Important malware warning for April 1st!
Apr 1, 2009 7:03:37 GMT
Post by CharlieChomper on Apr 1, 2009 7:03:37 GMT
Some of you may have already heard this by now, but for those who haven't, there is what is now a third-generation "worm" on the loose that is expected to go "active" on April 1st of this year--it is not an April Fools' Day joke.
The worm, known as "Conficker" (and sometimes referenced as "Downadup"), has been regarded as a significant enough threat that it has prompted an alliance between the governing body in control of the internet and domain registration (ICANN) and various security companies and vendors to locate those responsible for it, as well as Microsoft's offering of a $250,000 (189,448.20 EUR / 2,074,031.36 SEK / 2,395,598.64 ZAR) bounty for information leading to the arrest and conviction of those responsible for it.
As of early February of this year, it was estimated that over 10 million systems running Windows had been infected since November ("zombies"--systems which are infected or compromised, sometimes without the owner knowing it, and then used either for the purposes of further infecting other systems with malware and/or being made use of to commit criminal acts). At the moment, it's unclear what the number may be.
However, there are some noticeable "symptoms" of this worm:
-Disabling of anti-viral and any other malware removal software as well as inability to update it.
-Inability to access websites for anti-viral vendors and other security-related vendors or sites.
-Account lockout policies being reset automatically.
-Unusually "heavy" traffic upon local networks.
-Certain Windows-specific processes (such as Windows Update, error reporting services, etc., to name some that most of you might be familiar with) becoming disabled.
-Resetting of restore points, which, along with the random renaming of the specific file which it latches onto and changing that name upon every reboot, has further made it difficult to attempt to detect and remove it (although not impossible).
Depending upon the variant, it has been spreading itself via Peer-to-Peer (P2P) networks, sometimes latching onto otherwise "legitimate" files being obtained without the user being aware of it until they've been infected by it.
Another variant (type "B") has been latching onto portable USB devices and going on to infect more systems (which is also why items such as USB "sticks"/"thumbdrives" and other portable USB devices have sometimes been banned in various workplaces as well as by a number of agencies involved in security). Mainly due to that, some security groups and even Microsoft have advised disabling "Autorun" via the registry (as this method seems to rely upon certain types of USB devices which make use of Autorun in an attempt to spread the malware).
Two of the variants (type "A" and type "B") have also further gone on to infect systems just by way of domains, as it circumvents the standard protocol used to connect to websites and randomly generates a domain out of a predetermined set of them (which has prompted ICANN, who are "in charge/control" of the internet if you will, and those in the domain registration/transferring business to take measures in an attempt to curb the behavior and bar the registration and transferring of ownership of certain domains).
However, the most recent variant "D" was found able to get around their initial efforts and so they've had to take other measures in hopes of either stopping it or curbing it.
In other words, if someone happens to be unfortunate enough to end up on a domain that was generated by the worm, it could lead their system to become infected by it in that situation.
In response, the Canadian agency that controls domain registration of the .ca domain has blocked access to the .ca domain for new registrations as well as transfers of any existing domain that uses the .ca extension until further notice.
The Polish authority took similar action soon thereafter with the .pl domain, but there is some concern it may have led to a recent spike in DDoS (also known as "denial of service") attacks by the worm upon legitimate sites that use the .pl domain.
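The post describes the symptoms and the Autorun advice in words only. What follows is an added example of my own, not code from the post and not a Microsoft tool: a PowerShell triage script that checks a Windows machine for the listed symptoms (disabled update and error-reporting services, security-vendor hosts that will not resolve while other names do, a burst of account lockouts) and, when run with -Fix, writes the Autorun-disabling registry value the post refers to. The service names are the standard Windows ones; the vendor hostnames, the lockout threshold and PowerShell 3.0 or later are assumptions I chose for illustration.

```powershell
<#
  Conficker-style symptom triage and Autorun hardening.
  Added example, not from the original post. Run from an elevated PowerShell
  (3.0 or later) prompt on the suspect machine; pass -Fix to write the Autorun
  policy value. Hostnames and thresholds are assumptions noted inline.
#>
param([switch]$Fix)

$findings = @()

# 1. Services the post lists as disabled by the worm. Standard Windows service
#    names: wuauserv = Windows Update, BITS = its transfer service,
#    ERSvc (XP/2003) / WerSvc (Vista+) = Error Reporting, WinDefend = Windows Defender.
foreach ($name in 'wuauserv','BITS','ERSvc','WerSvc','WinDefend') {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }                      # not present on this Windows version
    $cfg = Get-WmiObject Win32_Service -Filter "Name='$name'"
    if ($cfg.StartMode -eq 'Disabled' -or $svc.Status -ne 'Running') {
        $findings += "Service $name is $($svc.Status) (start mode: $($cfg.StartMode))"
    }
}

# 2. Security-vendor hosts unreachable while an unrelated host resolves fine.
#    The hostnames are illustrative choices (assumption), not a list from the post.
function Test-Resolves([string]$HostName) {
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); $true } catch { $false }
}
$control = 'www.example.com'
$vendors = 'www.microsoft.com','update.microsoft.com','www.symantec.com','www.mcafee.com'
if (Test-Resolves $control) {
    $blocked = @($vendors | Where-Object { -not (Test-Resolves $_) })
    if ($blocked.Count -gt 0) {
        $findings += "Vendor hosts fail to resolve while $control resolves: $($blocked -join ', ')"
    }
} else {
    $findings += "No name resolution at all ($control failed); network checks inconclusive"
}

# 3. Burst of account lockouts in the last 24 hours, which the worm's password
#    guessing against admin shares produces. Event 4740 = Vista/2008+, 644 = XP/2003.
#    The threshold of 10 is an arbitrary assumption; tune it for your environment.
$since = (Get-Date).AddDays(-1)
$lockouts = @(Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue |
              Where-Object { $_.EventID -eq 4740 -or $_.EventID -eq 644 })
if ($lockouts.Count -gt 10) {
    $findings += "$($lockouts.Count) account lockout events since $since"
}

# 4. Autorun policy. 0xFF disables Autorun for every drive type (Microsoft's
#    documented value); on XP/2003 the value is only honored once the Autorun
#    fix from KB967715 is installed.
$key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$current = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($current -ne 0xFF) {
    $findings += "NoDriveTypeAutoRun is '$current' (expected 0xFF)"
    if ($Fix) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
        "Wrote NoDriveTypeAutoRun=0xFF under $key (applies at next logon)."
    }
}

if ($findings.Count -gt 0) { $findings | ForEach-Object { "[!] $_" } } else { "No Conficker-style symptoms found." }
```

A clean result from this script is not proof of a clean machine: the post's first symptom is that the worm disables the very tools you would use to check, so a positive finding should be followed by a vendor removal tool run from known-good media rather than by more checks on the suspect box.

The domain-generation behavior the post describes (the worm derives a fresh set of names from the date, and ICANN and the registries try to block or reserve them ahead of time) is easier to see in code. The block below is an added example in PowerShell, mine and not the post's, and it is not Conficker's real algorithm: a toy date-seeded generator, plus a check of constructed resolver-log lines against the day's list, which is how a defender who knows the algorithm spots infected clients. The LCG constants, the TLD set, the log format and the sample log lines are assumptions built for the example.

```powershell
# Added example: a toy date-seeded domain generator and a resolver-log check built on it.
# This is NOT Conficker's algorithm; it only illustrates the rendezvous idea.
function Get-DailyDomains {
    param(
        [datetime]$Date,
        [int]$Count = 8,
        [string[]]$Tlds = @('com','net','org','ca','pl')   # assumed TLD set
    )
    # Seed from the calendar date only: bot and defender get the same list for a given day.
    [long]$state = $Date.Year * 10000 + $Date.Month * 100 + $Date.Day
    $domains = @()
    for ($i = 0; $i -lt $Count; $i++) {
        $state = ($state * 1664525 + 1013904223) -band 0xFFFFFFFF   # 32-bit LCG step
        $len = 8 + [int]($state % 5)                                  # 8..12 letters
        $label = ''
        for ($j = 0; $j -lt $len; $j++) {
            $state = ($state * 1664525 + 1013904223) -band 0xFFFFFFFF
            $label += [char](97 + [int][math]::Floor($state / 65536) % 26)   # use the higher bits
        }
        $domains += "$label.$($Tlds[[int]($state % $Tlds.Count)])"
    }
    return $domains
}

# Defender side: which internal clients looked up one of the day's rendezvous names?
function Find-DgaLookups {
    param([datetime]$Date, [string[]]$ResolverLog)
    $today = Get-DailyDomains -Date $Date
    foreach ($line in $ResolverLog) {
        # Constructed log format (assumption): "<time> <client-ip> <queried-name>"
        $fields = $line -split '\s+'
        if ($fields.Count -ge 3 -and $today -contains $fields[2]) {
            [pscustomobject]@{ Time = $fields[0]; Client = $fields[1]; Name = $fields[2] }
        }
    }
}

# Constructed sample: two benign lookups and two hits built from the generator itself,
# so the example is self-consistent without depending on any real domain.
$day   = Get-Date '2009-04-01'
$names = Get-DailyDomains -Date $day
$log   = @(
    "07:03:37 10.0.0.12 www.example.com",
    "07:03:40 10.0.0.12 $($names[0])",
    "07:04:02 10.0.0.45 mail.example.org",
    "07:04:05 10.0.0.45 $($names[3])"
)
Find-DgaLookups -Date $day -ResolverLog $log | Format-Table -AutoSize
```

Because both sides need nothing but the date, a defender who has the algorithm can compute tomorrow's names today and register, block or sinkhole them, and can flag any client that queries one. That is the measure the post credits ICANN and the registries with; it stops scaling once a variant spreads its daily list over far more names and top-level domains than registries can reserve by hand, which is the kind of change the post says the later variant used to get around the initial effort.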