April Fools Virus 2009
Asia, Europe, S. America Biggest Conficker Targets
It's still not clear what, if anything, millions of Microsoft Windows systems infected with the much-hyped Conficker worm will do in the next 12 hours, when the systems are expected to seek out new instructions from the worm's author(s). If anything significant does happen, however, it will disproportionately affect PCs and networks in Asia, Europe and South America, and comparatively few systems in North America, new research suggests.
Researchers at IBM's Internet Security Systems say they found a way to decode the encryption that masks the data shared by peer-to-peer communications software planted on all systems infected by Conficker.C. As a result, ISS has been able to begin charting the location of infected systems across the globe.
According to ISS, only 6 percent of the known infections are located in North America, let alone the United States. In contrast, nearly 45 percent of infections are in Asia, while Europe accounts for 32 percent of infected systems. PCs in South America make up about 14 percent of the Conficker.C botnet, the researchers estimate.
Already in parts of the world, Conficker.C systems are polling a random 500 out of some 50,000 pseudo-random domain names in search of software updates or new instructions from the worm's author(s). Security Fix will have additional updates as more information becomes available as to what the Conficker botnet is doing.
The P2P communications method is a new feature not present in the first two versions of the Conficker worm, and it may serve as a backup mechanism by which the worm authors update infected systems, should the security community succeed in its efforts to prevent the registration of those 50,000 domains (the list of Web site names changes daily).
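An added example, not code from the article or from the ISS researchers it quotes, showing one way a defender could spot the behaviour described above from resolver logs: counting, per host and per day, how many distinct names fail to resolve, since a machine polling 500 pseudo-random names of which few or none are registered will generate hundreds of distinct NXDOMAIN answers. The log line format, the threshold and the sample lines are assumptions constructed for this example, not Conficker's own domain-generation algorithm.

```python
from collections import defaultdict

# Assumed resolver-log line format (not a real product's format):
#   "<ISO timestamp> <client ip> <queried name> <rcode>"
def parse_line(line):
    """Return (day, client, name, rcode) or None for a malformed line."""
    parts = line.split()
    if len(parts) != 4:
        return None
    timestamp, client, name, rcode = parts
    day = timestamp.split("T", 1)[0]
    return day, client, name.lower().rstrip("."), rcode

def distinct_nxdomain_per_host(lines):
    """Count distinct non-resolving names per (day, client).
    Distinct names matter: a host retrying one typo ten times is not
    the same as a host walking through hundreds of different names."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[3] == "NXDOMAIN":
            day, client, name, _ = rec
            seen[(day, client)].add(name)
    return {key: len(names) for key, names in seen.items()}

def flag_hosts(lines, threshold=100):
    """Hosts that query at least `threshold` distinct unresolvable names
    in one day. The threshold is an assumption to tune per network."""
    counts = distinct_nxdomain_per_host(lines)
    return sorted({client for (_, client), n in counts.items() if n >= threshold})

def build_sample_log():
    """Constructed sample data: two benign hosts and one that behaves like
    the article's description (500 distinct pseudo-random names per day)."""
    lines = [
        "2009-03-31T10:00:01 10.0.0.5 mail.example.com NOERROR",
        "2009-03-31T10:00:02 10.0.0.5 www.exmaple.com NXDOMAIN",  # a typo
    ]
    # Benign host retrying the same bad name: 10 queries, 1 distinct name.
    lines += ["2009-03-31T10:01:00 10.0.0.9 typo.example.invalid NXDOMAIN"] * 10
    # Suspect host: 500 different constructed names, none of which resolve.
    for i in range(500):
        lines.append(f"2009-03-31T11:{i // 60:02d}:{i % 60:02d} "
                     f"10.0.0.7 c{i:04d}-constructed.example NXDOMAIN")
    return lines

if __name__ == "__main__":
    print(flag_hosts(build_sample_log()))  # ['10.0.0.7']
```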
For the past several months, the so-called "Conficker Cabal" -- a group of security researchers, academics and policy makers -- has banded together to prevent infected systems from downloading additional components or instructions. So far, nobody has observed spam or any other typical cyber crime activity emanating from any Conficker-infected systems, and to date the hope has been that this is because the Cabal has succeeded in preventing Conficker A & B systems not only from downloading software updates, but also from updating themselves to the latest version of Conficker, which includes the P2P communications capability. Only machines infected with Conficker.C are in danger as part of the April 1 threat.
Holly Stewart, threat response manager for X-Force, ISS's research arm, said the company isn't ready to release estimates of the number of systems infected with Conficker.C because it is still gathering data on that front (researchers have estimated that at least 12 million PCs have been infected with the first two versions of the worm). But she said there are signs that at least some percentage of Conficker A & B systems were successfully updated to this latest version.
"Conficker A & B versions used any method they could to spread to as many machines as fast as possible, but we're not seeing much activity at all from those systems anymore," Stewart said. Conficker.C systems don't appear to be spreading either, Stewart said, but they are quite chatty with one another via the P2P mechanism.
"For now [the Conficker.C botnet] is just holding the fort and keeping the lines of communications open," Stewart said.
By Brian Krebs | March 31, 2009; 4:50 PM ET
"Hackers spend 24 hours a day perfecting their craft," Whale said. "People don't even spend an hour a week securing their computers." ---(quoted from Computer worm is no April Fool's Joke)
REMOVAL TOOLS
One thing to note: Conficker blocks infected machines from running removal tools with "Conficker" in the name. So users might have to change the name of the file (once you've saved the tool to your desktop, right-click on it and select "rename") before running it. The program's instructions will let you know if you need to do this. Many antivirus vendors have already changed the names in their removal tools — in some cases calling the file a misspelled variant of "Conficker" — to trick the worm into letting the program run.
Businesses have a bigger challenge, because Conficker has yet another method for evading detection. Once the worm is inside a machine, it applies its own version of the Microsoft patch that fixes the vulnerability Conficker exploited in the first place. So a business running a standard network scan, looking for unpatched machines, might come up empty-handed, even though some computers on the network are infected.
The scans need to take a deeper dive into the machines on the network — something an antivirus vendor's service should enable. For government agencies, contractors and operators of critical infrastructure, the Department of Homeland Security also has released a network-detection tool for Conficker. ---(quoted from baltimoresun.com)
List of Conficker removal programs:
http://www.confickerworkinggroup.org/wiki/pmwiki.php?n=ANY.RepairTools
Homeland Security's announcement of its detection tool:
http://tinyurl.com/c3petb