31st March 2009, 17:44   #1
kaushik_s, Senior - BHPian (Join Date: Sep 2006, Location: Bangalore)
Conficker.C threat to cyber world? What is it?

Seems like this virus/worm is going to attack computers, basically residing inside DLLs, sending data to its authors and also spreading itself. And this is going to be activated on the 1st of April. Initially, when I heard about it, I thought it was another April Fool prank. But after seeing a mail from our IT dept. and then checking the net about it, this looks to be a real threat. (Check about the virus here - An Analysis of Conficker C)

What I understood from the readings is that once this worm attacks a system, it makes that system its host. Then it disables all the security protocols (you can't even access any of the websites related to security) so that no anti-virus or patch can be downloaded or run. Then it makes the system a kind of server to spread itself again. Also, it will be downloading something which no one yet knows what it is.
I guess many here would have a better idea about this virus, so please share your thoughts. And mods/admins, are the TBHP servers updated to thwart this threat? I hope they are.
31st March 2009, 18:36   #2
condor, Distinguished - BHPian (Join Date: Jun 2006, Location: Speed-brkr City)

A botnet virus, also known as W32.Downadup.x (x = A / B / C). A virus that a lot of organizations are trying to fight.

Apply the MS08-067 Microsoft patch immediately. AND REBOOT YOUR SYSTEM.

More details here:
Conficker - April 1st Virus - April Fools Virus - W32.Downadup Worm | The Conficker C Worm
31st March 2009, 19:48   #3
kaushik_s, Senior - BHPian (Join Date: Sep 2006, Location: Bangalore)

Yeah, thanks Condor. And it seems like I missed another IT upgrade which tells us to check if that patch is applied or not.
How to check: look in Add/Remove Programs for "KB958644" under Windows XP software updates. If it isn't there, get the patch from the Microsoft site.
31st March 2009, 22:43   #4
black12rr, Senior - BHPian (Join Date: Dec 2005, Location: Ridin earth now)

Quote: Originally Posted by kaushik_s
Yeah, thanks Condor. And it seems like I missed another IT upgrade which tells us to check if that patch is applied or not.
How to check: look in Add/Remove Programs for "KB958644" under Windows XP software updates. If it isn't there, get the patch from the Microsoft site.

You will not see any installed updates in Add/Remove Programs unless you CHECK the check box in that window which says "SHOW UPDATES"; then it will list the installed updates as well.
31st March 2009, 23:09   #5
govigov, Senior - BHPian (Join Date: Oct 2007, Location: Cochin!!!!!)

Got this via email.

What Will Conficker Bring on April 1 ? Posted on PCMag.com 03.26.09
The latest variant of the worm, Conficker.C, is programmed to do something on April 1. But what exactly will happen? The scary thing is, no one can say for sure.

The "A" and especially "B" variants of this worm (also known as Downadup) have built a botnet estimated at several million PCs, almost exclusively through exploitation of the MS08-067 vulnerability in Windows. Conficker added some innovative techniques to update itself through a large number of domains, the names of which were algorithmically generated by the program. Because the names were deterministic, it was possible for the DNS authorities (VeriSign, et al) to block the names. With few exceptions, the worm has been unable to spread since that point several weeks ago.

Then the C variant came along. It adds a number of defensive measures designed to protect itself from detection and removal and it ratchets up the number of domains it can check for updates. As this very large and thorough analysis of Conficker.C from SRI International says, "...Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day." Thus "C" should generate less traffic than the earlier versions, especially in as much as it filters the IP addresses for these domains to make them work better and avoid detection.

Avoiding detection is a major theme with Conficker.C. It's not the first malware to try to defend itself in-memory against security software and diagnostic tools, but "C" does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center. Make sure that the update mechanisms for Windows and your anti-malware are actually occurring because Conficker can turn them off.

But the big news with "C" is that the code is scheduled to come alive on April 1 and start contacting the 50,000 domains and download something. What will they download? What will it make the bots do? Honestly, nobody knows. This is the great mystery.

It is possible for "C" to spread in part because there is a direct push mechanism in "B," allowing an outside system to contact it and provide a domain name from which it should download an update, presumably "C".

Conficker is really sophisticated as malware goes. It's clear that its authors are smart people and perhaps that's what's got security people worried. But the only rational way to approach this is to do the things you know you need to do anyway and then not get hung up on it. Remember, there's a very good chance that on April 1 nothing much will happen.

Last edited by govigov: 31st March 2009 at 23:11. Reason: removed HTML tags
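An added detection example in Python (not from the thread or the quoted PCMag article): a heuristic over a DNS query log that flags hosts resolving an unusually large number of distinct names exactly once in a day, which is the rendezvous pattern the article above attributes to Conficker.C (500 generated domains per day, each queried only once). The log format, the sample entries and the 100-domain cutoff are all assumptions made for this example.

```python
from collections import defaultdict

# Constructed sample DNS query log (format assumed: date time client domain).
# 10.0.0.5 is an ordinary host; 10.0.0.9 mimics a Conficker.C bot querying
# 500 algorithmically generated names, each exactly once, on April 1st.
SAMPLE_LOG = """\
2009-04-01 08:00:01 10.0.0.5 www.example.com
2009-04-01 08:00:02 10.0.0.5 update.microsoft.com
2009-04-01 08:05:10 10.0.0.5 www.example.com
""" + "\n".join(
    f"2009-04-01 09:{i // 60:02d}:{i % 60:02d} 10.0.0.9 qz{i * 7919}.org"
    for i in range(500)
)


def parse_log(text):
    """Yield (day, client, domain) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        day, _time, client, domain = parts
        yield day, client, domain.lower().rstrip(".")


def single_query_domains(text):
    """Map (day, client) to the set of domains that client resolved only once."""
    counts = defaultdict(lambda: defaultdict(int))
    for day, client, domain in parse_log(text):
        counts[(day, client)][domain] += 1
    return {key: {d for d, n in per.items() if n == 1}
            for key, per in counts.items()}


def flag_dga_hosts(text, threshold=100):
    """Return {(day, client): count} for hosts at or above the cutoff.

    100 is an assumed cutoff, well under the 500-per-day figure quoted in
    the thread, so a bot caught partway through its daily list still trips it.
    """
    return {key: len(domains)
            for key, domains in single_query_domains(text).items()
            if len(domains) >= threshold}


if __name__ == "__main__":
    for (day, client), n in flag_dga_hosts(SAMPLE_LOG).items():
        print(f"{day} {client}: {n} domains queried once (DGA suspect)")
```

On a real resolver log, a host tripping this check is a candidate for the MS08-067 / KB958644 check described earlier in the thread, not a confirmed infection.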
Copyright ©2000 - 2024, Team-BHP.com