Symantec warns that a third variant of the Conficker worm is on the loose. It is the nastiest strain yet, thanks to a new ability to disable security software and to frustrate attempts to track where it phones home on the web.
In a tactical switch, Conficker's authors are sending the new strain to already-infected PCs, helping the worm burrow deeper and become more resistant to attempts to dig it out.
In a security update, Symantec’s Peter Coogan writes that the worm’s focus on holding off antivirus software is part of a new overall strategy:
“[Its] authors are now aiming for increasing the longevity of the existing threat on infected machines. Instead of trying to infect further systems, they seem to be protecting currently infected machines from antivirus software and remediation.”
The new mutation also regains the initiative in generating the pseudo-random domain names that infected machines phone home to. The previous version generated 250 domains per day, using an algorithm that Microsoft and others successfully reverse-engineered, which let defenders pre-register or monitor those domains before the worm used them. The new variant uses a new algorithm that generates 50,000 domains per day, making it impractical for the time being to register or watch them all, and reversing one of the security industry’s few wins in the war on the worm.
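To show why the daily domain count matters, here is a toy date-seeded domain generation algorithm (DGA). This is an added illustration, not Conficker’s algorithm and not Symantec’s or Microsoft’s analysis code: the seed, hash, TLD list and label lengths are assumptions chosen for the demonstration. It makes two points the paragraph leaves implicit: once the function is known, a defender can compute the same list for any date ahead of time; and the defender’s registration and monitoring workload grows linearly with the count, so 50,000 per day is two hundred times the work of 250, while the infected machine still only needs one of them to resolve.

```python
"""Toy date-seeded DGA to illustrate reverse-engineering and domain counts.
NOT Conficker's algorithm: seed, hash, TLD list and lengths are assumptions."""
import hashlib
import re
from datetime import date
from typing import List

TLDS = ["com", "net", "org", "info", "biz"]   # assumed TLD list
SEED = b"demo-seed"                            # assumed fixed seed baked into the sample

def generate_domains(day: date, count: int, seed: bytes = SEED) -> List[str]:
    """Deterministically derive `count` domains for calendar day `day`.

    The only inputs are the date, a fixed seed and a counter, so anyone who
    has recovered this function from the binary can produce the same list in
    advance and register or sinkhole the domains before the worm queries them.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 4                       # 8..11 letter label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[12] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains

def match_queries(queries: List[str], predicted: List[str]) -> List[str]:
    """Return the observed DNS query names that fall in the predicted list.

    This is the defender's detection step: compare a day's DNS logs against
    the precomputed list instead of trying to register every domain.
    """
    predicted_set = set(predicted)
    return [q for q in queries if q.lower().rstrip(".") in predicted_set]

def registration_workload(counts: List[int], days: int) -> dict:
    """Domains a defender would have to register to cover `days` days
    for each per-day generation count."""
    return {c: c * days for c in counts}

if __name__ == "__main__":
    day = date(2009, 3, 9)                     # constructed date for the demo
    old_style = generate_domains(day, 250)
    new_style = generate_domains(day, 50_000)
    # Constructed DNS log: two DGA names mixed with ordinary traffic.
    observed = ["www.example.com", old_style[3] + ".", "mail.example.org", old_style[17]]
    print("matched:", match_queries(observed, old_style))
    print("30-day registration workload:", registration_workload([250, 50_000], 30))
```

The same per-index derivation means the first 250 entries of a 50,000-domain day are identical to the 250-domain day: the extra cost lands entirely on whoever has to pre-register or monitor the list, not on the worm, which only needs a single live name.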
Symantec discovered the new variant of Conficker (also known as Downadup) on Saturday New Zealand time, when the fresh mutation, officially called W32.Downadup.C, was caught by a “honeypot”, a PC deliberately left exposed to internet threats.
"Think of it as an updated module that's more aggressive, more robust in defending itself," says Vincent Weafer, vice president of Symantec Security Response.
The first two versions of the Conficker worm did not disable antivirus software.
The new variant attempts to disable antivirus software and security analysis tools, but Symantec is still gauging how successful the tactic is, saying it is at an early stage of analysing the new sample.
Still waiting for the other boot to drop
The new variant of the worm keeps its predecessor’s modus operandi: it burrows into a PC, then “phones home” to one of the many Conficker domains to let the worm’s authors know the infected machine is ready to accept a payload.
A major conundrum: no payload has yet been delivered, despite Conficker infecting upwards of 16 million PCs, making it the most virulent worm ever to sweep the planet.
Symantec says the new mutation, with its emphasis on keeping infected machines compromised for longer, may be an attempt by Conficker’s authors to buy time.
But the question remains: for what?
De-worming
The two key defences against Conficker remain.
1. Keep your antivirus software as up-to-date as possible through live updates.
2. Install Microsoft’s Conficker patch (security bulletin MS08-067, which closes the Windows Server service hole the worm uses to spread across networks). Microsoft has made patches available for all editions of Windows, but points out that the most recent version, Vista, is the most resistant to the worm. Note that the patch only closes the network exploit: the B and C variants also spread through removable drives and by guessing weak passwords on network shares, so a patched machine can still be infected by those routes. Microsoft's worm response center (Microsoft.com/conficker) has links to the patch, plus information and advice on Conficker's A and B strains, but as of Monday morning NZ time had yet to be updated for the new C strain.
(The NBR)