Downadup Worm — When Will the Next Shoe Drop? 295
alphadogg writes "The Downadup worm — also called Conflicker — has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon. 'It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs,' says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes."
its not hard (Score:5, Informative)
And don't forward or respond to chain emails!
Re:Spyware, Adware, Antivirus, Don't use IE, Use a (Score:3, Informative)
When will Windows be ready for the desktop? Srsly.
Microsoft patched this and issued the fix through Windows Update a month before the worm was even in existence. It's only stupid fucks who don't update their OS that've got infected.
Re:Keep spreading lies (Score:3, Informative)
Re:Could it be hijacked... (Score:3, Informative)
I would imagine that it requires signed code.
Technical examination (Score:5, Informative)
Re:Keep spreading lies (Score:4, Informative)
I prefer this [zoy.org] site, its facts are far more accurate ;-)
Don't click that link!
AIDS figures (Score:1, Informative)
You mean Africa, with 20% of population infected with AIDS.
Taiwan has 0.1% of population infected.
This computer worm is indeed trickly. It inserts code via vulnerabilities, guesses passwords, spreads via domains if possible, and so on.
Downadup vs Morris - which one will prevail?
Round One, Fight!
Re:Keep spreading lies (Score:5, Informative)
Be warned - in case you are tempted...
This is a pretty ingenious script that
It works in IE and firefox. It is simply a page with an image, a flash movie, and a javascript that copies your clipboard to a field then 'submit()'s' the form, reloading the page.
Very simple and bypasses popup blockers (at least the ones I have on).
This has got to be a security hole in firefox, both on the ability to open windows/tabs, and copying the clipboard.
If you want to have a look, use:
WARNING: dont click on this link, just copy the wget command to a shell. Dont say I didn't warn you...
Re:And now we rediscover (Score:2, Informative)
Re:Keep spreading lies (Score:1, Informative)
Same here. We couldn't keep my Mom's PC clean when it was running windows. I swear it would get infected with something within a month. Switched her to Linux just over two years ago and haven't had a problem since.
She grumped about "things are changed" for about a week. Now she is happy surfing, emailing, printing, loading music on her MP3 player, and grabbing pics off her camera. She is happy - I am happy!
Re:Could it be hijacked... (Score:3, Informative)
Unfortunately the virus writers already thought of that. The article didn't give details but I would guess that the downloaded payload is digitally signed and the virus code verifies the signature.
Re:Could it be hijacked... (Score:4, Informative)
According to this [symantec.com] analysis, the writers anticipated the daily domain-generation algorithm it uses to check for updates being reverse engineered, and they put in additional protection so that it would only download code from the original authors - presumably using some kind of key signing.
Re:Keep spreading lies (Score:4, Informative)
I don't know where you get your information, but
Error: document.getElementsByTagName("textarea")[0].createTextRange is not a function
Source File: javascript:%20document.getElementsByTagName("textarea")[0].focus();%20alert(document.getElementsByTagName("textarea")[0].createTextRange());%20void(0);
Line: 1
Yah know why? Because "Firefox doesn't let web sites access your clipboard directly. Flash does. The Flash guys consider it a feature, while the Firefox guys consider it a security hole in Flash"
Re:Keep spreading lies (Score:2, Informative)
Re:its not hard (Score:1, Informative)
I'm wondering about the method if infecting a USB stick. Is it filesystem-secific? How does it work?
If I'm not mistaken, Downadup uses the windows autoplay feature (which spawns a box that asks you what to do when a new device is attached). This doesn't actually run the code. What does happen, however, is that it uses a folder icon (and a misleading summary) for an executable on the drive. Thus, clicking "View contents in Explorer" (or somesuch) actually launches a process which is the worm. It probably also opens the browse files window as a side-effect so that the user doesn't catch on immediately.
Re:Remove it script? (Score:3, Informative)
bleepingcomputer.com - combofix.exe. Used this at work to remove it from multiple laptops. Works good and didn't have any trouble with it. Leave the USB thumb drive in while you run it, and it will clean the infection from it as well.
Re:Keep spreading lies (Score:5, Informative)
Linux isn't perfect. There have been any number of security issues that would allow a knowledgeable hacker easy access.
Depending on the methodology of access this is potentially true. There are philosophical differences between the development of Linux, BSD, and Windows.
I've been around the industry for a while and I have seen first hand the systemic differences. At Microsoft, things like adding executable code to TIFF images and metafiles is neither challenged nor audited. On Linux and FreeBSD the developers wouldn't even dream of doing something idiotic like that, and even if they do, there are legions of people who will scream bloody murder.
Then there is the nefarious code purposefully put into Microsoft's proprietary code. Be it the NSA key, WGA, or other methodologies of accessing machines remotely. If these systems are in Windows, they WILL be exploited by external entities.
Re:Keep spreading lies (Score:2, Informative)
It works in IE and firefox. Very simple and bypasses popup blockers
And in Opera everything is fine.
-doesnt open any popups
-doesnt bypass any blockers (no sound/no flash)
Re:Keep spreading lies (Score:3, Informative)
They've also learned to not click on every fool link there is just because they can.
Did you explain to them that it has open login ports they can't see that are by default open to the Internet, and a bot army has immense resources to bang on the default "administrator" account all day until it picks the lock (assuming the admin account even has a password), opening them up to remote control from anonymous badguys, complete loss of private information, keyboard information capture like credit card numbers and online banking access information?
Did you mention that autorun unless carefully disabled, will automatically run programs in the root of any new media they insert, including music CDs, DVD videos, LCD picture frames, pen drives, cameras and so on?
Did you know that most forms of Linux don't have those "features"? This is relevant because those are the precise features being used to spread the worm in TFA.
Re:Keep spreading lies (Score:3, Informative)
bang on the default "administrator" account all day
I set these boxes up myself. All default accounts are disabled. They can bang on those accounts all day, it doesn't matter. They're not on. They're not going to turn on.
Did you mention that autorun unless carefully disabled, will automatically run programs in the root of any new media they insert, including music CDs, DVD videos, LCD picture frames, pen drives, cameras and so on?
Autorun doesn't work specifically like that anymore. It at least asks you what you want to do on XP and Vista. If you just want to explore the contents of the media that's connected to your PC, you can do that instead of it automatically trying to run everything inside of it.
This is relevant because those are the precise features being used to spread the worm in TFA.
Irrelevant for my family as long as they keep their boxes up to date. An up to date Windows system is unaffected by said worm.
Re:Keep spreading lies (Score:2, Informative)
"Autorun doesn't work specifically like that anymore. It at least asks you what you want to do on XP and Vista. If you just want to explore the contents of the media that's connected to your PC, you can do that instead of it automatically trying to run everything inside of it."
Ummm no, if there is an autorun inf it will open it and run whatever program is listed to be run.
You have to turn it off explicitly in more than one place to turn it of on all types of media.
By the way, autorun.inf is also responsible for putting the icon for the device in "my computer" so if you think you have turned it off, but your usb drive still pops up it's icon when you plug it in, your machine is still using autorun.
The behavior you describe is if there is nothing to do in autorun.inf or it does not exist.
Re:Keep spreading lies (Score:1, Informative)
No, that's not how it works at all. XP and Vista default to no autorun without confirmation.
Grabbing the autorun icon and automatically running a program may both be stored in the same file, but are treated as two different entities that are handled completely differently.
Re:Keep spreading lies (Score:3, Informative)
When was the last time you used Windows? It does not work like that anymore. Not for XP or Vista. Just to test this theory I grabbed some really old games and some really new ones. Popped in the discs and sure enough, none of them actually opened the disc, just asked me what I wanted to do with it. My choices were either a.) use autorun, or b.) explore the contents of said disc
The fact that someone modded you informative just shows that they too don't know what they're talking about.