Buell Motorcycle Forum - Quick Board Archives - Archive through April 01, 2009

Conficker countdown

Indy_bueller
Posted on Tuesday, March 31, 2009 - 09:14 pm:

What do you guys think.....media hype again or is this a real threat? Guess we'll find out tomorrow....

F_skinner
Posted on Tuesday, March 31, 2009 - 09:23 pm:

It is a real threat that has been countered. We will see tomorrow if the counter measures are effective.

Doon
Posted on Tuesday, March 31, 2009 - 09:25 pm:

Just waiting to see what happens here. Shall see what becomes of it. I have beer in 2 out of the 3 office fridges just in case we need to drink heavily (we are an ISP...)

F_skinner
Posted on Tuesday, March 31, 2009 - 09:27 pm:

From the DHS Daily report on IT.

Security experts have made a breakthrough in their five-month battle against the Conficker worm, with the discovery that the malware leaves a fingerprint on infected machines which is easy to detect using a variety of off-the-shelf network scanners. The finding means that, for the first time, administrators around the world have easy-to-use tools to positively identify machines on their networks that are contaminated by the worm. As of March 30, signatures will be available for at least half a dozen network scanning programs, including the open-source Nmap, McAfee’s Foundstone Enterprise, and Nessus, made by Tenable Network Security. Up to now, there were only two ways to detect Conficker, and neither was easy. One was to monitor outbound connections for each computer on a network, an effort that had already proved difficult for organizations with machines that count into the hundreds of thousands or millions. With the advent of the Conficker C variant, traffic monitoring became a fruitless endeavor because the malware has been programmed to remain dormant until April 1. The only other method for identifying Conficker-infected computers was to individually scan each one, another measure that placed onerous requirements on admins. The discovery of Conficker’s tell-tale heart two days before activation may prove to be an ace up the sleeve of the white hat security world.
Source: http://www.channelregister.co.uk/2009/03/30/conficker_signature_discovery/

Doon
Posted on Tuesday, March 31, 2009 - 09:35 pm:

F_Skinner. Ever try to NMAP the equiv of a couple /16's? : ) A good portion of our users' DSL modems default to running PAT anyway, so hard to tell. Internally we are all FreeBSD/Mac, so I'm not too worried. But I do have the Clue-by-four all warmed up in case we need to start ACL'ing / null routing infected boxen..

Danger_dave
Posted on Tuesday, March 31, 2009 - 09:38 pm:

It is tomorrow here. Nearly 3pm on the 1st and some of my web site hosts are currently fritzed.

(Message edited by danger_dave on March 31, 2009)

F_skinner
Posted on Tuesday, March 31, 2009 - 09:41 pm:

You should not be too worried. I spent a good portion of the day explaining this crap. If you have to start ACLing I think you may have already lost the battle. If you have ever seen Symantec or McAfee in action, they are all over this. At least in the wild. DoD systems are a little different.

I was so happy to get home and twist a wrench on the S1. Now that is a productive day.

Indy_bueller
Posted on Tuesday, March 31, 2009 - 09:41 pm:

I'm a little on edge because I am desktop support for a public school district that has over 5000 PCs. Tomorrow could be a bad day.

Squidbuzz
Posted on Tuesday, March 31, 2009 - 11:21 pm:

From the SANS Institute.

--Researchers Find Method to Test for Conficker Infection (March 30, 2009) Researchers have found a way to detect whether or not a computer is infected with the Conficker worm. Until now, the known methods for determining whether or not a computer was infected with Conficker - monitoring outbound connections on networks and scanning each computer individually - were difficult and consumed significant amounts of resources. The new technique involves remotely calling the NetpwPathCanonicalize() function. Dan Kaminsky said, "You can literally ask a server if it's infected with Conficker, and it will tell you."
http://www.securityfocus.com/brief/936
http://www.theregister.co.uk/2009/03/30/conficker_signature_discovery/
http://www.h-online.com/security/German-researchers-develop-network-scan-for-Conficker-worm--/news/112963
[Editor's Note (Honan): The full research is available from the University of Bonn at http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/.
Nmap 4.85 Beta can also detect infected computers and can be downloaded from http://nmap.org/download.html.
The US DHS also released a detection tool at http://www.dhs.gov/ynews/releases/pr_1238443907751.shtm.
(Ullrich): Kaminsky's method is important if you need to test a large number of systems remotely. For a quick individual test, check if you can still get to sites like symantec.com or sans.org. Conficker will block access to these sites. For a list of Conficker removal tools and other resources, see isc.sans.org/conficker (or use dshield.org/conficker if you are already infected, because sans.org will be blocked). Also be aware of malicious fake removal tools that will certainly be offered for Conficker.
(Hoelzer): This is excellent and timely news. Tomorrow we will have an opportunity to see how aware the community at large has become.]
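The quick individual test in Ullrich's note above (and the blocked-site symptom behind the detection write-up F_skinner quoted earlier in the thread) can be turned into a small defensive check. The Python script below is an added example, not code from the original post, from SANS, or from any of the linked researchers. It takes the two sites named in the note, symantec.com and sans.org, treats a failed name lookup as "cannot get to the site", and adds one assumption the note does not make: a control domain (example.com, chosen for this example) that the worm is not described as blocking, so that a machine that is simply offline is reported as inconclusive rather than as infected. The simulated_resolver helper and the addresses it returns are constructed for offline testing.

```python
import socket
from typing import Callable, Dict, List, Optional

# Sites the SANS note says an infected machine can no longer reach.
SECURITY_DOMAINS: List[str] = ["symantec.com", "sans.org"]
# Control domain (an assumption of this example, not from the thread): a
# name the worm is not described as blocking. If this fails as well, the
# host is simply offline and the check is inconclusive, not positive.
CONTROL_DOMAIN = "example.com"

Resolver = Callable[[str], Optional[str]]


def default_resolver(name: str) -> Optional[str]:
    """Resolve a hostname with the OS resolver; return None when it fails.

    Name resolution stands in for "getting to" a site here, since a lookup
    that no longer works is the symptom the note describes.
    """
    try:
        return socket.gethostbyname(name)
    except OSError:
        return None


def check_security_site_access(
    resolver: Resolver = default_resolver,
    security_domains: List[str] = SECURITY_DOMAINS,
    control_domain: str = CONTROL_DOMAIN,
) -> Dict[str, object]:
    """Classify a host by which security sites it can still resolve.

    Verdicts:
      clean        - every security site and the control resolve
      suspicious   - control resolves but every security site fails
      partial      - control resolves, some (not all) security sites fail
      inconclusive - the control fails too, so connectivity itself is broken
    """
    resolved = {d: resolver(d) for d in security_domains}
    control_ok = resolver(control_domain) is not None
    blocked = sorted(d for d, ip in resolved.items() if ip is None)

    if not control_ok:
        verdict = "inconclusive"
    elif security_domains and len(blocked) == len(security_domains):
        verdict = "suspicious"
    elif blocked:
        verdict = "partial"
    else:
        verdict = "clean"

    return {
        "verdict": verdict,
        "blocked": blocked,
        "control_resolved": control_ok,
        "resolved": resolved,
    }


def simulated_resolver(blocked_names: List[str]) -> Resolver:
    """Build an offline resolver for testing; constructed, not real DNS data.

    Names in blocked_names fail; everything else returns a TEST-NET address.
    """
    blocked = set(blocked_names)

    def resolve(name: str) -> Optional[str]:
        return None if name in blocked else "192.0.2.1"

    return resolve


if __name__ == "__main__":
    # Live run against the OS resolver of the machine this is run on.
    report = check_security_site_access()
    print("verdict:", report["verdict"], "blocked:", report["blocked"])
```

Run it as a script to test the host it is on. A "suspicious" verdict is exactly the case Ullrich anticipates: sans.org will not resolve, so the removal resources should be fetched from dshield.org/conficker as the note suggests. The check is a heuristic; a "clean" verdict only means the blocking symptom is absent, and the remote NetpwPathCanonicalize() test or an AV scan remains the way to confirm a host's state.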

Froggy
Posted on Tuesday, March 31, 2009 - 11:33 pm:

I found out I am working the help desk tomorrow, hopefully this is just hype.

And talking about it in an IRC chat room, this made me spill my drink!

quote:

[23:21] stash: april fools conficker is actually going to install norton antivirus on all the computers

Swordsman
Posted on Tuesday, March 31, 2009 - 11:34 pm:

Did they ever figure out exactly what its purpose is? What exactly IS the threat?

I just backed up all my important stuff to CDs tonight (stupid free DVD burning software wouldn't work.... kept leaving folders empty).

~SM

Brinnutz
Posted on Wednesday, April 01, 2009 - 01:49 am:

Froggy, what IRC server/chan?

Froggy
Posted on Wednesday, April 01, 2009 - 08:24 am:

#Wootoff on Efnet

Swordsman
Posted on Wednesday, April 01, 2009 - 10:06 am:

"stash: april fools conficker is actually going to install norton antivirus on all the computers"

Damn, that DOES sound like a Norton trick! Their software ACTS like a virus when you're trying to uninstall... stubborn bastard. Guess they follow the "takes one to know one" school of thought.

~SM

Hootowl
Posted on Wednesday, April 01, 2009 - 10:07 am:

I think they are wildly overestimating the number of infected machines. They couldn't even SNORT this thing until the day before yesterday, yet for months it has been "20 million infected machines". If they're basing that on numbers for previous worm outbreaks, I don't think it is valid. There are several mitigating factors today: Most everyone uses a home router. Windows SP2 and later has a host based firewall that is on by default. The automatic update monitoring service will nag you until you turn on automatic updates. Enterprises have gotten much better about patch management. The major AV vendors have had signatures out for all known variants for months.

This is not a zero day event.

Froggy
Posted on Wednesday, April 01, 2009 - 10:19 am:

Yeah Hoot, in the "Hurray for Mac" thread, I basically stated you pretty much have to go out of your way to get infected by this at this point. You would have needed to be infected by spyware or some other virus for the last few months and not done a thing to fix it, just to be highly vulnerable.

Froggy
Posted on Wednesday, April 01, 2009 - 10:22 am:

Swordsman, look up Norton Removal Tool. It's made by Symantec and it's a godsend for cleaning up the mess that results from attempting to uninstall any of the Symantec/Norton antiviruses.

Mortarmanmike120
Posted on Wednesday, April 01, 2009 - 10:58 am:

Y'all lost me at this:
F_Skinner. Ever try to NMAP the equiv of a couple /16's? A good portion of our users' DSL modems default to running PAT anyway, so hard to tell. Internally we are all FreeBSD/Mac, so I'm not too worried. But I do have the Clue-by-four all warmed up in case we need to start ACL'ing / null routing infected boxen..

That makes my head hurt.

Think I'll leave all this high thinkin' to the brainiacs in the group and go back to the 'ladies on bikes' thread. Enjoy folks, I'm thankful there's lots of smart people that like doing this stuff.

Bill0351
Posted on Wednesday, April 01, 2009 - 11:07 am:

After finding out that we were infected, the computer tech guys at our School district spent the last few weekends working overtime manually dealing with each and every computer.

I hope it worked!

Bill

Jaimec
Posted on Wednesday, April 01, 2009 - 12:19 pm:

This wouldn't even BE an issue if people just enabled Microsoft update to automatically keep their systems up to date. Microsoft patched the hole this thing used to infect systems back in OCTOBER. The worm first appeared in November. If it really did infect MILLIONS of PCs, then MILLIONS of users are just clueless.

As someone said earlier: This was HARDLY a zero-day exploit.

Reepicheep
Posted on Wednesday, April 01, 2009 - 12:33 pm:

I suspect it will just quietly steal passwords...

Doon
Posted on Wednesday, April 01, 2009 - 01:28 pm:

Mortarmanmike120: Basically attempting to scan 120K hosts looking for infection : )

As for ACLs, that was the worst case scenario: if all of a sudden it turned into a huge DDoS network, or became self aware.

Hexangler
Posted on Wednesday, April 01, 2009 - 01:52 pm:

http://www.nytimes.com/2009/04/01/technology/internet/01virus.html?_r=1&hpw

Experts See Early Activity From Conficker Worm

By JOHN MARKOFF
Published: March 31, 2009
MENLO PARK, Calif. — Members of an informal global alliance of computer security specialists who have been trying to eradicate a malicious software program known as Conficker said Tuesday that they were seeing early attempts by the program to communicate with a control server. The researchers said they were uncertain if it had been successful.

The Conficker software, which has spread aggressively around the globe since October and is designed to lash together infected machines into a powerful computer known as a botnet, has touched off widespread concern.

Computer security researchers who have examined a recent version of the program, called Conficker C, have said it was set to try to download commands from a server at an unknown Internet location on Wednesday. There was no certainty about the intent of the program, which could be used to send e-mail spam, distribute malicious software or generate a potentially devastating “denial of service” attack on Web sites or networks.

The choice of April Fool’s Day by the program’s authors, who are unknown, has led to speculation that the program might be a hoax. But a variety of computer security executives and law enforcement officials have pointed out that the program, which has spread to at least 12 million computers, could inflict genuine harm. Consensus among security specialists on Tuesday was that it was likely to take several days before the program’s intent could be determined.

A group of computer security specialists has tried to make it impossible for Conficker’s authors to download instructions to infected computers. While they were doing so, the authors began distributing the C version of the program. It was intended to begin contacting 50,000 Internet domains on Wednesday.

In response, the researchers have created a system that will allow them to trap all of the attempted botnet communications. That has involved a global effort, including monitoring the domains of 110 countries.

A spokeswoman for the Conficker Cabal, a security working group organized by Microsoft and other computer security companies, said on Tuesday that the group had no new information to report about the activity of the malicious program.

“All we are saying is ‘patch and clean, patch and clean,’ ” said Nicole Miller, a Microsoft spokeswoman, referring to the process of disinfecting and protecting machines infected by the software, which targets Windows-based computers.

Separately, I.B.M. said that Mark Yason, a company researcher, had decoded Conficker’s internal communication protocol. The company said that will make it easier for security teams to detect and interrupt the program’s activities.

Earlier this year Microsoft offered a $250,000 reward for information leading to the arrest of Conficker’s author or authors.

Anonymous
Posted on Wednesday, April 01, 2009 - 02:10 pm:

Hello,

I am Botnet, created by the masterful Conficker C worm.

If you are seeing this message, your computer is infected and has been activated to aid in a plot to take over the world.

Please step away from the machine or I will be forced to use some Fringe-style hypnotic program to melt your brain.

Thank you,
A Russian Teenager.

Swordsman
Posted on Wednesday, April 01, 2009 - 02:13 pm:

LOL! I KNEW it! It's the Russians!

~SM