HISTORY …
Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000,Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta . The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.
Although the origin of the name "conficker" is not known with certainty, Internet specialists and others have speculated that it is a German portmanteau fusing the term "configure" with "ficken", the German word for "fuck !!!". Microsoft analyst Joshua Phillips describes "conficker" as a rearrangement of portions of the domain name 'trafficconverter.biz'
Four main variants of the Conficker worm are known and have been dubbed Conficker A, B, C and D. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, and 4 March 2009, respectively.
SYMPTOMS …
- Account lockout policies being reset automatically.
- Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
- Domain controllers responding slowly to client requests.
- Unusual amounts of traffic on local area networks.
- Websites related to antivirus software becoming inaccessible.
EFFECTS …
Experts say it is the worst infection since 2003's SQL Slammer. Estimates of the number of computers infected range from almost 9 million PCs to 15 million computers.The initial rapid spread of the worm has been attributed to the number of Windows computers—estimated at 30%—which have yet to apply the Microsoft MS08-067 patch.
Another antivirus software vendor, Panda Security, reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.
Intramar, the French Navy computer network, was infected with Conficker in 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.
The U.K. Ministry of Defence reported that some of its major systems and desktops were infected. The worm has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.
On 13 February 2009, the Bundeswehr reported that about one hundred of their computers were infected.
A memo from the British Director of Parliamentary ICT informed the users of the House of Commons on 24 March 2009 that it had been infected with the worm. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorized equipment to the network.
IN NEWS !!!
As of 13 February 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.
On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by Conficker C over the next 12 months.[35]
On 31 March 2009 NASK, the Polish national registrar, locked over 150,000 .pl domains expected to be generated by Conficker C over the coming 5 weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack to legitimate domains which happen to be in the generated set.
Message , FROM United State Computer Emergency Readiness Team …
Conficker/Downadup worm, which can infect a Microsoft Windows system from a thumb drive, a network share, or directly across a corporate network, if the network servers are not patched with the MS08-067 patch from Microsoft.
Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The presence of a Conficker/Downadup infection may be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
http://www.mcafee.com
If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or unplugged from the Internet - in the case for home users.
Instructions, support and more information on how to manually remove a Conficker/Downadup infection from a system have been published by major security vendors. Please see below for a few of those sites. Each of these vendors offers free tools that can verify the presence of a Conficker/Downadup infection and remove the worm:
Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99
Microsoft:
http://support.microsoft.com/kb/962007
http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx
Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.
US-CERT encourages users to prevent a Conficker/Downadup infection by ensuring all systems have the MS08-067 patch (seehttp://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), disabling AutoRun functionality (see http://www.us-cert.gov/cas/techalerts/TA09-020A.html), and maintaining up-to-date anti-virus software.
currently this worm is set to get active at 1st April , 2009 ( TODAY !!! ) … and yet nobody knows what’s it upto 
Njoy …
0 comments:
Post a Comment