
What is this Conflicken’ Thing??

Tuesday, March 31st, 2009

Conficker?

Conflicker?

DownAdUp?

It’s all so confusing, but whatever the name, the worm is the same. Here’s the scoop (for simplicity of reading, I’m going to just refer to it as Conflicker).

Conflicker has been around for a while and, as of this writing, has three known variants (versions): A, B, and C. The much-hyped event anticipated for this April Fool’s Day is that a new variant, Conflicker_D, is expected to be deployed.

Backgrounder:

In general, Conflicker is a botnet-type worm, which means the way it works is to infect as many machines as possible and enable a “network” of sorts by allowing the worm’s author to take control of the infected machines through the Internet. Although no other payload has yet been discovered, it is assumed that any payload could potentially be delivered once the author takes control of the infected machines.

How does Conflicker get on your PC?

Unlike old-school viruses that were transmitted via email or other so-called ‘viral’ methods, there is no social engineering or similar trickery required for your PC to become infected with Conflicker. That is, you don’t infect yourself by clicking or opening anything. In fact, all that’s required to get infected is to be connected to the Internet and not have the correct patches (Windows updates) from Microsoft! This is because Conflicker gets into your machine through a security flaw in Windows, and if you don’t have the patch from Microsoft that closes up the flaw, your PC is susceptible to infection.

What are the symptoms?

Unfortunately for the unprotected and infected, there really aren’t any visible symptoms to speak of. Unlike old-school viruses that generally displayed some sort of calling card, then emailed themselves to all your friends and wiped out your hard drive, Conflicker remains more valuable to its author by being quiet, efficient, and undetected. The most common symptom that might alert you to a Conflicker infection is a virus scan reporting that you’re infected.

Why Conflicker?

Why is it valuable to somebody to infect all those (millions of) PCs and not do typical virus-like things such as destroy those machines? Consider the power of a person or entity having simultaneous control of all those millions of machines to do whatever they please, whenever they please! For example, how much would access to those machines be worth on the black market to an unscrupulous organization that may want to harvest credit card or banking information, or use those machines to launch a DoS (Denial of Service) attack against a website? The possibilities for how those millions of machines could be put to use are endless, so what the author of Conflicker has done is create a high-value network of PCs that may include your own if you are infected, and that may just be sold off to the highest bidder as a tool that’s not likely to be used for good.

How can you protect yourself?

If you have Windows automatic updates turned on, you’re probably already protected, as Microsoft already released the updates that close the flaw back in October of 2008.

If you’re not sure, you can get updates from the Microsoft Update website by clicking this link: Windows Updates

It’s also a good idea to make sure your antivirus program is up to date and to perform a virus scan, as all of the major antivirus providers currently detect Conflicker variants.

Below is a short list of resources. You can find a more comprehensive list, including technical research info, at The Internet Storm Center/DSHIELD.

Removal Instructions

Microsoft: 
http://support.microsoft.com/kb/962007

Kaspersky:
http://support.kaspersky.com/faq/

BitDefender:
http://www.bitdefender.com/VIRUS-1000462-en–Win32.Worm.Downadup.Gen.html

Trend Micro:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp
To be able to reach the antivirus vendors, SANS, Microsoft and others from a machine infected with Conficker.C, Trend Micro suggests running “net stop dnscache” from the command line.

Sophos:
http://www.sophos.com/support/knowledgebase/article/51416.html

Removal Tools

Microsoft MSRT:
http://www.microsoft.com/security/malwareremove/default.mspx

F-Secure:
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

AhnLab:
http://global.ahnlab.com/global/file_removeal_down.jsp?filename=12371830475821&down_filename=v3conficker.zip

Symantec:
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

McAfee:
http://vil.nai.com/vil/stinger/

ESET:
http://download.eset.com/special/EConfickerRemover.exe

BitDefender:
http://www.bdtools.net/

Kaspersky:
http://data2.kaspersky-labs.com:8080/special/KidoKiller_v3.3.3.zip

TrendMicro:
https://securecloud.com/support/sysclean

Sophos:
https://secure.sophos.com/products/free-tools/conficker-removal-tool-network/download (registration required)
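As an added, constructed triage script (not from this post or from any of the vendors listed above), the following PowerShell checks the three things the post ties to Conflicker: whether the October 2008 Windows patch is installed, whether the automatic updates service is running, and whether the security vendor sites listed above still resolve, since the Trend Micro note says an infected Conficker.C machine cannot reach them. It assumes the October 2008 fix is MS08-067 (KB958644), which the post itself does not name, and uses www.example.com as a control host with no security association.

```powershell
# Constructed defender-side triage script; not the post's or any vendor's code.
# Assumption: the "October 2008" update the post refers to is MS08-067 (KB958644).
$patchId = 'KB958644'

# Hosts taken from the post's resource list. If ALL of them fail to resolve while
# the control host resolves fine, that matches the Conficker.C symptom described
# in the Trend Micro note (selective blocking of security sites).
$securityHosts = @(
    'support.microsoft.com',
    'www.trendmicro.com',
    'www.sophos.com',
    'www.symantec.com',
    'www.f-secure.com'
)
$controlHost = 'www.example.com'   # assumption: a host the worm has no reason to block

function Test-HostResolves([string]$HostName) {
    try {
        [void][System.Net.Dns]::GetHostAddresses($HostName)
        return $true
    } catch {
        return $false
    }
}

# 1. Patch state. Caveat: Get-HotFix omits fixes rolled into a later service
#    pack or a newer Windows release, so "not found" means "run Windows Update",
#    not proof of exposure.
$patched = @(Get-HotFix -ErrorAction SilentlyContinue |
             Where-Object { $_.HotFixID -eq $patchId }).Count -gt 0
Write-Host ("{0} installed: {1}" -f $patchId, $patched)

# 2. Automatic updates service (wuauserv) state.
$wu = Get-Service -Name wuauserv -ErrorAction SilentlyContinue
Write-Host ("Windows Update service: {0}" -f $(if ($wu) { $wu.Status } else { 'not found' }))

# 3. Selective DNS blocking: compare security sites against the control host.
$controlOk = Test-HostResolves $controlHost
$failed = @($securityHosts | Where-Object { -not (Test-HostResolves $_) })
Write-Host ("Control host resolves: {0}" -f $controlOk)
Write-Host ("Security sites failing to resolve: {0} of {1}" -f $failed.Count, $securityHosts.Count)

if ($controlOk -and $failed.Count -eq $securityHosts.Count) {
    Write-Warning "All security sites fail while other DNS works: matches the Conficker.C symptom. Run an up-to-date AV scan; 'net stop dnscache' is the Trend Micro workaround for reaching vendor sites."
}
if (-not $patched) {
    Write-Warning "$patchId not listed: confirm via Windows Update that the October 2008 fix is installed."
}
```

Run it from an elevated PowerShell prompt; a single site failing to resolve is ordinary DNS trouble, and only the pattern of every security site failing while the control host works is the symptom worth acting on.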

This article was written by Andy Trask, Head Geek at Geek Housecalls, the New England area’s original traveling computer geeks, on the web at www.geekhousecalls.com. Geek Housecalls specializes in “anything computer” and, since 2001, has become the trusted in-home computer and technology support provider for over 15,000 families and small business computer users in eastern Massachusetts, Rhode Island, and southern New Hampshire. For help with your computers, gadgets, or network at home or at the office, contact Geek Housecalls via the web, or call toll free:

1-877-4PC-GEEK             (1-877-472-4335)