Title: Conficker computer worm wakes up
CG - April 9, 2009 08:31 PM (GMT)
(CNET) -- The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.
Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.
The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.
The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.
Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.
"After May 3, it shuts down and won't do any replication," Perry said. However, infected computers could still be remotely controlled to do something else, he added.
On Tuesday night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.
"As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP," the blog post says. "The Conficker/Downad P2P communications is now running in full swing!"
In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.
The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.
Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.
Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.
The worm spreads via a hole in Windows that Microsoft patched in October, as well as through removable storage devices and network shares with weak passwords.
The worm disables security software and blocks access to security Web sites.
Ward - April 9, 2009 09:31 PM (GMT)
I already downloaded the anti-virus and emailed it to myself just in case ja
Hendrick4life - April 9, 2009 09:33 PM (GMT)
Welcome Back, S.O.B. I kinda knew it may be real, but I just believed the Experts. Surprising to see that it will only last until May 2nd :huh:.
-Curtis J.
Aaron - April 9, 2009 09:37 PM (GMT)
I have like IE 6 or 7 on an IBM Thinkpad, I think it has Windows 2000 on it. Does this whole mess affect only the newer computers and/or downloads?
Bustos - April 9, 2009 09:41 PM (GMT)
If I don't have the newest updates for Windows am I fucked?
I have Windows XP SP2 with just Firefox
Hendrick4life - April 9, 2009 10:18 PM (GMT)
Go Get Windows XP SP3. I tried to find the file so I could link it but couldn't.
Go and Run Microsoft Update. If anything, it will download the files you need. If nothing downloads then run the Malicious Software Removal Tool - From March 2009. Also check & make sure your anti-virus is up to date.
Microsoft Malicious Software Removal Tool - March 2009
To Aaron: Yes it may still affect you. From what I know, if you have access to the Internet you have access to the worm. Follow the instructions I gave Jake, and you should be all set.
-Curtis J.
Jake - April 9, 2009 10:19 PM (GMT)
I don't even have any anti-virus shit lul
Hendrick4life - April 9, 2009 10:26 PM (GMT)
If you don't have Anti-Virus, download Microsoft Defender
Windows Defender - 2009 Build
Microsoft Defender no longer supports Windows 2000 though. Also it's only one small step to helping detect it. Defender may not remove it though.
-Curtis J.
deijr1238 - April 10, 2009 04:26 PM (GMT)
Don't fucking worry about it. Viruses are released everyday, and how many of them actually fuck up computers? The only reason everyone is so worried about this one is because of the media attention, what makes it any different than the others?
BASSPRO8 - April 10, 2009 11:03 PM (GMT)
Hendrick4life - April 10, 2009 11:24 PM (GMT)
| QUOTE (deijr1238 @ Apr 10 2009, 11:26 AM) |
| Don't fucking worry about it. Viruses are released everyday, and how many of them actually fuck up computers? The only reason everyone is so worried about this one is because of the media attention, what makes it any different than the others? |
+1
-Curtis J.
CG - April 10, 2009 11:45 PM (GMT)
Better to be safe than sorry