Millions of Windows-based personal computers worldwide, including thousands in China and India, have been affected by a family of network worms that goes by the name Conficker (also called Kido or Downadup).
The problem has been compounded because the worm keeps mutating into new variants, and a large number of companies and small and medium businesses have not yet fixed their machines with the emergency patch (MS08-067) that Microsoft provided in October 2008 and again this month.
Anti-virus company F-Secure estimates that 15 million machines have been infected to date, making it the worst outbreak of its kind since the Slammer worm in 2003.
The worm, according to Microsoft, infects computers across a network by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE) that allows remote code execution when file sharing is enabled. Depending on the variant (and there are said to be many), it may also spread via removable drives (USB sticks, for instance) and by exploiting weak passwords (such as password, 12345 and qwerty).
It disables several important system services (including email) and security products, and downloads arbitrary files, which makes it difficult to detect.
Even the US Computer Emergency Readiness Team (US-CERT) has cautioned that "...disabling AutoRun on Microsoft Windows systems can help prevent the spread of malicious code. However, Microsoft's guidelines for disabling AutoRun are not fully effective, which could be considered a vulnerability."
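One way to audit a host against the three exposure points the article names (the MS08-067 patch, AutoRun on removable media, and weak local password policy), as an added PowerShell example that is not part of the article. It assumes a Windows host with local administrator rights; the hotfix ID KB958644 and the two AutoRun registry values are Microsoft's documented identifiers (assumed correct for the Windows versions of the time), and the `net accounts` parsing assumes an English locale.

```powershell
# Added example (not from the article): report Conficker exposure points on this host.
$findings = @()

# 1. MS08-067 (Server service remote code execution): is the hotfix installed?
#    KB958644 is the hotfix ID for MS08-067 (assumed; verify against Microsoft's bulletin).
$patch = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
if (-not $patch) { $findings += "MS08-067 (KB958644) not installed" }

# 2. AutoRun on removable media. NoDriveTypeAutoRun = 0xFF disables AutoRun for every
#    drive type; the IniFileMapping entry makes Windows ignore autorun.inf entirely,
#    which is the stronger control the US-CERT caution refers to (both assumed values).
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ndta = (Get-ItemProperty -Path $polKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($ndta -ne 0xFF) { $findings += "NoDriveTypeAutoRun is '$ndta' (expected 0xFF)" }

$iniKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$ini = (Get-ItemProperty -Path $iniKey -ErrorAction SilentlyContinue).'(default)'
if ($ini -ne '@SYS:DoesNotExist') { $findings += "autorun.inf IniFileMapping override not set" }

# 3. Weak passwords. Rather than testing guesses against accounts, check that the local
#    policy rules out the article's examples (password, 12345, qwerty) by length.
#    Parses 'net accounts' output; assumes an English locale.
$acct = net accounts
$minLen = ($acct | Select-String 'Minimum password length') -replace '.*:\s*', ''
if ([int]$minLen -lt 8) { $findings += "Minimum password length is $minLen (expected >= 8)" }

if ($findings.Count -eq 0) { "No Conficker exposure points found on this host" }
else { $findings | ForEach-Object { "FINDING: $_" } }
```

Run it from an elevated PowerShell prompt; each FINDING line maps to one of the propagation vectors described above, and a clean run means the host is patched, ignores autorun.inf, and enforces a minimum password length.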
"The problem is acute since many companies, especially smaller ones, have not downloaded the patch," noted McAfee regional director (India) Kartik Shahani. He pointed out that many companies "are hesitant to download patches since it interferes with their legacy and customised applications at times".
According to him, one way to prevent the attack is with McAfee's host-based Intrusion Protection System, "since the solution identifies the vulnerability rather than the signature". He added that if a solution is just looking out for an exact signature which matches a virus, the worm would be very difficult to spot.
Symantec observed an increase in infections relating to the worm over the holiday period. Managing director Vishal Dhupar admitted that the worm posed a challenge.
He added, however, that solutions "are pretty robust nowadays so the damage gets limited. People, though, should remember to update their anti-virus definition files". Anti-virus software firms such as Symantec have detailed instructions on how to remove the virus on their websites.
Most malware infects PCs so that hackers can then use networks of the affected machines, dubbed botnets, to send spam, attack websites or compromise more computers.
Researchers are now worried about the next step in the attack. Mahindra Special Services Group CEO Raghu Raman acknowledged: "It's a botnet but not a catastrophe." Besides, companies may take anywhere between 24 hours and a week to remove the virus.