Conficker zombies celebrate 'activation' anniversary
Anti-climactic Downadup gets one bump
Thursday marks the first anniversary of the much hyped Conficker trigger date. Little of note happened on 1 April 2009 and machines infected by Conficker (aka Downadup) remain largely dormant, but an estimated 6.5 million Windows PCs remain infected with the threat.
These machines are "wide open to further attacks", net security firm Symantec warns.
The rascals behind the worm remain unknown and the purpose of the malware unclear. Some in the anti-virus industry, such as Raimund Genes, CTO of Trend Micro, reckon the malware was designed to distribute scareware (fake anti-virus scanners designed to nag victims into buying software of little or no utility, often on the basis of false warnings of Trojan infection).
Machines infected with the C variant of Conficker subsequently became infected with Spyware Protect 2009 (a scareware package) and the Waledac botnet client, a factor that supports this theory. Infected machines are closely monitored by law enforcement and by members of the Conficker Working Group, a factor that goes a long way towards explaining why crooks have not used the huge botnet under their control to send spam, launch a denial of service attack or any other form of high visibility attack.
The first version of Conficker began spreading in November 2008, initially using a recently patched Microsoft Windows vulnerability to infect systems. Later its capability of jumping from infected USB sticks onto PCs or via weakly secured network shares became more important. Early victims included the Houses of Parliament, the Ministry of Defence and Manchester City Council.
More recently Greater Manchester Police, which was forced to unplug itself from the Police National Computer for five days in February in order to carry out a clean-up operation, and several hospitals in the UK were laid low by Conficker. Orla Cox, security operations manager at Symantec Security Response, said that “Conficker may not be the biggest known botnet on the block, but it still has the potential to do serious harm”.
Approximately 6.5 million systems are still infected with either the A or B variants of Conficker. The C variant, which used a P2P method of spreading, has been slowly dying out over the past year as victims clean up their systems.
Around 210,000 machines are reckoned to be infected with this variant, down from an April 2009 peak of 1.5 million victims. Another variant, Conficker-E, emerged on last April but was programmed to delete from infected systems a month later and has all but disappeared.
Symantec has published a video charting the evolution of Conficker. The clip also runs through a list of suggested countermeasures, such as keeping systems fully patched and running up to date anti-virus (natch). ®
Forget about robbin' banks or pimping, I want my own botnet
Actually, I don't want either, but one can see the temptation.
i have info on the hackers. been fighting since 2008 aug
i dont care if i get introuble, but the hacker that was building the worm as i kept finding its flaws came from a service called windstream. he had a copy of windstream also that had a pixel error in the scripts on the main page. i dunno if thats related to the mouse jumps at the begining.
i went through extreme caution to avoid wrongful accusations. ill tell you why i know hes the original hacker.
first thing i noticed in monitoring is that windstream.net was used more than all the other ips combined. he was as a remote connection using port 80 going to sites i never went to.
2nd, windstream was one of the original strings in memory that was monitored and kicked him off at that time each time it was typed. you can see the asterixs disapear.
3rd was when i finally got a successful text out to a community site and mentioned windstream started a panic in the hacker who atttempted to shut down the worm shortly after april first. it came back 3 days later.
also the hashcodes when avail showed that the hacker was best buddies with windstream personel. this may be cause he was using root certs he made that was injected into netscape on the first master boot record that allowed him to email anyone as a support agent of microsoft.
I'm sure they are
"These machines are "wide open to further attacks", net security firm Symantec warns."
I assume your sales desk is open too, for the purchase of security software which help mitigate the threat, or not as the case may be!