Beware! Who wants the Conficker worm on April 1st?

[that dude]

What won't work? Turning your PC off tonight and back on on April 2 will not protect you from the worm (sorry to the dozens of people who wrote me asking if this would do the trick). Temporarily disconnecting your computer from the web won't help if the malware is already on your machine -- it will simply activate once you connect again. Changing the date on your PC will likely have no helpful effect, either. And yes, Macs are immune this time out. Follow the above instructions to detect and remove the worm.

Source: http://tech.yahoo.com/blogs/null/132464

id be leary to click on that link on april fools

[NinjaNick]

Srsly? Or you April Foolin' us? Kind of like the Ctrl+W and Alt+F4 routines?

I'd prefer to just never restart my computer ever again.

I did mine. No, I'm not lying. It says right in that article link from yahoo I just posted. I don't think I've participated in anything April Fools since HighSchool.

[Disclaimer]

Ok, I lied. The real reason is that I can't get away from ORDN long enough to go through a restart...it's painful.

[NinjaNick]

I lied too...I won't reboot until I log off here...haha.

It's true though, but I'm not doing it yet, because I'm socializing with you buttheads.

[that dude]

wow

[NinjaNick]

WHOA!

[OsuMj]

hrrmmm... any new news??

[RC51 John]

Why does my computer show I'm send a continuous 230Kb data?

[InyaAzz]

Look folks..

If you can update with windows update, you're fine. The worm shuts down the ability to update.

Just because nothing happens today, doesn't mean something won't happen. It's a zombie network...when the owner decides it's time to act, it will act. The ONLY thing that this code was supposed to do today was change the way it updated.

The way these things work, is that they lay low..and slow. They keep quiet and don't draw attention to themselves. This was a network created to make money..and you can't make money if you draw attention to yourself.

[Cdubyah]

Look folks..

If you can update with windows update, you're fine. The worm shuts down the ability to update.

Just because nothing happens today, doesn't mean something won't happen. It's a zombie network...when the owner decides it's time to act, it will act. The ONLY thing that this code was supposed to do today was change the way it updated.

The way these things work, is that they lay low..and slow. They keep quiet and don't draw attention to themselves. This was a network created to make money..and you can't make money if you draw attention to yourself.

Agreed.

Problem is I think the creator got a wee bit greedy. The bug went widespread, thus causing microsoft, and security companies to start taking a closer look.

Really if you can update, and your virus protection can update, you should be fine.

[InyaAzz]

gay porn again

That was our secret.

[InyaAzz]

Agreed.

Problem is I think the creator got a wee bit greedy. The bug went widespread, thus causing microsoft, and security companies to start taking a closer look.

Really if you can update, and your virus protection can update, you should be fine.

Quoted for truth

[John]

What 60 Minutes didn't say last night is that this is only on Window's machines. And Microsoft has already had a patch fix out for this malware. If your Window's machine is up to date and has the latest patches then you'll be fine.

We have been laughing about that 60 minutes piece all day today. We watched it online and had some good laughs at the expense of CBS.

why would they mention that though? they dont want people to know that there are other options out there than windows. some of them are even FREE (gasp!)

especially with however much money MS spends on advertising on CBS. there were like 3 MS ads every commercial break during the tourney.

id wager it probably WAS mentioned, but edited out. when they were talking to that symantec guy, you could see his computer was running linux

[chrisknight]

Changing the Date on your computer wont help, the worm checks various public NTP servers.

Unplugging your PC will not help. The worm will still be there willing to infect any PC not patched when you plug back in.

Best advise, keep your PC's behind a NATing router, keep your PC's patched with microsofts update site, and keep your virus definitions updated.

MS patch for conficker is KB958644. See if you have it in Control panel, Add/Remove programs, check 'show updates.

Fsecure.

Q: I heard something really bad is going to happen on the Internet on April 1st! Will it?

A: No, not really.

Q: Seriously, the Conficker worm is going to do something bad on April 1st, right?

A: The Conficker aka Downadup worm is going to change it's operation a bit, but that's unlikely to cause anything visible on April 1st.

Q: So, what will it do on April 1st?

A: So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing.

Q: The latest version? There are different versions out there?

A: Yes, and the latest version is not the most common. Most of the infected machines are infected with the B variant, which became widespread in early January. With B variant, nothing happens on April 1st.

Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st?

A: No.

Q: I'm running a Mac, is something going to happen to me?

A: No.

Q: So… this means that the attackers could use this download channel to run any program on all the machines?

A: On all the machines that are infected with the latest version of the worm, yes.

Q: But what's this peer-to-peer functionality I've heard about?

A: The worm has some peer-to-peer functionality which means that infected computers can communicate with each other without the need for a server. This enables the worm to update itself without the need for any of the 250 or 50,000 domains.

Q: But doesn't that mean that if the bad guys wanted to run something on those machines, they don't need to wait for April 1st?

A: Yes! Which is another reason why it's unlikely anything major will happen on April 1st.

Q: Is there going to be media hype?

A: Oh yes. Like there always is when a widespread worm has a date trigger. Think cases like Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).

Q: But in those cases nothing much happened even though everybody expected something to happen!

A: Exactly.

Q: So, should I keep my PC shut down on April 1st?

A: No. You should make sure it's clean before April 1st.

Q: Can I change the date on my machine to protect me?

A: No. While the worm uses the local system time for certain parts of its update functionality it doesn't exclusively rely on that.

Q: I'm confused. How can you know beforehand that there will be a global virus attack on April 1st? There must be a conspiracy here!

A: Yes, you're confused. There is not going to be a "global virus attack". The machines that are already infected might do something new on April 1st. We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do.

Q: Would the downloaded program execute with admin privileges?

A: Yes, with local admin rights. Which is pretty bad.

Q: And they could download that program not just on April 1st but also on any day after that?

A: Correct. So there's no reason why they wouldn't do it on, say, April 5th instead of April 1st.

Q: Ok, they could run any program. To do what?

A: We don't know what they are planning to do, if anything. Of course, they could steal your data, send spam, do DDoS, et cetera. But we don't know.

Q: They? Who are they? Who's behind this worm?

A: We don't know that either. But they seem to be pretty professional in what they do.

Q: Professional? Is it true that Conficker is using the MD6 hash algorithm?

A: Yes. This was probably one of the first real-world cases where this new algorithm was used.

Q: Why can't you just infect a PC, set the clock to April 1st and see what happens?

A: That's not the way it works. The worm connects to certain websites to get the time-of-day.

Q: Oh yeah? Then shut down the websites where it gets the time-of-day and the problem will go away!

A: Can't. These are websites like google.com, yahoo.com and facebook.com.

Q: But surely you could spoof google.com in the lab to get a honeypot machine to connect to a download site today!

A: Sure. And the download sites do not have anything to download, today. They might, on April 1st. Or they might not.

Q: Now I'm worried. How do I know if I'm infected?

A: Try to surf to www.f-secure.com. If you can't reach our website you might be infected, as Downadup/Conficker blocks access to security vendor's websites. Don't tell anybody, but users who can't access f-secure.com because of this can surf to www.fsecure.com instead.

Q: Where does the name "Conficker" come from?

A: Conficker is an anagram of sorts from trafficconverter – a website to which the first variant was connecting.

Q: Why does the worm have two names – Downadup and Conficker?

A: It was found at about the same time by multiple security companies and therefore got multiple names. Today most companies use the name Conficker. There's further confusion about the variant letters among vendors. We're all sorry for that.

Q: How many computers are currently infected by Downadup/Conficker?

A: About 1-2 million. How many of those are infected with the latest version? We don't have an exact count.

Q: How is the industry reacting to all this?

A: We reacted by setting up the Conficker Working Group. Members include security vendors (including us), registrars, research units and so on.

Q: I want more technical details on the worm.

A: Sure. Here's our description, and here's SRI's excellent writeup.

Q: When was the first variant of Downadup/Conficker discovered?

A: It was found on November 20, 2008.

Q: More than four months ago? I want a time line on what happened when.

A: Byron Acohido has one.

Q: Is this all just an April Fools joke?

A: No, it's not. And although we don't think anything will happen on this particular date, Conficker is nothing to laugh about. The gang behind this is serious and we should not underestimate them. The fact that we don't know for real what they are really after just makes it all a bigger mystery.

Q: Is F-Secure able to detect and block this malware?

A: Yes.

Q: Do you have cleaning tool available?

A: Yes, and it's free. Click here to get it.

Q: Are you going to follow this through?

A: Yes. Stay tuned for updates.

Edited April 1, 2009 by chrisknight

[chrisknight]

I would install superantispyware removal tool to help with spyware:

http://www.superantispyware.com/superantispywarefreevspro.html

Its free and of the best. Run it NOW!

Also, instead, malwarebytes.

http://www.malwarebytes.org/

These do not replace your antivirus software.

Run Labrea: (advanced users only)

http://labrea.sourceforge.net/

Your ISP would be pissed if you run this on your public interface as it grabs up unused IP addresses from their DHCP server.

Run it on your internal subnet, its fun...

Edited April 1, 2009 by chrisknight

[V4junkie]

Thanks for posting the FAQ, that was a good read.

[cbrjess0815]

my computer at home had some kinda virus... I updated my protection and it went away... my first virus. Gosh thats annoying as fuck!

[chrisknight]

my computer at home had some kinda virus... I updated my protection and it went away... my first virus. Gosh thats annoying as fuck!

Run a superantispyware scan on it as well... You'll be surprised at what it finds...