Symantec recently detected a computer threat belonging to the ransomware category, a malware that is dangerous because of the way it attacks PCs based on Windows operating systems even though it isn’t particularly complex to defeat. Trojan.Ransomlock.AF, as the malware is named, targets users of the Chinese Internet with an account on Tencent QQ (or “QQ”), an instant messaging service that is very popular within the Asian country.
File sharing platforms abuse by malicious code is a fashionable habit since years now. A malware usually just checks if the infected machine hosts a peer-to-peer software, but the W32.Changeup worm detected by Symantec (among the others) goes beyond and rather than searching for a P2P tool it installs its own “private” eMule copy to replicate itself. The malware is noteworthy for its ability to “assist” downloading and spreading of additional computer threats.
Computer threats are continuously evolving, and there is who would even pretend that they did the leap from the machine to man by infecting RFID microchips installed under the skin. But even though they remain a “simple” IT issue, some malicious codes are a problem difficult to tackle because of their inherent complexity and an intelligent design capable of constantly putting security companies under pressure. A remarkable “intelligent” threat is for instance Sality, the new generation file virus that according to Symantec has practically turned into an “all-in-one” malware incorporating botnet-alike functionalities as well.
One of the things that more took my time, in all these days of guilty and unforgivable absence from the blog, was tinkering with hard disk cloning programs and tools to work with partitions. Actually it would have been better, considering my latest misadventure with magnetic HDDs, to deal with the matter way before - for instance at the beginning of the reinstallation process of my software after having purchased the new laptop. Anyway the fact is that I spent the last week (excluding the weekend) trying backup and partitions manipulation tools, and the previous one integrating the useful documentation already collected about the subject.
File viruses are only a small part of nowadays malicious code diversified landscape, and yet these ancient malware designed to infect legitimate software by parasitizing its executable routines continue, every now and then, to hit the headlines with news worth the attention. The latest couple of examples of this remarkable endurance ability affects an old but still popular development environment and the most known among CAD (Computer Aided Design) programs.
More than a week after the 1st of April, the day when the Internet stood still because according to the press the Conficker/Downup/Downadup/Kido worm could have destroyed the net, the infrastructures, civilized mankind and the entire planet things are going more or less as usual: Internet remains a dangerous place but it hasn’t exploded like a supernova, and bits are flowing quickly from a part to another one of the planet. The true novelty is that the botnet built up by one of the most complex malware ever finally shows what its true purpose is.
Since, in 2005, the nasty commercial policies of Sony BMG uncovered the possibility to seize control on the operating system to hinder the normal working of the PC and peripherals, the evolution of rootkit software went through an unparalleled acceleration. The interest for the matter rose in research and among cyber-criminals gangs, with the result that can be esteemed in these days: rootkits have reached the lowest levels of electronic devices circuitry by infecting network routers, the BIOS and even the most privileged working mode of the x86 processors.
Conficker/Downup/Downadup/Kido malware, Symantec writes in the first edition of The Downadup Codex, “is, to date, one of the most complex worms in the history of malicious code“. At first spread through a flaw within the Windows Server service, the threat has grown immensely because of a combination of elements that facilitated its diffusion and drove the IT industry to unite in the attempt to block its further proliferation.
Conficker (also known as Downup, Downadup or Kido) is the worm that first, after the Sasser outbreak in 2004, was able to exploit a flaw in a Windows remote service, and due to this unusual ability the malware became in turn the target of a large part of the IT industry that, leaded by Microsoft, is trying in these days to defuse the time bomb of an enormous botnet yet with unknown practical outcomes.
As previously highlighted, traditional viruses, the ones that nowadays are generally defined as “file viruses” and target executable programs parasitizing and exploiting them as a medium for their propagation, even though reduced to a marginal component of the crowded zoo of beasties making up modern malware aren’t vanished at all. A confirmation of this is the fact that, after the Sality case, new parasitic viruses families have in the past days caught the attention of experts and security firms.
The Conficker worm, also known as Downup, Downadup or Kido, is floating around since October 2008. Security firms know it pretty well, and in the past days the malware has become known as much well to users too having infected a significant amount of machines all over the world. We have returned to the “good” old times of Sasser, Blaster and Mydoom outbreaks, and the already worrisome proliferation of the worm threatens to get even worse because of some conditions that increasingly support its spreading.