Conficker.C Worm - Major Attack targeted for April Fools Day

The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthier than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations, while the worm is currently dormant.

If it establishes a foothold anywhere in the network, it can even spread to systems that are patched with MS08-067 if they are insecure in other areas (i.e., it uses multiple attack methods).

Please take precautions now, as this one will be even more difficult than "B" was to clean.

Conficker.C Worm - Major Attack targeted for April Fools Day
http://techfragments.com/news/629/Software/Downadup_Win32Conficker-C_Worm_Revving_Up_to_Spread.html
http://arstechnica.com/security/news/2009/03/confickerc-primed-for-april-fools-activation.ars
http://www.maximumpc.com/article/news/this_no_joke_confickerc_strike_april_fools_day
http://news.cnet.com/8301-1009_3-10196122-83.html
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976

QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports. Conficker.C's designed to hide itself even more thoroughly than its older siblings Conficker.A and Conficker.B, using tricks such as:

• Inserting itself into as many as five Windows-related folders such as System, Movie Maker, Internet Explorer, and others (under a random name, of course)
• Creating access control entries and locking the file(s)
• Registers dummy services using a "one (name) from column A, one from column B, and two from column C" method

To find out what happens when Conficker.C strikes, join us after the jump.
Conficker.C's payload makes it harder than ever to recover from being infected:

• Deactivates Windows Security Center notifications
• Prevents restart in Safe Mode
• Prevents Windows Defender from running at system startup
• Deletes all system restore points
• Disables various error-reporting and security services
• Terminates over twenty security-related processes
• Blocks DNS queries
• Blocks access to security and antivirus websites
• And, to top it all off, Conficker.C can choose from a list of 500 domains to contact out of a pool of 50,000 (way up from Conficker.B's 32 out of 250).

Conficker.C - Detailed Evaluation by SRI
http://mtc.sri.com/Conficker/addendumC/

QUOTE: Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. In fact, we estimate that C leaves as little as 15% of the original B code base untouched

Below are some resources for information and cleaning tools for the Conficker worm:

Conficker - Cleaning tips for corporate users
http://msmvps.com/blogs/harrywaldron/archive/2009/01/27/conficker-cleaning-tips-for-corporate-users....

Internet Storm Center - Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860

Microsoft Resources
http://support.microsoft.com/kb/962007
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx

RE: Conficker.C Worm - Major Attack targeted for April Fools Day

Hopefully, Conficker.C won't affect as many people as in the past when more unpatched systems were present. Still on April 1st, a much more robust version of Conficker will become active from the current dormant "sleep mode". In preparation for this expected outbreak, the Internet Storm Center has updated their excellent list of cleaning and informational resources.

ISC - Updated Conficker Resource Center
http://isc.sans.org/diary.html?storyid=5860

QUOTE: I am hoping that this will allow you to pick and choose the information, removal tool, and more importantly your own path when mitigating Conficker.

RE: Conficker.C Worm - Major Attack targeted for April Fools Day

18 hours after April 1st started at the International Date Line, it's fairly quiet; here's hoping it stays that way. There are some spam "April Fools" hoaxes circulating that attempt to alarm folks:

http://www.f-secure.com/weblog/archives/00001645.html
http://blog.trendmicro.com/strange-april-foolsd-day-prank/

The April 1st routine is mainly to update and not attack (although new malware attacks could originate later from an updated infected client). Below are some good security site resources to periodically check on developments through the day:

http://www.f-secure.com/weblog/
http://isc.sans.org/
http://www.avertlabs.com/research/blog/
http://blog.trendmicro.com/

* * * * *

AVERT is reporting a few UDP-based updates via the highly encrypted P2P channel:
http://www.avertlabs.com/research/blog/index.php/2009/04/01/confickerc-on-the-wire-2/

QUOTE: There were a few instances where Conficker.C did discover peers out there, and exchanged short UDP packets with them over several minutes. We were extremely curious about them.

* * * * *

GREAT RESOURCE FOR CORPORATE ADMINS

Nmap 4.85 Beta6 released to Scan for Conficker Worm
http://insecure.org/
http://nmap.org/download.html
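Added example, not code from the thread or from the Nmap project: a small triage script for admins running that scan across a subnet. It parses a constructed, approximate sample of Nmap normal output (the script name `smb-check-vulns`, the scan command in the comment and the exact status strings are assumptions; check them against the Nmap version you run) and lists hosts flagged as likely infected, hosts still missing MS08-067, and hosts that produced no verdict at all.

```sh
#!/bin/sh
# Constructed sample (not real scan output) approximating the normal-output
# format of an Nmap SMB vulnerability check; assumption: the scan was run as
#   nmap -p445 --script smb-check-vulns 192.0.2.0/24 -oN conficker-scan.txt
SAMPLE_SCAN='Nmap scan report for ws-01.example.test (192.0.2.10)
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely INFECTED
|_  regsvc DoS: NOT VULNERABLE

Nmap scan report for 192.0.2.11
445/tcp open  microsoft-ds
Host script results:
| smb-check-vulns:
|   MS08-067: NOT VULNERABLE
|   Conficker: Likely CLEAN
|_  regsvc DoS: NOT VULNERABLE

Nmap scan report for 192.0.2.12
445/tcp filtered microsoft-ds'

# Print the address of every host whose script results contain the exact
# status text given as $1 (scan text on stdin). The address comes from the
# "Nmap scan report" line; the parentheses Nmap adds after a hostname are stripped.
flagged_hosts() {
  awk -v pat="$1" '
    /^Nmap scan report for / { host = $NF; gsub(/[()]/, "", host) }
    index($0, pat) > 0       { print host }
  '
}

# Print hosts that produced no Conficker verdict at all (port 445 filtered,
# check timed out, ...). These still need follow-up; no verdict is not a clean bill.
unassessed_hosts() {
  awk '
    function flush() { if (host != "" && !seen) print host }
    /^Nmap scan report for / { flush(); host = $NF; gsub(/[()]/, "", host); seen = 0 }
    /Conficker: /            { seen = 1 }
    END                      { flush() }
  '
}

printf '%s\n' "$SAMPLE_SCAN" | flagged_hosts "Conficker: Likely INFECTED"   # 192.0.2.10
printf '%s\n' "$SAMPLE_SCAN" | flagged_hosts "MS08-067: VULNERABLE"         # 192.0.2.10
printf '%s\n' "$SAMPLE_SCAN" | unassessed_hosts                             # 192.0.2.12
```

On a real scan, replace the sample with `flagged_hosts ... < conficker-scan.txt` and feed the resulting lists to your isolation and patching workflow.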

RE: Conficker.C Worm - Major Attack targeted for April Fools Day

Another good update on Conficker below. Please note that on April 1st, "C" started its routines to update, and more developments could occur in the days ahead. Most likely, the malware authors will want to keep this advanced worm as quiet and stealth-like as possible. It uses an advanced and encrypted P2P channel for update and control functions, much like the Storm Worm Botnet.

Today's actions are not a major attack, nor is it an April Fools Day joke that it did nothing. The authors know that security folks are on high alert watching it and have most likely delayed trying to do anything today.

http://sunbeltblog.blogspot.com/2009/03/please-world-is-not-ending-on-april-1.html

QUOTE: Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security.

So, you still want to protect against Conficker? Here is what to do. Make sure that the Windows Security Center is functioning and you are up to date on your Microsoft security patches. You can go to http://update.microsoft.com to manually check for updates. Make sure your antivirus product is up to date.

RE: Conficker.C Worm - Major Attack targeted for April Fools Day

F-Secure has a good FAQ providing the latest developments on this Internet worm:

Conficker - Post April 1st FAQ
http://www.f-secure.com/weblog/archives/00001647.html


What really happened was that the Conficker Working Group was able to prevent them from registering any of the domains used by the worm. Never before have we seen such a global cooperation within the industry and we're proud to be a member of that group. Also, it would've been pretty stupid for the people behind Conficker to do something on the day everyone expected them to.


RE: Conficker.C Worm - Major Attack targeted for April Fools Day

I hope that everyone understands the immense scale of infected machines out there, and that this was NOT a false alarm.

Professionals worked together to actively combat the infection and prevent a severe global threat, and I for one am very grateful that my WWW connection was not disrupted.

I hope the publicity this generated will encourage more end users to keep current on computer security issues, and proactively use anti-malware software and to keep all their PC applications updated.

Thank you again for the great information you post here for us. grin