Conficker also installs fake antivirus software
Researchers have discovered another feature of the Conficker worm that provides an additional clue about the intent of the creators--the worm installs malware that masquerades as antivirus software, Trend Micro said on Friday.
The worm, which has infected millions of Windows-based computers on the Internet, is downloading a program called Spyware Protect 2009 and displaying warning messages saying that the computer is infected and offering to clean it up for $49.95, according to the Trend Micro blog.
[Image caption: If you see this pop-up message, chances are your computer is infected with Conficker. The latest feature of the widespread worm is that it installs fake antivirus software on infected machines. (Credit: Trend Micro)]
The infection alerts repeatedly appear, and experts are worried that people may be clicking on them and paying for the software just to be rid of the annoying messages, thereby handing thieves their credit card information.
The fake antivirus program also attempts to install a Trojan downloader that is programmed to download new versions of Spyware Protect 2009, according to Kaspersky Lab's blog. However, the domain the Trojan downloader was being accessed from has been shut down, the blog said.
The fake antivirus feature further bolsters the speculation that the motivation behind the worm is to make money and not a desire to disrupt computer or network operations.
Researchers were still analyzing new component code for the worm, which on Wednesday began spreading via peer-to-peer and being downloaded from domains that host the Waledac worm, but they were finding the task difficult because the instructions are encrypted.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.
Despite all the news the worm has made, many computers still remain unpatched, Sophos said. Of the number of people who have used Sophos' free endpoint assessment test to check the security risk of a network since the beginning of the year, 11 percent did not have the Microsoft patch installed, according to Graham Cluley's blog at Sophos.
For the month of March, 10 percent of all of the people who used the Sophos assessment tool were missing the patch, he said. The company did not divulge exactly how many people had used the tool and Cluley said the statistics cannot be extrapolated to represent the number of unpatched systems on the Internet.
In an indication of infection rates, IBM's Internet Security Systems group released statistics that show that the number of unique IPs infected with Conficker.C is increasing slightly.
Based on infections seen through monitoring devices in its IBM ISS' Managed Security Services, the number has grown from just over 64,000 on April 2 to more than 71,000 on April 8, according to the unit's Frequency X blog.
"We've seen around 11 percent more unique IPs in the past few days in comparison to a week ago," the blog said, also adding that the number doesn't necessarily indicate the scope of worldwide Conficker infection.
Nearly 60 percent of the infections monitored by IBM ISS are in Asia, followed by 18 percent each in Europe and South America, and 4 percent in North America, the statistics show. By country, China leads with 16.6 percent, followed by Brazil at 10.8 percent, Russia at 10.2 percent and Korea at 4.6 percent, according to ISS.
To check if your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn. There is also a Conficker removal guide on CNET's Download.com site.
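The "eye chart" style of check mentioned above relies on the behaviour described earlier: the worm blocks access to security vendor sites while leaving other sites reachable. The following is an added example (not the Eye Chart's own code or anything from Trend Micro, Sophos or IBM) that compares reachability of a few security vendor hosts against control hosts and turns the difference into a verdict; the host lists and the assumption that a blocked site simply fails to fetch are mine.

```python
"""Eye-chart style reachability check (added example, not code from the page)."""
from urllib.request import urlopen
from urllib.error import URLError

# Vendors named in the article; any site with a well-known security name works.
SECURITY_HOSTS = ["www.trendmicro.com", "www.kaspersky.com",
                  "www.sophos.com", "www.microsoft.com"]
# Control hosts: constructed sample, should be reachable on a healthy machine.
CONTROL_HOSTS = ["www.cnet.com", "www.example.com"]


def http_reachable(host, timeout=5.0):
    """True if a plain HTTP GET to the host gets any response at all.
    Assumption: an infected host fails the fetch (lookup or connect) outright."""
    try:
        with urlopen("http://%s/" % host, timeout=timeout):
            return True
    except (URLError, OSError):
        return False


def classify(results, security_hosts=SECURITY_HOSTS, control_hosts=CONTROL_HOSTS):
    """Turn per-host reachability (host -> bool) into a verdict string."""
    sec_ok = sum(1 for h in security_hosts if results.get(h, False))
    ctl_ok = sum(1 for h in control_hosts if results.get(h, False))
    if ctl_ok == 0:
        return "no-connectivity"        # nothing reachable: cannot conclude anything
    if sec_ok == 0:
        return "likely-blocked"         # controls fine, every security site fails
    if sec_ok < len(security_hosts):
        return "partially-blocked"      # mixed result: inspect by hand
    return "no-sign-of-blocking"


def run_check(fetch=http_reachable):
    """Probe every host with `fetch` and classify; `fetch` is injectable for tests."""
    results = {h: fetch(h) for h in SECURITY_HOSTS + CONTROL_HOSTS}
    return classify(results), results


# Constructed sample results covering each outcome (no network needed).
SAMPLE_BLOCKED = dict({h: False for h in SECURITY_HOSTS}, **{h: True for h in CONTROL_HOSTS})
SAMPLE_OFFLINE = {h: False for h in SECURITY_HOSTS + CONTROL_HOSTS}
SAMPLE_CLEAN = {h: True for h in SECURITY_HOSTS + CONTROL_HOSTS}

if __name__ == "__main__":
    verdict, results = run_check()
    for host, ok in sorted(results.items()):
        print("%-22s %s" % (host, "ok" if ok else "FAILED"))
    print("verdict:", verdict)
```

A "likely-blocked" result is a prompt to scan with an up-to-date tool from a known-clean machine, not proof of infection; a corporate proxy or filter can produce the same pattern.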
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press. E-mail Elinor. 
"Why can't Microsoft can't get anything right?"
I have a question for you - are you under the delusion that Apple does get it "right"? This is only an issue on Windows XP - VISTA is safe, and also... MICROSOFT PATCHED THE FLAW IN OCTOBER!!! It's not MS's fault that its users do not update the product.
I'm not standing up for them, because I hate a lot of what MS does, but a virus outbreak isn't their fault, and they have done everything they can to stop its spread.
This is only an issue on Windows XP - VISTA is safe, and also...
-----------------------------------------------------------------------
Where does this lie keep coming from? Fista isn't any safer than XP regarding Conficker, otherwise it wouldn't be included in the patch! Look over the affected systems that MS08-067 patches and explain why fista is included if it's so "safe". Try to avoid any M$ spin arguments, please.
by paulsecic April 11, 2009 9:43 AM PDT
"Why can't Microsoft can't get anything right?"
I have a question for you - are you under the delusion that Apple does get it "right"? This is only an issue on Windows XP - VISTA is safe, and also... MICROSOFT PATCHED THE FLAW IN OCTOBER!!! It's not MS's fault that its users do not update the product.
I'm not standing up for them, because I hate a lot of what MS does, but a virus outbreak isn't their fault, and they have done everything they can to stop its spread."
Obviously you aren't educated enough to realize there are many more OS's available than Apple's Mac OS and MS's Windows. Assuming that paulsecic is talking about an Apple to Windows comparison is ludicrous.
To answer paulsecic's question "Why can't Windows get anything right?", it really isn't a matter of getting it right or wrong. Computers and operating systems are programmed by people, who aren't perfect. There happens to be other people out there who can find the open holes in the system and exploit those weaknesses. Since MS Windows is so widely used, and remains to be the OS of choice by most of the computer users on the globe, the exploits are mainly aimed at Windows. If another OS was as popular, the parasites would exploit that one. There is no OS that "has it right" but there are those that attempt to thwart most attacks better than others.
Some people just don't think or check it out first before they do things.
Same with the junk friends send me that I have to check out and then find it's another scam.
But hey, at least this will reduce the piracy rate (or so I hope).
Microsoft simply needs to realize (as do other companies) that they are NEVER EVER EVER EVER EVER going to stop piracy....... until they start charging a REASONABLE AMOUNT for their products.
Even if they did charge a reasonable amount people would still do it.
People pirate $5 apps
Even if they did charge a reasonable amount people would still do it.
People pirate $5 apps
"
a very good point - MS doesn't charge that much btw - it's 139 for XP Pro, that's been the cost of the software for a while, and for home, if you're buying OEM (if you buy retail box, I only need ask...WHY?), is roughly the same, slightly more because of more features.
Heck, OSX 10.4 is $129 bucks, and that's just the service pack for OSX 10.3 (to all the poor people who have 10.0,1,2,3 anyway... feel worse for that guy who has 10.1, then got 2, then got 3, and now got four... dang.)
Each of these "families" are based on the same design, the "Aqua" interface on top of Darwin (a derivative of OpenBSD), but include different feature sets. That is simplifying things pretty drastically, but the premise holds. Expose and FileVault came with 10.3, Automator and Dashboard came with 10.4, Spaces and TimeMachine came with 10.5.
I feel for the poor suckers who paid for 3.1, then 95, then 98, then ME, then 2000, then XP ... only to get raked over the coals for fista and then this new "fista sp3 - AKA w7" garbage. How many of those "changes" were actually nothing more than service pack improvements over the previous versions? Hint: 98 was nothing more than 95 with some of the more critical bugs removed, ME is known as being nothing but a repackaged 98 with more bugs *INTRODUCED*, XP was eye-candy on top of 2000. To make matters worse, M$ introduced WGA - meaning upgrading winblows actually gives you a MORE LIMITED system than what you started with, now including a kill switch that's under M$'s full control. I guess since you were stupid enough to buy winblows to begin with, it proves to them that you can't be trusted to control your own computer, so they include this kill switch to keep you under their control.
My last computer 2 weeks ago got a virus and only was 1/2 fixed by Avira and I could not open IE, so I put my old/new HP online.
I ran MS Windows Update but it did not offer the Conficker patch.
I looked at my past updates and nothing; actually there were about 4 other patches that were not recommended in the AutoUpdate, which I read about when downloading the Conficker patch.
Why is that? It boggles my mind to think that it may be somehow attached to my IP.
It should have scanned and said YOU NEED THE CONFICKER PATCH, YOU DON'T HAVE IT.
I am so pissed I had to do this all manually. What a waste of time and research. The only other thing I can think of is that when I downloaded Service Pack 3 it already had the patch, in which case I have redownloaded it and installed it. But when I ran it and the system said "INSPECTING" it should have said, YOU ALREADY HAVE RUN THIS PATCH.
Also any patches I download from the list show up in my Add/Remove but not on my Automatic Update history on the MS website. This is so confusing and makes me irate beyond belief.
Gosh, I love the internet, but this OS and actually my hardware is making me think of retiring my systems and getting a dog and the newspaper and a short wave radio.
I might just do that, I think the novelty is wearing off because of all the crap.
I talk to people who I never meet, I research stuff I quickly forget, I play games that stop me from doing chores. I think I've saturated myself for long enough and hackers and MS's lack of care for its OS is just getting to me.
There's no such thing as anonymity anymore. My life is now a stamp with an IP address and that's just not about where I live. I think my virtual world must be unplugged. My real world needs work.
I just don't need the Fear mongering anymore.
Conficker Worm: Help Protect Windows from Conficker
http://technet.microsoft.com/en-us/security/dd452420.aspx
Microsoft Security Bulletin MS08-067 - Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Linux is a good alternative to Windows, until it's time to upgrade machines. Then, I highly recommend a Macintosh to most people. This guy "superthings" obviously wants a safe and trouble-free computing experience. Linux will be safe and trouble-free, only if it's configured properly from the get go and he makes no major changes to it. Just installing new software is a huge problem for most new users with Linux, depending on the distro used. I only recommend Linux to people that have an intermediate to advanced knowledge of computers OR they won't be installing software and modifying the OS. I don't like being "tech support" to my friends and family. But if you feel like taking on "superthings" as a client, then by all means do so. At least he won't have to worry about conficker anymore with Windows! Poor guy sounds like he's ready to eschew all technology!!
Why is that? It boggles my mind to think that it may be somehow attached to my IP.
It should have scanned and said YOU NEED THE CONFICKER PATCH, YOU DON'T HAVE IT.
----------------------------------------------------------------
I'm confident that I can reassure you they wouldn't attach the presence of the patch to the IP itself in the way you describe. Think of how that wouldn't work in a corporate environment, where many machines run through a NATing router and appear to have only one IP on the public side. M$ can be pretty brain dead at times, but not this brain dead.
As others have mentioned, it's MS08-067 you want. I don't think it would have been rolled into SP3 because I think SP3 came out before that patch, but I could be wrong about that. The patch MS08-067 came out in October 2008, I think SP3 predates that by a few months at least. You'll have to patrol M$'s KB articles (Knowledge Base) to figure out how to determine if that particular patch is installed or not.
Something to consider if you have unused hard drive space is to partition that for a Linux install (Ubuntu is pretty easy to deal with in general, though there are many others to choose from). You'll end up with what's called a "dual-boot" machine, where you can still boot winblows when you desire to feel the whips and chains of M$ controlling you but have the freedom to try Linux when security is of utmost importance.
Not kidding here, CNet had a video on here saying that is how they are viewed.
Still, it's unethical, immoral, and flat out illegal to steal. I am very sympathetic, and these days even empathetic, to their plight. But stealing is not the answer. They are criminals and should be punished accordingly.
If they have all this know-how and energy to engage in illegal activity, they have energy to do something constructive. Crime is only a short term fix, a personal fix. It does nothing to improve their society, for the long term. It's a sign of weakness of character.
Really, people just need to upgrade to Vista and Windows 7 (when it comes out later this year). They have protections that would have stopped Conficker in its TRACKS, before it even got started.
my personal recommendation is to take an afternoon and dual-boot your machine with a small non-windows OS of some sort, so when windows goes down you won't.
Yup, windows delivers that in spades.
Lerianis, Vista and 7 can and do have Conficker. Even a patched system can get infected if the delivery vector is changed. The patches don't stop it from running, just block the infection vectors. New ones are constantly being found.
Do you really want the NSA to send out a worm to infect everyone running Windows?
Turn automatic updates on(select "Notify me but don't automatically download or install them"). Then don't download Windows Genuine Advantage Notifications or KB905474. Still get all the updates but no way MS know your windows is fake.
I guess if you're stupid enough to run winblows to begin with you can't be trusted to run a computer without a remote kill switch in it.
1. Call your credit card company and tell them that the card number has been stolen and you want it cancelled and a new card sent to your address of record.
2. Change every password you have - to your work email, to your bank account, to Amazon, etc. I am sure they have all been compromised.
3. Use software like Kaspersky anti-virus and SuperAntiSpyware to find all the hidden malware. It usually takes running several complete scans after rebooting before it has all been cleaned out.
4. Swear an oath to patch your machine on time.
5. Swear an oath not to click on pop up boxes that you don't expect and fully understand.
6. Consider permanently unplugging your computer and renewing your subscription to Readers Digest.
PS. Follow MD-240Z's advice first. I would start with changing my passwords (on a different computer), then cancel the credit cards.
Might not be. But the above is a consideration.
Intelligence agencies do do these sorts of things and put a great deal of planning into it.
I can see laypeople and even security professionals closing that door, but until you have solid evidence otherwise you really can not do that.
1. It's mainly Windows that is so susceptible. Until they plug up all the holes, they don't stand a chance of making any progress. The whole model of the operating system is flawed when it comes to security.
2. People have to be educated about security. Until each and every user is security conscious, there will always be a problem.
3. Until we make it not worth the effort to write these viruses, there will always be people writing them. If not enough people fall for them, see 2, then it won't be worth the effort.
4. If the punishments are harsh enough, then it won't be worth it, see number 3.
All of these things have to happen (and probably some others I've neglected to put down) before there will be any serious impact on viruses and spam. By the way, the country that is the source of the majority of spam is the United States. In the meantime, lock down your computers, be security conscious, run Mac OS X or Linux if you can, and be wary!
The long term solution to this problem is genetic diversity. No operating system should have more than 10% of the market.
There is no need to get infected these days, even visiting dodgy sites. One other thing, use caution with search engines. Google comes up with a lot of bad sites, Lycos and Yahoo are safer.
by One-Eared Gundark April 13, 2009 9:32 AM PDT
Looks like I'll be getting more repair business coming my way.
by The_happy_switcher April 13, 2009 11:24 AM PDT
More like MORON sitting between keyboard and chair. You don't need any fancy abbreviations.
by pithenumber April 13, 2009 12:25 PM PDT
@Applerocks
When I ship a cleaned PC back to the owner, I always include instructions on how to keep free of viruses and malware. In 100% of the cases I've handled, it is PEBKAC (Problem Exists Between Keyboard And Chair).
PEBCAK is an inside joke for computer repair guys.
It's a way to insult the customer without them knowing, so yes, we do need fancy abbreviations.