Cybercrime experts keep close watch on Internet worm

By Byron Acohido, USA TODAY

Find original copy of  this article here.

The world’s top virus hunters are watching every move made by the attacker in control of a nasty new Internet worm – referred to as “downadup” or “conficker.”

What worries them most is that the person, or group, controlling the worm could at any time direct the PCs to carry out criminal activities on an unprecedented scale. And there’s not much anyone can do to stop them.

The attackers could use the infected PCs to steal data, spread spam or commit other routine cybercrimes.

“We have a lot of people looking at this, and with everybody watching it, hopefully they will be too scared to do anything,” says Patrik Runald, security adviser at F-Secure. “That’s really the only thing we can hope for.”

In less than three weeks, the worm has spread to more than 1 million PCs around the globe, mostly inside companies, according to estimates from F-Secure and Atlanta-based security firm SecureWorks. A worm of that magnitude has not been seen since 2004.

The worm takes advantage of a security hole that exists on hundreds of millions of Windows PCs. Microsoft issued an emergency patch for the hole in October. Because most Windows PCs connected to the Internet were vulnerable without the patch, the security community went on high alert.

The worm first appeared on Jan. 7. Tech security researchers say it probed for and implanted itself on any unpatched Windows PC. It then scanned for, broke into and infected all nearby computer servers. It also implanted itself onto any portable device plugged into the PCs’ USB inputs, such as a thumb drive storage stick, an iPod or a digital camera. When the corrupted device was plugged into another computer, that machine became infected – and began searching for other PCs to infect.

Don Jackson, senior researcher at SecureWorks, says infections have been spreading in bursts inside corporate networks. “It’s like time bombs going off.”

The National Cyber Alert System of US-CERT advises corporations to disable a Windows feature, called autorun, to help cut down infections from USB devices. Microsoft has a cleanup tool available. But the worm blocks Internet traffic trying to get to Microsoft’s tool. “This worm was written by people who know what they’re doing,” Runald says.

Security companies have banded together to block some of the 250 Web addresses that infected PCs are instructed to contact for further instructions. But the list changes once a day.

Vincent Weafer, vice president of Symantec Security Response, says the attackers may have been too successful. “There’s no way they want this much attention,” he says, adding that he expects them to back off.

Share on FacebookShare on Google+Tweet about this on TwitterShare on LinkedInEmail this to someone