Conficker Virus Starts to Attack PCs, Experts Say
04.24.09
A malicious software program known as Conficker that many feared would wreak havoc on April 1 is slowly being activated, weeks after being dismissed as a false alarm, security experts said.
BOSTON - A malicious software program known as Conficker that many feared would wreak havoc on April 1 is slowly being activated, weeks after being dismissed as a false alarm, security experts said.
Conficker, also known as Downadup or Kido, is quietly turning an unknown number of personal computers into servers of e-mail spam, they added.
The worm started spreading late last year, infecting millions of computers and turning them into "slaves" that respond to commands sent from a remote server that effectively controls an army of computers known as a botnet.
Its unidentified creators started using those machines for criminal purposes in recent weeks by loading more malicious software onto a small percentage of computers under their control, said Vincent Weafer, a vice president with Symantec Security Response, the research arm of the world's largest security software maker, Symantec Corp.
Conficker installs a second virus, known as Waledac, that sends out e-mail spam without knowledge of the PC's owner, along with a fake anti-spyware program, Weafer said.
The Waledac virus recruits the PCs into a second botnet that has existed for several years and specializes in distributing e-mail spam.
Conficker also carries a third virus that warns users their PCs are infected and offers them a fake anti-virus program, Spyware Protect 2009 for $49.95, according to Russian-based security researcher Kaspersky Lab. If they buy it, their credit card information is stolen and the virus downloads even more malicious software.
Weafer said that while he believes the number of infected machines that have become active is relatively small, he expects a consistent stream of attacks to follow, with other types of malware distributed by Conficker's authors.
"Expect this to be long-term, slowly changing," he said of the worm. "It's not going to be fast, aggressive."
Researchers feared the network controlled by the Conficker worm might be deployed on April 1 for the first time since the worm surfaced last year because it was programed to increase communication attempts from that date.
The security industry formed a task force to fight the worm, bringing widespread attention that experts said probably scared off the criminals who command the slave computers.
That task force thwarted the worm partially by using the Internet's traffic control system to block access to servers that control the slave computers.
Viruses that turn PCs into slaves exploit weaknesses in Microsoft's Windows operating system. The Conficker worm is especially tricky because it can evade corporate firewalls by passing from an infected machine onto a USB memory stick, then onto another PC.
The Conficker botnet is one of many such networks controlled by syndicates that authorities believe are based in eastern Europe, southeast Asia, China and Latin America.
© Thomson Reuters 2008. All rights reserved. Users may download and print extracts of content from this website for their own personal and non-commercial use only. Republication or redistribution of Reuters content, including by framing or similar means, is expressly prohibited without the prior written consent of Reuters. Reuters and the Reuters sphere logo are registered trademarks or trademarks of the Reuters group of companies around the world.
No comments:
Post a Comment