Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.

Conficker update. - Page 2

Re: Conficker update.

Posted by: fivex
Date: 2009-04-09 18:36:52
But it's the messenger, not mail. (It shouldn't affect the mail.)

Re: Conficker update.

Posted by: Wild MissingNo. appeared
Date: 2009-04-09 18:43:10
Mine loads up fine. I used to get an error before the release of Live Windows Messenger. I miss the old one… I've had MSN Messenger on today, as my current account isn't all that old. I've had it for about nearly a year.

Re: Conficker update.

Posted by: fivex
Date: 2009-04-09 18:45:57
Age of account doesn't matter. Anyway, this is getting kinda off topic.

Anyway, the Waledac/Conficker connection is interesting.

Re: Conficker update.

Posted by: Wild MissingNo. appeared
Date: 2009-04-09 18:50:24
I think it's damn well insane. I was aware of Conficker.C, but now there's Conficker.D, and now Conficker.E, or as most say, Downadup.E. Conficker is sort of like the SQL Slammer back in '03, but Conficker seems more widespread and highly dangerous. It is unknown what Conficker.D and Conficker.E do. Wikipedia hasn't said much about Conficker.D and Conficker.E.

Re: Conficker update.

Posted by: fivex
Date: 2009-04-09 18:52:01
I haven't even seen Conficker.D.
Conficker.E runs alongside Conficker.C (D?) and spreads the Conficker.C/E combo.

Re: Conficker update.

Posted by: Wild MissingNo. appeared
Date: 2009-04-09 19:08:13
I was reading on Conficker on Wikipedia to see if they had any news on how C works, and they have this about the Conficker family, from Wikipedia.

Variant name: Conficker A
Detection date: 2008-11-21
Infection vectors:
* NetBIOS
  - Exploits MS08-067 vulnerability in Server service
Update propagation:
* HTTP pull
  - Downloads from trafficconverter.biz
  - Downloads daily from any of 250 pseudorandom domains over 5 TLDs
Self-defense & Notable Characteristics:
* None
* Installs rogue (fake) anti-virus software (aka scareware)

Variant name: Conficker B
Detection date: 2008-12-29
Infection vectors:
* NetBIOS
  - Exploits MS08-067 vulnerability in Server service
  - Dictionary attack on ADMIN$ shares
* Removable media
  - Creates DLL-based AutoRun trojan on attached removable drive
Update propagation:
* HTTP pull
  - Downloads daily from any of 250 pseudorandom domains over 8 TLDs
* NetBIOS push
  - Patches MS08-067 to open reinfection backdoor in Server service
Self-defense & Notable Characteristics:
* Blocks DNS lookups
* Disables AutoUpdate

Variant name: Conficker C
Detection date: 2009-02-20
Infection vectors:
* NetBIOS
  - Exploits MS08-067 vulnerability in Server service
  - Dictionary attack on ADMIN$ shares
* Removable media
  - Creates DLL-based AutoRun trojan on attached removable drives
Update propagation:
* Downloads daily from any of 250 pseudorandom domains over 8 TLDs
* NetBIOS push
  - Patches MS08-067 to open reinfection backdoor in Server service
  - Creates named pipe to receive URL from remote host, then downloads from URL
Self-defense & Notable Characteristics:
* Blocks DNS lookups
* Disables AutoUpdate

Variant name: Conficker D
Detection date: 2009-03-04
Infection vectors:
* None.
Update propagation:
* HTTP pull
  - Downloads daily from any 500 of 50000 pseudorandom domains over 110 TLDs
* P2P push/pull
  - Uses custom protocol to scan for peers via UDP, then transfer via TCP
Self-defense & Notable Characteristics:
* Blocks DNS lookups
  - Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites
* Disables AutoUpdate
* Kills anti-malware
  - Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals

Variant name: Conficker E
Detection date: 2009-04-07
Infection vectors:
* ?
Update propagation:
* P2P push/pull
  - Uses custom protocol to scan for peers via UDP, then transfer via TCP
Self-defense & Notable Characteristics:
* Disables AutoUpdate
* Kills anti-malware
  - Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
* Downloads and installs the well-known bot Waledac.
* Downloads and installs fake antivirus such as SpyProtect 2009
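The table above says the B/C variants poll 250 pseudorandom domains a day over 8 TLDs and D polls 500 of 50,000 over 110 TLDs. A defender sees that pattern in resolver logs as a burst of NXDOMAIN answers for unrelated names across many TLDs from one client. The following is an added example, not from the thread or from any Conficker analysis: it does not implement Conficker's domain generator (the page does not give it), only a heuristic over constructed log lines, with an assumed `<epoch> <client_ip> <qname> <rcode>` line format and made-up hostnames.

```python
"""Heuristic DGA spotter for resolver logs. Not Conficker's real algorithm
(this page does not give it): a client that racks up NXDOMAIN answers for
many distinct, unrelated names across many TLDs inside a short window looks
like a bot cycling through its daily pseudorandom domain list."""
import re
from collections import defaultdict

# Constructed sample log lines (not real traffic). Assumed line format:
#   <epoch> <client_ip> <qname> <rcode>
SAMPLE_LOG = """\
1239235200 10.0.0.5 www.example.com NOERROR
1239235201 10.0.0.5 qlxwmv.biz NXDOMAIN
1239235202 10.0.0.5 hpdkrzt.info NXDOMAIN
1239235203 10.0.0.5 zmqoe.ws NXDOMAIN
1239235204 10.0.0.5 vtrqkbn.cc NXDOMAIN
1239235205 10.0.0.5 ldwpaxi.org NXDOMAIN
1239235220 10.0.0.9 typo-of-example.com NXDOMAIN
1239235221 10.0.0.9 example.org NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_log(text):
    """Yield (timestamp, client, qname, rcode), skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, client, qname, rcode = m.groups()
            yield int(ts), client, qname.lower().rstrip("."), rcode

def tld_of(qname):
    return qname.rsplit(".", 1)[-1]

def suspicious_clients(text, window_secs=60, min_nx=5, min_tlds=3):
    """Return {client: (distinct NXDOMAIN names, distinct TLDs)} for clients
    that exceed both thresholds within some window_secs-long window."""
    events = defaultdict(list)
    for ts, client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            events[client].append((ts, qname))
    flagged = {}
    for client, evs in events.items():
        evs.sort()
        for i, (t0, _) in enumerate(evs):
            in_win = [q for t, q in evs[i:] if t - t0 <= window_secs]
            names, tlds = set(in_win), {tld_of(q) for q in in_win}
            if len(names) >= min_nx and len(tlds) >= min_tlds:
                flagged[client] = (len(names), len(tlds))
                break
    return flagged
```

A single typo lookup (10.0.0.9) stays below the thresholds; tune `min_nx` and `min_tlds` to the daily volumes in the table for the variant you are hunting.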

Re: Conficker update.

Posted by: glitchhunter09
Date: 2009-04-09 19:46:42
I was reading a couple of days ago that conficker can infect USB mass storage devices and as a result spread it to other computer networks.

You'll get a little autorun menu when the flash drive is activated. Then there will be two "Open folder to view files" options. One has "Windows Explorer" in grey text underneath. The other has "Unknown Service" underneath it in grey text. Don't click the Unknown Service one, otherwise Conficker will infect the PC the flash drive was inserted into. Surprisingly, I'm feeling much better despite the fact I'll never be able to make a YouTube video ever again.

Firefox freezes and crashes on me for no reason now. It also refuses to force itself to close once it's frozen, which is totally off subject because my computer isn't infected with Conficker as far as I can tell.

Re: Conficker update.

Posted by: fivex
Date: 2009-04-09 20:04:11
That only applies to Vista/7 actually.

Re: Conficker update.

Posted by: Wild MissingNo. appeared
Date: 2009-04-10 04:57:59
I use Vista (laptop), and I haven't been infected with Conficker. I would have known if I was, due to the fact they disable a lot of things. Here's some news on Conficker.

Conficker botnet could flood Web with spam

April 10, 2009 (Computerworld) Windows PCs infected with the Conficker worm have turned into junk mail-spewing robots capable of sending billions of spam messages a day, a security company warned today.

According to Kaspersky Lab, a Moscow-based antivirus firm, yesterday's update to Conficker, which in some cases was accompanied by the Waledac spam bot, has resulted in a floodtide of junk e-mail.

"In just 12 hours, one bot alone sent out 42,298 spam messages," said Kaspersky researcher Alex Gostev in a message Friday. "A simple calculation shows that one bot sends out around 80,000 e-mails in 24 hours. Assuming that there are 5 million infected machines out there, the [Conficker] botnet could send out about 400 billion spam messages over a 24-hour period!"

The spam is pitching pharmaceuticals exclusively at the moment, said Gostev, primarily erectile dysfunction medications such as Viagra and Cialis, with message subject headings, including "She will dream of you days and nights!" and "Hot life – our help here. Ensure your potence [sic] today!"

Gostev also noted that almost every message contained a unique domain in the embedded link, a tactic spammers sometimes use to side-step antispam filters, which analyze the frequency that any one domain is used. "We detected the use of 40,542 third-level domains and 33 second-level domains," said Gostev. "They all belonged to spammers and the companies that ordered these mailings."

Most of the domains are hosted in China, he added.

Conficker, the worm that first appeared in November 2008, exploded in early 2009 to infect several million machines and set off a near-panic as an April 1 trigger date approached, was fed a new version early Thursday that restored its ability to spread and beefed up its defenses against security tools. If it successfully updated an already-infected PC, Conficker.e – as the new variant has been labeled – also downloaded and installed a noted spam bot, Waledac.

Waledac has its own checkered history, in that it's assumed to have been created by some of the same hackers who operated the notorious Storm botnet during 2007 and 2008.

The spam coming from Conficker.e-infected systems is actually generated and sent by the Waledac bot Trojan.

Some Conficker bots have also downloaded and installed Spyware Protect 2009, one of the many "scareware" programs in circulation. Scareware is the term given to fake anti-malware software that generates bogus infection warnings and then nags users with endless alerts until they pay $50 to buy the useless program. According to Microsoft, the scam – also called "rogue software" – is one of the biggest threats to Internet users. In the second half of 2008 alone, Microsoft's anti-malware tools cleaned nearly 6 million PCs of scareware-related infections.

Yesterday, another researcher raised the alarm about the new Conficker and the software it drops, saying that the spam and scareware angles were clearly the first solid evidence of how the worm's makers planned to profit from their crime. "I don't want to be a scaremonger," said Kevin Hogan, director of security response operations at Symantec Corp. "But the situation now, as Conficker does go back to propagating, is actually more serious than a couple of weeks ago."

Here's some more news.

Conficker cashes in, installs spam bots and scareware

Conficker.e is installing SpywareProtect2009, said Gostev in an entry to the Kaspersky blog. "Once it's run, you see the app interface, which naturally asks if you want to remove the threats it's 'detected,' " Gostev said. "Of course, this service comes at a price – $49.95."

Symantec's Hogan said his team was not able to confirm that Conficker also downloads scareware. "That said, not all Conficker nodes act the same," he said. "Some are not downloading at all, so it wouldn't entirely be out of the question that different nodes or sections of the botnet downloaded different things."

Conficker's rogue security software scam isn't new: The worm's first variant also tried to distribute phony antivirus software late last year, though the move was largely unsuccessful, said Hogan, citing earlier analysis by one of his researchers, Eric Chen. "But in all the buzz about Conficker.c and April 1," said Hogan, "people forgot that Conficker's makers have tried to profit in the past."

The lack of a clear business model for Conficker – especially with Conficker.b, the early-January variant that infected at least 4 million PCs, according to Symantec's estimates – had confounded researchers and analysts. In fact, it was one of the reasons why there was so much attention paid to the worm's new communications scheme activation date: Everyone wondered what it would do on April 1 to monetize the effort spent collecting a massive botnet.

Unlike the Conficker.c update, the newest variant restores the worm's ability to spread by exploiting the critical Windows vulnerability Microsoft patched with an emergency fix in October 2008.

"It's been pretty obvious in the last couple of weeks that the footprints of Conficker.b and Conficker.c were very different," Hogan said. While the former had infected millions of PCs, Conficker.c, which only updated still-compromised computers, was on several thousand PCs at most. "If they wanted to stay in business, they needed to reseed it," said Hogan.

"I don't want to be a scaremonger," cautioned Hogan, "but the situation now, as Conficker does go back to propagating, is actually more serious than a couple of weeks ago."
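The Kaspersky figures quoted above (40,542 third-level domains but only 33 second-level domains) describe a filter-evasion tactic: a unique hostname per message defeats filters that count how often one hostname appears. The added example below, which is not from the article or from any vendor's product, shows the defender's counter: count links by registrable domain instead of by hostname. The link list is constructed, and the two-label rule for the registrable domain is an assumed simplification.

```python
"""Counter to the per-message unique-subdomain trick the article describes:
count spam links by registrable (second-level) domain rather than by full
hostname, so thousands of throwaway third-level names collapse onto the few
parent domains the campaign actually relies on."""
from collections import Counter
from urllib.parse import urlparse

# Constructed sample, one link per message as in the quoted campaign; every
# hostname and domain here is made up for this example.
SAMPLE_LINKS = [
    "http://a7f3k.pills-sample.example/?u=1",
    "http://q9z2m.pills-sample.example/?u=2",
    "http://xx81p.pills-sample.example/?u=3",
    "http://b4c0d.meds-sample.example/go",
    "http://n6v1r.meds-sample.example/go",
    "http://www.unrelated-sample.example/news",
]

def registrable_domain(host):
    """Assumed simplification: the last two labels are the registrable domain.
    A production filter would consult the Public Suffix List (co.uk, etc.)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()

def hosts_from_links(links):
    hosts = (urlparse(u).hostname for u in links)
    return [h for h in hosts if h]

def domain_stats(links):
    """Return (per-hostname counts, per-registrable-domain counts)."""
    hosts = hosts_from_links(links)
    return Counter(hosts), Counter(registrable_domain(h) for h in hosts)

def campaign_domains(links, min_hosts_per_domain=3):
    """Registrable domains hiding behind at least min_hosts_per_domain
    distinct hostnames: a high hostname-to-domain ratio is the fingerprint
    of the evasion tactic, which per-hostname frequency counting misses."""
    distinct_hosts = set(hosts_from_links(links))
    per_domain = Counter(registrable_domain(h) for h in distinct_hosts)
    return {d: n for d, n in per_domain.items() if n >= min_hosts_per_domain}
```

Per-hostname counts in the sample are all 1, which is exactly why the frequency filter the article mentions sees nothing; the per-domain counts expose the campaign.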

Re: Conficker update.

Posted by: Stackout
Date: 2009-04-20 12:37:33
Conficker also has inspired a copycat worm. Neeris, an IRC bot that spreads itself by sending links through MSN Messenger, has been active for a few years, but a new variant has emerged that borrows some behavior from Conficker, such as exploiting the same hole in Windows that Conficker does and spreading via removable storage devices, Microsoft said.

Um, IRC bots have had USB spread since way before Conficker. Also, the MS08-067 exploit has been in bots since before Conficker.

Re: Conficker update.

Posted by: Wild MissingNo. appeared
Date: 2009-04-20 12:59:02
Now there's a virus variant of Conficker.

Re: Conficker update.

Posted by: ?????(000)
Date: 2009-04-20 13:04:30
Is there any antivirus that gets rid of this conficker? I fear it might get me and break the laptop itself. This machine has been through so much.

Re: Conficker update.

Posted by: Wild MissingNo. appeared
Date: 2009-04-20 13:11:44
Conficker seems to go to random IPs. I bet it targeted me last week and sent a dangerous email to me. I never opened it.

Re: Conficker update.

Posted by: ?????(000)
Date: 2009-04-20 13:38:01
It attacks random IPs? If that's the case, I need to figure out how to change mine, and then change it every day, so I'll be less at risk. And e-mails? I look at the sender, and if I don't recognize him/her/it, then I delete the e-mail without a second look.

Re: Conficker update.

Posted by: Wild MissingNo. appeared
Date: 2009-04-20 13:42:17
As far as I know, Conficker sends spam emails.