
Conficker worm aka skynet

Page 3
Originally posted by: Raduque
Anybody got a link to a legitimate tool that lets you know if a computer is infected with conficker?

IIRC just trying to go to the sites listed in many of the articles is enough, as it blocks access to them.
 
Originally posted by: Raduque
Anybody got a link to a legitimate tool that lets you know if a computer is infected with conficker?

http://iv.cs.uni-bonn.de/wg/cs.../containing-conficker/

These are command-line programs.
Start with the memory disinfector:
http://iv.cs.uni-bonn.de/uploa...nficker_mem_killer.exe

C:\>conficker_mem_killer

----------------------------------
Conficker Memory Disinfector
----------------------------------
Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de
----------------------------------

Examining [0] [System Process]: Error [1300] SetPrivilege: Not all privileges or groups referenced are assigned to the caller.

no match
Examining [4] System: Error [1300] SetPrivilege: Not all privileges or groups referenced are assigned to the caller.

no match
Examining [360] smss.exe: Error [1300] SetPrivilege: Not all privileges or groups referenced are assigned to the caller.

no match
Examining [504] csrss.exe: Error [1300] SetPrivilege: Not all privileges or groups referenced are assigned to the caller.

no match
Examining [564] wininit.exe: Error [1300] SetPrivilege: Not all privileges or groups referenced are assigned to the caller.

Then the file and registry detector:
http://iv.cs.uni-bonn.de/uploads/media/regnfile_01.exe


C:\>regnfile_01

----------------------------------
Conficker File and Registry Checker
----------------------------------

Felix Leder, Tillmann Werner 2009
{leder, werner}@cs.uni-bonn.de

----------------------------------
On this computer Conficker will be installed in...

Conficker.A...
DLL: unknown (random)

Conficker.B...
DLL: C:\Windows\system32\xlreyirz.dll...clean (non existent)
Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\agjjvf
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\agjjvf

Conficker.C...
DLL: C:\Windows\system32\mvfhnl.dll...clean (non existent)
Registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\enppfensf
Registry key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\enppfensf

C:\>

It makes up the DLL name based on the PC name, so the DLL name from one PC will not match the DLL name of another.
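The checker output in this post is the tool's prediction of where the B and C variants would drop their DLL and Run values on that particular machine; because the names are derived from the computer name, the xlreyirz/agjjvf and mvfhnl/enppfensf pairs mean nothing on any other PC. Two practitioner notes before trusting the results. First, Win32 error 1300 (ERROR_NOT_ALL_ASSIGNED) from SetPrivilege in the memory-disinfector run means the tool could not enable SeDebugPrivilege in its token, which is what you typically get from a non-elevated prompt on Vista (wininit.exe in the process list says this is Vista or later); without that privilege it cannot open system processes, so the "no match" lines for them are not meaningful. Re-run it from an elevated command prompt. Second, the file/registry check is easy to script around so it can be repeated on many machines. The following is an added example in Python, not part of the post and not the Bonn tools' own code: it parses the regnfile_01 report (the sample text is the output pasted above) and probes each predicted location, with the probes injectable so the logic runs on any OS.

```python
"""Parse regnfile_01 output and probe the predicted Conficker artifacts.

Added example, not the Bonn tool's own code. SAMPLE_OUTPUT is the text
pasted in the post above; the real checker derives these names from the
computer name, so they only apply to the PC that produced them.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, Dict, List

SAMPLE_OUTPUT = """\
On this computer Conficker will be installed in...

Conficker.A...
DLL: unknown (random)

Conficker.B...
DLL: C:\\Windows\\system32\\xlreyirz.dll...clean (non existent)
Registry key: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\agjjvf
Registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\agjjvf

Conficker.C...
DLL: C:\\Windows\\system32\\mvfhnl.dll...clean (non existent)
Registry key: HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\enppfensf
Registry key: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\enppfensf
"""


@dataclass
class Artifact:
    variant: str   # e.g. "Conficker.B"
    kind: str      # "dll" or "regkey"
    location: str  # file path, or "HIVE\\Sub\\Key\\ValueName"


VARIANT_RE = re.compile(r"^(Conficker\.[A-Z])\.\.\.$")
DLL_RE = re.compile(r"^DLL:\s+(\S+?\.dll)")       # skips "unknown (random)" for .A
KEY_RE = re.compile(r"^Registry key:\s+(\S+)$")


def parse_checker_output(text: str) -> List[Artifact]:
    """Turn the tool's report into a list of concrete things to look for."""
    artifacts: List[Artifact] = []
    variant = None
    for line in text.splitlines():
        line = line.strip()
        if m := VARIANT_RE.match(line):
            variant = m.group(1)
        elif variant and (m := DLL_RE.match(line)):
            artifacts.append(Artifact(variant, "dll", m.group(1)))
        elif variant and (m := KEY_RE.match(line)):
            artifacts.append(Artifact(variant, "regkey", m.group(1)))
    return artifacts


def file_exists(path: str) -> bool:
    return os.path.isfile(path)


def run_value_exists(key: str) -> bool:
    """Probe an HKLM/HKCU ...\\Run\\<name> value. Needs winreg (Windows);
    elsewhere it reports False so the script still runs."""
    try:
        import winreg
    except ImportError:
        return False
    hive_name, _, rest = key.partition("\\")
    subkey, _, value_name = rest.rpartition("\\")
    hives = {"HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE,
             "HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER}
    try:
        with winreg.OpenKey(hives[hive_name], subkey) as k:
            winreg.QueryValueEx(k, value_name)
        return True
    except (OSError, KeyError):
        return False


def check_artifacts(artifacts: List[Artifact],
                    file_probe: Callable[[str], bool] = file_exists,
                    key_probe: Callable[[str], bool] = run_value_exists,
                    ) -> Dict[str, bool]:
    """Map each location to whether it is present. Probes are injectable so
    the logic can be exercised (or unit-tested) off a Windows box."""
    return {a.location: (file_probe if a.kind == "dll" else key_probe)(a.location)
            for a in artifacts}


def infected_variants(artifacts: List[Artifact], results: Dict[str, bool]) -> List[str]:
    """Variants for which at least one predicted artifact exists."""
    return sorted({a.variant for a in artifacts if results.get(a.location)})


if __name__ == "__main__":
    arts = parse_checker_output(SAMPLE_OUTPUT)
    found = check_artifacts(arts)
    for a in arts:
        state = "PRESENT" if found[a.location] else "absent"
        print(f"{a.variant:12} {a.kind:6} {a.location}: {state}")
    print("suspect variants:", infected_variants(arts, found) or "none")
```

On a real machine, run regnfile_01 there, feed its output to `parse_checker_output`, and use the default probes; a present DLL or Run value for B or C is a hit, while an absent one is only as good as the tool's name derivation for that computer name. The .A variant is reported as "unknown (random)" and is deliberately not checked here.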
 
Originally posted by: Imp
My AV is up to date, but thanks to all the hype, I will update my Windows for once.

Mine was too, but Conficker has hidden in my antivirus process. I ran those cleaner programs, but who knows. I really need to find my Vista disc and reinstall anyways, perhaps now is the time.

Edit - And apparently in windows defender too.
 
Originally posted by: ViRGE
Originally posted by: Joemonkey
Our security team is going crazy over this thing... be interesting to see what happens
Why? There have been plenty of botnet worms before that do the exact same thing. Why is everyone in such a tizzy over this one?

I've been through Code Red, Nimda, Slammer, etc. None of them have spread as fast or been as destructive as this thing, especially in a domain-driven environment. Its replication method is pretty brutal, and we've seen infections jump to several hundred in just an hour or so. I don't know if it's a primary intent or just a nice bonus perk that it can completely debilitate domain controllers.

What makes this one different is that if you have shared domain accounts, if one machine gets compromised with access to that account, it can infect others even if they are patched and have antivirus.
 
Originally posted by: vi edit
Originally posted by: ViRGE
Originally posted by: Joemonkey
Our security team is going crazy over this thing... be interesting to see what happens
Why? There have been plenty of botnet worms before that do the exact same thing. Why is everyone in such a tizzy over this one?

I've been through Code Red, Nimda, Slammer, etc. None of them have spread as fast or been as destructive as this thing.

Read the paper they just released on it :
http://www.honeynet.org/files/KYE-Conficker.pdf


It tells how it does what it does. I hate to say it, but it is a work of art.
 
So why can't they monitor what it's checking for timesync and then forge the responses to set off the thing and find out where it will pull new instructions from? Then just DDoS that site.
 
Originally posted by: Gunbuster
So why can't they monitor what it's checking for timesync and then forge the responses to set off the thing and find out where it will pull new instructions from? Then just DDoS that site.


It uses some 50,000 sites and creates hundreds more randomly on a daily basis. Time is pulled from websites like Google, Yahoo and Facebook via the normal browsing experience. Blocking major sites like that would be impractical. That is why the creator(s) probably chose that method.

It is also using RSA encryption to protect its code and SSL to protect the data it sends/receives.
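The mechanism described in this reply (a date taken from ordinary web servers' clocks, a fresh batch of rendezvous domains every day, and code that is protected with RSA) is why forging a time response and knocking out one site gets a defender nowhere. What the reply leaves implicit is the flip side: a generator whose only inputs are the calendar date and a constant baked into the binary is just as reproducible for whoever recovers the algorithm from the binary as it is for the bot, so the realistic defence is to enumerate the list ahead of time and block, pre-register or sinkhole it. The following is an added illustration in Python, not Conficker's real generator, domain count or TLD list (the constants are assumed placeholders); the HTTP response it reads the date from is a constructed sample.

```python
"""Toy date-seeded domain generator (DGA) and the defender's view of it.

Added example; NOT Conficker's algorithm. TLDS, DOMAINS_PER_DAY and KEY are
assumed placeholders. SAMPLE_RESPONSE is a constructed HTTP response; only
its Date header is used.
"""
import hashlib
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import List, Set

SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Date: Wed, 01 Apr 2009 12:34:56 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "\r\n"
)

TLDS = ["com", "net", "org", "info", "biz"]  # assumed
DOMAINS_PER_DAY = 250                         # assumed
KEY = b"variant-constant"                     # assumed stand-in for a baked-in constant


def date_from_http_response(raw: str) -> datetime:
    """Bot-side clock: trust the remote server's Date header rather than the
    local clock, which an admin on the infected box could wind back."""
    head = raw.split("\r\n\r\n", 1)[0]
    for line in head.split("\r\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "date":
            return parsedate_to_datetime(value.strip()).astimezone(timezone.utc)
    raise ValueError("response has no Date header")


def daily_domains(day: datetime, count: int = DOMAINS_PER_DAY, key: bytes = KEY) -> List[str]:
    """Deterministic, duplicate-free list for one UTC calendar day.
    Same (day, key) -> same list, on the bot and on the analyst's machine."""
    seed = key + day.strftime("%Y-%m-%d").encode()
    out: List[str] = []
    seen: Set[str] = set()
    i = 0
    while len(out) < count:
        digest = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
        length = 5 + digest[0] % 6                                  # 5..10 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domain = f"{label}.{TLDS[digest[11] % len(TLDS)]}"
        if domain not in seen:                                      # guarantees distinct names
            seen.add(domain)
            out.append(domain)
    return out


def bot_rendezvous_list(raw_response: str, **kw) -> List[str]:
    """What the bot would try today, given the time it just observed."""
    return daily_domains(date_from_http_response(raw_response), **kw)


def defender_blocklist(start: datetime, days: int, **kw) -> Set[str]:
    """Defender side: with the algorithm and constant recovered from the
    binary, enumerate the next `days` of domains for DNS blocking or sinkholing."""
    block: Set[str] = set()
    for d in range(days):
        block.update(daily_domains(start + timedelta(days=d), **kw))
    return block


if __name__ == "__main__":
    today = bot_rendezvous_list(SAMPLE_RESPONSE, count=10)
    print("bot would try:", today)
    week = defender_blocklist(date_from_http_response(SAMPLE_RESPONSE), 7, count=10)
    print(f"defender pre-computed {len(week)} names; today's list covered:", set(today) <= week)
```

Two things the toy makes visible. The date source is any HTTP server's Date header, so "monitor the timesync" means watching every web request the host makes, not one NTP flow. And the list is only as secret as the constant in the binary: once that is out, the defender's cost is registering or blocking a few hundred names per day, not guessing. The toy omits the other half the reply mentions, the RSA protection of the code: a payload fetched from one of these names would still have to pass that check, which is what keeps a seized domain from being used to push a clean-up binary to the bots.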
 
I thought Skynet was a counter to another virus? Meaning if this thing goes crazy the govt is supposed to unleash Skynet which then decides the best way to fix the problem is start a nuclear war.
 
Originally posted by: TallBill
Originally posted by: Imp
My AV is up to date, but thanks to all the hype, I will update my Windows for once.

Mine was too, but Conficker has hidden in my antivirus process. I ran those cleaner programs, but who knows. I really need to find my Vista disc and reinstall anyways, perhaps now is the time.

Edit - And apparently in windows defender too.

What the hell...

Damnit, wasn't going to pay much of any attention to this. Now I've gotta get out the paranoid hat.
 
Originally posted by: nobody554
Originally posted by: amdhunter
I want in on this...anyone know where I can get infected? I have a VM I can use to play with this.

Ditto that. I wanna see what happens.

Since version .B, Conficker has included virtual machine detection capabilities. It evaluates the result of the SLDT instruction to determine whether it runs in a virtual environment.


You could install an OS on a separate HD though.
 
Originally posted by: Imp
Originally posted by: TallBill
Originally posted by: Imp
My AV is up to date, but thanks to all the hype, I will update my Windows for once.

Mine was too, but Conficker has hidden in my antivirus process. I ran those cleaner programs, but who knows. I really need to find my Vista disc and reinstall anyways, perhaps now is the time.

Edit - And apparently in windows defender too.

What the hell...

Damnit, wasn't going to pay much of any attention to this. Now I've gotta get out the paranoid hat.

Yeah, it hides itself inside other processes, so you can pull up Task Manager or Process Explorer and it will not show itself. You will just see the normal svchost.exe or av.exe.

I also read that you can have all the OS patches installed and, while it cannot affect your machine, it still attempts to copy itself to other PCs on the network and via USB drives.


Personally I think all we will see April 1st is Conficker downloading an improved version of itself. It has already gone through A, B, C, so I guess the creator(s) are learning from each version; probably D tomorrow.
 
Can't wait until tomorrow. Just hope I'm a survivor cause I have nothing backed up. Keep telling myself to, maybe now's the time.
 
From here.

Your first step should be the tools you already have: Windows Update, to make sure your computer is fully patched, and your current antivirus software, to make sure anything that slips through the cracks is caught.

But if Conficker's already on your machine, it may bypass certain subsystems and updating Windows and your antivirus at this point may not work. If you are worried about anything being amiss -- try booting into Safe Mode, which Conficker prevents, to check -- you should run a specialized tool to get rid of Conficker.
 