Experts are warning that hackers have yet to activate the payload of the Conficker virus.
The worm is spreading through low-security networks, USB memory sticks, and PCs without current security updates.
The malicious program – also known as Downadup or Kido – was first discovered in October 2008.
Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.
Speaking to the BBC, F-Secure’s chief research officer, Mikko Hypponen, said there was still a real risk to users.
“Total infections appear to be peaking. That said, a full count is hard, because we also don’t know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs worldwide.
“It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights.
“But they haven’t done that yet, maybe they’re scared. That’s good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect.”
Experts say users should have up-to-date anti-virus software and install Microsoft’s MS08-067 security update (KB958644), which fixes the Windows Server service vulnerability the worm uses to spread across networks.
Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.
“Microsoft did a good job of updating people’s home computers, but the virus continues to infect businesses that have ignored the patch update.
“A shortage of IT staff during the holiday break didn’t help and rolling out a patch over a large number of computers isn’t easy.
“What’s more, if your users are using weak passwords – 12345, QWERTY, etc – then the virus can crack them in short order,” he added.
“But as the virus can be spread with USB memory sticks, even having the Windows patch won’t keep you safe. You need anti-virus software for that.”
Method
According to Microsoft, the worm starts by locating the running Windows process “services.exe” and injecting its code into it.
It then copies itself into the Windows system folder under a random DLL name of five to eight characters, such as piftoc.dll, and modifies the Registry, the database of key Windows settings, so that the DLL is loaded as a Windows service at start-up.
Once running, the worm starts a small HTTP server (from which it hands copies of itself to other machines it attacks), resets the machine’s System Restore points (making it far harder to roll the infected system back) and then downloads further files from the attackers’ web site.
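The “run my DLL as a service” step above is the part a responder can check from the Registry side. The following is an added example, not code from the article or from Microsoft: it parses the text that `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll` prints on Windows (assumed layout: a key-path line followed by an indented `ServiceDll  REG_EXPAND_SZ  <path>` line) and compares a snapshot taken during triage with one captured on a known-clean build. Both snapshots are constructed; the service name `kxqlvpb` and the moved dnsrslvr.dll path are hypothetical.

```python
"""Baseline comparison of svchost-hosted service DLL registrations.

Added example, not code from the article or from Microsoft. Assumes the text layout
of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll`; the two
snapshots below are constructed for the demo.
"""
import re
from typing import Dict

KEY_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters\s*$",
    re.IGNORECASE,
)
VALUE_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)\s*$", re.IGNORECASE)

# Constructed snapshot from a clean machine: two genuine Windows services.
BASELINE_SNAPSHOT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\qmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\dnsrslvr.dll
"""

# Constructed snapshot from the same machine during triage: a new randomly named
# service pointing at a random DLL in system32 (the pattern the article describes),
# and an existing service whose DLL path has been redirected (hypothetical path).
TRIAGE_SNAPSHOT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\qmgr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\Windows\Temp\dnsrslvr.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\kxqlvpb\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\piftoc.dll
"""


def parse_service_dlls(text: str) -> Dict[str, str]:
    """Map service name -> ServiceDll path, lower-cased because Windows paths are case-insensitive."""
    services: Dict[str, str] = {}
    current = None
    for line in text.splitlines():
        key = KEY_RE.match(line)
        if key:
            current = key.group(1)
            continue
        value = VALUE_RE.match(line)
        if value and current:
            services[current] = value.group(1).lower()
    return services


def diff_service_dlls(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, Dict]:
    """Report services that appeared, changed DLL, or disappeared since the baseline.

    A new entry or a moved DLL is what DLL-as-a-service persistence looks like from
    the Registry; confirming the file on disk is the next step, not done here.
    """
    report: Dict[str, Dict] = {"new": {}, "changed": {}, "removed": {}}
    for name, path in current.items():
        if name not in baseline:
            report["new"][name] = path
        elif baseline[name] != path:
            report["changed"][name] = (baseline[name], path)
    for name, path in baseline.items():
        if name not in current:
            report["removed"][name] = path
    return report


def triage_report() -> Dict[str, Dict]:
    """Diff the two constructed snapshots."""
    return diff_service_dlls(parse_service_dlls(BASELINE_SNAPSHOT),
                             parse_service_dlls(TRIAGE_SNAPSHOT))


if __name__ == "__main__":
    for kind, entries in triage_report().items():
        for name, detail in entries.items():
            print(f"{kind:8} {name}: {detail}")
```

The case-only difference in the BITS path is deliberately not reported; the moved dnsrslvr.dll and the new `kxqlvpb` service are. On a real host the baseline should come from the same build and patch level, or every service added by a legitimate update shows up as noise.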
Most malware fetches its files from one of a handful of fixed sites, which makes those sites fairly easy to locate, target, and shut down.
But Conficker does things differently.
Anti-virus firm F-Secure says that the worm uses a complicated algorithm, driven by the current date, to generate hundreds of candidate domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these needs to be registered by the attackers to serve that day’s files, so the download site moves every day. On the face of it, tracing and taking down that one site is almost impossible; the practical counter-measure is for defenders to reverse the generator, precompute each day’s candidates and register or sinkhole them before the attackers do.
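To make the defender’s side of this concrete, here is an added example that is not Conficker’s generator and not code from F-Secure or the article. The seed, hash construction, name lengths and TLD pool are assumptions chosen so it runs offline, and the resolver log lines are constructed. It generalises the point above: any generator both sides can reproduce from the date lets a defender precompute the day’s candidates and match DNS queries against them.

```python
"""Illustrative domain-generation algorithm (DGA) with the defender's counter-check.

Added example, not Conficker's algorithm. Seed, hash, name lengths and TLD pool are
assumptions; the resolver log is constructed.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, Iterator, List, Set, Tuple

TLDS = ("net", "cc", "org", "com", "info")      # assumed TLD pool
SAMPLE_DAY = date(2009, 1, 20)                    # constructed date for the demo


def daily_domains(day: date, count: int = 250, secret: bytes = b"example-seed") -> List[str]:
    """Candidate hostnames for one calendar day (deterministic in `day` and `secret`)."""
    seed = hashlib.sha256(secret + day.isoformat().encode()).digest()
    names: List[str] = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 5 + digest[0] % 7                          # 5..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[12] % len(TLDS)]}")
    return names


def candidate_window(day: date, before: int = 1, after: int = 1) -> Set[str]:
    """Candidates for day-before .. day+after, since bot clocks and time zones drift."""
    names: Set[str] = set()
    for offset in range(-before, after + 1):
        names.update(daily_domains(day + timedelta(days=offset)))
    return names


def parse_query_log(lines: List[str]) -> Iterator[Tuple[str, str, str, str]]:
    """Parse constructed resolver lines of the form '<time> <client> <qname> <rcode>'."""
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue                                        # skip malformed lines, don't crash
        ts, client, qname, rcode = parts
        yield ts, client, qname.rstrip(".").lower(), rcode


def find_dga_clients(lines: List[str], day: date, min_hits: int = 2) -> Dict[str, List[str]]:
    """Map client -> queried names that fall in the day's candidate set.

    A single hit can be coincidence; `min_hits` trades sensitivity for noise.
    """
    candidates = candidate_window(day)
    hits: Dict[str, List[str]] = {}
    for _, client, qname, _ in parse_query_log(lines):
        if qname in candidates:
            hits.setdefault(client, []).append(qname)
    return {client: names for client, names in hits.items() if len(names) >= min_hits}


def build_sample_log(day: date) -> List[str]:
    """Constructed log: 10.0.0.5 walks the day's list, 10.0.0.9 touches one name by chance."""
    doms = daily_domains(day)
    return [
        f"{day}T09:00:01 10.0.0.5 {doms[3]} NXDOMAIN",
        f"{day}T09:00:02 10.0.0.5 {doms[17]} NXDOMAIN",
        f"{day}T09:00:03 10.0.0.5 {doms[42]} NOERROR",     # the one the attacker registered
        f"{day}T09:00:04 10.0.0.9 www.example.com. NOERROR",
        f"{day}T09:00:05 10.0.0.9 {doms[3]} NXDOMAIN",
        "malformed line with no rcode",
    ]


if __name__ == "__main__":
    print("first candidates for", SAMPLE_DAY, daily_domains(SAMPLE_DAY)[:5])
    print("suspect clients:", find_dga_clients(build_sample_log(SAMPLE_DAY), SAMPLE_DAY))
```

The window of a day either side matters in practice: a bot whose clock is wrong, or that sits in a different time zone from the sensor, queries names from a neighbouring day’s list. The same candidate set is what a registrar-side blocking or sinkholing effort works from.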
Variant
Speaking to the BBC, Kaspersky Lab’s security analyst Eddy Willems said that a new strain of the worm was complicating matters.
“There was a new variant released less than two weeks ago and that’s the one causing most of the problems,” said Mr Willems.
“The replication methods are quite good. It’s using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism.
“Of course, the real problem is that people haven’t patched their software,” he added.
Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.
Posted in Hardware, Internet, Security
Miscreants have unleashed a new strain of a sophisticated Trojan that targets eBay users by feeding them spoofed web pages containing fraudulent information about high-ticket purchases, The Register has learned. It has already contributed to an $8,650 loss by one eBay member.
The Trojan installs a scaled-down webserver on an infected machine that masquerades as eBay and several third-party destinations frequently used to sniff out fraudulent offerings, including Carfax.com, Autocheck.com and Escrow.com.
When a victim browses to one of these sites, the webserver creates a parallel universe of sorts, in which the victim sees counterfeit pages designed to counter fraud protection mechanisms offered by eBay and third-party sites.
“To think that somehow they got software on their system that managed to spoof all the validation sites – that’s a shit-scary story,” said Roger Thompson, a researcher at Exploit Prevention Labs who specializes in web-based attacks. “It’s fiendishly clever.”
The malware was found on the machine of one eBay Motors user who recently lost $8,650 after trying to buy a 2005 Jeep Liberty advertised for 10 days on the site. Customer representatives have refused to cover the theft because, they said, the transaction was made outside of eBay.
Shortly after making the offer, the victim received a notification in the My Messages section of her eBay account telling her she had won the auction. eBay has long cautioned users not to rely on notifications unless they appear in this official section.
The malware installed on the victim’s machine caused her browser to display a counterfeit version of just such a message. Had she used a non-infected computer to access her account, no such message would have appeared.
“There’s no reason to suspect it’s fraud until it’s too late,” said the Ohio-based user, who agreed to tell her story on the condition her identity was not revealed. The Register was able to verify the scam by confirming details with eBay and by reviewing screenshots, emails and files pulled from her machine.
The malware appears to be a reworking of Trojan.Bayrob, which first came to light in early March when researchers from Symantec wrote reports about it.
It arrives as an attachment to an email responding to a bid and installs a local proxy server that redirects traffic bound for eBay. The proxy, according to Symantec, spoofs sensitive pages on eBay, including the auction site’s “ask a question” messaging feature. The Trojan also inflates the user feedback score of the purported buyer, according to Symantec.
In the intervening seven months, the Trojan has been updated so that, among other things, traffic bound for sites such as Carfax and nine other addresses maintained by third-party companies will also be redirected. This helps thwart victims who try to independently confirm details fed on the falsified eBay pages.
eBay spokeswoman Nichola Sharpe says the company’s security team has forwarded samples of the new strain to anti-virus companies so they can add it to the updates they send to customers.
Posted in Security, eCommerce
E-mail scams seek to separate people from their money by promising a share of unclaimed lottery riches, bounty from a dead fugitive, work-at-home schemes and other enticements.
But an Ocean County man recently got an e-mail with a darker twist: Gimme your money, and I’ll cancel the contract someone put out to kill you.
Harry E. Whitworth, 72, of the Whiting section of Manchester Township, opened his e-mail Tuesday to find a curious screed supposedly from a man named Eddy.
“I know that this may sound very surprising to you but it’s the situation,” the e-mail began. “I have been paid some ransom in advance to terminate you with some reasons listed to me by my employer.”
The price to call off the hit: $8,000 — half of which is to be paid up front as a sign of good faith. Sort of.
The e-mail also warned him not to tell friends or relatives, since they might be part of the plot to kill, too.
“I kind of knew it was a scam,” said Whitworth, a retired accountant who lives with his wife in a senior citizen development. “The prosecutor’s office came over to see me and asked if I had been involved in anything in the past that might have caused this to happen.”
Whitworth did some Internet research and found that someone has been running a similar scam in Arizona, with nearly identical e-mails full of typographical errors and misspellings.
The e-mailer promises to send the recipient a videotape of “his employer” putting out the contract on the recipient’s life.
But there were no instructions on how to comply with the demand for cash, and no timetable on when it had to be paid.
Capt. Michael Mohel, a spokesman for the Ocean County Prosecutor’s Office, said the case remains under investigation but declined further comment.
The FBI received 115 complaints of similar e-mails reaching people across the country in less than a month last winter, according to its website. The e-mails vary only in the amount of money demanded, ranging as high as $80,000.
Some even incorporate personal information about the recipient that is widely available from online databases, the FBI said.
Posted in Internet, Security