8th April 2009 - Conficker begins stealthy update
The Conficker worm has started to update infected machines with a mystery package of data.
Computer security firms watching the malicious program noticed that it sprang into life late on 8 April.
The activity on its update system delivered encrypted software to compromised machines. It is not yet clear what the payload contains.
The Conficker virus variants are thought to be present on millions of PCs around the world.
Spam connection
The updating activity has begun about a week later than expected. Analysis of the "C" variant of Conficker (aka Downadup) revealed that its updating mechanism was due to go live on 1 April.
The belated updates were spotted by researchers for Trend Micro following the arrival of a new file in one of the directories in so-called "honeypot" machines deliberately seeded with Conficker C.
Analysis showed that the file had arrived via the peer-to-peer file transfer system that infected machines use to communicate.
In a bid to avoid alerting people to its activity, the update is slowly being trickled across the population of machines harbouring the C variant. Exact figures for the number of Conficker-infected machines are hard to determine, but the minimum is widely believed to be three million.
"The Conficker/Downad P2P communications is now running in full swing," wrote Ivan Macalintal from Trend Research on the company's security blog.
Once it arrives on a machine, the package of data randomly checks one of five different websites - MySpace, MSN, eBay, CNN and AOL - to ensure its host still has net access and to confirm the current time and date.
Following this check the data package removes all traces of its installation.
The strong encryption on the payload has, so far, prevented detailed analysis of what it actually does. However, security experts speculate that it is a "rootkit" that will bury itself deep in Windows in order to steal saleable data such as bank website login details.
Security researchers are continuing to analyse the payload to get a better idea of what it is intended to do.
Symantec said it too had noticed the increased activity of Conficker and its analysis suggested a link with another well-known virus called Waledac. This malicious program steals sensitive data, turns PCs into spam relays and opens up a backdoor so the machine can be controlled remotely.
The security firm noticed that the update also included an instruction to the worm to remove itself on 3 May, 2009. However, the Waledac imposed backdoor on the machine will remain open, so its creators can still control compromised PCs. 25th March 2009 - April Fools variant of Conficker warning, Conficker.C
The Conficker worm will be active again on 1 April, according to an analysis of its most recent variant, Conficker.C, by the net security firm CA.
This malicious piece of software, also known as Downup, Downadup and Kido, spreads among computers running most variants of the Windows operating system and turns them into nodes on a multi-million member "botnet" of zombie computers that can be controlled remotely by the worm's as yet unidentified authors.
Since it first appeared in October 2008 it has apparently infected more than 15 million computers around the internet, though even that number is no more than an educated guess because the worm works very hard to disguise its presence on a PC.
The worm turns
Conficker spreads through a security vulnerability in the Windows Server Service that allows a carefully written program to persuade the attacked computer to run malicious code instead of the Microsoft-written software.
Once installed it turns off Windows Automatic Update and stops you using the Windows Security Centre. It disables a range of internal services that could be used by anti-malware programs, blocks access to a number of anti-virus websites and even resets and deletes system restore points so you can't go back to an uninfected installation of your operating system.
And at some point it connects to a remote site to download additional malware and register itself as part of the botnet. The analysis of the latest version indicates that this will next happen on April 1st, and the day maybe a bad one because the way it does this has changed in the latest version of the worm, making it significantly harder to stop.
Previous Conficker infections were controlled to some extent because security researchers were able to determine which servers the worm was going to try to contact and block access to them before it did so. But the C variant has a much larger pool of potential domains to choose from, as it selects 500 target servers from a pool of 50,000 while previous versions chose 32 from 250.
As a result the ad hoc group of security researchers who have been working to limit the botnet's use, the Conficker Cabal, will have a much harder time ensuring that infected systems do not make the connection to the remote service that may allow them to be used to send spam e-mail, log user keystrokes or launch denial of service attacks on other computers.
We will have to wait until April to see how effective efforts at controlling Conficker are, but the analysis that has been done to date shows that it is a particularly well-designed program, one that will be hard to beat.
The overall sophistication of the current generation of malicious software is rather impressive, and I occasionally find myself admiring the skill of its developers in the same way that I can appreciate the technical skill and imagination that goes into fighter planes, tanks and modern armaments.
I may not approve of the use to which the ingenuity is being put, but I can't deny that Conficker's developers are ingenious in the way they have developed and distributed their code.
Whatever happens with this particular worm, we have to hope that the security features in Windows 7 will reduce the impact of all types of malicious software in the Microsoft ecosystem, although there will probably be enough unpatched systems around for some years to sustain Conficker and other worms, especially if the growth of netbooks means that Windows XP is still being used.
But while it's easy to blame Microsoft for making its systems vulnerable we should also acknowledge that our own demands have contributed a great deal to the current situation and may make a complete solution unachievable.
We have demanded complex, sophisticated computers that are easy to use, simple to interact with and able to connect to the internet as full peers. We want what Jonathan Zittrain calls "generative" systems that can run new software to take advantage of new services and connect us to new people. And we do not want to spend hours configuring firewalls, locking down features or scanning for potential malware.
History lesson
Perhaps we should not be surprised that attempts to make these systems secure have failed.
I see a parallel between our attempts to have security and reliability in the complex computer systems we are building today and the attempts by philosophers at the turn of the 20th to reduce all of mathematics to formal logic.
The work of Frege, Russell and Whitehead was undermined by the Austrian mathematician Kurt Gödel when he published his Incompleteness Theorem in 1931. He showed that in any sufficiently complex mathematical system there will be statements that cannot be proved either true or false, and that this is not because of errors or mistakes but is a fundamental property of the system.
His work made it clear that attempts to explain all of mathematics in terms of formal logic were doomed to failure, and there are clear similarities between our attempts to free our computers and the network from malware and the world described by Gödel.
There will always be flaws and security holes in the rich, complex computing environment, and as a result there will always be space for malicious software to propagate.
That doesn't mean our attempts to limit its spread and control the potential damage are futile, but it does mean they will be never-ending.
1st February 2009 - Conficker Virus Out of control, over 9.5 millions computers infected Experts are warning that hackers have yet to activate the payload of the Conficker virus.
The worm is spreading through low security networks, memory sticks, and PCs without current security updates.
The malicious program - also known as Downadup or Kido - was first discovered in October 2008.
Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.
Speaking to the BBC, F-Secure's chief research officer, Mikko Hypponen, said there was still a real risk to users.
"Total infections appear to be peaking. That said, a full count is hard, because we also don't know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs world wide.
"It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights.
"But they haven't done that yet, maybe they're scared. That's good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect."
Experts say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch. The patch is known as KB958644.
Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.
"Microsoft did a good job of updating people's home computers, but the virus continues to infect business who have ignored the patch update.
"A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.
"What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order," he added.
"But as the virus can be spread with USB memory sticks, even having the Windows patch won't keep you safe. You need anti-virus software for that."
According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.
It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.
Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.
Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.
But Conficker does things differently.
Right now, we're seeing hundreds of thousands of [infected] unique IP addresses
Toni Koivunen, F-Secure
Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.
Speaking to the BBC, Kaspersky Lab's security analyst Eddy Willems said that a new strain of the worm was complicating matters.
"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems
"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creating new variants though this mechanism.
"Of course, the real problem is that people haven't patched their software," he added.
Removal instructions and link to removal tool found on our forum HERE
