
Conficker.E - P2P Updates Have Started for new variant
harrywaldron
post Apr 9 2009, 11:30 AM
Post #1
Trend is calling the latest variant Conficker "E". As expected, it's updating using P2P techniques rather than the 50,000 websites that the CWG has been deactivating.

Conficker.E - P2P Updates Have Started for new variant
http://blogs.zdnet.com/BTL/?p=16082
http://isc.sans.org/diary.html?storyid=6157
http://news.cnet.com/8301-1009_3-10215678-83.html

QUOTE: The Conficker worm is finally active, updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. The update may include a keylogger and other code to exfiltrate data. The update is delivered using the P2P mechanism and not the (defunct) web sites.

Conficker.E - Trend Micro Information
http://blog.trendmicro.com/downadconficker...ant-in-the-mix/
http://blog.trendmicro.com/a-look-inside-c...er-p2p-traffic/

Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:

-- (Un)Trigger Date – May 3, 2009, it will stop running
-- Runs in random file name and random service name
-- Deletes this dropped component afterwards
-- Propagates via MS08-067 to external IPs if Internet is available; if no connections, uses local IPs
-- Opens port 5114 and serves as an HTTP server, by broadcasting via SSDP request
-- Connects to the following sites: Myspace.com, msn.com, ebay.com, cnn.com, aol.com
-- It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc

McAfee information, as AVERT Labs has also documented this new threat:

DAT release 5579 or higher provides protection.

McAfee information
http://www.avertlabs.com/research/blog/ind...ficker-variant/

McAfee - Conficker Resource Center
http://www.mcafee.com/us/threat_center/conficker.html

McAfee Stinger - Can now clean latest variant
http://vil.nai.com/vil/stinger/
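The indicators Trend lists above (SSDP broadcast, an HTTP listener on TCP port 5114) can be turned into a simple hunt over network flow records. The following is an added defender-side example, not code from the post or from Trend Micro; the flow record layout and the sample flows are constructed for illustration.

```python
"""Hunt for hosts matching the Conficker.E P2P indicators from the post above.

A host is flagged when it both emits SSDP discovery traffic (UDP to
239.255.255.250:1900) and talks on TCP 5114, the port the post says the worm
opens as an HTTP server. Either behaviour alone is common (UPnP devices send
SSDP; 5114 could be anything), so only the combination is reported.
"""
from collections import defaultdict

SSDP_MCAST = "239.255.255.250"
SSDP_PORT = 1900
P2P_HTTP_PORT = 5114  # from the post: "Opens port 5114 and serves as an HTTP server"

# Constructed flow records (not a real capture): (src_ip, dst_ip, proto, dst_port)
SAMPLE_FLOWS = [
    ("10.0.0.5", "239.255.255.250", "udp", 1900),   # SSDP discovery
    ("10.0.0.5", "10.0.0.9", "tcp", 5114),          # peer exchange on 5114
    ("10.0.0.9", "10.0.0.5", "tcp", 5114),
    ("10.0.0.7", "239.255.255.250", "udp", 1900),   # ordinary UPnP device, no 5114
    ("10.0.0.8", "93.184.216.34", "tcp", 443),      # unrelated HTTPS traffic
]


def find_suspects(flows):
    """Return {host: sorted peers on 5114} for hosts that also sent SSDP."""
    ssdp_senders = set()
    p2p_peers = defaultdict(set)  # host -> hosts it exchanged TCP/5114 traffic with
    for src, dst, proto, dport in flows:
        if proto == "udp" and dst == SSDP_MCAST and dport == SSDP_PORT:
            ssdp_senders.add(src)
        elif proto == "tcp" and dport == P2P_HTTP_PORT:
            # Record both ends: the listener and the connecting peer are both of interest.
            p2p_peers[src].add(dst)
            p2p_peers[dst].add(src)
    return {h: sorted(p2p_peers[h]) for h in sorted(ssdp_senders) if h in p2p_peers}


def hosts_on_p2p_port(flows):
    """Return every host seen on either end of a TCP/5114 flow (follow-up candidates)."""
    hosts = set()
    for src, dst, proto, dport in flows:
        if proto == "tcp" and dport == P2P_HTTP_PORT:
            hosts.update((src, dst))
    return sorted(hosts)


if __name__ == "__main__":
    for host, peers in find_suspects(SAMPLE_FLOWS).items():
        print(f"suspect {host}: SSDP + TCP/5114 with {', '.join(peers)}")
```

Peers of a flagged host (here 10.0.0.9) show up in `hosts_on_p2p_port` even without SSDP of their own and are worth checking next.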
Replies (1 - 9)
Please Help Us
post Apr 9 2009, 03:40 PM
Post #2
Things just keep getting funner and funner with conficker around.

What I'm curious about is the stop-running date, May 3; I assume we can only expect something worse happening.
Ninja Raccoon
post Apr 9 2009, 06:12 PM
Post #3
Any thoughts on conficker being a test run?
Just someone testing out a distro method before releasing the real thing?

Or is it possibly doing something that hasn't yet been detected?


--------------------
"The very powerful and the very stupid have one thing in common. They don't alter their views to fit the facts. They alter the facts to fit their views. Which can be quite uncomfortable if you happen to be one of the facts which needs altering."
-- Dr. Who (Tom Baker)
o_rly
post Apr 19 2009, 04:40 PM
Post #4
Get ready for another media hype...


--------------------
Don't mind me, I'm just lurking.
uByte
post May 10 2009, 06:54 AM
Post #5
Found a great audio recording of Steve Gibson (creator of SpinRite) and Leo Laporte (worked for Tech TV back in the day) talking about the different variants of Conficker. Worth listening to, to understand how perfectly designed this worm is.
http://www.grc.com/securitynow.htm

uByte


--------------------
You miss 100% of the shots you don't take. . -Wayne Gretzky
Cyanide263
post Jun 26 2009, 08:11 PM
Post #6
Is this worm still active in the wild? I thought it terminated itself on May 3rd. Scared the hell out of me, even with patches and proper security. I hope none of my friends were faced with this. This is bad stuff.
harrywaldron
post Jun 27 2009, 08:44 AM
Post #7
Hi - Yes, it's active; a couple of weeks ago I saw where it's still infecting 50,000 users per day. It's less of a threat today, due to patching and the MSRT cleanup tool. As long as you're up-to-date on MS patches and are careful with USB plug-in devices, this threat shouldn't impact you.

Sharing this recent post below:

http://msmvps.com/blogs/harrywaldron/archi...-pcs-daily.aspx

Recently, I saw articles stating that the Gumblar website injection attacks were gaining strength and could become worse than Conficker. Gumblar was a very sophisticated malware attack that took off like wildfire a couple of weeks ago. Thankfully, this new threat has almost faded away, as the malware hosting websites were quickly shut down by authorities.

Experts: Gumblar attack is alive, worse than Conficker
http://news.cnet.com/8301-1009_3-10251779-83.html

Gumblar Attacks Dying Off
http://blogs.pcmag.com/securitywatch/2009/...s_dying_off.php

Conficker is still alive and well, as it continues to infect up to 50,000 PCs daily. Users need to stay up-to-date on all security updates and AV protection. We should follow major evolving threats, as sophisticated stealth attacks continue to circulate.

Conficker still infects approximately 50,000 PCs daily
http://viewfromthebunker.com/2009/05/20/co...nues-to-spread/
http://www.networkworld.com/news/2009/0521...-50000-pcs.html

QUOTE: The worm is infecting about 50,000 new PCs each day, according to researchers at Symantec, who reported Wednesday that the U.S., Brazil and India have been hit the hardest. "Much of the media hype seems to have died down around Conficker/Downadup, but it is still out there spreading far and wide," Symantec said in a blog post.
QQQQ
post Jun 29 2009, 09:08 AM
Post #8
So setting your computer's date to May 3, 2009 will cause it to stop running? Seems stupid to me to even include that.
Cyanide263
post Jul 3 2009, 09:08 PM
Post #9
Hmm, is it even safe to go on the internet anymore? I sometimes wonder that! Lol, even with all this security!!!
QQQQ
post Jul 4 2009, 07:40 AM
Post #10
Yes it is pretty bad now, but you can still be safe. Just have to watch what you click on, most people just click okay or yes because they are in a hurry. Half the time they don't even know what they click on, they just say I don't know what happened, I didn't do anything!