Conficker C

  • barry99705
    Member
    • Sep 2007
    • 302

    #46
    Re: Conficker C

    Originally posted by [Syntax]
    Well I happened upon a network the day it became active.. the 8th I think, and discovered 18 machines all scanning each other, the switch struggling and the buffer on the router to the outside full up. I was called out for "slow internet"; the ISP told me they saw tons of traffic going to China, Mexico, and Middle East countries. They traced one connection down to a machine at a pharmaceutical company in New Jersey. The ISP commented about 1200 UDP connections in less than 2 seconds as he was watching the traffic scroll past him.

    So.. now I'm left with the task of cleaning all 18 machines, on a domain, where the virus has stolen all the domain accounts and has admin to local machine and domain accounts, and I have to clean them all while not disabling the entire company from doing business.
    I'm sure all their thumb drives are infected, the employees with laptops took it home to their home PCs, and who knows what else. Should be a fun week tackling this job..

    Interesting though, one article I read said the new C/D variant has a shutoff date of May something.
    Been there, done that. It's loads of fun. Nice thing is corporate (who's in Europe) turned off our VPN and shut down the outside connection to the world. We then went in and unplugged all the machines from the routers. Took all day to scan and clean about forty machines.


    • g3k_
      General rogue
      • Jan 2009
      • 358

      #47
      Re: Conficker C

      Originally posted by [Syntax]
      Well I happened upon a network the day it became active.. the 8th I think, and discovered 18 machines all scanning each other, the switch struggling and the buffer on the router to the outside full up. I was called out for "slow internet"; the ISP told me they saw tons of traffic going to China, Mexico, and Middle East countries. They traced one connection down to a machine at a pharmaceutical company in New Jersey. The ISP commented about 1200 UDP connections in less than 2 seconds as he was watching the traffic scroll past him.

      So.. now I'm left with the task of cleaning all 18 machines, on a domain, where the virus has stolen all the domain accounts and has admin to local machine and domain accounts, and I have to clean them all while not disabling the entire company from doing business.
      I'm sure all their thumb drives are infected, the employees with laptops took it home to their home PCs, and who knows what else. Should be a fun week tackling this job..

      Interesting though, one article I read said the new C/D variant has a shutoff date of May something.
      Check out the link in my signature. That should help you out.
      "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."


      • g3k_
        General rogue
        • Jan 2009
        • 358

        #48
        Re: Conficker C

        Interestingly enough, it seems that Conficker now downloads blackmailware and spams the user's PC for $49.95 for an anti-virus suite :P

        While this is playground stuff, I find it kind of amusing.

        http://arstechnica.com/security/news...tion-alert.ars
        "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."


        • bascule
          omgpwnies!
          • Jul 2003
          • 1946

          #49
          Re: Conficker C

          Originally posted by streaker69
          I am kind of disappointed in this though. I was kind of looking forward to interpocalypse, or maybe 1 billion telephones ringing at the same time.
          Or a DDoS against the root nameservers, which could effectively shut down the Internet itself.
          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
          45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
          [ redacted ]


          • streaker69
            • Mar 2008
            • 1141

            #50
            Re: Conficker C

            Originally posted by bascule
            Or a DDoS against the root nameservers, which could effectively shut down the Internet itself.
            Good thing I memorized the top 100,000,000 million IP addresses of websites so I don't have to use DNS. :)
            A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.


            • barry99705
              Member
              • Sep 2007
              • 302

              #51
              Re: Conficker C

              heh, wasn't reading....


              • bascule
                omgpwnies!
                • Jul 2003
                • 1946

                #52
                Re: Conficker C

                It would appear that Conficker is being used to distribute spam and malware.
                45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                [ redacted ]


                • valkyrie
                  Member
                  • Jan 2006
                  • 360

                  #53
                  Re: Conficker C

                  Originally posted by bascule
                  this surprised you, how?

                  Regards,

                  valkyrie
                  ___________________________________________
                  sapere aude


                  • bascule
                    omgpwnies!
                    • Jul 2003
                    • 1946

                    #54
                    Re: Conficker C

                    Originally posted by valkyrie
                    this surprised you, how?
                    It doesn't surprise me, and it's certainly what I expected. It's pretty much the only way to monetize a botnet.

                    I think it's interesting they're using Conficker to plug infected hosts into existing botnets. I haven't seen that before.
                    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                    [ redacted ]


                    • valkyrie
                      Member
                      • Jan 2006
                      • 360

                      #55
                      Re: Conficker C

                      Originally posted by bascule
                      It doesn't surprise me, and it's certainly what I expected. It's pretty much the only way to monetize a botnet.

                      I think it's interesting they're using Conficker to plug infected hosts into existing botnets. I haven't seen that before.
                      As you noted, they have found a way to increase monetization of the botnets. I agree that using an infection to further zombize infected hosts is indeed interesting.

                      Regards,

                      valkyrie
                      ___________________________________________
                      sapere aude


                      • YenTheFirst
                        Member
                        • Aug 2008
                        • 282

                        #56
                        Re: Conficker C

                        I've got a somewhat interesting query:
                        I decided to look at some decompiles of the MS08-067 vulnerability, the one Conficker uses.
                        One such decompile: http://www.phreedom.org/blog/2008/decompiling-ms08-067/

                        What mystifies me, though, is that this code doesn't crash in the spot it's 'supposed' to.
                        When I run it, it doesn't even get to the bit where the pointer walks back before the beginning of the buffer; it crashes on:
                        Code:
                        wcscpy(previous_slash, &p[2]);
                        What I find odd about this is that, according to the C specification, you can't use wcscpy (or strcpy) on overlapping buffers, and both previous_slash and p are pointers to the same buffer.

                        Does Windows implement wcscpy differently?
                        It's not stupid, it's advanced.
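The overlap question raised in the post above, as an added example that is neither the decompile's code nor the poster's: copying between two pointers into the same buffer is undefined for wcscpy but defined for wmemmove, and the walk back to the previous separator is bounded by the start of the buffer rather than running past it. The function names, the backslash-path rule and the sample paths are assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <wchar.h>

/* True when [dst, dst+n) and [src, src+n) share storage; comparing as integers
 * keeps this defined even for pointers into different objects. */
bool wide_ranges_overlap(const wchar_t *dst, const wchar_t *src, size_t n)
{
    uintptr_t d = (uintptr_t)dst, s = (uintptr_t)src, len = n * sizeof(wchar_t);
    return d < s + len && s < d + len;
}

/* wcscpy is undefined on overlapping regions; wmemmove is defined for them.
 * Returns the number of characters copied, excluding the terminator. */
size_t wcscpy_overlap_safe(wchar_t *dst, const wchar_t *src)
{
    size_t n = wcslen(src) + 1;                 /* include the terminator */
    if (wide_ranges_overlap(dst, src, n))
        wmemmove(dst, src, n);
    else
        wmemcpy(dst, src, n);
    return n - 1;
}

/* Collapse the first "\..\" of a backslash path in place ("\a\b\..\c" -> "\a\c").
 * Returns 1 if removed, 0 if none present, -1 if no earlier separator exists. */
int collapse_first_dotdot(wchar_t *path)
{
    wchar_t *dotdot = wcsstr(path, L"\\..\\");
    if (dotdot == NULL)
        return 0;
    wchar_t *prev = dotdot;                     /* walk back, never past path */
    while (prev > path && *--prev != L'\\')
        ;
    if (prev == dotdot || *prev != L'\\')
        return -1;                              /* no earlier separator to pop */
    /* dotdot + 3 is the "\" after "..": same buffer as prev, so the copy overlaps */
    wcscpy_overlap_safe(prev, dotdot + 3);
    return 1;
}

/* Runs collapse_first_dotdot on a private copy of `in` and checks the outcome. */
bool collapse_matches(const wchar_t *in, int want_rc, const wchar_t *want)
{
    wchar_t buf[64];
    if (wcslen(in) >= sizeof buf / sizeof buf[0])
        return false;
    wcscpy(buf, in);                            /* distinct objects: no overlap */
    return collapse_first_dotdot(buf) == want_rc && wcscmp(buf, want) == 0;
}
```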


                        • barry99705
                          Member
                          • Sep 2007
                          • 302

                          #57
                          Re: Conficker C

                          Originally posted by YenTheFirst

                          Does Windows implement wcscpy differently?
                          Beats me, but when doesn't windows implement something differently?


                          • b0n3z
                            Goon
                            • Mar 2009
                            • 137

                            #58
                            Re: Conficker C

                            And it still hasn't died...

                            linky
                            Saving the world one computer at a time...

                            or possibly destroying, I haven't figured that out yet.
