
Microsoft Windows OS (XP/NT/Vista/Windows 7/8/9/10) Forum

Three million hit by Windows worm
Conficker, Downadup, or Kido discovered in Oct 2008
Quadrille




msg:3827791
 1:28 pm on Jan 16, 2009 (gmt 0)

A worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users. The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008. Although Microsoft released a patch, it has gone on to infect 3.5m machines.
Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.
Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

From the BBC - Three million hit by Windows worm [news.bbc.co.uk]

[edited by: Quadrille at 1:30 pm (utc) on Jan. 16, 2009]

 

bill




msg:3828147
 10:53 pm on Jan 16, 2009 (gmt 0)

My favorite line from the article:
"Of course, the real problem is that people haven't patched their software. If people do patch their software, they should have little to worry about," he added.

There was a time when waiting and manually applying all MS patches was a good idea. I only do that now on my primary machines. I've started putting all the others on automatic update. The arguments for putting Windows into automatic update mode are getting stronger even for experienced users.

Quadrille




msg:3828180
 11:36 pm on Jan 16, 2009 (gmt 0)

Of course you can only do that if you have 'genuine windows', not a pirate version. But those folk aside, it's really no effort to have two hours a week set aside for autoupdate.

kaled




msg:3828250
 2:17 am on Jan 17, 2009 (gmt 0)

I recently had to reinstall Windows XP Home on a system that was badly messed up. Amongst other problems, it had not updated for about three months despite automatic updates being enabled. I doubt that machine is unique.

I'm not sure I understand how this worm can be spread by USB flash drives. So far as I am aware, whilst autoplay is supported in XP from SP2 onwards, a dialog is always displayed first with options. I guess those that get infected this way click Yes to everything. If this does not cover the USB infection method, I think Microsoft have some explaining to do.

Kaled.

kaled




msg:3829515
 2:18 pm on Jan 19, 2009 (gmt 0)

After three days, estimates of infection triple to nearly 9 million.

[news.bbc.co.uk...]

Kaled.

Baruch Menachem




msg:3829598
 4:02 pm on Jan 19, 2009 (gmt 0)

The hacker put a lot of creative effort into this one. It even resets the restore date on you.

What is the goal of this one, a botnet or something?

jsinger




msg:3829680
 5:46 pm on Jan 19, 2009 (gmt 0)

Somehow I got this at midnight Christmas Eve on one of my machines which *is* automatically patched. Displays popups related to "Spyware Guard 2008" and redirects my browser search efforts away from sites offering antivirus info and antivirus downloads. Blocks updating antivirus software. And yes, restore date can't go back before the infection date.

Booting and operation of the computer is slow and very erratic. The monitor screen is filled with virus warnings that are generated by the malware. This is a home machine that's not on a network. Uses Windows XP and IE7 (also sometimes FF3.0).

Affects machines differently. Some have reported that simply going back with restore eliminates it. But restore generally can't go back before infection date.

What is the goal of this one, a botnet or something?

On the surface it tries to sell antivirus software but some people have said they can't buy it using the method the virus offers. (I certainly haven't tried that!)

My infected machine has important files that I would like to move. Any ideas on whether those data and text files would be safe? Meanwhile I'm just parking the infected computer until more is known.

jsinger




msg:3829696
 6:03 pm on Jan 19, 2009 (gmt 0)

I think Microsoft have some explaining to do.

Agree. I don't buy the line that it's the users' fault. My machine WAS automatically updated. This virus is exploiting all sorts of weaknesses.

Quadrille




msg:3829710
 6:30 pm on Jan 19, 2009 (gmt 0)

Interesting that CA defines the overall risk as low [ca.com], and seem pretty confident about dealing with it.

It's not only windows update that's essential, but an antivirus program with frequent updates, too.

CA started charging fees a couple of years ago, but there are several 'free' programs around that offer frequent updates, such as AVG - but be careful, some of them will find viruses but not remove them, e.g. 'StopSign'. How helpful is that? Just a scam to make you cough up at whatever price when you are in panic mode!

Baruch Menachem




msg:3830043
 2:23 am on Jan 20, 2009 (gmt 0)

Is it just IE that is the hole here? My daughter uses the Vista machine with Chrome or Firefox. She only uses it every alternate weekend.

And yes, the blasted thing auto updates, usually in the middle of a movie.

Samizdata




msg:3830058
 2:47 am on Jan 20, 2009 (gmt 0)

the blasted thing auto updates, usually in the middle of a movie.

You can set the time for auto updates via the Automatic Updates control panel.

The default is 3am - but if the computer is off it will happen soon after you switch it on.

...

Hugene




msg:3830349
 2:50 pm on Jan 20, 2009 (gmt 0)

I got hit by a trojan about 2 weeks ago, the 1st in over 3 years running XP. It's a known trojan, yet removal tools from Norton can't find it, but Windows Defender does. I wonder if it is related to this attack, but I am surprised that after all these years of careful Firefox browsing, I finally get hit.

kaled




msg:3831213
 12:51 pm on Jan 21, 2009 (gmt 0)

Here's an explanation of how USB sticks are involved...

If the description is accurate (not sure) it is possible to open a program from the autoplay dialog whilst it pretends to merely open a folder - Yikes!

[news.bbc.co.uk...]

Kaled.

pmells




msg:3831297
 2:44 pm on Jan 21, 2009 (gmt 0)

You've really got to wonder why people spend their time doing this, and if it is particularly "intelligent" why they aren't doing it for a living rather than to cause mayhem.

kaled




msg:3831348
 3:42 pm on Jan 21, 2009 (gmt 0)

Sadly, they are doing it for a living.

This sort of cyber-crime is big business, typically based in Russia but China, India and others also contribute. Western gangs tend to be more direct, concentrating on identity theft, etc. This may be because anti-hacking laws carry severe penalties whilst identity-theft laws carry pretty pathetic penalties.

Kaled.

pageoneresults




msg:3831488
 5:52 pm on Jan 21, 2009 (gmt 0)

Downandup/Conficker worm infects 9 million PCs
2009-01-21 - [tech.yahoo.com...]

The numbers of infected machines are increasing...

How bad has it gotten? Estimates range from 3.5 million infected in the first four days after it began spreading to 9 million impacted... and getting worse. By now I figure the numbers could top 15 or 20 million.

bill




msg:3831960
 5:12 am on Jan 22, 2009 (gmt 0)

The current advice to rid yourself of/prevent this worm:

  • Check your Admin passwords for weak passwords [microsoft.com] (Check under Analysis tab)

  • Make sure you've installed the patch described in MS08-067 [microsoft.com]

  • Run Microsoft's Malicious Software Removal Tool [microsoft.com] (MSRT).

  • Disable AutoPlay for your USB drives
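An added example (not from this thread or from Microsoft) that audits a local XP/Vista/7 machine against three of the four steps above and prints what still needs doing; it assumes an elevated PowerShell 2.0+ session, that MS08-067 is shipped as KB958644 (Microsoft's bulletin mapping, not stated in the thread), and leaves the weak-password check to the Microsoft tool linked above.

```powershell
# Added example, not the thread's own advice: report the state of the
# MS08-067 patch, AutoRun, and Automatic Updates on this machine.
# Assumptions: elevated PowerShell 2.0+; KB958644 is the MS08-067 update.

function Test-ConfickerHardening {
    $report = @()

    # 1. Is the MS08-067 fix installed? Get-HotFix reads the installed updates list.
    $kb = 'KB958644'
    if (Get-HotFix -Id $kb -ErrorAction SilentlyContinue) {
        $report += "OK   : $kb (MS08-067) is installed"
    } else {
        $report += "FAIL : $kb (MS08-067) missing - install it first, then run MSRT"
    }

    # 2. Is AutoRun disabled for every drive type? 0xFF in NoDriveTypeAutoRun
    #    switches it off for all drive types, closing the USB autorun.inf path.
    $pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $ndt = (Get-ItemProperty -Path $pol -Name NoDriveTypeAutoRun `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($ndt -eq 0xFF) {
        $report += "OK   : AutoRun disabled for all drive types"
    } else {
        $report += "FAIL : AutoRun still enabled (NoDriveTypeAutoRun=$ndt); fix with:"
        $report += "       Set-ItemProperty -Path '$pol' -Name NoDriveTypeAutoRun -Type DWord -Value 0xFF"
    }

    # 3. Is Automatic Updates set to download and install (AUOptions = 4)?
    #    The thread's consensus is that unpatched boxes are the reservoir.
    $au  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $opt = (Get-ItemProperty -Path $au -Name AUOptions `
            -ErrorAction SilentlyContinue).AUOptions
    if ($opt -eq 4) {
        $report += "OK   : Automatic Updates = download and install"
    } else {
        $report += "WARN : Automatic Updates not set to auto-install (AUOptions=$opt)"
    }

    $report
}

Test-ConfickerHardening
```

The script only reports; the Set-ItemProperty line it prints is the one change to apply by hand after reviewing the output.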

Seb7




msg:3832423
 6:39 pm on Jan 22, 2009 (gmt 0)

Quadrille; something I hadn't considered, these pirate machines are more than likely to be most of the ones hosting this virus. Maybe Microsoft should consider patching security holes in these machines.

Quadrille




msg:3832605
 10:06 pm on Jan 22, 2009 (gmt 0)

I suspect MS are more than happy to see pirates get wormed; trouble is, they are a reservoir of infection for 'clean machines'.

But I can't see MS changing that policy in a hurry!

kaled




msg:3832682
 12:14 am on Jan 23, 2009 (gmt 0)

Given that security updates can be installed manually even if the copy of XP is not legit (and updates can be installed automatically for Windows 2000) it's hard to understand why WGA validation is required for automatic installation of security updates.

Surely, WGA validation should only be required for non-security updates (such as Media Player).

Kaled.

Quadrille




msg:3832688
 12:20 am on Jan 23, 2009 (gmt 0)

M$ runs on a patent business model; you don't pay, you don't get the service. Anything that undermines sales would break their model.

Piracy of Windows is a HUGE issue for MS - and they really don't have an answer to it; they have already dropped prices in many developing countries - but AFAIK, that simply reduced their income, it did not have an appreciable effect on piracy.

Tropical Island




msg:3833032
 12:53 pm on Jan 23, 2009 (gmt 0)

It is not true that you have to have validation for auto updates to work.

Quadrille




msg:3833096
 2:14 pm on Jan 23, 2009 (gmt 0)

Are you sure?

It used to be; I had to have a long conversation with an M$ employee after my computer rebuilding led them to suspect I was using one Windows on two machines. That happened after I was blocked.

Tropical Island




msg:3833838
 4:58 pm on Jan 24, 2009 (gmt 0)

Let me put it this way.

I live in a country where almost all PCs here are sold with questionable copies of XP.

A "friend's" computers update regularly the first Tuesday of every month.

Just make sure that you have auto update turned on & don't click any little windows that pop up on the bottom of your screen. That's the validation check. If you accidentally click it just cancel it once you get to the first screen.

I do not condone people having illegal copies of MS software & would never do so myself.
