💾 Archived View for gmi.noulin.net › mobileNews › 973.gmi captured on 2023-01-29 at 08:22:01. Gemini links have been rewritten to link to archived content

View Raw

More Information

⬅️ Previous capture (2021-12-05)

➡️ Next capture (2024-05-10)

🚧 View Differences

-=-=-=-=-=-=-

Windows worm numbers 'skyrocket'

2009-01-19 05:47:30

Infections of a worm that spreads through low security networks, memory sticks,

and PCs without the latest security updates is "skyrocketing".

The malicious program, known as Conficker, Downadup, or Kido was first

discovered in October 2008.

Anti-virus firm F-Secure estimates there are now 8.9m machines infected.

Experts warn this figure could be far higher and say users should have

up-to-date anti-virus software and install Microsoft's MS08-067 patch.

In its security blog, F-Secure said that the number of infections based on its

calculations was "skyrocketing" and that the situation was "getting worse".

Speaking to the BBC, Graham Culley, senior technology consultant with

anti-virus firm Sophos, said the outbreak was of a scale they had not seen for

some time.

"Microsoft did a good job of updating people's home computers, but the virus

continues to infect business who have ignored the patch update.

"A shortage of IT staff during the holiday break didn't help and rolling out a

patch over a large number of computers isn't easy.

"What's more, if your users are using weak passwords - 12345, QWERTY, etc -

then the virus can crack them in short order," he added.

"But as the virus can be spread with USB memory sticks, even having the Windows

patch won't keep you safe. You need anti-virus software for that."

Method

According to Microsoft, the worm works by searching for a Windows executable

file called "services.exe" and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type

known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and

then modifies the Registry, which lists key Windows settings, to run the

infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's

System Restore point (making it far harder to recover the infected system) and

then downloads files from the hacker's web site.

Most malware uses one of a handful of sites to download files from, making them

fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to

generate hundreds of different domain names every day, such as mphtfrxs.net,

imctaef.cc, and hcweu.org. Only one of these will actually be the site used to

download the hackers' files. On the face of it, tracing this one site is almost

impossible.

Variant

Speaking to the BBC, Kaspersky Lab's security analyst, Eddy Willems, said that

a new strain of the worm was complicating matters.

"There was a new variant released less than two weeks ago and that's the one

causing most of the problems," said Mr Willems

"The replication methods are quite good. It's using multiple mechanisms,

including USB sticks, so if someone got an infection from one company and then

takes his USB stick to another firm, it could infect that network too. It also

downloads lots of content and creating new variants though this mechanism."

"Of course, the real problem is that people haven't patched their software," he

added.

Technicians have reverse engineered the worm so they can predict one of the

possible domain names. This does not help them pinpoint those who created

Downadup, but it does give them the ability to see how many machines are

infected.

"Right now, we're seeing hundreds of thousands of unique IP addresses

connecting to the domains we've registered," F-Secure's Toni Kovunen said in a

statement.

"We can see them, but we can't disinfect them - that would be seen as

unauthorised use."

Microsoft says that the malware has infected computers in many different parts

of the world, with machines in China, Brazil, Russia, and India having the

highest number of victims.