
Reports: Conficker From China, Easily Detected

Source: Tom's Hardware US | 26 comments

With April 1 drawing nearer, the Conficker fear has really started to set in. As security experts endeavor to reveal the origin of the virus, others are trying to figure out a method to detect the virus and neutralize the sense of impending doom.

As of Monday, it looks like there’s progress on both fronts. According to the Register, experts have discovered that the malware leaves a fingerprint on infected machines which is easy to detect using off-the-shelf scanners. While previous methods of detecting the virus have been extremely arduous, this discovery means that admins now have easy-to-use tools with which to identify infected machines in their networks. The Reg goes on to report that as of mid-Monday, signatures will be available for at least six network scanners, including Nmap, McAfee's Foundstone Enterprise and Nessus.

Meanwhile, back at the ranch, those desperately seeking information about the virus or where it came from also seem to be making headway. CNet reports that in response to Microsoft’s offer of a bounty amounting to $250,000 for information leading to an arrest, personnel at BKIS, a Vietnamese security firm that makes the BKAV antivirus software, said Monday that they found clues that the virus may have originated from China. Previous reports speculated that the virus came from Russia or Europe.

With over ten million PCs infected, the Conficker worm is supposedly lying dormant awaiting further instructions. Both F-Secure and Sophos say that although the Conficker worm will do something on April 1, triggering a global virus attack is highly unlikely. In fact, the worm will merely contact its growing network to receive updates, perhaps even change its operation.

"So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing," said F-Secure.

The security firm also said that the latest version is not the most common Conficker worm. In fact, most of the contaminated machines are infected with the B variant that became widespread back in January. According to F-Secure, the B variant will not be updating on April 1; however, the new variant might do something new.

"We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do," F-Secure added.

With the level of panic flying around at the moment we’re more inclined to believe that the panic itself is more contagious or dangerous than the worm. For now, we’ll treat it seriously but not take it seriously. Expect the best but prepare for the worst, and all that.

  • 0
    tester3000, March 30, 2009 2:27 PM
    This is gonna be epic. LOl
  • 3
    tayb, March 30, 2009 2:29 PM
    What? From China? No way...
  • 0
    juvealert, March 30, 2009 3:28 PM
    Can someone link how I would know if I have the virus installed or not? Does anyone know if NOD32 is capable of detecting the virus?
  • 0
    Shnur, March 30, 2009 3:33 PM
    juvealert: Can someone link how I would know if I have the virus installed or not? Does anyone know if NOD32 is capable of detecting the virus?

    Have no idea... it should be, because it's a good way for anti-virus vendors to prove that they are good and that they can protect you from it. NOD32 has a good reputation, so it's in their interest to keep it and to get a signature done asap.
  • 5
    CChick, March 30, 2009 3:48 PM
    Any up-to-date AV scanner will be able to detect ver B without any issue.

    The newest one is being updated atm. So just keep checking your AV scanner.

    But seriously speaking, I have no pity for whoever gets hit by this; it was using an old ass "exploit" to get people infected, so yeah, it's for people that are too retarded to update their systems... hahaha. My friend's sister got hit, and I was laughing my ass off, since she tries to blame me for the infection when I never even touched her comp. Suck it bitch.
  • 3
    LuxZg, March 30, 2009 3:57 PM
    Well, I have used these Conficker news as an excuse to finally do some updating in our small company.. I spent all day bringing some older computers up to XP SP3 + all patches, not to mention an old server from Windows 2000 to Server 2003 SP2 and stuff like that.. I still have a lot of work for tomorrow, but something bad for something good, eh? At least after I'm done I'll know that all computers in the network are on the same level of (in)security and updated as they should be :)

    And if that stopped any malicious operations, then all the better ;)
  • 0
    juvealert, March 30, 2009 4:00 PM
    Sry guys to ask this question, but does anyone know if Conficker can hijack Microsoft Outlook 2003?

    Thanks for the reply
  • 0
    nekatreven, March 30, 2009 4:13 PM
    We started forwarding to OpenDNS for external DNS lookups at the office. Some people love OpenDNS, some hate it...

    I'm on the fence myself, and we may go back to using root servers later, but OpenDNS has (bought, or otherwise) the list of control domains for Conficker, and will tell us if our network starts making requests to look the control domains up.
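The F-Secure description above (hundreds of generated domain names polled per day, most of them never registered and so answered with NXDOMAIN) and nekatreven's approach of watching DNS lookups for the known control domains point at the same defensive check on resolver logs. The following is an added example, not code from the article or from any vendor it names; the log line format, the client addresses and the control-domain list are constructed placeholders:

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of resolver log lines (not from the article or any real
# resolver): timestamp, client IP, queried name, response code.
SAMPLE_LOG = """\
2009-03-30T09:00:01 10.0.0.5 qwmzrk.info NXDOMAIN
2009-03-30T09:00:02 10.0.0.5 plxabv.biz NXDOMAIN
2009-03-30T09:00:03 10.0.0.5 tduvqo.cn NXDOMAIN
2009-03-30T09:00:04 10.0.0.5 yhwncl.org NXDOMAIN
2009-03-30T09:00:05 10.0.0.5 updates.example.net NOERROR
2009-03-30T09:10:00 10.0.0.7 www.example.com NOERROR
2009-03-30T09:10:01 10.0.0.7 mail.example.com NOERROR
2009-03-30T09:15:00 10.0.0.9 control.example-sinkhole.test NOERROR
"""

# Placeholder blocklist; a real deployment would load the control-domain list
# published by a sinkhole operator or a resolver service such as OpenDNS.
KNOWN_CONTROL_DOMAINS = {"control.example-sinkhole.test"}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

def parse_line(line):
    """Return (day, client, name, rcode) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, name, rcode = m.groups()
    day = datetime.fromisoformat(ts).date().isoformat()
    return day, client, name.lower().rstrip("."), rcode

def analyze(log_text, blocklist=KNOWN_CONTROL_DOMAINS, nx_threshold=4):
    """Flag clients that (a) resolved a known control domain or (b) produced
    at least nx_threshold distinct NXDOMAIN names in one day, the trace a
    worm polling hundreds of generated domains per day leaves behind."""
    nx_names = defaultdict(set)   # (day, client) -> distinct NXDOMAIN names
    hits = defaultdict(set)       # client -> reasons it was flagged
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue                # skip malformed lines rather than crash
        day, client, name, rcode = rec
        if name in blocklist:
            hits[client].add("known-control-domain:" + name)
        if rcode == "NXDOMAIN":
            nx_names[(day, client)].add(name)
    for (day, client), names in nx_names.items():
        if len(names) >= nx_threshold:
            hits[client].add(f"nxdomain-burst:{day}:{len(names)}")
    return {client: sorted(reasons) for client, reasons in hits.items()}
```

The threshold of 4 is only sized for the sample; against real traffic it would be set from a baseline of normal per-host NXDOMAIN counts.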
  • 2
    gamerk316, March 30, 2009 4:22 PM
    In two begins...
  • 1
    fuser, March 30, 2009 5:34 PM
    Who is panicking?
  • 6
    grieve, March 30, 2009 7:48 PM
    OMG it's the 2000 bug all over again!

    Settle down, update your unit and go check out the porn as usual.
  • 0
    itadakimasu, March 30, 2009 9:25 PM
    So... can't they shut down the domains that it's coming from? Or do they need some sort of warrant?

    The next person to get any kind of malware from internet surfing on my network is going to get put on a tight leash... seriously, nobody is giving you a free iPhone, why would you click on such a thing?
  • 5
    Kary, March 30, 2009 9:28 PM
    April 1st: Chinese virus blocks all porn in the US.
    April 2nd: WW III
    April 3rd: The human race ends.
  • 1
    mindless728, March 30, 2009 9:47 PM
    where can i get it to give to my friends, remember, sharing is caring, LOL
  • 1
    tipoo, March 30, 2009 9:59 PM
    This Conficker worm is the most exciting piece of malware on the PC for quite some time now; I eagerly await seeing what it really does.
  • 2
    anamaniac, March 30, 2009 11:09 PM
    I agree tipoo. Likely harmless, but it's been interesting anyway.
    My father got scared. ;) 

    If Kary is right... I'll be on the front line myself with a rifle... gimme back my porn!
  • 4
    Anonymous, March 31, 2009 12:23 AM
    Set your computer's date to April 1st and see what happens.
  • 1
    the last resort, March 31, 2009 1:02 AM
    Commonman: Set your computer's date to April 1st and see what happens.

    HAHA. It's one of those things where in theory it shouldn't do anything, but would be really funny to do.

    I would also laugh if someone did that, and the entire worm thing got confused, and could no longer figure out what to do.
  • 0
    anamaniac, March 31, 2009 1:42 AM
    Setting to April first.
  • 0
    anamaniac, March 31, 2009 2:00 AM
    Guess I should get an infected computer first. Ha

    My father's laptop should do.