Do You Know The 4 Ways Of Stopping The Conficker Virus?

by Lee on January 24, 2009 · 60 comments

in Malware

CONFICKER’S MO

Once Conficker has gained access to a system it installs itself by copying a randomly named dynamic link library (DLL) into the system directory (%SystemRoot%\system32); some variants drop further copies elsewhere on the disk.

Next, Conficker registers that DLL as a Windows service, hosted by svchost.exe, so that it is loaded automatically every time the machine starts.

Cunningly, it also alters registry entries to conceal the service it created, restricting the permissions on the service’s registry key so that it is hard to inspect or delete.


The next step is for the worm to propagate itself.

It does this by attempting to spread through the local network in two ways: by exploiting the Server service vulnerability (MS08-067, see below) on unpatched machines, and by brute-forcing usernames and passwords on network shares with a built-in list of common weak passwords. A side effect of that password guessing is that domain accounts can get locked out, which is often the first symptom an administrator notices.

Additionally, Conficker copies itself to any removable media it finds, such as external hard drives, flash drives, memory cards, etc., together with an autorun.inf file so that the copy is launched when the device is opened on another machine.

Removing Conficker can be somewhat tricky because it blocks access to the best-known security websites (Microsoft, McAfee, Norton/Symantec, etc.) by intercepting DNS look-ups for names containing those vendor strings, and it disables Windows services such as Automatic Updates and Windows Defender. This seriously reduces the effectiveness of anti-virus solutions, since they can no longer fetch updates, and stops the user downloading a removal tool.

4 WAYS TO STOP THE CONFICKER VIRUS

Here, then, are 4 ways to either stop or hamper the spread of Conficker -

1. Firstly, ensure that you are up to date with all your operating system patches from Microsoft. The worm gets into a machine over the network through the Server service RPC vulnerability that Microsoft patched out-of-band in October 2008 (MS08-067, KB958644). A patched machine cannot be infected by that route, although it can still be infected through a weak share password or an infected USB stick, so the other three steps still matter.

2. Always, always ensure that you have anti-virus installed and kept totally up-to-date. Because Conficker blocks the vendors’ update servers, anti-virus that suddenly stops updating should be treated as a sign of possible infection rather than a product glitch.

3. Control the use of USB and other external devices on your system, and disable AutoRun so that an autorun.inf on an inserted drive cannot launch anything by itself. Even if you know what to look out for, other family members may not.

4. The domains listed below are known to be used by Conficker to update itself. Block them all with your firewall, and at your router or DNS resolver too if you can, so that every machine on the network is covered. If you don’t have a firewall, get one! Bear in mind that the worm generates fresh domain names every day, so a fixed block list hampers it but is not a complete defence.

MALICIOUS DOMAINS

The Conficker worm (also known as Downadup) will, at some point, try to contact one or more of the following domains in order to download further (and, presumably, malicious) updates -

btddc.com

d34ft.com

23drf.com

cscs7.com

mgaazz.com

hhgg3.com

trafficconverter.biz

So make sure you block them!
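The checks that follow are one added example, not from the original article and not any vendor’s removal tool: a PowerShell 2.0 script for an administrator on a Windows XP SP3, Vista or Server 2003/2008 host that (1) checks whether KB958644 (the MS08-067 patch) is installed, (2) lists members of svchost’s netsvcs service group that show the signs described under CONFICKER’S MO (a service registry key that cannot be read, or a service DLL with no version/company information), (3) tests whether well-known security vendor names still resolve, (4) disables AutoRun for every drive type, and (5) sinkholes the domains listed above in the hosts file. The function names, the $ConfickerDomains variable, the www.google.com control name in the DNS test and the “no company name” heuristic are the example’s own assumptions; the domain list is the one the article gives.

```powershell
# Added example, not from the original article or any vendor tool: triage and
# hardening for one Windows host. Assumes PowerShell 2.0 on XP SP3 / Vista /
# Server 2003-2008, run from an elevated prompt. Function names and the
# $ConfickerDomains variable are this example's own; the list is the article's.

$ConfickerDomains = @('btddc.com', 'd34ft.com', '23drf.com', 'cscs7.com',
                      'mgaazz.com', 'hhgg3.com', 'trafficconverter.biz')

# Step 1: the network entry point is the Server service RPC flaw fixed by
# MS08-067 (KB958644). Win32_QuickFixEngineering lists installed hotfixes.
function Test-MS08067Patch {
    $fix = Get-WmiObject -Class Win32_QuickFixEngineering |
           Where-Object { $_.HotFixID -eq 'KB958644' }
    if ($fix) { '[OK]   KB958644 (MS08-067) is installed' }
    else      { '[WARN] KB958644 (MS08-067) is missing: patch before cleaning anything' }
}

# MO check: the worm runs as a randomly named DLL registered as a service in
# svchost's netsvcs group and locks down its own registry key. Report each
# group member whose key cannot be read, or whose ServiceDll carries no
# company name (Microsoft's own service DLLs all do), for a human to review.
function Get-SuspiciousNetsvcs {
    $svchost = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    foreach ($svc in (Get-ItemProperty -Path $svchost).netsvcs) {
        $params = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
        $dll = $null; $reason = $null
        try {
            $dll = (Get-ItemProperty -Path $params -ErrorAction Stop).ServiceDll
        } catch [System.Management.Automation.ItemNotFoundException] {
            continue    # group member with no Parameters key: nothing to inspect
        } catch {
            $reason = "service key unreadable: $($_.Exception.Message)"
        }
        if ($dll) {
            $path = [Environment]::ExpandEnvironmentVariables($dll)
            try {
                $info = (Get-Item -LiteralPath $path -ErrorAction Stop).VersionInfo
                if (-not $info.CompanyName) { $reason = 'ServiceDll has no version/company information' }
            } catch { $reason = "ServiceDll cannot be read: $($_.Exception.Message)" }
        }
        if ($reason) {
            New-Object PSObject -Property @{ Service = $svc; ServiceDll = $dll; Reason = $reason }
        }
    }
}

# Symptom check: the worm hooks DNS so that names containing security vendor
# strings do not resolve. www.google.com is a control: if it fails too, the
# problem is connectivity, not Conficker.
function Test-SecuritySiteDns {
    foreach ($name in 'www.microsoft.com', 'www.symantec.com', 'www.mcafee.com', 'www.google.com') {
        try {
            [System.Net.Dns]::GetHostAddresses($name) | Out-Null
            "[OK]   $name resolves"
        } catch {
            "[WARN] $name does not resolve"
        }
    }
}

# Step 3: stop autorun.inf on removable media from launching anything.
# 0xFF disables AutoRun for every drive type; a Policies key under HKLM
# applies to all users of the machine.
function Disable-AutoRun {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name NoDriveTypeAutoRun -Value 0xFF `
                     -PropertyType DWord -Force | Out-Null
}

# Step 4, host-side version: point each listed name at 0.0.0.0 in the hosts
# file, skipping names that already have an entry. This covers only this
# machine and only these names; block at the router or resolver as well.
function Add-HostsSinkhole {
    param([string[]] $Domains)
    $hosts = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    $lines = @(Get-Content -Path $hosts)
    foreach ($d in $Domains) {
        $pattern = '^\s*\S+\s+' + [regex]::Escape($d) + '\s*$'
        if (-not ($lines -match $pattern)) {
            Add-Content -Path $hosts -Value "0.0.0.0`t$d"
        }
    }
}

Test-MS08067Patch
Test-SecuritySiteDns
Get-SuspiciousNetsvcs | Format-Table Service, ServiceDll, Reason -AutoSize
Disable-AutoRun
Add-HostsSinkhole -Domains $ConfickerDomains
```

Run it elevated and read the output as hints, not verdicts: a host that received the MS08-067 fix through a later service pack or roll-up may not list the KB, a machine that is offline or resolves through a proxy will fail the DNS test for innocent reasons, and a service DLL without a company name deserves a closer look (compare against a clean machine) rather than immediate deletion. On XP and Server 2003 the NoDriveTypeAutoRun value is only honoured fully once the AutoPlay update KB967715 (February 2009) is installed. The hosts-file sinkhole protects just this machine and just these seven names; the router or resolver block from step 4 is what covers the rest of the network and the names the worm generates later.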

FEEDBACK

Have I missed anything?

Can you offer any more advice on how to stop or avoid the confiker virus?

LATEST : Conficker may have just installed a keystroke logger.

NEW : 10 Articles explain everything you need to know about Conficker

Article by

Lee's non-technical background allows him to write about internet security in a clear way that is understandable to both IT professionals and people just like you who need simple answers to your security questions.

Lee has written 2278 awesome articles for us at Security FAQs


COMMENTS (42)

Anupam Kumar February 4, 2010 at 5:39 pm

What are the recent updates for the Conficker worm?

Lee February 5, 2010 at 1:05 am

Hi Anupam

My latest post about Conficker was a couple of weeks ago : http://www.security-faqs.com/the-conficker-worm-proved-to-be-the-biggest-problem-in-2009.html

Let me know if there is any specific information you are after and I’ll try and find it for you…


Lee April 4, 2009 at 11:56 pm

LOL. Too true! :D


Karsul April 4, 2009 at 12:07 pm

99.99% of all computer issues are caused by the person sitting between the chair and the keyboard.


Lee April 2, 2009 at 10:04 am

Very good point Jeff – people believe the Mac is immune to viruses.

It isn’t though, it’s just targeted less as Windows is far more widespread.


Jeff April 2, 2009 at 7:27 am

The idea that Macs never get viruses, or specifically can’t, is a myth that Mac users love to believe.

Macs are nothing more than x86 pcs running a custom build of a specialized Linux.

Yea, regular x86 pc hardware and the software os is just a version of Linux… Deal with it fan boys.

And you can get viruses. There just are not many viruses for macs because there aren’t enough people using them, and linux is by its nature a fairly secure OS in the first place. (It was written as a secure network ready os from the ground up.) If Mac was the big dog in town, there would be tons of viruses written for mac, and few for windows, but that’s how the cookie crumbled for Apple.

*Disclaimer – I am neither a Windows, Linux, Mac, or any other OS you can think of fan boy. I use all of them for their strengths, which is why I am aware of all of their weaknesses.


Anupam Kumar April 1, 2009 at 7:27 pm

iPolicy Networks is providing detection and prevention for the Conficker worm through its IDS signature. The link below has more details:

http://ipolicynetworks.com/technology/files/W32.Worm.Conficker.html


texmo April 1, 2009 at 4:52 pm

What if I think I am already infected with Conficker? I can’t go to Microsoft’s or McAfee’s websites.


Lee April 1, 2009 at 9:25 am

No – if you have live update it should be an automated process.


Hot Mommas Project April 1, 2009 at 3:13 am

Q: If we have Symantec and live update, do I need to run this (mentioned by Justin?)

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

I am really hesitant to run an executable at the 11th hour here.


Justin March 31, 2009 at 3:50 pm

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99

The removal tool. Remember, you won’t even know you’re infected till it’s too late. Run this, it was just released :)

Lee March 31, 2009 at 10:47 am

Exactly – most people use Windows, regardless of its merits vs the Mac OS, because it is so entrenched in their lives.


Lee March 31, 2009 at 10:46 am

Why do you think that Windows is a virus Joe?


Joe Krahn March 30, 2009 at 11:31 pm

> PC is far more superior than mac.
That is just dumb. The reason is that the CAD software is better because the MS-Windows PC has a larger market.

MS-Windows has a much better software selection, but the OS itself is definitely inferior.


Lee March 30, 2009 at 10:03 am

I totally agree with you but it’s a fact that (for whatever reason) the majority of computer users run Windows.


jonathan March 30, 2009 at 3:38 am

I have the program and the steps to destroy it, so write to me and I’ll tell you.

OS11 March 30, 2009 at 1:07 am

You can always get a Mac running OSX and you won’t have to worry about problems like that. The way BSD Unix is constructed, viruses cannot spread. So that’s the best option to end these types of “Windows based” problems.


Spud March 26, 2009 at 1:29 pm

#3 clarification… I have a mouse, external DVD, camera, external hard drive and additional USB port plugged into USB ports. What will that allow or cause to happen???


Arjan March 21, 2009 at 8:58 am

This virus is using many more domain names nowadays. You may consider using the free http://www.opendns.org as they are blocking such domains. In other words: if you (or the virus) ask OpenDNS for the IP address of some domain, and it has been blocked, then you (or the virus) won’t get it.

See http://blog.opendns.com/2009/02/09/stats-are-back-and-conficker/



tharry berry March 2, 2009 at 4:43 pm

My boyfriend is working in an IT support company in Malaysia. His company is facing this Conficker virus and he told me they are having a lot of trouble removing it.

If you can tell me how you did it, maybe I can update my boyfriend about it.

Lee January 28, 2009 at 1:10 am

Ha ha, I understand – mine are just the same!


MadeInHeaven January 27, 2009 at 4:36 pm

Point 3 is good as my kids are totally clueless about security.


Lee January 26, 2009 at 12:19 pm

With computer security you have to be proactive – reactive normally spells trouble for sure.


GIweb January 26, 2009 at 8:14 am

Indeed, it is surprising how many people ignore these warnings and expect AV or patches to be done for them.


Paddy January 25, 2009 at 2:07 pm

Excellent article, thanks. I had Conficker on my own system and it was difficult to remove.


Lee January 24, 2009 at 10:02 pm

I was having a few hosting issues and am in the process of moving my sites to different places. When that one moves I will certainly be writing some more.


Lee January 24, 2009 at 10:01 pm

You should know… it’s a photo of you :D


Col January 24, 2009 at 9:01 pm

P.S. Have you forgotten the ancient Egypt site? I haven’t seen anything new for a couple of weeks.


Col January 24, 2009 at 9:00 pm

Cool pic! Where’d you find that one?


Lee January 24, 2009 at 6:45 pm

Ohhhh it’s a tricky one alright Trev. Glad you got rid of it though :)


Lee January 24, 2009 at 6:45 pm

That’s a very good point Tom, thanks for adding that.


Trev January 24, 2009 at 6:36 pm

It took me 6 hours to remove this damn Conficker virus from my system :(


Tom Reynolds January 24, 2009 at 5:59 pm

You could, and should, block all those malicious domains at the router level too if you are using one.


Kate January 24, 2009 at 5:34 pm

I just grabbed the patch from the MS site. Thanks.


Lee January 24, 2009 at 6:44 pm

You’re welcome Kate.


Lee January 25, 2009 at 7:37 pm

I’m glad you got rid of it in the end Paddy :)


Lee March 22, 2009 at 7:54 pm

That’s good to hear :)


Rotten.Apples March 30, 2009 at 9:08 pm

Why don’t we ask why the majority of Architects used AutoCAD instead of MicroStation… the reason is clear; PC is far more superior than mac.


Joe Krahn March 30, 2009 at 11:32 pm

It’s because Microsoft Windows IS a virus, spread by social engineering.


Lee April 1, 2009 at 12:33 am

Thanks for that link Justin.


Lee April 2, 2009 at 12:59 am

That is a sign that you may well be infected. Do you have McAfee installed and up-to-date at the moment?

