Blog

Conficker Info

26/03/2009 16:26

 

Conficker

From Wikipedia, the free encyclopedia

 
Jump to: navigation, search
Common name Conficker
Aliases
Classification Highly Dangerous
Type Computer Worm
Subtype Computer Virus
Author(s) <Unknown>

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system.[1] The worm exploits a known vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta.[2][3][4] The latest variant will begin checking for a payload to download on April 1, 2009.[5]

Contents

[hide]

[edit] Operation

The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers. The worm uses a specially crafted RPC request to execute code on the target computer.[6]

When executed on a computer, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.

It receives further instructions by connecting to a server. The instructions it receives may include to propagate, gather personal information and to download and install additional malware onto the victim's computer.[7] The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe and services.exe.[8]

The worm seems to implement some of the ideas presented by Fucs, Paes de Barros e Pereira at the Blackhat Briefings Europe 2007, specifically: digitally signed additional payload, use of PRNG for communication and P2P communication.[9]

[edit] Payload

The "A" variant of Conficker will create an HTTP server and open a random port between 1024 and 10000. If the remote machine is exploited successfully, the victim will connect back to the HTTP server and download a worm copy. It will also reset System Restore points, and download files to the target computer.[10] The other variants are said to have payload that will activate on April 1.[11]

[edit] Symptoms of infection

  • Account lockout policies being reset automatically.
  • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
  • Domain controllers respond slowly to client requests.
  • System network gets unusually congested. This can be checked with network traffic chart on Windows Task Manager.
  • On websites related to antivirus software, Windows system updates cannot be accessed.[12]
  • Launches a brute force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.[13]

[edit] Impact

Experts say it is the worst infection since the SQL Slammer.[14] Estimates of the number of computers infected range from almost 9 million PCs[15][16] to 15 million computers.[17]

Another antivirus software vendor, Panda Security, reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.[18]

The potential scale of infection is large because 30 percent of Windows computers do not have the Microsoft Windows patch released in October 2008 to block this vulnerability.[19]

The U.K. Ministry of Defence reported that some of its major systems and desktops were infected. The worm has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and Hospitals across the city of Sheffield reported infection of over 800 computers.[20][21]

On February 6, 2009, the computers used by the Houston Municipal Courts were infected with Conficker. How the virus got into the system is unknown.[22]

On February 13 the Bundeswehr reported that some hundred of their computers were infected.[23]

[edit] Response

On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence.

As of February 13, 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the criminals behind the creation and/or distribution of Conficker.[24][25][26][27][28][29]

[edit] Patching and removal

On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability.[30] Removal tools are available from Microsoft,[31] BitDefender,[32] ESET, Symantec,[33] Sophos,[34] and Kaspersky Lab,[35] while McAfee and AVG can remove it with an on-demand scan.[36][37] While Microsoft has released patches for the later Windows XP Service Packs 2 and 3 and Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired. Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media (through modifying the Windows Registry) is recommended.[38] However the United States Computer Emergency Readiness Team describe Microsoft's guidelines on disabling Autorun as being "not fully effective," and they provide their own guides.[39] Microsoft has released a removal guide for the worm via the Microsoft website.

Also, on March 16, 2009, BitDefender released an updated tool to remove the already famous Downadup/Conficker worm on a new domain that has not been blocked by the malicious computer code at a website called "bdtools.net".

Apart from the fact that the BitDefender tool removes the latest and most resilient to disinfection release of the virus, it also comes as a separate installer dedicated to network administrators. In this way, the scanner can be dispatched throughout networks in order to remotely scan and disinfect workstations.

[edit] See also

[edit] References

  1. ^ "Three million hit by Windows worm". BBC News Online. BBC. 2009-01-16. https://news.bbc.co.uk/1/hi/technology/7832652.stm. Retrieved on 2009-01-16. 
  2. ^ Conficker worm still wreaking havoc on Windows systems. Government Computer News. January 15, 2009.
  3. ^ Windows 7 Beta is not immune conficker. Digital world. January 29, 2009.
  4. ^ $250,000 Reward for the Author of Nasty Worm Affecting Windows 7, Vista, and XP. Softpedia. February 13,2009.
  5. ^ CONFICKER C ANALYSIS (draft). March 19, 2009.
  6. ^ https://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-4250
  7. ^ "Conficker Worm Attack Getting Worse: Here's How to Protect Yourself". PC World. 2009-01-17. https://www.pcworld.com/article/157877/conficker_worm_attack_getting_worse_heres_how_to_protect_yourself.html. Retrieved on 2009-01-18. 
  8. ^ "F-Secure Malware Information Pages". F-secure. https://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml#details. Retrieved on 2009-01-18. 
  9. ^ "New botnets trends and threats". BlackHat. https://www.blackhat.com/presentations/bh-europe-07/Fucs-Paes-de-Barros-Pereira/Presentation/bh-eu-07-barros.pdf. Retrieved on 2009-03-10. 
  10. ^ https://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
  11. ^ Giz Explains: How a Brainy Worm Might Jack the World's PCs on April 1. Gizmodo. March 25, 2009.
  12. ^ "Virus alert about the Win32/Conficker.B worm". Microsoft. 2009-01-15. https://support.microsoft.com/kb/962007. Retrieved on 2009-01-22. 
  13. ^ "Passwords used by the Conficker worm". Sophos. https://www.sophos.com/blogs/gc/g/2009/01/16/passwords-conficker-worm/. Retrieved on 2009-01-16. 
  14. ^ Markoff, John (2009-01-22). "Worm Infects Millions of Computers Worldwide". New York Times. https://www.nytimes.com/2009/01/23/technology/internet/23worm.html?em. 
  15. ^ Sean (2009-01-16). "Preemptive Blocklist and More Downadup Numbers". F-Secure. https://www.f-secure.com/weblog/archives/00001582.html. Retrieved on 2009-01-16. 
  16. ^ Neild, Barry (16 January 2009). "Downadup virus exposes millions of PCs to hijack". CNN. https://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/?iref=mpstoryview. Retrieved on 2009-01-18. 
  17. ^ "Virus strikes 15 million PCs". UPI.com. 2009-01-26. https://www.upi.com/Top_News/2009/01/25/Virus_strikes_15_million_PCs/UPI-19421232924206/. Retrieved on 2009-03-25. 
  18. ^ Panda Security (2009-01-21). "Six percent of computers scanned by Panda Security are infected by the Conficker worm". Panda Security. https://www.pandasecurity.com/homeusers/media/press-releases/viewnews?noticia=9526. Retrieved on 2009-01-21. 
  19. ^ "Three in 10 Windows PCs still vulnerable to Conficker exploit". The Register. 19 January 2009. https://www.theregister.co.uk/2009/01/19/conficker_worm_feed/. Retrieved on 2009-01-20. 
  20. ^ "MoD networks still malware-plagued after two weeks". The Register. 20 January 2009. https://www.theregister.co.uk/2009/01/20/mod_malware_still_going_strong/. Retrieved on 2009-01-20. 
  21. ^ "Conficker seizes city's hospital network". The Register. 2009-01-20. https://www.theregister.co.uk/2009/01/20/sheffield_conficker/. Retrieved on 2009-01-20. 
  22. ^ https://www.chron.com/disp/story.mpl/front/6250411.html[dead link]
  23. ^ Conficker Worm infect hundreds of bundeswher computers. Date accessed: March 15, 2009.
  24. ^ https://www.cnn.com/2009/TECH/ptech/02/13/virus.downadup/index.html
  25. ^ Microsoft announces industry alliance, $250k reward to combat Conflicker. Zero Day. February 12, 2009.
  26. ^ Microsoft offers $250,000 reward for Comficker arrest. CNET News. February 12, 2009.
  27. ^ Microsoft announces $250 Conficker worm bounty. Network World. February 12, 2009
  28. ^ Microsoft offers $250,000 bounty for capture of Conficker worm creator. Guardian.co.uk. Februaury 13, 2009
  29. ^ "Microsoft bounty for worm creator". BBC. 2009-02-13. https://news.bbc.co.uk/1/hi/technology/7887577.stm. Retrieved on 2009-02-13. 
  30. ^ "Microsoft Security Bulletin MS08-067". 2008-10-23. https://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx. Retrieved on 2009-01-19. 
  31. ^ https://www.microsoft.com/security/malwareremove/default.mspx,
  32. ^ https://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
  33. ^ https://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=3
  34. ^ https://www.sophos.com/support/knowledgebase/article/51416.html
  35. ^ https://support.kaspersky.com/faq/?qid=208279973 How to fight network worm Net-Worm.Win32.Kido
  36. ^ https://vil.nai.com/vil/content/v_153464.htm
  37. ^ https://www.viruslist.com/en/alerts?alertid=203996089
  38. ^ "MS08-067 Worm, Downadup/Conflicker". https://www.f-secure.com/weblog/archives/00001576.html. Retrieved on 2009-01-08. 
  39. ^ "Microsoft Windows Does Not Disable AutoRun Properly". US-CERT. January 29, 2009. https://www.us-cert.gov/cas/techalerts/TA09-020A.html. Retrieved on 2009-02-16.
>>

Assalamualaikum

17/02/2009 10:08

Web site ini dilancarkan oleh team kami jadi tunggu dan lihat blogs akan ditulis terima kasih kerana melayari email kami.Contatct kami jika ada masaalah.

>>

Tags

  1. Save Malay
  2. Movie

Contact

Amirul Asyraf amirulayraf_040894@rocketmail.com 014-2479905

Search site

© 2008 All rights reserved.