The Conficker Worm, which has been infecting PCs for around six months through various means including infected memory sticks, is set to trigger tomorrow, April 1st 2009. Note that, in spite of the date, this isn't an April Fool - this message is being posted on March 31st.
No-one (apart from the worm's authors) really knows what will happen when the worm triggers. The following information, from US-CERT (United States Computer Emergency Readiness Team), tells about as much as we know and, more usefully, gives a simple way to check if your PC is infected. If you can't reach any of the links given in Section I of the alert, you may be infected. If you can reach all three, you're probably not - but it's worth double-checking anyway to be sure.
We urge all our users to make sure they are not infected by this worm, and we urge all our users to make sure they remain free from infection by running up-to-date anti-virus software, ensuring their PCs are regularly updated with the latest patches from their OS providers (Microsoft for Windows, Apple for OSX etc.), and ensuring they only access the Internet from behind a firewall, whether it's a hardware-based one or a software one.
Please click here for an update on the situation, 9th April 2009
Subject: US-CERT Technical Cyber Security Alert TA09-088A -- Conficker Worm Targets Microsoft Windows Systems
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
National Cyber Alert System
Technical Cyber Security Alert TA09-088A
Conficker Worm Targets Microsoft Windows Systems
Original release date: March 29, 2009
Last revised: March 30, 2009
Source: US-CERT
Systems Affected
* Microsoft Windows
Overview
US-CERT is aware of public reports indicating a widespread
infection of the Conficker/Downadup worm, which can infect a
Microsoft Windows system from a thumb drive, a network share, or
directly across a corporate network, if the network servers are not
patched with the MS08-067 patch from Microsoft.
I. Description
Home users can apply a simple test for the presence of a
Conficker/Downadup infection on their home computers. The presence
of a Conficker/Downadup infection may be detected if a user is
unable to surf to their security solution website or if they are
unable to connect to the websites, by downloading detection/removal
tools available free from those sites:
* http://www.symantec.com/norton/theme.js … icker_worm
* http://www.microsoft.com/protect/comput … icker.mspx
* http://www.mcafee.com
If a user is unable to reach any of these websites, it may indicate
a Conficker/Downadup infection. The most recent variant of
Conficker/Downadup interferes with queries for these sites,
preventing a user from visiting them. If a Conficker/Downadup
infection is suspected, the system or computer should be removed
from the network or unplugged from the Internet - in the case for
home users.
II. Impact
A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.
III. Solution
Instructions, support and more information on how to manually
remove a Conficker/Downadup infection from a system have been
published by major security vendors. Please see below for a few of
those sites. Each of these vendors offers free tools that can
verify the presence of a Conficker/Downadup infection and remove
the worm:
Symantec:
http://www.symantec.com/business/securi … 16-0247-99
Microsoft:
http://support.microsoft.com/kb/962007
http://www.microsoft.com/protect/comput … icker.mspx
Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.
US-CERT encourages users to prevent a Conficker/Downadup infection by
ensuring all systems have the MS08-067 patch (see
http://www.microsoft.com/technet/securi … 8-067.mspx),
disabling AutoRun functionality (see
http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and
maintaining up-to-date anti-virus software.
IV. References
* Microsoft Windows Does Not Disable AutoRun Properly -
<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>
* Virus alert about the Win32/Conficker.B worm -
<http://support.microsoft.com/kb/962007>
* Microsoft Security Bulletin MS08-067 - Critical -
<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>
* MS08-067: Vulnerability in Server service could allow remote code
execution -
<http://support.microsoft.com/kb/958644>
* The Conficker Worm -
<http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>
* W32/Conficker.worm -
<http://us.mcafee.com/root/campaign.asp?cid=54857>
* W32.Downadup Removal Tool -
<http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99>
____________________________________________________________________
The most recent version of this document can be found at:
<http://www.us-cert.gov/cas/techalerts/TA09-088A.html>
____________________________________________________________________
Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA09-088A Feedback VU#827267" in
the subject.
____________________________________________________________________
For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________
Produced 2009 by US-CERT, a government organization.
Terms of use:
<http://www.us-cert.gov/legal.html>
____________________________________________________________________
Revision History
March 29, 2009: Initial release
March 30, 2009: Included additional details
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
iQEVAwUBSdEYX3IHljM+H4irAQIYGQgAiYr6a3OCj8JFRPhDWwwampacVHYxW2o+
fKkXtHu093UYd8tXWv/crvQzMfMPaH/+zwXhO/pEPqyAh+916EvqVpsMnvhOOJzw
1y7y+aCYtxlS+B8/TXbI0GGjzv8HmmlCOoxg4jz9BggR+fnjVC+gqq0Ml16Z539J
2/TRiidVh+QwIUB7KtsPZU0DZgCFkXBoAWEurd2kpqGP8xkK2M3/N6PN2GfftqSg
Apzc80ikWUCXcA2ppbk0V85bRw3NhIiXmN5EBgQr28ZF2WByaSnCE6irTKN0eTX1
E2q21qIdfjd09BVLWgXRa0kXG8eqZBgt6uulf/yfd9S5pPquz4Cyuw==
=zSHY
-----END PGP SIGNATURE-----
Note that the PGP signature may not verify correctly on the message as displayed in your browser.
Last edited by Jellyroll (09-04-2009 12:03:39)
I thought this was patched back in October? Not that some places won't be hit, like the dimwits at the last company I worked for who went six months without AV updates and system patches because the losers in the IT department wouldn't admit they hadn't a clue what they were doing.
Make sure your auto updates are on and the same for your AV package then wait and see what happens. 
In spite of protection being in place since before the worm was first discovered last November, it is estimated that there are around ten million infected PCs - infected because of weak & easily-guessed passwords, failure to install patches, failure to run up-to-date anti-virus and failure to operate behind firewalls.
Tomorrow may prove interesting. I just hope that people reading this will be interested observers, not unwitting participants.
True. I always say that internet security for your PC is best viewed with a generous dose of paranoia; they are out to get you, and you can't really rely on one solution. I force myself to make awkward passwords even though by nature I'm as prone to being lazy as anyone else.
What I'm really worried about is the inevitable slew of calls I'll get from friends or relatives tomorrow if it really does kick off something major. I swear one of these days I'll replace the little security lecture with a permanent marker pen and their monitors.
I got an email this evening offering a link to find out more about the Conficker virus and an antivirus code to use... needless to say it is now in my junk mail box.
Update 9th April 2009
Conficker has started the next phase of its operation, downloading malware onto infected PCs via its own P2P network. The newly-downloaded software is encrypted, so its purpose is as yet unclear.
Trend Micro blog post on the subject
http://www.confickerworkinggroup.org/in … chart.html is a web page to help identify if you are infected -- but be aware that it is not foolproof, and won't help if you are running through a non-transparent proxy (i.e. one entered manually or automatically into your browser's configuration), as it identifies the worm's presence by its effect on DNS. A manual proxy request won't use DNS, but a request through a transparent proxy will.
http://news.bbc.co.uk/2/low/technology/7991422.stm
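The check described in Section I of the US-CERT alert (can you reach the three vendor sites?) and the proxy caveat in the update above (a manually configured proxy does the name lookup for you, so a browser test behind one says nothing about this machine) can be combined into one small script. The following is an added example; it is not code from the forum post, from US-CERT, or from any of the vendors named. It assumes that the interference the alert describes shows up on this host as a failed name lookup or a failed connection, and it uses www.example.com as a control host (not part of the alert) so that a dead network connection is not mistaken for selective blocking. The name lookup is done locally, separately from the HTTP fetch, so the lookup step remains meaningful even when a proxy is configured.

```python
"""Reachability check modelled on Section I of the US-CERT alert.

Added example, not code from the forum post, US-CERT or any vendor.
Assumptions: the worm's interference shows up on this host as a failed
name lookup or failed connection to the vendor sites; www.example.com
is used as a control host (not in the alert) to separate general
network trouble from selective blocking.
"""
import os
import socket
import urllib.request
from typing import Callable, Dict, List, Optional

# Hosts of the three vendor sites listed in Section I of the alert.
VENDOR_HOSTS = ["www.symantec.com", "www.microsoft.com", "www.mcafee.com"]
CONTROL_HOST = "www.example.com"   # assumed control host, not in the alert

DNS_OK, DNS_FAIL = "dns-ok", "dns-fail"
HTTP_OK, HTTP_FAIL, HTTP_SKIPPED = "http-ok", "http-fail", "http-skipped"


def proxy_configured(env: Dict[str, str] = os.environ) -> bool:
    """True when a manual HTTP(S) proxy is set in the environment; urllib then
    sends the request to the proxy, and the proxy (not this host) resolves the name."""
    keys = ("http_proxy", "HTTP_PROXY", "https_proxy", "HTTPS_PROXY")
    return any(env.get(k) for k in keys)


def http_fetch(host: str, timeout: float = 5.0) -> None:
    """Fetch http://<host>/ and raise on any failure."""
    with urllib.request.urlopen("http://%s/" % host, timeout=timeout):
        pass


def check_host(host: str,
               resolve: Callable[[str], str] = socket.gethostbyname,
               fetch: Callable[[str], None] = http_fetch) -> Dict[str, str]:
    """Resolve the name on this host first (independent of any proxy), then
    attempt an HTTP fetch. Both steps are injectable so the decision logic can
    be exercised offline with constructed outcomes."""
    try:
        resolve(host)
    except OSError:
        return {"host": host, "dns": DNS_FAIL, "http": HTTP_SKIPPED}
    try:
        fetch(host)
    except Exception:
        return {"host": host, "dns": DNS_OK, "http": HTTP_FAIL}
    return {"host": host, "dns": DNS_OK, "http": HTTP_OK}


def classify(vendor: List[Dict[str, str]], control: Dict[str, str],
             proxy: bool) -> Dict[str, object]:
    """Turn per-host results into a verdict.

    clean        - control host and every vendor site reachable
    inconclusive - control host unreachable: general connectivity problem
    suspicious   - control host fine, one or more vendor sites unreachable
    """
    def failed(r: Dict[str, str]) -> bool:
        if r["dns"] == DNS_FAIL:
            return True
        # Behind a manual proxy the HTTP leg was performed by the proxy, so a
        # failed fetch says nothing about this host (the thread's caveat).
        return r["http"] == HTTP_FAIL and not proxy

    unreachable = [r["host"] for r in vendor if failed(r)]
    if failed(control):
        status = "inconclusive"
    elif not unreachable:
        status = "clean"
    else:
        status = "suspicious"
    return {"status": status, "unreachable": unreachable, "proxy": proxy}


def run_check(resolve: Callable[[str], str] = socket.gethostbyname,
              fetch: Callable[[str], None] = http_fetch,
              proxy: Optional[bool] = None) -> Dict[str, object]:
    """Check the control host and the vendor sites and return the verdict."""
    if proxy is None:
        proxy = proxy_configured()
    vendor = [check_host(h, resolve, fetch) for h in VENDOR_HOSTS]
    control = check_host(CONTROL_HOST, resolve, fetch)
    return classify(vendor, control, proxy)


if __name__ == "__main__":
    print(run_check())
```

A "suspicious" verdict is only a prompt to run one of the vendor tools the alert lists; a "clean" verdict is not proof of a clean machine, which is the same limitation the update above notes for the Conficker Working Group page.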
I haven't managed to access it either 