We're all careful about not clicking on links in suspect Web sites. We don't open emails from strangers. You might think that only networked computers are at risk, but new computer worms, viruses and Trojan horses are getting so sophisticated, you may not even know that your home computer is being recruited to join a malicious botnet. What's a typical computer user to do?
It's easy to succumb to the FUD (fear, uncertainty, doubt) being spread about. Conflicting reports abound. Some said April 1, 2009 was to be Armageddon day for the PC when Conficker C kicked into action. Others said if you take sensible precautions, your computer would probably emerge unscathed.
Most people have heard of the Conficker virus by now. The original version of Conficker reared its head on November 20, 2008, and it has undergone several variations since. Conficker B arose in December, and in early February, 2009, became B++, which was able to download software, giving its creators greater freedom to use infected computers. As of this writing, the latest variant is Conficker C. Previously infected computers started updating themselves from the B variant to C by means of a new dynamic-link library (DLL), which is suspected to have been delivered through Conficker's Internet rendezvous-point mechanism; the C variant began spreading on March 4, 2009.
This third iteration is a major restructuring, adding a new peer-to-peer (P2P) coordination channel, and a revised domain generation algorithm. It cloaks its functions under a layer of code that hinders analysis. Very clever, and very vicious.
Conficker spreads by exploiting a vulnerability in Windows to attack networked computers. But it can also spread by USB devices (cameras, iPods, portable drives, etc.). More than 10 million computers are alleged to have been infected by Conficker as of February, 2009.
The infected machines could be used to send spam or log keystrokes in addition to launching denial-of-service attacks. Thanks to a group known as the Conficker Cabal, the worm has been kept in check so far: the group cracked the algorithm the B++ version uses to find rendezvous points on the Internet where it fetches new code, and blocked those points. See www.hostexploit.com for more information on tracking the Conficker (also known as "Downadup") worm.
In response to the Conficker Cabal's blocking of the worm's rendezvous domains, Conficker C arose. It now draws its rendezvous points from a pool of more than 50,000 randomly generated domain-name candidates each day, far too many to pre-register or block. This poses a major challenge to the Cabal.
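A side effect of a daily pool of tens of thousands of candidate domains is visible to defenders: an infected host must look up many algorithmically generated names that nobody has registered, so its DNS traffic shows a burst of NXDOMAIN answers for high-entropy, vowel-poor labels. The script below is an added example, not code from the article, the Conficker Cabal, or the worm; it scores a small constructed resolver log with a simple heuristic (the log format, the entropy and vowel thresholds, and the host names are all assumptions for illustration, and the heuristic is not Conficker's actual domain generation algorithm).

```python
import math
import re
from collections import defaultdict

# Constructed sample resolver log (not taken from the article). Assumed
# format: timestamp, client host, queried name, DNS response code.
SAMPLE_LOG = """\
2009-03-10T09:00:01 client=ws-04 qname=www.example.com rcode=NOERROR
2009-03-10T09:00:02 client=ws-04 qname=mail.example.com rcode=NOERROR
2009-03-10T09:00:03 client=ws-17 qname=qvbzkrpyt.org rcode=NXDOMAIN
2009-03-10T09:00:03 client=ws-17 qname=xmwtolbgax.info rcode=NXDOMAIN
2009-03-10T09:00:04 client=ws-17 qname=ljfqwrbpe.net rcode=NXDOMAIN
2009-03-10T09:00:04 client=ws-17 qname=hzdkvmcql.com rcode=NXDOMAIN
2009-03-10T09:00:05 client=ws-17 qname=ptgxyrnwd.biz rcode=NXDOMAIN
2009-03-10T09:00:05 client=ws-17 qname=update.example.com rcode=NOERROR
2009-03-10T09:00:06 client=ws-09 qname=typo-exmaple.com rcode=NXDOMAIN
2009-03-10T09:00:07 client=ws-09 qname=www.example.com rcode=NOERROR
"""

LINE_RE = re.compile(r"client=(\S+)\s+qname=(\S+)\s+rcode=(\S+)")


def shannon_entropy(label):
    """Bits of entropy per character of a DNS label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname):
    """Return the label left of the top-level domain (e.g. 'example')."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label):
    """Heuristic (thresholds assumed): long, high-entropy, vowel-poor labels
    look machine-generated; a typo of a real word usually does not."""
    vowels = sum(ch in "aeiou" for ch in label)
    return (len(label) >= 8
            and shannon_entropy(label) >= 2.8
            and vowels / len(label) < 0.25)


def parse_log(text):
    """Yield (client, qname, rcode) tuples for every well-formed line."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            events.append(m.groups())
    return events


def flag_hosts(text, min_nxdomain=4, min_generated_ratio=0.75):
    """Flag clients whose failed lookups are mostly generated-looking names.
    Requiring several distinct NXDOMAINs keeps a single typo from alerting."""
    per_host = defaultdict(set)
    for client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            per_host[client].add(second_level_label(qname))
    flagged = {}
    for client, labels in per_host.items():
        if len(labels) < min_nxdomain:
            continue
        generated = [lab for lab in labels if looks_generated(lab)]
        ratio = len(generated) / len(labels)
        if ratio >= min_generated_ratio:
            flagged[client] = {"nxdomain": len(labels),
                               "generated_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for host, stats in flag_hosts(SAMPLE_LOG).items():
        print(f"{host}: {stats['nxdomain']} distinct NXDOMAIN names, "
              f"{stats['generated_ratio']:.0%} generated-looking")
```

On the constructed log only ws-17 is flagged; ws-09's single mistyped domain falls under the NXDOMAIN threshold. Real DGA labels vary (some DGAs draw from word lists and defeat entropy checks), so a heuristic like this is a triage signal for which hosts to inspect, not proof of infection.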
Conficker C cloaks its presence on the host computer, so even an attentive user won't notice it. It then deletes all restore points created before the infection, so you can't roll the system back to the time before C appeared. It also sets NTFS file permissions on its stored file image to deny write and delete access. Every time it starts, Conficker C launches a thread that disables security services and terminates Conficker removal software. This thread also disables the Windows services that deliver security patches and software updates, so even if you have set your computer to update Windows automatically, Conficker simply won't allow it. If you've had trouble getting updates for your Windows programs, chances are your computer is a victim of Conficker.
Who is responsible for the Conficker worm? No one knows for sure. Researchers at the University of Michigan are busy tracking down the first victim in hopes of finding out where it came from, using darknet sensors gathering more than 50 terabytes of data from all over the world. The U.S. Department of Homeland Security is funding this activity. CNET reports that BKIS, a Vietnamese security firm that makes the BKAV antivirus software, has found evidence that the worm originated in China, rather than in Russia or Europe, as was previously rumored. BKIS bases its conclusion on a similarity in code to 2001's Nimda virus (no one, however, has verified that Nimda originated in China). Chinese analysts dispute this assertion, claiming it is politically motivated.
But what is the purpose of Conficker C? To be blunt, it gives its controllers the ability to instantly control millions of computers all over the world. It keeps other worms from uploading anything to the Conficker "drone" or "zombie" computers, giving these criminals a virtually indestructible army of computing power. The implications of such control are staggering. Imagine how quickly the economy would collapse if suddenly all bank transfers stopped. An army of 10 million networked computers is larger than the one used in the denial-of-service attack that brought down Estonian government computers. A large Internet site such as Google or Amazon could easily be brought down or blackmailed by such a large botnet. A bank account (or all of a bank's accounts) could be emptied overnight, resulting in worldwide panic.
On the other hand, Dean Turner, director of the Global Intelligence Network at Symantec Security Response, says we should relax. "The sky is definitely not falling," says Turner. Hmm…that's reassuring! Experts say the worm has stopped propagating, and that tools exist to remove it from computers. These experts say that Conficker C has infected the fewest computers of any variant. What's strange is that the B variant is not tied to a particular date, yet hasn't done anything malicious so far. Turner thinks the worm's creators have stopped spreading it because they have enough infected machines to suit their purpose, whatever it is.