
Three million hit by Windows worm


Post by GD Fri 16 Jan 2009, 2:04 pm

A worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users.

The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.

Although Microsoft released a patch, it has gone on to infect 3.5m machines.

Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch.

"Right now, we're seeing hundreds of thousands of [infected] unique IP addresses" - Toni Koivunen, F-Secure

According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.

INFECTED IPs WORLDWIDE
China 38,277
Brazil 34,814
Russia 24,526
India 16,497
Ukraine 14,767
Italy 13,115
Argentina 11,675
Korea 11,117
Romania 8,861
United States 3,958
United Kingdom 1,789
Source: F-Secure

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.

However, technicians have reverse engineered the worm so they can predict one of the possible domain names. This does not help them pinpoint those who created Downadup, but it does give them the ability to see how many machines are infected.

"Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," F-Secure's Toni Koivunen said in a statement.

"We can see them, but we can't disinfect them - that would be seen as unauthorised use."

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

Re: Three million hit by Windows worm

Post by Digger Mon 19 Jan 2009, 4:27 pm

Infections of a worm that spreads through low security networks, memory sticks, and PCs without the latest security updates are "skyrocketing".

The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.

Anti-virus firm F-Secure estimates there are now 8.9m machines infected.

Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch.

In its security blog, F-Secure said that the number of infections based on its calculations was "skyrocketing" and that the situation was "getting worse".

Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.

"Microsoft did a good job of updating people's home computers, but the virus continues to infect businesses that have ignored the patch update.

"A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.

"What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order," he added.

"But as the virus can be spread with USB memory sticks, even having the Windows patch won't keep you safe. You need anti-virus software for that."

Method

According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.

Variant

Speaking to the BBC, Kaspersky Lab's security analyst, Eddy Willems, said that a new strain of the worm was complicating matters.

"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems.

"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism."

"Of course, the real problem is that people haven't patched their software," he added.

Technicians have reverse engineered the worm so they can predict one of the possible domain names. This does not help them pinpoint those who created Downadup, but it does give them the ability to see how many machines are infected.

"Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered," F-Secure's Toni Koivunen said in a statement.

"We can see them, but we can't disinfect them - that would be seen as unauthorised use."

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.
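As an added illustration (not code from the BBC article, from F-Secure, or from either poster), this Python script sketches the defender's side of the domain-generation story told in both posts: if the daily candidate-domain list can be reproduced, a researcher can register one of those names and count the distinct source addresses that connect to it, which is how "how many machines are infected" gets estimated. The generator below is a toy date-seeded stand-in, not Conficker's real algorithm, and the sinkhole log lines are constructed sample data using the domain names quoted in the article.

```python
from __future__ import annotations
import hashlib
from collections import defaultdict
from datetime import date

TLDS = ("net", "cc", "org")  # the TLDs seen in the article's sample names

def candidate_domains(day: date, count: int = 250) -> list[str]:
    # Toy date-seeded generator (an assumption here, NOT Conficker's algorithm).
    # What matters to the defender is determinism: whoever knows the generator
    # and the date enumerates the same list the infected hosts will try, so one
    # of the names can be registered in advance as a sinkhole.
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        n = int.from_bytes(digest[:8], "big")
        label = ""
        for _ in range(8):  # 8 lowercase letters, like "mphtfrxs"
            label += chr(ord("a") + n % 26)
            n //= 26
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

# Constructed sinkhole log, one "src_ip domain" pair per line (sample data only,
# using the domain names quoted in the article and RFC 5737 test addresses).
SINKHOLE_LOG = """\
203.0.113.5 mphtfrxs.net
203.0.113.5 mphtfrxs.net
198.51.100.9 mphtfrxs.net
198.51.100.9 hcweu.org
192.0.2.44 imctaef.cc
garbage line that should be skipped
"""

def tally_sinkhole(log: str, registered: set[str]) -> tuple[dict[str, int], int]:
    # Distinct source IPs per registered domain, plus the distinct total across
    # all of them. Repeat hits from one address count once; names the defender
    # never registered are ignored, since that traffic never reaches the sinkhole.
    per_domain: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 2 or parts[1] not in registered:
            continue
        per_domain[parts[1]].add(parts[0])
    all_hosts = set().union(*per_domain.values())
    return {d: len(ips) for d, ips in per_domain.items()}, len(all_hosts)

if __name__ == "__main__":
    print(candidate_domains(date(2009, 1, 16))[:3])
    print(tally_sinkhole(SINKHOLE_LOG, {"mphtfrxs.net", "hcweu.org"}))
```

Counting distinct addresses rather than hits is what keeps a chatty host from inflating the estimate, and the figure is still a floor: hosts behind one NAT gateway appear as a single IP.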