Monday, January 19, 2009

Millions affected by Windows worm - Conficker, Kido or Downadup

The worm Conficker was discovered in October 2008. Anti-virus firm F-Secure estimates there are now 8.9m machines infected.

According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code. It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.
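Because only one generated name is live on a given day, the rest show up as failed lookups, which is something a resolver log can reveal. The following is an added example (not from the BBC article or from F-Secure) that scans constructed DNS log lines for clients accumulating NXDOMAIN answers for random-looking names; the 5-8 lowercase-letter pattern is an assumption modelled on the three names quoted above, not the worm's actual algorithm.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real traffic): timestamp, client, query, rcode.
SAMPLE_LOG = """\
2009-01-19T10:00:01 10.0.0.5 mphtfrxs.net NXDOMAIN
2009-01-19T10:00:02 10.0.0.5 imctaef.cc NXDOMAIN
2009-01-19T10:00:03 10.0.0.5 hcweu.org NXDOMAIN
2009-01-19T10:00:04 10.0.0.5 qzvmrk.net NXDOMAIN
2009-01-19T10:00:05 10.0.0.7 www.bbc.co.uk NOERROR
2009-01-19T10:00:06 10.0.0.7 update.microsoft.com NOERROR
2009-01-19T10:00:07 10.0.0.7 xkcd.com NXDOMAIN
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
# Assumed heuristic, not the real generation algorithm: a registrable label of
# 5-8 lowercase letters sitting directly under a TLD, like the names in the post.
DGA_LIKE = re.compile(r"^[a-z]{5,8}\.[a-z]+$")


def parse_line(line):
    """Split one log line into its fields; return None for lines that don't fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": ts, "client": client, "qname": qname.lower(), "rcode": rcode}


def dga_suspects(log_text, threshold=3):
    """Return {client: sorted distinct DGA-looking names that got NXDOMAIN} for
    every client that failed on at least `threshold` such names."""
    per_client = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        if DGA_LIKE.match(rec["qname"]):
            per_client[rec["client"]].add(rec["qname"])
    return {c: sorted(names) for c, names in per_client.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN lookups, e.g. {names[:3]}")
```

On real logs the threshold would be set per day and per client, since hundreds of failed lookups against a single host is the signal, not any one name.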

Once the worm is running on the computer, it makes it very hard for users to restore their machine to a safe point from before the operating system was infected, and it automatically starts to download further malicious programs from hackers’ websites that compromise the PC even more.

It’s using multiple replication mechanisms, including USB sticks, so if someone gets an infection from one company and then takes his USB stick to another firm, it could infect that network too.

Computer users are advised to ensure their anti-virus software, operating system and firewall are up to date, and that they have installed the Microsoft patch designed to combat the problem, MS08-067, which is available from the Microsoft site.

Read More from BBC...
