Glitch City Laboratories Archives

Glitch City Laboratories closed on 1 September 2020 (announcement). This is an archived copy of a thread from Glitch City Laboratories Forums.


Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-04 15:57:54
I was looking up viruses and worms to find a virus/worm, since a friend of mine seems to be infected with Stration (Stratio and Warezov), where his MSN (old account) keeps sending me a link through MSN (he caught it from an idiot friend), and even though he doesn't use the account it keeps sending me the link that seems to lead to the Stration Worm. So I was looking up Conficker since it's been quiet since around April 1st and seems to be making a comeback, and on July 4th (this year) a new computer virus/worm called W32.Dozer was spotted that's been attacking the United States and North Korea. Not much has been said about this, seeing as it is still new. Here's a news article about Conficker's return and W32.Dozer.

Conficker borks London council
Updated An Ealing council employee infected the UK local authority's IT systems with the Conficker-D worm after he plugged an infected USB into a work computer, causing tens of thousands of pounds in damages in the process.

The May incident took several days to clean up and landed the west London council with a bill of £500,000 in lost revenue and repairs, The Guardian reports. Because IT systems were borked, the council was unable to process more than 1,800 parking tickets, at an estimated cost of £90,000, libraries lost out on £25,000 in fines and booking fees, council property rent went uncollected, and £14,000 was spent in overtime sorting out delayed housing benefit claims.

The infection was eventually traced back to the unfortunate housing department worker's PC, the Press Association adds.

Ealing council defended the council's handling of the incident in a statement (below).

    Like many other organisations, Ealing Council's computer and telephone network was attacked by a sophisticated virus.

    The council acted immediately to protect all data and ensure that essential frontline services could continue to operate. Costs to the council included urgent work to recover computer systems and prevent the virus from spreading.

The outbreak bears the hallmarks of the Conficker worm, which affected Manchester City Council in February to much the same effect. A detailed report on the incident, compiled by the council, blamed the infection on the use of a USB stick contaminated by Conficker-D. The worm exploited a Windows Autorun security weakness in Windows 2000 machines used by the council to upload itself and spread.

Connections to remote sites were blocked during the clean-up operations. That left staff in outlying offices without telephony (because the council relies on a VoIP-based system). It also left staff in the main council office without voicemail for days for the same reason.

IT chiefs have put in a bid for a council-wide XP upgrade and extra end point and anti-virus defences at a potential cost of £600K. The upgrade would give the ability to lock down ports on PCs.

Jason Holloway, regional sales manager Northern Europe for flash disk vendor SanDisk, commented: "It underlines the fact that conventional USB flash drives have become a key method for spreading infections stealthily, as the US Army found last year."

"It also shows that virus scanning has to extend beyond the PC to all types of removable storage or - better still - that employees should be issued with company flash drives that include on-board antivirus scanning," he added.
Bootnote

Ealing is best known for the film studio that gave birth to the classic Ealing comedies of the late 40s and 50s, including Kind Hearts and Coronets and The Lavender Hill Mob. More recently the studios were brought back to life for an ill-advised remake of St Trinian's.


W32.Dozer:
Fireworks weren't the only thing going off on the 4th of July. Several U.S. and South Korean government, financial, and media websites were attacked and at different times, were offline. There's been a lot of speculation about the source of the attacks, but here is what we know so far.

We've observed a number of malware components that are responsible for the attacks. W32.Dozer, Trojan.Dozer, W32.Mydoom.A@mm, and W32.Mytob!gen work in tandem to both spread and attack. W32.Dozer, a dropper that contains all the other components within it, is sent by W32.Mytob!gen to email addresses it gathers from the compromised computer. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the compromised computer. W32.Mydoom.A@mm in turn drops W32.Mytob!gen and a removal tool built by the threat authors, allowing them to uninstall W32.Mytob!gen if they so prefer. W32.Mytob!gen gathers email addresses, sends the W32.Dozer dropper to them, and the cycle continues.

Trojan.Dozer acts as a backdoor and connects to IPs through certain ports. We have activity on the following IP addresses and ports:

213.33.116.41 through TCP port 53
216.199.83.203 through TCP port 80
213.23.243.210 through TCP port 443

These commands allow the Trojan to update itself and show the status of the DDoS. Performing DDoS attacks on predetermined sites from a component file is also one of the commands the Trojan receives. The Trojan may start an HTTP protocol session with GET or POST, UDP, ICMP, TCP ACK, or TCP SYN flood to perform the DDoS attacks.

While these attacks are ongoing, you can do your part by keeping your security software updated as often as possible. Worthy to note: filtering email attachments and blocking the IP addresses noted above in your firewall can help take the boom out of Mydoom and the bull out of Dozer.

W32.Dozer: South Korea botnet attack not finished yet
The denial-of-service attacks against Web sites in the U.S. and South Korea that started last weekend may have stopped for now, but code on the infected bots was set to wipe data on Friday, security experts said.

There were no immediate reports of any of the compromised PCs in the botnet having files deleted, but that doesn't mean it wasn't happening or won't in the future, said Gerry Egan, a product manager in Symantec's Security Technology Response group.

There are only about 50,000 infected PCs around the world being used in the attacks, which is relatively small compared to the millions that were infected with Conficker, he said.

The attacks started over the July 4 weekend launching distributed DOS attacks on dozens of government and commercial sites in the U.S. and South Korea. The attacks, which resurged during the week at least twice, affected sites including the White House, the Federal Trade Commission, the Secret Service, and The Washington Post.

One of the files dropped on infected PCs is programmed to wipe out files on the PC, including a master boot record, which will render the system inoperable when the PC is rebooted, Symantec said. "Basically, your system is in trouble if this executes," Egan said.

Botnet expert Joe Stewart of SecureWorks told The Washington Post that he tested the self-destruct Trojan and found it capable of erasing the hard drive on an infected system, but that that function wasn't being triggered. He speculated that either there is a bug in the code or that the feature is set to activate at a later date.

Researchers are finding that the botnets launching the attacks are infected with several types of malware. The MyDoom worm is being used to spread infections between computers via e-mail, Symantec and other antivirus vendors have reported.

A dropper program called W32.Dozer that contains the other components is sent by W32.Mytob!gen to e-mail addresses it gathers from the compromised computer, the Symantec Response Blog says. If a user executes the attachment, W32.Dozer drops Trojan.Dozer and W32.Mydoom.A@mm on the system.

The Dozer Trojan serves as a backdoor and connects to IPs through certain ports, allowing it to update itself and to receive instructions on sites to attack, according to Symantec. It's unclear if the DOS attacks will happen again because the infected PCs can receive new instructions at any time, Egan said.

"There is nothing new or novel in the technology," he said. Judging by the high-profile sites attacked it's likely the attackers are just trying to get attention, he added.

South Korea officials told reporters on Friday that the DOS attacks used 86 IP addresses in 16 countries, including South Korea, the U.S., Japan, and Guatemala, but not North Korea, according to an Associated Press report.
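As an added example, not taken from the post or the articles it quotes: a small Python check that scans firewall log lines for the Trojan.Dozer C2 IP:port pairs listed in the Symantec excerpt above and reports which internal hosts reached them. The log format and the sample lines are constructed assumptions; only the three IP:port pairs come from the quoted article.

```python
import re
from typing import NamedTuple

# Indicator pairs quoted from the Symantec excerpt in the post above.
DOZER_C2 = {
    ("213.33.116.41", 53),
    ("216.199.83.203", 80),
    ("213.23.243.210", 443),
}

# Constructed sample firewall log lines (not real traffic), in an assumed
# "timestamp action src -> dst:port proto" format.
SAMPLE_LOG = """\
2009-07-06 10:01:02 ALLOW 10.0.0.15 -> 213.33.116.41:53 TCP
2009-07-06 10:01:03 ALLOW 10.0.0.15 -> 8.8.8.8:53 UDP
2009-07-06 10:01:09 ALLOW 10.0.0.22 -> 216.199.83.203:80 TCP
2009-07-06 10:02:11 ALLOW 10.0.0.22 -> 213.23.243.210:8443 TCP
2009-07-06 10:02:40 DENY  10.0.0.31 -> 213.23.243.210:443 TCP
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+)\s+(?P<action>ALLOW|DENY)\s+(?P<src>\S+)\s+->\s+"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)\s+(?P<proto>\S+)$"
)


class Hit(NamedTuple):
    src: str
    dst: str
    port: int
    action: str


def find_c2_hits(log_text: str) -> list[Hit]:
    """Return connections that matched a known Dozer C2 (ip, port) pair over TCP."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        dst, port = m["dst"], int(m["port"])
        # Match on the (ip, port) pair, never the port alone: 53, 80 and 443
        # are ordinary destinations and would drown the result in noise.
        if m["proto"] == "TCP" and (dst, port) in DOZER_C2:
            hits.append(Hit(m["src"], dst, port, m["action"]))
    return hits


def hosts_to_isolate(log_text: str) -> set[str]:
    """Hosts whose C2 connection was ALLOWed got traffic out and come first;
    a DENY still points at an infected host but the block held."""
    return {h.src for h in find_c2_hits(log_text) if h.action == "ALLOW"}
```

A denied connection to a C2 pair is still worth a look at the source host, since the block only stops the traffic, not the infection that generated it.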

Re: Conficker plans to make a comeback

Posted by: ?????(000)
Date: 2009-09-04 16:06:19
Fucking hell. WHY DO PEOPLE KEEP DOING THIS KIND OF THING?!?

Re: Conficker plans to make a comeback

Posted by: tachi
Date: 2009-09-04 16:18:16
South Korea but not NORTH korea? I blame the communists!

Re: Conficker plans to make a comeback

Posted by: Ratipharos
Date: 2009-09-04 16:36:16
Borks?

Re: Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-04 17:41:34
It's what they do, to commit crimes like with most viruses/worms that use a payload that costs the victim money, so I heard. Not much has been said on Conficker, I can't find the article that was posted 12 hours ago (1st of September), but that one from the UK was posted 8 hours ago, so these people do this to get attention/money. Borks…good question on that, but it's what it was called in the article I was reading. I know others say that none of this is important, but it will be if you kill your own computer by not listening. I post these topics to warn others, not for spam. But again people create these worms/viruses to gain attention, money, or to cause trouble.

Re: Conficker plans to make a comeback

Posted by: GARYM9
Date: 2009-09-04 18:55:53
"The worm exploited a Windows Autorun security weakness in Windows 2000 machines used by the council to upload itself and spread.

Connections to remote sites were blocked during the clean-up operations. That left staff in outlying offices without telephony (because the council relies on a VoIP-based system). It also left staff in the main council office without voicemail for days for the same reason.

IT chiefs have put in a bid for a council-wide XP upgrade and extra end point and anti-virus defences at a potential cost of £600K. The upgrade would give the ability to lock down ports on PCs."

FAIL

Re: Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-04 19:02:18
Ah, but there is one worm/virus that if Vista is infected a 95 machine could get it but no one is sure WHAT Dozer is based on. It was found in the wild, this year. So, 2000 doesn't seem used much anymore, most use Vista/XP.

Re: Conficker plans to make a comeback

Posted by: GARYM9
Date: 2009-09-04 19:06:46
    Ah, but there is one worm/virus that if Vista is infected a 95 machine could get it but no one is sure WHAT Dozer is based on. It was found in the wild, this year. So, 2000 doesn't seem used much anymore, most use Vista/XP.


But the vulnerability that Conficker used has been patched on most PCs.

Also, who the hell uses Windows to run an important network?  That's like using cardboard to make your bank vault.

Re: Conficker plans to make a comeback

Posted by: fivex
Date: 2009-09-04 19:11:41
        Ah, but there is one worm/virus that if Vista is infected a 95 machine could get it but no one is sure WHAT Dozer is based on. It was found in the wild, this year. So, 2000 doesn't seem used much anymore, most use Vista/XP.

    But the vulnerability that Conficker used has been patched on most PCs.

    Also, who the hell uses Windows to run an important network?  That's like using cardboard to make your bank vault.
Alot of people.

Re: Conficker plans to make a comeback

Posted by: tachi
Date: 2009-09-04 19:12:24
Yeah sorry gary lots of people use windows!

Re: Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-04 19:14:09
They do, and that is why there's Conficker and so on now. I'm gonna wait a few days or two to look for Conficker/Win32.Dozer to find any more said about it.

Re: Conficker plans to make a comeback

Posted by: tachi
Date: 2009-09-04 19:15:06
Is this straight-up facts or hearsay?

Re: Conficker plans to make a comeback

Posted by: GARYM9
Date: 2009-09-04 19:15:21
        Ah, but there is one worm/virus that if Vista is infected a 95 machine could get it but no one is sure WHAT Dozer is based on. It was found in the wild, this year. So, 2000 doesn't seem used much anymore, most use Vista/XP.

    But the vulnerability that Conficker used has been patched on most PCs.

    Also, who the hell uses Windows to run an important network?  That's like using cardboard to make your bank vault.

Re: Conficker plans to make a comeback

Posted by: Wild MissingNo. appeared
Date: 2009-09-04 19:22:17
This is straight up, Tachi. Conficker was meant to make an attack on April 1st this year but was known as a hoax, but now the worm has been quiet for a while and is now coming back. Not much has been said about the worm's return as a lot of PCs are still infected with the worm, and parts of the variants. Over here in the UK most of the systems are infected with Conficker.D, but other places I don't know what they are infected with, seeing as I think it was the US/other places infected with Conficker.A or Conficker.B, but nothing has been said other than the infected systems become zombies (under the creator's control). Win32.Dozer is still sort of new, so I don't know what it can do yet, but it sounds like it destroys files.

Re: Conficker plans to make a comeback

Posted by: tachi
Date: 2009-09-04 19:23:16
So what stuff should I avoid?