it’s a mundane life


The worm that won’t go away will get an upgrade on April 1

The Conficker worm has been wreaking havoc on internet users ever since it climbed out of its slimy hole in the internet’s dark nether-regions back in 2008.  Now the worm is about to get even more dangerous when it receives its latest refresh in a series of periodic updates on April 1.  Security officials are bracing for the impact that the upgrade might have.

Either diabolical or brilliant, it’s the Conficker worm’s unique design that allowed it to infect over 8 million business computers last year and scores of other individual users.  The worm, like many viruses, is regularly evolving thanks to periodic downloads.  However, the techniques it uses to do so are rather unique — it cleverly creates thousands of false domains daily to throw off investigators. On the update day, it selects 500 correct domains out of the 50,000 candidates to download malware and updates from.

Pierre-Marc Bureau, a researcher at Eset, says that this has helped the virus evolve from an initial novice-seeming threat targeting a flaw in Windows services into a large-scale menace.  States Mr. Bureau, “From a high-level perspective, the ‘A’ variant gave the impression [of being] a ‘test run’.  It had code that probably was not meant to be spread globally. For example, it was checking for the presence of a Ukrainian keyboard or Ukrainian IP before infecting a system.”

The first run also contained a false lead — it tried to download and execute a file called loadav.exe.  This led security researchers to believe it was just one of a pack of malware programs trying to peddle fake antivirus software.  It turned out to be a red herring — the file was never uploaded and the next generation did away with the feature.

In the second version, the worm continued to spread through Windows Services on unpatched machines.  However, the update also granted it the power to spread over network shares by trying to log in autonomously to network machines with weak passwords.  It also gained the ability to load itself onto USB sticks connected to infected machines, gaining another means of transmission.  The scanning speed for machines to infect was greatly optimized — in short, the worm had become a real big problem.

Finally, the worm got its third update, becoming the Downadup virus as it’s now known.  The latest version added peer-to-peer communication between infected systems.  It also added new domain-generation algorithms to help it disguise where it was receiving its updates from.

At this point the worm is already a full scale threat, and there’s no telling what might happen with the next update.  Describes Mr. Bureau, “During the last week, 3.88 percent of our users have been attacked by Conficker, either because they accessed an infected device or by a network attack.  The percentage is very high and shows that a high number of computers are presently infected and that the worm is still spreading.”

Estimates of the number of infected machines vary greatly, but most experts agree that over 10 million computers, largely in the business sector, were compromised last year.  The number is large enough that Microsoft, which already has offered a bounty for the worm’s writers, and AOL are teaming up to try to weed out the domains it uses.  However, they face an uphill battle due to the vast number of domains the worm generates.  And law enforcement and security experts are no closer to having any clue what individual or individuals are writing the Conficker code.

Meanwhile Conficker continues to spread and get smarter.  Its actions leave little doubt in the security community — it’s creating an army of infected machines, one that could do serious damage if unleashed.

Adriel Desautels, CTO of Netragard states, “I don’t think that the threat comes from the worm itself, it comes from the people that are in control of the mass of Conficker-infected systems.  Those people have an immensely powerful weapon at their disposal, and that weapon threatens all of us.”

April 1 will see the attacks taken to the next level — and it’s anyone’s guess what capabilities it might gain.

Source: DailyTech

The dreaded WORM, the worst nightmare of those who haven’t patched their Windows OS, is now attacking legitimate sites this month. If you have been following my BLOG, I published about this nasty worm back then. I didn’t know the name yet, until it was a full-blown catastrophe by the assessment of security experts. The name of the worm varies, but it was popularly known as W32.Downadup or the Conficker worm.

This threat is so major that major industries in IT joined hands to combat it. Microsoft, the developer of Windows OS and the one that is heavily affected by this worm, offered cash rewards to anyone who can provide information leading to the arrest and conviction of the author(s) of this worm. And now the Worm has started to evolve into different variants, and make its move to perform DDoS (Distributed Denial of Service) attacks on legitimate sites online.

Read the full article below:

Among the key innovations of the Conficker worm (W32.Downadup) was the pseudo-random domain generation algorithm used for the generation of dynamic command and control locations in order to make it nearly impossible for researchers and the industry to take them down.  However, once the domain registration algorithm was successfully reverse engineered, it became possible to measure the estimated number of affected hosts by registering several of the upcoming phone-back locations.

What if the Conficker worm suddenly decided that the phone-back locations for March were those of legitimate sites?

According to Sophos, during March, the millions of Conficker infected hosts will attempt to phone back to several legitimate domains, among which is a Southwest Airlines owned wnsux.com, potentially causing a distributed denial of service attack on all of them. Here’s a list of the legitimate domains and dates on which Conficker will attempt to contact/potentially DDoS them:

Music Search Engine - jogli.com on 8th of March
Southwest Airlines - wnsux.com on 13th of March
Women’s Net in Qinghai Province - qhflh.com on 18th of March
Phonetics by Computer - praat.org on 31st of March

In an attempt to mitigate this attack, the Southwest Airlines owned wnsux.com domain was modified yesterday and is no longer resolving to a particular IP. However, praat.org is a redirect to the University of Amsterdam’s Institute of Phonetic Sciences and, just like qhflh.com and jogli.com, is still active.

The reverse engineering of the domain registration algorithm not only made it possible to anticipate the upcoming command and control locations, but also allowed security companies to pre-register them and lock them under the Conficker Cabal alliance with members such as Microsoft and ICANN.  Moreover, perhaps the most pragmatic mitigation solution implemented on a large scale so far has been OpenDNS’s updated Stats System, which automatically stops resolving Conficker’s latest domains, a feature which they introduced last month.

For the time being, the Conficker botnet remains in a “stay tuned” mode with the real malicious payload to be delivered at any particular moment. A patch has been available since October, 2008.

Conficker graph courtesy of Microsoft’s Malware Protection Center.

Source: ZDnet Blog
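The two articles above describe the same defender-side signal from opposite ends: a worm that probes thousands of candidate domains a day leaves a client with many failed (NXDOMAIN) lookups, and the domains the Cabal and OpenDNS pre-registered or sinkholed give a second, direct hit. The following is an added example, not code from either article or from any of the organisations named; it runs over a constructed resolver log, and the sinkhole names in it are placeholders, not real Conficker rendezvous domains.

```python
from collections import defaultdict

# Constructed resolver log (not from the page): timestamp, client, queried name, response code.
SAMPLE_LOG = """\
2010-03-13T08:00:01 10.0.0.5 www.example.com NOERROR
2010-03-13T08:00:03 10.0.0.9 qwe2ngl.biz NXDOMAIN
2010-03-13T08:00:03 10.0.0.9 ptyxmaao.info NXDOMAIN
2010-03-13T08:00:04 10.0.0.9 zzk1dmfq.org NXDOMAIN
2010-03-13T08:00:04 10.0.0.9 mbvcxlq.net NXDOMAIN
2010-03-13T08:00:05 10.0.0.9 wnsux.com NOERROR
2010-03-13T08:00:06 10.0.0.7 praat.org NOERROR
"""
# Placeholder sinkhole list (constructed): names a defender has pre-registered or blocked.
SINKHOLED = {"mbvcxlq.net", "ptyxmaao.info"}
# Legitimate domains the article says the worm will contact during March 2010.
COLLATERAL = {"jogli.com", "wnsux.com", "qhflh.com", "praat.org"}


def parse_log(text):
    # Yield (timestamp, client, qname, rcode); malformed lines are skipped.
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)


def analyze(text, nx_threshold=3):
    # Return {client: [reasons]} for hosts showing Conficker-style rendezvous behaviour.
    nx_names = defaultdict(set)         # distinct names that failed to resolve, per client
    sinkhole_hits = defaultdict(set)    # queries for pre-registered/sinkholed names
    collateral_hits = defaultdict(set)  # queries for the legitimate March domains
    for _ts, host, qname, rcode in parse_log(text):
        q = qname.lower().rstrip(".")
        if q in SINKHOLED:
            sinkhole_hits[host].add(q)
        if q in COLLATERAL:
            collateral_hits[host].add(q)
        if rcode == "NXDOMAIN":
            nx_names[host].add(q)
    flagged = {}
    for host in sorted(set(nx_names) | set(sinkhole_hits)):
        reasons = []
        # Probing hundreds of unregistered candidates a day leaves many distinct NXDOMAIN names.
        if len(nx_names[host]) >= nx_threshold:
            reasons.append(f"dga-like: {len(nx_names[host])} distinct NXDOMAIN names")
        reasons += [f"sinkhole: {d}" for d in sorted(sinkhole_hits[host])]
        if reasons:
            # The legitimate domains are a weak signal alone; list them only for hosts already flagged.
            reasons += [f"collateral: {d}" for d in sorted(collateral_hits[host])]
            flagged[host] = reasons
    return flagged
```

On the sample log only 10.0.0.9 is reported; 10.0.0.7, which merely visited praat.org, is not, which is the point of treating the legitimate domains as corroboration rather than evidence.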

That’s right, a quarter million dollars for any information that may lead to the arrest and conviction of the author(s) of the Conficker worm that is ravaging the globe.

From DailyTech:

The worm continues to infect a large number of computers while security experts try and figure out what to do

Microsoft has created a new technology industry posse and a $250,000 reward for people who help turn over the creators of the Conficker worm.

The Conficker worm multiplied like wildfire, and spreads through a hole found in Microsoft Windows systems, though the vulnerability was patched in October.  It also is able to disable anti-malware protection and will block an infected PC from visiting anti-malware vendors’ Web sites to receive updates.

Security experts are even more worried about the possibility that the worm calls home every 24 hours to at least 250 servers each day for instructions or directed actions.

The Houston police department was forced to stop arresting people with traffic warrants because the worm spread its way through the police and city court’s computer systems.  Violent offenders were still arrested, but those with outstanding traffic warrants were simply issued citations instead of being arrested, Houston police officials said.

There also was a Conficker outbreak among French military computers, which led to several fighter planes being grounded until everything could be fixed.

Microsoft is working with the Internet Corporation for Assigned Names and Numbers (ICANN) and PC security experts while trying to identify the worm’s creators.  VeriSign, NeuStar, Public Internet Registry, Global Domains International, AOL, F-Secure, Georgia Tech, and several other organizations have joined the fight to help capture whoever created the Internet worm.

“As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers,” Microsoft Trustworthy Computing Group G.M. George Stathakopoulos said in a statement.  “By combining our expertise with the broader community we can expand the boundaries of defense to better protect people worldwide.” 

Security company Symantec reported that more than 2.2 million IP addresses over the past five days have been infected with two different forms of the worm, three months after it first hit the Internet.  To date, it’s infected at least 10 million PCs since first being introduced into the wild.