Posted 05/01/09 at 07:04:35 PM by Mark Edward Soper

AutoRun and AutoPlay, Microsoft's "dangerous duo" for launching programs from CD/DVD and other removable media types, have become among malware authors' favorite infection vectors - and Microsoft has finally said, "enough already!"

A research study by Forefront Client Security cited by the Engineering Windows 7 blog determined that infections that can be started with AutoRun amounted to 17.7% of detected infections in the second half of 2008.

Although AutoRun was originally designed strictly for optical media, it can be used for other types of media. For example, you can create an autorun.inf file that adds the program on the media to the AutoPlay menu Windows displays, and change the default icon to make the malware program mimic a legitimate program. Conficker used this method to spread, as illustrated here.

Starting in Windows 7 RC, Microsoft has changed how both AutoRun and AutoPlay work:

1. AutoPlay no longer supports AutoRun on non-optical removable media. An autorun.inf file on a USB or other type of non-optical removable media will be disregarded. Only AutoPlay options that pertain to the types of files on the media will be listed.
2. When AutoPlay displays programs present on the media, the dialog now states that those programs will be run from the media.

To learn more about these changes, and to find out what other Microsoft operating systems will eventually get similar protection, join us after the jump. 

Read More

Posted 04/14/09 at 06:47:08 PM by Mark Edward Soper

Over Easter weekend, many Twitter fans were getting worms instead of finding Easter Eggs, as the developer of a rival microblogging site (StalkDaily), one 17-year-old Michael "Mikeyy" Mooney, was busy drawing Twitter users to his site through infected links and Twitter profiles. According to PCWorld and the Twitter status page, the infection has now been brought under control. But inquiring minds want to know, "what happened?" and "how can we stop a future attack?" 

Doing a Google search for "Mikeyy" or "TwitterWorm" isn't the best way to find out, though, as the F-Secure security blog points out that fake news sites are being used to infect curious searchers with (unrelated) malware. To get the real scoop, join us after the jump.

Read More

Posted 03/16/09 at 05:06:59 PM by Mark Edward Soper

Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings, using tricks such as:

• Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
• Creating access control entries and locking the file(s)
• Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method

To find out what happens when Conficker.C strikes, join us after the jump.

Read More

Posted 02/13/09 at 05:13:54 PM by Mark Edward Soper

The folks in Redmond are tired of hearing about the Conficker (aka Downadup) worm. Although Microsoft issued a patch back in October, Conficker's infected over 9 million PCs and crippled French and British military assets. Redmond's answer: a cool $250,000 reward for information leading to the arrest and conviction of Conficker's creators.

And, that's not all Microsoft has up its sleeve. To find out the rest of Microsoft's anti-Conficker strategy, join us after the jump.

Read More

Posted 02/10/09 at 09:51:47 PM by Mark Edward Soper

The London Telegraph reports that the Conficker (aka Downadup and Kido) worm virtually shut down both the French naval air force and Great Britain's RAF and Royal Navy for some time last month.

Ironically, the French had been warned as far back as October to harden their systems, but as we reported last month, millions of PCs hadn't yet been protected by installing KB958644. How bad was the infection, and how was it spread? Hit your afterburners and join us after the jump for details.

Read More

Posted 01/21/09 at 05:22:17 PM by Mark Edward Soper

Remember Microsoft's rare out-of-band security update from last October, MS08-067? Microsoft warned us then that Windows XP, Windows Server 2003, and Windows 2000 SP4 were especially vulnerable to being attacked. Windows Update probably took care of patching your home computer. However, companies and individuals that were slow to patch their fleets of PCs with KB958644 could find their computers now infected by a nasty worm called Conficker, Downadup or Kido.

How big a deal is Conficker/Downadup? According to F-Secure, the number of infected machines went from 2.4 million to 8.9 million in just four days as of last Friday.  Panda Security now estimates that as many as one in every 16 PCs may be infected. F-Secure wraps up its analysis by saying "The situation with Downadup is not getting better. It's getting worse." Panda compares the outbreak with the legendary Kournikova (2001) and Blaster (2003) outbreaks.

How does Conficker/Downandup spread, and what can you do about it? Join us after the jump to learn more.

Read More

Posted 09/02/08 at 08:30:18 PM by Pulkit Chandna

A computer worm primarily targeted at online gamers has found a very odd prey in form of the International Space Station. NASA confirmed last week that a computer worm had boarded the International Space Station and infected at least one laptop. Fortunately, though, none of the mission-critical systems were affected by the password-grabbing worm. NASA hasn’t revealed the name of the worm, but a website says that it is W32.Gammima.AG. Most of you might find the entire episode quite surprising and amusing, but the folks at NASA seem to be inured to computer worms aboard the ISS because this is not the first such instance.

Read More

Posted 08/04/08 at 03:07:27 PM by Mark Edward Soper

MySpace and Facebook users now have bigger worries than whether Wordscraper will stay online: two new worms, known as the Koobface family, are attacking Windows users of these popular social networking (or "Notworking" sites, as our friends at The Inquirer call them). These new worms pose a threat to the peace of mind of people like Zac Koobface (a real Facebook user, by the way).

Kapersky Labs was the first to detect these worms: Net-Worm.Win32.Koobface.a (targets MySpace) and Net-Worm.Win32.Koobface.b (targets Facebook). McAfee refers to both worms as W32/Koobface.worm, while Symantec uses the terms W32.Koobface.A and W32.Koobface.B.

Both worms send comments or messages to other users of the service. The messages or comments contain alleged links to humorous YouTube files (such as "Paris Hilton Tosses Dwarf On The Street"). When the user clicks on the link, the link redirects to a website that displays an error message claiming the user needs an updated codec to enable the Adobe Flash player to play the video. The alleged Flash player update (codecsetup.exe) contain the worm.

When the Koobface.A worm runs, it configures itself to run automatically when the system starts, checks for MySpace cookies, and if it finds them, modifies the user's profile by adding links to malicious sites that contain the worm. To learn more about Koobface.A and Koobface.B, check the McAfee and Symantec links earlier in this article.

If you use Kapersky, McAfee, or Symantec antivirus, the latest virus definitions will detect and stop these worms. If you use other antivirus or anti-malware programs, check for updates daily - and don't click on funny video links from other MySpace or Facebook users. The results just aren't very funny.

Been bugged by these or other social-networking worms? Tell us your story after the jump!

Read More