TechSpot

Mal/Conficker-A is a worm for the Windows platform

By Bobbye
Jan 16, 2009
  1. Mal/Conficker-A Very Active:

    How it spreads:
    * Removable storage devices
    * Network shares
    Characteristics:
    * Installs itself in the registry

    Does this sound familiar?

    If you don't patch, the ever-transforming Conficker malware program could end up testing your security perimeter breach responses.
    Emergency Microsoft Patch MS08-067 Issued, Exploit code in wild. The patch: Microsoft released the patch in October 2008 to Windows Update.
    The patch can be found here: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

    Sources and additional information:
    Sophos: http://www.sophos.com/security/analyses/viruses-and-spyware/malconfickera.html?_log_from=rss
    InfoWorld: http://weblog.infoworld.com/securit...r_malwa.html?source=NLC-DAILY&cgd=2009-01-16
    TechNet: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
     
  2. jobeard

    jobeard TS Ambassador Posts: 9,322   +622

    Just beautiful.

    This post should be a MODEL for known infection/resolution threads;

    in fact (IMO), this style and content deserves its own subforum!
     
  3. rev_olie

    rev_olie TS Maniac Posts: 560

    I think jobeard's idea should go in the site feedback and suggestions (tell me if you do, I'll back you up :))
    This should be stickied as well. Really good info, Bobbye.

    PS: Any known fixes yet? I know they got one denied on the grounds that it would be unauthorized use.
     
  4. Bobbye

    Bobbye Helper on the Fringe Topic Starter Posts: 16,335   +36

    Scary isn't it! Sounds like quite a few of the malware posts here!
     
  5. rev_olie

    rev_olie TS Maniac Posts: 560

    I must admit you're right. Looking over, there seem to be a few signs here and there. It's 3.5 million infected machines up to now, so F-Secure could really use a workaround to help get it sorted.
     
  6. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    The easiest way is to write a script specific to the user's random files; I prefer ComboFix.

    Afterwards, there is a tool from Microsoft to repair the autorun features; the user has to log off their user account, then log back in for the changes to take effect.
     
  7. rev_olie

    rev_olie TS Maniac Posts: 560

    Hmm, sounds interesting. Where do you learn to write scripts for ComboFix etc.?

    I'm guessing you mean like where you put:

    File for deletion
    File
    fileexample.exe

    Registrykey
    fiwefwn4233yr9r

    something like that anyhow :p. Obviously there isn't a registry key fiwefwn4233yr9r, but you know what I mean :p

    Sorry if I'm ruining your post, btw, Bobbye.
     
  8. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    Over 9 million people are now infected with this...

    Did you notice Microsoft released the patch back in October 2008. Goes to show how many unsecured systems are out there.

    If you had automatic updates enabled you should have received the patch back then

    A good firewall also goes a long way
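    The two controls this thread keeps coming back to are the MS08-067 patch (KB958644) and AutoRun on removable drives. As an added example, not code from the thread or from any of the posters, here is a PowerShell check that reports both on the local host, plus any removable drive currently carrying an autorun.inf. It assumes Windows PowerShell 2.0 or later; the commented-out remediation at the end needs an elevated prompt. The Microsoft AutoRun fix Blind Dragon mentions is presumably the one described in KB967715, which writes the same NoDriveTypeAutoRun value shown here.

```powershell
# Added example (not from the thread): audit MS08-067 patch state and AutoRun policy.
# Assumes Windows PowerShell 2.0+; Get-HotFix reads Win32_QuickFixEngineering.

function Get-ConfickerExposure {
    $report = @{}

    # MS08-067 shipped as KB958644. Null result means the fix is not listed as installed.
    $kb = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $report['KB958644 (MS08-067) present'] = [bool]$kb

    # NoDriveTypeAutoRun is a bit mask of drive types with AutoRun disabled; 0xFF = all.
    # Bit 0x04 corresponds to DRIVE_REMOVABLE, the USB vector the first post lists.
    $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $mask = (Get-ItemProperty -Path $polKey -Name 'NoDriveTypeAutoRun' `
                -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    if ($null -eq $mask) {
        $report['NoDriveTypeAutoRun'] = 'not set (AutoRun allowed)'
        $report['AutoRun blocked on removable drives'] = $false
    } else {
        $report['NoDriveTypeAutoRun'] = '0x{0:X2}' -f $mask
        $report['AutoRun blocked on removable drives'] = (($mask -band 0x04) -ne 0)
    }

    # Removable drives (DriveType=2) that carry an autorun.inf right now.
    # -Force so a hidden/system-attributed file is not skipped.
    Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
        $inf = Join-Path $_.DeviceID 'autorun.inf'
        if (Test-Path -LiteralPath $inf) {
            $report["autorun.inf on $($_.DeviceID) (bytes)"] = (Get-Item -LiteralPath $inf -Force).Length
        }
    }
    $report
}

(Get-ConfickerExposure).GetEnumerator() | Sort-Object Name | Format-Table -AutoSize

# Remediation, run deliberately from an elevated prompt (left commented out here):
#   $polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
#   if (-not (Test-Path $polKey)) { New-Item -Path $polKey -Force | Out-Null }
#   Set-ItemProperty -Path $polKey -Name 'NoDriveTypeAutoRun' -Type DWord -Value 0xFF
# Explorer reads the value at logon, which is why the thread says to log off and back on.
```

    If KB958644 shows as absent on a machine you believe is patched, check whether a later service pack or rollup superseded it before assuming the host is exposed; the registry half of the report does not have that ambiguity.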
     
  9. Bobbye

    Bobbye Helper on the Fringe Topic Starter Posts: 16,335   +36

    An Update on the Conficker Worm aka Downadup

    The morning paper gave some descriptions of this worm which give real-world analogies to its activities:

    "If you're looking for a digital Pearl Harbor, we now have the Japanese ships steaming toward us on the horizon." (Rick Wesson, CEO of Support Intelligence)

    "I don't know why more people aren't afraid of these programs. This is like having a mole in your organization that can do things like send out any information it finds on machines." (Merrick L. Furst, computer scientist at Georgia Tech)

    And although Conficker is supposedly a new program, it borrows on earlier work by an Eastern European criminal gang using the idea of "scareware": warning users of an infection and asking for a credit card number to pay for an antivirus program (bogus, of course) which actually further infects the system.

    A twist was found in the original version of the program: if the computer had a Ukrainian keyboard, it would not infect the computer!!! (Sounds like shades of DNSChanger.)

    And finally, it has been found that about 30% of Windows-based systems remain vulnerable because they have not gotten the patch. (October 2008, Microsoft Security Bulletin MS08-067 - Critical - Vulnerability in Server Service Could Allow Remote Code Execution (958644))

    Source: St. Petersburg Times, from the NY Times
     
  10. rf6647

    rf6647 TS Maniac Posts: 829

    The vulnerability cited here is one of many. While patched against that exploit, all heck broke loose when I connected a refurbished TomTom navigator to my laptop and directed it to update from the internet. ComboFix rescued the laptop and its ability to use DNS, but I need more info about 'autorun', since the TomTom cannot relink to the internet.

    Before repairing the autorun, to my way of thinking, this thread suggests scanning the TomTom for anything that implicates the device rather than the unsecured wifi connection that was used.
     
  12. Blind Dragon

    Blind Dragon TS Evangelist Posts: 3,908

    I am posting this separate as I wanted to stress:

    In a network setting, one must take care to isolate infected machines from the other computers on the network while cleaning them, as the machine may be reinfected by other systems not yet cleaned.
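    As an added example of the isolation Blind Dragon is describing (my code, not from the thread), here is a PowerShell wrapper around the built-in firewall that puts a host into a cleaning quarantine: every profile goes to default-deny in both directions, with a single exception for the workstation doing the cleaning. It assumes Windows Vista / Server 2008 or later (the netsh advfirewall context), an elevated prompt, and a placeholder admin address that you replace. Older XP hosts use the different netsh firewall syntax and are not covered.

```powershell
# Added example (not from the thread): quarantine a host while it is being cleaned.
# Assumes Vista/2008+ (netsh advfirewall) and an elevated prompt.
# $AdminHost is a placeholder (RFC 5737 documentation address); replace it.

function Enable-CleanupQuarantine {
    param([string]$AdminHost = '192.0.2.10')

    # Block rules beat allow rules in the Windows firewall, so per-port block rules
    # could never be punched through for the admin station. Isolation is therefore
    # done with the default policy (deny both ways) plus explicit allow rules.
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall set allprofiles firewallpolicy 'blockinbound,blockoutbound' | Out-Null

    # Sole exception: the cleaning station (RDP, SMB for pulling logs, staging the patch).
    # No protocol/port given, so any traffic to/from that address is allowed.
    netsh advfirewall firewall add rule name=Cleanup-Admin-In  dir=in  action=allow remoteip=$AdminHost | Out-Null
    netsh advfirewall firewall add rule name=Cleanup-Admin-Out dir=out action=allow remoteip=$AdminHost | Out-Null
}

function Disable-CleanupQuarantine {
    # Reverse the above once the host is patched and clean: remove the exceptions and
    # restore the stock policy (block inbound, allow outbound).
    netsh advfirewall firewall delete rule name=Cleanup-Admin-In  | Out-Null
    netsh advfirewall firewall delete rule name=Cleanup-Admin-Out | Out-Null
    netsh advfirewall set allprofiles firewallpolicy 'blockinbound,allowoutbound' | Out-Null
}

# Apply, then print the policy lines so the operator can confirm before reconnecting.
Enable-CleanupQuarantine
netsh advfirewall show allprofiles | Select-String 'Profile Settings|Firewall Policy'
```

    With outbound blocked the host cannot reach Windows Update on its own, so copy the MS08-067 package over from the admin station, install it, and only then call Disable-CleanupQuarantine; lifting the quarantine before the patch is on is exactly the reinfection path the post above warns about.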
     