art22gg (Premium, join:2005-02-16, Courtenay, BC, kudos:4):
Major Attack April Fools Day--Conficker "C" Worm
The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthier than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations while the worm is currently dormant.
If it establishes a foothold anywhere in the network, it can even spread to systems that are patched with MS08-067 if they are insecure in other areas (i.e., it uses multiple attack methods).
Please take precautions now, as this one will be even more difficult than "B" was to clean.
Conficker.C Worm - Major Attack targeted for April Fools Day
»techfragments.com/news/629/Softw···ead.html
»arstechnica.com/security/news/20···tion.ars
»www.maximumpc.com/article/news/t···ools_day
»news.cnet.com/8301-1009_3-10196122-83.html
»www.ca.com/us/securityadvisor/vi···id=77976
QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:
•Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
•Creating access control entries and locking the file(s)
•Registering dummy services using a "one (name) from column A, one from column B, and two from column C" method
Conficker.C's payload makes it harder than ever to recover from being infected:
•Deactivates Windows Security Center notifications
•Prevents restart in Safe Mode
•Prevents Windows Defender from running at system startup
•Deletes all system restore points
•Disables various error-reporting and security services
•Terminates over twenty security-related processes
•Blocks DNS queries
•Blocks access to security and antivirus websites
And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).
Conficker.C - Detailed Evaluation by SRI »mtc.sri.com/Conficker/addendumC/
QUOTE: Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. In fact, we estimate that C leaves as little as 15% of the original B code base untouched.
Below are some resources for information and cleaning tools for the Conficker worm:
Conficker - Cleaning tips for corporate users »msmvps.com/blogs/harrywaldron/ar···ers.aspx
Internet Storm Center - Conficker Resource Center »isc.sans.org/diary.html?storyid=5860
Microsoft Resources »support.microsoft.com/kb/962007 »www.microsoft.com/technet/securi···067.mspx
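The "500 domains out of a pool of 50,000" behaviour quoted above shows up in a resolver log as one host producing a burst of failed lookups for random-looking names, which is something a defender can hunt for without any signature. The following is an added example, not code from this thread or from any of the linked articles: a small Python detector run over constructed resolver log lines. The log format (timestamp, client IP, query name, response code), the thresholds and the sample names are all assumptions made for the example.

```python
"""Flag hosts whose DNS failures look like domain-generation beaconing.

Added example (not from the thread). Input lines are constructed resolver
log records of the form "<unix-ts> <client-ip> <qname> <rcode>". A client
is flagged when, inside a sliding window, it collects many distinct
NXDOMAIN names whose leftmost label has high character entropy.
Thresholds below are illustrative assumptions, not vendor values.
"""
import math
import re
from collections import Counter, defaultdict

WINDOW_SECONDS = 60   # sliding window length (assumption)
MIN_NXDOMAINS = 5     # distinct failing names per client per window (assumption)
MIN_ENTROPY = 2.5     # mean Shannon entropy, bits/char, of failing labels (assumption)

# Constructed sample: 10.0.0.5 behaves normally (one typo), 10.0.0.9 hammers
# random-looking names that do not resolve.
SAMPLE_LOG = """\
1238544001 10.0.0.5 www.google.com NOERROR
1238544002 10.0.0.5 ask.com NOERROR
1238544003 10.0.0.5 yahoo.com NOERROR
1238544004 10.0.0.5 wwww.example.com NXDOMAIN
1238544010 10.0.0.9 qzvmxkpr.com NXDOMAIN
1238544011 10.0.0.9 hwtlqbnvd.net NXDOMAIN
1238544012 10.0.0.9 xkpqzmrv.org NXDOMAIN
1238544013 10.0.0.9 tnbvywplq.info NXDOMAIN
1238544014 10.0.0.9 mrkzqphw.biz NXDOMAIN
1238544015 10.0.0.9 vlcqxtnd.com NXDOMAIN
1238544016 10.0.0.9 www.yahoo.com NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Yield (timestamp, client, qname, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (int(m.group(1)), m.group(2),
                   m.group(3).lower().rstrip("."), m.group(4).upper())


def shannon_entropy(s):
    """Bits per character of the string's character distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def first_label(qname):
    """Leftmost label of the name, ignoring a leading 'www'."""
    labels = [lab for lab in qname.split(".") if lab]
    if len(labels) > 1 and labels[0] == "www":
        labels = labels[1:]
    return labels[0] if labels else ""


def find_dga_suspects(log_text, window=WINDOW_SECONDS,
                      min_nx=MIN_NXDOMAINS, min_entropy=MIN_ENTROPY):
    """Return {client: {"count", "mean_entropy", "names"}} for flagged clients."""
    per_client = defaultdict(list)          # client -> [(ts, qname), ...]
    for ts, client, qname, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))

    suspects = {}
    for client, events in per_client.items():
        events.sort()
        # Slide a window starting at each failure; stop at the first hit.
        for i, (start_ts, _) in enumerate(events):
            in_window = {q for ts, q in events[i:] if ts - start_ts <= window}
            if len(in_window) < min_nx:
                continue
            ent = sum(shannon_entropy(first_label(q)) for q in in_window) / len(in_window)
            if ent >= min_entropy:
                suspects[client] = {"count": len(in_window),
                                    "mean_entropy": round(ent, 2),
                                    "names": sorted(in_window)}
                break
    return suspects


if __name__ == "__main__":
    for client, info in find_dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {info['count']} NXDOMAINs, mean entropy {info['mean_entropy']}")
```

The entropy check keeps a single mistyped hostname, or a burst of lookups for legitimately expired names, from tripping the rule on its own; in practice both thresholds need tuning against a baseline of the resolver's normal NXDOMAIN rate.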
veunad (What Does This Do?, Premium, join:1999-08-06, Alpharetta, GA):
I found this quote to be interesting; as that is a doozy of a variant... Hate to see what else they may be working on. I'm in IT for a mid-sized organization and my job is tough enough...
They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far is what they have learned and what they will build next.
-- When trouble arises and things look bad, there is always one individual who perceives a solution and is willing to take command. Very often, that individual is crazy. -- Author, Dave Barry
siljaline (I'm lovin' that double wide, Premium, join:2002-10-12, Montreal, QC, kudos:17), 2 edits, reply to art22gg:
NY Times Bits Blogs
Also: »mtc.sri.com/Conficker/addendumC/
In an effort to provide YOU, the end user, the ability to educate yourself on this threat, I will be posting as much information as possible, from as many sources as possible. This may lead to redundancies in the data that is available, but I am hoping that this will allow you to pick and choose the information, removal tool, and more importantly your own path when mitigating Conficker. Please do note that neither ISC nor SANS is verifying the validity of any of the information or tools present here (you can check our own posts on this topic, or compare against multiple sources).
»www.dshield.org/diary.html?storyid=5860
Bipolar Bear, reply to art22gg:
From the CA website:
The worm accesses the following websites to test Internet connectivity:
ask.com, baidu.com, facebook.com, google.com, imageshack.us, rapidshare.com, w3.org, yahoo.com
So, if you temporarily block access to these websites, would the worm think there's no connection and become dormant?
DaveDude (No Fear, join:1999-09-01, New Jersey, kudos:1), reply to art22gg:
If you're running in User account mode, can the worm still succeed in the modifications?
Nerdtalker (Working Hard, Or Hardly Working?, Premium, MVM, join:2003-02-18, Tucson, AZ), reply to Bipolar Bear:
said by Bipolar Bear: So, if you temporarily block access to these websites, would the worm think there's no connection and become dormant?
It does more than merely access them for the sake of checking for connectivity. If you read the CA article more closely, you'd notice that it actually uses them to set its own clock, effectively preventing people from simply setting their local time back before April 1.
This way, it goes live April 1 regardless of what trickery you think you're going to do with your clock. An intriguing and relatively new way of doing things too.
-- "Some people never see the light till it shines thru bullet holes." -Bruce Cockburn
I'm testing Gmail's spam filters: Broadbandreports1@gmail.com Spam: 12900+ messages currently using 406 MB.
premio (join:2002-02-17, Sunnyvale, CA), reply to art22gg:
So what are people setting their IDS or Snort rules to?
jefe (Premium, join:2001-05-19, Northport, NY), reply to art22gg:
And what can an individual user, with a small home LAN, do to look for Conficker before 4/1?
Are the usual a/v applications finding and killing this bad boy?
kcazzie (One Of Jerry's Kids, Premium, join:2000-08-13, Morton Grove, IL), 3 edits, reply to art22gg:
More...
- At this point, you should be extra vigilant about protecting your PC: patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it. »tech.yahoo.com/blogs/null/128643···april-1/
- »onecare.live.com/site/en-us/viru···ficker.B
- Another that can't hurt (*WUPDATE 10/22/08, so most should have it---KB958644)... »www.microsoft.com/technet/securi···067.mspx
- »www.eweek.com/c/a/Security/Confi···-529249/
- »onecare.live.com/site/en-us/default.htm (can't hurt)
Doctor Four (My other vehicle is a TARDIS, Premium, join:2000-09-05, Dallas, TX), reply to art22gg:
Conficker worm infects UK House Of Commons IT Systems: »www.theregister.co.uk/2009/03/27···fection/
-- "The trouble with computers, of course, is that they are very sophisticated idiots." - Doctor Who (from Robot)
mysec (Premium, join:2005-11-29, kudos:4), 2 edits, reply to art22gg:
said by art22gg: Conficker.C Worm - Major Attack targeted for April Fools Day
Conficker is certainly a welcome story for the media, since it is much more sensational than a PDF exploit.
Only one of the first five links you post will open because the URLs are truncated, so I don't know which article has this quote:
QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports.
Evidently the author is not aware that this latest variant does not spread as the others do; rather, it is installed as an "update" on systems already infected with an earlier variant.
You cited this source, but left out this important point:
Conficker C Analysis »mtc.sri.com/Conficker/addendumC/
The variant was brought to the attention of the Conficker Working Group when one member reported that a compromised Conficker B honeypot was updated with a new dynamically linked library (DLL). Since that point, multiple members have reported upgrades of previously infected machines to this latest variant via HTTP-based Internet rendezvous points.
And Microsoft: their numbering of the variants is different, for when B++ was identified, MS labeled it "C", so that the latest variant everyone is calling "C" is labeled "D" by MS:
Protect yourself from the Conficker computer worm »www.microsoft.com/protect/comput···ker.mspx
•Win32/Conficker.A was reported to Microsoft on November 21, 2008.
•Win32/Conficker.B was reported to Microsoft on December 29, 2008.
•Win32/Conficker.C was reported to Microsoft on February 20, 2009.
•Win32/Conficker.D was reported to Microsoft on March 4, 2009.
Worm:Win32/Conficker.D »www.microsoft.com/security/porta···ficker.D
Also Known As: Win32/Conficker.worm.88064 (AhnLab), Win32.Worm.Downadup.Gen (BitDefender), Win32/Conficker.C (CA), Win32/Conficker.X (ESET), Trojan.Win32.Pakes.ngs (Kaspersky), W32/Conficker.worm.gen.c (McAfee), W32/Conficker.D.worm (Panda), W32/Confick-G (Sophos), W32.Downadup.C (Symantec)
This variant does not spread to removable drives or shared folders across a network and is installed by previous variants of Win32/Conficker. Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE)... It may also spread via removable drives and weak administrator passwords.
Another quote you cite:
The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthier than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations, while the worm is currently dormant. Please take precautions now, as this one will be even more difficult than "B" was to clean.
Again, a misunderstanding about Variant C. If "B" has already been cleaned, then the system won't get "C" unless it is reinfected with "B" and then updated to "C".
Conficker timeline 2008 - 2009 »lastwatchdog.com/evolution-confi···ng-worm/
•Mid Jan. to early Feb.: Conficker A and Conficker B population of machines explodes, grabbing news headlines.
•Feb.: Conficker B++ begins spreading; it adds new ways to spread, as well as new techniques to preserve infected PCs.
•Mar. 5: Conficker C begins updating all PCs infected with Conficker B and B++.
•Apr. 1: All PCs updated with Conficker C are scheduled to begin checking 500 rendezvous points randomly selected from 50,000 web addresses for further instructions.
________________________________________________________________
said by veunad: I found this quote to be interesting; as that is a doozy of a variant... Hate to see what else they may be working on. I'm in IT for a mid-sized organization and my job is tough enough...
I would think your job would be quite easy if you've installed the MS patch, and your CEO let you disable AutoRun and install robust execution prevention that would block the DLL from any attack vector. Variants "A" and "B" would fail to install. End of worries, job not so tough!
________________________________________________________________
For home users, this should have been a NO-THREAT from day one.
Using the timeline above:
•Conficker.A attacked through open ports. A properly configured firewall would have prevented access, patch or no patch.
•Conficker.B attacked via USB using Autorun.inf. Did no one learn the lesson from the previous digital picture frame exploits which used AutoRun.inf? Extensive threads in this and other forums covering AutoRun have provided much helpful information.
When Conficker made the news, how many here contacted everyone they know to ensure that the above protective measures were in place?
Finally, the payload itself: a DLL file, which is an executable file. With all of the many discussions on execution prevention, running as a basic User, Software Restriction Policies -- there are so many ways of stopping this payload, which copies itself to %System%.
Will your protection block an unauthorized DLL from loading? I created a simple test using a macro in an MS Word document to load hmmapi.dll, which launches Windows Live. On my WinXP workstation, I used the Win2K version of the DLL, which is not whitelisted:
Without prevention against unauthorized executables, the DLL loads and launches IExplore.exe:

With such protection the DLL is blocked from loading:

You can use an Autorun.inf file with this command, which you can test yourself:
shellexecute=Rundll32.exe hmmapi.dll,MailToProtocolHandler %1
Download a version of this DLL which is different from yours, put it on your USB drive with the autorun.inf file, and see if it blocks:

If you are set up to block unauthorized executables, then the executable payload fails to install no matter what.
Conficker has become a soap opera with everyone eagerly anticipating the next installment. The first episode should never have made it to the screen in the first place.
---- rich
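For the USB test rich describes, a defender also wants a quick way to see what an autorun.inf on a removable drive would actually launch before deciding whether execution prevention did its job. The following is an added example, not code from this thread or from any tool it links: a Python triage script that parses an autorun.inf and reports every directive that would run something when the drive is mounted, including rundll32 loading a DLL as in the shellexecute line quoted above. The sample file is constructed for the example; the directive names it looks for (open, shellexecute, shell\<verb>\command) are the standard Windows autorun.inf keys.

```python
"""Report the code-launching directives in an autorun.inf.

Added example (not from the thread). Parses the [autorun] section of an
autorun.inf (key=value lines, case-insensitive keys, ';' comments) and
lists every directive that would execute something on mount, noting when
the command uses rundll32 to load a DLL. The sample below is constructed,
modelled on the shellexecute line quoted in the thread.
"""
import re

SAMPLE_AUTORUN = """\
[autorun]
; constructed sample for testing
icon=drive.ico
label=Holiday photos
shellexecute=Rundll32.exe hmmapi.dll,MailToProtocolHandler %1
shell\\explore\\command=Rundll32.exe hmmapi.dll,MailToProtocolHandler %1
action=Open folder to view files
"""

# Directives that run a program directly (standard autorun.inf keys).
EXEC_KEYS = ("open", "shellexecute")
# shell\<verb>\command=... defines what a context-menu verb runs.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)
# rundll32 followed by a DLL path: the DLL is the real payload.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+([^\s,]+\.dll)", re.IGNORECASE)


def parse_autorun(text):
    """Return (key, value) pairs from the [autorun] section, keys lower-cased."""
    pairs = []
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            pairs.append((key.strip().lower(), value.strip()))
    return pairs


def inspect_autorun(text):
    """Return one finding per directive that would execute code on mount."""
    findings = []
    for key, value in parse_autorun(text):
        if key not in EXEC_KEYS and not SHELL_CMD_RE.match(key):
            continue  # icon=, label=, action= only affect presentation
        m = RUNDLL_RE.search(value)
        findings.append({
            "key": key,
            "command": value,
            "loads_dll": m.group(1) if m else None,
        })
    return findings


if __name__ == "__main__":
    for f in inspect_autorun(SAMPLE_AUTORUN):
        dll = f" (loads DLL {f['loads_dll']})" if f["loads_dll"] else ""
        print(f"{f['key']} -> {f['command']}{dll}")
```

A file that sets only icon= and label= produces no findings; any open=, shellexecute= or shell\<verb>\command= entry is reported, and the DLL named in a rundll32 command is called out so it can be hashed and checked against what is actually on the drive. The script only reads the file; the mitigation the thread recommends, disabling AutoRun, is what stops the directive from ever running.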
CUBS_FAN (Next Year Again.., join:2005-04-28, Chicago, IL, kudos:1), reply to art22gg:
said by art22gg: Deactivates Windows Security Center notifications; Prevents restart in Safe Mode; Prevents Windows Defender from running at system startup; Deletes all system restore points; Disables various error-reporting and security services; Terminates over twenty security-related processes; Blocks DNS queries; Blocks access to security and antivirus websites. And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).
In other words your computer is a giant paperweight, and you are F.U.B.A.R.
reply to art22gg:
I never had a worm on my computer, not even back in 1998. I had viruses, adware and spyware, but no worms, so I couldn't care less.
sambisu, reply to art22gg:
If I were to just have my computer powered down for the entire day on April 1st, would I be safe, or would it just do the same thing on April 2nd when I turned it back on?
Name Game (Premium, join:2002-07-07, North Myrtle Beach, SC, kudos:6):
said by sambisu: If I were to just have my computer powered down for the entire day on April 1st, would I be safe, or would it just do the same thing on April 2nd when I turned it back on?
If you did not patch, be ready to take defensive action.
Agent Smith, reply to sambisu:
You can keep it on but disable your network connection, to keep things from downloading onto your computer stealthily.
CUBS_FAN (Next Year Again.., join:2005-04-28, Chicago, IL, kudos:1):
said by Agent Smith: You can keep it on but disable your network connection, to keep things from downloading onto your computer stealthily.
Is this "virus" so bad that people who never go to the sites with malicious code are affected too?
It's almost like this is something spawning from the Windows OS itself and not something you can get from visiting the Pr0n and Warez sites.
Is this nothing but scare tactics?
1 edit:
Not really, but having worms on people's computers is only occasional, as I have never got a worm on my computer, even when I haven't had antivirus for 3 days straight and browsed many sites.
It's like saying the Taliban is going to bomb NYC but never does, while America is prepared for the attacks if it happens.
So no need to be scared, but have a precautionary measure.
SUMware (Premium, join:2002-05-21, kudos:2), reply to art22gg:
FBI Statement Regarding Conficker Worm, from the FBI, March 31, 2009 - quote:
"The FBI is aware of the potential threat posed by the Conficker worm. We are working closely with a broad range of partners, including DHS and other agencies in the U.S. government, as well as throughout the private sector, to fully identify and mitigate the threat.
The public is once again reminded to employ strong security measures on their computers. That includes the installation of the latest anti-virus software and having a firewall in place. Additionally, the public should be aware of the potential dangers associated with spam e-mail. Opening, responding to, or clicking on attachments contained in unsolicited e-mail is particularly harmful and should be avoided."
Shawn Henry, Assistant Director, FBI Cyber Division