Friday, 16 January 2009

It made the news!

A new sleeper virus that could allow hackers to steal financial and personal information has now spread to more than eight million computers in what industry analysts say is one of the most serious infections they have ever seen.

Been battling this one constantly since Jan 7th.

Fun, it is not. In terms of tenacity and difficulty of removal, this is the worst I've seen in 18 years.


Saskboy said...

What are the telltale signs of infection? Changes DNS or something?

Catelli said...

It overrides DNS, such that you cannot access any website. Makes patching fun. This is the easiest check.

Overall system slowness and random rebooting due to svchost.exe crashes are also signs (though not always occurring).

If you look in the task scheduler you may see one or more AT# (AT1, AT2, AT3, etc.) scheduled tasks.

If you use Wireshark, you'll see it attempt NetBIOS connections to random IP addresses in attempts to spread the infection. This one is hard to filter on a domain, or a large workgroup, but sometimes the packets are misformed by the virus. So on a switched network a third machine will see NetBIOS communication between two other machines as broadcast traffic.

Lastly, (if you use a sniffer or other monitoring tool) you will see HTTP connection attempts to random domain names (e.g., etc. etc.) Apparently the virus generates the domain requests using a mathematical formula using date/time as variables.

On powerful machines, the user may not even know they are infected. Overall performance doesn't degrade enough to be noticed. Since the virus isn't malicious towards any files or a particular program (other than websites) you wouldn't even know it was there.
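
The NetBIOS fan-out sign described in the comment above, as an added example that is not part of the original post or its comments: it flags hosts that reach many distinct addresses on NetBIOS ports within a short window. The flow-record format, the port set, the window and the threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque

# Assumption: classic NetBIOS ports; add 445 if SMB over TCP should count too.
NETBIOS_PORTS = {137, 138, 139}

# Constructed sample flow records: "<epoch seconds> <src ip> <dst ip> <dst port>"
SAMPLE_FLOWS = """\
1000 10.0.0.23 10.0.0.101 139
1003 10.0.0.23 172.16.4.9 139
1004 10.0.0.5 10.0.0.2 139
1007 10.0.0.23 192.168.7.44 139
1010 10.0.0.23 10.9.1.200 139
1012 10.0.0.5 10.0.0.2 139
1015 10.0.0.23 172.20.3.3 139
1020 10.0.0.23 10.0.8.17 139
1021 10.0.0.40 10.0.0.2 80
1100 10.0.0.77 10.0.0.2 139
1300 10.0.0.77 10.0.0.3 139
1500 10.0.0.77 10.0.0.4 139
1700 10.0.0.77 10.0.0.6 139
1900 10.0.0.77 10.0.0.7 139
garbage line
"""

def parse(text):
    """Yield (ts, src, dst, port) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            yield int(parts[0]), parts[1], parts[2], int(parts[3])
        except ValueError:
            continue

def netbios_fanout(text, window=60, threshold=5):
    """Return {src: peak distinct NetBIOS peers seen within `window` seconds}
    for every source whose peak reaches `threshold`."""
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    peak = defaultdict(int)
    for ts, src, dst, port in sorted(parse(text)):
        if port not in NETBIOS_PORTS:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q[0][0] <= ts - window:  # evict records older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

if __name__ == "__main__":
    print(netbios_fanout(SAMPLE_FLOWS))
```

A workstation that talks to one file server repeatedly stays at a peak of 1, so the threshold separates it from a host sweeping addresses; tune the window and threshold against normal traffic on the network being monitored.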