Finally a solution for Downadup

Bit Defender

Downadup is second to the notorius SQL slammer worm that devastated the Internet in 2003 . It exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through a buffer overflow vulnerability in Windows Server Service where it disables the operating system update service, security center, including Windows Defender, and error reporting.  Its difficult to remove because of its in-built update service .

Its devastation was so terrible that Microsoft had to implement a hotline to enable people to report about Conficker developers .

Finally , BitDefender seems to have come with a solution .It claims to have made the first vaccination tool to remove the Conficker virus .

The downadup removal tool is available here .

Microsoft serious on “Downadup” issue

worm

This is a followup of my article on win32/conficker worm that has grabbed  attention through its widespread infection.
Even Microsoft seems to be hit by its spread. Recently , it has come forward to offer $250,000 to anyone who “catches” the worm authors.

One of the worst scenario of this worm affecting day to day operation ,is the incident where the Houston police department was forced to stop arresting people with traffic warrants because the worm spread its way through the police and city court’s computer systems.There also was a Conficker outbreak among French military computers,which led to several fighter planes being grounded until everything could be fixed.

Microsoft has joined hand with ICANN (Internet Corporation for Assigned Names and Numbers) and other experts like VeriSign,AOL, F-Secure etc . to trace out the worm creators .

The best way to defeat potential botnets like Conficker/Downadup is by the security and domain name system communities working together..”  : ICANN chief Internet security advisor Greg Rattray.

Microsoft has implemented an Antivirus Reward Hotline at 1-425-706-1111,
and an Antivirus Reward Mailbox at avreward@microsoft.com to share tips.

  • Advice about defending against Conficker is available online here.
  • Interested in learning more about staying safe online then visit .

To date, Conficker has  infected at least 10 million PCs since first being introduced into the wild.

Meanwhile ,  my “Linux is virus free ”  notion has broken down. I came across an article by Foobar ,which explains  “How to write a Linux virus in 5 easy steps”. You  can read it here .

Additional readings :



The Conficker threat grows

downadup

The conficker threat is growing day by day .The latest variants of Conficker has spread to over 9 million PCs and Servers worldwide as it uses multiple techniques to spread to vulnerable systems.This dangerous worm has also been named as Downadup , WORM_DOWNAD.A and even Net-Worm.Win32.Kido.l

The worm initially spread to systems unpatched against MS08-067, but has since evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.The malware first tries to use the credential of the logged-on user. If that fails, it attempts to obtain a list of user accounts on the target machine and then tries to connect using each user name and to a list of weak passwords, such as “1234″ or “password.” The first variant of the Conficker worm appeared in November 2008.Security researchers began to see the second variation of the malware in late December 2008.

Many experts have compared the Conficker attack to Nimda, another bug that hit corporations in 2001, which spread quickly as well. Others have speculated the bug may be the beginning stages of a new botnet.

Downadup contains a number of features designed to make it harder for security pros to shut down.The worm, which was first reported by Panda and other security companies on Dec. 31, 2008, exploits a vulnerability in the Windows Server service that’s part of all currently supported versions of Microsoft’s operating system, including Windows 2000, XP, Vista, Server 2003 and Server 2008.

Some of the activities is takes up once in your system :

  • Connects to external sites to download additional files.
  • Deletes the user’s Restore Points.
  • Registers a services called Netsvcs.
  • Creates it’s own simple HTTP server on the infected computer and spreads the worm to other computers in the network through file shares.
  • Creates an Autorun.inf file in file shares to execute the warm files once the share is accessed by another computer.

Few reasons why conficker is spreading rapidly :

  • It infects removable devices and network shares  by creating a special autorun.inf file  and dropping its own DLL on the device.
  • It exploits the MS08-067 vulnerability,
  • It brute forces Administrator passwords  on local networks and spreads through ADMIN$ shares .


The major  strength of Conficker is USB sticks.Downadup creates its own Autorun.inf file and transports itself to all systems where it is inserted . I would suggest that you disable AutoPlay in your environments, unless it’s really necessary.


INFECTED IPs WORLDWIDE (Source: F-Secure)

  • China 38,277
  • Brazil 34,814
  • Russia 24,526
  • India 16,497
  • Ukraine 14,767
  • Italy 13,115
  • Argentina 11,675
  • Korea 11,117
  • Romania 8,861
  • United States 3,958
  • United Kingdom 1,789

Once interesting fact related to this worm is that, Microsoft blog noted that the variant avoids infecting computers that use Ukrainian keyboard layout, raising suspicions that the malware authors are located in the Ukraine. So the conficker worm is expected to have orginated from Ukraine .

Additional Readings :

Related post

Win32/Conficker exploits Windows vulnerability

worm

Win32/Conficker is a new worm out there ,which seems to be a headache for Windows users these days.It seems to exploit a vulnerability in the system which has been addressed in  MS08-067, a Microsoft security update.

”   It opens a random port between port 1024 and 10000 and acts like a Web server. It propagates to random computers on the network by exploiting MS08-067. Once the remote computer is exploited, that computer will download a copy of the worm via HTTP using the random port opened by the worm. The worm often uses a .JPG extension when copied over and then it is saved to the local system folder as a random named dll,….It is also interesting to note that the worm patches the vulnerable API in memory so the machine will not be vulnerable anymore. It is not that the malware authors care so much about the computer as they want to make sure that other malware will not take it over too, ….  ” : Microsoft

Additional readings :

Avira security

Worm/Conficker

Ad :

This post has been viewed over 1000 times around the globe. To place your text ads / simple banners here ,mail me at : micman.manoj at gmail.com

top posts