|
| View previous topic :: View next topic |
| Author |
Message |
Please Register and Login to this forum to stop seeing this advertsing.
|
![]() Posted: Post subject: |
|
|
|
|
|
| Back to top |
|
 |
Mad Welshie
Gone Totally Bonkers
Joined: 05 Nov 2008
Posts: 4341
Location: Posting from a secure place... In HOLLAND ----->>>> according to BoB
|
 Posted: Sun Mar 29, 2009 1:48 pm Post subject: Conficker (Downadup) worm updates malicious code |
 |
|
| Quote: | Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April.
Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed potential call-home web servers from which they might receive updates, a massive increase on the 250 potential web server locales used by earlier variants of the code.
"Conficker-C isn't going to contact all 50,000 domains per day," explained Niall Fitzgibbon, a malware analyst at Sophos. "It's only going to contact a randomly-chosen 500 of them which gives each infected machine a very small chance of success if the authors register only one domain. However, the P2P system of Conficker can be used to push digitally signed updates out to other infected machines that don't manage to contact the domain."
Known unknown
Whether anything will actually be offered for download, much less what the payload might be, is unclear. No particular function or payload currently within the malicious code is due to activate on 1 April. It's also possible that a payload will only be offered up for download days or week after the new call-home routine comes into effect.
If updates are successfully made, infected machines are programmed to suspend call-home activity for 72 hours, as an analysis by Sophos explains.
Lessons from the call back routines of previous variants of the worm provide few clues as to what might happen. Sophos said it never observed the previous Conficker-B variant ever downloading malicious payloads, other than updates to Conficker-B++ and Conficker-C. As a result, there isn't much history to draw upon for any speculation as to the eventual goal of the Conficker botnet.
Anti-virus firms are keeping a close eye on what Conficker might do early next month while downplaying concerns that Downadup will either "erupt" or "explode" on 1 April, deluging us with spam or swamping websites with junk traffic in the process.
"Let's not forget that history has shown us that focusing on a specific date for an impending malware attack has sometimes lead to nothing more than a damp squib," notes Graham Cluley, senior technology consultant, at Sophos.
Although nothing might happen it's never a bad time for sys admins to check for infection by Conficker on their network. Such infections have already caused widespread problems.
Symantec said that the worm, which had initially focused solely on spreading "has since developed into a robust botnet, complete with sophisticated code signing to protect update mechanisms, as well as a resilient peer-to-peer protocol". An analysis of the worm, complete with a graphic illustrating the evolution of the worm's propagation, control and defensive features, can be found here.
Windows PCs infected with Conficker (Downadup) are programmed to dial home for updates through a list of pseudo-random domains. Microsoft is heading a group, dubbed the anti-cabal alliance, to block unregistered domains on this list. The more complex call-home routine deployed by Conficker-C comes in apparent response to this move.
Rik Ferguson, a security researcher at Trend Micro, added that blocking call-back domains associated with the latest variant of the worm will be "almost impossible" not only because of the daily volume, but also because there is a possibility that legitimate domains might be hit as a result. Even earlier versions of the worm, calling far fewer domains every day, used algorithms that threw up addresses that coincided with legitimate domains.
|
Story here The Confiker Worm
_________________
 FAO BoB    |
|
| Back to top |
|
|
AllanP
Joined: 17 Jan 2008
Posts: 488
Location: Central Scotland.
|
| Posted: Sun Mar 29, 2009 9:02 pm Post subject: |
|
|
Huntygowk!!!
_________________
Please support Cancer Research. |
|
| Back to top |
|
|
BoB
Assistant Admin
Joined: 17 Nov 2007
Posts: 2937
Location: End of the Telephone line!
|
| Posted: Tue Apr 14, 2009 10:46 am Post subject: |
|
|
Conficker Worm is on the go again, you may have read about it as it was due to come back as a new form on 1st April.
It started before this infecting computers, but it may lie dormant for a few months before changing and causing devastation on your computer.
There are con sites offering to remove the worm, but they infect your computer further with their own virus and worms.
For more read PC Pitstops report |
|
| Back to top |
|
|
WACOlives
Joined: 17 Nov 2008
Posts: 900
Location: east sussex
|
| Posted: Tue Apr 14, 2009 5:23 pm Post subject: |
|
|
Scary stuff BoB..
Being a non-geek I just hope it bypasses me !! 
............................................................................................
On a weekend pass, I would'nt have had time, to get home and marry, that sweetheart of mine |
|
| Back to top |
|
|
BoB
Assistant Admin
Joined: 17 Nov 2007
Posts: 2937
Location: End of the Telephone line!
|
| Posted: Tue Apr 14, 2009 8:32 pm Post subject: |
|
|
With a good Anti-Virus it should pass without being noticed.
This one can change so as not to be picked up, but they behave the same way so they can be detected that way, I HOPE!!!
|
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
