Conficker Worm Cripples Police Department

Written by Sue Walsh on February 16, 2010

The Conficker worm shut down the Manchester, UK, police station for 3 days earlier this month. It forced police officers to rely on other jurisdictions to access the country’s criminal database, as the Manchester station was disconnected from the UK Police National Computer Network. Investigators blame an infected USB stick for the incident. Endpoint security is fast becoming one of the most important and sought-after security measures in organizations to prevent the spreading of viruses via USB ports.

“Virus scanning has to extend beyond the PC to all types of removable storage”, Jason Holloway, Northern European sales manager with SanDisk, said. “Better still, employees should only be able to use authorised flash drives that include on-board antivirus scanning. This ensures that users can’t turn off, disable or work around the protection, and would stop these infections from spreading.”

Conficker has spread like wildfire across the net and has infected over 7 million computers. It was first spotted in 2008. Experts still aren’t sure what its purpose is since its botnet is seldom used.

A year ago Manchester council’s computers were attacked by Conficker, forcing the town to write off parking tickets and spend over $1 million pounds to fix the infection. It’s not yet known if the Manchester police will have to overlook any violations or void any arrests because of their infection.

Vicious, Data Destroying Virus Discovered

Written by Sue Walsh on February 2, 2010

Security researchers have discovered a vicious new virus. Dubbed Win32.Worm.Zimuse.A, it appears to have originated in Slovakia but has been quickly making its way around the world, with the highest rate of infection now in the United States, followed by Slovakia, Thailand, and Italy. The virus and its variant, Win32.Worm.Zimuse.B, both work in the same destructive way. Once the system is infected, Zimuse creates between 7 and 11 copies of itself, installs a rootkit, alters system registry entries, and creates several driver files. After a pre-determined number of days (40 for A, 20 for B) it springs to life with a poorly written fake Windows Defender warning:

“System Defender – Kernel Error 0xC00000005

This problem is unambigously cause by malicious contents in IP packers in transport layer from website: www.offroad-lm.szm.sk. To bee patient, Windows Defender scan your hard drive(s) for bugs caused by system incompatible code. To recovery of system press OK button. Wait to successfull end of scanning. Inform about this administrator on www.szm.sk and incriminated web site.”

Once that appears, the system is doomed. The next time the user restarts the computer they will be greeted with the heart-stopping error “FATAL: No bootable medium found.” This is because the virus overwrites the Master Boot Record, which permanently damages the drive. What makes this virus even more dangerous is that until the message pops up it’s nearly impossible to know the system is infected.

Win32.Worm.Zimuse A and B distribute themselves in very different ways. The first variant embeds itself on legitimate sites, possibly by poisoning an ad network, and pretends to be an IQ test. The second spreads via removable media such as USB flash drives. Experts think it was a malicious prank intended only for fans of a Slovakian motorcycle gang, but it has gone far beyond that, destroying data wherever it lands. This could be especially devastating if it hit a critical government or business network.

It is extremely important to make sure your data is backed up safely and to be more cautious than ever about sharing storage media and clicking on links. All IQ tests should be avoided, and web surfing should be confined to familiar sites. If you aren’t sure if your system’s anti-virus programs are up to date, contact your IT department.

Virus variant turns iPhone into zombie

Written by John P Mello Jr on November 27, 2009

Worm turns ugly for iPhone.

The first smartphone malware began innocently enough. A Dutch cracker discovers a way to penetrate modified, or “jailbroken,” iPhones using their default root password “alpine.” “You want to protect this phone from more attacks?” he asks his victims. “Pay me five Euros, and I’ll tell you how to do it.”

Not to be outshone by the Dutch, an Australian writes a virus, ikee, that makes its presence known by changing the background on the mobile to a photo of Rick Astley, who became a one-shot wonder in 1987 with the hit song “Never Gonna Give You Up,” and displaying the message “ikee is never going to give you up.”

More important, though, was that ikee could replicate itself. Once it infects an iPhone, it begins searching for other jailbroken devices on a mobile network that use alpine as their root password and infects them. In other words, it’s a good old-fashioned ego-centric virus: annoying but not very harmful, and designed to spread the name of its creator, ikee.

But as White Hats discovered this week, those initial efforts were just a prelude to a nastier variant of the ikee worm. Like its predecessor, it takes advantage of modified iPhones with the SSH protocol turned on and unchanged default passwords. This variant, however, is designed to steal banking information from the phone.

What’s more, it has botnet characteristics. It connects to a Web-based command and control server located in Lithuania, effectively turning infected phones into zombies that will do the bidding of the crackers without the knowledge of the phone’s owner.


New Malicious Spam Exploits Craigslist

Written by Sue Walsh on August 18, 2009

A new malicious spam attack is exploiting the popular site Craigslist. The messages arrive with the subject line “Re: Car For Sale on Craigslist” and with a message that looks like a reply to an inquiry about a car for sale on the site. A link within it claims to direct the recipient to photos of the vehicle on Picasa. The link instead leads to a malicious site that downloads a Trojan onto the visitor’s computer.

It’s not yet known who’s responsible for this latest wave of malicious spam, but experts are warning people to be very cautious. Only 13 out of 41 virus scanners caught the virus, meaning that having an up-to-date virus program may not be enough to protect you. Obviously, if you or your company hasn’t inquired about a car for sale on Craigslist, you should immediately delete any such messages.


Meet Waledec, Conficker’s Child

Written by Carl E. Reid on April 21, 2009

Indy.com reported in early April 2009 about the Waledec bot riding along with the Conficker virus. “Conficker, for the first time, moved beyond sitting quietly on millions of Windows computers worldwide to infecting other vulnerable computers.

This means many more consumers could end up with a variant of Conficker. You also could catch a worm that’s now tagging along for the ride.

This new worm, called Waledec, can open a back door to your computer to steal information or to allow an outsider to control it, security experts warn.” Waledec’s goal is to make money by harnessing the power of an infected computer and millions of other computers to create a massive “bot network,” or “botnet,” to send out spam.


Virus Cracks Open Email Scam

Written by Carl E. Reid on October 23, 2008

This story is near and dear to me. One day I went into a frenzy, because a good friend sent me an email that she was stranded in Ghana and needed me to send her some money. She never mentioned she was going to Ghana. I was taken off guard at first, because I had a couple of other friends who had gone to Ghana to work, about the same time. Common sense came to my rescue again. I finally collected my thoughts and called my friend’s boyfriend. He confirmed my friend’s Gmail account was hijacked and she was safe at home in New Jersey. It only goes to show email administrators must constantly remind our email users not to open email from unknown people.
