus can guess shorter passwords by brute force.  Once it finds the right password, it infects the next computer, which then joins the attacking ranks.
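The spread pattern described above, one host failing logons against many neighbours and a newly compromised host starting its own sweep, is visible in authentication logs if they are collected centrally. The following is an added example, not code from the article or the vendors it quotes: it runs over a constructed logon-event log, flags sources that fail against several distinct targets, and then links a flagged source to the earlier successful logon that reached it. The event format (`timestamp source target account result`), the addresses and the thresholds are assumptions of the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_events():
    """Constructed logon events: '<timestamp> <src> <dst> <account> <result>'."""
    t = datetime(2009, 1, 16, 9, 0, 0)
    rows = []

    def add(src, dst, account, result, n=1):
        nonlocal t
        for _ in range(n):
            t += timedelta(seconds=2)
            rows.append(f"{t.isoformat()} {src} {dst} {account} {result}")

    add("10.0.0.2", "10.0.0.50", "helpdesk", "SUCCESS")          # routine admin logon
    add("10.0.0.7", "10.0.0.20", "Administrator", "FAIL", 5)     # sweep from the first host
    add("10.0.0.7", "10.0.0.20", "Administrator", "SUCCESS")     # weak password guessed
    add("10.0.0.7", "10.0.0.21", "Administrator", "FAIL", 4)
    add("10.0.0.7", "10.0.0.22", "Administrator", "FAIL", 4)
    add("10.0.0.20", "10.0.0.23", "Administrator", "FAIL", 3)    # new host joins the sweep
    add("10.0.0.20", "10.0.0.24", "Administrator", "FAIL", 3)
    add("10.0.0.20", "10.0.0.25", "Administrator", "FAIL", 2)
    return rows


def parse_event(line):
    ts, src, dst, account, result = line.split()
    return datetime.fromisoformat(ts), src, dst, account, result


def find_sweeping_sources(lines, min_targets=3, min_failures=6):
    """Sources with at least `min_failures` failed logons spread over at
    least `min_targets` distinct hosts (a fan-out a single user rarely shows)."""
    failed_targets = defaultdict(set)
    failures = defaultdict(int)
    for line in lines:
        _, src, dst, _, result = parse_event(line)
        if result == "FAIL":
            failed_targets[src].add(dst)
            failures[src] += 1
    return {src for src in failures
            if failures[src] >= min_failures and len(failed_targets[src]) >= min_targets}


def find_propagation_edges(lines):
    """(parent, child) pairs where a sweeping host successfully logged into
    another host that then began sweeping itself."""
    sweepers = find_sweeping_sources(lines)
    first_activity = {}
    for line in lines:
        ts, src, _, _, _ = parse_event(line)
        if src in sweepers and src not in first_activity:
            first_activity[src] = ts
    edges = []
    for line in lines:
        ts, src, dst, _, result = parse_event(line)
        if result == "SUCCESS" and src in sweepers and dst in sweepers and ts < first_activity[dst]:
            edges.append((src, dst))
    return edges


if __name__ == "__main__":
    events = build_sample_events()
    print("sweeping sources:", sorted(find_sweeping_sources(events)))
    print("propagation edges:", find_propagation_edges(events))
```

The propagation edges are what make this more than a failed-logon counter: they order the containment work, since the parent host is the one to isolate first, and they show which hosts were reached with a guessed password and therefore need that account's password changed as well as cleaning.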

Microsoft has a patch which protects against the Ethernet side of the attack -- MS08-067.  Companies are strongly recommended to apply this patch, as the virus is rapidly spreading across Europe, the United States, and Asia.

Graham Cluley, senior technology consultant with anti-virus firm Sophos, explains: "Microsoft did a good job of updating people's home computers, but the virus continues to infect businesses that have ignored the patch update.  A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.  What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order."

However, while the patch may slow the spread of the virus, it may not be enough to stop it.  The most recent variant of the worm, released two weeks ago and responsible for the skyrocketing number of infections, can transmit itself via USB, an attack route that currently no Windows patch blocks.  While properly updated antivirus software may block the attack, relying on such a software block alone is a risky proposition.

Kaspersky Lab's security analyst Eddy Willems describes the virus's nightmarish spread: "The replication methods are quite good.  It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too.  It also downloads lots of content and creates new variants through this mechanism."

Thus far the virus has only been used to inject malware into PCs.  But security experts warn that attackers could use their foothold on the system to start stealing users' and customers' credit card numbers and personal information.  It could also be used to completely hijack the computer, adding it to a botnet.

Ultimately the only current solution is for companies to patch their machines, quarantine and remove malware from infected machines, and disallow use of USB storage devices.



Comments

RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 5:12:42 PM , Rating: 0
quote:
It would literally take minutes to turn off autorun
Which won't help according to http://www.windowssecrets.com/2007/11/08/02-One-qu...

You disable autorun, user double clicks on a thumb drive icon after that and voila :-P


RE: Disallow use of USB storage devices? Why?
By RubberJohnny on 1/19/2009 6:40:01 PM , Rating: 2
quote:
It would literally take minutes to turn off autorun and usb drive access


Can you read? or did you stop after the word autorun cause it suits your argument?


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/09, Rating: 0
By amandahugnkiss on 1/19/2009 10:17:39 PM , Rating: 2
No one should have to disable USB drive access (I think Jason Mick should be the one to give you your answer, he's the one that put the comment into the article).

Any company that has halfway decent IT shouldn't have users running unpatched machines, or using accounts with weak passwords, and if possible not running as admins (though it is understood that some older apps require this). Had they met these conditions then they would not be in a position to even consider needing to disable USB.

The article states that they are using brute force attacks to gain access on machines with simple to guess passwords, anyone who doesn't practice using strong passwords pretty much deserves what they get as brute force attacks are about as simple as they get, and the most simple to circumvent as well.

The title of this article should read more like "Dumb IT Guys Refuse to Update Machines with Security Patches and Cause Widespread Infection by Worm".


RE: Disallow use of USB storage devices? Why?
By Pirks on 1/19/2009 11:08:56 PM , Rating: 1
quote:
No one should have to disable USB drive access
Exactly my point!

I just can't get it why one should disable a useful feature such as USB thumb drive access when the real solution is to plug a huge security hole created by braindead idiots from Redmond.

Would you heal a bruise on your arm or would you chop your arm off instead of healing it? ;-)


By amandahugnkiss on 1/20/2009 12:55:21 AM , Rating: 1
yawn.


RE: Disallow use of USB storage devices? Why?
By mailtrust on 1/21/2009 1:13:47 AM , Rating: 2
I will answer the question for you.. as well as anyone else who works in any corporation that has any sort of competition (lo and behold, even Apple).

You should disable USB drive access because... users [you know, the people who sit in front of the computer] can buy a cheap USB drive.. put it into the computer [because that's what you do with USB drives.. you plug them into computers].. and what do you think will happen next?

POP QUIZ!!
Any IT administrator will..
1) Assume the worst.
2) Smile and say go right ahead.
3) Look up what a USB drive does.

Here's a hint: Think disgruntled underpaid employee who is looking to be hired by the competition.


By Pirks on 1/21/2009 5:30:39 PM , Rating: 3
Remove all PCs and all the internet access from the company. Hint: think disgruntled, inventive and underpaid employee who is looking to be hired by the competition.

