Experts warn of imminent Conficker attack (4/9/09)

Discussion in 'malware problems & news' started by hawki, Apr 9, 2009.

Thread Status:
Not open for further replies.
  1. hawki (Registered Member; joined Dec 17, 2008; 1,955 posts; DC Metro Area)

    Experts warn of imminent Conficker attack -- Keylogger Suspected (4/9/09)

    Conficker wakes up, updates via P2P, drops payload -- KEYLOGGER/ROOTKIT SUSPECTED

    (CNET) -- The Conficker worm is finally doing something--updating via peer-to-peer between infected computers and dropping a mystery payload on infected computers, Trend Micro said on Wednesday.


    This piece of computer code told the worm to activate on April 1, researchers found.

    Researchers were analyzing the code of the software that is being dropped onto infected computers but suspect that it is a keystroke logger or some other program designed to steal sensitive data off the machine, said David Perry, global director of security education at Trend Micro.

    The software appeared to be a .sys component HIDING BEHIND A ROOTKIT, which is software that is designed to hide the fact that a computer has been compromised, according to Trend Micro. The software is heavily encrypted, which makes code analysis difficult, the researchers said.

    http://us.cnn.com/2009/TECH/04/09/conficker.activated/index.html

    Security experts have uncovered new Conficker activity which could indicate that the hackers behind the worm are finally gearing up for an assault.

    Researchers at Trend Micro discovered a new variant of Downad/Conficker last night, called Worm_Downad.E, which is spreading over the peer-to-peer network of infected PCs created by the previous version.

    http://www.vnunet.com/vnunet/news/2240194/conficker-activity-emerges


    Conficker worm continues to rampage
    09.04.2009
    The Conficker virus – otherwise known as the W32.Downadup worm – continues to be active and may actually be linked to one of the most active spambots on the planet.

    Symantec Security Response has observed that the W32.Downadup worm continues to be active, and has warned businesses to continue to be cautious.

    “On April 8, 2009 we discovered a new sample that is a slightly modified version of the original W32.Downadup worm. The worm previously updated its functionality with the .C variant, which installed on top of the .B variant infections, and we are now seeing the same type of update happening on top of the .A variant infections,” Symantec said in a warning note.

    http://www.siliconrepublic.com/news/article/12714/cio/conficker-worm-continues-to-rampage


    Conficker now definitely downloading updates through P2P

    Trend Micro reports that the Conficker.C (or Downad) worm has now indeed begun to download updates – not, however, from the web sites that many have been watching, but through its peer-to-peer function. The experts say they stumbled on this while observing the Windows Temp folder and the network traffic on an infected system. In contrast to Conficker.A and .B, the .C version can establish a P2P network with other infected systems and use it to download further programs and receive commands. Trend Micro says this P2P operation is now going full blast.

    http://www.h-online.com/security/Conficker-now-definitely-downloading-updates--/news/113044


    New Conficker variant talks to servers associated with the Waledac botnet, and downloads an ‘unknown’ payload.
    9 Apr 2009 at 12:17

    Security researchers have discovered a new variant of Conficker, which has downloaded a payload from servers connected to the Waledac botnet. A week after the April Fool’s Conficker scare, a ‘dropper’ came through which updated Conficker and added new functionality through its P2P connectivity. The new Conficker variant was also talking to servers and websites that were already known for their associations with the Waledac family of malware.

    http://www.itpro.co.uk/610478/new-variant-of-conficker-strikes

    Conficker reprogrammed for new attack run
    IDG news service

    Researchers are warning that the Conficker worm has been reprogrammed to strengthen its defences and boost its ability to attack more machines.

    Over the last day or so, researchers with Websense and Trend Micro said some PCs infected with Conficker received a binary file over P-to-P. Conficker's controllers have been hampered by efforts of the security community to get directions via a website, so they are now using the P-to-P function, said Rik Ferguson, senior security advisor for the vendor Trend Micro.

    The new binary tells Conficker to start scanning for other computers that haven't patched the Microsoft vulnerability, Ferguson said. A previous update turned that capability off, which hinted that Conficker's controllers maybe thought the botnet had grown too large.

    But now, "it certainly indicates they [Conficker's authors] are seeking to control more machines," Ferguson said.

    http://www.techworld.com/security/news/index.cfm?newsid=114124&pagtype=all
    Last edited: Apr 9, 2009
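    The Techworld item above reports that the new binary switches Conficker back to scanning for unpatched machines. From a defender's side, that behaviour is visible in network flow data as one host opening SMB connections to many distinct neighbours in a short time. The script below is an added example, not code from any of the vendors quoted in this post; it assumes the scan targets TCP port 445 (the SMB vulnerability Conficker exploited, MS08-067, is not named on this page) and runs over constructed flow records built inside the script.

```python
"""Flag hosts whose outbound SMB (TCP/445) fan-out looks like worm scanning.

Added example (not from Trend Micro, Websense, or any vendor quoted above).
A Conficker-style host probing for unpatched neighbours contacts many
distinct destinations on port 445 within a short window; a normal client
talks to a handful of file servers repeatedly. Counting distinct
destinations per source in a sliding time window separates the two.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def constructed_sample():
    """Build constructed flow records: 'timestamp src dst dport' per line."""
    base = datetime(2009, 4, 9, 10, 0, 0)
    lines = []
    # 10.0.0.5: 16 distinct hosts on 445 within 32 seconds (scan-like)
    for i in range(16):
        ts = (base + timedelta(seconds=2 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.5 10.0.1.{i + 1} 445")
    # 10.0.0.7: 20 flows to a single file server (ordinary SMB use)
    for i in range(20):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.0.0.7 10.0.0.2 445")
    # 10.0.0.9: 3 distinct hosts on 445 (below the threshold)
    for i in range(3):
        ts = (base + timedelta(seconds=5 * i)).isoformat()
        lines.append(f"{ts} 10.0.0.9 10.0.2.{i + 1} 445")
    # 10.0.0.5 also browsing the web; port 80 is ignored by the detector
    lines.append(f"{base.isoformat()} 10.0.0.5 192.0.2.10 80")
    return "\n".join(lines)


def parse_flows(text):
    """Parse 'timestamp src dst dport' lines into (datetime, src, dst, int) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return records


def find_scanners(records, port=445, window=timedelta(seconds=60), threshold=10):
    """Return {src: peak_distinct_destinations} for sources that reached at
    least `threshold` distinct hosts on `port` inside any `window`."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in records:
        if dport == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, events in by_src.items():
        events.sort()  # time-ordered so the window can slide forward
        start = 0
        for end in range(len(events)):
            # drop events that fall out of the window ending at events[end]
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    hits = find_scanners(parse_flows(constructed_sample()))
    for src, peak in sorted(hits.items()):
        print(f"scan-like SMB fan-out from {src}: {peak} distinct hosts in 60s")
```

    The threshold and window are tuning knobs; on a real network they should be set above the distinct-destination count that legitimate SMB clients (backup agents, admin workstations) produce, and the detector is best read alongside the vendors' note that the update also changed the worm's scanning on/off state, since a single quiet host can go from zero fan-out to full scanning after one P2P update.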
  2. hawki

    Conficker now downloading scareware on infected machines.

    The Conficker botnet has stirred to life, using its peer-to-peer communication system to update itself and download scareware (fake anti-virus programs) to millions of infected Windows machines.

    http://blogs.zdnet.com/security/?p=3110
  3. hawki

    Kaspersky Lab's analysis of new version of Kido (Conficker)

    Assuming that there are 5 million infected machines out there, the botnet could send out about 400 billion spam messages over a 24-hour period!

    http://www.kaspersky.com/news?id=207575791
  4. EASTER (Registered Member; joined Jul 28, 2007; 5,632 posts; U.S.A. (South))

    That's a lot of botnets. I don't P2P anything, but you can bet the rest of the world opens wide for that potential.

    EASTER