
Science, Technology & Nature Blog: January 2009

Rise of the zombie army

Posted on 26/01/09 by Mike Richards

 

Waiting for the zombie army

Somewhere out there more than 9 million Windows computers are about to wake up and do something - but no one knows precisely what will happen. These machines have been infected by a software worm known as Conficker, which first appeared late last year; and although it has yet to do much damage, it is causing real concern to computer security experts.

A worm is a computer program which spreads by copying itself from machine to machine over a computer network. Computer viruses are a different type of program, which are spread by attaching themselves to other pieces of data such as screensavers, graphics and email messages. Worms, viruses and trojan horse programs can all be described as malware.

Worms have been around for decades now and have been becoming increasingly dangerous. The first really dangerous worm was the Morris worm released in 1988 by Robert Morris, a student at Cornell University in the United States. Morris' worm did not contain any malicious code, but as it replicated across the Internet, the worms consumed ever-increasing amounts of computer power, making machines sluggish or completely unresponsive. The American government later estimated the Morris worm had cost between $10 million and $100 million to clear up; Morris himself was convicted and heavily fined.

Since then, programmers have been coming up with ever-more sophisticated worms that exploit loopholes and bugs in computer software. Microsoft Windows is the most commonly exploited program in part because it can be found on nine in every ten computers, but also because Windows is an enormously complex piece of software. Microsoft tries to ensure that new versions of Windows are compatible with previous versions so that users don't have to throw away applications when they upgrade their operating systems. Consequently, newer versions of Windows may contain several chunks of code that all perform more or less the same task. Even more complexity is introduced by software and hardware manufacturers who write software to work with Windows. Many of Windows' problems are actually nothing to do with Microsoft, but are instead created by the writers of software drivers who either fail to follow Microsoft's guidelines or inadequately test their programs. The result has been an enormous number of weaknesses in Windows and software running on PCs. It is estimated that the most common version of Windows (XP) contains approximately 50 million lines of programming code; with millions more in all of the applications and drivers installed on an average computer. Identifying and fixing bugs and loopholes is a monumental and never-ending task.

Conficker creeps on to Windows machines using a bug that existed in the so-called Server service which ticks away quietly in the background on all computers running Windows 2000, Windows XP, Windows Vista and Windows Server. Microsoft announced the weakness in October 2008 along with a software patch that eliminated the security flaw. During the last three months, all Windows machines should have picked up the security patch and protected themselves from infection, but it is estimated that at least one third of machines are still unprotected from Conficker.

Shamefully, many large organisations including the NavyStar/N* desktops found on Royal Navy warships and the Sheffield Teaching Hospitals Trust had not performed the updates to their Windows systems and have been infected in the last few days. Huge amounts of time have been spent clearing up the infection and serious questions must be asked about these organisations' computer policies. The Sheffield infection was made possible after automatic updates to Windows machines were switched off on all computers belonging to the Trust. This decision was made when a PC used in an operating theatre performed an update and rebooted during surgery (this did not threaten the life of the patient). Rather than disable or modify the update procedure for machines in critical areas, a blanket decision was made that eventually caused even more damage.

Conficker can find its way on to a computer either through a network connection, or by being carried on a USB memory stick. When the worm infects a computer it immediately sets to work disabling the built-in protection. The automatic update service which would normally download the protective patch is switched off, as are the features that prevent malicious software running on the machine and all the warnings. Once Conficker is sure it can't be tracked, it makes a call to its creators (believed to be in Ukraine) informing them that the machine has been compromised. The PC has become what is known as a zombie.

Conficker is meanwhile busy running a tiny Web server program (just like the one which sent you this page) whose sole purpose is to deliver more copies of the worm. The worm scans nearby computers looking for others that are vulnerable to infection; if it finds one, that machine is directed to Conficker's Web server, downloads the worm and the infection spreads.

Remember Conficker's call home? Well, the reply to that call is a bundle of other malicious software which (amongst other things) tries to weasel personal data from the infected machine by cracking passwords. If this wasn't worrying enough, each of these infected machines is ready and waiting to receive additional commands from Conficker's creators in the future. They could all receive copies of software designed to record key presses in the hope of discovering passwords or credit card numbers; or they could be turned into spam machines, each disgorging thousands of spam emails an hour on to the Internet.

Perhaps most worrying, the infected machines could be used to create a denial of service attack on a Web site with the intention of forcing it offline. Denial of service attacks are incredibly simple to perform and almost impossible to prevent. Every time a computer requests some information from a Web server, it requires a tiny amount of processor time and bandwidth. Send sufficient requests in a short enough time and the server can do nothing more than respond to these requests - eventually they either saturate the bandwidth of its network connection or they consume all of its processor time. The site is no longer available to legitimate users and remains offline until the attack subsides.

In recent years, actual or threatened denial of service attacks have been used to extort money from companies. They are informed that unless a large sum of money is paid, their servers will be targeted for an attack and they will lose business. It is believed that many of these extortions have links to Eastern European criminal gangs.

Denial of service attacks have been used to target the very root of the Internet. In 2002 and 2007 attacks were made on the DNS root servers which are ultimately responsible for turning the URLs you type into your web browser into machine-readable numbers. In 2002, nine of the thirteen servers were completely immobilised for approximately one hour; the attack in 2007 lasted longer but did not crash any of the servers. The culprits were never caught.

What if I've been infected by Conficker?


The first thing to do is remove the software itself. Microsoft have a Malicious Software Remover tool which has been updated to deal with the worm. You can download it from and following the link to the program. Symantec have a similar tool at  which is also free to use. Run the tools and follow any instructions you receive.

Once your machine is free of infection the first thing you must do is to manually connect to Microsoft's Windows Update Server. If your machine has been infected, Conficker will have switched automatic updating off so you will need to do the update by hand. The link to Windows Update can be found on the Start menu at the bottom left of the screen or on the Tools menu in Microsoft Internet Explorer. Alternatively you can go to the update page at (this only works in Internet Explorer). Follow the instructions to download all the updates for your machine. If there are any, install them and restart your machine, then repeat the process until there are no more applicable updates.

Next, you have to ensure your machine continues to receive updates as and when they are released. The settings for this are found in the Control Panel (go to the Start menu, then Settings and choose Control Panel, then Automatic Updates). Make sure the Automatic (recommended) setting is selected. Tell the computer to look for updates every day and choose a time when the machine is likely to be on; finally, click OK.

After that, return to the Control Panel and choose Windows Security Center. Make sure each of Firewall, Automatic Updates and Virus Protection are ON.

Next, make sure your antivirus software is up-to-date. If you don't have an anti-virus program, or if your software is out-of-date, you can download a free version of Anti Virus Guard from - this is an excellent program which should give you adequate protection from further infections. Once your anti-virus program is installed and up-to-date, run a complete scan of your computer to look for any infections and remove them.

Now all you have to do is make sure all your other computers are equally protected.
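To check several machines without clicking through each Control Panel, the settings restored by hand in the steps above can be audited with a short script. This is an added example, not part of the original post: it assumes Windows Vista or later with PowerShell 3.0 or newer, and the service names (`wuauserv`, `BITS`, `wscsvc`, `MpsSvc`) are the standard Windows ones rather than anything named in the article.

```powershell
# Added example, not from the original post. Service names below are the
# standard Windows ones (Vista and later), not taken from the article.
$ProtectionServices = @(
    [pscustomobject]@{ Name = 'wuauserv'; Label = 'Automatic Updates' }
    [pscustomobject]@{ Name = 'BITS';     Label = 'Update download transfer' }
    [pscustomobject]@{ Name = 'wscsvc';   Label = 'Security Center warnings' }
    [pscustomobject]@{ Name = 'MpsSvc';   Label = 'Windows Firewall' }
)

function Test-ProtectionService {
    param(
        [Parameter(Mandatory)] [object[]] $Expected,
        # Objects with Name, StartMode and State, as Win32_Service returns them.
        [Parameter(Mandatory)] [AllowEmptyCollection()] [object[]] $Services
    )
    foreach ($item in $Expected) {
        $svc = $Services | Where-Object { $_.Name -eq $item.Name } | Select-Object -First 1
        if (-not $svc) {
            $finding = 'not installed on this edition'
        } elseif ($svc.StartMode -eq 'Disabled') {
            $finding = 'DISABLED: re-enable, then run Windows Update by hand'
        } elseif ($svc.StartMode -eq 'Auto' -and $svc.State -ne 'Running') {
            $finding = 'set to Automatic but not running'
        } else {
            # Manual (demand-start) services may legitimately be stopped.
            $finding = 'OK'
        }
        [pscustomobject]@{
            Service   = $item.Name
            Protects  = $item.Label
            StartMode = if ($svc) { $svc.StartMode } else { '-' }
            State     = if ($svc) { $svc.State } else { '-' }
            Finding   = $finding
        }
    }
}

# Constructed sample: how a machine might look after a worm has switched
# off updating and the security warnings (not captured from a real host).
$sample = @(
    [pscustomobject]@{ Name = 'wuauserv'; StartMode = 'Disabled'; State = 'Stopped' }
    [pscustomobject]@{ Name = 'BITS';     StartMode = 'Disabled'; State = 'Stopped' }
    [pscustomobject]@{ Name = 'wscsvc';   StartMode = 'Auto';     State = 'Stopped' }
    [pscustomobject]@{ Name = 'MpsSvc';   StartMode = 'Auto';     State = 'Running' }
)
Test-ProtectionService -Expected $ProtectionServices -Services $sample | Format-Table -AutoSize

# Live check of the local machine (Windows only).
if ($env:OS -eq 'Windows_NT') {
    $live = Get-CimInstance -ClassName Win32_Service | Select-Object Name, StartMode, State
    Test-ProtectionService -Expected $ProtectionServices -Services $live | Format-Table -AutoSize
}
```

To audit another computer, add `-ComputerName` to the `Get-CimInstance` call; this requires Windows Remote Management to be enabled on the target.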

Although Conficker cannot infect computers running Apple Mac OS X or one of the versions of Linux, it can infect emulated versions of Windows running on those computers using software such as VMware or Wine. If you use Windows under emulation on a Mac or Linux computer, you will also need to check it is not infected. And it is worth pointing out that there are malicious software developers who are trying to attack Mac OS X and Linux. Although there are no major threats at the current time, there is no reason to believe that either operating system is immune to potentially devastating attacks. If you run one of these operating systems you must be equally diligent in applying software updates as and when they become available.

So we're still waiting to find out what, if anything, will happen when Conficker finally wakes up. All we can be sure of is that this will not be the last time it happens; the next generation of malware is already being hatched in computers around the world.

 
Mike Richards

About the author

Mike Richards joined the Open University in 1996 to help trial teaching over the Internet. Since then he has taught courses ranging from an introduction to robots to the engineering works of Leonardo da Vinci; but has spent most of his time writing about security - everything from the Enigma machines to e-shopping. He is currently working on a new course exploring the world of ubiquitous computers; imagine a world where computers are so small and cheap they can be put in everyday objects - smartphones today, smartclothes tomorrow.


 

The BBC and The Open University are not responsible for the content of external websites.

 

Categories: Technology Tags: antivirus software, computer, computer virus, conficker, microsoft, software, software worm

 

Earthquake and eruptive activity at Poás volcano, Costa Rica

Posted on 19/01/09 by Hazel Rymer

 

We have a long term research project at active volcanoes in Central America. Our primary goal is a better understanding of the environmental and ecological hazards posed by gas emissions at persistently active volcanoes. Armed with this understanding, our second goal is to develop strategies to mitigate the environmental and ecological risk at these sites. We have chosen to conduct this interdisciplinary study at Masaya (Nicaragua) and Poás (Costa Rica) volcanoes because of the contrasting environmental conditions at each and the persistent, low level of eruptive activity. The aim is to track and quantify the volatile flux at each volcano from the source magma, through the volcanic plume, to the local environmental sinks in the soil and water, and the flora and fauna.

The local environmental effects of pyroclastic flows and lavas are obvious in their coverage and destruction of the land surface. Persistently active volcanoes by their very nature erupt in a regular manner and effects over time are not so obvious. These volcanoes may erupt magma - for example Stromboli (Italy) and Arenal (Costa Rica) typically erupt explosively every 20-30 minutes throwing magma tens to hundreds of metres into the air. For the most part however, persistently active volcanoes emit gases rather than rock.

We are investigating the processes that control volatile flux from magma and quantifying the long-term environmental and ecological effects of background degassing at these two persistently active volcanoes. The aim is to identify the relationship between acid rain and dry deposition of sulphur and to find out how this varies with local climate, soil type and volcanic activity. The idea is to uncover the path and ultimate fate of volatiles erupted at Masaya and Poás volcanoes from their magmatic source, through the gas plume and into the ecosystem. This will lead to a better understanding of the hazards posed by gas emissions at persistently and intermittently active volcanoes. Information on the transport mechanisms of pollutants will allow for more effective mitigation procedures to be adopted including (i) cultivation of acid tolerant crops to neutralise soil, (ii) evacuation of livestock and (iii) advice on the full evacuation or time-limited exposure for the human population as necessary.

As part of the monitoring programme, we are currently in Costa Rica and on 8th January 2009 there was a 6.2 magnitude earthquake at Poás volcano while we were working on the crater rim. We were making gravity and biological diversity measurements at the time.

There was intense shaking of the ground for several seconds and it was very hard to remain standing. New fractures opened up around the crater rim and there were several rock slides as parts of the crater wall crashed down to the crater floor. We moved back away from the rim and sheltered behind boulders to wait for aftershocks or in case there was an eruption. The degassing from the crater increased in intensity and the landslides and shaking caused sulphur pools in the crater bottom to be disturbed so that the lake changed colour on the surface as yellow sulphur streaks appeared on it.

We climbed out of the crater area and felt a few more aftershocks. Colleagues in the crater bottom also emerged safely. The visitor centre at Poás suffered some damage with broken windows. Further down from the summit, local villages were severely affected. Houses were destroyed, some completely disappeared in landslides and floods. More than 40 people lost their lives in these events and emergency services were hampered by blocked roads due to fallen trees, landslides and collapsed bridges. Aftershocks are still occurring more than 24 hours after the main event.

We will be going back to the volcano over the next few days to resume our work. The gravity measurements demonstrate that there has been an increase in sub-surface mass, which we interpret to be shallow intrusions of magma beneath the active crater. We are also measuring the rate of deposition of sulphur around the crater area and also the effect on biodiversity.

Hazel Rymer talking to a group of students on the crater rim of Poás volcano.
[image by Michelle Spinosa © copyright Michelle Spinosa]

 

 
Hazel Rymer

About the author

Dr Hazel Rymer is Senior Lecturer In Environmental Geophysics at the Open University. A founder member of the OU’s Volcano Dynamics Group, her research is focussed on identifying the processes that trigger eruptions.


 

 

Half a billion to one…

Posted on 13/01/09 by Clare Sansom

 

Blogging about

Breaking Science

The Breaking Science team come to BBC Radio Five Live to break open this week's science stories.

The chances of an individual human sperm fertilising an egg are minuscule. A man may produce up to half a billion – 500,000,000 – sperm every time he ejaculates; for every one that fertilises an egg, there are dozens of “also-rans” that reach it only just too late. Scientists have been puzzling for decades over the molecular changes that instantly erect a “keep out” sign when the first sperm penetrates the egg, preventing genetic chaos. But now, thanks to a technique called X-ray crystallography, pieces of this jigsaw puzzle are beginning to fall into place.

Sperm swimming for the egg.
[Image © copyright Photos.com]

Mammalian eggs are surrounded by a coat called the zona pellicula that has two jobs: to bind the first sperm, but then prevent others from binding. It contains filaments formed from many copies of each of two proteins, ZP2 and ZP3. What we know now is the exact shape of – the positions of the atoms in – just one part of the ZP3 protein. The scientists who solved the structure were able to use this to predict that ZP2 contains parts with similar shapes. We already know that sperm binding causes the egg to release enzymes called proteases which cut up ZP2, and we can now guess how this might trigger a shape change allowing the zona pellicula to wrap itself tighter round the egg and turn itself into a barrier for sperm.

This development should interest those women who find the Pill difficult to take, as a molecule that binds to ZP2 or ZP3 preventing it from working normally might make a different, effective chemical contraceptive.

Find out more about this development in episode 12 of Breaking Science.

 
Clare Sansom

About the author

Dr. Clare Sansom is a part time lecturer at the School of Crystallography, Birkbeck College, London, and an Associate Lecturer with the Open University. She also works as a freelance consultant and science journalist, specialising in bioinformatics, molecular medicine and drug discovery.

Categories: Nature Tags: biology, crystallography, reproduction, sperm, x-ray, x-ray crystallography
