Experts believe that a significant number of machines had still not been patched by January, when the spread of Kido was at its peak.
Failure to install the patch and to use effective antivirus protection has led to an epidemic: it's currently estimated that at least 5-6 million computers with Internet connectivity are infected with various modifications of Kido.
Kido is now in its third generation, with several hundred variants of the malicious program detected. The latest variants implement some of the most sophisticated technologies known to malware authors - they update themselves from website addresses which change every day; they use strong encryption to prevent unauthorized control; they have sophisticated mechanisms for disabling security services and blocking updates to security software.
Costin Raiu, Chief Security Expert for Kaspersky Lab, EEMEA, says:
"The third generation of Kido updates itself by downloading code from 500 domains, chosen from a pool of 50,000 domains which is generated daily."
"The 500 domains are randomly selected and this, together with the large number of domains, makes it extremely difficult to monitor and block the domains used by the malicious program. Because of this, a Kido botnet could become a huge resource, with massive processing power equivalent to the most advanced supercomputers," Raiu concludes.
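The following is an added example, not code from the original article or from Kaspersky Lab, that puts numbers on the point Raiu makes: with 500 domains drawn at random from a daily pool of 50,000, a defender who blocks or sinkholes only part of the pool gains very little. The functions compute the expected number of a bot's daily domains that land on a blocklist, the exact (hypergeometric) probability that a bot still reaches at least one unblocked domain, and a seeded Monte Carlo cross-check. The pool and contact counts come from the article; the blocklist model (blocking an arbitrary subset of the day's pool) is an assumption made for the illustration.

```python
import math
import random

# Figures quoted in the article for the third generation of Kido.
POOL_SIZE = 50_000   # candidate domains generated per day
CONTACTED = 500      # domains a bot actually contacts each day


def expected_blocked(blocked, pool=POOL_SIZE, contacted=CONTACTED):
    """Expected number of the bot's daily domains that fall on a
    blocklist covering `blocked` of the `pool` candidates, assuming the
    bot's 500 are chosen uniformly at random (as the article states)."""
    return contacted * blocked / pool


def p_update_reaches_bot(blocked, pool=POOL_SIZE, contacted=CONTACTED):
    """Probability that at least one of the bot's `contacted` domains is
    NOT on the blocklist, i.e. the bot can still fetch an update.
    Exact hypergeometric: P(all contacted blocked) = C(blocked, contacted) / C(pool, contacted)."""
    if blocked < contacted:
        return 1.0  # cannot even block 500, so some domain is always open
    all_blocked = math.comb(blocked, contacted) / math.comb(pool, contacted)
    return 1.0 - all_blocked


def simulate(blocked, pool=POOL_SIZE, contacted=CONTACTED, trials=200, seed=1):
    """Seeded Monte Carlo cross-check of the two formulas above.
    Returns (average blocked domains per day, fraction of days the bot
    reached at least one unblocked domain). The blocklist is a constructed
    stand-in: domain ids 0..blocked-1 are treated as blocked."""
    rng = random.Random(seed)
    blocklist = set(range(blocked))
    total_hits = 0
    days_reached = 0
    for _ in range(trials):
        chosen = rng.sample(range(pool), contacted)  # the bot's 500 for the day
        n_blocked = sum(1 for d in chosen if d in blocklist)
        total_hits += n_blocked
        if n_blocked < contacted:
            days_reached += 1
    return total_hits / trials, days_reached / trials


def coverage_table(fractions=(0.10, 0.50, 0.90, 0.99, 1.00)):
    """Summarise, for several blocklist coverage levels, how often a bot
    still gets through. Returns a list of (fraction, blocked, p_reach) rows."""
    rows = []
    for f in fractions:
        blocked = int(round(POOL_SIZE * f))
        rows.append((f, blocked, p_update_reaches_bot(blocked)))
    return rows


if __name__ == "__main__":
    for f, blocked, p in coverage_table():
        print(f"block {f:>5.0%} of pool ({blocked:>6} domains): "
              f"expected hits/day = {expected_blocked(blocked):6.1f}, "
              f"P(bot still updates) = {p:.4f}")
    avg, reached = simulate(49_500)
    print(f"Monte Carlo at 99% coverage: avg blocked {avg:.1f}, reached {reached:.3f}")
```

The table makes the defensive conclusion concrete: even with 99% of the day's pool blocked, a bot still has a better than 99% chance of reaching an unblocked domain, so anything short of covering the entire generated pool for that day leaves the update channel open.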
The gigantic botnet created by the authors of Kido potentially provides cybercriminals with the means to conduct extremely powerful DDoS attacks on any Internet resource, to steal confidential data from infected machines and to spread unwanted content (i.e., huge spam mailings).
As of 1st April 2009, the Kido botnet has started requesting new commands from its creators. Because of the strong encryption algorithms it employs, only Kido's authors can send updates to the botnet. What action the cybercriminals will now take remains a mystery.
Here are a few important facts that users need to know about Kido:
• Q: How do you prevent a Kido infection?
• A: Ensure you have enabled automatic updates for your antivirus product as well as for Windows, and make sure the Microsoft MS08-067 update is installed. Disable the Autorun functionality in Windows and run a full antivirus scan of your computer.
• Q: How do I know if my PC is infected?
• A: If you suspect that your computer is infected with Kido, open your browser and navigate to your favorite search engine. If that page opens, try to open the Kaspersky website or the Microsoft website. If these pages do not open, the site(s) have probably been blocked by a malicious program. The full list of resources blocked by Kido can be found on the Virus List website.
• Q: Help, I think I am infected! How can I remove Kido?
• A: Go to the Kaspersky Support website, download the "KKiller_v3.4.1.zip" tool and unpack it into a separate folder on the infected PC. Run KKiller.exe. KKiller will attempt to locate and eradicate the infection from your computer. When the scan is finished, a command line window may still be open; simply press any key to close it.
Additionally, Kaspersky Lab products can successfully prevent Kido from penetrating users' computers.
Posted by Siba Sami Ammari
