Interesting People mailing list archives
The Conficker Virus
From: David Farber <dave () farber net>
Date: Fri, 10 Apr 2009 13:49:02 -0400
Begin forwarded message:

From: Tobin Maginnis <ptm () pix cs olemiss edu>
Date: April 10, 2009 1:46:19 PM EDT
To: David Farber <dave () farber net>
Subject: The Conficker Virus

There has not been much mention of Conficker on this list, but if one reads the SRI reports and wants to be aware of Internet security - This is it!

http://mtc.sri.com/Conficker/
http://mtc.sri.com/Conficker/addendumC/

Excerpts -

... [Conficker version] C is, in fact, a robust and secure distribution utility for distributing malicious [or any type of] content and binaries to tens of millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker's authors are maintaining their current foothold on a large number of Internet-connected hosts. Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.

... [Conficker version] C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. [Conficker version] C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries.

Total hosts infected with Conficker A & B as of 19-Mar-09: 10,512,451

In the last few months this worm has relentlessly pushed all other infection agents out of the way, as Conficker A & B has infiltrated nearly every Windows 2K and XP honeypot that we have placed out on the Internet.

... regions with dense Conficker A & B populations also appear to correspond to areas where the use of unregistered (pirated) Windows releases is widespread, and the regular application of available security patches is rare.

... on 27 December 2008 we stumbled upon two highly suspicious connection attempts that might link us to the malware authors. Connection 1: 81.23.XX.XX - Kyivstar.net, Kiev, Ukraine and connection 2: 200.68.XX.XXX - Alternativagratis.com, Buenos Aires, Argentina

... we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker. Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.

========

Conficker Eye Chart

All six images displayed = Normal/Not Infected by Conficker (or using proxy)
Security/AV logos not displayed = Possibly Infected by Conficker (C variant or greater)
Some security/AV logos not displayed = Possibly Infected by Conficker B variant
Lower images don't appear (Tux, blowfish, devil) =
  1. Image loading turned off in browser?
  2. Verification images most likely being DDoSed (attacked by thousands of machines around the globe)
The important part is the top images -- do you see them?
Any other combination = Poor Internet connection?

http://rudd-o.com/en/linux-and-free-software/conficker-eye-chart-reloaded
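The SRI excerpt above says Conficker C draws its rendezvous points from more than 50,000 generated domain candidates per day spread over 110 TLDs. From the defender's side, the useful counterpart is that a host working through such a candidate list produces a burst of lookups for random-looking names, most of which are unregistered and come back NXDOMAIN. The script that follows is an added example written for this archive page; it is not code from SRI, from the list, or from the Eye Chart site. It assumes a simple resolver log format (epoch seconds, client IP, queried name, response code), uses constructed log lines, and the thresholds are illustrative rather than tuned.

```python
"""Flag clients whose DNS lookups look like daily DGA candidate probing.

Added example for the Conficker discussion; assumed log format, constructed data.
Signals used: NXDOMAIN volume per client, number of distinct TLDs among the
failed lookups, and character entropy of the second-level label.
"""
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real traffic). Assumed format, one query per line:
#   <epoch-seconds> <client-ip> <queried-name> <rcode>
# 10.0.0.5 models a normal host; 10.0.0.9 models a host walking a generated
# candidate list: short random-looking labels across many TLDs, mostly NXDOMAIN.
SAMPLE_LOG = """\
1239378000 10.0.0.5 www.example.com NOERROR
1239378001 10.0.0.5 mail.example.org NOERROR
1239378002 10.0.0.5 cdn.example.net NOERROR
1239378003 10.0.0.9 qxkzlmwp.info NXDOMAIN
1239378004 10.0.0.9 hjtrvbqzo.ws NXDOMAIN
1239378005 10.0.0.9 mvlxpzkqc.cc NXDOMAIN
1239378006 10.0.0.9 tbgnrwyfe.biz NXDOMAIN
1239378007 10.0.0.9 zpkdfhqwu.com NXDOMAIN
1239378008 10.0.0.9 wrcmjgtsv.org NXDOMAIN
1239378009 10.0.0.9 kfyqblnaj.net NOERROR
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_line(line):
    """Parse one assumed-format log line; return None for anything malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {"ts": int(ts), "client": client,
            "qname": qname.lower().rstrip("."), "rcode": rcode}


def split_name(qname):
    """Naive split into (second-level label, TLD); last label is taken as the TLD."""
    labels = qname.split(".")
    if len(labels) < 2:
        return qname, ""
    return labels[-2], labels[-1]


def shannon_entropy(s):
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not s:
        return 0.0
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def profile_clients(lines):
    """Per-client counts: total queries, NXDOMAIN answers, TLDs among NXDOMAINs, mean entropy."""
    acc = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "tlds": set(), "ent": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        sld, tld = split_name(rec["qname"])
        s = acc[rec["client"]]
        s["queries"] += 1
        s["ent"].append(shannon_entropy(sld))
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
            s["tlds"].add(tld)
    return {client: {"queries": s["queries"], "nxdomain": s["nxdomain"],
                     "nx_tlds": len(s["tlds"]),
                     "mean_entropy": sum(s["ent"]) / len(s["ent"])}
            for client, s in acc.items()}


def flag_dga_clients(lines, min_nxdomain=5, min_tlds=4, min_entropy=2.8):
    """Return clients exceeding all three illustrative thresholds, sorted by IP string."""
    flagged = []
    for client, p in profile_clients(lines).items():
        if (p["nxdomain"] >= min_nxdomain and p["nx_tlds"] >= min_tlds
                and p["mean_entropy"] >= min_entropy):
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for client, p in sorted(profile_clients(lines).items()):
        print(f"{client}: queries={p['queries']} nxdomain={p['nxdomain']} "
              f"nx_tlds={p['nx_tlds']} mean_entropy={p['mean_entropy']:.2f}")
    print("flagged:", flag_dga_clients(lines))
```

The three signals are deliberately combined: NXDOMAIN volume alone also catches typo-prone users and misconfigured software, and entropy alone mislabels CDN hostnames, but a single client failing many lookups for high-entropy labels spread over several TLDs in a short window matches the rendezvous behaviour the report describes and is worth a look.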