Thanks for the update and for the link, it worked for me and I got rid of that worm.
Super - thanks for letting us know :)
Conficker modified for more mayhem
9 March 2009
According to Symantec the Conficker worm has been modified to cause more damage. Previously the worm had only contacted about 250 domains a day, to look for commands and download new code. Symantec report that there is a new variant of Conficker using an algorithm which will contact up to 50,000 domains a day. The new domain generation algorithm also uses one of 116 possible domain suffixes.
This is expected to make life harder for anti-virus specialists, ICANN and OpenDNS to block the domains that Conficker will use and makes it much more likely that Conficker will be generating addresses that point to legitimate sites. Although Conficker generates the domain name from a random combination of letters and should be creating domains that point to largely unused addresses, it is possible to find companies who have domains whose names match the generated addresses. For example, the previous generation of the worm is expected to call wnsux.com on March 13th, a domain owned by Southwest Airlines.
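The defender's side of the behaviour described above is spotting hosts that look up large numbers of random-looking names across many suffixes, most of which do not resolve. The following is an added example, not code from the original thread or from any of the vendors quoted in it: the log format, the thresholds and the client addresses are constructed, and the short labels are made-up strings, with wnsux.com included only because the article names it as a generated name that happened to match a live domain.

```python
import re
from collections import defaultdict
# Constructed DNS query log ("<time> <client> <name> <rcode>"); the short labels
# are made-up, wnsux.com is the real collision the article mentions.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 www.example.com NOERROR
10:00:02 10.0.0.5 mail.example.com NOERROR
10:00:03 10.0.0.9 qzvmtrx.info NXDOMAIN
10:00:03 10.0.0.9 kjdpwlq.cc NXDOMAIN
10:00:04 10.0.0.9 bvtrkzm.ws NXDOMAIN
10:00:04 10.0.0.9 wnsux.com NOERROR
10:00:05 10.0.0.9 pltmxzq.biz NXDOMAIN
10:00:05 10.0.0.9 zrqkvbn.net NXDOMAIN
10:00:06 10.0.0.5 cdn.example.net NOERROR
"""
LINE_RE = re.compile(r"^\S+ (\S+) (\S+) (NOERROR|NXDOMAIN)$")

def looks_random(label):
    """Generated-looking label: letters only, 5+ chars, under 30% vowels."""
    if not label.isalpha() or len(label) < 5:
        return False
    return sum(c in "aeiou" for c in label) / len(label) < 0.3

def parse_log(text):
    """Yield (client, name, rcode) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            client, name, rcode = m.groups()
            yield client, name.lower(), rcode

def suspicious_clients(events, min_names=4, min_suffixes=3, min_nx_ratio=0.6):
    """Flag clients querying many random-looking names over many suffixes,
    most of them unresolvable. Thresholds are constructed, not tuned."""
    stats = defaultdict(lambda: {"names": set(), "suffixes": set(), "nx": 0, "total": 0, "random": 0})
    for client, name, rcode in events:
        label, _, suffix = name.partition(".")
        s = stats[client]
        s["names"].add(name)
        s["suffixes"].add(suffix)
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
        s["random"] += looks_random(label)
    flagged = {}
    for client, s in stats.items():
        nx_ratio = s["nx"] / s["total"]
        if (len(s["names"]) >= min_names and len(s["suffixes"]) >= min_suffixes
                and nx_ratio >= min_nx_ratio and s["random"] >= min_names):
            flagged[client] = {"nxdomain_ratio": round(nx_ratio, 2), "suffixes": len(s["suffixes"])}
    return flagged
```

Note that the one resolvable name in the flagged client's set (wnsux.com) does not clear it: the point of the article is that a generated name occasionally lands on a legitimate domain, so the signal has to come from the whole pattern rather than any single lookup.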
I hope it covers the latest Conficker virus as well :)
Interesting Conficker C analysis published
The folks over at SRI have published some interesting additional information on Conficker.C. Worth reading. Link here.
In this addendum report, we summarize the inner workings and practical implications of this latest malicious software application produced by the Conficker developers. In addition to the dual layers of packing and encryption used to protect A and B from reverse engineering, this latest variant also cloaks its newest code segments, along with its latest functionality, under a significant layer of code obfuscation to further hinder binary analysis. Nevertheless, with a careful mixture of static and dynamic analysis, we attempt here to summarize the internal logic of Conficker C.
Hype, April fool's day, and the Conficker worm
"Millions of computers around the world could go into meltdown on April 1 because of a deadly virus."
Those are the words from a report in today's soaraway Sun, a British tabloid newspaper.
With that kind of talk in a national newspaper (and there are plenty of other examples in the media at the moment) you could understand why some companies and home users might be worried about what might happen next Wednesday.
Well, as I've already mentioned on the blog, no-one knows what Conficker might or might not do on April 1st.
It's quite possible that Conficker will not do anything significant on April 1st. Certainly it won't be "deadly" and your computers won't melt.
Websense - Update on Conficker.C
Threat Type: Malicious Web Site / Malicious Code
April's approach has created a lot of chatter about Conficker, a worm largely considered to be one of the most widespread infections in recent years. Some estimates put peak infection at over 10,000,000 hosts.
A large effort has been made by the white-hat community and the Conficker Cabal Group to mitigate Conficker infections, and with success. The current estimate indicates that the number of infected hosts has fallen to 1 to 2 million, which is still a very large number when factored against recent bot counts.
There is a good deal of speculation about what's going to happen on April 1, a special date that is hard coded into the latest variant of the worm's binary file. The wider Internet community is fortunate in that some very good research has been conducted into the different variants of the worm: A, B, B++ & C.
Busted! Conficker's Tell-Tale Heart Uncovered
Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines that is easy to detect using a variety of off-the-shelf network scanners.
The finding means that, for the first time, administrators around the world have easy-to-use tools to positively identify machines on their networks that are contaminated by the worm. As of mid-Monday, signatures will be available for at least half a dozen network scanning programs, including the open-source Nmap, McAfee's Foundstone Enterprise and Nessus, made by Tenable Network Security.
Hope this helps.
Please, the world is NOT ending on April 1
Some people are getting hysterical about Conficker's deadly payload on April 1.
Randy Abrams at ESET does a nice job of explaining the situation:
Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security.
So, you still want to protect against Conficker? Here is what to do. Make sure that the Windows Security center is functioning and you are up to date on your Microsoft security patches. You can go to http://update.microsoft.com to manually check for updates. Make sure your antivirus product is up to date. Your antivirus product should be tested by Virus Bulletin (www.virusbtn.com) and/or certified by ICSA Labs, or have West Coast Labs Checkmark certification. Send me an email at firstname.lastname@example.org if you need help determining this. Exercise caution in what websites you visit and never open attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment and that they also know what it is. These instructions are not specifically for Conficker, this is simply part of how you protect against all of the threats out there.
Conficker World Maps
Thursday, April 2, 2009
Where in the world are the Conficker-infected machines today?
Shadowserver and Conficker Working Group have the maps:
Post April 1st Conficker Q&A
Thursday, April 2, 2009
As we posted Conficker Q&A prior to April 1st it wouldn't be right if we didn't do one after the event.
Q: First off, how do I know if I'm infected?
A: Joe Stewart has created a very simple test that's available at the Conficker Working Group's site. Click here to try it out. If it says you're infected you can find a bunch of removals tools on the same site, including F-Secure's.
Simple Conficker test for end users
3 April 2009
Joe Stewart of SecureWorks has developed a simple test which reveals at a glance whether or not a system has been infected with one of the widespread versions of Conficker. The H now offers our own version of this test page.
Once a Conficker infection is suspected on a system, the anti-virus software installed on that system can no longer be trusted. The malware terminates a number of security mechanisms and prevents the start of certain programs. The new test is based on the fact that Conficker blocks access to various security and anti-virus pages. It includes a page that shows images of normal and of blocked sites. If only the images of the AV vendors are missing, there is a high likelihood that the computer has been infected with Conficker, or with another type of malware that behaves in a similar way.
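The decision rule behind that kind of test page, as an added example that is not the test page from the article: the probe outcomes are constructed, and in a real check each entry would come from trying to load an image from an unrelated control site or from a security vendor's site. The important edge case is that when nothing loads at all the result says something about connectivity, not about infection, which is why the control sites are needed.

```python
def classify(results):
    """results: list of (category, loaded) pairs where category is 'control'
    (an unrelated site) or 'av' (a security vendor site).
    Returns 'no-network', 'clean', 'av-blocked' or 'inconclusive'."""
    control = [ok for cat, ok in results if cat == "control"]
    av = [ok for cat, ok in results if cat == "av"]
    if not control or not av:
        return "inconclusive"   # both kinds of probe are needed to say anything
    if not any(control):
        return "no-network"     # nothing loads: a connectivity problem, not a filter
    if all(control) and not any(av):
        return "av-blocked"     # only the security vendors fail: the test's signal
    if all(control) and all(av):
        return "clean"
    return "inconclusive"       # mixed results: rerun before drawing conclusions

# Constructed probe outcomes for the situations the test distinguishes.
AV_BLOCKED = [("control", True), ("control", True), ("av", False), ("av", False)]
OFFLINE = [("control", False), ("control", False), ("av", False), ("av", False)]
HEALTHY = [("control", True), ("control", True), ("av", True), ("av", True)]
```

As the article notes, an "av-blocked" result points at Conficker or at any other malware that filters security sites the same way, so it is a prompt for offline cleanup rather than a positive identification of the variant.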
Conficker botnet stirs to distribute update payload
By John Leyden
9th April 2009
The Conficker superworm is stirring, with the spread of a new variant that spreads across P2P and drops a payload. It is thought to update machines infected by earlier strains of the worm.
Conficker-E (the latest variant) offers potential clues on the origins of the worm, because of possible links to other malware. Trend Micro reports that the new Downadup/Conficker variant is talking to servers associated with the Waledac family of malware, in order to download further unwanted items.
Waledac, in turn, is suspected as the latest item of malware from the gang behind the Storm botnet, sparking speculation that all three strains of botnet client are the work of the same cybercriminal gang.
Experts warn of imminent Conficker attack
New variant begins to stir over peer-to-peer network of infected machines
vnunet.com, 09 Apr 2009
Security experts have uncovered new Conficker activity which could indicate that the hackers behind the worm are finally gearing up for an assault.
Researchers at Trend Micro discovered a new variant of Downad/Conficker last night, called Worm_Downad.E, which is spreading over the peer-to-peer network of infected PCs created by the previous version.
This new variant sheds some interesting light on the origins of the worm, according to the researchers, and its potential link to the Waledac malware family which is responsible for one of the most active spam botnets around.
W32.Downadup.E: Back to Basics
04-09-2009 01:16 PM
Patrick Fitzgerald writes...
Once again we find ourselves sucked into a maelstrom of questions and uncertainty surrounding the threat W32.Downadup, which is now a household name (just in case you haven't heard of it, it's also known as Conficker). I'm sure that the people working in the security industry can marvel at their loved ones finally taking an interest in their job, which for once has gone past feigned interest and polite smiles. So, what have the little scamps behind W32.Downadup been up to this time?
Yesterday, Brian Ewell wrote about new developments regarding W32.Downadup in his blog entry entitled Downadup + Waledac. That blog mentioned some differences in functionality and put forward a possible association with Waledac. Today's post will provide some more details about these differences.
We observed W32.Downadup downloading a binary over its peer-to-peer mechanism. The downloaded binary incorporates the spreading mechanisms used by W32.Downadup.A. However, this binary is a new variant and is detected by Symantec products as W32.Downadup.E.
1. It patches "tcpip.sys" in order to increase the number of concurrent network connections available on the system.
2. The exploitation of the MS08-067 vulnerability, which had not featured in W32.Downadup.C, is now included in W32.Downadup.E.
3. This variant also uses the SMB protocol to identify the target system before attempting to exploit it. This is most likely an attempt to increase the chances of successful exploitation.
4. This worm has the UPnP capabilities that we saw in previous versions of Downadup. The threat exploits weaknesses in certain routers to allow access to compromised machines from external networks.
5. W32.Downadup.E will remove itself from the system on or after May 3, 2009.
Conficker still infecting 50,000 PCs per day
By Robert McMillan
May 20, 2009
IDG News Service - The Conficker worm is still infecting systems at a brisk rate and continues to snag computers in Fortune 1000 companies, according to security researchers.
The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest. "Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post.
Conficker began spreading late last year, taking advantage of a recently patched flaw in Microsoft's Windows operating system to infect entire networks and also using removable storage devices to hop from PC to PC. Security experts say it has now infected millions of computers worldwide, which now comprise the world's biggest botnet network.