Topic: Deadline Approaches for Conficker (Downadup) Worm


Corrine
Deadline Approaches for Conficker (Downadup) Worm
« on: March 25, 2009, 11:58:34 PM »
It is estimated that there are well over a million Windows PCs currently infected with Conficker. As illustrated in code at the CA Security Advisor Research Blog, on April 1, 2009, the infected machines will attempt to generate 50,000 URLs daily to download an additional component with new instructions.

Think globally and realize that April 1 will arrive earlier in other parts of the world than Europe, U.S., Canada and even Australia.  Ensure that Security Bulletin MS08-067 is installed on your computer.  For other preventative steps, see Time is of the essence.


Take a walk through the "Security Garden" -- Where Everything is Coming up Roses!

Remember - A day without laughter is a day wasted.
May the wind sing to you and the sun rise in your heart.

Paddy
Re: Conficker worm gets an evil twin
« Reply #1 on: March 26, 2009, 12:42:57 PM »
Quote
Romanians find cure for conficker
Removal tool may spell the end for the notorious Windows worm
Darren Pauli 12/03/2009 17:16:00

BitDefender has released what it claims is the first vaccination tool to remove the notorious Conficker virus that infected some 9 million Windows machines in about three months.

The worm, also known as Downadup, exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through a buffer overflow vulnerability in Windows Server Service where it disables the operating system update service, security center, including Windows Defender, and error reporting.

Security experts claim the worm is the worst infection to date, second to the SQL slammer worm that devastated the Internet in 2003.

The Romanian security vendor said its removal tool, available here, will delete all versions of Downadup and will not be detected by the virus.

Senior malware analyst Vlad Valceanu said the worm is difficult to remove because it contains an in-built update service.

“BitDefender Labs has been seeing an increase in worms, like Downadup, that have a built-in mathematical algorithm, generating strings based on the current date,” Valceanu said in a written statement.

“The worms then produce a fixed number of domain names on a daily basis and check them for updates.

“This makes it easy for malware writers to upgrade a worm or give it a new payload, as they only have to register one of the domains and then upload.

Link to Removal Tools:

 http://bdtools.net/


Paddy..
This is one race of people for whom psychoanalysis is of no use whatsoever - Sigmund Freud (about the Irish)

Never argue with a fool, they will lower you to their level and then beat you with experience.
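The date-seeded domain generation that Valceanu describes is also what lets defenders precompute each day's list and watch their DNS logs for it. The following is an added example, not code from the article or from BitDefender: a hypothetical, constructed DGA (the algorithm and seed are made up and are not Conficker's) with a matcher that flags clients in constructed BIND-style query-log lines, using a day window because, as the first post notes, April 1 arrives at different times around the world.

```python
import hashlib
import re
from datetime import date, timedelta

# Hypothetical, constructed date-seeded DGA used only to illustrate the idea;
# it is NOT Conficker's real algorithm and the seed is made up.
SEED = b"constructed-example-seed"
TLDS = ("com", "net", "org")

def daily_domains(day, count=50):
    """Derive `count` deterministic domains for `day` (same list on every run)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).digest()
        length = 8 + digest[0] % 5                       # 8..12 letter label
        label = "".join(chr(97 + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[13] % len(TLDS)]}")
    return domains

# Matches constructed BIND-style query-log lines such as
# "01-Apr-2009 00:03:12 client 10.0.0.7#52341: query: foo.com. IN A +"
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN ")

def flag_dga_lookups(log_lines, day, window_days=1):
    """Return {client_ip: set(domains)} for clients that resolved a domain on the
    DGA list for `day` or for `window_days` days either side of it (hosts in
    other time zones switch to the next day's list earlier or later)."""
    watch = set()
    for delta in range(-window_days, window_days + 1):
        watch.update(daily_domains(day + timedelta(days=delta)))
    hits = {}
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()
        if qname in watch:
            hits.setdefault(m.group("ip"), set()).add(qname)
    return hits

# Constructed sample log: 10.0.0.7 resolves a domain taken from the 1 April 2009
# list (so the sample stays consistent with the algorithm); 10.0.0.9 does not.
APRIL_FIRST = date(2009, 4, 1)
SAMPLE_LOG = [
    "01-Apr-2009 00:03:12 client 10.0.0.7#52341: query: "
    + daily_domains(APRIL_FIRST)[3] + ". IN A +",
    "01-Apr-2009 00:03:13 client 10.0.0.7#52342: query: update.microsoft.com. IN A +",
    "01-Apr-2009 00:04:01 client 10.0.0.9#40001: query: www.example.org. IN A +",
]
```

Calling `flag_dga_lookups(SAMPLE_LOG, APRIL_FIRST)` reports only 10.0.0.7; running the same log against the list for 31 March still catches it because of the one-day window.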

Corrine
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #2 on: March 26, 2009, 06:37:43 PM »
SANS ICS has a link to the BitDefender tool as well as those developed by other vendors:  http://isc.sans.org/diary.html?storyid=5860

Based on what has been seen, it is likely they will leave bits behind but they should get the bulk of the mess off the system.


zep516
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #3 on: March 27, 2009, 05:30:09 PM »

In the run up to April 1st, McAfee is offering a special build of its stand-alone cleaning tool christened Stinger which will be updated on a daily basis to include any undetected Conficker variants from the wild.

Please ensure that your copy of Microsoft Windows is patched and security software is fully up to date to ensure that April 1st 2009, is a day like any other day!

http://www.majorgeeks.com/McAfee_AVERT_Stinger_Conficker__d6157.html

zep.

Info from another forum...
You're only as safe as your last update.

Corrine
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #4 on: March 27, 2009, 08:56:06 PM »
I know that there is a lot of hype about the April 1 date, and I am included in promoting it.  The problem is that no one knows what to expect.  Is it a "doomsday" alert?  No.  But, if infected and online, you can be certain that the infected machine will be part of the attempt to generate the 50,000 URLs daily to download whatever the additional component may be.

Could that additional component be used on the infected machines as a botnet to seek out other unprotected computers?  Could it be as a DDoS?  In my opinion, it doesn't matter.  MS08-067 should have been installed last year. 

I have seen more infected computers in the past six months without a software firewall (and some also without an antivirus software) than I have seen in the past five to ten years.  Are these the same irresponsible people who drink and drive?


Eric the Red
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #5 on: March 27, 2009, 11:34:43 PM »
Quote
Are these the same irresponsible people who drink and drive?

Maybe, but I think that we now have evidence that they are the people who run the UK! See http://www.theregister.co.uk/2009/03/27/conficker_parliament_infection/
"The time to start running is around about the "e" in "Hey, you!" "
Proud member Since 2004 

The information I provide is provided "AS IS" without warranty, and confers no rights.

Corrine
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #6 on: March 28, 2009, 09:48:47 PM »
Update posted in Conficker Information for the Home Computer User.  Includes instructions for disabling autorun & file sharing.


R-C
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #7 on: March 30, 2009, 02:37:06 PM »
In the most recent Windows Secrets newsletter there is an excellent article which covers the issues that people who are currently infected are experiencing, in that they cannot get to any of the removal tools or help sites, including Windows Update, to get the patch.  Very good info.
Run a Conficker removal tool before April 1

Corrine excellent write up on your blog also!
registered Linux user:476595
May inspiration fill your heart and hands, run down your legs onto your feet and cause Spontaneous Dancing! :dance:

R-C
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #8 on: March 31, 2009, 04:23:29 AM »
Looks like they might have hit paydirt on stopping it in time; we can be hopeful at least!
Researchers exploit Conficker flaw to find infected PCs

Busted! Conficker's tell-tale heart uncovered

Corrine
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #9 on: March 31, 2009, 03:29:03 PM »
Although very important, particularly considering that Conficker has already hit the House of Commons, military, hospitals and other corporate entities, that is for networks, R-C.  Network Admins can run the tool to find out if there are any infected PCs on the LAN or WAN.  (Sadly, at least as of yesterday, the very first Google search result for "nmap conficker" was malware.Nmap.)

If you can reach Microsoft Updates, ESET, Sophos, Symantec, etc., then your computer is not infected with this worm and there is no need to run the removal tool.  (Illustrated in the BitDefender video on the BitDefender downadup (Conficker) removal tool:  http://www.youtube.com/watch?v=P9Oj01CI0dM )

On the other hand, to help protect your computer from Conficker as well as other worms, trojans, etc., the same instructions apply -- Microsoft Security Updates, A/V, Firewall, disable file sharing & autorun.

If infected with Conficker, until the domain is blocked, the BD tool is available here.


Eric the Red
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #10 on: March 31, 2009, 07:25:37 PM »
We are now over nine hours into April 1st and so far there is nothing major to report. If you want to follow developments, keep an eye on F-Secure's weblog, e.g. http://www.f-secure.com/weblog/archives/00001643.html

Paddy
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #11 on: March 31, 2009, 11:32:15 PM »
Quote
Security experts are downplaying the potential impact of a virus which some believe is set to strike on 1 April.

Conficker has infected up to 15 million computers to date and is set to change the way it works on Wednesday.


http://news.bbc.co.uk/1/hi/technology/7973131.stm

Paddy.. :blink:

Corrine
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #12 on: March 31, 2009, 11:52:57 PM »
The videos at F-Secure of Mikko & Patrik's Conficker presentation are fascinating.


Paddy
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #13 on: March 31, 2009, 11:59:25 PM »
Corrine, I think the BBC is downplaying this threat / or just reporting the downplay  :)
http://news.bbc.co.uk/today/hi/today/newsid_7973000/7973672.stm

Paddy..

Eric the Red
Re: Deadline Approaches for Conficker (Downadup) Worm
« Reply #14 on: April 01, 2009, 08:04:14 AM »
Quote
The videos at F-Secure of Mikko & Patrik's Conficker presentation are fascinating.

F-Secure have also a good Q&A page at http://www.f-secure.com/weblog/archives/00001636.html