The Conficker Worm

From software to hardware, breakthough to disaster, it all belongs here!

Moderator: CricketMX Forum Moderators

Post Reply
User avatar
moongirl
Moderator
Moderator
Posts: 19016
Joined: Mon Jan 12, 2004 8:07 am

The Conficker Worm - Spreading Rapidly
Matthew Hines - January 21, 2009
Security researchers are reporting that the Conficker worm virus, which preys on a recently reported vulnerability (MS08-067) in the Microsoft Windows server service, is spreading rapidly even as we speak.

According to a warning issued today by PandaLabs, some six percent (115,000-plus) of the two million computers that it has scanned for the virus in the last week or so have tested positive for Conficker, which is propagated via infected USB memory devices, including MP3 players.

PandaLabs said that the spread of the attack has been fairly ubiquitous worldwide as well, with infections showing up on machines in 83 countries. Over 18,000 machines carrying the threat were found inside the U.S. alone. The company said there were concentrated pockets of affected computers in Brazil, Mexico, Spain and Taiwan as well.

Based the results found within its test group, the company is speculating that Conficker is potentially resident on millions of machines in total. The scope of the attack harkens back to the heyday or massive worm outbreaks in years past, the experts observed.

"Of the two million computers analyzed, around 115,000 were infected with this malware, a phenomenon we haven't seen since the times of the great epidemics of Kournikova or Blaster," Luis Corrons, Technical Director of PandaLabs, said in a report summary.

"This is no doubt an epidemic and the worst may still be to come, as the worm could begin to download more malware onto computers or to spread through other channels. The outbreak of this worm really highlights the need for users to establish strong passwords both on personal computers and corporate networks, as otherwise, an infection could spread across an entire company leaving computers at the mercy of attackers," Corrons said.

In addition to the tainted USB angle, PandaLabs said it has also discovered that some variants of the threat are launching brute force attacks that can lift passwords from infected computers, and from internal networks.

The researchers highlighted the fact that the attack is also using an innovative social engineering tactic to spread via USB. After someone attaches an infected device and the Windows options menu appears, Conficker is launched when someone merely attempts to open the folder to see what files the USB holds.

Pointing to the relevance of a Roger Thompson argument I blogged about yesterday, PandaLabs is speculating that "the frequency of weak passwords (common words, own names, etc.) has aided the distribution of this worm."
http://securitywatch.eweek.com/virus_an ... ickly.html
Protecting Against the Rampant Conficker Worm
Erik Larkin, PC World Jan 17, 2009


Businesses worldwide are under attack from a highly infectious computer worm that has infected almost 9 million PCs, according to antivirus company F-Secure.

That number has more than tripled over the last four days alone, says F-Secure, leaping from 2.4 million to 8.9 million infected PCs. Once a machine is infected, the worm can download and install additional malware from attacker-controlled Web sites, according to the company. Since that could mean anything from a password stealer to remote control software, a Conflicker-infected PC is essentially under the complete control of the attackers.

According to the Internet Storm Center, which tracks virus infections and Internet attacks, Conficker can spread in three ways.

First, it attacks a vulnerability in the Microsoft Server service. Computers without the October patch can be remotely attacked and taken over.

Second, Conficker can attempt to guess or 'brute force' Administrator passwords used by local networks and spread through network shares.

And third, the worm infects removable devices and network shares with an autorun file that executes as soon as a USB drive or other infected device is connected to a victim PC.

Conficker and other worms are typically of most concern to businesses that don't regularly update the desktops and servers in their networks. Once one computer in a network is infected, it often has ready access to other vulnerable computers in that network and can spread rapidly.

Home computers, on the other hand, are usually protected by a firewall and are less at risk. However, a home network can suffer as well. For example, a laptop might pick up the worm from a company network and launch attacks at home.

The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist provided by F-Secure to try and stop the worm's attempts to connect to Web sites.

And finally, you can disable Autorun so that a PC won't suffer automatic attack from an infected USB drive or other removable media when it's connected. The Internet Storm Center links to one method for doing so at http://nick.brown.free.fr/blog/2007/10/ ... worms.html, but the instructions involve changing the Windows registry and should only be attempted by adminstrators or tech experts. Comments under those instructions also list other potential methods for disabling autorun.
http://www.pcworld.com/article/157876/p ... _worm.html
Image
That's not the man in the moon...that's me ;)
Post Reply