Posts Tagged ‘windows’

Windows virus spreads quickly, but may be a dud

February 7, 2009
8:23AM Tuesday Jan 20, 2009
Andrew Vanacore

NEW YORK – A computer virus that may leave Microsoft Windows users vulnerable to digital hijacking is spreading through companies in the U.S., Europe and Asia, already infecting close to nine million machines, according to a private online security firm.

Fortunately, however, it may be a dud.

Though computer bugs have become a common affliction, Finland-based F-Secure says a virus it has been tracking for the past several weeks has surged more rapidly through corporate networks than anything they have seen in years.

But the virus does not appear to be working as its designers intended. F-Secure’s chief security adviser, Patrik Runald, said the virus’s coding suggests a type of bug that alerts computer users to bogus infections on their machines and offers to help by selling them antivirus software.

Instead, the virus is simply spreading to little effect, though it may still pose a threat to infected computers.

“The gang behind this worm haven’t used it yet,” F-Secure’s chief research officer, Mikko Hypponen said by phone. “But they could do anything they like with any of these machines at any time.”

Microsoft issued a security update last week to deal with the so-called “Downadup” or “Conficker” virus, which appears to be a new version of a bug that popped up in October.

“Over the last couple of weeks, a new variant of this worm has been affecting customers,” the company acknowledged in a blog post. Microsoft said the virus is spreading by gaining access to one computer and then guessing at passwords of other users in the same network: “If the password is weak, it may succeed.”

A company representative couldn’t immediately be reached Saturday to comment on F-Secure’s estimate of infected machines.

Most computers with Windows will automatically download Microsoft’s security update, but Hypponen said the virus disables updates on infected machines.

While the origin of the virus is a mystery, F-Secure’s best guess is it came from Ukraine. Hypponen said it is coded to avoid computers there, which may indicate whoever wrote the virus was trying to avoid drawing attention from local authorities.

- AP

from:  http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&

Securing the Windows 7 beta

February 7, 2009

Posted by Ina Fried

Despite the fact that security programs are often some of the toughest code to make work with a new operating system, Windows 7 already has several companies ready with products aimed at keeping it safe from attackers.

By comparison, only one antivirus firm–McAfee–had its security software commercially ready by the time Microsoft launched Vista for businesses in November 2006.

That said, it stands to reason: Microsoft was making far more dramatic changes to the operating system’s underlying architecture in Vista than it is in Windows 7.

This time around, it is AVG, Kaspersky, and Symantec that have products that are being touted from Microsoft’s site. McAfee said it will have support by the time Windows 7 launches, while Trend Micro is working to have a compatible product in the next month or so.

“It is great to see that these partners were able to have their solutions working so early in our development process,” Microsoft’s Brandon LeBlanc said in a blog posting.

Dave Cole, a senior director of product management at Symantec, said his company decided to offer up a test version of its Norton 360 product for use with Windows 7, even though the company knows there are still a few things left to work out.

“We determined that we could run reasonably well under Windows 7,” Cole said. “There are bugs that we know about, but we’re comfortable enough with the effectiveness of the product that when they called us to participate we took them up on the offer.”

Having the support lined up is important to Microsoft, which built an “action center” into the operating system that warns users if it detects there is no antivirus software installed. The action center then points to a page on Microsoft’s Web site with links to Windows 7-compatible security software.

The page lists Kaspersky, AVG, and Norton, but adds that “Microsoft is actively working with additional security software independent software vendors (ISVs) so that security software solutions will be available for Windows 7 Beta and (the final release of) Windows 7.”

As far as Windows 7’s approach to security, it appears to draw heavily from the investments the company made with Windows Vista.

The most notable change is probably the fact that users now have the option to choose how often they are required to authorize changes to their system. One of the most frequent criticisms of Vista was the annoyance of the User Account Control dialog boxes that forced users to authenticate many types of changes to their systems.

Microsoft spent a fortune securing Vista, both in engineering new features as well as in testing. The software maker corralled a significant chunk of the world’s penetration testers to help poke at Vista ahead of its release.

The software maker plans some penetration testing for Windows 7, but declined to say how much or whether it would be comparable to its Vista effort.

from: http://news.cnet.com/8301-13860_3-10143466-56.html?tag=rtcol;pop

Three million hit by Windows worm

February 7, 2009
(Image: USB drives. Credit: BBC)

The worm can also spread via USB flash drives.

A worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users.

The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.

Although Microsoft released a patch, it has gone on to infect 3.5m machines.

Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft’s MS08-067 patch.

According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine’s System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker’s web site.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers’ files. On the face of it, tracing this one site is almost impossible.

Speaking to the BBC, Kaspersky Lab’s security analyst, Eddy Willems, said that a new strain of the worm was complicating matters.

“There was a new variant released less than two weeks ago and that’s the one causing most of the problems,” said Mr Willems.

“The replication methods are quite good. It’s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism.”

“Of course, the real problem is that people haven’t patched their software. If people do patch their software, they should have little to worry about,” he added.

Technicians have reverse engineered the worm so they can predict one of the possible domain names. This does not help them pinpoint those who created Downadup, but it does give them the ability to see how many machines are infected.

“Right now, we’re seeing hundreds of thousands of unique IP addresses connecting to the domains we’ve registered,” F-Secure’s Toni Kovunen said in a statement.

“We can see them, but we can’t disinfect them – that would be seen as unauthorised use.”
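The two defender-side measurements described above (counting distinct IPs that contact a pre-registered domain, and spotting hosts whose failed lookups look like they come from a domain-generation algorithm), as an added Python example that is not part of the BBC article or F-Secure's tooling. The log formats, the sample lines and the consonant-run heuristic are constructed assumptions, not the worm's real algorithm.

```python
import re
from collections import defaultdict

# Constructed sinkhole web-server log (not real data): "source_ip day domain"
SINKHOLE_LOG = """\
10.0.0.5 2009-01-20 mphtfrxs.net
10.0.0.6 2009-01-20 mphtfrxs.net
10.0.0.5 2009-01-20 mphtfrxs.net
10.0.0.9 2009-01-21 imctaef.cc
10.0.0.6 2009-01-21 imctaef.cc
"""

# Constructed internal resolver log (not real data): "client qname rcode"
DNS_LOG = """\
10.0.0.5 mphtfrxs.net NXDOMAIN
10.0.0.5 imctaef.cc NXDOMAIN
10.0.0.5 hcweu.org NXDOMAIN
10.0.0.5 qzvxkrt.info NXDOMAIN
10.0.0.7 www.microsoft.com NOERROR
10.0.0.7 update.microsoft.com NOERROR
10.0.0.7 old-wiki.corp.local NXDOMAIN
"""

def unique_ips_per_day(log: str) -> dict:
    """Distinct source IPs per day hitting the sinkholed domains: the
    same style of count F-Secure used to estimate infected machines."""
    seen = defaultdict(set)
    for line in log.splitlines():
        ip, day, _domain = line.split()
        seen[day].add(ip)
    return {day: len(ips) for day, ips in seen.items()}

CONSONANT_RUN = re.compile(r"[bcdfghjklmnpqrstvwxz]{3,}")

def looks_random(domain: str) -> bool:
    """Heuristic (an assumption for this example): the second-level label is
    purely alphabetic and has a run of three or more consonants, as the
    sample names quoted in the article do."""
    label = domain.split(".")[-2]
    return label.isalpha() and bool(CONSONANT_RUN.search(label))

def flag_dga_clients(log: str, threshold: int = 3) -> set:
    """Clients with at least `threshold` NXDOMAIN answers for distinct
    random-looking names; only the day's live domain would resolve, so an
    infected host leaves a trail of failed lookups."""
    hits = defaultdict(set)
    for line in log.splitlines():
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN" and looks_random(qname):
            hits[client].add(qname)
    return {c for c, names in hits.items() if len(names) >= threshold}
```

The consonant-run test is deliberately crude; in practice it is the combination with a high NXDOMAIN rate per client that keeps false positives down.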

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

from:  http://news.bbc.co.uk/2/hi/technology/7832652.stm