Latest Conficker worm gets nastier

The authors of the latest variant of the Conficker worm are upping the ante against security vendors who are working to stop the spread and threat of the persistent program.

Conficker.C shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also is programmed to begin connecting to 50,000 different domains on April 1 to receive updated copies or other malware, as opposed to connecting to 250 domains a day as previous versions are doing, Ben Greenbaum, senior research manager for Symantec Security Response, said on Friday.

The authors of the code are "strengthening their hold on their collection of infected machines at the same time they are attempting to strengthen their ability to control those machines by moving to 50,000 domains," he said.

A self-described "cabal" of companies, including Microsoft, Symantec, and a host of domain registration providers, have been trying to thwart the efforts of Conficker by pre-registering and locking up the domain names being used by the worm to distribute updates.

Now that Conficker.C is targeting 50,000 domains, the group has its work cut out for it, Greenbaum said. Regardless, "it's unknown at this point whether (boosting the domains) is an effective sidestep around the cabal's actions," he said.

The worm, also called Kido or Downadup, was first detected in November and is believed to have infected more than 10,000 computers. The first two versions exploit a vulnerability that Microsoft patched in October.

The second variant, Conficker.B, was detected last month. It added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.

Among the domains targeted by Conficker was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on Friday, Sophos said last week. However, a Southwest spokesman said there had been no impact to the site from any additional traffic as a result of Conficker.

Experts are urging computer users to apply the Microsoft patch and update their antivirus software. And this week, Enigma Software Group and BitDefender announced free Conficker removal tools.

Conficker has proved to be such a nuisance that for information leading to an arrest in the Conficker case.

Symantec has more technical and historical details on Conficker on its Web site.

[Lerianis3]

Easy answer to this problem with the websites: simply make an international agreement that any site that is being used by virus writers and SOLELY for virus writers is automatically forfeit and will be shut down, no matter WHAT country they are found in.
I highly doubt that even CHINA would want to be connected with these idiots.

[Hunnter2k3]

But there is still that little chance that it could well have BEEN China.
Imagine having all that power, millions of machines that could work together to crush your enemy.

And taking down websites isn't going to work out so easily, sadly.
They have a hard enough time killing IRC rooms with botnets connecting. (worse when it is public rooms that are completely innocent)
Creating the international agreement is much harder than you think, Russia for example already have very lax laws when it comes to the internet.

[Lerianis3]

Excuse me? It is not that hard to kill IRC rooms with botnets connecting, and there are methods to realize that "Hey, this is a bot..... BAN/DISCONNECT!"
With websites, it's even easier to do, because you just have to go to the domain registrar and inform them "Hey, this site is being used for a botnet..... remove it from your listings permanently and lock the domain forever."

[Hunnter2k3]

I find it funny how they somehow think that they will even find this person.
It could be me, it could be Elinor, it could be Bill Gates himself, they will just never be able to find this person. (and i'm not the kind of person who throws "never" around carelessly)

Somehow, i don't think Microsoft realize how easy it is to sneak into someone's wireless, inject some worm and that's it.
Props if they actually used a massive wireless hotspot (train stations, hotels, etc), so many people leave their connection easily open, shares, etc.
There are so many ways they could have gotten this thing online.

And lets say that they find a hotspot that it appears to be uploaded from (most likely scenario),
1) IDing the person is pretty slim,
2) You'd have to search every single person who goes through there, day in, day out,
3) It isn't exactly hard to have an innocent computer with some malicious code saved entirely in RAM, uploaded with a spoofed address, then RAM drive "self destructs" and shreds its own driver.
The chances of finding the creator are pretty much 0%.
The only chance is if the person admitted it.

[pentest]

Never say never. If the guy who wrote it has a loose tongue, while say drinking, someone will turn them in for the money.

It is better to say, not likely.

[shellcodes_coder]

Just keep your system up-to-date. I have my Vista x64 system up-to-date with no antivirus installed and till now I have never had any virus infection. Yo :)

[pentest]

How would you know if you had one? Not all viruses cause noticeable effects.

[Lerianis3]

He could run anti-virus on an occasional basis using on-line or 'on-demand' virus scanners. Personally, I would like Norton to go that way: on-demand virus scanning of only files that have been changed since the last scan was done. Kaspersky has that now... where you can have the program only run when you wish it to run, saving some processor cycles and giving power back to the applications you are running.

[shellcodes_coder]

pentest: I don't run any antivirus. I even have Windows defender disabled.
How would you know if you had one? Well I have written an application that will periodically check for SHA1 checksum of all the running applications and if the SHA1 checksum does change (via updates etc), then it will notify me. Then...you know or just monitor the applications that run in the background and registry settings etc

[tm_anon]

@shellcodes_coder

So basically, you're running a homemade antivirus without the possibility of moving it into quarantine or simply deleting it completely from your system.

You may argue that it does more. I agree, your program does more, but it's still doing the same job without some of the bells and whistles.

[Jonathan]

*Waits for the first mactard to come on and say that just switch to a Mac and you will be fine* Or just keep your damn system patched and you would also be fine. But NOOOOO. Users have to be retarded and lazy. These same users prob aren't even running SP2.

[pentest]

It is possible to get this even with a fully patched system, so who is retarded?

[kelmon]

I'm trying to decide what is worse - those people who post relatively unhelpful comments like "get a Mac" or those people who think they are hilariously funny by baiting them with silly comments like "Waits for the first mactard to come on". Didn't you grow out of pathetic name calling at school?

[SpiritWater]

Got a trojan last week by visiting AppleInsider.com. It took 5 different anti-malware products to completely clean the machine. I visited the AppleInsider.com site on my Mac and it warned me there was malware on the site and to go back to the previous page. I believe Safari taps into a Google tech that identifies site that have malware infections. Anyway, Safari can do that so why can't IE do the same?

[pentest]

IE hardly ever catches malicious sites. Safari does, as well as FF.

[Lerianis3]

Because Microsoft has been too lazy to put this functionality into their browser. Opera has this, Firefox has this, Safari has this..... IE's the only major internet browser on the market right now that DOESN'T have this. Heck, even IE's phishing protections don't work right or well..... they need to take a cue from Firefox and Safari on these things.

[SactoGuy018]

This is all the more reason you need to have a decent full Internet security suite running on your computer, especially if you are connected to a broadband connection. I use Norton Internet Security 2008 and because it automatically updates itself with the latest malware definitions in the background, I will be assured that I have the latest protection against these quite nasty malware.

[pentest]

Norton is a joke and behaves just like a virus. You are better off with free programs. Hell, I have slipped obvious malware by Norton such as keyloggers that utilize the very helpful, but obvious MS supplied SetWindowsHookEx, a custom driver(read: rootkit) loader and doesn't even alert when it loads a module into the kernel, and that is with no trampoline set up to hide it from the loading process. On the other side it clamps down hard on Cain, which is not malware in and of itself, whines about various kernel debuggers, and I have seen it shut down nessus and nikto. You can tell it to ignore these problems, but eventually it reverses your settings. It completely takes over your system and refuses to let go, even though it is a slow, bloated, buggy mess.

Another thing you are missing is that all anti-malware software is behind the curve, they are reactive, not proactive. If you are expecting them to save you, you will eventually be in for a rude surprise.

[nickh2]

If Norton were to do its job properly it would delete itself. Can you say PIFTS.EXE?

[eetsheet]

Two thumbs down for both Norton and McAfee. Trend Micro, AVG, and many others do the job much better. pentest is correct.

[Lerianis3]

Pentest is wrong, I have to say. Why would you need to run a kernel debugger on your system? That is NOT a normal user thing in the slightest. As to Nikto and Nessus.... never even heard of those two programs. Keyloggers? Excuse me, but they do warn you about them, period and done with. I've had it warn me about them numerous times.

As to being reactive and not proactive...... yeah, they are, because that is the best way to do things without handing over processor cycles unnecessarily to these programs all the time.

[METAPAN]

Does anybody know how to avoid it?

[tm_anon]

2 ways to avoid it each and every time

1) don't use Windows

2) don't connect to any device or any service that is not already loaded onto your computer, including installing software, just in case the manufacturor of that software was infected prior to the creation and distribution of that software.

[Lerianis3]

Give me a break, Mactard. Not using Windows is NOT a legitimate way to avoid a virus, seeing as how there are viruses for MacOSX and Linux systems. Neither is the second thing that you mention there.

If you want to avoid this virus: be sure to scan anything you download from a 'flaky' source (and any site that you are not ABSOLUTELY SURE of the files coming off it like Download.com or MajorGeeks is a flaky source!). Also, use Vista with UAC running. This thing CANNOT get automatically installed on a Vista system with UAC on it, you would have to KNOWINGLY allow the program to run that has this thing attached to it.

[Dalkorian]

Name one OS X virus, Lerianis. Just one. Trojans don't count and if you don't understand why then stay quiet and let people wonder if you're a fool.

[tm_anon]

@Lerianis3

OS X has trojans, no viruses though. Linux has viruses. They're well documented, there are even instructions on how to install them on your machine since they don't spread. I mean, the only way to get a virus on Linux is to build it yourself.

By the way, the thing you're talking about that can't get installed on a Vista machine with UAC on. Yeah, it's gotten on Vista machines with UAC on. In fact, until the patch got through, it was flying right by UAC. With the patch, it's still spreading to other machines, all Windows.

So tell me something, how exactly is the solution of not using Windows NOT a legitimate way to avoid the "virus"?

Oh, and another thing, Conficker is a worm, not a virus, and I use Linux, not Mac. Get your facts straight. Notice I neglected to call you by any derogatory names throughout my response, do try and grow up. Adults don't use name calling as a debate tactic.

[JCPayne]

"I'm a Win-doze PC."
*cough* *cough* *hack* *cough*
"kill me, pleaseee"

Ohh Mojave!

[Lerianis3]

Get real. There are viruses for OSX and Linux, so stop the bullcrap. Try giving something LEGITIMATE to the discussion, like real methods to avoid these things.

[nickh2]

"There are viruses for OSX ..."

Name one. Just one, this is all I am asking.

Oh yeah, trojans don't count. Has to be a real virus.

[jtjt145]

Told you so!
DO NOT USE WINDOWS

[Lelouche_vi_Britannia]

The best way to protect yourself against this is to update your Windows installation. If you're already infected I'd pretty much go with the sollution provided by bitdefender on http://www.downadup.org

That removal tool worked for a friend of mine and as far as I know from my experience with BitDefender, it won't miss a thing if it's up to date and you have tweaked a little the configuration.

[tolicster]

If were infected I would surely go for the removal tools from bitdefender. Like I've said on my review I don't see any safer solution for the time being. Good thing I'm keeping my antivirus and win up to date so that it never even had a chance to come close to my PC. :)

[basdej]

you never play games do you?

mac is ****, because theres nearly no software for it.

muhahahahaha, windows rulezzzzzzzzzzzzzzzz

[vmlenigma]

Ah I can run Windblows on my Mac, but why ruing such a beautiful thing eh? I cant wait Conficker starts formatting all window HDs LOL
I guess Microcrap never told you guys about the TAX you have to pay for paying for such a cheap unstable piece of crap


Windows is like a Venereal Disease, If you dont use protection You are bound to get a BUG

[jayhawk73]

this is a nasty nasty virus. I got it from who knows where. I have the MS patches, SP3, Bitdefender running, etc....but 2 days in a row Bitdefender said it couldn't contact the update server (hint #1) then I tried to click on my drive in my computer and it said there was a problem with a COM file (hint #2) finally I tried to install the bitdefender fix and I was told I no longer had admin rights on my computer. I changed my login back to admin rights and watched it erase the admin rights as soon as I clicked OK.

I said screw it and formatted the drive and re-installed windows. Probably a little extreme but worth it not having to worry about what's going to happen next.

Like I said I have no idea how I got it. One day it was fine the next it was hosed.

[28yrsTech]

MacScan, need I say more?

[Zonny]

"And this week, Enigma Software Group and BitDefender announced free Conficker removal tools. "

BitDefender, I trust.

But my research tells me that Enigma is NOT a reputable source of anti-malware programs. BEWARE,

[Lelouche_vi_Britannia]

I wouldn' go either with Enigma especially after I saw that video of theirs with 3 restarts and 3 of 4 traces removed.

If it were to be infected with it or something I'd surely go with BitDefender that already proved useful on my friends' computer earlier this week. :)

[szilagyic]

Windows has been riddled with exploits since... forever. There are other alternatives such as Linux, which is immune to widespread attacks such as this. Personally I migrated from Windows XP to Fedora 10 Linux and I can't be happier. Now I'm free from all of this chaos, worry, and overall maintenance headaches of Windows, not to mention COST.

<a href="http://members.apex-internet.com/sa/windowslinux">http://members.apex-internet.com/sa/windowslinux</a>

[vmlenigma]

Dear Conficker Virus Writer. this is what I want for Christmas
destroy all windows machine

Tommy Linux
LOL

[hellomad]

http://www.viruslist.com/en/weblog?weblogid=183651915
a cross platform virus/malware/worm all possible via a simple programming language. so? be it windows, linux, bsd, solaris, aix, hpux and last but not least THE MAC FAN BOYS, good news for you, assembly works in MAC too, see http://developer.apple.com/DOCUMENTATION/DeveloperTools/Reference/Assembler/Assembler.pdf has assembler info for PPC/PPC64 macs. so macs will get prolly screwed more than windows. now if you know assembly and IPC well? then you can write not one but trillion virus/bacterias/FUNGUS/worm/et al for MAC. now beat this MAC. so all your CLAIM on cross platform, i.e. a virus which works on all platform and MAC is good will be squashed soon. and anyway, assembly doesnt give a 2 cent screw if its PPC/i386/ia64/Sparc/ARM/x86_64 et al. if someone knows PPC arch and knows assembly inside out? YOU MAC USERS might think of changing arch? well lemme know i got some USED PC's. since assembly works in all kind of arch, all are screwed. hehehe. this is hilarious, not just intel or amd or sparc or anything. all are equally severely screwed.
MOV MAC
hopefully now annoying MAC screamers will get angry, that mac is safe. your boat fusilage got holes too man?!. yes a ? & ! & . bahahahahaha! and you will also sink along with us MAC users. hehehehe! LOL.
and who knows, if someone good with PPC assembly might have already written a few lines and prolly playing with your PPC. bahahaha!
ciao!
asm + c + IPC = MAC PISSED MAD! ;-)

[hellomad]

p.s. adding more pinch and salt and sand scrubbing paper rub to wound? http://www.menuetos.net/ this is a full assembly language operating system. so expect something soon for PPC MAC users. then? may be you can call that day doomsday aka armageddon for all MAC users. hehehehe. this is hilarious.
so proudy mac users and a simple hint on assembly may shut their boasts. bahahahaha! sad MAC FANS SAD, here my 2 drops of crocodile tears. :((
good luck MAC and PPC/PPC64 ;-)

[illmaticscripts]

<embed src="http://i.ehow.com/images/widget/rss.swf?feed=http%3a%2f%2fwww.ehow.com%2fWidgetRss.aspx%3fuserId%3d9052aee7-f8bd-4683-8873-fdb6b9319f8a" width="300" height="450" allowScriptAccess="always" type="application/x-shockwave-flash"/><br><a href="http://www.ehow.com/videos.html" target="_blank">How to Videos</a> & Articles: eHow.com