Print 92 comment(s) - last by Pirks.. on Jan 23 at 5:45 PM

The new virus can infect USB storage devices, in addition to attack over corporate ethernet networks. While a patch from Microsoft will protect against the ethernet attacks, currently no patch can stop the USB-side attacks. Only antivirus software can block it.  (Source: IoCell)
New worm is very sophisticated and spreading fast

Last week the international community was hit by one of the worst viral internet attacks to take over the corporate world in recent years.  The worm -- which goes by the names Downadup, Conficker, or Kido -- had infected 8 million computers, almost all on corporate networks, by Friday.  Describes Mikko Hypponen, chief research officer at anti-virus firm F-Secure, "On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million.  It's getting worse, not better."

As of today, an estimated 8.9 million machines are infected with the virus.  The very sophisticated worm exploits multiple secure flaws in Microsoft's Windows OS's.  It injects itself into services.exe, a common system process.  It creates a new DLL file in Windows system folder with a random five letter name.  It makes registry edits referencing this DLL as a service, so it’s automatically run on restart.

Once it has its grips on the system, it proceeds to create an HTTP server and download malware onto the computer from hacker web sites.  It also wipes out the system restore with a reset, making it harder to recover the system.  While many viruses download malware remotely from a handful of web sites, allowing for easy removal of the installed files, this one is much trickier.  Every day hundreds of dummy domain names are generated by an algorithm coded in the worm, with only one being the actual malware site.  This makes it extremely difficult to find exactly what is being installed each day.

The virus's main method of transmission is via local networks.  Once a computer is infected on the network it scans for other computers on the network, and then it uses the aforementioned Windows security flaw to attempt to gain access to them.  While the computers are typically password protected, the virus can guess shorter passwords by a brute force method of random guessing.  Once it finds the right password, it infects the next computer, which joins the attacking ranks.

Microsoft has a patch which protects against the Ethernet side of the attack -- MS08-067.  Companies are strongly recommended to get this patch as the virus is rapidly spreading across Europe, the United States, and Asia.

Describes Graham Culley, senior technology consultant with anti-virus firm Sophos, "Microsoft did a good job of updating people's home computers, but the virus continues to infect business who have ignored the patch update.  A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.  What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order.”

However, while the patch may slow the spread of the virus it may not be enough to stop it.  The most recent variant of the worm, which is the one that was released two weeks ago and caused the number of infections to skyrocket, can transmit itself via USB, an attack route that currently no Windows patch blocks.  While properly patched antivirus software may block the attack, relying on such a software block is a risky proposition.

Kaspersky Lab's security analyst, Eddy Willems describes the virus's nightmarish spread, stating, "The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism."

Thus far the virus has only been used to inject malware into PCs.  But security experts warn that attackers could use their foothold on the system to start stealing users' and customers' credit card numbers and personal information.  It could also be used to completely hijack the computer, adding it to a botnet.

Ultimately the only current solution is for companies to patch their machines, quarantine and remove malware from infected machines, and disallow use of USB storage devices.

Comments     Threshold

This article is over a month old, voting and posting comments is disabled

RE: The March of the Haters
By JediJeb on 1/19/2009 5:21:27 PM , Rating: 5
The only things that would be broken by this patch are those things that are using RPC directly (bypassing normal documented API calls) with no authentication. The fix would not be difficult. If someone's software breaks because they are:
1. Writing software badly like this to begin with.
2. Can't implement what would be an easy fix in 3 months time

..then I think you should look at replacing the software.

This is good only if there is other software to replace what is being used. In out small laboratory we are stuck with software that controls our analytical imstruments that is written by the vendors. I still have a few boxes running Win95 because the instrument manufacturer never wrote newer software for it. I can't afford to replace a $100k piece of equipment that works flawlessly simply because the software is outdated, that would be like replacing your car because the oil needs changing.

With every new piece of equipment we buy, we get the newest computers available to help keep them as future proof as possible, but when equipment last 20 years, it is inevitable that the computers are going to leave them behind.

With these problems it is very important we test every single patch and service pack as any one of them could shut us down and cost us a fortune. We are already to the point of having to manually enter data from some instruments that used to be able to send it across the network to the servers, simply because the software on the servers will no longer talk to that on the instruments, and the server side software had to be updated because it would not work on newer server hardware that came with newer versions of Windows. We just had to update to the newest version of Office because we have clients sending us spreadsheets in the newest version of Excell that we have to fill out, and our older version can't read them. There is nothing in the new version that enhances our work, as any version will handle putting in some numbers and doing simple calculations on them, but if we can't read what our clients send us then we lose clients.

Im not against patching security flaws, but if they weren't there in the first place it would be so much better.

RE: The March of the Haters
By Smilin on 1/19/2009 6:14:18 PM , Rating: 3
Im not against patching security flaws, but if they weren't there in the first place it would be so much better.

I guarantee the airbag sensors never fail on a '57 Chevy.

If all you need to do is a simple task then take the Win95box off of the network and let it do it's thing. Patches aren't needed at all for such things. This isn't all that uncommon of a scenario. If hardware upgrades are needed (face it 486s are getting rare) then use Virtualization.

If for some reason what you are doing requires being on the network then you should expect the software vendor to update. Otherwise what did you really get for your $100k?

These are not insurmountable problems for a good IT dept. They should either patch the box, leave it off the network, secure it some other way or skip all of the above and go look for a different job.

RE: The March of the Haters
By Lord 666 on 1/19/2009 10:34:49 PM , Rating: 2
Any scanners for detecting this virus on a network? Could nmap be used to scan network ranges to find this http server?

Looking to either confirm or deny companies exposure to this problem.

RE: The March of the Haters
By SilthDraeth on 1/20/2009 1:47:37 AM , Rating: 2
I want to jump in and state, that the companies hit by this worm, will quickly find that the "potential cost of implementing the fix, and breaking compatibility of a essential piece of software" would have been far lower than the cost they are paying now with every computer they own being infected.

It is always best to fix the leak and patch the holes than wait for the damn to break and try to rebuild it in the middle of a flood.

"Nowadays, security guys break the Mac every single day. Every single day, they come out with a total exploit, your machine can be taken over totally. I dare anybody to do that once a month on the Windows machine." -- Bill Gates

Copyright 2016 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki