Welcome to P2PNET.net - The original daily p2p and digital news site. Always First!

Conficker C. To fear? Or not to fear?

p2pnet news view | Security:- Remember back at the beginning of the century when Y2K bugs were going to devastate everyone’s computer? And nothing happened?

Well, tomorrow is C Day when another virus will supposedly wreak havoc online.

It’s called the April Fool virus, or the Conficker C worm, sometimes misspelled Conflicker or Confickr.

The first A variant was detected in October 2008, “taking advantage of previously unknown vulnerability in a Microsoft operating system that has subsequently been patched,” says the Canadian Internet Registration Authority (CIRA), which represents anyone with a .ca domain.

Then came a “stronger and more robust” version, Conficker B, unique because of the, “number of tricks that have been incorporated into its design and the degree to which it has been able to spread”.

“In early March, a third variant, Conficker C, appeared,” says the CIRA, going on:

“Whereas Conficker B generated a daily list of 250 new domains to connect to in search of a command and control file, this latest variant will begin on April 1 generating a daily list of 50,000 country-code domains in which these files could be hidden. These names are drawn from 110 country-code domains, including the Canadian extension dot-ca.

“Without a clear idea of the motive behind the creation of the worm and its variants, or the actions the botnet will take, Conficker is being regarded as a potential threat to Internet infrastructure around the world.”
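The CIRA backgrounder quoted above describes the worm’s network behaviour: each day it generates thousands of candidate names spread across 110 country-code TLDs and tries to look them up. Almost none of those names are registered, so from a resolver’s point of view an infected host is a burst of NXDOMAIN answers for short random labels under many different ccTLDs. The following is an added example, not code from p2pnet, CIRA or the researchers named in this article, and it does not reproduce Conficker’s own name-generation algorithm: it scores each client in a resolver log on exactly that signature, which generalizes to any domain-generation-algorithm traffic, not just this worm. The log format, the sample lines and the thresholds (`min_nxdomain`, `min_cctlds`, `min_ratio`) are all constructed for illustration.

```python
"""Flag clients whose DNS lookups look like a daily domain-generation burst.

Assumed (constructed) log format, one query per line:
    <time> <client-ip> <query-name> <rcode>
Real resolver logs (BIND querylog, Unbound, DNS server exports) differ in
layout, so LOG_RE would need adapting; the scoring logic does not.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$")

# Constructed sample: 10.0.0.5 is a normal client with one typo, 10.0.0.7 has
# several failures but all under .com, 10.0.0.9 shows the ccTLD-spread burst.
SAMPLE_LOG = """\
08:00:01 10.0.0.5 www.example.com NOERROR
08:00:02 10.0.0.5 mail.example.org NOERROR
08:00:02 10.0.0.5 wwww.example.com NXDOMAIN
08:00:05 10.0.0.5 cdn.example.net NOERROR
08:00:03 10.0.0.9 qwpfnqg.ca NXDOMAIN
08:00:03 10.0.0.9 tzmqvqk.co.uk NXDOMAIN
08:00:04 10.0.0.9 lpsdrhb.de NXDOMAIN
08:00:04 10.0.0.9 xvbqpmn.fr NXDOMAIN
08:00:05 10.0.0.9 rkcvwhd.jp NXDOMAIN
08:00:05 10.0.0.9 mbztqpl.ca NXDOMAIN
08:00:06 10.0.0.9 hqwnfzd.ru NXDOMAIN
08:00:06 10.0.0.9 update.example.com NOERROR
08:00:07 10.0.0.7 abc-typo1.com NXDOMAIN
08:00:07 10.0.0.7 abc-typo2.com NXDOMAIN
08:00:08 10.0.0.7 abc-typo3.com NXDOMAIN
08:00:08 10.0.0.7 abc-typo4.com NXDOMAIN
08:00:09 10.0.0.7 abc-typo5.com NXDOMAIN
"""


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def cctld_of(qname):
    """Two-letter country-code TLD of a name (e.g. 'uk' for x.co.uk), else None.

    Heuristic: every two-letter top-level label is treated as a ccTLD; generic
    TLDs such as .com/.net/.org are three or more letters and return None.
    """
    last = qname.rstrip(".").rsplit(".", 1)[-1].lower()
    return last if len(last) == 2 and last.isalpha() else None


def summarize(lines):
    """Per-client counts: total queries, NXDOMAIN answers, distinct ccTLDs that failed."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "cctlds": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        s = stats[rec["client"]]
        s["queries"] += 1
        if rec["rcode"] == "NXDOMAIN":
            s["nxdomain"] += 1
            tld = cctld_of(rec["qname"])
            if tld:
                s["cctlds"].add(tld)
    return stats


def suspicious_clients(lines, min_nxdomain=5, min_cctlds=3, min_ratio=0.6):
    """Clients with many NXDOMAINs, spread over several ccTLDs, dominating their traffic.

    All three conditions must hold: a single misconfigured host produces many
    failures under one TLD, and a busy legitimate client has a low failure ratio.
    Thresholds are illustrative and should be tuned to the resolver's baseline.
    """
    flagged = {}
    for client, s in summarize(lines).items():
        ratio = s["nxdomain"] / s["queries"] if s["queries"] else 0.0
        if (s["nxdomain"] >= min_nxdomain
                and len(s["cctlds"]) >= min_cctlds
                and ratio >= min_ratio):
            flagged[client] = {"nxdomain": s["nxdomain"],
                               "cctlds": len(s["cctlds"]),
                               "ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for client, info in suspicious_clients(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {info['nxdomain']} NXDOMAIN across {info['cctlds']} ccTLDs "
              f"({info['ratio']:.0%} of its queries)")
```

The ccTLD-spread condition is what separates this worm’s pattern from ordinary lookup failures: in the sample, 10.0.0.7 has just as many NXDOMAINs as the threshold requires but all under .com, so it is not flagged, while 10.0.0.9 fails across six different country codes and is. On a real resolver the same per-client summary can be run over each day’s log, since the article notes the list changes daily.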

Looks bad. So, after tomorrow, will we have to start using carrier pigeons to communicate with each other?

We’ll soon see and while we wait, it’s God’s gift to security firms.

Even McAfee.

They’re churning out Conficker-inspired PR puffs like there’s no tomorrow, many of them producing patches they say will protect people against Conficker Conflicts.

But April 1?

Forget that.

It’s already bitten into the UK government IT system, “joining millions of others who have fallen victim to it,” says infopackets, going on, “An email sent to MPs, lords and their staff revealed that parliament’s IT network appears to be completely unsecured.

“The Conficker/Downadup worm has been in circulation since November 2008 and a patch is available from Microsoft that fixes it. The fact that parliament’s systems have become infected indicates that their anti-virus software, if there is any, hasn’t been updated since last year and could be vulnerable to other attacks.”

However, “there’s lots of shoddy analysis to go around,” writes George Hulme in InformationWeek, going on to quote the CBC as saying in Conficker: world’s greatest April Fool’s joke or ‘digital Pearl Harbor’? »»»

Airplanes won’t fall out of the sky, and your banking information is probably safe, says John Leishman, of Geeks on the Way, a North American computer-troubleshooting company based in Calgary.

“We used to dread when a new virus came out,” Leishman told CBCNews.ca. “Our phones were overrun. Even though it was our business, it wasn’t good for long-term corporate relations.”

During those bad old days of viral infections, truly nasty things happened, he said. Computers were shut down, systems hacked, data wiped out.

“Now it’s more ego driven, rather than maliciously driven,” said Leishman. Data is no longer lost the way it used to be, because so many computer users have become wiser and anti-viral software better.

“What pile of obsolete CRTs has this guy been sleeping under?” – Hulme wonders, continuing »»»

First, Conficker.C is more of a threat to Web sites, corporate networks, and other Internet-networked services than individual PCs. These botnets are designed, generally, to spew Spam or shoot so much traffic as to interrupt the availability of networks or Web sites in distributed denial of service attacks. Especially in this case, the end user systems are targeted only as a means to an end: they are not the end goal.

Second, renting these botnets is big business in the underground. Botnet owners rent their ability to send spam. And, it is apparently profitable.

Third, many of the major worms: Code Red, SQL Slammer, Blaster didn’t destroy anything (except availability) in their wake. And, up until very recently, most “hacks” were performed by the curious and technically inclined to snoop on digital networks where they didn’t belong.

Today, malware is more crime driven than ever before. And by crime, I mean more than trespassing. I mean data theft, identity theft, spam, spyware, phishing attacks, credit card theft, etc.

Fourth, and this is the most debatable point. I believe anti-virus has helped to reduce some classes of viruses: but this is not why data isn’t the target as was the case with such mass e-mailers as the ILOVEYOU virus of 2000. Data isn’t destroyed because spyware and worms that destroy data don’t propagate well, as they’re quickly identified. This flies against the need to be stealthy to be profitable.

Meanwhile, “I’ve been working with the Honeynet Project’s Tillmann Werner and Felix Leder, who have been digging into Conficker’s profile on the network,” blogs security researcher Dan Kaminsky, adding »»»

What we’ve found is pretty cool:  Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly.  You can literally ask a server if it’s infected with Conficker, and it will tell you.  Tillmann and Felix have their own proof of concept scanner [link broken - Jon], and with the help of Securosis‘ Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys.

We figured this out on Friday, and got code put together for Monday.  It’s been one heck of a weekend.

The technical details are not complicated — Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version — but I’ll let Tillmann and Felix describe this in full in their “Know Your Enemy” paper, due out any day now with all sorts of interesting observations about this annoying piece of code.  (We didn’t think it made sense to hold up the scanner while finishing up a few final edits on the paper.)

Click here for Microsoft on the subject.

Stay tuned.

»»»

wreak havoc online – Conficker C: poised to strike April 1, March 25, 2009
CIRA – Backgrounder: The Conficker worm
Even McAfee – p2pnet to McAfee: Pay us what you owe!, March 29, 2009
infopackets – UK Parliament Network Latest Conficker Victim, March 30, 2009
InformationWeek – Conficker: Loathing the FUD and Misunderstanding, March 28, 2009
Dan Kaminsky – Taming Conficker, The Easy Way, March 30, 2009



4 Responses to “Conficker C. To fear? Or not to fear?”

  1. Why? Says:

    Why doesn’t Congress get tougher on computer hackers? There should be a law that states that any computer hacker/virus creator caught and convicted of such should be sentenced to life without parole! That would deter the majority of them from doing it in the first place, I think.

  2. Devil's Advocate Says:

    “…should be sentenced to life without parole!”

    Nah…
    Just make them go the rest of their lives hooked up directly to the Internet without a router, or firewall, or antivirus!

    “Wile E…. Super genius!”

  3. Reader's Write Says:

    “Why doesn’t Congress get tougher on computer hackers?”
    Because they’re too busy trying to do away with us “pirates.”

  4. Alexander Willner Says:

    The correct link of the proof of concept scanner of the University of Bonn is http://iv.cs.uni-bonn.de/uploads/media/scs.zip . You could also link to the main page instead: http://iv.cs.uni-bonn.de/conficker/
