Reports: Conficker From China, Easily Detected

With April 1 drawing nearer, the Conficker fear has really started to set in. As security experts endeavor to reveal the origin of the virus, others are trying to figure out a method to detect the virus and neutralize the sense of impending doom.

As of Monday, it looks like there’s progress on both fronts. According to the Register, experts have discovered that the malware leaves a fingerprint on machines which is easy to detect using off-the-shelf scanners. While previous methods of detecting the virus have been extremely arduous, this discovery means that admins now have easy-to-use tools with which to identify infected machines in their networks. The Reg goes on to report that as of mid-Monday, signatures will be available for at least six network scanners, including Nmap, McAfee's Foundstone Enterprise and Nessus.

Meanwhile, back at the ranch, those desperately seeking information about the virus or where it came from also seem to be making headway. CNet reports that in response to Microsoft’s offer of a bounty amounting to $250,000 for information leading to an arrest, personnel at BKIS, a Vietnamese security firm that makes the BKAV antivirus software, said Monday that they found clues that the virus may have originated from China. Previous reports speculated that the virus came from Russia or Europe.

With over ten million PCs infected, the Conficker worm is supposedly lying dormant awaiting further instructions. Both F-Secure and Sophos say that although the Conficker worm will do something on April 1, triggering a global virus attack is highly unlikely. In fact, the worm will merely contact its growing network to receive updates, and perhaps change its behavior.

"So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 500 out of 50,000 domains a day to do the same thing," said F-Secure.

The security firm also said that the latest version is not the most common Conficker worm. In fact, most of the contaminated machines are infected with the B variant that became widespread back in January. According to F-Secure, the B variant will not update on April 1; the newer variant, however, might do something new.

"We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do," F-Secure added.
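The behavior F-Secure describes (one host resolving hundreds of distinct domains a day, with a published list of rendezvous domains available to compare against, as one commenter below notes OpenDNS does) suggests a simple defensive check over DNS query logs. The example below is added here and is not code from the article, F-Secure or OpenDNS; the log format, the watchlist entry and the threshold are constructed assumptions.

```python
"""Flag clients whose DNS lookups resemble Conficker's daily domain polling.

Two checks over a DNS query log:
  1. a client resolving an unusually large number of distinct names in one
     day (the article cites 250/day, rising to 500/day for the new variant);
  2. any lookup of a name on a watchlist of known rendezvous domains.
The log lines and the watchlist are constructed for this example.
"""
from collections import defaultdict

# Constructed log format: "<date> <time> <client-ip> <queried-name>"
SAMPLE_LOG = """\
2009-03-30 08:00:01 10.0.0.5 www.example.com
2009-03-30 08:00:02 10.0.0.5 mail.example.com
2009-03-30 08:01:00 10.0.0.9 qwtkz.example.net
2009-03-30 08:01:01 10.0.0.9 plmqa.example.org
2009-03-30 08:01:02 10.0.0.9 zxcvb.example.biz
2009-03-30 08:01:03 10.0.0.9 rendezvous-placeholder.example.info
2009-03-31 09:00:00 10.0.0.9 www.example.com
"""

# Constructed placeholder; a real deployment would load a published list.
WATCHLIST = {"rendezvous-placeholder.example.info"}

def parse_log(text):
    """Yield (date, client, name) tuples, skipping malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        date, _time, client, name = parts
        yield date, client, name.lower().rstrip(".")

def distinct_names_per_day(records):
    """Map (client, date) -> set of distinct queried names."""
    seen = defaultdict(set)
    for date, client, name in records:
        seen[(client, date)].add(name)
    return seen

def flag_hosts(text, threshold=250, watchlist=WATCHLIST):
    """Return sorted (client, date, reason) findings for the given log text."""
    findings = set()
    for (client, date), names in distinct_names_per_day(parse_log(text)).items():
        if len(names) >= threshold:
            findings.add((client, date, "high-distinct-domain-volume"))
        for name in names & watchlist:
            findings.add((client, date, "watchlist:" + name))
    return sorted(findings)
```

The volume threshold should be tuned to the network; the small sample above only trips it when the threshold is lowered, while the watchlist check fires regardless.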

With the level of panic flying around at the moment we’re more inclined to believe that the panic itself is more contagious or dangerous than the worm. For now, we’ll treat it seriously but not take it seriously. Expect the best but prepare for the worst, and all that.

  • tester3000
    This is gonna be epic. LOl
  • tayb
    What? From China? No way...
  • juvealert
    Can someone link how I would know if I have the virus installed or not? Does anyone know if NOD32 is capable of detecting the virus?
  • Shnur
    juvealert: Can someone link how I would know if I have the virus installed or not? Does anyone know if NOD32 is capable of detecting the virus?

    have no idea... it should be, because it's a good way for anti-virus vendors to prove that they are good and that they can protect you from it. nod32 has a good reputation so it's in their interest to keep it and to get a signature done asap.
  • CChick
    Any up-to-date AV scanner will be able to detect ver B without any issue.

    The newest one is being updated atm. So just keep checking your AV scanner.

    but seriously speaking, I have no pity to whoever gets hit by this, it was using an old ass "exploit" to get people infected, so yeah it's for people that's too retarded to update their systems ... hahaha. My friend's sister got hit, and I was laughing my ass off. Since she tries to blame me for the infection when I never even touched her comp, suck it bitch.
  • LuxZg
    Well, I have used these Conficker news as an excuse to finally do some updating in our small company.. I spent all day bringing some older computers up to XP SP3+all patches, not to mention an old server from Windows 2000 to Server 2003 SP2 and stuff like that.. I still have a lot of work for tomorrow, but something bad for something good, eh? At least after I'm done I'll know that all computers in the network are on the same level of in(security) and updated as they should be :)

    and if that stopped any malicious operations, then all the better ;)
  • juvealert
    sry guys to ask this question, but does anyone know if Conficker can hijack Microsoft Outlook 2003?

    thanks for the reply
  • nekatreven
    We started forwarding to opendns for external dns lookups at the office. Some people love opendns, some hate it...

    I'm on the fence myself, and we may go back to using root servers later, but opendns has (bought, or otherwise) the list of control domains for Conficker, and will tell us if our network starts making requests to look the control domains up.
  • gamerk316
    In two begins...
  • fuser
    Who is panicking?