The Conficker Worm: April Fool's Joke or Unthinkable Disaster?
By John Markoff
Update | 3:57 p.m. Added links to malware removal tools.
The Conficker worm is scheduled to activate on April 1, and the unanswered question is: Will it prove to be the world's biggest April Fool's joke or is it the information age equivalent of Herman Kahn's legendary 1962 treatise about nuclear war, "Thinking About the Unthinkable"?
Conficker is a program that is spread by exploiting several weaknesses in Microsoft's Windows operating system. Various versions of the software have spread widely around the globe since October, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)
An estimated 12 million or more machines have been infected. However, many have also been disinfected, so a precise census is difficult to obtain.
It is possible to detect and remove Conficker using commercial antivirus tools offered by many companies. However, the most recent version of the program has a significantly improved capacity to remove commercial antivirus software and to turn off Microsoft's security update service. It can also block communications with Web services provided by security companies to update their products. It even systematically opens holes in firewalls in an effort to improve its communication with other infected computers.
Given the sophisticated nature of the worm, the question remains: What is the purpose of Conficker, which could possibly become the world's most powerful parallel computer on April 1? That is when the worm will generate 50,000 domain names and systematically try to communicate with each one. The authors then only need to register one of the domain names in order to take control of the millions of zombie computers that have been created.
Speculation about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. One likely possibility is that the program will be used in the "rent-a-computer-crook" business, something that has been tried previously by the computer underground. Just like Amazon.com offers computing time on its network for rent, the Conficker team might rent access to its "network" for nefarious purposes like spamming.
The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode.
According to a research addendum to be added Thursday to an earlier paper by researchers at SRI International, in the Conficker C version of the program, the infected computers can act both as clients and servers and share files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling so-called super-nodes.
Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible.
Or perhaps the Conficker botnet's masters have something more Machiavellian in mind. One researcher, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the idea of a "Dark Google." What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers? Malware already does this on a focused basis using a variety of schemes that are referred to as "spear phishing," in a reference to the widespread use of social engineering tricks on the Net.
But to do something like that on a huge scale? That would be a dragnet — and a genuine horror story.
http://bits.blogs.nytimes.com/2009/03/19/the-conficker-worm-april-fools-joke-or-unthinkable-disaster/
I certainly hope this is an April Fools joke.
Here are some questions and answers that might help:
Questions and Answers: Conficker and April 1st Posted by Mikko @ 14:32 GMT
Conficker and Downadup
Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
A: No, not really.
Q: Seriously, the Conficker worm is going to do something bad on April 1st, right?
A: The Conficker aka Downadup worm is going to change its operation a bit, but that's unlikely to cause anything visible on April 1st.
Q: So, what will it do on April 1st?
A: So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing.
Q: The latest version? There are different versions out there?
A: Yes, and the latest version is not the most common. Most of the infected machines are infected with the B variant, which became widespread in early January. With B variant, nothing happens on April 1st.
Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st?
A: No.
Q: I'm running a Mac, is something going to happen to me?
A: No.
Q: So... this means that the attackers could use this download channel to run any program on all the machines?
A: On all the machines that are infected with the latest version of the worm, yes.
Q: But what's this peer-to-peer functionality I've heard about?
A: The worm has some peer-to-peer functionality which means that infected computers can communicate with each other without the need for a server. This enables the worm to update itself without the need for any of the 250 or 50,000 domains.
Q: But doesn't that mean that if the bad guys wanted to run something on those machines, they don't need to wait for April 1st?
A: Yes! Which is another reason why it's unlikely anything major will happen on April 1st.
Q: Is there going to be media hype?
A: Oh yes. Like there always is when a widespread worm has a date trigger. Think cases like Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).
Q: But in those cases nothing much happened even though everybody expected something to happen!
A: Exactly.
Q: So, should I keep my PC shut down on April 1st?
A: No. You should make sure it's clean before April 1st.
Q: Can I change the date on my machine to protect me?
A: No. While the worm uses the local system time for certain parts of its update functionality it doesn't exclusively rely on that.
Q: I'm confused. How can you know beforehand that there will be a global virus attack on April 1st? There must be a conspiracy here!
A: Yes, you're confused. There is not going to be a "global virus attack". The machines that are already infected might do something new on April 1st. We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do.
Q: Would the downloaded program execute with admin privileges?
A: Yes, with local admin rights. Which is pretty bad.
Q: And they could download that program not just on April 1st but also on any day after that?
A: Correct. So there's no reason why they wouldn't do it on, say, April 5th instead of April 1st.
Q: Ok, they could run any program. To do what?
A: We don't know what they are planning to do, if anything. Of course, they could steal your data, send spam, do DDoS, et cetera. But we don't know.
Q: They? Who are they? Who's behind this worm?
A: We don't know that either. But they seem to be pretty professional in what they do.
Q: Professional? Is it true that Conficker is using the MD6 hash algorithm?
A: Yes. This was probably one of the first real-world cases where this new algorithm was used.
Q: Why can't you just infect a PC, set the clock to April 1st and see what happens?
A: That's not the way it works. The worm connects to certain websites to get the time-of-day.
Q: Oh yeah? Then shut down the websites where it gets the time-of-day and the problem will go away!
A: Can't. These are websites like google.com, yahoo.com and facebook.com.
Q: But surely you could spoof google.com in the lab to get a honeypot machine to connect to a download site today!
A: Sure. And the download sites do not have anything to download, today. They might, on April 1st. Or they might not.
Q: Now I'm worried. How do I know if I'm infected?
A: Try to surf to www.f-secure.com. If you can't reach our website you might be infected, as Downadup/Conficker blocks access to security vendors' websites. Don't tell anybody, but users who can't access f-secure.com because of this can surf to www.fsecure.com instead.
Q: Where does the name "Conficker" come from?
A: Conficker is an anagram of sorts from trafficconverter – a website to which the first variant was connecting.
Q: Why does the worm have two names – Downadup and Conficker?
A: It was found at about the same time by multiple security companies and therefore got multiple names. Today most companies use the name Conficker. There's further confusion about the variant letters among vendors. We're all sorry for that.
Q: How many computers are currently infected by Downadup/Conficker?
A: About 1-2 million. How many of those are infected with the latest version? We don't have an exact count.
Q: How is the industry reacting to all this?
A: We reacted by setting up the Conficker Working Group. Members include security vendors (including us), registrars, research units and so on.
Q: I want more technical details on the worm.
A: Sure. Here's our description, and here's SRI's excellent writeup.
Q: When was the first variant of Downadup/Conficker discovered?
A: It was found on November 20, 2008.
Q: More than four months ago? I want a time line on what happened when.
A: Byron Acohido has one.
Q: Is this all just an April Fools joke?
A: No, it's not. And although we don't think anything will happen on this particular date, Conficker is nothing to laugh about. The gang behind this is serious and we should not underestimate them. The fact that we don't know for real what they are really after just makes it all a bigger mystery.
Q: Is F-Secure able to detect and block this malware?
A: Yes.
Q: Do you have a cleaning tool available?
A: Yes, and it's free. Click here to get it.
Q: Are you going to follow this through?
A: Yes. Stay tuned for updates.
http://www.f-secure.com/weblog/archives/00001636.html
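The "can you reach a security vendor's site?" check from the Q&A above, turned into a small differential test. This is an added example, not F-Secure's tool or anything from the original post; it assumes a plain TCP connect to port 80 is a fair stand-in for "surfing to" the site, and uses www.google.com (named in the Q&A as a site the worm itself contacts) as the control host so that a dead network is not mistaken for a blocked vendor.

```python
"""Differential reachability check for the Conficker symptom described
in the Q&A: vendor sites unreachable while other sites still work.

Added example (not F-Secure's tool). Assumption: a TCP connect to
port 80 approximates 'surfing to' the site.
"""
import socket
from typing import Dict, Iterable

# Sites the Q&A and the thread say the worm blocks access to.
VENDOR_HOSTS = ("www.f-secure.com", "www.symantec.com", "www.microsoft.com")
# Control host: the Q&A says the worm itself talks to google.com, so it is
# not blocked. Used to separate "vendors blocked" from "network is down".
CONTROL_HOSTS = ("www.google.com",)


def probe(host: str, port: int = 80, timeout: float = 3.0) -> bool:
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(results: Dict[str, bool],
             vendors: Iterable[str] = VENDOR_HOSTS,
             controls: Iterable[str] = CONTROL_HOSTS) -> str:
    """Interpret a host -> reachable map.

    'no-block-seen' : at least one vendor site reachable (symptom absent)
    'inconclusive'  : no control host reachable (network problem, not
                      diagnostic either way)
    'suspicious'    : controls reachable but every vendor site blocked
    """
    vendor_ok = any(results.get(h, False) for h in vendors)
    control_ok = any(results.get(h, False) for h in controls)
    if vendor_ok:
        return "no-block-seen"
    if not control_ok:
        return "inconclusive"
    return "suspicious"


def run_check() -> str:
    """Probe every host (needs network access) and classify the outcome."""
    results = {h: probe(h) for h in (*VENDOR_HOSTS, *CONTROL_HOSTS)}
    return classify(results)


if __name__ == "__main__":
    print(run_check())
```

A "suspicious" result is only a symptom, as the Q&A says: confirm with an up-to-date scanner rather than treating it as proof of infection.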
:rant: :rant: :rant: :rant: :rant:
My life has been hell for the last few days because of this crap.
People who do this should be hung by the testicles from a tree above a fire ant nest.
How about people of the non-testicular persuasion?
Quote from: Ma and Pa on March 31, 2009, 11:41:42 AM
How about people of the non-testicular persuasion?
Give em the man called horse treatment!
Quote from: Ma and Pa on March 31, 2009, 11:41:42 AM
How about people of the non-testicular persuasion?
Oh, yeah! Please excuse me. I wrote that in a moment of passion.
Please feel free to substitute an appropriate part of the anatomy.
But the punishment must involve fire ants. :biggrin:
Quote from: Bo D on March 31, 2009, 11:45:19 AM
Ouch!
That'd teach them to pierce those puppies! :icon_twisted:
How about combine the treatments. The MCH treatment along with a bag of fire ants strapped to each leg.... :icon_twisted:
Quote from: me on March 31, 2009, 11:48:24 AM
How about combine the treatments. The MCH treatment along with a bag of fire ants strapped to each leg.... :icon_twisted:
Ooooohhh! I LIKE the way you think! :icon_twisted:
On the news they said to beware of people offering a tool or a fix for this virus. The hackers themselves are doing this too.
They said to try and log in to www.microsoft.com, www.symantec.com or www.macaffee.com directly. If you can't get logged on to them then you might have the virus.
Check the spelling on my links; I guessed at macaffee and symantec.
I wonder if me might have some Apache blood in her veins? Either that or a Hell of a mean streak!
Quote from: Ma and Pa on March 31, 2009, 12:05:41 PM
I wonder if me might have some Apache blood in her veins? Either that or a Hell of a mean streak!
My better half is part Native American and I've been studying... :biggrin:
Quote from: Bo D on March 31, 2009, 12:00:06 PM
Ooooohhh! I LIKE the way you think! :icon_twisted:
When it comes to something like this I can be rather vicious... :yes:
This just in ....
Conficker Researchers Counter April 1 Update With Detection Scan
"Just a few days before the elusive Conficker worm embarks on its latest evolution April 1, security researchers found a way to positively identify machines infected by the seemingly invincible cyber worm.
Preceding the anticipated April 1 Conficker evolution, a SANS Institute report indicated that researchers involved in the German Honeynet Project found an anomaly in Conficker that makes it possible to detect the malware on infected hosts with a sophisticated fingerprint scan, giving security administrators an accessible and easy-to-use tool to help combat the sophisticated botnet.
The Honeynet Project already released a breakthrough proof of concept scanner and starting mid-Monday, signatures will be available from several network scanning programs, including McAfee's Foundstone Enterprise, Tenable Network Security's Nessus, and open source Nmap, along with products from Qualys -- all of which will be freely available to the public."
More here ......
http://www.crn.com/security/216401818
So. . .anybody here get Confickered?
I didn't thank goodness.
i have been completely unconfickerated.... :yes:
don't stutter when you say that Henry LOL No Conficker here either, or at least not yet.
;D
Quote from: mcgonser on April 02, 2009, 02:16:33 PM
don't stutter when you say that Henry LOL No Conficker here either, or at least not yet.
"Yet." And that is the problem. Unless you are absolutely sure your virus definitions are up to date, and unless you are absolutely sure your Windows is fully patched and updated... the worm could be silently lurking on your hard drive waiting for the word from mother.
Have you checked your Windows Update History lately? Have any updates failed?
Does your antivirus software REALLY protect against this worm?
:spooked:
Quote from: Bo D on April 02, 2009, 03:51:42 PM
"Yet." And that is the problem. Unless you are absolutely sure your virus definitions are up to date, and unless you are absolutely sure your Windows is fully patched and updated... the worm could be silently lurking on your hard drive waiting for the word from mother.
Have you checked your Windows Update History lately? Have any updates failed?
Does your antivirus software REALLY protect against this worm?
:spooked:
I am half sure. I have a pc and a MAC! :biggrin:
Bo D: I am going to call you doubting Thomas, you always interject that doubting quality. Like most of these viruses, I doubt if we will know for sure until they go active. We just have to hope and pray I guess.
Quote from: mcgonser on April 02, 2009, 04:16:37 PM
Bo D: I am going to call you doubting Thomas, you always interject that doubting quality. Like most of these viruses, I doubt if we will know for sure until they go active. We just have to hope and pray I guess.
Call me what you want. I have spent the past week managing a team of 20 techs running all over creation to make sure our clients are protected. And I have had to do much of the hands-on work myself.
As an MCSE with Security Certification, I do know more than a little about this.
But if you don't care, just ignore my attempts to help. But remember this if your computer suddenly becomes one of the bots.
:rolleyes:
Quote from: Palehorse on April 02, 2009, 04:05:32 PM
I am half sure. I have a pc and a MAC! :biggrin:
Here goes Doubting Thomas again!!!!
http://www.macfixit.com/article.php?story=2009033108432353
Warning: "Conficker" worm may affect some Mac users
..........
Still "half sure?"
:biggrin: :biggrin: :biggrin: :biggrin:
Quote from: Bo D on April 02, 2009, 04:37:00 PM
Here goes Doubting Thomas again!!!!
http://www.macfixit.com/article.php?story=2009033108432353
Warning: "Conficker" worm may affect some Mac users
..........
Still "half sure?"
:biggrin: :biggrin: :biggrin: :biggrin:
Yup. . . I got protection!
Rut roo... I might have spoken too soon. I started to open up IE, which I seldom use, and neither it nor Netscape is on my desktop for some reason. I opened up Windows Update, which opened up in IE, but it didn't look right. :-\
Well, I ran that F-secure thing and McAfee updated and scanned earlier today and nothing was found so maybe it's just a fluke.
Analysis: Confounding Conficker—Symptoms And Solutions
"We knew it was only a matter of time—a client on the Test Center Lab's threat network became infected with W32.Downadup, aka Conficker.
We were happy about it, however, as it gave us a chance to witness firsthand the behavior of the malware on a client and to test one of the many Conficker-removal tools being offered.
It's tricky to diagnose 100 percent that a machine has been infected with Conficker, but the afflicted machine was displaying some classic symptoms of the latest variant: "
Read more here: http://www.crn.com/security/216500248
Thanks for the update on this.