March 29, 2009 7:30 PM PDT

Conficker worm might originate in China

by Dong Ngo


Updated at 9:13 p.m. PDT with information provided by BKIS stating that the free version of its BKAV antivirus software can remove the worm from an infected computer.

There's been a lot of fuss about the Conficker worm. And here's the $250,000 question: where did the worm come from?

$250,000 is the amount of money Microsoft is putting up as a reward for any information leading to an arrest related to the case. Folks at BKIS, a Vietnamese security firm that makes the BKAV antivirus software, announced Monday that they found clues that the virus may have originated in China. Previously, there were rumors that it might have been from Russia or Europe.

The firm's conclusion is based on its analysis of the worm's code. BKIS says Conficker's code is closely related to that of the notorious Nimda, a worm that wreaked havoc on the Net and e-mail in 2001, and that at the time its own data led it to conclude that Nimda was made in China.

It's important to note that the origin of Nimda was never verified. Nimda contained text suggesting that it came from China, but a string inside a binary is in no way hard evidence: it is trivial to copy or to plant.

Even if this finding by BKIS is credible, it's hardly good news, as it does little to help the authorities lay their hands on whoever is responsible for creating the worm. Code similarity is weak evidence of authorship for the same reason embedded strings are: code gets reused and copied. At most, the finding narrows down where investigators should concentrate their attention.

Conficker is a sophisticated worm that took advantage of a hole in the Windows Server service described in Microsoft security bulletin MS08-067, which Microsoft patched out of its normal cycle in October 2008. The hole was present in 32-bit and 64-bit versions of Windows, even those with the latest service packs, and it let the worm infect an unpatched machine over the Internet or a local network with no user interaction at all. Later variants added two more routes that do not depend on the hole: copying themselves to network shares after guessing weak passwords, and copying themselves to USB thumb drives with an autorun.inf file that runs the worm when the drive is plugged into another PC. Once it is on a machine, the worm stops security services and the Windows Update service, blocks name lookups for security vendors' Web sites, and disables tools and software designed to remove it. It also lets its controller install other malicious code on the infected computer remotely.

To receive those updates, the worm is programmed to look for them on domain names it generates itself from the current date; every infected copy computes the same daily list. By April 1, the number of domains the newest variant generates each day was expected to reach 50,000, of which it actually queries a few hundred. The worm's owner needs to register only one of those names to host an update, while defenders would have to pre-register or block nearly all of them to be sure of stopping it. That asymmetry is what makes the update channel so hard to cut off, and it makes the source of the next update virtually impossible to pin down in advance.
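The mechanism described above, as an added example written for this page (it is not Conficker's own algorithm, and the real domain list is not reproduced): a toy date-seeded generator that shares the one property the text relies on, namely that the date alone determines the day's list, plus the detection signal a network defender actually gets to see, a host producing an unusual number of distinct NXDOMAIN answers. The TLD set, the log format and the log lines are constructed assumptions for the example.

```python
"""Toy domain generation algorithm (DGA) and a DNS-log heuristic for spotting
hosts that run one.  Illustrative code added for this article; Conficker's
real generator uses its own arithmetic and TLD set and is not shown here."""
import hashlib
from collections import defaultdict

# Assumed TLD set for the toy generator (illustrative only, not Conficker's).
TLDS = ("com", "net", "org", "info", "biz")


def daily_domains(day: str, count: int) -> list:
    """Deterministically derive `count` pseudo-random domains for ISO date `day`.

    The only input is the date, so every infected copy and the controller
    arrive at the same list without exchanging a single packet.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"toy-dga:{day}:{i}".encode()).digest()
        length = 8 + digest[0] % 5                             # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return names


def registrable_name(qname: str) -> str:
    """Collapse a query name to its last two labels.  Good enough for the toy
    TLD set above; production code must consult the public-suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def flag_dga_clients(log_lines, nxdomain_threshold: int = 20) -> dict:
    """Return {client_ip: distinct_failed_names} for clients whose number of
    distinct registrable names that failed to resolve meets the threshold.

    Log format (constructed for this example, one query per line):
        <timestamp> <client_ip> <qname> <rcode>
    A host walking a machine-generated list stands out by the volume of
    distinct NXDOMAIN answers, whatever the names happen to look like, and
    that volume is what the worm's owner cannot avoid creating.
    """
    failures = defaultdict(set)
    for line in log_lines:
        fields = line.split()
        if len(fields) != 4:
            continue                                           # skip malformed lines
        _ts, client, qname, rcode = fields
        if rcode == "NXDOMAIN":
            failures[client].add(registrable_name(qname))
    return {c: len(n) for c, n in failures.items() if len(n) >= nxdomain_threshold}


def build_sample_log(day: str) -> list:
    """Constructed DNS log: one clean workstation and one host running the toy DGA."""
    lines = [
        "2009-03-29T19:30:01 10.0.0.5 www.google.com NOERROR",
        "2009-03-29T19:30:02 10.0.0.5 update.microsoft.com NOERROR",
        "2009-03-29T19:30:03 10.0.0.5 wwww.cnet.com NXDOMAIN",   # a typo, one failure
    ]
    # The infected host walks today's list.  In this toy the controller has
    # registered only the third name, so every other lookup fails.
    for i, name in enumerate(daily_domains(day, 40)):
        rcode = "NOERROR" if i == 2 else "NXDOMAIN"
        lines.append(f"2009-03-29T19:31:{i:02d} 10.0.0.23 {name} {rcode}")
    return lines


if __name__ == "__main__":
    print("first five toy domains for 2009-04-01:", daily_domains("2009-04-01", 5))
    print("flagged clients:", flag_dga_clients(build_sample_log("2009-04-01")))
```

The threshold is deliberately a count of distinct names rather than a rate, so a single mistyped host name never trips it; in a real deployment you would window the count per day and whitelist known sinkhole addresses, since a sinkholed name answers NOERROR and vanishes from this signal.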

Microsoft and the Conficker Cabal, a Microsoft-led ad hoc partnership created to fight the worm, have been able to pre-register or otherwise block about 13 percent of these domain names, a number far from reassuring.

According to Quang Tu Nguyen, CEO of BKIS, there's also a chance that the worm might never return if its owner, for one reason or another, decides not to continue updating it or fails to do so. That is unlikely, however. Quang also suggests that the next outbreak might not necessarily come on April 1, as is widely speculated, but on any day. The firm does believe the worm will most likely try to update itself on April 1.

While this seems worrisome, the update of the virus will only take place on computers that have already been infected with one of Conficker's variants and are connected to the Internet. Currently, the number of infected systems is estimated to be around 10 million worldwide.

Fortunately, it's relatively easy to determine whether your computer is infected. Vu Ngoc Son, manager of BKIS' research center, provided a simple way for you to find out if your computer has the virus.

First, make sure your computer is connected to the Internet by visiting a Web site such as Google or CNET. Then try the Web sites of Microsoft and of known security companies, such as Symantec, McAfee, Trend Micro, Sophos, and Panda, and run Windows Update. If all of those work too, your computer is not showing Conficker's telltale symptom: on an infected machine the worm blocks name lookups for those sites while ordinary sites keep working. This is a quick check for that symptom, not proof of a clean system, and a corporate proxy or Web filter that happens to block the same sites will give the same result.

On the other hand, if the computer reaches Google but fails to reach the security sites or to run Windows Update, it has likely been infected. In that case, try to follow these instructions to remove it, or use BKIS' antivirus software, which can be downloaded for free. As a last resort, you can back up your data and install Windows from scratch, then immediately run Windows Update to install the latest security patches. Two cautions when you do that: a freshly installed, unpatched machine on a network with infected hosts can be reinfected before Windows Update finishes, so apply the MS08-067 patch from offline media or keep the machine off the network until it is patched; and scan the backup before restoring it, since the worm copies itself to removable drives.
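The check described above, as a script. This is an added example written for this page, not code from BKIS or from the article. It tests the layer the worm actually interferes with, name resolution, by comparing a control group of ordinary names against a group of security-vendor names; the specific vendor host names are assumptions chosen to match the vendors the article lists, and the fake resolver used for offline testing is a constructed model of the symptom, not the worm's real block list.

```python
"""Differential reachability check for the Conficker symptom: ordinary sites
resolve, security-vendor sites do not.  Added example, not the article's or
BKIS' own tool."""
import socket

# Control group: names the worm has no reason to block.
CONTROL_HOSTS = ("www.google.com", "www.cnet.com")
# Vendor group: assumed host names for the vendors the article names.
VENDOR_HOSTS = (
    "www.microsoft.com", "update.microsoft.com",
    "www.symantec.com", "www.mcafee.com", "www.trendmicro.com",
    "www.sophos.com", "www.pandasecurity.com",
)


def system_resolve(host: str) -> bool:
    """Real resolver: True if the OS can turn `host` into an address."""
    try:
        socket.gethostbyname(host)
        return True
    except (socket.gaierror, socket.herror, OSError):
        return False


def diagnose(resolve=system_resolve, control=CONTROL_HOSTS, vendors=VENDOR_HOSTS) -> dict:
    """Classify the machine from the two groups' reachability.

    Returns {"verdict": ..., "failed_vendors": [...]} where verdict is one of
      "offline"     control sites fail too, so nothing can be concluded
      "clean"       everything resolves: the Conficker symptom is absent
      "suspicious"  control sites resolve but every vendor site fails
      "partial"     some vendor sites fail: check proxies and Web filters
                    before blaming malware
    `resolve` is injectable so the logic can be exercised without a network.
    """
    control_ok = [h for h in control if resolve(h)]
    failed_vendors = [h for h in vendors if not resolve(h)]
    if not control_ok:
        verdict = "offline"
    elif not failed_vendors:
        verdict = "clean"
    elif len(failed_vendors) == len(vendors):
        verdict = "suspicious"
    else:
        verdict = "partial"
    return {"verdict": verdict, "failed_vendors": failed_vendors}


def conficker_style_resolver(blocked_substrings=("microsoft", "symantec", "mcafee",
                                                  "trendmicro", "sophos", "panda")):
    """Fake resolver modelling the symptom: refuse any name containing a blocked
    substring, answer everything else.  Constructed for offline testing; the
    substring list mirrors the vendors in the article, not the worm's real list."""
    def resolve(host: str) -> bool:
        return not any(s in host.lower() for s in blocked_substrings)
    return resolve


if __name__ == "__main__":
    # On a real machine this uses the system resolver; run it from the PC
    # you are worried about, not from a different, known-good host.
    print(diagnose())
```

A "clean" verdict only says the block-list symptom is absent; a "suspicious" one is a strong hint but still deserves confirmation with a scanner, because any malware that hooks DNS lookups the same way produces the same picture.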

Note that even when your computer is currently clean, that doesn't mean it can't be infected later; that would depend on what the next update of the worm does. A good rule of thumb is to keep the protection software on your computer updated and to keep the system current with Microsoft Update. There is a ton of free and effective antivirus software out there that you can find at Download.com.

As the current work being undertaken against the Conficker worm is mostly damage control, the best way to decrease the possibility of another outbreak is for everybody to make sure their computers are free of the virus and updated to Microsoft's latest patch.

Related stories:

Latest Conficker worm gets nastier

FAQ: Conficker time bomb ticks, but don't expect boom

Dong Ngo is a CNET editor who covers networking and network storage, and writes about anything else he finds interesting. You can also listen to his podcast at insidecnetlabs.cnet.com. E-mail Dong.
Comments (showing 1 of 2 pages, 52 comments)
by jumpjetta March 29, 2009 7:53 PM PDT
With the news of this possibly being from China, plus a New York Times article today on a computer-based spy network affecting 130 countries also being related to/originated in China (and mentioning the concept of "patriotic hacking"), when are the US and Europe's "patriotic hackers" going to finally get angry and cripple China's computer infrastructure??
by Lumiseon March 30, 2009 6:01 AM PDT
That'd be awesome if they did. If we find out what country it's from, then they simply need to hack in and cripple it.
by nitespark March 31, 2009 12:32 AM PDT
Nah, that could never happen; our nerds are too busy playing WoW.
by superaznman April 2, 2009 8:22 PM PDT
lol!
by jumpjetta March 29, 2009 7:54 PM PDT
"Made In China" takes on yet another fantastic layer of meaning, right alongside tainted food products and unsafe toys.
by bonochromatic March 29, 2009 8:13 PM PDT
@jumpjetta "when are the US and Europe's "patriotic hackers" going to finally get angry and cripple China's computer infrastructure??" - Are you serious? US hackers are pathetic when compared to Russian, eastern European and Chinese hackers. Put quite simply, they're more desperate than we are.

I live in China, and I can tell you that I wouldn't be at all surprised to learn that Conficker was created by hackers here - they have the know-how and they don't have enough reasonable opportunities for themselves here.
by 86lg4b4c March 30, 2009 3:58 AM PDT
Boo-hoo, cry me a river. They seem to keep busy sending our kids junk.
by ConfickerInfoDotCom March 29, 2009 8:45 PM PDT
Great write-up. I fear that with the April Fools' Day target date many people will consider this a hoax. Truth be known, Conficker is a growing trojan that began with Conficker-A and now has evolved to Conficker-C. Microsoft reported that they first discovered the trojan in November 2008. For all Windows-based PCs, make sure you run a full Windows update, and combined with a leading anti-virus you should be well protected. http://confickerinfo.com
by sharmajunior March 29, 2009 8:49 PM PDT
People who do this kind of stuff should be tortured while being videotaped and then killed.
Then the tapes should be sent to the respective governments to show them and shame them in front of the whole world.
by 1363nd0f1337 March 29, 2009 8:56 PM PDT
If anyone really gets infected by this they deserve no sympathy. There's already a security update for this available and they should have up-to-date AV. Also, DON'T CLICK ON THINGS THAT YOU DON'T KNOW WHO SENT THEM/YOU DON'T KNOW WHAT IT IS!
by Lumiseon March 30, 2009 6:02 AM PDT
What about those who can't afford damn good anti-virus software, you moron!? And anyway, the worm is apparently able to already hack into the computers anyway. Learn some facts, mongrel.
by Seaspray0 March 30, 2009 9:57 AM PDT
@Lumiseon. Who can't afford free antivirus software and free windows updates, both of which would have stopped you from becoming infected or removed the infection? Please tell me who can't afford free.
by ferretboy88 March 29, 2009 9:20 PM PDT
I am so sick of China. Let's just have the war and get it over with. That is what they want. They will fall just like Russia.
by Perry_Clease March 30, 2009 4:39 AM PDT
Russia still exists
by Lumiseon March 30, 2009 6:03 AM PDT
I think he meant the USSR. But yes, we need to take China and get it over with. A war with them is inevitable. Go to war with them, kick their rears, shoot the hackers.
by sythara March 30, 2009 8:25 AM PDT
Haven't you played Fallout? Don't you know what happens when you mess with China?
by Seaspray0 March 30, 2009 10:05 AM PDT
China has not shown itself to be a militarily aggressive nation. I would give them higher marks on not interfering in other countries' affairs than my own USA. Other than the shoddy products, no respect for global copyright laws or trademarks, poor environmental policies, and oppression towards their own people, the citizens tend to be very gracious and kind.
by superk666 March 30, 2009 11:30 PM PDT
Don't be silly, you ferret! Russia never fell. Besides, WAR is the last thing you should hope for in the U.S. when it's obvious that you can't even handle Afghanistan, much less Iraq... and you want a war with CHINA???? HAHAHA!!!

Whatever happened to "Americans are for democracy, not war!"
by sharmajunior March 31, 2009 5:09 PM PDT
First a rigged Cisco router to spy on our government and now this f*****g worm. China is having its last days. No country controls the internet and patrols it as much as they do, and then they end up screwing everything for everyone.

I am also sick of China and the cheap ******* (y) products that come outta there. Bought and returned 18 routers in a year. How much crap can they make and sell? The companies should take note of this poor quality. QC really fell after products started to be made there.
by December 4, 2009 7:47 AM PST
I agree let's send in like 50 nukes and wipe them off the map.
by rdelfin March 29, 2009 9:27 PM PDT
For the commenters that have made this into a nation A vs. nation B issue....typical American ignorance....it is one thing that the virus *might* (still not confirmed) have originated in China, and it's a whole different thing that the Chinese government produced this. This is not a national attack, this is a hacker attack (and the hackers *happened* to be Chinese, just as it could have been the case they were from any other part of the world). The "let's attack China" attitude is what makes us look not only ignorant but arrogant in front of the whole world (and I feel sorry for the vast majority of Americans who are neither stupid nor arrogant).
by monkeyfun14 March 30, 2009 5:28 AM PDT
Typical American ignorance?

Typical European bigotry?

God forbid Americans voice their opinions about another country, but Europeans call us fat ***** and idiots.
by CrashPad63 March 30, 2009 6:59 AM PDT
You gotta understand the old world will be jealous and fearful of the power we hold. And why not? That idiot Bush used it so shamelessly, made all America look like the problem not the solution to the worlds ills.
by sythara March 30, 2009 8:28 AM PDT
rdelfin, hahaha, you're funny. Maybe once you've lived in the US and appreciated all its luxury, then you can understand that we can trash talk all we want and that's our right. Yeah, our right. Something that you don't have in most other countries in the world.
by Mr. Dee March 29, 2009 10:06 PM PDT
I guess I better turn up the UAC setting in Windows 7 to max! I haven't updated the free kaspersky antivirus since January.
by CrashPad63 March 30, 2009 7:07 AM PDT
If you patched in October, no fears.
by Seaspray0 March 30, 2009 10:07 AM PDT
Since the Windows 7 beta wasn't available until after the patch was released in October, I don't think you'll have to worry about that too much.
by acls78 March 29, 2009 11:26 PM PDT
Setting the WORM issue aside for a moment, the whole CHINA thing is unnerving. Not only the toys, the food, THE HUMAN and not so human viruses, the copying of anything and everything without permission and the reselling of said goods, thereby undermining the exact companies which contracted them. The repeated spying thing, the growth of their production of military weapons, their purchasing nuclear bombs from the USSR when it fell and warships, lending the USA large sums of money then calling for the devaluation of the dollar: these are all steps to be number one in the world, do not get it twisted! Research their actions since CLINTON opened up greater trade with them (ignoring worker and human rights issues, the 1st Pres. in the history of the USA to ever do so). CHINA IS GETTING READY TO MAKE ITS MOVE; IT WILL NOT BE TOMORROW BUT IT IS REAL AND IT IS COMING. What better way to control the world than to control the information highway, and the USA has fallen behind in tech advances. So, if we want to retain the freedom of our nation and the world we need to stop taking CHINA FOR A JOKE. They have a long range plan.
by hellomad March 30, 2009 12:14 AM PDT
"As a last resort, you can also backup your data and install Windows from scratch, then immediately run Windows Update to install the latest security patches."

My questions: what if the author already sent a modification code? Since we got no info as to what kind of encryption it's using and what kind of crypto it's using, we will never know what kind of instructions were sent/set to mutate it. Isn't it?

Number 2 question: if it's a PCI based rootkit malware which is ACPI independent, then ACPI needs to be shutdown/stopped till it's fixed and then applied after a thorough check. Isn't it?

Number 3: suppose we take a backup and the backup or backed-up files had the malware/virus/worm/rootkit? How to combat that? Because I manage a few PCs here which are Windows machines, and if they adopt stealth tech then all my combat techniques are useless, especially if it's a PCI based attack where the cracker got access to my BIOS and perhaps may trigger it again via a PCI related command using any remote access methods. Then I am back to square one and lose-lose zero-zero as opposed to win-win 20-20 suggested here.

Any help on this subject may be useful. As for me? I am using Debian GNU/Linux, so I guess I am free of these things. But anyway, the paranoia always drives first, then insanity and then everything else.

And sharmajunior, you are an abnormal case and utter idiot and a brain defect with epilepsy and autism infected brainless braindead idiot. If the programmer is baffling so many, then the first thing is he/she must be a brilliant coder. And second, rather than wasting such talent by killing, we may ask them to protect us from further attacks rather than listen to your posts and push ourselves to a point of committing suicide. Retard. sharmajunior YAAFM.
by KillConfickerC March 30, 2009 1:03 AM PDT
I think computer users need to start becoming more aware of the risks involved with P2P programs and torrent downloads. I think people have gotten careless as more people are downloading movies and games and whatnot.
http://killconfickerc.com
by 7r4m March 30, 2009 1:34 AM PDT
BKIS is supposed to be famous soon in the security field of IT world for this announcement. Last week, they also challenged the whole IT world by the claim that the reputable VB Test is "out of date" and BKIS would introduce a new method of anti-virus program verifying method when they join VB2009 this September in Geneva. If you're fluent in Vietnamese, you can read the full article about their statement on this site http://cuocsongso.thanhnien.com.vn/news/Pages/200913/20090327095721.aspx
by s1974lee March 30, 2009 1:52 AM PDT
This company has a free download to remove the Conficker virus from your PC with their Downadup Remover Tool. They also have a total security product with antivirus, anti-spyware, firewall downloads etc. See their news article, Downadup Remover: http://www.k7computing.com/index.php/News/k7computing-neutralizes-the-latest-internet-worm.html
by cOnfCuKer March 30, 2009 1:52 AM PDT
This stuff on bkis definitely STINKS. It clings on to the deathly glamour of the damn conficker to be here. How could a cnet-someone here know much about a bkis-that-nobody-know-what-it-is, I wonder.
by grajzl March 30, 2009 4:41 AM PDT
I agree with KillConfickerC; a lot of people have become lax about what they download. I would not be surprised to see it came from the RIAA or the MPAA. They have already been known to set up fake torrents and the like; this is just the next step for them.
by mike1s1 March 30, 2009 7:59 AM PDT
Well, no wonder my server keeps getting port scanned by Chinese IPs, but my firewall is blocking it...
by sythara March 30, 2009 8:30 AM PDT
I am surprised there are no apple fanatics here raving on how their OS is better.
by Norseman March 30, 2009 9:43 AM PDT
Apple fanatic here. I was just wondering if an unpatched Mac without any AV software could have keystrokes "hijacked". No? Hmmmmm. Maybe Macs are worth paying a few bucks extra for, huh?
by Seaspray0 March 30, 2009 10:18 AM PDT
@Norseman. Yes it can. Once the computer is owned, virus software can do whatever it was programmed to do.

It took less than 2 minutes for a Mac to be owned at the last Pwn2Own contest.
http://news.cnet.com/8301-1009_3-10199652-83.html?tag=mncol;posts

The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years.
http://news.cnet.com/8301-1009_3-10154662-83.html
by Shian_Infinity March 30, 2009 12:24 PM PDT
Linux kernel has way less vulnerabilities than Windows and Mac if in the correct hands. ;p
by nickh2 March 30, 2009 1:11 PM PDT
Huh? How do you suppose a Windows .exe is going to run on Mac OS X?
by Norseman March 30, 2009 10:37 AM PDT
I've heard all about the sandbox exercises and vulnerability statistics. Tell me about some of the wide-spread, "in-the-wild" EXPLOITS that Macs have experienced. OK--tell me about just one.

Louder. I can't hear you.
by 1363nd0f1337 March 30, 2009 4:21 PM PDT
http://www.macfixit.com/article.php?story=20090326104010541

How's that for you? All operating systems can be compromised.