The Mudcat Café TM
Thread #119783 Message #2601100
Posted By: JohnInKansas
31-Mar-09 - 06:38 AM
Thread Name: Tech:April 1 Conficker worm/virus attack for real?
Subject: RE: Tech: April 1 virus attack for real?
This virus came from the Philippines...
... and from China, Russia, the Ukraine, Hungary, and almost anywhere in Europe or the American continents.
Every computer infected with this worm attempts to infect other computers. You could get it from "anywhere."
Every computer infected with this worm also turns on periodically to listen/ask for instructions, mostly from a half-dozen servers predominantly in Europe (so far).
The puzzle with this one is that the only thing it does so far is attempt to spread itself. There is no "payload" (yet) to make it do anything, but an instruction to "do something" could be downloaded by the control server(s) it communicates with at any time, to do anything the "botmaster" wants to tell it to do.
The vulnerability most used by early versions was patched last October, so most infections are believed to be in illegal/pirated Windows versions that don't get regular patches (or those operated by people who don't bother to get patched). The worm has "mutated" several times though, and may now attack other vulnerabilities.
While the estimates of infected machines seem to hover at about 300,000,000, and that sounds like a lot, it should be noted that Microsoft patches at least that many once per month through autoupdate, which makes it credible that a payload could be delivered to all the infected machines within no more than a day or two and quite possibly within just a few hours, since the payload needn't be as large as many patches, and the botmaster doesn't have to negotiate the connection, confirm permissions, download the patch and sometimes a new installer, install, and log changes.
Also note that the myth about "just reset your clock" most likely will not provide any protection or delay in "activation" of the worm. If your local clock is set within 60 years of the actual date, an "offset" is calculated every time you connect to a new server, and the server knows what day it is. Server to user communication is based on having - very accurately - the same "clock" at both ends so that your computer can talk in synch even if your local clock is wrong. The "local clock plus offset" is the time used. 01 APR 2009 is probably going to arrive on 01 APR 2009 no matter what your local clock says.
John