
Report: 2.5 Million PCs Infected With Conficker Worm


5 replies to this topic

#1 malcontent70 (Newbie, 34 posts)

Posted 15 January 2009 - 04:59

Report: 2.5 million PCs infected with Conficker worm

According to F-Secure, there are already almost 2.5 million PCs infected with the Conficker worm, also known as Downadup. Since the worm has the ability to download new versions of itself, it is expected that the infection could spread much further. The new code is downloaded from domain names generated with a complex algorithm, making it hard to predict what domains will be used to spread the worm's updates.

F-Secure has managed to predict some of the new domains and registered them itself. This has allowed them to analyse the connections that the worm is making. While this puts them in a position to attempt to remotely disinfect Conficker en masse, for legal reasons the company has decided not to do so. However, the information gathered from their registered domains has allowed them to estimate the size of the worm infection.

Many of the calls to the domains are from infected machines within corporate networks, through firewalls or NAT implementations, which means that although F-Secure may only see one IP address, there could be thousands of machines behind that address that are infected with Conficker. Allowing for that and using "some additional tricks", the F-Secure team have estimated that there are 2,395,963 infections worldwide, and call this figure a conservative estimate.

There are three variants of Conficker out there. The A version exploits an RPC vulnerability in Windows. The B and C versions do that too, but also attempt to find weak administrator passwords using a built-in list of passwords. This means that not only should administrators install Microsoft's security updates, but also ensure that they are using strong passwords.

Tuesday's Microsoft patch included updates to the Malicious Software Removal Tool, which is able to recognise and eliminate the worm.

#2 malcontent70 (Newbie, 34 posts)

Posted 15 January 2009 - 08:57

The Conficker worm now attacks (and most likely infects):

* Shared Computers with weak passwords (home users in workgroups)
* Computers without the latest security updates. Go here to download all your critical Microsoft patches!
* USB sticks and external hard drives
* Computers with open shares (common in corporate networks)
* Computers with weak passwords. Conficker is actually hacking weak passwords. Once it does I'm assuming it jumps onto a share or admin share (like c$).

To prevent your computers at home or on a corporate network from becoming infected please download and install:

http://www.microsoft.com/technet/security/...n/MS08-067.mspx


Conficker is detected as:

Win32/Conficker.A (CA)
W32.Downadup.B (Symantec)
Mal/Conficker-A (Sophos)
Trojan.Win32.Agent.bccs (Kaspersky)

Description Per Microsoft:

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

To remove this worm you can run the latest Malicious Software Removal Tool (MSRT)
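The post above describes the B/C variants walking a built-in password list against admin shares such as c$. The following is an added example, not code from the post or from any vendor: a small detector that runs over failed-logon records (on Windows these would come from the security log, e.g. event 4625 on Vista/2008 or 529 on XP/2003, logon type 3 for network logons) and flags a source host that produces a burst of failed logons against one target, then checks whether a successful logon from the same source followed the burst. The pipe-separated records, the host names, the IP addresses and the window/threshold values are all constructed for the example.

```python
"""Flag sources that look like Conficker-style password brute-forcing of admin shares.

Added example; the log format and sample records below are constructed, not real.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "timestamp|src_ip|target_host|account|status".
# Not in time order on purpose, as exported logs often are not.
SAMPLE_LOG = """\
2009-01-15T04:51:02|10.0.5.17|FILESRV01|Administrator|FAILED
2009-01-15T04:51:03|10.0.5.17|FILESRV01|Administrator|FAILED
2009-01-15T04:51:03|10.0.5.17|FILESRV01|Administrator|FAILED
2009-01-15T04:51:04|10.0.5.17|FILESRV01|Administrator|FAILED
2009-01-15T04:51:05|10.0.5.17|FILESRV01|Administrator|FAILED
2009-01-15T04:51:06|10.0.5.17|FILESRV01|Administrator|FAILED
2009-01-15T04:51:07|10.0.5.17|FILESRV01|Administrator|FAILED
2009-01-15T04:51:08|10.0.5.17|FILESRV01|Administrator|FAILED
2009-01-15T04:51:09|10.0.5.17|FILESRV01|Administrator|SUCCESS
2009-01-15T04:40:00|10.0.5.90|FILESRV01|Administrator|FAILED
2009-01-15T04:43:00|10.0.5.90|FILESRV01|Administrator|FAILED
2009-01-15T04:46:00|10.0.5.90|FILESRV01|Administrator|FAILED
2009-01-15T04:49:00|10.0.5.90|FILESRV01|Administrator|FAILED
2009-01-15T04:52:00|10.0.5.90|FILESRV01|Administrator|FAILED
2009-01-15T04:52:30|10.0.5.44|FILESRV01|jsmith|FAILED
2009-01-15T04:55:11|10.0.5.44|FILESRV01|jsmith|SUCCESS
"""

WINDOW = timedelta(seconds=60)   # assumed: a worm walks its list in seconds, not hours
THRESHOLD = 5                    # assumed: failures inside WINDOW that trigger an alert


def parse_log(text):
    """Parse the constructed pipe-separated format into (time, src, target, account, status)."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, target, account, status = line.split("|")
        events.append((datetime.fromisoformat(ts), src, target, account, status))
    return events


def find_spray_sources(events, window=WINDOW, threshold=THRESHOLD):
    """Return {(src_ip, target_host): {"failures": peak, "followed_by_success": bool}}
    for every source that produced >= threshold failed logons within `window`
    against the same target. `failures` is the largest number of failures seen
    inside any single window, so slow, spread-out failures do not trigger."""
    by_pair = defaultdict(list)
    for ev in sorted(events):                 # sort by timestamp first
        by_pair[(ev[1], ev[2])].append(ev)

    alerts = {}
    for pair, evs in by_pair.items():
        fails = [e[0] for e in evs if e[4] == "FAILED"]
        start, peak = 0, 0
        for end in range(len(fails)):         # sliding window over failure times
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = fails[-1]
            # a success after the burst means the password list most likely hit
            success_after = any(e[4] == "SUCCESS" and e[0] >= last_fail for e in evs)
            alerts[pair] = {"failures": peak, "followed_by_success": success_after}
    return alerts


if __name__ == "__main__":
    for (src, target), info in find_spray_sources(parse_log(SAMPLE_LOG)).items():
        print(f"{src} -> {target}: {info['failures']} failures in one window, "
              f"success afterwards: {info['followed_by_success']}")
```

In the sample, 10.0.5.17 fires eight failures in six seconds and then logs in, which is the pattern the post describes; 10.0.5.90 also fails five times, but three minutes apart, so it stays below the threshold for any one window, and 10.0.5.44 is a user mistyping a password once. Tune the window and threshold to the environment before trusting the alert.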

#3 malcontent70 (Newbie, 34 posts)

Posted 16 January 2009 - 20:35

http://www.computerworld.com/action/articl...ticleId=9126038

In related news, a researcher at McAfee Inc. today said that the author of Downadup/Conficker worm took a shortcut when crafting the malware by grabbing functional exploit code from Metasploit, the open-source penetration testing framework.

"By using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading," said Xiao Chen, a McAfee security researcher, in an entry to the company's blog. "We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills.

"It's obvious that worm writers are abusing open-source tools to their advantage to make their work easier," Chen added.



#4 risl (Member, 228 posts)

Posted 16 January 2009 - 21:14

Known as Win32.HLLW.Shadow from Dr.Web :rolleyes:

#5 Borka (Banned for flooding, 19,512 posts)

Posted 16 January 2009 - 23:36

Known as Win32.HLLW.Shadow from Dr.Web :)

As I understand, it is also known as Win32.HLLW.Autoruner.5555.
But today I heard a different figure for infected PCs: over 3.5 million. :rolleyes:
Regards,
Борис А. Чертенко aka Borka.

#6 malcontent70 (Newbie, 34 posts)

Posted 19 January 2009 - 15:37

Superworm seizes 9 million PCs, 'stunned' researchers say

http://www.theregister.co.uk/2009/01/16/9m...dup_infections/

By Dan Goodin in San Francisco

Downadup, the superworm that attacks a patched vulnerability in Microsoft Windows, is making exponential gains if estimates from researchers at F-Secure are accurate. They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million.


Not all security watchers are convinced there really are 9 million machines infected by Downadup. Paul Royal, chief scientist with anti-botnet company Damballa, said his researchers have counted only about 500,000 unique IP addresses connecting to Downadup's master control server. That would imply an average of 18 infected machines behind each address, a number he says is unlikely.
The skepticism prompted F-Secure researchers to explain their methodology for the mind-boggling number. By infiltrating Downadup's control channel and analyzing logs of machines that connected, researchers discovered a counter believed to show the number of other PCs the compromised machine has infected.

After creating a script that totaled all those numbers together, F-Secure deduced 8.97 million machines have been compromised, up from 2.4 million on Tuesday.
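The two counting methods the article contrasts (Damballa's unique-IP count versus F-Secure's "total the per-host counters" script) are easy to reproduce side by side. The block below is an added example, not F-Secure's script and not Conficker's real callback format: it assumes a sinkhole web server whose access log records the callback source IP and a query parameter `q` carrying the counter the article describes, parses those lines, and produces both estimates plus the implied hosts-per-IP ratio that Damballa questioned. The log lines, IP addresses and counter values are constructed for the example.

```python
"""Two population estimates from a sinkhole log: unique IPs vs. summed per-host counters.

Added example; the access-log format and all records below are constructed,
and `q=<counter>` is an assumed encoding of the counter, not the worm's real one.
"""
import re

# Constructed sinkhole access log (assumed to be in time order). The robots.txt
# line stands in for unrelated traffic a sinkhole also receives.
SINKHOLE_LOG = """\
203.0.113.5 - [16/Jan/2009:10:02:11 +0000] "GET /search?q=7 HTTP/1.0" 200 12
203.0.113.5 - [16/Jan/2009:10:02:19 +0000] "GET /search?q=12 HTTP/1.0" 200 12
198.51.100.20 - [16/Jan/2009:10:03:01 +0000] "GET /search?q=0 HTTP/1.0" 200 12
192.0.2.77 - [16/Jan/2009:10:03:40 +0000] "GET /search?q=3 HTTP/1.0" 200 12
198.51.100.99 - [16/Jan/2009:10:04:00 +0000] "GET /robots.txt HTTP/1.0" 404 0
192.0.2.77 - [16/Jan/2009:10:05:12 +0000] "GET /search?q=3 HTTP/1.0" 200 12
203.0.113.200 - [16/Jan/2009:10:06:45 +0000] "GET /search?q=25 HTTP/1.0" 200 12
"""

# Only callbacks that carry the counter are of interest; everything else is skipped.
LINE_RE = re.compile(r'^(?P<ip>\d+(?:\.\d+){3}) .*?"GET /search\?q=(?P<count>\d+) HTTP')


def parse_sinkhole_log(text):
    """Return [(source_ip, counter), ...] in log order, ignoring non-callback lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append((m["ip"], int(m["count"])))
    return records


def unique_ip_count(records):
    """The Damballa-style figure: one infection per distinct source address."""
    return len({ip for ip, _ in records})


def latest_counter_per_ip(records):
    """Keep the most recent counter per IP; a host reports a growing cumulative
    value, so summing every callback would count the same victims repeatedly."""
    latest = {}
    for ip, count in records:
        latest[ip] = count          # later lines overwrite earlier ones
    return latest


def estimate_population(records):
    """The F-Secure-style figure: every reporting address plus the victims it
    claims to have infected. Returns both numbers and the implied ratio."""
    latest = latest_counter_per_ip(records)
    reporters = len(latest)
    propagated = sum(latest.values())
    total = reporters + propagated
    return {
        "unique_ips": reporters,
        "counter_total": propagated,
        "estimate": total,
        "hosts_per_ip": total / reporters if reporters else 0.0,
    }


if __name__ == "__main__":
    recs = parse_sinkhole_log(SINKHOLE_LOG)
    print("unique IPs:", unique_ip_count(recs))
    print("counter-based:", estimate_population(recs))
```

On the constructed log the unique-IP method sees 4 infections while the counter method yields 44, an implied 11 hosts per address. That gap is exactly the NAT argument from post #1: one address can front many machines, but the counter method also inherits whatever the worm itself miscounts, which is why the article's two figures can both be honest and still disagree.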



