Mar 27, 4:52 PM (ET)
By JORDAN ROBERTSON
From: Excite Story

SAN FRANCISCO (AP) - The fast-moving Conficker computer worm, a scourge of the Internet that has infected at least 3 million PCs, is set to spring to life in a new way on Wednesday - April Fools' Day.

That's when many of the poisoned machines will get more aggressive about "phoning home" to the worm's creators over the Internet. When that happens, the bad guys behind the worm will be able to trigger the program to send spam, spread more infections, clog networks with traffic, or try and bring down Web sites.

Technically, this could cause havoc, from massive network outages to the creation of a cyberweapon of mass destruction that attacks government computers. But researchers who have been tracking Conficker say the date will probably come and go quietly.

More likely, these researchers say, the programming change that goes into effect April 1 is partly symbolic - an April Fools' Day tweaking of Conficker's pursuers, who for now have been able to prevent the worm from doing significant damage.


Previous Internet threats were designed to cause haphazard destruction. In 2003 a worm known as Slammer saturated the Internet's data pipelines with so much traffic it crippled corporate and government systems, including ATM networks and 911 centers.

Far more often now, Internet threats are designed to ring up profits. Control of infected PCs is valuable on the black market, since the machines can be rented out, from one group of bad guys to another, and act as a kind of illicit supercomputer, sending spam, scanning Web sites for security holes, or participating in network attacks.

The army of Conficker-infected machines, known as a "botnet," could be one of the greatest cybercrime tools ever assembled. Conficker's authors just need to figure out a way to reliably communicate with it.

Infected PCs need commands to come alive. They get those commands by connecting to Web sites controlled by the bad guys. Even legitimate sites can be co-opted for this purpose, if hackers break in and use the sites' servers to send out malicious commands.

So far, Conficker-infected machines have been trying to connect each day to 250 Internet domains - the spots on the Internet where Web sites are parked. The bad guys need to get just one of those sites under their control to send their commands to the botnet. (The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to.)

Conficker has been a victim of its success, however, because its rapid spread across the Internet drew the notice of computer security companies. They have been able to work with domain name registrars, which administer Web site addresses, to block the botnet from dialing in.

Now those efforts will get much harder. On April 1, many Conficker-infected machines will generate a list of 50,000 new domains a day that they could try. Of that group, the botnet will randomly select 500 for the machines to actually query.

The bad guys still need to get only one of those up and running to connect to their botnet. And the bigger list of possibilities increases the odds they'll slip something by the security community.

Researchers already know which domains the infected machines will check, but pre-emptively registering them all, or persuading the registrars to neutralize all of them, is a bigger hurdle.



Conficker's authors also have updated the worm so infected machines have new ways to talk to each other. They can share malicious commands rather than having to contact a hacked Web site for instructions.

That variation is important because it shows that even as security researchers have neutralized much of what the botnet might do, the worm's authors "didn't lose control of their botnet," said Michael La Pilla, manager of the malicious code operations team at VeriSign Inc.'s iDefense division.

The Conficker outbreak illustrates the importance of keeping current with Internet security updates. Conficker moves from PC to PC by exploiting a vulnerability in Windows that Microsoft Corp. (MSFT) fixed in October. But many people haven't applied the patch or are running pirated copies of Windows that don't get the updates.

Unlike other Internet threats that trick people into downloading a malicious program, Conficker is so good at spreading because it finds vulnerable PCs on its own and doesn't need human involvement to infect a machine.

Once inside, it does nasty things. The worm tries to crack administrators' passwords, disables security software, blocks access to antivirus vendors' Web sites to prevent updating, and opens the machines to further infections by Conficker's authors.

Someone whose machine is infected might have to reinstall the operating system.

By Thomas Claburn, InformationWeek
March 27, 2009
URL: http://www.informationweek.com/story/showA...cleID=216401130

In a rare case of calm-mongering, computer security companies are offering reassurance that the world won't end on April 1.

That's when the Conficker/Downadup worm is supposed to get a code update that could make it even more difficult to control.

Since January, when the number of computers affected by the worm jumped from 2.4 million to 8.9 million in just four days, people have been understandably concerned about the botnet being built through Conficker infections. The worm has made enough of a splash to prompt a coordinated industry response and a $250,000 bounty from Microsoft for information leading to the capture of those responsible.

The worm, which attempts to exploit a Microsoft vulnerability that was patched (MS08-067) last October, has been evolving with the help of its creator or creators. Now in its fourth iteration, it has developed multiple avenues of infection, including USB devices. It also uses a variety of sophisticated techniques to evade detection and to maintain its command-and-control channel, including a pseudo-random algorithm for generating the domains it uses to receive commands.

The worm previous polled 250 domains daily for updates. On April 1, security researchers who have analyzed its code say it will start scanning 500 out of 50,000 domains for updates.

In a list of frequently asked questions posted to the blog of security company F-Secure, Mikko Hypponen, the company's chief research officer, says nothing really bad is going to happen on April 1 because of the worm. Most infected machines, he says, are variant B, which won't get updated in April. He adds that Windows users who have made sure their systems have been scanned, and Mac users (who are unaffected), have nothing to worry about.

Luis Corrons, director of PandaLabs, urges people not to get taken in by the panic.

"The infection level of the previous weeks has been reducing to low levels," he said in a blog post. "There [is] probably still malware infecting PCs but not at the levels we were seeing in the previous months."

F-Secure said that between 1 million and 2 million computers are actively infected. Those who think their computer might be among those compromised may wish to run either F-Secure Easy Clean or Panda ActiveScan, both of which recognize Conficker infections.

Conficker now definitely downloading updates

Trend Micro reports that the Conficker.C (or Downad) worm has now indeed begun to download updates – not, however, from the web sites that many have been watching, but through its peer-to-peer function. The experts say they stumbled on this while observing the Windows Temp folder and the network traffic on an infected system. In contrast to Conficker.A and .B, the .C version can establish a P2P network with other infected systems and use it to download further programs and receive commands. Trend Micro says this P2P operation is now going full blast.

In the case under investigation, the system fetched its encrypted update from a P2P node in Korea and installed it. That transformed the worm into the .E variant, which displays new characteristics. Among other things, it attempts to wipe all its tracks from a system by deleting previous registry entries and from then on using random file names and service names. The worm also opens port 5114 and listens out for connection requests with an inbuilt HTTP server. Finally, it connects up to the myspace.com, msn.com, ebay.com, cnn.com and aol.com domains to test whether it has a connection with the internet.

The worm is reported still to be spreading only through the Windows security vulnerability. BitDefender says the new variant is blocking access not only to BitDefender's antivirus web sites, but also to recently announced sites offering tools to remove previous versions of the Conficker worm, including BitDefender's tool page (http://bdtools.net) and internet sites of other providers.

Analyses reportedly show that the latest version of Downad/Conficker will disable itself on 3 May 2009. Whether it will collect a new update before then is unclear. Virus specialists have also observed occasional connections to domains associated with the Waledac botnet. Symantec has made similar observations. One file downloaded by Conficker (484528750.exe) is said to have contained the Waledac bot. So far, however, neither Trend Micro not Symantec wishes to say any more about the connection between Conficker and Waledac.

An overview page giving the main information about the Conficker Windows worm is available at The H, giving links to tests that can diagnose an infection, including a simplified test by The H and heise Security. It also lists cleaning tools and network scanners and summarises The H's most important news reports about Conficker, beginning with the report for the Microsoft Patch Tuesday on which the security vulnerability used by Conficker first became known.


source:

http://www.h-online.com/security/Conficker...s--/news/113044


see also for more information!

The H Security Conficker information site:

http://www.h-online.com/security/The-H-Sec...features/113002


DOWNAD/Conficker Watch: New Variant in The Mix?:

http://blog.trendmicro.com/downadconficker...ant-in-the-mix/


Downadup + Waledac? :

https://forums2.symantec.com/t5/blogs/bloga.../article-id/260



New Downad/Conficker variant spreading over P2P:

http://countermeasures.trendmicro.eu/new-d...ading-over-p2p/


Sabu

Great follow up info Sabu75 Thanks for this. ...been looking for info on these botnets.

Tozz

here we go. the complete links for Conficker i´ve collected.

Report: 2.5 million PCs infected with Conficker worm:

http://www.h-online.com/news/Report-2-5-mi...r-worm--/112416


How Big is Downadup? Very Big.:

http://www.f-secure.com/weblog/archives/00001579.html


more links about Conficker below:

http://www.h-online.com/news/Conficker-in-...pitals--/112403
http://www.h-online.com/news/Microsoft-Cus...ystems--/112370
http://www.h-online.com/news/Windows-worm-...erates--/112077
http://www.h-online.com/news/Microsoft-pat...ervice--/111782


Conficker worm back with a vengeance:

http://www.pcadvisor.co.uk/news/index.cfm?newsid=111098


Conflicker, DNS Security and what ICANN is doing about it:

http://blog.icann.org/2009/02/conflicker-d...ut-it/#more-689



OpenDNS and Kaspersky Lab Team to Fight Massive Windows Conficker Worm, Give Network Admins Visibility Into Malware Operating on Their Network:

http://www.opendns.com/about/announcements/122/


Conficker Collateral Damage for March 2009:

http://www.sophos.com/blogs/sophoslabs/v/post/3457


Conficker becomes a more flexible worm :

http://www.h-online.com/security/Conficker...m--/news/112705



Conficker to disrupt legitimate domains in March:

http://www.h-online.com/security/Conficker...h--/news/112747


Conficker call-backs threaten to swamp legit domains:

http://www.theregister.co.uk/2009/03/02/co...lateral_damage/


Conficker variant dispenses with need to phone home:

http://www.theregister.co.uk/2009/02/23/conficker_variant/


Conficker gets upgraded with defenses:

http://www.theregister.co.uk/2009/03/07/conficker_upgrade/


Conficker modified for more mayhem:

http://www.h-online.com/security/Conficker...m--/news/112802


W32.Downadup.C Digs in Deeper :

https://forums2.symantec.com/t5/blogs/bloga.../article-id/249



Conficker.C primed for April Fool's activation:

http://arstechnica.com/security/news/2009/...-activation.ars


Analysis of Conficker C:

http://www.offensivecomputing.net/?q=node/1120



Researchers hunting for Conficker's Patient Zero:

http://arstechnica.com/security/news/2009/...atient-zero.ars


will look for more information between april 1 and the lastest stuff i posted before.


really worry what are they planning?





Sabu

2 older articles .

Conficker's Domain Routine has Already Started:

http://www.f-secure.com/weblog/archives/00001643.html


Conficker D-Day Arrives; Worm Phones Home (Quietly):

http://www.pcworld.com/article/162381/conf...me_quietly.html



some more actual updates !

Conficker Worm Awakens, Downloads Rogue Anti-virus Software:


http://blogs.washingtonpost.com/securityfix/


The neverending story:

http://www.viruslist.com/en/weblog?weblogid=208187654


Sabu

13 April 2009, 12:32
Is the Conficker worm showing its hand?

People have been speculating, waiting and prognosticating, but until now the extremely cleverly programmed Conficker worm has limited itself to mainly defensive measures, such as opening various communications channels (Conficker.C can set up peer-to-peer networks with other infected systems) in order to transform itself with downloaded code, and to actively combating anti-virus software and security analysis tools.

Even on 1 April, the known date on which Conficker.C would be looking for updates, virtually nothing happened. Now however, money is involved: computers infected with the Conficker worm are downloading the scareware program "SpywareProtect2009".

Swindlers are earning a lot of money with scareware products like "Antivirus 2009", "Malwarecore", "WinDefender", "WinSpywareProtect", "XPDefender" and yes, "SpywareProtect2009". These scareware scams run a small injected program that alarms users by constantly displaying pop-up messages warning that their PCs are infected. Non-expert users can be persuaded to pay money for these bogus anti-virus products, typically bearing familiar-sounding names. In the best case, they've lost their money but nothing more. Worst case, the software they've bought actually loads malware on to the PC that may well transform it into a bot, a conduit for spam. Over a brief period late last year, for example, Microsoft removed scareware from almost a million Windows PCs with its Malicious Software Removal Tool (MSRT). More information is given in the The H article Thieves and Charlatans - Rogue Anti-virus Products.

An analysis by Kaspersky Labs says the infected zombies use their peer-to-peer structures to exchange the Conficker update as well as the address of servers in the Ukraine from which they then download and install "SpywareProtect2009". This then of course "discovers" a variety of threats, and asks users to pay $49.95 (Visa or Mastercard accepted) to get them removed. The Ukraine has already played a role: Conficker.A contained a suicide switch that was triggered whenever the worm discovered that a Ukrainian keyboard was in use.

Felix Leder and Tillmann Werner, both of Bonn University, recently made news by demystifying the Conficker worm, and Leder now reports that the new Conficker variant is blocking further domains, among them the Bonn University server with the Conficker test. This has therefore been provisionally relocated.


link:


http://www.h-online.com/security/Is-the-Co...d--/news/113054



see also the Conficker Information Page!


http://www.h-online.com/security/The-H-Sec...features/113002



Sabu

1 in 5 Windows PCs Still Hackable by Conficker
And about 5% of business machines infected with the worm, says Qualys
» Comments
By Gregg Keizer, Computerworld

April 14, 2009 — Computerworld —

Although the media blitz about the Conficker worm prompted a significant number of enterprise users to finally fix a six-month-old Windows bug, about one in five business computers still lack the patch, a security company said today.

Scans of more than 300,000 Windows PCs owned by customers of Qualys Inc. show that patching of the MS08-067 vulnerability, a bug that Microsoft fixed with an emergency update issued in October 2008, picked up dramatically two weeks ago.

"The media attention about the April 1 date got people scanning like crazy," said Wolfgang Kandek, Qualys' chief technology officer, referring to the trigger date hard-coded into Conficker, the worm that used the MS08-067 vulnerability to infect millions of machines earlier this year. "We saw three to four times more scans [for the worm] than usual on March 30."

Qualys, like several other security vendors, had issued a Conficker detection tool prior to April 1, when the worm was set to switch to a new communications scheme for instructions from its hacker overlords.

The percentage of scanned PCs vulnerable to the MS08-067 bug began falling April 1, said Kandek, and within several days it had dropped from about 40% to just under 20%. "The whole thing about April 1 was a good thing," Kandek said. "Before [April 1], the number of machines still vulnerable to MS08-067 was probably comparable to other Microsoft vulnerabilities. Now it's better than average."

But even with the additional attention Conficker and the MS80-67 bug have received, about one in every five PCs scanned by Qualys remains unpatched. "I don't know why that is," Kandek said. "They could be older machines, or machines not considered important, or even Windows running on an ATM. Whatever it is, it's hard for me to understand why they're not patched."

Qualys' scans also revealed that about 5% of the PCs pinged were actually infected with one of the four Conficker variants. "That's a relatively low number, but because the Conficker numbers are staggering, it's infected millions, it's really a sizable number," said Kandek.

Last week, Conficker's handlers began updating already-infected PCs and used the opportunity to also install spam bots and phony antivirus software on those systems. Conficker.e, as the new variant has been dubbed, restores the worm's ability to spread to machines not yet patched against the MS08-067 vulnerability.


link:


http://www.csoonline.com/article/489225/_i...le_by_Conficker




Sabu

different articles about this topic .

Conficker also installs fake antivirus software:

http://news.cnet.com/conficker-also-instal...virus-software/


Researchers say Conficker is all about the money:

http://news.cnet.com/researchers-say-confi...bout-the-money/


Conficker postmortem: Hype distracted but threat is real:

http://news.cnet.com/8301-1009_3-10210934-83.html


Conficker wakes up, updates via P2P, drops payload:

http://news.cnet.com/8301-1009_3-10215678-83.html


Many PCs still not patched against Conficker vulnerability:

http://www.sophos.com/blogs/gc/g/2009/04/1...-vulnerability/


Updated Stats for Conficker.C:

http://blogs.iss.net/archive/conficker-easter.html



Conficker seizes city's hospital network:

http://www.theregister.co.uk/2009/01/20/sheffield_conficker/
http://news.cnet.com/8301-1009_3-10226448-83.html


and read the stuff at Kaspersky blog

http://www.viruslist.com/en/weblog




Sabu

Cyber Secure Institute on the Conficker Controversy

Recently WTOP, Washington, DC’s newsradio station, aired an interview with a cybersecurity expert from a major systems integrator who said that the failure of the Conficker worm to result in some form of major cyber assault or disaster showed that our IT systems were more secure, more resilient than people tend to think. This conclusion is wildly off base and patently flawed. In short, just because the other guy in a fight doesn’t pull the trigger when he’s got the gun to your head, doesn’t mean you won the fight.

Since October of 2008, the Conficker worm has been the subject of a great deal of attention and debate. To date, the Conficker worm has infected countless computers—estimates range wildly from 200,000 to more than 10 million. And it has demonstrated the ability to both end run security measures and establish communications with controlled computers despite major efforts. It has also consumed an extraordinary amount of time and energy by CIOs and cybersecurity experts from around the world.

However, because there was no major Conficker-created problem on April 1st when hijacked computers went online and began communicating with controller domains, numerous commentators are now downplaying the significance of the worm. This view is misguided.

In order to properly gauge the importance of the Conficker problem, the threat and the facts must be considered in their totality. Whether or not Conficker ultimately turns out to be a sales tool for bogus Ukrainian security software or something much more destructive, the simple fact is that the Conficker worm has infected perhaps ten million computers around the world. The worm has evolved, circumventing cybersecurity software.

As a result, if anything Conficker has demonstrated the inadequacy of today’s cybersecurity, in particular relying upon cybersecurity add-ons like firewalls, anti-virus programs, and the like.

Additionally, it is wrong to suggest that the worm has not a negative impact. Conficker has begun executing harmful instructions on the computers that it has infiltrated. For example, although shut down in early March, the worm has had its self-propagating routines reinstated—this makes for easier sharing among its generated P2P network. Additionally, the worm received instructions to secretly install copies of the Waledac spamming worm, which has caused computers to be overwhelmed with fake anti-virus software. This software claims to have done a scan of the infected computer, and prompts the user to pay money for the removal tool, but in reality, if the user complies, he has just paid money to have his computer even further infected. While not catastrophic, these impacts are real.

Any analysis of the true impact of Conficker must also factor in the (wasted) time, resources, and energies of the cyber-community, governments, companies and individuals. Extrapolating out from studies on the average cost of similar past attacks, the total economic cost of this worm (including the cost of efforts to combat the worm, the cost of purchasing counter-measure software) could be as high as $9.1 billion. Even using the single, outlying data source that suggests a much more limited scope of infection (<200,000)—vastly less than all other sources suggest—the cost of this virus is still roughly $200 million dollars. It should, however be emphasized that these estimates do not factor in opportunity costs—just what could have been achieved if the expertise, time, energy and resources that have been devoted to combating this virus had been devoted to more productive efforts.

Moreover, it is too soon to say for certain what is next with Conficker itself. The worm remains active. There is no way to know if the actors behind the worm have played out their full hand. It is way too soon to declare victory.

And, it is likely that this is not the last we will see of worms like this one. In all likelihood the next virus that deploys similar capabilities will not be nearly as benign. While the worst case scenario has not yet materialized with this worm, it opens a Pandora’s box of new risks. To suggest that we are somehow secure against these risks, just because Conficker hasn’t yet inflicted the damage it could, is nonsensical.

Finally, the most confounding aspect of the Conficker worm threat is that this entire problem, along with almost all other similar threats, can now be avoided if we start to deploy inherently more secure technologies. At least two technologies, the Integrity Global Security operating platform and the Tenix Interactive Link Device, have been certified by the National Information Assurance Partnership and the NSA against the most sophisticated threats. These new technologies are capable of protecting systems, isolating critical data and can eliminate viruses and worms from computers at the click of the mouse. The widespread deployment of inherently secure cyber-technologies, which are certified to the highest levels of robustness, would reduce the risks of viruses like Conficker virus to basically zero, which, over even the near- to mid-term would more than pay for the cost to deploy these new technologies. Over the long-term the savings here, in time, energy and opportunity costs would clearly be in the hundreds of billions.

This entry was posted on Monday, April 20th, 2009 at 3:20 pm


source:

http://cybersecureinstitute.org/blog/?p=15



other different links.


Is Symantec Ready for Conficker (Downadup)? Yes!:

http://www.symantec.com/connect/blogs/syma...er-downadup-yes


How Symantec can help against Downadap, Kido and Conficker:

http://www.symantec.com/connect/articles/h...o-and-conficker


Worms and threats that spread across networks by network shares have become more common in recent years.--Like Downadup/Conficke:

http://www.symantec.com/connect/articles/w...on-recent-yea-1


Connecting The Dots: Downadup/Conficker Variants :

https://forums2.symantec.com/t5/blogs/bloga.../article-id/265


W32.Downadup P2P Scanner Script for Nmap :

https://forums2.symantec.com/t5/blogs/bloga.../article-id/266


Scanning for Conficker’s peer to peer:

http://www.skullsecurity.org/blog/?p=230


Sabu

"inherently secure cyber-technologies"? Who is the author if this article trying to fool? There is no such thing! That's like saying, "If you eat our brand of genetically-engineered super-broccoli, you'll be immune to the AIDS virus!"

I want to know one thing: What are they trying to sell? Sounds like snake oil to me. The article is eloquently written, but its thrust makes me think that its writers are trying to capitalize on fear. Indeed, they work hard to feed that fear.

As an aside, my antivirus vendor, Avira, have informed me via email that they have the Conficker infection identified and under control, and that as an AntiVir subscriber, I don't need to worry. Well, I take that assurance with a grain of salt because I don't think the full Conficker saga has yet to be written, but alarmist postings like this one only serve to make me believe that someone is trying to cash in on Conficker hysteria.

I am not worried. I am not infected. And I am sure as hell not going to waste any of my money trying to protect myself as a result of scare tactics like this!

Conficker Continues To Spread:

http://viewfromthebunker.com/2009/05/20/co...nues-to-spread/

Sabu

7 July 2009, 12:27
Researchers thwart Conficker worm spread

The Conficker worm has not gone away and is on the rise again. Things may have quietened down on the Conficker front for a while, but, according to statistics from the Conficker Working Group (CWG), the number of infected systems increased from a little over four million (unique IPs) to more than five million in June. The most widely distributed 'A' variant is, however, rather picky – it declines to attack Windows systems located in the Ukraine.

To determine the location of a system it is thinking of attacking, Conficker attempts to query geographical IP-address databases, which allow it to work out roughly where an IP address is located. Specifically, Conficker.A accesses an IP-address database provided by MaxMind, who switched their server to a new address shortly after the worm appeared in order to stop further queries.

Felix Leder and Tillmann Werner from Bonn University have taken advantage of the fact that the worm continues to query the old hard-coded address in order to hinder its spread; they have developed their own database and are running it at the old address, which has been made available by MaxMind. The database returns the Ukraine as the location for all address queries with the result that queried systems are not attacked and thus not infected.

"We are currently observing millions of queries per day," reports Tillmann Werner, "How far the number of infections will be reduced remains to be seen. We have certainly made some small contribution to suppressing its spread." Indeed, since last weekend the number of infected systems has not just stagnated, it has actually fallen.

According to the researchers, it is important that infected systems are now disinfected so that the infection cannot flare up once more. To help with this process, they have released a number of programs available from http://four.cs.uni-bonn.de/conficker. Leder and Tillmann published an analysis of the worm and tools for detecting it earlier this year.

The H Security has a Conficker Information Site with online tests for Conficker infections and links to network scanners and tools to assist with the removal of Conficker from infected systems.

(djwm)

link:

http://www.h-online.com/security/Researche...d--/news/113706


related information below as hes still alive.


InfectionTracking:

http://www.confickerworkinggroup.org/wiki/...fectionTracking


Sabu

The top 28 related sites are now added to Level 1, scanning and collection of
the rest of the control sites is underway and it looks like it will be easier than
expected.