Tricky Windows Worm Wallops Millions
By Brian Krebs January 16, 2009
A sneaky computer worm that uses a virtual Swiss army knife of attack techniques has infected millions of Microsoft Windows PCs, and appears to be spreading at a fairly rapid pace, security experts warn.
Also, while infected PCs could be used for a variety of criminal purposes -- from relaying spam to hosting scam Web sites -- there are signs that this whole mess may be an attempt to further spread so-called "scareware," which uses fake security alerts to frighten consumers into purchasing bogus computer security software.
The worm, called "Downadup" and "Conficker" by different anti-virus companies, attacks a security hole in a networking component found in most Windows systems. According to estimates from Finnish anti-virus maker F-Secure Corp., the worm has infected between 2.4 million and 8.9 million computers during the last four days alone.
If accurate, those are fairly staggering numbers for a worm that first surfaced in late November. Microsoft issued an emergency patch to fix the flaw back in October, but many systems likely remain dangerously exposed.
One reason for this is because businesses will generally test patches before deploying them on internal networks to ensure the updates don't break custom software applications. In the meantime, an infected laptop plugged into a vulnerable corporate network can quickly spread the contagion to all unpatched systems inside that network.
But the worm also has methods for infecting systems that are already patched against the Windows vulnerability. According to an analysis last week by Symantec, the latest versions of Downadup copy themselves to all removable or mapped drives on the host computer or network. This means that if an infected system has a USB stick inserted into it, that USB stick will carry the infection over to the next Windows machine that reads it. That's an old trick, but apparently one that is still very effective.
...
I guess I'm out of date on the Windows OS: why does a file on a USB stick pose a threat? This may seem an obvious question, but I trained in the days when a program could only be started by operator command or by an already-running program. Yet, with this and other worms, it seems that executable files magically start themselves just by the fact that they're located in the Windows file system.
Does Windows automatically start certain types of files, no matter where they're found? Are these worm files started by "Internet Exploder" or other commonly used applications? Or are the reports just glossing over something that users are doing?
Bill Horne Temporary Moderator