The 411 on Conficker B++

There’s a lot of tech jargon when reporting the new variant of the Conficker worm, Conficker B++. We’ll skip it.

We previously reported on the miseries of the Conficker worm, AKA W32.Downadup.B: think locking you out of system directories, blocking access to security software and updates, and deleting any system restore points in your computer.

Ouch.

Conficker spread fast earlier this year; at one point it infected over 6 million PCs within four days. Conficker generated random domain names from which to download more malware, which delayed efforts to stop it. Lucky for us, techies cracked the Conficker code, discovered how the worm generated those domains, and blocked access to them for most computer users.
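The paragraph above describes the defender's side of a domain-generation scheme: once the generator is understood, the candidate domains can be computed ahead of time and blocked or watched for. The following is an added example, not code from the post and not Conficker's real algorithm; the generator, its seed, the domain count, the TLD set and the DNS log lines are all constructed stand-ins used to show the technique.

```python
import hashlib
from datetime import date, timedelta

# Constructed sample values; the real worm's seed, count and TLD set are not on the page.
TLDS = ("com", "net", "org")
SEED = b"hypothetical-dga-seed"


def generate_domains(day, count=5, seed=SEED):
    """Hypothetical generator: the domain set depends only on the date,
    so anyone who knows the algorithm can compute it in advance."""
    names = []
    for i in range(count):
        material = seed + day.isoformat().encode() + bytes([i])
        digest = hashlib.sha256(material).digest()
        # map the first ten digest bytes to lowercase letters, the next byte to a TLD
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return names


def build_blocklist(start, days):
    """Pre-compute every candidate domain for a window of days, as a
    defender would do to register, sinkhole or block them ahead of time."""
    block = set()
    for offset in range(days):
        block.update(generate_domains(start + timedelta(days=offset)))
    return block


def find_dga_lookups(log_lines, blocklist):
    """Scan 'timestamp client qname' DNS log lines; return (client, qname)
    pairs where a host queried a pre-computed candidate domain."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line: skip it rather than abort the scan
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in blocklist:
            hits.append((client, qname))
    return hits


# Constructed DNS log: two hosts query ordinary names, one host (10.0.0.7)
# queries two of the candidate domains for 2009-02-20, plus one junk line.
DAY = date(2009, 2, 20)
SAMPLE_LOG = [
    "2009-02-20T09:58:12 10.0.0.5 www.example.com.",
    f"2009-02-20T10:00:01 10.0.0.7 {generate_domains(DAY)[0]}.",
    "2009-02-20T10:00:03 10.0.0.9 update.example.net.",
    f"2009-02-20T10:00:04 10.0.0.7 {generate_domains(DAY)[3]}.",
    "garbage",
]

if __name__ == "__main__":
    block = build_blocklist(DAY, 3)
    for client, qname in find_dga_lookups(SAMPLE_LOG, block):
        print(f"{client} resolved candidate domain {qname}")
```

The point of the design is that the blocklist is built from the date alone, so the same list can be handed to a DNS filter before the worm ever asks for those names, and any host that does ask for one is worth a closer look.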

Hold that “phew”: now Conficker B++ uses fresh, stealthier techniques. The SRI Report says that Conficker B++ bypasses the use of Internet Rendezvous Points, using a DLL patch and pipe backdoor to execute its code.

So how do you prevent Conficker B++? The Microsoft patch is critical in fighting Conficker B++. Microsoft’s corporate-friendly language hardly expresses the pain Conficker B++ could mean to you—don’t let understated sentences like “Vulnerability in Server Service Could Allow Remote Code Execution” cause you to delay these updates. Windows XP and earlier systems are especially vulnerable—if you haven’t already, set your computer to automatically update.

Conficker also exploits commonly used passwords. If you use any of the weak passwords that Conficker exploits, even only for low-value sites, make sure you change them.

Yeah, we’re referring to “sdrowssap”.
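The reason a password like “sdrowssap” is still weak is that a word list is cheap to extend with trivial transforms: reversal, a trailing digit or two, and letter-for-symbol swaps. The following is an added example, not code from the post; the word list is a small constructed sample rather than the worm's real list, and the transform rules are the author's own illustration of a password audit.

```python
# Constructed sample of common words; the real list the worm tries is not on the page.
COMMON_WORDS = {
    "password", "passwords", "admin", "letmein", "qwerty", "123456", "welcome",
}

# Undo common letter-for-symbol substitutions: @->a, $->s, 0->o, 1->l, 3->e
LEET = str.maketrans("@$013", "asole")


def candidates(pw):
    """Reduce a password to the plain words it might be a trivial transform of."""
    core = pw.lower()
    forms = [core, core.rstrip("0123456789")]       # as typed, and without digit suffix
    forms += [f.translate(LEET) for f in forms]     # with symbol substitutions undone
    forms += [f[::-1] for f in forms]               # every form reversed as well
    return [f for f in forms if f]


def weak_password(pw):
    """Return the common word the password reduces to, or None if no rule matched."""
    for form in candidates(pw):
        if form in COMMON_WORDS:
            return form
    return None


if __name__ == "__main__":
    for sample in ("sdrowssap", "P@ssw0rd1", "nimda", "correct horse battery staple"):
        print(f"{sample!r}: {weak_password(sample) or 'no rule matched'}")
```

A password that survives this check is not automatically strong; the check only shows that the obvious disguises of a dictionary word buy nothing against a list that is tried in every direction.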

Guest Writer: This is a guest post by Kristopher Dukes of FasterPCCleanClean.com – an invaluable asset in the battle against malware. Pay a visit to FasterPCCleanClean.com, and I’m convinced you’ll become a regular visitor.

The content of this article is copyright 2009 © by Dukes Media, LLC All rights reserved.



Filed under Anti-Malware Tools, Don't Get Hacked, Interconnectivity, Internet Safety, internet scams, Malware Advisories, Manual Malware Removal, Microsoft Patch Tuesday, Online Safety, Spyware - Adware Protection, System Security, trojans, Viruses, Windows Tips and Tools, worms

8 responses to “The 411 on Conficker B++”

  1. Thank you for this well-written update on the Conficker worm.

    The thing about this attack that sticks in my mind the most is — the patch that closed the hole was released in October (months before the outbreak).

    I believe that the primary lesson here (for all of us) is that it is absolutely vital to keep all the software on our machines patched and updated (currently, it is Adobe in the crosshairs) and I would like to re-remind the audience of what I consider to be the best tool to help with that — the free Personal Software Inspector from Secunia.
    http://secunia.com/vulnerability_scanning/personal/

    Thanks.

  2. proview

    When I click on the link for 411-Spyware.com in your guest post, WOT blocks access to the site and rates it as dangerous.

    Viewing the site details, category “spyware or adware” .. comment “not safe”.

    Quite ironic, being that this blog is a “friend of WOT”.

  3. Bill Mullins

    WOT rates this site incorrectly. There is no perfect system.

    The following are comments, from the “comments” section of an earlier article that point this out. This site has an excellent reputation.

    “Allow me also to express that I believe that it is an absolute travesty that one criminal hacker can log into WOT and give your website a bad review, and now people with the otherwise excellent WOT toolbar will be warned away from your top-notch website.
    The good folks at WOT should remedy this ASAP!”

    TechPaul

    And my own comments on this issue:

    “Tech Paul,

    Absolutely dead on re: the WOT site review. It’s not the first time, nor the last time, that a site review has, or will be manipulated.

    This is not a weakness in WOT however. My experience has been, that people driven security such as WOT, is generally more reliable than systems that utilize other methods.

    A problem I have with all systems though is – it takes waaaay too long to have a rating re-assessed and changed, where appropriate. A time frame of 6 months or more does not cut it. McAfee Site Advisor is notorious for this type of behavior.”

    As I said there is no perfect system.

  4. Microsoft’s own Malicious Software Removal Tool (MRT) should remove this if it’s up to date. Of course, if you were updating then it wouldn’t have caught it in the first place! To run the MRT manually, hit the Windows button + R, type cmd in the run box, then type mrt and press Enter. This will allow you to run the MRT in either deep or quick scan mode. It’s a pretty effective tool which all Windows users should have on their machines. Deep scans can take hours, but they will often find things the tool doesn’t catch when it runs automatically after the monthly updates.

  5. proview

    Bill,

    I agree with you that there is no perfect system, but I have to disagree when you say that this is not a weakness in WOT, because I believe it is.

    If anyone can log into WOT, as TechPaul has pointed out, and give your website a bad review then surely this is a weakness.

    Most people who install WOT are going to trust it when it flags up a warning … it’s the Web Of Trust after all, so what is the point of installing WOT if you can’t trust it? If people see the black warning screen they will back away from the site, safe or not.

    If by doing this WOT is driving people away from your website then I believe this to be a huge weakness in the system because it is obvious that the system is being abused by people with malicious intent.

    I have come to the conclusion that the results from a single safe browsing system installed in your browser are not to be trusted, therefore I now have LinkExtend toolbar installed in Firefox 3.

    LinkExtend uses eight different services to determine the safety of a website; Site Advisor, WOT, Browser Defender, plus Norton and Google Safe Browsing are all included.

    On clicking the LinkExtend safety button for 411-Spyware.com, I noticed that only WOT flagged the website as dangerous, all the others showed it as safe and from that I drew my own conclusion as to whether to visit the website or not … I did and it’s an excellent website.

    LinkExtend itself is not perfect, but it does provide much more information for the user to determine whether a website is safe to visit or not.

    As the saying goes “it’s always better to seek a second opinion” … eight is even better, and they can’t all be open to abuse from people who want to drive visitors away from certain websites, as I’m sure your guest writer would agree.

    Regards.

  6. I have to agree with proview.

    The cybercriminals are aware of this flaw in the WOT system, and I believe WOT is, too.
    But what is the best remedy (one that doesn’t weaken our “votes”)?

    With the website in question, there are 5 “votes”: mine and another all-green “OK”, and 1 hacker’s all-red “not safe!”.. plus two autogenerated pingbacks (which don’t count).
    This has now “balanced” to an overall rating of “yellow”. It was red just a day or so ago.. so maybe WOT is in the process of fixing this… let’s hope. Because, as you pointed out, there’s those other (more professional) “votes” available to the WOT engine/algorithm too.

    How can McAfee + Google + LinkAnalyzer/AVG + Norton + Me + another user — all green (6+)
    + 1 criminal — red (1)
    equate to a warning condition???

    I would like to thank you for turning me on to the Firefox extension as well.

  7. Jonas Andersson

    I would not trust any tool delivered by any tiny organization, not because I am paranoid but because if a small company can make a patch that detects and removes it, so would McAfee or Symantec.

    I would advise people to read the SRI reports created on Conficker; they contain the sources and decompilation, allowing you to understand just what we are all dealing with. The authors of this malicious software have made sure to remove all footprints. Following SRI’s report I only found 2 distinct trademarks of Conficker; the rest is changed, and whatever the virus did in the registry, services and file system left no traces. The trademark RPC calls on the network were there during the infection and repeated themselves on isolated networks as well. Viruses (in general) are recognized by traces or definitions (a 200-500 byte binary data chunk that becomes the virus fingerprint) that allow the virus scanner to find and remove them. However, Conficker is among the new generation of viruses that encrypt themselves, generate random names based on dictionaries that Microsoft in general uses, and such things. I would recommend anyone running business critical systems on Win32 that has seen the little “OK”-buttoned windows and then had its computer hanging and the local system account locked out to wipe the disk and re-install. Don’t allow an infected system to be on the network and ensure you have all critical MS updates installed. Install a proper antivirus and keep it updated.