#1 (permalink)
Conficker Worm Spikes, Infects 1.1 Million PCs In Less Than 24 Hours
It has been over a month since we heard much about Conficker, but the worm has reappeared with a vengeance over the past seven days. According to Finnish security company F-Secure, more than one million PCs have been infected with the worm (also known as Kido or Downadup) in the past 24 hours, with a total of 3.52 million machines infected worldwide. According to F-Secure, that 3.52 million is a conservative estimate.

The problem isn't so much with the older version of Conficker (now known as Conficker.A) but with a new flavor, dubbed Conficker.B. Ars spoke with Roger Halbheer, Chief Security Advisor of Microsoft's EMEA (Europe, Middle East, and Africa); he's been monitoring (and writing) about the current spread of infections. The skyrocketing infection rate is actually being caused by several factors; Roger describes Conficker.B as a "beast," and Microsoft has built the following diagram to demonstrate how the worm functions.

Once run or given access to an unprotected machine, Conficker.B begins searching for other systems or shares within the local network that it can infect. Shared systems, removable drives, or unpatched systems are all eligible targets, as are machines with weak passwords. This last bit is an important new feature of Conficker.B; a complete list of the passwords it checks for can be found here. If Conficker.B manages to successfully guess a password, it moves in and continues hunting for new targets. Microsoft summarizes the new strain as follows:

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Roger confirmed that the Malicious Software Removal Tool (MSRT) has checked for and removed Conficker.B since December 29, 2008, but it's not possible to access any Microsoft website once Conficker.B has infected a system; the worm blocks access to multiple domains based on string identification. If you've got a system that's infected, you'll need to download the latest MSRT from Microsoft on a clean system and run it manually. Not all AV scanners currently detect Conficker.B, even if they've been updated to detect Conficker.A—I don't have a list of specific solutions that can't currently catch the new worm, but all of Microsoft's antimalware/antivirus products—Forefront, OneCare, and the Online Safety Scanner—will find Conficker.B if it's present (and you somehow haven't noticed). If there's a scrap of good news in all this, it's that Conficker.B is not a subtle worm.

Roger has provided some additional coverage on the worm that may be useful. First and foremost, he recommends installing MS08-067—this will not remove an existing infection, but it will guard against attack from either version of the agent, provided you aren't using weak passwords.

When Conficker.A first appeared, we raised the question of whether or not Microsoft should force updates in certain situations, and what those situations might be. In this case, even unilaterally enforced updates wouldn't solve the problem of weak passwords, but it would have undoubtedly cut the number of new infections we are seeing today. The size of that reduction would be the point on which the value of forced updates would turn, and of course, that's the one thing we can't predict; there are holes in existing AV products that would allow Conficker.B through, and the worm will attack and infect machines using weak passwords. Depending on how you view the situation, this second strain could reinforce the need for mandatory updates or blow a hole in the argument.

Part of the reason for the problem, however, must inevitably come back upon the users, IT administrators, or managers that opted not to install the patch. As Roger writes:

"If you decide not to roll out a security update which is so critical that we decide to go out of band, you play Russian Roulette with your network...The same is actually true if you do not run and maintain an appropriate Anti-Malware solution...Now, if we look at Conficker.B: This is really an ugly beast: You need just one infected machine in your network in order to have it spread across your network fast and aggressively. You can get it even through a USB-stick...it just needs one unpatched/infected machine."

Indeed. Based on the characteristics of a worm such as this, even mandatory updates would only be one facet of prevention.

To help customers who are affected, we decided to add capabilities to detect and remove this worm to the January version of the MSRT. This version is released today and is available here. If your computer or environment is impacted by this malware, you may want to run the MSRT to help disinfect it.

The first step would be to install the update on all your computers and replace passwords of network shares with stronger ones. Then use the MSRT to remove the worm from infected computers. Infected computers may not be able to access Windows Update and therefore the administrator may need first to download the tool using a clean computer, and then distribute it to the other machines, for example by copying it to a share, write-protecting the share, then running the tool from there. KB article 891716 provides information on how to use the MSRT in enterprise environments and you can learn more about Win32/Conficker.B and about preventive measures here.

The MSRT released today is also addressing Win32/Banload which is a family of trojan downloaders. We will post another blog discussing Win32/Banload later this month.
| The Following 9 Users Say Thank You to woodcreeker For This Useful Post: | attila (01-18-2009), buster4114 (01-18-2009), classic6200 (01-28-2009), Ladybbird (01-17-2009), maeaz (03-27-2009), oscar (01-17-2009), Roswell (01-17-2009), spyder123 (01-24-2009), whitefish (01-17-2009) |
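The symptom described in the post above (Microsoft sites unreachable on an infected PC while other names still resolve) can be turned into a quick triage check over name-resolution results. This is an added example, not part of the original post or any Microsoft tool; the host names, the sample results and the use of "microsoft" as the only watched string are assumptions.

```python
import socket
from collections import namedtuple

# Assumption: "microsoft" is the only blocked string the post supports; extend
# the tuple from the vendor write-up for the strain being triaged.
BLOCKED_STRINGS = ("microsoft",)

Lookup = namedtuple("Lookup", "host name resolved")

def resolves(name):
    """Live probe to run on a suspect machine (not used by the sample below)."""
    try:
        socket.getaddrinfo(name, 80)
        return True
    except socket.gaierror:
        return False

def classify(lookups, blocked=BLOCKED_STRINGS):
    """Return {host: verdict} from per-host name-resolution results."""
    per_host = {}
    for lk in lookups:
        watched = any(s in lk.name.lower() for s in blocked)
        bucket = per_host.setdefault(lk.host, {"watched": [], "control": []})
        bucket["watched" if watched else "control"].append(lk.resolved)
    verdicts = {}
    for host, b in per_host.items():
        if not b["watched"] or not b["control"]:
            verdicts[host] = "insufficient-data"   # need both kinds of name
        elif not any(b["control"]):
            verdicts[host] = "no-connectivity"     # everything fails: outage
        elif not any(b["watched"]) and all(b["control"]):
            verdicts[host] = "selective-block"     # only watched names fail
        elif all(b["watched"]):
            verdicts[host] = "ok"
        else:
            verdicts[host] = "inconclusive"
    return verdicts

# Constructed sample results (host names and outcomes are invented).
SAMPLE = [
    Lookup("pc-01", "www.microsoft.com", False),
    Lookup("pc-01", "update.microsoft.com", False),
    Lookup("pc-01", "example.org", True),
    Lookup("pc-02", "www.microsoft.com", True),
    Lookup("pc-02", "example.org", True),
    Lookup("pc-03", "www.microsoft.com", False),
    Lookup("pc-03", "example.org", False),
    Lookup("pc-04", "example.org", True),
]

if __name__ == "__main__":
    for host, verdict in sorted(classify(SAMPLE).items()):
        print(host, verdict)
```

A "selective-block" verdict is only a reason to scan the machine with the MSRT from a clean, write-protected source; a filtering proxy or DNS policy can produce the same pattern.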
#2 (permalink)
Thank you for this, I'm running it now WC. Could this be what has affected this site with the warnings folk have received trying to enter the site? Also I had something for sure on my laptop with someone stealing my email address and posting hundreds of promotional emails to Yahoo addresses. I had to contact AOL helpline (in India) as the hackers had even changed my password on that email account and AOL reset the password. I did have an easy password on there before. But I am still having problems on my email account with AOL.
__________________
![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() ![]() PLEASE if you receive any help from any of us, it would be nice if you clicked on the thanks or rep button in the helpers post. ________________________________ WOODCREEKERS FAN CLUB SECRETARY ![]() ![]() ![]() ![]() ![]() ![]() ![]() IF YOU ARE HAPPY WITH THE HELP YOU'VE BEEN GIVEN PLEASE DONATE SOMETHING TO HELP US AND SEE ALL EXTRA GOODIES IN THE VIP SECTION |
#3 (permalink)
Lady: I heard two girls from SD hacked David Bisbal's email by entering his personal question; they answered that question, gained access to his email and asked 100K dollars for the info. They were arrested now.
#5 (permalink)
2 found and removed:

Worm:Win32/Alcan.D is a worm that spreads via peer-to-peer (P2P) file sharing networks. Worm:Win32/Alcan.D downloads and runs files from remote websites and may interfere with security software installed on the system.

Backdoor:Win32/RBot
Win32/IRCBot.worm.variant (AhnLab), W32/Ircbot.1!Generic (Authentium (Command)), Win32/Rbot!generic (CA), Win32/Rbot.Y (ESET), Backdoor.Win32.Rbot.gen (Kaspersky), W32/Sdbot.worm.gen.g (McAfee), W32/Spybot.BPUM (Norman), W32/Rbot-GR (Sophos), W32.Spybot.Worm (Symantec), WORM_SPYBOT.GEN (Trend Micro)
#6 (permalink)
Sorry to hear that.... Love your Mac and be free of worms & horses....
#7 (permalink)
I'm sorry but you know my heart belongs to WC, don't want to get involved with this Mac friend of yours.
Seriously I will find a few hours w.o. constant interruptions and learn my MAC, then I won't have to go through these virus checks. Do you mean on a MAC they never have to worry about any sort of virus? EVER?
#8 (permalink)
I believe they had a virus once, didn't go anywhere and it wasn't a virus in the traditional sense.
#9 (permalink)
EVER......
#12 (permalink)
It's ok thanks, we're actually both right in a way. I just wish my memory was better, they had something but it was sooooo long ago and it didn't do any harm. It was talked about on a show called Lab with Leo (good show still on) but I just don't remember exactly what it was.
#14 (permalink)
First ever virus for Mac OS X discovered

Looks like you were right Bobo.
#15 (permalink)
I think everyone should download this Microsoft Malware detection/removal link provided by Woodcreeker on his original post in this thread. It picked up 2 worms on my system.