
Conficker.C Worm - Major Update targeted for April Fools Day


43 replies to this topic

#1 harrywaldron

harrywaldron

    Security Reporter


  • Members
  • 509 posts
  • OFFLINE
  • Gender:Male
  • Location:Roanoke, Virginia
  • Local time:06:28 AM

Posted 24 March 2009 - 03:49 PM

The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthier than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations, while the worm is currently dormant.

If it establishes a foothold anywhere in the network, it can even spread to systems that are patched with the MS08-067, if they are insecure in other areas, (i.e., it uses multiple attack methods).

Please take precautions now, as this one will be even more difficult than "B" was to clean.

Conficker.C Worm - Major Update targeted for April Fools Day
http://techfragments.com/news/629/Software..._to_Spread.html
http://arstechnica.com/security/news/2009/...-activation.ars
http://www.maximumpc.com/article/news/this...april_fools_day
http://news.cnet.com/8301-1009_3-10196122-83.html
http://www.ca.com/us/securityadvisor/virus...s.aspx?id=77976

QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:

• Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
• Creating access control entries and locking the file(s)
• Registering dummy services using a "one (name) from column A, one from column B, and two from column C" method

Conficker.C's payload makes it harder than ever to recover from being infected:

• Deactivates Windows Security Center notifications
• Prevents restart in Safe Mode
• Prevents Windows Defender from running at system startup
• Deletes all system restore points
• Disables various error-reporting and security services
• Terminates over twenty security-related processes
• Blocks DNS queries
• Blocks access to security and antivirus websites
• And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

Conficker.C - Detailed Evaluation by SRI
http://mtc.sri.com/Conficker/addendumC/

QUOTE: Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. In fact, we estimate that C leaves as little as 15% of the original B code base untouched

Below are some resources for information and cleaning tools for the Conficker worm:

Conficker - Cleaning tips for corporate users
http://msmvps.com/blogs/harrywaldron/archi...rate-users.aspx

Internet Storm Center - Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860

Microsoft Resources
http://support.microsoft.com/kb/962007
http://www.microsoft.com/technet/security/...n/ms08-067.mspx

Conficker.c - April 1st payload still a mystery to researchers
http://www.computerworld.com/action/articl...ticleId=9130228

QUOTE: PCs infected with Conficker.c, the third version of the worm that first appeared late last year, will use a new communication scheme on April 1 to establish a link to the command-and-control servers operated by the hackers who seeded the malware. The date is hard-coded into the worm, which in turn polls any of a number of major Web sites, including Yahoo, for the date, said Stewart.

"So far, we haven't seen any evidence [on those machines] of what it will do April 1," added Stewart, although that's to be expected. "It's not April 1 yet, so they're not going to put something online, where it might be found. In fact, it's almost a little risky for us to try to look for those sites, since it might give away that we have some bots in their network." Symantec Corp.'s Vincent Weafer, vice president of the company's security response group, agreed with Stewart that it's impossible to know ahead of time what stunt Conficker's controllers will pull next week. "Nobody has any real idea," said Weafer. "There's no indication of what it will do April 1."

Weafer characterized the Conficker.c update as one to "armor and harden the existing infections," and noted that the variant, unlike its predecessors, cannot spread to other PCs. "This variant is very defensive-oriented," said Weafer, "to make it less visible and more resilient." Like Weafer, Stewart sees Conficker.c as a move by the worm's maker or makers to consolidate what's already infected. "The big question is what's the end game?" he said. "Is it just as big as they want it to get?"

Edited by harrywaldron, 01 April 2009 - 12:09 PM.



#2 samuel3

samuel3

  • Members
  • 2,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:28 AM

Posted 25 March 2009 - 01:05 PM

So then.. what's the best way to defend ourselves from it?

#3 TheLazyComic

TheLazyComic

  • Members
  • 1 posts
  • OFFLINE
  • Location:Atlanta, GA
  • Local time:06:28 AM

Posted 26 March 2009 - 12:36 AM

How about I just don't turn on my PC on April 1st? Will it get me the next day?

#4 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:28 AM

Posted 26 March 2009 - 04:06 PM

Hello.

So then.. what's the best way to defend ourselves from it?

The links harrywaldron provided show how this infection works, and if you read some of them and the links those links lead to, there are some prevention tips. Also, if you know how this infection works then you will know how to prevent it from occurring. :thumbsup:

How about I just don't turn on my PC on April 1st? Will it get me the next day?

Perhaps.

With Regards,
Extremeboy
Note: Please do not PM me asking for help, instead please post it in the correct forum requesting for help. Help requests via the PM system will be ignored.

If I'm helping you and I don't reply within 48 hours please feel free to send me a PM.

The help you receive here is always free but if you wish to show your appreciation, you may wish to Posted Image.

#5 tokeno

tokeno

  • Members
  • 13 posts
  • OFFLINE
  • Gender:Male
  • Location:toronto
  • Local time:04:28 AM

Posted 27 March 2009 - 01:29 PM

I also heard it may be in the beta versions of Windows 7. The beta testers I know are dumping Seven partitions in their dual boot config until the days after.
Tokeno :thumbsup:
A learned blockhead is a greater blockhead than an ignorant one.
Benjamin Franklin

#6 n_nikers

n_nikers

  • Members
  • 15 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 27 March 2009 - 01:55 PM

MY PC WAS INFECTED BY CONFICKER C :thumbsup:

----

I downloaded that BitDefender Removal Tool and after the scan, the result was clean. (How did it happen? It's not working anymore?)

But I also scanned with Panda Active Scan, and it detected Conficker C on my PC and other vulnerabilities too, but it doesn't include MS08-067. It's the one which is connected to Conficker C, right? Why was it not on the list?
It also said that it doesn't detect any security on my PC, but that's not true since I have Avira Free AV.

I had (Conficker C) removed by Panda. But I haven't downloaded the patches yet. What do I have to do next?

--

Can I save my files on an external hard drive without infecting it too?

--

I'm confused. Do I need to experience all these if the PC is infected?

# Deactivates Windows Security Center notifications
# Prevents restart in Safe Mode
# Prevents Windows Defender from running at system startup
# Deletes all system restore points
# Disables various error-reporting and security services
# Terminates over twenty security-related processes
# Blocks DNS queries
# Blocks access to security and antivirus websites

#7 shoregeek

shoregeek

  • Members
  • 1 posts
  • OFFLINE
  • Location:Lewes, Delaware
  • Local time:06:28 AM

Posted 27 March 2009 - 02:27 PM

What I do, for my Windows-based computers, is have my network using OpenDNS and make sure my anti-virus is up to date. I can sleep fine through April 1st. :thumbsup:

#8 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:28 AM

Posted 27 March 2009 - 03:15 PM

http://www.avertlabs.com/research/blog/ind...-about-nothing/
Regards,
Jason

 

Simple and easy ways to keep your computer safe and secure on the Internet

If I am helping you and have not returned in 48 hours, please feel free to send me a PM with a link to the topic.
My help is free... however, if you wish to show appreciation and support me personally fighting against malware, please consider a donation: btn_donate_SM.gif


#9 extremeboy

extremeboy

  • Malware Response Team
  • 12,975 posts
  • OFFLINE
  • Gender:Male
  • Local time:06:28 AM

Posted 27 March 2009 - 03:48 PM

Hello.

If you think you may be infected post in the Am I Infected, what do I do forum first and see what we can do there. If needed we will move you to another forum.

I'm confused. Do I need to experience all these if the PC is infected?

No. Those are just some signs/symptoms of someone that is infected with this. It doesn't necessarily mean you have to have all those signs to be infected. How do you know you are infected? If you think you are then post in the AII (Am I Infected) forum as mentioned above.

With Regards,
Extremeboy

#10 buddy215

buddy215

  • BC Advisor
  • 12,876 posts
  • OFFLINE
  • Gender:Male
  • Location:West Tennessee
  • Local time:05:28 AM

Posted 30 March 2009 - 02:24 PM

http://www.computerworld.com/action/articl...mp;pageNumber=1

Researchers exploit Conficker flaw to find infected PCs
Three researchers, including Dan Kaminsky, created a scanner to quickly detect worm on networks


...Just days before the Conficker worm is set to contact its controllers for new instructions, security researchers have discovered a flaw in the worm that makes it much easier for users to detect infected PCs....

......The scanner, in turn, has been modified and added to enterprise-grade detection systems from companies such as McAfee, nCircle and Qualys, which plan to release updates today. The free open-source Nmap scanner is also slated to include the new detection capability......

For more info, read the article in the link above.

“Every atom in your body came from a star that exploded and the atoms in your left hand probably came from a different star than your right hand. It really is the most poetic thing I know about physics...you are all stardust.”Lawrence M. Krauss

A 1792 U.S. penny, designed in part by Thomas Jefferson and George Washington, reads “Liberty Parent of Science & Industry.”


#11 samuel3

samuel3

  • Members
  • 2,349 posts
  • OFFLINE
  • Gender:Male
  • Local time:11:28 AM

Posted 30 March 2009 - 04:00 PM

How can you get the Conflicker?

What are the best programs to prevent it?

If my ISP got it would I get it?

#12 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:28 AM

Posted 30 March 2009 - 05:26 PM

Hi samuel3,

How can you get the Conflicker?

There's actually no "l" in the spelling, it's "Conficker". The Conficker aka Downadup worm can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft (which was released last October).

What are the best programs to prevent it?

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The presence of a Conficker/Downadup infection may be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:
If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or unplugged from the Internet - in the case for home users.

The U.S. Computer Emergency Readiness Team (US-CERT) encourages users to prevent a Conficker/Downadup infection by ensuring all systems have the MS08-067 patch (see http://www.microsoft.com/technet/security/...n/MS08-067.mspx), disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software.

What we do know is almost all the security vendors have thoroughly analyzed Conficker/Downadup worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates are across vendors–small or big.

If my ISP got it would I get it?

No, if you installed the Microsoft patch, disabled AutoRun functionality, and kept antivirus and malware scanner definitions up to date, as described in the bold paragraph above.

Sources:
http://www.avertlabs.com/research/blog/ind...-about-nothing/
http://www.us-cert.gov/cas/techalerts/TA09-088A.html

Edited by jntkwx, 30 March 2009 - 05:28 PM.

Regards,
Jason



#13 tia08

tia08

  • Members
  • 191 posts
  • OFFLINE
  • Local time:05:28 AM

Posted 31 March 2009 - 03:28 AM

I am trying to install that on my system, but it said it's not supported on my computer.
I am trying to install it on my Windows Vista 32-bit.

Edit: it actually says "this update doesn't apply to your system".

Edited by tia08, 31 March 2009 - 04:23 AM.


#14 jntkwx

jntkwx

  • Malware Response Team
  • 4,339 posts
  • OFFLINE
  • Gender:Male
  • Location:New England, U.S.A.
  • Local time:06:28 AM

Posted 31 March 2009 - 07:18 AM

I am trying to install that on my system, but it said it's not supported on my computer.
I am trying to install it on my Windows Vista 32-bit.

Edit: it actually says "this update doesn't apply to your system".


Hi tia08,

Try scrolling down the page and clicking on Windows Vista and Windows Vista Service Pack 1, to download KB958644. You could also check in Programs and Features under the Control Panel to see if you have KB958644 already installed. Better yet, if you haven't/don't know if you've updated Windows in a while, go to the Start orb, click on Windows Updates, and check for new updates to download and install all the latest updates (not just this one update). :thumbsup:
Regards,
Jason

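The replies in #12 and #14 above boil down to three checks a home or office user can make: is the MS08-067 fix (KB958644 on Vista) installed, is AutoRun turned off as US-CERT TA09-020A recommends, and can the machine still resolve security vendor sites (the "simple test" quoted from McAfee). The script below is an added example, not code from this thread or from any of the vendors it links; it only reads state and changes nothing. Assumptions: it uses the NoDriveTypeAutoRun policy value with 0xFF meaning "all drive types", the well-known service names wscsvc (Security Center), WinDefend (Windows Defender) and wuauserv (Windows Update), and a constructed list of vendor hostnames drawn from the sites this thread mentions.

```powershell
# Added example (not from the thread or any vendor): read-only checks for the
# defences the replies above describe. Run from an elevated PowerShell prompt.

# 1. MS08-067 patch. KB958644 is the Vista package number quoted in the thread;
#    on other Windows versions the KB number differs (see the MS08-067 bulletin).
$ms08067 = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($ms08067) {
    Write-Host "KB958644 (MS08-067) installed on $($ms08067.InstalledOn)"
} else {
    Write-Warning 'KB958644 not reported by Get-HotFix; run Windows Update and confirm MS08-067 is applied'
}

# 2. AutoRun policy. US-CERT TA09-020A uses NoDriveTypeAutoRun; 0xFF (255)
#    disables AutoRun for every drive type (assumed value, per that advisory).
$autorunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
)
foreach ($key in $autorunKeys) {
    $value = (Get-ItemProperty -Path $key -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($value -eq 0xFF) {
        Write-Host "$key : NoDriveTypeAutoRun = 0xFF (AutoRun disabled)"
    } else {
        $shown = if ($null -eq $value) { 'not set' } else { '0x{0:X}' -f $value }
        Write-Warning "$key : NoDriveTypeAutoRun is $shown; AutoRun still enabled for some drive types"
    }
}

# 3. The "simple test" from post #12: the worm interferes with DNS lookups for
#    security sites. Hostnames are a constructed sample (sites this thread names).
#    One or two failures are ordinary network noise; all of them failing is a signal.
$vendorSites = @('www.microsoft.com', 'www.symantec.com', 'www.mcafee.com',
                 'www.f-secure.com', 'www.bitdefender.com')
$failed = @()
foreach ($site in $vendorSites) {
    try {
        [void][System.Net.Dns]::GetHostAddresses($site)
        Write-Host "$site resolves"
    } catch {
        $failed += $site
        Write-Warning "$site failed to resolve: $($_.Exception.Message)"
    }
}
if ($failed.Count -eq $vendorSites.Count) {
    Write-Warning 'Every security-site lookup failed: treat as a possible infection, disconnect from the network and follow the cleaning guides linked in post #1'
}

# 4. Services the symptom list in post #1 says the worm disables. A stopped
#    service is a symptom to investigate, not proof of infection on its own.
foreach ($svc in 'wscsvc', 'WinDefend', 'wuauserv') {
    $s = Get-Service -Name $svc -ErrorAction SilentlyContinue
    if ($null -eq $s) { Write-Warning "$svc : service not found on this system"; continue }
    if ($s.Status -ne 'Running') { Write-Warning "$svc : $($s.Status)" } else { Write-Host "$svc : Running" }
}
```

Get-HotFix only lists packages installed through Windows Update or the standalone installer, so a missing KB958644 line on a machine patched by other means is worth confirming in Programs and Features, as post #14 suggests, rather than taken as final. The script deliberately does not attempt cleaning; if the DNS or service checks look wrong, the thread's advice to unplug the machine and post in the Am I Infected forum still applies.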


#15 Lloyd T

Lloyd T

  • Members
  • 853 posts
  • OFFLINE
  • Gender:Male
  • Location:Canada
  • Local time:06:28 AM

Posted 31 March 2009 - 02:46 PM

Might be interesting:

http://www.f-secure.com/weblog/archives/00001636.html
