DonationCoder.com Forum

Main Area and Open Discussion => Living Room => Topic started by: Ehtyar on March 30, 2009, 05:27 AM

Title: Conficker - The Facts
Post by: Ehtyar on March 30, 2009, 05:27 AM
Hi all.

Firstly, let me apologize for being so retarded as to have called this thing 'Conflicker' for the past month. I didn't find out I was wrong up until about two hours ago. I've only read about 50 news stories about it... Anyway...

Earlier today I finished watching Lesley Stahl's "freak out" on 60 Minutes (http://blogs.kansascity.com/tvbarn/2009/03/60-minutes-freaks-out-over-conficker-wheres-john-hodgman-when-you-need-him.html) and it struck me just how many times I'd read the same crap over the past month. I've decided that, to remedy the situation, at least amongst DonationCoder regulars, I will post this purely factual summary of the virus/trojan/worm/whatever Conficker. I am most certainly no Conficker expert, but I believe I can do a better job laying out the facts than much of the mass media, and I'll try to keep the tech talk down.

A huuuge thank you to SRI International (http://sri.com/) for publishing their superb analysis of Conficker (http://mtc.sri.com/Conficker) which has provided me with a couple of hours of very interesting reading. I highly recommend the more interested parties read it, it makes for a very enlightening read.

In September 2008, a vulnerability was disclosed (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx?info=EXLINK) in the Windows operating system that could allow an attacker to execute code on an unpatched machine with system level privileges. This vulnerability was soon plugged by Microsoft, and heavy press coverage meant that most people paying attention responded swiftly and updated their machines. Unfortunately, Microsoft does not permit pirated copies of Windows to be updated, leaving a large segment of the world's population perpetually vulnerable.

In November 2008, a virus making use of this vulnerability to infect unpatched machines began sweeping across the globe. This virus is known as Conficker, and is estimated to have infected anywhere between 10-15 million computers worldwide. Since November, Conficker has seen 2 significant upgrades made to its initial form, known as Conficker.B and Conficker.C respectively. This summary will focus on the capabilities of variant C as one can expect this form to be the most prevalent.

It is worth mentioning that Microsoft along with several other corporations have banded together to form what they're calling a "cabal" in unity against Conficker. They worked to thwart variants A and B and would have succeeded were it not for the C variant.

Conficker infects its potential host by issuing a specially crafted Remote Procedure Call over port 445/TCP, causing the host to execute code embedded in the call which leads to the infection of the machine with Conficker. It is also capable of spreading via USB mass storage devices.

Interestingly, Conficker ignores Ukrainian IP addresses thanks to an embedded database of IP address ranges and their geological locations. This is believed to be either a ploy to draw misguided attention to the Ukraine as the home of the virus writers, or a way of ensuring an apathetic response from the Ukrainian Government where Conficker is concerned.

When Conficker first infects a system, it follows the following process:
-Conficker first opens a random high-range port on any local firewall/router via UPNP. This port is used later on in the propagation process. It also retrieves the external IP address of its host from a variety of websites, which is also used in propagation.
-Conficker patches the vulnerability in Windows that allowed it to infect via an in-memory modification of the vulnerable service. The patch is made in such a manner that it will prevent viruses exploiting the same vulnerability from successfully infecting the host, but will permit newer Conficker variants to update the existing infection.
-Conficker makes further in-memory patches which are designed to prevent products which may threaten Conficker from retrieving updates from the internet by preventing specific domains from resolving. Conficker also attempts to disable any patches or anti-virus software it is aware of currently running on the host.
-Conficker will then proceed to make regular attempts to propagate across the internet or the local area network via the method described above.

In its current form, Conficker is not an especially great threat. The only particularly malicious behavior exhibited by Conficker is its attempt to terminate and block anti-virus like software. The part of Conficker that has everyone so concerned is its built-in update mechanism.

Conficker was designed to be easily modified by its authors. On April 1, Conficker C will make its first attempt to retrieve new instructions from its author. Conficker C searches for new instructions from its masters in the following fashion:
-Conficker C will generate a list of 50,000 domain names, comprised of random strings, based on certain factors common to all Conficker infections, to which one of a possible 116 TLDs will be appended. 500 of these will then be selected by Conficker to check for new instructions.
-Each domain will be contacted by Conficker. If it finds a Windows binary is available from one of the domains, it will download, validate, and execute the update package.
-This process will be repeated every 24 hours.

Conficker's update mechanism is extremely robust and well protected. It would seem its authors designed it specifically to be invulnerable to attempts by those other than themselves to make available an update that, say, shut Conficker down. I won't go into the specifics here, but you can read them from the third paragraph of "Implications of Variant C" here (http://mtc.sri.com/Conficker/addendumC/index.html).

It is a simple fact that there is indeed no telling what may become of Conficker thanks to this update mechanism, but I find it difficult to imagine an update bringing about the apocalypse as is predicted by many in the media. That said, I do advise everyone to keep their eyes peeled for any signs of Conficker on machines they maintain. I intend to keep this thread updated with news of any updates, should they be released, and I look forward to discussion.

Finally, please see this page (http://isc.sans.org/diary.html?storyid=5860) at the Internet Storm Center for a listing of removal tools and instructions.

Ehtyar.
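As an added example (not part of the post above, and not SRI's or the Conficker Working Group's code), here is a small DNS-log analysis that flags hosts whose lookups fit the rendezvous pattern described above: hundreds of random-looking names across many TLDs inside one day, most of which do not resolve. The log line format, the thresholds and the sample log are assumptions constructed for the example.

```python
"""Flag DNS clients whose daily query pattern looks like Conficker C's
domain-generation rendezvous (500 random names/day across up to 116 TLDs).
Log format, thresholds and sample data are constructed assumptions."""
import random
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed resolver log line (constructed for this example):
#   2009-04-01T10:15:02 client=10.0.0.7 qname=zqkvl.info rcode=NXDOMAIN
LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) qname=(?P<qname>\S+) rcode=(?P<rcode>\S+)$"
)

# Thresholds per client per calendar day (assumptions; a real deployment
# would tune them against its own baseline traffic).
MIN_DISTINCT_NAMES = 100   # DGA hosts try hundreds of names a day
MIN_DISTINCT_TLDS = 10     # spread over many TLDs, unlike normal browsing
MIN_NXDOMAIN_RATIO = 0.8   # almost every generated name is unregistered


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def registered_domain(qname):
    """Reduce a query name to its last two labels and its TLD, e.g. isc.sans.org -> (sans.org, org)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return qname.lower(), ""
    return ".".join(labels[-2:]), labels[-1]


def suspicious_hosts(lines):
    """Return the set of clients that exceed all three thresholds on at least one day."""
    per_day = defaultdict(list)  # (client, date) -> records
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_day[(rec["client"], rec["ts"].date())].append(rec)
    flagged = set()
    for (client, _day), recs in per_day.items():
        names, tlds, nxdomain = set(), set(), 0
        for r in recs:
            name, tld = registered_domain(r["qname"])
            names.add(name)
            tlds.add(tld)
            if r["rcode"] == "NXDOMAIN":
                nxdomain += 1
        if (len(names) >= MIN_DISTINCT_NAMES and len(tlds) >= MIN_DISTINCT_TLDS
                and nxdomain / len(recs) >= MIN_NXDOMAIN_RATIO):
            flagged.add(client)
    return flagged


def build_sample_log(seed=1):
    """Construct a synthetic log: one ordinary client and one DGA-like client."""
    rng = random.Random(seed)
    tlds = ["com", "net", "org", "info", "biz", "ws", "cc", "tv", "cn", "ru", "de", "uk"]
    base = datetime(2009, 4, 1, 0, 0, 0)
    lines = []
    # Ordinary client: a handful of real-looking names, all resolving.
    for i in range(40):
        name = rng.choice(["donationcoder.com", "sri.com", "isc.sans.org", "example.net"])
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts.isoformat()} client=10.0.0.5 qname={name} rcode=NOERROR")
    # DGA-like client: 500 random labels over many TLDs, ~99% NXDOMAIN, within one day.
    for i in range(500):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(5, 10)))
        ts = base + timedelta(seconds=120 * i)
        rcode = "NOERROR" if rng.random() < 0.01 else "NXDOMAIN"
        lines.append(f"{ts.isoformat()} client=10.0.0.7 "
                     f"qname={label}.{rng.choice(tlds)} rcode={rcode}")
    return lines


if __name__ == "__main__":
    print("suspicious clients:", sorted(suspicious_hosts(build_sample_log())))
```

The same three counters work over a real resolver or firewall DNS log once `LINE_RE` is adapted to its format; the p2p update channel mentioned later in the thread would not show up here, so a clean result is not proof of a clean host.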
Title: Re: Conficker - The Facts
Post by: mwb1100 on March 30, 2009, 09:19 AM
Thanks for this nice write-up.  WinPatrol's Bill Pytlovany has some blog articles (http://www.bitsfrombill.com/) that talk about Conficker and what might happen on March 31/April 1.  His latest article indicates that it's something people should take precautions against (though they are precautions that should be taken normally anyway) but that there probably won't be an Internet meltdown - though that seems a bit toned down from his previous couple of articles.

I've got UPnP turned off on my router and have made sure Win Update has been run along with the Malicious Software Removal tool.
Title: Re: Conficker - The Facts
Post by: Gothi[c] on March 30, 2009, 05:29 PM
http://www.eweek.com/c/a/Security/How-Much-is-Conficker-Really-Impacting-Enterprises-718842/
Title: Re: Conficker - The Facts
Post by: mouser on March 30, 2009, 06:01 PM
Also wanted to add my thanks for the thoughtful post Ehtyar.  :up:
From one of your links i came across this article which looks like fun technical reading: http://mtc.sri.com/Conficker/
Title: Re: Conficker - The Facts
Post by: Deozaan on March 30, 2009, 06:37 PM
I see removal instructions etc., but how would you even know if you've got the Conficker virus anyway?
Title: Re: Conficker - The Facts
Post by: cyberdiva on March 30, 2009, 06:56 PM
I see removal instructions etc., but how would you even know if you've got the Conficker virus anyway?
I've now read several blogs and an article in USA Today (http://blogs.usatoday.com/technologylive/2009/03/how-to-diagnose.html) that say you should try to log on to the Microsoft, Symantec, and McAfee websites.  If you can do that, you probably don't have Conficker.  The article goes on to explain:  "That’s because Conficker blocks you from reaching any web address that includes Microsoft, Symantec, McAfee, AVG, Kaspersky, Trend Micro, F-Secure, Panda, Sophos, SecureWorks or Sunbelt in the URL. It also blocks URLs that contain 103 other names and phrases that relate to security. You can see the full list by clicking to SRI International's report here (http://mtc.sri.com/Conficker/addendumC/) and scrolling down to the table listed under 'domain lookup prevention.'"

I'm hoping that info is right  :)
Title: Re: Conficker - The Facts
Post by: Ehtyar on March 30, 2009, 07:06 PM
http://www.eweek.com/c/a/Security/How-Much-is-Conficker-Really-Impacting-Enterprises-718842/
Well I'm glad someone is reporting some sense, though that article was apparently written before Variant C was released, and thus does not take into account the new p2p update distribution mechanism.
[edit]
After further reading it seems the article was published very recently, but completely ignored both the enhanced domain generation algorithm and p2p update mechanism of Variant C in their conclusion. I'm a fan of their lack of sensationalism, but their lack of accuracy makes for a misguided conclusion.
[/edit]

Also wanted to add my thanks for the thoughtful post Ehtyar.  :up:
From one of your links i came across this article which looks like fun technical reading: http://mtc.sri.com/Conficker/
That article is directly linked in my summary (3rd link). It is where much of the information in the summary was sourced from.

I'm hoping that info is right  :)
It is.

Ehtyar
Title: Re: Conficker - The Facts
Post by: lanux128 on March 30, 2009, 08:01 PM
i have a log file named "KB958644.log" to show that i had seemed to apply the patch some time back, so do i have to be worried about getting infected by the 'C' variant?
Title: Re: Conficker - The Facts
Post by: PhilB66 on March 30, 2009, 08:57 PM
Conficker Working Group's detection and repair tool list (http://www.confickerworkinggroup.org/wiki/pmwiki.php?n=ANY.RepairTools)


Windows Secrets Run a Conficker removal tool before April 1 (http://windowssecrets.com/2009/03/30/01-Run-a-removal-tool-before-April-1) article.

Title: Re: Conficker - The Facts
Post by: J-Mac on March 30, 2009, 10:52 PM
The Windows Secrets article that Phil linked to above mentions that most A-V sites and the MS Update site will not be reachable if a machine is infected with Conficker, but you can still get there via the IP addresses for those same sites. So it would be a good idea to get ahold of those IP addresses sometime ahead of 4/1.

Jim
Title: Re: Conficker - The Facts
Post by: Ehtyar on March 30, 2009, 11:14 PM
Nice links Phil.

i have a log file named "KB958644.log" to show that i had seemed to apply the patch some time back, so do i have to be worried about getting infected by the 'C' variant?
The patch will prevent installation of Conficker from over the internet. However, if you use a weak password you're still at risk of Conficker guessing it from another machine on your LAN.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: Ehtyar on March 30, 2009, 11:18 PM
The Windows Secrets article that Phil linked to above mentions that most A-V sites and the MS Update site will not be reachable if a machine is infected with Conficker, but you can still get there via the IP addresses for those same sites. So it would be a good idea to get ahold of those IP addresses sometime ahead of 4/1.

Jim
I'm happy to resolve the entire list and post it, but I can't find a complete list of what gets blocked. Anyone have one?

Ehtyar.
Title: Re: Conficker - The Facts
Post by: J-Mac on March 31, 2009, 12:50 AM
The Windows Secrets article that Phil linked to above mentions that most A-V sites and the MS Update site will not be reachable if a machine is infected with Conficker, but you can still get there via the IP addresses for those same sites. So it would be a good idea to get ahold of those IP addresses sometime ahead of 4/1.

Jim
I'm happy to resolve the entire list and post it, but I can't find a complete list of what gets blocked. Anyone have one?

Ehtyar.

Actually it blocks access to any URLs containing certain strings. Here is the list of strings that it blocks:

In its attempt to prevent access to security-related sites for information, help or software updates, the worm attempts to block running applications from accessing URLs containing any of the following strings:

avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
agnitum
ahnlab
anti-
antivir
arcabit
avast
avgate
avira
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
db networkassociates
defender
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
malware
mcafee
microsoft
mirage
mitre
msftncsi
msmvps
mtc.sri
nod32
norman
norton
onecare
panda
pctools
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate

The above list is from CA's page on Conficker, located here (http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976#section4).

Hope this helps.

Jim
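As an added example (not from the thread or from CA's advisory), here is a small Python check built on the substring list above: it tells you which hostnames an infected machine would refuse to resolve, and it classifies a set of reachability probes the way the "can you still reach microsoft.com?" test discussed in this thread does, by comparing blocked sites against control sites. Only a subset of the list is embedded, and the probe results are constructed rather than live.

```python
"""Predict which hostnames Conficker's DNS block list would affect, and
classify a reachability probe into blocked-vs-control outcomes.
The block-list subset is taken from the post above; probe data is constructed."""

# Subset of the strings posted above (CA advisory). The worm matches these as
# plain substrings of the URL, so "ca." catches www.ca.com but not canonical.com,
# while "avgate" is listed on its own because "avg." would not match it.
BLOCKED_SUBSTRINGS = [
    "avg.", "avp.", "ca.", "cert.", "kav.", "msdn.", "msft.", "nai.", "sans.",
    "anti-", "antivir", "avast", "avgate", "avira", "clamav", "comodo",
    "conficker", "defender", "eset", "f-secure", "kaspersky", "malware",
    "mcafee", "microsoft", "mtc.sri", "nod32", "norton", "onecare", "panda",
    "removal", "rootkit", "safety.live", "secureworks", "sophos", "spyware",
    "sunbelt", "symantec", "technet", "threat", "trendmicro", "trojan",
    "virus", "wilderssecurity", "windowsupdate",
]


def blocking_matches(hostname, blocklist=BLOCKED_SUBSTRINGS):
    """Return the block-list entries that occur in hostname (case-insensitive substring match)."""
    h = hostname.lower()
    return [s for s in blocklist if s in h]


def would_be_blocked(hostname, blocklist=BLOCKED_SUBSTRINGS):
    """True if an infected host would fail to resolve this hostname."""
    return bool(blocking_matches(hostname, blocklist))


def classify_probe(results, blocklist=BLOCKED_SUBSTRINGS):
    """Classify {hostname: reachable} results.

    Returns 'selective-blocking' when every control site works but no
    block-listed site does (the pattern Conficker's DnsQuery patch produces),
    'network-down' when nothing works, 'no-blocking' when everything works,
    and 'inconclusive' otherwise (including probes that lack one of the groups).
    """
    blocked = {h: ok for h, ok in results.items() if would_be_blocked(h, blocklist)}
    control = {h: ok for h, ok in results.items() if not would_be_blocked(h, blocklist)}
    if not blocked or not control:
        return "inconclusive"  # need both kinds of probe to draw any conclusion
    if all(control.values()) and not any(blocked.values()):
        return "selective-blocking"
    if not any(results.values()):
        return "network-down"
    if all(results.values()):
        return "no-blocking"
    return "inconclusive"


if __name__ == "__main__":
    # Constructed probe: what a user on an infected box would typically see.
    sample = {
        "www.microsoft.com": False,
        "www.symantec.com": False,
        "donationcoder.com": True,
        "www.example.org": True,
    }
    for host in sample:
        print(f"{host:22} blocked-by: {blocking_matches(host)}")
    print("verdict:", classify_probe(sample))
```

If the browser is sending its requests through a web proxy that does its own name resolution, the probe says nothing about the local machine; a clean "no-blocking" result on such a path is not evidence of a clean host.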
Title: Re: Conficker - The Facts
Post by: Ehtyar on March 31, 2009, 01:25 AM
C-R-A-P. Anyone have any suggestions on what to resolve? :S

As a universal solution what we want is a utility that will resolve domain names without using the Windows API. Dig and Host will both do it, but neither are particularly user-friendly.

Thanks J-Mac.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: f0dder on March 31, 2009, 01:28 AM
How does conficker block those URLs? Simply hooking the winsock DNS resolving functions, or setting the machine's DNS server?
Title: Re: Conficker - The Facts
Post by: nosh on March 31, 2009, 02:13 AM
From the Windows Secrets article linked above by PhilB66

Admins of small and large LANs can use OpenDNS as a Domain Name System server.
The firm introduced on Feb. 9 a new, Conficker-specific feature. If an infected PC on a LAN somehow evaded detection, OpenDNS will prevent it from contacting Conficker's control servers. Best of all, admins can read a report showing which PC tried to connect to a Conficker server.

It's nice to have a proactive DNS provider! :)

Edit: Direct link (http://download.eset.com/special/EConfickerRemover.exe) to the standalone ESET Conficker Removal tool. Just 119 KB and it tells you immediately if Conficker is found in memory.
Title: Re: Conficker - The Facts
Post by: Ehtyar on March 31, 2009, 05:50 AM
How does conficker block those URLs? Simply hooking the winsock DNS resolving functions, or setting the machine's DNS server?
Conficker patches DnsQuery() in memory.

From the Windows Secrets article linked above by PhilB66

Admins of small and large LANs can use OpenDNS as a Domain Name System server.
The firm introduced on Feb. 9 a new, Conficker-specific feature. If an infected PC on a LAN somehow evaded detection, OpenDNS will prevent it from contacting Conficker's control servers. Best of all, admins can read a report showing which PC tried to connect to a Conficker server.

It's nice to have a proactive DNS provider! :)
It will be interesting to see if that applies to the millions of domains potentially generated by Variant C. It also won't affect the p2p update mechanism...

Ehtyar.
Title: Re: Conficker - The Facts
Post by: gally on March 31, 2009, 07:14 PM
Here's a partial list assuming all are .com and not .net

windowsupdate.microsoft.com: 207.46.225.221
wilderssecurity.com: 65.175.38.194
trendmicro.com: 66.35.255.33
symantec.com: 206.204.52.31
sunbelt.com: 69.4.229.56
spamhaus.com: 24.28.193.9
sophos.com: 213.31.172.77
secureworks.com: 67.107.53.168
securecomputing.com: 66.45.10.76
safety.live.com: 65.55.240.12
prevx.com: 62.189.194.222
pctools.com: 67.192.81.184
panda.com: 206.124.149.114
onecare.com: 207.46.197.32
mcafee.com: 216.49.88.12
norton.com: 206.204.52.31
nod32.com: 72.3.254.86
kaspersky.com: 195.27.181.34
grisoft.com: 193.86.103.19
emsisoft.com: 80.237.191.14
comodo.com: 91.199.212.132
castlecops.com: 204.152.184.144
avast.com: 67.228.112.196
agnitum.com: 67.15.231.71
avg.com: 193.86.103.19
Title: Re: Conficker - The Facts
Post by: J-Mac on March 31, 2009, 10:17 PM
Wow! What a job, gally!

Thank you very much for that!

Jim
Title: Re: Conficker - The Facts
Post by: wreckedcarzz on March 31, 2009, 11:29 PM
Can someone here assure me that the computers I have are safe (at least to an extent)? I've reformatted 2 computers within the last 3 months, I really don't want to do it again...

Basics:
All computers running Spyware Terminator w/ ClamAV
All computers running Windows Firewall
All patches from Microsoft/Windows Update applied
All computers behind firewalled router w/ OpenDNS nameservers
My primary computer has DMZ enabled, but Windows Firewall enabled as well

Passwords:
My two computers have a dictionary word (although long) password
Dad's computer has a non-dictionary combination word
Home file server requires no password to access via the LAN (can't remember if it has a logon password or not, it does an automatic logon at boot)

What are the chances of any of my computers being infected? What else should I do to lockdown my home network so I don't catch hell if we end up getting this crap?

EDIT: The file server computer had no password assigned to my account (Administrator rights), fixed that...
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 01, 2009, 12:03 AM
The primary things you need to concern yourself with for infection prevention are:
-Update your Windows
-Use a strong administrative password
-Disable autorun

You might want to consider getting yourself a real-time virus scanner, ClamAV was originally designed for use on mail servers.

Not sure what you mean by having a computer with DMZ disabled. If you meant your router, then yes I would recommend not having a DMZ at all and using port forwarding where necessary.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: f0dder on April 01, 2009, 12:21 AM
DMZ = bad (come on, how bad is it to do manual port forwards?), dictionary password = bad.

Title: Re: Conficker - The Facts
Post by: gally on April 01, 2009, 12:26 AM
You're welcome Jim. ... I did find that some of those, even tho they are the sites' IPs, may not let you get there... some give an 'access denied' such as pctools and others automatically change to the written url, like norton, right after you use the ip to get there... working around in those sites will take a lot of copying and pasting ... symantec/norton won't let you (or maybe just me) use the ip in place of 'www.symantec.com' then '/some/rest/of/an/official/link' to get around in there.
Title: Re: Conficker - The Facts
Post by: f0dder on April 01, 2009, 12:32 AM
Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts files, but that file is probably used by DnsQuery() and thus the method is going to fail because Conficker's patching.
Title: Re: Conficker - The Facts
Post by: app103 on April 01, 2009, 12:38 AM
Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts files, but that file is probably used by DnsQuery() and thus the method is going to fail because Conficker's patching.

That is very true, but using a proxy like hidemyass.com (http://hidemyass.com/) would probably work, without the need of even trying the IP and using the actual URL that conficker is blocking. And yes, you can download removal tools through that proxy. I tested it.
Title: Re: Conficker - The Facts
Post by: f0dder on April 01, 2009, 12:41 AM
Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.
Title: Re: Conficker - The Facts
Post by: app103 on April 01, 2009, 12:54 AM
Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.

Wait, I connect to hidemyass.com and type in the url of my antivirus company and click the button. The proxy is using my DNS to find where that url is and not theirs? That just sounds weird, since the point to the proxy is to not connect to the url at all and let the proxy do it for you and forward the data to you.

Unless conficker is blocking your access to that particular proxy service, I don't see how or why it would fail to work.

Try it. Block access to download.eset.com in your hosts file, firewall or any other way you choose. Then put this url in the box at hidemyass.com and see if you get the file, paying close attention to where it says it is coming from: http://download.eset.com/special/EConfickerRemover.exe
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 01, 2009, 01:05 AM
Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts files, but that file is probably used by DnsQuery() and thus the method is going to fail because Conficker's patching.
Most of the big sites should work as they're on dedicated/load balanced boxes. For the smaller ones, you can use one of a number of methods to send a fake Host header (https://addons.mozilla.org/en-US/firefox/addon/967).

Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.
F0d Man, were you thinking of a proper proxy? App Lady is talking about a web proxy.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: f0dder on April 01, 2009, 01:40 AM
Sorry guys, I hadn't had enough morning coffee when I typed that post - I was thinking of a transparent proxy rather than one of those manual proxies :-[
Title: Re: Conficker - The Facts
Post by: J-Mac on April 01, 2009, 01:54 AM
Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts files, but that file is probably used by DnsQuery() and thus the method is going to fail because Conficker's patching.

That is very true, but using a proxy like hidemyass.com (http://hidemyass.com/) would probably work, without the need of even trying the IP and using the actual URL that conficker is blocking. And yes, you can download removal tools through that proxy. I tested it.

That's a great tip, app. Thank you!

Jim
Title: Re: Conficker - The Facts
Post by: iphigenie on April 01, 2009, 04:15 AM
But did I get this right - anyone with a legal copy of windows (and that includes people with a legal copy of windows which they installed on several machines, or multiple times on one machine for testing/development purposes) who runs regular updates, is protected by free software, so the only people not protected are the people with pirate copies who don't also have a paid/pirated/free copy of a virus scanner.

Those people really deserve what they get, no?
Title: Re: Conficker - The Facts
Post by: f0dder on April 01, 2009, 04:42 AM
The people pirating Windows generally use a WGA hack, so they get updates just fine.

How long was the infection window open before a patch was released?
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 01, 2009, 05:26 AM
But did I get this right - anyone with a legal copy of windows (and that includes people with a legal copy of windows which they installed on several machines, or multiple times on one machine for testing/development purposes) who runs regular updates, is protected by free software, so the only people not protected are the people with pirate copies who don't also have a paid/pirated/free copy of a virus scanner.
Incorrect. You can still be infected if using an easily guessed password or through using an infected USB memory stick. The update only protects you from infection over the internet.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: nite_monkey on April 01, 2009, 08:30 AM
Luckily for me, my computer hates autorun anyways. I believe it only worked for like the first week I had windows installed, and then it just randomly stopped working. Now I need to go home and put a password on my computer's accounts, because I am stupid and don't use passwords on the admin account or my user account because I am stupid... and lazy.
Title: Re: Conficker - The Facts
Post by: Stoic Joker on April 01, 2009, 09:26 AM
This is a classic example of why the 80/20 Rule of Information Security (http://securityresponse.symantec.com/avcenter/security/Content/security.articles/fundamentals.of.info.security.html) works. ...And throwing (away) mountains of cash on system resource hogging "Baby-Sitter" security applications doesn't.

I have never had to do a major cleanup on a network where A. (80/20) was enforced and B. (baby-Sitter) was ignored. Now, I'm not advocating that folks run without AV, I'm just pointing to an all too commonly repeating pattern where most (if not all) of this could have been avoided if people just took a few minutes outa their day to do something that's completely free.
Title: Re: Conficker - The Facts
Post by: Edvard on April 01, 2009, 10:21 AM
So, it's April 1st...

Anything happening? (no reports in the news yet)

 :tellme: :tellme:
Title: Re: Conficker - The Facts
Post by: mwb1100 on April 01, 2009, 11:13 AM
So, it's April 1st...

Anything happening? (no reports in the news yet)

 :tellme: :tellme:

I heard an ABC News radio report that they put an unprotected machine on Internet, and it got probed and compromised within a few minutes.  To be honest, I'm not sure how different that might be from any other day on the Internet.

I'm sure that having a NAT router between you and the 'net would go a long way toward preventing the problem (though does having UPNP enabled on the router change that? - It came enabled by default on my most recent router.)


Title: Re: Conficker - The Facts
Post by: mwb1100 on April 01, 2009, 11:16 AM
post deleted...
Title: Re: Conficker - The Facts
Post by: Lashiec on April 01, 2009, 12:36 PM
So, it's April 1st...

Anything happening? (no reports in the news yet)

Yeah, but at some point you can't tell if it's another joke or the real thing. What a date to choose to activate the worm... So far, everything seems all right, did not see any report other than Conficker becoming "self-aware".

What bothers me is that browsing the Internet today is a major pain in the ass, because everything is loading much slower than normal. What's more, I've been trying to download a podcast during the last two hours, achieving some staggering download rates (2 KB per second), and the cablemodem took like 5 minutes to connect to the ISP this morning. I assume the Net is crumbling under the Conficker hammering, or perhaps it's just a particular problem with my provider.
Title: Re: Conficker - The Facts
Post by: Edvard on April 01, 2009, 12:43 PM
I haven't experienced any noticeable delays, so it must be your ISP.
 :huh:
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 01, 2009, 02:28 PM
I'm sure that having a NAT router between you and the 'net would go a long way toward preventing the problem (though does having UPNP enabled on the router change that? - It came enabled by default on my most recent router.)
Disabling UPNP is to prevent Conficker from spreading from your network only.

I'm surprised at the number of people who expected the skies to fall and the seas boil today. Wasn't my original post about that not happening? Anyway, just be sure to keep your current protections in place and be prepared for the update to occur sometime soon. If you ask me, an awful lot of work has gone into Conficker for its authors to forget about it now.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: Edvard on April 01, 2009, 02:44 PM
While I certainly was not expecting doomsday, I was wondering if something was happening.

So far, it's done nothing but wake up and start resolving DNS's just like they said it would.

I'm with you Ehtyar, it's put together too well to turn out to be nothing. But what it will do, I am very interested in.
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 01, 2009, 02:59 PM
Indeed!! I spent far too much time yesterday watching news updates in case there was news. I'd very much like to know what Conficker will morph into when its authors decide to get their act together, though I'm not surprised nothing happened yet, far too much media attention at the moment.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: 40hz on April 01, 2009, 06:20 PM
The people pirating Windows generally use a WGA hack, so they get updates just fine.

That, or they just use any one of a number of freebie offline-WSUS apps you can find on the web. With these, they just grab all the updates off Microsoft's website and burn them to a DVD for use on multiple machines.

I'm 110% legal with everything (MS Partners don't dare screw around with that) but I still do all my MS updating via offline utilities.
 8)
Title: Re: Conficker - The Facts
Post by: app103 on April 02, 2009, 03:30 PM
Found this amusing little "eye chart" on friendfeed, for detecting if you are infected with Conficker:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

While it's not 100% foolproof detection, it would work in a lot of cases, providing you aren't using certain types of proxies.
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 02, 2009, 06:53 PM
Why is it not foolproof? IMO that's a much easier way for users to detect Conficker than attempting to download a tool from a site that Conficker blocks.

I nearly hit the roof at work this morning when we got an email from the higher-ups about Conficker, suggesting that if you believe you're infected you download a cleaning utility from Microsoft or Symantec, both of which are blocked by Conficker. Would common sense not tell you to have users check for infection by attempting to access, say, microsoft.com and then if they have issues, provide a URL that Conficker doesn't block from which to download your removal tool. What the hell is wrong with these people?

Ehtyar.

[edit]
Now that my ranting impulse has been satisfied, thanks for the link App :)
[/edit]
Title: Re: Conficker - The Facts
Post by: Stoic Joker on April 03, 2009, 07:25 AM
Why is it not foolproof? IMO that's a much easier way for users to detect Conficker than attempting to download a tool from a site that Conficker blocks.

I nearly hit the roof at work this morning when we got an email from the higher-ups about Conficker, suggesting that if you believe you're infected you download a cleaning utility from Microsoft or Symantec, both of which are blocked by Conficker. Would common sense not tell you to have users check for infection by attempting to access, say, microsoft.com and then if they have issues, provide a URL that Conficker doesn't block from which to download your removal tool. What the hell is wrong with these people?

Ehtyar.

You think that's bad...? ...Symantec had a big banner on their main page yesterday morning that said "Not sure if you're infected with the April 1st bug? For more information click here".

What more information?!? ... (I'm guessing lame sales pitch/I never checked) ... How about just saying "If you can read this you are ok."? It would make more sense, now wouldn't it?
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 03, 2009, 03:00 PM
Yeah, so true. My boss was on McAfee for whatever reason yesterday, and they were doing exactly the same thing. It's always such a disappointment when companies take advantage of consumers' ignorance like that.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 05, 2009, 07:02 AM
I found this just now and thought it might be useful. It is a scanner, written by Team White Hat (Dan Kaminsky's crew) in python that should detect Conficker-infected machines.

The scanner can be downloaded as an independent package that can be run without python:
http://iv.cs.uni-bonn.de/uploads/media/scs_exe.zip
Simply extract the package and run 'scs <start-ip> <end-ip>' to scan an entire IP range, or 'scs <ip-list-file>' to scan a text file containing a list of IPs to scan. You can also run 'scanner <ip>' to scan a single IP address.
If you're handy with python you can download the source script (it requires the Impacket lib):
http://iv.cs.uni-bonn.de/uploads/media/scs.zip
More info is available at:
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Hope these help out in some way.

Ehtyar.
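The scanner linked above takes either a start/end IP pair or a text file of addresses. The following is an added example (not part of the scs package or Team White Hat's code) that builds such a target list in Python: it expands an inclusive IPv4 range with the standard `ipaddress` module and parses a one-address-per-line file, rejecting malformed entries and duplicates instead of passing them to the scanner. The sample list and the `*.example`-style TEST-NET addresses are constructed for the demo.

```python
"""Build a target list for an IP-range scanner from the two input forms the
post describes: a start/end IPv4 pair, or a text file of addresses.
Added example; the scs tool itself is assumed to consume the resulting list."""
import ipaddress
from typing import List, Tuple


def expand_range(start: str, end: str) -> List[str]:
    """Return every IPv4 address from start to end inclusive, ascending.

    Raises ValueError for non-IPv4 input or a start that lies after the end,
    so a mistyped range fails loudly instead of silently scanning nothing.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"start {start} is after end {end}")
    # summarize_address_range yields the minimal set of networks covering the
    # span; iterating them in order gives the addresses ascending.
    return [str(addr)
            for net in ipaddress.summarize_address_range(first, last)
            for addr in net]


def parse_ip_list(text: str) -> Tuple[List[str], List[str]]:
    """Parse a one-address-per-line list; return (targets, rejected).

    Blank lines and '#' comments are skipped, duplicates are dropped while
    keeping first-seen order, and anything that is not a plain IPv4 address
    is reported in `rejected` rather than handed to the scanner.
    """
    seen = set()
    targets: List[str] = []
    rejected: List[str] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        try:
            addr = str(ipaddress.IPv4Address(line))
        except ipaddress.AddressValueError:
            rejected.append(line)
            continue
        if addr not in seen:
            seen.add(addr)
            targets.append(addr)
    return targets, rejected


# Constructed sample file contents (TEST-NET-1 addresses, not real hosts).
SAMPLE_LIST = """# workstation subnet, constructed for the example
192.0.2.10
192.0.2.11   # file server
192.0.2.10
198.51.100.300
not-an-ip
"""


if __name__ == "__main__":
    print("range:", expand_range("192.0.2.1", "192.0.2.5"))
    good, bad = parse_ip_list(SAMPLE_LIST)
    print("targets:", good)
    print("rejected:", bad)
```

The rejected list is worth printing rather than discarding: a scan that quietly skips a typo'd address reports the host as "not infected" only because it was never probed.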
Title: Re: Conficker - The Facts
Post by: Shook on April 05, 2009, 05:17 PM
I just can't help wondering if anything actually happened at the time/date where people were all "OH SNAP WE'RE GOING TO BE BLASTED BY CONFICKER"? I mean, in my everyday, I've literally seen nothing regarding this Conficker, and the Danish news are usually eager to pounce on any major (bad) news outside Denmark, especially one like this of such potential magnitude. (Say that 10 times fast >.>)
The most I've seen of it is sporadic threads on forums here and there, but nothing about if anything actually happened. People do say that bad things will happen, but so far, I've seen... Well, nothing. Personally, I'm starting to doubt the existence of this virus. Am I totally alone in this?
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 06, 2009, 07:01 AM
You mean you're doubting it will be updated...right? Not sure how you could convince yourself it doesn't exist at all...

Ehtyar.
Title: Re: Conficker - The Facts
Post by: Shook on April 07, 2009, 05:07 AM
More like, is anything actually going to happen? Because if it really is real, I'm surprised at how well it has hidden itself from the Danish news. As mentioned earlier, they're like a gorilla on a banana when it comes to bad news of such a scale. (I mean, this should at least merit the same level of attention as an airplane crash in the USA, considering how widespread it supposedly is.)
I guess I'm just a skeptic, but I find it very suspicious when it's set to go off on April 1st, or rather, the end of it.
But before I start sounding offensive, let me rephrase my question: Has anyone here been affected by Conficker yet? I'd like some proof of its existence, as I'm one of those annoying "proof or it didn't happen" kind of guys.
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 08, 2009, 10:39 PM
I'm not sure I understand exactly what kind of "proof" you need that's not already out there. Are you under the impression that the analysis of Conficker linked in the first post was made up?

Ehtyar.
Title: Re: Conficker - The Facts
Post by: Shook on April 09, 2009, 06:16 AM
Oh no, absolutely not. It's probably just me being bad at expressing myself. It's just that in my experience, the internet isn't always reliable when it comes to telling true stories. (Though it should be mentioned that DC is the nicest bunch o' people I've met on the internet, by far.)
Just disregard my previous questions, doesn't matter anyhow. But thank you for... Uhm... Darn, can't find the words, but thanks. :)
Title: Re: Conficker - The Facts
Post by: TheQwerty on April 09, 2009, 06:55 AM
Well it looks like it may have started to update to a new variant:
http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix/
https://forums2.symantec.com/t5/Malicious-Code/Downadup-Waledac/ba-p/393454#A260
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 09, 2009, 07:14 AM
Indeed. CNET has slightly more information here (http://news.cnet.com/8301-1009_3-10215678-83.html), but the lack of available information is pretty staggering really. Once I learn more I'll post an update.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: TheQwerty on April 09, 2009, 07:32 AM
It's a curious time to release the update, well assuming it's from the same people and not from someone else who has created a way to exploit Conficker itself.

The last two variants took about a month from their "activation" dates to be updated, this one is within 8 days.  I'm betting they've already reached the maximum infections and unless they refocus on infecting rather than updating, those numbers will continue to decline, so it makes sense to release the update sooner.

However, I'd think waiting just one more day would have been more beneficial with the Christian holiday and people having/taking off work.  It raises an interesting question of which spreads faster the actual updates or the news about the updates?
Title: Re: Conficker - The Facts
Post by: lanux128 on April 09, 2009, 07:51 AM
I've only just come across a PC which was infected with Conficker and managed to disinfect it with Kaspersky's KKiller and apply the patch from Microsoft. So the threat is out there; forewarned is forearmed..

Title: Re: Conficker - The Facts
Post by: app103 on April 09, 2009, 08:11 AM
Why is it not foolproof? IMO that's a much easier way for users to detect Conficker than attempting to download a tool from a site that Conficker blocks.

The reason why it isn't foolproof is there are some cases where it would fail to give correct results and you may see the images and still be infected.

Example: You might be using a proxy where the images are fetched from your ISP's cache, as would be the case if you are using something like AOL's TopSpeed service where all connections go through their proxy and they cache image files from sites that people visit and compress them to make them a smaller file size. It would be retrieved from the ISP's cache server rather than from the site hosting them if the cache already has the file. And it's based on image file URL and not IP, so no matter if Conficker is blocking the site or not, it comes from the cache which isn't blocked and doesn't know the image should be blocked from the user.

I am not sure, but I think Google also has a similar service and there is a plugin for both Firefox and IE (and it may be built into Chrome too), where the images are not compressed like AOL does, but they are served from Google's image cache (same one used for google's image searches). I am not sure if it works the same way as AOL's does, but it's possible that it too can cause a false negative on that Conficker Eye Test site.


BTW: Yes, it does make for much faster page load times and uses much less bandwidth for both the user and AOL, but that cache is an abomination that destroys art and causes all sorts of issues with images when the original site changes the image but it's not updated in the ISP's cache yet. In any AOL browser since v5 (released in the late 90's), it is turned on by default, and most people don't know it and don't know to turn it off. And it's not just dialup people that use it any more...a lot of broadband users are using it too.
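The eye chart works by differential reachability: images hosted on security-vendor sites the worm blocks are loaded next to images from sites it does not block, and the pattern of failures is what matters. The block below is an added example (not the Conficker Working Group's code) that turns that reasoning, plus the caching-proxy false negative app103 describes above, into an explicit verdict. Probe results are constructed inline so it runs offline; the `*.example` host names are placeholders, and `looks_cached` is a heuristic of my own over standard HTTP headers (`Via`, `X-Cache`, `Age`) that a real checker would apply to the responses it actually receives.

```python
"""Differential reachability check in the spirit of the Conficker eye chart.
Added example. `classify` decides from probe results; `looks_cached` flags
responses that came from an intermediary cache rather than the origin, which
can make a blocked site appear reachable."""
from dataclasses import dataclass
from typing import Dict, Iterable, List


@dataclass
class Probe:
    host: str
    group: str            # "security": vendor site the worm blocks; "control": not blocked
    loaded: bool          # did the image arrive?
    cached: bool = False  # served by a proxy/ISP cache instead of the origin site


def looks_cached(headers: Dict[str, str]) -> bool:
    """Heuristic (assumption, not the eye chart's own logic): treat a response
    as cache-served if it carries a Via header, an X-Cache hit, or a non-zero
    Age. A cache hit never touched the origin, so it says nothing about whether
    the origin is reachable from this machine."""
    h = {k.lower(): v for k, v in headers.items()}
    if "via" in h:
        return True
    if "hit" in h.get("x-cache", "").lower():
        return True
    try:
        return int(h.get("age", "0").strip() or 0) > 0
    except ValueError:
        return False


def classify(probes: Iterable[Probe]) -> str:
    """Return one of: no-connectivity, inconclusive, likely-clean, suspicious, partial.

    The control group is what makes this a test rather than a guess: a
    security-site failure only means something if unrelated sites still load.
    """
    plist: List[Probe] = list(probes)
    security = [p for p in plist if p.group == "security"]
    control = [p for p in plist if p.group == "control"]
    if not security or not control:
        raise ValueError("need at least one security and one control probe")
    if not any(p.loaded for p in control):
        return "no-connectivity"   # even the controls failed; nothing can be concluded
    if any(p.cached for p in security if p.loaded):
        return "inconclusive"      # a cached vendor image bypasses the block (false negative)
    if all(p.loaded for p in security):
        return "likely-clean"
    if not any(p.loaded for p in security):
        return "suspicious"        # controls load, every vendor site fails: the blocking pattern
    return "partial"               # mixed results: retest, or check the failing hosts another way


# Constructed probe sets for the demo; host names are placeholders.
CLEAN = [Probe("vendor-a.example", "security", True),
         Probe("vendor-b.example", "security", True),
         Probe("control.example", "control", True)]
BLOCKED = [Probe("vendor-a.example", "security", False),
           Probe("vendor-b.example", "security", False),
           Probe("control.example", "control", True)]
OFFLINE = [Probe("vendor-a.example", "security", False),
           Probe("control.example", "control", False)]
VIA_CACHE = [Probe("vendor-a.example", "security", True, cached=True),
             Probe("control.example", "control", True)]


if __name__ == "__main__":
    for name, probes in [("clean", CLEAN), ("blocked", BLOCKED),
                         ("offline", OFFLINE), ("via_cache", VIA_CACHE)]:
        print(f"{name}: {classify(probes)}")
```

The "inconclusive" branch is the point of the post above: a proxy that answers from its own cache never contacted the vendor's server, so a loaded image proves nothing about whether that server is reachable from the host under test.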
Title: Re: Conficker - The Facts
Post by: bob99 on April 09, 2009, 09:52 AM
Are both of these links working for everyone else?

PhilB66 – Posted on 03/30/09
Conficker Working Group's detection and repair tool list http://www.confickerworkinggroup.org/wiki/pmwiki.php?n=ANY.RepairTools

app103 – Posted on 04/02/09
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

I am getting timeouts / "...cannot display web page".
Could be my security software/settings... trying to determine.
Thought I would confirm the links were valid first.

Thanks,

Title: Re: Conficker - The Facts
Post by: Gothi[c] on April 09, 2009, 08:21 PM
I am getting timeouts / "...cannot display web page".
Could be my security software/settings... trying to determine.
Thought I would confirm the links were valid first.
They work for me.
Title: Re: Conficker - The Facts
Post by: lanux128 on April 09, 2009, 08:42 PM
I am getting timeouts / "...cannot display web page".
Could be my security software/settings... trying to determine.
Thought I would confirm the links were valid first.

that itself might be a sign of Conficker infection.. the fastest way to check for infection is to get Sysinternals' "Process Explorer" and try to run it on your PC. Conficker would shut it down immediately, though it allows Windows' Task Manager.
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 10, 2009, 05:05 PM
I am getting timeouts / "...cannot display web page".
Could be my security software/settings... trying to determine.
Thought I would confirm the links were valid first.

that itself might be a sign of Conficker infection.. the fastest way to check for infection is to get Sysinternals' "Process Explorer" and try to run it on your PC. Conficker would shut it down immediately, though it allows Windows' Task Manager.
Of course if you're infected, you won't be able to get to Microsoft.com...

Ehtyar.
Title: Re: Conficker - The Facts
Post by: PhilB66 on April 10, 2009, 08:26 PM
Conficker is also downloading a fake antivirus named SpywareProtect2009. More @ http://www.viruslist.com/en/weblog?weblogid=208187666
Title: Re: Conficker - The Facts
Post by: Ehtyar on April 10, 2009, 10:34 PM
Indeed. This part I don't quite understand though. It seems like a poor choice of avenues to make money, and for anyone on their toes it completely reveals the infection. I expected them to try spamming or something.

Ehtyar.
Title: Re: Conficker - The Facts
Post by: bob99 on April 12, 2009, 11:28 AM

Thanks for the suggestions of ways to check.
I am able to run SysInternals' Process Explorer and go to Microsoft.  So it must be the internet security package I'm running on this.  I have experienced the same thing happening, time outs & web page not loading, with other sites at times.  I probably need to change back to the previous IS package I was using and currently running on a different computer.

bob99