Downadup Gathers Steam Amid Vendor Confusion

26 January 2009

As the Downadup worm continued its inexorable spread across the Internet last week, US-CERT issued an advisory claiming that Microsoft instructions for stopping one of its infection techniques were inadequate.

The US-CERT advisory, issued last Tuesday, concerned Microsoft instructions for disabling the Autorun feature on Windows. "Microsoft's guidelines for disabling Autorun are not fully effective, which could be considered a vulnerability," argued the cyber security team, which is administered by the Department of Homeland Security.

The advisory addresses Microsoft instructions for changing registry values to disable Autorun. "According to Microsoft, setting the NoDriveTypeAutoRun registry value to 0xFF 'disables Autoplay on all types of drives.' Even with this value set, Windows may execute arbitrary code when the user clicks the icon for the device in Windows Explorer," US-CERT warned. It presented an alternative method for disabling the feature.
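As an added example (not from the article, US-CERT or Microsoft), a small Python audit that reads NoDriveTypeAutoRun from the Explorer policy keys and decodes which drive types the value still leaves Autorun enabled for. It assumes the standard HKLM/HKCU `Policies\Explorer` locations and the Win32 DRIVE_* bit layout; it goes beyond the article by decoding partial masks, not only the 0xFF case.

```python
"""Audit the NoDriveTypeAutoRun value that Microsoft's guidance says to set
to 0xFF, and decode which drive types a given mask actually covers."""
import sys

# Bit positions follow the Win32 DRIVE_* constants returned by GetDriveType;
# bit 7 (0x80) covers drive types Windows cannot classify.
DRIVE_TYPE_BITS = {
    0x01: "DRIVE_UNKNOWN",
    0x02: "DRIVE_NO_ROOT_DIR",
    0x04: "DRIVE_REMOVABLE (USB keys, floppies)",
    0x08: "DRIVE_FIXED",
    0x10: "DRIVE_REMOTE (network shares)",
    0x20: "DRIVE_CDROM",
    0x40: "DRIVE_RAMDISK",
    0x80: "reserved / unclassified",
}

# Assumption: both policy locations are checked; the per-user value wins.
POLICY_KEYS = [
    ("HKLM", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"),
    ("HKCU", r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"),
]

def still_enabled(mask: int) -> list:
    """Return the drive types for which Autorun is NOT disabled by `mask`."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]

def assess(mask) -> str:
    """Classify a NoDriveTypeAutoRun value (None means the value is absent)."""
    if mask is None:
        return "value absent: the Windows default applies, Autorun not disabled"
    gaps = still_enabled(mask)
    if not gaps:
        return ("0xFF set: Autorun disabled for all drive types, but per US-CERT "
                "this is only complete once the Autorun update is installed")
    return "partial: Autorun still allowed on " + ", ".join(gaps)

def read_registry_values() -> dict:
    """Read the value from both hives; Windows only (uses winreg)."""
    import winreg  # assumption: run on the Windows host being audited
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    results = {}
    for hive, path in POLICY_KEYS:
        try:
            with winreg.OpenKey(hives[hive], path) as key:
                results[hive], _ = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")
        except OSError:  # key or value missing
            results[hive] = None
    return results

if __name__ == "__main__":
    if sys.platform != "win32":
        sys.exit("run this on the Windows host you are auditing")
    for hive, mask in read_registry_values().items():
        print(f"{hive}: {mask if mask is None else hex(mask)} -> {assess(mask)}")
```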

Downadup spreads using multiple techniques, but one of its infection vectors is via USB drives, which can be made to install the worm automatically once inserted. Criminals could easily infect a corporate network by simply leaving some USB keys in a company's parking lot or sending a few through the mail and waiting for an individual employee to take the bait. Once on a machine, the malware spreads quickly using an RPC flaw that Microsoft patched last October, if computers on the network have not been updated. The worm continually reinfects machines once installed and is difficult to get rid of.

Microsoft acknowledged the inaccurate instructions in September last year, when it published an article providing links to software updates that correct the problem. However, US-CERT argued that users of Windows 2000, XP, and Server 2003 must install the update manually. Only Windows Vista and Server 2008 were updated automatically via the Microsoft Update service, it warned.

Security experts were publishing varying estimates of the extent of the Downadup infection last week, and they were all disconcerting. Reports on BBC News on Monday suggested nine million infections, with Shavlik Technologies claiming an infection rate of one million computers each day. "The worm also denies internet access to the websites of many different security vendors," warned the security firm in a statement, adding that it believed the malware also disabled some agent-based patch management systems such as Windows Update: "Attempting to go to your AV security vendor of choice to download detection or removal tools will be blocked by this worm," it said.
