Warning: Conficker worm infections gaining traction

We're seeing quite a large number of Conficker worm infections since the start of the New Year and specially since the Conficker.C variant appeared on December 31. It seems that the return to work after the Christmas break has kick-started Conficker again. Daniel Nyström, our Tech Support front man in Sweden, already noticed an increase in infections a few days ago.

As you may recall Conficker is a worm that spreads via networks and USB drives. It attempts to brute force usernames and passwords and takes advantage of Server Service vulnerability in Windows which allows for remote code execution. The worm also auto-updates itself every day from a long list of URLs so it looks like its preparing for a larger attack.

Checking again the SANS activity by port it's obvious this is something you need to worry about:

As posted about a month and a half ago, TruPrevent prevents Conficker worm network infections proactively thanks to a new Policy Rule we pushed out to all our retail products. In addition we've added signature detection for all Conficker variants. I'll post details on manually creating and pushing out TruPrevent Policy Rules on corporate networks as soon as possible.

As a curiosity I was travelling the other day and while connected to the WiFi network of a German airport I noticed the following Conficker worm variant trying to brute force its way into my machine:

 

 

The Conficker worm means business so be careful out there. Some preventive steps you should be following if you haven't done so already:

  • If you're responsible for a network, scan for vulnerable machines (using Baseline Analyzer, Nessus, etc.).
  • Patch your servers and workstations by visiting Microsoft Security Bulletin MS08-067.
  • Disinfect infected machines using Malware Radar on networks or ActiveScan for stand-alone PCs.
  • Turn off AutoRun feature for USB drives on your machines (and ask your Microsoft representative for a global solution to AutoRun).
  • Make sure your antivirus and security solution is up-to-date on the latest version and signature database.

Related News

13 Responses

Leave a Reply
  1. Pedro Bustamante
    Jan 13, 2009 - 05:11 PM

    In some cases we have detected that its impossible to open security sites ( microsoft ) to install the patch so will be needed to stop the DNS client service…. and then acced to the patch MS08-067 and install it..

    Reply
  2. Pedro Bustamante
    Jan 13, 2009 - 05:53 PM

    Correct Alvaro, among other side effects it prevents access to certain security sites as well as is able to download any new code and execute it from a large list of URLs which changes every day. This could be a preparation for a larger attack. Some estimates from our colleagues at F-Secure already say that there are over 2 million infected IPs (one corporate firewall/proxy IP could mean hundreds or thousands of infected machines).

    Reply
  3. Extremesecurity
    Jan 22, 2009 - 11:59 PM

    Did Downadup/conficker attack your network? I’ve created a batch file for system administrators to clean/patch/cure infected systems in their networks.

    check it out here:

    http://extremesecurity.blogspot.com/2009/01/beat-downadupconficker-like-pro-my.html

    Reply
  4. Pedro Bustamante
    Jan 25, 2009 - 02:14 AM

    What is the cool program that did the trace of ip addresses?

    Reply
  5. Pedro Bustamante
    Jan 26, 2009 - 09:11 AM

    Thanks for the link Aa’ed.

    John, I imagine you’re referring to the picture on the post. It’s Wireshark network sniffer.

    Reply
  6. Pedro Bustamante
    Jan 27, 2009 - 02:05 PM

    Hi!I have a Panda GPPromo 09 edition and I have the Error updating 12007 msg when I try to maually update.It means I’m infected with this Conficker?And sometimes when my Panda is updat/ed/ing (in 06,07,08 editions Panda IS ) the update normally broke my current downloads.Or when I play online during update…my game turns into Matrix slow motion.

    Reply
  7. Pedro Bustamante
    Mar 30, 2009 - 04:45 PM

    Part of the reason for this widespread attack are poorly configured Windows PCs running out there. The other reason are loopholes in Windows for allowing the exploits to work. Personally, I migrated over to Fedora 10 Linux and I couldn’t be happier. Now I don’t have to worry about all of these virus attacks, frequent maintenance and rebooting, and many other reasons.

    http://members.apex-internet.com/sa/windowslinux

    Reply
  8. coffee fiend
    Apr 01, 2009 - 05:14 AM

    ironically, even if someone used Conficker to steal my credit card info, there wouldn’t be any credit there for them to exploit or spend

    Reply
  9. Pedro Bustamante
    Apr 01, 2009 - 06:23 PM

    Would Conficker disable security sites on some computers, but not others? I ran a removal utility yesterday, and was able to download it from Symantec fine, as well as get to Microsoft’s website, but, upon restarting my computer according to the utility’s instructions, I couldn’t log in because I kept getting logged out by what I think might be Conficker.

    I started the utility at 15:38 -8GMT, restarted at 17:00 -8GMT.

    Reply
  10. Pedro Bustamante
    Apr 01, 2009 - 06:30 PM

    i want to know more about how to spread this worm? can anyone tell me how to infect others?

    Reply
  11. Pedro Bustamante
    Apr 09, 2009 - 12:01 AM

    @virus,

    please fill out your full name and contact information at https://tips.fbi.gov and tell them about your plans to infect other people with viruses. I’m sure they’ll be interested in what you have to say.

    Reply
  12. Computer Support
    Sep 14, 2009 - 08:50 AM

    I’m trying to make sure this network (10k+) is safe from Conflicker. i cannot find the processes for this thing, and I’m trying to find a way to use SMS to find all the infections on the network, and another to find all the ones that are patched against it. anyone have a process list for Conflicker?

    Reply
  13. Pedro Bustamante
    Sep 15, 2009 - 09:51 AM

    @ComputerSupport, what you’re asking for is not really easy as Conficker creates system, read-only DLL files in Windows system directory with random names. It also creates .VMX files in the RECYCLERrandom_name of all the shared and removable drives and modifies autorun.inf to make sure it is executed automatically (as well as a scheduled task).
    The best thing you can do is to make sure all the endpoints are patched with MS08-067.
    Alternatively use Panda USB Vaccine which can be deployed to multiple endpoints via login script or SMS to disable autorun on the machines and vaccinate USB drives.
    More info on Conficker.C at
    http://www.pandasecurity.com/homeusers/security-info/204292/information/Conficker.C

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

COPYRIGHT 2014 PANDA SECURITY