Conficker worm: worst is yet to come

Conficker has wriggled into millions of PCs, leaving them open to receive a nasty parcel of malware from its author. But the worm – shaping up to be the biggest virus attack the world has ever seen - has yet to deliver its payload to a single infected computer. Antivirus experts tell NBR they’re waiting for the other boot to drop.

Peter Sparkes, senior manager for managed security services across Asia Pacific and Japan for Symantec, the largest antivirus player, tells NBR his company has yet to spot a single instance of a PC being hit by a Conficker payload (although the Ministry of Health did take its systems offline during a 15 day battle to root out the worm itself).

The worm works in three stages. In the first, it infects a PC, either online or – in a nice retro touch recalling the days of floppy-borne viruses – a USB thumb drive. Next, it “phones home” to a rogue web server controlled by Conficker’s creator (whom Symantec’s rival F-Secure fingers as a Ukrainian hacker), letting the server know the PC is infected, and now open to receive a payload of malware.

While the malware payload could theoretically be any piece of software, Mr Sparkes notes that unlike the early internet days of show-off hackers and amateur vandals, today’s virus writers are all about making money.

He also notes that Conficker is a very slickly-written piece of software, noted for its uniquely insidious ability to randomly generate 250 server domain names every day (most worms are easier to nab because they “phone home” to a single server).

Mr Sparkes says Conficker (also known as Downadup) is continuing to mutate. One new variant attacks Windows Vista (previously, Windows XP and older versions were more vulnerable). Another hijacks the “autoplay” function in Windows 7 (Vista’s successor, still in beta).

It’s unlikely such a sophisticated operation would not be building up to a major attack.

Typically, today’s malware attempts to sniff out personal details that could provide its author with access to the victim’s bank account or online auction account – or simply holds and individual or company’s data to ransom.

So when Conficker’s payload does hit, it’s likely some of the owners of the estimated 3 million (by Symantec’s count) to 9 million (by F-Secure’s) infected PCs are going to see their online accounts looted.

It’s possible Conficker’s author has set a certain date when all infected PCs will be hit in one big-bang attack, which would maximise the rapidly-reconfiguring worm’s chances against being blocked by security software updates. However, it’s equally possible incremental attacks will take place.

Although Conficker is shaping up to possibly be the world’s largest ever virus attack, Mr Sparkes says infections are concentrated in the small business segment, and geographically in China, Russia and South America – countries where there is less security infrastructure, and fewer have applied Microsoft’s relevant Windows patch (covered here) or auto-update their antivirus software.

This article is tagged with the following keywords. Find out more about My Tags

Post Comment

19 Comments & Questions

Commenter icon key: Subscriber Verified

Can I smell paranoia and a new Y2K? Seems to be a largely unsubstantiated threat of 'potential' and 'massive' liability (again!!) Maybe it is a mutation of Bird Flu?

Reply
Share

The Y2K problems were real - that is why IT professionals adressed them and it was not the end of the world. Y2K is a sucess story

Reply
Share

success :-)

Reply
Share

On January 21st it started taking down PCs in HSBCs WAN system. Several thousand PCs have been destroyed by the worm. They have been attempting to create a repair at the New York IT office, but it looks like a reformat to get work going again. This was not announced so it has not affected the DJIA. We are hush hush about for now.

Reply
Share

Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html -
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome.

Reply
Share

So, no comment from Microsoft, huh? Even if i've down-loaded all their super-secure upgrades for my ultra-secure Windows Secure Vista Secure OS? Hmmm...

Reply
Share

My company was infected by Conficker, Right at Xmas. It has taken me 3 weeks to erradicate this worm infestation. I have noticed on the 20th when I had 90% of the infection removed, that there was a sudden outbreak of trojan, viral & adware/spyware on the remaining infected machines. I think it will hit with a VERY BIG BANG. I installed all critical & security updates, and it would still get onto a pc, installing all known updates, patches, and I mean all you can find on Windows update, would it contain the infection. I only picked this thing up by using another AV ventor product using a function for HIPS and Buffer overflow. Patch fast, down the network if you have to. This little sucker is gearing up for nasty business.

Reply
Share

I have been going nuts for weeks battling SOMETHING on/in my windows xp box that began the day after christmas on one machine. I hooked up my laptop to see if I could figure it out and get a handle on it and then through searching around discovered my laptop had already been infected for months! My permissions had been changed, files were locked down and the control I thought I had over my XP box was an illusion. I finally broke down and took them both to the local computer guru who charged me $60 and handed me back my clean machine. He had made a new user and now everything was OK... NOT! I dug around and realized I was still infected with something but I had no clue and no idea how to fix it. I finally broke down and wiped it with a fresh install and a brand new 2009 Security Suite that would help protect me right? I updated Windos and did everything I thought I could do. As soon as I turned on the MSN Messenger I noticed tons of data. I realized that a handful of unknown users were in my 'Allowed' list and as I started to block them the data transfers began to slow down. Too late, my fresh, clean box was already infected. At this point my local techie thought I was insane, which I was starting to agree with. This has absolutely consumed me! Why does Microsoft include things like Remote Access and Netmeeting and enabled by default? I am obviously not into computer security so it is hard for me to know what is normal Microsoft functions on an uninfected computer. After wiping and a fresh install AGAIN, I am now up and running. I do think that I am somehow still infected but that I have gotten it somewhat under control by closing down some ports and blocking out some network access of some Windows functions. My restore points had all been deleted and all the new ones were obiously infected. Processes that enabled this THING to run were protected Windows functions of which I had no control over and which were not detected because they were windows processes. If I wasn't a bit obsessive and actually looking for something, I probably would have never known anything. I think my machine began to port scan others as well as scanning my airways via bluetooth, my wireless connection, etc.. for other places to go. I think this THING is far worse than any suspects. I suppose it is what's being called the Conficker worm, amoung other names, after reading all the security websites and reports such as this. At least now I am feeling a bit justified with my overwheling paranoia over the past month. I think Microsoft understands the seriousness of this matter and guess it is being downplayed because of the intensity of the situation? If your machine is taken over will a patch really help it? I believe that my keystrokes were logged and as soon as an internet connection was detected my machine automatically called out to have the latest worm/trojan/malware info updated. I do think that my usernames and passwords went somewhere and God forbid (but how could they not be?!) are being stored. I checked logs and processes were happening so fast that I realized that this wasn't personal that this was all somehow an automatted process. I pray that a technical doomsday never comes. I love my computer more than I should ever admit that I do. After reading a few repoerts like this I think that some others are pubically acknowledging my suspicions. Who could pull off such a grand scheme? The Russian mob? I know I sound like a nut job and trust me I feel like one after this past month of my sloppy, paranoid, amateur detective work but if you're dealing with this on a large scale or in a business setting, maybe you can understand what I am saying or somehow relate. Microsoft really needs to stand up and take responsibility for their sloppy security flaws. This, whatever it may be, is taking advantage of Microsoft in a way that is almost unfathomable. Unless they go out of their way to help inform the public, this thing will quietly continue it's plot for world domination. I think that this silent crisis could make our current housing and economic woes pale in comparrison. What can we do? Who can we call? I feel so helpless sitting here tapping away on my probably inected Windows Mobile phone. I am paranoid, I will admit it and I am terrified. What kind of effect could this have on our currently unstable economy is this technical nuke detinates? I don't even want to think about it. Where are the good ol' days where I could surf without a care in the world. Thanks Microsoft for storing up all my passwords over the years! Why did I ever allow myself to even do that?! I feel so ashmed, so dirty, so voilated!! :( Now how the heck do I scan my cell and my camera for a wormy trojan?!

Reply
Share

I agree with Emil Heinemann.
My company was also infected by this virus called "Conficker", but the different thing is that i got installed this virus via spam email. I removed the infection about 70 to 80 percent with the new f-secure engine, but at some point it infected more machines in our companies. Also installed all of the updates from the Microsoft. I think microsoft is now useless for the security updates.

Reply
Share

and our company is now in state of having financial problem. Everything is going so outrageous.

Reply
Share

i mean our hospital ( not company)

Reply
Share

I suspected software companies and some government dark forces responsible for this.
In fact, there is an artificial economical crisis which will increase the number of robberies, malware, attacks to privacy, police's abuses, crowd paranoia, etc. This is just beginning.

Reply
Share

I'll show you how, my e-mail address is wpcebu@gmail.com

Reply
Share

went to work at one site that had been hit with conficker, the worm got into the router and reconfigured the router dns, to point to an infected dns. every time i cleaned the system off line, and reconnected to the internet, with all other pc's off, the cleaned pc was re-infected because the router was directing the pc to infected dns... very slick little bugger!

Reply
Share

the infected site infects ur pc, then it blocks the internet service by reconfiguring ur router.
reformat drive c:
create conficker.worm folder

Reply
Share

I know that it's probably been brought up a lot of times, but this should be another lesson that Windows has a lot of quirks that allow viruses to take advantage and exploit the operating system. By using Linux for instance, I can sit back and let all of this happen and not worry about getting infected. Maybe someday Linux will have exploits, but for now it doesn't and that's enough for me. I can use my computer for what it was meant for and not worry about maintenance, viruses, and the entire list.

Reply
Share

osama

Reply
Share

All software have exploits and security holes. It just so happens that Windows is the most used OS by a crap load.

So if you were a bad guy would you want to through something out there to infect a few machines or alot.

Reply
Share

the infected site infects ur pc, then it blocks the internet service by reconfiguring ur router.
reformat drive c:
create conficker.worm folder

Reply
Share

Post New comment or question

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.

NZ Market Snapshot

Forex

Sym Price Change
USD 0.7761 0.0015 0.19%
AUD 0.9524 0.0020 0.21%
EUR 0.6332 -0.0004 -0.06%
GBP 0.4968 0.0011 0.22%
HKD 6.0199 0.0126 0.21%
JPY 92.9660 0.3820 0.41%

Commods

Commodity Price Change Time
Gold Index 1195.4 -2.890 2014-12-19T00:
Oil Brent 61.4 1.580 2014-12-19T00:
Oil Nymex 57.1 2.910 2014-12-19T00:
Silver Index 16.0 0.096 2014-12-19T00:

Indices

Symbol Open High Last %
NZX 50 5527.8 5553.7 5527.8 0.25%
NASDAQ 4752.6 4782.1 4748.4 0.36%
DAX 9827.3 9883.6 9787.0 0.70%
DJI 17778.0 17874.0 17778.2 0.15%
FTSE 6545.3 6620.9 6545.3 0.76%
HKSE 23264.0 23478.9 23116.6 1.26%
NI225 17685.5 17692.6 17621.4 0.08%