Joined: Tue Jan 16, 2007 10:41 pm Posts: 7563 Location: Calgary, AB Gender: Male
Computer worm set to strike April 1
The first stage of an expected Internet computer worm is to infect millions of units, then, on April 1, force them to randomly connect to 50,000 URLs a day.
Canwest News Service, March 24, 2009
OTTAWA — A malicious computer worm, which has already infected potentially millions of computers around the world, could cause major cyber headaches on April 1, say computer experts.
The Canadian Internet Registration Authority, which manages Canada's dot-ca domain name registry, says Conficker C is the latest variant of a malicious Internet software program that acts in two stages.
In a news release Tuesday, the authority said the first stage is to infect millions of computers, and then, on April 1 it will force computers to randomly connect to 50,000 web URLs a day.
The authority said it is pre-emptively registering and isolating previously unregistered dot-ca domain names expected to be generated over the next 12 months by Conficker C. It claims this will prevent registration of those domains by "undesirable actors."
For security reasons, the authority said it would not release any further details.
another article
Researchers Unite to Hunt Conficker C
Posted by Kara Reeder, Mar 24, 2009 1:58:09 PM
Security researchers have banded together to hunt down a worm called Conficker C and prevent a massive April Fool's Day infection. According to CNN.com, the group is going by the name Conficker Cabal.
CA, a New York-based IT and software company, recently found code in Conficker C that says the worm will become active on April 1. Once that happens, who knows what the result will be. The program could delete all files on a computer or monitor a person's keystrokes to collect personal information. However, it's more likely that that worm will try to get computer users to buy fake software or spend money on other phony products, says Don DeBolt, director of threat research for CA.
Conficker Cabal is motivated in part by a $250,000 bounty for the Conficker authors that Microsoft is offering. But more than that, the virus has wreaked havoc on millions of computers because its code is written to evolve over time.
_________________ Straight outta line
Quote:
For a vegetarian, Rents, you're a fuckin' EVIL shot!
Last edited by p911gt10c on Wed Mar 25, 2009 4:27 pm, edited 1 time in total.
Post subject: Re: Your comp is fucked on April 1st.
Posted: Wed Mar 25, 2009 4:39 pm
Unthought Known
Joined: Tue Jan 16, 2007 10:41 pm Posts: 7563 Location: Calgary, AB Gender: Male
This bit is a bit more technical on what this thing does
Will Conficker.C Blow up on us April 1?
Wednesday March 25, 2009
[Image caption] This piece of computer code tells the worm to activate on April 1, 2009, researchers at CA found.
Conficker has gotten more than its share of coverage as probably the most important malware in the last year, but this next week will see a whole lot more. The latest variant of the worm, Conficker.C, is programmed to do something on April 1. Exactly what it's going to do and how big a deal it will be for all of us, nobody can really say for sure.
The A and especially B variants of this worm (also known as Downadup) built a botnet in the several million system range, almost exclusively through exploitation of the MS08-067 vulnerability in Windows. Conficker added some innovative techniques to update itself through a large number of domains, the names of which were algorithmically generated by the program. Because the names were deterministic, it was possible for the DNS authorities (VeriSign, et al) to block the names and, with few exceptions, the worm has been unable to spread since that point several weeks ago.
Then C came along. It adds a number of defensive measures designed to protect itself from detection and removal and it ratchets up the number of domains it can check for updates. As this very large and thorough analysis of Conficker.C from SRI International says, "...Conficker C increases the number of daily domain names generated, from 250 to 50,000 potential Internet rendezvous points. Of these 50,000 domains, only 500 are queried, and unlike previous versions, they are queried only once per day." Thus C should generate less traffic than the earlier versions, especially inasmuch as it filters the IP addresses for these domains to make them work better and avoid detection.
Avoiding detection is a major theme with Conficker.C. It's not the first malware to try to defend itself in-memory against security software and diagnostic tools, but C does a lot of this. For instance, it disables Windows Automatic Updates and the Windows Security Center. My impression from talking to anti-malware vendors is that they can still detect it and I'm inclined to believe them; after all, there are just a few variants of Conficker and they're well-understood.
Some security experts such as Eset are urging you to back up in advance of April 1 and to make sure that your security software is working properly. Of course (and they say this too) these are things you should do in any event. But make sure that the update mechanisms for Windows and your anti-malware are actually occurring because Conficker can turn them off.
But the big news with C is that the code is scheduled to come alive on April 1 and start contacting the 50,000 domains and download something. What will they download? What will it make the bots do? Honestly, nobody knows. This is the great mystery.
Another question you might ask is if the DNS powers that be stopped the propagation mechanism for Conficker A and B, how did C spread? Perhaps it's not that widespread after all? I asked Richard Wang, Manager SophosLabs, US about this. He stresses that it's hard to know for sure how much Conficker C is out there because they're laying low until April 1. Among their customers C is 6% of the Conficker population, but it's not clear if that's representative of the world overall. It is possible for C to spread in part because there is a direct push mechanism in B, allowing an outside system to contact it and provide a domain name from which it should download an update, presumably C.
Conficker is really sophisticated as malware goes. It's clear that its authors are smart people and perhaps that's what's got security people worried. But the only rational way to approach this is to do the things you know you need to do anyway and then not get hung up on it. Remember, there's a very good chance that on April 1 nothing much will happen.
_________________ Straight outta line
Quote:
For a vegetarian, Rents, you're a fuckin' EVIL shot!
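The article quoted above says the domain names could be blocked because they were deterministic. As an added example (not part of the original post or article), this sketch shows how a defender who can recompute a day's list uses it to flag infected clients in resolver logs; the SHA-256 generator is a stand-in and not Conficker's algorithm, and the TLD list, client addresses and log entries are constructed.

```python
import hashlib
import random
from datetime import date

DAILY_POOL = 50_000      # names generated per day (figure from the article)
QUERIED_PER_DAY = 500    # names each infected host actually queries
TLDS = ["com", "net", "org", "ca"]  # constructed list, not the worm's

def candidate_domains(day, count=DAILY_POOL):
    """Stand-in date-seeded generator. NOT Conficker's real algorithm:
    SHA-256 over date and index is an assumption for illustration."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

def expected_hits(watched):
    """Average daily queries from one infected host that land on a watch
    list covering `watched` of the DAILY_POOL names."""
    return QUERIED_PER_DAY * watched / DAILY_POOL

def flag_hosts(dns_log, day, threshold=3):
    """Return {client: hits} for clients with >= threshold queries to
    names on the precomputed list for `day`."""
    watch = set(candidate_domains(day))
    hits = {}
    for client, qname in dns_log:
        if qname.lower().rstrip(".") in watch:   # normalise case and trailing dot
            hits[client] = hits.get(client, 0) + 1
    return {c: n for c, n in hits.items() if n >= threshold}

def constructed_log(day):
    """Constructed sample resolver log: one simulated infected client and
    one clean client. Addresses and names are made up."""
    rng = random.Random(1)   # fixed seed keeps the sample repeatable
    picked = rng.sample(candidate_domains(day), QUERIED_PER_DAY)
    infected = [("10.0.0.23", name.upper() + ".") for name in picked[:5]]
    infected += [("10.0.0.23", name) for name in picked[5:]]
    clean = [("10.0.0.7", "www.microsoft.com."), ("10.0.0.7", "example.org")]
    return infected + clean

if __name__ == "__main__":
    day = date(2009, 4, 1)
    print(flag_hosts(constructed_log(day), day))
    print(expected_hits(250))
```

A watch list covering only 250 of the 50,000 names would catch an average of 2.5 queries per infected host per day, which is why the whole daily pool has to be precomputed.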
Post subject: Re: Your comp is fucked on April 1st.
Posted: Wed Mar 25, 2009 4:41 pm
Unthought Known
Joined: Sat Oct 16, 2004 10:46 pm Posts: 9617 Location: Medford, Oregon Gender: Male
I wanna devise a virus To bring dire straits to your environment Crush your corporations with a mild touch Trash your whole computer system and revert you to papyrus
I want to make a super virus Strong enough to cause blackouts in every single metropolis Cause they don't wanna unify us So fuck it total anarchy and can't nobody stop us
You see late in the evening Fucked up on my computer and my mind starts roaming I create like a heathen The first cycles of this virus I can send through a modem Infiltration hits your station No Microsoft or enhanced DOS will impede Society thinks they're safe when Bingo! Hard drive crashes from the rending
A lot of hackers tried viruses before Vaporize your text like so much white out I want it where a file replication is a chore Lights out shut down entire White House I don't want just a bug that could be corrected I'm erecting immaculate design Break the nation down section by section Even to the greatest minds it's impossible to find
I wanna devise a virus To bring dire straits to your environment Crush your corporations with a mild touch Trash your whole computer system and revert you to papyrus
I wanna devise a virus To bring dire straits to your environment Crush your corporations with a mild touch Trash your whole computer system and revert you to papyrus
I want to develop a super virus Better by far than that old Y2K This is 3030 the time of global unification Break right through they terminals Burn 'em all, slaves to silicon Corrupt politicians with leaders and their keywords F.B.I and spies stealin bombs Decipitate their plans in their face and catch the fever
Everybody loot the stores get your canned goods Even space stations are having a hard time Peacekeepers seek to take our manhood Which results in the form of global apartheid
Ghettos are trash dumps with gas pumps Exploding and burnt out since before the great union The last punks walk around like masked monks Ready to manipulate the database or break through 'em
Human rights come in a hundredth place Mass production has always been number one New Earth has become a repugnant place So it's time to spread the fear to thunder some
I wanna devise a virus To bring dire straits to your environment Crush your corporations with a mild touch Trash your whole computer system and revert you to papyrus
I wanna devise a virus To bring dire straits to your environment Crush your corporations with a mild touch Trash your whole computer system and revert you to papyrus
_________________ Deep below the dunes I roved Past the rows, past the rows Beside the acacias freshly in bloom I sent men to their doom
Post subject: Re: Your comp is fucked on April 1st.
Posted: Wed Mar 25, 2009 9:49 pm
Mike's Maniac
Joined: Tue Mar 07, 2006 8:14 pm Posts: 15317 Location: Concord, NC Gender: Male
so...if they know about it...how the fuck do you remove it? or check to see if you even have it? they seem to know A LOT about it, but don't mention much about removal at all.
_________________ 255 characters are nowhere near enough
Post subject: Re: Your comp is fucked on April 1st.
Posted: Thu Mar 26, 2009 12:22 am
Back from the dead
Joined: Mon Jan 16, 2006 8:48 pm Posts: 4552 Location: Ohio Gender: Male
Wow, someone else has heard of Deltron 3030 on here. Awesome.
And I doubt anyone with half a brain will have their computer infected. It's going to be those who can't even work a computer who get fucked over on the 1st.
_________________ Back from the dead. Fuckin' zombies maaan.
Post subject: Re: Your comp is fucked on April 1st.
Posted: Wed Apr 01, 2009 6:17 pm
Unthought Known
Joined: Tue Jan 16, 2007 10:41 pm Posts: 7563 Location: Calgary, AB Gender: Male
No problems so far as April Fools' computer worm awakens
By John D. Sutter, CNN
(CNN) -- An April Fool's Day computer worm launched on Wednesday but so far has not caused problems for the millions of computers that are believed to be infected.
That doesn't mean the worm, called Conficker.c, is a joke, computer experts told CNN on Wednesday.
"By no means do I think we're in the clear," said Paul Henry, a forensics and security analyst for Lumension Security, based in Phoenix, Arizona.
On Wednesday, a master computer gained control of an estimated 5 million to 10 million "zombie" PCs infected with the worm, experts said.
Security experts fear the author of the malicious computer program essentially could do anything with those Windows-based machines.
Conficker's motive is probably financial, they said. The worm's author could steal financial information, shut down Web pages, track keystrokes or send spam from infected computers.
"They have full administrative-level rights to run anything they want on all of the infected machines," said Mikko Hypponen, chief research officer for F-Secure, an Internet security company.
Experts who spoke to CNN on Wednesday said it's unlikely the program's author will launch any sort of attack Wednesday or Thursday. But they said some sort of issue is likely to arise in coming weeks or months.
Experts urged computer users not to panic.
The easiest way for computer users to see if they're infected is to try to access Windows updates from microsoft.com. http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx If you can reach the site and if your system updates are working, it is unlikely your computer is infected, experts said.
A core group of about 40 computer analysts, researchers and policy experts is working to dismantle the worm, said Jose Nazario, manager of security research at Arbor Networks, and a member of the group, which some call the Conficker Cabal.
Nazario said the group's unprecedented efforts may be one reason an attack hasn't happened.
He said the April 1 launch date for the virus may have been a ploy by the program's author to get attention from the news media. Or it could be a twisted joke.
"Either way, it suggests an interesting sense of humor, I guess," he said.
The worm allows a master computer to communicate with the infected machines through Web sites the worm generates. That function became active April 1, experts said, and allows Conficker's author or authors to seize control of millions of computers around the world.
Infected machines are generating 50,000 URLs per day, which allows the master to talk with them. A previous version of Conficker created only 250 domain names per day.
"What happened now, today, is that the machines started pulling 50,000 domain names in 116 countries around the world -- so that's the change," said Hypponen, another member of the Conficker Cabal.
"The Conficker gang realized we could shut down 250 domain names a day, so they upped the ante," he said. Computer experts will continue to try to shut down the Web addresses that let Conficker's author communicate with infected machines, he said.
Members of the Conficker Working Group have contacted security officials in all 116 affected countries and have shut down many active domain names, Hypponen said.
The situation has played out in the news media as an April Fools' Day joke.
On a technology blog, The Washington Post mocked the hype about Conficker.
"Londoners woke up to find the iconic clock tower Big Ben stopped at precisely one minute till midnight," Brian Krebs wrote. "The British tabloids blared that the giant timepiece had been felled by the Conficker worm."
The post ends with this statement: "In case you haven't guessed it yet, APRIL FOOLS!!!"
Some have compared the situation to New Year's Day in 2000, when many feared the world's computers would crash but few problems were seen.
Henry said that comparison doesn't fit.
"Y2K was a one-time event," he said. "The update for Conficker has basically prepped it for its future. It now has the ability to gather marching orders in a way that, to date, we haven't found a way to block."
Little is known about Conficker's author.
A piece of code in a version of the computer worm prevents the program from harming machines in the Ukraine, leading some to believe that's where the program's author lives.
Others say that could be a ploy.
Many authors of previous computer viruses have come from Eastern Europe outside the jurisdiction of the European Union, experts said.
The many unknowns about Conficker are what make it particularly concerning, said Patrick Morganelli, senior vice president of technology for Enigma Software.
"[An attack] could happen today, it could happen April 15, it could happen two months from now," he said.
Henry says an attack will happen sooner or later.
"They'll wait for the hype to subside," he said. "They'll wait for everyone to stop watching, and they'll take it for a test run. They've put together one hell of a botnet here, and they're going to want to exercise it."
_________________ Straight outta line
Quote:
For a vegetarian, Rents, you're a fuckin' EVIL shot!
Post subject: Re: Your comp is fucked on April 1st.
Posted: Wed Apr 01, 2009 6:38 pm
Former PJ Drummer
Joined: Mon Oct 18, 2004 5:51 am Posts: 17078 Location: TX
Exactly what does it take to write a virus like this? Are we talking about an extremely talented set of hackers/programmers working for months or years to create this? It seems like a bot that takes so many people just to figure it out must have either been written by an absolute fucking genius or a group of geniuses working together carefully.