Thread: The Eight Things You Need to Know about 'Conficker' Worm

  1. #1

    gone into the sunset

    Join Date
    Oct 2007
    Posts
    2,698

    The Eight Things You Need to Know about 'Conficker' Worm

    On Wednesday, April 1, the latest variant of the Conficker (also known as Downadup and Kido) worm will download new instructions. The sophistication of this worm and its botnet have many concerned, although the amount of legitimate concern is a matter of debate.

    If you're concerned, then here are the eight most important things to know about Conficker, updated on Monday morning:

    1. Researchers have discovered what they're calling a signature for Conficker, and developed a scanner based upon the technology.

    2. The overwhelming majority of systems infected with Conficker were infected through a vulnerability in the Windows RPC facilities. This vulnerability was patched in October. If you installed that patch before Conficker came out (late December '08) then you were protected and still are. If you haven't installed the update then it's essential that you do so. Windows Vista is technically vulnerable in this way, but the exploit is almost impossible to execute on it. Conficker is basically an XP problem.

    3. Conficker can also spread through network shares, including those that have weak passwords; the worm executes a "dictionary attack" in which a list of common passwords (think "password", "asdf", etc.) is used to gain access to the share. So if you find new executables on such drives they may be infected. Treat them as you would a program that got e-mailed to you unsolicited, and we hope that means you'll avoid it and report it to a network admin if you have one. A good anti-malware program will detect it at this stage.

    4. It follows from this advice that you are also better off by using complex and unobvious passwords, especially those that use both numerals and letters and especially if they include punctuation.

    5. Conficker can also spread by putting itself on removable drives like USB drives. When it does so it sets the Autorun on those drives to run itself. So if you insert such a drive you could, at the least, get a standard Windows Autoplay menu offering Conficker among its options. Sometimes it will disguise itself as the Windows option for opening Windows Explorer for the inserted drive. Once again, a good anti-malware program will detect it at this stage.

    6. Anti-malware software isn't perfect but it has a very high rate of success. Conficker is about as high-profile as malware gets; all the companies have it and understand it well, and so if you have anti-virus software and keep it up to date it's hard for you to get attacked.

    7. Conficker can interfere with the ability of Windows and anti-malware programs to update themselves. Ensure that they are doing so by checking the last update date/time of your anti-malware software and by checking Windows Update manually. Leave no critical updates uninstalled.

    8. Free Conficker/Downadup Cleaning Tools:


    * McAfee Stinger

    * ESet EConfickerRemover

    * Symantec W32.Downadup Removal Tool

    * F-Secure F-Downadup, FSMRT, more tools

    * BitDefender single PC and network removal tools

    * Kaspersky KKiller

    * Trend Micro

    If you use one of these tools to remove Conficker, immediately install the MS08-067 patch afterwards.


    * BitDefender

    * Symantec
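
Point 5 of the article above describes the worm setting Autorun on removable drives and posing as the folder-open choice in the AutoPlay menu. The following is an added example, not part of the original thread or article: a Python audit of the text of an `autorun.inf` file. The sample file contents, the lure-wording pattern and the function names are constructed for illustration.

```python
import re

# autorun.inf keys that make Windows run a program from the drive
EXEC_KEYS = {"open", "shellexecute"}
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")  # e.g. shell\open\command
# Assumed wording list: labels that imitate the built-in "open folder" choice
FOLDER_LURE = re.compile(r"open\s+folder|view\s+files|explore", re.I)

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        entries[key.strip().lower()] = value.strip()
    return entries

def audit_autorun(text):
    """List reasons this autorun.inf deserves a closer look (empty if none)."""
    entries = parse_autorun(text)
    runners = [k for k in entries if k in EXEC_KEYS or SHELL_CMD.match(k)]
    findings = [f"runs a program: {k}={entries[k]}" for k in runners]
    action = entries.get("action", "")
    # A program launcher whose menu text reads like folder browsing is the
    # disguise described in point 5.
    if runners and FOLDER_LURE.search(action):
        findings.append(f"AutoPlay label imitates folder browsing: {action!r}")
    return findings

# Constructed samples, not taken from a real drive
SAMPLE_SUSPICIOUS = r"""[AutoRun]
; constructed sample
action=Open folder to view files
open=placeholder.exe
shell\open\command=placeholder.exe
"""
SAMPLE_BENIGN = """[autorun]
label=Backup Drive
icon=drive.ico
"""

if __name__ == "__main__":
    for finding in audit_autorun(SAMPLE_SUSPICIOUS):
        print(finding)
```

To check a real drive, read the `autorun.inf` at its root as text and pass the contents to `audit_autorun`.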

  2. #2
    Drew Wilson's Avatar

    AKA IceCube

    Join Date
    Dec 2007
    Location
    Igloo Country?
    Posts
    9,660
    Isn't this just another MyDoom virus? I remember a couple of bugs floating around every year and it would cause global chaos.. and nothing ever really happened.

  3. #3
    drtoker's Avatar

    Zeropaid VIP

    Join Date
    Feb 2007
    Posts
    1,296
    Not sure about this one, but there have been several big worms that wreaked hav0k on the web, from Code Red to Nimda. Don't write it off before the time comes.
    Join the Ron Paul Revolution
    Ron Paul 2012

  4. #4
    Drew Wilson's Avatar

    AKA IceCube

    Join Date
    Dec 2007
    Location
    Igloo Country?
    Posts
    9,660
    Then I suggest that posting links to these solutions be in order here. :)

  5. #5

    gone into the sunset

    Join Date
    Oct 2007
    Posts
    2,698
    Quote Originally Posted by DrewWilson View Post
    Isn't this just another MyDoom virus? I remember a couple of bugs floating around every year and it would cause global chaos.. and nothing ever really happened.
    Virus Types and Origin

  6. #6
    Drew Wilson's Avatar

    AKA IceCube

    Join Date
    Dec 2007
    Location
    Igloo Country?
    Posts
    9,660
    Now that the trigger date has passed, looks like it's business as usual.

  7. #7
    Drew Wilson's Avatar

    AKA IceCube

    Join Date
    Dec 2007
    Location
    Igloo Country?
    Posts
    9,660
    Conficker worm still a threat despite lack of April Fool's action: security firms

    An internet worm that has computer and internet organizations worldwide up in arms against it had not yet revealed its next move by mid-Wednesday, but it should still be considered a threat, security firms say.

    Conficker C, the latest version of a worm also known as the "Downandup" worm, was scheduled to start using infected computers on April 1 to contact servers on the internet for further instructions or updates from its masters.

    As of noon, computer security firms Symantec and Websense reported that there had been limited activity from the worm Wednesday.

    "Conficker should still be considered a serious threat, however," said a statement from Websense. "There are millions of machines that are infected and the capability is definitely there for attackers to use the network for nefarious purposes."

    Yup, I was right. Another MyDoom virus.

  8. #8

    gone into the sunset

    Join Date
    Oct 2007
    Posts
    2,698
    Microsoft is offering $250,000 for information on the individual(s) who developed the worm.

  9. #9
    Drew Wilson's Avatar

    AKA IceCube

    Join Date
    Dec 2007
    Location
    Igloo Country?
    Posts
    9,660
    It's their right to do so. I'm thinking this worm was blown spectacularly out of proportion is all.

  10. #10
    carpefile's Avatar

    Chronic

    Join Date
    Aug 2003
    Location
    Omnipresent
    Posts
    1,414
    NAT router ftw. Everyone should have one.
    Nobody can start over and make a new beginning, but anyone can start today and make a new ending.

  11. #11
    Mels_Smileys45's Avatar

    JabberZombie

    Join Date
    Dec 2003
    Location
    Forman's Basement
    Posts
    16,236
    I wonder why they thought it was gonna get out of hand. How did they know it was supposed to receive instructions today? These people cannot be dumb enough to design a very well engineered virus and then make it predictable. They don't even seem to know exactly what it's going to do. It's either going to send all the collected data somewhere or is going to use all the drone PCs to launch an attack on the backbone of the internet and bring it down.

    One day there will be a virus that will launch a coordinated attack that will try and take a few key targets out but I don't know if this is it. I did see a news story on how they have found out China is planting a lot of viruses and they think they could be planning some sort of assault. The U.S. reported that millions of attacks are occurring a day trying to get into their systems. We are all gonna die!

    Hard as ever and here to make you people believe...as long as there is one person to hold hope and dream...A GOD...will never die!

  12. #12

    gone into the sunset

    Join Date
    Oct 2007
    Posts
    2,698
    Just over a week after its announced "wake-up call," the rumored "Conficker" worm comes out of its dormancy and storms right into the spotlight.

    Researchers at Trend Micro have been tracking the worm since its discovery, and found that yesterday, the worm had awakened, and was dumping mysterious payloads onto victims' computers. The payloads, suspected to be keyloggers of some sort, come in the form of a .sys file, hidden behind a complex rootkit. Due to heavy encryption, researchers are having a difficult time analyzing the code of the program.

    After locating a file in the Windows Temporary Files folder that contained a huge encrypted TCP response from a known Conficker host, they determined that the worm is most likely being transferred via P2P networks, making it nearly impossible to stop, but at the same time, limiting the disruption it will cause on the websites that victims visit.

    With between 3 and 12 million infected machines discovered, the creator(s) could have incredible control over a huge number of computers. By blocking security websites and security applications, it's also very difficult to remove if discovered.

    If you're one of the unlucky ones that have been infected, try your security applications first for removal. If you got even more unlucky and your security applications and websites have been blocked, there are manual removal instructions. The best guide available so far appears to be here: 411-Spyware's Conficker Removal Guide

    The best way to keep safe is to avoid going on 'sketchy' websites - stick to what you know, and don't download anything you don't have to. Always run an antivirus and antispyware application - run scans regularly in case the worm wasn't detected upon installation. Keep your wits about you; use common sense. Don't do anything you don't think is safe, and you'll more than likely stay safe.
