Tricky Windows Worm Wallops Millions [Telecom]


By Brian Krebs January 16, 2009

A sneaky computer worm that uses a virtual Swiss army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn.

Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites -- there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software.

The worm, called "Downadup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems. According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone.

If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed.

One reason for this is because businesses will generally test patches before deploying them on internal networks to ensure the updates don't break custom software applications. In the meantime, an infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to all unpatched systems inside that network.

But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network. This means that if an infected system has a USB stick inserted into it, that USB stick will carry the infection over to the next Windows machine that reads it. That's an old trick, but apparently one that is still very effective.

...


***** Moderator's Note *****

I guess I'm out of date on the Windows OS: why does a file on a USB stick pose a threat? This may seem an obvious question, but I trained in the days when a program could only be started by operator command or by an already-running program. Yet, with this and other worms, it seems that executable files magically start themselves just by the fact that they're located in the Windows file system.

Does Windows automatically start certain types of files, no matter where they're found? Are these worm files started by "Internet Exploder" or other commonly used applications? Or are the reports just glossing over something that users are doing?

Bill Horne Temporary Moderator

Please put [Telecom] at the end of your subject line, or I may never see your post! Thanks!

We have a new address for email submissions: telecomdigestmoderator atsign telecom-digest.org. This is only for those who submit posts via email: if you use a newsreader or a web interface to contribute to the digest, you don't need to change anything.

Reply to
Monty Solomon

Know how an Audio CD or a video DVD or a software installation disk just start themselves right up when you stick 'em in the tray?

You can add an autostart.inf file to a USB stick to make it, too, start itself right up when you plug it into a USB socket.

Of course, the paranoid will always be holding down a [Shift] key to prevent such unexpected start-ups -- if they've been bitten before (like I've been -- explains why I'm paranoid :-) ), but others ... .

Yup. So does MacOS. I'd be surprised if other OSes don't as well. Autostart.inf is one mechanism -- I bet there are others, too.

Nope, it's the OS itself that detects, reads, and obeys the commands of the Autostart.inf files.

I suspect others with a better grasp of the mechanism at play here will be able to provide further enlightenment.

Cheers, -- tlvp

Reply to
tlvp

The truly paranoid will have permanently disabled a "feature" that never should have existed in the first place.

Start, Run, "gpedit.msc" (leave out the quotes).
Under "Local Computer Policy"
  Under "Computer Configuration"
    Under "Administrative Templates"
      Highlight "System"
In the right pane, double-click on "Disable Autoplay".
On the Policy tab, select the "Enabled" button. In typical Windows user-friendly fashion, "Enabled" enables the "Disable Autoplay", i.e. "Enable" disables autoplay.
In the box below for "Disable Autoplay", select "All drives" from the pulldown.
Now, click OK.

Reply to
Ron
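Ron's gpedit.msc steps end up writing the NoDriveTypeAutoRun policy value (also named in the US-CERT references later in this thread). The script below is an added example, not from any poster here: it decodes whatever value is currently set, one bit per drive type, and can apply the same "All drives" (0xFF) setting from an elevated Windows PowerShell prompt. The policy path, the 0xFF value and the bit-to-drive-type mapping are standard Windows values; the function names and the -Harden switch are my own.

```powershell
# Added example (not from the thread): audit and optionally harden the
# NoDriveTypeAutoRun policy that "Disable Autoplay: All drives" sets.
# Assumes an elevated Windows PowerShell session.
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueName = 'NoDriveTypeAutoRun'
$AllDrives = 0xFF   # what "Disable Autoplay -> Enabled -> All drives" writes

# Each set bit disables AutoRun for one drive type; the bit position is the
# DRIVE_* constant that GetDriveType() returns for that kind of drive.
$DriveBits = [ordered]@{
    0x01 = 'Unknown'
    0x02 = 'No root directory'
    0x04 = 'Removable (USB sticks, floppies)'
    0x08 = 'Fixed (local hard disks)'
    0x10 = 'Network (mapped drives, shares)'
    0x20 = 'CD-ROM / DVD'
    0x40 = 'RAM disk'
    0x80 = 'Reserved'
}

function Get-AutoRunPolicy {
    # Returns the policy value, or $null when none is set and the Windows default applies.
    $item = Get-ItemProperty -Path $PolicyKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$ValueName
}

function Show-AutoRunPolicy {
    $value = Get-AutoRunPolicy
    if ($null -eq $value) {
        Write-Output "$ValueName is not set: the Windows default applies."
        return
    }
    Write-Output ("{0} = 0x{1:X2}" -f $ValueName, $value)
    foreach ($bit in $DriveBits.Keys) {
        $state = if ($value -band $bit) { 'AutoRun DISABLED' } else { 'AutoRun allowed ' }
        Write-Output ("  {0}  {1}" -f $state, $DriveBits[$bit])
    }
}

function Set-AutoRunDisabledAllDrives {
    # Same effect as the gpedit.msc "All drives" choice, applied directly.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name $ValueName -Value $AllDrives -Type DWord
}

Show-AutoRunPolicy
if ($args -contains '-Harden') { Set-AutoRunDisabledAllDrives; Show-AutoRunPolicy }
```

The US-CERT alert cited later in the thread is precisely about this value not being honoured on systems missing the relevant update, so check the value on a patched machine and confirm the behaviour with a test drive rather than trusting the registry alone.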

[...]

From today's US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly:

  • The Dangers of Windows AutoRun -
  • US-CERT Vulnerability Note VU#889747 -
  • Nick Brown's blog: Memory stick worms -
  • TR08-004 Disabling Autorun -
  • How to Enable or Disable Automatically Running CD-ROMs -
  • NoDriveTypeAutoRun -
  • Autorun.inf Entries -
  • W32.Downadup -
  • MS08-067 Worm, Downadup/Conflicker -
  • Social Engineering Autoplay and Windows 7 -

Regards, Colin

***** Moderator's Note *****

Colin, thanks for the URL's.

Here's another question: does Autorun work on _all_ drives/media by default, or only on "removable" media? In other words, does this worm spread by putting Autorun files on network shares as well as USB sticks?

Bill Horne Temporary Moderator


Reply to
Colin

[Moderator snip]


To add to Colin's long and exhaustive list of relevant URLs, let me offer the recent Woody Leonhard {Windows Secrets} article

formatting link
(horribly long URL, that) which I think is another good read on the subject.

Cheers, -- tlvp

Reply to
tlvp

I keep my customers' computers up to date by making sure that Windows auto-update is enabled for automatic patch installation. Over the past 7 years I've had hundreds of customers. They all have my phone number. None --- NONE -- have contacted me about problems with either of these worms.

There is nothing wrong with autorun. What people tend to do is click "yes" to any and all installations without thinking about what they're doing.

Now, one of the problems with Windows on a network platform is also one of its benefits: mass deployment of software. By allowing mass deployment, a Windows sysadmin is also opening Windows to vulnerabilities from being open. This is likely why the reports on these latest infections are that they're hitting the bigger networked computers in business environments.

***** Moderator's Note *****

There's nothing wrong with deploying software over the network. The problem is that network admins don't want to go to the trouble of learning how to deploy and maintain the PKI infrastructure that would allow them to sign applications and thus prevent unauthorized software from being installed.

Bill Horne Temporary Moderator


Reply to
David Kaye
