Posted 08/31/09 at 11:41:03 AM by Mark Edward Soper
AutoRun was originally intended to start programs stored on optical media automatically. Once USB drives became common, however, AutoRun also became a convenient way to launch programs from hard disks and thumb drives by working with Windows' built-in AutoPlay functionality. Unfortunately, AutoRun's ability to launch programs instantly has been widely exploited by malware such as the notorious Conficker/Downadup worm and others. Microsoft changed how AutoRun works in Windows 7 RC, but until now Windows XP, Windows Vista, and Windows Server 2003 have been wide open to USB-based AutoRun attacks. To find out how Redmond is reining in AutoRun, join us after the jump.

Posted 08/28/09 at 10:15:50 AM by Paul Lilly
One of the nastiest worms in recent history, the Conficker worm, which first surfaced in October 2008, managed to infect over 9 million PCs, shut down French and British military assets, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.
Nearly a year later, the hefty reward remains uncollected while security experts continue trying to trace Conficker's origins and erase the threat. But it's still out there, as is the threat of another attack.
"It's using the best current practices and state of the art to communicate and to protect itself," Rodney Joffe, director of the Conficker Working Group, said of the worm. "We have not found the trick to take control back from the malware in any way."
After all this time, researchers are still left speculating about what exactly Conficker was ultimately designed to do. It could be as simple as generating large amounts of spam, or it could record keystrokes and steal users' login information. On a larger and more frightening scale, researchers say it's possible Conficker was designed by an intelligence agency or another country's military to monitor or disable an enemy's computers.
On the bright side, no one is sitting idly by waiting for Conficker to strike again. While security experts continue to work on ways to eradicate the worm, Conficker remains an open investigation with the FBI, which reportedly has a few leads.
More info here.
Posted 05/01/09 at 07:04:35 PM by Mark Edward Soper

AutoRun and AutoPlay, Microsoft's "dangerous duo" for launching programs from CD/DVD and other removable media types, have become among malware authors' favorite infection vectors - and Microsoft has finally said, "enough already!"
Forefront Client Security telemetry cited by the Engineering Windows 7 blog determined that infections that can be started via AutoRun amounted to 17.7% of detected infections in the second half of 2008.
Although AutoRun was originally designed strictly for optical media, it can be used for other types of media. For example, you can create an autorun.inf file that adds the program on the media to the AutoPlay menu Windows displays, and change the default icon to make the malware program mimic a legitimate program. Conficker used this method to spread, as illustrated here.
Starting in Windows 7 RC, Microsoft has changed how both AutoRun and AutoPlay work:
- AutoPlay no longer supports AutoRun on non-optical removable media. An autorun.inf file on a USB or other type of non-optical removable media will be disregarded. Only AutoPlay options that pertain to the types of files on the media will be listed.
- When AutoPlay displays programs present on the media, the dialog now states that those programs will be run from the media.
To learn more about these changes, and to find out what other Microsoft operating systems will eventually get similar protection, join us after the jump.
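Both AutoRun posts above describe the same mechanism: a few keys in the [autorun] section of autorun.inf name a program to launch and dress it up to look like Explorer's own folder action, and the Windows 7 RC change simply stops honoring those keys on non-optical media. As an added example (not code from the article or from Microsoft), the following Python parses an autorun.inf the way AutoRun reads it (only the [autorun] section, case-insensitive names, ';' comments, non key=value lines skipped), reports which program would be offered under the old behavior and under the Windows 7 RC rule for a given media type, and flags the disguise described above. The sample autorun.inf, the program path, the drive-type labels and the spoofing heuristics are constructed for illustration; the tolerant handling of junk lines is an assumption about the INF reader, not verified against Windows source.

```python
import re
from typing import Dict, List, Optional

# Constructed sample (not taken from any real worm): an autorun.inf that
# disguises its program entry as Explorer's own "Open folder to view files"
# action and borrows a stock shell icon. The junk line stands in for the
# padding a worm can use to make the file look unparseable to casual tools.
SAMPLE_INF = """\
[AutoRun]
; comment lines are ignored
\x01\x02 random padding that is not a real entry
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=Documents\\setup.exe
useautoplay=1
"""

# Constructed drive-type labels for the example (not Win32 constants).
CDROM, REMOVABLE, FIXED = "cdrom", "removable", "fixed"

# Text Windows itself shows for the genuine open-folder AutoPlay task.
SHELL_OPEN_FOLDER_TEXT = "open folder to view files"


def parse_autorun_inf(text: str) -> Dict[str, str]:
    """Return the key=value pairs of the [autorun] section, keys lower-cased.

    Only [autorun] is read; section and key names are case-insensitive;
    ';' starts a comment; lines that are not key=value pairs are skipped
    (assumption modelled here: the reader tolerates junk, as the article's
    description of padded autorun.inf files implies).
    """
    keys: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        keys[key.strip().lower()] = value.strip()
    return keys


def autorun_command(entry: Dict[str, str], drive_type: str,
                    honor_on_non_optical: bool) -> Optional[str]:
    """Program AutoRun would offer to launch for this media, or None.

    honor_on_non_optical=True models XP/Vista/Server 2003 before the change,
    where autorun.inf on a USB drive is honored; False models Windows 7 RC,
    where autorun.inf is disregarded on anything but optical media and only
    content-based AutoPlay options remain.
    """
    if drive_type != CDROM and not honor_on_non_optical:
        return None
    # Either key names a program to run; the example does not model which
    # one Windows prefers when both are present.
    return entry.get("open") or entry.get("shellexecute")


def spoofing_indicators(entry: Dict[str, str]) -> List[str]:
    """Heuristic signals that the entry imitates Explorer's own folder action."""
    hits: List[str] = []
    if entry.get("action", "").strip().lower() == SHELL_OPEN_FOLDER_TEXT:
        hits.append("action text copies the shell's 'Open folder to view files'")
    if "shell32.dll" in entry.get("icon", "").lower():
        hits.append("icon borrowed from shell32.dll")
    return hits


def assess(text: str, drive_type: str) -> Dict[str, object]:
    """Summarize what the media would do on old Windows vs. Windows 7 RC."""
    entry = parse_autorun_inf(text)
    return {
        "program": entry.get("open") or entry.get("shellexecute"),
        "offered_pre_change": autorun_command(entry, drive_type, True),
        "offered_win7_rc": autorun_command(entry, drive_type, False),
        "spoofing": spoofing_indicators(entry),
    }


if __name__ == "__main__":
    for media in (REMOVABLE, CDROM):
        print(media, assess(SAMPLE_INF, media))
```

Run against the sample, the removable-media case shows the program offered under the old rules and suppressed under the Windows 7 RC rule, while the optical-media case is offered in both; the two spoofing indicators fire regardless of media type, which is why the Windows 7 RC dialog also started stating that listed programs run from the media.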
Posted 04/27/09 at 02:42:14 AM by Justin Kerr
The mainstream media's fascination with the Conficker worm is somewhat amusing, but the actions of the world's most famous piece of malware, on the other hand, are not. According to Fox News, Conficker is finally starting to show signs of life and has begun organizing thousands of machines into a botnet to send email spam and spread malware.
Anybody running antivirus software or Windows Update is pretty much protected from Conficker at this point, but amazingly this still leaves millions of machines to worry about. It remains to be seen how much longer Conficker will continue to plague the web, but hopefully, at the very least, this brings computer security to the minds of mainstream users.
So Conficker is spreading spam and spyware? Anyone surprised?

Posted 04/09/09 at 05:15:00 PM by Paul Lilly
Streetlights didn't stop working, satellites never fell from orbit, and the internet didn't spontaneously combust. So what exactly did the Conficker.c worm manage to accomplish? So far, the answer is "not much," but Trend Micro warns the worm has started making its move.
It's been just over a week since Conficker.c was supposed to turn machines against man in an epic battle not even Will Smith (the actor, not the Editor-in-Chief) would be able to defeat, and while we can probably put such related fears to rest, Trend Micro security researchers say machines already infected with the worm have begun receiving a new payload through P2P. The payload is being detected as WORM_DOWNAD.E.
"Basically the component it's downloading via peer-to-peer is just a dropper -- so it drops yet another component, which we are in the process of finalizing analysis on now," Trend Micro researcher Paul Ferguson said in a conversation with eWEEK. "It looks like it has some rootkit capabilities, but beyond that right now I can't go into any additional detail, I don't have complete information in front of me."
Conficker.c received much media attention prior to April 1st, when the worm was expected to wreak all kinds of havoc. But April Fool's Day has come and gone without much movement from the worm, which either means the threat was grossly overblown, or its writers are waiting for the dust to settle.
Posted 04/01/09 at 01:00:00 PM by Paul Lilly
April Fools' Day might be all fun and games for some, but if you manage to fall prey to the Conficker worm, it's no laughing matter. As reported earlier this month by our very own Mark Soper, the third version of Conficker (Conficker.c) is set to wreak havoc tomorrow, April 1st. Here's what you need to know.
What is Conficker?
Conficker is one of the nastiest computer worms in recent history to go on the warpath against Windows-based PCs. First surfacing in October 2008, Conficker targets Windows 2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2 Beta, and even Windows 7. To date, Conficker has infected over 9 million PCs, shut down French and British military assets, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.
What Does it Do?
The first two versions of Conficker -- variants A and B -- exploit a vulnerability in the Windows Server service (the flaw patched by Microsoft's October 2008 update, MS08-067) to spread from an already-infected computer to other machines on the network. Once a machine is infected, the worm goes to work exploiting the same network hole, brute-forcing administrator passwords on network shares, blocking access to security websites and automatic update services, disabling Windows Update, Windows Defender and related services, resetting System Restore points and, among other things, leaving the machine open to further infection from other compromised hosts.
What Happens Tomorrow?
One of the scariest things about Conficker, including Conficker.c, is that its full potential is unknown. Come tomorrow, those infected might be prompted to buy fake software products, or it could start monitoring keystrokes to lift sensitive information like banking passwords. Files could end up deleted, or it might transform your computer into a zombie PC while staying under the radar. Whatever it ends up doing, it won't be good, and you need to take proper precautions right now.
Join us after the jump to find out how to avoid infection, or what you can do if it's already too late. **Now with April 1st Update!**
Posted 03/16/09 at 05:06:59 PM by Mark Edward Soper

Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts most fiendish, version of the Conficker worm that has already infected millions of PCs is set to attack on April 1st, Ars Technica reports. Conficker.C is designed to hide itself even more thoroughly than its older siblings, using tricks such as:
- Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
- Creating access control entries and locking the file(s)
- Registering dummy services using a "one (name) from column A, one from column B, and two from column C" method
To find out what happens when Conficker.C strikes, join us after the jump.
Posted 02/13/09 at 05:13:54 PM by Mark Edward Soper

The folks in Redmond are tired of hearing about the Conficker (aka Downadup) worm. Although Microsoft issued a patch back in October, Conficker has infected over 9 million PCs and crippled French and British military assets. Redmond's answer: a cool $250,000 reward for information leading to the arrest and conviction of Conficker's creators.
And, that's not all Microsoft has up its sleeve. To find out the rest of Microsoft's anti-Conficker strategy, join us after the jump.