Microdyne Computer Services in Medicine Hat, AB


Virus Alerts

April 2009: Conficker Worm
March 2009: Scribble Virus

 

Conficker Worm

Conficker, also known as Downup, Downadup, Conflicker, and Kido, is a computer worm that surfaced on November 21st, 2008 as Conficker.A and targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows 7 Beta.

The latest variant (Conficker.C) will begin checking for a payload to download on March 31st, 2009. The Conficker.A and Conficker.B variants continue to check for payloads, each with a distinct domain generation algorithm.
(from: Conficker Working Group web site.)
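A domain generation algorithm makes an infected machine look up many throw-away domain names, most of which were never registered, so a resolver log from an infected network shows bursts of failed lookups for names that do not look like words. The following is an added detection example written for this page; it is not Conficker's algorithm and not code from the Conficker Working Group or from Microdyne. It scores the registered label of each queried name with two simple pronounceability heuristics and reports hosts with repeated failed lookups of generated-looking names. The log format (client address, query name, response code), the thresholds, and the log lines themselves are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample DNS resolver log (client host, query name, response code).
# These lines are made up for this example; they are not real traffic.
SAMPLE_LOG = """\
10.0.0.12 www.example.com NOERROR
10.0.0.12 mail.example.com NOERROR
10.0.0.45 qkxvzmwl.org NXDOMAIN
10.0.0.45 hjbtrqpzc.net NXDOMAIN
10.0.0.45 zvmxqwfb.info NXDOMAIN
10.0.0.45 wtkpxnyq.com NXDOMAIN
10.0.0.45 lcbvxzqmt.biz NXDOMAIN
10.0.0.45 www.example.com NOERROR
10.0.0.77 update.vendor-example.com NOERROR
10.0.0.77 typo-exampel.com NXDOMAIN
"""

VOWELS = set("aeiou")


def registered_label(qname: str) -> str:
    """Return the label directly left of the top-level domain, e.g. 'qkxvzmwl' for 'qkxvzmwl.org'."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def vowel_ratio(label: str) -> float:
    """Fraction of letters that are vowels; random strings tend to score much lower than words."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return 0.0
    return sum(c in VOWELS for c in letters) / len(letters)


def max_consonant_run(label: str) -> int:
    """Longest run of consecutive consonants; hyphens and digits break the run."""
    run = best = 0
    for c in label:
        if c.isalpha() and c not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(label: str) -> bool:
    """Heuristic (assumed thresholds): long labels with almost no vowels or a long consonant run."""
    return len(label) >= 7 and (vowel_ratio(label) < 0.2 or max_consonant_run(label) >= 5)


def analyze_log(text: str, threshold: int = 3) -> dict:
    """Return {host: sorted suspicious names} for hosts with at least `threshold`
    distinct NXDOMAIN lookups of generated-looking names. Failed lookups are the
    interesting signal: a DGA queries far more names than are ever registered."""
    suspects = defaultdict(set)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip malformed lines instead of failing on them
        host, qname, rcode = fields
        if rcode == "NXDOMAIN" and looks_generated(registered_label(qname)):
            suspects[host].add(qname)
    return {h: sorted(n) for h, n in suspects.items() if len(n) >= threshold}


if __name__ == "__main__":
    for host, names in analyze_log(SAMPLE_LOG).items():
        print(f"{host}: {len(names)} failed lookups of generated-looking names, e.g. {names[0]}")
```

Run against the constructed log, only 10.0.0.45 is reported; the single typo lookup from 10.0.0.77 and the normal lookups from 10.0.0.12 fall below the threshold. The two heuristics are deliberately crude and will miss dictionary-word generators, so in practice the per-host NXDOMAIN count matters more than any single name's score.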

 

MICRODYNE’S Recommendations:

  • Make sure all antivirus software and Windows O/S updates are kept current!
  • Use the links at the bottom of this featured article to
    a) check whether your computer is infected with Conficker, and
    b) remove the Conficker worm from your computer.

Since late 2008, Conficker has propagated to infect hundreds of thousands, or perhaps even millions, of computers. Security researchers note that attacks on massive networks are generally used for money-making schemes, and have been baffled by the ‘dormant’ nature (to date) of Conficker.

However, the mystery is now being revealed, as anti-virus companies report seeing Conficker-infected systems being updated with “SpywareProtect2009”, a scareware product that uses fake security alerts to frighten consumers into paying for bogus computer security software.

According to Kaspersky Labs, once the scareware is downloaded, the victim will usually see warnings which ask if you want to ‘remove the threat’ this program has detected. Of course, this service comes at a price: $49.95. Kaspersky reports that this rogue anti-virus product is being downloaded from a web server in the Ukraine.

The first version of Conficker contained, within its code, instructions telling infected systems to visit a site called TrafficConverter.biz. This was a site that distributors of rogue anti-virus products would go to for the latest programs and links to download locations. Many affiliates were making six-figure paycheques each month distributing this worthless software.

In Microsoft’s bi-annual security report, released the first week of April, rogue anti-virus programs were cited as one of the most prolific and fastest-growing threats facing Windows O/S users today. (See ‘FAKE virus alerts’ in Tech Tips for more details of these issues.)

Researchers at Trend Micro (makers of PC-cillin anti-virus) reported that they also noticed a new file showing up in the ‘temporary directory’ of a number of test machines they’d infected with this worm. They later determined this file had been placed there via Conficker’s built-in peer-to-peer (P2P) communications capability. This allows large groupings of infected systems to hand off software updates and instructions being ‘pushed’ out by the worm’s authors.

Trend also discovered that the update was a version of the ‘Waledac’ family of spam Trojans. Due to similarities in code and other behaviours, researchers consider Waledac to be an incarnation of ‘Storm Worm’, a spam virus that also used a sophisticated P2P mechanism to spread and share updates.

The Conficker update also sets up a web server on the infected system and re-enables the ability to spread itself through the Microsoft Windows vulnerability that caused the outbreak in the first place. This spreading capability was absent in the Conficker version prior to this update.

Paul Ferguson, an advanced threat researcher at Trend, says: ‘We’ve seen it happen very slow and staggered. We have several nodes that have it and several that don’t.’ There are still several components tucked away in this Conficker update that researchers are struggling to unlock. But Ferguson says it’s evident the worm’s authors are ready to start putting it to work.

Detection and removal links:

  • Removal of Conficker: “Verified” F-Secure site
    Conficker blocks infected systems from visiting ‘F-Secure.com’ but not ‘fsecure.com’, which is the same domain. They have a removal tool at this site which you should be able to access and use.
    (from: Brian Krebs, Computer Security, Washington Post web site.)



Scribble Virus

March 20, 2009. This new threat is emerging in India at the moment (but the internet is a global community and we believe it will propagate across the web soon). Please be advised of the following new development: legitimate corporate sites are now being used to distribute viruses and malware.

From “Spamfighter News” (SEE Online Contacts for a direct link to this site.)

According to a new study by security company Symantec, spammers and hackers are chiefly targeting corporate websites to distribute spam, Trojans and other malware. The Symantec researchers state that there has been a dramatic rise in the volume of web-based threats across the Internet. In 2008, web attacks were launched from 808,000 distinct domains, with mainstream company websites being their prime targets.

According to Shantanu Ghosh, VP for Product Operations at Symantec (India), viruses and malware were initially distributed through adult material, pirated software and gaming websites, but the same is now done through corporate websites, which appear more legitimate, as reported by The Economic Times on March 12, 2009.

The study also reveals that some of the recent attacks are carried out by SQL injection into mainstream websites. These attacks alter the websites’ source code to insert commands that enable the attacker to gain control over the sites. Third-party advertisements, or ‘malvertisements’, are also popularly used to divert end-users to malicious websites. Notably, in one instance, the website of the Embassy of the Republic of Azerbaijan in Pakistan and Hungary was controlled by the hackers who compromised it, infecting visitors with malware.
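The injection attacks described above work because a web application pastes visitor-supplied text straight into a database query, letting that text change the query's meaning and, in the mass-injection campaigns of this period, letting the attacker write markup into content the site later serves to its visitors. The following is an added example written for this page, not code from Symantec, Spamfighter News or Microdyne: it puts a vulnerable catalogue search beside its parameterised replacement, and adds a small content audit that flags stored rows containing script or iframe markup, which a product catalogue should never hold. The table, the sample rows, the injected input and the tampering marker are all constructed assumptions; the audit query and the `.invalid` hostname are placeholders, not from the page.

```python
import sqlite3

# Constructed sample rows for an in-memory product catalogue; not data from any real site.
SAMPLE_ROWS = [
    ("Desk lamp", "A small desk lamp.", 1),
    ("Office chair", "Adjustable chair.", 1),
    ("Internal draft", "Not yet released.", 0),
]

# Assumed attacker input for the demonstration: closes the quoted string and
# comments out the rest of the query, so the 'published = 1' filter is lost.
INJECTION_INPUT = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Create the constructed catalogue table in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, description TEXT, published INTEGER)"
    )
    conn.executemany("INSERT INTO products (name, description, published) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def search_vulnerable(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable form: the term is pasted into the SQL text, so quote characters
    in it become part of the query's grammar instead of staying data."""
    sql = f"SELECT name FROM products WHERE published = 1 AND name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn: sqlite3.Connection, term: str) -> list:
    """Hardened form: parameter binding sends the term as a value; the query
    structure is fixed before any user input is seen."""
    sql = "SELECT name FROM products WHERE published = 1 AND name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def find_injected_markup(conn: sqlite3.Connection) -> list:
    """Content audit: return (id, name) of rows whose stored text contains
    script or iframe tags, the trace a successful injection usually leaves."""
    sql = (
        "SELECT id, name FROM products "
        "WHERE lower(description) LIKE '%<script%' OR lower(description) LIKE '%<iframe%'"
    )
    return [(row[0], row[1]) for row in conn.execute(sql)]


def simulate_tampering(conn: sqlite3.Connection) -> None:
    """Constructed stand-in for what an injection leaves behind: markup appended
    to a stored text field. The hostname is a placeholder, not a real site."""
    marker = '<script src="http://malware.example.invalid/x.js"></script>'
    conn.execute("UPDATE products SET description = description || ? WHERE id = 1", (marker,))
    conn.commit()


if __name__ == "__main__":
    db = make_db()
    print("vulnerable, injected input:", search_vulnerable(db, INJECTION_INPUT))
    print("safe, injected input:", search_safe(db, INJECTION_INPUT))
    print("audit before tampering:", find_injected_markup(db))
    simulate_tampering(db)
    print("audit after tampering:", find_injected_markup(db))
```

With the injected input the vulnerable search returns every row, unpublished ones included, while the parameterised search simply finds no product with that odd name. The audit is the complementary detective control: even after the application code is fixed, a periodic scan of text columns for markup is how a site owner learns that earlier injections already altered what visitors are being served.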

Commenting on this point, Vishak Raman, Regional Director of Fortinet (India), a threat management firm, said that Indian corporations were being increasingly targeted with malware attacks on their websites, as reported by The Economic Times on March 12, 2009. During January 2009 alone, a total of 291 Indian corporate websites had been defaced. Of these, 76% had been e-commerce sites, such as auction sites or those belonging to online retailers, while 24% had been sites for financial services, Raman said.

Meanwhile, organizations are facing another menace: spam. Previously, staff members used to receive 2-3 spam mails per day, but that has now increased to 200-300 per day.

As a result, organizations have increased their expenditure on IT security. Even then, cyber criminals continue to target corporate sites. According to the security researchers, the situation may get worse, as these attacks are expected to grow in the coming days since IT security expenditure in 2009 is going to be flat owing to the economic recession.