Topic: Conficker Computer Worm Hits April 1st or Not?
Jim Cohen
From: Philadelphia, PA
Posted 31 Mar 2009 7:40 pm
Got this in the email today. Should I worry about it? Do something? Or worry about the email itself!?
~~~~~~~~~~~~
SAN FRANCISCO (March 30) - The fast-moving Conficker computer worm, a scourge of the Internet that has infected at least 3 million PCs, is set to spring to life in a new way on Wednesday — April Fools' Day.
That's when many of the poisoned machines will get more aggressive about "phoning home" to the worm's creators over the Internet. When that happens, the bad guys behind the worm will be able to trigger the program to send spam, spread more infections, clog networks with traffic, or try and bring down Web sites.
What Is It? Conficker, a computer worm, has already infected 3 million Windows PCs and is expected to receive new instructions that would make it more aggressive on Wednesday, which is April Fools' Day. The virus could steal passwords, credit card and bank information from infected computers.
How to Prevent Conficker Infection
Technically, this could cause havoc, from massive network outages to the creation of a cyberweapon of mass destruction that attacks government computers. But researchers who have been tracking Conficker say the date will probably come and go quietly.
More likely, these researchers say, the programming change that goes into effect April 1 is partly symbolic — an April Fools' Day tweaking of Conficker's pursuers, who for now have been able to prevent the worm from doing significant damage.
"I don't think there will be a cataclysmic network event," said Richard Wang, manager of the U.S. research division of security firm Sophos PLC. "It doesn't make sense for the guys behind Conficker to cause a major network problem, because if they're breaking parts of the Internet they can't make any money."
Previous Internet threats were designed to cause haphazard destruction. In 2003 a worm known as Slammer saturated the Internet's data pipelines with so much traffic it crippled corporate and government systems, including ATM networks and 911 centers.
Far more often now, Internet threats are designed to ring up profits. Control of infected PCs is valuable on the black market, since the machines can be rented out, from one group of bad guys to another, and act as a kind of illicit supercomputer, sending spam, scanning Web sites for security holes, or participating in network attacks.
The army of Conficker-infected machines, known as a "botnet," could be one of the greatest cybercrime tools ever assembled. Conficker's authors just need to figure out a way to reliably communicate with it.
Infected PCs need commands to come alive. They get those commands by connecting to Web sites controlled by the bad guys. Even legitimate sites can be co-opted for this purpose, if hackers break in and use the sites' servers to send out malicious commands.
Conficker Worm Warning
So far, Conficker-infected machines have been trying to connect each day to 250 Internet domains — the spots on the Internet where Web sites are parked. The bad guys need to get just one of those sites under their control to send their commands to the botnet. (The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to.)
Conficker has been a victim of its success, however, because its rapid spread across the Internet drew the notice of computer security companies. They have been able to work with domain name registrars, which administer Web site addresses, to block the botnet from dialing in.
Now those efforts will get much harder. On April 1, many Conficker-infected machines will generate a list of 50,000 new domains a day that they could try. Of that group, the botnet will randomly select 500 for the machines to actually query.
The bad guys still need to get only one of those up and running to connect to their botnet. And the bigger list of possibilities increases the odds they'll slip something by the security community.
Researchers already know which domains the infected machines will check, but pre-emptively registering them all, or persuading the registrars to neutralize all of them, is a bigger hurdle.
"We expect something will happen, but we don't quite know what it will look like," said Jose Nazario, manager of security research for Arbor Networks, a member of the "Conficker Cabal," an alliance trying to hunt down the worm's authors.
"With every move that they make, there's the potential to identify who they are, where they're located and what we can do about them," he added. "The real challenge right now is doing all that work around the world. That's not a technical challenge, but it is a logistical challenge."
Conficker's authors also have updated the worm so infected machines have new ways to talk to each other. They can share malicious commands rather than having to contact a hacked Web site for instructions.
That variation is important because it shows that even as security researchers have neutralized much of what the botnet might do, the worm's authors "didn't lose control of their botnet," said Michael La Pilla, manager of the malicious code operations team at VeriSign Inc.'s iDefense division.
The Conficker outbreak illustrates the importance of keeping current with Internet security updates. Conficker moves from PC to PC by exploiting a vulnerability in Windows that Microsoft Corp. fixed in October. But many people haven't applied the patch or are running pirated copies of Windows that don't get the updates.
Unlike other Internet threats that trick people into downloading a malicious program, Conficker is so good at spreading because it finds vulnerable PCs on its own and doesn't need human involvement to infect a machine.
Once inside, it does nasty things. The worm tries to crack administrators' passwords, disables security software, blocks access to antivirus vendors' Web sites to prevent updating, and opens the machines to further infections by Conficker's authors.
Someone whose machine is infected might have to reinstall the operating system.
_________________
www.JimCohen.com
www.RonstadtRevue.com
www.BeatsWalkin.com
Wiz Feinberg
From: Mid-Michigan, USA
Posted 31 Mar 2009 8:31 pm
Funny you should post this information today. It is a good read!
Earlier tonight I published a blog article about the Conficker.C Worm reaching out for new updates on April 1. In it I provide links to an online scanner and downloadable removal tool, to detect and remove all variants of the Downadup/Conficker Worm.
In most cases it is NOT necessary to format C and reload the OS to clean out the Conficker Worm. Many people are downloading removal tools and burning them onto CD-R media, write protecting it, then inserting it into an infected machine. Also, by using my TinyURL link to the download page, one can even disinfect an already "Confickered" PC!
_________________
"Wiz" Feinberg, Moderator SGF Computers Forum
Security Consultant
Twitter: @Wizcrafts
Main web pages: Wiztunes Steel Guitar website | Wiz's Security Blog | My Webmaster Services
Brint Hannay
From: Maryland, USA
Posted 31 Mar 2009 8:31 pm
EDIT: Wiz's post appeared while I was typing!
I believe the e-mail is legit--I heard the Conficker info on major mainstream news media.
It's April 1 where I am, and nothing seems to be wrong with my computer (knocks wood). I've got what is, as far as I know, a quality and complete array of security programs in place and updated.
I'll be interested to check the news and see what happens out there!
Last edited by Brint Hannay on 31 Mar 2009 8:34 pm; edited 1 time in total
Wiz Feinberg
From: Mid-Michigan, USA
Posted 31 Mar 2009 8:39 pm
Computers already patched with MS08-067 are mostly protected
I want to point out that if you have been allowing Windows Updates to be downloaded and installed automatically, you are already protected from the Server Service/Malformed RPC Request vulnerability patched with MS08-067, on October 23, 2008.
You could still be at risk from an infected USB device containing a specially crafted Autorun.inf file pointing to a hidden .dll file in the device's Recycler folder, activated via Rundll32. Or, if you are on a LAN, an infected PC could try to crack the passwords of all the ADMIN$ shares on all Windows computers on the subnet.
Microsoft has supplied excellent guidance on disabling unneeded services and shares, to prevent these Conficker exploits from taking hold of your networks.
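An added example, not from Wiz's post or from any vendor tool: a small Python check of the removable-media path described above, which reads a drive's autorun.inf and flags launch entries that hand a DLL under a RECYCLER folder to rundll32. The function names, the sample autorun.inf contents and the DLL path are constructed for this example.

```python
import re
from pathlib import Path

# Values in autorun.inf that launch a program when AutoPlay fires.
LAUNCH_KEYS = ("open", "shellexecute")
COMMAND_KEY = re.compile(r"^shell\\.*\\command$", re.IGNORECASE)

def launch_commands(autorun_text):
    """Every value in an autorun.inf that AutoPlay would execute on insertion."""
    commands = []
    for raw in autorun_text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "[")):   # comments and section headers
            continue
        key, sep, value = line.partition("=")
        key = key.strip().lower()
        if sep and (key in LAUNCH_KEYS or COMMAND_KEY.match(key)):
            commands.append(value.strip())
    return commands

def suspicious_launches(autorun_text):
    """Launch commands that hand a DLL under a RECYCLER folder to rundll32,
    the shape of the removable-media infection described in the post."""
    hits = []
    for cmd in launch_commands(autorun_text):
        low = cmd.lower()
        if "rundll32" in low and "recycler" in low and ".dll" in low:
            hits.append(cmd)
    return hits

def scan_drive(root):
    """Return suspicious launch commands from <root>/autorun.inf, or [] if none exists."""
    inf = Path(root) / "autorun.inf"
    if not inf.is_file():
        return []
    return suspicious_launches(inf.read_text(errors="ignore"))

# Constructed samples for testing: a benign installer CD and a worm-shaped USB stick.
BENIGN_INF = "[autorun]\nicon=setup.exe,0\nopen=setup.exe\n"
WORMLIKE_INF = ("[autorun]\n; constructed, not a real sample\n"
                "open=rundll32.exe .\\RECYCLER\\S-1-5-21-0-0-0-0\\hidden.dll,Install\n"
                "shell\\open\\command=rundll32.exe .\\RECYCLER\\S-1-5-21-0-0-0-0\\hidden.dll,Install\n")
```

Call scan_drive("E:\\") on a freshly inserted stick with AutoPlay already disabled; a non-empty result is reason to keep the device out of the machine and run a scanner.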
Brint Hannay
From: Maryland, USA
Posted 31 Mar 2009 8:47 pm
Geez, now I'm concerned! I read your blog, Wiz, then checked my Add Or Remove Programs list, where a long list of Windows XP Security Updates appears, and KB 958644 isn't on the list! Funny thing is, I feel like I remember installing that "out-of-the-ordinary" patch around that time. I'm set to Automatic Update, but the computer isn't on continuously--could I have missed it that way?
Wiz Feinberg
From: Mid-Michigan, USA
Posted 31 Mar 2009 10:35 pm
Brint;
Use the scanner available from the link near the end of my Blog article. It takes you to Bit Defender, via their numeric IP. This is to get past the Worm's defenses. The scanner will tell you whether you are infected with the Downadup/Conficker Worm. If you are infected they provide a downloadable removal tool for all current variants of Conficker. Use my TinyURL link to go to that page also, as the Worm may be blocking it by its domain name.
Let me know if you are infected and help will be provided to clean your computer.
eEye has just posted their version of a Conficker detection scanner, at http://tinyurl.com/c6dlwa. Most AV vendors have one online, including Trend Micro's HouseCall online scanner/remover.
Brint Hannay
From: Maryland, USA
Posted 31 Mar 2009 11:08 pm
I ran the QuickScan from the BitDefender site, and it says "No infection found, but one warning raised".
The warning appears to be "c:\Program Files\McAfee\Site Advisor\saHook.dll is monitoring your applications". I have the Site Advisor add-on. Is this "warning" something to worry about?
Meanwhile, Dell Support Center popped up and directed me to the patch, KB 958644, which I now have installed.
Last edited by Brint Hannay on 1 Apr 2009 9:42 am; edited 1 time in total
John Floyd
From: R.I.P.
Posted 1 Apr 2009 2:37 am
Not A Big Deal
Nothing yet, except a prank animated GIF which doesn't work here.
Bob Hickish
From: Port Ludlow, Washington, USA, R.I.P.
Posted 1 Apr 2009 9:13 am
Wiz
I see there is a program for Mac; is it recommended that Mac users do this as well?
Hick
Macintosh support requires the following minimum system components:
* Macintosh Computer with PowerPC G4 or G5 Processor
* MAC OS X 10.4 (Tiger)
* 512MB of RAM
* At least 30MB of available disk space
* Firefox Mozilla Firefox 1.5.0.1 and later
Jim Cohen
From: Philadelphia, PA
Posted 1 Apr 2009 10:13 am
Re: Computers already patched with MS08-067 are mostly prote
Jim Cohen wrote:
> In other words, Wiz, we shouldn't worry about it and just come see you for your tinyurl if we have a problem?

Wiz Feinberg wrote:
> I want to point out that if you have been allowing Windows Updates to be downloaded and installed automatically, you are already protected from the Server Service/Malformed RPC Request vulnerability patched with MS08-067, on October 23, 2008.
> You could still be at risk from an infected USB device containing a specially crafted Autorun.inf file pointing to a hidden .dll file in the device's Recycler folder, activated via Rundll32. Or, if you are on a LAN, an infected PC could try to crack the passwords of all the ADMIN$ shares on all Windows computers on the subnet.
> Microsoft has supplied excellent guidance on disabling unneeded services and shares, to prevent these Conficker exploits from taking hold of your networks.
Um... a simple 'Yes' or 'No' should do...
Bob Hickish
From: Port Ludlow, Washington, USA, R.I.P.
Posted 1 Apr 2009 10:21 am
Got It !!
Wiz Feinberg
From: Mid-Michigan, USA
Posted 1 Apr 2009 11:40 am
YES. Contact me if you have a reasonable suspicion that you have a PC infected with the Conficker - Downadup Worm.
I have a warning on my blog article for people who have recently reinstalled Windows XP, or newer. You should go to/have gone straight to Windows Updates upon validating your reinstallation, obtaining all available updates, including MS08-067/KB958644, which patches the vulnerability exploited by Conficker.A.
You will know if you are infected by this, or a similar Worm/Virus, if you are now unable to open the Windows Update webpage, or Symantec.com, or TrendMicro.com, or McAfee.com, or are now unable to update your installed security software. The Conficker ficks with your configuration (did he really say that?) and blocks access to websites known to be able to detect and remove this threat. That is why I provided a TinyURL to a scanner tool. I can do the same for the MSRT and other scanning sites and downloads also.
As of mid-afternoon on April 1, 2009, nothing has been heard from the criminals behind the Conficker Worm. They are laying low, waiting to ambush infected PCs once the heat dies down. Keep your guard up and scan all of your Windows PCs for any evidence of the Conficker.
Another mode of infection can occur in a PC that has MS08-067 installed, plus all other patches. This is if you have not disabled AutoPlay/AutoRun for USB devices and mapped drives. Should you inadvertently plug in an infected device, with AutoPlay enabled on the PC, you could become infected, unless you have fully up-to-date anti-malware protection, with realtime monitoring loaded (like Pc-cillin).
People running networks and domains are still at risk if they have weak passwords for admin level accounts. Conficker/Downadup contains a list of about 250 common passwords to be used in a brute force attack it launches against all the computers it "sees" on a network. It does this by polling the standard ADMIN$ shares that are enabled by default in most networks. Strong, unusual passwords will block such brute force/dictionary attacks on accounts.
One way to know that your network has been infiltrated by the Conficker worm is if most of your workstations and servers suddenly enforce user lockout policies, after too many failed login attempts on the network.
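Two of the symptoms Wiz lists above, security vendor sites that no longer resolve and the ADMIN$ password guessing that ends in account lockouts, as an added Python check that is not part of the forum post or of any product. The vendor hostnames, the failed-logon line format and the sample log are assumptions constructed for this example; the resolver is injectable so the check can be exercised offline.

```python
import re
import socket
from collections import defaultdict

# Sites the thread says an infected PC can no longer reach (assumed hostnames).
VENDOR_SITES = ("update.microsoft.com", "www.symantec.com",
                "www.trendmicro.com", "www.mcafee.com")
CONTROL_SITE = "www.example.com"   # a name the worm has no reason to block

def vendor_sites_blocked(resolver=socket.gethostbyname):
    """Vendor sites that fail to resolve while CONTROL_SITE resolves; [] if DNS is down."""
    def ok(name):
        try:
            resolver(name)
            return True
        except OSError:      # socket.gaierror is an OSError subclass
            return False
    if not ok(CONTROL_SITE):
        return []
    return [site for site in VENDOR_SITES if not ok(site)]

def simulated_resolver(blocked_names):
    """Offline stand-in for gethostbyname that raises OSError for blocked names."""
    def resolve(name):
        if name in blocked_names:
            raise OSError(f"simulated block of {name}")
        return "192.0.2.1"   # documentation address, not a real host
    return resolve

# Constructed log format for this example: "<time> FAILED_LOGON user=<name> src=<host>"
LOG_RE = re.compile(r"FAILED_LOGON user=(\S+) src=(\S+)")

def dictionary_attack_sources(log_lines, min_failures=20, min_accounts=3):
    """Source hosts with many failed logons spread over several accounts: the
    pattern a 250-word password list run against ADMIN$ shares leaves behind."""
    failures, accounts = defaultdict(int), defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src] += 1
            accounts[src].add(user.lower())
    return sorted(src for src in failures
                  if failures[src] >= min_failures and len(accounts[src]) >= min_accounts)

# Constructed sample: one workstation hammering three accounts, one user mistyping once.
SAMPLE_LOG = ([f"09:00:{i:02d} FAILED_LOGON user={u} src=WKS-17" for i, u in
               enumerate(["Administrator"] * 10 + ["backup"] * 8 + ["admin"] * 7)]
              + ["09:01:00 FAILED_LOGON user=brint src=LAPTOP-2"])
```

On a suspect PC, vendor_sites_blocked() with the default resolver returning a non-empty list while the control name resolves is the blocking behaviour described above; dictionary_attack_sources() run over collected failed-logon records points at the machine doing the guessing rather than the accounts being locked out.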
Wiz Feinberg
From: Mid-Michigan, USA
Posted 1 Apr 2009 11:48 am
Bob Hickish wrote:
> Wiz
> I see there is a program for Mac; is it recommended that Mac users do this as well?
> Hick
Not to my knowledge, Bob. I am under the impression that this worm is specific to Windows computers because it exploits the Windows RPC and Server Services.
Yes, Linux and Mac have their own version of AutoPlay and the ADMIN$ shares are visible from Linux workstations joined to a Windows network, but the Worm does not currently infect Linux distros. I have not read anything yet about a Mac OS variant. Should that change I will definitely post the details in a new topic.
Bob Hickish
From: Port Ludlow, Washington, USA, R.I.P.
Posted 1 Apr 2009 12:30 pm
Thanks Wiz
With the news, I come to this section to get informed.
Hick