gfxgfx
 
Please login or register.

Login with username, password and session length
 
gfx gfx
gfx
76649 Posts in 13454 Topics by 2082 Members - Latest Member: nike66 September 20, 2021, 07:55:20 am
*
gfx*gfx
gfx
WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Conficker wakes up, updates via P2P, drops payload
gfx
gfxgfx
 

Author Topic: Conficker wakes up, updates via P2P, drops payload  (Read 915 times)

0 Members and 1 Guest are viewing this topic.

Offline DaBees-Knees

  • WMW Team
  • *****
Conficker wakes up, updates via P2P, drops payload
« on: April 09, 2009, 06:37:43 pm »
http://www.cnn.com/2009/TECH/04/09/conficker.activated/index.html

Quote
The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday. This piece of computer code told the worm to activate on April 1, researchers found. Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro. The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said. The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog. Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro. "After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added. On Tuesday night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea. "As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!" In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson. The worm tries to access a known Waledac domain and download another encrypted file, the researchers said. Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry. Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm. The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords. The worm disables security software and blocks access to security Web sites.

It would seem that it's doing something after all.  :scared:

Offline Forested665

  • Forum Member
  • Linux:2003 FreeBSD:2004 Debian/BSD developer:2006
Re: Conficker wakes up, updates via P2P, drops payload
« Reply #1 on: April 09, 2009, 07:48:39 pm »
This does make me wonder though.
Seeing two computers infected im not saying the conficker is fake.
But it does make me wonder how easy it would be for the Anti-virus companies to "fabricate" a fake virus and a "removal" tool to scare thousands of people into buying their product.
I don't think trend micro is dumb enough to pull such a stunt, but i wouldn't put it past mcaffee.
Same scenario is oddly similar to the "three strikes" scare a couple weeks ago. Would seem the greatest control companies have over people is the people themselves.
BSD -  The Daemons Are No Longer Just Inside My Head.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Conficker wakes up, updates via P2P, drops payload
« Reply #2 on: April 09, 2009, 08:58:15 pm »
what about the free AVs that can remove it... along with the also-free MS issued malware remover...

i wouldnt put it past norton (money) or even microsoft (WGA doesnt work so release a worm to do the job of killing pirate windows... and do a little sniffing on the RIAA/MPAAs behalf on the side?) to do this either as well...

course more sinister plots could be forming..... im just waiting for the massive DDoSing and DNS posining...

Offline Forested665

  • Forum Member
  • Linux:2003 FreeBSD:2004 Debian/BSD developer:2006
Re: Conficker wakes up, updates via P2P, drops payload
« Reply #3 on: April 09, 2009, 10:06:41 pm »
Quote
course more sinister plots could be forming..... im just waiting for the massive DDoSing and DNS posining...
When I first learned of the conficker worm (and posted a thread about it)
my first impression was not disimilar to my impression of sabre firewalling peeps he doesnt like from his caches.
I seen the conficker as someones mid-life crisis creation to play god with the internet. He doesnt like your site and BOOM you have 3 million computers using less then 2kb of their bandwidth to crawl your site.
For those of you who don't know or dont wish to do the math, that's roughly 600 terrabytes per second of traffic. More then what then what alot of ISPs can even handle.On the brightside if it was to click advertisements it would gain the target site a good bit of money from their paid advertising wich also has the con of putting the sponsor into bankrupcy.
BSD -  The Daemons Are No Longer Just Inside My Head.

Offline RReactor

  • Forum Member
Re: Conficker wakes up, updates via P2P, drops payload
« Reply #4 on: April 12, 2009, 06:58:34 am »
so what is this conflicker doing actually ? what are the symptoms? and actually i would agree that really you would almost want to look at what companies have the most to gain from something like that
RReactor

Offline Forested665

  • Forum Member
  • Linux:2003 FreeBSD:2004 Debian/BSD developer:2006
Re: Conficker wakes up, updates via P2P, drops payload
« Reply #5 on: April 12, 2009, 07:36:43 pm »
Right now its still.... basically doing nothing other then proving a point.
The most suspected course of action by the AV groups and the government "officials" is that somebody will spoof their mac address and sit in an alley behind a hotspot upload the instructions to the decentralized network it has formed. And from there shut down any website/isp they wish.
BSD -  The Daemons Are No Longer Just Inside My Head.

Offline White Stripes

  • Core
  • *****
  • ***
  • Je suis aimé
Re: Conficker wakes up, updates via P2P, drops payload
« Reply #6 on: April 12, 2009, 07:50:10 pm »
its already doing something;

downloading fake AV tools and the waledac spammer tool... watch your inboxes...

http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/

Offline Forested665

  • Forum Member
  • Linux:2003 FreeBSD:2004 Debian/BSD developer:2006
Re: Conficker wakes up, updates via P2P, drops payload
« Reply #7 on: April 13, 2009, 01:39:11 am »
had forgotten about that.... and the little popups to bring you to a pay site.
hmm... that seems like one of 300 other viruses... maybe Confickers purpose is truely a cartels toy. "Want people to buy your product pay us 300 dollars we will force advertisement upon millions of people by infecting them with a different virus."
BSD -  The Daemons Are No Longer Just Inside My Head.

WinMX World :: Forum  |  Discussion  |  WinMx World News  |  Conficker wakes up, updates via P2P, drops payload
 

gfxgfx
gfx
©2005-2021 WinMXWorld.com. All Rights Reserved.
SMF 2.0.18 | SMF © 2021, Simple Machines | Terms and Policies
Page created in 0.059 seconds with 24 queries.
Helios Multi © Bloc
gfx
Powered by MySQL Powered by PHP Valid XHTML 1.0! Valid CSS!