Conficker Worm Affects More Than 9 Million Windows PCs
January 27, 2009
Source: Business Standard
By: MM Network
The notorious computer worm Conficker (also called Kido or Downadup), which only a few days ago was dubbed the most potent virus since the infamous ‘Slammer’ of 2003, has reportedly infected more than 9 million Windows-based personal computers worldwide. It is spreading at an alarming rate of a million machines a day. China, Brazil, Russia and India are among the worst-hit areas.
According to Microsoft, the worm disables several important system services (including email) and security products, and downloads arbitrary files (making it difficult to detect). The worm operates by locating a Windows executable file called "services.exe" and making itself part of that process's code. It then copies itself into the Windows system folder as a randomly named file of a type known as a "dll". It gives itself a 5-8 character name (such as piftoc.dll) and manipulates the Registry, which lists key Windows settings, into running the infected dll file as a service.
Once the worm is active and functional, it creates an HTTP server, resets the machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hackers' web site. Most malware downloads from a select handful of websites, which makes tracking fairly simple. Conficker, however, uses a complex algorithm to produce hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc and hcweu.org. Only one of these will actually be the site used to download the hackers' files, so tracing that site is virtually impossible.
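One consequence of generating hundreds of names a day when only one resolves is that an infected host produces a burst of distinct, mostly non-existent DNS lookups. The following detection script is an added example, not code from the article or from any vendor it names: it scans DNS resolver log lines and flags clients that queried many distinct domains on one day with most answers being NXDOMAIN. The log format, the two extra domain names and the thresholds are constructed assumptions; only the three domains quoted above come from the article.

```python
import re
from collections import defaultdict

# Assumed resolver log format (constructed): "<ISO timestamp> <client ip> <query name> <rcode>"
LINE_RE = re.compile(
    r"^(\d{4}-\d{2}-\d{2})T\S+\s+(\S+)\s+(\S+)\s+(NXDOMAIN|NOERROR|SERVFAIL)$"
)

# Constructed sample log: 10.0.0.5 sweeps generated names (three taken from the article,
# qzvbnmkl.org and xrtplmq.com made up here); 10.0.0.9 shows ordinary traffic.
SAMPLE_DNS_LOG = """\
2009-01-27T09:00:01 10.0.0.5 mphtfrxs.net NXDOMAIN
2009-01-27T09:00:02 10.0.0.5 imctaef.cc NXDOMAIN
2009-01-27T09:00:03 10.0.0.5 qzvbnmkl.org NXDOMAIN
2009-01-27T09:00:04 10.0.0.5 xrtplmq.com NXDOMAIN
2009-01-27T09:00:05 10.0.0.5 hcweu.org NOERROR
2009-01-27T09:00:06 10.0.0.5 hcweu.org NOERROR
2009-01-27T09:00:07 10.0.0.9 www.microsoft.com NOERROR
2009-01-27T09:00:08 10.0.0.9 update.microsoft.com NOERROR
2009-01-27T09:00:09 10.0.0.9 typo.example.invalid NXDOMAIN
"""


def parse_dns_log(text):
    """Yield (day, client, domain, rcode) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def find_dga_suspects(text, min_distinct=5, min_nx_ratio=0.6):
    """Return {(day, client): (distinct_domains, nxdomain_domains)} for clients that,
    within one calendar day, queried at least min_distinct different names of which
    at least min_nx_ratio did not resolve. Repeated lookups of one name count once,
    so a busy but legitimate client is not penalised for retries."""
    queried = defaultdict(set)
    failed = defaultdict(set)
    for day, client, domain, rcode in parse_dns_log(text):
        key = (day, client)
        queried[key].add(domain.lower())
        if rcode == "NXDOMAIN":
            failed[key].add(domain.lower())
    suspects = {}
    for key, names in queried.items():
        nx = len(failed[key])
        if len(names) >= min_distinct and nx / len(names) >= min_nx_ratio:
            suspects[key] = (len(names), nx)
    return suspects


if __name__ == "__main__":
    for (day, client), (distinct, nx) in find_dga_suspects(SAMPLE_DNS_LOG).items():
        print(f"{day} {client}: {distinct} distinct names, {nx} NXDOMAIN")
```

Thresholds should be tuned against a site's baseline: a single infected host walking a daily list of several hundred names stands far above min_distinct=5, which is set low only so the small constructed sample triggers.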
Furthermore, the worm keeps mutating into new variants. In fact, the original version of the Conficker worm was last seen in October 2008 and its current version is barely three weeks old. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords (password, 12345, qwerty, etc.). Kaspersky Lab's security analyst Eddy Willems commented on the replication techniques of the latest variant of Kido. He said that it employs multiple mechanisms, including USB sticks, so if someone gets an infection from one company and then takes his USB stick to another firm, it could infect that network too. He also maintained that it downloaded content and created new variants via this mechanism.
Meanwhile, Microsoft says it is aware of the dangers posed by the Conficker "worm family" and has modified its free Malicious Software Removal Tool to detect and remove infections. But the software giant advises people to keep their systems up to date. The worm takes advantage of networks or computers that have not been updated with the latest security patches for the Windows RPC Server Service. In addition, a large number of companies and small businesses have not yet applied the emergency patch (MS08-067) released by Microsoft in October 2008, nor this month's updates.
Users have been strongly recommended to protect computers and files with strong passwords, because Conficker harnesses the computing power of a botnet to crack passwords, and its repeated password guesses cause some computers to be locked out of files or machines that automatically disable access after a certain number of failed tries.
However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability, as the US Computer Emergency Readiness Team has said that disabling it could help prevent the spread of harmful code. In the interim, anti-virus software firms like Symantec have posted detailed instructions on how to remove the virus on their websites. McAfee Regional Director (India) Kartik Shahani points out that one way to prevent the attack is with McAfee's host-based Intrusion Protection System, since the solution identifies the vulnerability rather than the signature. He added that if a solution is just looking for an exact signature that matches a virus, it would be very difficult to spot.
Most malware infects PCs so that hackers can exploit the affected machines, grouped into botnets, to send spam, attack websites or compromise more computers. Researchers are now worried about the next step in the attack. Already there have been reports from New Zealand that the worm was responsible for crashing the Ministry of Health's computer systems.