WinMX World :: Forum  |  PC Aid Station  |  General PC Aid  |  Beware Conficker worm
Author Topic: Beware Conficker worm  (Read 8141 times)


cord73 (MX Hosts)
Beware Conficker worm
« on: April 01, 2009, 02:31:36 am »
Tomorrow -- April 1 -- is D-Day for Conficker, as whatever nasty payload it's packing is currently set to activate. What happens come midnight is a mystery: Will it turn the millions of infected computers into spam-sending zombie robots? Or will it start capturing everything you type -- passwords, credit card numbers, etc. -- and send that information back to its masters? Here's the site to check it out some more: http://tech.yahoo.com/blogs/null/132464;_ylt=ApUXIGXJhIm._s7G9nQjfMgazJV4

Daniel (Forum Member)
Re: Beware Conficker worm
« Reply #1 on: April 01, 2009, 05:21:20 pm »
I think this Conficker worm is going to turn out like Y2K. It's April 1st, and the worm isn't doing anything except trying to 'phone home' more aggressively from what I've read.
- Have a nice explosive day.

White Stripes (Core)
Re: Beware Conficker worm
« Reply #2 on: April 02, 2009, 08:29:05 am »
http://mtc.sri.com/Conficker/ (conficker 'A' 'B' and 'B++')

http://mtc.sri.com/Conficker/addendumC/index.html (conficker 'C' -- draft analysis)

Breakdown of Conficker/Downadup for the geeky types... and it's a nasty little bastard...

Now if only mainstream software were written with this kind of precision...

Daniel (Forum Member)
Re: Beware Conficker worm
« Reply #3 on: April 02, 2009, 11:39:51 am »
They should take a break from coding Conficker's P2P protocol and work on WinMX's.
- Have a nice explosive day.

White Stripes (Core)
Re: Beware Conficker worm
« Reply #4 on: April 02, 2009, 01:10:10 pm »
http://en.wikipedia.org/wiki/Conficker

This part of the article is rather disturbing:
Quote
On 15 October 2008, Microsoft released an emergency out-of-band patch to fix vulnerability MS08-067, which the worm exploits to spread. The patch applies only to Windows XP SP 2, Windows XP SP 3, Windows 2000 SP4 and Windows Vista; Windows XP SP 1 and earlier are no longer supported.
emphasis mine...

Last I looked, a lot of MXers and other P2P'ers are using SP1 because of the broken TCP/IP of SP2 and SP3.... but there is no fix to protect against Conficker/Downadup for SP1...


..and Daniel... it would be nice to have programmers with those skills working on WinMX (imagine if WinMX could patch the TCP/IP limit of SP2+ in memory without crashing the system... would definitely be some coding voodoo...) ... but I'd rather they not have that 'viral' mentality....

Lagerlout666 (Forum Member)
Re: Beware Conficker worm
« Reply #5 on: April 02, 2009, 10:25:12 pm »
Patching tcpip.sys I thought about and tested. After patching tcpip.sys in memory, have you ever tried to stream anything to an Xbox or PS3? It doesn't work. I've spent hours trying to work out why and could never find a cure for it. The one and only way is to modify the file itself. But on XP tcpip.sys is loaded at boot-up, very early in the boot-up process for some reason; I don't know why so early, but whatever. So, back on topic: WinMX would have to reboot an XP machine. Vista, though, is different: you can patch tcpip.sys and it's effective straight away. But again, on Vista, if you use the patch that works in memory you lose Xbox 360 and PS3 functionality. Now, I don't know why it does this, and I've seen about the place a few folks with the same error codes I was receiving, but the second I uninstalled the software patch, blam, it would work instantly.

When making the patch installers I actually considered streamlining in a tcpip patch and wrapping it in an AutoIt script to fire up and teach folks about what it is. But it was yet another step in the install process and I didn't want to confuse things. I actually have it all built and ready; it just never went in.
The Solution to 99% of winmx problems

nap.winmxgroup.net        -ONLINE again YAY!!!!!! :D

Praises daily at the church of "Kopimi"

White Stripes (Core)
Re: Beware Conficker worm
« Reply #6 on: April 03, 2009, 02:28:08 pm »
Set up a Linux-based media server for the PS3 and 360... can also install Samba to use it as a general file server as well....

Windows is just a bad joke at this point.....

-edit-

You have to live with reduced functionality or the Conficker/Downadup worm at this point if you are using XP..... take your pick....

GhostShip (Ret. WinMX Special Forces, WMW Team)
Re: Beware Conficker worm
« Reply #7 on: April 09, 2009, 08:14:43 am »
It seems this beastie has begun updating itself and folks should be on high alert.

http://news.cnet.com/8301-1009_3-10215678-83.html

Quote
The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.
The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.



For the concerned there is a simple test located here to check if your machine is possibly compromised.

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html


White Stripes (Core)
Re: Beware Conficker worm
« Reply #8 on: April 09, 2009, 07:54:59 pm »
The confickerworkinggroup.org (149.20.56.65) site does not work in and of itself... and no, I'm not accessing it on a Windows machine (the MS-issued patch for Conficker avoidance was installed a -very- long time ago on my one-token Wintendo anyway)...

No ping response (67 packets transmitted, 0 packets received, 100% packet loss) and the HTTP server does not answer...

$ curl -v confickerworkinggroup.org
* About to connect() to confickerworkinggroup.org:80
* Connect failed* Closing connection #0
curl: (7) Connect failed

A scary thought: if Conficker is being used as a massive DDoS system... this thing could take down even microsoft.com.... maybe Google, but I'm not so sure about that one...

Forested665 (Forum Member)
Re: Beware Conficker worm
« Reply #9 on: April 09, 2009, 10:10:24 pm »
If the estimated infected computers aren't off, it could cause the equivalent of a doubling in Google traffic without the infected users ever knowing (unless they are above-par users and watch their logs).
BSD -  The Daemons Are No Longer Just Inside My Head.

GhostShip (Ret. WinMX Special Forces, WMW Team)
Re: Beware Conficker worm
« Reply #10 on: April 09, 2009, 11:41:06 pm »
The page works fine for me and I have double-tested it at intervals to be certain; can I suggest you look into alternative reasons for not being able to reach the site.

White Stripes (Core)
Re: Beware Conficker worm
« Reply #11 on: April 10, 2009, 02:39:56 pm »
Hmm... site works now... guess they were down for maintenance when I tried to visit....

...just falls into my category of luck... lol...

--edit--

Code:
$ curl -v confickerworkinggroup.org
* About to connect() to confickerworkinggroup.org:80
* Connected to confickerworkinggroup.org (149.20.56.65) port 80
> GET / HTTP/1.1
User-Agent: curl/7.10.2
Host: confickerworkinggroup.org
Pragma: no-cache
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, */*

<meta http-equiv="refresh" content="0;url=/wiki/">
* Connection #0 left intact
* Closing connection #0

Besides... using other connection methods? (with Squid, without Squid.... trying to access it through pages like http://anonymouse.org/)

You should know me by now :wink: .... I'd throw every page in the book (then the book itself if I got pissed :lol:) at a problem like that.....
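The check behind the eye chart GhostShip linked, together with the control-site comparison that separates an outage like the one White Stripes hit from a blocked lookup, as an added example. This is my code, not the Conficker Working Group's and not from the thread. The assumed mechanism: later Conficker variants hook the DNS query API on the infected host so that names containing vendor strings (symantec, kaspersky and the like) fail to resolve while everything else keeps working; the eye chart loads images from such sites and watches which ones appear. The script does the name-resolution half of that from a command prompt. The vendor and control host lists are my assumptions (the controls are two of the sites the Trend Micro quote says the worm itself contacts), and the verdict only means something when run on the suspect Windows box itself: a proxy, a Squid cache or another machine's resolver bypasses the hook, which is why a failure seen from a Linux box says nothing about infection.

```python
"""DNS-level eye chart for Conficker's name filter.

Added example, not the Conficker Working Group's code and not from the thread.
Assumed mechanism: later Conficker variants hook the DNS query API on the
infected host so lookups for names containing vendor strings fail, while
ordinary names keep resolving. Run this on the suspect Windows box itself;
a proxy or another machine's resolver bypasses the hook.
"""
import socket
from typing import Callable, Dict, List, Optional, Tuple

# Constructed host lists (my assumption, not from the page). The controls are
# two of the sites the Trend Micro quote says the worm contacts for its own
# connectivity check, so the worm has no reason to block them.
VENDOR_HOSTS: List[str] = [
    "www.symantec.com",
    "www.f-secure.com",
    "www.kaspersky.com",
    "www.confickerworkinggroup.org",
]
CONTROL_HOSTS: List[str] = ["www.cnn.com", "www.msn.com"]

Resolver = Callable[[str], Optional[str]]
Lookups = Dict[str, Optional[str]]


def system_resolver(host: str) -> Optional[str]:
    """Resolve through the machine's own stack; None when the lookup fails."""
    try:
        return socket.gethostbyname(host)
    except socket.gaierror:
        return None


def fake_resolver(table: Lookups) -> Resolver:
    """Resolver backed by a fixed table, for offline runs and tests."""
    return lambda host: table.get(host)


def classify(lookups: Lookups, vendor_hosts: List[str], control_hosts: List[str]) -> str:
    """Turn raw lookups into a verdict.

    no-network        the controls fail too, so nothing can be concluded
                      (the curl 'Connect failed' earlier in the thread was
                      this case: an outage, seen from a non-Windows box)
    suspect-conficker controls resolve, every vendor name fails: the pattern
                      the eye chart looks for
    clean             everything resolves
    inconclusive      a mix, e.g. one vendor site genuinely down
    """
    if not all(lookups.get(h) for h in control_hosts):
        return "no-network"
    vendors_ok = sum(1 for h in vendor_hosts if lookups.get(h))
    if vendors_ok == len(vendor_hosts):
        return "clean"
    if vendors_ok == 0:
        return "suspect-conficker"
    return "inconclusive"


def eye_chart(resolver: Resolver = system_resolver,
              vendor_hosts: List[str] = VENDOR_HOSTS,
              control_hosts: List[str] = CONTROL_HOSTS) -> Tuple[str, Lookups]:
    """Resolve every host once and return (verdict, per-host results)."""
    lookups: Lookups = {h: resolver(h) for h in list(vendor_hosts) + list(control_hosts)}
    return classify(lookups, vendor_hosts, control_hosts), lookups


if __name__ == "__main__":
    verdict, lookups = eye_chart()
    for host in VENDOR_HOSTS + CONTROL_HOSTS:
        print(f"{host:32} {lookups[host] or 'FAILED'}")
    print("verdict:", verdict)
```

A "suspect-conficker" verdict is a reason to run a removal tool, not proof on its own: a hosts-file block or a content filter produces the same pattern, and the original Conficker.A did not filter DNS at all, so a "clean" result does not clear the machine either.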

Forested665 (Forum Member)
Re: Beware Conficker worm
« Reply #12 on: April 10, 2009, 11:05:19 pm »
According to the CBS national news
(who still think they are going to use keyloggers),
the new estimate of infected users since the "general awareness" period has reached 15 million. Even less than a KB of upload from those users is more than enough to do some major damage.
Microsoft has issued a 250k USD bounty for the arrest of the creators.

I can only hope that the people never get a hold of this technology.
While it could easily fight the MPAA, RIAA, and groups like Media Defender, there's no telling what the general populace would do with that kind of power.
BSD -  The Daemons Are No Longer Just Inside My Head.

White Stripes (Core)
Re: Beware Conficker worm
« Reply #13 on: April 11, 2009, 06:03:10 am »
I think they are just testing the waters with that supposed keylogger payload.... this thing is gonna get nasty....

Forested665 (Forum Member)
Re: Beware Conficker worm
« Reply #14 on: April 11, 2009, 04:49:41 pm »
If the estimate of "15 million" is correct, a keylogger would fill Google's hard drives with text files within minutes. For them to be looking for credit card numbers and bank accounts, it will be their great-great-great-grandkids that find the first one in that garbage of text.
BSD -  The Daemons Are No Longer Just Inside My Head.

White Stripes (Core)
Re: Beware Conficker worm
« Reply #15 on: April 11, 2009, 10:19:57 pm »
Could just be targeting specific machines but infecting all of them.... and like I said... could just be a test of the waters... (see how fast the AV companies can decrypt the thing)

tig (Forum Member)
Re: Beware Conficker worm
« Reply #16 on: April 13, 2009, 01:49:01 pm »
Okies guys... could we find a fix for this in case anyone has it or we need to help them get rid of it. Please make it simple and sweet for those around that ummm cannot speak computer talk.
People become really quite remarkable when they start thinking that they can do things. When they believe in themselves they have the first secret of success. BY Norman Vincent Peale

Forested665 (Forum Member)
Re: Beware Conficker worm
« Reply #17 on: April 13, 2009, 03:03:42 pm »
A fix has been posted on almost every page mentioning it.
The wiki: http://en.wikipedia.org/wiki/Conficker

Quote
On 15 October 2008, Microsoft released an emergency out-of-band patch for vulnerability MS08-067, which the worm exploits to spread. The patch applies only to Windows XP SP 2, Windows XP SP 3, Windows 2000 SP4 and Windows Vista; Windows XP SP 1 and earlier are no longer supported.[55]

Microsoft has since released a removal guide for the worm, and recommends using the current release of its Malicious Software Removal Tool[56] to remove the worm, then applying the patch to prevent re-infection.[57]
Run the Malicious Software Removal Tool.
To do this, open the command prompt and type
Code:
MRT.EXE /F:Y
Then run Windows Update to apply the patch to prevent reinfection.

The easy step is that third-party AV companies have developed third-party tools.
BitDefender, Enigma Software, ESET, F-Secure, Symantec, Sophos, and Kaspersky Lab have released detection updates to their products and are able to remove the worm. McAfee and AVG are able to remove it with an on-demand scan.
These tools can currently be located on the home pages of the respective vendors' websites.

-edit- Most of the third-party removal tools are free and are alluded to work better than Microsoft's MRT.
BSD -  The Daemons Are No Longer Just Inside My Head.

tig (Forum Member)
Re: Beware Conficker worm
« Reply #18 on: April 13, 2009, 03:08:02 pm »
Can we have it easier than that? As I have said, for someone who doesn't know PC talk... so, like, steps in a tutorial?
People become really quite remarkable when they start thinking that they can do things. When they believe in themselves they have the first secret of success. BY Norman Vincent Peale

Forested665 (Forum Member)
Re: Beware Conficker worm
« Reply #19 on: April 13, 2009, 03:18:38 pm »
Idk how much easier I can make this.
For Microsoft's method:
Click Start
Click Programs
Click Accessories
Click Command Prompt
Inside the black box that appears, type
Code:
MRT.EXE /F:Y
Let it complete
Click Start
Click Windows Update (automatic for Vista, I believe)
Read the Terms of Service presented by Microsoft
If you agree to them, click I Agree and follow the on-screen instructions
If you do not agree, do not click Continue; close the page and choose another method.

For third-party tools:
Open your web browser.
Using the search bar or the address bar, type the name of the antivirus company you most trust that was mentioned in the earlier post.
Hit Enter and it will take you to either A) their page or B) a search page in which one of the first few results shall be the one you are looking for.
On this website's home page there should be mention of the Conficker removal tool.
Navigate to its page and select to download it.
If prompted by Internet Explorer, click Run.
If prompted after the download, click Run.
The program will begin its installation.
Upon completion it will ask if you would like to run it when you click Close/Finish.
Check this box for yes,
then click Close or Finish.
The program will appear on your page; you should then follow its instructions or the instructions provided on the site from which you obtained it to remove the tool.
BSD -  The Daemons Are No Longer Just Inside My Head.
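A way to verify the outcome of the Microsoft steps in the two posts above (MRT, then Windows Update), as an added example: my code, not Microsoft's and not from the thread. A machine that is cleaned but left unpatched is reinfected by the next scan from the LAN, so the thing worth checking afterwards is whether the MS08-067 fix is actually installed. Assumptions not stated on the page: the MS08-067 fix is tracked as hotfix KB958644; `wmic qfe get HotFixID` lists installed hotfixes (present on XP Professional and Vista, not XP Home); MRT.exe sits in %SystemRoot%\system32 and takes the /F:Y switch quoted above; and platform.win32_ver() reports the service pack as 'SP1', 'SP2' and so on. The "unsupported" branch reflects the Wikipedia quote earlier in the thread: there is no patch for XP SP1, so on such a box MRT alone cannot keep the worm off and the service pack has to be upgraded.

```python
"""Verify that the Conficker spreading hole (MS08-067) is closed after cleanup.

Added example, not from the thread. Run as Administrator on the cleaned box:
    python ms08_067_check.py          # report only
    python ms08_067_check.py --mrt    # run MRT /F:Y first, then report
Assumptions (not on the page): KB958644 is the MS08-067 hotfix id, and
`wmic qfe get HotFixID` is available (XP Professional / Vista, not XP Home).
"""
import os
import platform
import subprocess
import sys
from typing import Iterable, List

MS08_067_KB = "KB958644"  # assumed hotfix id for the MS08-067 fix


def parse_hotfix_ids(wmic_output: str) -> List[str]:
    """Extract KB ids from `wmic qfe get HotFixID` output.

    The first line is the column header; XP also lists rows such as
    "File 1" or "Q147222" that are not KB-numbered, so keep only KB<digits>.
    """
    ids: List[str] = []
    for line in wmic_output.splitlines():
        token = line.strip().upper()
        if token.startswith("KB") and token[2:].isdigit():
            ids.append(token)
    return ids


def patch_status(hotfix_ids: Iterable[str], release: str, service_pack: str) -> str:
    """Classify a machine from its hotfix list and OS level.

    patched      KB958644 is present.
    unsupported  XP SP1 or earlier: Microsoft shipped no fix, so MRT alone
                 cannot keep the worm off this machine (the point raised
                 earlier in the thread); upgrade the service pack.
    unpatched    a supported OS without the fix: run Windows Update.
    """
    if MS08_067_KB in {h.upper() for h in hotfix_ids}:
        return "patched"
    if release.upper() == "XP" and service_pack.upper() in ("", "SP1"):
        return "unsupported"
    return "unpatched"


def installed_hotfixes() -> List[str]:
    """Query the live machine (Windows only)."""
    out = subprocess.run(["wmic", "qfe", "get", "HotFixID"],
                         capture_output=True, text=True, check=True).stdout
    return parse_hotfix_ids(out)


def run_mrt() -> int:
    """Run the Malicious Software Removal Tool with a forced full scan."""
    mrt = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                       "system32", "MRT.exe")
    return subprocess.call([mrt, "/F:Y"])


if __name__ == "__main__":
    if "--mrt" in sys.argv[1:]:
        run_mrt()
    release, _version, sp, _ptype = platform.win32_ver()
    status = patch_status(installed_hotfixes(), release, sp)
    print(f"Windows {release} {sp or 'RTM'}: MS08-067 {status}")
    sys.exit(0 if status == "patched" else 1)
```

The exit code makes the script usable from a batch file that loops over the machines on a LAN: anything other than 0 is a box that can still be hit by an infected neighbour, whatever the AV scan said.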

©2005-2024 WinMXWorld.com. All Rights Reserved.