Cornficker – computer virus or a new terror weapon?   Leave a comment

Conficker has gone on to become one of the most widespread internet worms in recent years.

The conficker computer worm, also known as downup, downandup and Kido first surfaced in 2008 but as of January 17, various reports declare that 6.5 million computers have already been infected by this virus. It also states that 3 in 10 windows PC are vulnerable to conficker attacks.

It could be the biggest April Fool’s joke ever played on the internet, or it could be one of the worst days ever for computers connected to the network. Security experts can’t work out whether the Conficker virus will wreak havoc on Wednesday , or just let the day pass quietly.

Experts have worked out that from midnight on 1 April, the Conficker program will start scanning thousands of websites for a new set of instructions telling it what to do next. The infected machines thus comprise one of the biggest “botnets” – a network of “robot” computers – in internet history. And if they were all given a target, such as simultaneously sending search queries to Google or trying to connect to a gambling site, they could knock it offline through the sheer volume of connections – a “denial of service”. Victims usually discover that they have been locked out of their computers or have very slow-running internet connections.

Careful study of infected machines has revealed that from midnight on Wednesday they will seek new instructions from a randomly generated list of thousands of websites that changes every day. Just one needs to be under the virus writers’ control to turn Conficker into a newly configured botnet – making the task of catching the exact site a search for a needle in a computing haystack.

Experts admit that they have little idea of where Conficker might be headed next. “It’s a brave man who puts his neck out like that,” said Graham Cluley, an analyst with internet security company Sophos. “For what it’s worth, we have never seen earlier versions of the Conficker worm downloading a malicious payload.”

It is also rumoured that Conficker may not activate immediately, preferring to lie in wait before receiving further orders to avoid scrutiny. The main purpose of Conficker is to provide the authors with a secure binary updating service that effectively allows them instant control of millions of PCs worldwide.

The identity of its creator remains unknown, despite Microsoft offering a bounty of $250,000 (£176,000) for the information. Usual methods of unpacking the virus code to examine its workings have been thwarted because the authors have encrypted it, using algorithms that render it almost uncrackable.

Symptoms –

  • Users being locked out of directory
  • Access to admin shares denied
  • Scheduled tasks being created
  • Access to security related web sites is blocked.

Method of Infection –

  • This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.
  • Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
  • Upon detection of this worm the system should be rebooted to clean memory correctly. May require more that one reboot.
  • Scheduled tasks have been seen to be created on the system to re-activate the worm.
  • Autorun.inf files have been seen to be used to re-activate the worm.

Removal –

  • Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
  • Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.

More information –

But beware of the other malware and virus creeping into your system by means of fraudulent software claiming to be an anti-dote to Conrficker. Microsoft is behind it and will do an appropriate press release for it. So trust only well known names for the cure.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: