TechNewsWorld.com

Kido Worm Keeps On Truckin' via USB Thumb Drives


The Kido worm, which also goes by the monikers "Downadup" and "Conficker," is kicking up trouble again thanks to unpatched systems, weak network security, and its ability to get around via USB thumb drives. The worm and the patch to protect against it have been around for months, but researchers believe it's now infected over 8.9 million PCs.

A new method of propagation has given a computer worm a fresh lease on life. The Win32.Worm.Downadup, aka "Conficker" or "Kido," first hit the world last year by exploiting the MS08-067 vulnerability that let it spread in loosely secured networks.

Microsoft (Nasdaq: MSFT) issued a patch for the vulnerability, but a large number of PCs have remained unpatched. Now, security researchers believe the worm can spread via USB thumb drives. In addition, 8.9 million PCs have been infected, according to F-Secure. At least one-third of PCs that should be patched have not been.

The vulnerability affects Microsoft Windows 2000, Windows XP, and Windows Server 2003. The latest variant of the worm can now spread via thumb drives, reported security software firm BitDefender. It operates by copying itself into a randomly named folder created inside the Recycler directory (the directory the Recycle Bin uses to store deleted files), BitDefender said, and creating an autorun.inf file in the drive's root folder. The worm executes automatically if the Autorun feature is enabled.

Certain TCP functions are also patched to block access to security-related Web sites by filtering every address that contains certain strings, BitDefender reported. This makes it harder to remove because information about it is difficult to gather from an infected computer. Additionally, the sneaky little worm removes all access rights of the user, except execute and directory usage, to protect its files.
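As an added illustration of the propagation layout described above (this is not code from the article or from any vendor it names), the script below checks a drive root for an autorun.inf whose launch entries point into a RECYCLER folder, the pattern BitDefender attributes to this variant. The folder and file names in the constructed sample are placeholders, not real indicators.

```python
"""Flag a drive root whose autorun.inf launches a file from inside RECYCLER."""
import os
import re
import tempfile

# Keys in an [autorun] section that Windows acts on (when Autorun is enabled)
# to launch a program from the inserted drive.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text):
    """Return {key: value} for the [autorun] section, with keys lowercased."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries

def suspicious_launch_targets(root):
    """Return launch targets in <root>/autorun.inf that resolve into a RECYCLER folder."""
    path = os.path.join(root, "autorun.inf")
    if not os.path.isfile(path):
        return []
    with open(path, "r", errors="replace") as f:
        entries = parse_autorun(f.read())
    hits = []
    for key in LAUNCH_KEYS:
        target = entries.get(key)
        # Match a RECYCLER path component regardless of case or slash style.
        if target and re.search(r"(^|[\\/])recycler([\\/]|$)", target, re.IGNORECASE):
            hits.append(target)
    return hits

def demo_constructed_drive(infected=True):
    """Build a constructed (harmless) drive layout in a temp dir and scan it."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "RECYCLER", "S-1-5-21-0-0-0-1000"))
    # Placeholder names only; payload.dll is an empty stand-in, not malware.
    launch = "RECYCLER\\S-1-5-21-0-0-0-1000\\payload.dll" if infected else "setup.exe"
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\nopen=%s\nicon=%%SystemRoot%%\\system32\\shell32.dll,4\n" % launch)
    return suspicious_launch_targets(root)
```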

Using Open Source for Easier Programming

Perhaps adding insult to injury, McAfee security researcher Xiao Chen, posting on the McAfee Avert Labs Blog, noted that the programmer used the Metasploit open source penetration testing framework as a code base.

"By using the exploit from the Metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading," Chen wrote.

"We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills," he added.

At Home or at Work?

Security researchers say the worm is widespread throughout the world, and seems to have had the most success in loosely secured business networks. But what about home users -- are they any less likely to become infected?

"I don't believe there's anything about it that specifically targets business systems -- it's indiscriminate about what systems it hits. That said, it's exploiting a network vulnerability, and businesses typically have large and complex network structures, so businesses that haven't deployed the Microsoft patch will find themselves in choppy waters," Richard Cohen, malware research manager of SophosLabs, told TechNewsWorld.

"Similarly, the worm spreads across networks with weak passwords and via USB, both of which you're likely to see on a larger scale on business systems, so the end result is they're likely to be affected more than individual users, even though that's not necessarily something the worm was aiming for explicitly," he explained.

Thumb Drive Delivery?

USB thumb drives, for all their ease and ubiquity, may hide a lurking danger.

"USB delivery is really quite common -- we have a whole raft of W32/Autorun and W32/SillyFDC worms that do exactly this," Cohen said.

"Spreading via removable medium was always mildly popular in the days of the floppy disc, but has undergone a real resurgence with the rise of cheap USBs and other removable media," he added.

What's Next?

If the Microsoft vulnerability patch has been available since October, what gives with the new rise of infections?

"People are still very resistant to patching machines, and we're constantly seeing people ask whether they really need to apply this patch. It doesn't explain the increased prevalence, but I'd say the patch being available since October by no means indicates that everybody is patched," Cohen said, noting that the increased media interest and information available online has likely made more people aware of their infected machines.

To fix the problem, Sophos recommends that users:

  • Ensure Windows is fully updated to fix the MS08-067 vulnerability that Mal/Conficker-A uses to spread.
  • Ensure that writable shares on networked computers have strong passwords.
  • Ensure that all removable storage devices are scanned after being connected to a computer infected with Mal/Conficker-A.
  • Ensure HIPS and buffer overflow prevention are both turned on and that "alert only" mode is turned off.
  • Ensure the on-access scanner is turned on and that "on write" scanning is enabled.
  • After enabling the above, reboot the computer and run a full scan and cleanup of any remaining items.

BitDefender offers step-by-step instructions and a free removal tool download, and Microsoft's Malicious Software Removal Tool should also snag and remove the worm.


By Chris Maxcer


Talkback: Join the Discussion.
Fixes for blocked infected PCs
siteriver
Posted 2009-01-19
downadup.com had troubleshooting steps that let me fix my infection - I couldn't connect to ...
