Security Corner:

Conficker

Apr 10 2009   11:46PM GMT

Conficker’s raison d’être? Profit, of Course
Posted by: Ken Harthun
Anti-malware, Anti-virus, Botnet, Conficker, Cybercrime, Security, Worm, Scam, Scareware

More than a week after Conficker’s much-hyped April 1st activation date, the botnet has come to life and is using a P2P communication system to update itself on what is believed to be millions of infected PCs. Along with the update, the worm is downloading scareware known as SpywareProtect2009, according to Alex Gostev of Kaspersky Lab:

One of the files is a rogue anti-virus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido (Conficker), detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.

As is typical with scareware, once SpywareProtect2009 is downloaded, the victim will start seeing the usual popup warning messages asking if they want to “clean and protect” their PC (see screen shot below). Of course, this will cost them $49.95. The criminals will no doubt make millions on these fees alone while amassing a huge database of valid credit card numbers that will likely be sold for additional profit.

Threatpost.com has posted an excellent FAQ and also provides a disinfection tool called KKiller for download.

Mar 31 2009   12:48AM GMT

What Will Conficker do on April First?
Posted by: Ken Harthun
Security, Security bulletin, Security management, Vulnerabilities, Worm, Conficker, Microsoft Windows

No one knows for sure, but we do know that *something* is going to happen on April Fools’ Day. Conficker is a new breed of malware; the people behind it are of exceptional intelligence. They aren’t a crew of script kiddies out to make a quick buck. Whatever Conficker is specifically designed to do, you can bet its actions will be directed toward: 1. Maximizing proliferation of its binaries (survival); 2. Avoiding detection; and, 3. Maximizing profit (or damage).

The worm has been pretty effective at #1, by some estimates having already infected several million PCs. It has done this by exploiting a Windows vulnerability, MS08-067, which was patched back in October and about which I wrote Will They Ever Learn to Patch? in January. However, it’s possible that the computers in the most concentrated areas of infection–China, Russia, India, Brazil, and Argentina–are impossible to patch because they are running pirated copies of Microsoft Windows, and Microsoft does not allow updates of any kind to its pirated software. Seems to me this is a self-defeating policy, but I’m just a sensible Geek, not a Microsoft executive.

As for #2, the latest variant has added new anti-detection features. According to Larry Seltzer writing in PCMag.com, “Avoiding detection is a major theme with Conficker.C. It’s not the first malware to try to defend itself in-memory against security software and diagnostic tools, but ‘C’ does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center.”

We’ll find out Wednesday, April 1st, what–if anything–happens with #3. My bet is that it’ll be another Y2K-type event. Then again, who knows?
Feb 10 2009   3:02AM GMT

OpenDNS Service to Track and Block Conficker Worm
Posted by: Ken Harthun
Security, Malware, OpenDNS, Conficker, Worm, Cybercrime, Anti-malware

With some estimates placing the number of computers infected by the Conficker worm at 10 million or more, Conficker has the potential to become one of the biggest botnets ever. Given that many system administrators probably don’t realize they’re hosting the parasite, it’s a good bet that things will get worse before they get better. Fortunately, the good guys at OpenDNS are offering a free service designed to alert administrators of Conficker’s presence and help them with containment and cleanup.

Though Conficker began spreading late last year, so far none of the infected machines has downloaded any software that would create a botnet or send spam. However, that could change in a blink if the criminals behind Conficker add a malicious payload to any of the domains the drones connect to every day. If a network has any PCs that try to connect to the rogue servers, OpenDNS will pinpoint them. As part of the service, infected machines will be prevented from connecting to the control servers:

What’s interesting about this particular virus is that it uses the Domain Name System in a unique way: Conficker contains an algorithm that checks 250 new domains per day for instructions on what it should do. This puts us in a unique position to keep you safe since we’re in the unique position of providing insight and intelligence into your DNS service. We’ve teamed with Kaspersky Lab to identify those 250 daily domains, and stop resolving them.

Administrators must register for a free account in order to take advantage of the service and must use OpenDNS on their networks. Once the account is set up, it’s a simple matter to check for Conficker’s presence:

To find out if Conficker has penetrated your network, simply log in to your account and select Stats on the left sidebar. From there choose Blocked Domains and filter “only domains blocked as malware.” This will generate a list of malware sites your network has attempted to connect with.
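The two things the OpenDNS service does, as described above, are (a) refuse to resolve the day’s list of rendezvous domains and (b) show the administrator which internal hosts tried to look them up. The Python script below is an added illustration of that same DNS-side containment and reporting logic; it is not OpenDNS’s code, not Conficker’s domain-generation algorithm, and not the blog author’s. The daily blocklist, the query-log format (`date client qname`) and every domain and address in it are constructed placeholders, standing in for the lists OpenDNS and Kaspersky Lab would publish.

```python
"""Modelling the DNS-side Conficker containment the post describes:
a resolver policy that refuses to answer the day's listed domains, and a
report of which internal hosts asked for them. Added illustration only;
the blocklist and log lines below are constructed, not real Conficker
domains or OpenDNS data."""
from collections import defaultdict

# Constructed stand-in for the daily list of generated domains (the real
# service tracks 250 per day). Keyed by ISO date because each list is
# only valid for the day the worm would try it.
DAILY_BLOCKLIST = {
    "2009-02-10": {"qwrtzx.biz", "plmoknijb.info", "zzgvhu.org"},
    "2009-02-11": {"bnmlkjh.net", "ttrewq.cc"},
}

# Constructed query log: one "date client_ip qname" record per line.
SAMPLE_LOG = """\
2009-02-10 10.0.0.5 www.example.com
2009-02-10 10.0.0.5 QWRTZX.BIZ.
2009-02-10 10.0.0.5 plmoknijb.info
2009-02-10 10.0.0.9 mail.example.com
2009-02-10 10.0.0.7 zzgvhu.org
2009-02-11 10.0.0.5 bnmlkjh.net
2009-02-11 10.0.0.9 ttrewq.cc
2009-02-11 10.0.0.7 www.example.com
"""


def normalise(qname):
    # DNS names are case-insensitive and may carry a trailing dot.
    return qname.lower().rstrip(".")


def is_blocked(qname, day):
    """True if qname is (a subdomain of) one of that day's listed domains."""
    name = normalise(qname)
    listed = DAILY_BLOCKLIST.get(day, set())
    return any(name == d or name.endswith("." + d) for d in listed)


def resolve(qname, day, upstream):
    """Resolver policy: listed names get no answer (modelled as None, i.e.
    NXDOMAIN) instead of being forwarded upstream. This is the
    'stop resolving them' step; everything else goes to `upstream`."""
    if is_blocked(qname, day):
        return None
    return upstream(qname)


def parse_log(text):
    for line in text.splitlines():
        if line.strip():
            day, client, qname = line.split()
            yield day, client, qname


def blocked_by_host(log_text):
    """The 'Blocked Domains, only domains blocked as malware' view:
    client address -> sorted list of listed domains it tried to reach."""
    hits = defaultdict(set)
    for day, client, qname in parse_log(log_text):
        if is_blocked(qname, day):
            hits[client].add(normalise(qname))
    return {client: sorted(domains) for client, domains in hits.items()}


def suspected_infections(log_text, min_domains=2):
    """Hosts that hit at least `min_domains` distinct listed domains. A
    single lookup can be noise (a curious admin, a typo); an infected
    host walks through many of the day's domains looking for orders."""
    return sorted(client for client, domains in blocked_by_host(log_text).items()
                  if len(domains) >= min_domains)


if __name__ == "__main__":
    for client, domains in sorted(blocked_by_host(SAMPLE_LOG).items()):
        print(client, domains)
    print("suspected:", suspected_infections(SAMPLE_LOG))
```

The per-day keying matters: a domain from yesterday’s list is not blocked today, which is exactly why the service needs a fresh list every day rather than a static blacklist. The `min_domains` threshold is a design choice for triage, not something the post prescribes; hosts with a single hit still appear in the full `blocked_by_host` report.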