The Notebook Review forums were hosted by TechTarget, which shut them down on January 31, 2022. This static read-only archive was pulled by NBR forum users between January 20 and January 31, 2022, in an effort to make sure that the valuable technical information that had been posted on the forums is preserved. For current discussions, many NBR forum users moved over to NotebookTalk.net after the shutdown.

    Beware Conficker worm come April 1

    Discussion in 'Security and Anti-Virus Software' started by steelroots7xe, Mar 26, 2009.

  1. steelroots7xe

    steelroots7xe Notebook Evangelist

    Reputations:
    73
    Messages:
    397
    Likes Received:
    0
    Trophy Points:
    30
    For anyone concerned with new upcoming virus threats this year, check the following article out:

    What do you guys think? Will this updated malware cause a stir with users? Make sure you update any anti-virus software you have...

    By the way, Microsoft has a free online safety scan, which should detect any Conficker versions according to the article:

    You can access it here: http://onecare.live.com/site/en-us/default.htm

    Beware Conficker worm come April 1
    Tue Mar 24, 2009 6:21PM EDT

    In an event that hits the computer world only once every few years, security experts are racing against time to mitigate the impact of a bit of malware which is set to wreak havoc on a hard-coded date. As is often the case, that date is April 1.

    Malware creators love to target April Fool's Day with their wares, and the latest worm, called Conficker C, could be one of the most damaging attacks we've seen in years.

    Conficker first bubbled up in late 2008 and began making headlines in January as known infections topped 9 million computers. Now in its third variant, Conficker C, the worm has grown incredibly complicated, powerful, and virulent... though no one is quite sure exactly what it will do when D-Day arrives.

    Thanks in part to a quarter-million-dollar bounty on the head of the writer of the worm, offered by Microsoft, security researchers are aggressively digging into the worm's code as they attempt to engineer a cure or find the writer before the deadline. What's known so far is that on April 1, all infected computers will come under the control of a master machine located somewhere across the web, at which point anything's possible. Will the zombie machines become denial of service attack pawns, steal personal information, wipe hard drives, or simply manifest more traditional malware pop-ups and extortion-like come-ons designed to sell you phony security software? No one knows.

    Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day -- which security researchers and ICANN simply bought and/or disabled -- but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can't be tracked and disabled by hand.

    At this point, you should be extra vigilant about protecting your PC: Patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it.

    Source:
    http://tech.yahoo.com/blogs/null/128643/beware-conficker-worm-come-april-1/
     
  2. entropy.cz

    entropy.cz Notebook Evangelist

    Reputations:
    110
    Messages:
    386
    Likes Received:
    0
    Trophy Points:
    30
    - apply ALL windows security patches
    - use strong passwords in the network
    - disable autorun for removable media
    - use non-admin account
    - keep your AV updated
    - of course behave responsibly (no opening of suspicious attachments, no browsing of risky sites, using a browser other than IE, ... forcing your colleagues to do the same :rolleyes: )
    ...and you should be fine.

    edit: some more info about the C variant... http://community.ca.com/blogs/secur...new-conficker-variant-not-fooling-around.aspx
     
  3. Jakamo5

    Jakamo5 Tetra Vaal

    Reputations:
    635
    Messages:
    1,456
    Likes Received:
    105
    Trophy Points:
    81
    I hope it rickrolls everyone. Then maybe people will stop trying to pull "the ultimate rick roll prank" because no one will be able to top that.
     
  4. Emerican_Idiot

    Emerican_Idiot Notebook Consultant

    Reputations:
    0
    Messages:
    182
    Likes Received:
    0
    Trophy Points:
    30
    I actually came in contact with the Conficker/Downadup worm a couple days ago. I plugged my USB drive into my laptop and AVG went off detecting it. From what I heard it's been spreading via USB drives like wildfire. I assume I probably picked it up at school while I had my USB plugged into one of their computers. I'm actually extremely curious about what will happen on the 1st.
     
  5. brendrek

    brendrek Notebook Enthusiast

    Reputations:
    4
    Messages:
    17
    Likes Received:
    0
    Trophy Points:
    5
    I'm going to push my system date back to December 31, 1999. The Y2K bug will make short work of this little worm. :D
     
  6. darrickmartin

    darrickmartin Notebook Evangelist

    Reputations:
    14
    Messages:
    404
    Likes Received:
    0
    Trophy Points:
    30
    If my AV and Windows are updated,
    I should have nothing to worry about, right?
     
  7. Jakamo5

    Jakamo5 Tetra Vaal

    Reputations:
    635
    Messages:
    1,456
    Likes Received:
    105
    Trophy Points:
    81
    Check to make sure your AV has Conficker in its database. Considering how notorious Conficker is by now, your AV definitely should; otherwise you should switch AVs.


    So... supposedly, the French military has decided to ground some planes as a result of this worm... source

    Also, this from F-secure:

    Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?
    A: No, not really.

    Q: Seriously, the Conficker worm is going to do something bad on April 1st, right?
    A: The Conficker aka Downadup worm is going to change its operation a bit, but that's unlikely to cause anything visible on April 1st.

    Q: So, what will it do on April 1st?
    A: So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing.

    Q: The latest version? There are different versions out there?
    A: Yes, and the latest version is not the most common. Most of the infected machines are infected with the B variant, which became widespread in early January. With B variant, nothing happens on April 1st.

    Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st?
    A: No.

    Q: I'm running a Mac, is something going to happen to me?
    A: No.

    Q: So… this means that the attackers could use this download channel to run any program on all the machines?
    A: On all the machines that are infected with the latest version of the worm, yes.

    Q: But what's this peer-to-peer functionality I've heard about?
    A: The worm has some peer-to-peer functionality which means that infected computers can communicate with each other without the need for a server. This enables the worm to update itself without the need for any of the 250 or 50,000 domains.

    Q: But doesn't that mean that if the bad guys wanted to run something on those machines, they don't need to wait for April 1st?
    A: Yes! Which is another reason why it's unlikely anything major will happen on April 1st.

    Q: Is there going to be media hype?
    A: Oh yes. Like there always is when a widespread worm has a date trigger. Think cases like Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).

    Q: But in those cases nothing much happened even though everybody expected something to happen!
    A: Exactly.

    Q: So, should I keep my PC shut down on April 1st?
    A: No. You should make sure it's clean before April 1st.

    Q: Can I change the date on my machine to protect me?
    A: No. While the worm uses the local system time for certain parts of its update functionality it doesn't exclusively rely on that.

    Q: I'm confused. How can you know beforehand that there will be a global virus attack on April 1st? There must be a conspiracy here!
    A: Yes, you're confused. There is not going to be a "global virus attack". The machines that are already infected might do something new on April 1st. We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do.

    Q: Would the downloaded program execute with admin privileges?
    A: Yes, with local admin rights. Which is pretty bad.

    Q: And they could download that program not just on April 1st but also on any day after that?
    A: Correct. So there's no reason why they wouldn't do it on, say, April 5th instead of April 1st.

    Q: Ok, they could run any program. To do what?
    A: We don't know what they are planning to do, if anything. Of course, they could steal your data, send spam, do DDoS, et cetera. But we don't know.

    Q: They? Who are they? Who's behind this worm?
    A: We don't know that either. But they seem to be pretty professional in what they do.

    Q: Professional? Is it true that Conficker is using the MD6 hash algorithm?
    A: Yes. This was probably one of the first real-world cases where this new algorithm was used.

    Q: Why can't you just infect a PC, set the clock to April 1st and see what happens?
    A: That's not the way it works. The worm connects to certain websites to get the time-of-day.

    Q: Oh yeah? Then shut down the websites where it gets the time-of-day and the problem will go away!
    A: Can't. These are websites like google.com, yahoo.com and facebook.com.

    Q: But surely you could spoof google.com in the lab to get a honeypot machine to connect to a download site today!
    A: Sure. And the download sites do not have anything to download, today. They might, on April 1st. Or they might not.

    Q: Now I'm worried. How do I know if I'm infected?
    A: Try to surf to www.f-secure.com. If you can't reach our website you might be infected, as Downadup/Conficker blocks access to security vendors' websites. Don't tell anybody, but users who can't access f-secure.com because of this can surf to www.fsecure.com instead.

    Q: Where does the name "Conficker" come from?
    A: Conficker is an anagram of sorts from trafficconverter – a website to which the first variant was connecting.

    Q: Why does the worm have two names – Downadup and Conficker?
    A: It was found at about the same time by multiple security companies and therefore got multiple names. Today most companies use the name Conficker. There's further confusion about the variant letters among vendors. We're all sorry for that.

    Q: How many computers are currently infected by Downadup/Conficker?
    A: About 1-2 million. How many of those are infected with the latest version? We don't have an exact count.

    Q: How is the industry reacting to all this?
    A: We reacted by setting up the Conficker Working Group. Members include security vendors (including us), registrars, research units and so on.

    Q: I want more technical details on the worm.
    A: Sure. Here's our description, and here's SRI's excellent writeup.

    Q: When was the first variant of Downadup/Conficker discovered?
    A: It was found on November 20, 2008.

    Q: More than four months ago? I want a time line on what happened when.
    A: Byron Acohido has one.

    Q: Is F-Secure able to detect and block this malware?
    A: Yes.

    Q: Do you have cleaning tool available?
    A: Yes, and it's free. Click here to get it.

    Q: Are you going to follow this through?
    A: Yes. Stay tuned for updates.
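The F-Secure FAQ above describes three mechanisms worth seeing in code: a daily pool of generated domain names (250 a day for the older variant, 500 polled out of 50,000 a day for the C variant), the fact that defenders who have reverse engineered the algorithm can precompute and register the day's names, and the worm taking the current date from big public websites rather than the local clock. The following Python is an added illustration written for this archive, not code from the page, from F-Secure, or from the worm itself. It is NOT Conficker's real algorithm: the SHA-256 seeding, the label alphabet, the three-entry TLD list and the per-host sampling seed are all assumptions chosen only to make the mechanism concrete, and the HTTP `Date` header strings it parses are constructed inputs standing in for a real server response.

```python
"""Illustrative date-seeded domain generation and blocklist coverage.

Added example; NOT Conficker's real algorithm.  The hash, the label
alphabet, the TLD list and the per-infection sampling seed are assumptions
chosen to show the mechanism described in the F-Secure FAQ.
"""
import hashlib
import random
from datetime import date, timezone
from email.utils import parsedate_to_datetime

# Assumed TLD set; a real worm would spread its names over many more.
TLDS = ("com", "net", "org")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def day_from_http_date(date_header: str) -> date:
    """Derive the 'current day' from an HTTP Date header (RFC 1123 form).

    The FAQ says the worm takes time-of-day from big public websites rather
    than the local clock, which is why winding the clock back does not help.
    The header value passed in here is a constructed stand-in for the Date
    header of a real HTTP response.
    """
    return parsedate_to_datetime(date_header).astimezone(timezone.utc).date()


def generate_domains(day: date, count: int) -> list[str]:
    """Deterministically derive `count` candidate domains for `day`.

    Anyone who knows the algorithm (the worm, or an analyst who has reverse
    engineered it) gets the same list, so defenders can pre-register or
    sinkhole the day's names ahead of time.  Assumed seeding: SHA-256 of the
    ISO date, fed to Python's PRNG.
    """
    seed = int.from_bytes(hashlib.sha256(day.isoformat().encode()).digest(), "big")
    rng = random.Random(seed)
    domains = []
    for _ in range(count):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(5, 10)))
        domains.append(f"{label}.{rng.choice(TLDS)}")
    return domains


def worm_contact_list(day: date, pool_size: int, sample_size: int,
                      instance_seed: int) -> list[str]:
    """The subset of the day's pool that one infected host actually polls.

    The C-variant behaviour in the FAQ is pool_size=50000, sample_size=500;
    the older behaviour is pool_size=250 with every name polled.  Which 500
    a given host picks is assumed to be a per-host random sample.
    """
    pool = generate_domains(day, pool_size)
    if sample_size >= pool_size:
        return pool
    return random.Random(instance_seed).sample(pool, sample_size)


def blocked_fraction(day: date, pool_size: int, sample_size: int,
                     blocklist, instance_seed: int = 1) -> float:
    """Fraction of one host's daily contacts that land on defender-held names."""
    contacts = worm_contact_list(day, pool_size, sample_size, instance_seed)
    held = set(blocklist)
    return sum(1 for d in contacts if d in held) / len(contacts)


if __name__ == "__main__":
    april_1 = day_from_http_date("Wed, 01 Apr 2009 03:15:00 GMT")
    # Defender registers every name of a 250-a-day pool: full coverage.
    registered = generate_domains(april_1, 250)
    print("250/day, all 250 registered:",
          blocked_fraction(april_1, 250, 250, registered))
    # The same 250 registrations against a 50,000-a-day pool polled 500 at a
    # time cover almost none of what one host actually contacts.
    print("50,000/day, 250 registered:",
          blocked_fraction(april_1, 50000, 500, registered))
```

Because the generator is seeded only by the date, the first 250 names of the 50,000-name list are exactly the 250-name list, so the second call models a defender who kept the old registration budget after the variant changed. The point the FAQ makes follows directly: the old rate could be neutralised by registering every name, while 50,000 a day across real TLDs cannot be handled by hand, and the peer-to-peer channel means the update need not wait for any of them anyway.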
     
  8. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
  9. qhn

    qhn Notebook User

    Reputations:
    1,654
    Messages:
    5,955
    Likes Received:
    1
    Trophy Points:
    205
    Or just take a day off from the net on April 1st :D

    Safe surfing is the best way to protect oneself from malware infection, regardless of AV and Firewalls that one uses.

    cheers ...
     
  10. Jakamo5

    Jakamo5 Tetra Vaal

    Reputations:
    635
    Messages:
    1,456
    Likes Received:
    105
    Trophy Points:
    81
  11. surfasb

    surfasb Titles Shmm-itles

    Reputations:
    2,637
    Messages:
    6,370
    Likes Received:
    0
    Trophy Points:
    205
    This is another reason to use Vista. Vista's security measures block most of the virus's avenues of attack. Unless, of course, you double click it. Even if you do, UAC will block it.
     
  12. xTaill22x

    xTaill22x Notebook Guru

    Reputations:
    33
    Messages:
    59
    Likes Received:
    0
    Trophy Points:
    15
    I'm not too worried. I've done several scans from a few different security softwares and all of them confirmed that my computer is clean.
     
  13. steelroots7xe

    steelroots7xe Notebook Evangelist

    Reputations:
    73
    Messages:
    397
    Likes Received:
    0
    Trophy Points:
    30
    Definitely update your system the day before and during the day to be sure, on April 1. If your system was updated to the virus definitions of last month, most likely it won't detect the new Conficker because it might be composed of new scripts. Update both your anti-virus and Windows Update to be sure. I use NIS 2009 and LiveUpdate always automatically updates at least once a day to get new virus definitions.

    Also, be careful of USB drives. Like Emerica posted, it can spread via USB too. Just disable autorun to be sure...
     
  14. unnamed01

    unnamed01 Notebook Deity

    Reputations:
    194
    Messages:
    982
    Likes Received:
    0
    Trophy Points:
    30
    Wait I've been hearing a lot of talk about this worm in the news lately...but why can't I just unplug my LAN cable and everything will be alright (for me)? xD
     
  15. Jakamo5

    Jakamo5 Tetra Vaal

    Reputations:
    635
    Messages:
    1,456
    Likes Received:
    105
    Trophy Points:
    81
    You can, but if the millions of people infected just unplugged their lans, it would be a huge inconvenience that could affect their jobs and work. Also, it doesn't get rid of the problem. Next time you plug in your lan, the virus is still there, and it can execute anytime, not just April 1st.
     
  16. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    Some interesting information and alpha/beta tools to clean networks infected by Conficker variants; The HoneyNet Project and Bonn University Computer Science Department.

    Don't use the software from the last link unless you really know what you're doing.
    It's NOT meant for household situations. This software is under development.
    Cheers.
     
  17. coolguy

    coolguy Notebook Prophet

    Reputations:
    805
    Messages:
    4,679
    Likes Received:
    12
    Trophy Points:
    106
  18. Signal2Noise

    Signal2Noise Über-geek.

    Reputations:
    445
    Messages:
    1,970
    Likes Received:
    0
    Trophy Points:
    55
    I hope millions of computers get infected with conficker worm. It'll mean less lag on the internets and no queues in the MMOs I play for at least a few days. :)
     
  19. darthvader1432

    darthvader1432 - Audiophile -

    Reputations:
    92
    Messages:
    991
    Likes Received:
    0
    Trophy Points:
    30
    Can Avira or SuperAntiSpyware detect it?
     
  20. Jakamo5

    Jakamo5 Tetra Vaal

    Reputations:
    635
    Messages:
    1,456
    Likes Received:
    105
    Trophy Points:
    81
    I know Avira does... but in reality this has become such a highly spoken-of worm that any respectable AV should detect it by now. If your AV doesn't, it's time to switch.
     
  21. darthvader1432

    darthvader1432 - Audiophile -

    Reputations:
    92
    Messages:
    991
    Likes Received:
    0
    Trophy Points:
    30
    OK, Avira does.
    That's good enough for me.

    (Avira free, right?)
     
  22. Jakamo5

    Jakamo5 Tetra Vaal

    Reputations:
    635
    Messages:
    1,456
    Likes Received:
    105
    Trophy Points:
    81
  23. IDK312

    IDK312 Notebook Consultant

    Reputations:
    51
    Messages:
    129
    Likes Received:
    0
    Trophy Points:
    30
    Great.... Now I'm all scared and stuff now..

    On a side note, I just tried Avira now; I'm updating it and doing a full system scan. It is not as much of a resource hog as AVG when it does a full system scan. I think it detected 2 things that AVG didn't. It says "2 Warnings", whatever that is supposed to mean.

    The scan is halfway done. I'll do a report afterwards if you guys want me to.

    Also I'm a bit confused.. Does Avira have anti-spyware too or is it just anti-virus? I got the free version of Avira.
     
  24. darthvader1432

    darthvader1432 - Audiophile -

    Reputations:
    92
    Messages:
    991
    Likes Received:
    0
    Trophy Points:
    30
    I use Avira and SuperAntiSpyware. The combination is good.
     
  25. IDK312

    IDK312 Notebook Consultant

    Reputations:
    51
    Messages:
    129
    Likes Received:
    0
    Trophy Points:
    30
    Thanks for the tip, i think i have used SuperAntiSpyware before. I remember the little yellow bug icon.

    +1 rep!
     
  26. coolguy

    coolguy Notebook Prophet

    Reputations:
    805
    Messages:
    4,679
    Likes Received:
    12
    Trophy Points:
    106
    Avira free has basic antispyware protection.
     
  27. MisterQ

    MisterQ Notebook Consultant

    Reputations:
    34
    Messages:
    206
    Likes Received:
    0
    Trophy Points:
    30
    Time to do a scan later. I don't wanna turn on this machine then getting an April Fools prank from Conficker :|.

    Are there "symptoms" to Conficker?
     
  28. passive101

    passive101 Notebook Deity

    Reputations:
    36
    Messages:
    1,548
    Likes Received:
    0
    Trophy Points:
    55
    I always get a warning from Avira saying it can't access my page file. I have been told that is normal.
     
  29. passive101

    passive101 Notebook Deity

    Reputations:
    36
    Messages:
    1,548
    Likes Received:
    0
    Trophy Points:
    55

    Your Windows Firewall may be disabled, and Windows Update and Defender may not work.
     
  30. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
    Time to back up your HDDs, I think.
     
  31. entropy.cz

    entropy.cz Notebook Evangelist

    Reputations:
    110
    Messages:
    386
    Likes Received:
    0
    Trophy Points:
    30
    Just a note... in case Conficker is sitting there already, make sure to scan the backup properly before using it. It may sound trivial, but many people cannot get rid of a returning infection, and then find out that it was the backup.
     
  32. calintz333

    calintz333 Notebook Geek

    Reputations:
    0
    Messages:
    87
    Likes Received:
    0
    Trophy Points:
    15
    Does Avira Antivir Personal- Free Version have protection against this worm?

    Or does AVG free? Any free Anti-virus have protection vs the worm?
     
  33. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
    Avast has got a warning when you start the scanner control panel.
     

  34. entropy.cz

    entropy.cz Notebook Evangelist

    Reputations:
    110
    Messages:
    386
    Likes Received:
    0
    Trophy Points:
    30
    Regarding AVG, yes, it detects all known variants (including the C one) as Worm/Downadup (it has several aliases: Conficker, Kido, Downadup). I'm not sure about Avira, but I guess that it detects that as well.
     
  35. TeeJay 44

    TeeJay 44 Notebook Deity

    Reputations:
    1,020
    Messages:
    1,048
    Likes Received:
    0
    Trophy Points:
    0
    Any AV worth its reputation (free or not) should have it in its database. And should be able to deal with it.

    Question is... how successfully though. That we will see tomorrow.

    Can't wait to see the results.
     
  36. Jakamo5

    Jakamo5 Tetra Vaal

    Reputations:
    635
    Messages:
    1,456
    Likes Received:
    105
    Trophy Points:
    81
    read about 10 posts back in the thread..
     
  37. darthvader1432

    darthvader1432 - Audiophile -

    Reputations:
    92
    Messages:
    991
    Likes Received:
    0
    Trophy Points:
    30
    Yes, Avira can detect it.

    Norton I think is best for protection (using it on my mom's desktop main computer).

    I'm also using SuperAntiSpyware because it's a lesser AV but is good.
    Hmmmm, a complete format of my comp may be good to get some of this junk off it... and this dang invisible corrupt file that never goes away.

    BUT I'M NOT GOING TO GET THE WORM, I DON'T EAT FISH
     
  38. brncao

    brncao Notebook Evangelist

    Reputations:
    541
    Messages:
    570
    Likes Received:
    5
    Trophy Points:
    31
    How do you get this virus in the first place?
     
  39. Tinderbox (UK)

    Tinderbox (UK) BAKED BEAN KING

    Reputations:
    4,745
    Messages:
    8,513
    Likes Received:
    3,823
    Trophy Points:
    431
    unprotected surf
     
  40. Baserk

    Baserk Notebook user

    Reputations:
    2,503
    Messages:
    1,794
    Likes Received:
    1
    Trophy Points:
    56
    And by not installing Windows updates (Microsoft already patched the hole Conficker uses on October 23, 2008).
    Infected external media; USB sticks.
    Infected (company/university/etc.) networks.
     
  41. elijahRW

    elijahRW Notebook Deity

    Reputations:
    940
    Messages:
    1,797
    Likes Received:
    0
    Trophy Points:
    0
    :D I'm not gonna do a thing about it :D

    What will it do? Make my computer into an atom bomb :p ?
     
  42. xenon2k9

    xenon2k9 Notebook Evangelist

    Reputations:
    48
    Messages:
    346
    Likes Received:
    0
    Trophy Points:
    30
    I couldn't care less about this so called virus. Nothing going to happen and I'm definitely not taking any additional precautions.
     
  43. IDK312

    IDK312 Notebook Consultant

    Reputations:
    51
    Messages:
    129
    Likes Received:
    0
    Trophy Points:
    30
  44. KernalPanic

    KernalPanic White Knight

    Reputations:
    2,125
    Messages:
    1,934
    Likes Received:
    130
    Trophy Points:
    81
    Yes, but it doesn't matter because the world ends tonight anyway as global warming will kill us all in a flash of fire and a drowning of water.

    Seriously, a little caution and some checking wouldn't hurt anyone.
    Not that this is any different than any other April 1st.
     
  45. brncao

    brncao Notebook Evangelist

    Reputations:
    541
    Messages:
    570
    Likes Received:
    5
    Trophy Points:
    31
    So to get this virus you need to visit a certain website that will automatically infect your computer once you visit it? If a client is then infected with the virus, can it spread to other computers in the network on its own (without using removable media)? I'm guessing it could since the client is connected directly to the host computer and from there it infects the entire network.

    But to get it in the first place you need to visit an infected site right? I don't think I've visited any unpopular sites or sites from europe or asia. If this virus could infect major sites like google, yahoo, youtube, newegg, amazon, etc. then I'll surely be worried. If it's some unheard of site that's only infected then I should be safe. I have everything up to date as well.
     
  46. AznImports602

    AznImports602 Notebook Deity

    Reputations:
    85
    Messages:
    1,023
    Likes Received:
    0
    Trophy Points:
    55
    Paranoid!!! Worst comes to worst I reformat my laptop...
     
  47. Jakamo5

    Jakamo5 Tetra Vaal

    Reputations:
    635
    Messages:
    1,456
    Likes Received:
    105
    Trophy Points:
    81
    Man... everyone's saying "I'm not going to do anything about it" or "paranoid.. worst comes to worst I have to reformat"

    Wow... you guys are SOOO brave... lol

    For real, the reason that this is hyped up is because people don't want to have damage done to their PC and don't want to have to reformat, because some people, maybe not you guys, have sensitive info, or business-related info that could easily affect them financially.. That's why it's a big deal, and what some people don't seem to understand when they go "omg it's so hyped up, but I don't think it's a big deal so I don't care about it". OK, good for you then lol, thanks for letting us know! :rolleyes:
     
  48. wallyy

    wallyy Notebook Consultant

    Reputations:
    12
    Messages:
    194
    Likes Received:
    0
    Trophy Points:
    30
    Do you think banks or corporate computer systems will be affected by it?????
     
  49. AznImports602

    AznImports602 Notebook Deity

    Reputations:
    85
    Messages:
    1,023
    Likes Received:
    0
    Trophy Points:
    55
    I hope AIG gets affected. :D
     
  50. EphinBoi

    EphinBoi Notebook Enthusiast

    Reputations:
    0
    Messages:
    34
    Likes Received:
    0
    Trophy Points:
    15
    How come we haven't heard anything about it yet? If it's world-wide, shouldn't other countries have gotten it by now since it's already April 1st there?
     