Conficker is just "hours" away.
So what's the fuss about Conficker? See this excerpt from the TrendMicro APAC newsletter I got three days ago:
Worm_downad had infected more than 15 million computers, making it one of the widespread infections in recent times.
A new variant of worm_downad (aka Conficker) is expected to be launched on April Fool’s day.
Compared to the old variants, worm_downad.kk is more sophisticated. Here are a few of the payloads :
- Connects to various time servers to determine the current date and time.
- Register itself as a system service to ensure auto execution every startup.
- Deletes a registry key to prevent system startup in safe mode.
- Terminates security-related processes (i.e. procexp, regmon, autoruns, gmer etc.)
- Blocks access to security and antivirus websites.
- Generates 50,000 malicious URLs and attempts to connect to around 500 random generated URLs at a time.
In the network, we can scan for Conficker with Nmap, as posted by SkullSecurity. And of course, from Insecure.org (official Nmap website):
The Conficker worm is receiving a lot of attention because of its vast scale (millions of machines infected) and advanced update mechanisms. Its botnet army is scheduled for new updates and instructions starting on Wednesday (4/1), and nobody (except the bad guys) knows exactly what those instructions will be.
Thanks to excellent research by Tillmann Werner and Felix Leder of The Honeynet Project and implementation work by Ron Bowes, David Fifield, Brandon Enright, and Fyodor, we've rolled out a new Nmap release which can remotely scan for and detect infected machines. Nmap 4.85BETA5 is now available from the download page, including official binaries for Windows and Mac OS X.
To scan for Conficker, use a command such as:nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For a deep analysis on Conficker, see this article by SRI International.
Cheers to all!
Cheers to all!
