It is not because those infected machines didn't get an update from the virus makers that the virus is dead. It is still strong and very much alive and kicking ass.
The greatest problem with this intelligent and sophisticated virus is that you have to be secured 100% and not 90%. The 10% really makes the difference between a normal stable network and IT people running around trying to contain outbreaks and control the effects of the infected machines. It means that every machine connected to your network or resources has to be fully patched and has to have an antivirus that controls every file and process BEFORE it connects to Windows.
Network managers will understand the complexity of what this means.
But Conficker is for this reason the ideal instrument to lock down your network and conquer those last bastions of resistance against securing your network.
Thank you for this, Conficker, you have helped the security managers more than you ever thought.....
Strange, that traffic that some send me. Conficker traffic all right, infecting and trying to get outside, for the first time in a month. Are these guys the only ones?
In order to help prevent malware from spreading (such as Conficker) using the AutoRun mechanism, the Windows 7 engineering team made two important changes to the product:
- AutoPlay will no longer support the AutoRun functionality for non-optical removable media. In other words, AutoPlay will still work for CD/DVDs but it will no longer work for USB drives. For example, if an infected USB drive is inserted on a machine then the AutoRun task will not be displayed. This will block the increasing social engineering threat highlighted in the SIR. The dialogs below highlight the difference that users will see after this change. Before the change, the malware is leveraging AutoRun (box in red) to confuse the user. After the change, AutoRun will no longer work, so the AutoPlay options are safe.
- A dialog change was done to clarify that the program being executed is running from external media.
This change will also be made available for Vista and XP users in the near future.
Today we released version 2 of our Simple Conficker Scanner (SCSv2). It contains a new scanning method which allows for detection of machines infected with the recent Conficker version (D or E, depending on the naming scheme - the tool calls it D). Although the patch to the vulnerable function NetpwPathCanonicalize() was updated in the new variant, the RPC response codes for specially crafted requests are still different for infected machines. This enabled us to write a network scanner to distinguish Conficker zombies from clean hosts.
Arbor Networks has attack scanners all over the world and uses this information to make indexes. Even if sometimes you can have questions about their methodology or about some results, they are an indication that should be followed up on and not taken for granted.
When we started using the indicators from Arbor, Belgium was no. 3, later 5, on the international attack index. Then things started to get better (or worse elsewhere) and we were less dangerous.
Last week we were back at number 5 and a few days later we are at number 3 of the most dangerous networks around.
But it is an index, and the reason we have that result is that we have a very high level of traffic on port 445, which is used by Conficker and other worms like it. We have for the moment the highest level of such traffic in the world.
We have published on http://insecure.skynetblogs.be the list of the most dangerous attackers and of the IP addresses where, according to Arbor, a command and control center for botnets could be installed. If you aren't sure or you want to file a complaint, contact the FCCU Belgian Cyberpolice, they also have contacts with Arbor Networks.
Holiday is over, back to work and clean up that mess
And if you aren't Conficker resistant yet, it is time to become so, because it seems that - if these indications are right - we will see a lot more of those around here in the coming weeks (and there is an update looming before the third of May).
This is the most worrying news read so far. In the first instance everybody laughed when we read that a big US university was brought down by Conficker. We all said that they weren't patched and that they weren't protected by an antivirus and that the admins were losers. Probably to correct this, and to inform us of the new dangers that this adapted worm poses with these improvements, they informed the Internet Storm Center.
* the infected machines were PATCHED
* the infected machines had an uptodate ANTIVIRUS
(still sitting down now ...... I am reading this for the third time just to let it sink in....)
This is the advice from the admins on the battlefield:
"Ensure that when an average user logs in it does not allow them to mount via RPC resources on other workstations in the domain. (i.e. When Alice logs into her workstation she cannot mount the Admin$ share on Bob's machine without being prompted for credentials.) Using the GPO [Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Access this computer from the network] to limit RPC logins to workstations can be very helpful in this regard. See: <http://technet.microsoft.com/en-us/library/cc740196.aspx>"
SO IT IS NOT ENOUGH TO BE PATCHED, YOU ALSO NEED SECURITY HARDENING
This promises trouble for a lot of networks: hard on the outside, some first defense on the inside, but the USB backdoor still open, the passwords still weak and the internal monitoring not present or not DEEP or specialised enough.
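One way to audit this on a workstation, as an added example that is not from the ISC admins or the original post: it exports the local security policy with secedit and lists who holds the "Access this computer from the network" right (SeNetworkLogonRight). The set of broad-group SIDs it flags is an assumption about what a locked-down workstation should not grant; run it from an elevated shell.

```powershell
# Added example: list the accounts granted SeNetworkLogonRight on this machine
# and flag groups that let any domain user open RPC/SMB sessions to it.
$cfg = Join-Path $env:TEMP 'secpol_audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The exported INF has a [Privilege Rights] section with lines such as
#   SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,*S-1-5-32-545
$line = Get-Content $cfg | Where-Object { $_ -match '^SeNetworkLogonRight\s*=' } | Select-Object -First 1

if (-not $line) {
    Write-Host 'SeNetworkLogonRight is not set explicitly; built-in defaults apply.'
} else {
    $entries = ($line -split '=', 2)[1].Trim() -split ','

    # Assumption: on a hardened workstation none of these should hold the right.
    # Everyone, Authenticated Users, Users
    $broad = @('S-1-1-0', 'S-1-5-11', 'S-1-5-32-545')

    foreach ($e in $entries) {
        $e = $e.Trim()
        if ($e.StartsWith('*')) {
            # Entries prefixed with * are SIDs; resolve them to account names
            $sid = $e.Substring(1)
            try {
                $name = (New-Object System.Security.Principal.SecurityIdentifier $sid).Translate(
                            [System.Security.Principal.NTAccount]).Value
            } catch { $name = '<unresolved>' }
        } else {
            # Otherwise the entry is already an account name
            $sid = ''
            $name = $e
        }
        $flag = if ($broad -contains $sid) { 'REVIEW: broad group has network logon' } else { '' }
        '{0,-40} {1,-22} {2}' -f $name, $sid, $flag
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue
```

Any row marked REVIEW is a candidate for removal from the right (or replacement by an explicit admin group) via the GPO path quoted above.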
Sometimes there are discussions that take too much effort, space and time and make no other sense than to derail discussion and attention. The same discussion as about the first of April non-outbreak is now taking place between researchers who all claim to have an idea about how many computers and networks are infected by the Conficker worm.
First of all it is not important whether it is 1 million, 2 million or even 100 thousand. None of this makes the worm more or less worrying. Is the net a safer place if only 30.000 computers are infected? No, because if each of them hits a website every second to DDoS it, the website will go down, period. It is not the number of infected computers that is important, it is the use and the future possibilities of the worm that are important.
We know that the new versions will be more difficult to find for vulnerability checkers (false lookalike patch) and network traffic analyzers (P2P segmented traffic), and that analyzing the code of the worm itself becomes harder each time. These are the things we should research and think about. How do we make sure that vulnerability checkers can still make the right decision about the patch in a matter of seconds (or should we ask ourselves whether we should let the audit take longer)? How can we make sure that traffic analyzers in our networks can still track and locate this traffic, and which tools have to be upgraded to be able to do so? How do we make sure that the analysts can still decode and analyse the code of the worm, even if it will mean that over time the best in the world will have to work together to be able to find all the information one may need.
We know a new version will be launched after the third of May. And we have no clue about what to expect.
There are other, more important questions to ask ourselves and the IT security community with regard to Conficker - which seems to be a very powerful team to be up against.
* Who are those guys, and why can't we locate them, and why can't the law enforcement agencies of the world, that are able to arrest hundreds of pedos worldwide, invest the same resources in getting or stopping these guys?
* The basic problem is that in some countries there are more pirated Windows versions than legal ones and that those pirated ones aren't patched. The consequence is that millions of such computers can be easily hacked and connected to a botnet. This makes the internet far less secure for any (legal) user of a Windows package. The question for Microsoft (I am sure they are not going to like this one :)) is basically this:
Do I let everybody have access to the security patches and do I make sure that everybody can use them, so that the internet is a safer place (because you can install a Network Access Policy saying that you need to have patches and antivirus installed), and do I look for other ways to encourage people to use legal versions of my OS (through service packs that have nothing to do with security)? Or do I let this situation continue?
* Another question is what the roles of the ISPs and network administrators are. Shouldn't they help with the distribution and promotion of the patches? Shouldn't they distribute free antivirus and security packages to their users (just as your car comes with brakes and all kinds of included safety stuff)? It is a good thing to read that Mdm Dyson (one of the leading ladies of the internet) and the readers of the Clickx computer magazine think so.... All we need is the political will or the strategic commercial choice. As an ISP with free security packages for your clients you will have fewer problems on your networks, fewer helpdesk problems, and you can offer a more secure hosting and transaction environment based upon network access policies.
These are the things one should talk about, not the numbers. Whatever the numbers, they will always be too big for such a powerful and ever-improving malware and botnet network not to worry about the eventual consequences if someone uses that power.
It can now infect by a simple USB stick. Do you have a USB policy? Is your antivirus installed so it will check a USB stick before it can contact the PC and drop its infection? Thought not, so you can now think about developing one, because this will be the new way of infection - together with the fact that it is working by P2P protocols to spread itself without looking for the internet contacts that are being closed and monitored.
According to Qualys about 1 in 5 of the 300.000 client PCs analysed had not yet installed the patch from October 2008. This is an enormous number. It seems as if we will really need a Network Access Policy, just as we have this for your car.
It is also the case that the virus now installs a 'lookalike' patch on an infected machine that looks nearly as good as the original patch from Microsoft, and so many vulnerability tests will fail to see the difference. This will ask for a rethink of patch control installations in enterprises.
The P2P traffic in your network will also probably stay under the radar because it is sparse, small and splintered. Or you will have to fine-tune your tools to catch all traffic on those specific ports - or you will have to install internal firewalls that block those ports between segments of your network.
So check everything again and be sure that you have all your machines patched.
Do understand that these are only the numbers of IPs that they are seeing on their installations that are infected; do not extrapolate them into anything else.
They said that all the hype and media attention (for which we should thank the media and defend them against all those that lambasted them after the first of April) was all media-selling scaremongering and an overblown joke. Only because the update didn't come that day.
Meanwhile a coalition of IT and security firms is working every day to clean the web and get all the players involved. They wanted to use every second before the next update to clean computers or get them to update their computers. Every one of them is a personal victory for each of them.
But the botnet operators aren't sitting still either. They chose to wait a bit - social engineering tricks as we have seen many times before - and load the update in small batches to be sure that no new media storm would erupt and interrupt their distribution process. That seems to have worked, as the journalists only seem to want disaster stories and not gradually-growing-into-a-disaster stories.
What do we know about the new variant that is being distributed one step at a time?
* They don't use the watched and blocked addresses but the P2P processes. It can be updated from any other infected computer. This means that connections between your computers in your network are becoming more critical. It means that internal workstations need firewalls too in the near future and that critical parts of your network need to be separated internally ....
* It will upgrade on the 3rd of May.
* It installs Spyware Protect 2009, a rogue security product that loads the PC with FUD popups until you pay.
* It installs parts of the Waledac botnet, the most dangerous and powerful spamming botnet around for the moment (some think they also made Conficker).
* It will scan internal networks for other infectable hosts.
* It will periodically test several addresses to check for internet connectivity.
I think several of those aren't used in professional networks and can be blocked and monitored.
* Uses SSDP to find Internet gateway devices (i.e. routers) and issues a SOAP command on the device to open an external TCP port and redirect it to an internal IP:port.
* http://blogs.technet.com/mmpc/archive/2009/04/09/win32-co... Opens port 5114 and serves as an HTTP server, broadcasting via SSDP requests.
* Uses randomly generated ports in the range 1024 to 10000 to communicate and propagate.
* It also does not leave a trace of itself on the host machine. It runs and deletes all traces: no files, no registry entries.
* Downloads some updates from the Waledac domain goodnewsdigital.com and from the Waledac fast-flux domain infrastructure, so you have to block this.
I think there are enough blocking and discovery tips in here to clean up your network, even if that will always be difficult if that network is large and mobile.
The last few weeks links are coming in on MSN and other chat programs that say they want to meet you or say they have sexy or other pics of themselves (or of you). Now there are zip files and .scr files. They seem to be infected, and as chat programs are sometimes difficult to analyse for some antivirus programs, they effectively infect machines even if you have an antivirus for the rest of your use (the same is true for P2P and for downloading pirated software).
Now it seems that Conficker 2 is spreading this way. It is called Neeris and is not perfect because it still needs the IRC port 449 or 6667 to contact a command and control center for the botnet. It is an old virus that has been refurbished and began spreading on Friday. In a network you always block IRC, and as a user you probably have no use for this service.
It will try to infect other computers on the network by scanning on port 445. When you block this kind of scanning and redirect it to, for example, your firewall, you will immediately see the infected stations pop up.
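One way to pull those stations out of the firewall log, as an added example that is not part of the original post: it parses lines in the Windows Firewall pfirewall.log format (the sample lines below are constructed) and reports sources that hit port 445 on many distinct hosts, the sweep pattern described above. The threshold of three distinct targets is an assumption to tune for your network.

```powershell
# Added example: constructed pfirewall.log lines standing in for the real file.
# Field order follows the #Fields header; point $lines at Get-Content of the real log.
$sample = @'
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-04-13 10:22:01 DROP TCP 192.168.7.23 192.168.7.50 49152 445 52 S 1234567 0 8192 - - - RECEIVE
2009-04-13 10:22:01 DROP TCP 192.168.7.23 192.168.7.51 49153 445 52 S 1234568 0 8192 - - - RECEIVE
2009-04-13 10:22:02 DROP TCP 192.168.7.23 192.168.7.52 49154 445 52 S 1234569 0 8192 - - - RECEIVE
2009-04-13 10:22:02 DROP TCP 192.168.7.23 192.168.7.53 49155 445 52 S 1234570 0 8192 - - - RECEIVE
2009-04-13 10:22:03 ALLOW TCP 192.168.7.40 192.168.7.10 50001 445 52 S 2234567 0 8192 - - - RECEIVE
2009-04-13 10:22:03 ALLOW TCP 192.168.7.41 192.168.7.10 50002 445 52 S 2234568 0 8192 - - - RECEIVE
2009-04-13 10:22:04 DROP TCP 192.168.7.42 192.168.7.10 50003 80 52 S 2234569 0 8192 - - - RECEIVE
'@
$lines = $sample -split "`r?`n"

function Find-Port445Scanners {
    param([string[]]$LogLines, [int]$MinDistinctTargets = 3)

    # source IP -> set of distinct destination IPs it contacted on TCP/445
    $targets = @{}
    foreach ($l in $LogLines) {
        if ($l -match '^\s*#' -or $l -match '^\s*$') { continue }   # header / blank
        $f = $l -split '\s+'
        if ($f.Count -lt 8) { continue }                              # malformed line
        $proto = $f[3]; $src = $f[4]; $dst = $f[5]; $dport = $f[7]
        if ($proto -ne 'TCP' -or $dport -ne '445') { continue }
        if (-not $targets.ContainsKey($src)) { $targets[$src] = @{} }
        $targets[$src][$dst] = $true
    }

    # A legitimate client talks to a few file servers; a worm sweeps many hosts.
    foreach ($src in $targets.Keys) {
        $n = $targets[$src].Count
        if ($n -ge $MinDistinctTargets) {
            [pscustomobject]@{ Source = $src; DistinctTargetsOn445 = $n }
        }
    }
}

Find-Port445Scanners -LogLines $lines | Format-Table -AutoSize
```

With the constructed sample only 192.168.7.23 is reported; the two hosts talking to the single file server 192.168.7.10 stay below the threshold.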
Version 0.1B: Conficker_C_P2P_Scanner.C (thanks to Fabien Perigaud - CERT Lexsi, France)
author: Vinod Yegneswaran
compiled and tested on - Gnu gcc ver 4.2.2, running Linux, little endian only.
Conficker_C_P2P_Scanner is a network-based active scanner application that scans a subnet for Conficker C infected hosts.
Conficker_C_P2P_Scanner [-t ms waittime] [-v (verbose)] <low-address> <high-address>
low|high-address - specifies the start and end address ranges to be scanned
ex: % Conficker_C_P2P_Scanner 192.168.7.0 192.168.99.255
will scan all addresses in subnets 192.168.[7-99]
All Conficker C hosts perform outbound P2P scanning in search of other C infected peers. Each C-infected host opens four network ports in listen mode: 2 TCP ports and 2 UDP. These four listen ports are derived from a function of the host's own IP address and the current epoch week. To illustrate the algorithm used to compute C's P2P client listen ports, we include an example C source code implementation, which we reverse-engineered from a Conficker C binary captured on 5 March 2009.
For the first time ever there is an enormous coalition distributing lists of IP addresses that seem to have Conficker traffic. They are working, sometimes a day or two behind, but you get the warnings again. Then it is up to you to look for the culprit or the laptop.
Do not neglect these warnings, because Conficker is capable of infecting other computers (for example servers that you forgot or don't patch out of fear), and then you have no choice but to clean up and patch everything in your network.
The number of infected machines that are detected is increasing every day. The next big activation day is the 5th of April or the day after, depending on the clock and timezone.
These maps are based on the first numbers of infections.
Meanwhile the international coordination says that they have counted about half a million infected machines connecting to the monitored websites. This is far from the first numbers, but maybe network administrators and security professionals have been cleaning up that mess for weeks.
But as you see on the map, Belgium had an important infection rate.
More maps can be found here.
If your browser shows the images (and is not getting them from a proxy) then you are probably not infected. The idea is that an infected PC will be blocked from around 100 security companies, so an infected machine would never see these images.
So go over to http://honeyblog.org/junkyard/conficker/
The Conficker worm utilizes a variety of attack vectors to transmit and receive payloads, including: software vulnerabilities (e.g. MS08-067), portable media devices (e.g. USB thumb drives and hard drives), as well as leveraging endpoint weaknesses (e.g. weak passwords on network-enabled systems). The Conficker worm will also spawn remote access backdoors on the system and attempt to download additional malware to further infect the host.
W32/Conficker.worm exploits the MS08-067 vulnerability in Microsoft Windows Server Service. If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Machines should be patched and rebooted to clean the system, then rebooted again to prevent reinfection.
McAfee has developed a utility that will assess for the presence of the Conficker worm and identify which systems are already infected. We recommend that you download the McAfee Conficker Detection Tool now.
Too few PCs, too many not tested, and those that are reported as vulnerable seem not to be so in the first place.
Double check and use other, more professional installations, which should already have a special Conficker update, as worldwide networks are cleaning up the mess.
The search results for the world
The search results for Belgium
And as you see, there was not so much preparation; people only started in the last days to prepare themselves, while they should have been inspecting computers to see if they were patched and had antivirus and so on. So don't call it hype, there was still much negligence.
In the list there are also some Belgian sites (and some are real online businesses) that will be contacted by infected Conficker clients in the month of April. Do not believe the hype, nor the non-hype, just take into account the possibility that you could be overloaded with different kinds of traffic that you never had before.
It is a possibility to contact your hosting firm and ISP and see that there is a light version of the site available, that you have a backup, that they drop Conficker traffic and meanwhile up the security to be sure that you aren't hacked and used as a drop site for those clients.
The very smart guys in Germany have made a listing of all the domains that are real and that will be contacted by infected Conficker clients. They had organised this by day, but that makes it quite difficult for administrators to look through. And it doesn't matter what day, it is in April, and so whether it is tomorrow or next week (holiday) you had better be sure to make preparations.
It is possible that those sites would be scanned for vulnerabilities and eventually hacked to download the updates to the infected stations or hijack them. It is one possibility among others.