Conficker virus begins to attack PCs: experts

Originally posted by tristar
reply to post by makeitso

 

No that is not correct.

I may provide you with a video showing you the methods used and implemented.

Thank you,

methods used and implemented for what specifically?

I asked for links to research showing that Conficker is programmed to steal data and do the other things you indicated it was doing.

On that note, if you could allow me 48hrs to alter the video file showing methods used, i would be great full.

No problem. I can respect that request.

Although, perhaps the request was not clear. Allow me re-phrase yet again. Please be aware that I was not asking for an altered video from U-tube.

Rather posted links to recognized organizations / researchers disecting Confickers programing, (like I did), that have posted their replicable research showing that Conficker is currently programmed to, and is stealing data, selling it, etc.

You may be aware of this research and I am not, that is why I asked for the links. to research. Not a video

Thanks,

Good thing our SIPRNET and JWICS are all internal, with no outside access.

Yes i understand, by no means am i going to upload some Youtube video or Google video. When you view it, you will understand how easy or should is say how effective this is. The mere transfer of data once inside, is a 3 minute depending on what you are accessing.

Off topic: Would also like to take the time in applauding everyone who has taken the time to post within here and their level of posts. I honestly did not expect this level and quality of response.

i am having problems loading images from websites, even this one, but all the test i do show i dont have conflicker, is anyone else having this problem? is it some how related to conflicker?

Originally posted by Pondering Soul
i am having problems loading images from websites, even this one, but all the test i do show i dont have conflicker, is anyone else having this problem? is it some how related to conflicker?

You could try to clean your Cache Files and perform a system check.

MACDailyNews

Just google conficker stealing data and you'll find endless links talking about it.

"The Kido (aka Conficker/Downadup) botnet [has] kicked into action – what everyone’s been on the lookout for since 1st April," Kaspersky Lab reports. "The [Windows] computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files."

"The latest version of Kido also downloads Email-Worm.Win32.Iksmas.atz to infected systems. This email worm is also known as Waledac, and is able to steal data and send spam," Kaspersky Lab reports

I've personally cleaned about 3 PCs with this malware on it. Supposedly Windows update covers it but only the forms that it has recognized, that the forms that it has been changed to recently. This software is mutating to survive and is ran by individuals from China and South Amer. to basically scam people with anything from stealing bank info to charging for bogus anti-virus. The last computer I cleaned was acting as a spammer and wasn't picked up by any anti-virus or anti-spyware and had all of its Windows updates.

reply to post by tristar

reply to post by makeitso
I chose my words carefully and made no claims in that sentence. At this moment in time, I haven't read a single experts testimony that explains the motivations behind Conficker. The updates it downloads are encrypted beyond any immediate resolution using brute force or Ophcrack. I was speculating from a pragmatic perspective. The admirable planning that the creators have applied to Conficker in terms of concealing intent implies illegal activity.

The best minds in IT security haven't figured it out and I find that telling. Strictly speaking, it isn't even a botnet yet as the infected PCs have not been coordinated towards a definable end. As of now, Conficker has the potential for anonymous crime on a grand scale. Each infected PC/laptop is it's own server via P2P. Spam, bank and retail details, along with passwords are there to be exploited behind the current anonymity of the Conficker backers. There's no indication that they'll use it to sell rogue anti-malware (antivirus 2009?).

Time will tell what the plans are. The caution and ingenuity demonstrated so far suggests there is a business plan. I'm fascinated to find out what that plan will be.



EDIT to add this Know Your Enemy: Containing Conficker, it's a PDF document from Honeynet and contains everything known about Conficker up to early April.


[edit on 26-4-2009 by Kandinsky]

Originally posted by ModernAcademia
I told everyone, even here on ATS
The worst thing that the virus can do is nothing

Why? that makes no sense. please explain .
thanks

Originally posted by intelinside451
I've personally cleaned about 3 PCs with this malware on it. Supposedly Windows update covers it but only the forms that it has recognized, that the forms that it has been changed to recently. This software is mutating to survive and is ran by individuals from China and South Amer. to basically scam people with anything from stealing bank info to charging for bogus anti-virus. The last computer I cleaned was acting as a spammer and wasn't picked up by any anti-virus or anti-spyware and had all of its Windows updates.

reply to post by tristar

 

I was referring to him not being able to view the site, nothing else, just a basic assumption on basic pc/mac issues, nothing more nothing else. If does have a root embedded virus then he would need to do more in-depth functions.

Originally posted by Kandinsky
reply to post by makeitso

 

I chose my words carefully and made no claims in that sentence. At this moment in time, I haven't read a single experts testimony that explains the motivations behind Conficker. The updates it downloads are encrypted beyond any immediate resolution using brute force or Ophcrack. I was speculating from a pragmatic perspective. The admirable planning that the creators have applied to Conficker in terms of concealing intent implies illegal activity.

The best minds in IT security haven't figured it out and I find that telling. Strictly speaking, it isn't even a botnet yet as the infected PCs have not been coordinated towards a definable end. As of now, Conficker has the potential for anonymous crime on a grand scale. Each infected PC/laptop is it's own server via P2P. Spam, bank and retail details, along with passwords are there to be exploited behind the current anonymity of the Conficker backers. There's no indication that they'll use it to sell rogue anti-malware (antivirus 2009?).

Time will tell what the plans are. The caution and ingenuity demonstrated so far suggests there is a business plan. I'm fascinated to find out what that plan will be.

EDIT to add this Know Your Enemy: Containing Conficker, it's a PDF document from Honeynet and contains everything known about Conficker up to early April.


[edit on 26-4-2009 by Kandinsky]

Well said Sir/Madam,

Good to see that informed members are active and applying what knowledge is available. Lets keep in mind this not your average code, so asking "what,who,when and how" is not a simple process of applying what educational knowledge one has but rather who is associated and to what extent one has been exposed to similar parameters.
Again, thank you for your input.

so what do you all expect ?

when a person does these kind of thing is then rewarded with a very good job at the end of the day what do you all expect ?

this thing will never end, it will happen over and over again until there is a punishment to who ever does something like this in the future.

just my thoughts

peace

reply to post by LucidDreamer85


If I remember right what that member meant was something along these lines:

If the virus is not doing anything that one can detect, then it is worse than having an "active" virus.

I could be wrong, but I want to say I remember reading that post somewhere on these boards.

----

Also, I am still anxious to see this 'proof' on how the virus is stealing data etc. I smell Fjnords...

reply to post by tristar


Ummm, noot he's not wrong, he was exactly right. I think you are a little confused maybe? Possibly you should read current news stories on this virus/trojan/backdoor/whatever. Reading comprehension is your friend!

Originally posted by maus80
reply to post by tristar

 

Ummm, noot he's not wrong, he was exactly right. I think you are a little confused maybe? Possibly you should read current news stories on this virus/trojan/backdoor/whatever. Reading comprehension is your friend!

In reference to which question or post ?

You need to understand its not only your computer that is infected, if you have emailed anyone while you were infected then THAT data (username/password) has been logged and sent, so in actual fact your doing nothing apart from just dusting the surface. If you were using a company email then that email server is also at risk and everyone who has an account within that particular mail server.

You don't really know how network security works, do you.

I've been in the business for over 30 years now, and this isn't some special super-code that can get data off of our servers, exchange, oracle, or otherwise. A single computers lack of protection does not mean that it magically can bypass all other security on our network. It CAN spread to other non-protected computers and infect them as well. Of course, most companies having data worth stealing does monthly updates on all servers, uses SMS to push updates to PCs, and pushes critical updates as they appear.

I've had one virus in the last 10 years at my current job, that actually spread to 2 others computers on my network, and did enough damage that I had to rebuild those PCs. We still have firewalls in place however. What do you think happens? That an infected PC sends this evil code to our server, which then sneaks past server security steals data, and then somehow magically gets back out of our network with that data? It doesn't work like that. There is a reason you cannot use another companies VPN software inside of your companies firewalled network.

The virus that spreads via Outlook isn't infecting the Exchange server. It's simply utilizing the GAL (for a nasty virus), or a local personal contacts list, to spread. And even if you send code this way, it still requires your Exchange server to not be updated to filter out that particular virus, and your users STILL have to be stupid enough to open these attachments up.

There is a reason that pirated versions are seeing more infections. When you try to go to microsoft / updates, and get the security updates, it now installed the genuine advantage tool (i.e. MS's "is that really a legal copy of windows?" tool). If your version is not valid, it will NOT get updates. Since the security update for this particular code was released in November (those PCs on our network that were patched did NOT get this), all certified versions of windows do get patched. Pirated versions have a good chance to be unpatchable for security updates.

Finally, all companies with data worth stealing are protected. The only computers we had infected (and many companies) are a handful of PCs that fell through the cracks. Either the SMS client is not working properly, or it's a loaner / kiosk station that isn't used very often, or we have some users who travel overseas for long periods, and come back needing updates. These are typically the ones that get infected.

If your IT is really on the ball, this is of no concern whatsoever. After our initial infections, we did the standard stuff: send warnings out to the office, made sure all servers were up to date, ran an SMS check to see if the security update was present on all computers, and updates those handful that came back negative. We've not had a single infection since.

i.e. people are overreacting to this virus. It's no more sinister than any others I've had roll through. I've had many worse ones in fact.

OMG guys... I was so worried about this that I went to PC World today and the guy there was really helpful. He sold me Norton 2009 and said that would take care of the problem.

So if anyone out there is worried, I'd suggest going down to PC world and getting Norton 2009 as the guy there said it would 100% solve the problem and protect against this problem.

I'm not the most computer literate guy but the man in PC world was real helpful. I'm really recommending PC world. PC world were really great today.

Star and flag.

reply to post by Dutty_Rag


It's a virus that takes advantage of a security hole. Norton is not any better (and is worse than others) than any anti-virus program.

The best steps to protect is: Get all security updates for your computer. Security update 958644 (MS08-067) is the one that prevents the security hole that this code is taking advantage of. If you have this, and are not currently infected, you will not GET infected.

Turn on system restore. This allows your computer to take a snapshot of all system files, and restore them based on restore points created (at set times, and another version is created before a new item is installed). If you get this, and then run a system restore prior to the date you received it, it will be as if you never had it.

Norton is so-so. Not bad, but not great, either. Malwarebytes.com is better. It actually removes stuff like antivirus 2008 (and its variants), vundo, and the other really nasty ones, that usually confuses mcafee and norton products. And it's free! Norton's active protection is pretty solid. Others (like Trend) are fairly horrid. Usually a Trend protected computer says "Yo! I am now detecting this specific virus that I inexplicably allowed to get on your computer in the first place.. my bad!"

[edit on 26-4-2009 by fleabit]

[edit on 26-4-2009 by fleabit]

Originally posted by fleabit
reply to post by Dutty_Rag

 

It's a virus that takes advantage of a security hole. Norton is not any better (and is worse than others) than any anti-virus program.

The best steps to protect is: Get all security updates for your computer. Security update 958644 (MS08-067) is the one that prevents the security hole that this code is taking advantage of. If you have this, and are not currently infected, you will not GET infected.

Turn on system restore. This allows your computer to take a snapshot of all system files, and restore them based on restore points created (at set times, and another version is created before a new item is installed). If you get this, and then run a system restore prior to the date you received it, it will be as if you never had it.

Norton is so-so. Not bad, but not great, either. Malwarebytes.com is better. It actually removes stuff like antivirus 2008 (and its variants), vundo, and the other really nasty ones, that usually confuses mcafee and norton products. And it's free! Norton's active protection is pretty solid. Others (like Trend) are fairly horrid. Usually a Trend protected computer says "Yo! I am now detecting this specific virus that I inexplicably allowed to get on your computer in the first place.. my bad!"

[edit on 26-4-2009 by fleabit]

[edit on 26-4-2009 by fleabit]

OMG so are you saying that I shouldn't have been sold Norton? Can I take it back now even though I have installed it? (Obviously I would uninstall it back onto the CD ROM so I could take it back, I wouldn't try and copy it).

If they mis-sold me something telling me it was the best then I can take it back right? Are you certain it's really not the best because the kid in PC World seemed pretty adamant?

reply to post by tristar

Keep in mind, this worm CANNOT BE STOPPED.

Not quite accurate. There are several search and removal tools out there for this one. Microsoft added one in the recent update to the Malicious Software Removal Tool. If you keep Windows updated, you should be fine. If you want to be as cautious as possible you can use more of the removal tools:

Sophos

Symantec

BDTools

Running any (or all, if you wish) of those, and keeping Windows updated should keep you safe.


TA

[edit on 26-4-2009 by TheAssociate]