A nasty worm, called Conficker or Downadup, that has infected millions of computers worldwide is creating havoc in the Middle East and is spreading to one million more machines daily.
Already nine million computers are affected. Security experts are wondering whether the attack is a harbinger of evil deeds to come.
The worm, a self-replicating program, exploits networks and computers that have not kept up to date with security patches for the Windows RPC Server Service.
"We have seen outbreaks of Downadup in the Middle East, and it reaffirms the fact that an antivirus package alone cannot protect a network against malicious activity," said Bulent Teksoz, Systems Engineering Manager at Symantec. "Attackers are becoming more sophisticated and therefore an organisation's security software needs to be able to provide tiers of protection.
"This virus propagates through multiple ways, including USB media, network connections and fileshares. Therefore, protection must cover multiple layers with total client management."
It can infect machines from the internet or by hiding on USB memory sticks carrying data from one computer to another. Once in a computer it digs deep, setting up defenses that make it hard to extract. Malware could be triggered to steal data or turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.
The Symantec response team says it is an extremely interesting piece of malicious code and one of the most prolific worms seen in years. The threat continues to affect mainly SMBs (small and medium-sized businesses) and enterprises, and most infections are being tracked in East Asia and South America, predominantly China, Argentina and Chile.
Though the virus has had its outbreak in the Middle East, certain vendors such as Fortinet have been sending advisory notes to customers since October, helping them keep their virus signatures and software updated regularly.
Judhi Prasetyo, regional channel manager-Middle East from Fortinet, said: "According to the advisory note we released in October, we had warned our consumers about this worm and have seen it evolving since December. There have been two variants – Conficker (A) and Conficker (B). The former has been around since December but did not behave the way it should. Therefore a second version called Conficker (B) was released."
He said: "So far it has not affected our customers as we have been asking them to carry out software/virus updates, including virus signatures. We don't expect this worm to affect enterprises in this region."
The worm also targets Windows systems, especially unpatched Windows XP SP2 and Windows 2003 SP1 systems, causing problems for businesses that have not updated them. "Because many consumer systems automatically update to the latest patches, we are seeing fewer infections on home machines. Other worms released over the past few years have largely targeted older system versions, which have an ever-decreasing distribution," said the Symantec security response team.
The Symantec Intelligence Analysis Team has recently begun monitoring W32.Downadup.B infections using the same method used to monitor W32.Downadup.A. Both worms use custom date-based algorithms to generate 250 domain names per day.
Each infected machine then contacts these domains in an attempt to obtain an update binary. By reverse engineering the algorithms and building tools that mimic the domain generation routine, Symantec's team is able to predict which domains infected systems will contact on future dates.
Customers can take advantage of this knowledge by pre-emptively registering the domains that will be queried in future and, on the associated day, logging all of the resulting lookups.
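The date-based generation and pre-registration approach described above, as an added example that is neither Symantec's code nor the real Downadup algorithm: a simplified stand-in DGA (the hash, label lengths and TLD list are assumptions), the future-window precomputation a defender would use to register domains ahead of time, and matching of constructed resolver log lines against that window.

```python
import hashlib
from datetime import date, timedelta
# Illustrative date-seeded domain generation algorithm (DGA). NOT the real
# W32.Downadup routine: hash, label lengths and TLD list are assumptions.
TLDS = ("com", "net", "org", "info", "biz")

def generate_domains(day: date, count: int = 250) -> list[str]:
    """Deterministically derive `count` candidate domains from a calendar date."""
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 4                      # label of 8..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains

def predict_window(start: date, days: int) -> dict[str, date]:
    """Map every domain expected over the next `days` days to its scheduled day."""
    lookup = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for dom in generate_domains(day):               # pre-register these, log resolvers
            lookup[dom] = day
    return lookup

def match_dns_log(lines: list[str], lookup: dict[str, date]) -> list[tuple[str, str, date]]:
    """Return (client, domain, scheduled_day) for queries hitting predicted domains.
    Assumed log format: '<timestamp> <client-ip> query <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].rstrip(".").lower()            # tolerate a trailing root dot
        if qname in lookup:
            hits.append((parts[1], qname, lookup[qname]))
    return hits

WINDOW = predict_window(date(2009, 1, 20), 7)           # 7 days x 250 = 1750 domains
# Constructed resolver log: two queries for predicted domains, one unrelated lookup.
SAMPLE_LOG = [
    f"2009-01-21T09:15:02 10.0.0.17 query {generate_domains(date(2009, 1, 21))[3]}",
    "2009-01-21T09:15:03 10.0.0.17 query update.example.com",
    f"2009-01-22T00:01:44 10.0.0.42 query {generate_domains(date(2009, 1, 22))[118]}.",
]

if __name__ == "__main__":
    for client, dom, day in match_dns_log(SAMPLE_LOG, WINDOW):
        print(f"{client} resolved {dom}, scheduled for {day:%Y-%m-%d}")
```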