Tuesday, February 3, 2009

Handling the DOWNAD Worm

Recently a worm attack has been rampaging, and many computers around the world have already been infected. Malaysia is no exception. As someone involved in the ICT world, GiLoCatur is directly involved in the effort to contain and clean the computers that have been attacked, especially at clients' offices.

It is hoped that chess enthusiasts in Malaysia will take this matter seriously and scan their own computers to help curb the spread of this worm. Please also make sure your computers are patched with the latest patches. For those who still do not know about this worm, please read the article below.

What is DownAd?

DownAd is a worm. A deadly worm, which is causing nightmares to the security experts and spreading very fast these days.

And the magnitude of the infection is big. An estimate suggests that more than 8 million users are already infected with DownAd. Initially thought to be working in conjunction with a NETWORM variant, WORM_DOWNAD.A is now believed to be an updated version of an attack from the same criminal botnet gang.


How does DownAd Operate?

Downadup worms attempt to call home. They do this by trying to connect to various Web addresses. And if the worm finds an active Web server at one of these domains, it will download and run a particular executable — thus giving the malware gang a free hand to do whatever they want with all of the infected machines.


They could build a large botnet for example. The framework is in place. Normally malware uses only one or maybe a handful of websites. Such sites are generally easy to locate and shut down.


Then there is Downadup. It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day.


Hundreds of names such as: qimkwaify .ws, mphtfrxs .net, gxjofpj .ws, imctaef .cc, and hcweu .org.


This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place. However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever.
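The defender's side of the point made above (that a date-seeded list of names can be computed in advance by anyone who knows the algorithm) as an added illustration that is not part of the original article. The generator here is a constructed toy, not Downadup's real algorithm, and its parameters (the TLD list, 250 names per day, the SHA-256 derivation, the DNS log format) are assumptions; the same precomputation that lets an attacker pick one name to register lets a defender blocklist or sinkhole the whole day's list and flag any host that looks one of them up.

```python
"""Toy date-seeded domain generator plus a DNS-log matcher.

Added, constructed example of the pattern the article describes: a name list
that changes daily and can be precomputed by defenders. Not the worm's code;
the names it yields are made up.
"""
import hashlib
from datetime import date
from typing import List, Tuple

# Hypothetical parameters (assumptions, not taken from the worm).
TLDS = ("ws", "net", "cc", "org")
NAMES_PER_DAY = 250

# Constructed dates used by the sample log below.
TODAY = date(2009, 2, 3)
TOMORROW = date(2009, 2, 4)


def daily_domains(day: date, count: int = NAMES_PER_DAY) -> List[str]:
    """Derive a deterministic list of candidate domains from the date alone.

    Because the only input is the calendar day, tomorrow's list is knowable
    today: the attacker needs to register just one entry, while the defender
    can block or sinkhole every entry before it is used.
    """
    seed = day.isoformat().encode()
    out = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 7 + digest[0] % 5                      # 7..11 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[12] % len(TLDS)]
        out.append(f"{label}.{tld}")
    return out


def flag_dga_lookups(log_lines: List[str], day: date) -> List[Tuple[str, str]]:
    """Return (client_ip, domain) for DNS queries that hit the day's list.

    Constructed log format: "<timestamp> <client_ip> query <domain>".
    Domains are lower-cased and stripped of a trailing dot before matching so
    that "EXAMPLE.WS." and "example.ws" are treated as the same name.
    """
    watch = set(daily_domains(day))
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue                                    # skip malformed lines
        domain = parts[3].rstrip(".").lower()
        if domain in watch:
            hits.append((parts[1], domain))
    return hits


# Constructed DNS query log: two hosts resolve names from today's list (one in
# upper case with a trailing dot), the rest are ordinary traffic.
_cand = daily_domains(TODAY)
SAMPLE_LOG = [
    f"2009-02-03T09:14:02 10.0.0.5 query {_cand[3]}",
    "2009-02-03T09:14:05 10.0.0.9 query www.google.com",
    f"2009-02-03T09:15:11 10.0.0.17 query {_cand[7].upper()}.",
    "2009-02-03T09:15:30 10.0.0.9 query update.example.net",
    "garbage line that is not a query",
]


def demo() -> List[Tuple[str, str]]:
    """Run the matcher over the constructed log for TODAY."""
    return flag_dga_lookups(SAMPLE_LOG, TODAY)


if __name__ == "__main__":
    print(f"{len(daily_domains(TODAY))} candidate names for {TODAY}")
    for ip, dom in demo():
        print(f"ALERT {ip} looked up {dom}")
```

In practice the list for a real family comes from a published analysis of the sample's algorithm, and the matcher would read the resolver's query log rather than an inline list; the structure stays the same: generate today's (and tomorrow's) names, push them to the DNS blocklist or sinkhole, and treat any internal host that queries one as a likely infection to isolate and patch.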


So why is DownAd so successful? Simple - poor security policies.


The first propagation technique is really exploiting poor patch management. A patch for this vulnerability has been available since late last year, but still some administrators (or the safety representatives) have not properly rolled this out to all machines on their network.


Remember even one unpatched machine is enough to have this worm spread through the entire network. Patch management is a critical component of any IT department’s job today, and it is vitally important that it is applied in a timely fashion across ALL of the company’s machines, including laptops and other mobile devices. Companies also need to have very clear policies on patch levels of external parties who access their network (e.g. partner companies, contractors, etc). Like so many aspects of security, it only takes one hole to bring down an entire network.
