Algeria.com Discussion Forum - Powered by vBulletin


  1. #1
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,375

    Worm infects millions of computers worldwide


    January 23, 2009 -- A new digital plague has hit the Internet, infecting millions of personal and business computers in what seems to be the first step of a multi-stage attack. The world's leading computer security experts do not yet know who programmed the infection, or what the next stage will be.

    In recent weeks a worm, a malicious software program, has swept through corporate, educational and public computer networks around the world. Known as Conficker or Downadup, it is spread by a recently discovered Microsoft Windows vulnerability, by guessing network passwords and by hand-carried consumer gadgets like USB keys.

    Experts say it is the worst infection since the Slammer worm exploded through the Internet in January 2003, and it may have infected as many as nine million personal computers around the world.

    Worms like Conficker not only ricochet around the Internet at lightning speed, they harness infected computers into unified systems called botnets, which can then accept programming instructions from their clandestine masters. "If you're looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon," said Rick Wesson, chief executive of Support Intelligence, a computer security consulting firm based in San Francisco.

    Many computer users may not notice that their machines have been infected, and computer security researchers said they were waiting for the instructions to materialize, to determine what impact the botnet will have on PC users. It might operate in the background, using the infected computer to send spam or infect other computers, or it might steal the PC user's personal information.

    "I don't know why people aren't more afraid of these programs," said Merrick Furst, a computer scientist at Georgia Tech. "This is like having a mole in your organization that can do things like send out any information it finds on machines it infects."

    Microsoft rushed an emergency patch to defend the Windows operating systems against this vulnerability in October, yet the worm has continued to spread even as the level of warnings has grown in recent weeks.

    Earlier this week, security researchers at Qualys, a Silicon Valley security firm, estimated that about 30 percent of Windows-based computers attached to the Internet remain vulnerable to infection because they have not been updated with the patch, despite the fact that it was made available in October. The firm's estimate is based on a survey of nine million Internet addresses.

    Security researchers said the success of Conficker was due in part to lax security practices by both companies and individuals, who frequently do not immediately install updates.

    A Microsoft executive defended the company's security update service, saying there is no single solution to the malware problem.

    "I do believe the updating strategy is working," said George Stathakopoulos, general manager for Microsoft's Security Engineering and Communications group. But he added that organizations must focus on everything from timely updates to password security.

    "It's all about defense in depth," Stathakopoulos said.

    Alfred Huger, vice president of development at Symantec's security response division, said, "This is a really well-written worm." He said security companies were still racing to try to unlock all of its secrets.

    Unraveling the program has been particularly challenging because it comes with encryption mechanisms that hide its internal workings from those seeking to disable it.

    Most security firms have updated their programs to detect and eradicate the software, and a variety of companies offer specialized software programs for detecting and removing it.

    The program uses an elaborate shell-game-style technique to permit someone to command it remotely. Each day it generates a new list of 250 domain names. Instructions from any one of these domain names would be obeyed. To control the botnet, an attacker would need only to register a single domain to send instructions to the botnet globally, greatly complicating the task of law enforcement and security companies trying to intervene and block the activation of the botnet.

    Computer security researchers expect that within days or weeks the bot-herder who controls the programs will send out commands to force the botnet to perform some as yet unknown illegal activity.

    Several computer security firms said that although Conficker appeared to have been written from scratch, it had parallels to the work of a suspected Eastern European criminal gang that has profited by sending programs known as "scareware" to personal computers that seem to warn users of an infection and ask for credit card numbers to pay for bogus antivirus software that actually further infects their computer.

    One intriguing clue left by the malware authors is that the first version of the program checked to see if the computer had a Ukrainian keyboard layout. If it found it had such a keyboard, it would not infect the machine, according to Phillip Porras, a security investigator at SRI International who has disassembled the program to determine how it functioned.

    The worm has reignited a debate inside the computer security community over the possibility of eradicating the program before it is used by sending out instructions to the botnet that provide users with an alert that their machines have been infected.

    "Yes, we are working on it, as are many others," said one botnet researcher who spoke on the grounds that he not be identified because of his plan. "Yes, it's illegal, but so was Rosa Parks sitting in the front of the bus."

    This idea of stopping the program in its tracks before it has the ability to do damage was challenged by many in the computer security community.

    "It's a really bad idea," said Michael Argast, a security analyst at Sophos, a British computer security firm. "The ethics of this haven't changed in 20 years, because the reality is that you can cause just as many problems as you solve."

  2. #2
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,375

    LONDON, January 26, 2009 (UPI) -- A virulent computer virus has infected more than 15 million computers around the world so far, British experts say.

    The Independent on Sunday reported the worm - known as Downadup, Conficker or Kido - had contaminated 6 million PCs in the past three days alone.

    The newspaper said more than 3,000 British organizations, including hospitals and the Ministry of Defense, have been hit by the virus.

    Officials in Britain, the United States, Russia, China and India say they are waiting to see what the virus's effects will be, if anything.

    The newspaper reported there is a possibility the virus has no function other than to demonstrate its originator's skill, but some security experts think it unlikely a worm so sophisticated as this one would have no ulterior purpose.

    Tom Gaffney, technical manager of F-Secure, says the virus could be designed to capture confidential information, such as online account details and passwords. He said it is likely the worm is a "rootkit," which gives the virus designer administrative access to remote computers.

  3. #3
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,375

    February 12, 2009 -- Microsoft Corp. today said it is offering a $250,000 reward for information that leads to the arrest and conviction of those responsible for launching the "Conficker" computer worm, a threat that has infected millions of Microsoft Windows PCs over the past two months.

    The reward is the most public acknowledgment yet of the damage inflicted by the Conficker worm - known to some anti-virus companies as "Downadup" - which wiggles into Microsoft systems primarily through a security hole in the Windows operating system.

    Microsoft issued a software update in late October to help customers guard against the attack, but Conficker can spread even to systems that have already been patched, by piggybacking on removable media - such as USB drives - that launch the worm when connected to a Windows system.

    "As part of Microsoft's ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers," said George Stathakopoulos, general manager of Microsoft's Trustworthy Computing Group. "By combining our expertise with the broader community we can expand the boundaries of defense to better protect people worldwide."

    Microsoft created the reward program in 2003, funding it with $5 million to help law enforcement agencies bring computer virus and worm authors to justice. But this is the first time in four years that Microsoft has issued a reward in response to a worm outbreak.

    In July 2005, Microsoft paid a $250,000 bounty to two individuals who helped identify the creator of the notorious "Sasser" worm, whose author was arrested in 2004 and subsequently sentenced to prison by German authorities. Microsoft also has offered $250,000 reward offers for information leading to the arrest and conviction of the author(s) behind three other major computer worm threats, including the "Blaster," "MyDoom," and "Sobig" worms. To date, those responsible for unleashing those worms remain at large.

  4. #4
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,375

    Erik Larkin:


    February 13, 2009 -- In response to the Conficker worm's massive infection of millions of PCs worldwide, industry heavyweights including Microsoft, Symantec and others today announced they're forming a new team to fight back against the worm.

    In addition to the team's mission to grab domain names Conficker (aka Downadup) might try to use, Microsoft is offering a fat $250,000 reward for information that leads to the arrest and conviction of those responsible for the worm. The reward is available to residents of any country, Microsoft says.

    Conficker's Achilles heel is its need to receive orders from a server on the Internet. The worm checks a list of up to 250 different domain names each day for instructions.

    Normally, cycling through 250 different names would likely be enough to ensure that the good guys would be unable to keep up, as Conficker's controllers would theoretically only have to register one of those domains per day to control their massive herd of malware. But Conficker's notoriety has prompted the companies to coordinate their efforts and try to nab all the potential domain registrations before the bad guys can.

    Doing so would restrict the worm to receiving updates or instructions only through its secondary peer-to-peer capability, according to Symantec. From the description, that secondary ability would likely limit the worm to making a peer-to-peer connection only with infected PCs on the same local network.

    According to Symantec's announcement, the team includes "Microsoft, ICANN, Neustar, Verisign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence."

    If anyone does manage to register one of the domains before the team does, the team will investigate its owner.

    This is a good step, and one I'd sure like to see taken further. This team should stick around after Conficker and continue to work to deny the bad guys' use of domain names, hosting providers and other infrastructure required by the malware black market.

    I do wonder, though, why Microsoft didn't set up a phone number or other central point of contact for collecting information about Conficker. The company says that "individuals with information about the Conficker worm should contact their international law enforcement agencies."
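
Added example, not part of the quoted articles or any poster's text: the pre-registration effort described in posts #1 and #4 comes down to recomputing each day's candidate list and checking who holds every name on it. The generator here is a constructed stand-in, not Conficker's algorithm, and the TLD set, function names and sample sets are assumptions.

```python
import hashlib
from datetime import date, timedelta

DOMAINS_PER_DAY = 250                        # figure stated in the articles
TLDS = ("com", "net", "org", "info", "biz")  # assumption for the stand-in


def candidate_domains(day, count=DOMAINS_PER_DAY):
    """Constructed date-seeded stand-in; NOT the worm's real algorithm."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def coverage_report(start, days, sinkholed, registered_by_others):
    """Per day: names nobody holds yet, and names a third party registered."""
    report = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        wanted = set(candidate_domains(day))
        investigate = sorted(wanted & registered_by_others)
        unregistered = sorted(wanted - sinkholed - registered_by_others)
        report[day] = {
            "unregistered": unregistered,
            "investigate": investigate,
            "covered": not unregistered and not investigate,
        }
    return report


if __name__ == "__main__":
    day1 = date(2009, 2, 13)
    today = candidate_domains(day1)
    # Constructed state: defenders hold all of day one's names except one,
    # which someone else registered first; day two is untouched.
    sinkholed = set(today) - {today[0]}
    others = {today[0]}
    for day, row in coverage_report(day1, 2, sinkholed, others).items():
        print(day, "covered" if row["covered"] else "GAP",
              "unregistered:", len(row["unregistered"]),
              "investigate:", row["investigate"])
```

A day counts as covered only when every generated name is in the defenders' set, so a single name held by anyone else is reported for investigation and leaves that day open.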

  5. #5
    Cheba_Mami is offline Moderator
    Join Date
    Feb 2004
    Posts
    2,124
    WHYYYYY do they design such rotten worms and viruses? WHYYY what do they gain from it?

  6. #6
    Al-khiyal is online now Super Moderator
    Join Date
    Jan 2006
    Posts
    289,375

    March 30, 2009 -- It could be the biggest April Fool's joke ever played on the internet, or it could be one of the worst days ever for computers connected to the network. Security experts can't work out whether the Conficker virus – which has infected more than 10m Windows PCs worldwide – will wreak havoc on Wednesday, or just let the day pass quietly.

    Experts have worked out that from midnight on 1 April, the Conficker program will start scanning thousands of websites for a new set of instructions telling it what to do next. The infected machines thus comprise one of the biggest "botnets" – a network of "robot" computers – in internet history. And if they were all given a target, such as simultaneously sending search queries to Google or trying to connect to a gambling site, they could knock it offline through the sheer volume of connections – a "denial of service". Victims usually discover that they have been locked out of their computers or have very slow-running internet connections.

    Botnets have been used in the past to generate millions of pieces of spam email and to blackmail gambling sites that need to stay online during sports events with the threat that they will be deluged by "denial of service" attacks.

    Careful study of infected machines has revealed that from midnight on Wednesday they will seek new instructions from a randomly generated list of thousands of websites that changes every day. Just one needs to be under the virus writers' control to turn Conficker into a newly configured botnet – making the task of catching the exact site a search for a needle in a computing haystack.

    Experts admit that they have little idea of where Conficker might be headed next. "It's a brave man who puts his neck out like that," said Graham Cluley, an analyst with internet security company Sophos. "For what it's worth, we have never seen earlier versions of the Conficker worm downloading a malicious payload."

    He added that the April Fool's Day deadline could be an attempt to misdirect the attention of security professionals and computer users – or that the activation date could even indicate a prank.

    "There is no reason to believe that there will be any instructions for Conficker to receive on 1 April," he said. "They could just as easily be delivered on 2 April, 4 April, 25 May or never."

    Others agree that Conficker may not activate immediately, preferring to lie in wait before receiving further orders to avoid scrutiny. "At its core, the main purpose of Conficker is to provide the authors with a secure binary updating service that effectively allows them instant control of millions of PCs worldwide," noted Phillip Porras of SRI International. Vincent Weafer, vice-president of Symantec, an internet security company, said: "Most malware these days is designed to be used for some type of criminal monetary gain, and conducting such criminal acts typically requires stealth measures to be successful.

    "This makes the odds that a major event will take place on 1 April even less likely, since there is so much attention being paid to that day."

    Conficker – also known among security experts as "Downadup" – was first discovered in November last year, being sold as part of a "kit" by a Chinese hacker. Since then, two variants have been spotted as the virus has gone on to infect more than 10m PCs.

    Despite being tracked for several months, however, the truth about Conficker's motivations and origins remains clouded. Last weekend, one team of researchers suggested that they may have discovered a "fingerprint" inside the worm which should make it possible to scan computers for the infection, making removal easier.

    The identity of its creator remains unknown, despite Microsoft offering a bounty of $250,000 (£176,000) for the information. Usual methods of unpacking the virus code to examine its workings have been thwarted because the authors have encrypted it, using algorithms that render it almost uncrackable.

    In the meantime, Conficker has gone on to become one of the most widespread internet worms in recent years.

    Last week a leaked memo revealed that the House of Commons computer system had become infected, leading to concerns that confidential or highly sensitive material could be stolen when the virus next updates.

    In the document, Joan Miller, the director of parliamentary computer services, said that her team were "continuing to work with our third party partners to manage its removal and we need to act swiftly to clean computers that are infected".

    Ordinary PC users are being advised to keep their anti-virus software up to date and watch for news about the worm. Cluley suggested that the widespread coverage could help lessen the potential impact. "Most businesses appear to have Conficker under control," he said. "They've applied patches and updated their anti-virus software to stem the spread of the worm. Some firms struggled to clean it up quickly – but most have now used some of the free Conficker removal tools available for download from security vendors."

  7. #7
    amalgamate is offline Registered User
    Join Date
    Feb 2007
    Posts
    1,863
    Security experts can't work out whether the Conficker virus ... will wreak havoc on Wednesday, or just let the day pass quietly.

    hmmm... quite a concern. Just like the one I have about the Bent and her ELUSIVE deeds


    be VERY careful tomorrow- watch your backs, DON'T let her catch you off guard!!
    It seems as if one fails to conceive
    The meaning my name strives to achieve

    To a biological form you cannot relate-
    Because a reproductive cell is a gamete not gamate!

    It means to unite, -to become consolidated
    So without me in a.com, is there hope we'd be amalgamated?

