Visual Test to Check Conficker Infection

April 7th, 2009

Techtree News Staff, Apr 07, 2009 1649 hrs IST

Spot whether your PC is infected

The April Fools' Day Special Conficker worm and its variants have been dreaded by computer users across the world for some time now.

Even though it may seem that the virus has been maintaining a low profile for the past few days, security experts warn that the virus is still a threat. In reality, it has already attacked thousands of personal computers in India and nearly 15 million computers globally to date.


So how do you protect your PC from this devastating worm? You can, if you are able to spot whether your PC is infected by it. How do you do that?

Thanks to Joe Stewart, director of malware research at SecureWorks, you can now see if your computer is affected by Conficker with a simple eye test. Stewart came up with a Conficker Eye Chart, which is a simple visual test you can use to evaluate a PC just by surfing to that page and looking at the images.

The images are given below; there is a guide on how to interpret the results.


It couldn’t be simpler!

However, the test doesn’t work if you’re behind a web proxy.

The worm is programmed to update itself from domains it randomly generates. For the latest version, Conficker C, this amounts to nearly 50,000 domains a day. The virus author needs to use only one of these domains to host the update, thus making tracking nearly impossible.

Use the test to check whether your PC is infected with Conficker and take the necessary remedial measures. To read more on Conficker, click here.

Alarm sounded over wi-fi networks

January 29th, 2009

Page last updated at 15:03 GMT, Tuesday, 27 January 2009 – news.bbc.co.uk

Wireless access points could be used by hi-tech criminals to spread viruses and worms, warn US researchers.

Image: simulation of virus spreading (Steven Myers). Using wi-fi routers, malware could spread very quickly.

Security holes and the popularity of the devices in cities make them ideal for spreading malware, they found.

Using modelling methods from real diseases, the team showed how a worm could gradually infect all access points in urban areas.

They found that the majority of vulnerable access points would be hit in the first 24 hours of an outbreak.

Password cracking

The simulation work showed that within two weeks of an outbreak occurring, 55% of wi-fi access points would be compromised. In urban areas this could mean tens of thousands of people were at risk, said the researchers.

Before now malicious attacks carried out via wi-fi routers have been limited in scope. Most revolve around the creation of fake access points that steal login and other details from those using them to get online.

The work by Hao Hu, Steven Myers, Vittoria Colizza, and Alessandro Vespignani from Indiana University shows how the ubiquitous access points could be used in a much more ambitious attack.

The theoretical attack modelled by the team involved attempts to subvert the firmware inside a wi-fi access point or router which keeps the device running.

Hi-tech criminals keen to subvert wi-fi access points could rely on the fact that few people take basic steps to stop unauthorised access to the device, said the researchers.

Surveys of consumer use of wi-fi routers suggest that a maximum of 40% of the machines use encryption to limit who can use them. In addition, most people do not change the default password the device ships with, making it easy for attackers to get access.

Also, noted the researchers, few routers have lock-out mechanisms that stop endless attempts to guess passwords that have been changed.

The researchers modelled attacks in seven areas including Manhattan in New York and Chicago. The numbers of wi-fi routers in each location were taken from public lists of access points. In the New York simulation about 18,000 access points were infected over a two-week period.

“We note that there is a real concern about the wireless spread of wi-fi-based malware,” wrote the researchers in their paper which appeared in PNAS.

They added: “Action needs to be taken to detect and prevent such outbreaks, and more thoughtful planning for the security of future wireless devices needs to occur, so that such scenarios do not occur or worsen with future technology.”

The team recommended that people be forced to change default passwords and encouraged to use encryption – both of which can limit the ability of wireless-borne malware to spread.

Virus strikes 15 million PCs

January 25th, 2009

LONDON, Jan. 25 (UPI) — A virulent computer virus has infected more than 15 million computers around the world so far, British experts say.

The Independent on Sunday reported that the worm — known as Downadup, Conficker or Kido — had contaminated 6 million PCs in the past three days alone.

The newspaper said more than 3,000 British organizations, including hospitals and the Ministry of Defense, have received the virus.

Officials in Britain, the United States, Russia, China and India say they are waiting to see what the virus’s effects will be, if anything.

The newspaper reported there is a possibility the virus has no function other than to demonstrate its originator’s skill, but some security experts think it unlikely a worm as sophisticated as this one would have no ulterior purpose.

Tom Gaffney, technical manager of F-Secure, says this could be to capture confidential information, such as online account details and passwords. He said it is likely the worm is a “rootkit,” which gives the virus designer administrative access to remote computers.

© 2009 United Press International, Inc. All Rights Reserved.

Clock ticking on worm attack code

January 20th, 2009

Image: USB drives (BBC). The worm can also spread via USB flash drives.

Experts are warning that hackers have yet to activate the payload of the Conficker virus.

The worm is spreading through low security networks, memory sticks, and PCs without current security updates.

The malicious program – also known as Downadup or Kido – was first discovered in October 2008.

Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.

Speaking to the BBC, F-Secure’s chief research officer, Mikko Hypponen, said there was still a real risk to users.

“Total infections appear to be peaking. That said, a full count is hard, because we also don’t know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs world wide.

“It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights.

“But they haven’t done that yet, maybe they’re scared. That’s good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect.”

Experts say users should have up-to-date anti-virus software and install Microsoft’s MS08-067 patch. The patch is known as KB958644.


Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.

“Microsoft did a good job of updating people’s home computers, but the virus continues to infect businesses who have ignored the patch update.

“A shortage of IT staff during the holiday break didn’t help and rolling out a patch over a large number of computers isn’t easy.

“What’s more, if your users are using weak passwords – 12345, QWERTY, etc – then the virus can crack them in short order,” he added.

“But as the virus can be spread with USB memory sticks, even having the Windows patch won’t keep you safe. You need anti-virus software for that.”

Method

According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code.

It then copies itself into the Windows system folder as a random file of a type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.

Once the worm is up and running, it creates an HTTP server, resets a machine’s System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker’s web site.

Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.

But Conficker does things differently.

“Right now, we’re seeing hundreds of thousands of [infected] unique IP addresses” – Toni Koivunen, F-Secure

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers’ files. On the face of it, tracing this one site is almost impossible.
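The domain-generation behaviour described above (and for Conficker C earlier on this page, nearly 50,000 candidate domains a day with only one actually live) leaves a trace a defender can look for in DNS logs: one client producing NXDOMAIN answers for many distinct, random-looking domains in a short period. The script below is an added example, not code from the article, the BBC or F-Secure; it runs over a constructed sample log, and the suffix list, threshold and entropy measure are illustrative assumptions rather than a production DGA detector.

```python
import math
import re
from collections import defaultdict

# Constructed sample DNS log lines (client IP, queried name, response code); not from the article.
# The three NXDOMAIN names from the article are mixed with normal traffic and one ordinary typo.
SAMPLE_LOG = """\
10.0.0.5 mphtfrxs.net NXDOMAIN
10.0.0.5 imctaef.cc NXDOMAIN
10.0.0.5 hcweu.org NXDOMAIN
10.0.0.5 qzkwvbxp.info NXDOMAIN
10.0.0.5 news.bbc.co.uk NOERROR
10.0.0.7 www.bbc.co.uk NOERROR
10.0.0.7 update.microsoft.com NOERROR
10.0.0.7 typo-example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN)\s*$")
TWO_PART_SUFFIXES = {"co.uk", "com.br", "com.cn"}  # tiny illustrative list, not a public-suffix database


def registrable_domain(name):
    """Return the registrable part of a query name, e.g. news.bbc.co.uk -> bbc.co.uk."""
    parts = name.lower().rstrip(".").split(".")
    keep = 3 if ".".join(parts[-2:]) in TWO_PART_SUFFIXES else 2
    return ".".join(parts[-keep:])


def label_entropy(label):
    """Shannon entropy (bits per character) of a label; machine-generated labels tend to score higher."""
    n = len(label)
    counts = {c: label.count(c) for c in set(label)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def find_dga_suspects(log_text, min_distinct_nx=3):
    """Flag clients whose NXDOMAIN answers span at least min_distinct_nx distinct registrable domains.
    Returns {client: {"nx_domains": [...], "mean_entropy": float}} for flagged clients only."""
    nx_by_client = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash on them
        client, name, rcode = m.groups()
        if rcode == "NXDOMAIN":
            nx_by_client[client].add(registrable_domain(name))
    suspects = {}
    for client, domains in nx_by_client.items():
        if len(domains) >= min_distinct_nx:
            labels = [d.split(".")[0] for d in domains]
            mean_ent = sum(label_entropy(lbl) for lbl in labels) / len(labels)
            suspects[client] = {"nx_domains": sorted(domains), "mean_entropy": round(mean_ent, 2)}
    return suspects


if __name__ == "__main__":
    for client, info in find_dga_suspects(SAMPLE_LOG).items():
        print(client, info)
```

The per-client NXDOMAIN count is the primary signal; the entropy figure is only supporting context, since short labels such as hcweu give weak per-name scores on their own.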

Variant

Speaking to the BBC, Kaspersky Lab’s security analyst Eddy Willems said that a new strain of the worm was complicating matters.

“There was a new variant released less than two weeks ago and that’s the one causing most of the problems,” said Mr Willems.

“The replication methods are quite good. It’s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism.

“Of course, the real problem is that people haven’t patched their software,” he added.

Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

Credit Due:

http://news.bbc.co.uk/2/hi/technology/7832652.stm
