Conficker.C


BlOoDStReAm101

In an event that hits the computer world only once every few years, security experts are racing against time to mitigate the impact of a bit of malware which is set to wreak havoc on a hard-coded date. As is often the case, that date is April 1.

 

Malware creators love to target April Fool's Day with their wares, and the latest worm, called Conficker C, could be one of the most damaging attacks we've seen in years.

 

Conficker first bubbled up in late 2008 and began making headlines in January as known infections topped 9 million computers. Now in its third variant, Conficker C, the worm has grown incredibly complicated, powerful, and virulent... though no one is quite sure exactly what it will do when D-Day arrives.

 

Thanks in part to a quarter-million-dollar bounty on the head of the writer of the worm, offered by Microsoft, security researchers are aggressively digging into the worm's code as they attempt to engineer a cure or find the writer before the deadline. What's known so far is that on April 1, all infected computers will come under the control of a master machine located somewhere across the web, at which point anything's possible. Will the zombie machines become denial of service attack pawns, steal personal information, wipe hard drives, or simply manifest more traditional malware pop-ups and extortion-like come-ons designed to sell you phony security software? No one knows.

 

Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day -- which security researchers and ICANN simply bought and/or disabled -- but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can't be tracked and disabled by hand.

 

At this point, you should be extra vigilant about protecting your PC: Patch Windows completely through Windows Update and update your anti-malware software as well. Make sure your antivirus software is actually running too, as Conficker may have disabled it.

 

 

Source

 

I'm assuming that this is the third installment of this worm that is truly going to affect a lot of people. And I do believe at some point last month, my computer got infected and I had no choice but to do a restore to factory settings. That was just Conficker.B... I can only imagine what this worm will do come April 1st. On the plus side, if someone finds out who the mastermind behind all of this is, they will receive $250,000 from Microsoft. So, happy hunting!

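The article's point that Conficker C draws from 50,000 candidate domains a day (the SRI excerpt quoted further down in this thread puts it at over 50,000 candidates spread across 110 TLDs) is what makes manual blocking hopeless, and it is also what gives defenders their counter-move: anyone who recovers the algorithm can pre-compute the same set and register, sinkhole or alert on it. The Go program below is an added example, not code from the article, from SRI, or from Conficker itself. Its generator is a generic date-seeded DGA invented for illustration (SHA-256 over the date and an index, with a made-up TLD pool), not Conficker's real algorithm; the DNS log format it reads and the log lines built in main are constructed.

```go
package main

import (
	"bufio"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// tlds is an assumed, deliberately small pool of top-level domains. The SRI
// analysis reports Conficker C spreading candidates over 110 TLDs; this
// particular list is only for illustration.
var tlds = []string{"com", "net", "org", "info", "biz", "ws", "cn", "ru", "cc", "tv"}

// RendezvousDomains returns the candidate rendezvous domains for one UTC day.
// Each candidate is derived only from the date and an index, so an infected
// host and a defender who knows the algorithm compute the same set without
// ever talking to each other. This is a generic date-seeded DGA written for
// this example; it is NOT Conficker's actual algorithm.
func RendezvousDomains(day time.Time, count int) []string {
	seed := []byte(day.UTC().Format("2006-01-02"))
	domains := make([]string, 0, count)
	var idx [8]byte
	for i := 0; i < count; i++ {
		binary.LittleEndian.PutUint64(idx[:], uint64(i))
		data := append([]byte(nil), seed...)
		data = append(data, idx[:]...)
		h := sha256.Sum256(data)
		// Label of 8..15 lowercase letters; TLD picked from the last hash byte.
		n := 8 + int(h[0]%8)
		label := make([]byte, n)
		for j := range label {
			label[j] = 'a' + h[1+j]%26
		}
		domains = append(domains, string(label)+"."+tlds[int(h[31])%len(tlds)])
	}
	return domains
}

// MatchQueries is the defender's side: it scans DNS query log lines in the
// constructed format "<timestamp> <client-ip> <queried-name>" and returns,
// per client, the names that fall inside the day's candidate set.
func MatchQueries(logText string, candidates []string) map[string][]string {
	set := make(map[string]struct{}, len(candidates))
	for _, d := range candidates {
		set[d] = struct{}{}
	}
	hits := make(map[string][]string)
	sc := bufio.NewScanner(strings.NewReader(logText))
	for sc.Scan() {
		fields := strings.Fields(sc.Text())
		if len(fields) < 3 {
			continue // malformed line: skip it rather than abort the whole scan
		}
		client := fields[1]
		name := strings.ToLower(strings.TrimSuffix(fields[2], "."))
		if _, ok := set[name]; ok {
			hits[client] = append(hits[client], name)
		}
	}
	return hits
}

func main() {
	day := time.Date(2009, time.April, 1, 0, 0, 0, 0, time.UTC)
	candidates := RendezvousDomains(day, 50000)
	fmt.Printf("%d candidate rendezvous domains for %s, e.g. %s\n",
		len(candidates), day.Format("2006-01-02"), candidates[0])

	// Constructed sample log: one client queries a generated candidate (with a
	// trailing dot, as resolvers often log it), one queries an unrelated name.
	sample := "2009-04-01T00:05:12Z 10.0.0.7 " + candidates[12345] + ".\n" +
		"2009-04-01T00:05:13Z 10.0.0.9 www.microsoft.com\n"
	for client, names := range MatchQueries(sample, candidates) {
		fmt.Printf("%s queried candidate domain(s): %v\n", client, names)
	}
}
```

MatchQueries is the piece worth keeping: feed it a day's resolver logs and that day's candidate list and it reports which internal hosts tried to rendezvous. Generate tomorrow's list today if the goal is to pre-register or sinkhole rather than merely detect; with a real DGA the hard part is recovering the algorithm and its inputs from the binary, not the lookup.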

Smells like an April Fools joke.

 

Feh I'm on a Mac so I don't really care.

How does it sound like an April Fools joke? Someone is going to write a virus and infect millions of computers just for a gag? I don't think that's a very prudent expenditure of time.

QUOTE (K^2) ...not only is it legal for you to go around with a concealed penis, it requires absolutely no registration!


Well, I'm sure Sags will be fine, assuming you're still running some Linux distro.

I should be as well. I've got XP and W7 installed on different partitions, so unless this Conficker wipes my drives completely I'll still have a usable computer.


Smells like an April Fools joke.

 

Feh I'm on a Mac so I don't really care.

How does it sound like an April Fools joke? Someone is going to write a virus and infect millions of computers just for a gag? I don't think that's a very prudent expenditure of time.

Well it does. Wouldn't be the first time a news source pulled a prank.


Just seen this news. I don't want the same thing to happen as last year. I'm going to update my Windows security and McAfee, make a backup to the Phenom and just use this Athlon. If this is just prank news, well, so be it.


Smells like an April Fools joke.

 

Feh I'm on a Mac so I don't really care.

How does it sound like an April Fools joke? Someone is going to write a virus and infect millions of computers just for a gag? I don't think that's a very prudent expenditure of time.

Well it does. Wouldn't be the first time a news source pulled a prank.

Conficker isn't just an April Fools gag cooked up by that website. It's a real piece of malware and has been able to fool and get past major security companies around the world, and it's still unknown what it is actually going to do when its timer runs out.


 

Smells like an April Fools joke.

 

Feh I'm on a Mac so I don't really care.

How does it sound like an April Fools joke? Someone is going to write a virus and infect millions of computers just for a gag? I don't think that's a very prudent expenditure of time.

Well it does. Wouldn't be the first time a news source pulled a prank.

Yeah, I guess I could save the smart-assed commentary...

 

But, Conficker has been a pretty major security concern for a while now because it's managed to infect so many PCs. It hasn't been a real problem in North America until recently, which is why not many people have heard about it. In any case, at the estimated number of infected PCs, it will be the largest botnet in the world, and by a pretty significant number.

 

To give you an idea of how bad it is: http://en.wikipedia.org/wiki/Botnet#Histor...List_of_Botnets

 

Srizbi was actually so powerful that when the ISP that most of its bots were on was taken down, global spam volume decreased by 75%. Right now Conficker is almost 20 times larger by its estimated size, and it's only getting bigger. This could have some major implications. If this was used to launch DDoS attacks, whoever the target was would practically be helpless.


For real? So the only electronic thing in my house that will be turned on that week will be my 360.

@Jam and Butter: Look at the source on the first post...

 

Turning off my computer for the whole week as well, or at least pulling the ethernet plug out to be safe. I am almost sure that I got infected by Conficker at least once. I also know that my own school got the widespread virus last month, which was most likely the Conficker "B" version of the worm. It all makes sense now.


Everyone would be much better off to update their anti-virus, and install a software firewall to monitor and control outbound connections. If your anti-virus can't catch it, the firewall will.

 

It shouldn't be too hard to avoid receiving it. Just avoid downloading files for a little while, and then after a week or so there should be signatures available for most anti-virus programs that will catch it. General downloading etiquette applies; don't open strange emails, don't download loads of random files off the internet, don't execute anything that doesn't have some kind of credentials behind it.

 

That isn't to say it's one scary son of a bitch. I found a very detailed analysis (http://mtc.sri.com/Conficker/addendumC/), and I'll just quote this excerpt (the rest is very technical).

 

Implications

 

Variant C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. In fact, we estimate that C leaves as little as 15% of the original B code base untouched, as illustrated in Appendix 3, A Comparative Assessment of Conficker B and C Process Images. Whereas the recently reported B++ variant represented a more surgical derivative of B, C incorporates a major restructuring of B's previous thread architecture and program logic, including major functional additions such as a new peer-to-peer (P2P) coordination channel, and a revision of the domain generation algorithm (DGA). It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level. In Conficker C, they have now responded with many of their own countermeasures to thwart these latest defenses.

 

For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.

 

One interesting and minimally explored aspect of Conficker is its early and sophisticated adoption of binary encryption, digital signatures, and advanced hash algorithms to prevent third-party hijacking of the infected population. At its core, the main purpose of Conficker is to provide the authors with a secure binary updating service that effectively allows them instant control of millions of PCs worldwide. Through the use of these binary encryption methods, Conficker's authors have taken care to ensure that other groups cannot upload arbitrary binaries to their infected drone population, and these protections cover all Conficker updating services: Internet rendezvous point downloads, buffer overflow re-exploitation, and the latest P2P control protocol.

 

In evaluating this mechanism, we find that the Conficker authors have devised a sophisticated encryption protocol that is generally robust to direct attack. All three crypto-systems employed by Conficker's authors (RC4, RSA, and MD-6) also have one underlying commonality. They were all produced by Dr. Ron Rivest of MIT. Furthermore, the use of MD-6 is a particularly unusual algorithm selection, as it represents the latest encryption hash algorithm produced to date. The discovery of MD-6 in Conficker B is indeed highly unusual given Conficker's own development time line. We date the creation of Conficker A to have occurred in October 2008, roughly the same time frame that MD-6 had been publicly released by Dr. Rivest (see http://groups.csail.mit.edu/cis/md6). While A employed SHA-1, we can now confirm that MD-6 had been integrated into Conficker B by late December 2008 (i.e., the authors chose to incorporate a hash algorithm that had literally been made publicly available only a few weeks earlier).

 

Unfortunately for the Conficker authors, by mid-January, Dr. Rivest's group submitted a revised version of the MD-6 algorithm, as a buffer overflow had been discovered in its implementation. This revision was inserted quietly, followed later by a more visible public announcement of the buffer overflow on 19 February 2009, with the release of the Fortify report (http://blog.fortify.com/repo/Fortify-SHA-3-Report.pdf). We confirmed that this buffer overflow was present in the Conficker B implementations. However, we also confirmed that this buffer overflow was not exploitable as a means to take control of Conficker hosts. Nevertheless, the Conficker developers were obviously aware of these developments, as they have now repaired their MD-6 implementation in Conficker C, using the identical fix made by Dr. Rivest's group. Clearly the authors are aware of, and adept at understanding and incorporating, the latest cryptographic advances, and are actively monitoring the latest developments in this community.

 

One major implication from the Conficker B and C variants, as well as other now recently emerging malware families, is the sophistication with which they are able to terminate, disable, reconfigure, or blackhole native operating system (OS) and third-party security services. We provide an in-depth analysis of Conficker's Security Product Disablement logic, to help illustrate the comprehensive challenge that modern malware poses to security products, and to Microsoft's anti-malware efforts. Conficker offers a nice illustration of the degree to which security vendors are being actively challenged to not just hunt for malicious logic, but to defend their own availability, integrity, and the network connectivity vital to providing them a continual flow of the latest malware threat intelligence.

 

Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm. Among the long history of malware epidemics, very few can claim sustained worldwide infiltration of multiple millions of infected drones. Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.

 

Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker. Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world. Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.

 

The actual analysis is definitely worth a look if you really want to piss your pants.

 

 

Conficker C incorporates a variety of strategies to secure and defend its installation on the victim host. To do this, C employs several measures to cloak its presence, as well as measures to kill or disable security products that would otherwise detect its presence. C's assault on security products begins right away, just after its mutex checks (to detect new installs from reinfections). At each process initialization, it performs an in-memory patch of the host's DNS resolution services to prevent domain lookups to a variety of security product (and research) sites. C then spawns a separate thread to halt and disable security and update services, and then enters an infinite loop. There, it continually searches for and terminates active security products and patches. These steps are performed each time C is invoked.

 

Upon first installation, C installs itself and obfuscates its presence on the victim's host. These steps allow it to avoid easy diagnosis and removal by an attentive user. It deletes all restore points prior to its infection to thwart rollback, and sets NTFS file permissions on its stored file image to prevent write and delete privileges. Most of this logic also appeared in prior versions, but here we find some extensions and updates.

 

C also incorporates logic to disable Windows' firewall protection of certain high-order UDP and TCP ports. These firewall adjustments are not performed at initialization, but rather occur when C enters its network communication logic.

 

 

In my opinion, the worst part about this is that if you're already infected, it's going to be hard to remove and stop. I really think it's going to be out of the user's hands this time.

 

@Pico

I don't really think people running Mac or any other *nix are going to be totally unaffected. With the sophistication of the code so far, I don't think it would be too unimaginable for them to attack other platforms. Mac and Linux aren't impervious; they both have very recently been shown to be vulnerable: Mac through third-party Flash exploits, and Linux has been shown to be at the mercy of the user with the new psyb0t. If I really had to pick which one I thought was more vulnerable, I would say Linux, because the coders seem to have a talent for following community development of encryption and hashing algorithms that are practically brand new; they could certainly do the same with Linux or popular open-source software that runs on it. The last BIND vulnerability, and Debian's little affinity for the number 9 causing thousands of SSH accounts to be vulnerable, must be fresh in their minds.

 

The implications of what they're going to use all this power for are more concerning. All of the security in the world won't matter for an organization that is being DDoS'd by a botnet this large.

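The SRI passage quoted above on binary encryption, digital signatures and hash algorithms describes, in effect, a code-signing scheme: a drone carries only the authors' public key and will run a downloaded binary only if the signature over its hash verifies, so the Conficker Cabal or a rival crew cannot push their own payload even after sinkholing a rendezvous domain. The Go program below is an added example written to show that property; it is not Conficker's code, not SRI's, and it does not reproduce Conficker's actual update format. It assumes a made-up wire format (length-prefixed payload followed by the signature), uses SHA-256 and RSA-PSS from the Go standard library in place of MD6 and Conficker's RSA usage, leaves the RC4 encryption layer out entirely, and signs a constructed stand-in string rather than a real binary.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Update is the assumed wire format for this example: a payload and an
// RSA-PSS signature over the payload's SHA-256 digest.
type Update struct {
	Payload   []byte
	Signature []byte
}

// SignUpdate is the operator side: hash the new binary and sign the digest
// with a private key that never leaves the operator.
func SignUpdate(priv *rsa.PrivateKey, payload []byte) (Update, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return Update{}, err
	}
	return Update{Payload: append([]byte(nil), payload...), Signature: sig}, nil
}

// Encode serialises an Update as: uint32 big-endian payload length, payload, signature.
func Encode(u Update) []byte {
	buf := make([]byte, 4, 4+len(u.Payload)+len(u.Signature))
	binary.BigEndian.PutUint32(buf, uint32(len(u.Payload)))
	buf = append(buf, u.Payload...)
	return append(buf, u.Signature...)
}

// Decode parses the wire format, rejecting truncated or oversized input
// before any cryptography runs.
func Decode(b []byte) (Update, error) {
	if len(b) < 4 {
		return Update{}, errors.New("decode: short header")
	}
	n := binary.BigEndian.Uint32(b)
	if uint64(n) > uint64(len(b)-4) {
		return Update{}, errors.New("decode: payload length exceeds message")
	}
	payload := b[4 : 4+n]
	sig := b[4+n:]
	if len(sig) == 0 {
		return Update{}, errors.New("decode: missing signature")
	}
	return Update{Payload: payload, Signature: sig}, nil
}

// VerifyUpdate is the drone side: holding only the operator's public key, it
// accepts the payload only if the signature verifies. Anyone who knows the
// format but lacks the private key cannot produce an accepted update.
func VerifyUpdate(pub *rsa.PublicKey, u Update) error {
	digest := sha256.Sum256(u.Payload)
	if err := rsa.VerifyPSS(pub, crypto.SHA256, digest[:], u.Signature, nil); err != nil {
		return fmt.Errorf("reject update: %w", err)
	}
	return nil
}

// Scenario exercises the three cases a drone must get right and reports
// whether each was accepted. Expected: genuine true, tampered false, hijack false.
func Scenario() (genuine, tampered, hijack bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return
	}
	intruder, err := rsa.GenerateKey(rand.Reader, 2048) // a third party's own key pair
	if err != nil {
		return
	}
	pub := &operator.PublicKey // the only key material a drone carries

	newBinary := []byte("constructed stand-in for a new bot binary")

	// 1. Genuine update from the operator, round-tripped through the wire format.
	u, err := SignUpdate(operator, newBinary)
	if err != nil {
		return
	}
	decoded, err := Decode(Encode(u))
	if err != nil {
		return
	}
	genuine = VerifyUpdate(pub, decoded) == nil

	// 2. Same signature, but one payload byte flipped in transit.
	wire := Encode(u)
	wire[4] ^= 0x01
	if decoded, err = Decode(wire); err != nil {
		return
	}
	tampered = VerifyUpdate(pub, decoded) == nil

	// 3. A correctly formatted update signed by someone else's key.
	forged, err := SignUpdate(intruder, []byte("constructed third-party binary"))
	if err != nil {
		return
	}
	hijack = VerifyUpdate(pub, forged) == nil
	return
}

func main() {
	genuine, tampered, hijack, err := Scenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine accepted=%v  tampered accepted=%v  third-party accepted=%v\n",
		genuine, tampered, hijack)
}
```

Scenario runs the three cases a drone has to get right: a genuine update is accepted, a payload with one byte flipped in transit is rejected, and an update signed with a second key pair (a third party who knows the format) is rejected. Decode refuses oversized or truncated messages before any cryptography runs, which is the check a naive parser of such a format usually lacks; the page's own account of the MD6 buffer overflow is a reminder that the hashing and parsing code around a signature is attack surface in its own right.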

You're telling me this is real?


Yeah, very real. There's all sorts of analysis reports done by other security organizations on this thing. It's definitely not a hoax.

 

It could, by chance, be a hoax by the actual coders. I find this very unlikely with the amount of time and resources needed to write the code and use the methods they are using. It's much more likely that it's going to be used for a giant spamming ring.

 

Who knows why they chose April 1st. Maybe they thought people will have their guards down that day? It's very likely the coders are from a country that does not even celebrate April Fools day. I think the first article mentioned that a lot of malware writers like to release their things on April 1st. It's probably just a coincidence, but it's definitely a real piece of code.


My friends are idiots. I told them about this today in class and showed them the article and all, and now they're saying they aren't going online on April 1st. They don't seem to understand that if they did have it, they already have it by now and it's just sitting in their system, waiting until the 1st to activate itself. They think it's magically going to infect millions of computers on April 1st somehow.


Ha! You cannot defeat me with Virii alone! I usually only go to 6 different websites*, none of which I know are infected or can infect me.

 

*GTAF, Wikipedia, Halo Wiki, TVtropes, YouTube and an EarthBound forum


I just hope someone finds the coder and puts him behind bars. The damage to millions of computers is definitely something to be noticed. Good thing Microsoft put a bounty on that hacker/coder. $250,000 is a lot of cash that Microsoft is offering. I'm surprised no one has found any trace of this guy as of yet. Perhaps there is a way come April 1st?


 

Make a backup to Phenom and just use this Athlon.

Wait, you're going to swap out your processor?

Hey! That's a stupid action. I've got two PCs: one uses an Athlon, the other is a Phenom I use for backing up my work. Anyway, do you think McAfee can detect this virus? It's updated, but I'm still worried because this is my first time using it. I'm not downloading any files from now on; the only websites I browse are GTAF, GameSpot and GameFAQs.


The real concern should be that you invite the malware through stupidity. People who pass malware on are not aware they have it or attempt to repair or find it.

 

I can't assume which AV will work best on this, but I advise anti-rootkit as well as antivirus tools. I would say, if need be, surf with that disposable drive you'd otherwise toss out until the 'coast is clear'.

 

If you are so overly worried about a crash and loss of data, keep the damn computer and drive OFF LINE!!! Simple solution to a complex problem.

 

No Worries Mate!


Ha! You cannot defeat me with Virii alone! I usually only go to 6 different websites*, none of which I know are infected or can infect me.

 

*GTAF, Wikipedia, Halo Wiki, TVtropes, YouTube and an EarthBound forum

How can you get it?

 

I have AVG, and it tells me if the websites are safe or not.

Also, I only use some social networking sites and here, generally safe websites.

 

What's a good firewall to use?


Truth is, those are precautions. I don't know how my systems got infected; it wasn't obvious to me. So the thing is, GET the FREE (if need be) antivirus/anti-rootkit tools running together, and avoid the easy falls like files that are not trustworthy or anything that could be phishing.

 

Invoke a scan of your system DAILY or every other day. Mine updates more than once a week, so if I can, I reboot to install things just in case, and run scans when I leave a system on; it's good to do it then so it doesn't hamper operations.


Depends if the majority of experts think it's low risk because of the projected date, but I'm doubting that as it stands. The threats out there ARE real. I've put data at risk, even now I suppose, BUT my biggest problem was with three memory cards that stopped working for me this week. I can't help but wonder if a computer acting strange caused them to fail? Well, one failed more than a week ago; one was a Lexar Mem Stick Duo, the other a Sony Micro Vault USB. Sadly, that one was pretty cool; I saved the compression software on a standard HDD if memory serves. It compresses and decompresses all data optionally!


Make a backup to Phenom and just use this Athlon.

Wait, you're going to swap out your processor?

Hey! That's a stupid action. I've got two PCs: one uses an Athlon, the other is a Phenom I use for backing up my work. Anyway, do you think McAfee can detect this virus? It's updated, but I'm still worried because this is my first time using it. I'm not downloading any files from now on; the only websites I browse are GTAF, GameSpot and GameFAQs.

Yes, I'm only going on GTAF and Youtube until this dies down.


I don't think it would, because, as far as I know, it will activate whenever it's April 1st where the main computer is (the one to which all infected PCs are linked). And cause mayhem everywhere. Or do nothing.

 

Anyone thought of Skynet when reading about it?

