Open Source Software and Linux:

Conficker

Apr 14 2009   1:06AM GMT

University of Utah gets hit by conficker worm



Posted by: John Little
Conficker, university of utah, windows, Linux, unix, virus, operating system

More than 700 computers at the University of Utah were hit by the most recent variant of the Conficker worm, including machines at the university’s three hospitals.

The worm was first detected on Thursday on some of the school’s computers. By Friday it had spread to the school’s computers at the three hospitals, the medical school, and the colleges of nursing, pharmacy and health.

University officials don’t believe that any patient data or medical records were compromised; according to officials, those are protected “in a deeper way”. That raises the question of what exactly that means. Is that the only data that is virus-protected? Is it on Linux or Unix?

The IT staff at the school shut off Internet access for up to six hours on Friday in an effort to isolate the worm. The staff worked over the weekend to clean up the damage caused by the outbreak. Kind of gives real meaning to the saying “An ounce of prevention is worth a pound of cure”, doesn’t it?

Mindy Tueller of the university’s office of information technology said all faculty and students should take steps to make sure they are protected. The virus does not infect Macs.

Or Linux, Unix or any other OS besides Windows :-)

“It can do a lot of bad things,” Tueller said. “Every university member should be concerned about this if they’re using Windows-based devices.”

Interesting. Ms. Tueller and school officials apparently recognize that the problem is the OS but apparently don’t want to do anything about it. How much does that attitude cost the school?

-j

Mar 27 2009   6:55PM GMT

And you thought conficker was dead



Posted by: John Little
Security, Microsoft, Conficker, downadup, Linux, open source

The Conficker worm that infected millions of computers starting last October was believed to be at bay. Not so, according to Vincent Weafer, vice president of Symantec’s security response group.

Computers already infected with this worm are being updated with a stronger variant. The variant is designed to sidestep the security measures used to cut the connection between infected machines and its controllers. An estimated 20 technology companies, including Microsoft, have joined together to try to counter the stronger variant.

They are attempting to blunt the worm by pre-registering domains they expect it to use. According to Symantec and others in the group, the new variant can generate up to 50,000 candidate domain names a day. Infected computers contact those domains to find their controllers and fetch updates, so whoever registers a name first decides what the bots receive.
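The pre-registration race described above, as an added example that is not code from the post, from Symantec or from the consortium: a hypothetical date-seeded generator stands in for the worm’s real algorithm (it is NOT Conficker’s generator, and the TLD pool, label lengths and DNS log format are all assumptions), so that the defender’s two jobs can be exercised: enumerate tomorrow’s names before the bots ask for them, and spot the clients that still ask.

```python
"""Defender-side pre-computation of a date-seeded domain list (added example).

The generator here is a hypothetical stand-in, NOT Conficker's real
algorithm.  It shares the property that matters for pre-registration:
the daily list depends only on the calendar date and a public algorithm,
so defenders who have reverse-engineered it can enumerate every name a
bot could ask for before the bot asks.
"""
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Set, Tuple

TLDS = (".com", ".net", ".org", ".info", ".biz")   # assumed TLD pool


def dga_domains(day: date, count: int = 50000) -> List[str]:
    """Candidate domains a bot would derive for `day` (assumed generator)."""
    seed = day.isoformat().encode()
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                      # 8..12 letter label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        names.append(label + TLDS[h[-1] % len(TLDS)])
    return names


def preregistration_list(start: date, days_ahead: int, count: int = 50000) -> Set[str]:
    """Every candidate name from `start` through `days_ahead` days later.

    This is the set a registrar consortium would have to register or
    sinkhole to keep the bots from reaching their controllers.
    """
    names: Set[str] = set()
    for n in range(days_ahead + 1):
        names.update(dga_domains(start + timedelta(days=n), count))
    return names


def flag_dga_queries(dns_log: Iterable[str], known: Set[str]) -> List[Tuple[str, str]]:
    """(client, qname) for each log line whose query is a pre-computed name.

    Assumed log format (constructed): '<timestamp> <client-ip> <qname> <qtype>'.
    A hit is worth investigating even if the name resolved to a sinkhole:
    the client is infected and is calling home on schedule.
    """
    hits = []
    for line in dns_log:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in known:
            hits.append((client, qname))
    return hits


if __name__ == "__main__":
    today = date(2009, 3, 27)
    # a week ahead; small count so the demo runs in well under a second
    known = preregistration_list(today, 7, count=500)
    sample_hit = dga_domains(today + timedelta(days=1), 500)[42]
    log = [  # constructed sample lines
        f"2009-03-28T00:00:01 10.0.0.7 {sample_hit}. A",
        "2009-03-28T00:00:02 10.0.0.8 www.example.com. A",
        f"2009-03-28T00:00:03 10.0.0.9 {sample_hit.upper()}. A",
    ]
    for client, name in flag_dga_queries(log, known):
        print(f"{client} queried DGA candidate {name}")
```

At the real scale of 50,000 names a day the list for a week is 350,000 registrations, which is why this took a consortium rather than one vendor; the same precomputed set, loaded into a resolver or a DNS log pipeline, turns the worm’s own schedule into an infection detector.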

The new worm is also better at resisting eradication. “It’s turning off a variety of security services,” Weafer said, as well as tools often used by security companies to dig into malware.

Weafer also believes that the number of infected computers has peaked. “The number of infected machines is constantly dropping, so we’re dealing with a much smaller pool [of devices] that are potentially getting this update,” Weafer said.

There is a bright side to all of this. Linux users don’t have to worry about this. We don’t need to download Microsoft’s patch to fix our machines. What is really glaring is that, so far as I know, there are no open source companies in the group formed to protect the Windows computers. Maybe they should consult with them and teach them how to write software that is not so susceptible to attacks like this.

This whole thing started because of a security vulnerability in the Microsoft OS. When are Microsoft users and companies going to wake up and realize how expensive it is to continue using this brain dead OS? FWIW my definition of brain dead is an OS that has users, administrators and anyone else who uses the machine pointing and clicking to set up the OS and not knowing what they just did. No wonder that OS gets attacked so much.

If you have a Microsoft machine, the fix for the vulnerability is the MS08-067 security update; a machine that is already infected also needs the worm removed, because the patch only closes the door it came in through. You’ll have to look it up yourself - I have no need for it. You can read more about this fiasco here.

I’ll stick with my Linux and Open Source software thank you very much.

-j


Feb 13 2009   2:00PM GMT

Microsoft offers $250,000 for conviction of Conficker authors



Posted by: John Little
Conficker, downup, downadup, worm, Security, anti-virus, antivirus

Microsoft has announced a $250,000 reward for the arrest and conviction of the authors of the Conficker worm, also known as Downadup.

Apparently Microsoft feels that not enough is being done by Windows administrators to stop the infestation and propagation of this worm. F-Secure, an anti-virus software vendor, reported in January of this year that almost 9 million PCs had been infected. The worm was released in the fall of 2008.

The worm exploits a buffer overflow in the Windows Server service. Once it is on a machine it disables the Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting services. It then connects to an external server, where it receives instructions to propagate further and downloads additional malware; that code injects itself into other Windows processes, including svchost.exe, explorer.exe and services.exe.

Microsoft released a patch (MS08-067) in the fall of 2008 to fix the vulnerability. Microsoft, Symantec and Kaspersky Labs also provide removal tools for infected systems, and McAfee offers an on-demand scan to remove the worm. The worm can also spread via any drive that uses AutoRun, including USB drives, so many vendors recommend disabling the AutoRun feature for external media by modifying the Windows Registry. Note that if you are using anything earlier than Windows XP Service Pack 2 or Windows 2000 SP4, a patch is not available. Sorry.
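The removable-drive vector above, as an added example that is not code from the post or from any of the vendors named: an autorun.inf is just a text file telling Windows what to run when a drive is inserted, so a triage script for drives pulled from an outbreak only has to parse that file and pull out the launch directives. The sample files are constructed, not copies of the worm’s real autorun.inf, and the “hidden folder” and rundll32 heuristics are this example’s own assumptions about what is worth escalating.

```python
"""Triage of autorun.inf files collected from removable media (added example).

The sample inputs are constructed, NOT the worm's real autorun.inf, and the
escalation heuristics are assumptions of this example, not a vendor signature.
"""
import re
from typing import Dict, List, Tuple

LAUNCH_KEYS = ("open", "shellexecute")
HIDDEN_DIRS = ("recycler", "$recycle.bin", "system volume information")  # assumed
SECTION_RE = re.compile(r"^\[(?P<name>[^\]]+)\]$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Key/value pairs from the [autorun] section, keys lower-cased.

    Mirrors the leniency of the Windows parser: section and key names are
    case-insensitive, and any line that is not 'key=value' is ignored, so
    junk bytes padded between real lines do not hide the directives.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or not line.isprintable():
            continue
        m = SECTION_RE.match(line)
        if m:
            in_autorun = m.group("name").strip().lower() == "autorun"
            continue
        if in_autorun and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_directives(entries: Dict[str, str]) -> Dict[str, str]:
    """Only the keys that make Windows execute something: open, shellexecute,
    and shell\\<verb>\\command (the context-menu verbs)."""
    return {k: v for k, v in entries.items()
            if k in LAUNCH_KEYS or (k.startswith("shell\\") and k.endswith("\\command"))}


def assess(text: str) -> Tuple[str, List[str]]:
    """Return (verdict, reasons).

    'clean'  : no launch directive (icon/label only)
    'review' : something is launched; normal for an install CD, odd for a USB stick
    'high'   : launched through rundll32 or from a folder users never open
    """
    launches = launch_directives(parse_autorun(text))
    if not launches:
        return "clean", []
    reasons: List[str] = []
    severe = False
    for key, value in launches.items():
        v = value.lower()
        reasons.append(f"{key}={value}")
        if "rundll32" in v:
            reasons.append(f"{key}: loads a DLL through rundll32")
            severe = True
        if any(d in v for d in HIDDEN_DIRS):
            reasons.append(f"{key}: target under a hidden system folder")
            severe = True
    return ("high" if severe else "review"), reasons


if __name__ == "__main__":
    samples = {  # constructed inputs
        "photo stick": "[autorun]\nicon=disk.ico\nlabel=Photos\n",
        "install cd": "[AutoRun]\nOPEN=setup.exe\nicon=setup.exe,0\n",
        "suspect stick": ("[autorun]\n\x01\x02\x7fjunk\x00\n"
                          "shellexecute=rundll32.exe .\\RECYCLER\\x.dll,Run\n"
                          "[other]\nopen=harmless.exe\n"),
    }
    for name, content in samples.items():
        verdict, reasons = assess(content)
        print(f"{name}: {verdict} {reasons}")
```

Parsing the file is the detective control; the preventive one the vendors refer to is the NoDriveTypeAutoRun policy value in the Registry, which stops Explorer from honouring these directives at all for the drive types you mask out.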

Linux and Mac computers are not affected by this worm. It is designed to exploit only computers running the Windows operating system.

Now that we have the background, two questions come to mind. Why are the administrators not repairing these systems and, an even bigger question, how in the world are these infected machines able to provide the network services that they have been set up to perform?

I think that I’ll stick with my Linux and Solaris machines where the chances of something like this happening are slim. And if it does the patches generally aren’t limited to a certain version of the operating system especially if you are using enterprise grade software such as Red Hat, CentOS, Ubuntu, SuSE or Solaris. These companies all offer 5 to 7 years of security patches on their enterprise versions.

-j