
For those that asked about the Worm

First, I want to clarify that while I sit behind a keyboard all day, technically I am not an “expert” when it comes to viruses and worms (I primarily write software and build web applications and websites). But being in this industry I have had to deal with malware-related issues, and I have had dialogue with various government agencies, including the FBI and CERT, regarding hacking-related issues. I am also kept abreast of “trends” through direct communication from the Federal Government’s CERT (Computer Emergency Response Team) when something is brewing or already in place. All of this is to say that I am probably a little more knowledgeable about viruses, worms, and malware than most people, but by no means someone you should rely on solely. At the bottom of this post I am putting some links to products I recommend; the one thing I will advise is having one of these products on all of your machines.

I have received no fewer than 100 emails, text messages, tweets, and Facebook messages since yesterday evening from friends asking, “Seriously, what do we need to do about this worm thing?” So I decided that the best thing to do, instead of responding to each one individually (which I attempted this morning but gave up on), is to post what I know about it here in the hope that everyone will read this. Sorry if I don’t respond directly to your questions. (Again, at the bottom of this post are links to some antivirus software that I recommend; you can click the links and purchase online securely.)

  1. If you use a Mac, don’t worry; this worm only infects Windows.
  2. If you notice that Windows Update has stopped working automatically, check into that: the worm disables automatic updates, so that is a symptom of infection.
  3. It is most likely to propagate through the networks of large corporations and businesses, but the casual home user is not immune.
  4. It blocks access to many popular antivirus websites. They might have this part fixed by now, but I know that early on it was designed to stop you from downloading files from sites that offer virus protection and removal tools.
  5. It sits on your machine without you really knowing it, and then at a certain point it tries to contact a daily list of websites (250 per day in the earlier variants, 500 picked from 50,000 per day in the latest one) that more or less tell it what to do. This could be used for anything, most likely a denial of service against a particular website (which happens when 10 million computers all hit one website or service at the same time and more or less fry its gizzard). The serious side would be if it also has key-logging components that could harvest and send your passwords, credit card numbers, etc.

That’s basically all I know about the worm itself. Now here is what we know this morning, after it has officially turned April 1 across the globe.

  1. According to some things I have read this morning, more machines may be affected by this virus than originally thought.
  2. The upside is that when these computers went out to those websites or services looking for instructions, nothing was sent to them. So, basically, nothing has happened so far.

Those of you who know me know that I haven’t been too concerned about this one, but that doesn’t mean there isn’t something brewing out there that we should all be concerned about in the future. I firmly believe that in our lifetimes we will see at least one global attack of some sort; attacks like these are just getting better and more elaborate over time.

In fact, the writers of this Conficker thing have earned a lot of respect from inside the community (myself included) because of its complexity.

Finally, what can you do to protect yourself or your network from having something like this take you down and potentially ruin your day? The answer is the same one I have been giving for 10 years or more: use and update an antivirus program.

I have some recommendations if you are interested in solutions for your home or small business, the links below will take you directly to these products for purchasing.

If you are looking for a more high-end approach to fighting viruses, spyware, etc., our friends at Tiger Direct also offer some options that include installation of the software by their team. If you are a novice computer user and would rather have someone install the software remotely for you, this is probably the option for you:

As a side note, I posted the message to twitter last night about the worm as kind of an inside joke to a room full of about 35 or 40 programmers I was meeting with.  Since Twitter also posts to my Facebook, I may have inadvertently created panic with some of you that weren’t in the loop, sorry about that…  While we were all joking about this thing, it’s still something that should always be in the back of our minds.

Happy April Fools Day though…


Conficker Worm Reports Rolling In

Reports are trickling in about the impact from the Conficker worm, as infected systems passed zero hour at midnight and began downloading additional malicious components. 

Here’s a quick roundup of some of the more notable incidents caused by Conficker so far, according to published reports:

  • A nuclear missile installation near Elmendorf Air Force Base outside of Anchorage, Alaska briefly went on a full-scale military alert after technicians manning the bunker suspected that several of their control systems were infected with Conficker. According to wire reports, the remote facility temporarily moved to Defense Condition (Defcon) 3 in the pre-dawn hours, but quickly backed down from that posture. An airman at the installation who asked not to be identified blamed the mishap on "way too much caffeine" consumed by occupants inside the secluded underground control room. The airman said the facility’s lead engineer became agitated and inconsolable after watching an Internet broadcast of Sunday night’s hard-hitting 60 Minutes exposé on the Conficker worm entitled, "The Internet is Infected."
  • In Iceland, Conficker brought a brief thaw to the long economic winter that began last year with the government’s inexorable slide into bankruptcy. According to local news reports, shortly after midnight local time, an ATM in the capital city of Reykjavik began spewing 100-Krona notes. Banking officials there reportedly said the Microsoft Windows-based bank system began disbursing the bills after a local prankster crammed an infected USB stick into the maw of the teller machine.
  • Londoners woke up to find the iconic clock tower Big Ben stopped at precisely one minute till midnight. The British tabloids blared that the giant timepiece had been felled by the Conficker worm. But security officials reasoned that the beloved landmark — legendary for its reliability — would have stopped exactly one minute later had the expected 12:00 a.m. updates to Conficker actually been the culprit. Several members of Parliament are now calling for a full investigation into the incident.
  • In Waukesha, Wis., Leroy "Mac" MacElrie, 64, turned himself in to local police, claiming he was the author of the original Conficker worm, and that all of the subsequent versions were mere copycats. According to charging documents, MacElrie said he wrote the worm to get back at Microsoft founder Bill Gates for "not stopping spam by 2008 like he said he would." The man was released on his own recognizance, but several hours later a local television station captured footage of the man standing on a nearby street corner repeatedly shouting "I’m the confickter!"

———————————

In case you haven’t guessed it yet, APRIL FOOLS!!! Seriously, if something like this were going to roll out to the masses today, my partners and I would not have been having sushi last night in Little Rock…


Live Blog: Countdown to Conficker

I found this live blog on the Conficker worm for those of you interested in tracking its progress through the evening. Apparently there are some outside reports of various locations in Asia seeing light effects from the variant, but nothing too heavy. Hopefully we all wake up in the morning and laugh about it…

You can track the live blog here: http://ow.ly/1Ou2

This post will be updated continually to track activity on the Conficker worm, the latest variant of which had been expected to hit the Internet on April 1. Click here or read below for background on Conficker.

7:25 p.m. PDT: Trend Micro’s Paul Ferguson reports that things seem quiet. "So far, there’s been no significant activity," he said, adding that a Trend Micro researcher in the Philippines reported seeing the same amount of traffic on Wednesday as he had been seeing the past few days in Asia-Pacific.

4:00 p.m. PDT: The Conficker worm is stirring on some infected computers in Asia where it’s April 1, but so far the activity is very tame, security researchers say.

"We’ve seen activity in honeypot machines in Asia…They’re generating the 50,000 list of (potential) domains to contact," said Paul Ferguson, an advanced threats researcher for Trend Micro.

The latest variant of the worm, Conficker.C, was set to activate on April 1, which for some of the infected machines will happen at local time and for others it will be GMT, depending on whether the machines are turned on and connected to the Internet, he said.

The process seems to be starting slowly, with infected machines starting to generate the list of domains and then picking one domain and trying to contact it and waiting before continuing on through 500 of those 50,000 domains, according to Ferguson.

The owners of the infected computers likely won’t notice anything, unless they can’t access the Web sites of security vendors and then they will know they are infected, he said. Trend Micro has figured out a way to unblock the computer from the sites that the worm has blocked using a Microsoft networking service, he said. More details are on the Trend Micro site.

"Nothing at this point; we’re running updates every half hour or so," Dave Marcus, director of security research for McAfee Avert Labs, said when asked to report what he was seeing. "They’re supposed to connect to one of a variety of Web sites and download a piece of code. What that code is supposed to do is up in the air."

IBM ISS’s X-Force group also reported that things were quiet, at least for the moment, in Asia where most of the infections are. Nearly 45 percent are in Asia, followed by Europe at about 30 percent, 13.6 percent in South America and 5.8 percent in North America, according to the Frequency X blog.

IBM ISS also said it had found a way for ISPs to detect infected computers on a network by monitoring the peer-to-peer communications the worm makes between infected PCs.

Experts say the worm could be used to steal passwords or other sensitive data from infected computers, or turn them into a botnet that sends out spam.

The worm exploits a vulnerability in Windows that Microsoft patched in October and spreads through weakly protected network shares and via removable storage devices, like USB drives.

Conficker.C also shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It reaches out to other infected computers via peer-to-peer networking, in addition to being programmed to reach out to 500 domains to receive updated copies or other malware instead of just 250 domains as earlier versions did.

Click here for an FAQ about the worm.

Live blog: Countdown to Conficker | Security – CNET News
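The live blog above describes the worm walking a generated list of 50,000 names and notes that an ISP can spot infected hosts from their traffic. A complementary check a resolver operator can run, added here as an example (it is not code from CNET, IBM ISS or the original post, and it is a general DGA heuristic, not the specific peer-to-peer method IBM ISS described): a host that is probing a generated list produces a burst of lookups for many distinct names that do not exist (NXDOMAIN), which looks nothing like a user's typo. The log format and every line in it are constructed for this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a resolver query log in a simple "<ts> <client> <rcode> <qname>"
# form. These lines are made up for the example; they are not real Conficker traffic.
SAMPLE_LOG = """\
2009-04-01T00:00:01Z 10.0.0.12 NXDOMAIN pqzvmwerk.info
2009-04-01T00:00:01Z 10.0.0.12 NXDOMAIN tlwqarbvnx.com
2009-04-01T00:00:02Z 10.0.0.12 NXDOMAIN hjgfdsaqwe.net
2009-04-01T00:00:02Z 10.0.0.12 NXDOMAIN mnbvcxzlkj.org
2009-04-01T00:00:03Z 10.0.0.12 NXDOMAIN oiuytrewqa.biz
2009-04-01T00:00:03Z 10.0.0.12 NXDOMAIN zxcvbnmasd.com
2009-04-01T00:00:04Z 10.0.0.12 NOERROR www.microsoft.com
2009-04-01T00:00:04Z 10.0.0.12 NXDOMAIN qazwsxedcr.info
2009-04-01T00:00:05Z 10.0.0.12 NXDOMAIN plmoknijbu.net
2009-04-01T00:00:05Z 10.0.0.12 NXDOMAIN xswzaqcdev.com
2009-04-01T00:00:06Z 10.0.0.12 NXDOMAIN rfvtgbyhnu.org
2009-04-01T00:00:07Z 10.0.0.12 NXDOMAIN jmkiolpedc.com
2009-04-01T00:00:01Z 10.0.0.20 NOERROR www.google.com
2009-04-01T00:00:02Z 10.0.0.20 NXDOMAIN wwww.example.com
2009-04-01T00:00:09Z 10.0.0.20 NOERROR mail.example.com
2009-04-01T00:00:10Z 10.0.0.20 NXDOMAIN wwww.example.com
2009-04-01T00:10:00Z 10.0.0.12 NXDOMAIN ttyuiopasd.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)\s+(\S+)$")


def parse_log(text):
    """Return (timestamp, client, rcode, qname) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4).lower().rstrip(".")))
    return events


def peak_nxdomain_burst(events, window_seconds=60):
    """For each client, the largest number of *distinct* NXDOMAIN names seen inside any
    sliding window of `window_seconds`. A DGA host burns through many never-seen names
    in seconds; a typo or a stale bookmark repeats the same one and scores 1."""
    per_client = defaultdict(list)
    for ts, client, rcode, qname in events:
        if rcode == "NXDOMAIN":
            per_client[client].append((ts, qname))
    window = timedelta(seconds=window_seconds)
    peaks = {}
    for client, items in per_client.items():
        items.sort()
        in_window = defaultdict(int)  # qname -> occurrences currently inside the window
        start, best = 0, 0
        for ts, qname in items:
            in_window[qname] += 1
            while items[start][0] < ts - window:  # drop lookups older than the window
                old = items[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            best = max(best, len(in_window))
        peaks[client] = best
    return peaks


def flag_dga_clients(text, window_seconds=60, min_distinct=10):
    """Return sorted [(client, peak_distinct_nxdomain)] for clients at or over the threshold."""
    peaks = peak_nxdomain_burst(parse_log(text), window_seconds)
    return sorted((c, n) for c, n in peaks.items() if n >= min_distinct)


if __name__ == "__main__":
    for client, n in flag_dga_clients(SAMPLE_LOG):
        print(f"{client}: {n} distinct NXDOMAIN names within 60s -> candidate DGA host")
```

Tune `window_seconds` and `min_distinct` to the resolver's normal traffic before trusting the output; a bad search suffix or a scanner also produces NXDOMAIN bursts, so treat a hit as a lead to confirm on the host (for instance by checking whether its automatic updates and its access to security vendor sites still work, as the reports above describe), not as proof.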


Conficker: Just in Case

Honestly, I am getting ready to go to bed and sleep easy tonight, but before I do I figured I would throw another log on the fire for those who want to stay up and panic about the Conficker worm: here is a survival guide by Christopher Null of Yahoo Tech on the Conficker worm variant.

I can think of at least 3 or 4 times in history that we have been baited into waiting on a payload from worms like this Conficker, and they never really panned out, or at least not on the global scale that analysts are calling for this one, too. Personally I think there might be a little something to this one, but I don’t foresee the global impact everyone is expecting. Just to be on the safe side, though, everyone should probably stockpile canned goods and board games. Good night!

:-)

Tomorrow — April 1 — is D-Day for Conficker, as whatever nasty payload it’s packing is currently set to activate. What happens come midnight is a mystery: Will it turn the millions of infected computers into spam-sending zombie robots? Or will it start capturing everything you type — passwords, credit card numbers, etc. — and send that information back to its masters?

No one knows, but we’ll probably find out soon.

Or not. As Slate notes, Conficker is scheduled to go "live" on April 1, but whoever’s controlling it could choose not to wreak havoc but instead do absolutely nothing, waiting for a time when there’s less heat. They can do this because the way Conficker is designed is extremely clever: Rather than containing a list of specific, static instructions, Conficker reaches out to the web to receive updated marching orders via a huge list of websites it creates. Conficker.C — the latest bad boy — will start checking 50,000 different semi-randomly-generated sites a day looking for instructions, so there’s no way to shut down all of them. If just one of those sites goes live with legitimate instructions, Conficker keeps on trucking.

Conficker’s a nasty little worm that takes serious efforts to bypass your security defenses, but you aren’t without some tools in your arsenal to protect yourself.

Your first step should be the tools you already have: Windows Update, to make sure your computer is fully patched, and your current antivirus software, to make sure anything that slips through the cracks is caught.

But if Conficker’s already on your machine, it may bypass certain subsystems and updating Windows and your antivirus at this point may not work. If you are worried about anything being amiss — try booting into Safe Mode, which Conficker prevents, to check — you should run a specialized tool to get rid of Conficker.

Microsoft offers a web-based scanner (note that some users have reported it crashed their machines; I had no trouble with it), so you might try one of these downloadable options instead: Symantec’s Conficker (aka Downadup) tool, Trend Micro’s Cleanup Engine, or Malwarebytes. Conficker may prevent your machine from accessing any of these websites, so you may have to download these tools from a known non-infected computer if you need them. Follow the instructions given on each site to run them successfully. (Also note: None of these tools should harm your computer if you don’t have Conficker.)

As a final safety note, all users — whether they’re worried about an infection or know for sure they’re clean — are also wise to make a full data backup today.

What won’t work? Turning your PC off tonight and back on, on April 2, will not protect you from the worm (sorry to the dozens of people who wrote me asking if this would do the trick). Temporarily disconnecting your computer from the web won’t help if the malware is already on your machine; it will simply activate once you connect again. Changing the date on your PC will likely have no helpful effect, either. And yes, Macs are immune this time out. Follow the above instructions to detect and remove the worm.

Oh yeah, and let’s don’t forget what tomorrow is… 

And, don’t get me wrong, if I was terribly concerned I probably would not be getting ready for bed…

Last-minute Conficker survival guide : Christopher Null : Yahoo! Tech


April Fools Day Worm Variant

Turns out that if you get the email saying to look out for a bad virus that will hit your computer on April 1st this year, there might actually be something to the rumor. Conficker, which has been around for a while now, apparently carries an April 1st activation date in some of the newer variants that are showing up…

(CNN) — A computer-science detective story is playing out on the Internet as security experts try to hunt down a worm called Conficker C and prevent it from damaging millions of computers on April Fool’s Day. The anti-worm researchers have banded together in a group they call the Conficker Cabal. Members are searching for the malicious software program’s author and for ways to do damage control if he or she can’t be stopped. They’re motivated in part by a $250,000 bounty from Microsoft and also by what seems to be a sort of Dick Tracy ethic.

"We love catching bad guys," said Alvin Estevez, CEO of Enigma Software Group, which is one of many companies trying to crack Conficker. "We’re like former hackers who like to catch other hackers. To us, we get almost a feather in our cap to be able to knock out that worm. We slap each other five when we’re killing those infections."

The malicious program already is thought to have infected between 5 million and 10 million computers. Those infections haven’t spawned many symptoms, but on April 1 a master computer is scheduled to gain control of these zombie machines, said Don DeBolt, director of threat research for CA, a New York-based IT and software company.

What happens on April Fool’s Day is anyone’s guess. The program could delete all of the files on a person’s computer, use zombie PCs — those controlled by a master — to overwhelm and shut down Web sites or monitor a person’s keyboard strokes to collect private information like passwords or bank account information, experts said.

More likely, though, said DeBolt, the virus may try to get computer users to buy fake software or spend money on other phony products. Experts said computer hackers largely have moved away from showboating and causing random trouble. They now usually try to make money off their viral programs. DeBolt said Conficker C embeds itself deep in the computer where it is difficult to track. The program, for instance, stops Windows from conducting automatic updates that could prevent the malware from causing damage.

The program’s code is also written to evolve over time and its author appears to be making updates to thwart some of the Conficker Cabal’s attempts to neuter the worm. "It is very much a cat and mouse game," DeBolt said.

It’s unclear who wrote the program, but members of the Cabal are looking for clues. First, they know that some recent malware programs have come from Eastern European countries outside the jurisdiction of the European Union, said Patrick Morganelli, senior vice president of technology for Enigma Software. Worm program authors often hide in those countries to stay out of sight from law enforcement, he said.

In a way, the Conficker Cabal is also looking for the program author’s fingerprints. DeBolt said security researchers are looking through old malware programs to see if their programming styles are similar to that of Conficker C. The prospects for catching the program’s author are not good, Morganelli said. "Unless they open their mouth, they’ll never be found," he said.

So, the most effective counter-assault simply may be damage control. One quick way to see if your computer has been infected is to see if you have gotten automatic updates from Windows in March. If so, your computer likely is fine, DeBolt said. Microsoft released a statement saying the company "is actively working with the industry to mitigate the spread of the worm."

Users who haven’t gotten the latest Windows updates should go to http://safety.live.com if they fear they’re infected, the company’s statement says. DeBolt said people who use other antivirus software should check to make sure they’ve received the latest updates, which also could have been disabled by Conficker C.

The first version of Conficker — strain A — was released in late 2008. That version used 250 Web addresses — generated daily by the system — as the means of communication between the master computer and its zombies. The end goal of the first line was to sell computer users fake antivirus software, said Morganelli. Computer security experts largely patched that problem by working with the Internet Corporation for Assigned Names and Numbers to disable or buy the problematic URLs, he said.

That process-of-elimination approach isn’t likely to be effective with Conficker strain C, Morganelli said. The new version will generate 50,000 URLs per day instead of just 250 when it becomes active, DeBolt said. The first iteration of Conficker is thought to have grown out of a free function for security programs created by Dr. Ronald Rivest, a computer science professor at the Massachusetts Institute of Technology.

"Any technology can be used for good or evil, and this is just an example of that," Rivest said.  Many viruses have taken pieces of benevolent programs and used them for ill. But overall the "open source" environment online promotes computer security far more than it enables hackers, DeBolt said.

"I don’t blame the open-source community at all" for virus attacks, he said. CA said it recently found a piece of code in Conficker C that says the worm will become active on April 1. Previous versions of the malicious software launched on specific dates noted in the program code, so the April Fool’s Day launch date is not likely to be a trick, DeBolt said. "The best minds in the industry are working on this to protect customers," he said. "We’re trying to reduce the impact of the April 1 date as best we can. But we know … this malware will continue to evolve."

No joke in April Fool’s Day computer worm – CNN.com
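To make the 250-versus-50,000 point in the CNN piece above (and in the Yahoo Tech guide earlier on this page) concrete, here is a small simulation, added as an example. It is not code from the original post or from any of the researchers quoted, and the generator is an illustrative date-seeded scheme, not Conficker’s actual algorithm. It assumes a shared secret and a fixed TLD list, that the botmaster registers one name per day, and that a defender-run sinkhole can observe a bot but cannot feed it instructions, so the only way to deny the attacker is to hold every name on the day’s list before he does.

```python
import hashlib
import math
import random
from datetime import date

# Illustrative date-seeded DGA. This is NOT Conficker's real algorithm: the shared
# secret, the label shape and the TLD list are assumptions made for this example.
TLDS = ("com", "net", "org", "info", "biz")
SECRET = b"illustrative-shared-secret"


def generate_domains(day, count, secret=SECRET):
    """Deterministic candidate list for `day`: bot and botmaster both derive it from the
    date and the secret, so no list of names ever has to be shipped inside the binary."""
    out = []
    for i in range(count):
        h = hashlib.sha256(secret + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + 8 + h[0] % 5])  # 8..12 letters
        out.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return out


def attacker_choice(day, count, secret=SECRET):
    """The single name the botmaster registers for `day`, also derived from the secret."""
    idx = int.from_bytes(hashlib.sha256(secret + b"pick" + day.isoformat().encode()).digest()[:4], "big")
    return generate_domains(day, count, secret)[idx % count]


def expected_reach_fraction(count, probe_limit, attacker_names=1):
    """Exact chance that one bot probing `probe_limit` of `count` names hits at least one of
    the attacker's `attacker_names` registrations (hypergeometric: 1 - C(n-a,k)/C(n,k))."""
    k = min(probe_limit, count)
    return 1 - math.comb(count - attacker_names, k) / math.comb(count, k)


def population_day(day, count, probe_limit, n_bots, defender_budget, rng_seed=0):
    """Simulate one day for a population of bots. The attacker registers one name; the
    defender pre-registers `defender_budget` random names from the same list and, if that
    set already holds the attacker's name, the attacker is locked out for the day. Each bot
    probes a random subset of the list (Conficker.C was reported to try 500 of 50,000); a
    sinkhole answering a probe only *sees* the bot, it cannot command it (assumption)."""
    rng = random.Random(rng_seed)
    candidates = generate_domains(day, count)
    defender_live = set(rng.sample(candidates, k=min(defender_budget, count)))
    attacker_live = {attacker_choice(day, count)} - defender_live
    tally = {"reached_attacker": 0, "seen_by_sinkhole": 0, "attacker_locked_out": not attacker_live}
    for _ in range(n_bots):
        probes = rng.sample(candidates, k=min(probe_limit, count))
        if any(p in attacker_live for p in probes):
            tally["reached_attacker"] += 1
        if any(p in defender_live for p in probes):
            tally["seen_by_sinkhole"] += 1
    return tally


if __name__ == "__main__":
    d = date(2009, 4, 1)
    # Strain A/B scale: 250 names a day, which a coordinated defence can register outright.
    print("250/day, defender holds all 250   :", population_day(d, 250, 250, 100, 250))
    # Strain C scale: 50,000 names a day, far more than anyone will pre-register.
    print("50,000/day, defender holds 2,500  :", population_day(d, 50_000, 500, 100, 2_500))
    print("per-bot chance of reaching the attacker at 500 probes of 50,000:",
          expected_reach_fraction(50_000, 500))
```

With 250 names a day, a defender who registers the whole list locks the attacker out and sees every bot. With 50,000 names and 500 probes per bot, each bot has only a 1 percent chance of reaching the attacker’s one name on a given day, but no defender budget short of the full list changes that number, and with millions of infected machines 1 percent a day is plenty. That is the arithmetic behind the "process of elimination" no longer working against strain C.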


Microsoft Offers Bounty for Hackers

Apparently Microsoft is looking to shut down the hackers who developed the Conficker (aka Downadup) worm. They are so serious that they have offered a $250,000 reward for information leading to the arrest and conviction of the developer.

I don’t recall Microsoft ever doing this before; wonder what it is about this virus that gives them the heebie-jeebies? hmmmmm… Here’s a little more information about the Microsoft bounty that I ran across on CNN this morning. All I want to know is when in the world Windows 7 is going to hit the shelves. A lot of people are already asking…

(CNN) — Software giant Microsoft is offering a $250,000 reward for information leading to the arrest and conviction of hackers behind a powerful computer virus that could lead to millions of PCs being hijacked.

Experts have so far been baffled by the true purpose of the Conficker or Downadup virus, but have described its spread as one of the most serious infections ever seen.

The worm exploits a bug in Microsoft Windows to infect mainly corporate networks, then — although it has yet to cause any harm — it opens a link back to its point of origin, meaning it can receive further orders to wreak havoc.

Microsoft has issued a patch to fix the bug; however, if a single machine is infected in a large network, it will spread unchecked, often reinfecting machines that have been disinfected.

The threat from the virus prompted Microsoft in collaboration with other technology industry names to this week announce a $250,000 reward for information to track down those behind Conficker.

"As part of Microsoft’s ongoing security efforts, we constantly look for ways to use a diverse set of tools and develop methodologies to protect our customers," said George Stathakopoulos, of Microsoft’s Trustworthy Computing Group.

Mikko Hypponen, chief research officer at anti-virus firm F-Secure says the true scope of the virus is not known, but in the past 24 hours his company monitored Conficker signals from two million Internet protocol addresses.

"That’s a lot," he told CNN. "And one IP address here does not mean one infected computer, it means at least one infected computer.

"Many of those IP addresses are obviously company proxies or firewalls, hiding hundreds of more infections behind it. Unfortunately this also makes it impossible to estimate the total count of infected systems.

"So it’s still big. Very big."

Microsoft has previously paid out similar rewards to informants who helped identify the creator of Sasser, another notorious worm let loose in 2004. The perpetrator was tracked to Germany, where he was sentenced a year later.
