Posts tagged conficker
Conficker as a weapon for Cyber attack
Nov 4th
Conficker worm could be ‘weaponized,’ web security researcher warns
November 2, 2009
In the year since the inception of the Conficker worm, a malicious strain of virus that has infected computers all over the globe, security researchers have tracked its spread to as many as 7 million machines.
Although internet security researchers at the Conficker Working Group advise that it is impossible to track the exact number of PCs infected by Conficker, the latest estimates put the worm’s spread at around the 7 million mark, a milestone in the making of a huge botnet, according to Computerworld.
Botnets are controlled by hackers, cyber criminals or sometimes governments for the purpose of launching spam, malware and distributed denial-of-service (DDoS) attacks, which overwhelm web servers with malicious traffic that slows or crashes websites.
As an element of cyber war, DDoS attacks require a botnet large enough to overpower defenses, according to security experts. Andre DiMino, co-founder of The Shadowserver Foundation, said a botnet the size of Conficker could be “weaponized” in a cyber attack.
“This is certainly a botnet that could be weaponized,” DiMino said, according to Computerworld. “When you have a net of this magnitude, the sky’s the limit in terms of what could be done.”
DDoS attacks launched last July shut down government, banking and commercial sites in the U.S. and South Korea. Smaller attacks have hit sites like Twitter, Facebook and news websites.
Conficker Worm Awakens, Downloads Rogue Anti-virus Software
Apr 13th
Security experts nervously watching computers infested with the prolific Conficker computer worm say they have begun seeing infected hosts downloading additional software, including a new rogue anti-virus product.
Since its debut late last year, the collection of hundreds of thousands – if not millions – of systems sick with Conficker has somewhat baffled security researchers, who are accustomed to seeing such massive networks being used for money-making criminal activities, such as relaying junk e-mail.
Today, however, that mystery evaporated, as anti-virus companies reported seeing Conficker systems being updated with SpywareProtect2009, a so-called “scareware” product that uses fake security alerts to frighten consumers into paying for bogus computer security software.
According to Kaspersky Labs, once the scareware is downloaded, the victim will see the usual warnings, “which naturally asks if you want to remove the threats it’s ‘detected’. Of course, this service comes at a price – $49.95.” Kaspersky reports that the rogue anti-virus product is being downloaded from a Web server in Ukraine.
This development adds an interesting wrinkle. The first version of Conficker contained within its genetic makeup instructions telling infected systems to visit a site called TrafficConverter.biz. As I noted last month, this was a site where distributors of rogue anti-virus products would go for the latest programs and links to the latest download locations. Many affiliates were making six-figure paychecks each month distributing this worthless software by various means, all of them extremely sneaky if not downright illegal.

In its bi-annual security report released this week, Microsoft cited rogue anti-virus as one of the most prolific and fastest-growing threats facing Windows users today.
The rogue anti-virus software, however, was not the only piece of rubbish sent to Conficker-infected systems this week. Researchers at Trend Micro reported the first stirrings of Conficker.C on Wednesday, when they noticed a new file show up in the temporary directory of a number of test machines they’d infected with the worm. They later determined the file had been placed there via Conficker’s built-in peer-to-peer (P2P) communications capability, which allows large groupings of infected systems to hand off software updates and instructions being pushed out by the worm authors.
Trend found that the update was a version of the Waledac family of spam Trojans. Due to similarities in the code and other telltale signs, researchers consider Waledac to be the reincarnation of the “Storm worm,” a spam virus that also used a sophisticated P2P mechanism to spread and share updates.
The Conficker update also sets up a Web server on the infected system, re-enables the ability to spread itself through the Microsoft Windows vulnerability that caused the outbreak in the first place (this spreading capability was absent in the Conficker version prior to this update). It also instructs the Waledac component to remove itself if the date is on or after May 3, 2009.
Perhaps due to some ill-understood logic within Conficker, not all of the systems infected with Conficker.C are receiving the latest updates, said Paul Ferguson, an advanced threat researcher at Trend.
“We’ve seen it happen very slow and staggered,” he said. “We have several nodes that have it and several that don’t.”
Ferguson said there are still several components tucked away in this Conficker update that researchers are struggling to unlock. But he said it’s evident the worm’s authors are ready to start putting it to work.
“There are still some unknowns here, but things are becoming a lot more clear, and it certainly seems they’re making a move here to finally monetize all this effort,” Ferguson said.
Conficker wakes up, updates via P2P, drops payload
Apr 10th
The Conficker worm is finally doing something: updating via peer-to-peer communication between infected computers and dropping a mystery payload on them, Trend Micro said on Wednesday.
Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

The software appeared to be a .sys component hiding behind a rootkit, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.
The worm also tries to connect to MySpace.com, MSN.com, eBay.com, CNN.com and AOL.com as a way to test that the computer has Internet connectivity, deletes all traces of itself in the host machine, and is set to shut down on May 3, according to the TrendLabs Malware Blog.
Because infected computers are receiving the new component in a staggered manner rather than all at once there should be no disruption to the Web sites the computers visit, said Paul Ferguson, advanced threats researcher for Trend Micro.
“After May 3, it shuts down and won’t do any replication,” Perry said. However, infected computers could still be remotely controlled to do something else, he added.
Last night Trend Micro researchers noticed a new file in the Windows Temp folder and a huge encrypted TCP response from a known Conficker P2P IP node hosted in Korea.
“As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP,” the blog post says. “The Conficker/Downad P2P communications is now running in full swing!”
In addition to adding the new propagation functionality, Conficker communicates with servers that are associated with the Waledac family of malware and its Storm botnet, according to a separate blog post by Trend Micro security researcher Rik Ferguson.
The worm tries to access a known Waledac domain and download another encrypted file, the researchers said.
Conficker.C failed to make a splash a week ago despite the fact that it was programmed to activate on April 1. It has infected between 3 million and 12 million computers, according to Perry.
Initially, researchers thought they were seeing a new variant of the Conficker worm, but now they believe it is merely a new component of the worm.
The worm spreads via a hole in Windows that Microsoft patched in October (MS08-067), as well as through removable storage devices and network shares with weak passwords.
The worm disables security software and blocks access to security Web sites. To check whether your computer is infected you can use this Conficker Eye Chart or this site at the University of Bonn.
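The Eye Chart test mentioned above works by exploiting the worm’s own behaviour: an infected host can still reach ordinary sites but cannot reach security vendors’ sites, so loading something from both groups and comparing the results gives a quick indicator. The script below is an added example of that logic written for this page; it is not the Eye Chart’s own code nor anything from Trend Micro or the worm authors. The vendor and control host lists, the substring model of the worm’s DNS blocking, and the verdict thresholds are all assumptions made for illustration.

```python
"""Eye-chart style check for selective blocking of security-vendor sites.

Added example for this page, not code from the original post or the
Conficker Eye Chart. Host lists and the blocking model are assumptions.
"""
from typing import Callable, Dict, Sequence
import urllib.error
import urllib.request

# Assumed lists for illustration: vendor hosts Conficker-style blocking
# would deny, and control hosts it leaves alone (the worm itself probed
# sites such as CNN and eBay for connectivity).
VENDOR_HOSTS = ("www.symantec.com", "www.trendmicro.com", "www.f-secure.com")
CONTROL_HOSTS = ("www.cnn.com", "www.ebay.com")

Fetcher = Callable[[str], bool]


def live_fetch(host: str, timeout: float = 5.0) -> bool:
    """Return True if an HTTP request to `host` reaches a web server.

    An HTTP error status (403, 404, ...) still proves the host was
    reachable; only DNS failures, connection errors and timeouts count
    as blocked.
    """
    try:
        urllib.request.urlopen(f"http://{host}/", timeout=timeout).close()
        return True
    except urllib.error.HTTPError:
        return True
    except Exception:  # URLError, socket.timeout, ConnectionError ...
        return False


def make_blocking_fetcher(blocked_substrings: Sequence[str]) -> Fetcher:
    """Constructed stand-in for an infected host (for offline use).

    Simplified model of the worm's DNS filtering: any hostname containing
    one of the listed substrings fails to resolve; everything else works.
    """
    def fetch(host: str) -> bool:
        return not any(s in host.lower() for s in blocked_substrings)
    return fetch


def eye_chart(fetch: Fetcher,
              vendors: Sequence[str] = VENDOR_HOSTS,
              controls: Sequence[str] = CONTROL_HOSTS) -> Dict[str, object]:
    """Probe vendor and control hosts; return counts and a verdict.

    inconclusive - no control host reachable, the box may just be offline
    clean        - every vendor host reachable
    suspicious   - controls reachable but every vendor host blocked
    partial      - mixed results; check proxies/web filters before
                   blaming malware
    """
    vendor_ok = sum(1 for h in vendors if fetch(h))
    control_ok = sum(1 for h in controls if fetch(h))
    if control_ok == 0:
        verdict = "inconclusive"
    elif vendor_ok == len(vendors):
        verdict = "clean"
    elif vendor_ok == 0:
        verdict = "suspicious"
    else:
        verdict = "partial"
    return {"vendor_ok": vendor_ok, "vendor_total": len(vendors),
            "control_ok": control_ok, "control_total": len(controls),
            "verdict": verdict}


if __name__ == "__main__":
    # Offline demonstration against the constructed infected-host model,
    # then a live probe of the machine this runs on.
    infected = make_blocking_fetcher(["symantec", "trendmicro", "f-secure"])
    print("simulated infected host:", eye_chart(infected))
    print("live check:", eye_chart(live_fetch))
```

Treat a "suspicious" result as an indicator, not proof: a corporate web filter that denies access to vendor sites produces the same pattern, and a host whose HTTP traffic goes through a proxy that resolves names on its behalf may pass the check even when infected, because the worm’s local DNS filtering never sees the vendor hostname. Follow up with an offline scanner or the University of Bonn check rather than relying on this alone.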