Conficker plans to make a comeback
Posted by: Wild MissingNo. appeared
Date: 2009-09-04 15:57:54
Conficker borks London council
Updated: An Ealing council employee infected the UK local authority's IT systems with the Conficker-D worm after he plugged an infected USB stick into a work computer, causing tens of thousands of pounds in damages in the process.
The May incident took several days to clean up and landed the west London council with a bill of £500,000 in lost revenue and repairs, The Guardian reports. Because IT systems were borked, the council was unable to process more than 1,800 parking tickets, at an estimated cost of £90,000, libraries lost out on £25,000 in fines and booking fees, council property rent went uncollected, and £14,000 was spent in overtime sorting out delayed housing benefit claims.
The infection was eventually traced back to the unfortunate housing department worker's PC, the Press Association adds.
Ealing council defended its handling of the incident in a statement (below).
Like many other organisations, Ealing Council's computer and telephone network was attacked by a sophisticated virus.
The council acted immediately to protect all data and ensure that essential frontline services could continue to operate. Costs to the council included urgent work to recover computer systems and prevent the virus from spreading.
The outbreak bears the hallmarks of the Conficker worm, which affected Manchester City Council in February to much the same effect. A detailed report on the incident, compiled by the council, blamed the infection on the use of a USB stick contaminated by Conficker-D. The worm exploited a Windows Autorun security weakness in the Windows 2000 machines used by the council to upload itself and spread.
Connections to remote sites were blocked during the clean-up operations. That left staff in outlying offices without telephony (because the council relies on a VoIP-based system). It also left staff in the main council office without voicemail for days for the same reason.
IT chiefs have put in a bid for a council-wide XP upgrade and extra endpoint and anti-virus defences at a potential cost of £600K. The upgrade would give the ability to lock down USB ports on PCs.
Jason Holloway, regional sales manager Northern Europe for flash disk vendor SanDisk, commented: "It underlines the fact that conventional USB flash drives have become a key method for spreading infections stealthily, as the US Army found last year."
"It also shows that virus scanning has to extend beyond the PC to all types of removable storage or - better still - that employees should be issued with company flash drives that include on-board antivirus scanning," he added.
Bootnote
Ealing is best known for the film studio that gave birth to the classic Ealing comedies of the late 40s and 50s, including Kind Hearts and Coronets and The Lavender Hill Mob. More recently the studios were brought back to life for an ill-advised remake of St Trinian's.
W32.Dozer:
Fireworks weren't the only thing going off on the 4th of July. Several U.S. and South Korean government, financial, and media websites were attacked and at different times, were offline. There's been a lot of speculation about the source of the attacks, but here is what we know so far.
We've observed a number of malware components that are responsible for the attacks. W32.Dozer, Trojan.Dozer, W32.Mydoom.A@mm, and W32.Mytob!gen work in tandem to both spread and attack. W32.Dozer, a dropper that contains all the other components within it, is sent by W32.Mytob!gen to email addresses it gathers from the compromised computer. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the compromised computer. W32.Mydoom.A@mm in turn drops W32.Mytob!gen and a removal tool built by the threat authors, allowing them to uninstall W32.Mytob!gen if they so prefer. W32.Mytob!gen gathers email addresses, sends the W32.Dozer dropper to them, and the cycle continues.
Trojan.Dozer acts as a backdoor and connects to remote IP addresses on specific ports. We have observed command-and-control activity on the following IP addresses and ports:
213.33.116.41 through TCP port 53
216.199.83.203 through TCP port 80
213.23.243.210 through TCP port 443
The commands received over these connections allow the Trojan to update itself and to report the status of the DDoS. Another command instructs the Trojan to perform DDoS attacks on predetermined sites read from a component file. To carry out the DDoS attacks, the Trojan may start an HTTP session with GET or POST requests, or launch a UDP, ICMP, TCP ACK, or TCP SYN flood.
While these attacks are ongoing, you can do your part by keeping your security software updated as often as possible. Worth noting: filtering email attachments and blocking the IP addresses noted above in your firewall can help take the boom out of Mydoom and the bull out of Dozer.
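The three IP/port pairs above are the only concrete indicators the post gives, so the practical follow-up is to hunt for them in outbound connection logs and to turn them into block rules. The script below is an added example, not code from the original post or from Symantec: the log format and the sample lines are constructed for illustration, and only the C2 endpoints come from the text. It matches on the full (IP, protocol, port) triple rather than on port alone, because ports 80 and 443 are ordinary web traffic and a different port on the same address is not the reported channel; the sample log includes both of those near misses so the difference is visible.

```python
"""Hunt for Trojan.Dozer C2 connections in a connection log and emit block rules.

Added example, not code from the original post or from Symantec. The C2
endpoints are the IP/port pairs quoted in the text; the key=value log format
and the sample lines are constructed here for illustration only.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set


class Endpoint(NamedTuple):
    ip: str
    proto: str
    port: int


# Trojan.Dozer command-and-control endpoints as reported in the post.
DOZER_C2: Set[Endpoint] = {
    Endpoint("213.33.116.41", "tcp", 53),
    Endpoint("216.199.83.203", "tcp", 80),
    Endpoint("213.23.243.210", "tcp", 443),
}

# Constructed sample log (assumed firewall key=value format). It deliberately
# contains two near misses: the right IP on the wrong port (8080) and an
# adjacent IP (.211) on the right port, neither of which is a reported C2.
SAMPLE_LOG = """\
2009-07-08T10:01:12Z proto=tcp src=10.0.4.17:49321 dst=213.33.116.41:53 action=allow
2009-07-08T10:01:13Z proto=udp src=10.0.4.17:49322 dst=10.0.0.2:53 action=allow
2009-07-08T10:02:40Z proto=tcp src=10.0.4.23:49400 dst=216.199.83.203:80 action=allow
2009-07-08T10:02:41Z proto=tcp src=10.0.4.23:49401 dst=216.199.83.203:8080 action=allow
2009-07-08T10:05:02Z proto=tcp src=10.0.7.9:51000 dst=213.23.243.210:443 action=allow
2009-07-08T10:05:03Z proto=tcp src=10.0.7.9:51001 dst=213.23.243.211:443 action=allow
this line is garbage and should be skipped
"""


class Conn(NamedTuple):
    ts: str
    src: str
    dst: Endpoint


LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+proto=(?P<proto>\w+)\s+src=(?P<src>[\d.]+):(?P<sport>\d+)"
    r"\s+dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
)


def parse_line(line: str) -> Optional[Conn]:
    """Parse one key=value log line; return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Conn(
        ts=m["ts"],
        src=m["src"],
        dst=Endpoint(m["dst"], m["proto"].lower(), int(m["dport"])),
    )


def find_c2_connections(log_text: str, iocs: Set[Endpoint] = DOZER_C2) -> List[Conn]:
    """Return every connection whose destination matches an IOC triple exactly."""
    hits: List[Conn] = []
    for line in log_text.splitlines():
        conn = parse_line(line)
        if conn is not None and conn.dst in iocs:
            hits.append(conn)
    return hits


def suspected_hosts(log_text: str, iocs: Set[Endpoint] = DOZER_C2) -> Dict[str, List[Endpoint]]:
    """Group matches by internal source address: one entry per host to triage."""
    by_host: Dict[str, List[Endpoint]] = {}
    for conn in find_c2_connections(log_text, iocs):
        by_host.setdefault(conn.src, []).append(conn.dst)
    return by_host


def iptables_rules(iocs: Set[Endpoint] = DOZER_C2) -> List[str]:
    """Emit egress DROP rules for the C2 addresses.

    Blocking is by whole IP, as the post advises, rather than by IP+port, so a
    bot that is re-tasked to a different port on the same host is still cut
    off. Output is sorted so it is deterministic.
    """
    return [f"iptables -A OUTPUT -d {ip} -j DROP" for ip in sorted({e.ip for e in iocs})]


if __name__ == "__main__":
    for host, dsts in suspected_hosts(SAMPLE_LOG).items():
        print(host, "->", ", ".join(f"{d.ip}:{d.port}/{d.proto}" for d in dsts))
    print("\n".join(iptables_rules()))
```

Running it against the constructed log flags exactly three internal hosts, one per C2 endpoint, and ignores the 8080 and .211 near misses. The rules it prints are a starting point for a border firewall; the same triples can be fed to a proxy or IDS as a blocklist.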
W32.Dozer: South Korea botnet attack not finished yet
The denial-of-service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.
There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn't mean it wasn't happening or won't in the future, said Gerry Egan, a product manager in Symantec's Security Technology Response group.
There are only about 50,000 infected PCs around the world being used in the attacks, which is relatively small compared to the millions that were infected with Conficker, he said.
The attacks started over the July 4 weekend, launching distributed denial-of-service (DDoS) attacks on dozens of government and commercial sites in the U.S. and South Korea. The attacks, which resurged during the week at least twice, affected sites including the White House, the Federal Trade Commission, the Secret Service, and The Washington Post.
One of the files dropped on infected PCs is programmed to wipe out files on the PC, including the master boot record, which will render the system inoperable when the PC is rebooted, Symantec said. "Basically, your system is in trouble if this executes," Egan said.
Botnet expert Joe Stewart of SecureWorks told The Washington Post that he tested the self-destruct Trojan and found it capable of erasing the hard drive on an infected system, but that the function wasn't being triggered. He speculated that either there is a bug in the code or that the feature is set to activate at a later date.
Researchers are finding that the botnets launching the attacks are infected with several types of malware. The MyDoom worm is being used to spread infections between computers via e-mail, Symantec and other antivirus vendors have reported.
A dropper program called W32.Dozer that contains the other components is sent by W32.Mytob!gen to e-mail addresses it gathers from the compromised computer, the Symantec Response Blog says. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the system.
The Dozer Trojan serves as a backdoor and connects to IP addresses on certain ports, allowing it to update itself and to receive instructions on which sites to attack, according to Symantec. It's unclear whether the DoS attacks will happen again, because the infected PCs can receive new instructions at any time, Egan said.
"There is nothing new or novel in the technology," he said. Judging by the high-profile sites attacked, it's likely the attackers are just trying to get attention, he added.
South Korean officials told reporters on Friday that the DoS attacks used 86 IP addresses in 16 countries, including South Korea, the U.S., Japan, and Guatemala, but not North Korea, according to an Associated Press report.