OFF topic? 60 minutes warns about Conflicker worm

investorzzo
Status: Diamond Member (Offline)
Joined: Nov 7 2008
Posts: 1182
OFF topic? 60 minutes warns about Conflicker worm

The only reason I am letting you know about this is that it could bring down the internet on April 1st, and no, this is not a joke!

http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml

SamLinder
Status: Diamond Member (Offline)
Joined: Jul 10 2008
Posts: 1499
Re: OFF topic? 60 minutes warns about Conflicker worm

No one knows for sure if April 1st is really going to be trouble or not as noted at the end of the story:

Conficker investigators have been talking about an April Fool's attack,
because in dissecting the worm, they can see it's been programmed to
receive new instructions on April 1. But nobody knows if the
instructions will be benign, or something that could disrupt the entire
Internet.

SamLinder
Status: Diamond Member (Offline)
Joined: Jul 10 2008
Posts: 1499
Re: OFF topic? 60 minutes warns about Conflicker worm

http://www.askwoody.com/

Conficker’s All Fools Day

Posted on March 28th, 2009 at 05:27

The sky is falling! The sky is falling!

I know it’s true because I read it in … let’s see … where was that?
Oh, it’s right here in the newspaper. Just above the ad for washing
machines. Yeah, see that? Toldja so.

Gimme a break. Yes, Conficker is changing on April 1. No, you don’t need to worry about it.

There’s an excellent, reasoned blog post
about Conficker on the F-Secure site. What? An antivirus manufacturer
says you don’t need to panic, while the venerable Sun says “MILLIONS of
computers around the world could go into meltdown on April 1 because of
a deadly virus.” Gawrsh. And they have a very nice ad for washing
machines, too.

If you’re still running Windows XP, it would behoove you to hop over to the F-Secure Q&A. Down at the bottom, there’s a link to the F-Secure scanner, which will detect and remove all known versions of Conficker.

And you won’t get hit up about dirty laundry…

 

Additional Info:  http://www.snopes.com/computer/virus/conficker.asp

la_bruin
Status: Member (Offline)
Joined: Mar 30 2009
Posts: 1
Re: OFF topic? 60 minutes warns about Conflicker worm

Excellent response.  If I could add one bit of background info:

If you do some research, you'll find that all the recent news about Conficker has suspiciously involved either interviews with, PR releases from, or emanated from discussions originating from a single company: Symantec Corporation - a major Antivirus Software company. I am told that - big surprise - Symantec took an unusually high profile role in the 60 Minutes segment, by bringing out a PR flack to hype up Conficker and "the need for current & modern antivirus software". [coughsalesplugcough] If you search the net, you'll find that no other Antivirus software companies are doing the same, other than providing reactive commentary to all the recent chit chat around Conficker generated by Symantec.

When it comes to computer security, alerts around major threats are generally done as a community. Fear mongering by a lone security company is considered to be low brow since it's effectively preying on consumers' vulnerabilities-for-profit. A seasoned security expert without an agenda would have provided some context around Conficker noting that complete & proven remedies (preemptive patches & reactive detection) for it have been around for months. Or he might have mentioned that there are other active worms & viruses in the wild that are dramatically more prevalent than Conficker such as Taterf.B.

I haven't seen the 60 Minutes interview yet (it's been DVRed) but my suspicion is that in security circles on the net, it's known that CBS as a company was recently hit with Conficker companywide and as a result this generated a certain amount of personal interest from the CBS-based news magazine.

Gamayun
Status: Member (Offline)
Joined: Mar 13 2009
Posts: 8
Re: OFF topic? 60 minutes warns about Conflicker worm

As an IT professional I can tell you that this issue has been blown way out of proportion by sensationalist media and is nothing more than an attempt by Symantec to sell more licenses for their antivirus product (which I must say is one of the crappiest on the market though McAfee is a strong contender for that title).

If you like worrying about these kinds of threats - you should be a lot more worried by various existing botnets controlled by governments (Chinese, Russian, etc) and shady computer criminals.

 

SamLinder
Status: Diamond Member (Offline)
Joined: Jul 10 2008
Posts: 1499
Re: OFF topic? 60 minutes warns about Conflicker worm

Additional important info can be found at:

http://windowssecrets.com/2009/03/30/01-Run-a-Conficker-removal-tool-bef...

 

Domain-name blocking defeats many removal tips

In perhaps the worm's cruelest behavior, a computer infected with
Conficker.C is prevented from accessing many security-oriented Web
sites. When a user tries to get patches from, say, Microsoft or
Symantec, a browser will time out, suggesting to the user that the site
is down.

Conficker.C interferes with access to sites containing the following
strings (as well as scores of other strings not shown here) in any
portion of the URL:

antivir  ca.  cert.  conficker  f-secure  kaspersky  mcafee
microsoft  msdn.  msft.  norton  panda  safety.live  sans.
symantec  technet  trendmicro  windowsupdate

Computer Associates' security advisory 77976 lists all the strings that
Conficker.C currently obstructs.

If your PC is infected, a technical trick might enable you to visit a
site that Conficker is blocking. Instead of entering the site's domain
name in your browser's address bar, enter the site's dotted-decimal IP
address instead, which Conficker doesn't seem to interfere with. (My
thanks to Woody Leonhard for his help with this tip.)

For example, Conficker might block your browser from showing the
Computer Associates advisory I just mentioned. If so, you could replace
the domain name shown in the first line below (www.ca.com) with the
dotted-decimal IP address shown in the second line (130.119.248.144):


www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976

130.119.248.144/us/securityadvisor/virusinfo/virus.aspx?id=77976



Here's one way to learn the IP address of a Web site: using an
uninfected PC, open a Firefox window and install the Show IP browser
extension. With this extension enabled, the IP address of whatever site
you're visiting shows up in the browser's status bar.

Of course, if you navigate to a site using its IP address and then
click a link, the site will probably use a spelled-out domain name in
the link. Conficker would block the resulting page, which you'd have to
replace manually with its dotted-decimal equivalent.

Conficker's blocking of security sites is little-understood by most
journalists. For this reason, many fix-it tips from usually reliable
sources won't actually help the victims:
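
Added example, not part of the quoted Windows Secrets article or of any post in this thread: a Python helper that checks saved links against the strings quoted above and builds the dotted-decimal form for the ones that would be affected. It assumes the article's description that a match anywhere in the URL triggers blocking; `ip_table` is a hypothetical host-to-IP map filled in on an uninfected PC, and the example.org links and the 192.0.2.10 address are constructed.

```python
from urllib.parse import urlsplit, urlunsplit

# Strings quoted in the article above (it notes that scores more exist).
BLOCKED_STRINGS = (
    "antivir", "ca.", "cert.", "conficker", "f-secure", "kaspersky", "mcafee",
    "microsoft", "msdn.", "msft.", "norton", "panda", "safety.live", "sans.",
    "symantec", "technet", "trendmicro", "windowsupdate",
)

def _split(url):
    # Accept links written without a scheme, as in the article's example.
    return urlsplit(url if "//" in url else "//" + url)

def blocked_by(text):
    """Return the listed strings that occur anywhere in text."""
    low = text.lower()
    return [s for s in BLOCKED_STRINGS if s in low]

def to_ip_url(url, ip):
    """Swap the host name for ip, keeping scheme, port, path and query."""
    p = _split(url)
    netloc = ip if p.port is None else f"{ip}:{p.port}"
    return urlunsplit((p.scheme or "http", netloc, p.path, p.query, p.fragment))

def plan(urls, ip_table):
    """Per URL: strings it trips, its IP form, and strings left after rewriting."""
    rows = []
    for url in urls:
        hits = blocked_by(url)
        ip = ip_table.get(_split(url).hostname)
        ip_url = to_ip_url(url, ip) if hits and ip else None
        # A listed string in the path survives the host swap.
        leftover = blocked_by(ip_url) if ip_url else []
        rows.append({"url": url, "hits": hits, "ip_url": ip_url,
                     "leftover": leftover})
    return rows

# First entry is the article's own example; the other two are constructed.
SAMPLE_URLS = [
    "www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976",
    "http://www.example.org/tools/symantec-notes.html",
    "http://www.example.org/index.html",
]
IP_TABLE = {"www.ca.com": "130.119.248.144", "www.example.org": "192.0.2.10"}

if __name__ == "__main__":
    for row in plan(SAMPLE_URLS, IP_TABLE):
        print(row)
```

A request to a dotted-decimal address carries that address as its host name, so the rewritten link only works for sites that answer on the bare IP.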

kemosavvy
Status: Martenson Brigade Member (Offline)
Joined: Oct 13 2008
Posts: 254
Re: OFF topic? 60 minutes warns about Conflicker worm

sam, i had a computer at work that had this same problem where the IP address worked but not the domain name URL. this probably means the computer was infected with the conficker virus but it doesn't solve my problem. if i have to manually type in the IP address every time i want to go to secure sites then my computer is still sick with the virus. how do i get rid of it?

(amazingly, i was able to work with a dude from the internet provider and between him and i we got the internet going again but i couldn't tell you how because i don't know).

steve

and yes, i thought the 60 minute piece was a bit infomercial-like, only gave the viewpoint of those from inside the anti-virus companies and a personal story of someone infected by a virus. a contrarian hacker interview would've been nice.

SamLinder
Status: Diamond Member (Offline)
Joined: Jul 10 2008
Posts: 1499
Re: OFF topic? 60 minutes warns about Conflicker worm
kemosavvy wrote:

sam, i had a computer at work that had this same problem where the IP address worked but not the domain name URL. this probably means the computer was infected with the conficker virus but it doesn't solve my problem. if i have to manually type in the IP address every time i want to go to secure sites then my computer is still sick with the virus. how do i get rid of it?

(amazingly, i was able to work with a dude from the internet provider and between him and i we got the internet going again but i couldn't tell you how because i don't know).

steve

and yes, i thought the 60 minute piece was a bit infomercial-like, only gave the viewpoint of those from inside the anti-virus companies and a personal story of someone infected by a virus. a contrarian hacker interview would've been nice.

kemosavvy,

Send me an email and I'll send you back a newsletter that describes how to get rid of the conficker worm.

ksteed2007
Status: Member (Offline)
Joined: Apr 5 2009
Posts: 1
Re: OFF topic? 60 minutes warns about Conflicker worm

Hey, I have the worm too and I can't get rid of it. Could anyone help me? I just was able to get on the internet. I really need help!

jerrydon10
Status: Gold Member (Offline)
Joined: Mar 2 2009
Posts: 442
Re: OFF topic? 60 minutes warns about Conflicker worm

This software advertises that it removes this particular bug:

http://www.pctools.com/spyware-doctor-antivirus/?ref=google&gclid=CICq9e...

SamLinder
Status: Diamond Member (Offline)
Joined: Jul 10 2008
Posts: 1499
Re: OFF topic? 60 minutes warns about Conflicker worm
ksteed2007 wrote:

Hey, I have the worm too and I can't get rid of it. Could anyone help me? I just was able to get on the internet. I really need help!

 

ksteed2007,

Please try the following:

http://windowssecrets.com/2009/03/30/01-Run-a-removal-tool-before-April-1

How to update your PC and remove Conficker

The following steps should prevent infection by Conficker and eliminate
the worm, if your PC has it. One positive side effect is that you'll
enjoy a computer with up-to-date patches:


  • Step 1. Attempt to run Microsoft Update. The Conficker worm can
    infect vulnerable computers merely by connecting to them remotely via
    the Internet. For this reason, you should first try to patch Windows
    before removing Conficker, lest your machine quickly become infected
    again. It's particularly important to install Microsoft patch 958644
    (security bulletin MS08-067). This patch closes a hole in Windows'
    Remote Procedure Call, which Conficker exploits.

    If you can't find Microsoft Update (or the more limited Windows Update)
    on your PC's Start menu, visit the Microsoft Update page on the Web.
    Internet Explorer is required.

    Microsoft Update might complete successfully, or you might not be able
    to access Microsoft.com at all. In either case, do Step 2.


  • Step 2. Attempt to update your third-party security software.
    Having the latest antivirus signatures will help eradicate Conficker
    and other malware that may be lurking on your PC. Use your security
    software's menu to manually update to the latest defenses.

    Have no security software? Read the WS Security Baseline, which
    summarizes the products that are currently rated the highest by
    respected reviewers.

    • If your updated security software deems your PC to be cleaned up, but
    you couldn't previously access Microsoft.com, go back to Step 1 and run
    Microsoft Update.

    • If you couldn't access your security vendor's site at all, do Step 3.

    • If you finished both Steps 1 and 2 successfully, you should be able to skip Step 3 and do Step 4.


  • Step 3 (optional). Run a standalone Conficker removal tool, if need be.
    The Conficker Working Group — a coalition of Microsoft, Cisco, SRI,
    F-Secure, Kaspersky, and many other security vendors — maintains a list
    of certified detection and repair tools, any of which should remove Conficker. (My thanks to Susan Bradley for her help with this tip.)

    Unfortunately, most of the links in the Working Group's list are
    inaccessible on a Conficker-infected PC. A victim can't even reach the
    Working Group's site, because it has in its URL the string conficker, which triggers the worm's blocking behavior.

    As I mentioned earlier, security firm BitDefender has set up a new
    domain from which users can download free Conficker disinfectant
    utilities. This site, BDTools.net, is not currently blocked by the
    worm, to the best of my knowledge. The site offers three options: (a) a
    free online scan; (b) a free, downloadable Single PC Removal Tool for
    individual users; and (c) a free Network Removal Tool, an .exe file that IT admins can use to disinfect an entire LAN.

    BDTools.net: Visit BitDefender's download site.

    If you can't access BDTools.net or any other security site from your
    PC, find a machine that isn't infected (such as a public-access
    workstation at a library). Don't use a search engine to look for
    removal tools, some of which are bogus. Instead, download a removal
    tool from the Working Group's certified list onto a USB drive, and then
    use that drive to run the software on the infected PC.

    • After removing Conficker, if you couldn't previously complete Steps 1
    and 2 successfully, go back now and finish those steps to update
    Windows and your security software.

    • Once you've completed Steps 1 and 2, do Step 4.


  • Step 4. Run Secunia's Software Inspector to catch missing application patches.
    Third-party applications, especially media players, are more likely to
    suffer from security holes than Windows itself is. The security firm
    Secunia.com offers a free scan, informing you when your PC is running
    an insecure version of an application that has a security patch
    available.

    Like BDTools.net, the Secunia Software Inspector offers three options:
    (a) a free online scan; (b) a free download for individual users; and
    (c) a LAN utility for IT admins. Unlike BDTools' network tool, which is
    free, Secunia's LAN product costs €5,000 (U.S. $6,500) per year and up,
    depending on the size of your company.

    To run Software Inspector, see Secunia's vulnerability scanning page.

    In my opinion, everyone should use Software Inspector at least once a
    month, right after installing Microsoft's patches the week of Patch
    Tuesday.


  • Step 5 (optional). Advanced users — use OpenDNS to restrict infected PCs.
    OpenDNS, a San Francisco–based company, provides a free, real-time
    service that prevents PCs from accessing phishing and hacker sites,
    among others. Admins of small and large LANs can use OpenDNS as a
    Domain Name System server.

    The firm introduced on Feb. 9 a new, Conficker-specific feature. If an
    infected PC on a LAN somehow evaded detection, OpenDNS will prevent it
    from contacting Conficker's control servers. Best of all, admins can
    read a report showing which PC tried to connect to a Conficker server.

    For details, read Dan Gookin's Register article and OpenDNS's
    announcement.

 

SamLinder
Status: Diamond Member (Offline)
Joined: Jul 10 2008
Posts: 1499
How to test your PC for the Conficker Worm

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

 

 

How to interpret:

If you see this above: It probably means this:
All images displayed = Normal/Not Infected by Conficker (or using proxy)
Security/AV logos not displayed = Possibly Infected by Conficker (C variant or greater)
Some security/AV logos not displayed = Possibly Infected by Conficker A/B variant
No images displayed = Image loading turned off in browser?
Any other combination = Poor Internet connection?

 

 

Explanation:

Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.

If you are blocked from loading the remote images in the first row of
the top table above (AV/security sites) but not blocked from loading
the remote images in the second row (websites of alternative operating
systems) then your Windows PC may be infected by Conficker (or some
other malicious software).

If you can see all six images in both rows of the top table, you are
either not infected by Conficker, or you may be using a proxy server,
in which case you will not be able to use this test to make an accurate
determination, since Conficker will be unable to block you from viewing
the AV/security sites.
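
Added example, not code from the Conficker Working Group or from this thread: the same comparison as the eye chart, done in Python with name lookups instead of images. The two host lists are constructed stand-ins for the chart's two rows, and using a DNS lookup as the probe is an assumption based on the earlier point that dotted-decimal addresses still work on an infected PC.

```python
import socket
from urllib.request import getproxies

# Constructed stand-ins for the chart's rows: security/AV sites (row 1)
# and sites of alternative operating systems (row 2).
SECURITY_HOSTS = ("www.f-secure.com", "www.secureworks.com", "www.trendmicro.com")
CONTROL_HOSTS = ("www.openbsd.org", "www.freebsd.org", "www.linux.org")

def resolves(host):
    """True if the local resolver returns at least one address for host."""
    try:
        return bool(socket.getaddrinfo(host, 80))
    except OSError:  # socket.gaierror is a subclass of OSError
        return False

def classify(security, control):
    """Map two {host: reachable} dicts onto the eye chart's verdict table."""
    sec_ok, ctl_ok = sum(security.values()), sum(control.values())
    if sec_ok == 0 and ctl_ok == 0:
        return "no lookups succeeded: offline or DNS down, test not usable"
    if ctl_ok < len(control):
        return "inconclusive: control sites failing, poor connection?"
    if sec_ok == len(security):
        return "normal: not infected by Conficker (or a proxy hides the blocking)"
    if sec_ok == 0:
        return "possibly infected by Conficker (C variant or greater)"
    return "possibly infected by Conficker A/B variant"

def run_check(probe=resolves, proxies=None):
    """Probe both rows; return (verdict, sorted list of failed security hosts)."""
    proxies = getproxies() if proxies is None else proxies
    security = {h: probe(h) for h in SECURITY_HOSTS}
    control = {h: probe(h) for h in CONTROL_HOSTS}
    verdict = classify(security, control)
    if proxies:
        # The chart's caveat: behind a proxy the worm cannot block the sites.
        verdict += " [proxy configured: result unreliable]"
    return verdict, sorted(h for h, ok in security.items() if not ok)

if __name__ == "__main__":
    verdict, failed = run_check()
    print(verdict)
    for host in failed:
        print("  lookup failed:", host)
```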

 


Jfhersey
Status: Member (Offline)
Joined: Apr 10 2009
Posts: 1
Re: OFF topic? 60 minutes warns about Conflicker worm

Hey Can You Send Me The Info On How To Get Rid Of The Conflicker Worm Please

[email protected]

Justin

SamLinder
Status: Diamond Member (Offline)
Joined: Jul 10 2008
Posts: 1499
Re: OFF topic? 60 minutes warns about Conflicker worm
Jfhersey wrote:

Hey Can You Send Me The Info On How To Get Rid Of The Conflicker Worm Please

[email protected]

Justin

See my post #10 above.
