Wednesday, April 1, 2009

Conficker tracking - all's quiet, so far

April 1, 6:35 a.m. PDT: McAfee says its Avert Labs is seeing Conficker-infected hosts attempting to call their "master" to get instructions, but those calls are not getting through. "This could be deliberate and the infected hosts may try again later, perhaps over the weekend when people aren't watching as closely," McAfee spokesman Joris Evers says. Hear more on this podcast. And for more technical details on what the worm is doing, McAfee Avert Labs has an updated blog posting.

April 1, 3:27 a.m. PDT: At F-Secure, a Wednesday morning post says there's still nothing much to report, other than a few April Fools' jokes circulating on the Web:

So it's been April 1st for almost 18 hours now in New Zealand and it's the early hours of April 1st on the east coast of the United States. So what's going on? So far -- nothing. Infected computers are generating the list of 50,000 domains and are attempting to contact 500 of those like we've described earlier, but so far no update has been made available (by the bad guys).

March 31, 7:25 p.m. PDT: Trend Micro's Paul Ferguson reports that things seem quiet. "So far, there's been no significant activity," he said, adding that a Trend Micro researcher in the Philippines reported seeing the same amount of traffic on Wednesday as he had been seeing the past few days in Asia-Pacific.

March 31, 4:00 p.m. PDT: The Conficker worm is stirring on some infected computers in Asia where it's April 1, but so far the activity is very tame, security researchers say.

"We've seen activity in honeypot machines in Asia...They're generating the 50,000 list of (potential) domains to contact," said Paul Ferguson, an advanced threats researcher for Trend Micro.

See also: The 'no bull' guide to Conficker
Googling for Conficker clean-up information? Be careful
Are you ready for Conficker?
Researchers make Conficker breakthrough
CBS 60 Minutes covers Conficker, malware epidemic

The latest variant of the worm, Conficker.C, was set to activate on April 1, which for some of the infected machines will happen at local time and for others it will be GMT, depending on whether the machines are turned on and connected to the Internet, he said.

The process seems to be starting slowly, with infected machines starting to generate the list of domains and then picking one domain and trying to contact it and waiting before continuing on through 500 of those 50,000 domains, according to Ferguson.

The owners of the infected computers likely won't notice anything, unless they can't access the Web sites of security vendors and then they will know they are infected, he said. Trend Micro has figured out a way to unblock the computer from the sites that the worm has blocked using a Microsoft networking service, he said. More details are on the Trend Micro site.

"Nothing at this point; we're running updates every half hour or so," Dave Marcus, director of security research for McAfee Avert Labs, said when asked to report what he was seeing. "They're supposed to connect to one of a variety of Web sites and download a piece of code. What that code is supposed to do is up in the air."

IBM ISS's X-Force group also reported that things were quiet, at least for the moment, in Asia where most of the infections are. Nearly 45 percent are in Asia, followed by Europe at about 30 percent, 13.6 percent in South America and 5.8 percent in North America, according to the Frequency X blog.

IBM ISS also said it had found a way for ISPs to detect infected computers on a network by monitoring the peer-to-peer communications the worm makes between infected PCs.

Experts say the worm could be used to steal passwords or other sensitive data from infected computers, or turn them into a botnet that sends out spam.

The worm exploits a vulnerability in Windows that Microsoft patched in October and spreads through weakly protected network shares and via removable storage devices, like USB drives.

Conficker.C also shuts down security services, blocks computers from connecting to security Web sites, and downloads a Trojan. It reaches out to other infected computers via peer-to-peer networking, in addition to being programmed to reach out to 500 domains to receive updated copies or other malware instead of just 250 domains as earlier versions did.

This article was originally posted on CNET News.

  • Trend Micro offers security for messaging environments
  • Be Quiet! Dark Power Pro 650W
  • Zotac GeForce GTX 260 AMP²! (216) Edition
  • 0 comments: