Smokey's Security Weblog

veritas odium parit

Safe Computing and Preventing Malware Infections

The current outbreak of the polymorphic worm Downadup, aka Conficker and Kido, and all its variants makes very clear that many users don’t act in a responsible and secure way. After all, at the moment 9 (nine) million PCs are contaminated by that worm because of a missing Microsoft Security Update for Windows (KB958644). At the same time numerous users don’t possess safe computing and surfing habits, ignore standard precautions, haven’t the slightest idea how to prevent malware, and in case their PC is contaminated by malware they try to clean the PC themselves or with the help of self-declared “security experts”. Keep in mind that malware cleaning/removal isn’t a job for amateurs; it is a dedicated job for well trained and fully qualified malware hunters.

Safe computing/surfing and preventing malware is a matter of education. Only well educated users have a reasonable chance of remaining “clean”. The sole aim of my staff and me on Smokey’s Security Forums is to provide users, for free, with Education, Support, Help and Advice, and, in case the user’s PC is infected by malware, to offer malware cleaning/removal by real security experts: comprehensively trained, fully qualified HJT/OTListIt2 Analysers/Malware Hunters.

Some basic rules for safe computing, related links at the end of this post:

– Activate the automatic update function in Windows. Always accept and install all updates offered by Microsoft.
– If you don’t like automatic updates, consider using the Microsoft Baseline Security Analyzer (MBSA). MBSA is an easy to use free tool that helps individuals and small and medium businesses determine their security state in accordance with Microsoft security recommendations, and it offers specific remediation guidance. Using MBSA to detect common administrative vulnerabilities and missing security updates on your computer systems will improve your security management process.
– Always install all Service Packs offered by Microsoft.
– Educate and protect yourself, e.g. by visiting my board and reading the FAQs, How-To’s and Advisories concerning Safe Computing and Preventing Malware.
– In case your PC is infected by malware, adware or any other undesired badware or nasties, visit my board to get rid of such crap. Only fully qualified HijackThis & OTListIt2 Log Analysers/Malware Hunters will handle these infections and help you in a professional way, of course for free, to get rid of them. Note: only registered board members will receive malware removal/cleaning help; registering on my board is also free.

Update 2010-14-03: Guests allowed to post on Smokey’s for Log Analysis and Malware Removal help

Links

Smokey’s Security Forums
FAQs, How-To’s and Advisories concerning Safe Computing and Preventing Malware
HijackThis (HJT) & OTListIt2 Log Analysis and Malware Removal/Cleaning Assistance and Services
Microsoft Baseline Security Analyzer (MBSA) Frequently Asked Questions
Download Microsoft Baseline Security Analyzer

Safe computing!

Smokey’s Security Forums is Site Member ASAP

January 17, 2009 | Categories: Advisories, Anti-Spyware, Anti-Virus, Bundleware, Downloads, Friends, Phishing, Recommended External Security Related Links, Toolbarware, Uncategorized, Vulnerabilities

Outbreak of the polymorphic worm Downadup aka Conficker aka Kido

Posted Jan 15, 2009

– Revision v1.00, Jan 16, 2009: The number of Downadup infections is skyrocketing based on F-Secure’s calculations. From an estimated 2.4 million infected machines to over 9 (nine) million during the last four days…
– Revision v1.01, Jan 16, 2009: Blog post updated to reflect current occurrences.
– Revision v1.02, Jan 17, 2009: Added worm symptoms and a link to the infection calculations performed by F-Secure.
– Revision v1.03, Jan 17, 2009: Added effective protection measures against the worm.
– Revision v1.04, Jan 23, 2009: Worm/malware removal/disinfection tools updated.
– Revision v1.05, Feb 08, 2009: OpenDNS/Kaspersky Lab tracking and blocking services added.

The Downadup worm, which exploits a months-old Windows bug/vulnerability, has infected more than a million PCs in the past 24 hours, a security company said today. Aliases of the worm are Worm.Conficker [PCTools], W32.Downadup [Symantec], Net-Worm.Win32.Kido.ih [Kaspersky Lab], W32/Conficker.worm [McAfee], W32/Confick-A [Sophos], Worm:Win32/Conficker.A [Microsoft] and Worm.Win32.Conficker [Ikarus].

Early Wednesday the Finland-based security firm F-Secure Corp. estimated that 3.5 million PCs have been compromised by the “Downadup” worm, an increase of more than 1.1 million since Tuesday.

“[And] we still consider this to be a conservative estimate,” said Sean Sullivan, a researcher at F-Secure, in an entry to the company’s Security Lab blog. Yesterday, F-Secure said the worm had infected an estimated 2.4 million machines.

The worm, which several security companies have described as surging dramatically during the past few days, exploits a bug in the Windows Server service used by all supported versions of Microsoft Corp.’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.

The worm disables system restore, blocks access to security websites, and downloads additional malware to infected machines.

The neat thing about Downadup is the way it “phones home”. As Mikko Hyppönen, chief research officer at anti-virus company F-Secure explains:

It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day. It concerns hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org. This makes it impossible and/or impractical to shut them all down — most of them are never registered in the first place. The bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines.

Anybody can register one of the unused domains and gain access to all of the infected machines. Pretty dumb. However, everyone will sit by and watch the infections happen, because nobody can interfere: unauthorised use of a PC may even be illegal. It’s like watching a small child wandering onto a motorway….
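The defender’s counterpart to the scheme Hyppönen describes is not to chase the generated names but to watch for the behaviour they produce: a single host resolving a burst of distinct names that do not exist. The following Python script is an added example written for this post, not code from F-Secure, from Smokey’s or from any of the quoted sources. The log line format, the client addresses and the threshold of three distinct NXDOMAIN answers per client are assumptions; the sample lines are constructed, with the never-registered names taken from the quote above.

```python
"""Spot DGA-style name bursts in DNS resolver logs (added example).

A host that asks for several distinct registrable names and gets NXDOMAIN
for all of them within a short period behaves like Downadup looking for
today's rendezvous domain, while a typo produces one failure at most.
"""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed format:
# <date> <time> <client> <qtype> <qname> <rcode>
SAMPLE_LOG = """\
2009-01-16 10:01:02 10.0.0.5 A www.google.com NOERROR
2009-01-16 10:01:05 10.0.0.5 A qimkwaify.ws NXDOMAIN
2009-01-16 10:01:06 10.0.0.5 A mphtfrxs.net NXDOMAIN
2009-01-16 10:01:07 10.0.0.5 A gxjofpj.ws NXDOMAIN
2009-01-16 10:01:08 10.0.0.5 A imctaef.cc NXDOMAIN
2009-01-16 10:01:09 10.0.0.5 A hcweu.org NXDOMAIN
2009-01-16 10:02:00 10.0.0.7 A update.microsoft.com NOERROR
2009-01-16 10:02:01 10.0.0.7 A wwww.f-secure.com NXDOMAIN
2009-01-16 10:02:03 10.0.0.7 A www.f-secure.com NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<qtype>\S+) "
    r"(?P<qname>\S+) (?P<rcode>\S+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def registrable_name(qname):
    """Collapse a query name to its last two labels: www.google.com -> google.com."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def longest_consonant_run(label):
    """Length of the longest run of consonants; a cheap 'looks random' hint."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in "aeiouy":
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def nxdomain_burst(entries, min_distinct=3):
    """Map each client to its sorted distinct NXDOMAIN names, keeping only
    clients that reached min_distinct failures (the assumed threshold)."""
    failures = defaultdict(set)
    for e in entries:
        if e["rcode"] == "NXDOMAIN":
            failures[e["client"]].add(registrable_name(e["qname"]))
    return {c: sorted(n) for c, n in failures.items() if len(n) >= min_distinct}


def report(text, min_distinct=3):
    """Flagged clients with (name, consonant-run) pairs for analyst triage."""
    hits = nxdomain_burst(parse_log(text), min_distinct)
    return {
        client: [(name, longest_consonant_run(name.split(".")[0])) for name in names]
        for client, names in hits.items()
    }


if __name__ == "__main__":
    for client, names in report(SAMPLE_LOG).items():
        print(client)
        for name, run in names:
            print(f"  {name} (longest consonant run {run})")
```

With the constructed log only 10.0.0.5 is flagged; 10.0.0.7 has a single mistyped name and stays below the threshold. In a real deployment the count would be taken over a sliding time window and known-good names allow-listed, and the flagged host would be checked for the missing MS08-067 patch before anything else.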

Downadup can also spread by using an autorun file on a USB memory stick, so if you autorun thumb drives on an unpatched machine, you could be vulnerable.

Almost all the infections are of Windows XP machines and, as Microsoft notes, plenty of corporate customers (who are usually not using AutoUpdate) have been caught. F-Secure says:

“A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.”

Either way, security experts are anxiously awaiting the attackers’ next move. They suspect a massive botnet is in the works, but so far the attackers haven’t completely tipped their hand. The mere infection of so many machines that could then be controlled by a third party indicates it is indeed a botnet-in-progress, according to Damballa, a computer security company devoted to disrupting botnets. “It’s a close call. If it has the potential for a remote, malicious third party to do whatever they want, that makes it a botnet,” says Paul Royal, chief scientist for the antibotnet company.

“Whoever is behind this is not ready to deploy his or her code just yet. Maybe they first need to figure out how to get their botnet controller to scale to handle [millions of] nodes,” Stewart, director of malware research for SecureWorks, notes.

One thing that is certain: The worm is spreading like wildfire, and its creators appear to be trying to beat the clock and infect as many machines as they can that haven’t yet patched for the Windows bug/vulnerability. The perpetrators have been cranking out new variants of the worm to evade detection, and, so far, its main mission has been pushing rogue antivirus software.

According to Damballa, Conficker/Downadup spreads fast like Slammer, but this one has a command and control channel: “It propagates like a worm and can act like a bot. Perhaps it’s representative of a hybrid that may represent a new class of malware” rather than the social networking or email lures of old.

Urgent advice: users are strongly recommended to ensure their antivirus databases are up to date. A patch for the Windows bug/vulnerability is available from Microsoft: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx It concerns Microsoft Security Bulletin MS08-067 – Critical / Vulnerability in Server Service Could Allow Remote Code Execution (958644). Complete and effective protection measures against the worm are listed at the end of this post.

Sources/references of this outbreak alert and background information:

Kaspersky Lab
Guardian.co.uk
Microsoft
ThreatExpert
F-Secure
Symantec
NetworkWorld
DarkReading

Symptoms of the worm:

http://www.bitdefender.fr/VIRUS-1000462-fr–Win32.Worm.Downadup.Gen.html
http://www.ca.com/gb/securityadvisor/virusinfo/virus.aspx?id=76852

Removal and disinfection tools:

Kaspersky Lab – http://support.kaspersky.com/faq/?qid=208279973
Symantec – http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99

List of domains that are currently distributing the Downadup worm and its variants: http://www.f-secure.com/weblog/archives/downadup_domain_blocklist.txt

Complete/effective protection measures against the worm, apply all 3 measures:

1. Apply Microsoft patch MS08-067: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
2. Provide the administrator account of the computer with a strong password (the worm uses a brute-force dictionary attack against the administrator password): http://www.safepasswd.com/
3. Completely disable the AutoRun function, this is a brutal but highly effective hack: http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
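Measure 3 comes down to two registry settings: the NoDriveTypeAutoRun policy value, whose bit mask 0xFF turns AutoRun off for every drive type, and the IniFileMapping trick from the linked post, which maps Autorun.inf to a non-existent section so Windows never parses such a file from a stick. The following Python script audits both settings. It is an added example, not code from this post or from the linked blog; the function names, the dict layout of the settings and the wording of the findings are assumptions. Only read_live_settings() touches the registry and it is Windows-only; evaluate() is pure and can be exercised anywhere.

```python
"""Audit the two registry settings behind 'disable AutoRun' (added example)."""
import sys

# Documented registry locations under HKEY_LOCAL_MACHINE.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
INIMAP_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf"
ALL_DRIVE_TYPES = 0xFF            # NoDriveTypeAutoRun mask: bit set = AutoRun off
SAFE_MAPPING = "@SYS:DoesNotExist"  # default value that neutralises autorun.inf


def evaluate(settings):
    """Return a list of findings for a settings dict; empty means hardened.

    settings keys (assumed layout): 'NoDriveTypeAutoRun' -> int DWORD,
    'AutorunInfMapping' -> str default value of the IniFileMapping key.
    """
    findings = []
    mask = settings.get("NoDriveTypeAutoRun")
    if mask is None:
        findings.append("NoDriveTypeAutoRun not set: AutoRun enabled for the default drive types")
    elif mask & ALL_DRIVE_TYPES != ALL_DRIVE_TYPES:
        findings.append(f"NoDriveTypeAutoRun=0x{mask:02X}: AutoRun still enabled for some drive types")
    if settings.get("AutorunInfMapping") != SAFE_MAPPING:
        findings.append("Autorun.inf IniFileMapping not redirected: autorun.inf files are still parsed")
    return findings


def read_live_settings():
    """Read both values from the local machine registry (Windows only)."""
    if sys.platform != "win32":
        raise RuntimeError("registry audit only runs on Windows")
    import winreg
    settings = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            settings["NoDriveTypeAutoRun"] = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
    except OSError:
        pass  # value absent: evaluate() reports it
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, INIMAP_KEY) as key:
            settings["AutorunInfMapping"] = winreg.QueryValueEx(key, "")[0]  # default value
    except OSError:
        pass  # key absent: evaluate() reports it
    return settings


if __name__ == "__main__":
    # On Windows audit the real machine; elsewhere show a constructed example.
    live = read_live_settings() if sys.platform == "win32" else {"NoDriveTypeAutoRun": 0x91}
    for finding in evaluate(live) or ["AutoRun hardening in place"]:
        print(finding)
```

A machine with neither setting gets two findings, a machine with only the XP default mask (0x91, which still allows AutoRun on fixed and CD-ROM drives) still gets two, and only 0xFF together with the @SYS:DoesNotExist mapping comes back clean. The audit does not replace measure 1: without MS08-067 the worm still arrives over the network.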

Free Support, Help and Assistance if your PC is infected by this worm and/or any other piece of malware: http://www.smokey-services.eu/forums/index.php/board,5.0.html

Update Feb 08, 2009: OpenDNS/Kaspersky Lab offer free tracking and blocking services.

January 15, 2009 | Categories: Advisories, Alerts, Anti-Virus, Friends, Malware, News, Recommended External Security Related Links, Vulnerabilities

Smokey’s Seasonal Competition closes in just over 24 hours…

The competition closes in just over 24 hours.
If you haven’t entered yet…. this is your last chance to win top-notch security software licenses.

The amount of available licenses is raised again, special thanks to Nick Skrepetos of SuperAntiSpyware. Today he provided us with 10 additional SAS licenses!

More info about The Competition here: http://www.smokey-services.eu/forums/index.php/board,159.0.html

December 20, 2008 | Categories: Alerts, Friends, News, Recommended External Security Related Links

Smokey’s Security Forums Seasonal Competition 2008 now “Live”

As a follow-up to this post I can reveal that Smokey’s Security Forums Seasonal Competition 2008 is now “Live”.

As I said before, only registered board members can join the competition. If you are not a member of my board you are invited to register for free and obtain the opportunity to win one of the free security software licenses.

Several top-notch security vendors have participated in the Competition and provided my board with free licenses: AVG, Avira, Comodo, Jetico, Kaspersky, MBAM – MalwareBytes AntiMalware, Tall Emu – Online Armor, Prevx, Sunbelt Vipre and SUPERantispyware. My gratitude to all these vendors!

Good luck to you all with the Competition!

On behalf of Smokey’s Team,

Smokey

November 30, 2008 | Categories: Alerts, Downloads, Friends, News, Recommended External Security Related Links

Smokey’s Security Forums Seasonal Competition 2008

Smokey’s Security Forums is pleased to announce Smokey’s Seasonal Competition 2008.

This competition will give you a chance to upgrade to the full paid-for versions of security software; all licenses will be valid for a minimum of 12 months.

It’s our way of trying to help a few members by making sure they have adequate security cover for the coming year, obviously by having a license they would receive better protection than the ‘free’ versions offer. Several of the top security companies have donated licenses for this competition.

The competition will start on Monday 1st December 2008 and will run until Sunday 21st December 2008. A list of all winners will be published on Tuesday 24th December. All times are in GMT.

All registered forum members have a chance to win ‘free’ licenses for a lot of top notch security programs, e.g.:

– Internet Security Suites
– Firewalls
– Anti Virus programs
– Anti Malware programs

If you want to join this competition you are invited to register for free on Smokey’s Security Forums. Keep in mind that only valid email addresses will be accepted, so no temporary and/or so-called 10-minute accounts.

Please login on Sunday 30th November to Smokey’s Security Forums for full details on how to get your hands on these free security software licenses and participating security software companies.

On behalf of Smokey’s Team,

Smokey
Site Owner Smokey’s Security Forums

Smokey’s is Site Member ASAP – Alliance of Security Analysis Professionals™

November 28, 2008 | Categories: Alerts, Downloads, Friends, Malware, News, Recommended External Security Related Links