 sj |
||
|
||
Tech:April 1 Conficker worm/virus attack for real?
|
|
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: JohnInKansas Date: 28 Sep 11 - 06:50 AM Conficker is beginning to show up in the usual lists of "Bothersome Malware of xxxxx" (fill in your year, month, location, or whatever) but patches have closed the vulnerabilities it has used and AV programs now have good signatures for it, so it's not considered all that troublesome now. It could mutate and come back, but at present it's a low threat for reasonably competent users. Windows versions Win2K and Win98 and older can't be fully patched, but good AV programs can catch it even on these. A problem is with all the pirated OS copies that can't get patches, the people who don't bother to patch, and the huge number of people who don't run any AV programs. A high percentage of those machine will be - and likely will remain - infected, and any infected machine will continue to attempt to infect everybody else. This means that conficker will pop up fairly persistently, perhaps for several years; but with barely adequate protections there's little likelihood that anyone with an IQ half their age will experience new infections that their AV can't block. For reference relative to those unpatched obsolete and unprotected operators, there are still some numbers of new infections by virus/trojan kinds, for malware for which any AV has had adequate blocking for nearly 20 years. A few of them just never seem to fade completely. New things that you do need to be concerned about now include: -- a "boot spoofing" method that has appeared that is able to run during boot before the AV can load. This new type hasn't been used maliciously yet, but is of sufficient concern that Win8 is predicted to have a protection turned on by default in a way that may significantly affect some uses of computers using that OS. (This was mentioned in the "OS Confusion" thread a few days back.) -- a new type of browser infection capable of affecting both IE and Firefox with a single infection on a machine, or whichever of the two browsers is used on the machine. -- at least one new OS X infection that is generating serious concern for Mac users, and 3 or 4 others that are "significant." -- as always, there are a few more infections affecting Linux than people are willing to admit; but due to low numbers of Linux users they haven't (yet) become particularly bothersome. AV experts are increasingly finding significant to "serious" infections in newer types of machines, with some significant infections in smart phones. McAfee has announced an "all systems" program that they claim can protect computers and "all other digital devices" with a single program, and Kaspersky indicates they'll have something similar "within months." Norton is saying they'll probably offer an "all over" protection system fairly soon, but I haven't seen a date or them. John |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: saulgoldie Date: 27 Sep 11 - 03:33 PM They're talking about this on "Fresh Air." Any Mudcat techies have any reassuring updates on the discussion? Saul |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: Wyrd Sister Date: 09 Apr 09 - 03:08 PM Conficker active From the BBC website |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: Artful Codger Date: 01 Apr 09 - 03:07 PM Nothing obvious has to happen on your computer. The worm could be collecting information and sending it on. From what they've been able to determine, the worm was designed to obtain new instructions today, but they may not be triggered until later; they may only help it to hide and embed more deeply for the time being. If Microsoft created the virus, it would probably break down on its own. It would be more likely that evil geniuses at Apple, Sun or Debian created the virus, because they're actually competent, and stand to gain more if people defect from Windows. Microsoft doesn't need to create such a virus--it already has y'all by the shorthairs. |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: Leadfingers Date: 01 Apr 09 - 01:45 PM I was without ANY internet all morning , but that was down to my ISP having a problem in my area ! NO Worms in here , thank God ! |
|
Subject: RE: BS: Admin alert to nasty worm 4-1 From: Stilly River Sage Date: 31 Mar 09 - 11:43 PM This one seems to have a lot of variables as far as predicted outcomes. I'm not ready to install Symantec (it's on my work laptop, but not my home computer) but in case you think you might have it, Here is a good story about how to detect and remove the Conficker virus. From cnet download.com
Let's assume you're on the receiving end of the worst April Fool's Day joke of 2009: your computer's been infected with the Conficker virus. It's a frustrating, but not insurmountable, problem. This guide will walk you through how to cleanse your computer and inoculate against other Conficker variants. First off, make sure that you are actually infected. There aren't many warning signs, but a few will stand out if you know what to look for. One fast way to check is to try to visit any major security software publisher's Web site. If you've cleared your browser cache beforehand, and you can load the sites of Symantec, Eset, Avira, or AVG, you're clean because Conficker blocks access to them. Another good litmus test is to check on the status and functionality of Windows services such as Automatic Updates, the Background Intelligent Transfer Service, Windows Defender, and Error Reporting Services. If any of those have been disabled without your consent, or if your account lockout policies have changed without approval, you might be infected. Other warning signs include unusually high traffic on your local area network, and domain controllers responding slowly to client requests. If you're running an up-to-date virus scanner, it's unlikely you'll get infected unless you've configured your computer to not receive automatic Windows updates. Checking your list of installed updates for security update MS08-067 (KB 958644) is not recommended because the worm, alternatively known as Kido, Downup, or Downadup, fakes the patch job. Assuming you've got the virus, the next step is to download one of several free removal clients. The Conficker-specific tools are McAfee's Stinger, Eset's Win32/Conficker Worm Removal Tool, Symantec's W32.Downadup Removal Tool, and Sophos' Conficker Cleanup Tool. Avira specifically mentions on their Web site that Antivir will prevent infection and remove the virus if you have it, although I don't have an infected machine to confirm this against. AVG states that AVG Free will protect you against the virus, but doesn't say if it can remove it once you've been infected. If none of these programs work for you, Avira also offers Conficker-specific instructions on how to use their rescue CD to fix your computer. This requires a secondary computer so you can create the CD, if you haven't done so prior to infection. It is strongly recommended that if you're infected and you have the luxury of a second machine, disconnect the infected computer from the Internet and install any repair programs or other fixes via CD or USB key. One of the most common infection vectors for Conflicker and its ilk is the Windows AutoRun feature. Eset claims that one out of every 15 threats they detected in 2008 used autorun.inf. Unfortunately, disabling it is not as simple as you may think, because even when disabled through conventional means it still parses most of the autorun.inf file, instead of not reading it at all. To disable it completely, users will need to copy the text below into Notepad. It should be one line from the left bracket to the final quotation mark. REGEDIT4 [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\IniFileMapping\Autorun.inf]@="@SYS:DoesNotExist" Save it as something memorable, such as StopAutoRun.REG. Double-click on the saved file, and you close the AutoRun loophole. You also won't be able to automatically play DVDs just by putting them in the disc drive, but that seems a reasonable price to pay for slamming the door on this gaping security flaw. Once you've gotten your computer clean and killed off the AutoRun feature, there's still more to do. These changes, however, are behavioral. Stay on top of Windows security updates from Microsoft, do not under any circumstances click on any Web-based ''free virus scan'' offers, and make sure you're not only running a reputable security suite, but that it's configured for daily virus definition file updates. Go to the actual page for the article--there are a lot of links in it. SRS |
|
Subject: BS: Admin alert to nasty worm 4-1 From: Donuel Date: 31 Mar 09 - 11:36 PM My wife has spent hours today protecting and patching against the computer worm that is designed to hatch tommorrow. Do your own research and take what prudent actions you deem best. That tommorrow is april fools day may catch many people of guard or disbelieving. Hopefully it will not be hazardous to servers or be possibly benign but no one seems to know exactly how nasty it might be. |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: Alice Date: 31 Mar 09 - 10:50 PM another great reason I love my MAC |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: katlaughing Date: 31 Mar 09 - 09:48 PM Thanks for all of the info guys. I am using the MS Malicious Worm scan program, now, plus all of my usual and I figured out how to turn off those ports. |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: JohnInKansas Date: 31 Mar 09 - 07:37 PM Since threads were combined here, in the third post, by From: Sawzaw, Date: 30 Mar 09 - 11:36 AM you can find a link to" http://technet.microsoft.com/en-us/security/dd452420.aspx This page is intended for IT "professionals" who may need to know how to distribute advice and protection for an organization. The above site directs "consumers" to a separate page, which is the one linked immediately above by Andrez: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx Both of the above pages offer the assurance that you are unlikely to be successfully attacked by this worm if your Win2K or later OS is up to date for Microsoft Critical patches, since the main vulnerability used by the worm was patched last October. This is not a 100% assurance, however, since the latest version of the worm also uses other methods. Assurance is given that most AV programs can detect and disable the worm if definitions are kept current. This leaves the possibility that a new variant might have gotten on your computer if it arrived "between updates" and wasn't immediately recognized. A "full system scan" with most good AV programs should find any infection present on a computer and should remove the original worm, but it's not completely certain that all AV programs can remove all "effects" if the worm was "executed" and allowed to make channges before it was detected and removed. At the second link, you can download and run a full system scan of the Microsoft Malicious Software Remover - if you're able to get to the site. This worm attempts to block access to the Malware Remover site. The Malicious Software Remover can be downloaded, if you can access the page, at: http://www.microsoft.com/security/malwareremove/default.mspx It can also be accessed, again if you can get to the site, at any Microsoft Update site, such as: http://update.microsoft.com/microsoftupdate/v6/vistadefault.aspx?ln=en-us (Vista, US, English site) Your Windows Start button should show you a "Microsoft Update" button, if not on the rollup then in Programs that will take you to the update site appropriate for your version. The "last resort," should you be unable to connect to the Malicious Software Remover, is to go to the "Windows Live One-Care" page for a scan and repair: http://onecare.live.com/site/en-us/default.htm?s_cid=sah On my Vista machine I got a beta version that ran for about three hours, then failed and told me to come back later. For WinXP (or other) you may be asked to log in for a "free trial" - and if you get this I'd suggest reading carefully (and perhaps printing) the EULA. There really isn't a "fix" for our few Win98 users, but the second link in this post has a link to advice on "minimizing" the vulnerability. John |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for r From: Andrez Date: 31 Mar 09 - 04:51 PM Info from Microsoft along with a few extra info links to add to the general Conficker info pool on this thread. Just cut and paste into your browser. http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx Cheers, Andrez |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: kendall Date: 31 Mar 09 - 04:51 PM My computer guru just told me that if I have up to date Kasperski anti virus I have nothing to worry about. |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: GUEST,mg Date: 31 Mar 09 - 03:36 PM Our university sent out a warning on it. mg |
|
Subject: RE: Tech:April 1 Conficker worm/virus attack for real? From: katlaughing Date: 31 Mar 09 - 03:29 PM IS there an easy understandable way to tell me how to close my Port 80 and my ICPM ping port? According to Norton security scan they are both open, which I don't understand because I have AVG and Sunbelt firewall both running. |
|
Subject: RE: Tech: Conficker Worm for April Fool's From: JohnInKansas Date: 31 Mar 09 - 01:03 PM The April 1 "doomsday" for Conficker just means that on that date the worm is scheduled to make a slight change in the way it tries to spread itself. Among other methods, Conficker "sends" a request for connection to "randomly selected" addresses that people might be using. By actually "naming" the computer it wants to connect to, it avoids the "cloaking" that most good AV systems provide to prevent the outside world from being able to tell that you're "on the web." (Among others, Norton's web "Security Check" will tell you whether your computer is properly "cloaked." Free check and report. So far as I've seen Win2K is the most recent Windows version that can't be hidden, but others can be revealed if external ports are left open when not necessary.) On April 1, Conficker changes from attempting to send to a few thousand "addresses" to a more complete list of 50,000 different addresses. Since many people get a different address each time they hook up to an ISP, lots of people may have the same address at different times, and with a few thousand infected computers all searching for connections there is the potential for the speed at which the infection spreads to be greatly increased. Thus far, the worm only prepares to be able to take control of the computers it infects, but no payload to "do something" has appeared. It seems illogical that the method of propagation would be changed if the botmasters thought they had enough slave computers to be ready to put them to work, so this change probably suggests that they'll continue to accumulate infected machines for a while before telling them to "make it happen." You won't see anything happen on April 1. The only change expected is that you won't see (possibly) many more infections just like the ones that you don't see now. John |
|
Subject: RE: Tech: Conficker Worm for April Fool's From: Bonnie Shaljean Date: 31 Mar 09 - 11:53 AM There's also this from ZDnet: http://blogs.zdnet.com/hardware/?p=4053&tag=nl.e539 |
|
Subject: RE: Tech: April 1 virus attack for real? From: Sawzaw Date: 31 Mar 09 - 08:52 AM The Avert Stinger tool downloadable here is supposed to be able to detect and remove the worm. http://www.mcafee.com/us/threat_center/conficker.html |
|
Subject: RE: Tech: April 1 virus attack for real? From: kendall Date: 31 Mar 09 - 07:48 AM I gave me a good excuse to dump Face book. |
|
Subject: RE: Tech: April 1 virus attack for real? From: GUEST,unknown Date: 31 Mar 09 - 07:31 AM we will see tomorrow what will happen lol... be calm dude... nothing in this world cannot be solve.. |
|
Subject: RE: Tech: April 1 virus attack for real? From: JohnInKansas Date: 31 Mar 09 - 06:52 AM Megan L - But yours is on now, and if it were infected that's sufficient for it to connect to a master server without your knowledge and download something new. Your local clock only sets the instruction to make the connection. It will happen the next time the computer is turned on. John |
|
Subject: RE: Tech: April 1 virus attack for real? From: Megan L Date: 31 Mar 09 - 06:41 AM "Every computer infected with this worm also turns on periodically to listen/ask for instructions, mostly from a half-dozen servers predominantly in Europe (so far)." What even when it is switched of at the wall now that is clever |
|
Subject: RE: Tech: April 1 virus attack for real? From: JohnInKansas Date: 31 Mar 09 - 06:38 AM This virus is came from the Philippines... ... and from China, Russia, the Ukraine, Hungary, and almost anywhere in Europe or the American continents. Every computer infected with this worm attempts to infect other computers. You could get it from "anywhere." Every computer infected with this worm also turns on periodically to listen/ask for instructions, mostly from a half-dozen servers predominantly in Europe (so far). The puzzle with this one is that the only thing it does so far is attempt to spread itself. There is no "payload" (yet) to make it do anything, but an instruction to "do something" could be downloaded by the control server(s) it communicates with at any time, to do anything the "botmaster" wants to tell it to do. The vulnerability most used by early versions was patched last October, so most infections are believed to be in illegal/pirated Windows versions that don't get regular patches (or those operated by people who don't bother to get patched). The worm has "mutated" several times though, and may now attack other vulnerabilities. While the estimates of infected machines seems to hover at about 300,000,000, and that sounds like a lot, it should be noted that Microsoft patches at least that many once per month through autoupdate, which makes it credible that a payload could be delivered to all the infected machines within no more than a day or two and quite possibly within just a few hours since the payload needn't be as large as many patches, and the botmaster doesn't have to negotiate the connection, confirm permissions, download the patch and sometimes a new installer, install, and log changes. Also note that the myth about "just reset you clock" most likely will not provide any protection or delay in "activation" of the worm. If your local clock is set within 60 years of the actual date, an "offset" is calculated every time you connect to a new server, and the server knows what day it is. Server to user communication is based on having - very accurately - the same "clock" at both ends so that your computer can talk in synch even if your local clock is wrong. The "local clock plus offset" is the time used. 01 APR 2009 is probably going to arrive on 01 APR 2009 no matter what your local clock says. John |
|
Subject: RE: Tech: April 1 virus attack for real? From: GUEST,Unknown Date: 31 Mar 09 - 04:12 AM This virus is came from the Philippines... |
|
Subject: RE: Tech: Conficker Worm for April Fool's From: Sawzaw Date: 31 Mar 09 - 12:58 AM Thanks Amos. I am more concerned now. I didn't see this thread before. I had Conficker B just before Christmas and I saw in my modem log that it was trying to connect to an IP in the Ukraine. It would not let me connect to malwarebytes.org but If I used www.malwarebytes.org I could connect and get updates. |
|
Subject: RE: Tech: Conficker Worm for April Fool's From: Amos Date: 30 Mar 09 - 04:13 PM A good analysis of COnficker by SRI. A |
|
Subject: RE: Tech: April 1 virus attack for real? From: bubblyrat Date: 30 Mar 09 - 02:35 PM Apparently, "All Fools' Day "is on April 11th anyway, so no self-respecting,educated,thinking,computer saboteur is going to make his move until then.Anyway, if all computers went down,it might be a good thing----young men and women would have to come out of their bedrooms into the daylight and the Real World,and people generally might start talking to each other again !! |
|
Subject: RE: Tech: April 1 virus attack for real? From: Sawzaw Date: 30 Mar 09 - 01:25 PM Yes Amos, there were problems that were solved but people went ballistic. An ex State Trooper I know was all set with guns,ammo, generators, cash and food for the meltdown. I called him up on New Years day and asked him if he had crawled out of his bunker yet. He said "you son of a bitch". There was a lot of hype about it. I am just sharing my thought on the current matter and using 2000 as a comparison. |
|
Subject: RE: Tech: April 1 virus attack for real? From: Amos Date: 30 Mar 09 - 01:13 PM There were plenty of installations where it (Y2K) was in fact an important issue. They were remedied by a LOT of work, and it was less expensive than the catastrophe of not remedying them would have been. That your sdite had a no-event does not by itself provide insight to what the scope of the actual problem was or would have beenwithout all the remediation. A |
|
Subject: RE: Tech: April 1 virus attack for real? From: GUEST,Hmmm Date: 30 Mar 09 - 01:01 PM Read John in Kansas responce in this previous thread by KatLaughing. http://www.mudcat.org/thread.cfm?threadid=119624&messages=3 |
|
Subject: RE: Tech: April 1 virus attack for real? From: GUEST,Auld timer Date: 30 Mar 09 - 12:33 PM The year 2000 " problem " was for the most part a money making exercise. I was involved in seting up generators and stand-by control systems and was "on call" for three days before and three days after the non event. |
|
Subject: RE: Tech: April 1 virus attack for real? From: pavane Date: 30 Mar 09 - 11:48 AM I have to say that the year 2000 problem was a very real problem, not a hoax. It was not a single "Millenium bug" but the result of many programming shortcuts made in previous years on all kinds of systems, from PCs to Mainframes. The only reason that there were few serious problems on the day was a huge effort in the previous years to identify and fix the bugs. |
|
Subject: Tech: April 1 virus attack for real? From: Sawzaw Date: 30 Mar 09 - 11:36 AM According to the NYT and 60 Minutes, it is believed the Conficker worm will launch some sort of undefined attack over the internet and on infected computers like sleeper cells called into action. However this is not backed up by any credible source such as name brand antivirus sites I can find. It appears to be a rumor. It would be childs play to set the clock ahead on any computer and see what happens. It would be possible in a lab to even create a fake internet connection to date and time setting sites on the net to see what happens and to study the activity of any programs searching for anything over the net. Therefore, I am not guaranteeing anything, but I beleive it to be a rumor or a hoax much like the year 2000 meltdown, creating FUD, fear, uncertainty and doubt. I had Conficker and Downadup on my computer and I was able to eliminate it with Malwarebytes. I also usw AVG antivirus but it did not detect the two worms. To be safe, I will be setting my computer's clock back on day today and I will be watching the news before I start it up on April 1. Could April 1 be Conficker's trigger date? Chris Keall March 30 2009 The super-worm has made tens of millions of PCs vulnerable, yet so far delivered no payload to any. One "expert" warns that April 1 could be the date that the other boot drops. In a 60 Minutes video preview, reporter Lesley Stahl, without citing any source, says the Conficker worm, which "lies dormant in millions of American PCs" (and many non-American PCs, in point of fact) "could be triggered on April 1." Ms Stahl correctly describes the virus as "a sleeper cell programmed to receive instructions" before diving into more speculative territory about "D-Day": "No one knows if on April 1 they'll just issue instruction to just stay sitting there, or whether it will start stealing our money, or launch a spam attack." Ms Stahl's comments have sparked a wave of panic on the net but experts at security companies have lined up to say there is no evidence whatsoever that Conficker will trigger on April 1. A surpisingly detail-free New York Times piece echoes Ms Stahl's sentiments, adding that some kind of April 1 prank effect could be triggered (or does the entire rumour have a wiff of April 1 about it?) The worm's true purpose – beyond jacking up 60 Minutes ratings – remains a mystery. Conficker could well be malevolent, and could well trigger soon, but April 1 is just a date pulled from the air. And regardless of when Conficker drops, your protective advice remains the same: keep your antivirus software up-to-date and, if you're a Windows user, install Microsoft's anti-Conficker patch via http://microsoft.com/conficker. Conficker Tests Limits of Reality and Hype By Lawrence Walsh 2009-03-29 April 1 is reportedly D-Day for the latest variant of the global worm, but is the hype living up to reality. Dire predictions for the wave of destruction coming with Conficker.C's activation may be grossly exaggregated, but that doesn't mean solution providers shouldn't help their customers prepare for this and many other security threats. In just three short days the world will learn how dangerous the latest variant of the Conficker worm is. Some reports say that more than 10 million PCs are already infected and the activation of the worm will cause massive distributed denial of service (DDoS) attacks. The concern is so great that the alarms have been sounding for more than a week and the battlements manned in anticipation of an overwhelming assault by this digital menace. Conficker concerns have created a wave of hype so great that the FUD threatens to overwhelm networks and administrators more so than the actual worm. Over the weekend, Symantec even warned that searching for information about Conficker could open users to compromise by the malware. The truth about malware is much more sublime and boring than the hype of pending disaster and unthinkable destruction. |
|
Subject: RE: Tech: Conficker Worm for April Fool's From: JohnInKansas Date: 24 Mar 09 - 02:07 AM One of the suggested difficulties with Conficker is that it can be restored from a system backup, so in order to remove it and keep it gone you have to turn off System Restore, clean it out, and then turn System Restore back on. Some AV programs that "remove it" apparently don't always delete old backups that may still contain it. News reports are vague, but presence of the infection has been noted in some MySpace and Face Book pages, particularly in the "work at home" of "secret shopper" ad links that "friends" seem to post at a lot of the "vanity pages." (Ads of this kind appear to be most common on pages that the kids set up for "granny" to brag about the grandkids. Granny is clueless.) It is common enough in the US that my Norton logs show a half dozen "blocks" of attempts to push it - in about the past 9 or 10 months. In fact its the only "attack" or "scumware" seen other than "cookie" (ad trackers) in that time. John |
|
Subject: Tech: Conficker Worm for April Fool's From: katlaughing Date: 23 Mar 09 - 06:45 PM Just saw this on the NYTimes site and thought some might be interested. There is more at the link. The Conficker worm is scheduled to activate on April 1, and the unanswered question is: Will it prove to be the world's biggest April Fool's joke or is it the information age equivalent of Herman Kahn's legendary 1962 treatise about nuclear war, "Thinking About the Unthinkable"? Conficker is a program that is spread by exploiting several weaknesses in Microsoft's Windows operating system. Various versions of the software have spread widely around the globe since October, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.) An estimated 12 million or more machines have been infected. However, many have also been disinfected, so a precise census is difficult to obtain.
-Joe Offer- |
| Share Thread: |