April 9, 2009
Conficker Wakes Up
Internet Worm Carrying Damaging Software Is Updating, Researchers Say
The Conficker worm is finally doing something - updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.
The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.
The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.
Because infected computers are receiving the new component in a staggered manner rather than all at once, there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.
"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.
Last night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.
"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"
In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.
The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.
Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.
Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.
The worm disables security software and blocks access to security Web sites. To check if your computer is infected you can use the Conficker Eye Chart or the test page at the University of Bonn.
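The Eye Chart idea above can be reproduced as a small reachability check: probe a group of security-vendor hosts and a control group of ordinary hosts, and flag the case where ordinary sites load while security sites do not. This is an added example, not the Eye Chart's own code; the security-vendor host list is an assumption, and the control hosts are the ones the article says the worm itself uses for its connectivity test.

```python
"""Eye-chart style reachability check (added example, not the original chart)."""
import urllib.error
import urllib.request
from typing import Callable, Dict, Iterable

# Assumed security-vendor hosts; substitute whatever vendors you rely on.
SECURITY_HOSTS = ["www.symantec.com", "www.f-secure.com", "www.trendmicro.com"]
# Control hosts: the article reports the worm probes these for connectivity.
CONTROL_HOSTS = ["www.cnn.com", "www.msn.com", "www.aol.com"]


def http_reachable(host: str, timeout: float = 5.0) -> bool:
    """Live probe: True if the host answers at all (an HTTP error still counts)."""
    try:
        urllib.request.urlopen(f"http://{host}/", timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True          # got a response, so the host is not blocked
    except (urllib.error.URLError, OSError):
        return False         # DNS failure, timeout, or connection refused


def probe_all(hosts: Iterable[str], fetch: Callable[[str], bool]) -> Dict[str, bool]:
    """Run the probe over every host, keeping per-host results for reporting."""
    return {h: fetch(h) for h in hosts}


def classify(security: Dict[str, bool], control: Dict[str, bool]) -> str:
    """Compare the two groups the way the Eye Chart does."""
    ctrl_ok = sum(control.values())
    sec_ok = sum(security.values())
    if ctrl_ok == 0:
        return "no-connectivity"   # nothing loads, so no conclusion is possible
    if sec_ok == 0:
        return "suspicious"        # ordinary sites load, security sites do not
    if sec_ok < len(security):
        return "partial"           # some vendors blocked; inspect the per-host results
    return "normal"


def eye_chart(fetch: Callable[[str], bool] = http_reachable) -> str:
    """Full check; pass a fake fetch function to exercise the logic offline."""
    return classify(probe_all(SECURITY_HOSTS, fetch), probe_all(CONTROL_HOSTS, fetch))


if __name__ == "__main__":
    print(eye_chart())
```

A "suspicious" verdict is only a hint, not proof: a corporate proxy or web filter that blocks vendor sites produces the same pattern, so confirm with an offline scanner before acting.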
For more information, listen to Larry Magid's audio interview with Perry.
© MMIX, CBS Interactive Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.
Maybe the researchers should hire me, I use Softice 32 (one of those neat little programs that was made illegal by stupid anti-"piracy" idiots, because it allows code circumvention) on a test-bed box to watch code execution, and therefore know exactly what the encrypted code does, so analyzing it is simple. I, a self-taught programmer (assembler, and C++) trapped the downadup rootkit months ago, which, by the way, plants keyloggers, opens ports, and logs the infected box into a "bot-net" awaiting data to spread. It also installs itself in the Restore folder, so if you wipe it, it re-installs itself on the next boot. It then allows back door monitoring of passwords and other private info by anyone who chooses to look, and knows the port numbers (or for that matter, owns a port sniffer).
I was writing a piece to kill it when M$ put their malicious software removal kit out, which saved me time and trouble.
To "Posted by tmittelstaed", you are sadly mistaken if you think that a "'nix box" or a "'nix-based Mac running Leopard" is immune; this particular rootkit is written in dual binary, so it can infect even older Macs, and rooting Linux has been a script kiddie hobby for years.
More online institutions need to start using the mouse-click password interfaces. You see a keyboard graphic on your screen and mouse-click your password. This way the keypunch reading viruses get nothing but your silly rantings on these boards.
What!, more garbage to deal with?, Please, give me a break here!
So what if my computer gets infected!!!, so long as it doesn't kill me, LOL!!!!!!!!!!
Who cares! do you?
Posted by valentin73 at 1:54 PM : Apr 9, 2009
Posted by bblthmpr at 12:23 PM : Apr 9, 2009
I'd think GW Bush himself was posting here if two or more of those words were spelled wrong, but alas, they're all spelled correctly.
So what if my computer gets infected!!!, so long as it doesn't kill me, LOL!!!!!!!!!!
Who cares! do you?
THEM, BACK INTO AMERICAN'S
THEY HAVE BECOME NOTHING BUT ANTI AMERICAN FASCISTS,
STEALING ELECTIONS, STEALING MONEY, STEALING THE COUNTRY, FOR GREED
Posted by pythoncharly at 8:05 AM : Apr 9, 2009
what does this have to do with a computer virus?
Posted by WITHINMEANS
__________________________
Just another viral variant....The Republicans are the more dangerous types though! They need their own anti-virus software.... They need to be Obama-ized!
Conficker doesn't infect Macs or Linux systems, and a critical mass of a specific OS with a specific version is needed on the Internet for worms to work at all. The number of Linux and Mac systems on the Internet has not yet reached this critical mass, which is why worms that are written for those OSes (and there have been a few written in research labs) cannot gain a foothold on the Internet and start spreading.
At this point we don't know exactly what the critical mass would need to be for ANY operating system, we just know if we have reached it or not - and we know we have reached it for Windows.
It may be that in future years as more and more people switch away from Windows and to MacOS and Linux, that the number of Windows systems on the Internet will fall below critical mass and the worms will stop.
It also may be that newer versions of Windows will actually be truly new versions and not just brush-over rewrites of old Windows versions - haven't you ever wondered why these worms infect Windows 2K, XP & Vista? It's because underneath the exterior differences it's just the same old boring Win32 code. These worms certainly don't infect Win 3.1. If Microsoft stopped cheating the public by just repackaging Windows and charging more money for it, and actually supported their OS versions for more than 5-6 years, then critical mass of the SAME TYPES of Windows systems would fall below that needed to support worm programs.
In the meantime, anyone who wants to keep their data private can go to Apple Macs and/or Linux and not have to put up with this nonsense.
Hey, are you my mother -in-law? Miriam , is that you? Praying won't solve every problem you ninny.............
Posted by thinkharder- at 10:40 AM : Apr 9, 2009
The article says this is a rootkit, which is much more difficult for antivirus software to detect. Many ppl including myself may have this without knowing.
The way I understand rootkits is they rewrite part of or add to your operating system, which makes them harder to detect.
Maybe someone else out there has better information than this. I know just enuf to make me dangerous lol
Posted by thinkharder- at 10:40 AM : Apr 9, 2009
Once more and more people start using it, then it will be exploited like Microsoft. The problem is that when you have a very large base of users it means more bang for the buck. I can exploit Microsoft because so many use it; once Firefox is used by companies as well, then hold on to your hat. They said the same thing about other software.
Posted by tx_doughboy at 9:34 AM : Apr 9, 2009
I use AVG from Grisoft. They try to sell you the whole security package but you can get the AV software alone for free.
I then trust the built in Microsoft firewall.
Best protection is to only go to web sites you trust and don't download or install software from questionable software. In other words, common sense.
Posted by fedup12 at 10:20 AM : Apr 9, 2009
In addition, I have wholly abandoned Internet Explorer and use Firefox exclusively...far fewer security loopholes. I also run the free AVG scan every once in a while, and keep an updated Ad-Aware from Lavasoft.de to scan with once or twice a month. I download like crazy and don't really do much to temper my web surfing habits, and contrary to what cs4466 has to say, I am absolutely certain I am infection free.