Posts Tagged ‘spyware’

It’s ALIVE! Conficker downloads payload

After skipping out on its April 1 debutante ball, the Conficker worm has returned with a smile and a new payload. The worm has begun to update infected clients with a strain researchers are calling Conficker.E, and this process has revealed some interesting insight into just what may be the worm’s origins.

In a post on Trend Micro’s Countermeasures blog, Rik Ferguson explains what’s going on:

As well as reactivating the original propogation (sic) functionality, this new variant sheds some extra light on possible links with other malware and origins of the worm. This new Downad/Conficker variant is talking to a server which is known already for being associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the “other boot dropping” that we have all been waiting for?

Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?

Conficker’s original method of propagation exploits a hole that Microsoft fixed in October, and this has returned after being removed from March’s -C variant. More interestingly, the new variant is set to delete itself without a trace on May 3.

Breakthrough for Conficker worm

Conficker is basically a gigantic pain in the ass that has exited hibernation to the annoyance of administrators everywhere. The latest variant, Conficker.C, has been viewed as a particularly genius step in an altogether brilliant case study in worm authoring. Capable of evading heuristic detection, IPS filters, blocking AV applications, preventing access to Windows Update and just generally being an asshole to a whole host of solutions, it was believed that tagging and evicting Conficker would be an arduous task.

Enter the breakthrough: Researchers have discovered a misstep in Conficker.C’s design that makes it detectable with the traditional network tool known as nmap. Originally designed as a security tool, nmap is capable of scanning and listing network devices, parameters and services. Unfortunately for Conficker’s author(s), Conficker.C happens to be just such a service, and nmap can detect it with this command:

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

The discovery comes just in the nick of time, as this is the auspicious day in which the newest variant emerges from its beauty sleep to do whatever bogus things it was designed to do.

Companies like McAfee have been quick to piggyback on the discovery by releasing detection tools that sniff for the presence of the worm in a convenient GUI. As the Conficker.C worm prevents access to a whole host of security sites — including all the vendors currently offering a tool — we’ve done you a favor and attached a detection tool to our little update here.

Happy April Fools day.

Download: McAfee Conficker Test

BitDefender releases Conficker vaccination

Conficker is a nasty and enterprising worm that has spawned a $250k bounty for the author’s capture and at least one variant that has evaded the efforts of security firms. The race to defeat Conficker may be at an end, however, as Romanian anti-virus vendor BitDefender has announced a tool that will identify and remove any known variant of the worm.

BitDefender is the first to offer a free tool which disinfects all versions of Downadup and is available for all infected users at: http://bdtools.net. This domain is the first to serve a removal tool without being blocked by the e-threat.

The worm itself is not new; it made its first appearance in late November 2008, known under the names Conficker or Kido, and exploits the vulnerability described in the Microsoft security bulletin MS08-067. After successful exploitation it used to install rogue security software on the infected machine.

Trojan.Zlob author leaves message for Microsoft

The author of the infamous Trojan.Zlob has left a message for Microsoft in a new strain of one of the most long-lived and irritating families of spyware.

For Windows Defender’s Team:
I saw your post in the blog (10-Oct-2008) about my previous message.
Just want to say ‘Hello’ from Russia.
You are really good guys. It was a surprise for me that Microsoft can respond on threats so fast.
I can’t sign here now (he-he, sorry), how it was some years ago for more seriously vulnerability for all Windows ;)
Happy New Year, guys, and good luck!
P.S. BTW, we are closing soon. Not because of your work. :-))
So, you will not see some of my great ;) ideas in that family of software.
Try to search in exploits/shellcodes and rootkits.
Also, it is funny (probably for you), but Microsoft offered me a job to help
improve some of Vista’s protection. It’s not interesting for me, just a life’s irony.

Did I mention that Icrontic has a world-class team of malware fighters that can help you thwart the efforts of asshats like this?

Computer security site Castle Cops is no more

The popular internet security site CastleCops has suspended operations as of December 23rd, 2008. Visitors were greeted with the message below:

Greetings Folks,

You have arrived at the CastleCops website, which is currently offline. It has been our pleasure to investigate online crime and volunteer with our virtual family to assist with your computer needs and make the Internet a safer place. Unfortunately, all things come to an end. Keep up the good fight folks, for the spirit of this community lies within each of us. We are empowered to improve the safety and security of the Internet in our own way. Let us feel blessed for the impact we made and the relationships created.

Firefox nabbed by spyware

Romanian security vendor BitDefender has identified a new strain of malware explicitly designed to attack Firefox by exploiting the popular add-ons feature.

The malware, identified as Trojan.PWS.ChromeInject.A, registers itself as a Firefox add-on and is configured to relay a user’s credentials for more than 100 global financial institutions. Using JavaScript to carry out its function, this new strain poses as the harmless and popular Greasemonkey add-on.

Which AV solutions are the slowest?

Security testing lab AV Comparatives has released its 2008 performance analysis for leading anti-virus solutions. Sixteen different products from wildly different ends of the price scale were pitted head-to-head in a battle to prove which application has the greatest impact on system performance.

China leading target for malware

A Microsoft report released on November 3 reveals that the nation of China is the leading target for malware on the Windows platform.

The Redmond software giant indicated that China’s fascination with interactive web apps has made them the ideal attack vector. Seemingly innocent websites are being loaded with powerful attacks capable of stealing passwords or logging keystrokes.

The report found that a tremendous 47% of all malware was found on or targeted at users with Chinese as the local language. In comparison, just 23% of the attacks compiled in 2008 were targeted at English speakers.

Office Hours 1: Beware of Spylocked

The amount of malware I see on PCs is absolutely absurd; infections to the point where Windows will not even load the welcome screen. These are infections that are so bad that the computer can’t even spawn the basic processes to run essential tasks on the PC. I see infections that are so bad that the OS is irreparably corrupt, requiring a backup on an external hard drive adapter and a reformat to fix the issue.
