Old worm – new outbreak
The Downadup worm (also called Conficker or Kido) itself is nothing new. It made its first appearance in late November 2008, exploiting the MS08-067 vulnerability to spread unhindered in local area networks.
Its purpose was to install rogue security software on infected computers.
In late December, BitDefender Labs uncovered a new version of the worm. Called Win32.Worm.Downadup.B, the malware comes with a list of new features besides the already present spreading routine, which in fact was improved as well.
First of all, the worm can now use USB sticks to spread. It copies itself into a randomly named folder created inside the RECYCLER directory (used by the Recycle Bin to store deleted files) and creates an autorun.inf file in the root folder of the drive, so the worm is executed automatically when the device is plugged into a computer on which the Autorun feature is enabled.
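The spreading pattern just described (an autorun.inf in the drive root whose launch entry points into a folder under RECYCLER) is something a defender can check for on any removable drive before Autorun gets a chance to act. The following is an added example, not code from the original post or from BitDefender: it builds a constructed sample drive layout in a temporary directory (the folder name and payload file name are placeholders, not the worm's real names) and runs a tolerant autorun.inf inspector over it.

```python
import os
import re
import tempfile

# autorun.inf keys that cause something to run when the drive is inserted.
EXEC_KEYS = ("open", "shellexecute")
# Accepts "key=value" lines; keys may contain backslashes (e.g. shell\open\command).
LINE_RE = re.compile(r"^\s*([A-Za-z0-9_\\]+)\s*=\s*(.*?)\s*$")


def parse_autorun(text):
    """Return {key_lower: value} from the [autorun] section.

    Lines that are not key=value pairs are ignored rather than treated as
    errors, so the parser does not choke on padding or junk.
    """
    entries = {}
    in_section = False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_section = stripped.lower() == "[autorun]"
            continue
        if not in_section:
            continue
        m = LINE_RE.match(line)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def inspect_autorun_text(text):
    """Return a list of human-readable findings for one autorun.inf body."""
    findings = []
    for key, value in parse_autorun(text).items():
        runs_code = key in EXEC_KEYS or (
            key.startswith("shell\\") and key.endswith("\\command"))
        if not runs_code:
            continue  # icon=, label= and friends do not execute anything
        target = value.strip('"')
        if "recycler" in target.lower():
            # Launching from the RECYCLER tree is the pattern described in the post.
            findings.append(f"{key}= launches from RECYCLER: {target}")
        else:
            findings.append(f"{key}= launch entry present: {target}")
    return findings


def inspect_drive(root):
    """Inspect the root folder of a (removable) drive; no autorun.inf means no findings."""
    inf = os.path.join(root, "autorun.inf")
    if not os.path.isfile(inf):
        return []
    with open(inf, "r", errors="replace") as fh:
        return inspect_autorun_text(fh.read())


def make_sample_drive(root):
    """Constructed sample layout (placeholder names, not the worm's real ones)."""
    subdir = os.path.join(root, "RECYCLER", "S-1-5-21-0000-0000-0000-500")
    os.makedirs(subdir)
    with open(os.path.join(subdir, "payload.dll"), "wb") as fh:
        fh.write(b"MZ")  # stand-in bytes, not a real binary
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write("[autorun]\n"
                 "open=rundll32.exe RECYCLER\\S-1-5-21-0000-0000-0000-500\\payload.dll,Start\n"
                 "icon=%SystemRoot%\\system32\\shell32.dll,4\n")


def demo():
    """Build the constructed drive in a temp dir and return the inspector's findings."""
    with tempfile.TemporaryDirectory() as root:
        make_sample_drive(root)
        return inspect_drive(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

On a real machine you would point `inspect_drive` at the mounted drive root (for example `E:\`) before opening it in Explorer, and keep Autorun disabled regardless, since the check only covers the launch mechanism the post describes.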
Second, the worm patches certain TCP functions to block access to security-related websites by filtering every address that contains certain strings. This makes it harder to remove, since information about it is hard, nearly impossible, to gather from an infected computer. Additionally, it removes all of the user's access rights to its files except execute and directory traversal, in order to protect them.
The worm is also built to avoid antivirus detection by working with rarely used APIs in order to evade virtualization technologies. It also disables Windows Update and certain network-traffic-optimizing Vista features to ease its spreading.
To complete the feature list, Win32.Worm.Downadup.B comes with a domain name generation algorithm similar to the one found in botnets like Rustock. It uses the date and time to compose 250 domains every day, which it checks for updates or other files to download and install.
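The defensive consequence of a date-seeded generator is that whoever knows the algorithm can compute the same 250 names ahead of time and block, sinkhole or watch for them. The following is an added example, not code from the original post or from BitDefender, and the generator in it is a hypothetical stand-in (a SHA-256 expansion of the calendar date), not the worm's real algorithm. It shows the two halves a defender cares about: precomputing the day's list, and running a constructed DNS query log against that list to find the hosts that are asking for those names.

```python
import datetime
import hashlib

TLDS = ("com", "net", "org")   # constructed TLD list for the hypothetical generator
DOMAINS_PER_DAY = 250          # the count the post gives for Downadup.B


def daily_domains(day, count=DOMAINS_PER_DAY):
    """Hypothetical date-seeded DGA (NOT the real Downadup algorithm).

    The seed is just the calendar date; each index is hashed with SHA-256 and
    the digest bytes are turned into a lowercase label and a TLD choice.
    The property that matters is determinism: same day -> same list.
    """
    seed = day.strftime("%Y-%m-%d").encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 4                      # 8..11 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def find_dga_clients(log_text, day, threshold=2):
    """Map client IP -> number of distinct queried names that are in day's DGA list.

    Only clients at or above `threshold` are returned, so a single stray lookup
    does not raise an alert. Log format (constructed): "<ts> <client> query <name>".
    """
    todays = set(daily_domains(day))
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # skip malformed lines instead of crashing on them
        client, name = parts[1], parts[3].lower().rstrip(".")
        if name in todays:
            hits.setdefault(client, set()).add(name)
    return {client: len(names) for client, names in hits.items()
            if len(names) >= threshold}


def build_sample_log(day):
    """Constructed DNS log: one client chasing the day's DGA names, one that is not."""
    d = daily_domains(day)
    stamp = day.strftime("%Y-%m-%d")
    return "\n".join([
        f"{stamp}T09:02:11 10.0.0.15 query www.example.com",
        f"{stamp}T09:02:13 10.0.0.15 query {d[0]}",
        f"{stamp}T09:02:13 10.0.0.15 query {d[1]}",
        f"{stamp}T09:02:14 10.0.0.15 query {d[2]}",
        f"{stamp}T09:02:14 10.0.0.15 query {d[2]}",   # repeat: counted once
        f"{stamp}T09:05:00 10.0.0.22 query www.example.org",
        "garbage line that does not parse",
    ])


if __name__ == "__main__":
    today = datetime.date(2009, 1, 14)  # constructed date
    print(daily_domains(today)[:5])
    print(find_dga_clients(build_sample_log(today), today))
```

The same `daily_domains` output can be fed straight into a DNS block list or a sinkhole registration script; the detection half is what turns the "250 domains every day" fact into an alert on the hosts that are actually infected.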
With a state-of-the-art update system, a good protection scheme, and many people who don't patch their systems, this worm has great potential to become a rival to already established botnets like Storm or Srizbi.
For more technical details please visit the BitDefender description: Win32.Worm.Downadup.Gen

If you are in a local area network, make sure to disconnect all the computers from the network and scan them with the removal tool separately.
Do not use a USB stick to move the tool from one computer to another; you will only spread the worm yourself. Download the removal tool separately for each computer.
I first dealt with it as OOBE in 2007 on a brand new HP. OOBE stands for, "Out of Box Experience".
This is true, machines seem to be infected right out of the box before you can even configure any AV SW.
After years of being called crazy and told these feats were impossible, I still have no vindication because the root sources are still inconceivable to people.
First of all, you think your PC is safe until you plug it in. Not so, if you can see your neighbors' open network a block away, what can a high powered search antenna do? So, number one, DISTANCE is not an issue.
Your PC always has a power source, the CMOS battery and the chassis is a great antenna ...no purchase necessary.
Number 2, UNLESS you MAKE a PC in a Faraday cage and use it inside of it, the risk of remote infiltration exists. This is thanks to SW enable disable instead of ol fashion jumpers and non-integrated cards.
You follow these insane instructions and still get hacked. Another problem...YOUR PC can be HACKED through the electrical system. What a great antenna all of that copper makes. Oh, and if you think that electrical outlets can't translate electrons into 1's and 0's, do a search for "Electrical outlet phone jacks and Modems". Also realize that the Bus in your PC is hardwired into the power supply. This is the inverse ingress into your PC as to the aforementioned.
What number is this...UNLESS you use a power supply that was activated inside your Faraday cage...you're still hacked. What is the Port number for AC Power anyway?
So, you get a generator and a power conditioner as part of your "Mad PC WORLD" that is free of hackers.
Enjoy talking to yourself because no one else will.
I have experienced all of this and tried everything including BitDefender's removal tool and BETA scan tool. Does CMM have a BETA definition for SW that is reactive and recoded weekly or hourly....JK....AV SW coding must be tough.
Really, I proved the electrical outlet thing to a friend by betting the price of the new PC we plugged into AC Power only with AV SW and everything disabled, never on net or any other activity. HACKED, wireless enabled, etc.
The bottom line of this mad rant if it gets posted and guys in black suits don't take me away...or white uniforms.
We feed the cracker community everything it needs to stay ahead of us and use hardware never intended for "Surfing the NET", trying to patch it with logic and then give them motive via recognition and sometimes a worthwhile profit.
The BETA report is actually GREAT information and on the money. Perfect for Crackers to work together in Net Meetings on OUR PCs jumping around so fast and having no standard to keep other than continuity. They now Remotely pull each others BOTS into our PCs when a long time ago they would "Shut each other out".
The difference between them and us, only certain licensed, (and they deserve it) professionals are allowed to write AV Code and get paid for it...and not nearly enough$$$$.
Any trusted Cracker can join in. We can only Blog and complain to the poor overworked Coders trying to keep us browsing at insane data rates. The numbers are against us. We fight the most intelligent being on the earth, the collective minds and data on the Net.
The future is coming back, firmware.
Netbooks are fine, but they can be flashed. Unfortunately we will have to learn to live with this activity, stop feeding them because they will never, "Bring the Net Down" as some fear. That is their work medium, they need it.
As technology evolves Man Devolves. Isaac Asimov said, "The future is easy to predict". I wish I had the means to be part of the changes that I think, as I truly know nothing, are coming.
PCs were designed to solve mathematical problems...includes physics, dynamics, blah blah.
They were never meant to open the world to all the data we can handle and do things behind a virtual wall of secrecy.
Dedicated Word Processors, Net Surfing PCs, etc. that can only be changed via DIPs and Jumpers will stop the remote madness. A lot lost, a great deal gained..but it does not suit big corps.
It would suit companies like BitDefender whom I get the instinct that a hard working group of people diligently work for the greater good and the love of the work. They deserve the prize, not a giant corp that wants to see this go on and on.
So, to BIT..5 years from now introduce a line of PCs that can only be changed manually, (yes that means you will have to use jumpers, keyboards, punch cards or something that will limit the Net to have privacy) and other devices such as Engineering level HARD PCS, (I need one to finish a patent). The other stuff will always be around and it will get real cheap after BIT comes out with the ULTRA SECURE series for online banking and stuff like doing your taxes. Transmission interception you say, if it is simple enough, you will know when someone hacks your favorite TV show.
I have never posted to a Blog a group, but I had to. As you can see I am almost insa...crap
Good Luck, some things can never be solved in fact nothing is, we only approximate.
Please email, I am lonely in my Faraday home.
How can I escape from them? I reinstall all my programs (in C), but in the D and E local disks they reappear after the formatting. I cannot see these viruses, only when I'm using WinRAR.
Thanks.