
Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

Conficker Worm - More Potent MS08-067 attacks on unpatched systems

Malicious authors have kept developing MS08-067 worms at lightning speed since Microsoft made this security patch available on October 23, 2008.  The latest development ramps up the danger: this new worm deletes system restore points, creates a backdoor to download more malicious code, and even patches the RPC vulnerability to further disguise its presence.  One practical consequence of that last trick is that a network vulnerability scan may report an infected host as no longer exploitable, so confirm patch status from the list of installed updates on the machine rather than from scan results.

While AV protection and firewalls can mitigate attacks on port 445, the best defense is to ensure all PCs are up to date with Microsoft security updates.  For example, an unpatched PC can become infected if its firewall fails or isn't active while it is connected to the Internet.  If this worm is present on a laptop, it can infect unpatched corporate servers and PCs once that laptop joins the intranet, if internal firewall controls are missing.

This new worm represents the most advanced MS08-067 attack to date.  As every link below notes, it's important to PATCH NOW if you have any systems that don't have this update.

New malware using an ms08-067 exploit gained momentum
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.avertlabs.com/research/blog/index.php/2008/11/25/further-067-woes/
http://blog.trendmicro.com/ms08-067-vulnerability-botnets-reloaded/
http://isc.sans.org/diary.html?storyid=5401

QUOTE: First let me say, “PATCH your systems” if you have not done so already! Seriously, you and your machines are sitting ducks for attacks such as MS08-067, which we learned about from Microsoft last month. This type of attack is especially dangerous if your Windows Updates or security products are not up to date. Microsoft released its out-of-cycle emergency patch on the 23rd of October–more than one month ago–so you have no excuse today for being at risk!

According to the description in our Virus Information Library, W32/Conficker.worm decides how it will load itself as a Windows Service depending on whether the compromised version of Windows is Windows 2000. Once loaded in the service space, the worm attempts to download files from the Internet.

The worm continues by setting up an HTTP server that listens on a random port on the victim’s system while hosting a copy of the worm. It then scans for new vulnerable victims to exploit, at which point the new victim will download the worm from the previous victim and so on.

W32/Conficker.worm Detailed Information
http://vil.nai.com/vil/content/v_153464.htm
http://www.f-secure.com/v-descs/worm_w32_downadup_a.shtml
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.symantec.com/security_response/writeup.jsp?docid=2008-112203-2408-99&tabid=2
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FDOWNAD%2EA&VSect=P
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A

Trend - Behavioral Diagram
http://www.trendmicro.com/vinfo/images/blog/DOWNAD123.jpg
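The propagation pattern described above gives a network defender two things to look for in firewall or flow logs: one host opening tcp/445 to many different machines (the scan for MS08-067 targets), and a freshly hit machine connecting back to the scanner on a random high port (the new victim pulling the worm body from the previous victim's HTTP listener).  The script below is an added example written for this page; it is not code from the original post or from any of the vendors linked here.  The log line format, the sample lines, the five-target threshold, the 60-second window and the rule that "random port" means a port at or above 1024 are all assumptions made for the illustration, to be adapted to whatever log source you actually have.

```python
"""Flag Conficker-style MS08-067 propagation in connection logs.

Added example for this page (not the original post's code).  Assumed log
format, one connection per line:
    <ISO-8601 timestamp> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <action>
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)\s+(?P<proto>\w+)\s+(?P<action>\w+)$"
)

# Constructed sample (not a real capture): 10.0.0.5 sweeps six hosts on 445,
# 10.0.0.20 then fetches the worm body back from 10.0.0.5 on a random high
# port; 10.0.0.9 is ordinary file-share and web traffic.
SAMPLE_LOG = """\
2008-12-01T09:00:01 10.0.0.9:1030 -> 10.0.0.2:445 tcp allow
2008-12-01T09:00:03 10.0.0.5:1043 -> 10.0.0.17:445 tcp allow
2008-12-01T09:00:03 10.0.0.5:1044 -> 10.0.0.18:445 tcp deny
2008-12-01T09:00:04 10.0.0.5:1045 -> 10.0.0.19:445 tcp allow
2008-12-01T09:00:04 10.0.0.5:1046 -> 10.0.0.20:445 tcp allow
2008-12-01T09:00:05 10.0.0.5:1047 -> 10.0.0.21:445 tcp allow
2008-12-01T09:00:05 10.0.0.5:1048 -> 10.0.0.22:445 tcp deny
2008-12-01T09:00:09 10.0.0.20:1099 -> 10.0.0.5:6543 tcp allow
2008-12-01T09:00:12 10.0.0.9:1031 -> 10.0.0.2:80 tcp allow
2008-12-01T09:01:30 10.0.0.2:1200 -> 10.0.0.9:8080 tcp allow
"""


def parse(log_text):
    """Parse connection records; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "src": m["src"], "dst": m["dst"],
            "dport": int(m["dport"]),
            "proto": m["proto"].lower(), "action": m["action"].lower(),
        })
    return sorted(events, key=lambda e: e["ts"])


def smb_scanners(events, min_targets=5):
    """Sources that opened tcp/445 to at least `min_targets` distinct hosts.

    Denied attempts count too: a blocked scanner is still an infected host.
    Returns {src_ip: number_of_distinct_targets}.
    """
    targets = defaultdict(set)
    for e in events:
        if e["proto"] == "tcp" and e["dport"] == 445:
            targets[e["src"]].add(e["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= min_targets}


def pullback_pairs(events, window=timedelta(seconds=60), min_port=1024):
    """(attacker, victim) pairs where, within `window` of attacker -> victim:445,
    the victim connects back to the attacker on a port >= `min_port`.

    This is the new victim downloading the worm from the previous victim's
    HTTP server on a random port.  Only allowed connections count, since a
    blocked download means the worm body never arrived.
    """
    hits = []          # (ts, attacker, victim) for every tcp/445 attempt
    found = set()
    for e in events:   # events are time-ordered, so hits precede pull-backs
        if e["proto"] != "tcp":
            continue
        if e["dport"] == 445:
            hits.append((e["ts"], e["src"], e["dst"]))
        elif e["dport"] >= min_port and e["action"] == "allow":
            for ts, attacker, victim in hits:
                if (e["src"], e["dst"]) == (victim, attacker) and e["ts"] - ts <= window:
                    found.add((attacker, victim))
    return found


def report(log_text):
    """Both signals for a log blob: scanning sources and exploited pairs."""
    events = parse(log_text)
    return {"scanners": smb_scanners(events), "pullbacks": pullback_pairs(events)}


if __name__ == "__main__":
    for key, value in report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The two signals answer different questions.  The 445 fan-out identifies the infected source, whether or not a host firewall is blocking it; the pull-back identifies which target actually accepted the exploit and fetched the worm, which is the machine to pull off the network and clean first.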


Time to PATCH NOW if there are any servers or PCs that are not up to date with Microsoft security releases.  Home users can use the Windows Update process.  More information can be found in the link below:

MS08-067 Security Patch Information
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Comments

Harry Waldron - Corporate and Home Security said:

This latest development is troubling in that many folks still are not staying up-to-date on Microsoft

# December 4, 2008 2:03 PM


ifan said:

Thanks. By the way, recently my office got hit with the W32 Conficker worm. Is there anything I can do to patch Windows with the infection still existing on all computers? How can I remove the threats before I install the security patch from Microsoft? Thanks.

ifanefe@yahoo.com

# December 25, 2008 10:57 PM


Harry Waldron said:

Hi Ifan - There are numerous free cleaning tools that can be found on this site.  Look for a standalone removal tool.  Then apply the MS08-067 patch to prevent reinfection.

GREAT SITE FOR FREE VIRUS REMOVAL TOOLS

(see links on left top side -- "Free Protection and Removal Tools")

www.virusintel.com/tiki-index.php

Free specific tools for Conficker removal below.

www.google.com/search

# December 29, 2008 8:29 AM

smoothtopper said:

I believe my fiancee's PC may be infected with this worm.  I recently cleaned up her system, but have been unable to download Windows updates.  Is this a potential symptom of the Conficker worm?   I have followed all the recommended methods to manually restart automatic downloads but nothing has worked.

I want to get the latest updates on her system, but need to overcome this obstacle before doing so.  Thanks in advance for your recommendation(s).

# January 27, 2009 9:30 AM

Harry Waldron said:

Yes, this appears to be symptomatic of the more potent "B" version, or ADDITIONAL malware may still be present ... Suggestions:

-- Create a CD that has a number of good cleaning tools on it (F-Secure Standalone remover, MSRT, etc ... references in blog)

-- Make sure the MS08-067 standalone patch is on the CD

-- Keep PC unplugged from Internet (so no more malware is present)

-- Clean PC

-- Apply MS08-067 to PC and reboot afterwards

-- Test for any additional malware with updated AV

-- For 2nd opinion use housecall.trendmicro.com or other sites

-- Test Windows Update capabilities after cleaning

You can apply some of the principles documented here, including some good research and reading as step #1:

msmvps.com/.../conficker-cleaning-tips-for-corporate-users.aspx

# January 28, 2009 10:52 AM

Sushil M said:

The same virus infected my network also. What we did first was block port 445 through our antivirus software for all the desktops. Second, we installed the Fortigate desktop client on all the systems, monitored the services hitting the systems and blocked the unnecessary services, which helped me to stop the broadcasting. Third, we patched all the systems with the latest Microsoft patch and updated the antivirus. This helped to control the spreading of the virus.

# February 8, 2009 12:45 AM

Geo said:

My computer got hit and hit hard; I have to reinstall Windows. My system, despite several cleaning attempts, patch install, etc. and the removal programs telling me the system is okay, is still showing symptoms (security software not updating, sites that could help me not showing, etc.). The little *** is still in there and now I have to nuke/reinstall everything to kill it. If I ever find out who wrote this they won't have to give me any bounty money on this guy; I'll GIVE him to Microsoft...

# February 16, 2009 9:23 AM

Thor said:

If the cleaning tools fail, restart the machine into safe mode and run the cleaning tool again.  Then reapply the patch while in safe mode.  Reboot and then update antivirus.

# February 25, 2009 3:51 PM

Horus-anubi-ra said:

I've found these on this website that can protect your system. Just thought I'd share it.

# March 31, 2009 12:49 PM

sp said:

Is not being able to redownload your windows part of this virus?

# March 31, 2009 4:24 PM


Ranny said:

Is there a way to tell if my pc has been infected? I have McAfee Security Center installed and it is up to date. I tried to apply MS08-067 and the download stalled during installation process. Cancelled the install and it has been sitting at cancelling updates for over 12 hours.

# April 1, 2009 6:38 AM

Rajeev said:

Can someone please mail me the Microsoft Malicious Software Removal Tool? I cannot connect to the Microsoft site for the update due to Conficker. My mail id - awasthi_r@hotmail.com

# April 1, 2009 8:19 AM

sean sebastian said:

buy a mac and forget about this kind of stuff. I am a mac developer and have yet to find one virus for mac that actually gets through to your personal information.  100,000 viruses a year are written for windows. So why does windows vista cost over $300.00. What exactly are you PC's paying for.     I think the new microsoft commercials should say "I'm a PC and I need a doctor".

# April 1, 2009 4:45 PM

MicrosoftEmployee said:

Yes, everyone, Microsoft and web servers were hit offline today due to this dirty virus. My computer was hit but it was removed with Microsoft's strong support...

Need any information on their whereabouts on Conficker? Msg me!

On this website, and I will reply back with an answer...

# April 2, 2009 12:16 AM

MicrosoftEmployee said:

Release update for the Conficker worm... Go to the website or use this link to keep your computer clear of such viruses. This isn't even out to the public, but since I work at Microsoft I'm going to leak the update for those who need it.

www.microsoft.com/.../details.aspx

# April 2, 2009 12:33 AM

A guy said:

Haha, my PC got hit, well, my family's did, BUT I USE A MAC and do they get them? NO! Bahaha, sorry little PC fanboys, your computers SUKZ! I know why Bill Gates wants to leave, because he's the BAIT, Bill Baits!!!

# April 2, 2009 4:14 AM

Shaquana alazay ferrari malaysia jones said:

This worm is horrible

# April 2, 2009 10:05 AM

Jack said:

My brother told me that Conficker can erase all your memories and take all your credit card numbers; he also said that the only computers that cannot be infected are Macs. Is any of this true?

# April 2, 2009 3:58 PM

Harry Waldron said:

>> Jack said: My brother told me that Conficker can erase all your memories and take all your credit card numbers; he also said that the only computers that cannot be infected are Macs. Is any of this true?

Hi Jack - Your brother was close on some aspects of what this worm will do.  It can erase all system restore points, prevent your system from being updated, and prevent access to security sites.  While Conficker won't transmit credit card information directly, it does open up security so that other malware can be added (which could include keyloggers transmitting sensitive personal info).

Finally, this is only a Windows virus and Mac/Linux systems are safe from this worm.

# April 3, 2009 2:03 PM

neilosak said:

Can we delete this in the command prompt? Can HijackThis delete this worm?

# April 9, 2009 10:23 AM

Chris said:

Well, I don't care about these viruses or spywares because I have the tech guys of IT24BY7 with me. I have their unlimited support plan and whenever I have any issues with my laptop I just contact them, and they fix the problem within minutes.

They have officially announced their support for Conficker Worm affected computers:

it24by7.com/confickerworm.aspx

These guys are simply awesome, I trust them and I recommend their computer service to everyone.

# April 13, 2009 2:50 PM

Shadow said:

Any chance that a mac gets infected? *scary*

# April 22, 2009 12:37 AM

Internetshadow000 said:

I have been lucky so far with conflicker not getting to my computer, though a friend of mine may have had their computer infected. I recommend McFaee (sorry i know I spelt it wrong) they and Norton can both remove the worm through normal on-demand scans.

# May 4, 2009 11:03 AM
