Unread 21st Jan 2009, 04:00 PM   #1
OffTheWallflowerChild
War Room Member
 
Patrician's Avatar
 
Join Date: 2004
Location: USA
Posts: 2,776
Thanks: 6,161
Thanked 2,625 Times in 1,763 Posts
Vista/Windows7 Yet Another Security Alert

Windows worm trickery for Vista


The "Open folder" option appears in the "Install or run program" list

The Conficker virus has opened a new can of worms for security experts.

Drives such as USB sticks infected with the virus trick users into installing the worm, according to researchers.

The "Autoplay" function in Vista and early versions of Windows 7 automatically searches for programs on removable drives.

However, the virus hijacks this process, masquerading as a folder to be opened. When clicked, the worm installs itself.

It then attempts to contact one of a number of web servers, from which it could download another program that could take control of the infected computer.

Bad guys
The worm is unusually clever in the way that it determines what server to contact, according to F-Secure's chief research officer Mikko Hypponen.

"It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com," said Mr Hypponen in a blog post.

"This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

"However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines," he added.

It has also emerged that the virus automatically disables the automatic updates to Windows that would prevent further infection.

As the virus - also known as Downadup - has spread to an estimated 9m computers globally, a number of high-profile instances of the virus have arisen.

The Ministry of Defence has been battling an outbreak of the virus across its network for more than two weeks, and on Tuesday a network of hospitals across Sheffield told technology website The Register that more than 800 of their computers had been infected.

Users are urged to download the KB958644 Security Update from Microsoft to mitigate the risk of infection.

http://news.bbc.co.uk/2/hi/technology/7842013.stm

Patricia Brucoli
Plug-In Profit Site Helpdesk
Patrician is offline   Reply With Quote
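
The AutoPlay trick described in the article quoted above can be checked for on a removable drive by reading its `autorun.inf`. The following is an added example, not part of the thread or the BBC article: the function names, finding codes, heuristics and sample files are assumptions constructed for illustration. It flags a file whose AutoPlay entry is worded like the built-in folder option while actually launching a program.

```python
import re

# [autorun] keys that start a program when the user picks the AutoPlay entry.
EXEC_KEYS = ("open", "shellexecute")
# Wording that makes a program entry read like the built-in folder option.
FOLDER_WORDING = re.compile(r"\bopen\s+folder\b|\bview\s+files\b", re.I)
# Stock Windows icon libraries; borrowing from them gives the entry a folder look.
STOCK_ICON = re.compile(r"\b(shell32|imageres)\.dll\b", re.I)


def parse_autorun(text):
    """Return the [autorun] section as {lower-cased key: value}."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def assess(text):
    """Return finding codes for an autorun.inf that disguises a program launch."""
    entries = parse_autorun(text)
    command = next((entries[k] for k in EXEC_KEYS if entries.get(k)), None)
    if command is None:
        return []  # nothing is launched, so there is nothing to disguise
    findings = []
    if FOLDER_WORDING.search(entries.get("action", "")):
        findings.append("folder-lookalike-action")
    if STOCK_ICON.search(entries.get("icon", "")):
        findings.append("stock-windows-icon")
    return findings


# Constructed samples (hypothetical, not taken from any real drive).
DISGUISED = r"""
[AutoRun]
; constructed sample
Action=Open folder to view files
Icon=%SystemRoot%\system32\shell32.dll,4
Open=tool.exe
"""

HONEST_INSTALLER = """
[autorun]
action=Install Example Suite
icon=setup.ico
open=setup.exe
"""

DATA_ONLY = """
[autorun]
label=Backup Drive
action=Open folder to view files
"""

if __name__ == "__main__":
    for name, sample in [("disguised", DISGUISED),
                         ("honest installer", HONEST_INSTALLER),
                         ("data only", DATA_ONLY)]:
        print(f"{name}: {assess(sample) or 'no findings'}")
```

A finding here is a reason to inspect the drive before opening anything from the AutoPlay dialog, not proof of infection.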
Unread 21st Jan 2009, 04:21 PM   #2
Warrior Member
 
Join Date: 2009
Location: Australia
Posts: 14
Thanks: 1
Thanked 4 Times in 4 Posts
Re: Vista/Windows7 Yet Another Security Alert

It looks pretty easy to tell there's something suspicious about that run program window; if that's the only way it can be spread too, then I doubt it would get the opportunity to infect a large amount of computers anyway.

Place holder.
Brenton is offline   Reply With Quote
Unread 21st Jan 2009, 04:41 PM   #3
OffTheWallflowerChild
War Room Member
 
Patrician's Avatar
 
Join Date: 2004
Location: USA
Posts: 2,776
Thanks: 6,161
Thanked 2,625 Times in 1,763 Posts
Re: Vista/Windows7 Yet Another Security Alert

ummmm. I think approximately 9,000,000 infections would indicate there is a pretty good opportunity

"As the virus - also known as Downadup - has spread to an estimated 9m computers globally, a number of high-profile instances of the virus have arisen."

Patricia Brucoli
Plug-In Profit Site Helpdesk
Patrician is offline   Reply With Quote
Unread 21st Jan 2009, 05:23 PM   #4
Warrior Member
 
Join Date: 2009
Location: Australia
Posts: 14
Thanks: 1
Thanked 4 Times in 4 Posts
Re: Vista/Windows7 Yet Another Security Alert

Most of the infections have been in China, Russia and South America and are on PCs where users rarely update Windows or their antivirus software.

The nature of the virus means that it spreads fast through small business operations and some larger operations; for example, 1000s of computers in one hospital have been infected.

It turns out that that isn't the only way it is spread; this variant affects Vista and the Windows 7 beta (shouldn't be in use by home users anyway), but the majority of the infections were on Windows XP. This virus is also very old; all the security patches were released in October last year. Sure, the virus is big, but I don't think it is as notable as the Sasser worm, Mydoom, Sobig etc.

In fact, Mydoom and Sobig each infected over 300m PCs, 30x the amount this "huge" virus did.

Place holder.
Brenton is offline   Reply With Quote
The Following User Says Thank You to Brenton For This Useful Post:
Unread 21st Jan 2009, 06:14 PM   #5
OffTheWallflowerChild
War Room Member
 
Patrician's Avatar
 
Join Date: 2004
Location: USA
Posts: 2,776
Thanks: 6,161
Thanked 2,625 Times in 1,763 Posts
Re: Vista/Windows7 Yet Another Security Alert

Gotcha.

However, with all due respect I would not encourage a cavalier attitude about this threat, or any of the other myriad of Microsoft BREACHES -

Too many people have the attitude that 'it can't happen to me', 'it only happens in Timbuktu', 'it only happens to that other version', etc. - as they say in this article this thing is mutating daily -

So bottom line is set your PC for automatic updates from BOTH Microsoft AND your 3rd-party security.

Cheers, Mate!

Patricia Brucoli
Plug-In Profit Site Helpdesk
Patrician is offline   Reply With Quote
The Following User Says Thank You to Patrician For This Useful Post:
Unread 21st Jan 2009, 09:56 PM   #6
HyperActive Warrior
War Room Member
 
Kooza's Avatar
 
Join Date: 2005
Location: Auckland, New Zealand.
Posts: 154
Thanks: 0
Thanked 46 Times in 31 Posts
Re: Vista/Windows7 Yet Another Security Alert

"It looks pretty easy to tell there's something suspicious about that run program window; if that's the only way it can be spread too, then I doubt it would get the opportunity to infect a large amount of computers anyway."
I worked in IT support for a while and you would be surprised how naive some people can be when it comes to what is normal and what isn't. I'd say only a small percentage of people actually know how to spot a potential virus. Probably 95% of home computers are riddled with them for that very reason.

"The nature of the virus means that it spreads fast through small business operations and some larger operations; for example, 1000s of computers in one hospital have been infected."
How ironic...

Mike.
Kooza is offline   Reply With Quote
Unread 22nd Jan 2009, 02:33 PM   #7
GT
VIP Warrior
War Room Member
 
GT's Avatar
 
Join Date: 2007
Location: Northern Alberta , Canada.
Posts: 1,888
Thanks: 2,392
Thanked 600 Times in 415 Posts
Blog Entries: 357
Re: Vista/Windows7 Yet Another Security Alert

I hear what Mike is saying about naive people. So true.

I would like to add to that the element of confusion and uncertainty when it comes to knowing how to deal with protection software ... never mind the threats that that software is designed to deal with.

I have up-to-date and comprehensive protection from a couple of sources (in my computer) and I put my entire faith in that protection.

In the past, I have tried to go to Microsoft (or wherever) to download "patches" or updates or whatever, and I have never once been able to do that successfully.

Call me dumb, but here is what happens. I get the message (from Microsoft, or fellow marketers) to go to a trusted, authoritative site to download the update or the patch.

I get there expecting some clear direction saying, "If you have this kind of computer, running this kind of operating system and this kind of (whatever), then you need to click this link to get the proper patch."

But instead of those directions, I get a list of confusing choices and I have to decide which one applies to me. Several of them look the same, so I don't know which one. But if I DO click one, then I get another set of choices that don't give enough clues to know which one I need. But if I do click one, then I get ANOTHER set of choices ... etc.

In some cases, I have tried clicking on the "Help" links or "get more info" links to try to determine which choices I need to make. But I keep hitting roadblocks or dead ends that require me to make more choices that I have no technical knowledge or insight to be able to make, comfortably.

So, I give up because I do not want to download something that could potentially cause more trouble for me than it is worth.

And I default to simply trusting my existing protection software (which I always keep updated anyway because they show and tell you exactly how to do that without confusion.)

lol ... What a whiner I am! But that's my story. There are some things I can figure out, and other things I am willing to put some effort into figuring out, but downloading patches and updates from the Internet is something that continues to mystify me. lol

GT

* You Can Begin Earning Affiliate Income HereDirect Commissions and Residual Income!
* Home Business Resources and Affiliate Opportunities
* Visit This Library to Expand Your KnowledgeBlog Post
* Reinventing Your Life - Make the Rest of Your Life the BEST of Your Life!
* Follow Me On Twitter ===> MyPowerSite <===| gtbulmer | StarrBizzcom
GT is offline   Reply With Quote
Unread 22nd Jan 2009, 02:53 PM   #8
OffTheWallflowerChild
War Room Member
 
Patrician's Avatar
 
Join Date: 2004
Location: USA
Posts: 2,776
Thanks: 6,161
Thanked 2,625 Times in 1,763 Posts
Re: Vista/Windows7 Yet Another Security Alert

GT - what you need to do is go to 'Windows Update' and just follow the directions - SET UP TO GET AUTOMATIC DOWNLOADS - their middle name should be Swiss Cheese there are so many holes and breaches in Windows.

You need up to the minute protection.

If you follow my directions (Windows Update is in your start menu - either on the first page or under 'all programs')

You will go there and they will scan your computer for critical updates - then just click 'download'.

You will also see there the button to set up automatic updates. THIS IS CRITICAL.

(or you can do this from your control panel under System - click the tab that says automatic updates.)

Would you like some cheese with your whine, deary?

Patricia Brucoli
Plug-In Profit Site Helpdesk
Patrician is offline   Reply With Quote
The Following User Says Thank You to Patrician For This Useful Post:
Unread 22nd Jan 2009, 03:16 PM   #9
Webmaster
War Room Member
 
iddigger's Avatar
 
Join Date: 2007
Location: Id, USA.
Posts: 96
Thanks: 2
Thanked 16 Times in 14 Posts
Re: Vista/Windows7 Yet Another Security Alert

Thanks for the info Patrician,

Don't know if this is a new threat but I just checked my PC and it updated
(KB958644) back on 10/25/08 so if regular updates are done I'm hoping we're safe.

iddigger is offline   Reply With Quote
The Following User Says Thank You to iddigger For This Useful Post:
Unread 22nd Jan 2009, 03:18 PM   #10
GT
VIP Warrior
War Room Member
 
GT's Avatar
 
Join Date: 2007
Location: Northern Alberta , Canada.
Posts: 1,888
Thanks: 2,392
Thanked 600 Times in 415 Posts
Blog Entries: 357
Re: Vista/Windows7 Yet Another Security Alert

Hi, Patricia:

Thanks for the recommendations and your concern. The "automatic updates/downloads" that you described is one of the things I do have as part of my ongoing protection.

I also subscribe to a full protection suite from a recognized, popular and dependable provider.

In the case of each of the above, they are running continually in my computer, including daily scans, reports, etc.

So, that is why I believe that I am adequately protected. I consider it to be up to the minute, as you have wisely recommended.

It's just that ... (whine and cheese coming here) ... every once in a while I get paranoid (though I have never had any known virus problems) that I may be missing something, so I go to the MS site and try to download an update or patch like other people seem to do, but it has always ended in frustration and failure for me.

(Okay. MAYBE I have only attempted it two or three times - not "always"), but obviously, I am making the wrong choices when I go there.

(My dear spouse would say that I just like to make things more complicated than they are.)

Thanks again, Patricia. (Loved that "Swiss Cheese" reference, too!)

GT

* You Can Begin Earning Affiliate Income HereDirect Commissions and Residual Income!
* Home Business Resources and Affiliate Opportunities
* Visit This Library to Expand Your KnowledgeBlog Post
* Reinventing Your Life - Make the Rest of Your Life the BEST of Your Life!
* Follow Me On Twitter ===> MyPowerSite <===| gtbulmer | StarrBizzcom
GT is offline   Reply With Quote
Unread 22nd Jan 2009, 03:55 PM   #11
OffTheWallflowerChild
War Room Member
 
Patrician's Avatar
 
Join Date: 2004
Location: USA
Posts: 2,776
Thanks: 6,161
Thanked 2,625 Times in 1,763 Posts
Re: Vista/Windows7 Yet Another Security Alert

Actually being hyper-vigilant, although cousin to paranoia, is sometimes wise.

Case in point. The second to the last SCARE from Microsoft the press made such an issue because MS actually did an 'out of cycle' patch.

This means usually they are leaving us vulnerable AFTER they learned about certain breaches, until the regular in-cycle security patches would be installed automatically.

To my mind, why take the risk? (and shame on them since it is their breach and they should be more conscientious about their possible victims - half the world).

So when I read about something like this I am going to Windows Update to see what is there AND NOT WAITING.

Hackers have nothing better to do than sit and think of ways to harm others. So if they come out with something on Tuesday morning, neither your 3rd-party security OR MS may know about it until Wednesday morning or Friday afternoon (after they get reports from victims) - leaving a window of opportunity for your life to become a nightmare.

So sometimes being a scaredy cat is better than foolish over-confidence.

It costs nothing to go to Windows Update to see what is available.

Patricia Brucoli
Plug-In Profit Site Helpdesk
Patrician is offline   Reply With Quote
Unread 22nd Jan 2009, 04:21 PM   #12
HyperActive Warrior
 
Join Date: 2008
Location: United Arab Emirates.
Posts: 171
Thanks: 0
Thanked 11 Times in 11 Posts
Re: Vista/Windows7 Yet Another Security Alert

Hi,

Thank you so much for the information.

We need to be vigilant about all these viruses. I remember last year I was a victim of a virus also. Normally when you turned on the automatic updates in your Windows every now and then you will see a pop up notification that updates are ready for you to download. One day I saw this notification so I clicked on it only to find out that virus is already spreading like wildfire on my computer.

Cheers,
Jennifer

godisgood is offline   Reply With Quote
Unread 23rd Jan 2009, 03:09 PM   #13
Let It Snow
War Room Member
 
Blue Blaster's Avatar
 
Join Date: 2009
Location: NJ, USA
Posts: 60
Thanks: 10
Thanked 30 Times in 21 Posts
Re: Vista/Windows7 Yet Another Security Alert

I plan to skip Vista and go straight to Win7 - after the first service pack is released. There's a reason why XP has lasted nearly a decade and I'm hoping Win7 will follow the legacy of XP.
Blue Blaster is offline   Reply With Quote
Unread 23rd Jan 2009, 06:12 PM   #14
OffTheWallflowerChild
War Room Member
 
Patrician's Avatar
 
Join Date: 2004
Location: USA
Posts: 2,776
Thanks: 6,161
Thanked 2,625 Times in 1,763 Posts
Re: Vista/Windows7 Yet Another Security Alert


Researchers wait for Downadup worm's second act

The 'well-engineered' worm was written by hackers who know their stuff

Gregg Keizer


January 23, 2009 (Computerworld) The worm that has infected millions of Windows PCs is a "very well-engineered" piece of malware, according to one security expert. But researchers still have no clear idea what the hackers plan to do with the collection of computers they've compromised with "Downadup."

"This is a very well-engineered piece of software," said Alfred Huger, vice president of development at Symantec Corp.'s security response group. "It's very well thought out. Whoever wrote it, it's not their first time writing malware. It looks as if the author has had a great deal of experience writing software, and is fully versed in writing network-level code."

Downadup, also called "Conficker," has infected an estimated 6% of PCs worldwide. The worm spreads by exploiting a four-month-old vulnerability in Windows, by brute-force password attacks and by hitchhiking on USB devices like flash drives.

Huger was impressed by the technical chops of Downadup's maker, or makers. "The worm itself is very complex," he said. "At the byte level, it implements [things] in some novel ways." Compared to most malware, which Huger said is "written off the cuff," Downadup is downright elegant.

And effective. Most researchers, including those at Symantec, have said the worm is the most invasive seen in the last six years. "At a basic level, it tends to perform well, and that's helped it spread," said Huger.

But much more than hacker craft made Downadup a success, Huger maintained. Other elements, including timing, the countries at the top of the attack list and even software piracy rates contributed.

"They put this together in a very brief period of time," Huger said, referring to the spotting of the worm's first variant just three weeks after Microsoft issued an emergency patch.

The faster hackers can come up with an exploit and put it on the street, the better luck they usually have, for fewer users patch their machines in the first days or weeks after a vulnerability is fixed.

"Software piracy also plays a role," said Huger, noting that the countries that Symantec has seen Downadup at its most successful -- in China, for instance, the worm has accounted for nearly a quarter of all recent infections -- also have historically high rates of running counterfeit software. People running Windows illegally are believed to patch their machines less rigorously than users with legitimate copies, for fear that Microsoft's antipiracy technology will detect and mark the operating system as stolen.

Patching habits have played a part, too, at least in keeping Downadup from infecting PCs through the bug Microsoft patched last October. "We feel that consumers in North America and western Europe are better educated about remaining patched," said Huger, pointing to the relatively low Downadup infection rates in those regions.

"Worms travel the path of least resistance," he added.

Although some researchers now say that Downadup seems to have peaked -- F-Secure Corp. today noted that its "growth ... has been curbed" -- researchers remained worried about the next step in the attack.

Most malware infects PCs so that hackers can then use the collected machines, dubbed a botnet, to send spam, attack Web sites or compromise more computers. To do that, the original attack code directs the now-controlled PC, a "bot" in security parlance, to download additional software.

But Downadup has yet to trigger such second-stage downloads.

"Why is it taking so long?" asked Huger. "That's what we're all asking." He couldn't recall an attack of this size with such a long lag time between the initial attacks and follow-on downloads of more malware to the hijacked systems.

The people behind Downadup will eventually follow through, Huger's convinced. "They've obviously put a lot of thought into the worm. They've been very methodical," he said.

But he also pointed out that the clock is ticking. "If they don't hurry up and do it, someone else will," he said, explaining that hackers must fend off not only security researchers, but also other criminals, who would like nothing better than to pinch a ready-to-use botnet.

"They're trying to keep the other bad guys at bay, too," Huger said. "So I would guess that they would act soon."

http://www.computerworld.com/action/...icleId=9126691

Patricia Brucoli
Plug-In Profit Site Helpdesk
Patrician is offline   Reply With Quote


All times are GMT -6.