
Author Topic: Conficker


Offline interval

  • New Member
  • Posts: 8
  • Sic Sempre Microsoft
    • The Ugly Engineer
Conficker
« on: February 26, 2009, 11:29:47 AM »
Conficker, aka Downup, aka Downadup, aka Kido, has been making quite a splash lately. Largely because no one seems to know what it's supposed to do. Microsoft is offering $250,000 for information on the creators. Some time in a sandbox with the thing would be very informative. Anyone thought about analyzing this? I am, I just need to get my hands on a copy, safely...

Offline Black Viper

  • Administrator
  • Posts: 2256
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Conficker
« Reply #1 on: February 26, 2009, 04:55:25 PM »
Conficker, aka Downup, aka Downadup, aka Kido, has been making quite a splash lately. Largely because no one seems to know what it's supposed to do.
It is a virus infecting unpatched Server service systems even though the fix was released months ago.
Discussions about this could be considered a violation of "Rule #3: methods to exploit a vulnerability" so walk softly and take any sandbox play toys elsewhere.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=1

Offline Black Viper

  • Administrator
  • Posts: 2256
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Conficker
« Reply #2 on: February 26, 2009, 05:28:53 PM »
Updated web site with latest info outlined here to include previous update:

October 24, 2008: A vulnerability in the Server Service has been discovered for Windows 2000 -> Windows 7 (basically, all versions in the last 9 years). Please see this security bulletin and update your PC accordingly: http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

February 26, 2009: The Server Service issue is still causing quite a stir on the internet. Ensure that you have fully updated your system so as not to be infected by "Conficker" or its several variants.

CA: http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911

F-Secure: http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=1

Sophos: http://www.sophos.com/security/analyses/viruses-and-spyware/w32conficka.html

In order to fix this issue, you need to patch your system using the latest update fix version: http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx

In order to remove the problem, you can use Microsoft's own removal tool or anything else offered from the company links above: http://www.microsoft.com/security/malwareremove/default.mspx

Regardless of what you do or how you choose to go about it, fix/patch/prevent.

BV EDIT: Line spacing
« Last Edit: February 26, 2009, 07:50:29 PM by Black Viper »

Offline interval

  • New Member
  • Posts: 8
  • Sic Sempre Microsoft
    • The Ugly Engineer
Re: Conficker
« Reply #3 on: February 26, 2009, 06:52:36 PM »
Conficker, aka Downup, aka Downadup, aka Kido, has been making quite a splash lately. Largely because no one seems to know what it's supposed to do.
It is a virus infecting unpatched Server service systems even though the fix was released months ago.
Discussions about this could be considered a violation of "Rule #3: methods to exploit a vulnerability" so walk softly and take any sandbox play toys elsewhere.

http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=1

Interestingly (or not) I did indeed consider this possibility (i.e., your opinion specifically, BV). Nevertheless I took the plunge as virii research is a viable and important discipline, and something I do. Attempting to get the Microsoft bounty is a big incentive and so far has been rather elusive. Even so, were a member of your bbs to win the bounty it would be a newsworthy event, I would think. It would be nice to figure out.

So far I have yet to even capture the darn thing in a sandbox, so the world is safe from my machinations. A rather elusive worm for such a legacy.

Offline Black Viper

  • Administrator
  • Posts: 2256
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Conficker
« Reply #4 on: February 26, 2009, 07:46:14 PM »
Nevertheless I took the plunge as virii research is a viable and important discipline, and something I do.
You can do whatever you wish, just not on my forums, or use my forums as a vehicle for such distributions.
You may not request or distribute OS exploits on my forums, via PM or posting.

A member of my forums getting infected due to lack of understanding or ignorance of security issues is not something that I consider "newsworthy" or something to brag about, but I would hope that all of them would have at some point in the last four months read my home page to have already been informed of this issue, thus making it a "non-issue".

However, your post did prompt me to update the server service vulnerability throughout my domain and I thank you for that.

BV EDIT: OH MY! I completely missed the point! I apologize for doing so as I took what was said above totally differently. Only took me several re-reads to actually understand where the post was going (discovering the viri writer's identity). I thought about editing this post and removing my lame statements, but I wanted to prove a point: even BV can be drastically wrong and I try to admit it when able. I am just glad that I figured it out without getting hate PMs. :)
« Last Edit: February 27, 2009, 07:56:04 AM by Black Viper »

Offline Black Viper

  • Administrator
  • Posts: 2256
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Conficker
« Reply #5 on: February 27, 2009, 07:24:39 AM »
Even to me, the above post seems rather harsh, but at the time I needed to get to the point and did not have any time to elaborate.

I commend those that take the time to research and explore viri, etc, labeling them as "white hats," but I have to walk a very fine line when it comes to what I do and do not allow.

I have myself considered several times jumping into the "white hat" side of "anti-viri" research, but unfortunately, the field is a moving target that changes from moment to moment and I do not have the time to dedicate to such a task and leave it to the "professionals", even though a couple of times, I have received viri in the mail "at the time of release" of worms or viri.

I ask you to read the Monday, November 17, 2003 @ 9:25 PM PST update on this page:
http://www.blackviper.com/News/2003archive.htm

It sums things up well.

I found another one that frustrated me at the time: Tuesday, March 2, 2004 @ 10:56 PM PST
http://www.blackviper.com/News/2004archive.htm

Actually, everywhere from January to end of March are interesting updates on the news page.
March 3rd is a good one where it states that I received (a variation of) Beagle before any information was posted on it.

Now, I must state here that, at one point in time, my personal domain server was dumping "6,000" viri and spam emails in a 24 hour period. "Hot" worms hit my network once every 3 seconds. No kidding. This is sort of why I *shudder* at the thought of anyone actively seeking this content as I was a very unwilling recipient for a long time, watching my inbox fill up with viri, to the point that I completely banned all attachments of any kind, period. This included .jpg "pretty" html emails, etc. If it was over 5k total and not in plain text, it was not viewed by me.

I believe that one of my regular posters does such research, but again, I ask that posting be restricted to "hey, this is broke and this is how ya fix it" rather than "anyone have a copy of that new worm running around?" or posting links directly to any file as well as, of course, compromised web sites.

Even though the OP is not directly asking for such, I wanted to ensure that I made my position on the matter clear and not have to do silly stuff like swing the ban bat for what could be an innocent request, meaning no harm.

I thank you, kind readers, for understanding.

BV EDIT: dun bad spelin fixd
BV EDIT 2: I understand the OP's original intentions now. The post from last night edited to reflect that, but this one is intact.
« Last Edit: February 27, 2009, 08:00:02 AM by Black Viper »

Offline interval

  • New Member
  • Posts: 8
  • Sic Sempre Microsoft
    • The Ugly Engineer
Re: Conficker
« Reply #6 on: February 27, 2009, 12:01:36 PM »
Your position has always been clear, don't worry, I'd never infringe, I respect you too much to soil your bbs in such a way.

Online couttsj

  • Hero Member
  • Posts: 523
Re: Conficker
« Reply #7 on: March 30, 2009, 12:44:59 PM »
I received a bulletin from US-CERT this morning with reference to a new Conficker-D virus set to trigger on April 1.

http://www.us-cert.gov/cas/techalerts/TA09-088A.html

This version is not a new infection, but piggybacks on the B & C infections. The only reason that I mention it is that it has a link to a Microsoft page that is very informative. It gives a fairly good insight into how to detect and manually remove a virus that has been installed under Svchost.exe. You may be surprised (as I was) to find how many services are actually allowed to run on your system under the netsvcs Svchost. I have 46, not all of which are running. You can see the ones that are running by using the command "tasklist /svc" (I have 9 running).

J.A. Coutts
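An added example, not from the post or from the Microsoft page it links: it reads the netsvcs group from the registry, shows which DLL each member service is registered to load, and flags entries whose ServiceDll sits outside System32 or does not exist on disk. The "flag" rule is an assumption of this example (a quick triage heuristic, not a verdict); the registry locations are the standard svchost and Services keys.

```powershell
# Enumerate the "netsvcs" svchost group and show each member's ServiceDll.
# The "suspicious" heuristic (DLL outside System32 or missing) is an assumption
# of this example; review any flagged entry by hand before acting on it.
$svchostKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$system32    = Join-Path $env:SystemRoot 'System32'

# REG_MULTI_SZ value: one service name per element
$netsvcs = @((Get-ItemProperty -Path $svchostKey -Name 'netsvcs').netsvcs)
"netsvcs group contains $($netsvcs.Count) service names"

$report = foreach ($name in $netsvcs) {
    $svcPath = Join-Path $servicesKey $name
    if (-not (Test-Path $svcPath)) {
        # Listed in the group but no such service is registered: inert entry.
        [pscustomobject]@{ Name = $name; ServiceDll = '<not registered>'; Status = 'absent'; Note = '' }
        continue
    }
    # svchost-hosted services keep their DLL path under <service>\Parameters\ServiceDll
    $dll = (Get-ItemProperty -Path (Join-Path $svcPath 'Parameters') -Name 'ServiceDll' `
            -ErrorAction SilentlyContinue).ServiceDll
    $expanded = if ($dll) { [Environment]::ExpandEnvironmentVariables($dll) } else { '' }
    $state    = (Get-Service -Name $name -ErrorAction SilentlyContinue).Status
    $note = ''
    if ($expanded -and -not $expanded.StartsWith($system32, [StringComparison]::OrdinalIgnoreCase)) {
        $note = 'ServiceDll outside System32'
    } elseif ($expanded -and -not (Test-Path -LiteralPath $expanded)) {
        $note = 'ServiceDll file missing'
    }
    [pscustomobject]@{ Name = $name; ServiceDll = $expanded; Status = $state; Note = $note }
}

# Flagged entries first, then everything else
$report | Sort-Object Note -Descending | Format-Table -AutoSize

# Cross-check against the live process list: which svchost.exe hosts which services
tasklist /svc /fi "IMAGENAME eq svchost.exe"
```

Run it from an elevated PowerShell so the Services subkeys are readable; on 64-bit systems a legitimate DLL under SysWOW64 would also be flagged, so treat the Note column as a starting point for a manual look, not a diagnosis.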

Offline Shwa_Rob

  • New Member
  • Posts: 2
Re: Conficker
« Reply #8 on: April 01, 2009, 05:04:21 AM »
Read the big splash on CNN this morning. Sales of Symantec will be way up.

In regards to Conficker, by having only the bare essential services running, none of which have ports open, does this improve my odds of not being infected?


Offline Black Viper

  • Administrator
  • Posts: 2256
  • "Have you tweaked your OS lately?"
    • Black Viper's Web Site
Re: Conficker
« Reply #9 on: April 01, 2009, 08:09:11 AM »
In regards to Conficker, by having only the bare essential services running, none of which have ports open, does this improve my odds of not being infected?
Read this:
http://bbs.blackviper.com/index.php/topic,1696.msg9972.html#msg9972

Offline DJanda

  • Premium Member
  • Posts: 216
  • It's gotta be in here somewhere...
Re: Conficker
« Reply #10 on: April 07, 2009, 03:06:38 PM »
Yeah, the advertised threat is past, but this solution is so elegant that I wanted to share it with other geeks. The test attempts to fetch icons from 6 sites: 3 anti-virus sites (F-Secure, SecureWorks, Trend Micro) and 3 alternative operating systems (OpenBSD, FreeBSD, Linux). So simple...
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
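The same idea as the eye chart, written as an added example for the local machine (not the Conficker Working Group's page or code): fetch three security-vendor sites and three unrelated control sites and compare the outcome. The hostnames are assumptions (the public web sites of the vendors and projects the post names, with kernel.org standing in for "Linux"); the verdict logic is this example's own reading of the chart.

```powershell
# Eye-chart style check: security-vendor sites unreachable while unrelated
# control sites load is the pattern worth investigating; all-or-nothing
# failures just mean no connectivity. Hostnames are assumptions of this example.
$securitySites = 'www.f-secure.com', 'www.secureworks.com', 'www.trendmicro.com'
$controlSites  = 'www.openbsd.org', 'www.freebsd.org', 'www.kernel.org'

function Test-SiteAccess {
    param([string]$HostName)
    $resolved = $false; $fetched = $false
    # Step 1: can the name be resolved at all?
    try { $null = [System.Net.Dns]::GetHostAddresses($HostName); $resolved = $true } catch {}
    # Step 2: does an HTTPS GET succeed? (a 403 from bot protection also counts as a
    # failure here, so confirm a "blocked" result with a second method before acting)
    if ($resolved) {
        try {
            $null = Invoke-WebRequest -Uri "https://$HostName/" -UseBasicParsing -TimeoutSec 10
            $fetched = $true
        } catch {}
    }
    [pscustomobject]@{ Host = $HostName; Resolved = $resolved; Fetched = $fetched }
}

$sec = @(foreach ($h in $securitySites) { Test-SiteAccess $h })
$ctl = @(foreach ($h in $controlSites)  { Test-SiteAccess $h })
($sec + $ctl) | Format-Table -AutoSize

$secOk = @($sec | Where-Object Fetched).Count
$ctlOk = @($ctl | Where-Object Fetched).Count
if ($ctlOk -eq 0) {
    'No control site reachable: no usable connectivity, result inconclusive.'
} elseif ($secOk -eq 0) {
    'Control sites load but every security-vendor site fails: consistent with selective blocking on this host or network.'
} elseif ($secOk -lt $sec.Count) {
    'Some security-vendor sites fail while controls load: check which ones, and whether Resolved or Fetched is the step that fails.'
} else {
    'All six sites load: no sign of the selective blocking the eye chart tests for.'
}
```

A proxy or content filter that blocks security sites by policy produces the same pattern as malware, so use the result as a prompt to look at DNS and proxy settings, not as proof of infection.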