Conficker Continues

The BBC has an article on Conficker, the virus that everyone seemed to think passed us by on April 1st.

The Conficker worm has started to update infected machines with a mystery package of data.

Computer security firms watching the malicious program noticed that it sprang into life late on 8 April.

The activity on its update system delivered encrypted software to compromised machines. It is not yet clear what the payload contains.

The Conficker virus variants are thought to be present on millions of PCs around the world.

Spam connection

The updating activity has begun about a week later than expected. Analysis of the “C” variant of Conficker (aka Downadup) revealed that its updating mechanism was due to go live on 1 April.

The belated updates were spotted by researchers for Trend Micro following the arrival of a new file in one of the directories in so-called “honeypot” machines deliberately seeded with Conficker C.

Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate.

In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the C variant. Exact figures for the number of Conficker-infected machines are hard to determine, but the minimum is widely believed to be three million.

“The Conficker/Downad P2P communications is now running in full swing,” wrote Ivan Macalintal from Trend Research on the company’s security blog.

Once it arrives on a machine, the package of data randomly checks one of five different websites – MySpace, MSN, eBay, CNN and AOL – to ensure its host still has net access and to confirm the current time and date.

Following this check the data package removes all traces of its installation.

The strong encryption on the payload has, so far, prevented detailed analysis of what it actually does. However, security experts speculate that it is a “rootkit” that will bury itself deep in Windows in order to steal saleable data such as bank website login details.

Security researchers are continuing to analyse the payload to get a better idea of what it is intended to do.

Symantec said it too had noticed the increased activity of Conficker and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.

The security firm noticed that the update also included an instruction to the worm to remove itself on 3 May 2009. However, the Waledac-imposed backdoor on the machine will remain open, so its creators can still control compromised PCs.

Conficker Arrives

Is it time to buy those boxes of ammo and head for the hills? We’ll see.

This Wednesday, April 1st the Conficker worm will do something. No one knows what. But it has security experts up late. It is believed that at one point Conficker was on 6% of the world’s PCs. This has been reduced dramatically by the work of Microsoft in issuing special patches for the worm. But hundreds of thousands of PCs are still estimated to be infected.

Early this month, Symantec’s security researchers began noticing that the worm was changing in order to avoid steps to interrupt the worm’s links with its hacker controllers. The first versions of the worm generated a list of 250 possible domains each day that could be used to route instructions from hackers. The new edition uses a list of 50,000 URLs in order to overwhelm security researchers.
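The rendezvous scheme described above (hundreds or tens of thousands of candidate domains computed each day, of which the controllers register only a handful) has a defender-visible side effect: an infected host issues bursts of lookups for random-looking names that mostly fail to resolve. The following is an added example, not code from the original post or from any security vendor, showing one way to flag such hosts in resolver logs. The log format (`timestamp client query rcode`), the sample lines, the thresholds, and the simple "second-to-last label" rule for picking the part of the name to score are all assumptions for the illustration.

```python
"""Flag hosts whose DNS behaviour resembles a domain-generation algorithm (DGA).

Added illustration, not the original post's code. The heuristic: a client that
sends many queries, most of which come back NXDOMAIN, for names whose labels
look random (high character entropy), is worth a closer look. Thresholds and
log format are assumptions chosen for this example.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (hypothetical format: timestamp client qname rcode).
# 10.0.0.5 browses normally, 10.0.0.7 behaves like a DGA-driven host
# (one connectivity check followed by a burst of unresolvable random names),
# 10.0.0.9 just mistyped two domain names.
SAMPLE_LOG = """\
2009-04-01T08:00:01 10.0.0.5 www.bbc.co.uk NOERROR
2009-04-01T08:00:04 10.0.0.5 mail.example.com NOERROR
2009-04-01T08:00:09 10.0.0.5 update.microsoft.com NOERROR
2009-04-01T08:00:15 10.0.0.5 www.cnn.com NOERROR
2009-04-01T08:00:21 10.0.0.5 www.ebay.com NOERROR
2009-04-01T08:00:30 10.0.0.5 static.example.net NOERROR
2009-04-01T08:01:00 10.0.0.7 www.msn.com NOERROR
2009-04-01T08:01:01 10.0.0.7 qxzvkpawm.org NXDOMAIN
2009-04-01T08:01:01 10.0.0.7 bdyfrutoe.net NXDOMAIN
2009-04-01T08:01:02 10.0.0.7 hjlnscgik.biz NXDOMAIN
2009-04-01T08:01:02 10.0.0.7 mpvwqazkd.info NXDOMAIN
2009-04-01T08:01:03 10.0.0.7 tyrhnufeb.org NXDOMAIN
2009-04-01T08:01:03 10.0.0.7 xlqozvgia.com NXDOMAIN
2009-04-01T08:01:04 10.0.0.7 ckwsdmrpu.net NXDOMAIN
2009-04-01T08:02:10 10.0.0.9 gogle.com NXDOMAIN
2009-04-01T08:02:12 10.0.0.9 facebok.com NXDOMAIN
"""


def parse_log(text):
    """Return (client, qname, rcode) tuples; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, qname, rcode = parts
        records.append((client, qname.lower().rstrip("."), rcode.upper()))
    return records


def shannon_entropy(s):
    """Bits of entropy per character of the string (0.0 for empty or uniform input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def second_level_label(qname):
    """Label to score: the one left of the TLD (simplification; ignores co.uk-style suffixes)."""
    labels = qname.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def host_stats(records):
    """Per-client query count, NXDOMAIN count, and entropy of each unresolved name."""
    stats = defaultdict(lambda: {"total": 0, "nxdomain": 0, "nx_entropies": []})
    for client, qname, rcode in records:
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
            s["nx_entropies"].append(shannon_entropy(second_level_label(qname)))
    return dict(stats)


def flag_dga_hosts(records, min_queries=5, nx_ratio=0.6, entropy_threshold=3.0):
    """Clients that are busy, mostly failing, and asking for random-looking names.

    min_queries keeps a couple of typos (like 10.0.0.9) from raising an alert.
    """
    flagged = []
    for client, s in sorted(host_stats(records).items()):
        if s["total"] < min_queries or not s["nx_entropies"]:
            continue
        if s["nxdomain"] / s["total"] < nx_ratio:
            continue
        mean_entropy = sum(s["nx_entropies"]) / len(s["nx_entropies"])
        if mean_entropy >= entropy_threshold:
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, s in sorted(host_stats(recs).items()):
        print(f"{client}: {s['total']} queries, {s['nxdomain']} NXDOMAIN")
    print("suspect DGA hosts:", flag_dga_hosts(recs))
```

On the sample log only 10.0.0.7 is reported. The entropy check exists because NXDOMAIN volume alone also catches misconfigured hosts and typos; in a real deployment the thresholds need tuning against your own resolver's baseline, and a hit is a reason to inspect the machine, not proof of infection.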

Typically hackers use large botnets of computers to commit distributed denial of service (DDoS) attacks against websites. The hackers will demand that large websites pay them in order to be spared.

If you are worried about your computers or those of people you love, you can read Microsoft’s alert and my earlier post on how to prevent and remove the virus.

Free AntiSpyware

SUPERAntiSpyware is a very good antispyware tool that is free for personal use. While antivirus software is very important, antispyware can help too in making sure that you aren’t getting hijacked by spyware, adware, malware, trojans, dialers, worms, and key loggers.

You can run it whenever you want, not needing to take up resources when you aren’t using it.

Down & Up Worm Worst Ever

Over the last few months, the “Down and Up” worm, also known as “Conficker”, has infected an estimated 6% of all PCs worldwide. The concern is what the authors will now do with all these compromised systems. They could ask for credit card information as the bogus Antivirus 2009 does. They could use the computers to attack and demand money from websites through denial of service (DoS) attacks. No one knows yet what the intentions of the authors are.

It is considered the most professional and pernicious worm attack that researchers have yet seen. It affects all versions of Windows. As a worm, it does not require any user action for the computer to be compromised; it only requires that the machine has not been recently patched.

Download the Malicious Software Removal Tool (also available through Windows Update) in order to protect your computer or to possibly get rid of the worm (most people who have it do not know). Then you can feel comfortable that your computer is owned by you and not by the bad guys.

Malicious Software Removal Tool (MSRT)

Microsoft recently reported that their Malicious Software Removal Tool (MSRT), which was included in Windows Updates on December 9, 2008, has now removed over 400,000 copies of the nefarious “Antivirus 2009”.

An Arlington, VA client was recently infected by that Antivirus 2009 malware. It has been the most pernicious malware that I have seen recently, as most users can be tricked into installing it. Many fake sites exist that you might find during a normal web search. The sites appear to be a standard Windows Control Panel page which pretends to search for and find viruses. If you click “Ok” or “Remove All” you will be infected.

It will eventually take away all administrative rights from you and ask for your credit card to update and remove the viruses. Of course, it never removes anything, but instead gives your credit card info to the bad guys to use as they wish. Your computer is also a zombie ready to do whatever they ask of it.

The problem is that the dialog boxes and alerts look just like legitimate ones that might appear from Microsoft. See the fake Antivirus 2009 alert above.

I mentioned another variant of this malware called Antivirus XP 2008 in an earlier post.

While there are other tools you could use, Microsoft’s Malicious Software Removal Tool (MSRT) is a real solution that will remove and protect the computer from this Malware. It is available as a critical update from Microsoft.

It is not always apparent how to run Microsoft’s Malicious Software Removal Tool (MSRT). If you have it installed, you can just go to Start – Run and then type mrt