Xtra News Community 2
March 29, 2024, 03:09:41 am
Conficker computer worm

DazzaMc
« on: March 29, 2009, 11:34:01 am »

Computer mega-worm could be nastiest ever cybercrime tool

SAN FRANCISCO - The fast-moving Conficker computer worm, a scourge of the internet that has infected at least 3 million PCs, is set to spring to life in a new way on Wednesday - April Fools' Day.

That's when many of the poisoned machines will get more aggressive about "phoning home" to the worm's creators over the internet. When that happens, the bad guys behind the worm will be able to trigger the program to send spam, spread more infections, clog networks with traffic, or try and bring down websites.

Technically, this could cause havoc, from massive network outages to the creation of a cyberweapon of mass destruction that attacks government computers. But researchers who have been tracking Conficker say the date will probably come and go quietly.

More likely, these researchers say, the programming change that goes into effect April 1 is partly symbolic - an April Fools' Day tweaking of Conficker's pursuers, who for now have been able to prevent the worm from doing significant damage.


"I don't think there will be a cataclysmic network event," said Richard Wang, manager of the US research division of security firm Sophos PLC. "It doesn't make sense for the guys behind Conficker to cause a major network problem, because if they're breaking parts of the internet they can't make any money."

Previous internet threats were designed to cause haphazard destruction. In 2003 a worm known as Slammer saturated the internet's data pipelines with so much traffic it crippled corporate and government systems, including ATM networks and 911 centres.

Far more often now, internet threats are designed to ring up profits. Control of infected PCs is valuable on the black market, since the machines can be rented out, from one group of bad guys to another, and act as a kind of illicit supercomputer, sending spam, scanning websites for security holes, or participating in network attacks.

The army of Conficker-infected machines, known as a "botnet," could be one of the greatest cybercrime tools ever assembled. Conficker's authors just need to figure out a way to reliably communicate with it.

Infected PCs need commands to come alive. They get those commands by connecting to websites controlled by the bad guys. Even legitimate sites can be co-opted for this purpose, if hackers break in and use the sites' servers to send out malicious commands.

So far, Conficker-infected machines have been trying to connect each day to 250 internet domains - the spots on the internet where websites are parked. The bad guys need to get just one of those sites under their control to send their commands to the botnet.

The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to.

Conficker has been a victim of its success, however, because its rapid spread across the internet drew the notice of computer security companies. They have been able to work with domain name registrars, which administer website addresses, to block the botnet from dialling in.

Now those efforts will get much harder. On April 1, many Conficker-infected machines will generate a list of 50,000 new domains a day that they could try. Of that group, the botnet will randomly select 500 for the machines to actually query.

The bad guys still need to get only one of those up and running to connect to their botnet. And the bigger list of possibilities increases the odds they'll slip something by the security community.

Researchers already know which domains the infected machines will check, but pre-emptively registering them all, or persuading the registrars to neutralize all of them, is a bigger hurdle.

"We expect something will happen, but we don't quite know what it will look like," said Jose Nazario, manager of security research for Arbor Networks, a member of the "Conficker Cabal," an alliance trying to hunt down the worm's authors.

"With every move that they make, there's the potential to identify who they are, where they're located and what we can do about them," he added. "The real challenge right now is doing all that work around the world. That's not a technical challenge, but it is a logistical challenge."

Conficker's authors also have updated the worm so infected machines have new ways to talk to each other. They can share malicious commands rather than having to contact a hacked website for instructions.

That variation is important because it shows that even as security researchers have neutralised much of what the botnet might do, the worm's authors "didn't lose control of their botnet," said Michael La Pilla, manager of the malicious code operations team at VeriSign Inc.'s iDefence division.

The Conficker outbreak illustrates the importance of keeping current with internet security updates. Conficker moves from PC to PC by exploiting a vulnerability in Windows that Microsoft fixed in October. But many people haven't applied the patch or are running pirated copies of Windows that don't get the updates.

Unlike other internet threats that trick people into downloading a malicious program, Conficker is so good at spreading because it finds vulnerable PCs on its own and doesn't need human involvement to infect a machine.

Once inside, it does nasty things. The worm tries to crack administrators' passwords, disables security software, blocks access to antivirus vendors' websites to prevent updating, and opens the machines to further infections by Conficker's authors.

Someone whose machine is infected might have to reinstall the operating system.

-AP

http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10564030

Reality is merely an illusion, albeit a very persistent one.

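The article above describes infected machines trying a fresh list of hundreds of mostly unregistered domains every day to find their controllers. The following added example (not from the article or any vendor tool) shows the defender's side: a simple detector that flags hosts whose DNS queries show that pattern. The log format (timestamp, client, query name, response code), the thresholds and the sample data are all constructed assumptions.

```python
"""Flag hosts whose DNS behaviour resembles a daily domain rendezvous:
hundreds of distinct, never-before-seen domains per day, most of them
unregistered (NXDOMAIN). Added illustration; thresholds are assumptions."""
from collections import defaultdict
import random
import string

DISTINCT_DOMAIN_THRESHOLD = 200  # assumed: a workstation rarely resolves this many new domains/day
NXDOMAIN_RATIO_THRESHOLD = 0.8   # assumed: algorithmically generated lists are mostly unregistered


def registrable_domain(qname):
    """Collapse a query name to its last two labels (naive; ignores ccTLD second levels)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname.lower()


def parse_line(line):
    """Parse one constructed log line: 'timestamp client qname rcode'."""
    ts, client, qname, rcode = line.split()
    return ts, client, registrable_domain(qname), rcode


def flag_dga_hosts(lines):
    """Return {client: (distinct_domains, nxdomain_ratio)} for suspicious clients."""
    domains = defaultdict(set)
    counts = defaultdict(lambda: [0, 0])  # per client: [total queries, NXDOMAIN answers]
    for line in lines:
        _, client, dom, rcode = parse_line(line)
        domains[client].add(dom)
        counts[client][0] += 1
        if rcode == "NXDOMAIN":
            counts[client][1] += 1
    flagged = {}
    for client, doms in domains.items():
        total, nx = counts[client]
        ratio = nx / total if total else 0.0
        if len(doms) >= DISTINCT_DOMAIN_THRESHOLD and ratio >= NXDOMAIN_RATIO_THRESHOLD:
            flagged[client] = (len(doms), round(ratio, 2))
    return flagged


def sample_log(seed=1):
    """Constructed sample: one host browsing a few real sites, one host trying 500 random names."""
    rng = random.Random(seed)
    lines = []
    normal_sites = ["cnn.com", "msn.com", "ebay.com", "aol.com", "myspace.com"]
    for i in range(300):
        lines.append(f"2009-04-01T08:{i % 60:02d} 10.0.0.5 www.{rng.choice(normal_sites)} NOERROR")
    tlds = ["com", "net", "org", "info", "biz"]
    for i in range(500):
        name = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(5, 11)))
        rcode = "NOERROR" if rng.random() < 0.05 else "NXDOMAIN"  # a few names happen to exist
        lines.append(f"2009-04-01T09:{i % 60:02d} 10.0.0.77 {name}.{rng.choice(tlds)} {rcode}")
    return lines


if __name__ == "__main__":
    for host, (n, ratio) in flag_dga_hosts(sample_log()).items():
        print(f"{host}: {n} distinct domains, NXDOMAIN ratio {ratio}")
```

A host behind a forward proxy or a recursive resolver shared by many machines will not show this per-client pattern, so the heuristic needs query logs taken close to the endpoints.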

DazzaMc
« Reply #1 on: March 29, 2009, 11:35:49 am »

See also: http://xtranewscommunity2.smfforfree.com/index.php/topic,68.0.html
dragontamer
« Reply #2 on: March 29, 2009, 03:34:21 pm »

Full castration for twats who write these worms should be a real option for the justice system.
Lovelee
« Reply #3 on: March 31, 2009, 04:09:36 pm »

Defences bolstered ahead of Conficker April Fools' offensive

The US Department of Homeland Security released a tool on Monday to detect whether a computer is infected by the Conficker worm.

The department, in a statement, said the detection tool for the Conficker worm, also known as DownAdUP, had been developed by the US Computer Emergency Readiness Team (US-CERT).

"While tools have existed for individual users, this is the only free tool - and the most comprehensive one - available for enterprises like federal and state government and private sector networks to determine the extent to which their systems are infected by this worm," said US-CERT director Mischel Kwon.

"Our experts at US-CERT are working around the clock to increase our capabilities to address the cyber risk to our nation's critical networks and systems, both from this threat and all others," he added.

The worm is suspected to have infected millions of computers running the Windows operating system, and Windows maker Microsoft has offered a 250,000 dollar bounty for those responsible for the worm.

US-CERT recommended that Windows users apply Microsoft security patch MS08-067 to help provide protection against the worm.

The patch is designed to prevent an attacker from remotely taking control of an infected computer system and installing additional malicious software.

Malware could be triggered to steal data, generate spam attacks or turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.

The worm is programmed to modify itself on Wednesday, April Fool's Day, according to computer security specialists.

Conficker had been programmed to reach out to 250 websites daily to download commands from its masters, they said, but on Wednesday it will begin connecting with 50,000 websites daily for instructions.

The hackers behind the worm have yet to give it any specific orders.

"That's the interesting thing. The only thing the worm is being asked to do is to ask for further instructions," Steve Trilling, vice president of security firm Symantec, told the CBS program "60 Minutes" in a story aired on Sunday.

AFP

Advice from US-CERT

-US-CERT recommends that Windows Operating Systems users apply Microsoft security patch MS08-067 as quickly as possible to help protect themselves from the worm. They can also disable AutoRun functionality.

-Home users can apply the US-CERT test for the presence of a Conficker/Downadup infection on their home computers. The presence of an infection may be detected if users are unable to connect to their security solution Web site or if they are unable to download free detection/removal tools.

-If an infection is suspected, the system or computer should be removed from the network. In the case of home users, the computer should be unplugged from the internet.

-Instructions, support and tools to help you manually remove a Conficker/Downadup infection from a system have been published by most major security vendors.

-US-CERT recommends that computer users and administrators keep up-to-date on security patches and fixes for their operating system and install up-to-date anti-virus and anti-spyware software. A firewall will also help block attacks before they can get into your computer.
http://www.smh.com.au/articles/2009/03/31/1238261551017.html

Laughter is the best medicine, unless you've got a really nasty case of syphilis, in which case penicillin is your best bet.
DazzaMc
« Reply #4 on: March 31, 2009, 04:18:12 pm »

Yep - same.

I'll be checking the news on this via the phone in the morning - before I boot up anything.
I'm also pulling the pin on all my servers over night... just in case.

I'm pretty sure these machines are clean - but you just never know....

Lovelee
« Reply #5 on: April 01, 2009, 07:30:56 am »

Yeh mine's sweet - I'm still having trouble with the cairns page .. should I uninstall and redownload Java?? It's other pages too that have Java I guess.
DazzaMc
« Reply #6 on: April 01, 2009, 07:40:31 am »

Either that or IE...

But then - Javascript shouldn't stop a page from loading, it should only throw errors on load...
Lovelee
« Reply #7 on: April 01, 2009, 08:41:09 am »

I can't load the bnz bank page either

And I use firefox ... maybe I will try with IE .. I'll let you know


Hmm now that's interesting, the bank opened using IE .. grrrrrr
« Last Edit: April 01, 2009, 08:46:14 am by Lovelee »
DazzaMc
« Reply #8 on: April 01, 2009, 09:20:31 am »

Firefox sucks..... for many reasons.


Then again - so does IE, for many reasons....

The sooner we can jack-in direct to the net and not need browsers at all the better!


That's still 10-15 years away though...
Lovelee
« Reply #9 on: April 01, 2009, 09:29:58 am »

Maybe I will uninstall FF and download it again ... should I do the same to Java??

Daz .. will u have a look at the startup pics I loaded and let me know what I can remove pse?
DazzaMc
« Reply #10 on: April 01, 2009, 09:48:46 am »

Which startup pics love?
Lovelee
« Reply #11 on: April 01, 2009, 12:50:02 pm »

http://xtranewscommunity2.smfforfree.com/index.php/topic,61.0.html

scroll down to mess 21 and 22 pse
DazzaMc
« Reply #12 on: April 01, 2009, 01:23:34 pm »

Well.... this is all trial and error, but for starters;

IncMail
SweetIM
HP Digital Imaging (should start up when you need it)
And One Note (if you don't use it)


What's AWC?
Try that then reboot and make sure everything you actually NEED is working OK.

Of course, if you NEED any of the above on-boot then don't deselect them...
DazzaMc
« Reply #13 on: April 01, 2009, 01:28:08 pm »

Donq could lose....

PC Suite
Windows Live... ?
Adobe Acrobat Reader
RealPlayer


There may be a few others there Donq but you need to expand the "Start up Item" column so I can read them...
The "Microsoft" ones look a bit suspect - is it pre-loading office/IE or something?

And tcnz_Mccitr.... ?


Try that then reboot and make sure everything you actually NEED is working OK.

Of course, if you NEED any of the above on-boot then don't deselect them...
Lovelee
« Reply #14 on: April 01, 2009, 06:12:17 pm »

LOL What's AWC??

Fucked if I know hahahah
Lovelee
« Reply #15 on: April 10, 2009, 09:25:18 am »

Conficker wakes up, updates via P2P, drops payload

The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
This piece of computer code told the worm to activate on April 1, researchers found.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

On Tuesday night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites.

http://edition.cnn.com/2009/TECH/04/09/conficker.activated/index.html?eref=rss_topstories

Daz - the trojan I got last week was doing that, disabling my security and blocking access to security web sites???
DazzaMc
« Reply #16 on: April 10, 2009, 09:49:02 am »

Yer - a lot of them do.

Go here: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

If you can see all of the logos at the top then you're sweet.
Lovelee
« Reply #17 on: April 10, 2009, 09:59:00 am »

OOO that's good - I see them all. Thanks
Lovelee
« Reply #18 on: June 14, 2009, 12:04:52 pm »

The inside story of the Conficker worm

A HOTEL bar in Arlington, Virginia, 23 October 2008. A group of computer security experts has spent the day holed up with law enforcement agencies. It is an annual event that attracts the best in the business, but one the participants like to keep low-key - and under the radar of the cybercriminals they are discussing.

That evening, conversation over drinks turned to a security update Microsoft had just released. Its timing was suspicious: updates usually came once a month, and the next was not due for two weeks. "I remember thinking I should take a look at this," recalls Paul Ferguson, a researcher at Trend Micro, a web security company in Cupertino, California.

He did. So did the rest of the computer security industry. In fact, they talked, puzzled and worried about little else for months after. The update heralded the birth of the Conficker worm - one of the most sophisticated pieces of malignant software ever seen.

Despite an unprecedented collaboration against them, Conficker's accomplished creators have been able to bluff and dodge to gain control of machines inside homes, universities, government offices and the armed forces of at least three nations, establishing a powerful and lucrative network of "zombie" computers. New Scientist has pieced together the sobering details of that cat-and-mouse fight.

more
http://www.newscientist.com/article/mg20227121.500-the-inside-story-of-the-conficker-worm.html
Nitpicker1
« Reply #19 on: July 14, 2009, 04:13:39 pm »

Yer - a lot of them do.

Go here: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

If you can see all of the logos at the top then you're sweet.


If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.