Unofficial Mills

Worm hitting Windows users


E*F*4L


http://news.bbc.co.uk/1/hi/technology/7832652.stm

Infections of a worm that spreads through low security networks, memory sticks, and PCs without the latest security updates are "skyrocketing".

The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.

Anti-virus firm F-Secure estimates there are now 8.9m machines infected.

Experts warn this figure could be far higher and say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch.

In its security blog, F-Secure said that the number of infections based on its calculations was "skyrocketing" and that the situation was "getting worse".

Make sure your connection is secure by using a proper password; read the link below for advice.

http://www.sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm/

:)


To be honest it shouldn't be a problem. The advisory for MS08-067 was released way back in October, and anyone with Automatic Updates turned on or that occasionally manually updates would have got the patch well before Christmas. It's mostly corporate machines that can't be patched directly from the Windows Update servers (and there are good reasons why they shouldn't be in many cases), or that are failing to update from internal update servers for some reason that are being affected. I think every sizeable corporate environment will have had at least a few infections.

Basically, so long as your copy of Windows is genuine and activated, along with having Automatic Updates turned on and a regularly updated anti-virus package (and that's everyone, right? ;)), there's little to worry about from this one.

Oh, and if you want to check if you are patched, look in your update history for KB958644...


In XP - Control Panel | Add/Remove Programs, tick the 'show updates' checkbox at the top and scroll through the list until you find the updates. In Vista - Control Panel | Windows Update | View update history.

Cheers Tim, found it in there, think I have gone slightly cross-eyed from looking at the numbers though!

2 months later...

Old thread resurrection...

OK, so tomorrow (1st April) is apparently the day that Conficker (aka Kido) comes live. There is some truth in the media scare-mongering in that the latest variant of it - the 3rd or 4th depending on who you ask - has a trigger for April 1st which will cause some further activity, in that a currently infected (or possibly even previously infected but cleaned up) machine will attempt to contact 500 random internet URLs or other locally networked machines to possibly download further distribution code, some sort of destructive payload or who knows what else...

What a lot of anti-virus vendors have missed is that a previously infected machine that has been cleaned up might have left code in place to allow this distribution to still be successful. This is how it's been possible to become reinfected from previously cleared infections, something I've seen a number of times myself.

For anyone interested in the fine detail - have a look here (major geek alert though): http://mtc.sri.com/Conficker

Anyhow, it could be worth grabbing the attached file and unzipping it somewhere (say c:\temp or somewhere easy to get at); opening a command prompt (Start | Run 'cmd' on XP, Start 'cmd' in the search box on Vista) changing to the directory you extracted it to (e.g. 'cd \temp') and running it as follows 'kkiller -x -z -f -v -r'... Do this WITH your memory stick inserted and it'll check that too, which is really worth doing. Unfortunately it's unclear at the moment if this covers all possible attack vectors...

If you have a genuine copy of Windows, routinely get all Critical Updates, and keep your usual anti-virus software up to date you've done what's best and shouldn't worry too hard.

The thing that concerns me about all this is that no one actually knows precisely what's going to happen tomorrow, if anything at all. I can see it could be a fun day for some of us :rolleyes:

Let's hope it all turns out to be another Y2K!

KKiller_v3.4.1.zip


I'm actually eager to see what happens tomorrow. I believe this virus had already affected my machine before because of some of the symptoms:

- Autorun not functioning

- Couldn't access the registry

- Couldn't gain Windows Updates

Tried with the removal programmes but nothing was working, so I backed up my essentials and used factory settings recovery. Hopefully it won't touch me anymore, fingers crossed.


Yeah, I think I'm OK on all my comps, but I have been looking into it :|

Useful info here:

Want to quickly find out if your PC might be one of the millions infected by Conficker? Try clicking to Microsoft.com. Next try Symantec.com. Now try McAfee.com.

If you can get to these sites, you're cool. But if your browser will not let you access any of these websites, then you very likely are infected with Conficker.

That’s because Conficker blocks you from reaching any web address that includes Microsoft, Symantec, McAfee, AVG, Kaspersky, Trend Micro, F-Secure, Panda, Sophos, SecureWorks or Sunbelt in the URL. It also blocks URLs that contain 103 other names and phrases that relate to security. You can see the full list by clicking to SRI International's report here and scrolling down to the table listed under "domain lookup prevention."

To get a full understanding of how jammed-packed Conficker is with sophisticated self-spreading and self-preserving features see this FAQ and this timeline.

You definitely want to check -- and disinfect -- before April 1. On that date all Conficker-infected PCs will begin trying to connect to 50,000 web domains to receive further instructions. Two schools of thought exist about what Conficker will do next.

Some experts, such as WinPatrol creator Bill Pytlovany, are sensing that the worm’s controllers will run circles around the Microsoft-led “cabal” of security groups trying to block some 3 million to 12 million Conficker-infected PCs from phoning home next week.

"How Conficker will mutate is anyone's guess," says Pytlovany. "It could be anything from turning a machine into a spam-bot or launching a widespread cyberterror attack. My guess is it will be something designed to make money."

But Sophos researcher Chet Wisniewski notes that Conficker's controllers can now reach each infected PC several different ways, thanks to a customized peer-to-peer network the bad guys have set up and organized the infected PCs into.

F-Secure researcher Patrik Runald notes that if Conficker's controllers wanted to send updates or instructions to any infected machine they can do that at any time. "It's unlikely anything major will happen on April 1st," says Runald.

So how can you get an infected machine to a Conficker clean-up tool? You have a couple of options. One is to use Enigma Software's free Conficker-specific scan-and-cleanup tool. Enigma is obscure enough that the bad guys did not include it on the list of blocked URLs. http://www.enigmasoftware.com/

But be aware: Enigma could not pass up the opportunity to attach a promotion to buy a $30 subscription directly alongside its free tool. Several readers have gotten misled into thinking that they must buy the subscription to activate the clean-up tool. An Enigma spokesman insists that the Conficker tool is completely free; he supplied this video showing what a free clean-up session should look like.

Another option is to click to this Microsoft malicious software removal site, which doesn't contain "Microsoft" in the URL. You'll find a free all-purpose malicious software scanner. However, I could not get it to work on my Firefox 3 browser, nor on my Internet Explorer 7 browser.

Microsoft says they are checking into this and suggested this last-ditch option: contact Microsoft Customer Service and Support at no charge, using the PC Safety hotline at 1-866-PCSAFETY.

http://blogs.usatoday.com/technologylive/2009/03/how-to-diagnose.html

More info from McAfee here: http://www.avertlabs.com/research/blog/index.php/2009/03/27/w32conficker-much-ado-about-nothing/?cid=54857 (it also has a link to their Conficker removal tool 'Stinger').

:)

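The "try clicking to Microsoft.com, Symantec.com, McAfee.com" test quoted above can be scripted as a defensive check. This is an added example, not code from the article or from any vendor: it resolves a few vendor domains plus a control domain that matches none of the blocked names, and reports "suspicious" only when the control works and every vendor lookup fails. The substring list is the set of names the article gives (the 103 other entries in SRI's table are not reproduced), example.com is an assumed control, and the resolver is injectable so the logic runs offline with a constructed stand-in.

```python
"""Emulate the Conficker 'can you reach your AV vendor?' diagnostic."""
import socket
from typing import Callable, Dict, List, Optional

# Vendor names the article says Conficker matches inside URLs (assumed to be
# a case-insensitive substring match, with spaces removed for "Trend Micro").
BLOCKED_SUBSTRINGS = ["microsoft", "symantec", "mcafee", "avg", "kaspersky",
                      "trendmicro", "f-secure", "panda", "sophos",
                      "secureworks", "sunbelt"]
PROBE_DOMAINS = ["microsoft.com", "symantec.com", "mcafee.com"]
CONTROL_DOMAIN = "example.com"  # assumed control: matches no blocked name

Resolver = Callable[[str], Optional[str]]


def system_resolver(host: str) -> Optional[str]:
    """Real lookup through the OS resolver; None when resolution fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def blocked_resolver(host: str) -> Optional[str]:
    """Constructed stand-in for a host whose vendor lookups are filtered."""
    return None if is_vendor_domain(host) else "203.0.113.10"


def is_vendor_domain(host: str) -> bool:
    normalised = host.lower().replace(" ", "")
    return any(name in normalised for name in BLOCKED_SUBSTRINGS)


def probe(resolver: Resolver, domains: List[str] = PROBE_DOMAINS,
          control: str = CONTROL_DOMAIN) -> Dict[str, Optional[str]]:
    """Resolve the control first, then each vendor domain."""
    return {d: resolver(d) for d in [control] + list(domains)}


def assess(results: Dict[str, Optional[str]],
           control: str = CONTROL_DOMAIN) -> str:
    """'no-network' (control failed, nothing can be concluded), 'clean',
    'partial' (some vendor lookups failed) or 'suspicious' (all failed)."""
    if results.get(control) is None:
        return "no-network"
    vendor = [d for d in results if d != control and is_vendor_domain(d)]
    failed = [d for d in vendor if results[d] is None]
    if not failed:
        return "clean"
    return "suspicious" if len(failed) == len(vendor) else "partial"


if __name__ == "__main__":
    print(assess(probe(system_resolver)))
```

A "suspicious" verdict is a symptom match, not proof: a corporate proxy or DNS filter that blocks the same domains produces the same result, so confirm with a scanner the article lists before cleaning.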

I was wondering if it was safe to be online today because I didn't know how it was infecting.

I use a low security network with a not fancy password.

I installed my patch! *is proud*

Yesterday I got a lot of alerts but I don't know if they were popup ads. My antivirus software I don't think has been updated. Ran a full 2 and a half hour scan online via Kaspersky and it stopped at 89%, which is no big deal because I lose my connection kind of a lot and I figured that was it. Nothing bad in my hard drive.

No downloading for me today (except security updates) and no opening emails unless the sender is familiar. And no clicking on weird things while googling. In fact I think googling is probably not good either.

http://mcafee.com/us/threat_center/conficker.html

More info.

Argh, nothing was supposed to happen yesterday. The virus just updated itself so that it now generates thousands of websites, instead of the previous 50 or so that it did before (which have been shut down). It is now almost impossible to shut the virus, as a whole, down. Try Googling OpenDNS. Then, even if you have got the virus, it can't update itself or do anything to your computer (stealing info and such).

From the BBC News website

Conficker begins stealthy update

Experts believe that the mystery update will record users' keystrokes

The Conficker worm has started to update infected machines with a mystery package of data.

Computer security firms watching the malicious program noticed that it sprang into life late on 8 April.

The activity on its update system delivered encrypted software to compromised machines. It is not yet clear what the payload contains.

The Conficker virus variants are thought to be present on millions of PCs around the world.

Spam connection

The updating activity has begun about a week later than expected. Analysis of the "C" variant of Conficker (aka Downadup) revealed that its updating mechanism was due to go live on 1 April.

The belated updates were spotted by researchers for Trend Micro following the arrival of a new file in one of the directories in so-called "honeypot" machines deliberately seeded with Conficker C.

Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate.

In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the C variant. Exact figures for the number of Conficker-infected machines are hard to determine, but the minimum is widely believed to be three million.

"The Conficker/Downad P2P communications is now running in full swing," wrote Ivan Macalintal from Trend Research on the company's security blog.

Once it arrives on a machine, the package of data randomly checks one of five different websites - MySpace, MSN, eBay, CNN and AOL - to ensure its host still has net access and to confirm the current time and date.

Following this check the data package removes all traces of its installation.

The strong encryption on the payload has, so far, prevented detailed analysis of what it actually does. However, security experts speculate that it is a "rootkit" that will bury itself deep in Windows in order to steal saleable data such as bank website login details.

Security researchers are continuing to analyse the payload to get a better idea of what it is intended to do.

Symantec said it too had noticed the increased activity of Conficker and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.

The security firm noticed that the update also included an instruction to the worm to remove itself on 3 May, 2009. However, the Waledac-imposed backdoor on the machine will remain open, so its creators can still control compromised PCs.
