January 15, 2009 2:03 PM PST

Expert: Worm spreading in many ways becoming an epidemic

by Elinor Mills

A worm that gets onto machines through removable devices, open network shares, and weak administrator passwords, in addition to exploiting a critical Windows vulnerability, is spreading so fast it is becoming an epidemic, a security researcher said on Thursday.

The worm, known as Kido, Conficker, or Downadup, initially exploited MS08-067, a remotely exploitable flaw in the Windows Server service rated critical for Windows 2000, XP, and Server 2003 (and rated important for Vista and Server 2008). Microsoft patched it in an out-of-cycle update in October 2008, so a machine patched since then is closed to that vector but can still be infected through the others.

Newer variants have been given additional ways to get onto a network, said Roel Schouwenberg, a senior antivirus researcher at Kaspersky Lab.

"The Kido authors are trying to get into these networks by infected removable devices and by using other Trojans to install Kido on a computer, which will then try to infect other machines on the local network," he said in an e-mail statement. The worm "is currently causing an epidemic."

An estimated 3.5 million computers are believed to be infected with the worm, ZDNet reports.
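The removable-device vector above works through the autorun.inf file Windows reads when a USB stick is inserted. Below is an added example, not code from the article or from any vendor, that inspects such a file for the abuse patterns a USB-spreading worm relies on. The two sample files are constructed for illustration and are not copied from a real worm; the heuristics (rundll32/regsvr32 used as a DLL loader, a target under a recycle-bin folder, an "action" label that mimics the built-in "Open folder to view files" option, and binary padding between the directives) are the editor's assumptions about what is worth flagging.

```python
"""Inspect an autorun.inf from removable media for worm-style abuse.

Added example, not from the article or from any vendor. Sample files are
constructed; heuristics are the editor's assumptions, not a vendor signature.
"""
import re

EXEC_KEYS = {"open", "shellexecute"}                    # directives AutoPlay may execute
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")  # shell\<verb>\command=... also executes
LOADER_RE = re.compile(r"\b(rundll32|regsvr32)(\.exe)?\b")          # host processes that load a DLL
RECYCLE_RE = re.compile(r"\\?(recycler|recycled|\$recycle\.bin)\\", re.IGNORECASE)

# Constructed samples (not taken from any real worm).
BENIGN_INF = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Product CD\r\n"
SUSPECT_INF = (
    b"[autorun]\r\n"
    b"\x00\x8f\x01padding\xfe\x03\r\n"                  # constructed binary junk line
    b"action=Open folder to view files\r\n"
    b"shellexecute=rundll32.exe .\\RECYCLER\\S-1-0-0\\data.vmx,entry\r\n"
    b"\x07\x1b\x92\r\n"                                  # more constructed junk
)


def parse_autorun(data: bytes):
    """Return ({key: value} from the [autorun] section, number of non-text lines).

    A genuine autorun.inf is plain text; a line that is not printable is counted
    as padding instead of being parsed.
    """
    entries, junk, in_autorun = {}, 0, False
    for raw in data.splitlines():          # bytes.splitlines splits only on \n, \r, \r\n
        line = raw.decode("latin-1").strip()
        if not line or line.startswith(";"):
            continue
        if not line.isprintable():
            junk += 1
            continue
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line[1:-1].lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries, junk


def findings(data: bytes):
    """List human-readable reasons the file deserves a closer look (empty if none)."""
    entries, junk = parse_autorun(data)
    out = []
    for key, value in entries.items():
        if key in EXEC_KEYS or SHELL_CMD_RE.match(key):
            if LOADER_RE.search(value.lower()):
                out.append(f"{key}: library loaded through a host process: {value}")
            if RECYCLE_RE.search(value):
                out.append(f"{key}: target lives in a recycle-bin folder: {value}")
    if "open folder to view files" in entries.get("action", "").lower():
        out.append("action: mimics the built-in Explorer option to trick the user")
    if junk:
        out.append(f"{junk} non-text line(s): directives padded with binary garbage")
    return out


if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_INF), ("suspect", SUSPECT_INF)):
        print(name, "->", findings(blob) or "nothing flagged")
```

A clean product CD yields nothing, while the constructed suspect file trips all four heuristics. None of these is proof on its own (a vendor could legitimately ship `open=setup.exe`), which is why the output is a list of reasons rather than a verdict; the reliable fix on the host side is still to disable AutoRun for removable drives.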

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
Showing 1 of 2 pages (49 Comments)
by ausernamenoonehaschosen January 15, 2009 2:22 PM PST
Other sites say Vista is vulnerable too. Is this not true?
by evolvd-studios-manager January 19, 2009 3:49 PM PST
Well, Vista is pretty much XP with a fancy look, no new stuff. But with this, I think that it should be vulnerable too, unless they have different access codes and software routes. I am not sure, you should check this out with Vista specifications
by ausernamenoonehaschosen January 22, 2009 11:03 AM PST
As noted below, and in other websites, Vista is vulnerable. See here for example:

http://tech.blorge.com/Structure:%20/2009/01/17/beware-the-windows-worm-conficker-downadup-kido-rampant/
http://www.webmasterworld.com/microsoft_windows_os/3827789.htm
by Vegaman_Dan January 15, 2009 2:30 PM PST
For an 'epidemic', it sure doesn't appear to be making itself very well known yet. This is the first notice I've seen of it, actually.

Let's see some details of what it does. I like to stay in the loop when I can.
by Penguinisto January 15, 2009 3:39 PM PST
That makes two of us.

So, how many of these 3.5 million infected machines run OSX or Linux?

Okay, that was cheap, but I just had to... :)

Back to the serious note though - I'd like to see what other vulns this thing is trying to exploit. They only list one, but say that others are present... which others?
by Mergatroid Mania January 15, 2009 4:06 PM PST
I agree. Let's hear more about it

Being the #1 o/s by about a million to one sure puts Windoze in the bad guys' crosshairs.

Lucky for those marginal operating systems. (sorry, couldn't help it)
by Penguinisto January 15, 2009 4:43 PM PST
1,000,000 to one? Please, let's see the source for that whopper.

(...and while we're at it, if your logic actually held water my dear fanboi, then 10% of all malware out there would be Mac-oriented, and 65% of all web/public server-oriented malware would be targeting Linux... the figure is more like 0% at this time - on either count. Please, explain that if you would ;) ).
by Dalkorian January 16, 2009 9:31 AM PST
It took a few links to get to their sister site's coverage of this, where I found this tidbit:

"This malware mostly spreads within corporations but also was reported by several hundred home users. It opens a random port between port 1024 and 10000 and acts like a web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll. It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too."

Reference link: http://blogs.zdnet.com/security/?p=2228

Keep in mind this vuln (MS08-067) was patched a few months ago, so if you've kept up with the patch cycle you should be ok against this.
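The quoted description gives a network-visible sequence: the infected host connects to a target on tcp/445 (where MS08-067 is exploited), and seconds later the target connects back to the infected host on a random port between 1024 and 10000 to fetch the worm over HTTP. The following is an added example, not code from the article, ZDNet or any vendor, that looks for that exploit-then-fetch-back pattern in a connection log and, separately, for hosts fanning out to many peers on 445. The record format (`<epoch> <src_ip> <src_port> <dst_ip> <dst_port> <proto>`), the sample records, the 60-second window and the fan-out threshold are all constructed assumptions for this example; the records are assumed to be in time order.

```python
"""Correlate connection records for the worm's exploit-then-fetch-back pattern.

Added example, not from the article or any vendor. Record format, sample
data, window and threshold are constructed assumptions.
"""
from collections import defaultdict

PULLBACK_WINDOW = 60            # seconds allowed between the 445 hit and the fetch (assumption)
HIGH_PORTS = range(1024, 10001)  # the random listener range quoted above
SCAN_THRESHOLD = 3              # distinct 445 targets before a host counts as fanning out (assumption)

# Constructed sample: 10.0.0.5 hits three hosts on 445; 10.0.0.9 pulls a file back from
# it on port 7142 within seconds. 10.0.0.40 talking to 10.0.0.30 on port 80 after a share
# connection is ordinary traffic, and 10.0.0.12's late connection falls outside the window.
SAMPLE_LOG = """\
1000 10.0.0.5 49200 10.0.0.9 445 tcp
1001 10.0.0.5 49201 10.0.0.12 445 tcp
1002 10.0.0.5 49202 10.0.0.20 445 tcp
1003 10.0.0.9 1035 10.0.0.5 7142 tcp
1020 10.0.0.30 52000 10.0.0.40 445 tcp
1030 10.0.0.40 1044 10.0.0.30 80 tcp
1200 10.0.0.12 1050 10.0.0.5 7142 tcp
""".splitlines()


def parse_records(lines):
    """Yield (ts, src, sport, dst, dport, proto); malformed lines are skipped."""
    for line in lines:
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, sport, dst, dport, proto = parts
        try:
            yield int(ts), src, int(sport), dst, int(dport), proto.lower()
        except ValueError:
            continue


def find_pullbacks(lines, window=PULLBACK_WINDOW):
    """One dict per exploit-then-fetch sequence: A->B:445, then B->A:<high port> within window."""
    smb_seen = defaultdict(list)   # (client, server) -> timestamps of tcp/445 connections
    hits = []
    for ts, src, _sport, dst, dport, proto in parse_records(lines):
        if proto != "tcp":
            continue
        if dport == 445:
            smb_seen[(src, dst)].append(ts)
        elif dport in HIGH_PORTS:
            # Reverse direction: src was the earlier SMB server, dst the earlier SMB client.
            for t in smb_seen.get((dst, src), ()):
                if 0 <= ts - t <= window:
                    hits.append({"attacker": dst, "victim": src,
                                 "exploit_at": t, "fetch_at": ts, "fetch_port": dport})
                    break
    return hits


def smb_scanners(lines, threshold=SCAN_THRESHOLD):
    """Hosts that opened tcp/445 to at least `threshold` distinct peers (worm-style fan-out)."""
    targets = defaultdict(set)
    for _ts, src, _sport, dst, dport, proto in parse_records(lines):
        if proto == "tcp" and dport == 445:
            targets[src].add(dst)
    return sorted(host for host, peers in targets.items() if len(peers) >= threshold)


if __name__ == "__main__":
    for hit in find_pullbacks(SAMPLE_LOG):
        print("possible MS08-067 propagation:", hit)
    print("hosts fanning out on 445:", smb_scanners(SAMPLE_LOG))
```

On the sample this reports one propagation (10.0.0.5 to 10.0.0.9, fetch on 7142) and names 10.0.0.5 as the host fanning out. A file server that also serves HTTP on a high port to its own SMB clients will match the pull-back rule, so in practice the two signals are worth combining: a host that both fans out on 445 and is fetched from on a high port is a much stronger indicator than either alone.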
by MSSlayer January 16, 2009 9:37 PM PST
"Being the #1 o/s by about a million to one sure puts Windoze in the bad guys cross hairs.

Lucky for those marginal operating systems . (sorry, couldn't help it)"

Could help what? Being an idiot?

This couldn't happen on the higher end OS's because they have a superior architecture.
by facepunch32 January 18, 2009 1:56 PM PST
you apple fans are hilarious, always throwing your 2 cents when windows is talked about here....apple doesn't want to be #1 like microsoft, you've all even said that they are so nice due to the fact they only support their own hardware, making a synergy with hardware and software. so if they were to really challenge windows, they would have to support all sorts of hardware and software, losing what synergy they claim to have now. yet all of you are always talking about how they are gaining ground on microsoft, which is just plain silly by the sheer numbers worldwide. you keep contradicting yourselves, apple isn't trying to outsell microsoft in the computer market.....that's why jobs brought in the ipod, itunes, iphone to make apple a multimedia company.

and pen...your argument about 10% market share should have 10% the malware is an absolute joke. why waste time on such a small segment, and don't say it's due to the fact that osx is harder to crack, cause any user that thinks they are totally secure and without exploit, be it linux or osx, is in a dreamworld. any system can be exploited.

and msslayer....superior, then why doesn't everyone have one..................
by ducttape36 January 19, 2009 11:28 AM PST
http://www.infosecurity-us.com/news/090116_SafariBug.shtml
there are security flaws that affect osx. it's just that nobody takes advantage of them. windows has the larger market share and a stranglehold on the business market. that's where the money is. and to say that because macs have 10 percent market share therefore 10 percent of malware should target macs is the logic of a child. pcs are the targets with all the rootkits available and most of the grunt work done when creating malware. there is no reason to take the path less traveled when that path will only lead to 10 percent of the market.
by dalokster50 January 21, 2009 12:11 PM PST
More details please?
by ducttape36 January 22, 2009 8:31 AM PST
another one, http://www.securityfocus.com/news/11543?ref=rss
by MyRightEye January 15, 2009 2:45 PM PST
OK, let's drop the word "evolved" please. The worm was updated by its CREATOR. It was therefore INTELLIGENTLY DESIGNED to be better and thwart being blocked. Evolution has NOTHING to do with this worm.

An atheist who believes very strong science is near-to-proving ID in biological life. (Flame away evolution believers, you clearly have more faith than I do to believe in the evolution fairy tale.)

Oh, wait, I see now you have updated the story to remove the word EVOLVED. Congrats, common sense prevails.
by Mergatroid Mania January 15, 2009 4:09 PM PST
That's because people can intelligently design, fantasies can't.
by Dalkorian January 16, 2009 9:36 AM PST
Let's see - the evolution fairy tale is written throughout Earth's history, preserved in the sediment layers for us to find and study. The intelligent design fairy tale was written by someone who had a meaningful conversation with a bush that was on fire.

I know which fairy tale I'd rather believe.

As for the worm, I don't really care what it worships. It's a bad thing anyway. Will it burn in hades because it's bad or because it doesn't believe in the right deity?
by ballmerisanape January 16, 2009 11:42 AM PST
I don't "believe" in evolution.. just like I don't "believe" in gravity.. it just is.

What's more likely.... that the natural world has order... or that some mystical being known only to us "designed" us.. bad knees and all.
by skillingssucks January 16, 2009 2:03 PM PST
I've got news for you. You don't know the meaning of the word "atheist".
by sjcollins24 January 17, 2009 3:14 AM PST
Right On Brother! Or Sister.........Evolution is too widely used these days........and what about the Life on Mars thing.......Water has not produced life by itself without help that I am aware of!..... Seriously Worms and other Trojans are Man-made, Created not Evolved! Besides Someone or some Group is really trying to slow down and mess up a widely used OS...........and who or what gives them the Right to do that! That makes me angry!!!!!!!! It's called EXPLOITATION! Just my 2 cents
by The_happy_switcher January 15, 2009 3:56 PM PST
'evolved', 'created', what's the difference? They all function well on Windows machines and spread like smallpox in a third world country.
by Penguinisto January 15, 2009 4:44 PM PST
Of course, expect the raving fanboys to claim it's due to "marketshare" or somesuch...
by MafiaPenguin January 16, 2009 6:21 PM PST
But smallpox spreads in third world countries because of marketshare!
by SpiritWater January 15, 2009 7:11 PM PST
I don't see Vista on the list of infected computers. That must be due to the superior security of Vista. How many viruses are spreading on Vista? Most all of the viruses and malware infections are still Windows XP.

Windows users please upgrade to Vista or switch to the Mac OS like I did (or Linux if you are adventurous). Vista Home edition is cheap and can install and run on hardware purchased in the last 5 years easy. I have it on my Mac too via Bootcamp and it isn't bad at all.
by Lerianis January 16, 2009 4:05 AM PST
Not many, in all honesty. There have been VERY few viruses lately that have been able to get past Windows Vista's protections and actually 'do some damage' to systems.
by MSSlayer January 16, 2009 9:42 PM PST
Just wait Leria, every single new security mechanism in Vista has been broken.

A storm is brewing because MS is incompetent.

Besides, the flaw that this worm is using was released for 2000, XP, Server 2003, and yes Vista.
by Anonymous2345 January 15, 2009 9:53 PM PST
So this is infecting a bunch of people who don't have automatic updates turned on since the patch was released in October. What stupid admins don't have their workstations set to get updates? Even home computers should for the most part have updates turned on since it is the default for quite some time.
by Dalkorian January 16, 2009 9:42 AM PST
Uh, the stupid admins who don't have their workstations set to get updates are likely responsible for making sure they are up and running when needed. Risking an untested update in a production environment is the stupidest thing you can consider, unless you're trying to get fired. Ever heard the term "compatibility issue" before?

That 'ding' you just heard is telling you the fries are ready.
by Penguinisto January 16, 2009 6:23 AM PST
@Anonymous2345: Any admin who uses automatic updates in an enterprise environment is begging to get fired (for incompetence, stupidity, and the eventual downtime due to a patch gone bad which in turn tears up some custom app).

Hint: Patch management is normally run on its own separate server (e.g. MSFT's System Center Config Manager if you're using 'doze workstations).
by Seaspray0 January 16, 2009 8:41 AM PST
@penquin. Even with patch management, admins will automatically push those updates.
by MSSlayer January 16, 2009 9:43 PM PST
Not without testing, they won't. Even the most inept windows admin knows not to do that.
by facepunch32 January 18, 2009 2:05 PM PST
yet pen with all those zero day viruses and exploits, how often are companies brought to their knees and hit hard by viruses.........I'm waiting......I've done admin work at a large company with windows systems where we test the updates first on a test server and do all the things you said, and our users worldwide were free to surf the net as they please, yet in over 20 years, no real problems, an infected machine once in a while, but no real issues, and we supported 1000's of users.....

no matter how "secure" your apple system is and how great you think it is, it's not made for large work environments, and not made for wide use applications.
by anewble January 16, 2009 8:57 AM PST
We still haven't heard from the author about the way it DOES infect all these 'puters. Be useful to know how it's done - just in case we have auto update turned off . .
Balmesh
by ballmerisanape January 16, 2009 11:45 AM PST
More info:
http://macdailynews.com/index.php/weblog/comments/19773/
by inog January 16, 2009 5:44 PM PST
It was created by Microsoft to force users to upgrade their OS
by MafiaPenguin January 17, 2009 7:07 PM PST
What?
MS wouldn't do such a thing!
(I'd sue them!)
by unmdec January 19, 2009 2:42 AM PST
That would not surprise me one bit. Actually i would be more shocked if they didn't do that....Secret Societies!...i mean Microsoft is great and they don't listen to conversations on Xbox Live and monitor all MSN communications. *runs for life*
by neil1995 January 16, 2009 5:47 PM PST
Just today I was looking through the hidden files on my usb and found m.exe. I wondered what this was so opened it and threatfire warned me about it being malware so i quarantined it. later i google m.exe usb and found out that it is malware pretending to be from skype. It comes with a hidden autorun.inf so every time you plug in your usb, you infect the computer. I wonder if this m.exe is this kido thing, just with a different name?
by ace10134 January 17, 2009 2:18 PM PST
Cool, i have vista, and i also have the windows 7 beta, so i'm good.
by skymage001 January 17, 2009 11:54 PM PST
every one of you who used the word fanboi here needs to take a nice long look in the mirror. ur o/s are fail. why would anybody wanna code a worm for mac? it would only infect like 7 people and those people probably wouldn't tell anyone cuz it would blow their "our OS is kinda good" fantasy.
by unmdec January 19, 2009 2:46 AM PST
HA HA HA HA HA......
by ajcarl1994 January 18, 2009 12:01 AM PST
my friend thinks this is the one that infected our school. the teachers can't use the computers. hard time for us to understand the lessons. any more details about it? the pc's freeze after some time.
by jamesr. January 18, 2009 6:44 PM PST
check for malware
by jamesr. January 18, 2009 6:43 PM PST
a lot of people get viruses from websites that want to scan your computer for drivers.
by zubairshafiq January 20, 2009 2:05 AM PST
"Deadly Conficker detected by our "zero-day" anti-malware product"

A team of security researchers headed by Dr. Muddassar Farooq at Next Generation Intelligent Networks Research Center (nexGIN RC, http://www.nexginrc.org), FAST National University Islamabad, Pakistan has been working on a next-generation anti-malware solution that has the ability to detect a given malware without a priori information about it. Consequently, it successfully detects a "zero-day malware". The product prototype of the solution is expected to be rolled out in the near future. Researchers have collected samples of Conficker from a well-known malware consultancy firm OffseniveComputing.Org (based in the US) and scanned it using the developed prototype. Their solution not only detects Conficker and its variants but also provides useful forensic information about its functionality. Researchers believe that this groundbreaking achievement is made possible by a novel approach that--in contrast to the existing antivirus products--does not require any signature updates. They envision that the product, once fully developed, can realize the "once-deployed-forever-protected" dream.

The on-going project is funded by National ICT R&D fund, Ministry of Information Technology, Pakistan (http://www.ictrdf.org.pk). The link to project can be found at: http://www.nexginrc.org/index.php?option=com_content&view=article&id=3&Itemid=35
by Brutalizar January 23, 2009 9:23 AM PST
Begging pardon, but if I could interrupt the debate here over "mac vs. windows" or "Windows vs. Vista"...
I've got this virus, and could use a little help. I'm on my home computer, and whereas I know enough to install a video card, play around with my configuration settings or set up a proxy server; "MS08-067", "vulnerable API in memory"...Over my head.
I can't get rid of this thing, and would appreciate any ideas you might have.

I've tried numerous anti-viral and anti-spyware programs that you can download here at Cnet, either they won't install, or they won't run. Spyware Terminator runs, detects a "backdoor" and an "affiliated cookie", but says it can't be removed. I can't remove them manually, because the file does not exist where Spyware Terminator says it is.
Microsoft OneCare online scan did the same thing; found some files it declared high risk, but said it could not remove them. I actually did find the indicated files, and recycle bin'd 'em, but the effects of the virus remain: DSL internet connection that gets progressively slower over a short period of time...Google, or other search engines redirecting to "Cyberdefender" or "Stopzilla" when you click on search results for antiviral programs, eventually getting redirected to other sites, no matter what you are searching for..."Connection failed" whenever you directly type in the URL for anti-viral sites, whether using Firefox or Explorer...
Listen, for a while it got so bad, that when I restarted my computer, it wouldn't restart, not even in safe mode! I could only get it to boot up in "Directory Services Repair", whatever the hell that is. And I STILL couldn't get antivirus sites to connect or download.
Anyway, I finally got clever, and had my buddy download Windows Malicious Software Removal Tool (which is supposed to remove Conficker) and AVG 8.0, rename them, and send them to me.
I got them installed, was ecstatic about getting this virus that's been screwing up my computer for a week off my machine, and...
The Windows tool has declared my system clean; every time I try to update AVG, it won't allow a connection to be established. I could be online already, and it still says that.
Does anybody know of like, maybe a mirror site? One that could update AVG, that doesn't have the phrase "AVG" in the URL? Would that even work?
I have even tried reloading Windows itself (XP, by the way) and risked the loss of all the games I have installed...It won't let me re-install Windows even!! Whether I try to reload with it already running, or try to reboot from the disk with that "F8" thing, it locks up with only an MS-DOS looking underscore at the top of the screen, and it stays like that, even if you wait for like 30 minutes.
So, like I said, if anyone had any ideas, please let me know

Like I said, I'm no expert, I'll tell you what's in my computer, if that helps to diagnose the problem...
Windows XP sp2 (or 3, the virus screwed that update as well)
Intel Core 2 Duo Processor E6750 2.66GHz 1333MHz 4MB LGA775 CPU

Asus P5B SE LGA775 motherboard

Western Digital WD2500KS 250GB SATA2 7200rpm 16MB Hard Drive

KINGSTON 2GB DDR2 800MHZ PC6400

nVidia GeForce 8600GTS 512MB 2DVI/HDTV PCI-Express Video Card

Creative Labs Sound Blaster Audigy SE 7.1 24-bit Sound Card

ROSEWILL 10/100/1000 Mbps PCI Adapter

I know (I think) that hardware items can't get infected with viruses, but how could this thing evade so many cleaning programs? I just pasted my system specs here, maybe one of these devices is susceptible to a problem? Obviously I'm desperate.
Thanks in advance for any advice you have.
by Dayfydd January 25, 2009 3:57 PM PST
WOW! I've never seen so many experts pack up and all leave at the same moment before...
by vmlenigma January 25, 2009 5:34 PM PST
Ahhh I love IT, and another virus....and I guess this would qualify as a Microsoft TAX; it's because of things like this that I'm happy to pay that APPLE TAX that Microsoft keeps on telling people about when they buy a Mac, hahaha it would not surprise me if Microsoft is behind this latest virus

I'm a PC NOT!!!!!
by Brando2494 February 5, 2009 7:35 PM PST
Ok so it's clear there is an epidemic. The question is what program will protect my computer!!