
03-25-2009, 09:14 PM, posted by maniac19642003 (Insane handicapped dude.; Join Date: Apr 2005; Location: Fawn Grove, PA)
Beware Conficker worm come April 1

In an event that hits the computer world only once every few years, security experts are racing against time to mitigate the impact of a bit of malware which is set to wreak havoc on a hard-coded date. As is often the case, that date is April 1.

Malware creators love to target April Fool's Day with their wares, and the latest worm, called Conficker C, could be one of the most damaging attacks we've seen in years. Conficker first bubbled up in late 2008 and began making headlines in January as known infections topped 9 million computers. Now in its third variant, Conficker C, the worm has grown incredibly complicated, powerful, and virulent... though no one is quite sure exactly what it will do when D-Day arrives.

Thanks in part to a quarter-million-dollar bounty on the head of the writer of the worm, offered by Microsoft, security researchers are aggressively digging into the worm's code as they attempt to engineer a cure or find the writer before the deadline. What's known so far is that on April 1, all infected computers will come under the control of a master machine located somewhere across the web, at which point anything's possible. Will the zombie machines become denial of service attack pawns, steal personal information, wipe hard drives, or simply manifest more traditional malware pop-ups and extortion-like come-ons designed to sell you phony security software? No one knows.

Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day -- which security researchers and ICANN simply bought and/or disabled -- but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can't be tracked and disabled by hand.
At this point, you should be extra vigilant about protecting your PC: Patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it. Microsoft also offers a free online safety scan here, which should be able to detect all Conficker versions.
__________________
Finally made 1,000 posts here on 11/15/08!
Sometimes it's Hell to pay to get to Heaven - WWE's Undertaker.
03-26-2009, 08:47 AM, posted by coot (I thought I changed this; Join Date: May 2005; Location: OTOS)
Conficker time bomb ticks, but don't expect fireworks
by Elinor Mills
There's been lots of hype about the fact that the latest variant of the Conficker worm is set to start communicating with other computers on the Internet on April 1--like an April Fool's Day time bomb with some mysterious payload.
But security researchers say the reality is probably going to be more like what happened when the clocks on the world's computers turned to January 1, 2000, if that.
"It doesn't mean we're going to see some large cyber event on April 1," Dean Turner, director of the global intelligence network at Symantec Security Response, said on Wednesday.
It's likely that the people behind Conficker are interested in using the botnet, which is comprised of all the infected computers, to make money by distributing spam or other malware, experts speculate. To do so, they would need the computers and networks to stay in operation.
"Most of these criminals, even though they haven't done something with this botnet yet, are profit-driven," said Paul Ferguson, an advanced-threats researcher for Trend Micro. "They don't want to bring down the infrastructure. That would not allow them to continue carrying out their scams."
To help clear up some of the confusion about Conficker, here are answers to common questions people may have.
What is Conficker and how does it work?
Conficker is a worm, also known as Kido or Downadup, that cropped up in November. It exploits a vulnerability in Windows that Microsoft patched in October.
Conficker.B, detected in February, added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.
Conficker.C, which surfaced earlier this month, shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer networking and includes a list of 50,000 different domains, of which 500 will be contacted by the infected computer on April 1 to receive updated copies or other malware or instructions. Previous Conficker variants were written to connect to 250 domains a day.
Among the domains targeted by Conficker was that of Southwest Airlines, which was expected to see an increase in traffic from the botnet on March 13. But a Southwest spokesman said the worm had had no impact on the site.
Where did Conficker come from?
Some pieces of the Conficker code and methodologies it uses are similar to those used in previous botnet worms created by the underground operation known as the Russian Business Network and cohorts in the Ukraine, Ferguson said. But while there is speculation, researchers don't know for sure who is involved, he said.
"There is some evidence to indicate that this might at one point have been tied to distribution of misleading apps and rogue affiliate networks," said Symantec's Turner.
How is it different from other Internet worms?
Conficker has grown increasingly sophisticated with each iteration, with features designed to increase its longevity, most likely in response to researchers' attempts to block it. After researchers began preregistering domains targeted in the code, the Conficker.C authors upped the ante by having the algorithm generate 50,000 possible domains, instead of just 250, throwing a big roadblock into efforts to counter the worm. The creators also are using advanced encryption to obscure the instructions detailing which random 500 of the 50,000 domains will actually be contacted on April 1.
It appears the authors may also be intending to create domain collisions by targeting domains that are already in use by legitimate owners, Ferguson said.
"They're creating collateral damage, throwing a monkey wrench into our ability to counter them," he said. "What they're trying to do is make our lives miserable on any efforts to mitigate the threat."
Some of the tactics, including the domain randomization, inter-node communication, and use of strong encryption, are new, according to Ferguson.
"They are using tactics that are probably the most complex and sophisticated botnet tactics we've seen to date," he said. "This is very professionally architected design and development."
Added Turner: "This is the first widespread distribution of a worm since about 2004," when Sasser came out. That worm was believed to have infected as many as 500,000 computers.
What is being done to fight Conficker?
Microsoft has partnered with all the major security companies and domain registrars and registries to form the Conficker Coalition Working Group. The parties are collaborating on research, trying to put the pieces of the puzzle together and figure out who is behind the worm and how to stop it. They are using techniques like behavioral analysis of the code and reverse engineering, but researchers don't want to reveal too much information on their efforts. "We have made headway but I'm hesitant to talk about how far we've gotten," Turner said.
Researchers in the U.S. are preregistering domains that are targeted, but experts in Canada are going even further. The Canadian Internet Registration Authority is taking steps to block domains generated in Conficker code that fall in the .ca top-level domain from being used in the botnet, the nonprofit agency said. "If other domain registries were able to do the same thing it would go a long way toward helping mitigate some of the ability for the botnet to breathe," Ferguson said.
Conficker has proved to be such a nuisance that Microsoft has even offered a $250,000 reward for information leading to an arrest in the Conficker case.
What can I do?
Computer users should apply the Microsoft patch and update their antivirus and other security software.
Windows users should also apply a Microsoft update for the AutoRun feature in Windows that was released in February. The patch allows people to selectively disable the Autorun functionality for drives on a system or network to provide more security, to ensure that it is truly disabled. In addition to putting USB drive users at risk of Conficker and other viruses, the Autorun functionality has been blamed for infections from digital photo frames and other storage types.
Panda also has released a free "vaccine" tool for blocking viruses that spread through USB drives.
Microsoft has a Conficker removal tool. More botnet information and removal resources are on the Shadowserver Web site.
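The daily-domain mechanism described in the first post and in the Q&A above (250 candidate domains per day for the earlier variants; 50,000 per day with a random 500 polled for Conficker.C) is easier to reason about with numbers. The block below is an added example, not code from this thread and not Conficker's actual algorithm: the hash function, salt, label lengths, TLD list and the per-bot subset selection are assumptions chosen only to show the mechanism. What it demonstrates is why pre-registration scales against 250 candidates but not 50,000: the operator needs just one registered domain, a bot polling 500 of 50,000 candidates has a 1% chance per day of landing on it (about 26% over a month), and a defender who wants to deny the operator any rendezvous point must register or block every candidate, every day.

```python
import hashlib
import math
import random
from datetime import date

# Assumed values for this illustration; Conficker's real seed material,
# hash function and TLD set are deliberately not reproduced here.
TLDS = ("com", "net", "org", "info", "biz")
SALT = b"illustrative-dga-salt"


def daily_candidates(day: date, n: int) -> list:
    """Deterministic list of n candidate domains for `day`.

    Every bot derives the same list from the calendar date, so the operator
    needs to register only one of them in advance to reach every bot, while
    a defender who wants to deny that has to pre-register (or have the
    registries block) all n of them, every single day.
    """
    domains = []
    for i in range(n):
        h = hashlib.sha256(SALT + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 5                                   # 8..12 letter label
        label = "".join(chr(97 + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


def bot_contacts(day: date, n: int, k: int, bot_id: int) -> list:
    """The k domains one particular bot polls on `day`: a per-bot random
    subset of the n candidates, as the Q&A describes for Conficker.C."""
    rng = random.Random(bot_id * 1_000_003 + day.toordinal())
    return rng.sample(daily_candidates(day, n), k)


def p_reach(n: int, k: int, m: int) -> float:
    """Probability that a bot polling k random candidates out of n hits at
    least one of the m candidates the operator actually registered
    (hypergeometric complement; math.comb returns 0 when k > n - m)."""
    if m >= n:
        return 1.0
    return 1.0 - math.comb(n - m, k) / math.comb(n, k)


def p_reach_within(n: int, k: int, m: int, days: int) -> float:
    """Same probability accumulated over `days` independent daily lists."""
    return 1.0 - (1.0 - p_reach(n, k, m)) ** days


def compare_variants() -> dict:
    """Old scheme (250 candidates, all polled) versus the .C scheme
    (50,000 candidates, 500 polled), with the operator holding one domain
    and the defender trying to block every candidate."""
    return {
        "old_p_reach_per_day": p_reach(250, 250, 1),
        "old_defender_domains_per_day": 250,
        "c_p_reach_per_day": p_reach(50_000, 500, 1),
        "c_p_reach_within_30_days": p_reach_within(50_000, 500, 1, 30),
        "c_defender_domains_per_day": 50_000,
    }


if __name__ == "__main__":
    d = date(2009, 4, 1)
    print(daily_candidates(d, 5))
    print(bot_contacts(d, 50_000, 500, bot_id=1)[:5])
    for key, value in compare_variants().items():
        print(f"{key}: {value}")
```

The asymmetry is the whole point of the design change: the bot side is cheap (one hash per candidate, all derived from the date), the operator side is cheap (one registration), and only the defender's cost grows with n. Pre-registering a share of the candidates still has value as a sinkhole, since any bot that polls one of those names reveals itself to the defender, which is the "breathe" that Ferguson refers to.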
03-31-2009, 05:15 PM, posted by maniac19642003

Last-minute Conficker survival guide
Tomorrow -- April 1 -- is D-Day for Conficker, as whatever nasty payload it's packing is currently set to activate. What happens come midnight is a mystery: Will it turn the millions of infected computers into spam-sending zombie robots? Or will it start capturing everything you type -- passwords, credit card numbers, etc. -- and send that information back to its masters? No one knows, but we'll probably find out soon.
Or not. As Slate notes, Conficker is scheduled to go "live" on April 1, but whoever's controlling it could choose not to wreak havoc but instead do absolutely nothing, waiting for a time when there's less heat. They can do this because the way Conficker is designed is extremely clever: Rather than containing a list of specific, static instructions, Conficker reaches out to the web to receive updated marching orders via a huge list of websites it creates. Conficker.C -- the latest bad boy -- will start checking 50,000 different semi-randomly-generated sites a day looking for instructions, so there's no way to shut down all of them. If just one of those sites goes live with legitimate instructions, Conficker keeps on trucking.
Conficker's a nasty little worm that takes serious efforts to bypass your security defenses, but you aren't without some tools in your arsenal to protect yourself.
Your first step should be the tools you already have: Windows Update, to make sure your computer is fully patched, and your current antivirus software, to make sure anything that slips through the cracks is caught.
But if Conficker's already on your machine, it may bypass certain subsystems and updating Windows and your antivirus at this point may not work. If you are worried about anything being amiss -- try booting into Safe Mode, which Conficker prevents, to check -- you should run a specialized tool to get rid of Conficker.
Microsoft offers a web-based scanner (note that some users have reported it crashed their machines; I had no trouble with it), so you might try one of these downloadable options instead: Symantec's Conficker (aka Downadup) tool, Trend Micro's Cleanup Engine, or Malwarebytes. Conficker may prevent your machine from accessing any of these websites, so you may have to download these tools from a known non-infected computer if you need them. Follow the instructions given on each site to run them successfully. (Also note: None of these tools should harm your computer if you don't have Conficker.)
As a final safety note, all users -- whether they're worried about an infection or know for sure they're clean -- are also wise to make a full data backup today.
What won't work? Turning your PC off tonight and back on on April 2 will not protect you from the worm (sorry to the dozens of people who wrote me asking if this would do the trick). Temporarily disconnecting your computer from the web won't help if the malware is already on your machine -- it will simply activate once you connect again. Changing the date on your PC will likely have no helpful effect, either. And yes, Macs are immune this time out. Follow the above instructions to detect and remove the worm.
04-01-2009, 03:53 PM, posted by maniac19642003
April 1st has arrived for the whole world now, which means the dreaded Conficker.C -- perhaps the most technologically sophisticated malware attack ever designed -- is no longer dormant and is now actively looking for instructions on the internet. That's the bad news. The good news: Those instructions either haven't been delivered by the worm's creators or (far less likely) Conficker has been thwarted by the attempts to raise awareness about the attack and stop it in its tracks, scaring off the creators.
As discussed widely in the media (and in a server-melting blog post here), Conficker was scheduled to go live on April 1 (local time), which meant it would no longer sit dormant on your computer but would rather begin polling the web for its instructions.
And as I mentioned as a possibility yesterday, those instructions have not yet been delivered despite the arrival of D-Day, so while Conficker is indeed "phoning home," no one is answering the call.
Yet.
Vigilance is key for now, as those instructions could be delivered at any time. Given the panic many people are experiencing over the arrival of April 1 (thank you for all the emails...), if I was a malware writer, I'd wait until tomorrow -- or later -- before launching the real attack, after guards had been let down a bit and people thought the coast was clear. That's not the case.
I'll reiterate that, despite the fact that it hasn't yet gone haywire, I don't believe Conficker is a hoax. This is an extremely sophisticated piece of programming that is indeed looking for instructions from its creator on what to do next and is simply idling in the meantime. Just because those instructions haven't been given does not mean you're safe from attack.
Don't panic, but keep your antivirus running and update, and make sure Windows is patched. My prior post has additional information on keeping yourself protected, whether Conficker finally goes live later today or a year from now.
04-02-2009, 05:43 PM, posted by maniac19642003

Conficker worm plays no tricks on April Fools' Day
SAN FRANCISCO (AFP) - The Conficker worm's April 1st trigger date came and went without the bedeviling computer virus causing any mischief but security specialists warn that the threat is far from over. Conficker did just what the "white hats" tracking it expected -- the virus evolved to better resist extermination and make its masters tougher to find.
"There are still millions of personal computers out there that are, unknown to their owners, at risk of being controlled in the future by persons unknown," said Trend Micro threat researcher Paul Ferguson.
"The threat is still there. These guys are smart; they are not going to pull any obvious strings when there are so many eyeballs on the problem."
A task force assembled by Microsoft has been working to stamp out the worm, referred to as Conficker or DownAdUp, and the US software colossus has placed a bounty of 250,000 dollars on the heads of those responsible for the threat.
"It is pretty sophisticated and state-of-the-art," Ferguson said. "It definitely looks like the puppet masters are located in Eastern Europe."
The worm was programmed to evolve on Wednesday to become harder to stop. It began doing just that when infected machines got cues, some from websites with Greenwich Mean Time and others based on local clocks.
The malicious software evolved from East to West, beginning in the first time zones to greet April Fools' Day.
Conficker had been programmed to reach out to 250 websites daily to download commands from its masters, but on Wednesday it began generating daily lists of 50,000 websites and reaching randomly 500 of those.
The hackers behind the worm have yet to give the virus any specific orders. An estimated one to two million computers worldwide are infected with Conficker.
The worm, a self-replicating program, takes advantage of networks or computers that haven't kept up to date with security patches for Windows RPC Server Service.
It can infect machines from the Internet or by hiding on USB memory sticks carrying data from one computer to another.
Malware could be triggered to steal data or turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.
"We're still watching to see what it's doing," said Ferguson, a member of the Conficker task force.
"A lot of us have our fingers crossed that people are getting rid of this."
Microsoft has modified its free Malicious Software Removal Tool to detect and remove Conficker. Security firms, including Trend Micro, Symantec and F-Secure, provide Conficker removal services at their websites.
The tell-tale signs that a computer is infected includes the worm blocking efforts to connect with websites of security firms providing online tools for removing the virus.
Conficker task force members have found a way to disable the block by typing in a few commands into computers.
The US Department of Homeland Security (DHS) released a tool on Monday to detect whether a computer is infected by Conficker.
The agency said the worm detector was developed by the US Computer Emergency Readiness Team (US-CERT).
"Our experts at US-CERT are working around the clock to increase our capabilities to address the cyber risk to our nation's critical networks and systems, both from this threat and all others," US-CERT director Mischel Kwon said when the tool was released.
US-CERT recommended that Windows users apply Microsoft security patch MS08-067 to help protect against the worm.
"Life goes on," Ferguson said as the sun set on April Fools' Day in California. "This system could still go off. Time will tell."
While Conficker has been in the spotlight, computer security specialists are finding 10,000 new samples of malicious software daily and hundreds of websites are spewing spam, some of it tainted with viruses, according to Ferguson.
"There are plenty of threats out there," he said.
04-13-2009, 06:48 PM, posted by maniac19642003

Conficker Eye Chart: How it works
Many readers have been wondering what the easiest way is to determine whether their computer has been infected with the Conficker worm. Previously I've pointed them to this Conficker Eye Chart -- and that recommendation still holds -- but now I want to respond to further questions about how it works. First, some have looked at the spartan Eye Chart and have worried that it might be, at best, a sham designed to lull you into a false sense of security and, at worst, yet another delivery mechanism for the Conficker worm. It is neither. The Conficker Eye Chart is in reality a very clever way to determine if your computer is compromised, and it doesn't require you to do anything but click one link.
Here's how it works, in brief: Visit the web page linked above and you'll see six images: The three on top are for security software websites, and the three on the bottom are the logos of various open source operating system distributions. The clever part of all this is that the logos aren't actually being served from the web page linked above, but are rather drawn directly from the six different websites to which each logo belongs.
Conficker (as many other pieces of malware) blocks your web browser from reaching many security websites, so if you don't see some of the security logos on the page, you probably have a problem. Why include the open source logos below it? Because if they don't show up, you are probably simply experiencing an internet connectivity problem instead of being the victim of a malware attack.
Whatever you see on the Eye Chart page, just scroll down a bit to determine how to interpret the images in question. Different strains of Conficker will cause a different set of logos to appear (since Conficker.B doesn't block the SecureWorks logo). Of course, you should also remember that many other viruses and worms block access to security software websites, so not seeing some or all of the images could also be a symptom of a different infestation. If you see all the logos, you're probably in the clear.
One point to remember is that Conficker's creators -- or someone -- have been attempting to attack the Eye Chart page directly, so the page may not load at all. If that's the case, don't assume you have Conficker; it's probably just a temporary site outage.
Instead, try one of these other sites, which are also hosting the exact same Eye Chart and which will work exactly the same way:
joestewart.org
baylor.edu
talkbiz.com
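The decision rule behind the Eye Chart described in the post above, and the "Conficker may prevent your machine from accessing any of these websites" warning in the survival guide, come down to a differential reachability test: probe a row of security-vendor hosts and a row of control hosts, and only call it an infection when the first row fails while the second loads. The block below is an added example written for this thread, not the Eye Chart page's own code. The image URLs are placeholders (only the hostnames matter), the `simulated_fetcher` is a constructed model of a worm that filters security sites by hostname and is not Conficker's real block list, and the Conficker.B hint follows the post's statement that .B leaves SecureWorks reachable.

```python
import urllib.parse
import urllib.request
from typing import Callable, Dict

# Probe targets.  These URLs are placeholders standing in for the six logo
# images on the Eye Chart (the real page's image URLs are not reproduced);
# only the hostnames matter to the logic.  Top row: security vendors named
# in this thread.  Bottom row: controls no worm has a reason to block.
SECURITY_PROBES: Dict[str, str] = {
    "Symantec": "https://www.symantec.com/logo.png",
    "SecureWorks": "https://www.secureworks.com/logo.png",
    "Trend Micro": "https://www.trendmicro.com/logo.png",
}
CONTROL_PROBES: Dict[str, str] = {
    "Debian": "https://www.debian.org/logo.png",
    "OpenBSD": "https://www.openbsd.org/logo.png",
    "FreeBSD": "https://www.freebsd.org/logo.png",
}

Fetcher = Callable[[str], bool]   # True if the image loaded


def http_fetcher(timeout: float = 5.0) -> Fetcher:
    """Live probe: True when an HTTP GET of the URL returns 2xx in time."""
    def fetch(url: str) -> bool:
        try:
            with urllib.request.urlopen(url, timeout=timeout) as resp:
                return 200 <= resp.status < 300
        except Exception:   # DNS failure, timeout, reset, HTTP error: "did not load"
            return False
    return fetch


def simulated_fetcher(blocked_substrings) -> Fetcher:
    """Offline stand-in for demos and tests: the host is 'unreachable' whenever
    its name contains one of the substrings.  A constructed model of a worm
    that filters security sites by hostname, not Conficker's actual list."""
    def fetch(url: str) -> bool:
        host = urllib.parse.urlsplit(url).hostname or ""
        return not any(s in host for s in blocked_substrings)
    return fetch


def run_eye_chart(fetch: Fetcher) -> Dict[str, Dict[str, bool]]:
    """Load every probe through `fetch`, keeping the two rows separate."""
    return {
        "security": {name: fetch(url) for name, url in SECURITY_PROBES.items()},
        "control": {name: fetch(url) for name, url in CONTROL_PROBES.items()},
    }


def interpret(results: Dict[str, Dict[str, bool]]) -> str:
    """Apply the chart's decision rule.  A positive result means *some*
    malware is filtering security sites, not specifically Conficker."""
    sec, ctl = results["security"], results["control"]
    if not any(ctl.values()):
        return "inconclusive: control images failed too, suspect a connectivity problem"
    blocked = sorted(name for name, ok in sec.items() if not ok)
    if not blocked:
        return "clear: all security and control images loaded"
    note = ""
    if len(blocked) == len(sec) - 1 and sec.get("SecureWorks"):
        note = " (SecureWorks still reachable: the pattern the post attributes to Conficker.B)"
    return f"suspect infection: blocked {', '.join(blocked)} while controls loaded{note}"


if __name__ == "__main__":
    print(interpret(run_eye_chart(http_fetcher())))
```

Run from a machine you suspect, the live fetcher reports the same three outcomes the chart's legend does. The control row is what turns a "nothing loaded" result from a scary one into a boring one, and the same caveat from the post applies: a positive result says the host is filtering security sites, not which family is doing it, so follow it up with one of the removal tools the survival guide lists.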
04-24-2009, 05:55 PM, posted by maniac19642003

Conficker virus begins to attack PCs: experts

BOSTON (Reuters) - A malicious software program known as Conficker that many feared would wreak havoc on April 1 is slowly being activated, weeks after being dismissed as a false alarm, security experts said. Conficker, also known as Downadup or Kido, is quietly turning an unknown number of personal computers into servers of e-mail spam, they added.

The worm started spreading late last year, infecting millions of computers and turning them into "slaves" that respond to commands sent from a remote server that effectively controls an army of computers known as a botnet. Its unidentified creators started using those machines for criminal purposes in recent weeks by loading more malicious software onto a small percentage of computers under their control, said Vincent Weafer, a vice president with Symantec Security Response, the research arm of the world's largest security software maker, Symantec Corp.

Conficker installs a second virus, known as Waledac, that sends out e-mail spam without knowledge of the PC's owner, along with a fake anti-spyware program, Weafer said. The Waledac virus recruits the PCs into a second botnet that has existed for several years and specializes in distributing e-mail spam. Conficker also carries a third virus that warns users their PCs are infected and offers them a fake anti-virus program, Spyware Protect 2009 for $49.95, according to Russian-based security researcher Kaspersky Lab. If they buy it, their credit card information is stolen and the virus downloads even more malicious software.

Weafer said that while he believes the number of infected machines that have become active is relatively small, he expects a consistent stream of attacks to follow, with other types of malware distributed by Conficker's authors. "Expect this to be long-term, slowly changing," he said of the worm. "It's not going to be fast, aggressive."
Researchers feared the network controlled by the Conficker worm might be deployed on April 1 for the first time since the worm surfaced last year because it was programmed to increase communication attempts from that date. The security industry formed a task force to fight the worm, bringing widespread attention that experts said probably scared off the criminals who command the slave computers. That task force thwarted the worm partially by using the Internet's traffic control system to block access to servers that control the slave computers. Viruses that turn PCs into slaves exploit weaknesses in Microsoft's Windows operating system. The Conficker worm is especially tricky because it can evade corporate firewalls by passing from an infected machine onto a USB memory stick, then onto another PC. The Conficker botnet is one of many such networks controlled by syndicates that authorities believe are based in eastern Europe, southeast Asia, China and Latin America.
04-28-2009, 11:20 PM, posted by maniac19642003

Conficker worm dabbling with mischief

SAN FRANCISCO (AFP) - The Conficker worm's creators are evidently toying with ways to put the pervasive computer virus to work firing off spam or spreading rogue anti-virus applications called "scareware."
An April update sent to a tiny percentage of infected computers had the machines retrieve components of notorious Storm and Waledac worms unleashed in past years to create armies of "botnets" -- automated crime networks -- for spreading spam or scareware.
"It looks like these guys are perhaps testing the waters to see which one of those would be a better money-maker for them," Trend Micro advanced threats researcher Paul Ferguson said Monday of Conficker's masters.
"We have always suspected that the people behind this would not sit idly by without trying to make money off this somehow. Spamming and rogue anti-virus are pretty lucrative for these guys."
Ties to components of Storm and Waledac signal that Conficker's creators were likely involved with the other computer worms, according to security specialists.
"This connects the dots that the same people behind Conficker are the people behind Waledac and Storm," Ferguson said, noting that evidence is pointing to an organized hacker enterprise in the Ukraine.
"These are well-funded organized cyber-criminals in Eastern Europe. They want to steal people's money out of their pockets without being noticed. This same criminal operation is very business savvy."
Hackers are increasingly hiding viruses in bogus computer security software to trick people into installing treacherous programs on machines, Microsoft warned earlier this month.
Rogue security software referred to as "scareware" pretends to check computers for viruses, and then claims to find dangerous infections that the program will fix for a fee.
"The rogue software lures them into paying for protection that, unknown to them, is actually malware offering little or no real protection, and is often designed to steal personal information," Microsoft said.
Hackers have been capitalizing on hype and fear surrounding Conficker to trick people into loading scareware onto computers.
A task force assembled by Microsoft has been working to stamp out Conficker, also referred to as DownAdUp, and the software colossus has placed a bounty of 250,000 dollars on the heads of those responsible for the threat.
The worm, a self-replicating program, takes advantage of networks or computers that haven't kept up to date with security patches for Windows.
It can infect machines from the Internet or by hiding on USB memory sticks carrying data from one computer to another.
Conficker could be triggered to steal data or turn control of infected computers over to hackers amassing "zombie" machines into "botnet" armies.
Ferguson believes Conficker's creators are out for cash, not wanton destruction, but that the worm's spread is a sobering reminder that botnets could be turned against Internet-linked parts of national infrastructures.
"How do you rationalize connecting critical networks to the Internet when those kinds of attacks are possible?" Ferguson asked rhetorically.
"We used to joke that the only guarantee for 100 percent security is a pair of wire cutters."