Computers infected with this worm are being updated with a stronger variant. The variant is designed to sidestep security measures attempting to cut the connection between infected machines and it’s hacker controllers. An estimated 20 technology companies, including Microsoft, have joined together to try and counter the stronger variant.

They are attempting to stop the worm by pre-registering domains that they believe the worm will use. According to Symantec and others in the group the worm can register up to 50,000 domain names a day. The domains are used to band together the infected computers and route the worm to other computers for infection.

The new worm is also better at resisting eradication. “It’s turning off a variety of security services,” Weafer said, as well as tools often used by security companies to dig into malware.

Weafer also believe that the number of infected computers has peaked. “The number of infected machines is constantly dropping, so we’re dealing with a much smaller pool [of devices] that are potentially getting this update,” Weafer said.

There is bright side to all of this. Linux users don’t have to worry about this. We don’t need to download Microsoft’s patch to fix our machines. What is really glaring is that so far as I know there are no open source companies joined to the group to protect the Windows computer. Maybe they should consult with them and teach them how to write software that is not so susceptible to attacks like this.

This whole thing started because of a security vulnerability in the Microsoft OS. When are Microsoft users and companies going to wake up and realize how expensive it is to continue using this brain dead OS? FWIW my definition of brain dead is an OS that has users, administrators and anyone else who uses the machine pointing and clicking to set up the OS and not knowing what they just did. No wonder that OS gets attacked so much.

If you have a Microsoft machine that is infected what you need is the MS08-067 security update. You’ll have to look it up yourself – I have no need for it. You can read more about this fiasco here.

I’ll stick with my Linux and Open Source software thank you very much.

-j

Apparently Microsoft feels that not enough is being done by Windows administrators to stop the infestation and propagation of this worm. F-Secure, an anti-virus software vendor, reported in January of this year that almost 9 million PCs had been infected. The worm was released in the fall of 2008.

The worm exploits a buffer overflow in the Windows Server Service. By doing so it attacks the Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting services. Afterwards it connects to an external server where it receives instructions to further propagate. While connected to the external server it downloads more malware that affects other Windows processes including svchost.exe, explorer.exe and services.exe.

Microsoft released a patch (MS08-067) in the fall of 2008 to fix the vulnerability. Microsoft, Symantec and Kaspersky Labs also have patches to repair systems. McAfee offers an on demand scan to remove the worm. The virus can spread via any drive that uses autorun including USB drives. Many vendors are recommending disabling the AutoRun feature for external media through modifying the Windows Registry. Note that if you are using anything earlier than Windows XP Service Pack 2 or Windows 2000 SP4 a patch is not available. Sorry.

Linux and Mac computers are not affected by this worm. It is designed to exploit only computers running the Windows operating system.

Now that we have the background two questions come to mind. Why are the adminstrators not repairing these systems and, an even bigger question, how in the world are these infected machines able to provide the network services that they have been set up to perform?

I think that I’ll stick with my Linux and Solaris machines where the chances of something like this happening are slim. And if it does the patches generally aren’t limited to a certain version of the operating system especially if you are using enterprise grade software such as Red Hat, CentOS, Ubuntu, SuSE or Solaris. These companies all offer 5 to 7 years of security patches on their enterprise versions.

-j