Topic: Worm infects millions of computers
Damo
Posts: 3348
Location: Brisbane, Queensland
Worm infects millions of computers

* Glenn Chapman, San Francisco
* January 22, 2009

A NASTY "worm" has wriggled into millions of computers and continues to spread, leaving security experts wondering whether the attack is a harbinger of evil deeds to come.

American software protection firm F-Secure says a worm known as "Conficker" or "Downadup" had infected more than 9 million computers by Tuesday and was spreading at a rate of 1 million machines daily.

The malicious software had yet to do noticeable damage, prompting debate as to whether it is impotent, waiting to detonate, or a test run by cyber-criminals intent on profiting from the weakness in future.

"This is enormous, possibly the biggest virus we have ever seen," said software security specialist David Perry of Trend Micro.

"I think the bad guys are field-testing a new technology. If Conficker proves to work well, they could go out and sell 'malware' (malicious software) to people. There is a huge market for selling criminal malware."

The worm, a self-replicating program, takes advantage of networks or computers that haven't kept up to date with security patches for Windows Remote Procedure Call Server service.

It can infect machines via the internet or by hiding on USB memory sticks carrying data from one computer to another. Once in a computer it digs deep, setting up defences that make it hard to extract.

Malware could be triggered to steal data or turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.

"Here we are with a big, big outbreak and they keep revamping their methodology to increase the size of it," Mr Perry said.

"They could be growing this huge botnet to slice it up and sell it on the criminal market."

Microsoft says it is aware of the Conficker "worm family" and has modified its free Malicious Software Removal Tool to detect and get rid of infections.

AFP



http://www.theage.com.au/world/worm-infects-millions-of-computers-20090121-7mq1.html
TiT
Posts: 1882
Location: Brisbane, Queensland
yes read this yesterday.... we have had to format 3 computers in the last couple of days :(
trog
AGN Admin
Posts: 25919
Location: Brisbane, Queensland

Is this from an as-yet unpatched hole in Windows or was it already fixed in a recent Windows update? I spose that'd be a bit hard for The Age to research, only having a handful of journalists.
Fireblood
Posts: 9058
Location: Brisbane, Queensland
Yeah well Ebay sent me an email today saying that my account had been compromised, and that perhaps my email had been as well if i didn't receive any messages from ebay.

Which, personally I think is either this worm, or a complete load of bulls***.

Have a totally up to date virus scanner/firewall and Windows...and did a scan last night!
Alt_F4
Posts: 695
Location: Brisbane, Queensland
Is this from an as-yet unpatched hole in Windows or was it already fixed in a recent Windows update? I spose that'd be a bit hard for The Age to research, only having a handful of journalists.


This worm was around back in October I think, and Microsoft released a patch for it sometime back then. Pretty sure this is old news, and the only reason the article just surfaced is because an anti-virus company released the 9m figure.
trog
AGN Admin
Posts: 25920
Location: Brisbane, Queensland

Yeah well Ebay sent me an email today saying that my account had been compromised, and that perhaps my email had been as well if i didn't receive any messages from ebay.

Which, personally I think is either this worm, or a complete load of bulls***.
I get about a million of those emails a day and I don't use ebay and afaik don't have an ebay account. It's usually pretty easy to tell if they're scams, just mouseover the links and see if they go to ebay.com.. picking one ebay email at random from my spamfilter it tries to send me to home.doramail.com/qustion/0099888.html which I DONT THINK IS EBAY!@#
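The check described in the post above (look at where a link actually goes rather than what it displays), as an added example that is not part of the thread. The function and class names are hypothetical, the mail body is constructed, and the `example.net` / `example.org` links are made-up lookalikes; only the `home.doramail.com` URL comes from the post.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

def host_belongs_to(url, brand_domain):
    """True only if the URL's real host is brand_domain or a subdomain of it."""
    if "://" not in url:
        url = "http://" + url  # bare "host/path", as quoted in the post
    # .hostname drops any "user@" prefix and port, so "ebay.com@other" is "other"
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    return host == brand_domain or host.endswith("." + brand_domain)

class LinkCollector(HTMLParser):
    """Collects (visible text, href) for every <a> in an HTML mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def suspicious_links(html_body, brand_domain="ebay.com"):
    """Return every href whose host is not brand_domain or one of its subdomains."""
    parser = LinkCollector()
    parser.feed(html_body)
    return [href for _text, href in parser.links
            if not host_belongs_to(href, brand_domain)]

# Constructed sample: the visible text of the first link claims to be eBay.
SAMPLE_MAIL = """
<p>Your account has been compromised.</p>
<a href="http://home.doramail.com/qustion/0099888.html">http://signin.ebay.com/</a>
<a href="http://signin.ebay.com/help">Help</a>
<a href="http://ebay.com.example.net/login">Sign in</a>
<a href="http://www.ebay.com@example.org/verify">Verify</a>
"""

if __name__ == "__main__":
    for href in suspicious_links(SAMPLE_MAIL):
        print("does not go to ebay.com:", href)
```

The suffix test needs the leading dot: matching on a bare `ebay.com` substring would accept both lookalike links in the sample.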
Spook
Posts: 23959
Location: Brisbane, Queensland
is it an ms issue?

they are obviously aware of the problem

Microsoft says it is aware of the Conficker "worm family" and has modified its free Malicious Software Removal Tool to detect and get rid of infections.
simul
Posts: 380
Location: Brisbane, Queensland
Hasn't seemed to hit my unfirewalled unvirusprotected computer which is set up as a DMZ :) Mac FTW.

Pinky
Posts: 437
Location: Melbourne, Victoria

If worms/virii are such a threat there should be an independent dept in Computer Science at some University - asking a commercial company that makes virus scanners for a living if there is a virus threat is a joke and ridiculous reporting on behalf of The Age. I love The Age, I used to work there and it's my preferred news source, however I am noticing more and more sensationalist journalism which irks me. It isn't "reporting" - it's opinion, and there's a section for that.

**EDIT** Correction to above - poor editing on behalf of The Age to include a badly scripted AFP report. My mistake.
thermite
Posts: 810
Location: Brisbane, Queensland
I love how the article doesn't point out that the Microsoft Windows Operating System is the vulnerable thing about the infected computers. They only mention it in a backhand kind of way:
takes advantage of networks or computers that haven't kept up to date with security patches for Windows Remote Procedure Call Server service.

The question is whether this was out of ignorance for other operating systems, or from the knowledge that if there is a virus, there is windows.

simul
Posts: 382
Location: Brisbane, Queensland
RPC? Interesting, isn't that what Blaster used to get through? You'd think they would secure the hell out of it after the Blaster crap.
Alt_F4
Posts: 698
Location: Brisbane, Queensland
It isn't necessarily Windows' fault that it gets ravaged by virii. It is impossible to close every loophole, it's just that Windows is the OS most people use so is obviously the best target for hackers.
pARODY
Posts: 216
Location: Brisbane, Queensland
MS08-067 is the hole most of the 900+ variants of this virus/worm use. It's quite difficult to isolate as it uses http and dns traffic to communicate. This makes it difficult to analyze and identify before it infects a machine.

http://isc.sans.org/diary.html?storyid=5695 lists much of the detail about how it works.


http://support.microsoft.com/kb/953252 lists how to disable autorun properly.
Chickens***
Posts: 281
Location: Brisbane, Queensland
This is f***ing awesome. I hope this thing spreads out of control and actually starts doing something.
Crunch
Posts: 1004
Location: Perth, Western Australia
oh man my work got hammered with this thing the last few days. Good thing we have an IT guy who has worked at the same company for 20 years, has no qualifications and is generally inept at what he does (if google doesn't list a solution, it can't be solved!).
Scorp
Posts: 312
Location: Brisbane, Queensland
why the f*** is Conficker being so overtalked? any virus that is being talked about MS AND the antivirus companies already know about and therefore if you're not one of those tards using a hacked version of win xp without so much as one update (because it's hacked) or an antivirus (because you're a moron) or firewall (because you're less tech savvy) then you'll get it... if you're not then you're fine. out of the 700+ computers we run, not one has got this bloody virus.

if you want to worry about something, worry about the viruses that hackers make that are never talked about. worry about that malware that gets onto your windows box that the av and malware endpoint protection doesn't pick up on.

hell a good 1 hour google around hacking sites will give you the framework code that any year 10 it student can hack around, add a payload, compile and spam to begin his own botnet that he can sell for us $10 per 100 drones per hour. sigh.
Spook
Posts: 23965
Location: Brisbane, Queensland
cracked os's are fine for updates
Scorp
Posts: 313
Location: Brisbane, Queensland
how'd you get around the windows genuine advantage crap spook?
Spook
Posts: 23973
Location: Brisbane, Queensland
there are ways around that work permanently
Scorp
Posts: 314
Location: Brisbane, Queensland
wow that's really fail on microsoft's behalf. i was always under the impression if you didn't have a legit key after that last service pack came through you couldn't use the windows update website...

if you mean how you can download a program that downloads all updates and installs them for you then meh... too much effort and not reliable enough (0day) imo
Spook
Posts: 23975
Location: Brisbane, Queensland
nope, just do a small setup, and get updates as per normal
Crakaveli
Posts: 3061
Location: USA
there are ways around that work permanently


i don't recall having to do anything special to get around, just ran the verification program and it worked. GJ MS lol.
Midda
Posts: 3055
Location: Brisbane, Queensland
how'd you get around the windows genuine advantage crap spook?

In my experience, WGA hasn't been a problem. I was running a cracked version of Vista once, but WGA thought it was legit. I didn't do anything to get around it, it just worked.
casa
Thimes
Posts: 3157
Location: Brisbane, Queensland

On a personal level, virus' are f***en lol.
People can hax my files man, look at my pr0ns and delete my fielz. Nothing a format won't fix.
pARODY
Posts: 217
Location: Brisbane, Queensland
The thing with conficker is that its main payload has not been released yet. We have some general ideas about what it could contain and none of them are good. So patch up. :]
Tollaz0r!
Posts: 9473
Location: Brisbane, Queensland

We have some general ideas about what it could contain and none of them are good.


I thought one of the ideas is that it could contain nothing. That is good.