Safe Computing and Preventing Malware Infections
The current outbreak of the polymorphic worm Downadup, aka Conficker and Kido, and all its variants makes very clear that many users don’t act in a responsible and secure way. After all, at the moment 9 (nine) million PCs are contaminated by that worm because of a missing Microsoft Security Update for Windows (KB958644). At the same time numerous users don’t possess safe computing and surfing habits, ignore standard precautions, haven’t the slightest idea how to prevent malware, and in case their PC is contaminated by malware they try to clean it themselves or with the help of self-declared “security experts”. Keep in mind that malware cleaning/removal isn’t a job for amateurs; it is a dedicated job for well trained and fully qualified malware hunters.
Safe computing/surfing and preventing malware is a matter of education. Only well educated users have a reasonable chance to remain “clean”. The sole aim of me and my staff on Smokey’s Security Forums is to provide the user, for free, with Education, Support, Help and Advice, and in case the PC of the user is infected by malware, to offer malware cleaning/removal by real security experts: comprehensively trained, fully qualified HJT/OTListIt2 Analysers/Malware Hunters.
Some basic rules for safe computing, related links at the end of this post:
– Activate the automatic update function in Windows. Always accept and install all updates offered by Microsoft.
– If you don’t like automatic updates, consider using the Microsoft Baseline Security Analyzer (MBSA). MBSA is an easy to use free tool that helps individuals and small and medium businesses determine their security state in accordance with Microsoft security recommendations, and offers specific remediation guidance. It improves your security management process by detecting common administrative vulnerabilities and missing security updates on your computer systems.
– Always install all Service Packs offered by Microsoft.
– Educate and protect yourself, e.g. by visiting my board and reading the FAQs, How-To’s and Advisories concerning Safe Computing and Preventing Malware.
– In case your PC is infected by malware, adware or any other undesired badware or nasties, visit my board to get rid of such crap. Only fully qualified HijackThis & OTListIt2 Log Analysers/Malware Hunters will care about these infections and help you in a professional way, of course for free, to get rid of them. Note: only registered board members will receive malware removal/cleaning help; registering on my board is also free.
Update 2010-14-03: guests are now allowed to post on Smokey’s for Log Analysis and Malware Removal help.
Links
– Smokey’s Security Forums
– FAQs, How-To’s and Advisories concerning Safe Computing and Preventing Malware
– HijackThis (HJT) & OTListIt2 Log Analysis and Malware Removal/Cleaning Assistance and Services
– Microsoft Baseline Security Analyzer (MBSA) Frequently Asked Questions
– Download Microsoft Baseline Security Analyzer
Safe computing!
Smokey’s Security Forums is Site Member ASAP
January 17, 2009 Posted by Smokey
Outbreak of the polymorphic worm Downadup aka Conficker aka Kido
Posted Jan 15, 2009
– Revision v1.00, Jan 16, 2009: The number of Downadup infections is skyrocketing according to F-Secure’s calculations: from an estimated 2.4 million infected machines to over 9 (nine) million during the last four days…
– Revision v1.01, Jan 16, 2009: Blog post updated to reflect current events.
– Revision v1.02, Jan 17, 2009: Added worm symptoms and a link to the infection calculations performed by F-Secure.
– Revision v1.03, Jan 17, 2009: Added effective protection measures against the worm.
– Revision v1.04, Jan 23, 2009: Worm/malware removal/disinfection tools updated.
– Revision v1.05, Feb 08, 2009: OpenDNS/Kaspersky Lab tracking and blocking services added.
The Downadup worm, which exploits a months-old Windows bug/vulnerability, has infected more than a million PCs in the past 24 hours, a security company said today. Aliases of the worm are Worm.Conficker [PCTools], W32.Downadup [Symantec], Net-Worm.Win32.Kido.ih [Kaspersky Lab], W32/Conficker.worm [McAfee], W32/Confick-A [Sophos], Worm:Win32/Conficker.A [Microsoft] and Worm.Win32.Conficker [Ikarus].
Early Wednesday, the Finland-based security firm F-Secure Corp. estimated that 3.5 million PCs had been compromised by the “Downadup” worm, an increase of more than 1.1 million since Tuesday.
“[And] we still consider this to be a conservative estimate,” said Sean Sullivan, a researcher at F-Secure, in an entry to the company’s Security Lab blog. Yesterday, F-Secure said the worm had infected an estimated 2.4 million machines.
The worm, which several security companies have described as surging dramatically during the past few days, exploits a bug in the Windows Server service used by all supported versions of Microsoft Corp.’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.
The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.
The neat thing about Downadup is the way it “phones home”. As Mikko Hyppönen, chief research officer at anti-virus company F-Secure explains:
It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day. It concerns hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org. This makes it impossible and/or impractical to shut them all down — most of them are never registered in the first place. The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines.
Anybody can register one of the unused domains and gain access to all of the infected machines. Pretty dumb. However, everyone will sit by and watch the infections happen, because nobody can interfere: unauthorised use of a PC may even be illegal. It’s like watching a small child wandering onto a motorway….
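The deterministic daily domain list described above is also what makes the worm trackable: whoever reimplements the generator gets the same candidates in advance, so a defender can pre-compute a day’s names and match DNS query logs against them. The following is an added example, not code from the post, from F-Secure or from the worm; its generator is a constructed stand-in seeded from the date (not Conficker’s real algorithm), and the query log lines are constructed.

```python
"""Constructed, date-seeded domain generator (NOT Conficker's algorithm) and
the defensive use of it: pre-compute a day's candidates, merge them with a
published blocklist, and flag clients that resolve any of those names."""
import hashlib
import re

TLDS = ("ws", "net", "cc", "org")  # the TLDs seen in the post's sample names
DOMAINS_PER_DAY = 250              # constructed; the post only says "hundreds"

def candidate_domains(day_iso, count=DOMAINS_PER_DAY):
    """Deterministic candidate list for a 'YYYY-MM-DD' date: same input, same list."""
    domains = []
    for i in range(count):
        # A hash of "YYYY-MM-DD:i" stands in for the worm's daily seed.
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).digest()
        length = 5 + digest[0] % 6                           # 5..10 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[11] % len(TLDS)]}")
    return domains

# Names quoted in the post, joined (the post inserts spaces to defang them).
POSTED_DOMAINS = ("qimkwaify.ws", "mphtfrxs.net", "gxjofpj.ws", "imctaef.cc", "hcweu.org")

# Constructed BIND-style query log lines; not real traffic.
SAMPLE_LOG = [
    "16-Jan-2009 08:00:01.100 client 192.168.1.20#1025: query: qimkwaify.ws IN A +",
    "16-Jan-2009 08:00:01.200 client 192.168.1.20#1026: query: MPHTFRXS.NET IN A +",
    "16-Jan-2009 08:00:02.000 client 192.168.1.21#1025: query: www.google.com IN A +",
    "16-Jan-2009 08:00:03.000 client 192.168.1.22#1030: query: hcweu.org. IN A +",
    "16-Jan-2009 08:00:04.000 client 192.168.1.21#1027: query: updates.example.net IN A +",
]

QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN A")

def flag_queries(log_lines, blocklist):
    """Return {client_ip: sorted list of blocklisted names it resolved}."""
    block = {d.lower().rstrip(".") for d in blocklist}
    hits = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue                          # not a query line; ignore it
        client, qname = m.groups()
        qname = qname.lower().rstrip(".")     # normalise case and trailing dot
        if qname in block:
            hits.setdefault(client, set()).add(qname)
    return {ip: sorted(names) for ip, names in hits.items()}

def daily_blocklist(day_iso, extra=POSTED_DOMAINS):
    """The day's pre-computed candidates plus any published indicator list."""
    return set(candidate_domains(day_iso)) | set(extra)

if __name__ == "__main__":
    for ip, names in flag_queries(SAMPLE_LOG, daily_blocklist("2009-01-16")).items():
        print(f"{ip} resolved {len(names)} blocklisted name(s): {', '.join(names)}")
```

Clients 192.168.1.20 and 192.168.1.22 are reported; 192.168.1.21 only resolved ordinary names and stays silent.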
Downadup can also spread by using an autorun file on a USB memory stick, so if you autorun thumb drives on an unpatched machine, you could be vulnerable.
Almost all the infections are of Windows XP machines and, as Microsoft notes, plenty of corporate customers (who are usually not using AutoUpdate) have been caught. F-Secure says:
“A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.”
Either way, security experts are anxiously awaiting the attackers’ next move. They suspect a massive botnet is in the works, but so far the attackers haven’t completely tipped their hand. The mere infection of so many machines that could then be controlled by a third party indicates it is indeed a botnet-in-progress, according to Damballa, a computer security company devoted to disrupting botnets. “It’s a close call. If it has the potential for a remote, malicious third party to do whatever they want, that makes it a botnet,” says Paul Royal, chief scientist for the antibotnet company.
“Whoever is behind this is not ready to deploy his or her code just yet. Maybe they first need to figure out how to get their botnet controller to scale to handle [millions of] nodes,” Stewart, director of malware research for SecureWorks, notes.
One thing that is certain: The worm is spreading like wildfire, and its creators appear to be trying to beat the clock and infect as many machines as they can that haven’t yet patched for the Windows bug/vulnerability. The perpetrators have been cranking out new variants of the worm to evade detection, and, so far, its main mission has been pushing rogue antivirus software.
According to Damballa, Confickr/Downadup spreads fast like a Slammer, but this one has a command and control channel: “It propagates like a worm and can act like a bot. Perhaps it’s representative of a hybrid that may represent a new class of malware” rather than the social networking or email lures of old.
Urgent advice: users are strongly recommended to ensure their antivirus databases are up to date. A patch for the Windows bug/vulnerability is available from Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx This is Microsoft Security Bulletin MS08-067 – Critical / Vulnerability in Server Service Could Allow Remote Code Execution (958644). Complete and effective protection measures against the worm are listed at the end of this post.
Sources/references of this outbreak alert and background information:
Kaspersky Lab
Guardian.co.uk
Microsoft
ThreatExpert
F-Secure
Symantec
NetworkWorld
DarkReading
Symptoms of the worm:
– http://www.bitdefender.fr/VIRUS-1000462-fr–Win32.Worm.Downadup.Gen.html
– http://www.ca.com/gb/securityadvisor/virusinfo/virus.aspx?id=76852
Removal and disinfection tools:
Kaspersky Lab – http://support.kaspersky.com/faq/?qid=208279973
Symantec – http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
List of domains that are currently distributing the Downadup worm and its variants: http://www.f-secure.com/weblog/archives/downadup_domain_blocklist.txt
Complete/effective protection measures against the worm, apply all 3 measures:
1. Apply Microsoft patch MS08-067: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2. Provide the administrator account of the computer with a strong password (the worm uses a brute-force dictionary attack against the administrator password): http://www.safepasswd.com/
3. Completely disable the AutoRun function; this is a brutal but highly effective hack: http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
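An added example (not a tool from the post, from Microsoft or from Nick Brown’s blog) that verifies the three measures above offline, from text collected on the Windows machine: the output of wmic qfe get HotFixID and a reg export of the AutoRun-related keys. The NoDriveTypeAutoRun policy check and the password rule are assumptions of this example, not taken from the post; the sample inputs are constructed.

```python
"""Offline checker for the three measures: MS08-067 patch present, AutoRun
disabled, strong administrator password. Reads collected text only, so it
never touches a live registry."""
import re

PATCH_KB = "KB958644"  # the MS08-067 update the post refers to
# Nick Brown's hack: map Autorun.inf parsing onto a non-existent INI section.
INI_KEY = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion"
           r"\IniFileMapping\Autorun.inf")
# Companion policy value (assumption: not mentioned in the post).
POLICY_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"

SAMPLE_QFE = "HotFixID\nKB951376\nKB958644\nKB956841\n"   # constructed wmic output
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""  # constructed export of a hardened machine

def patch_installed(qfe_output, kb=PATCH_KB):
    """True if the KB id appears as its own line in the hotfix listing."""
    return any(line.strip().upper() == kb for line in qfe_output.splitlines())

def parse_reg_export(text):
    """Minimal .reg parser: {key_path: {value_name: raw_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            keys[current][name.strip('"')] = raw.strip()
    return keys

def autorun_disabled(reg):
    """Either the IniFileMapping hack or NoDriveTypeAutoRun=0xFF counts."""
    mapping = reg.get(INI_KEY, {}).get("@", "").strip('"')
    policy = reg.get(POLICY_KEY, {}).get("NoDriveTypeAutoRun", "")
    return mapping.upper().startswith("@SYS:") or policy.lower() == "dword:000000ff"

def strong_password(pw):
    """Assumed rule: 12+ characters and at least three character classes."""
    classes = [re.search(p, pw) is not None for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w\s]")]
    return len(pw) >= 12 and sum(classes) >= 3

def check(qfe_output, reg_export, admin_password):
    """Evaluate all three measures; every False is something still to fix."""
    reg = parse_reg_export(reg_export)
    return {"ms08_067_patched": patch_installed(qfe_output),
            "autorun_disabled": autorun_disabled(reg),
            "strong_admin_password": strong_password(admin_password)}

if __name__ == "__main__":
    for measure, ok in check(SAMPLE_QFE, SAMPLE_REG, "Cb7!kq9#Lm2$xw").items():
        print(f"{measure:24} {'OK' if ok else 'MISSING'}")
```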
Free Support, Help and Assistance if your PC is infected by this worm and/or any other piece of malware: http://www.smokey-services.eu/forums/index.php/board,5.0.html
Update Feb 08, 2009: OpenDNS/Kaspersky Lab offer free tracking and blocking services.
January 15, 2009 Posted by Smokey
Smokey’s Seasonal Competition closes in just over 24 hours…
The competition closes in just over 24 hours.
If you haven’t entered yet…. this is your last chance to win top-notch security software licenses.
The amount of available licenses is raised again, special thanks to Nick Skrepetos of SuperAntiSpyware. Today he provided us with 10 additional SAS licenses!
More info about The Competition here: http://www.smokey-services.eu/forums/index.php/board,159.0.html
December 20, 2008 Posted by Smokey
Smokey’s Security Forums Seasonal Competition 2008 now “Live”
As a follow-up to this post, I can reveal that Smokey’s Security Forums Seasonal Competition 2008 is now “Live”.
As I said before, only registered board members can join the competition. If you are not a member of my board, you are invited to register for free and obtain the opportunity to win one of the free security software licenses.
Several top-notch security vendors have participated in the Competition and provided my board with free licenses: AVG, Avira, Comodo, Jetico, Kaspersky, MBAM – MalwareBytes AntiMalware, Tall Emu – Online Armor, Prevx, Sunbelt Vipre and SUPERantispyware. My gratitude to all these vendors!
Good luck to you all with the Competition!
On behalf of Smokey’s Team,
Smokey
November 30, 2008 Posted by Smokey
Smokey’s Security Forums Seasonal Competition 2008
Smokey’s Security Forums is pleased to announce Smokey’s Seasonal Competition 2008.
This competition will give you a chance to upgrade to the full paid for versions of security software, all licenses will be valid for a minimum of 12 months.
It’s our way of trying to help a few members by making sure they have adequate security cover for the coming year, obviously by having a license they would receive better protection than the ‘free’ versions offer. Several of the top security companies have donated licenses for this competition.
The competition will start on Monday 1st December 2008 and will run until Sunday 21st December 2008. A list of all winners will be published on Tuesday 24th December. All times are in GMT.
All registered forum members have a chance to win ‘free’ licenses for a lot of top notch security programs, e.g.:
– Internet Security Suites
– Firewalls
– Anti Virus programs
– Anti Malware programs
If you want to join this competition you are invited to register for free on Smokey’s Security Forums. Keep in mind that only valid email addresses will be accepted, so no temporary and/or so-called 10-minute accounts.
Please login on Sunday 30th November to Smokey’s Security Forums for full details on how to get your hands on these free security software licenses and participating security software companies.
On behalf of Smokey’s Team,
Smokey
Site Owner Smokey’s Security Forums
Smokey’s is Site Member ASAP – Alliance of Security Analysis Professionals™
November 28, 2008 Posted by Smokey
Introduction
__________________________________________
Text from the song Spark by Amy Macdonald
I am the light in the dark
I am the march
I am the spark
Just dry your tears and I’ll be there
Don’t live for anger all this pain
Don’t worry, I’m ok, I’m ok now
Always in our hearts – R.I.P. Donna Buenaventura
__________________________________________
Welcome to Smokey’s Security Weblog!
Let me introduce myself: my (nick)name is Smokey aka Smokey Bear.
Like my board Smokey’s Security Forums, this blog is mainly devoted to Security and all related issues. However, other issues like e.g. major occurrences on my forum and social topics will be blogged too.
My board offers free security and malware related Support, Help, Advice and Education forums, but is not limited to such issues. Smokey’s also has forums with comprehensive Microsoft Windows related issues like Microsoft and Windows OS Based Products News, MS Download Center, MSDN Developer Information, software reviews, browser and tools forums, Webware, Social Networks info, Hardware and Gadgets forums and, last but not least, a dedicated Windows Drivers, Linux Drivers, Firmware and BIOS Survey & Updates section containing (recently) released Drivers, Firmware and BIOSes, Windows 7 releases included. Note: most info on Smokey’s is real-time and therefore always up-to-date.
As an extra service we have an OTL (formerly OTListIt2) Log Analyzing and Malware Removal/Cleaning Help Forum; fully qualified OTL Log Analysers/Malware Hunters will be pleased to help you for free to clean your malware infected PC.
Smokey’s hosts and maintains the Official Jetico Inc. Support Forums, including the following products:
– Jetico Personal Firewall V1
– Jetico Personal Firewall V2
– Jetico BestCrypt for Windows
– Jetico BestCrypt for Linux
– Jetico BestCrypt for Mac
– Jetico BestCrypt Volume Encryption
– Jetico BCArchive
– Jetico BCWipe for Windows
– Jetico BCWipe for UNIX
Disclaimer: information in this blog can be based on (unconfirmed) statements of (anonymous) sources; Smokey’s Security Weblog doesn’t take any responsibility for the credibility of these sources and their statements. Also, statements and opinions expressed in articles, reviews and other materials herein, reproduced by me, are those of the authors.
The posts/articles in this blog can be supplemented with so-called “Possibly related posts” links. Because these links are automatically generated by WordPress.com, Smokey’s Security Weblog has no influence on the links themselves and/or their content. Therefore this Weblog doesn’t take any responsibility for these links and all related issues.
About Copyright and this Blog: it is allowed to reproduce (parts of) posts in this blog if this reproduction is provided with a direct link to the original blog post. It is NOT allowed to copy, use and/or reproduce any image or blog banner.
Blog comments policy: to restrain indecent and off-topic comments and spam, comments are reviewed before publishing. Therefore, delay in comment publishing is unavoidable. Obligatory language of comments is English.