Conficker Worm

master_bates said:

Anyone have anything to report?

My system is clean

Click to expand...

The Internet Is Infected
Lesley Stahl of 60 minutes reports on computer viruses that propagate on the Internet and infect PCs, which enable their creators  often called "cyber gangs"  to learn the information they need to electronically rob bank accounts.

March 29, 2009

If you have about 13 minutes to spare, the following excerpt could save you aggravation:

Click or copy & paste on the following link>



http://www.cbsnews.com/video/watch/?id=4901282n

You are only at risk if you are running an unpatched XP system. Microsoft issued a patch against Conficker way back in Oct 2008. As long as people do their updates and run a decent anti-virus program they should be OK. Or simply run Vista.

http://www.extremetech.com/article2/0,2845,2344094,00.asp

Techman said:

You are only at risk if you are running an unpatched XP system. Microsoft issued a patch against Conficker way back in Oct 2008. As long as people do their updates and run a decent anti-virus program they should be OK. Or simply run Vista.

http://www.extremetech.com/article2/0,2845,2344094,00.asp

Click to expand...

Interesting Techman. Thanks.

You know it's disappointing that for all the talk and writing the press did about the virus they failed (as far as I saw) to mention this... it's too bad.... it would have saved a lot of people a lot of worry.

You may or may not know this, but I understand they thought the virus was somehow going to mutate on April 1st... might just changing the date on your computer to say April 7th have protected you???? or may it was set to mutate on any date after April 1st.

This stuff fascinates me... it was interesting to read how the Canadians tracked down the recently announced Ghost Network... started by checking the Dalai Lama's computers... great work... I don't pretend to know it all but I think they set up a trap and used the attackers' own program against them to discover their locations.

Just read MafiaBoy's book.... not a great read but interesting... might not have been caught if he could have resisted boasting about his feat.

Unfortunately the main stream press don't seem to dig very far when reporting on things like this. They will talk to a few so called 'experts' who are usually people who are more interested in promoting their product or their services than they are in helping to get the truth out.

Changing your date wouldn't help. The worm was set to check if the date is either April 1 or later. It's also entirely possible that it could verify the date with it's own servers, bypassing the system clock altogether. No one seems to really know very much about this worm at the present time.

Mafiaboy was nothing special. He was just a script kiddy, someone who used pre-written code available on the net for anyone to play with, not a real hacker. Pretty much anyone with a little computer knowledge could have done what he did.

Techman,

I think Vista's are also vulnerable.

Porter, from the link I posted:

Windows Vista is technically vulnerable in this way, but the exploit is almost impossible to execute on it. Conficker is basically an XP problem.

Click to expand...

Running Vista with User Account Control or UAC activated, as it is by default, and Internet Explorer 7 (or 8 preferably) in protected mode, as it is by default on Vista, makes it extremely difficult for any virus or malware to infect your system. The very few Vista systems that I have seen with malware problems have all had UAC turned off by the user.

Running Vista with User Account Control or UAC activated, as it is by default, and Internet Explorer 7 (or 8 preferably) in protected mode, as it is by default on Vista, makes it extremely difficult for any virus or malware to infect your system. The very few Vista systems that I have seen with malware problems have all had UAC turned off by the user.

Click to expand...

I agree running Explorer in protected mode is a very good counter measure!

But alot will run Explorer with this feature turn off.

Fortunately in Vista, UAC and protected mode is the default. The majority of users never vary from the default settings their system is delivered with. Most don't know these settings even exist. Unfortunately, IE7 does not run in protected mode by default on XP and again most users don't know it exists and never turn it on. I don't even run an active anti-virus on my Vista system and just scan it once every couple of months without having so much as one malware or virus problem in over 2 years.

Once people start moving to Vista, or the upcoming Windows 7, as they replace their aging systems, I believe there will be much fewer malware/virus problems around. It's sad that Vista got so much bad press, undeserved in my opinion, that has led to XP overstaying it's unsecure welcome.

Windows 7 is great by the way. On an old P4 3.0GHz system it runs faster than XP did, and that's just the beta version. Can't wait to get my hands on the final version in a few months.

PS: By the way...anyone running XP or Vista should upgrade to IE8. It's a much better, faster and secure browser than IE7 and has some great new features. For both IE7 and 8, just look at the status line at the bottom of your browser window to see if it is running in protected mode. If it says that protected mode is off, it just takes a simple double click to turn it on for extra security.

Thanks Doc! It's nice to be appreciated and I hope the info I post is helpful for members.

And just so I'm not accused of being a Microsoft shill ...Firefox, Opera and some other browsers are fine alternatives to IE for those who prefer them. They are more secure than IE if it is not run in protected mode. The reason I focus on IE in this thread is that, as I mentioned in my post above, most users stick with what comes with their system and that is IE.

For those who use another browser you can run it in a 'sandbox' using Sandboxie, a freely available program. This isolates the browser from the operating system effectively preventing any code that may try to execute on it's own from affecting your system in any way. You can also run just about any program using Sandboxie, especially key generators for downloaded programs, to prevent any damage from happening due to possible Malware included in the keygen.

http://www.sandboxie.com/

Let's make those tests easy on you

http://www.joestewart.org/cfeyechart.html

Hey YVO, that is a great test page that is really simple for everyone!

Now I have to say OOPS to everyone...protected mode is NOT available on Windows XP in either IE7 or 8. My bad. Guess I have been using Vista too long. I hope no one lost any time looking for a way to turn it on. If you want the equivalent level of browser security on XP that protected mode provides on Vista, download Sandboxie and run your favorite browser using that option.

Sorry about that.

Conficker wakes up, updates via P2P, drops payload

(CNET) -- The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
This piece of computer code told the worm to activate on April 1, researchers found.

This piece of computer code told the worm to activate on April 1, researchers found.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

On Tuesday night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites.

http://www.cnn.com/2009/TECH/04/09/conficker.activated/index.html?iref=mpstoryview