
Conficker tracking - all's quiet, so far

Elinor Mills CNET News | April 1, 2009 4:18 AM PDT

April 1, 6:35 a.m. PDT: McAfee says its Avert Labs is seeing Conficker-infected hosts attempting to call their "master" to get instructions, but those calls are not getting through. "This could be deliberate and the infected hosts may try again later, perhaps over the weekend when people aren't watching as closely," McAfee spokesman Joris Evers says. McAfee has more on a podcast, and for technical details on what the worm is doing, McAfee Avert Labs has an updated blog posting.

April 1, 3:27 a.m. PDT: At F-Secure, a Wednesday morning post says there's still nothing much to report, other than a few April Fools' jokes circulating on the Web:

So it's been April 1st for almost 18 hours now in New Zealand and it's the early hours of April 1st on the east coast of the United States. So what's going on? So far -- nothing. Infected computers are generating the list of 50,000 domains and are attempting to contact 500 of those like we've described earlier, but so far no update has been made available (by the bad guys).

March 31, 7:25 p.m. PDT: Trend Micro's Paul Ferguson reports that things seem quiet. "So far, there's been no significant activity," he said, adding that a Trend Micro researcher in the Philippines reported seeing the same amount of traffic on Wednesday as he had been seeing the past few days in Asia-Pacific.

March 31, 4:00 p.m. PDT: The Conficker worm is stirring on some infected computers in Asia where it's April 1, but so far the activity is very tame, security researchers say.

"We've seen activity in honeypot machines in Asia...They're generating the 50,000 list of (potential) domains to contact," said Paul Ferguson, an advanced threats researcher for Trend Micro.

The latest variant of the worm, Conficker.C, was set to activate on April 1. For some infected machines that means April 1 local time and for others April 1 GMT, depending on whether the machine is turned on and connected to the Internet, he said.

The process seems to be starting slowly: infected machines generate the list of domains, pick one, try to contact it, and wait before moving on, working through 500 of those 50,000 domains, according to Ferguson.

The owners of infected computers likely won't notice anything, unless they find they can't reach security vendors' Web sites; that is how they will know they are infected, he said. Trend Micro has worked out a way to restore access to the sites the worm blocks, using a Microsoft networking service, he said. More details are on the Trend Micro site.
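The symptom Ferguson describes, security vendors' sites unreachable while the rest of the Web works, is easy to turn into a self-check. The script below is an added illustration, not Trend Micro's tool, and it assumes the block shows up at name resolution, so it compares DNS lookups of a few vendor hostnames against lookups of unrelated "control" hostnames (both lists are my choice). A corporate filter can produce the same pattern, and a clean result does not prove a machine is uninfected.

```python
"""Self-check for the symptom the article describes: security vendors' sites
become unreachable while the rest of the Internet works.

Added illustration, not Trend Micro's tool.  Assumption: the block shows up
at name resolution, so we compare DNS lookups of vendor hosts against lookups
of unrelated "control" hosts.  A block can also come from a corporate filter,
and a clean result does not prove the machine is uninfected.
"""
import socket
from typing import Callable, Dict, Iterable, Tuple

# Hostnames chosen for illustration (assumption); any security vendor sites and
# any unrelated sites would do, as long as the two groups are kept separate.
VENDOR_HOSTS = [
    "www.symantec.com",
    "www.mcafee.com",
    "www.trendmicro.com",
    "www.f-secure.com",
    "update.microsoft.com",
]
CONTROL_HOSTS = ["www.wikipedia.org", "www.cnet.com"]

Resolver = Callable[[str], bool]


def dns_resolves(host: str) -> bool:
    """True if the host resolves with the system resolver."""
    try:
        socket.gethostbyname(host)
        return True
    except OSError:  # gaierror, timeout, or no network at all
        return False


def triage(
    resolve: Resolver = dns_resolves,
    vendor_hosts: Iterable[str] = VENDOR_HOSTS,
    control_hosts: Iterable[str] = CONTROL_HOSTS,
) -> Tuple[str, Dict[str, bool], Dict[str, bool]]:
    """Classify the pattern of failures.  `resolve` is injectable so the logic
    can be exercised offline with a fake resolver."""
    vendor_ok = {h: resolve(h) for h in vendor_hosts}
    control_ok = {h: resolve(h) for h in control_hosts}

    if not any(control_ok.values()):
        # Nothing resolves: no network, or DNS is down.  Says nothing either way.
        verdict = "offline-or-dns-down"
    elif all(vendor_ok.values()):
        verdict = "no-block-observed"
    elif not any(vendor_ok.values()):
        # Control sites fine, every vendor site dead: the pattern the article
        # describes.  Worth examining the host offline or from another machine.
        verdict = "security-sites-blocked"
    else:
        verdict = "partial-block"
    return verdict, vendor_ok, control_ok


if __name__ == "__main__":
    verdict, vendor_ok, control_ok = triage()
    print("verdict:", verdict)
    for host, ok in {**vendor_ok, **control_ok}.items():
        print(f"  {host:24s} {'ok' if ok else 'FAIL'}")
```

Run it on the suspect machine itself; a result of "security-sites-blocked" is only an indicator, and the follow-up is to scan the host from clean media or from another machine rather than to trust anything the suspect host reports.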

"Nothing at this point; we're running updates every half hour or so," Dave Marcus, director of security research for McAfee Avert Labs, said when asked to report what he was seeing. "They're supposed to connect to one of a variety of Web sites and download a piece of code. What that code is supposed to do is up in the air."

IBM ISS's X-Force group also reported that things were quiet, at least for the moment, in Asia where most of the infections are. Nearly 45 percent are in Asia, followed by Europe at about 30 percent, 13.6 percent in South America and 5.8 percent in North America, according to the Frequency X blog.

IBM ISS also said it had found a way for ISPs to detect infected computers on a network by monitoring the peer-to-peer communications the worm makes between infected PCs.

Experts say the worm could be used to steal passwords or other sensitive data from infected computers, or turn them into a botnet that sends out spam.

The worm exploits a vulnerability in Windows that Microsoft patched in October 2008 (MS08-067), and it also spreads through weakly protected network shares and via removable storage devices such as USB drives.

Conficker.C also shuts down security services, blocks the computer from connecting to security Web sites, and downloads a Trojan. It reaches out to other infected computers via peer-to-peer networking, and it is programmed to contact 500 of the 50,000 domains it generates each day to receive updated copies of itself or other malware, instead of the 250 domains per day that earlier versions used.
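The rendezvous scheme the article describes (a date-seeded list of 50,000 candidate domains, of which each infected host polls only 500) is worth seeing in code, because it shows why the jump from 250 to 50,000 matters. The block below is an added example written for this page; its hashing, label lengths and TLD list are assumptions for illustration and are not Conficker.C's actual algorithm. The date is passed in by the caller, since the article notes that different hosts may derive it differently (local time versus GMT).

```python
"""Illustrative domain-generation rendezvous in the shape the article
describes: a date-seeded list of 50,000 candidate domains per day, of which
each infected host polls only 500.  Added example; the hashing, label lengths
and TLD list below are assumptions for illustration, NOT Conficker.C's actual
algorithm.
"""
import hashlib
import random
import string
from datetime import date
from math import comb
from typing import List, Union

TLDS = ["com", "net", "org", "info", "biz"]  # assumption: short illustrative list
DAILY_TOTAL = 50_000
POLLED_PER_HOST = 500


def daily_seed(day: date, nonce: bytes = b"illustrative-dga") -> int:
    """Same date -> same seed on every host, which is what lets the bots and
    the operator agree on the day's list without talking to each other."""
    digest = hashlib.sha256(nonce + day.isoformat().encode()).digest()
    return int.from_bytes(digest[:8], "big")


def generate_domains(day: Union[date, str], count: int = DAILY_TOTAL) -> List[str]:
    """Deterministic list of `count` distinct pseudo-random domains for `day`
    (a date or an ISO string, however the host obtained it)."""
    if isinstance(day, str):
        day = date.fromisoformat(day)
    rng = random.Random(daily_seed(day))
    seen, domains = set(), []
    while len(domains) < count:
        label = "".join(rng.choices(string.ascii_lowercase, k=rng.randint(5, 10)))
        d = f"{label}.{rng.choice(TLDS)}"
        if d not in seen:
            seen.add(d)
            domains.append(d)
    return domains


def pick_contact_set(domains: List[str], k: int = POLLED_PER_HOST, host_seed: int = 0) -> List[str]:
    """Each host polls its own random `k` of the day's list.  Seeded here only
    so the choice is reproducible; a real bot would use fresh randomness."""
    return random.Random(host_seed).sample(domains, k)


def p_rendezvous(registered: int, total: int = DAILY_TOTAL, polled: int = POLLED_PER_HOST) -> float:
    """Probability that a host polling `polled` of `total` names hits at least
    one of the `registered` names the operator actually controls that day.
    Exact hypergeometric complement: 1 - C(total-registered, polled) / C(total, polled)."""
    return 1.0 - comb(total - registered, polled) / comb(total, polled)


if __name__ == "__main__":
    day = date(2009, 4, 1)
    todays = generate_domains(day)
    mine = pick_contact_set(todays, host_seed=1234)
    print(f"{len(todays)} candidates for {day}; this host polls {len(mine)}, e.g. {mine[:3]}")
    for r in (1, 10, 100, 500):
        print(f"operator registers {r:>3} domain(s) -> P(a given host reaches one) = {p_rendezvous(r):.3f}")
```

The asymmetry is the point: with one registered domain a given bot has a 1 percent chance of reaching it on a given day, and with a hundred registered domains roughly a 63 percent chance, while anyone wanting to deny the operator the channel has to register or sinkhole all 50,000 names for that day across every TLD the algorithm uses, rather than the 250 the earlier variants generated.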

This article was originally posted on CNET News.

Talkback Most Recent of 39 Talkback(s)

  • Interesting...
    ... since the amount of spam I've received today is much greater than it has been in the past. Somebody has ramped up the effort on the bad guys' side.
    ejhonda
    1st Apr 2009
  • windozefreak
    1st Apr 2009
  • RE: Conficker tracking - all's quiet, so far
    Hrmmm well no duh! Did you actually think there was going to be some giant uproar? Of course not! This thing was DOA since the patch has been out for quite some time. It was more media scare tactics than anything, and even ZDNet is in that guilty party.
    Loverock Davidson
    1st Apr 2009
  • It's all an April fools joke! Don't be fooled!
    Conficker is wreaking havoc all over the world but the industry has conspired to play one big practical joke on all of us by pretending everything is OK. Just wait until you wake up tomorrow and when the joke is over and you'll see the damage that has been done.
    ye
    1st Apr 2009
  • I have to agree with you on this, Lovey.
    "This thing was DOA since the patch has been out for quite some time. It was more media scare tactics than anything, and even ZDNet is in that guilty party."

    Even media outlets can't get it right. I've seen stories that Conficker infects patched Windows NT 5.x/6.x systems, Mac OS X machines, Mac OS Classic machines, Linux machines, and various distributions of UNIX. Windows is the only target OS affected by this bug, and MS08-067 fixed the vulnerability for Conficker. The only OSes I've seen conflicting information on are Windows NT 4 and Windows 9x/ME.

    The moral of the story: if you're a home user, make sure you do your automatic updates, and if you're a business user, make sure you keep your patches as close to up-to-date as possible.
    nix_hed
    1st Apr 2009
  • Like the flu.
    You may not get sick from this year's flu virus because there are enough people who got the flu shot (read: vaccination) to prevent the flu virus from passing from an infected person to a vaccinated person; the chain is broken, since the vaccinated person can't get sick and retransmit it to another person, and that person could be you.
    Similarly with this worm: with all of the news and people telling people to update their systems, the worm didn't go too far, since an infected machine is probably hitting an updated and safe system, and thus the chain is broken.
    We need to wait a while to be sure, but for now the Conficker-infected systems are hitting mostly protected systems, so it is not as bad as it could be. However, we don't know what is up the sleeve of the makers of Conficker, so we need to wait to see if this person/people will change the operation of the worm on the fly or not.
    phatkat
    1st Apr 2009
  • I drive a Mac. YAWN.
    I'm going to pop some popcorn, sit back, and watch the circus unfold. From the bleachers. As a spectator.
    ZDNet Gravatar
    Geedavey
    1st Apr 2009
  • I drive four patched Windows systems. YAWN.
    Funny, none of my four Windows systems have been infected. Maybe it is because I'm not one of those "smart" people who disable automatic updates, and therefore have been patched for almost 5 months now.

    Mac users only wish their OS was as successful as Windows. Not even the bad guys consider it a worthwhile target. Having an installed base of 1.1 billion users certainly makes Windows a worthwhile target, even after it has already been patched, thanks to dimwits that turn off automatic updates (yes, the number of unpatched Windows systems is still more than all of OS X - ouch!). We all know by now that OS X certainly isn't harder to hack than Windows. On the contrary, it was stated multiple times by the security experts at Pwn2Own that it was the easiest to hack of all the mainstream OSes.

    So if I were you I'd stop making everyone else keep bringing that point up every time.
    Qbt
    1st Apr 2009
  • PWN2Own was all about the browser hacks, not the OS hacks
    Besides, if I was trying for free hardware, I'd go for the Apple instead of the VAIOs, simply because I could sell it for a higher price on Craigslist.
    nix_hed
    1st Apr 2009
  • Missed the important bits
    "PWN2Own was all about the browser hacks, not the OS hacks"

    Maybe, but the important parts were the security experts' comments afterwards about OS X and how it was the easiest to exploit.

    But hey, whatever excuse you can come up with to cover up the fact that Apple once again had its @ss handed to it on a plate when the playing field was leveled by making the incentives to hack it equal for all platforms. Sorry, we are not buying your spin. OS X has been exposed for the security joke it really is.

    Keep hoping Apple maintains their pathetically low marketshare, since it seems to be the only thing between you and the hackers.
    Qbt
    1st Apr 2009
  • Go back and re-read what he wrote.
    I'll quote the relevant part:

    "On the contrary, it was stated multiple times by the security experts at Pwn2Own that it was the easiest to hack of all the mainstream OSes."
    ye
    1st Apr 2009
  • Does not change the fact that a patched OSX
    was taken total control of.

    Sure, it does matter how they got in (but then they will always find a way); what is even scarier is what they can do once they are in, which is why we do not use Macs.
    GuidingLight
    1st Apr 2009
  • Wrong
    "was taken total control of. "

    Um, no it wasn't. Try rereading the report.
    DeusExMachina
    2nd Apr 2009
  • The Circus is Already Here
    And, you don't need popcorn to participate.
    windozefreak
    1st Apr 2009
  • My Mac runs Windows...
    ... and my Windows is fixed. Even then, Mac OS X will eventually have an issue like this.

    Moral of the story - patch.
    nix_hed
    1st Apr 2009
