Tricky virus infects nine million PCs – “Downadup” and “Conficker”

A new sleeper virus that could allow hackers to steal financial and personal information has now spread to more than nine million computers in what industry analysts say is one of the most serious infections they have ever seen.

The sneaky worm uses a virtual Swiss army knife of attack techniques to infect Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace. The worm, called “Downadup” and “Conficker” by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems, the Washington Post reported on Saturday. According to estimates from Finnish anti-virus maker F-Secure Corp, the worm has infected between 2.4 million and 8.9 million computers during the last four days alone.

If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed. One reason for this is that businesses will generally test patches before deploying them on internal networks to ensure the updates don’t break custom software applications. In the meantime, an infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to all unpatched systems inside that network.

But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network. This means that if an infected system has a USB stick inserted into it, that USB stick will carry the infection over to the next Windows machine that reads it. That’s an old trick, but apparently one that is still very effective.

Security experts say the worm instructs infected hosts each day to visit one or more of about 250 potential control servers—basically, pseudo-random domain names—in order to download instructions or malicious software updates from the worm’s authors. With such a system, security experts would have to register all 250 domains each day in order to kill off the worm, a costly and untenable solution. In contrast, the worm authors need only register one of those 250 domains to update all infected systems with new instructions and software. AGENCIES

This article was posted on the Times of India on 13th January 2009.
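The daily-domain scheme described in the article, modelled in Python as an added example (not code from the article, the worm, or any vendor cited here): a made-up date-seeded generator, not the real algorithm, stands in to show why a defender who can reproduce the list has to cover all 250 names each day while the authors need only one, and how that day's list can be matched against DNS logs. The seed, TLD set, label format, example date and log format are all assumptions.

```python
"""Toy model of the daily-domain scheme in the article: a deliberately simple
stand-in (NOT the worm's real algorithm) that derives 250 pseudo-random domains
from the date, so anyone knowing the algorithm and seed can precompute the list."""
from __future__ import annotations

import hashlib
from datetime import date

DOMAINS_PER_DAY = 250                              # figure from the article
TLDS = (".com", ".net", ".org", ".info", ".biz")   # assumed, illustrative
SEED = b"illustrative-seed"                        # assumed, illustrative
EXAMPLE_DAY = date(2009, 1, 13)                    # constructed date for the demo


def daily_domains(day: date) -> list[str]:
    """Return the day's 250 candidate control domains, deterministically."""
    out = []
    for i in range(DOMAINS_PER_DAY):
        material = SEED + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        # First 8 digest bytes become an 8-letter label; byte 8 picks the TLD.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        out.append(label + TLDS[digest[8] % len(TLDS)])
    return out


def blocklist_for(day: date) -> set[str]:
    """Defender's side of the asymmetry: all 250 must be covered (registered or
    sinkholed), while the worm authors only need to register a single one."""
    return set(daily_domains(day))


def flag_dns_queries(log_lines: list[str], day: date) -> list[str]:
    """Return clients whose lookups hit the day's blocklist.

    Log format is constructed for this example: "<client-ip> <queried-name>";
    names are normalised (lower-case, trailing dot stripped) before matching.
    """
    watch = blocklist_for(day)
    return [client for client, name in (line.split() for line in log_lines)
            if name.lower().rstrip(".") in watch]


if __name__ == "__main__":
    # Constructed sample log: two lookups of candidate domains, one benign.
    sample_log = [f"10.0.0.5 {daily_domains(EXAMPLE_DAY)[3]}", "10.0.0.6 www.example.com",
                  f"10.0.0.7 {daily_domains(EXAMPLE_DAY)[200].upper()}."]
    print(len(blocklist_for(EXAMPLE_DAY)), "domains to cover today; suspicious clients:",
          flag_dns_queries(sample_log, EXAMPLE_DAY))
```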


Urgent advice: users are strongly recommended to ensure their antivirus databases are up to date. A patch for the Windows vulnerability is available from Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx It concerns Microsoft Security Bulletin MS08-067 – Critical / Vulnerability in Server Service Could Allow Remote Code Execution (958644). Complete and effective protection measures against the worm are listed at the end of this post.

Sources/references of this outbreak alert and background information:

Kaspersky Lab
Guardian.co.uk
Microsoft
ThreatExpert
F-Secure
Symantec
NetworkWorld
DarkReading

Symptoms of the worm:

- http://www.bitdefender.fr/VIRUS-1000462-fr–Win32.Worm.Downadup.Gen.html
- http://www.ca.com/gb/securityadvisor/virusinfo/virus.aspx?id=76852

Kaspersky Lab disinfection/removal tool:

http://support.kaspersky.com/faq/?qid=208279973

List of domains that are currently distributing the Downadup worm and its variants:

http://www.f-secure.com/weblog/archives/downadup_domain_blocklist.txt

Complete and effective protection measures against the worm (apply all three):

1. Apply Microsoft patch MS08-067: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2. Give the administrator account of the computer a strong password (the worm runs a brute-force dictionary attack against the administrator password): http://www.safepasswd.com/
3. Completely disable the AutoRun function; this is a brutal but highly effective hack: http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html


