April 9, 2009
Conficker Wakes Up
Internet Worm Carrying Damaging Software Is Updating, Researchers Say
Video: Correction: Conficker Worm 04.05.09: Lesley Stahl offers a correction to "The Internet Is Infected" in which a photograph was described as "a gang of young Russian hackers." The photograph was not as stated.
Video: Conficker Worm Warning: CNET's Natali Del Conte shares tips with Maggie Rodriguez about the April 1 "Conficker" worm, which could steal financial information from your computer.
Video: Computer Virus Has Experts Stumped: The Conficker Worm computer virus is infecting Windows-based computers worldwide and has experts stumped on how to stop it. It's expected to receive new instructions on April 1st. UTTM Computer Consultant John Quain discusses the virus.
The Conficker worm is finally doing something - updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.
The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.
The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.
Because infected computers are receiving the new component in a staggered manner rather than all at once, there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.
"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.
Last night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.
"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"
In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.
The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.
Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.
Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.
The worm disables security software and blocks access to security Web sites. To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn.
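The Eye Chart check mentioned above rests on the blocking behaviour the article describes: an infected host can still reach ordinary web sites but cannot reach security vendor sites. The script below is an added example written for this page, not code from CBS, Trend Micro or the Eye Chart itself. It assumes the two domain lists shown (any ordinary sites and any security vendor sites would do) and makes the verdict logic a separate function so it can be reasoned about without network access.

```python
"""Added example, not part of the original article or of Trend Micro's research.

Idea (as the article describes it): Conficker blocks access to security
vendor web sites, so a host that reaches ordinary sites but none of the
vendor sites is a candidate for infection. The domain lists and the verdict
thresholds are this example's own assumptions.
"""
import socket
import urllib.request

# Ordinary sites; the article says the worm itself uses several of these
# as a connectivity check, so they are unlikely to be blocked on an
# infected host. (Assumed control set.)
CONTROL_SITES = ["www.msn.com", "www.cnn.com", "www.aol.com"]

# Security vendor sites, assumed to be the kind of site the worm blocks.
VENDOR_SITES = ["www.trendmicro.com", "www.mcafee.com", "www.symantec.com"]


def dns_resolves(host):
    """True if the host name resolves. Conficker-style blocking often
    shows up here first, before any HTTP request is made."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def http_reachable(host, timeout=5.0):
    """True if a plain HTTP GET to the host gets any non-error response."""
    try:
        with urllib.request.urlopen("http://%s/" % host, timeout=timeout) as resp:
            return resp.status < 500
    except Exception:
        return False


def probe(hosts, check=http_reachable):
    """Run one reachability check per host; returns {host: bool}."""
    return {h: check(h) for h in hosts}


def classify(control, vendor):
    """Turn two {host: reachable} maps into a verdict.

    - no-connectivity: nothing reachable, so nothing can be concluded
    - suspicious:      ordinary sites reachable, every vendor site blocked
    - inconclusive:    some vendor sites blocked (outage or a filter?)
    - clean:           everything reachable
    """
    control_ok = sum(1 for ok in control.values() if ok)
    vendor_ok = sum(1 for ok in vendor.values() if ok)
    if control_ok == 0:
        return "no-connectivity"
    if vendor_ok == 0:
        return "suspicious"
    if vendor_ok < len(vendor):
        return "inconclusive"
    return "clean"


def run_eye_chart():
    """Live check: DNS first, then HTTP, and a verdict for each layer."""
    dns_verdict = classify(probe(CONTROL_SITES, dns_resolves),
                           probe(VENDOR_SITES, dns_resolves))
    http_verdict = classify(probe(CONTROL_SITES), probe(VENDOR_SITES))
    return {"dns": dns_verdict, "http": http_verdict}


if __name__ == "__main__":
    for layer, verdict in run_eye_chart().items():
        print("%s: %s" % (layer, verdict))
```

A "suspicious" verdict is a reason to scan the machine with a known-clean tool, not proof of infection: a corporate web filter or a vendor outage can block the same sites, which is why the script reports "inconclusive" for a partial block rather than guessing. Conversely a "clean" result only shows the blocking behaviour is absent; it says nothing about a variant that does not block those sites.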
For more information, listen to Larry Magid's audio interview with Perry.
© MMIX, CBS Interactive Inc. All Rights Reserved. This material may not be published, broadcast, rewritten, or redistributed.
- "The software is heavily encrypted, which makes code analysis difficult, the researchers said."
Maybe the researchers should hire me. I use Softice 32 (one of those neat little programs that was made illegal by stupid anti-"piracy" idiots, because it allows code circumvention) on a test-bed box to watch code execution, and therefore know exactly what the encrypted code does, so analyzing it is simple. I, a self-taught programmer (assembler and C++), trapped the Downadup rootkit months ago, which, by the way, plants keyloggers, opens ports, and logs the infected box into a "bot-net" awaiting data to spread. It also installs itself in the Restore folder, so if you wipe it, it re-installs itself on the next boot. It then allows back door monitoring of passwords and other private info by anyone who chooses to look and knows the port numbers (or, for that matter, owns a port sniffer).
I was writing a piece to kill it when M$ put their malicious software removal kit out, which saved me time and trouble.
To "Posted by tmittelstaed": you are sadly mistaken if you think that a "'nix box" or a 'nix-based Mac running Leopard is immune. This particular rootkit is written in dual binary, so it can infect even older Macs, and rooting Linux has been a script kiddie hobby for years.
- Hmmm...... This virus is a weenie compared to the DNC socialist brainwashing program!
- Worms and viruses got you down? Never fear, Big Brother is here, with the new improved Internet 2, coming soon!!!
- Not to worry. Big Brother is poised to cure all your ills.
- Actually, if your identity is stolen through a keypunch monitoring virus, you will be dead to your creditors for a long time, and you'll wish you were dead instead of having to go through all the BS you need to do to fix your stolen identity, because banks and credit bureaus can't get their Sh|t together to deal with this, just like foreclosures, but that's another post.
More online institutions need to start using the mouse-click password interfaces. You see a keyboard graphic on your screen and mouse-click your password. This way the keypunch reading viruses get nothing but your silly rantings on these boards.
What!, more garbage to deal with?, Please, give me a break here!
So what if my computer gets infected!!!, so long as it doesn't kill me, LOL!!!!!!!!!!
Who cares! do you?
Posted by valentin73 at 1:54 PM : Apr 9, 2009
- My computer is clean. The best way to prevent infection is to pray to God. If you are faithful and live by good conservative Christian values, you will never have to worry about viruses and worms again.
Posted by bblthmpr at 12:23 PM : Apr 9, 2009
I'd think GW Bush himself was posting here if two or more of those words were spelled wrong, but alas, they're all spelled correctly.
- What!, more garbage to deal with?, Please, give me a break here!
So what if my computer gets infected!!!, so long as it doesn't kill me, LOL!!!!!!!!!!
Who cares! Do you?
- NOW, IF ONLY SOMEONE WOULD WAKE UP THE REPUBLI 'CON' PARTY AND TURN THEM BACK INTO AMERICANS.
THEY HAVE BECOME NOTHING BUT ANTI-AMERICAN FASCISTS,
STEALING ELECTIONS, STEALING MONEY, STEALING THE COUNTRY, FOR GREED.
Posted by pythoncharly at 8:05 AM : Apr 9, 2009
What does this have to do with a computer virus?
Posted by WITHINMEANS
__________________________
Just another viral variant....The Republicans are the more dangerous types though! They need their own anti-virus software.... They need to be Obama-ized!
- Mmmmm, worms.
- "...The Conficker Worm is just a foreshadowing of what is possible and one day will storm the Internet...." -ed_c_in_ok
Conficker doesn't infect Macs or Linux systems, and a critical mass of a specific OS with a specific version is needed on the Internet for worms to work at all. The number of Linux and Mac systems on the Internet has not yet reached this critical mass, which is why worms that are written for those OSes (and there have been a few written in research labs) cannot gain a foothold on the Internet and start spreading.
At this point we don't know exactly what the critical mass would need to be for ANY operating system, we just know if we have reached it or not - and we know we have reached it for Windows.
It may be that in future years as more and more people switch away from Windows and to MacOS and Linux, that the number of Windows systems on the Internet will fall below critical mass and the worms will stop.
It also may be that newer versions of Windows will actually be truly new versions and not just brush-over rewrites of old Windows versions. Haven't you ever wondered why these worms infect Windows 2K, XP & Vista? It's because underneath the exterior differences it's just the same old boring Win32 code. These worms certainly don't infect Win 3.1. If Microsoft stopped cheating the public by just repackaging Windows and charging more money for it, and actually supported their OS versions for more than 5-6 years, then the critical mass of the SAME TYPES of Windows systems would fall below that needed to support worm programs.
In the meantime, anyone who wants to keep their data private can go to Apple Macs and/or Linux and not have to put up with this nonsense.
- "My computer is clean. The best way to prevent infection is to pray to God. If you are faithful and live by good conservative Christian values, you will never have to worry about viruses and worms again."
Hey, are you my mother-in-law? Miriam, is that you? Praying won't solve every problem, you ninny.............
- I am absolutely certain I am infection free.
Posted by thinkharder- at 10:40 AM : Apr 9, 2009
The article says this is a rootkit, which is much more difficult for antivirus software to detect. Many people, including myself, may have this without knowing.
The way I understand root kits is they rewrite part of or add to your operating system, which makes them harder to detect.
Maybe someone else out there has better information than this. I know just enough to make me dangerous lol
- My computer is clean. The best way to prevent infection is to pray to God. If you are faithful and live by good conservative Christian values, you will never have to worry about viruses and worms again.
- McAfee does work. Ye have to keep it updated. I know McAfee works as I have used it since 06. I think we all have to be careful. The poster who says McAfee doesn't work needs to right click the red M icon and open it and go down the list. Ye have to keep it updated. I buy it every year. I write down when I need to buy it and INSTALL it. We all have to use common sense.
- The Conficker Worm is just a foreshadowing of what is possible and one day will storm the Internet. The advances within high technology and a devious sector of sophisticated users is ripe to wreak havoc, i.e. technological terrorism, on the world. I suspect there are plenty of attempts being orchestrated to seize confidential information that can be used one day for financial gain. Once the information has been acquired, the system sits idle until one day when the order is given to capitalize on the criminal possibilities facilitated through information theft. A worm which could use millions of computers in a peer to peer network could easily flood any server and shut down many websites to create distraction away from the actual perpetration of a lucrative crime. We can only hope that the Conficker incident sparks interest enough within the antivirus techies to begin effectively writing code which can rapidly detect even the deepest, most subtle programs that target Windows-based operating systems so that subsequent attacks can be more rapidly contained and thwarted.
- Does anyone know of freeware software that scans the Windows operating system files to detect and/or replace corrupt or missing files? I don't mean registry cleaners or virus programs. Something similar to scannow. Speaking of scannow, does it work if XP Service Pack 3 is installed?
- In addition, I have wholly abandoned internet explorer and use Firefox exclusively...much fewer security loopholes. I also run the free AVG scan every once in a while, and keep an updated Adaware from Lavasoft.de to scan with once or twice a month. I download like crazy and don't really do much to temper my web surfing habits, and contrary to what cs4466 has to say, I am absolutely certain I am infection free.
Posted by thinkharder- at 10:40 AM : Apr 9, 2009
Until more and more people start using it, then it will be exploited like Microsoft. The problem is that when you have a very large base of users it means more bang for the buck. I can exploit Microsoft because so many use it; once Firefox is used by companies as well, then hold on to your hat. They said the same thing about other software.
- Like what if you don't mind sharing?
Posted by tx_doughboy at 9:34 AM : Apr 9, 2009
I use AVG from Grisoft. They try to sell you the whole security package but you can get the AV software alone for free.
I then trust the built in Microsoft firewall.
Best protection is to only go to web sites you trust and don't download or install software from questionable software. In other words, common sense.
Posted by fedup12 at 10:20 AM : Apr 9, 2009
In addition, I have wholly abandoned Internet Explorer and use Firefox exclusively...much fewer security loopholes. I also run the free AVG scan every once in a while, and keep an updated Adaware from Lavasoft.de to scan with once or twice a month. I download like crazy and don't really do much to temper my web surfing habits, and contrary to what cs4466 has to say, I am absolutely certain I am infection free.
- The Conficker Eye Chart site is probably overloaded now. I had to wait for a few minutes and then it checked me: no problems......
- Rhs64z you are right, those Republicans should buy Senate seats like any respectable Democrat would do.