[Waverley ARS] I suspect a computer virus

Henrik Stenstrom hstenstrom at komatsu.com.au
Tue Sep 22 02:49:39 UTC 2009


From SMH today.

Regards,
Henrik.

Internet meltdown threat: Conficker worm refuses to turn
ASHER MOSES
September 22, 2009 - 12:42PM 
The brightest minds in technology and government are finding it "almost impossible" to defeat the Conficker worm, which has infected more than 5 million computers and, experts say, could be used to knock down the internet in entire countries.

The worm, first detected in November last year, spreads rapidly to computers through a flaw in the Windows operating system. 

Infected machines are co-opted into a "botnet" army, which can be controlled and used by the hackers to launch unprecedented cyber attacks.

"The general agreement in the security world is that Conficker is the largest threat facing us from a cyber crime point of view ... it has proven to be extremely resilient. It's almost impossible to remove," said Rodney Joffe, a director of the Conficker Working Group formed to defeat the worm.

"The best minds in the world have not managed to crack the code behind this yet."

The scale of the threat has forced the world's largest computer security companies to join together with government around the world in an unusual alliance to pool their resources and solve the problem. 

Microsoft has offered a $US250,000 ($290,000) reward for information leading to the identification of the individuals - or rogue governments - behind Conficker.

Those behind the worm can do anything they want with the infected machines including stealing users' banking details or flooding government servers to knock them offline.

"This could be used to launch the mother of all DDoS [distributed denial of service] attacks, it could be used as the basis of major financial fraud, it could be used for major spam runs," Joffe said.

"Even a small portion of the infected machines from Conficker have the ability to actually take away the usability of the internet in an entire country like Australia."

So far the international effort to find a solution has yielded few results, and the number of infected machines has remained fairly stable at 5 million. They include home, business and Government computers.

Joffe explained that the remarkable resilience was because Conficker had built-in mechanisms to prevent people from scanning their computers with anti-virus software. Even for those who wipe their computers clean and start fresh, if they back up any important data on a portable hard drive, the clean machine is reinfected when the drive is connected to the computer.

The worm also spreads automatically between computers on a network and infects machines without the user having to do anything other than switch their computers on.

"If you've been able to disinfect 99 machines out of 100 and one is still infected, it will begin to try to reinfect the others," Joffe said.

Most other botnets can be destroyed by disabling the server used to issue commands to infected machines, but with Conficker the location of this server changes every day and state-of-the-art cryptography means it's impossible to predict.

Every time the security gurus feel they are on to a solution, the hackers send a new version of Conficker to the infected machines that stops them in their tracks.

"Conficker has proven to be the gold standard for botnets. It's rock solid, it's steady and it has mechanisms built in that have made it impossible for us to actually crack," Joffe said.

"As of today we have not been able to crack the cryptography behind it in order to disrupt it by authenticating ourselves as the command and control."

So far the "botnet masters" have been biding their time as the media buzz around Conficker dies down, but they have already sent malicious code to infected machines that co-opts them to send spam emails. Users of infected computers have also been conned with offers to buy fake anti-virus software.

In July, Manchester City Council in Britain was prevented from issuing hundreds of fines after Conficker knocked out parts of its IT system. The infection cost the council £1.5 million in total.

In January, the French Navy had to quarantine its computer network after it was infected with Conficker, forcing aircraft at several air bases to be grounded.

Joffe said that people who are not yet infected and have installed the latest Windows patches and anti-virus software should be safe, as long as yet another version of Conficker is not released. 

But he said it was rare for people to have all the relevant patches installed on their computers, and anti-virus software would be of little use to those already infected.

"We're some ways away from being able to take any action, which is what is really concerning us," Joffe said.


-----Original Message-----
From: members-bounces at us.cactii.net [mailto:members-bounces at us.cactii.net] On Behalf Of Eddie Hanham
Sent: Sunday, 20 September 2009 8:56 PM
To: VK2BV - List
Subject: Re: [Waverley ARS] I suspect a computer virus

Adam is right, we need to take proactive precautions against malware - it seems
it's an epidemic; see the following article from SC Magazine.

73s

Eddie


Security firm sees 600 percent rise in malicious sites.

The growing threat to businesses from the web was put into sharper focus
today, after security vendor Websense reported a whopping 671 percent rise
in the number of malicious sites during the past year.

The firm's biannual State of Internet Security (PDF) report is compiled
using email and web site scanning data collected by Websense Security Labs.
The report found growth not only in the number of malicious sites but in the
continued activity designed to compromise legitimate sites.

In the first half of 2009, over three-quarters of web sites with malicious
code were found to be legitimate sites that had been compromised. Recent
widespread attacks such as NineBall and Gumblar were blamed for injecting
malware into sites on a huge scale.

Australian web hosting companies have told iTnews that shared hosting sites
are seeing alarmingly high levels of malware infections.

"People can do a lot to protect their sites from being exploited, including
examining their code, looking for vulnerabilities in their servers, and
keeping any third-party applications patched," said Websense EMEA threat
manager Carl Leonard.

Leonard also urged end users to employ real-time web scanning technology
which will prevent them from visiting malicious sites even if they have been
recently infected.

Websense also warned firms that encourage user-generated content on their
sites. The report found that 95 percent of user-generated comments on blogs,
chat rooms and message boards are spam or malicious in intent.

"The attack surface area is increasing, and malware authors are targeting
where users will be in their tens of thousands," said Leonard.

"If you have a site with a blog feature or somewhere users can post
comments, it's very likely that malware authors will also want to use the
feature to push out malicious links. They need to be filtered in real time."

Copyright © 2009 v3.co.uk

see:

http://www.securecomputing.net.au/News/155869,websense-warns-of-web-based-malware-epidemic.aspx
_______________________________________________
Members mailing list
Members at us.cactii.net
http://us.cactii.net/cgi-bin/mailman/listinfo/members


