Conficker Worm - Virus Update

Mave



Wikipedia Info:
http://en.wikipedia.org/wiki/Conficker

Microsoft Bulletin:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Microsoft Update:
http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03&displaylang=en

Symantec - Conficker Removal Tool:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3



Information:

Conficker Worm, also known as Downup, Downandup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta.

Operation:

The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. It then connects to a server, where it receives further orders to propagate, gather personal information, and download and install additional malware onto the victim's computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.

Payload:

The A variant of Conficker will create an HTTP Server and open a random port between 1024 and 10000. If the remote machine is exploited successfully, the victim will connect back to the HTTP server and download a worm copy. It will also reset System Restore Points, and download files to the target computer.

Symptoms of Infection:

* Account lockout policies being reset automatically.
* Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
* Domain controllers respond slowly to client requests.
* The network becomes unusually congested. This can be checked with the network traffic chart in Windows Task Manager.
* Websites related to antivirus software and Windows system updates cannot be accessed.

In addition, the worm launches a brute force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.

Impact:

By January 16, 2009, antivirus software vendor F-Secure reported that Conficker had infected almost 9 million PCs. The New York Times reported that Conficker had infected 9 million PCs by January 22, 2009, while The Guardian estimated 3.5 million infected PCs. As of January 26, 2009, Conficker had infected more than 15 million computers, making it one of the most widespread infections in recent times.

Another antivirus software vendor, Panda Security, reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.

Conficker is reported to be one of the largest botnets created because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008.

The U.K. Ministry of Defence reported that some of its major systems and desktops are infected. The worm has spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.

Experts say it is the worst infection since the SQL Slammer.

As of February 13, 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the criminals behind the creation and/or distribution of Conficker.

Removal:

On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability. Removal tools are available from Microsoft, Symantec and Kaspersky Lab, while McAfee can remove it with an on-demand scan. Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media by modifying the Windows Registry is recommended. While Microsoft has released patches for the later Windows XP Service Packs 2 and 3, Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired.

Better protect yourself from this one :wink: I just did :holmes:
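Added example, not from the original post: one of the symptoms listed above, the dictionary attack against administrator passwords over ADMIN$ shares, shows up in the Security log as a burst of failed logons from one machine against one account. The script below flags such bursts with a sliding time window. The records are constructed for the demo, in a simplified comma-separated layout that is an assumption of this example and not a real Windows export format; the threshold and window are assumed tuning values.

```python
"""Added example, not from the original post: flag the burst of failed
logons that a worm guessing administrator passwords over ADMIN$ shares
leaves in the Security log. The records below are constructed for the
demo, in a simplified comma-separated layout that is an assumption of
this example, not a real Windows export format."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: timestamp,event_id,target_account,source_workstation
# 529 = failed logon on Windows 2000/XP/2003, 4625 = failed logon on Vista
# and later, 528 = successful logon (kept in the sample to show filtering).
SAMPLE_LOG = """\
2009-01-20T10:00:01,529,Administrator,WS-017
2009-01-20T10:00:02,529,Administrator,WS-017
2009-01-20T10:00:02,529,Administrator,WS-017
2009-01-20T10:00:03,529,Administrator,WS-017
2009-01-20T10:00:04,529,Administrator,WS-017
2009-01-20T10:00:05,529,Administrator,WS-017
2009-01-20T10:00:05,529,Administrator,WS-017
2009-01-20T10:00:06,529,Administrator,WS-017
2009-01-20T10:05:00,529,jsmith,WS-042
2009-01-20T10:30:00,4625,jsmith,WS-042
2009-01-20T10:31:00,528,jsmith,WS-042
"""

FAILED_LOGON_IDS = {"529", "4625"}
THRESHOLD = 5                    # failures against one account from one host
WINDOW = timedelta(seconds=60)   # ... within this many seconds (assumed tuning)


def parse_events(text):
    """Return [(timestamp, account, source)] for failed-logon records only."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, event_id, account, source = line.split(",")
        if event_id in FAILED_LOGON_IDS:
            events.append((datetime.fromisoformat(ts), account, source))
    return events


def find_bursts(events, threshold=THRESHOLD, window=WINDOW):
    """Map (source, account) -> peak number of failures inside one window,
    for every pair whose peak reaches `threshold`. A sliding window over
    the sorted timestamps keeps this linear per pair."""
    by_pair = defaultdict(list)
    for ts, account, source in events:
        by_pair[(source, account)].append(ts)
    bursts = {}
    for pair, times in by_pair.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            bursts[pair] = peak
    return bursts


if __name__ == "__main__":
    for (source, account), count in find_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"{source} -> {account}: {count} failed logons within {WINDOW.seconds}s")
```

On the sample, WS-017 is reported with 8 failures against Administrator in a few seconds, while jsmith's two scattered failures stay below the threshold. The same pair (source, account) grouping is what makes the pattern visible: a worm guesses one account from one infected host, whereas a user mistyping a password shows up spread out in time.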
 
lol :tongue:

When we did a botnet, all we used was MSN spread and did all the other stuff manually.
The person who coded this certainly has to be advanced in scripting and researching if he combined such a thing that spreads basically invisibly (network spread?)
 
Andre9977 said:
lol :tongue:

When we did a botnet, all we used was MSN spread and did all the other stuff manually.
The person who coded this certainly has to be advanced in scripting and researching if he combined such a thing that spreads basically invisibly (network spread?)

lol Andre :tongue:

BTW: Is there any way to find out whether your pc is IN a botnet or not?
 
Mave said:
BTW: Is there any way to find out whether your pc is IN a botnet or not?
Not unless you get a way to go to the botnet holder's IRC network. If it is an IRC bot then most likely you will get a detection warning - IRC connections are flagged as malware. If you don't get a detection message but still suspect that you are in one, you'll have to run the suspicious program (that you think infected you) in VMware and trace the connections. Then you can hijack the botnet perhaps (if they use some RXbot or something which can easily be cracked - good for you) using some tutorial (basic password injection) or, I don't know, threaten the people to remove you from the botlist or something.

Also it would be smart not to run programs that look like those .exes (no significant image or anything). If you open up a suspicious one, it will simply plant the virus into your computer and then do nothing. It may seem like it does nothing to you, but how do you know - is the worm already spreading through your network computers, is it already infecting serious system files, has it already blocked off AV sites, is it sending spread messages to your MSN contacts?

Hehe, so be careful! And you can't hide from this Conficker unless you're "pro" lulz.
 
But if I was actually in a botnet, without knowing it, would I notice it? Would like my pc lag uber hard, or have massive internet lag?
 
Mave said:
But if I was actually in a botnet, without knowing it, would I notice it? Would like my pc lag uber hard, or have massive internet lag?
Ok, let's say you don't have an anti-virus (actually I don't ::) I run all suspicious stuff in VMware), it would be like:
(1) your internet lags if someone is using the botnet to DDoS some host (large amount of packets)
(2) certain sites would be blocked - AV sites mainly (I in fact had one virus once that sent me to SunnyPornTube when I went to free.avg.com)
(3) some programs wouldn't start up (yes, they blatantly loop and exit the programs that are labeled as a threat to the net)

If some sites are blocked, make sure you check the C:\WINDOWS\system32\drivers\etc\hosts file. Some bots (RXbot for example) modify that hosts.etc file when they are "installed" (run for the first time). Redirecting data works very simply; all you've got to do is:
Code:
127.0.0.1            free.avg.com
That would redirect data sent to free.avg.com to 127.0.0.1 (localhost - yet by default on your PC).
I think you could also redirect to sites (hmm quite unsure how to).
If you're infected that way, simply remove all but
Code:
127.0.0.1            localhost
and the stuff you've set yourself.

Some bad bot, I believe, would also cause PC lag, but if they want to work "undetected", I don't think so.
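Added example, not Andre's code or anything from the original post: a small audit of a Windows hosts file in the spirit of the advice above. It keeps the default `127.0.0.1 localhost` mapping plus whatever the owner says they set themselves, and flags everything else, calling out entries that point antivirus or update sites at a loopback or unspecified address. The hosts content is constructed (it includes the free.avg.com line from the post), and both the vendor watch-list and the `own_entries` parameter are assumptions of this example.

```python
"""Added example, not from the original post: audit a Windows hosts file
for entries that redirect antivirus or update sites, the symptom described
in the thread. The hosts content is constructed for the demo; the vendor
watch-list and the own_entries parameter are assumptions of this example."""
import ipaddress

# Constructed sample, modelled on the "127.0.0.1 free.avg.com" line above.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.

127.0.0.1       localhost
192.168.1.10    printer.lan          # set by the user
127.0.0.1       free.avg.com
127.0.0.1       www.symantec.com
0.0.0.0         update.microsoft.com
"""

# The mappings a clean file ships with.
DEFAULT_ENTRIES = {("127.0.0.1", "localhost"), ("::1", "localhost")}
# Assumed watch-list: substrings that identify AV / update vendor hostnames.
WATCHED = ("avg", "symantec", "kaspersky", "mcafee", "microsoft", "windowsupdate")


def parse_hosts(text):
    """Yield (ip, hostname, raw_line) for each mapping; comments and blanks skipped."""
    for raw in text.splitlines():
        body = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not body:
            continue
        parts = body.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue   # malformed address, not a mapping
        for name in parts[1:]:
            yield ip, name.lower(), raw


def audit_hosts(text, own_entries=()):
    """Split mappings into (kept, suspicious).

    own_entries: (ip, hostname) pairs the owner knowingly added; everything
    that is neither a default nor an own entry is reported with a reason."""
    own = {(ip, h.lower()) for ip, h in own_entries} | DEFAULT_ENTRIES
    keep, suspicious = [], []
    for ip, name, raw in parse_hosts(text):
        if (ip, name) in own:
            keep.append((ip, name))
            continue
        addr = ipaddress.ip_address(ip)
        reason = "redirects a vendor site" if any(w in name for w in WATCHED) else "unknown entry"
        if addr.is_loopback or addr.is_unspecified:
            reason += " to a sinkhole address"
        suspicious.append((ip, name, reason))
    return keep, suspicious


def rebuild_hosts(keep):
    """Return the cleaned file text containing only the kept mappings."""
    return "".join(f"{ip:<16}{name}\n" for ip, name in keep)


if __name__ == "__main__":
    kept, bad = audit_hosts(SAMPLE_HOSTS, own_entries=[("192.168.1.10", "printer.lan")])
    for ip, name, reason in bad:
        print(f"suspicious: {ip:<16}{name:<24}{reason}")
    print("--- cleaned file ---")
    print(rebuild_hosts(kept), end="")
```

Run with the printer entry declared as the owner's own, the three vendor redirects are the only lines reported and the rebuilt file is the two-line clean version the post describes. Run without `own_entries`, the printer line is reported too, as an "unknown entry" rather than a sinkhole, which is the right behaviour for a file you did not set up yourself.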
 
When I had it I formatted my PC constantly because you can't get rid of it; it blocks all sites and everything except offline features... even antivirus can't. It can only detect and warn you.
 