Conficker cares : M$ offers $250 000 for arrest

jee
Registered User
Posts: 19336
Joined: 03 Jun 2003, 02:00
Location: a hole so deep...

Conficker cares : M$ offers $250 000 for arrest

Post by jee »

Problems with the Conficker worm have become so widespread that Microsoft is putting up $250,000 for information leading to the arrest of the worm's author.

Additionally, Microsoft is collaborating with other industry organizations to form a group to stop the self-replicating worm, which is said to be one of the largest botnets ever created. Among the group's members are Symantec, domain registry organization Internet Corporation for Assigned Names and Numbers (ICANN), America Online and Verisign.
Reports have suggested that as many as 10 million PCs have been infected since Conficker first surfaced in October 2008 as a vulnerability in Windows' remote procedure call (RPC) requests; Microsoft released an out-of-band patch

http://gcn.com/articles/2009/02/13/micr ... eator.aspx

Third party information on conficker:
http://isc.sans.org/diary.html?storyid=5860
"Integrity" and "integer" both contain a Latin root meaning "whole; complete." The root sense, then, is that people may be said to be acting with integrity when their beliefs, words, and actions have a sense of unity or wholeness.
SBSP
Registered User
Posts: 3124
Joined: 09 May 2006, 02:00
Location: Centurion

Re: Conficker cares : M$ offers $250 000 for arrest

Post by SBSP »

LOL That's cool. If I was the worm creator I would give myself up :D

That's about 2.5 bar!


Anyway, I don't understand how they could never find the correct name this worm is connecting to.
As far as I understand it, it connects to thousands of generated domain names, and one of those thousand names is the real domain name hosting more parts of the worm.

Surely if they have an infected PC in a controlled environment with a DNS server, they can always answer requested names with one IP and then log the DNS names generated (they can't be random, as one of the connections must be real).

Then just have another application doing the same requests as the worm does, connect to all those generated names and download until it finds the correct name; it will take a day or two.
And once they have the real DNS name they can see who the registered person is, or if it's dynamic they can see who the service provider is and narrow it down from there?

The full problem is probably deeper than what I'm thinking.
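The sandbox-and-sinkhole approach SBSP sketches above, as an added example that is not part of the original post and is not Conficker's real algorithm: a toy date-seeded domain generator stands in for the worm's, and a DNS query log from a lab host is matched against the day's list. The hash, seed, label alphabet, per-day count, TLD mix and the log format are all assumptions chosen for illustration; the log lines are constructed, not captured.

```python
"""Toy date-seeded domain generation, plus the sandbox check SBSP describes.

Added example, not Conficker's real algorithm: the hash, the seed, the label
alphabet, the per-day count and the TLD list are assumptions chosen to
illustrate the mechanism, and the DNS log below is constructed, not captured.
"""
import hashlib
import re
from datetime import date, timedelta

# Assumed TLD mix; the thread notes the real worm spread its rendezvous
# names over many country-code TLDs, which is what makes takedown hard.
TLDS = ["com", "net", "org", "biz", "info", "ru", "cn", "ro", "ua", "ng"]
PER_DAY = 50_000  # the per-day figure quoted later in the thread


def toy_dga(day: date, count: int = PER_DAY, seed: bytes = b"toy-seed") -> list[str]:
    """Return `count` deterministic domains for `day`.

    Worm and defender both get the same list from the same date, so the
    names are not random in SBSP's sense, but they look random on the wire
    and cannot be predicted without the algorithm and its seed.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label_len = 5 + digest[0] % 8                       # 5..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + label_len])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def blocklist(start: date, days: int, per_day: int = PER_DAY) -> set[str]:
    """Every name a defender must register or sinkhole over `days` days."""
    names = set()
    for n in range(days):
        names.update(toy_dga(start + timedelta(days=n), per_day))
    return names


# Constructed sandbox DNS query log, one "timestamp client query name" per line:
# four names the toy worm would ask for today, plus one ordinary lookup.
SAMPLE_DAY = date(2009, 4, 1)
SAMPLE_LOG = "\n".join(
    f"2009-04-01T00:0{i}:00 10.0.0.5 query {name}"
    for i, name in enumerate(toy_dga(SAMPLE_DAY, 4))
) + "\n2009-04-01T00:09:00 10.0.0.5 query www.example.com\n"

QUERY_RE = re.compile(r"^\S+ (\S+) query (\S+)$")


def queried_names(log_text: str) -> list[str]:
    """Extract the names the sandboxed host asked our DNS server for."""
    names = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            names.append(m.group(2).lower().rstrip("."))
    return names


def find_dga_queries(log_text: str, day: date, count: int = PER_DAY) -> list[str]:
    """Names in the log that are on the generator's list for `day`.

    With a lab DNS server answering every query with one sinkhole IP, this is
    the set of names to register before the worm's author does; anything not
    on the list is ordinary traffic from the sandbox and can be ignored.
    """
    expected = set(toy_dga(day, count))
    return sorted(n for n in queried_names(log_text) if n in expected)


if __name__ == "__main__":
    hits = find_dga_queries(SAMPLE_LOG, SAMPLE_DAY)
    print(f"{len(hits)} of {len(queried_names(SAMPLE_LOG))} queried names are on today's list")
    month = blocklist(SAMPLE_DAY, 30, per_day=1_000)
    print(f"30 days x 1,000/day = {len(month)} names to block (scaled-down run)")
```

The asymmetry the thread circles around is visible in `blocklist`: the worm's author needs to register only one of the day's names, while the defender has to register or sinkhole all of them, every day, across every TLD in the mix. Logging the names from a sandbox only tells you today's list; it does not tell you which one the author will actually use.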
doo_much
Registered User
Posts: 26022
Joined: 13 May 2004, 02:00
Location: Getting there...

Re: Conficker cares : M$ offers $250 000 for arrest

Post by doo_much »

And when they catch him/her?

Job-offer from the FBI/CIA? :twisted:
MOOD - Thirsty

A surprising amount of modern pseudoscience is coming out of the environmental sector. Perhaps it should not be so surprising given that environmentalism is political rather than scientific.
Timothy Casey
Frozenfireside
Registered User
Posts: 2618
Joined: 26 Apr 2007, 02:00
Location: Westcliff, Johannesburg

Re: Conficker cares : M$ offers $250 000 for arrest

Post by Frozenfireside »

doo_much wrote:And when they catch him/her?

Job-offer from the FBI/CIA? :twisted:
No. They used to do that, now it's straight to jail.
Soon Google will know everything...including how to divide by zero :(
Hex_Rated
Registered User
Posts: 3679
Joined: 19 Jan 2006, 02:00

Re: Conficker cares : M$ offers $250 000 for arrest

Post by Hex_Rated »

For a long time...

Then you might get employed as a security analyst. Only after you've been analysed in the pen.
DFI LanParty X48 LT-2TR
Intel Q9450 @ 3.2Ghz
Dell 24" 2408WFP | Phillips 37" 1080p
Sapphire HD4870 X2 2GB
4GB Corsair DDR-2 1066 | Thermalrite 120 Ultra Extreme | G9 Mouse | G15 Keyboard
Vista Ultimate x64
Synthesis
Registered User
Posts: 14517
Joined: 25 May 2006, 02:00
Location: Location, Location

Re: Conficker cares : M$ offers $250 000 for arrest

Post by Synthesis »

For the paranoid:

here's a MS patch you should run for the conficker worm:
http://www.microsoft.com/technet/securi ... 8-067.mspx

And a free vaccine to prevent anything jumping to your USB drives: http://www.pandasecurity.com/usa/homeus ... sbvaccine/

Source: http://news.cnet.com/8301-1009_3-10204590-83.html

:wink: Good luck peeps, the clock is ticking.

jee
Registered User
Posts: 19336
Joined: 03 Jun 2003, 02:00
Location: a hole so deep...

Re: Conficker cares : M$ offers $250 000 for arrest

Post by jee »

to spend energy or not to spend energy... hmmm that is the question ;)

http://mtc.sri.com/Conficker/addendumC/

sometimes i wonder if we can differentiate between paranoid and playing safe?
jee
Registered User
Posts: 19336
Joined: 03 Jun 2003, 02:00
Location: a hole so deep...

Re: Conficker cares : M$ offers $250 000 for arrest

Post by jee »

SecureWorks senior researcher Joe Stewart is the latest good-guy coder to downplay the significance of millions of Conficker-infected PCs calling home on April 1. Stewart, who gave up bass guitar to become a virus hunter, says 3 million or so infected PCs checking in daily at a fresh list of 50,000 Web domains scattered around 110 top-level domains is “not so scary.”

Though SecureWorks was not invited to become a member of the Microsoft-led Conficker Cabal, Stewart says the Cabal ought not be underestimated. “These are the security industry’s heavy-hitters,” says Stewart. “And you can be sure they are working diligently to mitigate the domain issue.”

But Sophos researcher Chet Wisniewski points out that if a large percentage of infected PCs successfully dial home on April 1, here's what the bad guys will have achieved:

--A proven way to get Conficker-infected PCs to randomly check in at a possible 1.5 million rendezvous points a month (50,000 domains X 30 days).

--A proven way to incorporate 110 top-level domains into that mix. Not just .com, .net, .biz and .org. But also .ru (Russia), .cn (China), .ro (Romania), .ua (Ukraine), .ng (Nigeria) and dozens of other nations unlikely to co-operate with the Cabal in shutting down Conficker rendezvous points.

--A robust, automated technique to use the Internet to push out instructions to millions of Conficker-infected PCs.

“They’re betting we’re not going to be able to register all those domains and block their access to them,” says Wisniewski.
http://blogs.usatoday.com/technologyliv ... -worm.html
jee
Registered User
Posts: 19336
Joined: 03 Jun 2003, 02:00
Location: a hole so deep...

Re: Conficker cares : M$ offers $250 000 for arrest

Post by jee »

http://isc.sans.org/diary.html?storyid=6097

Interesting
Locate Conficker infected hosts with a network scan!
Published: 2009-03-30,
Last Updated: 2009-03-30 22:15:31 UTC
by Daniel Wesemann (Version: 4)

The Honeynet Project has discovered an anomaly in Conficker that makes it possible to detect infected hosts with an elaborate fingerprint scan over the network. This is great news if you suspect an infection and have no other means to check, or if you simply want to double-check information that your other defense mechanisms (IDS, AntiVirus, etc) provide.

The write-up and scanning tool are available on the Honeynet Website.
Nessus Plug-In 36036: www.nessus.org
Instructions on how to scan for Conficker with NMAP: http://www.skullsecurity.org/blog/?p=209 . http://seclists.org/nmap-dev/2009/q1/0869.html has specific tips on how to scan large networks with the new NMAP feature.

Be careful when searching for any of these tools with a search engine. A good part of the search results returned on the keyword "Conficker" are scare-ware and fake anti-virus that try to cash in on the Conficker scare. We have a summary of removal tools with links available on isc.sans.org/conficker

The Honeynet project have also published a new write-up at http://www.honeynet.org/papers/conficker
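Once the NMAP scan above has been run across a large network, the useful output is a short list of hosts to isolate. As an added example (not the Honeynet Project's, the ISC's or nmap's code), the block below triages an nmap XML report (`-oX`) by reading the per-host result of the `smb-check-vulns` script and sorting hosts into infected, clean, unknown and no-result. The XML sample is constructed for this example, and the exact result strings it carries are assumptions: the only thing the parser relies on is that a positive hit contains the word INFECTED on the "Conficker:" line.

```python
"""Triage of nmap XML output after a Conficker fingerprint scan.

Added example, not the Honeynet Project's or nmap's code. It assumes the
scan was saved with `nmap -oX` and that the host script's output has one
"Key: Value" line per check; the XML and result strings are constructed.
"""
import xml.etree.ElementTree as ET

SCRIPT_ID = "smb-check-vulns"  # assumed script name for this example

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely INFECTED&#10;"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN&#10;"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.0.2.12" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: UNKNOWN; got error from server&#10;"/>
    </hostscript>
  </host>
  <host><status state="down"/>
    <address addr="192.0.2.13" addrtype="ipv4"/>
  </host>
</nmaprun>
"""


def parse_results(xml_text: str) -> dict[str, dict[str, str]]:
    """Map each scanned IPv4 address to the "Key: Value" lines the script printed.

    A host that was down, or where the script produced nothing, gets an
    empty dict so that it still shows up in the report.
    """
    results: dict[str, dict[str, str]] = {}
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        fields: dict[str, str] = {}
        for script in host.iter("script"):
            if script.get("id") != SCRIPT_ID:
                continue
            # Character references in the attribute survive XML parsing as
            # real newlines, so the output splits back into one line per check.
            for line in script.get("output", "").splitlines():
                key, sep, value = line.strip().partition(":")
                if sep:
                    fields[key.strip()] = value.strip()
        results[addr.get("addr")] = fields
    return results


def verdict(fields: dict[str, str]) -> str:
    """Reduce one host's script output to a single triage bucket."""
    if not fields:
        return "no-result"
    conficker = fields.get("Conficker", "").upper()
    if "INFECTED" in conficker:
        return "infected"
    if "CLEAN" in conficker:
        return "clean"
    return "unknown"  # errors, timeouts: rescan before trusting either way


def triage(xml_text: str) -> dict[str, str]:
    return {ip: verdict(fields) for ip, fields in parse_results(xml_text).items()}


def hosts_with(xml_text: str, bucket: str) -> list[str]:
    return sorted(ip for ip, v in triage(xml_text).items() if v == bucket)


def unpatched_hosts(xml_text: str) -> list[str]:
    """Hosts the same scan reports as still vulnerable to MS08-067 (patch them first)."""
    return sorted(
        ip for ip, fields in parse_results(xml_text).items()
        if fields.get("MS08-067", "").upper().startswith("VULNERABLE")
    )


if __name__ == "__main__":
    for bucket in ("infected", "unknown", "clean", "no-result"):
        print(f"{bucket:10s} {', '.join(hosts_with(SAMPLE_XML, bucket)) or '-'}")
    print("unpatched  " + ", ".join(unpatched_hosts(SAMPLE_XML)))
```

The "unknown" bucket matters as much as "infected" on a large scan: a host that answered with an error rather than a clean or infected fingerprint has told you nothing, and the ISC note above about double-checking with IDS and antivirus applies to it. Hosts still reporting MS08-067 as vulnerable are the ones the worm will reach next, whatever their current state.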
jee
Registered User
Posts: 19336
Joined: 03 Jun 2003, 02:00
Location: a hole so deep...

Re: Conficker cares : M$ offers $250 000 for arrest

Post by jee »

The effective size of the Conficker botnet might be far smaller than previously thought.

Last week machines infected with the latest variant of Conficker began to download additional components - files associated with the rogue anti-malware application SpywareProtect2009 and a notorious botnet client, Waledac - via the worm's built-in P2P update mechanism.

Security researchers at Kaspersky Lab have developed an application that analyses the P2P network communications associated with the malware. Over a 24-hour observation period, Kaspersky analysts spotted 200,652 unique IP addresses participating in the network, far fewer than initial estimates of infected Conficker hosts that ran into the millions.

However Kaspersky notes that the low volume is explained by the fact that only the latest variants of the worm are communicating via the monitored P2P network. In addition, only a minority of the nodes infected with earlier variants of the worm have been updated to the latest version.

A more detailed analysis, including geographical breakdown of compromised hosts, can be found on Kaspersky's blog here
http://www.theregister.co.uk/2009/04/17 ... 2p_update/