Dangerous virus.. Beware!

Kaizer

Windows virus infects 9m computers

Charles Arthur
guardian.co.uk,
Monday 19 January 2009 15.16 GMT


The number of Windows computers infected with the new "downadup" worm – also known as "Conficker" and "Kido" – has exploded to almost 9 million worldwide, from roughly 2.4m last Thursday, according to the computer security company F-Secure.

The growth in the number of infected machines – which the company's researchers called "just amazing" – makes it one of the worst malware outbreaks of the past five years. The principal targets are corporate Windows servers belonging to small businesses who have not installed security updates released by Microsoft last October. F-Secure estimates that a third of all potentially vulnerable systems have not had the update.

But antivirus researchers are still unsure of the precise purpose of the malware, which is spreading via the internet, through unpatched corporate networks and through USB memory sticks attached to infected computers.

First discovered last October, downadup loads itself on to a computer by exploiting a weakness in Windows servers. Although the weakness was noticed and fixed by Microsoft last October, not enough people with vulnerable machines – including those running Windows XP and Vista – have installed it.

The worm can infect USB sticks and any corporate laptop that gets infected could then launch attacks if it was later connected to a home network.

The reason for the explosion in infected machines seems to be a new variant which appeared last week, updated by the hackers who wrote the original. The new one attempts to crack the passwords of machines on a network using the computing power of the infected machine to apply a "brute force" approach – so that passwords such as "admin", "password" or "123456" on potential target machines will quickly be broken.

Once it has infected a machine, the software also tries to connect to up to 250 different domains with random names every day. Researchers reckon that one of them will be the intended "control" domain, and that when the computers connect to it they will download a fresh program that will take over the infected computer.

"This makes it impossible and/or impractical for us good guys to shut them all down – most of them are never registered in the first place," the F-Secure team noted on its weblog. "However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website – and they then gain access to all of the infected machines. Pretty clever."

So far, nobody knows when that domain will become active – or whether it already is. Some have tried registering the domains that the worm tries to connect to (by advancing the clock on an infected PC by a day or two, to see which ones it will connect to) – but gave up because the cost of registering domains grew too high.

McAfee, another antivirus company, points out that weaknesses in Windows are being exploited more and more quickly. In 2001, it took 335 days for a worm to appear that exploited a vulnerability already patched by Microsoft. That worm, called Nimda, nevertheless did serious damage.

Since then, the length of time between patches appearing – which hackers can use to "reverse engineer" a piece of malware that will attack the weakness – has shortened, until the latest patch appeared on the same day that an "exploit" against it was found online.


Source: Windows virus infects 9m computers | Technology | guardian.co.uk
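
Added example (not part of the original post or the quoted article): the article describes infected machines trying up to 250 randomly named domains a day, most of them never registered, which shows up in resolver logs as one client producing many distinct failed lookups. The sketch below flags such clients; the log format, addresses, domain names and thresholds are all constructed assumptions.

```python
import hashlib
from collections import defaultdict

# Assumed log format (constructed for this example):
#   "YYYY-MM-DD client_ip queried_name rcode"
def parse(line):
    parts = line.split()
    if len(parts) != 4:
        return None  # skip malformed lines instead of failing the whole run
    day, client, qname, rcode = parts
    return day, client, qname.lower().rstrip("."), rcode.upper()

def find_dga_like_hosts(lines, min_failed=50, min_fail_ratio=0.8):
    """Flag (day, client) pairs that look up many distinct non-existent names."""
    seen = defaultdict(set)    # (day, client) -> all distinct names queried
    failed = defaultdict(set)  # (day, client) -> distinct names answered NXDOMAIN
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        day, client, qname, rcode = rec
        seen[(day, client)].add(qname)
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(qname)
    alerts = []
    for key, names in failed.items():
        ratio = len(names) / len(seen[key])
        # Both conditions must hold: a single typo should not raise an alert.
        if len(names) >= min_failed and ratio >= min_fail_ratio:
            alerts.append((key[0], key[1], len(names), round(ratio, 2)))
    return sorted(alerts)

def constructed_log():
    """Constructed sample data: one noisy client and one ordinary client."""
    lines = []
    for i in range(250):  # 250 random-looking names in one day, as the article describes
        label = hashlib.sha256(str(i).encode()).hexdigest()[:10]
        rcode = "NOERROR" if i == 7 else "NXDOMAIN"  # one name happens to resolve
        lines.append(f"2009-01-19 10.0.0.23 {label}.example {rcode}")
    for name in ("intranet.example", "mail.example", "update.example"):
        lines.append(f"2009-01-19 10.0.0.40 {name} NOERROR")
    lines.append("2009-01-19 10.0.0.40 typo-domain.example NXDOMAIN")
    lines.append("garbled line")
    return lines

if __name__ == "__main__":
    for alert in find_dga_like_hosts(constructed_log()):
        print(alert)
```

The thresholds need tuning against a network's normal NXDOMAIN rate before the output is used for alerting.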
 
