Conficker 4-1?

The latest variant of the worm, Conficker C, which was noticed in early March, is expected to launch its attack once the system date on an infected machine is on or after April 1, 2009.

At that time, copies of the malicious code on infected computers will try to generate and connect to 50,000 web URLs a day from 110 domains around the world while trying to reach a "command and control" domain for further instructions.

The Conficker worm is also known as the Downandup worm.

Just thought I'd mention this, start a conversation. I seem to remember hearing similar warnings almost every year, for April Fist. But I'd like to be sure I'm protected.

:hi:

• On the first release it tried to download and execute a file called loadav.exe. It turned out that the file was never uploaded and the next generation did away with this. This led investigators to believe it was a malware program trying to promote itself as fake antivirus software.

• The second release, the worm used Windows Services, on unpatched machines, to spread. This new release also had the power to spread over network shares by trying to log in autonomously into network machines with weak passwords. It developed the ability to infect USB sticks connected to infected machines, giving it another means of transmission.

• On the final and third release, which became know as the Downadup virus, peer-to-peer communication between infected systems was added to it's arsenal of weapons. The virus also added new domain-generation algorithms to help it disguise where it was receiving its updates from.

Microsoft is offering a bounty for the worm's writers and security experts are no closer to having any clue as to the individual or individuals who are writing the Conficker code.

http://www.physorg.com/news157375646.html

Two passages:



...and...

I mean, I know nominally free online storage sites exist (FileFactory, File Savr) but there limitations to what you can do that may make it impractical, depending on what you need it for.

Some relatively low-cost online storage is out there. I am, in general, not a big fan of such things unless you have a large amount of really important data and want to use it as a third tier redundancy. I do all my backups on DVDs, removable hard drives, and external drives. As my redundancy I use server space I have to store some encrypted rar/tar/zip files with important info, writing, etc. that I wouldn't want to lose if my house burns down or something.

Sorry not to be of more help. I think some people have posted links to recommended online storage sites here and there that don't cost much. Or, if you can deal with the limitations, the free sites would work. Just make sure if you store something important there that you do it as an encrypted file.

P.S. I should add given the context that online storage solutions could be highly susceptible to worms and other things like this. It's not going to do you much good to have all your data backed up with some online storage service if that service's servers get infected and become part of the botnet or effectively taken down by massive DNS poisoning or some such thing.

According to the link below, XP SP3 should be "invulnerable". :eyes:

My external backup options are extremely limited.

I've read the suggestion to change the system date until the fallout has been determined.
Of course, it's got to be 4/1 sometime.

It queries a handful of sites for the current date.

indicates it has been spotted as recently as this month. Do you/they know which AV is catching it?

The usual ones (AVG, McAfee, MS, etc) claim to be able to detect and remove it, but it's unclear if they actually catch all the variants. For example, MS says this about conficker.c:

For detailed instructions on how to manually remove Conficker.C, view the following article using an uninfected computer:
http://support.microsoft.com/kb/962007 - Virus alert for Win32/Conficker.C and manual removal instructions

But that's a link to an article for removing conficker.b. One of the suggestions on that page is to use the MS Malicious Software Removal Tool:

The Microsoft Malware Protection Center has updated the Malicious Software Removal tool (MSRT). This is a stand-alone binary that is useful in the removal of prevalent malicious software, and it can help remove the Win32/Conficker malware family.

You can download the MSRT from either of the following Microsoft Web sites:
http://www.update.microsoft.com (http://www.update.microsoft.com)
http://support.microsoft.com/kb/890830

The malware list for the MSRT only lists conficker with a date of January 2009, with no mention of .a, .b, or .c variants. So, although MS says it'll remove the conficker family, it doesn't say so on the software's specs.

So, in short, who knows?

The BDTools site above is a site created by BitDefender to specifically handle conficker, since the virus actually blocks access to branded antivirus software sites and other sites with certain keywords in their URL. They too offer a tool that'll disinfect conficker/downadup/kiro, but again, they don't make it clear which variants:

http://www.bdtools.net/how-to-remove-downadup.php

and got a first time access request from "Notifier Tool". I upgraded Zone Alarm a few days ago, but I'm pretty sure Avira has had an update since then. It shouldn't be asking for new access rights. I said, no.

Reading that list from your article gave me a squeamish response akin to reading details of brain surgery!
Low tolerance for squeamish.

and got serious ninja skills, a magnificent piece of work. Here's a step-by-step litany of what it does:

http://www.bdtools.net/technical-details-downadup.php

This is so far beyond hacking for bragging rights, it's going to be really interesting to see its purpose revealed. If they get their multimillion-box botnet, then what? DDoS extortion? A worldwide port probe? A beowerewulf cluster to find the next 20 largest primes? Or is this a showcase for interested despots? Hey Kim, you want something better than a nuke-- show us the money!

But I don't think my vote counted. It'd be kinda awesome in a really irritating way though.

All the thought, effort, and money we've poured into worrying about WMDs, nukes, etc. has been a total waste, and we're going to pay for it eventually. It's only a matter of time before someone with an actual brain realizes and implements the potential of things like this. I don't think it will be Kim, unless he sees it as an avenue for getting all the attention he wants. With Kim, it's always about his being an attention whore, not that he wouldn't gladly kill a few billion people or bring the world's financial system to its knees if he thought he could to get that attention, but I just don't know if he's got the brains to realize that potential. But China? Some smart people in China ... and a lot of really good hackers too who aren't quite the "independent rogues" the Chinese government would have us believe, in my paranoid opinion.

Anyway, April 1st has become ever more interesting as time has passed and as communications and computing power has become exponentially faster. The choice of the date suggests at least some grounding in classic hacker lore, so perhaps whoever is behind this will at least be a benevolent overlord after the fall.

True. That demented little Eraserhead just wants to be a rockstar dictator. Too bad he can't elicit much more than a peevish annoyance outside Korea, even with nukes in his pocket.

If Kim bought a megaworm, he'd crap his britches when he found out he'd roasted the WoW servers. Probably lob a nuke at Japan in pique.

What would be a great fairytale ending for this... an hour before midnight a federal strike force storms Norton Labs, drags wailing depantsed executives to Gitmo, burns the building to ashes and salts the earth underneath. Midnight comes... and nothing happens. Aside from everybody buying drinks for everybody, that is.

That was almost like porn, envisioning the entire Norton staff on a perp walk ...

There should be a :drool: smiley. :)

So I'll wake up good and suspicious :D

Who are the masters of intractable software? Given a choice of removing Norton or removing hot glue poured into a computer, is there anybody who wouldn't have to mull it over?

This thing HAS lifted my eyebrows way over my head. It's nimbleness, comprehensiveness, and the way its revisions are approaching real time are alarming. It's getting close to something like rudimentary intelligence.

It'll probably be too late before anyone who matters figures out PC infections aren't the worst that can happen. I'll bet there's more than a few bright eyed Republicans watching developments though, waiting for the chance to saddle up and drive the country off a cliff again.

When I ran across mention of it I thought, "Oh, but that thing was blocked at the DNS level a while ago ..." and then "Oh shit, it's evolved already," and apparently it involved out of one of its own strains through something that was programmed into it from the beginning? Not sure if I have that exactly right, but that's the way it comes across, and that's just too damn near a real, living organism for my little brain to wrap around right now.

Oh, and I'm sure the bright-eyed Republicans are ready. They keep the damn truck gassed up with the key in the ignition at all times.

http://www.nytimes.com/2009/03/29/technology/29spy.html?_r=1

Vast Spy System Loots Computers in 103 Countries

I think the more we talk about this, the better it will be defeated. Hope springs eternal and all. And lets keep that "knock on wood" sign available. That was very cool, thanks.

I refuse to do the Windoze update. I went to the update center but they wont' give me anything unless I go to 7. Screw that. I like my 6. I went for the Custom command, but they won't help me, unless I upgrade. Wish I had the time to switch to Linux.

If you just don't get online on the 1st, and don't open any junk mail afterward, which I never do anyway, will that help? What do you think? I got my SpywareBlaster, Avira, and Malwarebytes running. I go to a lot of sites though that are .uk, .ca, .etc which seem to be the danger zones. Should I just avoid them for a few days?

Eyes wide open. Wish I knew who it was. Nice reward. Someone who owns a lot of MS stock?

I don't use Windows Update and I still have IE6. You can still get security patches as standalone executables, MS just won't help you find them. You have to take note of the date and KB bulletin number, do a search for "security updates" at their download center, then scroll through the results until you find a match. Here's the link those clowns should have in BOLD RED CAPS on their front page:

http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=0d5f9b6e-9265-44b9-a376-2067b73d6a03

WindowsXP-KB958644-x86-ENU

It's available at other places besides Microsoft. Google it, I can't remember from where I downloaded. Also worth grabbing MS Malicious Remove - windows-kb890830-v2.6 which is said to remove Conflicker.

It should be at the download button at the link. Probably safer to get it from the source.

I ran the MSRT a while ago, too. I didn't have any concern that I was infected with anything, but it'd been a while since I'd checked. It ran for about 4 hours, came up clean. But -- when it scanned the last file on the last drive, it raced the CPU and froze that way until I killed it a half hour later. Weird piece of software.

It didn't upgrade IE when I installed SP3. Don't use it anyway.
Chances are even if you install it, you can revert back to 6 after the update.
(haven't verified)

edit: Do you have Vista? I just ran the update tool, and it allows me to un-check IE 7.

XP all the way.

Thank you, Charlie, for that link. But now I gots a question. I downloaded that patch, then clicked to run it, it told me I might have to restart my computer afterwards. Yeah, yeah, I know. Got up to get a cuppa coffee and it suddenly got very dark, as my computer went ahead an restarted without me. I don't like that. Now I've got an icon on my desktop, WindowsXP-KB958644-x86-ENU.exe, which I click on and get the Run button AGAIN. Should I run it again? Or just move it to my Program folder?

Tks.

It can be done away with now.

In the FWIW category. Frankly, even though I'm reading a story here that's supposed to allay fears, the very idea that the thing may just sit there and gain a "new capability" isn't all that reassuring.



There should be some rational middle ground between "total freak out" and "don't worry about it." Unfortunately my tooling around the 'net the past couple days hasn't yielded much that wasn't one or the other.

There are even some interesting conspiracy theories starting to float, such as the idea this is a worm originally developed by the MPAA/RIAA people to bring down peer-to-peer. Now I'm actually kinda drawn to that sort of idea since I have so much contempt for what they do, but we're talking about the people that initiated a program of DDoS attacks, had to outsource it because they didn't employ anyone who could do it, and then got that wrong and were found out. (Still waiting on those prosecutions of course, but "Grandma Moses" in Bugtussle who got all rebellious and downloaded a Metallica track will probably get 5 years. I digress.) These people aren't geniuses. Eraserhead Kim (see previous post by charlie and thank you for that nickname) has more brains than these people.

Anyway, for the sake of discussion and information, I thought I'd post this ...

I've just been reading all sorts of stuff myself. Online newspapers saying, nothing to worry about. Probably mostly just hot air. This, of course, makes me worry even more.

And I've been all conspiracy-theory myself, since I first heard about this a couple of weeks ago, with MS offering that reward.

I was just reading over at MS that I might want to do the fix they offer for Autorun. This comes with warnings about backing up the registry first. Oh dear, not sure I want to get all involved in that. Unless you think it would be a good thing to do, Roy, because I greatly respect your knowledge on things computerish.

So you know, I'm kind of a shut-in and my computer is truly my lifeline. So this kind of stuff scares the crap out of me.

:scared:

But I also know that fear is the mind-killer, so I like to keep myself armed with truth. As soon as I can figure out exactly what that is. :P

In Run prompt, type "regedit". On the registery window, click File > Export. I save them to my desktop. Name and save as any other file. That's your backup!

The patch for Autorun is something you should have for reasons I'll explain in a moment. The warning about backing up the registry is CYA stuff. You're supposed to do that when any kind of update is done, and especially those that update critical functions and mess with the registry in significant ways, and this one does. One reason for it is that if your system is in the middle of altering the registry and the power picks that moment to go out, the registry is dead. Or, if your hard drive suddenly has a burp on a critical sector, same thing. There's all kinds of things that can happen. They usually do not happen, but to be on the safer side, MS and anyone giving decent advice will suggest this.

Backing up the registry is not really a big deal. It's just a huge file. Things like Spybot S&D even have a built-in function that does it for you that you can use if you want. A lot of malware removers mess with the registry, and a lot of them have this function. What's often not said, however, is that just backing up the registry doesn't make life wine and roses if something happens. You've still got to restore it, and if your system won't boot because of a registry corruption, you've got to do this at a more basic level. Most people don't know how to do this, and frankly it's been so long since I have I'd be hesitant to tell you how. And here I'm doing a CYA myself. :-)

What the Autorun patch does (the one that was released last year; if there's been another one, I missed it) is correct an error with they way the process gets called that, even if you have Autorun disabled, allows an attacker to use it anyway to infect your system. If you've got Autorun enabled anyway, it doesn't matter quite as much because the autorun.inf file on whatever device/media you load is going to run, and if the nastigram on that media is malware of some sort that's not detected by whatever security tools you have scanning things, you're screwed.

The function of Autorun is merely a convenience. AutoRun/AutoPlay (both terms are used, but they mean the same thing) should, imo, be disabled. The most convenient way to do this is to install TweakUI, which is a part of MS PowerToys. There's an option in there under MyComputer > AutoPlay that allows you to disable it easily. If the Autorun process is patched and disabled, you shouldn't have any problems. The only inconvenience is that every time you connect external media with an autorun.inf instruction set, load a CD/DVD, etc. you'll have to manually start whatever it is.

All that said, if you're not in the habit of passing around CD/DVDs with others, burning discs you get off torrents, saving things to external drives or USB devices that have autorun functions in them, etc. this is not a huge concern anyway. At least, it's not anymore dangerous than cruising the Internet with a web browser, which is, and for the foreseeable future will remain one of the most common avenues for infection. The trickiest thing I've seen happen is someone having a USB stick hooked up to a computer that is then infected by a virus without the user being aware anything has been written to it, and that virus/whatever uses the autorun process to load itself on every machine to which it is attached every time it's plugged in.

So ... if you can parse that, you can judge your own circumstances.

P.S. And yes, fear is the mind killer. We're afraid of all the wrong things. The anti-malware industry is huge and pulls in hundreds of millions of dollars a year. Hell, it may be billions by now. They work off fear, which is why I call a lot of them a legalized protection racket and also why I point people to free products and suggest giving them a little donation from time to time if you find the authors' products useful. It's a fine line though between instilling too much paranoia and not enough, so I want to make clear nothing I say is meant to suggest the dangers aren't real.

that this baddie is verifiable as coming from P2P exchanges? Or is that speculation? I've removed the boatloads ex-bf installed a few years ago. I hate those frappy things.

One of the security research people said that. It makes sense, though. Peer-to-peer is a very common avenue of infection these days 'cause you have so many people using it without giving one thought to what it is they're getting.

That was where the researcher is from.

Birthplace of ARPANET.

Thanks Why.

And I have TweakUI, thanks to advice in this forum long ago. But I looked under Control Panels, and everything else there, and do not find autorun anywhere tweakable. I did a search for it, found it, but cannot open it. It doesn't seem to be something I need on all the time because the only things I ever do with this machine is digital photos and once in a great while I watch a DVD.

So is there another way to get in there and turn it off?

Start TweakUI. It should be in your start menu under PowerToys for Windows XP unless it was moved.

Click on the My Computer arrow, which will open that tree.

Click on the AutoPlay arrow, which will open another tree.

Click on Types.

Uncheck both Enable Autoplay ... options. Click Apply, and you're done.

I finally found it in Tweak and when I click it tells me: To customize AutoPlay settings, open My Computer, right-click the drive you want to customize, select Properties, then Autoplay.

So I opened My Computer right-clicked C, and AutoPlay is not listed there. It's only on my D drive. I'll leave that on then, because I only play DVD's that I have owned for years. I don't rent or borrow; if I did I would play them thru television, not computer.

And then I remembered what started this conversation. On the MS website it told me: to disable the Autorun functionality in Windows XP you must have security update 950582, update 967715, or update 953252 installed. (which I probably don't)

Then it told me to back up the registry first. So now I will go and look at those updates and figure out which one to use. Well, maybe later.

Anyhoo, I thank you and I hope you get your pony, the mirror one. You deserve it. :hug:

I really want that pony. That mirrored one is just awesome. Thank you for the kind wishes. :)

About TweakUI, those instructions it is giving you are about creating policies for individual drives, and that button just opens up the main My Computer window. I can't recall off the top of my head what you can do there, but that's not the place you need to go.

If I'm not mistaken (going from memory here) that's the dialog screen you get when you just click on the AutoPlay.

I think I may be talking about a different version of TweakUI. I seem to recall the older version embedded itself in the Control Panel, and that sounds like what you're talking about. Again with the memory (which is rustier and rustier every day) this was before TweakUI was integrated into the MS Power Tools.

Anyway, the one I've used for awhile now is the one that's on the download page at the link I gave you earlier. Once you install it, you start it like any other program from the Start menu. It then brings up an interface with a tree structure on the left side with some of the options having little arrows. You click on the arrow next to AutoPlay, as opposed to the word itself, and it opens up more options, the details of which I described earlier.

That's where you need to go.

I'm not sure what those specific updates are, and they do need to be installed. The version of XP I use has Service Pack 3 installed, which must include all that since I haven't installed any other updates except the other one mentioned elsewhere in this thread. Whatever the case, TweakUI, including disabling Autorun, works fine on that.

You may have SP 2.

All this may be irrelevant, but I wanted to make sure we were on the same wavelength. I read your original question and saw the comment about the control panel, which is what got me thinking of this.

I've got my system churning on some stuff that's going to take awhile, but I'll fire up Windows later and verify I'm not expressing the results of a hallucination.