[infoshare] Fw: Accessible Devices Are Your Microsoft Updates Current? Win 32 WormRunning Wild

  • From: "Luis Guerra" <jerseypalisades@xxxxxxxxxxx>
  • To: "ED FEDUSH" <efedush@xxxxxxxxxxx>
  • Date: Sat, 17 Jan 2009 15:15:35 -0500

This article is well worth reading.

The Win32.Worm.Downadup is raging across the Internet, using new tricks to spread undetected. The worm spreads by exploiting a vulnerability in the Windows RPC Server Service and has infected millions of Windows PCs in the last two weeks.

"From an estimated 2.4 million infected machines to over 8.9 million during the last four days," Toni Koivunen, an F-Secure researcher, wrote in the company's log. "That's just amazing."

According to Koivunen, there are several different variants of Downadup running wild. The algorithm used to create the domain names changes a bit between the variants.

"We've been tracking the variant we believe to be most common [algorithm]. It creates 250 possible domains each day," he said. "We've registered some selected domains out of this pool and are monitoring the connections being made to them."

A Worm by Another Name

Also known as Conficker or Kido, the worm first appeared in late November, exploiting a vulnerability in Microsoft software to spread unhindered on local area networks. Its goal is to install rogue security software on infected computers.

Microsoft issued a patch for the vulnerability, but many users haven't installed it, leaving them open to infection as the worm spreads through portable USB flash drives.

"This malware exploits the fact that many people do not patch their systems," said Viorel Canja, head of BitDefender Anti-Malware Labs. "With its updated configuration and good protection scheme, this worm could become a rival to already established botnets like Storm or Srizbi."

Watch Those Thumb Drives

In late December, BitDefender Labs uncovered a new version of the worm called Win32.Worm.Downadup.B. The malware features some enhancements along with the distribution routine. Specifically, the worm uses USB thumb drives to infect other computers. It does this by copying itself into a random folder created inside the recycler directory (the directory the Recycle Bin uses to store deleted files) and creating an autorun.inf file in the drive's root folder. When the Autorun feature is enabled, the worm executes automatically.

Certain TCP functions also block access to security-related Web sites by filtering every address that contains certain strings. According to BitDefender, this makes the worm harder to remove, since information about it is virtually impossible to gather from an infected computer. What's more, the worm removes all access rights of the user, except execute and directory usage, to protect its files.

Skirting AV Detection

Downadup skirts antivirus protection by working with rarely used APIs (application programming interfaces) to circumvent virtualization technologies. The worm also disables Windows updates and certain network traffic, optimizing Vista features to ease distribution.

According to BitDefender, the Win32.Worm.Downadup.B malware comes with a domain-name-generation algorithm similar to the one found in botnets like Rustock. It composes 250 domains every day and checks some of them for updates or other files to download and install.

"The situation with Downadup is not getting better," F-Secure's Koivunen said. "It's getting worse."
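As an added illustration (not part of the forwarded article or of any vendor's tooling), the following Python sketch shows one defender-side way to spot the behaviour Koivunen and BitDefender describe: a host that works through a daily pool of generated domain names, most of which nobody has registered, shows up in resolver logs as a burst of distinct NXDOMAIN answers from a single client. The log line format, the sample lines and the threshold of five names per day are all constructed assumptions for this example.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Tuple

# Constructed sample resolver log (not real data): "<epoch> <client_ip> <qname> <rcode>".
# 10.0.0.5 behaves normally; 10.0.0.9 burns through random-looking names that do not resolve.
SAMPLE_LOG = """\
1232208000 10.0.0.5 www.example.com NOERROR
1232208010 10.0.0.5 mail.example.com NOERROR
1232208020 10.0.0.9 qlskdjfweoi.biz NXDOMAIN
1232208021 10.0.0.9 zxmnvbqpweur.info NXDOMAIN
1232208022 10.0.0.9 poiuytrewqlk.org NXDOMAIN
1232208023 10.0.0.9 mnbvcxzasdfg.net NXDOMAIN
1232208024 10.0.0.9 update.example.net NOERROR
1232208030 10.0.0.9 asdfghjklqwe.biz NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_log(text: str) -> Iterator[Tuple[int, str, str, str]]:
    """Yield (timestamp, client, qname, rcode); malformed lines are skipped, not guessed at."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)


def flag_dga_clients(text: str, window_s: int = 86400, threshold: int = 5) -> Dict[str, List[str]]:
    """Return {client: sorted distinct NXDOMAIN names} for every client that asked for at
    least `threshold` distinct non-existent domains inside some `window_s`-second window.
    The window defaults to one day because the article describes a daily pool of names."""
    per_client = defaultdict(list)  # client -> [(ts, qname)] for NXDOMAIN answers only
    for ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))
    flagged: Dict[str, List[str]] = {}
    for client, events in per_client.items():
        events.sort()
        start = 0
        # Sliding window over time-ordered events; count distinct names, not raw queries,
        # so a host retrying one typo does not trip the threshold.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window_s:
                start += 1
            distinct = {q for _, q in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[client] = sorted(distinct)
                break
    return flagged
```

In practice the threshold is tuned against the resolver's normal NXDOMAIN baseline, and a hit is a trigger to look at the host's patch state and removable-media history rather than a verdict on its own.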

www.vipconduit.com
and
www.accessible-devices.com
This is an Announce only list. Subscribers are not able to post to this list.

To unsubscribe from the Accessible Devices list, copy the line below, paste it in the To: line of a blank message and send it.
a-d-unsubscribe@xxxxxxxxxxxxxxxxxxxxxx

Please feel free to pass this message on to a friend who might like to subscribe. To subscribe to Accessible Devices, send a blank e-mail to:
a-d-subscribe@xxxxxxxxxxxxxxxxxxxxxx
Just follow the directions in the confirmation message when it comes.

Please Note: Accessible Devices is not able to provide tech support for software or products that we supply information about.