In an event that hits the computer world only once every few years, security experts are racing against time to mitigate the impact of a bit of malware which is set to wreak havoc on a hard-coded date. As is often the case, that date is April 1.
Malware creators love to target April Fool's Day with their wares, and the latest worm, called Conficker C, could be one of the most damaging attacks we've seen in years.
Conficker first bubbled up in late 2008 and began making headlines in January as known infections topped 9 million computers. Now in its third variant, Conficker C, the worm has grown incredibly complicated, powerful, and virulent... though no one is quite sure exactly what it will do when D-Day arrives.
Thanks in part to a quarter-million-dollar bounty on the head of the writer of the worm, offered by Microsoft, security researchers are aggressively digging into the worm's code as they attempt to engineer a cure or find the writer before the deadline. What's known so far is that on April 1, all infected computers will come under the control of a master machine located somewhere across the web, at which point anything's possible. Will the zombie machines become denial of service attack pawns, steal personal information, wipe hard drives, or simply manifest more traditional malware pop-ups and extortion-like come-ons designed to sell you phony security software? No one knows.
Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day -- which security researchers and ICANN simply bought and/or disabled -- but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can't be tracked and disabled by hand.
At this point, you should be extra vigilant about protecting your PC: Patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it.
Microsoft also offers a free online safety scan here, which should be able to detect all Conficker versions.
Thursday, March 26, 2009
Conficker C Infection Symptoms
* Account lockout policies being reset automatically.
* Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are automatically disabled.
* Domain controllers respond slowly to client requests.
* The system's network traffic becomes unusually congested. This can be checked on the network traffic chart in Windows Task Manager.
* Websites related to antivirus software and Windows system updates cannot be accessed.
* Launches a brute force dictionary attack against administrator passwords to help it spread through ADMIN$ shares, making choice of sensible passwords advisable.
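The following PowerShell script is an added example, not part of the original post, that checks a Windows host for two of the symptoms listed above: update and defence services switched to Disabled, and update/antivirus-related sites failing to resolve. The service names (wuauserv, BITS, WinDefend, WerSvc, ERSvc) and the two hostnames tested are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Maps the services named in the
# symptom list to their Windows service names; this mapping is an assumption.
$expectedServices = @{
    'wuauserv'  = 'Automatic Updates / Windows Update'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'WerSvc'    = 'Windows Error Reporting (Vista and later)'
    'ERSvc'     = 'Error Reporting Service (XP / Server 2003)'
}

# Hostnames used only to probe whether update/AV sites resolve; an assumption.
$probeHosts = @('update.microsoft.com', 'www.microsoft.com')

function Test-DisabledProtectionServices {
    foreach ($name in $expectedServices.Keys) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$name'" `
                               -ErrorAction SilentlyContinue
        if ($null -eq $svc) { continue }   # service does not exist on this OS version
        [pscustomobject]@{
            Service     = $name
            Description = $expectedServices[$name]
            StartMode   = $svc.StartMode
            State       = $svc.State
            Suspicious  = ($svc.StartMode -eq 'Disabled')
        }
    }
}

function Test-UpdateSiteResolution {
    foreach ($h in $probeHosts) {
        try   { $null = [System.Net.Dns]::GetHostEntry($h); $ok = $true }
        catch { $ok = $false }
        [pscustomobject]@{ Host = $h; Resolves = $ok; Suspicious = (-not $ok) }
    }
}

$services = Test-DisabledProtectionServices
$dns      = Test-UpdateSiteResolution
$services | Format-Table -AutoSize
$dns      | Format-Table -AutoSize

# A disabled service or a blocked update site is a symptom, not proof: confirm
# with a full scan and check whether an administrator disabled it deliberately.
if (($services + $dns) | Where-Object Suspicious) {
    Write-Warning 'Symptoms consistent with the list above were found; run a full antimalware scan.'
}
```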
Conficker C
A computer-science detective story is playing out on the Internet as security experts try to hunt down a worm called Conficker C and prevent it from damaging millions of computers on April Fool's Day.
This piece of computer code tells the worm to activate on April 1, 2009, researchers at CA found.
The anti-worm researchers have banded together in a group they call the Conficker Cabal. Members are searching for the malicious software program's author and for ways to do damage control if he or she can't be stopped.
They're motivated in part by a $250,000 bounty from Microsoft and also by what seems to be a sort of Dick Tracy ethic.
"We love catching bad guys," said Alvin Estevez, CEO of Enigma Software Group, which is one of many companies trying to crack Conficker. "We're like former hackers who like to catch other hackers. To us, we get almost a feather in our cap to be able to knock out that worm. We slap each other five when we're killing those infections."
The malicious program already is thought to have infected between 5 million and 10 million computers.
Those infections haven't spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.
What happens on April Fool's Day is anyone's guess.
The program could delete all of the files on a person's computer, use zombie PCs -- those controlled by a master -- to overwhelm and shut down Web sites or monitor a person's keyboard strokes to collect private information like passwords or bank account information, experts said.
More likely, though, said DeBolt, the virus may try to get computer users to buy fake software or spend money on other phony products.
Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs.
DeBolt said Conficker C embeds itself deep in the computer where it is difficult to track. The program, for instance, stops Windows from conducting automatic updates that could prevent the malware from causing damage.
The program's code is also written to evolve over time and its author appears to be making updates to thwart some of the Conficker Cabal's attempts to neuter the worm.
"It is very much a cat and mouse game," DeBolt said.
It's unclear who wrote the program, but members of the Cabal are looking for clues.
First, they know that some recent malware programs have come from Eastern European countries outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice president of technology for Enigma Software.
Worm program authors often hide in those countries to stay out of sight from law enforcement, he said.
In a way, the Conficker Cabal is also looking for the program author's fingerprints. DeBolt said security researchers are looking through old malware programs to see if their programming styles are similar to that of Conficker C.
The prospects for catching the program's author are not good, Morganelli said.
"Unless they open their mouth, they'll never be found," he said.
So, the most effective counter-assault simply may be damage control.
One quick way to see if your computer has been infected is to see if you have gotten automatic updates from Windows in March. If so, your computer likely is fine, DeBolt said.
Microsoft released a statement saying the company "is actively working with the industry to mitigate the spread of the worm."
Users who haven't gotten the latest Windows updates should go to http://safety.live.com if they fear they're infected, the company's statement says.
DeBolt said people who use other antivirus software should check to make sure they've received the latest updates, which also could have been disabled by Conficker C.
The first version of Conficker -- strain A -- was released in late 2008.
That version used 250 Web addresses -- generated daily by the system -- as the means of communication between the master computer and its zombies.
The end goal of the first strain was to sell computer users fake antivirus software, said Morganelli.
Computer security experts largely patched that problem by working with the Internet Corporation for Assigned Names and Numbers to disable or buy the problematic URLs, he said.
That process-of-elimination approach isn't likely to be effective with Conficker strain C, Morganelli said. The new version will generate 50,000 URLs per day instead of just 250 when it becomes active, DeBolt said.
The first iteration of Conficker is thought to have grown out of a free function for security programs created by Dr. Ronald Rivest, a computer science professor at the Massachusetts Institute of Technology.
"Any technology can be used for good or evil, and this is just an example of that," Rivest said.
Many viruses have taken pieces of benevolent programs and used them for ill. But overall the "open source" environment online promotes computer security far more than it enables hackers, DeBolt said.
"I don't blame the open-source community at all" for virus attacks, he said.
CA said it recently found a piece of code in Conficker C that says the worm will become active on April 1. Previous versions of the malicious software launched on specific dates noted in the program code, so the April Fool's Day launch date is not likely to be a trick, DeBolt said.
"The best minds in the industry are working on this to protect customers," he said. "We're trying to reduce the impact of the April 1 date as best we can. But we know ... this malware will continue to evolve."