
Thursday, April 9, 2009

It's alive!! Conficker wakes up

Computer worm updates via P2P, drops payload

http://doubledoublethoughts.blogspot.com - Caption: This piece of computer code told the worm to activate on April 1, researchers found.

The Conficker worm is finally doing something: updating via peer-to-peer between infected computers and dropping a mystery payload on those computers, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself from the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

On Tuesday night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to the new component's propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware, widely regarded as the successor to the Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October 2008 (MS08-067), as well as through removable storage devices (using Autorun) and network shares with weak passwords.

The worm disables security software and blocks access to security Web sites.


Wednesday, March 25, 2009

The Conficker Worm: April Fool's Joke or Digital Armageddon?

The Conficker worm is scheduled to activate on April 1. Long-time readers will know that I have been warning you about this virus for a few months now: first on January 16, 2009 with the first virus alert, then again on February 14, 2009 when Microsoft announced the reward for information leading to the arrest and conviction of those responsible for the chaotic virus.

The remaining unanswered question is: Will it prove to be the world’s biggest April Fool’s joke or is this virus as bad as some experts believe it to be?

Conficker is a program that is spread by exploiting several weaknesses in Microsoft’s Windows operating system. Various versions of the software have spread widely around the world since October 2008, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)

An estimated 12 million or more machines have been infected. However, many have also been disinfected, so a precise census is difficult to obtain.

It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft’s security update service. It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers.

Given the sophisticated nature of the worm, the question remains: what is the purpose of Conficker, which could become the world's most powerful parallel computer on April 1? That is the date when the worm begins generating 50,000 domain names a day and trying to contact a random sample of them (Conficker.C tries 500 each day). The authors then only need to register one of those names in order to hand new instructions to the millions of zombie computers that have been created, while defenders who want to cut the bots off have to block or pre-register a large share of the names every single day.
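To make that rendezvous mechanism concrete, here is an added example (my own illustrative code, not Conficker's actual algorithm and not code from any of the researchers cited on this page): a generic date-seeded domain generation algorithm of the same shape, the subset one bot tries on a given day, a defender-side check of a DNS query name against the precomputed list, and the probability that a bot reaches a name the defender managed to register. The TLD list, the HMAC construction, the secret constant and the 500-per-day sample size are assumptions for illustration; the 50,000-per-day figure is the one quoted above.

```python
"""Illustrative date-seeded domain generation algorithm (DGA).

Added example, not Conficker's real algorithm: a generic construction of
the same shape.  Every bot derives the same candidate list from the date,
tries a random subset, and the botmaster only has to register one name.
Anyone who recovers the algorithm and its constant from the binary can
precompute the list, which is what defenders did with Conficker.
"""
import hashlib
import hmac
import random
from functools import lru_cache
from math import comb
from typing import Optional

TLDS = ("com", "net", "org", "info", "biz")   # assumed, illustrative set
PER_DAY = 50_000        # candidates per day, the figure quoted in the post
CONTACTED = 500         # names one bot actually tries per day (assumed)
SECRET = b"example-dga-constant"   # hypothetical; a real DGA hard-codes this


@lru_cache(maxsize=8)
def daily_domains(day_iso: str, count: int = PER_DAY) -> tuple:
    """Deterministic candidate list for one day (ISO date, e.g. '2009-04-01')."""
    names = []
    for i in range(count):
        digest = hmac.new(SECRET, f"{day_iso}:{i}".encode(), hashlib.sha256).hexdigest()
        label = digest[: 8 + int(digest[8], 16)]          # 8..23 hex chars
        tld = TLDS[int(digest[-1], 16) % len(TLDS)]
        names.append(f"{label}.{tld}")
    return tuple(names)


@lru_cache(maxsize=8)
def daily_set(day_iso: str) -> frozenset:
    """Defender's precomputed watchlist for the day."""
    return frozenset(daily_domains(day_iso))


def bot_contact_list(day_iso: str, seed: Optional[int] = None) -> list:
    """What one infected machine tries on the given day: a random subset."""
    return random.Random(seed).sample(daily_domains(day_iso), CONTACTED)


def is_dga_lookup(qname: str, day_iso: str) -> bool:
    """Defender side: does this DNS query name match today's list?"""
    return qname.lower().rstrip(".") in daily_set(day_iso)


def hit_probability(registered: int, total: int = PER_DAY, tried: int = CONTACTED) -> float:
    """P(a bot's random subset contains at least one of `registered` names).

    Hypergeometric: 1 - C(total - registered, tried) / C(total, tried).
    With registered=1 (the botmaster's single domain) this is tried/total,
    so each bot has a 1% chance per day of reaching it and a botnet of
    millions reaches it with near certainty; a defender who wants the same
    odds against every bot has to register thousands of names every day.
    """
    if registered >= total:
        return 1.0
    return 1.0 - comb(total - registered, tried) / comb(total, tried)


if __name__ == "__main__":
    day = "2009-04-01"
    tried = bot_contact_list(day, seed=1)
    print(f"bot tries {len(tried)} of {PER_DAY} names, e.g. {tried[:3]}")
    print("flagged:", is_dga_lookup(tried[0] + ".", day),
          is_dga_lookup("www.microsoft.com", day))
    for k in (1, 100, 1000, 5000):
        print(f"defender registers {k:5d}/day -> P(a given bot hits one) = {hit_probability(k):.3f}")
```

The asymmetry in `hit_probability` is the whole point of the design: the attacker needs one registration per day, while blocking the botnet outright means pre-registering or sinkholing most of the 50,000 names across every TLD the algorithm uses, which is exactly the coordination effort with registrars that defenders had to mount against Conficker.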

Speculation about Conficker’s purpose ranges from the benign — an April Fool’s Day joke — to far darker notions. One likely possibility is that the program will be used in the “rent-a-rogue-computer” business, something that has been tried previously by the computer underground. Just like Amazon.com offers computing time on its network for rent, the Conficker team might rent access to its “network” for devious purposes like spamming.

The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode.

According to a research addendum to be added Thursday to an earlier paper by researchers at SRI International, in the Conficker C version of the program, the infected computers can act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it extremely difficult for security teams to defeat the system by disabling so-called super-nodes.

Conficker’s authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible.

Or perhaps the Conficker botnet's masters have something more Machiavellian in mind. Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the idea of a "Dark Google": what if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers? Malware already does this on a targeted basis, typically delivered through "spear phishing", the use of tailored social-engineering lures against specific victims.

But to do something like that on such a huge scale? That would be a dragnet — and a genuine horror story.

What's going to happen on April 1st 2009? Will most of the Internet come crashing down? Will millions of computers be wiped out? Or is this like the so-called Millennium Bug: lots of sizzle, very little steak? (Oh great, now I'm hungry, should have had a bigger breakfast.) We'll have to wait and see......

Hollywood couldn't write this script....

Thoughts? What do you think will happen a week from today?


Saturday, February 14, 2009

Microsoft offers $250k bounty to catch worm creator

Software giant Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of hackers behind a powerful computer virus that could lead to millions of PCs being hijacked.

http://doubledoublethoughts.blogspot.com - Caption: Experts say a single infected laptop could expose an entire network to the worm.

Microsoft is offering a $250k bounty for information leading to the arrest and conviction of those behind the Downadup/Conficker worm. Experts have so far been baffled by the true purpose of the Conficker or Downadup virus, but have described its spread as one of the most serious infections ever seen.

The worm exploits a bug in Microsoft Windows to infect mainly corporate networks, then -- although it has yet to cause any harm -- it opens a link back to its point of origin, meaning it can receive further orders to wreak havoc.

Microsoft has issued a patch to fix the bug; however, once a single machine in a large network is infected, the worm can keep spreading through shares with weak passwords and removable media, often reinfecting machines that have just been disinfected.

The threat from the virus prompted Microsoft in collaboration with other technology industry names to this week announce a $250,000 reward for information to track down those behind Conficker.

"As part of Microsoft's ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers," said George Stathakopoulos, of Microsoft's Trustworthy Computing Group.

Mikko Hypponen, chief research officer at anti-virus firm F-Secure says the true scope of the virus is not known, but in the past 24 hours his company monitored Conficker signals from two million Internet protocol addresses.

"That's a lot," he says. "And one IP address here does not mean one infected computer, it means at least one infected computer."

"Many of those IP addresses are obviously company proxies or firewalls, hiding hundreds of more infections behind it. Unfortunately this also makes it impossible to estimate the total count of infected systems."

"So it's still big. Very big."

Microsoft has previously paid out similar rewards to informants who helped identify the creator of Sasser, another notorious worm let loose in 2004. The perpetrator was tracked to Germany, where he was sentenced a year later.

Think you've gotten the warning a little too late and might already have it? I've found a posting online on how to deal with the two annoying viruses.


Friday, January 16, 2009

*VIRUS ALERT* Downadup virus exposes millions of PCs to hijack

A new sleeper virus that could allow hackers to steal financial and personal information has now spread to more than eight million computers in what industry analysts say is one of the most serious infections they have ever seen.

The Downadup or Conficker worm exploits a bug in Microsoft Windows to infect mainly corporate networks, where -- although it has yet to cause any harm -- it potentially exposes infected PCs to hijack.

Mikko Hypponen, chief research officer at anti-virus firm F-Secure, says while the purpose of the worm is unclear, its unique "phone home" design, linking back to its point of origin, means it can receive further orders to wreak havoc.

He said his company had reverse-engineered its program, which they suspected of originating in Ukraine, and was using the call-back mechanism to monitor an exponential infection rate, despite Microsoft's issuing of a patch to fix the bug.

"On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million," he said. "It's getting worse, not better."

Hypponen explained the dangers that Downadup poses, who is most at risk and what can be done to stop its spread.

How serious is it?

It is the most serious large scale worm outbreak we have seen in recent years because of how widespread it is, but it is not very serious in terms of what it does. So far it doesn't try to steal personal information or credit card details.

Who is affected?

We have large infections in Europe, the United States and in Asia. It is a Windows worm and almost all the cases are corporate networks. There are very few reports of independent home computers affected.

What does it do?

It is a complicated worm most likely engineered by a group of people who have spent time making it very complicated to analyze and remove. The real reason why they have created it is hard to say right now, but we do know how it replicates.

How does it spread?

The worm does not spread over email or the Web. However if an infected laptop is connected to your corporate network, it will immediately scan the network looking for machines to infect. These will be machines that have not installed a patch from Microsoft known as MS08-067. The worm will also scan company networks trying to guess your password, trying hundreds and hundreds of common words. If it gets in, even if you are not at your machine, it will infect and begin spreading to other servers. A third method of spreading is via USB data sticks.

How can I prevent it infecting my machine?

The best way is to get the patch and install it company-wide. The second way is password security. Use long, difficult passwords -- particularly for administrators who cannot afford to be locked out of the machines they will have to fix.

What can I do if it has already infected?

Machines can be disinfected. The problem is for companies with thousands of infected machines, which can become re-infected from just one computer even as they are being cleared.

Did this alert reach you too late? Has your computer already been affected? Share your stories...
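The spread mechanisms described in the interview above and in the April 9 post (the MS08-067 hole, guessing "hundreds and hundreds of common words" against network shares, and USB sticks) leave a signature a defender can hunt for: the share-guessing vector produces a burst of failed logons against many different accounts from a single source, unlike a user mistyping one password. What follows is an added example in Python (my own code, not F-Secure's and not from any article quoted here) that runs that detection over constructed sample events. The CSV export format, the thresholds, host names and addresses are assumptions; the event IDs 529 (XP/2003) and 4625 (Vista and later) are the real Windows failed-logon events.

```python
"""Detect Conficker-style password guessing against network shares.

Added example, not from the post: the log lines are a constructed CSV
export of logon events (time, event id, source address, source host,
target account).  Real events come from the Security log (529 on
XP/2003, 4625 on Vista and later); the export format is an assumption.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON_IDS = {"529", "4625"}
WINDOW = timedelta(seconds=60)   # assumed thresholds; tune per environment
MAX_FAILURES = 10
MAX_ACCOUNTS = 5


def parse_line(line):
    """'YYYY-mm-dd HH:MM:SS,event_id,src_ip,src_host,account' -> tuple."""
    ts, event_id, src_ip, src_host, account = line.strip().split(",")
    return (datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id,
            src_ip, src_host, account.lower())


def detect_password_guessing(lines, window=WINDOW,
                             max_failures=MAX_FAILURES, max_accounts=MAX_ACCOUNTS):
    """One alert per source address whose failed logons inside any
    `window` reach both thresholds.

    A user mistyping a password produces a few failures against one
    account; a worm walking a wordlist produces many failures against
    many accounts from one source in seconds.  Events are sorted by time
    first, so the export does not have to be ordered.
    """
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e[0])
    recent = defaultdict(deque)   # src_ip -> deque of (ts, account)
    alerts = {}                   # src_ip -> alert, recorded at first trigger
    for ts, event_id, src_ip, src_host, account in events:
        if event_id not in FAILED_LOGON_IDS:
            continue
        q = recent[src_ip]
        q.append((ts, account))
        while ts - q[0][0] > window:       # drop events outside the window
            q.popleft()
        accounts = {a for _, a in q}
        if (src_ip not in alerts and len(q) >= max_failures
                and len(accounts) >= max_accounts):
            alerts[src_ip] = {
                "source": src_ip, "host": src_host,
                "first": q[0][0], "last": ts,
                "failures": len(q), "accounts": sorted(accounts),
            }
    return list(alerts.values())


def constructed_sample():
    """Constructed sample: one user mistyping twice, then a successful logon,
    plus one laptop hammering the file server with common account names."""
    lines = [
        "2009-01-16 09:00:05,4625,10.0.1.8,WKS-ALICE,alice",
        "2009-01-16 09:00:09,4625,10.0.1.8,WKS-ALICE,alice",
        "2009-01-16 09:00:15,4624,10.0.1.8,WKS-ALICE,alice",  # success, ignored
    ]
    guesses = ["administrator", "admin", "backup", "guest", "sales", "test",
               "user", "root", "server", "owner", "mysql", "web"]
    for i, account in enumerate(guesses):
        t = datetime(2009, 1, 16, 9, 1, 0) + timedelta(seconds=i)
        lines.append(f"{t:%Y-%m-%d %H:%M:%S},529,10.0.5.23,LAPTOP-17,{account}")
    return lines


if __name__ == "__main__":
    for alert in detect_password_guessing(constructed_sample()):
        print(f"{alert['source']} ({alert['host']}): {alert['failures']} failed logons "
              f"against {len(alert['accounts'])} accounts between "
              f"{alert['first']:%H:%M:%S} and {alert['last']:%H:%M:%S}")
```

Requiring both a failure count and a distinct-account count is what keeps the rule quiet: a locked-out user retrying one account never crosses the account threshold, while the worm's wordlist walk crosses both within a few seconds of plugging an infected laptop into the LAN. The same logic applies to account-lockout events (539 / 4740) if the domain enforces lockout, which is why the interview's advice about long administrator passwords matters: the accounts that get locked out first are the ones needed to clean up.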