Conficker worm spikes, infects 1.1 million PCs in <24 hours

The Conficker worm is back with a vengeance, infecting over one million systems in the past 24 hours. The refined version of this malware scans networks for weakly protected machines and actively attempts to spread itself via USB thumb drives. Neither feature was present in the original version, and so far, the attack is working.


It has been over a month since we heard much about Conficker, but the worm has reappeared with a vengeance over the past seven days. According to Finnish security company F-Secure, more than one million PCs have been infected with the worm (also known as Kido or Downadup) in the past 24 hours, with a total of 3.52 million machines infected worldwide. According to F-Secure, that 3.52 million is a conservative estimate.

The problem isn't so much with the older version of Conficker (now known as Conficker.A) but with a new flavor, dubbed Conficker.B. Ars spoke with Roger Halbheer, Chief Security Advisor of Microsoft's EMEA (Europe, Middle East, and Africa); he's been monitoring (and writing) about the current spread of infections. The skyrocketing infection rate is actually being caused by several factors; Roger describes Conficker.B as a "beast," and Microsoft has built the following diagram to demonstrate how the worm functions.

Once run or given access to an unprotected machine, Conficker.B begins searching for other systems or shares within the local network that it can infect. Shared systems, removable drives, or unpatched systems are all eligible targets, as are machines with weak passwords. This last bit is an important new feature of Conficker.B; a complete list of the passwords it checks for can be found here. If Conficker.B manages to successfully guess a password, it moves in and continues hunting for new targets. Microsoft summarizes the new strain as follows:

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Roger confirmed that the Malicious Software Removal Tool (MSRT) has checked for and removed Conficker.B since December 29, 2008, but it's not possible to access any Microsoft website once Conficker.B has infected a system; the worm blocks access to multiple domains based on string identification. If you've got a system that's infected, you'll need to download the latest MSRT from Microsoft on a clean system and run it manually.

Not all AV scanners currently detect Conficker.B, even if they've been updated to detect Conficker.A—I don't have a list of specific solutions that can't currently catch the new worm, but all of Microsoft's antimalware/antivirus products—Forefront, OneCare, and the Online Safety Scanner—will find Conficker.B if it's present (and you somehow haven't noticed). If there's a scrap of good news in all this, it's that Conficker.B is not a subtle worm.

Roger has provided some additional coverage on the worm that may be useful. First and foremost, he recommends installing MS08-067—this will not remove an existing infection, but it will guard against attack from either version of the agent, provided you aren't using weak passwords.

When Conficker.A first appeared, we raised the question of whether or not Microsoft should force updates in certain situations, and what those situations might be. In this case, even unilaterally enforced updates wouldn't solve the problem of weak passwords, but it would have undoubtedly cut the number of new infections we are seeing today. The size of that reduction would be the point on which the value of forced updates would turn, and of course, that's the one thing we can't predict; there are holes in existing AV products that would allow Conficker.B through, and the worm will attack and infect machines using weak passwords. Depending on how you view the situation; this second strain could reinforce the need for mandatory updates or blow a hole in the argument.

Part of the reason for the problem, however, must inevitably come back upon the users, IT administrators, or managers that opted not to install the patch. As Roger writes: "If you decide not to roll out a security update which is so critical that we decide to go out of band, you play Russian Roulette with your network...The same is actually true if you do not run and maintain an appropriate Anti-Malware solution...Now, if we look at Conficker.B: This is really an ugly beast: You need just one infected machine in your network in order to have it spread across your network fast and aggressively. You can get it even through a USB-stick...it just needs one unpatched/infected machine."

Indeed. Based on the characteristics of a worm such as this, even mandatory updates would only be one facet of prevention.

Purpose of Conficker Worm Uncovered

Late yesterday, members of the Internet Information Security Consortium (I2SecC) working in conjunction with a cadre of white-hat hackers from around the globe were able to identify the purpose of the Conficker worm, which has been able to infect a large number of unprotected computers. Starting today, April 1, this network of compromised hosts will begin a massive denial-of-service attack on Web sites that do not pass validation as being fully standards compliant.

In order to ensure you do not fall victim to the worm’s botnet, I2SecC recommends immediate validation of the markup and supporting stylesheets for any Web site that you maintain and correcting any errors that are uncovered. As yet, it is unclear whether the worm will target sites that make use of non-standard DOM scripting; however, a message found by I2SecC researchers in an online forum believed to be from the worm’s creator or a close associate hints that it will: “your document.all are belong to us.”

Computer experts brace for ‘Conficker’ worm

Boston: A malicious software program that has infected millions of computers could enter a more menacing phase on Wednesday, from an outright attack to a quiet mutation that would further its spread.
Computer security experts who have analyzed the Conficker worm’s code say it is designed to begin a new phase on 1 April, and while it’s unclear whether it will unleash havoc or remain dormant, its stubborn presence is rattling businesses with multimillion-dollar budgets to fight cyber crime.
Conficker, believed to reside on 2 million to 12 million computers worldwide, is designed to turn an infected PC into a slave that responds to commands sent from a remote server that controls an army of slave computers known as a botnet.
“It can be used to attack as well as to spy. It can destroy files, it can connect to addresses on the Internet and it can forward your e-mail,” said Gadi Evron, an expert on botnets who helps governments protect against cyber crime.
But like many security experts, he doubts Wednesday will see a big attack.
The virus has been powerful enough to attack infected computers for months by exploiting weaknesses in Microsoft’s Windows operating system. Evron and several other analysts said Wednesday’s change could simply give Conficker enhanced functionality, possibly making it more dangerous.
“This is the electronic equivalent of being told there is a major storm that has a 20 percent chance of hitting,” said Mark Rasch, an executive at Secure IT Experts who spent 25 years prosecuting computer crimes at the U.S. Department of Justice.
“It’s not time to hide in the bunker. But it might be prudent to look out the window,” he added.
In February, Microsoft announced it was offering a $250,000 reward for information leading to the arrest and conviction of whoever is responsible for creating Conficker, saying the worm constituted a “criminal attack.”
FEARS OF ID THEFT
Botnets are a major worry because they can surreptitiously steal identities, log sensitive corporate information, credit card numbers, online banking passwords or other key data users of infected PCs type on their keyboards.
The information is often sold to criminal rings.
“Most malware we see in this day and age is very concerned with stealing information and making money for the author,” said Dave Marcus, a researcher with security-software maker McAfee Inc’s Avert Labs.
Experts said Conficker’s authors might gradually change the way it communicates to avoid attention and to prevent companies from putting in place safeguards such as those used to fight the worm since it first surfaced last year.
Microsoft released a patch to protect against the worm late last year, while anti-virus software companies offer software to sniff it out and destroy it. Such tools can be expensive.
Technology research firm Gartner Inc estimates businesses will spend $13.6 billion on security software this year excluding costs for related labor, services and hardware. While some consumer anti-virus software packages are available for free, others run as high as $80 each.
Security experts suspect Conficker originated in the Ukraine, based on its code. The FBI is working to shut it down but a spokesman declined to comment on its investigation.
“The public is once again reminded to employ strong security measures on their computers,” said Shawn Henry, assistant director of the Federal Bureau of Investigation’s cybercrimes division.
Independent security firms such as McAfee, Symantec Corp and Trend Micro Inc say they will closely monitor cyberspace on Wednesday to see how the worm mutates but will also watch closely over coming weeks as the hype fades.
“I don’t expect much to happen on April 1st. That’s the one day I would not do it. That’s the one day everybody is watching for something to drop,” said Joe Stewart, director of malware research at SecureWorks. “It’s just another small step in whatever the end game is.”

McAfee, Inc. speaks on Conficker worm

In response to growing concerns from the public and the media about the possible threat that may be unleashed by the Conficker worm on April 1st, McAfee, Inc. (NYSE: MFE), the leading Internet security company, today took steps to allay fears and offer some simple guidelines for consumers and businesses to ensure they are fully protected.

What is the Conficker worm?
Conficker first surfaced late last year, taking advantage of a security flaw in Microsoft’s Windows operating system to spread itself. Microsoft provided an emergency fix for the vulnerability last October with Security Update MS08-067. However, because many systems were not patched or properly protected with security software, Conficker has slithered onto as many as 12 million Windows computers, according to some estimates.

Some experts believe that one variant of the worm, Conficker.C, may activate on April 1 and start another assault on Windows computers. Computers infected with Conficker become part of an army of compromised computers and could be used to launch attacks on Web sites, distribute spam, host phishing Web sites or other criminal activities. Additionally, once it is on a computer, Conficker digs itself in by attempting to deactivate security software and sabotaging tools to remove it.

How do I know if I’m affected?
“One of the symptoms of this worm is that it blocks access to Web sites of Internet security companies,” says Dave Marcus, of McAfee Avert Labs. “A pretty good indication of whether your computer has been infected is to try and visit McAfee’s Web site: www.mcafee.com. If the site won’t load, you will need to clean your infected computer by searching for McAfee® Avert® Labs Stinger tool on the Internet. You should also install Microsoft’s patch to prevent the worm from reinstalling itself.”

As Conficker blocks popular security Web sites, including www.mcafee.com, users should search for “stinger virus removal” on the Internet, if they are unable to obtain it from McAfee’s Web site. Alternatively, users may transport the Stinger tool via a USB stick from an uninfected computer.

McAfee has released a free tool that will help assess multiple computers for the presence of Conficker. This new tool, termed ConTest, may be downloaded at no charge at http://www.mcafee.com/us/enterprise/confickertest.html.

Removing Conficker and preventing re-infection
Anti-malware solutions will clean the infection and use behavioral detections techniques like buffer overflow protection to prevent future infections. This is important because Conficker can propagate via portable media such as an infected USB drive. As the drive is accessed, the system processes autorun.inf and executes the attack. And finally, ensure all computers have Microsoft Security Update MS08-067 installed.

For more information on the Conficker worm and how users can protect themselves, visit http://www.mcafee.com/us/threat_center/conficker.html.

McAfee, Inc., headquartered in Santa Clara, California, is the world's largest dedicated security technology company. McAfee is relentlessly committed to tackling the world's toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse and shop the web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. http://www.mcafee.com

Conficker Domain Information

I wanted to follow up our recent Conficker post from last Friday where we posted new pages to consolidate our information on Conficker for enterprises and consumers. We’ve also made the easy-to-remember URL www.microsoft.com/conficker available that will take you directly to the Conficker page for enterprises.

We’ve shared some additional information today with our Microsoft Active Protections Program (MAPP) partners and our Microsoft Security Response Alliance (MSRA) partners. We believe that this information can be helpful for some of you as well, so we’re posting it here on the MSRC weblog as well.

We’ve seen that the Conficker worm will try every three hours to connect to specific domains over HTTP, a behavior sometimes referred to as “phoning home.” Conficker doesn’t carry a list of static domains, instead the domains that it connects to are generated by the malware through a specific algorithm. Because our Microsoft Malware Protection Center (MMPC) colleagues and others in the security community have successfully reverse-engineered this algorithm we can share what we’ve learned from that with you and others in the industry more broadly.

Most importantly, understanding this behavior and the algorithm gives us (and you) some additional options in combating Conficker.

First, it may be possible to identify infected hosts on your network if you’re able to log outbound traffic and then analyze those logs. If you see an entry in your logs for one of your systems connecting to one of these domains, that system may be infected by Conficker.

Second, you can also use this information that to block access to those domains at your network perimeter by adding these domains to any “block lists” you might have.

To help make it easier to use this domain information, we’ve gone ahead and made a list of domains available in a zipped text file available at the bottom of this post.

The text file is a list of domains that a system infected with Worm:Win32/Conficker.A or Worm:Win32/Conficker.B may try to contact. It is a list of comma-separated values (CSV) and lists out the specific Conficker variant that will try to use that domain, the date it will attempt to contact the domain, an arbitrary index number, and finally the domain itself.

As an example, here is an excerpt from the list of domains that Conficker may try to contact today, Feb. 12, 2009:

Variant, Date, Index, Hostname
A, 02/12/2009, 0, puxqy.net
A, 02/12/2009, 1, elvyodjjtao.net
A, 02/12/2009, 2, ltxbshpv.net
A, 02/12/2009, 3, ykjzaluthux.net
A, 02/12/2009, 4, lpiishmjlb.net
A, 02/12/2009, 5, arpsyp.com
A, 02/12/2009, 6, txkjngucnth.org
A, 02/12/2009, 7, vhslzulwn.org
A, 02/12/2009, 8, jcqavkkhg.net
A, 02/12/2009, 9, dmszsyfp.info
. . .

B, 02/12/2009, 0, tvxwoajfwad.info
B, 02/12/2009, 1, blojvbcbrwx.biz
B, 02/12/2009, 2, wimmugmq.biz
B, 02/12/2009, 3, fwnvlja.org
B, 02/12/2009, 4, umgrzaybbf.ws
B, 02/12/2009, 5, btgoyr.cc
B, 02/12/2009, 6, zboycplmkhc.cc
B, 02/12/2009, 7, qsqzphbn.biz
B, 02/12/2009, 8, xqdvmavs.cn
B, 02/12/2009, 9, wgrrrr.biz

So, if you have logging that includes the domain names being resolved externally, you can scan those logs for entries with these domain names in them.

Additionally, you can also look for log entries that match the following patterns. An example of entry from a system infected by Worm:Win32/Conficker.A where the domain ykjzaluthux.net resolves to 192.168.1.34 might look like:

http://192.168.1.34/search?q=1003&aq=7

and an example of entry from a system infected by Worm:Win32/Conficker.B where the domain qsqzphbn.biz resolves to 192.168.1.35 might look like:

http://192.168.1.35/search?q=328924

We hope you find this information helpful.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

Updated 3/2/2009 to clarify how the domain list can be used to scan logs and the format for log entries for infected systems

Protecting Yourself From Conficker

There are three crucial steps that you need to take to protect your computer from Conficker (and other viruses). The first step is to make sure that your Windows Operating System is fully patched. The second step is to disable Autoplay. The third is to make sure that you are running antivirus software that is up to date.
Patching your Windows Operating System
Microsoft has responded to some of Conficker's techniques for infecting computers by patching the Windows operating system. If you are completely up to date with all of your Windows Updates, then you have already put these protections in place. If you aren't up to date, you need to make sure that you have installed the patches discussed in KB958644 and KB967715. The easiest way to get all of the updates needed to stop Conficker is to visit http://update.microsoft.com and make sure that the latest updates have all been installed. For future updates, simply enabling Automatic Updates ensures that your computer stays patched.

Disabling Autoplay
Because the Conficker virus masks itself in the Autoplay window that appears when a new disk is inserted, disabling Autoplay also helps protect you from the Conficker virus. For this reason, CITES Security strongly recommends disabling the Autoplay feature in Windows.
For more information about how to disable Autoplay, see:
Vista instructions (simple)
XP instructions (simple)
Microsoft Knowledge Base (advanced, with patch links)

Running up-to-date Antivirus Software
Security companies that make antivirus software are doing their best to keep up with Conficker and its mutations. If your computer is acting oddly, or if you just want to double check that your computer is free from Conficker, you should download the latest antivirus update and then run a full scan of your computer.

Experts are warning that hackers have yet to activate the payload of the Conficker virus.

The worm is spreading through low security networks, memory sticks, and PCs without current security updates.
The malicious program - also known as Downadup or Kido - was first discovered in October 2008.
Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.
Speaking to the BBC, F-Secure's chief research officer, Mikko Hypponen, said there was still a real risk to users.
"Total infections appear to be peaking. That said, a full count is hard, because we also don't know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs world wide.
"It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights.
"But they haven't done that yet, maybe they're scared. That's good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect."
Experts say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch. The patch is known as KB958644.

Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.
"Microsoft did a good job of updating people's home computers, but the virus continues to infect business who have ignored the patch update.
"A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.
"What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order," he added.
"But as the virus can be spread with USB memory sticks, even having the Windows patch won't keep you safe. You need anti-virus software for that."
Method
According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.
It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.
Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.
Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.
But Conficker does things differently.

Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.
Variant
Speaking to the BBC, Kaspersky Lab's security analyst Eddy Willems said that a new strain of the worm was complicating matters.
"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems
"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism.
"Of course, the real problem is that people haven't patched their software," he added.
Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.

Conficker virus quiet on deadline day, but threat remains

San Francisco - Conficker, the April Fool's worm, began contacting pre-designated websites for instructions on Wednesday, and while no malicious instructions had been downloaded, security researchers warned that the virus could still wreak havoc at any time.
"It's like a loaded gun that could go off anytime," said Patrik Runald, chief security advisor of technology security firm F-Secure.
The virus allows its creators to take control of the machines and was programmed to start contacting a random selection of 500 of 50,000 new websites on Wednesday.
"Infected machines are now actively reaching out but there's nothing there," Runald said. "But just because nothing has happened so far doesn't mean the danger is over."
Researchers feared that the websites would upload new instructions to the infected computers that could turn them into a botnet, which would launch coordinated attacks flooding inboxes with spam and crippling internet sites.
Another danger, according to Runald, was that the computers would be programmed to steal users' sensitive data such as passwords and credit card numbers.
Runald told dpa, the German news agency, that researchers still had no real indication who was behind the worm. But he said that a coalition of security organizations, the Conficker Working Group, had succeeded in cutting down the number of infected computers from 10 million at the start of the year to between 1 million and 2 million now.
Runald advised people who suspected that their computers are infected to check confickerworkinggroup.org where a variety of free tools are available to identify and neutralize the Conficker virus. He warned against searching the internet for such tools, since many of the results offered on popular sites such as Google are in fact malware that can infect computers with other viruses.
Despite the success in reducing the number of infected computers Runald said that researchers were still in the dark about the virus.
"We are not even close to identifying who is behind the virus. There is no indication of who they are or what their motive is," he said. "We don't know why they are developing something so sophisticated and they are not even trying to make money from it."

Conficker Virus update and helpful hints

Conficker is scheduled to go "live" on April 1, but whoever's controlling it could choose not to wreak havoc but instead do absolutely nothing, waiting for a time when there's less heat. They can do this because the way Conficker is designed is extremely clever: Rather than containing a list of specific, static instructions, Conficker reaches out to the web to receive updated marching orders via a huge list of websites it creates. Conficker.C -- the latest bad boy -- will start checking 50,000 different semi-randomly-generated sites a day looking for instructions, so there's no way to shut down all of them. If just one of those sites goes live with legitimate instructions, Conficker keeps on trucking.
Conficker's a nasty little worm that takes serious efforts to bypass your security defenses, but you aren't without some tools in your arsenal to protect yourself.
Your first step should be the tools you already have: Windows Update, to make sure your computer is fully patched, and your current antivirus software, to make sure anything that slips through the cracks is caught.
But if Conficker's already on your machine, it may bypass certain subsystems and updating Windows and your antivirus at this point may not work. If you are worried about anything being amiss -- try booting into Safe Mode, which Conficker prevents, to check -- you should run a specialized tool to get rid of Conficker.
Microsoft offers a web-based scanner (note that some users have reported it crashed their machines; I had no trouble with it), so you might try one of these downloadable options instead: Symantec's Conficker (aka Downadup) tool, Trend Micro's Cleanup Engine, or Malwarebytes. Conficker may prevent your machine from accessing any of these websites, so you may have to download these tools from a known non-infected computer if you need them. Follow the instructions given on each site to run them successfully. (Also note: None of these tools should harm your computer if you don't have Conficker.)
As a final safety note, all users -- whether they're worried about an infection or know for sure they're clean -- are also wise to make a full data backup today.
What won't work? Turning your PC off tonight and back on on April 2 will not protect you from the worm (sorry to the dozens of people who wrote me asking if this would do the trick). Temporarily disconnecting your computer from the web won't help if the malware is already on your machine -- it will simply activate once you connect again. Changing the date on your PC will likely have no helpful effect, either. And yes, Macs are immune this time out. Follow the above instructions to detect and remove the worm.
My helpful hints
Windows users we are safe from the upcoming virus happening tomorrow if all of you have updated your computer since March. Apparently Microsoft and our friend Bill Gates has sent updates to their security center on all computers to protect us from the virus that is happening tomorrow. So we are safe for now unless those idiots find a way to get around the Security measures.
If you have not protected your computer against this virus I advise you all to update immedately that way your computer will not be taken out by those douches who don't have nothing better to do than to screw around with our computers.
To update your computer go to Start Menu and then Mircosoft Update. It shouldn't take but 15 minutes-1 hour unless you ignore the updates.
MySpace and Facebook Users: Do not answer any messages or click any links like the ones that appeared here on DA. Thoes are the ones which starts the virus. Also people with Macs protect yourselves by keeping away from those sites for a while.
Don't download music from music sharing places such as Napster, Limewire or Kazza. Those are high risk areas at the moment. This virus will kill your computer.
The Windows updates are the only ways to make sure your computer can ride out any virus.
For laptop users and ones who are planning on getting a laptop make sure when you set them up to have Automatic updates always on. This way it'll update automatically and you won't have to update manually. It's a pain in the butt to update over 100 updates that you've ignored thinking it's not important to update.
The best virus scanning software to use are the followingMcAfeeNorton Antivirus
These two offer a 90 day free trial and you can also purchase them for a reasonable price after the trial runs out.
Those of you who are on the Comcast Cable internet service you will get Mcafee for free and it'll last forever.
Avoid online banking as much as possible. It is pretty dangerous since many banks have had security problems in the past and you do not want to lose your account numbers or money.
Online shopping is ok but check the security certificate on the sites. To do this you can right click and then scroll down to properties in the menu that pops up once you right click. If you have the Mcafee Tool bar and Site Advisor it will help as well.
Green sites mean they are valid and ok to browseRed Sites mean Get the hell out of there before your computer is hit hard.White sites mean they are unknown.

Conficker virus grounds French fighter planes

According to a report in the Daily Telegraph, translating earlier coverage from Ouest France, the Conficker bug infected French military computers so severely that in mid-January that navy's Rafale aircraft were grounded. The aircraft were apparently eventually fed their data through a secondary system. Meanwhile, the Navy -- which said through a spokesperson that it's thought the non-secured internal network was infected accidentally, via a thumb drive -- relied on fax, phone and snail mail to conduct many tasks.
The vulnerability Conficker exploits is in Windows Server. It was patched in an out-of-band fix from Microsoft back in October. The French Navy detected the infection on January 21 and began patching procedures, at one point instructing staff not to start their computers at all.

What is the Conficker Virus?

What is the Conficker Virus? The Conficker virus (aka Downup virus, Downandup virus, Conflicker virus, and Kido virus) is a worm. A worm is a type of virus that spreads itself through networks. Basically someone starts it up and it starts looking around a network that it is connected to - including the Internet - to find computers that are vulnerable to infection.
What computers are vulnerable to the Conficker virus? Any computer that is or has been connected to a network (including the Internet) and running the following version of Windows:
1. Windows 2000 (very vulnerable)2. Windows XP (very vulnerable)3. Windows Server 2003 (very vulnerable)4. Windows Vista (less vulnerable)5. Windows Server 2008 (less vulnerable)
Microsoft put out a patch to fix the vulnerability: Microsoft Security Bulletin MS08-067 - Critical. Computers that have had the patch applied, providing that the Conficker virus was not already on it, are not vulnerable to attack via a network.
What is the "vulnerability"? How can the Conficker virus gain access to a computer over a network? All computers that are able to share information over a network have programs running on as part of the operating system that "listen" for communications from the network. For instance, if a co-worker on another computer wants to access a folder on your computer they (through their computer) send a message to your computer asking to access the folder. The appropriate operating system component on your computer handles the request and gives access or denies access to the file based on whether you shared the file and gave the requestor permission to see it. The important thing to understand is that a program on the requesting computer makes contact with a program on the listening computer and gets the listening program to do something for it.
If the listening program mentioned above has a bug in it that can enable the requesting program to make it do unsavory things - like give the requesting program access to install itself on the receiving computer - then that would be a "vulnerability". In the case of the Conficker virus that is basically what was discovered - the program that lets you share folders and printers and other things on a Windows computer, called the Windows Server service, had a bug in it that would allow another program to get it to do things that would then allow a program to be installed over the network without anyone knowing about it.
What would protect me from the Conficker virus or similar viruses? If your network and computer are being protected by a properly configured firewall then you were really never at risk. If you applied the patch Microsoft put out for this vulnerability by running Windows updates then your Windows computer was not vulnerable for long and is no longer vulnerable. If you are running Windows Vista and have the UAC turned on (the thing that asks you "Confirm or Deny" whenever you try to install anything) then you are minimally at risk.
There are many ways to make a system more secure but basic security practices would have minimized your risk to this virus as well as similar ones:
1. Use a firewall - this will stop almost any worm attack.2. Stay on top of updating your operating system.3. Use an up-to-date antivirus program.
The above go a long way toward keeping you productive and safe from viruses.

Conficker virus test and worm continues to evolve

Here is a simple test to see if you have the Conficker worm virus, also known as Downadup, Kido. This worm that blocks access to more than 100 anti-virus and security websites. If you find that you are blocked from loading the remote images on the top table of those antivirus websites but not blocked from loading the images on the second row, chances are your Windows XP or Vista PC could be infected with the Conficker worm. For more information on this test, please visit The H security.
Back on April 1, 2009, the Conficker worm was meant to bring the Internet to its knees, but it did not turn out to be as bad as that. The virus continues to evolve in ways that have left security experts wondering what is going on, and what the worm’s maker’s goals could be.
Business Week said that just yesterday Symantec and Trend Micro issued an updated report of the Conficker worm. Symantec said that the most recent modifications to the worm, also known as W32.Downadup had given itself instructions to disable itself on May 3.

The Conficker virus scare graph

The Conficker virus was supposed to start working its sinister magic on April 1. Were people really worried? Sure looks like it.
Check out this graph from Google Insights for Search. It includes the terms “virus” and “conficker” for the last 30 days. (We’ve done some highly advanced editing with Snagit to make it even clearer.)

Considering the anti-climax that was Conficker (at least so far, knock on wood), we’re tempted to draw parallels with the Y2K bug build-up…

Conficker virus evolves to spam and steal data

The Conficker worm (also known as Downadup and Kido) has been with us since October 2008. Yet we still don’t know what the ultimate aim of the virus is. However, a new variant is now spreading via peer-to-peer that suggests Conficker is set to evolve and start spamming and stealing sensitive data. In other words, it’s a nasty little thing to have on your computer.
Conficker is a particularly nasty worm which works by exploiting a bug in the Windows operating system. Microsoft issued an urgent security update to fix the problem and plug the hole soon after the worm was discovered. The problem is that once infected the virus prevents you from updating your system, either Windows or in a lot of cases anti-virus software too.
Once installed on a system Conficker communicates with various domains on the Internet and updates itself. There was intense speculation that the Conficker worm would deliver its payload and start wreaking havoc on April 1. However, that date came and went without incident.
Here we are a week later and the thing has come alive with a vengeance. According to CNET, things started to happen on April 8, the result of which has helped security analysts connect Conficker with a botnet called Waledac. If the two are linked as supposed it would mean Conficker is likely to be intended to both spam infected users and to steal their data such as bank details.
The new Conficker Variant.E updates Variant.C with encrypted software. The update is being rolled-out gradually so as not to alert people to the presence of the virus or of the new installations. Researchers aren’t yet aware of what the payload is but they have concluded it’s linked to the well-known Waledac virus.
Waledac is a malicious program that turns PCs into spam relays, steals data, and opens up the computer to remote operation. This suggests the two programs were created and are being spread by the same people and gives clues Conficker’s ultimate aim.
Despite the publicity surrounding Conficker, how to detect it, and to remove it, an estimated one to two million PCs are thought to be infected. With the virus starting to evolve in order to do the damage that’s been planned, now is the time to safeguard yourself. Download and install Security Update MS08-067 and run the latest Malicious Software Removal Tool to ensure your system hasn’t been compromised.

Conficker virus strengthens defences but hasn't attacked

COMPUTER security experts around the world watched warily as the dreaded Conficker worm squirmed deeper into infected machines with the arrival of the trigger date, April 1st.
The malicious software evolved, as expected, from East to West, beginning in time zones first to greet April Fool's Day.
"Planes are not going to fall out of the sky and the internet is not going to melt down," said threat analyst Paul Ferguson of Trend Micro.
"The big mystery is what those behind Conficker are going to do. When they have this many machines under their control it is kind of scary. With a click of a mouse they could get thousands of machines to do whatever they want."
Microsoft has formed a task force to stamp out the worm, known as Conficker or DownAdUP, and put a bounty of $US250,000 on the heads of those responsible for it.

Mutating code

The worm was programmed to modify on April 1, becoming harder to stop by generating bigger daily lists of websites and reaching out to 500 of those each day. Some infected machines will get cues from websites with Greenwich Mean Time and others based on local clocks.

Conficker task force members tracking today's internet traffic in Asia and Europe said there was no sign that the worm was doing anything other than modifying itself to be harder to exterminate.
Computer security specialists warn that the Conficker threat will remain even if April 1 passes without it causing trouble.
"It doesn't seem to be doing anything right now," Mr Ferguson said.
"I hope April 1st comes and goes with no trouble. But, there is this loaded pistol looming large out there even if no one has pulled the trigger."
The hackers behind the worm have yet to give it any specific orders. An estimated one to two million computers worldwide are infected with Conficker.
Addressing the threat
The FBI said it is working with the Department of Homeland Security and other US agencies to "identify and mitigate" the Conficker threat.
It can infect machines from the internet or by hiding on USB memory sticks carrying data from one computer to another.
Malware could be triggered to steal data or turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.
Microsoft has modified its free Malicious Software Removal Tool to detect and get rid of Conficker, which was first detected in November 2008.
The infection rate has slowed from a fierce pace earlier this year, but computers that are not updated with a Microsoft software patch remain vulnerable, according to security specialists.
One of the ways to tell if a computer is infected is that the worm will block efforts to connect with security firm websites such as Trend Micro or Symantec where there are online tools for removing the virus.
Cyber-criminals have taken advantage of Conficker hype by promising information or cures to lure users to websites booby-trapped with malicious software.
Lying in wait
The publicity surrounding the predicted April 1 attack date had likely caused Conficker’s creators to hold back on unleashing any malware, Robert Pregnell of Symantec Security Response said.
“In order to be successful these attacks need to stay under the radar and the profile given to it runs contrary to that,” he said.
“Everybody was waiting for it so it is fair to say it would be better, in the interest of the virus writers, to let this focus pass over and pull the lever when people least expect it.”
Mr Pregnall warned against complacency saying the infected computers were still vulnerable to attack.
“If you let this virus onto your computer it’s like you’ve logged into your PC and said to a stranger ‘Do whatever you want to do on it,’” he said.
Microsoft Australia’s Strategic Security Advisor Stuart Strathdee said Conficker was not predicted to be a broad threat to the internet.
He said any Microsoft users concerned about Conficker should visit http://www.microsoft.com/protect or call 132 058.

What does the Conficker worm do?

We don’t know the purpose of the Conficker worm. Today the worm has created an infrastructure that the creators of the worm can use to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It receives further instructions by connecting to a server. The instructions it receives may include to propagate, gather personal information and to download and install additional malware onto your computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.

The Conficker worm has infected millions of Windows computers—and one variant is set to be unleashed on April 1st, 2009. Here’s what you need to know to keep yourself safe.

What is the Conficker Worm?

Microsoft released an update in October to resolve a critical security hole in the Windows “Server” service. Since people aren’t as diligent about patching as they should be, hackers created a new worm that spread like wildfire, leaving systems completely under their control. Security researchers have determined that one variant of the virus is expected to go “live” and start trying to download new payloads on April 1st, 2009, potentially causing your computer to do bad things—but since the worm uses a P2P protocol it’s nearly impossible to identify the source.

How Does It Spread?

The worm originally started spreading using a network attack against the file sharing services in Windows, but since it can automatically update itself, it adapted to spread through the autoplay feature on removable media like USB thumb drives, by adding a new option to open where you see “publisher not specified”. This allows the worm to spread to systems already patched against the original vulnerability, so using anti-virus software is even more important, because once it’s on your computer it can spread further.

Is My Computer Affected?

Most anti-virus software has already been able to detect and remove the Conficker worm for a while now, so you are probably not at risk as long as you keep up with your updates and have real-time scanning enabled.

To actually detect and remove the worm, you can use the freely available Microsoft Windows Malicious Software Removal Tool that can remove a large number of viruses—for a full guide, I’ve also written an article on how to scan and remove malicious viruses.

How Do I Stay Safe?

Staying safe from this, and many other viruses and worms, requires a combination of keeping your computer updated and using anti-virus software. Here’s a couple of quick tips to follow:

• Make sure your system is fully patched using Windows Update, and update MS08-067 has been applied.
• Make sure your anti-virus is fully updated, enabled, and you’ve run a full scan.
• Make sure you are using strong passwords.
• Disable the AutoPlay feature—which Conficker uses to infect systems.
• Make sure your firewall is enabled when you are on untrusted networks.
• Make sure your data is backed up—if you aren’t sure what to use, see our five best Windows backup tools.

Keeping your system and your data safe is extremely important, so make sure to take some time out of your day to keep your system patched, updated, and virus-free. Hit the link for Microsoft’s explanation of the situation, or check out my article on scanning and removing malicious viruses for the walk-through approach. Protect yourself from the Conficker computer worm [Microsoft]

Conficker Worm Threat Still There

April 1 has passed and no major cyber attacks from the Conficker worm occurred yet. However, most experts said the threat is still there. What you need to know is that you don’t need to panic. You can do something to prevent your computer from being infected and you should do it.

The Conficker worm has been called the largest worldwide computer infection since the SQL Slammer which hit the Internet in 2003. This was said by the Conficker Working Group, which includes 27 major tech companies such as AOL, F-Secure, Facebook, ICANN, Kaspersky, McAffee, Microsoft, Symantec and several others.

Estimations on the number of computers that have been infected are various. According to the aforementioned group, the number could be somewhere between 3 and 15 million worldwide and it would most likely grow because only 30 percent of the computers running on Windows are updated with the latest patches that would prevent them from being infected.

Now that on April 1 the infected computers began using a sample of 500 out of pre-programmed 50,000 domains a day to search for upgrades, the number of infected PC’s was much easier to estimate. According to Vietnamese antivirus firm Bkis, about 1.3 million machines have the first type of Conficker and the overall number of infected computers is somewhere around 2.2 million, The Register reported.

According to IBM Internet Security Systems' X-Force team, one out of every 25 Internet addresses that send potentially dangerous data over the Internet is infected with Conficker.c.

Protect Your Computer Before Conficker Worm Attacks

ATLANTA -- The fast-moving Conficker computer worm, a scourge of the Internet that has infected at least 3 million PCs, is set to spring to life in a new way on Wednesday — April Fools' Day.That's when many of the poisoned machines will get more aggressive about "phoning home" to the worm's creators over the Internet. When that happens, the bad guys behind the worm will be able to trigger the program to send spam, spread more infections, clog networks with traffic, or try and bring down Web sites.

Technically, this could cause havoc, from massive network outages to the creation of a cyberweapon of mass destruction that attacks government computers. But researchers who have been tracking Conficker say the date will probably come and go quietly.

More likely, these researchers say, the programming change that goes into effect April 1 is partly symbolic — an April Fools' Day tweaking of Conficker's pursuers, who for now have been able to prevent the worm from doing significant damage.

"I don't think there will be a cataclysmic network event," said Richard Wang, manager of the U.S. research division of security firm Sophos PLC. "It doesn't make sense for the guys behind Conficker to cause a major network problem, because if they're breaking parts of the Internet they can't make any money."

Previous Internet threats were designed to cause haphazard destruction. In 2003 a worm known as Slammer saturated the Internet's data pipelines with so much traffic it crippled corporate and government systems, including ATM networks and 911 centers.

Far more often now, Internet threats are designed to ring up profits. Control of infected PCs is valuable on the black market, since the machines can be rented out, from one group of bad guys to another, and act as a kind of illicit supercomputer, sending spam, scanning Web sites for security holes, or participating in network attacks.

The army of Conficker-infected machines, known as a "botnet," could be one of the greatest cybercrime tools ever assembled. Conficker's authors just need to figure out a way to reliably communicate with it.

Infected PCs need commands to come alive. They get those commands by connecting to Web sites controlled by the bad guys. Even legitimate sites can be co-opted for this purpose, if hackers break in and use the sites' servers to send out malicious commands.

So far, Conficker-infected machines have been trying to connect each day to 250 Internet domains — the spots on the Internet where Web sites are parked. The bad guys need to get just one of those sites under their control to send their commands to the botnet. (The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to.)

Conficker has been a victim of its success, however, because its rapid spread across the Internet drew the notice of computer security companies. They have been able to work with domain name registrars, which administer Web site addresses, to block the botnet from dialing in.

Now those efforts will get much harder. On April 1, many Conficker-infected machines will generate a list of 50,000 new domains a day that they could try. Of that group, the botnet will randomly select 500 for the machines to actually query.

The bad guys still need to get only one of those up and running to connect to their botnet. And the bigger list of possibilities increases the odds they'll slip something by the security community.

Researchers already know which domains the infected machines will check, but pre-emptively registering them all, or persuading the registrars to neutralize all of them, is a bigger hurdle.

"We expect something will happen, but we don't quite know what it will look like," said Jose Nazario, manager of security research for Arbor Networks, a member of the "Conficker Cabal," an alliance trying to hunt down the worm's authors.

"With every move that they make, there's the potential to identify who they are, where they're located and what we can do about them," he added. "The real challenge right now is doing all that work around the world. That's not a technical challenge, but it is a logistical challenge."

Conficker's authors also have updated the worm so infected machines have new ways to talk to each other. They can share malicious commands rather than having to contact a hacked Web site for instructions.

That variation is important because it shows that even as security researchers have neutralized much of what the botnet might do, the worm's authors "didn't lose control of their botnet," said Michael La Pilla, manager of the malicious code operations team at VeriSign Inc.'s iDefense division.

The Conficker outbreak illustrates the importance of keeping current with Internet security updates. Conficker moves from PC to PC by exploiting a vulnerability in Windows that Microsoft Corp. fixed in October. But many people haven't applied the patch or are running pirated copies of Windows that don't get the updates.

Unlike other Internet threats that trick people into downloading a malicious program, Conficker is so good at spreading because it finds vulnerable PCs on its own and doesn't need human involvement to infect a machine.

Once inside, it does nasty things. The worm tries to crack administrators' passwords, disables security software, blocks access to antivirus vendors' Web sites to prevent updating, and opens the machines to further infections by Conficker's authors.

Someone whose machine is infected might have to reinstall the operating system.

Conficker worm quiet so far

Computer hackers are playing an evil prank this April Fool's Day. They've unleashed a computer worm called Conficker, that is no joke.

So far, the worm hasn't done much. But Conficker has a feature that makes it worse than other worms, and April Fool's Day was when it was supposed to do 'something.' Nobody knows exactly what.

A worm is a form of computer virus, a program that automatically makes copies of itself, that are sent on to other computers.

A worm could burrow into your computer and steal your bank account information, use your computer to launch attacks on others, or do other nasty things.

What will Conficker do?

Security experts at SecureWorks, Inc in Horry County aren't sure, but they do know April Fool's Day is the date the worm was programmed to get new instructions.

"The April 1st time is basically just a change in when it's trying to reach one set of computers to get this new set of instructions to try to reach out to a new set of computers," said Joe Stewart, SecureWorks, Inc.

Stewart isn't convinced Conficker will be all that bad.

He says there's always media hype about computer bugs that come attached to a specific date.

What does make this worm a little worse than others, is that it blocks your ability to reach Microsoft or other anti-virus web sites that have potential fixes for the worm.

But, that feature also makes it easier to tell if your computer is infected.

"If you can still get to Microsoft, then you're probably fine and nothing is going to happen at all for you," said Stewart.

Stewart says Microsoft and other big names in the computer security business are watching Conficker closely, and if this worm emerges or heads back into its hole, they'll know it right away. "All the attention is focused. Everybody is looking for something to happen April 1st, and it probably won't."

If your computer is infected and you can't reach an anti-virus web site for a fix, find a friend whose computer isn't infected. Ask that friend to e-mail you a link to one of those web sites.

From there, it's pretty easy to kill that worm.

The Conficker worm has infected up to 10 million computers worldwide.

Conficker Worm: Not Finished Yet

April 1 has come and gone, and the Internet has not disintegrated and no major cyber-attacks were reported. But Conficker still remains a threat. Now don't panic, this doesn't mean cyber-Armageddon could strike at any minute, it just means you need to make sure your computer is fully updated if it isn't already. Feel better? Good, then let's take a look at what's going on.

Why It Ain't Over Yet

The Conficker Working Group -- which is made up of 27 tech companies and agencies including AOL, F-Secure, Facebook, ICANN, Kaspersky, McAffee, Microsoft, Symantec -- says that Conficker, also known as Downup, Downadup, and Kido, is the largest worldwide computer infection since the SQL Slammer in 2003. The CWG estimates anywhere from 3 to 15 million computers are infected worldwide, and says 30 percent of Windows computers across the globe are not updated with the latest patches to protect against Conficker. The virus authors are also still at large and able to communicate with Conficker, although that capability has been significantly reduced.

Problem Spots

As you can see from this map provided by the CWG, Conficker infections in the United States are happening pretty much everywhere you can find an Internet connection. However, despite all that ominous-looking red, only 6 percent of Conficker infections are in North America. The biggest problem areas are actually concentrated in Asia and South America including Vietnam, Brazil, the Philippines, and Indonesia, as well as Algeria.

The hardest hit areas may also have a correlation to the number of unpatched Windows computers since Asia, Eastern Europe, and South America are areas known to have widespread use of pirated Windows software.

Since most Windows users with pirated software have automatic updates turned off to avoid Microsoft's piracy detection, those users typically remain vulnerable to Conficker. So the risk from Conficker continues, even though Microsoft allows critical updates for pirated copies of Windows.

What Conficker is Doing

Yesterday, Conficker began its daily exercise of contacting 500 Web sites from a randomly generated list of 50,000 sites. Conficker will continue to do this every day until it receives instructions to do something else. Further instructions could be a simple software update or the infected computers could work as a botnet to commit theft or attack other computer networks. The problem is that while security and IT professionals are working to block Conficker from getting further instructions, they haven't been able to block all Conficker traffic. So some infected machines have gotten through, but luckily further instructions haven't been issued, yet. Conficker's authors may be laying low until publicity surrounding Conficker dies down before contacting their creation.

If Conficker is updated or receives further instructions, that capability could pass between infected machines without further need of a server or Web site, because Conficker uses a peer-to-peer (p2p) protocol to communicate with other infected machines. That's right, Conficker is file-sharing. With p2p, the worm can distribute software updates much faster than if every infected machine had to communicate with a main server.

The Final Countdown?

Does this mean the world could still end? Probably not, and that was never the concern with Conficker despite the doomsday scenarios you may have read. The fact is that most security experts believe that Conficker is just a typical botnet worm that can be used for identity theft or to commit other forms of cybercrime. Conficker is most likely controlled by an organized crime syndicate in Asia, Eastern Europe, or South America, and the group may even rent out Conficker's capabilities if the botnet every becomes active.

Conficker is a threat only if your computer does not have the latest security patches from Microsoft and an up-to-date antivirus program.

A few simple steps can protect you against Conficker Worm

Advice to Stay Safe from the Downadup Worm:

1. Run a good security suite (we are partial to Norton Internet Security 2009 and Norton 360 Version 3.0).
2. Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
3. Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
4. Turn off the “autorun” feature that will automatically run programs found on memory sticks and other USB devices.
5. Be smart with your passwords. This includes

- Change your passwords periodically
- Use complex passwords – no simple names or words, use special characters and numbers
- Using a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.
- Use a passwords management system such as Identity Safe

FAQ
Q: What should I do if my PC is infected?

A: If you have a computer that is infected, you will need to use an uninfected computer to download a specialized Conficker removal tool from. The tool is available here.

Q: Am I safe if I don’t go to questionable web sites?

A: No. The Conficker worm seeks out computers on the same network. You can be in a coffee shop, an airport or in the office and the worm will quietly try to attach to your computer and run itself.

Q: How do I know if I am infected?

A: The best way to know if you are infected is to run a good antivirus product. One symptom that may indicate you are infected is finding that your computer is blocked from accessing the web sites of most security companies.

Q: Can’t I just run free antivirus software?

A: Yes, but free products often aren’t thorough or comprehensive. Worse, the internet is overflowing with fake free security scanners that actually infect your computer. Fake scanners such as “Antivirus 2008” are difficult to identify and have plagued hundreds of thousands of users around the world.