It’s out there, but it’s widely thought that hackers have yet to activate the payload of the Conficker virus.
Yep, the threats continue. There’s a worm that’s spreading through low-security networks, memory sticks, and PCs. The really sad thing is that much of this threat could be mitigated by making sure that the appropriate security updates have been applied. This malicious program, also known as Downadup or Kido, has been spreading across networks since October 2008. Although its spread appears to be leveling off, the biggest fear is that someone could easily take control of any and all of the estimated 9.5 million PCs that are currently infected.
A full and accurate count is hard to come by, but it is estimated that there are still more than 9 million infected PCs worldwide. And the number isn’t the scariest part. The worst part is just how much control a hacker could have over all these computers. Simply put, they would have access to millions of machines with full administrator rights. With that said, there’s good news and bad news. The good news is they haven’t done that yet. No one is quite sure why they haven’t, but they haven’t! The bad news is that they still could or, worse yet, someone else could figure out how to activate this worm and capitalize on its potential. That is a troublesome prospect!
So, what do we do with this knowledge? First, you should have up-to-date anti-virus software on your computer, and make sure that you have Microsoft’s MS08-067 patch (known as KB958644) installed. Graham Cluley, senior technology consultant with the anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time. Microsoft did a good job of creating an update, and if your system is fully patched, you may (emphasis is intentional and deliberate) not be under great risk, but the virus continues to infect computers that have not been patched.
What makes this even worse is that, for users with weak passwords, this particular little bug can crack them in short order. Even more troubling, this thing can be spread with a USB memory stick. What that means is that even the Windows patch I just mentioned won’t keep you safe on its own. You need a good, current, and freshly updated anti-virus software package to help you move closer to the “safe” category.
So, How Does This Thing Work?
According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code. It then copies itself into the Windows system folder as a random file of a type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.
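The persistence pattern described above (a randomly named 5-8 character .dll dropped in the system folder and registered to run as a service) is something an administrator can check for. The following is an added example, not code from the original post or from Microsoft: it applies that heuristic to a list of service records. The service records, the allowlist of known-good short-named DLLs, and the service name `xvqfms` are all constructed for illustration; on a real Windows host the records would be read from `HKLM\SYSTEM\CurrentControlSet\Services` (the optional `load_from_registry` helper does that with the standard `winreg` module).

```python
"""Heuristic scan for services backed by a short, random-looking .dll in the
Windows system folder.  Added example; the sample records and the allowlist
are constructed, not taken from a real host."""
import ntpath
import re

# Hypothetical minimum allowlist of legitimate short-named service DLLs.
# In practice, build this from a known-good baseline of the same OS build.
KNOWN_GOOD = {"srvsvc.dll", "wkssvc.dll", "dhcpcsvc.dll", "audiosrv.dll"}

SYSTEM_DIR = r"c:\windows\system32"
# 5-8 lowercase letters followed by .dll, e.g. piftoc.dll from the post
RANDOM_NAME = re.compile(r"^[a-z]{5,8}\.dll$")


def _normalize(path: str) -> str:
    """Lower-case the path and expand %SystemRoot% so folders compare cleanly."""
    return path.lower().replace("%systemroot%", r"c:\windows")


def is_suspicious(service: dict) -> bool:
    """True when the service is hosted by svchost.exe and its ServiceDll is an
    unknown 5-8 letter .dll inside the system folder."""
    image = _normalize(service.get("ImagePath", ""))
    dll = service.get("ServiceDll", "")
    if "svchost.exe" not in image or not dll:
        return False
    folder, name = ntpath.split(_normalize(dll))
    if not folder.startswith(SYSTEM_DIR):
        return False
    return bool(RANDOM_NAME.match(name)) and name not in KNOWN_GOOD


def scan(services) -> list:
    """Return the names of services that match the heuristic."""
    return [s["Name"] for s in services if is_suspicious(s)]


# Constructed sample records shaped like the registry values a host would have.
SAMPLE_SERVICES = [
    {"Name": "lanmanserver",
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"%SystemRoot%\System32\srvsvc.dll"},
    {"Name": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
     "ServiceDll": ""},
    # constructed entry mirroring the post's piftoc.dll example
    {"Name": "xvqfms",
     "ImagePath": r"%SystemRoot%\System32\svchost.exe -k netsvcs",
     "ServiceDll": r"%SystemRoot%\System32\piftoc.dll"},
]


def load_from_registry() -> list:
    """Read live service records on a Windows host (no-op elsewhere)."""
    try:
        import winreg
    except ImportError:
        return []
    records = []
    root = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                          r"SYSTEM\CurrentControlSet\Services")
    i = 0
    while True:
        try:
            name = winreg.EnumKey(root, i)
        except OSError:
            break
        i += 1
        rec = {"Name": name, "ImagePath": "", "ServiceDll": ""}
        try:
            with winreg.OpenKey(root, name) as k:
                rec["ImagePath"] = winreg.QueryValueEx(k, "ImagePath")[0]
            with winreg.OpenKey(root, name + r"\Parameters") as p:
                rec["ServiceDll"] = winreg.QueryValueEx(p, "ServiceDll")[0]
        except OSError:
            pass  # value or Parameters subkey absent for this service
        records.append(rec)
    return records


if __name__ == "__main__":
    live = load_from_registry()
    print(scan(live if live else SAMPLE_SERVICES))
```

A hit from this scan is a lead, not a verdict: compare the flagged DLL's hash against the vendor's known files and against what your anti-virus reports before acting on it.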
Once the worm is up and running, it creates an HTTP server, resets a machine’s System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker’s web site. Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down. Unfortunately, Conficker does things a little differently. Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day. Only one of these will actually be the site used to download the hackers’ files. Under these circumstances, tracing this one site is almost impossible.
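Because the worm tries hundreds of generated domain names a day and only one of them resolves, an infected machine leaves a distinctive trace in DNS logs: a burst of failed (NXDOMAIN) lookups for distinct, never-before-seen names. The following is an added example, not from the original post or from F-Secure, showing how a defender could flag that pattern. The log format, the host names `ws17` and `ws02`, the domain names, and the thresholds (10 distinct failed lookups within 5 minutes) are all constructed assumptions; adapt the parser to your resolver's actual log format.

```python
"""Flag hosts whose DNS traffic shows a burst of failed lookups for many
distinct domains, the signature of a domain-generation algorithm.
Added example with constructed log lines; not the worm's own algorithm."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<iso-timestamp> host=<name> q=<domain> rcode=<code>"
LOG_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) q=(?P<q>\S+) rcode=(?P<rcode>\S+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
            "q": m["q"].lower(), "rcode": m["rcode"]}


def flag_dga_hosts(lines, window=timedelta(minutes=5), min_failed=10) -> dict:
    """Return {host: peak} for hosts with >= min_failed distinct NXDOMAIN
    names inside any sliding window of the given length."""
    failed = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["rcode"] == "NXDOMAIN":
            failed[ev["host"]].append((ev["ts"], ev["q"]))
    flagged = {}
    for host, events in failed.items():
        events.sort()
        peak = 0
        for i, (end, _) in enumerate(events):
            # distinct failed names in the window ending at this event
            recent = {d for ts, d in events[: i + 1] if end - ts <= window}
            peak = max(peak, len(recent))
        if peak >= min_failed:
            flagged[host] = peak
    return flagged


# Constructed sample: ws17 fails 12 random-looking names in under two
# minutes; ws02 shows ordinary traffic with a single typo lookup.
DGA_LIKE = ["qwlkfhz.com", "bmxtrpoa.net", "uzjvkcq.org", "hqnrxfe.biz",
            "tkvpzwd.info", "ylsmqxb.com", "ozcjgwr.net", "vxqhnlm.org",
            "rpfkzce.biz", "wbjtqyn.info", "nhxgvqs.com", "kzdrwtl.net"]
CONSTRUCTED_LOG = [
    "2009-01-15T10:0%d:%02d host=ws17 q=%s rcode=NXDOMAIN" % (i // 6, (i % 6) * 10, d)
    for i, d in enumerate(DGA_LIKE)
] + [
    "2009-01-15T10:01:55 host=ws17 q=www.microsoft.com rcode=NOERROR",
    "2009-01-15T10:00:03 host=ws02 q=www.google.com rcode=NOERROR",
    "2009-01-15T10:00:07 host=ws02 q=mail.contoso.com rcode=NOERROR",
    "2009-01-15T10:00:09 host=ws02 q=wwww.google.com rcode=NXDOMAIN",
]

if __name__ == "__main__":
    for host, peak in flag_dga_hosts(CONSTRUCTED_LOG).items():
        print("%s: %d distinct failed lookups in one window" % (host, peak))
```

The check deliberately keys on failed lookups of distinct names rather than on the names themselves, so it does not need to know the algorithm; a host that is merely mistyping addresses stays well under the threshold, while a machine cycling through a generated list stands out.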
It Gets Worse
A new variant, released a few weeks ago, is causing most of the problems. The replication methods are quite good. It uses multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes their USB stick to another firm, it could infect that network as well. It also downloads lots of content and creates new variants through this mechanism.
So, do you have a USB memory stick? Does anyone who uses your network have one? And, are you confident about your Antivirus package and its related virus definitions? How about patches, like the one I mentioned earlier? If you’re not confident about your answers to any of these questions, give us a call!