
Ever evolving, the Conficker worm has gained the ability to download updates and malware from a select handful of randomly generated domains, the ability to spread over networks by guessing weak passwords, peer-to-peer communication between infected computers, and transmission via USB. After 10 million+ infections, the worm will be updated again on April 1.  (Source: Cool Circuit)
The worm that won't go away will get an upgrade on April 1

The Conficker worm has been wreaking havoc on internet users ever since it climbed out of its slimy hole in the internet's dark nether-regions back in 2008.  Now the worm is about to get even more dangerous when it receives its latest refresh, one of a series of periodic updates, on April 1.  Security officials are bracing for the impact that the upgrade might have.

Either diabolical or brilliant, it's the Conficker worm's unique design that allowed it to infect over 8 million business computers last year and scores of individual users.  The worm, like many viruses, evolves regularly thanks to periodic downloads.  However, the techniques it uses to do so are unusual -- it cleverly generates thousands of false domains daily to throw off investigators. On the update day, it selects 500 correct domains out of the 50,000 candidates to download malware and updates from.
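The daily sweep through thousands of candidate domains described above has a defender-visible side effect: an infected host asks the resolver for many random-looking names, most of which were never registered and come back NXDOMAIN. The following is an added detection example, not code from the article or from ESET; the log format, the sample lines, and the thresholds are constructed assumptions for illustration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log excerpt (not from the article), one "<timestamp> <client> <query> <rcode>" per line.
# Host 10.0.0.9 mimics an infected machine sweeping its daily candidate list; most names are unregistered.
SAMPLE_LOG = """\
2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:03 10.0.0.9 qwzxkrpv.ws NXDOMAIN
2009-04-01T00:00:03 10.0.0.9 lmtpxqzj.cc NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 bvrkqwxz.info NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 ztkqlmvx.biz NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 pqvxzkrt.net NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 xkqzvbtr.org NOERROR
2009-04-01T00:00:06 10.0.0.5 exampel.com NXDOMAIN
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN)$")

def shannon_entropy(label):
    """Bits per character; a label of all-distinct characters scores log2(len(label))."""
    n = len(label)
    counts = Counter(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(name):
    """'qwzxkrpv.ws' -> 'qwzxkrpv', the part a generation algorithm actually produces."""
    parts = name.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def flag_dga_clients(log_text, min_lookups=5, min_nx_ratio=0.6, min_entropy=2.5):
    """Return {client: stats} for clients whose lookups look like a candidate-domain sweep.
    Thresholds are assumed starting points; tune them against your own resolver's baseline."""
    per_client = defaultdict(lambda: {"lookups": 0, "nxdomain": 0, "entropy_sum": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore malformed lines instead of aborting the sweep
        _, client, qname, rcode = m.groups()
        s = per_client[client]
        s["lookups"] += 1
        s["nxdomain"] += 1 if rcode == "NXDOMAIN" else 0
        s["entropy_sum"] += shannon_entropy(second_level_label(qname))
    flagged = {}
    for client, s in per_client.items():
        nx_ratio = s["nxdomain"] / s["lookups"]          # share of failed lookups
        mean_entropy = s["entropy_sum"] / s["lookups"]   # how random the labels look
        if s["lookups"] >= min_lookups and nx_ratio >= min_nx_ratio and mean_entropy >= min_entropy:
            flagged[client] = {"lookups": s["lookups"], "nxdomain": s["nxdomain"],
                               "nx_ratio": nx_ratio, "mean_entropy": mean_entropy}
    return flagged
```

A single typo'd lookup from 10.0.0.5 is not enough to trip the rule; the combination of volume, failure ratio and random-looking labels is what distinguishes a sweep from ordinary browsing.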

Pierre-Marc Bureau, a researcher at ESET, says that this has helped the virus evolve from an initial novice-seeming threat targeting a flaw in Windows services into a large-scale menace.  States Mr. Bureau, "From a high-level perspective, the 'A' variant gave the impression [of being] a 'test run'.  It had code that probably was not meant to be spread globally. For example, it was checking for the presence of a Ukrainian keyboard or Ukrainian IP before infecting a system."

The first run also contained a false lead -- it tried to download and execute a file called loadav.exe.  This led security researchers to believe it was just one of a pack of malware programs peddling fake antivirus software.  It turned out to be a red herring -- the file was never uploaded and the next generation did away with the feature.

In the second version, the worm continued to spread through Windows services on unpatched machines.  However, the update also granted it the power to spread over network shares by autonomously logging in to network machines with weak passwords.  It also gained the ability to copy itself onto USB sticks connected to infected machines, gaining another means of transmission.  The speed at which it scans for machines to infect was greatly improved -- in short, the worm had become a very big problem.

Finally, the worm got its third update, becoming the Downadup virus as it's now known.  The latest version added peer-to-peer communication between infected systems.  It also added new domain-generation algorithms to help disguise where it receives its updates from.

At this point the worm is already a full scale threat, and there's no telling what might happen with the next update.  Describes Mr. Bureau, "During the last week, 3.88 percent of our users have been attacked by Conficker, either because they accessed an infected device or by a network attack.  The percentage is very high and shows that a high number of computers are presently infected and that the worm is still spreading."

Estimates of the number of infected machines vary greatly, but most experts agree that over 10 million computers, largely in the business sector, were compromised last year.  The number is large enough that Microsoft, which has already offered a bounty for the worm's writers, and AOL are teaming up to try to weed out the domains it uses.  However, they face an uphill battle due to the vast number of domains the worm generates.  And law enforcement and security experts are no closer to having any clue which individual or individuals are writing the Conficker code.

Meanwhile, Conficker continues to spread and get smarter.  Its actions leave little doubt in the security community -- it's building an army of infected machines, one that could do serious damage if unleashed.

Adriel Desautels, CTO of Netragard states, "I don't think that the threat comes from the worm itself, it comes from the people that are in control of the mass of Conficker-infected systems.  Those people have an immensely powerful weapon at their disposal, and that weapon threatens all of us."

April 1 will see the attacks taken to the next level -- and it's anyone's guess what capabilities the worm might gain.


It all makes sense now...
By anonymo on 3/27/2009 9:38:52 AM , Rating: 5
Now I know why my laptop was scooting around my apartment rubbing its butt on my carpet...

RE: It all makes sense now...
By Radnor on 3/27/2009 9:41:58 AM , Rating: 5
It just wants to do some Folding@home.

Poor thing.

RE: It all makes sense now...
By WoWCow on 3/27/2009 10:19:37 AM , Rating: 2
Perhaps it's because Frenzy is on the loose; after all, he unleashed the continuously evolving virus into the military.

Or your laptop has just been affected by the AllSpark; nothing to say other than the fact that it may transform itself one day.

So-so movies with decent robots can go a long way...

By choadenstein on 3/27/2009 10:00:56 AM , Rating: 5
... On April 1st, 2009 - Skynet *cough*, excuse me, Conficker became self-aware...

RE: Self-Aware
By ADDAvenger on 3/27/2009 12:07:22 PM , Rating: 2
frick, I came here to post this

RE: Self-Aware
By bupkus on 3/27/2009 3:32:35 PM , Rating: 1
... On April 1st, 2009 - Skynet *cough*, excuse me, Conficker became self-aware...

...and decides to bake cookies.

RE: Self-Aware
By AnnihilatorX on 3/27/2009 3:51:03 PM , Rating: 2
HA April Fools!

RE: Self-Aware
By TennesseeTony on 3/28/2009 12:28:27 PM , Rating: 2
I sure hope it's an April Fools gag! I've seen this little bus-turd get through several of my favorite anti-viruses. (Users hadn't updated on some of them, others were up to date.)

Why is it so dangerous?
By sapster86 on 3/27/2009 11:37:28 AM , Rating: 2
So why is this worm so dangerous? Is it that there is no way for virus/malware scanners to detect it? If this is the case I can easily see why it's such a nightmare.
Or is it (more likely) purely the sheer number of stupid or uneducated people who either don't have an up-to-date virus scanner installed or don't do any Windows updates?

RE: Why is it so dangerous?
By PorreKaj on 3/27/2009 12:18:14 PM , Rating: 5
Sorry, but no.

At the 3rd edition of Conficker we had the breach, hitting multiple systems even though AV was fully updated (SAV hrm).
AVAST* didn't pick it up; Symantec's "Conficker/Downadup removal package" didn't pick it up.
Windows Defender + MRT didn't kill it. It just slipped right in on unpatched PCs (yes, unpatched, dunno why, I flamed the WSUS team for that one) -.- It was everywhere. Network shares, USB keys, gah :P

It didn't do any harm but it was a PIA to remove.

(First update after impact; AVAST boot scan caught it.)

It was a fun hunt though.

what's a worm?
By dare2savefreedom on 3/28/2009 1:56:43 PM , Rating: 1
I run ubuntu+fedora linux - so what's a worm?
what's a virus?

RE: what's a worm?
By stmok on 3/28/2009 3:52:23 PM , Rating: 2
Yeah, I'm a Linux user as well. But why intentionally provoke people?

This is a Windows issue, nothing to do with Linux.

RE: what's a worm?
By Hieyeck on 3/31/2009 9:21:44 AM , Rating: 1
That's like mac users saying they don't get virii. Well no shit, you don't have 90% of the market share. If you're going to spend all the time and effort to make a bomb, you're not going to make it with vinegar and baking soda.

RE: what's a worm?
By MRwizard on 3/31/2009 10:56:21 AM , Rating: 2
talk about fascism! i can't rate your post!

-1 (and -1 to dailytech for this blatant favouritism of OS's)

And no, no operating system is safe. Yes, there might only be a handful (literally) of viruses and trojans for Linux, but the point is they are still out there.

Gotta love this
By PorreKaj on 3/27/2009 11:09:27 AM , Rating: 5
I've been running around along with my colleagues all day, patching older non-automated systems to prepare for this.

Disabling Autorun - dunno why, must follow instructions though.

First I thought it was a 1 April joke, you know, "honest" programmers tricking people into updating their systems by scaring them.

Can't wait for the 1st of April.

By johnfranks999 on 3/27/2009 12:08:53 PM , Rating: 4
Most companies enjoy "security" insofar as they haven't been targeted, or had an employee make a human error with catastrophic exposure (whether exposure of sensitive data, or exposure of the organization to malware). PricewaterhouseCoopers and Carnegie Mellon's CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. Data breaches and viruses are due to a lagging business culture; absent new eCulture, breaches will, and continue to, increase. As CIO, I'm constantly seeking things that work, in hopes that good ideas make their way back to me. Check your local library: a book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome – or propagate one.

I tell you huwhat
By Randomblame on 3/27/2009 9:26:30 PM , Rating: 2
It's thos dang ol chineese man they comin at you with them hackers man all over there like wham bam lickity split man

RE: I tell you huwhat
By nunya on 3/30/2009 1:37:16 AM , Rating: 2
Damn it Boomhower, get away from the computer...

Evil Mac
By DBZLuisD on 3/28/2009 1:10:31 PM , Rating: 3
It would be funny if Apple was the one behind this worm.

By Etern205 on 3/27/2009 10:10:29 AM , Rating: 2
Worms FTW!
Not the virus, but the game like in the picture.

By brightstar on 3/27/2009 11:33:29 AM , Rating: 2
"I don't think that the threat comes from the worm itself, it comes from the people that are in control of the mass of Conficker-infected systems.

Oh, you're good, very good. I slapped myself in the head when I read that.

By Murloc on 3/27/2009 11:46:27 AM , Rating: 2
prepare for the invasion.

By DatabaseMX on 3/31/2009 3:55:05 PM , Rating: 2
I have yet to see an article that points this out!

Whos doing it?
By xenos123 on 3/27/2009 12:30:16 PM , Rating: 1
Writing something like this must have taken a lot of time and effort. Perhaps it's a group rather than an individual? It's been purposefully trying to elude authorities, which makes me think some sort of political group is doing it??

.22 hollow point...
By mattclary on 3/27/09, Rating: -1
RE: .22 hollow point...
By rdeegvainl on 3/27/2009 10:21:34 AM , Rating: 5
internet tough guys

RE: .22 hollow point...
By Seemonkeyscanfly on 3/27/09, Rating: -1
RE: .22 hollow point...
By Lord 666 on 3/27/09, Rating: -1
RE: .22 hollow point...
By Seemonkeyscanfly on 3/27/09, Rating: -1
RE: .22 hollow point...
By Seemonkeyscanfly on 3/27/2009 12:32:55 PM , Rating: 1
sorry should have started off Well on We...

RE: .22 hollow point...
By aegisofrime on 3/28/2009 12:26:34 AM , Rating: 2
Behead him with a blunt spoon.

A cookie for anyone who knows where that came from, because I have no idea myself.

RE: .22 hollow point...
By nidomus on 3/28/2009 3:41:12 PM , Rating: 1
Scoop their eyes out with a melon baller.

RE: .22 hollow point...
By xKeGSx on 3/28/2009 4:26:41 PM , Rating: 2
Behead him with a blunt spoon.

All I know is:
I'll cut his heart out with a spoon!

Said by: Sheriff of Nottingham
Movie: Robin Hood: Prince of Thieves

RE: .22 hollow point...
By Byte on 3/27/2009 3:51:28 PM , Rating: 2
Anyone know what patch specifically plugs the hole this worm uses? Is it already in SP2 XP? Also anyone know where I can download this worm to test out all my antivirus software?

RE: .22 hollow point...
By bodar on 3/28/2009 7:08:29 AM , Rating: 2
And people keep telling me to get SP2....
By goku on 3/27/09, Rating: -1
RE: And people keep telling me to get SP2....
By vistaisfine on 3/28/2009 1:14:32 AM , Rating: 2
A vaccination is a dud virus injected into the body to create antibodies that your immune system will remember, so when you DO get infected with the flu you recover faster.

Being laid out for a full week because you didn't get your shot is not gonna make your boss happy.

What's the point of running scans from other computers and creating overhead on your network? Oh, so you can be a big man and claim you don't need antivirus?

Just because you beat around the bush and essentially still scan for viruses does not give you the authority to come to the defense of others who don't use antivirus at all simply because those people are naive.

RE: And people keep telling me to get SP2....
By TomCorelis on 3/28/2009 2:53:16 PM , Rating: 3
There are *still* Windows XP SP2 holdouts?

By lexluthermiester on 3/28/2009 3:37:20 PM , Rating: 2
Yes, there are. Sad isn't it?

SP3 is perfectly safe and when you disable many of the services that don't need to be running and set yourself up with a GOOD firewall, this little bugger has little chance of getting into a system through a network connection. Now USB drives are another story...

And for all you Vista/Win7/64bit OS users out there, you are just as open to this threat as anyone else...

RE: And people keep telling me to get SP2....
By goku on 3/29/2009 10:39:07 AM , Rating: 1
Did you ever consider for a SECOND, why people don't like XP, Vista or even any of their service packs due to their increase in resource usage AND program compatibility? I didn't think so.

By Spuke on 4/1/2009 7:06:24 PM , Rating: 2
With today's hardware, I, personally, don't notice. The only applications that tax my hardware are CAD apps and games. Maybe it's your setup.

By lexluthermiester on 4/4/2009 6:44:26 AM , Rating: 2
Yes, I did consider those issues. And if you don't like XP or Vista, then you most likely are using OSX or some flavor of Linux/BSD. But for those of us who like and use XP, SP3 has been good. As for Vista, I'm not a fan. Windows 7 however, is shaping up very nicely!

RE: And people keep telling me to get SP2....
By DASQ on 3/30/2009 11:22:09 AM , Rating: 2
SP3 is causing a lot of 'no boots' for people. The solution is literally to uninstall SP3. I see it a little too often here on this campus, it's made me hesitant to suggest SP3 in any situation.

By lexluthermiester on 4/4/2009 6:51:50 AM , Rating: 2
I have installed SP3 on XP-based systems over 100 times and never encountered this no-boot situation. But then again, I have been using the version of SP3 that is known to be stable. The no-boot issue, from what I've read, seems to be occurring only in a limited number of situations.

But hey, if you are having that issue, then just do a fresh install using a disc that has had the pack slip-streamed in with an app like n-lite or something... That's what I do, and it works every time.
