Interesting People mailing list archives

The Conficker Virus


From: David Farber <dave () farber net>
Date: Fri, 10 Apr 2009 13:49:02 -0400



Begin forwarded message:

From: Tobin Maginnis <ptm () pix cs olemiss edu>
Date: April 10, 2009 1:46:19 PM EDT
To: David Farber <dave () farber net>
Subject: The Conficker Virus

There has not been much mention of Conficker on this list, but if one reads the SRI reports and wants to be aware of Internet security - This is it!

http://mtc.sri.com/Conficker/
http://mtc.sri.com/Conficker/addendumC/

Excerpts -

... [Conficker version] C is, in fact, a robust and secure
distribution utility for distributing malicious [or any type of] content and binaries to tens of millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker's authors are
maintaining their current foothold on a large number of
Internet-connected hosts.  Further, if organized into a
coordinated offensive weapon, this multimillion-node botnet
poses a serious and dire threat to the Internet.

... [Conficker version] C now selects its rendezvous points
from a pool of over 50,000 randomly generated domain name
candidates each day. [Conficker version] C further increases
Conficker's top-level domain (TLD) spread from five TLDs in
Conficker A, to eight TLDs in B, to 110 TLDs that must now
be involved in coordination efforts to track and block C's
potential DNS queries.

Total hosts infected with Conficker A & B as of 19-Mar-09:
10,512,451

In the last few months this worm has relentlessly pushed all
other infection agents out of the way, as Conficker A & B
has infiltrated nearly every Windows 2K and XP honeypot that
we have placed out on the Internet.

... regions with dense Conficker A & B populations also
appear to correspond to areas where the use of unregistered
(pirated) Windows releases is widespread, and the regular
application of available security patches is rare.

... on 27 December 2008 we stumbled upon two highly
suspicious connection attempts that might link us to the
malware authors. Connection 1: 81.23.XX.XX - Kyivstar.net,
Kiev, Ukraine and connection 2: 200.68.XX.XXX -
Alternativagratis.com, Buenos Aires, Argentina

... we must also acknowledge the multiple skill sets that
are revealed within the evolving design and implementation
of Conficker.  Those responsible for this outbreak have
demonstrated Internet-wide programming skills, advanced
cryptographic skills, custom dual-layer code packing and
code obfuscation skills, and in-depth knowledge of Windows
internals and security products.  They are among the first
to introduce the Internet rendezvous point scheme, and have
now integrated a sophisticated P2P protocol that does not
require an embedded peer list.  They have continually seeded
the Internet with new MD5 variants, and have adapted their
code base to address the latest attempts to thwart
Conficker.   They have infiltrated government sites,
military networks, home PCs, critical infrastructure, small
networks, and universities, around the world.  Perhaps an
even greater threat than what they have done so far, is what
they have learned and what they will build next.


========
Conficker Eye Chart

All six images displayed = Normal/Not Infected by Conficker
(or using proxy)
Security/AV logos not displayed = Possibly Infected by
Conficker (C variant or greater)
Some security/AV logos not displayed = Possibly Infected by
Conficker B variant
Lower images don't appear (Tux, blowfish, devil) =
  1. Image loading turned off in browser?
  2. Verification images most likely being DDoSed
     (attacked by thousands of machines around the globe)

The important part is the top images -- do you see them?
Any other combination = Poor Internet connection?

http://rudd-o.com/en/linux-and-free-software/conficker-eye-chart-reloaded
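
The SRI excerpt above describes Conficker C's rendezvous scheme: a large pool of pseudo-random candidate domains regenerated every day and spread across many TLDs. The script below is an added illustration, not part of the original message and not Conficker's actual algorithm: it is a generic date-seeded domain generator (SHA-256 over seed, date and counter) with an assumed eight-entry TLD pool, used to show the two properties that make such a scheme hard to block, namely that bot and operator compute the same candidate set from the date alone, and that consecutive days' sets barely overlap, so a defender must re-derive and re-register or sinkhole the pool every day across every TLD involved.

```python
import hashlib
from datetime import date, timedelta

# Assumed, illustrative TLD pool. The page reports 110 TLDs for Conficker C;
# the point is that each TLD here is one more registry to coordinate with.
TLDS = ("com", "net", "org", "info", "biz", "cc", "ws", "tv")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_candidates(day, count=50000, tlds=TLDS, seed=b"illustrative-seed"):
    """Deterministically derive `count` unique candidate domains for `day`.

    Anyone holding the seed (the bot and the operator) gets the same list;
    the operator only has to register one name from it ahead of time.
    This is a made-up date-seeded DGA for illustration, not Conficker's.
    """
    out = set()
    counter = 0
    while len(out) < count:
        msg = seed + day.isoformat().encode() + counter.to_bytes(4, "big")
        digest = hashlib.sha256(msg).digest()
        counter += 1
        length = 5 + digest[0] % 7                       # label length 5..11
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        out.add(f"{label}.{tlds[digest[-1] % len(tlds)]}")
    return sorted(out)


def daily_overlap(day_a, day_b, count=2000):
    """Candidates shared by two days. Expect ~0: yesterday's blocklist is useless today."""
    return len(set(generate_candidates(day_a, count)) & set(generate_candidates(day_b, count)))


def per_tld_counts(domains):
    """Histogram by TLD: every TLD that appears needs its own registrar/registry action."""
    counts = {}
    for name in domains:
        tld = name.rsplit(".", 1)[1]
        counts[tld] = counts.get(tld, 0) + 1
    return counts


def blocklist_window(start, days, count=2000):
    """Union of candidates over a window: what a defender must pre-compute to cover it."""
    names = set()
    for i in range(days):
        names.update(generate_candidates(start + timedelta(days=i), count))
    return names


if __name__ == "__main__":
    today = date(2009, 4, 10)
    cands = generate_candidates(today, count=2000)      # 2000 instead of 50000 to keep it quick
    print(len(cands), cands[:5])
    print(per_tld_counts(cands))
    print("overlap with tomorrow:", daily_overlap(today, today + timedelta(days=1)))
    print("7-day window size:", len(blocklist_window(today, 7)))
```

Run it with the real pool size (`count=50000`) and a 110-entry TLD tuple to get a feel for the daily pre-registration burden the SRI text is describing; the per-TLD histogram is the list of parties a coordination effort has to involve for that day.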

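The eye chart above is a differential reachability test: images hosted by security vendors (which the B and C variants block from the infected host) are loaded next to images from unrelated "control" sites, and the pattern of what appears says which variant, if any, is interfering. The script below is an added example that is not part of the original message or of the rudd-o.com page; it performs the same check from the command line with the same decision rules as the chart text. All URLs in it are constructed placeholders, so substitute real image URLs before using it; the `fetch` parameter exists so the classifier can be exercised with canned results.

```python
import socket
import urllib.error
import urllib.request

# Constructed placeholder URLs (hypothetical hosts). The real chart uses
# security vendors' own image servers for the top row and three unrelated
# sites (Tux, blowfish, devil) for the bottom row.
SECURITY_IMAGES = {
    "vendor_a": "http://security-vendor-a.example/logo.gif",
    "vendor_b": "http://security-vendor-b.example/logo.gif",
    "vendor_c": "http://security-vendor-c.example/logo.gif",
}
CONTROL_IMAGES = {
    "tux": "http://control-site-1.example/tux.png",
    "blowfish": "http://control-site-2.example/blowfish.png",
    "devil": "http://control-site-3.example/devil.png",
}

NORMAL = "normal"
POSSIBLE_C = "possible_conficker_c_or_later"   # all security sites blocked
POSSIBLE_B = "possible_conficker_b"            # some security sites blocked
INCONCLUSIVE = "inconclusive"                  # controls missing: loading off, DDoS, bad link


def fetch_ok(url, timeout=5.0):
    """True if the URL resolves and answers 2xx from THIS host.

    The check only means something when name resolution and the TCP
    connection happen on the machine under test; behind a proxy the proxy
    does both, which is why the chart says "or using proxy" for all-green.
    """
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except (urllib.error.URLError, socket.timeout, OSError, ValueError):
        return False


def probe(security=SECURITY_IMAGES, control=CONTROL_IMAGES, fetch=fetch_ok):
    """Fetch every image once and record success per name."""
    return {
        "security": {name: fetch(url) for name, url in security.items()},
        "control": {name: fetch(url) for name, url in control.items()},
    }


def classify(results):
    """Apply the eye-chart decision rules to a probe() result."""
    sec = list(results["security"].values())
    ctl = list(results["control"].values())
    if not sec or not ctl:
        raise ValueError("need at least one security and one control image")
    if not any(ctl):
        return INCONCLUSIVE          # nothing loads: not a Conficker signal
    if all(sec) and all(ctl):
        return NORMAL
    if not any(sec):
        return POSSIBLE_C            # controls reachable, every vendor blocked
    if not all(sec):
        return POSSIBLE_B            # controls reachable, only some vendors blocked
    return INCONCLUSIVE              # vendors fine, a control dropped: poor connection


if __name__ == "__main__":
    outcome = probe()
    for row, hits in outcome.items():
        print(row, {k: ("ok" if v else "MISSING") for k, v in hits.items()})
    print("verdict:", classify(outcome))
```

A "possible" verdict is a reason to scan the host with an offline or known-good tool, not a diagnosis on its own: any local filtering, captive portal or outage that happens to cover the vendor hosts produces the same pattern, and the DDoS case the chart mentions shows the control sites can fail for reasons unrelated to the host.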



