• Lucid Dreaming - Dream Views




    1. #1
      Not Baņņed Yet Dairyman's Avatar
      Join Date
      Feb 2009
      Location
      Australia
      Posts
      201
      Likes
      2
      DJ Entries
      2

      New Conficker variant to come on April 1

      Full story here.

      Don't forget to update your firewalls, antivirus and antispyware software and do Windows Updates ASAP. You only have 2 days from the day this was posted.

    2. #2
      Haha. Hehe. Achievements:
      Made Friends on DV 1 year registered 10000 Hall Points Veteran First Class
      Mes Tarrant's Avatar
      Join Date
      May 2007
      Gender
      Location
      New Zea-la-land
      Posts
      6,775
      Likes
      36
      Yikes. Thanks for posting that... Why the hell do people write worms like this??

    3. #3
      Not Baņņed Yet Dairyman's Avatar
      Yikes. Thanks for posting that... Why the hell do people write worms like this??
      You're welcome. I guess it's to attract attention, or maybe just pure boredom? In any way, it's still very sick.

    4. #4
      !DIREKTOR! Adam's Avatar
      Join Date
      Jan 2007
      Gender
      Location
      Aquanina's closet
      Posts
      5,195
      Likes
      34
      Quote Originally Posted by Mes Tarrant View Post
      Yikes. Thanks for posting that... Why the hell do people write worms like this??
      I'm guessing it's to receive kudos from other hackers, to see who can create the most carnage!

      Anyway, 1st April??

    5. #5
      FBI agent Ynot's Avatar
      Join Date
      Oct 2005
      Gender
      Location
      Southend, Essex
      Posts
      4,337
      Likes
      14
      Quote Originally Posted by Adam View Post
      I'm guessing it's to receive kudos from other hackers, to see who can create the most carnage!
      10 years ago, yeah
      Today, it's all about organised crime

      Folks, don't rely on your anti-virus software
      One of Conficker's strengths (the thing that's made headlines for half a year) is its ability to cripple anti-virus software, preventing detection (let alone removal)

      Conficker infects a machine and lies dormant, waiting....
      I don't know where this 1st April date comes from, but it's certainly waiting on a timer for something

      You may want to watch this
      http://www.cbsnews.com/video/watch/?id=4901282n

      Observant viewers of the above may catch a glimpse of the security expert from Symantec using a different Operating System to monitor the infected Windows machine. Just for kicks, here's a screen capture

      snapshot1.jpg

      Anyway, this should be interesting to watch
      (Haven't had a real nasty Windows infection for a while now)

      Have fun
      (\_ _/)
      (='.'=)
      (")_(")

    6. #6
      Not Baņņed Yet Dairyman's Avatar
      Ah... Thanks for that.

    7. #7
      Member
      Join Date
      Dec 2008
      Posts
      90
      Likes
      0
      Quote Originally Posted by Adam View Post
      I'm guessing it's to receive kudos from other hackers, to see who can create the most carnage!

      Anyway, 1st April??
      I don't think so, I think it is financially motivated, such a virus is worth millions.



      Macs FTW

    8. #8
      Mes Tarrant's Avatar
      Wait just a sec.

      This couldn't possibly be... an April Fool's joke... could it?

      Also considering the scan they offer in that article isn't compatible with Firefox?

      Okay now that that thought has crossed my mind, I'm like 98% sure that this is a joke.

      God fucking dammit.

    9. #9
      Member Robot_Butler's Avatar
      Join Date
      Aug 2007
      LD Count
      Tons
      Gender
      Location
      Bay Area, California
      Posts
      6,319
      Likes
      799
      DJ Entries
      75
      I think the April 1st date is the joke, but the worm is very real. I think the reason people are worried, is because April 1st is a logical day for something like this to blow up.

    10. #10
      Mes Tarrant's Avatar
      Quote Originally Posted by Robot_Butler View Post
      I think the April 1st date is the joke, but the worm is very real. I think the reason people are worried, is because April 1st is a logical day for something like this to blow up.
      Which is why the joke is so successful.. because it actually makes sense.

      It's just gotta be a joke. I think all the problems with the free scan is a dead giveaway.

    11. #11
      Member
      Quote Originally Posted by Mes Tarrant View Post
      Which is why the joke is so successful.. because it actually makes sense.

      It's just gotta be a joke. I think all the problems with the free scan is a dead giveaway.
      A joke that all mainstream media has reported on in a serious fashion?
      I doubt it... Turn on the news, read the paper, it's real.

    12. #12
      Mes Tarrant's Avatar
      Ok, googled Conficker and here's a quote from the first link that popped up (unrelated to whether or not it's a joke, but still important):

      Microsoft issued a software update that protects computers from Conficker in October. Most anti-virus software will also stop it. The result is that while Conficker is spreading rapidly, it is mainly doing so in parts of the world where people haven’t updated their systems. About 29% of infections are in China, followed by Argentina, Brazil, Russia, and India, according to Symantec. Many of these countries are among those with the highest rate of software piracy, which probably isn’t a coincidence. Less than 1% of infections appear to be in the U.S. according to multiple security researchers.

    13. #13
      Antagonist Achievements:
      1 year registered Veteran First Class Made lots of Friends on DV Referrer Bronze 10000 Hall Points
      Invader's Avatar
      Join Date
      Jan 2004
      Location
      Discordia
      Posts
      3,239
      Likes
      535
      Quote Originally Posted by Ynot View Post
      Today, it's all about organised crime
      Quote Originally Posted by plg6067 View Post
      I think it is financially motivated, such a virus is worth millions.
      This. And were it personally up to me, I'd trigger Conficker the day after April fool's, just to be that much more of an ass.

      Also, I thought the accepted term for a malicious software writer was 'cracker'. Hackers are the good guys hm?

    14. #14
      FBI agent Ynot's Avatar
      Quote Originally Posted by Mes Tarrant View Post
      Ok, googled Conficker and here's a quote from the first link that popped up (unrelated to whether or not it's a joke, but still important):

      Microsoft issued a software update that protects computers from Conficker in October. Most anti-virus software will also stop it. The result is that while Conficker is spreading rapidly, it is mainly doing so in parts of the world where people haven’t updated their systems. About 29% of infections are in China, followed by Argentina, Brazil, Russia, and India, according to Symantec. Many of these countries are among those with the highest rate of software piracy, which probably isn’t a coincidence. Less than 1% of infections appear to be in the U.S. according to multiple security researchers.
      with all due respect, it's a lot more complicated than just updating windows....
      Conficker has had half-a-dozen variants and it is remotely updatable

      The MS update in October 2008 patched against Conficker A

      Bob gets infected (windows not patched)
      Bill doesn't get infected (windows patched)
      Bob's Conficker is remotely updated with a new attack vector
      Bob infects Bill using the new attack vector

      The newest variant of Conficker, C, was only launched on the 4th of March - that's less than a month ago

      Here's a full analysis of Conficker C
      http://mtc.sri.com/Conficker/addendumC/

      This is going to be big


      *edit*
      Some nice quotes from the above analysis

      Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker. Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.
      Like Conficker B, C incorporates logic to defend itself from security products that would otherwise attempt to detect and remove it. C spawns a security product disablement thread. This thread disables critical host security services, such as Windows defender, as well as Windows services that deliver security patches and software updates. These changes effectively prevent the victim host from receiving automated software updates. The thread disables security update notifications and deactivates safeboot mode as a future reboot option. This first thread then spawns a new security process termination thread, which continually monitors for and kills processes whose names match a blacklisted set of 23 security products, hot fixes, and security diagnosis tools.
      Conficker C incorporates a variety of strategies to secure and defend its installation on the victim host. To do this, C employs several measures to cloak its presence, as well as measures to kill or disable security products that would otherwise detect its presence. C's assault on security products begins right away, just after its mutex checks (to detect new installs from reinfections). At each process initialization, it performs an in-memory patch of the host's DNS resolution services to prevent domain lookups to a variety of security product (and research) sites. C then spawns a separate thread to halt and disable security and update services, and then enters an infinite loop. There, it continually searches for and terminates active security products and patches. These steps are performed each time C is invoked.

      Upon first installation, C installs itself and obfuscates its presence on the victim's host. These steps allow it to avoid easy diagnosis and removal by an attentive user. It deletes all restore points prior to its infection to thwart rollback, and sets NTFS file permissions on its stored file image to prevent write and delete privileges. Most of this logic also appeared in prior version, but here we find some extensions and updates.

      C also incorporates logic to disable Windows' firewall protection of certain high-order UDP and TCP ports. These firewall adjustments are not performed at initialization, but rather occur when C enters its network communication logic.
      Last edited by Ynot; 03-31-2009 at 01:39 AM.
      (\_ _/)
      (='.'=)
      (")_(")

    15. #15
      Banned
      Join Date
      Apr 2004
      Gender
      Location
      日本 Nippon
      Posts
      410
      Likes
      1
      Microsoft has a nice Knowledgebase (specifically for Conficker.C worm) that may be helpful as well.

      Here's the link http://support.microsoft.com/kb/962007

      Also it's been mentioned that the Conficker worm, although while dormant will not allow a user to access www.microsoft.com , www.symantec.com or www.us.mcafee.com. Make sure you have accessibility to either of these as well.

      --Edit-- If you're on an Apple system or running a Linux based system then you're pretty much immune from this particular virus, nothing to worry about.
      Last edited by Emi Chan; 03-31-2009 at 05:27 PM.
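
The reachability check suggested in the post above can be scripted. This is an added example, not part of the thread or of Microsoft's guidance: it looks up the three sites named in the post and compares the result with a control name (`www.example.com`, an assumption), so a dead network connection is not mistaken for blocking; the function and verdict names are made up for this example.

```python
import socket

# Sites the post above says an infected host cannot reach.
VENDOR_DOMAINS = ["www.microsoft.com", "www.symantec.com", "www.us.mcafee.com"]
# Assumption: an unrelated name that should resolve whenever DNS works at all.
CONTROL_DOMAINS = ["www.example.com"]


def system_resolver(name):
    """Return True if the operating system's resolver finds an address."""
    try:
        return bool(socket.getaddrinfo(name, 80))
    except OSError:  # socket.gaierror is a subclass: the lookup failed
        return False


def check_blocking(resolve=system_resolver,
                   vendors=VENDOR_DOMAINS, controls=CONTROL_DOMAINS):
    """Compare vendor lookups with control lookups and classify the result.

    Verdicts (names chosen for this example):
      inconclusive - no control name resolves, so DNS itself is down
      no-symptom   - every vendor site resolves
      suspicious   - DNS works but every vendor site fails
      partial      - DNS works and only some vendor sites fail
    """
    working_controls = [d for d in controls if resolve(d)]
    blocked = [d for d in vendors if not resolve(d)]
    if not working_controls:
        verdict = "inconclusive"
    elif not blocked:
        verdict = "no-symptom"
    elif len(blocked) == len(vendors):
        verdict = "suspicious"
    else:
        verdict = "partial"
    return {"verdict": verdict, "blocked": blocked}


if __name__ == "__main__":
    result = check_blocking()
    print(result["verdict"], result["blocked"])
```

A "suspicious" or "partial" verdict is a reason to look closer, for instance with the KB article linked in the post; a filtering proxy or a DNS outage at one vendor produces the same pattern.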

    16. #16
      The 'stache TweaK's Avatar
      Join Date
      Jul 2006
      Location
      The Netherlands
      Posts
      1,979
      Likes
      12
      I laughed at "This must be a joke", and it isn't even April's fools yet!

    17. #17
      FBI agent Ynot's Avatar
      Quote Originally Posted by Switch View Post
      --Edit-- If you're on an Apple system or running a Linux based system then you're pretty much immune from this particular virus, nothing to worry about.
      what do you mean "this particular virus".....?

      Anyway, survival of the fittest
      Ready!
      Go!


      *edit*
      On a serious note,
      £10 says nothing happens tomorrow

      The threat is very real
      but I just don't trust this "1st April" date
      Last edited by Ynot; 03-31-2009 at 07:23 PM.
      (\_ _/)
      (='.'=)
      (")_(")

    18. #18
      Banned
      Quote Originally Posted by Ynot View Post
      what do you mean "this particular virus".....?
      I put it that way because Linux and Apple are not completely immune from viruses at all. No one is writing malicious code for them because of the user group numbers compared to windows based user groups numbers. If I were a hacker, chances are I would not write a virus for an OS that many people do not use. I'd try to do the most wide-spread damage as possible and to as many people as possible.

      However I do think that one of the biggest vulnerabilities of Linux and Apple is that many users think it is not vulnerable to viruses.

    19. #19
      FBI agent Ynot's Avatar
      Quote Originally Posted by Switch View Post
      I put it that way because Linux and Apple are not completely immune from viruses at all. No one is writing malicious code for them because of the user group numbers compared to windows based user groups numbers. If I were a hacker, chances are I would not write a virus for an OS that many people do not use. I'd try to do the most
      I don't want to sound arrogant,
      but that's simply not true


      *edit*
      Google runs on Linux
      Most banks run on Linux (the rest are proprietary UNIX)
      The NSA runs Linux
      etc.
      etc.
      etc.
      basically, anything of any real importance runs a *nix OS

      You think targeting someone's desktop machine is more valuable than targeting server farms and core infrastructure?
      Desktop machines are small fry

      Compromise a bank system and zero everyone's account
      That'd be impressive
      Last edited by Ynot; 03-31-2009 at 08:01 PM.
      (\_ _/)
      (='.'=)
      (")_(")

    20. #20
      The 'stache TweaK's Avatar
      Quote Originally Posted by Ynot View Post
      Compromise a bank system and zero everyone's account
      That'd be impressive
      Exactly. That'd be impressive. Black hat hackers / malicious code writers (to call it that) don't really care that much about impressing, I think. By infecting tens of thousands of desktops they can also get the credit card data etc., and that's without trying to hack into an effin' bank.

      Of course core infrastructure, server farms etc etc are way more important and are a way bigger deal, but that's exactly it - it's a way bigger deal. Infecting tens of thousands of desktops is easy (all relative of course) and you can also get a fuckload of money if you play it right.

      That's not to say they can get away with it that easily, especially if they empty a shitload of bank accounts. But that's not exactly how it works.

    21. #21
      FBI agent Ynot's Avatar
      Quote Originally Posted by TweaK View Post
      Infecting tens of thousands of desktops is easy
      indeed,
      but it's only easy due to the OS of 85% of desktop machines

      seriously,
      Windows is targeted because Windows is inherently insecure
      no more, no less

      Also,
      http://www.securityfocus.com/columnists/188
      (\_ _/)
      (='.'=)
      (")_(")

    22. #22
      Banned
      You're right in regards to everything you've mentioned but it doesn't disregard that a Linux based system is vulnerable also. They are not as vulnerable as windows but in the same retrospect it is vulnerable. Because I am 100% sure that Google, The NSA and Most banks who are running Linux are running some kind of AV software. You don't know if you're going to get in an accident but you buckle up for your safety when you get into your car just in case, because it could happen and cars have crashed before.

    23. #23
      FBI agent Ynot's Avatar
      There is no Anti-Virus software that scans for Linux viruses
      because there are no Linux viruses in the wild

      Anti-Virus software for Linux scans for Windows viruses
      they are designed to be used on mail gateways and file servers which serve Windows clients

      While not vulnerable to infections themselves, Linux machines can play a part in virus propagation

      One Windows client can infect another Windows client, by sending a nasty email through a Linux mail server

      *nix machines are only vulnerable to unauthorised access
      (\_ _/)
      (='.'=)
      (")_(")

    24. #24
      Banned
      Quote Originally Posted by Ynot View Post
      There is no Anti-Virus software that scans for Linux viruses
      because there are no Linux viruses in the wild
      Symantec has had several AVs specifically for Linux platforms for the past 7 or 8 years.

      Quote Originally Posted by Ynot
      Anti-Virus software for Linux scans for Windows viruses
      they are designed to be used on mail gateways and file servers which serve Windows clients
      The AV software I've seen scanned files in the ELF format. I cannot remember the name of it but I will definitely find it and link it to back up what I'm saying. All I'm saying Ynot is that Linux is not invulnerable, there are viruses that have been written specifically for Linux in the past and there will be more written in the future.

    25. #25
      FBI agent Ynot's Avatar
      I'm sure AV vendors will try to sell Linux Anti-Virus software
      (there's been a very profitable market created for AV because of MS)
      but it's snake oil

      *edit*
      a few more articles and things

      http://www.linux.com/feature/60208

      http://www.techthrob.com/2009/03/02/...gram-on-linux/

      https://help.ubuntu.com/community/Linuxvirus
      Last edited by Ynot; 03-31-2009 at 09:25 PM.
      (\_ _/)
      (='.'=)
      (")_(")
