
*UPDATE* Conficker Countdown: Experts Urge Caution

28-3-2009

The dreaded Conficker botnet may have been an April Fools Day bust, but months later it is still an active threat according to security researchers. At the Black Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, told attendees why Conficker represents an unprecedented threat.

Hypponen also revealed some details on the current number of active Conficker nodes and where the hotspots are. The final analysis is that Conficker is still something that IT users and administrators need to be concerned about, while the true motives and culprits behind the botnet remain at large.

Hypponen showed the audience some data to prove his point. As of July 24th, his data (from the Conficker Working Group) showed that there were over 5.5 million active unique IPs that had Conficker, with most of the infections in Brazil, China and Vietnam.

“The gang behind Conficker are no fools,” Hypponen said. “They know their stuff, they know coding, development cycles, crypto and they are clever and they are watching us, their enemy in the security industry.”

Hypponen said that a number of techniques first seen in Conficker make it a unique threat. Among them: on infection it shut down the Wireshark open source packet sniffer, a tool that many security researchers use to monitor traffic.

The Conficker binary also carried its own cryptographic signature, using the then cutting-edge MD6 hash.

“Conficker was using MD6,” Hypponen said. “The first time I saw it (MD6) anywhere and this was a damned virus.”

Tricking users

Conficker was also unique in how it spreads via USB sticks. Hypponen detailed how Conficker’s code triggered an autorun on Windows, even when a user might have had autorun disabled for USB media. The binary tricks the user by getting Windows to show the icon and label for an “Open folder” entry that actually runs and executes the worm’s code. Hypponen noted that this particular technique debuted with Conficker.

In terms of how he knew the Conficker gang was watching the security industry’s response, Hypponen gave one solid example. The initial Conficker virus was set not to deploy on the IP space of a number of security vendors, including F-Secure. Additionally, once the virus infects a machine, it blocks the victim from accessing security Web sites, including F-secure.com. In response, F-Secure published an FAQ telling users to go to a different Web site, fsecure.com. Hypponen noted that this worked for a few days, and then the new address was blocked by Conficker as well.

Who is behind Conficker and what do they want? That’s one question that Hypponen wanted to talk about but wasn’t permitted to do so.

“The whole point of my talk was to drill down into what we know about the Conficker gang and what we know about their motives,” Hypponen said. “But I got called last week and was asked that because it was an ongoing investigation, that I should end my talk here. Thank you very much, I will not be taking any questions.”

While Hypponen might not have been willing to talk about the authors of Conficker, Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, was able to shed a little more light.

“The botnet is currently growing, but the authors do not seem to be doing much of anything with it,” Schouwenberg told InternetNews.com.

In April, Schouwenberg noted that the botnet was leased out to the Waledac spam bot and it also installed fake anti-virus software. Beyond that, Schouwenberg said nothing much has happened.

“The Conficker botnet is autonomous, that is very strange in itself that they made Conficker replicate by itself,” Schouwenberg said. “Now it seems like the authors have abandoned the project but because it is autonomous it can do whatever it wants and it keeps on trying to find new hosts to infect.”

The multi-vendor Conficker Working Group is currently making sure that no one can take over the botnet from a command and control point of view, according to Schouwenberg.

“The latest variant has a peer-to-peer functionality and in that way commands can be passed from one machine to the next,” Schouwenberg said. “But for the moment nothing is happening except that the botnet continues to grow.”

Posted earlier…

In just a few minutes it will be April 1st at the International Date Line. Over the next 24 hours Conficker will change the way it communicates, but we don’t expect much of anything else to happen. There has been quite a bit of media hype about Conficker, and we’ve seen dozens of new domain names registered to “help” those who are confused. There are also several reports of malicious software masquerading as detection and cleaning tools for Conficker-infected computers. Our official Conficker page is at http://www.dshield.org/conficker, that’s where we have links to all of the software and analysis that we know is trustworthy.

Mikko Hypponen and Patrik Runald from F-Secure talk about the Conficker (Downadup) worm.

A Conficker removal tool is available for download here.

Conficker Countdown: Experts Urge Caution

Malware code has infected millions of PCs and will activate on April 1. What do security insiders say users need to know?

This is just another example of why you should be sure to get your updates from Microsoft every second Tuesday of each month.

The presence of a Conficker infection may be detected if a user is unable to surf to the following websites:

If a user is unable to reach either of these websites, a Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing a user from visiting them). If a Conficker infection is suspected, the user should run the Microsoft Windows Malicious Software Removal Tool and install updates available from the Microsoft Update site.

References
  • Microsoft Windows Malicious Software Removal Tool -
<http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356>
  • Microsoft Updates Website -
<http://update.microsoft.com/microsoftupdate/>
  • US-CERT Technical Cyber Security Alert TA09-088A -
<http://www.us-cert.gov/cas/techalerts/TA09-088A.html>
  • Virus alert about the Win32/Conficker.B worm -
<http://support.microsoft.com/kb/962007>
  • The Conficker Worm -
<http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>
  • W32/Conficker.worm -
<http://us.mcafee.com/root/campaign.asp?cid=54857>
  • Microsoft Automatic Updates -
<http://www.microsoft.com/windows/downloads/windowsupdate/automaticupdate.mspx>

The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/alerts/SA09-088A.html>

Thanks to Donna from COU for finding this.

Questions and Answers: Conficker and April 1st

Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.

Q: Seriously, the Conficker worm is going to do something bad on April 1st, right?
A: The Conficker aka Downadup worm is going to change its operation a bit, but that's unlikely to cause anything visible on April 1st.

Q: So, what will it do on April 1st?
A: So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing.

Q: The latest version? There are different versions out there?
A: Yes, and the latest version is not the most common. Most of the infected machines are infected with the B variant, which became widespread in early January. With the B variant, nothing happens on April 1st.

Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st?
A: No.

Q: I'm running a Mac, is something going to happen to me?
A: No.

More from http://www.f-secure.com/weblog/archives/00001636.html

March 27, 2009
By Alex Goldman

Conficker and Downadup

As the code also known as Conficker, Downadup, Kido, Confick and the April Fool’s Day worm starts its countdown, security vendors are cautioning users that if they’ve implemented basic security on their home computer or network, they’ll be fine. Others, however, face risk from a worm that has spread rapidly and without a clear indication of its purpose, they told InternetNews.com.

“It’s important for users to apply the known, basic, common-sense steps to protect themselves, even in light of increasing and increasingly sophisticated attacks,” said Jenko Hwong, director of security products for security appliance vendor Mirapoint. “Conficker.C and April 1st won’t bring Armageddon.”

For most users, that involves using up-to-date software and security tools.

“If you have a legal copy of Microsoft Windows, you have invested … in antivirus software, or you pay your service provider for secured Internet access — most likely you are safe,” said Ron Meyran, product manager for security for application delivery and network security vendor Radware. “The same applies for enterprise networks: Your corporate policy should cover such cases.”

Nevertheless, the worm has still managed to spread widely. David Perry, global director of education at antivirus firm Trend Micro, told Internetnews.com several months ago that he believes about 10 million PCs have been hit.

Many of the infected PCs are inadequately defended. “If you run an illegal copy of Windows, your antivirus (if any) is a freeware, you are a DSL or cable subscriber and you never disconnect — then you are the ideal target for self propagating viruses such as Conficker,” Radware’s Meyran said.

“And it will not be the first time your computer is recruited into a botnet,” he said. “In fact, there is a good chance that you already host malware of more than one botnet.”

Owners of many infected PCs won’t know they’re infected until April 1, added Trend Micro’s Perry. “It’s hard to spot Conficker’s work.”

Experts don’t know what the worm will do on April 1, but they have some educated guesses. Tal Golan, founder and CTO of antispam appliance vendor Sendio, said that the worm will likely send out e-mail containing spam or malware, but that the e-mail will be a “smoke screen masking the real targets of the worm or virus.”

All of the experts that InternetNews.com contacted agreed that Conficker’s spread shows that many organizations are not up to date on their patches: The worm exploits a well-known vulnerability, published by Microsoft on Oct. 23, 2008. Anyone who applied the necessary patches since then is safe.

Security experts urged users who suspect they’re infected to scan their PCs. Trend Micro’s Perry recommended using security software based in the cloud, such as his company’s Trend Micro Smart Protection Network for enterprise users. The company also offers a Web-based scanning service called House Call for home users.

Radware’s Meyran said that one sign you’re infected could be if some Windows system services have been disabled on your PC.

The worm might be visible to any user: “It connects to a remote server in order to receive further instructions such as gathering personal information and downloading additional malware to the victim’s computer. It also disables a number of system services such as Windows Automatic Update, Windows Security Center and Windows Defender — all to prevent disinfection.”
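An added example (not from the article or from any of the vendors quoted in it) of how an administrator can check the three services Meyran names from PowerShell; the service names wuauserv, wscsvc and WinDefend are the standard Windows names and are assumed here, not taken from the article:

```powershell
# Added example, not from the article: report whether the Windows services the
# article names as Conficker's disinfection targets are still enabled and running.
# Service names are standard Windows names (assumed, not from the article):
#   wuauserv  -> Windows Automatic Updates
#   wscsvc    -> Windows Security Center
#   WinDefend -> Windows Defender
function Test-ProtectiveServices {
    param(
        [string[]]$ServiceNames = @('wuauserv', 'wscsvc', 'WinDefend')
    )
    $findings = foreach ($name in $ServiceNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'"
        if (-not $svc) {
            # A service that should exist but is absent is itself worth a look.
            [pscustomobject]@{ Service = $name; StartMode = 'Missing'; State = 'Missing'; Suspicious = $true }
            continue
        }
        # A Disabled start mode or a service that is not running is the sign
        # the article describes. A legitimate third-party AV product may also
        # disable Defender, so treat a hit as a lead to investigate, not proof.
        $suspicious = ($svc.StartMode -eq 'Disabled') -or ($svc.State -ne 'Running')
        [pscustomobject]@{
            Service    = $name
            StartMode  = $svc.StartMode
            State      = $svc.State
            Suspicious = $suspicious
        }
    }
    return $findings
}

$results = Test-ProtectiveServices
$results | Format-Table -AutoSize
if ($results | Where-Object Suspicious) {
    Write-Warning 'One or more protective services are disabled, stopped or missing; run the Malicious Software Removal Tool and a full scan, then apply pending updates.'
}
```

Run it from an elevated prompt so the CIM query can read every service; on a clean machine all three rows should show StartMode Auto and State Running.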
