Full Version: Conficker Information
Terryala
Tools to remove Conficker

A number of antivirus software vendors, including Symantec, F-Secure and BitDefender, are now offering a dedicated tool to remove the Conficker worm. The programs do not require installation of any anti-virus solution. Since the programs are small they can also be run from a USB drive on an infected system. McAfee does not offer a dedicated tool, however, their Avert Stinger stand-alone utility can detect some versions of the Conficker worm.

Unfortunately not all of the anti-virus manufacturers confirm and detail which versions of the Conficker worm their program removes, nor do they guarantee that it will be completely eliminated. Generally, if users are not able to restore from a backup of their system, or perform a complete system restore, these tools should work to remove the Conficker worm and help close any back doors that may have been left open by it. In principle, an infected machine is compromised and users can never be completely sure that the infection was eliminated.

http://www.h-online.com/security/Tools-to-...r--/news/112845
TheSentinel
Heise Online UK reports about a few removal tools from vendors to fight Conficker. The offers are from vendors like Symantec, F-Secure and Bitdefender. Other offers are not known right now, at the time of posting this information.

More details to read:
http://www.heise.de/english/newsticker/news/134694


Terryala
Busted! Conficker's tell-tale heart uncovered

QUOTE
Researchers find Conficker cure, just in time

By Dan Goodin in San Francisco •

Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines that is easy to detect using a variety of off-the-shelf network scanners.

The finding means that, for the first time, administrators around the world have easy-to-use tools to positively identify machines on their networks that are contaminated by the worm. As of mid-Monday, signatures will be available for at least half a dozen network scanning programs, including the open-source Nmap, McAfee's Foundstone Enterprise and Nessus, made by Tenable Network Security.

Up to now there were only two ways to detect Conficker, and neither was easy. One was to monitor outbound connections for each computer on a network, an effort that had already proved difficult for organizations with machines that count into the hundreds of thousands or millions. With the advent of the Conficker C variant, traffic monitoring became a fruitless endeavour because the malware has been programmed to remain dormant until April 1.

The only other method for identifying Conficker-infected computers was to individually scan each one, another measure that placed onerous requirements on admins.

The discovery of Conficker's tell-tale heart two days before activation may prove to be an ace up the sleeve of the white hat security world.


CONTINUED:

http://www.theregister.co.uk/2009/03/30/co...ture_discovery/
Terryala
Conficker Work Group - RepairTools

QUOTE
Introduction

The following list contains the sanctioned repair and detection tools that are supported and given out by the appropriate and direct vendors of the tools. Note that if you cannot get to one or more of these, you might be infected with Conficker or any of the many other malicious programs out there. Try another; at the time of this writing, not all of these are blocked by Conficker, and any of them will work.

"Custodian of the Tools"

The Internet Storm Center/DSHIELD has stepped forward to keep track of all the tools. The list below is a copy from that list, hosted here:

http://www.dshield.org/diary.html?storyid=5860

Tools List

AhnLab
BitDefender
ESET
Kaspersky
F-Secure Malware Removal Tool
McAfee
Microsoft Malicious Software Removal Tool
Sophos
Symantec FixDownadup.exe Notes
TrendMicro


http://www.confickerworkinggroup.org/wiki/...ANY.RepairTools
Terryala
Freeloaders are taking advantage of Conficker scare

According to reports by several anti-virus vendors, the fear of Conficker has brought the first freeloaders to the scene. The cyber criminals try to sell alleged removal tools for the Conficker worm. According to F-Secure, a Google or other search engine query for Conficker removal tools will quickly produce dubious offers that promise a lot and deliver nothing – or even infect the PC with malware themselves. The freeloaders generally belong to the scareware developer crowd. They create programs which try to scare users into buying ineffective anti-virus software by displaying false virus alerts on PCs.

There is no need for users to do a Google search, however, because functioning and virus-free Conficker removal tools can be downloaded free of charge directly from the sites of several anti-virus vendors. Among the vendors offering such programs are Sophos, Symantec, F-Secure, Kaspersky and BitDefender.

Talking about tools: After Felix Leder and Tillmann Werner at Bonn University published their Conficker scanning tool which can be used for remote detection of infected systems, several commercial vendors have produced their own scanners based on the Bonn research. The current version (4.85BETA5) of nmap supports the search for computers that are infected with Conficker. The line nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d ip-adresse is reported to run the test.

Tenable has added a "Conficker Detection" plug-in to Nessus. Security firm Qualys recently extended its online service to include Conficker detection. Vendor nCircle also offers a Conficker scanner for networks.

http://www.h-online.com/security/Freeloade...e--/news/112974
TheSentinel
QUOTE
Detecting Conficker
Mon, 03/30/2009 - 12:09 — tillmann.werner

As you know, bad things are going to happen on April 1st: people will be sending out emails to their friends, telling silly jokes and putting MTAs under a higher load. Besides that (but not quite that bad), Conficker will activate its domain name generation routine to contact command-and-control servers. We have been researching this piece of malware recently, with a focus on how to detect Conficker-infected machines. Felix and I had a discussion with Dan Kaminsky about the possibilities to actively detect Conficker and wrote a scanner for this task. Our proof-of-concept code is publicly available and can be downloaded from here.

More to read:
http://www.heise.de/security/Deutsche-Fors.../meldung/135434
http://honeynet.org/node/388
TheSentinel
QUOTE
March 31st, 2009

Are you ready for Conficker?

Posted by Christopher Dawson @ 11:09 am

So tomorrow is April 1st and the sky will be falling shortly. We all know that the 4 forms of the Conficker worm are out there, ready to do something tomorrow that will probably be a pain in the butt at best and seriously disruptive at worst.

Hopefully, for most of us in Ed Tech, this will be a non-issue. Any Windows computers patched after October 2008 should have the necessary tools to detect Conficker, most of us run more AV than the average home user and many sit behind a firewall with some sort of gateway anti-malware. A reasonable Mac and Linux presence in education doesn’t hurt anything either, since these machines won’t have a problem with the worm.

We do have a couple of vulnerabilities that many businesses don’t, however. Too often, when it comes down to keeping aging computers and network equipment running, we overlook regular maintenance and patching, particularly on those computers that sit relatively hidden in classrooms or tucked into nooks by resourceful teachers.

Secondly, students and teachers bring laptops and portable drives back and forth from home (generally far less secure environments) very frequently and Conficker has been transmitted via USB drives. While some schools and universities have significant security in place around personal laptops, funding can certainly be an issue in getting comprehensive measures in place.

More to read:
http://education.zdnet.com/?p=2332
TheSentinel
QUOTE
March 30th, 2009

The "no bull" guide to Conficker

Posted by Adrian Kingsley-Hughes @ 3:53 pm

I usually have a pretty good idea of how widespread a particular piece of malware is by the number of incidents of infection (or reports of infection) that I come across. But when it comes to the Conficker worm (aka Downadup or Kido), I get the feeling that while there’s a lot of hype surrounding this latest bit of malware, actual infections are much lower than some would want you to believe. However, over the past few days the number of enquiries I’m getting in relation to Conficker has skyrocketed, so to try to answer people’s questions, and calm people’s fears, I’ve put together a quick “no bull” guide to Conficker.

Some antivirus companies love to hype malware because it’s a great way to sell security products. While Conficker isn’t new (it’s been around since November last year), the April 1st trigger date gives security firms the opportunity to ratchet up the hype a couple of more notches (and help drive concerned users straight into the hands of cybercriminals). However, it’s important to note that it’s unclear right now as to what will happen come the trigger date. However, what is clear is that you will need to be infected to be at risk of anything happening at all.

More:
http://blogs.zdnet.com/hardware/?p=4053
Terryala
Simple Conficker test for end users

Joe Stewart of SecureWorks has developed a simple test which reveals at a glance whether or not a system has been infected with one of the wide-spread versions of Conficker. The H now offers our own version of this test page.


If certain images are missing on the test page as shown, the system is likely to be infected.

Once a Conficker infection is suspected on a system, the anti-virus software installed on that system can no longer be trusted. The malware terminates a number of security mechanisms and prevents the start of certain programs. The new test is based on the fact that Conficker blocks access to various security and anti-virus pages. It includes a page that shows images of normal and of blocked sites. If only the images of the AV vendors are missing, there is a high likelihood that the computer has been infected with Conficker – or with another type of malware that behaves in a similar way.

Affected systems should, at the least, be treated with one of the Conficker removal tools. With this in mind, users are advised not to blindly follow the first link that comes up but look for a trustworthy vendor instead (see: Freeloaders are taking advantage of Conficker scare).

Users should also be aware that the test has several limitations. Conficker infiltrates dnsapi.dll and filters accesses by blocking DNS queries there. This, however, does not affect systems that involve a proxy. As a result, the test is not suitable for environments like corporate networks, where a network scanner capable of detecting Conficker should be used instead.

Another problem is that the original version Conficker.A doesn't block DNS queries, which makes it impossible for the test page to reveal version A infections. However Conficker.A is less common than its successors Conficker.B & C.

Felix Leder and Tillmann Werner, the authors of the honeynet paper analysing Conficker, also put up a test page that uses the fact that Conficker blocks DNS requests. They use CSS style sheets to diagnose infections with Conficker B/C.

Rather embarrassingly, the Conficker Working Group adopted Stewart's original test without pointing out that it doesn't detect Conficker.A. Instead, users are presented with the misleading message: "Not Infected by Conficker." One would think that an organisation which includes both Microsoft and all the major AV vendors would check its tests before releasing them.

See also:
Conficker test (English version) at heise Security

(djwm)
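The decision logic behind the "missing images" test described above, as an added example that is not the code of The H's, SecureWorks' or the Bonn test page: a page loads images from a few ordinary sites and a few security-vendor sites, records which ones fail, and treats "only the vendor images failed" as the Conficker.B/C DNS-blocking pattern. The image URLs are constructed placeholders, and the classifier carries the two caveats the text gives (Conficker.A does not block DNS; a proxy bypasses the dnsapi.dll filter), so an all-clear is reported as "not detected" rather than "not infected".

```javascript
// Added example (not the original test pages' code): eye-chart style
// Conficker detection. Conficker.B/C filter DNS lookups for security-vendor
// domains inside dnsapi.dll, so on an infected machine the vendor images fail
// while ordinary images load. The URLs are constructed placeholders.

const CONTROL_IMAGES = [
  'https://control-site-1.example/logo.png',
  'https://control-site-2.example/logo.png',
];
const AV_VENDOR_IMAGES = [
  'https://av-vendor-1.example/logo.png',
  'https://av-vendor-2.example/logo.png',
  'https://av-vendor-3.example/logo.png',
];

// results: { [url]: true (loaded) | false (failed) }
function classifyChart(results, controlUrls = CONTROL_IMAGES, avUrls = AV_VENDOR_IMAGES) {
  const loaded = (urls) => urls.filter((u) => results[u] === true).length;
  const controlOk = loaded(controlUrls);
  const avOk = loaded(avUrls);

  if (controlOk === 0) {
    // Nothing loads: no connectivity, so the chart says nothing about infection.
    return { verdict: 'inconclusive',
             reason: 'control images did not load; no connectivity or all images blocked' };
  }
  if (avOk === 0) {
    // Ordinary sites reachable, every security-vendor site blocked: the pattern
    // the test relies on (Conficker.B/C, or other malware that blocks the same way).
    return { verdict: 'likely-infected',
             reason: 'only security-vendor images failed; consistent with Conficker.B/C DNS blocking' };
  }
  if (avOk < avUrls.length) {
    // Partial failure: could be a transient error or an incomplete blocklist.
    return { verdict: 'suspicious',
             reason: `${avUrls.length - avOk} of ${avUrls.length} vendor images failed; verify with a network scanner` };
  }
  // Everything loads. This does NOT rule out Conficker.A (no DNS blocking) and is
  // meaningless behind a proxy, which resolves names on the client's behalf.
  return { verdict: 'not-detected',
           reason: 'no DNS blocking observed; Conficker.A and proxied networks are not covered' };
}

// Browser side: create one <img> per URL, record load/error, then classify.
// The DNS lookup triggered by setting img.src is what the test actually exercises.
function runChart(doc, onDone, controlUrls = CONTROL_IMAGES, avUrls = AV_VENDOR_IMAGES) {
  const urls = controlUrls.concat(avUrls);
  const results = {};
  let pending = urls.length;
  const finish = () => {
    if (--pending === 0) onDone(classifyChart(results, controlUrls, avUrls), results);
  };
  for (const url of urls) {
    const img = doc.createElement('img');
    img.onload = () => { results[url] = true; finish(); };
    img.onerror = () => { results[url] = false; finish(); };
    img.src = url;
    doc.body.appendChild(img);
  }
}

// Only run the DOM part when loaded in a browser.
if (typeof document !== 'undefined') {
  runChart(document, (verdict) => console.log(verdict.verdict, verdict.reason));
}
```

The vendor and control lists are deliberately separate so that a machine with no network at all is reported as inconclusive instead of infected; a real chart would use the vendors' own image URLs, as the test pages linked in the thread do.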
TheSentinel
QUOTE
Conficker: So what's the moral of the story?

Why despite the hype, the worm still matters
By Elinor Mills

Published: 3 April 2009 08:59 BST

1 April has come and gone and in the minds of many people the Conficker worm turned out to be a joke instead of the major internet security event that might have been envisioned. Was the hype good, or bad, and who is to blame?

"I'm not sure what to think," said Bruce Schneier, chief security technology officer at BT. "In a sense, the whole Conficker thing just puts a name on a general problem."

The problem is that there are tons of malicious programs and attacks out there on the internet every day and people don't do enough to protect their computers, experts say. People need to be vigilant in patching their systems and updating their antivirus and other security software all the time, and not just when there is a virus outbreak. This isn't new at all.

More to read:
http://software.silicon.com/malware/0,3800...39415809,00.htm
Terryala
The H Security Conficker information site

On this page you will find all of the important information about the Conficker worm, including how to detect it and to guard against it. Note that some manufacturers call Conficker either Kido or Downadup.

MORE HERE:

http://www.h-online.com/security/The-H-Sec...features/113002
Terryala
Conficker copycat prowls for victims, says Microsoft

QUOTE
Four-year-old Neeris worm copies Conficker's attack strategies
By Gregg Keizer

April 5, 2009 (Computerworld) An old, but little-known worm has copied some of the infection strategies of Conficker, the worm that raised a ruckus last week, Microsoft security researchers said late Friday.

Neeris, which harks to May 2005, is now exploiting the same Windows bug that Conficker put to good use, and is spreading through flash drives, another Conficker characteristic, said Ziv Mador and Aaron Putnam, researchers with the Microsoft Malware Protection Center.

According to Mador and Putnam, Neeris' makers recently added an exploit for the MS08-067 vulnerability that Microsoft patched last October. The emergency update -- one of the rare times Microsoft has issued a patch outside its usual monthly schedule -- fixed a flaw in the Windows Server service, which is used for file- and print-sharing by Windows PCs.

Conficker, the worm that began using a new communications scheme to receive commands from its hacker controllers last Wednesday, exploited the same MS08-067 vulnerability to devastating effect in late 2008 and early 2009. During January, for instance, Conficker infected millions of machines, many of them by exploiting MS08-067.


CONTINUED:

http://www.computerworld.com/action/articl...ticleId=9131139
TheSentinel
The German IT magazine called Heise has launched a website together with H Security with detailed information about Conficker. At this website you'll find nearly all information which is available till now. It contains the latest status about that worm, which vendors have launched removal tools and some more info.

Heise and H Security info about Conficker

Terryala
Conficker wakes up, updates via P2P, drops payload

QUOTE
by Elinor Mills

The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.

Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.

Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.

"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.

Last night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.

"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"

In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.

The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.

Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1.

Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.

The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.


http://news.cnet.com/8301-1009_3-10215678-...g=2547-1_3-0-20

MORE HERE:

TrendLabs Malware Blog

http://blog.trendmicro.com/downadconficker...ant-in-the-mix/
Terryala
Fake "Conficker Infection Alert" spam campaign circulating

QUOTE
Posted by Dancho Danchev

Researchers at Marshal8e6’s TRACElabs have intercepted a spam campaign that’s issuing bogus “Conficker Infection Alerts” and redirecting users to rogue security software upon clicking on the links.

The event-based social engineering campaign is also impersonating various Microsoft security departments in order to improve its truthfulness. This is the second attempt in recent weeks to hijack anticipated traffic, following last week’s campaign consisting of typosquatted conficker removal tool domains aiming to impersonate the legitimate ones.

Here’s the message, its associated subjects and related rogue security software domains used in the spam campaign:


“Dear Microsoft Customer,

Starting 04/01/2009 the ‘Conficker’ worm began infecting Microsoft customers unusually rapidly. Microsoft has been advised by your Internet provider that your network is infected.

To counteract further spread we advise removing the infection using an antispyware program. We are supplying all effected Windows Users with a free system scan in order to clean any files infected by the virus.

Please visit the Windows Computer Safety Center by simply clicking here to start the scan. The process takes under a minute and will prevent your files from being compromised. We appreciate your prompt cooperation.

Regards,
Microsoft Windows Agent #2 (Hollis)
Microsoft Windows Computer Safety Division
Email Ref Code: RANDOM NUMBER”


CONTINUED:

http://blogs.zdnet.com/security/?p=3105
Terryala
Conficker cashes in, installs spam bots and scareware

QUOTE
Year's biggest threat finally reveals moneymaking model
By Gregg Keizer

April 9, 2009 (Computerworld) The makers of Conficker, the worm that has infected millions of PCs, have begun to do what all botnet owners do -- make money -- security researchers said today as they started analyzing the malware's newest variant.

Conficker.e, as the update has been dubbed, began downloading and installing on previously infected PCs at midnight London time, said Kevin Hogan, director of security response operations at Symantec Corp.

In several ways, the new Conficker is a lot like the original version of the worm, which appeared in November 2008. "At first blush, it looked like the Conficker.a variant," said Hogan. "But this is actually new in that it rejumbled existing code from previous versions."

It also downloads several new malicious files to the infected system that reveal how Conficker's handlers intend to profit from their collection of compromised computers, Hogan said.

According to Symantec, Conficker.e is downloading and installing Waledac, a noted bot that has been on the upswing for several months. Waledac is perhaps best known as the successor to the infamous Storm bot of 2008; researchers unanimously believe that its makers are from the same group that ran Storm last year. Like Storm, Waledac bots -- the PCs that are infected with the Trojan horse -- are rented out to spammers.

"Two things come to mind," said Hogan, referring to the Conficker.e-Waledac connection. "The people responsible for Waledac could be from the same group as Conficker, or they may be directly associated with the Conficker people. Or the people behind Conficker have sold the use of their botnet to Waledac, who in turn are in the spam business."


CONTINUED:

http://www.computerworld.com/action/articl...ticleId=9131380
Terryala
Conficker Shows Its Colors, Installs Rogue Anti-virus

QUOTE
Erik Larkin

Apr 10, 2009 12:30 pm

We knew it would try to make a buck somehow, but until now Conficker hasn't done much beyond spread and update. That changed yesterday, when the worm began installing a rogue antivirus app called SpywareProtect2009 on infected machines.

A Kaspersky researcher reports that the worm began using its peer-to-peer functionality yesterday to pull down new files, including updates and the fake security program. The fake app goes with the usual scareware tactics of identifying threats on the computer (ironically true in this case) and offering to clean the PC for $49.95.

The scareware tactic makes big money for online scammers, and I've talked to some experts who guessed Conficker might take this step. In addition to the scareware download, Conficker is also pulling down an update for a .E variant that will once again allow the worm to spread using a Microsoft vulnerability (MS08-067), and will also attempt to stop more existing programs and block attempts to reach additional domains (see the full list of messed-with processes and domains from Sophos).

The new update also adds an interesting new self-destruct mechanism to automatically delete itself after May 3rd, 2009. A Microsoft Malware Protection Center blog post has a good list of the new .E variant changes, and the Today @ PC World blog lists some new clues that might point to its creators.

If you see a scareware pop-up or other indicator on your PC, it's important to know whether it's from a relatively harmless visit to a Web site, or whether it 's from an existing malware infection like Conficker. This story can help you tell which is which. And for a quick and easy way to tell if you're infected with Conficker, use the Conficker Working Group's Eye Chart.


http://www.pcworld.com/article/162936/conf...tml?tk=rss_news
TheSentinel
QUOTE
Additional information on this

The neverending story

Aleks April 09, 2009 | 13:18 GMT

Last night the Kido (aka Conficker/ Downadup) botnet kicked into action – what everyone’s been on the lookout for since 1st April.

The computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files.

This latest Kido variant - Net-Worm.Win32.Kido.js - is very different to previous ones, with two notable points: once again it’s a worm, and it’s only functional until 3rd May. We’re still digging into the files, and we’ll post updates.

Kido doesn’t only download updates for itself; it’s the other files it downloads which really make the story interesting.

One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also tried to download fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.

The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com and spywareprotector-2009.com.

More to read:
http://www.viruslist.com/en/weblog?weblogid=208187654
Terryala
Is the Conficker worm showing its hand?

People have been speculating, waiting and prognosticating, but until now the extremely cleverly programmed Conficker worm has limited itself to mainly defensive measures, such as opening various communications channels (Conficker.C can set up peer-to-peer networks with other infected systems) in order to transform itself with downloaded code, and to actively combating anti-virus software and security analysis tools. Even on 1 April, the known date on which Conficker.C would be looking for updates, virtually nothing happened. Now however, money is involved: computers infected with the Conficker worm are downloading the scareware program "SpywareProtect2009".


Is this what Conficker is spreading?


Swindlers are earning a lot of money with scareware products like "Antivirus 2009", "Malwarecore", "WinDefender", "WinSpywareProtect", "XPDefender" and yes, "SpywareProtect2009". These scareware scams run a small injected program that alarms users by constantly displaying pop-up messages warning that their PCs are infected. Non-expert users can be persuaded to pay money for these bogus anti-virus products, typically bearing familiar-sounding names. In the best case, they've lost their money but nothing more. Worst case, the software they've bought actually loads malware on to the PC that may well transform it into a bot, a conduit for spam. Over a brief period late last year, for example, Microsoft removed scareware from almost a million Windows PCs with its Malicious Software Removal Tool (MSRT). More information is given in The H article Thieves and Charlatans - Rogue Anti-virus Products.

An analysis by Kaspersky Labs says the infected zombies use their peer-to-peer structures to exchange the Conficker update as well as the address of servers in the Ukraine from which they then download and install "SpywareProtect2009". This then of course "discovers" a variety of threats, and asks users to pay $49.95 (Visa or Mastercard accepted) to get them removed. The Ukraine has already played a role: Conficker.A contained a suicide switch that was triggered whenever the worm discovered that a Ukrainian keyboard was in use.

Felix Leder and Tillmann Werner, both of Bonn University, recently made news by demystifying the Conficker worm, and Leder now reports that the new Conficker variant is blocking further domains, among them the Bonn University server with the Conficker test. This has therefore been provisionally relocated.

http://www.h-online.com/security/Is-the-Co...d--/news/113054
TheSentinel
Symantec offers detailed information about this malware at one of their websites:
QUOTE
Worried about Conficker? A few simple steps can protect you.

Target: All users of Windows XP and Windows Vista.

If you reached this web site, your computer is not infected. If you are running an up-to-date version of a Norton security solution – you are not infected.

The Conficker worm is no longer spreading quickly. On April 1st the worm took steps to protect itself. Since then we have seen signs that the worm may be spreading new malicious code between already infected machines.

More to read:
http://www.symantec.com/norton/theme.jsp?t..._conficker_worm
Terryala
Containing Conficker

QUOTE
Tools and Infos

Felix Leder and Tillmann Werner

The following page contains the tools and analysis results described in our "Know your Enemy" paper "Containing Conficker - To Tame a Malware". The paper is published by the Honeynet Project and can be downloaded here: https://www.honeynet.org/papers/conficker

All tools are to be considered proofs of concept. Even though most of them run stably, they are not meant for use in production. They do not come with any warranty. All tools are available including source code and are licensed under the GPL.

If you enjoy our tools...we enjoy feedback. Just send us an E-mail. You can also send us an E-mail if you have improved the code or have a question.


CONTINUED:

http://iv.cs.uni-bonn.de/wg/cs/application...ning-conficker/
Amherstclane
The German IT magazine called Heise has launched a website together with H Security with detailed information about Conficker.
At this website you'll find nearly all information which is available till now. It contains the latest status about that worm, which vendors have launched removal tools and some more info.
TheSentinel
Hello Amherstclane

First: Welcome at GSF.
Second: You're referring to news which had already been published here on Mar 13 2009, 07:06 PM (see top of this thread)

Regards
BU