Posted
Did about as much damage as the dreaded Y2K problem. :D But it probably generated a lot of hits on certain websites ??? :o

That's exactly what I thought...

Posted

I disagree. The Downadup worm—also called Conficker—has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon.

"It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs," says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes. Many experts anticipate that could occur soon.

What that darker purpose might be is a source of speculation, but Jackson theorizes that it may well end up being "rogue antivirus malware" that demands the user buy it to eliminate the worm. "It's basically extortion," he says.

Like SecureWorks, IBM notes that it's the second-stage payload of the Downadup worm that is a source of concern. "Right now it's not destroying or stealing; it's just hanging out," comments Tom Cross, X-Force researcher in the IBM ISS division. "It's building its network of hosts."

While no one knows exactly what the stage-two payload will bring, one reason for the worm's somewhat slow but steady progress is its use of Windows "AutoRun" to copy itself through Windows file shares and USB tokens, Cross says.

"If it copies itself to a file share, and if the user clicks on a file, the user's computer will get infected," Cross says. "Even if the computer is patched, you can still get infected if you access one of the infected USB drives or file shares." Cross advises that AutoRun be disabled.

This is an additional means of the worm spreading beyond exploiting the Windows RPC flaw identified last October, for which a patch is available. The worm also has a password cracker that is adept at cracking administrative accounts on other computers, though very strong passwords should make that much harder, Cross says.

Source: Networkworld

Posted

You know what Conficker did on April 1st? It downloaded upgrades, just as was predicted. It's now bigger and badder than ever. It has new code that will make the next upgrade cycle actually impossible to stop, and it put more stuff into place to make itself harder to detect.

Who knows what the authors of this worm are up to - most likely they are going to rent out their huge network of zombie machines for money. Then others can buy access and use it for DDOS attacks (which is usually just blackmail) or sending out spam, or some other purpose.

Here is what is not going to happen to the infected machines: Data is not going to be destroyed. The machines are not going to crash. In fact, the idea behind the whole thing is to be invisible so you, the user, will never know you are actually a spam zombie on demand. That's the whole point. They might be used to steal private data, but doing that on such a vast scale would require a very large background op and maybe bring the law down on these guys for sure, so I think it would be too risky. Then again - what do I know.

Posted

I just had Conficker. I let my g/f plug her USB flash drive into my USB hub to do some college work and immediately Avira antivirus detected Conficker in "install.inf" on the flash drive.

I wasn't quick enough to stop her clicking on something, so the Avira message disappeared.

I then "safely removed" the drive and plugged it in again, but this time hit the "delete" option when the Avira message appeared.

I then ran Spybot Search and Destroy on the flash drive and got a BSOD! I've started a separate topic about that, here: http://www.thaivisa.com/forum/index.php?s=...t&p=3036806

Posted
At my school we have a massive infection with Conficker. It's a serious problem and difficult to get rid of.

All I can say is keep your computer up-to-date with the latest 'critical' patches.

Run the Malicious Software Removal Tool on infected computers. MRT will remove Conficker and a host of other worms.

MRT v2.14

MRT v2.14 (for Windows x64)

To prevent further infection, install the following security patch:

Vulnerability in Server Service Could Allow Remote Code Execution (958644)
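The two mitigations this thread keeps coming back to are disabling AutoRun (Cross's advice above) and installing the Server Service patch (958644). The script below is an added example, not from any poster here: run in an elevated PowerShell, it audits both on the local host and corrects the AutoRun policy if it is weaker than "off for all drive types". The `NoDriveTypeAutoRun` policy value and the `KB958644` hotfix ID are real; the 0xFF mask and the key path are the standard Windows policy location, assumed to apply to the reader's Windows version.

```powershell
# Added example (not the thread's own script): audit a Windows host for the
# two Conficker mitigations discussed above and remediate the AutoRun one.
# Assumes an elevated session; KB958644 is the Server Service RCE patch.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$valueName = 'NoDriveTypeAutoRun'
$allDrives = 0xFF   # bit mask: AutoRun disabled for every drive type

# --- AutoRun policy: report the current (possibly weak) value, then harden ---
$current = (Get-ItemProperty -Path $policyKey -Name $valueName `
            -ErrorAction SilentlyContinue).$valueName
if ($null -eq $current) {
    Write-Host "AutoRun policy not set (OS default applies) - weak"
} elseif ($current -ne $allDrives) {
    Write-Host ("AutoRun policy is 0x{0:X2} - some drive types still AutoRun" -f $current)
} else {
    Write-Host "AutoRun already disabled for all drive types"
}
if ($current -ne $allDrives) {
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name $valueName -Value $allDrives -Type DWord
    Write-Host "Set $valueName to 0xFF; log off/on for Explorer to pick it up"
}

# --- Patch check: Conficker's network vector is the unpatched Server Service ---
$patch = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($patch) {
    Write-Host "KB958644 installed on $($patch.InstalledOn)"
} else {
    Write-Warning "KB958644 is NOT installed; patch before reconnecting to file shares"
}
```

Run it on each machine in the infected network after MRT has cleaned it; a host that still reports a weak AutoRun value or a missing KB958644 is one a single infected USB stick or share can reinfect.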
