Maximum PC worm RSS Feed

Redmond Reins in AutoRun, AutoPlay to Help Make Windows More Secure

Mark Edward Soper — Fri, 01 May 2009 19:04:35 -0500

AutoRun and AutoPlay, Microsoft's "dangerous duo" for launching programs from CD/DVD and other removable media types, have become among malware authors' favorite infection vectors - and Microsoft has finally said, "enough already!"

A research study by Forefront Client Security cited by the Engineering Windows 7 blog determined that infections that can be started with AutoRun amounted to 17.7% of detected infections in the second half of 2008.

Although AutoRun was originally designed strictly for optical media, it can be used for other types of media. For example, you can create an autorun.inf file that adds the program on the media to the AutoPlay menu Windows displays, and change the default icon to make the malware program mimic a legitimate program. Conficker used this method to spread, as illustrated here.

Starting in Windows 7 RC, Microsoft has changed how both AutoRun and AutoPlay work:

AutoPlay no longer supports AutoRun on non-optical removable media. An autorun.inf file on a USB or other type of non-optical removable media will be disregarded. Only AutoPlay options that pertain to the types of files on the media will be listed.
When AutoPlay displays programs present on the media, the dialog now states that those programs will be run from the media.

Microsoft's Security Research and Defense blog provides sample dialogs and more details of how these changes work. The best news? Microsoft is planning to extend these security improvements to Windows Vista and XP users as well.

Are there any downsides? For a vigorous discussion of programs and devices that might not work after this change, see the comment thread at the Engineering Windows 7 blog. To start a MaximumPC-style discussion, you know what to do: click Comment and sound off!

Twitter Users Hope Cure for Mikeyy Worm Lasts

Mark Edward Soper — Tue, 14 Apr 2009 18:47:08 -0500

Over Easter weekend, many Twitter fans were getting worms instead of finding Easter Eggs, as the developer of a rival microblogging site (StalkDaily), one 17-year-old Michael "Mikeyy" Mooney, was busy drawing Twitter users to his site by using the so-called "Mikeyy" or "StalkDaily" worm to infect links and Twitter profiles. According to PCWorld and the Twitter status page, the infection has now been brought under control. But inquiring minds want to know, "what happened?" and "how can we stop a future attack?"

Doing a Google search for "Mikeyy" or "TwitterWorm" isn't the best way to find out, though, as the F-Secure security blog points out that fake news sites are being used to infect curious searchers with (unrelated) malware. So what really happened?

Mikeyy/StalkDaily used XSS (Cross-Site Scripting) and CSRF (Cross Site Request Forgery) attacks (we've discussed XSS a number of times here at MaximumPC.com). Website developer and Twitter expert Lynne Pope offers an excellent analysis of how the Mikeyy/StalkDaily attacks worked, and how you can protect yourself from similar exploits in the future:

The very first thing you must do to protect yourself is this - do not browse to any sites while logged on to another site. Leaving authentication cookies exposed is dangerous. Log off, then navigate away.

Ms. Pope also recommends:

Firefox fans should use NoScript to prevent scripts from running without explicit permission.
Use the Hosts file to block domains pointed to by malware.
Use tools available at LongURL.org to determine where short URLs are actually pointing to (Mikeyy/StalkDaily used bit.ly and tinyurl.com to conceal the actual websites used for spreading the worm).

Were you affected by the Mikeyy/StalkDaily worm? Hit Comment and tell us your war stories.

Twitter logo courtesy of a MESS of commentary.

This is No Joke: Conficker.C to Strike on April Fools' Day

Mark Edward Soper — Mon, 16 Mar 2009 17:06:59 -0500

Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:

Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
Creating access control entries and locking the file(s)
Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method

To find out what happens when Conficker.C strikes, join us after the jump.

Conficker.C's payload makes it harder than ever to recover from being infected:

Deactivates Windows Security Center notifications
Prevents restart in Safe Mode
Prevents Windows Defender from running at system startup
Deletes all system restore points
Disables various error-reporting and security services
Terminates over twenty security-related processes
Blocks DNS queries
Blocks access to security and antivirus websites
And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

See the Win32/Conficker.C writeup at CA's website for complete technical details.

Microsoft, Panda Software, Symantec, and McAfee are just a few of the vendors that have now updated their threat encyclopedias to include Conficker.C (it's sometimes listed as Conficker.B++). Since Conficker.B and the new Conficker.C are designed to block access to antivirus websites, you might want to download removal tools now - just in case. You can get one developed by BitDefender from the Downadup.org website (Downadup is the alternative name for Conficker); however, keep in mind that ArsTechnica isn't certain if it will remove Conficker.C (it will remove older versions).

Naturally, prevention's way better than curing a nasty worm outbreak. To learn more about preventing infections, and for links to additional removal tools, see our previous Conficker articles.

Have you been hit by any Conficker version? Any tips for the rest of us? Hit Comment and pass them along.

USB flash drives illustration courtesy of BBC.

Microsoft Hopes It Has a Winning Hand to Stop Conficker Worm

Mark Edward Soper — Fri, 13 Feb 2009 17:13:54 -0600

The folks in Redmond are tired of hearing about the Conficker worm. Although Microsoft issued a patch back in October, Conficker's infected over 9 million PCs and crippled French and British military assets. Redmond's answer: a cool $250,000 reward for information leading to the arrest and conviction of Conficker's creators.

And, that's not all Microsoft has up its sleeve.

Ace number two: it's formed a posse to help stop Conficker in its tracks. Members of the Microsoft posse include antivirus, domain name providers, and research organizations such as the Internet Corporation for Assigned Names and Numbers (ICANN), VeriSign, NeuStar, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence.
Ace number three: a special Conficker website that provides more information about the Conficker (aka Downadup), including manual removal tools.

What's the fourth ace in Redmond's hand? You. If you are managing home or office systems that aren't yet protected against Conficker, get busy. Microsoft's Conficker website provides the links and tools you need to protect your PCs, but they don't work unless you use them.

Illustration by the author.

Conficker Worm Shuts Down French and UK Air Forces

Mark Edward Soper — Tue, 10 Feb 2009 21:51:47 -0600

The London Telegraph reports that the Conficker (aka Downadup and Kido) worm virtually shut down both the French naval air force and Great Britain's RAF and Royal Navy for some time last month.

Ironically, the French had been warned as far back as October to harden their systems, but as we reported last month, millions of PCs haven't yet been protected by installing KB958644. As with other infections, the culprit appears to have been an infected USB flash memory key, and the infection prevented the French Navy's Rafael multi-role combat aircraft from being flown for several days in mid-January. The non-secured Intramar French navy computer network was also infected - users of Intramar were even told not to use their PCs!

Across the English Channel, the British were having problems of their own with a variant of Conficker. The Fujitsu-supplied NavyStar (N*) email and computer support system was the target of the outbreak. More than 24 RAF bases and 75% of the Royal Navy fleet, including the aircraft carrier Ark Royal, were infected by Conficker.

Any idea why the IT managers forgot to protect their systems? What about the possibility that an attack like this could be the first wave of a major war? Hit Comment and tell us what you think (or fear).

French Naval Aviation and RAF roundels courtesy Wikimedia Commons. USB flash drives image courtesy BBC.

Conficker Worm's Infected Over 9 Million PCs - Is Your Work or Home PC One of Them?

Mark Edward Soper — Wed, 21 Jan 2009 17:22:17 -0600

Remember Microsoft's rare out-of-band security update from last October, MS08-067? Microsoft warned us then that Windows XP, Windows Server 2003, and Windows 2000 SP4 were especially vulnerable to being attacked. Windows Update probably took care of patching your home computer. However, companies and individuals that were slow to patch their fleets of PCs with KB958644 could find their computers now infected by a nasty worm called Conficker, Downadup or Kido.

How big a deal is Conficker/Downadup? According to F-Secure, the number of infected machines went from 2.4 million to 8.9 million in just four days as of last Friday. Panda Security now estimates that as many as one in every 16 PCs may be infected. F-Secure wraps up its analysis by saying "The situation with Downadup is not getting better. It's getting worse." Panda compares the outbreak with the legendary Kournikova (2001) and Blaster (2003) outbreaks.

The Conficker/Downadup family of worms is a nasty bunch for several reasons:

According to F-Secure, recent variants of Conficker attach themselves to several processes, disable Windows security services such as Windows Defender, Windows Error Reporting Services, and others, and create a registry entry for faster propagation across a network.

As Symantec points out, the W32.Downadup.B variant not only exploit the original Windows Server Service RPC Handling Remote Code variation, but can also spread through infected USB flash memory drives and by cracking weak network passwords. These latter methods are widely used by Conficker/Downadup to attack corporate networks.

Conficker/Downadup.B also infects mapped drives with autorun.inf files that spread the worm and blocks DNS requests to security sites to prevent downloading of updated antivirus and antimalware programs.

Perhaps the scariest facts about Conficker, though, are these:

Conficker generates hundreds of domain names daily, but will only use a single one of the domains listed for downloading malicious files, making it very difficult to trace the actual infection sites.
Conficker's payload - what it was designed to do - has not been triggered and is not yet known. What the developers of Conficker could do with millions of compromised PCs, the majority of which are on corporate networks, is frightening.

Stopping Conficker

If you depend upon USB flash memory drives (and who doesn't?), get the low-down from the US-CERT website on how to effectively disable Autorun. Look for TA09-020A; unfortunately, Microsoft's advice (cited i the article) doesn't do the job.

Already infected? To get rid of Conficker/Downadup/Kido, see Microsoft Knowledge Base article KB962007, check with your favorite antimalware vendor for updated virus/malware signatures or download these free removal tools:

F-Secure's Downadup removal page
Symantec's Conficker removal page
Microsoft's Malicious Software Removal Tool page

USB flash drives illustration courtesy of BBC.

Worm Targeted at Online Gamers Infects Laptop in Space

Pulkit Chandna — Tue, 02 Sep 2008 20:30:18 -0500

A computer worm primarily targeted at online gamers has found a very odd prey in form of the International Space Station. NASA confirmed last week that a computer worm had boarded the International Space Station and infected at least one laptop. Fortunately, though, none of the mission-critical systems were affected by the password-grabbing worm. NASA hasn’t revealed the name of the worm, but a website says that it is W32.Gammima.AG. Most of you might find the entire episode quite surprising and amusing, but the folks at NASA seem to be inured to computer worms aboard the ISS because this is not the first such instance.

MySpace and Facebook Users Targeted by New Koobface Worm

Mark Edward Soper — Mon, 04 Aug 2008 15:07:27 -0500

MySpace and Facebook users now have bigger worries than whether Wordscraper will stay online: two new worms, known as the Koobface family, are attacking Windows users of these popular social networking (or "Notworking" sites, as our friends at The Inquirer call them). These new worms pose a threat to the peace of mind of people like Zac Koobface (a real Facebook user, by the way).

Kapersky Labs was the first to detect these worms: Net-Worm.Win32.Koobface.a (targets MySpace) and Net-Worm.Win32.Koobface.b (targets Facebook). McAfee refers to both worms as W32/Koobface.worm, while Symantec uses the terms W32.Koobface.A and W32.Koobface.B.

Both worms send comments or messages to other users of the service. The messages or comments contain alleged links to humorous YouTube files (such as "Paris Hilton Tosses Dwarf On The Street"). When the user clicks on the link, the link redirects to a website that displays an error message claiming the user needs an updated codec to enable the Adobe Flash player to play the video. The alleged Flash player update (codecsetup.exe) contain the worm.

When the Koobface.A worm runs, it configures itself to run automatically when the system starts, checks for MySpace cookies, and if it finds them, modifies the user's profile by adding links to malicious sites that contain the worm. To learn more about Koobface.A and Koobface.B, check the McAfee and Symantec links earlier in this article.

If you use Kapersky, McAfee, or Symantec antivirus, the latest virus definitions will detect and stop these worms. If you use other antivirus or anti-malware programs, check for updates daily - and don't click on funny video links from other MySpace or Facebook users. The results just aren't very funny.

Original illustration by the author.