
Atheists Today » Easy Reading » The Lounge
Conficker has activated

(CNET) -- The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
This piece of computer code told the worm to activate on April 1, researchers found.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to,,, and as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

On Tuesday night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites.
Edited by RayvenAlandria on 04/09/2009 10:39
Luckily, I don't know anyone that was affected by this. I'm wondering what type of computer users were affected most by this...?
"The world is my country, and do good is my religion." - Thomas Paine
One of the things Conficker is now doing is tricking people into buying fake virus scanners. I remember one of the women here at Atheist Today getting hit by one of these a while back. (Sinny or Hypatia). I still suspect Conficker and its variants are being used by organized crime. I am also sure that rogue nations and terrorists are involved and/or watching closely. ( My money's on Korea and China). The current activities may be a test run to see what they can do.

Conficker is a rootkit and some rootkits are not detectable. (We have the fucktards at Sony to thank for rootkits). Conficker is a serious threat and I feel it will evolve and become a monster. I imagine there will be many variants and they'll be used by different organizations for different purposes, some will just be criminals looking to make money, others will be terrorists hoping to disrupt our infrastructure and harm the world. All we can do is hope the anti-virus experts can stay a step ahead of the cyber terrorists. There's a war going on that most people don't even know about.



Conficker Worm Awakens, Downloads Rogue Anti-virus Software

Security experts nervously watching computers infested with the prolific Conficker computer worm say they have begun seeing infected hosts downloading additional software, including a new rogue anti-virus product.

Since its debut late last year, the collection of hundreds of thousands - if not millions - of systems sick with Conficker has somewhat baffled security researchers, who are accustomed to seeing such massive networks being used for money-making criminal activities, such as relaying junk e-mail.

Today, however, that mystery evaporated, as anti-virus companies reported seeing Conficker systems being updated with SpywareProtect2009, a so-called "scareware" product that uses fake security alerts to frighten consumers into paying for bogus computer security software.

According to Kaspersky Labs, once the scareware is downloaded, the victim will see the usual warnings, "which naturally asks if you want to remove the threats it's 'detected'. Of course, this service comes at a price - $49.95." Kaspersky reports that the rogue anti-virus product is being downloaded from a Web server in Ukraine.

This development adds an interesting wrinkle. The first version of Conficker contained within its genetic makeup instructions telling infected systems to visit a site called As I noted last month, this was a site where distributors of rogue anti-virus products would go for the latest programs and links to the latest download locations. Many affiliates were making six-figure paychecks each month distributing this worthless software by various means, all of them extremely sneaky if not downright illegal.


In its bi-annual security report released this week, Microsoft cited rogue anti-virus as one of the most prolific and fastest-growing threats facing Windows users today.

The rogue anti-virus software, however, was not the only piece of rubbish to be sent to Conficker-infected systems this week. Researchers at Trend Micro reported the first stirrings of Conficker.C on Wednesday, when they noticed a new file show up in the temporary directory of a number of test machines they'd infected with the worm. They later determined the file had been placed there via Conficker's built-in peer-to-peer (P2P) communications capability, which allows large groupings of infected systems to hand off software updates and instructions being pushed out by the worm authors.

Trend found that the update was a version of the Waledac family of spam Trojans. Due to similarities in the code and other telltale signs, researchers consider Waledac to be the reincarnation of the "Storm worm," a spam virus that also used a sophisticated P2P mechanism to spread and share updates.

The Conficker update also sets up a Web server on the infected system, re-enables the ability to spread itself through the Microsoft Windows vulnerability that caused the outbreak in the first place (this spreading capability was absent in the Conficker version prior to this update). It also instructs the Waledac component to remove itself if the date is on or after May 3, 2009.

Perhaps that is due to some ill-understood logic within Conficker, but not all of the systems infected with Conficker.C are receiving the latest updates, said Paul Ferguson, an advanced threat researcher at Trend.

"We've seen it happen very slow and staggered," he said. "We have several nodes that have it and several that don't."

Ferguson said there are still several components tucked away in this Conficker update that researchers are struggling to unlock. But he said it's evident the worm's authors are ready to start putting it to work.

"There are still some unknowns here, but things are becoming a lot more clear, and it certainly seems they're making a move here to finally monetize all this effort," Ferguson said.


Try to go to this Symantec page. If you can load the page you are most likely not infected. (unless for some reason your variant has not enabled web address blocking of the major anti-virus companies)

If you google conficker to find removal tools DO NOT GO TO ANY SITE YOU ARE NOT 100% SURE OF. Only go to big name sites of well known anti-virus companies, and make sure the url is the correct one and not a fake.

One tricky thing virus and worm authors do is to make a *removal tool* or *antivirus program* that is actually the worm in disguise. Be paranoid.
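The "can you load a security vendor's page" test above can be scripted so the result is less of a guess. The script below is an added example written for this thread; it is not from the original posts or from any vendor. It assumes a control site (example.com) that the worm is not described as blocking, so that "no Internet at all" can be told apart from "only security sites are unreachable", and it uses the real home domains of the vendors named in the articles (Symantec, Trend Micro, Kaspersky, Microsoft) rather than any specific page, since the thread's Symantec link did not survive. Because the articles say the worm blocks access to security Web sites, a failure to even resolve those names while the control site loads is the suspicious pattern; a single unreachable vendor is more likely a local filter, and it is reported as such rather than as an infection.

```python
"""Reachability check of security-vendor sites versus a control site.

Added example for the 'load the Symantec page' test in the thread; not
code from the forum or from any anti-virus vendor.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Home domains of vendors named in the articles. Which exact pages the
# worm blocks is not stated in the thread, so plain vendor hosts are used.
VENDOR_SITES: List[str] = [
    "www.symantec.com",
    "www.trendmicro.com",
    "www.kaspersky.com",
    "www.microsoft.com",
]

# Assumption: a site the worm is not described as blocking, used only to
# confirm that the machine has Internet connectivity at all.
CONTROL_SITE = "example.com"


def tcp_reachable(host: str, port: int = 80, timeout: float = 5.0) -> bool:
    """Resolve host and open a TCP connection to it; True on success.

    Blocking done by interfering with name resolution (the behaviour the
    articles attribute to the worm) shows up here as a failed connect.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(results: Dict[str, bool], control: str = CONTROL_SITE) -> str:
    """Turn per-host reachability (host -> reachable) into a verdict string."""
    if not results.get(control, False):
        return "inconclusive: no connectivity even to the control site"
    vendor = {h: ok for h, ok in results.items() if h != control}
    if not vendor:
        return "inconclusive: no vendor sites tested"
    blocked = sorted(h for h, ok in vendor.items() if not ok)
    if len(blocked) == len(vendor):
        return ("suspicious: all security-vendor sites unreachable while the "
                "control site is reachable")
    if blocked:
        return ("partial: some vendor sites unreachable (%s); could be a "
                "local filter rather than malware" % ", ".join(blocked))
    return "clean: no evidence of security-site blocking"


def run_check(probe: Callable[[str], bool] = tcp_reachable,
              hosts: Optional[List[str]] = None,
              control: str = CONTROL_SITE) -> Tuple[Dict[str, bool], str]:
    """Probe every vendor host plus the control host and classify the result.

    The probe is injectable so the decision logic can be exercised without
    network access (see the __main__ block for the live run).
    """
    hosts = list(hosts or VENDOR_SITES)
    results = {h: probe(h) for h in hosts + [control]}
    return results, classify(results, control)


if __name__ == "__main__":
    results, verdict = run_check()
    for host, ok in results.items():
        print(f"{host:24s} {'reachable' if ok else 'UNREACHABLE'}")
    print(verdict)
```

Run it on the machine you are worried about; a "suspicious" verdict means the same symptom the posters describe (vendor sites dead, everything else fine) and is a reason to fetch a removal tool from a known-good machine, not from the suspect one. A "partial" verdict is usually a proxy or content filter, and "inconclusive" means the test could not be performed, not that the machine is clean.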
Skeeve wrote:
Luckily, I don't know anyone that was affected by this. I'm wondering what type of computer users were affected most by this...?

Unfortunately, it is a lot to blame on the IT administration and the lack of security intelligence. I bet at least 50% of IT admins have not implemented the update that fixed the hole that Conficker is exploiting. I am not worried about it. If anyone wants a security check let me know.
That's right, I said it...