Wednesday, March 25, 2009
The Conficker Worm: April Fool’s Joke or Digital Armageddon?
The remaining unanswered question is: Will it prove to be the world’s biggest April Fool’s joke or is this virus as bad as some experts believe it to be?
Conficker is a program that is spread by exploiting several weaknesses in Microsoft’s Windows operating system. Various versions of the software have spread widely around the world since October 2008, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)
An estimated 12 million or more machines have been infected. However, many have also been disinfected, so a precise census is difficult to obtain.
It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft’s security update service. It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers.
Given the sophisticated nature of the worm, the question remains: What is the purpose of Conficker, which could possibly become the world’s most powerful parallel computer on April 1? That is when the worm will generate 50,000 domain names and systematically try to communicate with each one. The authors then only need to register one of the domain names in order to take control of the millions of zombie computers that have been created.
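The domain-generation behaviour described above has a visible side effect that defenders can watch for: a host walking a list of tens of thousands of freshly generated names gets NXDOMAIN for almost all of them, since nobody has registered them. The Python below is an added example, not code from the original post and not Conficker's actual generation algorithm; it applies a per-client NXDOMAIN-burst heuristic to a constructed resolver log in an assumed "<epoch> <client_ip> <name> <rcode>" format.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not real Conficker traffic).
# Assumed format: "<epoch> <client_ip> <queried_name> <rcode>"
SAMPLE_DNS_LOG = """\
1238544000 10.0.0.5 www.example.org NOERROR
1238544001 10.0.0.7 qwlkjzv.com NXDOMAIN
1238544001 10.0.0.7 ptrmvbx.net NXDOMAIN
1238544002 10.0.0.7 hjqpwea.org NXDOMAIN
1238544002 10.0.0.7 zxqvbnm.info NXDOMAIN
1238544003 10.0.0.7 mnbvcxz.biz NXDOMAIN
1238544003 10.0.0.5 mail.example.org NOERROR
1238544004 10.0.0.9 typo-of-site.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

def parse_dns_log(text):
    """Yield (timestamp, client, name, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield int(m.group(1)), m.group(2), m.group(3).lower(), m.group(4)

def nxdomain_bursts(text, window=60, threshold=4):
    """Return {client: distinct_failed_names} for every client that resolved
    at least `threshold` distinct names to NXDOMAIN within any `window`-second
    span. A user's typo fails once or twice; a host walking a generated list
    of unregistered domains fails hundreds of times. The low threshold here
    suits the tiny sample; tune it to your resolver's normal failure rate."""
    failures = defaultdict(list)
    for ts, client, name, rcode in parse_dns_log(text):
        if rcode == "NXDOMAIN":
            failures[client].append((ts, name))
    flagged = {}
    for client, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            in_window = {name for ts, name in events[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                flagged[client] = len({name for _, name in events})
                break
    return flagged

if __name__ == "__main__":
    print(nxdomain_bursts(SAMPLE_DNS_LOG))  # flags 10.0.0.7 only
```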
Speculation about Conficker’s purpose ranges from the benign — an April Fool’s Day joke — to far darker notions. One likely possibility is that the program will be used in the “rent-a-rogue-computer” business, something that has been tried previously by the computer underground. Just like Amazon.com offers computing time on its network for rent, the Conficker team might rent access to its “network” for devious purposes like spamming.
The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode.
According to a research addendum to be added Thursday to an earlier paper by researchers at SRI International, in the Conficker C version of the program, the infected computers can act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it extremely difficult for security teams to defeat the system by disabling so-called super-nodes.
Conficker’s authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible.
Or perhaps the Conficker botnet’s masters have something more Machiavellian in mind. One researcher, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the idea of a “Dark Google.” His theory: what if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers? Malware already does this on a focused basis using a variety of schemes that are referred to as “spear phishing,” in a reference to the widespread use of social engineering tricks on the Net.
But to do something like that on such a huge scale? That would be a dragnet — and a genuine horror story.
What's going to happen on April 1st, 2009? Will most of the internet come crashing down? Will millions of computers be wiped out? Or is this like the so-called Millennium Bug? Lots of sizzle, very little steak.. (oh great, now I'm hungry, should have had a bigger breakfast) We'll have to wait and see......
Hollywood couldn't write this script....
Thoughts? What do you think will happen a week from today?
Thursday, April 9, 2009
It's alive!! Conficker wakes up

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.
The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.
The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.
Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.
"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.
On Tuesday night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.
"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"
In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.
The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.
Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.
Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.
The worm disables security software and blocks access to security Web sites.
Saturday, February 14, 2009
Microsoft offers $250k bounty to catch worm creator
Experts have so far been baffled by the true purpose of the Conficker or Downadup virus, but have described its spread as one of the most serious infections ever seen.
The worm exploits a bug in Microsoft Windows to infect mainly corporate networks, then -- although it has yet to cause any harm -- it opens a link back to its point of origin, meaning it can receive further orders to wreak havoc.
Microsoft has issued a patch to fix the bug; however, if a single machine is infected in a large network, it will spread unchecked -- often reinfecting machines that have been disinfected. The threat from the virus prompted Microsoft, in collaboration with other technology industry names, to announce this week a $250,000 reward for information to track down those behind Conficker.
"As part of Microsoft's ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers," said George Stathakopoulos, of Microsoft's Trustworthy Computing Group.
Mikko Hypponen, chief research officer at anti-virus firm F-Secure says the true scope of the virus is not known, but in the past 24 hours his company monitored Conficker signals from two million Internet protocol addresses.
"That's a lot," he says. "And one IP address here does not mean one infected computer, it means at least one infected computer."
"Many of those IP addresses are obviously company proxies or firewalls, hiding hundreds of more infections behind it. Unfortunately this also makes it impossible to estimate the total count of infected systems."
"So it's still big. Very big."
Microsoft has previously paid out similar rewards to informants who helped identify the creator of Sasser, another notorious worm let loose in 2004. The perpetrator was tracked to Germany, where he was sentenced a year later.
Think you've gotten the warning a little too late and might already have it? I've found a posting online on how to deal with the two annoying viruses.
Thursday, April 16, 2009
Cybercriminals create botnet using Mac computers

Once downloaded, the applications themselves worked normally, but the Trojan opens a "back door" on the compromised computer that allows it to begin contacting other hosts in its peer-to-peer network for commands.
Researchers Mario Barcena and Alfredo Pesoli of Symantec Ireland, writing in the April 2009 issue of the Virus Bulletin, say the network of infected computers attempted to initiate a denial of service attack on a website in January.
"OSX.Iservice is an interesting piece of malware - not only does it make use of Mac OS internals, but it is also the first Mac botnet that we are aware of," they wrote.
A botnet, or robot network, is a group of linked computers - sometimes called zombies - that have been commandeered, in some instances by criminals, to perform a host of actions, from connecting and infecting other computers to sending out spam or launching distributed denial of service attacks to bring down websites or web servers.
But traditionally, botnets have spread through PCs running Windows, and not Macs, in part because of the low market share of Macs worldwide.
Apple had 7.2 per cent of personal computer market share in the United States in the fourth quarter of 2008, according to technology analyst IDC, but was not among the top five PC makers worldwide, as ranked by shipments.
Kevin Haley, director of Symantec Security Response, said cybercriminals who want to create a botnet of computers traditionally attack machines running Microsoft's Windows operating system because the goal is to have the biggest network possible.
"It's a numbers game," said Haley. "If you're going to go after the largest market, you have to go after the largest target."
An example of a particularly successful botnet is the one created by the Conficker worm, which by some estimates is believed to have spread to as many as 12 million machines.
By comparison, the iBotnet, as the Symantec researchers have dubbed it, spread to only a few thousand computers before it was identified. A number of security firms say removal of the Trojan is simple once it has been identified.
The method used to infiltrate the computers - tricking users to install a Trojan hiding in a free version of software - is also a fairly basic way to access a computer, said Haley, and is not a technique exclusive to Macs or any particular vulnerability inherent in the computer's operating system.
Haley said downloading any file from an unknown source is a potentially dangerous practice, no matter what computer a person uses.
The malicious software, or malware, is unique, however, in that it clearly targeted only Mac users and also included a variation - found in the corrupted Adobe Photoshop CS4 file - that used some of the functions of Mac OS that relate to its authorization services interface, according to the Symantec Ireland authors.
"With malware authors showing an increasing interest in the Mac platform, we believe that more advanced [user interface] spoofing tricks may be seen in the future," they wrote.
Ryan Naraine, the security evangelist at Kaspersky Lab, said that while a Mac botnet may not be practical for criminals, the discovery of the Trojan is proof that no operating system is inherently safe....Sorry, Mac users.
Friday, January 16, 2009
*VIRUS ALERT* Downadup virus exposes millions of PCs to hijack
The Downadup or Conficker worm exploits a bug in Microsoft Windows to infect mainly corporate networks, where -- although it has yet to cause any harm -- it potentially exposes infected PCs to hijack.
Mikko Hypponen, chief research officer at anti-virus firm F-Secure, says while the purpose of the worm is unclear, its unique "phone home" design, linking back to its point of origin, means it can receive further orders to wreak havoc.
He said his company had reverse-engineered its program, which they suspected of originating in Ukraine, and is using the call-back mechanism to monitor an exponential infection rate, despite Microsoft's issuing of a patch to fix the bug. "On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million," he said. "It's getting worse, not better."
Hypponen explained the dangers that Downadup poses, who is most at risk and what can be done to stop its spread.
How serious is it?
It is the most serious large scale worm outbreak we have seen in recent years because of how widespread it is, but it is not very serious in terms of what it does. So far it doesn't try to steal personal information or credit card details.
Who is affected?
We have large infections in Europe, the United States and in Asia. It is a Windows worm and almost all the cases are corporate networks. There are very few reports of independent home computers affected.
What does it do?
It is a complicated worm most likely engineered by a group of people who have spent time making it very complicated to analyze and remove. The real reason why they have created it is hard to say right now, but we do know how it replicates.
How does it spread?
The worm does not spread over email or the Web. However if an infected laptop is connected to your corporate network, it will immediately scan the network looking for machines to infect. These will be machines that have not installed a patch from Microsoft known as MS08-067. The worm will also scan company networks trying to guess your password, trying hundreds and hundreds of common words. If it gets in, even if you are not at your machine, it will infect and begin spreading to other servers. A third method of spreading is via USB data sticks.
How can I prevent it infecting my machine?
The best way is to get the patch and install it company-wide. The second way is password security. Use long, difficult passwords -- particularly for administrators who cannot afford to be locked out of the machines they will have to fix.
What can I do if it has already infected?
Machines can be disinfected. The problem is for companies with thousands of infected machines, which can become re-infected from just one computer even as they are being cleared. Did this alert reach you too late? Has your computer already been affected? Share your stories...
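The spreading method Hypponen describes, an infected laptop sweeping the network and trying hundreds of common passwords against other machines, leaves a distinctive trail in authentication logs: one source, many failures, many target hosts, and sometimes a success right after the failures. The Python below is an added example, not code from F-Secure or the original post; it runs that heuristic over a constructed log in an assumed "<epoch> src=<ip> dst=<host> user=<account> result=<OK|FAIL>" format.

```python
import re
from collections import defaultdict

# Constructed sample share-authentication log (not from any real incident).
# Assumed format: "<epoch> src=<ip> dst=<host> user=<account> result=<OK|FAIL>"
SAMPLE_AUTH_LOG = """\
1232064000 src=10.1.1.20 dst=FILESRV01 user=jsmith result=OK
1232064001 src=10.1.1.42 dst=FILESRV01 user=Administrator result=FAIL
1232064001 src=10.1.1.42 dst=FILESRV01 user=Administrator result=FAIL
1232064002 src=10.1.1.42 dst=FILESRV02 user=Administrator result=FAIL
1232064002 src=10.1.1.42 dst=FILESRV02 user=backup result=FAIL
1232064003 src=10.1.1.42 dst=PRINTSRV user=jsmith result=FAIL
1232064003 src=10.1.1.42 dst=PRINTSRV user=jsmith result=OK
1232064004 src=10.1.1.20 dst=FILESRV02 user=jsmith result=FAIL
"""

AUTH_RE = re.compile(r"^(\d+) src=(\S+) dst=(\S+) user=(\S+) result=(OK|FAIL)$")

def parse_auth_log(text):
    """Yield (timestamp, src, dst, user, result); malformed lines are skipped."""
    for line in text.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            ts, src, dst, user, result = m.groups()
            yield int(ts), src, dst, user, result

def guessing_sources(text, window=60, min_failures=3, min_targets=2):
    """Flag sources that fail at least `min_failures` logons against at least
    `min_targets` distinct hosts inside any `window`-second span. A user who
    mistypes a password fails a few times against one host; a worm sweeping
    the network fails across many. `success_after_fail` is True when the same
    source later succeeds, i.e. one of the guessed passwords worked."""
    by_src = defaultdict(list)
    for ts, src, dst, user, result in parse_auth_log(text):
        by_src[src].append((ts, dst, user, result))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        for i, (start, _, _, _) in enumerate(events):
            span = [e for e in events[i:] if e[0] - start <= window]
            fails = [e for e in span if e[3] == "FAIL"]
            targets = {dst for _, dst, _, _ in fails}
            if len(fails) >= min_failures and len(targets) >= min_targets:
                first_fail = fails[0][0]
                hit = any(r == "OK" and ts >= first_fail for ts, _, _, r in span)
                flagged[src] = {"failures": len(fails), "targets": sorted(targets),
                                "success_after_fail": hit}
                break
    return flagged
```

A flagged source with `success_after_fail` set is the host to isolate first, since it has likely already reached a machine with a weak password.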