Mebroot Becomes Even Stealthier!!

Well, here is something we should all be on the lookout for:

Thousands of Web sites have been rigged to deliver a powerful piece of malicious software that many security products may be unprepared to handle.

Mebroot inserts program hooks into various functions of the kernel, or the operating system’s core code. Once Mebroot has taken hold, the malware then makes it appear that the MBR hasn’t been tampered with.

[Via PCWorld Magazine]

I will be updating my Malware Resource page for the Prevx software, but this looks to be a very bad rootkit. From my understanding of most of the security-related software, it seems this little program will become even harder to detect and remove. It also looks like this is ready to start infecting people with this rootkit. You should update every part of your system, from Windows patches to your browser. Secunia once said that most people are not fully patched!! Just like with the Conficker worm, if you're not fully patched and keeping anti-virus and firewalls on your system, then you might as well be walking on nails.
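The PCWorld excerpt says Mebroot hooks kernel functions so that the MBR looks untouched from inside the running system. The defensive consequence is that a check run on the live machine is not enough on its own: you need a second read of sector 0 taken independently (from rescue media, or with the disk attached to another machine) and a comparison of the two. The script below is an added example written for this post, not code from PCWorld, Prevx or the blog; it parses a 512-byte MBR, hashes the boot code and the partition table separately, and flags the classic bootkit pattern (boot code replaced, partition table unchanged so the system still boots). The sample MBR it builds is constructed for the demo; `read_sector0` is a hypothetical helper that simply reads the first 512 bytes of a file or block device path.

```python
"""MBR integrity baseline check (added example, not from the original post).

A bootkit that hooks kernel disk I/O can return a clean-looking sector 0 to
any tool running inside the infected OS.  Hash the sector from an
independent read and compare it with what the live system reports.
"""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"          # last two bytes of a valid MBR
PART_ENTRY = "<B3sB3sII"              # flag, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(boot_code: bytes) -> bytes:
    """Construct a minimal 512-byte MBR with one NTFS partition (demo data only)."""
    code = boot_code.ljust(446, b"\x00")[:446]
    entry = struct.pack(PART_ENTRY, 0x80, b"\x01\x01\x00", 0x07, b"\xfe\xff\xff", 2048, 1_000_000)
    table = entry + b"\x00" * 48      # remaining three entries empty
    return code + table + BOOT_SIGNATURE


def read_sector0(path: str) -> bytes:
    """Hypothetical helper: read the first sector of a disk image or block device.
    On Linux a device such as /dev/sda needs root; a raw image file works unprivileged."""
    with open(path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def parse_mbr(sector: bytes) -> dict:
    """Validate the boot signature and split the sector into hashable parts."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        raw = sector[446 + 16 * i: 446 + 16 * (i + 1)]
        flag, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, raw)
        if ptype != 0:                # type 0 means unused entry
            partitions.append({"index": i, "bootable": flag == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "code_sha256": hashlib.sha256(sector[:446]).hexdigest(),
        "sector_sha256": hashlib.sha256(sector).hexdigest(),
        "partitions": partitions,
    }


def compare_reads(live_read: bytes, offline_read: bytes) -> dict:
    """Compare the MBR as seen by the running OS with an independent offline read.

    Boot code differing while the partition table matches is the bootkit
    signature: the loader was swapped but the layout kept so the system boots.
    """
    live, offline = parse_mbr(live_read), parse_mbr(offline_read)
    code_ok = live["code_sha256"] == offline["code_sha256"]
    table_ok = live["partitions"] == offline["partitions"]
    return {"code_matches": code_ok, "table_matches": table_ok,
            "suspicious": (not code_ok) and table_ok}


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0")     # constructed "clean" loader bytes
    tampered = build_sample_mbr(b"\xeb\x58\x90\xde\xad")  # constructed replaced loader bytes
    print(compare_reads(clean, tampered))                 # boot code differs, table intact
```

Run the live and offline reads through `compare_reads`; a `suspicious` result means the loader bytes changed while the partition layout did not, which is exactly what the hooked kernel is trying to hide from tools that only look at the live read.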

Conficker Gets a New Look: Spyware Protector 2009

Looks like the Conficker worm has changed direction, according to Viruslist:

One of the files is a rogue antivirus app, which we detect as FraudTool.Win32.SpywareProtect2009.s. The first version of Kido, detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick.

The rogue software, SpywareProtect2009, can be found on spy-protect-2009.com, spywrprotect-2009.com, spywareprotector-2009.com.

[See Pictures of website at Viruslist.com]

From my understanding of this worm, it seems to be using a scareware tactic, trying to get you to pay $49.95 to remove these threats. F-Secure has also seen this worm and thinks it is doing what the Waledac virus is doing by becoming a spambot. According to ESET, the botnet is larger than most and this could create a problem in the future. It seems that it used P2P to distribute this update so they could bypass the domain blocks that were in place.

I will tell you this: if you get the warnings that you are infected, by all means go to my Malware Resource page and do a scan from the trusted sources. I will update as I get more information on this little development.

Spam Messages Go Out with Fake Conficker Alerts

Sophos' blog is reporting:

This past weekend, SophosLabs noticed a new “Conficker” theme in the content of these spam messages. Instead of saying there is a critical Windows update that needs to be applied, they say that “your Internet company” believes you to be infected, and to click the link to scan your computer.

[Via Sophos]

As in my previous post about fake anti-virus software, these sites are trying to scare you into sending them free money. You should always be cautious when it comes to sites that make you think you have a virus. Some things to consider when you visit sites that claim you have a virus:

  • Is this a true anti-virus company? If you're unsure, you can always Google the company to help you determine whether this is a fake site.
  • You should also consider going with the real deal in anti-virus. There are several different companies that I know of off the top of my head, but it should always be one that is not a fly-by-night type of anti-virus company. The real companies have people and resources watching for the latest viruses and other malware.

According to Sophos, the malware site is detected as Mal/FakeAV-AH by their system. Remember, you don't always have to buy anti-virus software; there are several good free versions out there that do a pretty good job of defending against a virus, Trojan, or computer worm. If you feel you might have a virus, you can do a free anti-virus scan to make sure you are not infected. I also suggest having a firewall installed if you have not done that yet; that will also greatly help prevent a virus or worm, but remember you are the last line of defense against malware!!

Conficker maps of US!

[Image: conficker_us_map]

The Conficker Working Group has been busy the last few days compiling data on where the Conficker worm is in the world. I am just showing one of the many pictures they have compiled.

Now I must say this isn't entirely accurate, but it gives a good impression of how many computers in the US have been infected and still need the worm removed. Given that most of these are businesses that haven't updated their Windows machines, this isn't surprising. So I am guessing that if this map is close to what we expected, some of the companies didn't do anything about Conficker during the hype.

That being said, I would like people to answer this question: Have any technicians had to disinfect systems that had the Conficker worm? Are you seeing a rise in repairs related to Conficker problems?

I was looking around the Conficker Working Group's website and I stumbled on a really good resource. It is called the Conficker Eye Chart. If certain images don't load, then you might be infected. If you want to find out if you're infected, go check the chart out for yourself.

The Group also has a great list of tools to remove the Conficker worm. Although, I have been saying for the past week that the best way to prevent getting infected is having anti-virus and firewalls. You will also need to remember that only you can prevent getting a computer virus or worm; you're the last line of defense!!

The Register Goes Down; People Are Asking, Is It the Conficker Worm?

[Image: twitterregister1]

I've heard stories from other Twitter folks about it being a denial of service attack:

[Image: twitterregister2]

Now it is possible for Conficker, with all its botnets, to try to go to the site, but I am not certain it is Conficker. It could be as simple as someone misconfiguring a server so that no one can get to it. People who want to check out what people on Twitter are saying can search for it and see for themselves. I'll update as needed when I find out more, but it will probably be a couple of hours before the site is back up, according to some reports. I'll know more later today, so stay tuned.

Update at 6:30 pm EST

We speculate that the source of the problem may have been a large scale Denial of Service attack against UltraDNS, or an internal operations problem. When we were able to successfully query UltraDNS servers, responses were slow to come back, or largely timed out. The problem began to clear itself up around 10:00 am Eastern, when we saw DNS responses returning quickly again, and our favorite sites coming back online.
[Via Dynamic Network Services Inc.]

It looks like this might have been the cause for Amazon and some other sites, including the Register. I'm not quite sure what happened, but someone talks about it on Reddit:

Wed Apr 01 | 14:37:03 >: nslookup xxx.xxx.com ;; connection timed out; no servers could be reached
Edit: Just got off the phone with Register.com support. The technician admitted to me that they have had a “server failure” and the problem is affecting all of their customers.

Although this post suggests they had a server failure, I am not quite sure what happened, but I am going to let you figure that out!! There is some really good information on Twitter, so you can try to figure it out some more for yourself.

On a side note, I've gotten the right RSS feed working; if you want to subscribe to my site and get automatic updates with full text, just subscribe to my feed.