The now infamous Conficker worm created quite the scare for security researchers, and in some ways, it still does. In a new report (PDF), the Conficker Working Group -- a coalition of cybersecurity experts and industry heavyweights including Microsoft, ICANN, domain registry operators, AV vendors, and academic researchers -- reveals what its members have learned from the worm, as well as some of their frustrations.
In short, the group has been successful in blocking the worm's author(s) from being able to use the worm for whatever dastardly deeds it might have been created for, but they've failed to kill Conficker entirely.
"The Conficker Working Group sees its biggest success as preventing the author of Conficker from gaining control of the botnet," the CWG notes. "Nearly every person interviewed for this report said this aspect of the effort has been successful. The blocking of domains continues and the Working Group has indicated they will maintain their effort."
At the same time, the CWG "sees its biggest failure as the inability to remediate infected computers and eliminate the threat of the botnet. While remediation efforts did take place, millions of the A/B variations of Conficker remain on infected computers."
Shockingly, the self-replicating worm remains on more than five million computers and "is among the largest botnets in the past five years," the report said. And while the author hasn't been caught, the group believes the person responsible lived in Eastern Europe.
In just a few days from now, we'll reach the one-year anniversary of the Downadup/Conficker threat's April 1, 2009 trigger date, and just like last year, April Fool's Day will likely pass without seeing the Internet come crashing down.
"Today, one year later, we know that the criminal(s) behind Downadup/Conficker still have the keys to some 6.5 million of these computers, which have not been fixed by their owners, leaving them open to be victimized at any time by cybercriminals," Symantec wrote in a blog post. "We're still seeing the .A and .B variants of the worm continue to spread, albeit at a much reduced rate."
According to Symantec, the infected PCs are being "very closely monitored" by law enforcement and the members of the Conficker Working Group, so even though several million PCs remain vulnerable, all the attention is "likely [to] prevent [Conficker's creators] from further playing out their original criminal plans."
Even so, Symantec says we're not out of the woods yet.
"These 6.5 million computers infected with Downadup/Conficker are still much like a loaded gun, waiting to be fired," Symantec warns.
There's a new botnet in town, and this one has the potential to trump Conficker, says security firm Netwitness, which discovered it. According to Netwitness, the Kneber botnet has already infected more than 74,000 machines worldwide.
Netwitness describes Kneber as a ZeuS Trojan botnet, and more than half of the infected systems also carry the Waledac Trojan, the same malware that was used to build the email spam botnets associated with Conficker. But unlike Conficker, whose dastardly deeds have yet to be revealed, Netwitness says Kneber has been designed to target and steal login credentials and other private information.
Kneber has been found in 196 countries so far, but is most prevalent in Egypt, Mexico, Saudi Arabia, Turkey, and the U.S. It targets Windows machines, most of them running Windows XP Professional SP2, and most of them sitting inside corporate and government networks.
According to Netwitness, Kneber has nabbed some 68,000 login credentials in the past four weeks.
AutoRun was originally intended to help automatically start programs stored on optical media. However, once USB drives became popular, AutoRun also became a popular way to launch programs from hard disks and thumb drives by working with Windows' built-in AutoPlay functionality. Unfortunately, AutoRun's ability to launch programs instantly has also been widely exploited by malware such as the notorious Conficker/Downadup worm. Microsoft changed how AutoRun works in Windows 7 RC, but until now, Windows XP, Windows Vista, and Windows Server 2003 have been wide open to USB-based AutoRun attacks. To find out how Redmond's reining in AutoRun, join us after the jump.
One of the nastiest worms in recent history, the Conficker worm, which first surfaced in October 2008, managed to infect over 9 million PCs, shut down French and British military assets, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.
Nearly a year later, the hefty reward remains uncollected while security experts continue to try to trace Conficker's origins and erase the threat. But it's still out there, as is the threat of another attack.
"It's using the best current practices and state of the art to communicate and to protect itself," Rodney Joffe, director of the Conficker Working Group, said of the worm. "We have not found the trick to take control back from the malware in any way."
After all this time, researchers are still left speculating about what exactly Conficker was ultimately designed to do. It could be as simple as generating large amounts of spam, or it could record keystrokes and steal users' login information. On a larger and more frightening scale, researchers say it's possible Conficker was designed by an intelligence agency or another country's military in order to monitor or disable an enemy's computers.
On the bright side, no one is sitting idly by waiting for Conficker to strike again. While security experts continue to work on ways to eradicate the worm, Conficker remains an open investigation with the FBI, which purportedly has a few leads.
AutoRun and AutoPlay, Microsoft's "dangerous duo" for launching programs from CD/DVD and other removable media types, have become among malware authors' favorite infection vectors - and Microsoft has finally said, "enough already!"
A research study by Forefront Client Security, cited by the Engineering Windows 7 blog, determined that infections that can be started with AutoRun amounted to 17.7% of detected infections in the second half of 2008.
Although AutoRun was originally designed strictly for optical media, it can be used with other types of media. For example, an autorun.inf file can add a program on the media to the AutoPlay menu Windows displays and change the entry's icon so that the malware program mimics a legitimate one. Conficker used this method to spread, as illustrated here.
Starting in Windows 7 RC, Microsoft has changed how both AutoRun and AutoPlay work:
AutoPlay no longer supports AutoRun on non-optical removable media. An autorun.inf file on a USB or other type of non-optical removable media will be disregarded. Only AutoPlay options that pertain to the types of files on the media will be listed.
When AutoPlay displays programs present on the media, the dialog now states that those programs will be run from the media.
To learn more about these changes, and to find out what other Microsoft operating systems will eventually get similar protection, join us after the jump.
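The autorun.inf spoof described above, and the Windows 7 RC rule that neutralises it on USB media, as an added Python example (not code from the original article or from Microsoft): parse_autorun_inf reads the [autorun] section, assess_autorun_inf flags the masquerade indicators, and autoplay_options models which entries AutoPlay lists before and after the change. The two sample autorun.inf files are constructed for illustration; the RECYCLER path, the .vmx extension, the folder-icon index and the drive-kind names are my choices, not indicators taken from the page.

```python
"""Triage an autorun.inf and model the Windows 7 RC AutoPlay rule.

Added example. The sample files at the bottom are constructed to show the
trick the text describes (a malware entry dressed up as the built-in
"open folder" item); they are not real worm samples.
"""
import ntpath
import re

LAUNCH_KEYS = ("open", "shellexecute")          # [autorun] keys that run something
BUILTIN_ACTIONS = {"open folder to view files",  # AutoPlay's own label for browsing
                   "open folder to view files using windows explorer"}
HIDDEN_FOLDERS = {"recycler", "$recycle.bin", "system volume information"}
EXECUTABLE_EXTS = {".exe", ".com", ".bat", ".cmd", ".scr", ".pif"}


def parse_autorun_inf(text):
    """Return the [autorun] section as {lowercased key: value}; lines that are
    not key=value inside [autorun] (comments, junk padding) are skipped."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[([^\]]+)\]", line)
        if m:
            section = m.group(1).strip().lower()
        elif section == "autorun" and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip().strip('"')
    return entries


def launch_target(entries):
    """Path named by open= or shellexecute=, or None; 'file,entry' and
    'file args' forms are cut at the first comma or space."""
    for key in LAUNCH_KEYS:
        if entries.get(key):
            return re.split(r"[ ,]", entries[key], maxsplit=1)[0]
    return None


def assess_autorun_inf(text):
    """Return a list of spoofing indicators; empty means nothing looked off."""
    entries = parse_autorun_inf(text)
    target = launch_target(entries)
    if target is None:
        return []
    findings = []
    if entries.get("action", "").lower() in BUILTIN_ACTIONS:
        findings.append("action label impersonates the built-in folder entry")
    icon = entries.get("icon", "").lower()
    if "shell32.dll" in icon or "system32" in icon:
        findings.append("icon borrowed from a Windows system DLL")
    parts = {p.lower() for p in target.replace("/", "\\").split("\\")}
    if parts & HIDDEN_FOLDERS:
        findings.append("launch target kept in a hidden system folder")
    if ntpath.splitext(target)[1].lower() not in EXECUTABLE_EXTS:
        findings.append("launch target has a non-executable extension")
    return findings


def autoplay_options(drive_kind, inf_text, file_type_handlers, win7=True):
    """Entries the AutoPlay dialog lists. Pre-Win7: the autorun.inf entry is
    offered for any media under the label the file chose. Win7 RC: on
    non-optical removable media the file is disregarded and only file-type
    handlers remain; where it is still listed (optical media) the entry is
    marked as running from the media."""
    options = list(file_type_handlers)
    entries = parse_autorun_inf(inf_text)
    target = launch_target(entries)
    if target is None or (win7 and drive_kind in ("usb", "removable")):
        return options
    label = entries.get("action") or "Run " + target
    if win7:
        label += " (runs from the media)"
    return [label] + options


# Constructed sample in the style of the spoof described in the text.
SPOOFED_INF = """\
[autorun]
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=RECYCLER\\S-1-5-21-1234\\updater.vmx,install
"""

# Constructed sample of an ordinary installer disc.
INSTALLER_INF = """\
[autorun]
open=setup.exe
icon=setup.exe,0
label=Product Installer
"""

if __name__ == "__main__":
    for name, inf in (("spoofed", SPOOFED_INF), ("installer", INSTALLER_INF)):
        print(name, assess_autorun_inf(inf) or ["clean"])
        print("  XP, USB  :", autoplay_options("usb", inf, ["View pictures"], win7=False))
        print("  Win7, USB:", autoplay_options("usb", inf, ["View pictures"]))
```

Run against a real drive by reading its autorun.inf into assess_autorun_inf; the parser deliberately skips anything that is not a key=value line, because a padded or partly binary file still has to yield the [autorun] keys that Windows would act on.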
Mainstream media's fascination with the Conficker virus is somewhat amusing, but the actions of the world's most famous computer worm, on the other hand, are not. According to Fox News, Conficker is finally starting to show signs of life and has begun organizing thousands of machines into a botnet to send email spam and spread malware.
Anybody running anti-virus software or Windows Update is pretty much protected from Conficker at this point, but amazingly that still leaves millions of machines to worry about. It remains to be seen how much longer Conficker will continue to plague the web, but hopefully, at the very least, this brings computer security to the minds of mainstream users.
So Conficker is spreading spam and spyware? Anyone surprised?
Streetlights didn't stop working, satellites never fell from orbit, and the internet didn't spontaneously combust. So what exactly did the Conficker.c worm manage to accomplish? Up to now, the answer is 'not much,' but Trend Micro warns the worm has started making its move.
It's been just over a week since Conficker.c was supposed to turn machines against man in an epic battle not even Will Smith (the actor, not the Editor-in-Chief) would be able to defeat, and while we can probably put such related fears to rest, Trend Micro security researchers say machines already infected with the worm have begun receiving a new payload through P2P. The payload is being detected as WORM_DOWNAD.E.
"Basically the component it's downloading via peer-to-peer is just a dropper -- so it drops yet another component, which we are in the process of finalizing analysis on now," Trend Micro researcher Paul Ferguson said in a conversation with eWEEK. "It looks like it has some rootkit capabilities, but beyond that right now I can't go into any additional detail, I don't have complete information in front of me."
Conficker.c received much media attention prior to April 1st, when the worm was expected to wreak all kinds of havoc. But April Fool's Day has come and gone without much movement from the worm, which either means the threat was grossly overblown, or its writers are waiting for the dust to settle.
April Fools' Day might be all fun and games for some, but if you manage to fall prey to the Conficker worm, it's no laughing matter. As reported earlier this month by our very own Mark Soper, the third version of Conficker (Conficker.c) is set to wreak havoc tomorrow, April 1st. Here's what you need to know.
What is Conficker?
Conficker is one of the nastiest computer worms in recent history to go on the warpath against Windows-based PCs. First surfacing in October 2008, Conficker targets Windows 2000, XP, Vista, Server 2003, Server 2008, Server 2008 R2 Beta, and even Windows 7. To date, Conficker has infected over 9 million PCs, shut down French and British military assets, and prompted a $250,000 reward from Microsoft for information leading to the arrest and conviction of the worm's creators.
What Does it Do?
The first two versions of Conficker -- variants A and B -- spread from an already-infected source computer by exploiting a vulnerability in the Server Service on Windows-based PCs (the flaw Microsoft patched in MS08-067). Once a machine is infected, the worm goes to work exploiting the same network hole to reach others, cracking administrator passwords, blocking access to security websites and automatic-update services, disabling backup services, erasing recently saved documents and, among other things, leaving the machine open to other infected machines.
What Happens Tomorrow?
One of the scariest things about Conficker, including Conficker.c, is that its full potential isn't known. Come tomorrow, those infected might be prompted to buy fake software products, or it could start monitoring your keystrokes to lift sensitive information like banking passwords. Files could end up deleted, or it might transform your computer into a zombie PC while staying under the radar. Whatever it ends up doing, it won't be good, and you need to take proper precautions right now.
Join us after the jump to find out how to avoid infection, or what you can do if it's already too late. **Now with April 1st Update!**
Just when you might have thought it was safe to start using USB flash drives at work again, the third and, by all accounts, most fiendish version of the Conficker worm, which has already infected millions of PCs, is set to attack on April 1st, Ars Technica reports. Conficker.C is designed to hide itself even more thoroughly than its older siblings, using tricks such as:
Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
Creating access control entries that lock the file(s)
Registering dummy services, naming them by a "one (name) from column A, one from column B, and two from column C" method
To find out what happens when Conficker.C strikes, join us after the jump.
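A triage pass over an exported Services hive, as an added Python example that is not code from the article or from any published Conficker analysis: it parses the .reg format that `reg export` writes (including the hex(2) encoding of REG_EXPAND_SZ values and the continuation lines reg.exe wraps them with), picks out the services that run inside svchost.exe, and reports any whose ServiceDll is not on a known-good baseline, which is how a randomly named dummy service of the kind listed above shows up when you compare a suspect machine with a clean one. The exported text, the service name qbmvsdf, the DLL name xkwtrpz.dll and the baseline are all constructed here; qmgr.dll, wuaueng.dll and netman.dll are real Windows service DLLs, but the baseline is an excerpt, not a complete inventory.

```python
"""Find svchost-hosted services whose DLL is not on a known-good baseline,
starting from 'reg export HKLM\\SYSTEM\\CurrentControlSet\\Services out.reg'.

Added example; the exported text and the baseline below are constructed.
"""
import re

SERVICES_ROOT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"


def decode_reg_value(raw):
    """Decode one .reg value: "string", dword:XXXXXXXX, or hex(N):.. bytes;
    hex(1)/hex(2)/hex(7) (REG_SZ/EXPAND_SZ/MULTI_SZ) are UTF-16LE text."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    m = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", raw)
    if m:
        data = bytes.fromhex(m.group(2).replace(",", ""))
        if m.group(1) in ("1", "2", "7"):
            return data.decode("utf-16-le").rstrip("\x00")
        return data
    return raw


def parse_reg_export(text):
    """Return {key path: {value name: value}}. reg.exe wraps long hex values
    with a trailing backslash and an indented continuation line; those are
    joined before the lines are read."""
    joined = re.sub(r"\\\r?\n\s*", "", text.lstrip("\ufeff"))
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            keys[current][name] = decode_reg_value(raw.strip())
    return keys


def hosted_services(keys):
    """Yield (name, ServiceDll, ImagePath, DisplayName) for each service whose
    ImagePath runs it inside svchost.exe."""
    depth = SERVICES_ROOT.count("\\") + 1
    for path, values in keys.items():
        if not path.startswith(SERVICES_ROOT + "\\") or path.count("\\") != depth:
            continue
        image = str(values.get("ImagePath", ""))
        if "svchost.exe" not in image.lower():
            continue
        params = keys.get(path + "\\Parameters", {})
        yield (path.rsplit("\\", 1)[1], str(params.get("ServiceDll", "")),
               image, str(values.get("DisplayName", "")))


def triage(keys, baseline_dlls):
    """Return [(service, dll, display name, reason)] for hosted services whose
    DLL file name is missing or absent from the known-good set."""
    hits = []
    for name, dll, _image, display in hosted_services(keys):
        base = dll.rsplit("\\", 1)[-1].lower()
        if not base:
            hits.append((name, dll, display, "hosted service has no ServiceDll"))
        elif base not in baseline_dlls:
            hits.append((name, dll, display, "ServiceDll not on the known-good baseline"))
    return hits


def encode_expand_sz(s, per_line=25):
    """Write a REG_EXPAND_SZ the way reg.exe exports it: UTF-16LE bytes as
    hex(2), comma separated, wrapped with ',\\' continuation lines."""
    pairs = ["%02x" % b for b in (s + "\x00").encode("utf-16-le")]
    chunks = [",".join(pairs[i:i + per_line]) for i in range(0, len(pairs), per_line)]
    return "hex(2):" + ",\\\n  ".join(chunks)


# Known-good ServiceDll file names taken from a clean reference build
# (constructed excerpt of such a list).
BASELINE = {"qmgr.dll", "wuaueng.dll", "netman.dll"}
SVCHOST = r"%SystemRoot%\system32\svchost.exe -k netsvcs"

# Constructed export: one genuine service, one not hosted by svchost, and one
# dummy service under a random name pointing at a random DLL.
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00", "",
    "[" + SERVICES_ROOT + r"\BITS]",
    '"DisplayName"="Background Intelligent Transfer Service"',
    '"ImagePath"=' + encode_expand_sz(SVCHOST), "",
    "[" + SERVICES_ROOT + r"\BITS\Parameters]",
    '"ServiceDll"=' + encode_expand_sz(r"%SystemRoot%\system32\qmgr.dll"), "",
    "[" + SERVICES_ROOT + r"\Spooler]",
    '"DisplayName"="Print Spooler"',
    '"ImagePath"=' + encode_expand_sz(r"%SystemRoot%\system32\spoolsv.exe"), "",
    "[" + SERVICES_ROOT + r"\qbmvsdf]",
    '"DisplayName"="Windows Security Helper"',
    '"ImagePath"=' + encode_expand_sz(SVCHOST), "",
    "[" + SERVICES_ROOT + r"\qbmvsdf\Parameters]",
    '"ServiceDll"=' + encode_expand_sz(r"%SystemRoot%\system32\xkwtrpz.dll"), "",
])

if __name__ == "__main__":
    for hit in triage(parse_reg_export(SAMPLE_REG), BASELINE):
        print(hit)
```

On a real case the baseline comes from a machine of the same build that is known to be clean, and every hit still needs the DLL itself examined (and its ACL checked, since the text notes the files are locked down) before it is called malicious; the comparison only narrows the list.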