Saturday, March 14, 2009

Downadup/Conficker Worm Disables Computer Security

If you were a hacker or a e-scam artist with malicious intent, would it be valuable to disable a machine's security system? Most of them find it relatively easy to take command and control of unprotected machines, but fully patched and protected machines pose more of a challenge.

Since late last year, hackers have developed a new tool that attacks protected machines, known as the Downadup/Conficker worm. This worm is being called a complex piece of malicious code that is able jump network hurdles, hide in the shadows and even defend itself against security measures, according to a recent report by Symantec.

Symantec has documented its blog posts on this subject in this report, which are available on their site. They also have a blog post by Ben Nahorney that attempts to put this complex threat into terms that can be understood by the general public.

Just this month, Symantec identified the third version of Downadup/Conficker, which has an even more powerful punch designed to take down computer security systems. This version has been dubbed the W32.Downadup.C variant and is still under analysis. The payload from W32.Downadup.C is set is to be triggered on April 1st, and if it is, the damage from it could be huge. SC Magazine aptly summed this up in an article called, "No Joke — Conficker Worm set to explode on April Fool's Day."

Since Downadup/Conficker has the ability to replicate itself — even on USB drives and network shares — by cracking passwords, it can spread like wildfire and wreak havoc on systems.
The report concludes that this is only the beginning of the Downadup/Conficker threat. If you take the time to read through the report, it shows how this malware is evolving and changing to avoid attempts to stop the spread of it.

It is being reported that Downadup Conficker has enabled one of the largest botnets to be formed on the Internet because of the number of systems that aren't protected from it. Of course, it appears that once infected, the worm itself might prevent the patches from be downloaded on a machine.

Botnets generate all the spam we see in our in boxes and are the vehicle of most fraud, phishing and financial misdeeds seen on the Internet. They consist of infected computers that have been taken over and form a super computer capable of spreading a lot of garbage. Of course, becoming infected can also mean that all your personal and financial information will be data-mined and used by less than honest people to steal money or commit other types of crimes.

Information can be stolen to commit espionage or even provide a fake identities, which are then used to support other more serious criminal activity. Although a lot of espionage is industrial, it is on record already that Downadup/Conficker infected computers at the U.K. Ministry of Defence and the Houston Municipal Courts which suggest a more sinister intent than merely committing financial crimes.

Since the beginning of the year, there are different estimates of how many computers are infected, but all them seem to agree it's somewhere around nine million.

Microsoft has announced a $250,000 reward for information leading to the arrest of the authors of this code. It has also announced an industry-wide coalition to fix the threat that Downadup/Conficker poses. Included in this coalition are ICANN, NeuStar, Symantec, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Verisign, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

Microsoft also provides information on patches and the latest developments on Conficker/Downadup on its site. It also has another page where you can learn more about these types of threats and how to stay safe online.

No comments: