Conficker C

  • TheCotMan
    *****Retired *****
    • May 2004
    • 8857

    #31
    Re: Conficker C

    Funniest news story about this I saw on TV or maybe the Internet. The reporter said something like, "And if you are infected and can't visit these sites, ask your friend to download a copy of the software and *email* it to you."

    Yay! Executables by email!

    Wait! Can you hear it? Is that the sound of mail scanners choking on the sending of executables as attachments, and of new trojans and malware disguising themselves to claim to remove Conficker C if you "just run this program attached"?

    Yay for media news with GREAT advice!

    I think they got this advice from an out of work IT guy looking for a job, but that is just a guess.

    [Still haven't found the source of this news story]
    Last edited by TheCotMan; April 1, 2009, 12:48.


    • xor
      not
      • Aug 2007
      • 1347

      #32
      Re: Conficker C

      I just got this from Sonicwall at 4/1 6:30pm EDT. Nothing like a timely warning.

      SonicWALL Service Bulletin-VULNERABILITY ALERT: Conficker Worm

      xor
      Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


      • bascule
        omgpwnies!
        • Jul 2003
        • 1946

        #33
        Re: Conficker C

        IT'S ALIVE!

        http://news.cnet.com/8301-1009_3-10215678-83.html
        45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
        45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
        [ redacted ]


        • artoir
          "Every sperm is sacred"
          • Dec 2008
          • 54

          #34
          Re: Conficker C

          The original article: http://blog.trendmicro.com/downadcon...nt-in-the-mix/

          I've been following this now over the past day or so, and from what I could gather the new Conficker.E variant has been using compromised machines to contact each other via P2P; it downloaded an encrypted .sys file (that no one, including Trend Micro, Microsoft and Symantec, has been able to crack) and it has also downloaded Spyware Remover 2009, which is your average scareware.

          It's hard finding up to date information about it as the only articles I could find today were on your usual scaremongering sites borrowing information from the Trend Micro article and adding a little bullshit for good measure.

          Another article I'd read on an infosec site (I can't find the link now) said they monitored one compromised machine send out over 42k spam emails in a 12 hour period after it downloaded a Waledac-esque program.

          Anyone else read anything of interest?
          This is a horrible font


          • g3k_
            General rogue
            • Jan 2009
            • 358

            #35
            Re: Conficker C

            Originally posted by artoir
            The original article: http://blog.trendmicro.com/downadcon...nt-in-the-mix/

            I've been following this now over the past day or so, and from what I could gather the new Conficker.E variant has been using compromised machines to contact each other via P2P; it downloaded an encrypted .sys file (that no one, including Trend Micro, Microsoft and Symantec, has been able to crack) and it has also downloaded Spyware Remover 2009, which is your average scareware.

            It's hard finding up to date information about it as the only articles I could find today were on your usual scaremongering sites borrowing information from the Trend Micro article and adding a little bullshit for good measure.

            Another article I'd read on an infosec site (I can't find the link now) said they monitored one compromised machine send out over 42k spam emails in a 12 hour period after it downloaded a Waledac-esque program.

            Anyone else read anything of interest?
            I haven't kept up on this as much as I've liked, but the P2P was known for a while... I think it was introduced in .B+ or whatever variant they called it. I think there was a good link from Kaminsky's blog; I think it's somewhere in this thread. I'd link it but the iPhone doesn't have copypasta yet.
            "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."


            • bascule
              omgpwnies!
              • Jul 2003
              • 1946

              #36
              Re: Conficker C

              Yes, the anticipated P2P behavior was known from the Conficker C variant whose analysis I quoted in the OP

              I'm kind of confused by Conficker E... according to the analysts I've seen it's been designed to remove itself on May 3rd, while leaving a backdoor open.

              I'm curious as to why they'd do that...
              45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
              45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
              [ redacted ]


              • g3k_
                General rogue
                • Jan 2009
                • 358

                #37
                Re: Conficker C

                Bascule, I had the same reaction to that article. I'm assuming you mean the one from CNET. We had a short discussion about it at work and we've come to the conclusion that the article was shit. It was very vague and unspecific, so I don't think they had any idea wtf is going on.
                "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."


                • streaker69
                  • Mar 2008
                  • 1141

                  #38
                  Re: Conficker C

                  I think this payload just goes to show that the people who wrote it, and wrote the others, aren't really interested in world conquest, but merely in making money off the stupid.
                  A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.


                  • artoir
                    "Every sperm is sacred"
                    • Dec 2008
                    • 54

                    #39
                    Re: Conficker C

                    Originally posted by streaker69
                    I think this payload just goes to show that the people who wrote it, and wrote the others, aren't really interested in world conquest, but merely in making money off the stupid.
                    I'd be inclined to agree, at least with their tactics so far. Scareware makes serious bucks amongst the likes of the elderly, those with minimal computer knowledge, etc. (today I spoke with my grandparents and they warned me against "a new virus that was taking over every computer and you had to add as much AV to your computer as you could to make it safe"; these are the sort of people that Conficker will make money off currently).

                    But as already stated, Conficker.E will delete itself come May 3rd, but still leave a backdoor open for its creators.

                    Most people I've talked to haven't even heard of Conficker or a "botnet" and are generally oblivious to this sort of cybercrime. Will they use the backdoor for further money-making schemes?

                    I still haven't heard what the encrypted .sys file has turned out to be despite the industry's "top experts" working on it.
                    This is a horrible font


                    • streaker69
                      • Mar 2008
                      • 1141

                      #40
                      Re: Conficker C

                      I am kind of disappointed in this though. I was kind of looking forward to interpocalypse, or maybe 1 billion telephones ringing at the same time.
                      A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.


                      • xor
                        not
                        • Aug 2007
                        • 1347

                        #41
                        Re: Conficker C

                        This is how I see the whole Confucker C deal. Let's call them the Evil Black Hat Group (EBHG). Here I am, a member of EBHG, and I/we spend most of our waking hours writing code, surfing, researching, etc. and associated computer stuff. Do I/we, in some adolescent blaze of glory, shut down the internet? Then what...? Read a book, watch TV, go outside into the sun and climb mountains? I don't think so. These people are more dependent on the internet than we are. I/we would be destroying the very thing that gives us purpose in life. It's the threat of force that keeps the wheels turning; use it and it's over, Johnny. These folks are smart enough to know that if you shut down 65 million computers and cause untold virtual damage, the powers that be WILL find you.

                        I agree this is less about world domination and more about money. Hurting the internet hurts everyone, not just the US. Hurting the internet (telephony, computers, etc.) hurts terrorist organizations as well; even more so. Without the internet they lack command and control structure; they lack the ability to organize and communicate. More importantly, they lack the ability to make money.

                        xor
                        Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.


                        • artoir
                          "Every sperm is sacred"
                          • Dec 2008
                          • 54

                          #42
                          Re: Conficker C

                          I don't think at this stage anyone is disputing it's about money, and you raise great points there.

                          I think the question is: how will they use their botnet to make money?
                          This is a horrible font


                          • streaker69
                            • Mar 2008
                            • 1141

                            #43
                            Re: Conficker C

                            Originally posted by artoir
                            I don't think at this stage anyone is disputing it's about money, and you raise great points there.

                            I think the question is: how will they use their botnet to make money?
                            Penis Pills
                            Cheap Pharmaceuticals
                            Renting the botnet to other criminals

                            Someone on the forums here had posted a link on how spam makes money. It's probably all tied together.
                            A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.


                            • g3k_
                              General rogue
                              • Jan 2009
                              • 358

                              #44
                              Re: Conficker C

                              Originally posted by artoir
                              I don't think at this stage anyone is disputing it's about money, and you raise great points there.

                              I think the question is: how will they use their botnet to make money?
                              Spam, for one. The bot farmers can also lease out the botnet for DDoS attacks. A quick Google search brings me to the Storm botnet entry, but beyond what we've said they just say "other malicious things" :3

                              Bascule, disregard what I said; apparently a few other people have said the same thing, including MS on a random blog post they made. Nobody BIG has said "yes, .E is official and yes, it deletes itself." I find it odd as well. I'm going to look into it on Monday....
                              "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."


                              • [Syntax]
                                DC210 POC / GeoChallenge
                                • Jul 2003
                                • 579

                                #45
                                Re: Conficker C

                                Well, I happened upon a network the day it became active (the 8th, I think) and discovered 18 machines all scanning each other, the switch struggling and the buffer on the router to the outside full up. I was called out for "slow internet"; the ISP told me they saw tons of traffic going to China, Mexico, and Middle East countries. They traced one connection down to a machine at a pharmaceutical company in New Jersey. The ISP commented on about 1200 UDP connections in less than 2 seconds as he was watching the traffic scroll past him.

                                So... now I'm left with the task of cleaning all 18 machines, on a domain, where the virus has stolen all the domain accounts and has admin to local machine and domain accounts, and I have to clean them all while not disabling the entire company from doing business.
                                I'm sure all their thumb drives are infected, the employees with laptops took it home to their home PCs, and who knows what else. Should be a fun week tackling this job...

                                Interesting though, one article I read said the new C/D variant has a shutoff date of May something.

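The symptoms [Syntax] describes (LAN hosts scanning each other, and one host opening on the order of 1200 UDP connections in under 2 seconds) are the kind of thing a defender can pull out of flow logs. The following is an added example, not code from the thread: it takes constructed (src, dst, proto, timestamp) flow records, flags hosts whose UDP flow rate inside a 2-second window exceeds an assumed threshold, and then lists flagged hosts that probed each other. The record format, host addresses and threshold are assumptions for the example, not values from the post.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 2.0      # burst window taken from the "less than 2 seconds" observation
BURST_THRESHOLD = 500     # assumed cut-off; tune to what is normal on your network


def build_sample_flows():
    """Constructed flow records (src, dst, proto, ts_seconds); not a real capture.
    Two LAN hosts burst UDP to many outside peers and to each other; a third host
    only does a handful of DNS lookups spread over a minute."""
    flows = []
    for i in range(800):  # 800 UDP flows per infected host in about 1.6 seconds
        ts = 100.0 + i * 0.002
        flows.append(("10.0.0.11", "10.0.0.12" if i % 50 == 0 else f"203.0.113.{i % 250}", "udp", ts))
        flows.append(("10.0.0.12", "10.0.0.11" if i % 50 == 0 else f"198.51.100.{i % 250}", "udp", ts))
    for i in range(5):  # a normal host: sparse DNS queries to the local resolver
        flows.append(("10.0.0.20", "10.0.0.2", "udp", 100.0 + i * 12))
    return flows


def find_udp_bursts(flows, window=WINDOW_SECONDS, threshold=BURST_THRESHOLD):
    """Return {src: peak_count} for every source whose UDP flow count inside any
    sliding window of `window` seconds reaches `threshold`."""
    by_src = defaultdict(list)
    for src, _dst, proto, ts in flows:
        if proto == "udp":
            by_src[src].append(ts)
    peaks = {}
    for src, times in by_src.items():
        times.sort()
        recent = deque()
        peak = 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:   # drop timestamps that fell out of the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            peaks[src] = peak
    return peaks


def mutual_scanners(flows, suspects):
    """Sorted pairs of suspect hosts that each sent UDP to the other, which is the
    'machines all scanning each other' pattern rather than a single noisy host."""
    edges = {(s, d) for s, d, p, _ in flows if p == "udp" and s in suspects and d in suspects}
    return sorted({tuple(sorted((s, d))) for s, d in edges if (d, s) in edges})


if __name__ == "__main__":
    sample = build_sample_flows()
    bursts = find_udp_bursts(sample)
    print("bursting hosts:", bursts)
    print("hosts probing each other:", mutual_scanners(sample, set(bursts)))
```

On the constructed data the two bursting hosts are reported and the normal host is not; in practice the threshold needs a baseline from your own flow exporter before it is used as an alert.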
