Minggu, 30 Juni 2013

Free Download Operating System Microsoft Windows 8.1 Full Version !!!

Across the world the majority of computer users are still using Windows 7 operating system, and Windows 8, Windows recently announced the update of the version of Windows 8, the Windows 8.1 operating system. Although only minor changes, but Microsoft presents Windows 8.1 with new features to complement the previous version. 

Microsoft seems to be really heard many complaints about the way the interaction with its predecessor, Windows 8. It is seen with a variety of changes to the operating system (OS) is the latest Microsoft. The changes really just minor, but these changes seem to be able to restore a sense of comfort that had disappeared in the use of Windows 8.

Probably one of the most anticipated changes is the Start button. Yes, Microsoft finally return the keys that had disappeared from Windows 8. The "new" is actually just a metro-style Start screen displays when it is clicked. If desired, the user can make the Start Screen display the "all apps" to restore the workings of the traditional Start button.

Users can also right-click on the Start button to see some of the other menus, such as Task Manager, Control Panel, Search, and Run. In fact, the user can turn off the PC via the Shut Down menu directly through the menu. 

Users can also set the Start screen and the desktop using the same wallpaper. This feature makes the user will not be too confused if you want to move from the desktop to the Start Screen.

Screen lock screen did not escape the changes. Now users can install photo slideshow, receive Skype calls, and access the camera directly from the screen.

Although only minor changes, but Microsoft presents Windows 8.1 with new features to complement the previous version. In an event that was held some time ago in San Francisco, United States, users can download the final version of Windows 8.1 by year-end through the Windows App Store, while who can not wait can already taste it through the Microsoft website. 

Overall there are a lot of new features offered by the software giant, but Microsoft is more menintikberatkan the capabilities desired by the user. 

Start menu Windows 8.1 coming back

Start menu Windows 8.1 coming back

Well, of dozens of new features in Windows 8.1, there are several features that are considered important by users, the following 12 new features in Windows 8.1: 
  1. Automatic Update Application. Applications that you download from the App Store now Microsoft will update itself every time the developer released a new version. Later origin connected to the Internet, users will no longer find the update notification icon of the application that is embedded in the Windows App Store. However, there is some confusion what would happen if the renewal application requires more permissions like access to the site or contact list. A spokesman for Microsoft said that it will automatically update as well, even though it may violate some privacy rules Microsoft. 
  2. The return of the Start button. Having previously eliminated Microsoft on Windows 8, the Start button is now re-presented in the Windows 8.1 version. Features is quite small, but this is quite helpful. The button will take the user to the main page of Windows 8. Also, the Start button will give you access power user command to turn off or turn on the device again. 
  3. 4 Running Applications Simultaneously. Window in Windows 8.1 now allows you to work with up to four apps on one screen through Snap.Tapi features does this depends on the screen size of the device you are using. For example, if the user is using a large screen such as a notebook, then let you run 4 of each application on each screen. However, the smaller the range tablet 8 inch will still restrict you to open two windows. 
  4. Mode 'Hands-free'. Updates are not less attractive in Windows 8.1 is a mode called 'hands-free'. Users can scroll through web pages were read without touching it. This mode will be connected to the camera screen is usually printed on the tablet or laptop. So when you waved a hand in front of the screen, then read the article will move. 
  5. Opening Camera While Locked. Microsoft added some new features that better matched for small sized tablet embedded with Windows 8.1. Later, the user can use the camera without opening the tablet. Small features that have great functionality for penggunananya. Also, Microsoft added some new moves for the screen keyboard to make typing on a smaller screen easier. 
  6. More updates home page. New customization in Windows 8.1 lets you choose a desktop background color more and more diverse. It also lets you change the size Tiles.Pengguna can also change the look to a classic Windows 7 interface. It can be temporary with a set period of time. Personalize in customization allows users to some background Tiles with interesting pictures. 
  7. Alternative Miracast Bluetooth. Miracast is an alternative to Bluetooth that offers high-speed wireless connections to other devices. It can connect the projector to a Windows 8.1, Xbox One, other gaming consoles wirelessly to a TV or other device supports Miracast over, too. This is great for streaming video or playing a game of small tablets to larger, such as a TV. 
  8. Booting to Classic Mode. As we all know, Windows 8 offers a frontal changes, including in terms of the interface. Unfortunately, not all the fashion boxes like those operating systems. After a lot of feedback from customers who ask for it, Microsoft is finally allowing users to boot the computer to the classic desktop mode instead of Windows 8 menu. To activate this mode, the user will be able to perform a number of settings through the settings in the settings. 
  9. New Search technology. Windows 8.1 using Microsoft's Bing search technology. As with previous versions, users can find the search bar on the right side of the screen. Instead of looking for files or applications in the form of a category, Windows 8.1 allows the possibility to look up anything on the computer or the Web in a single step. Leblond, Head of Windows Program Management said, "We think this will really change the way you interact with the web and with Windows making it quicker and easier to get something diinginkan.Ini is a modern version of the command line. Results from a local file, applications and settings are easily accessible in the same cozy look by rolling to the left. 
  10. Get connected to SkyDrive. To store photos, files and important documents, Windows 8.1 provides a connection to Microsoft's online storage system, SkyDrive. Files can be stored directly, and even when offline, SkyDrive application will get the new update after files are made available to users. 
  11. Using the Web Browser Internet Explorer 11. Latest OS will be available to use Internet Explorer 11. With a better performance than the current, users can load pages faster and some other new features. Leblond give an example that one can customize the look of modern IE11, to always display the address bar and have a lot of tabs open as you want. 
  12. Have the Outlook application. Outlook email application present in Windows 8.1 for free with a lightweight version of Windows, called Windows RT made for tablets like the Microsoft Surface. 

More complete all the new features in Windows 8.1 "Blue" build 9369 can be found in the following list:. 

  • Metro Applications

  1. New Alarms application.
  2. New Calculator application
  3. New Movie Moments application.
  4. New Sound Recorder application.
  5. New File Manager replaced Skydrive application.
  6. References to Windows Defender application.
  7. Updated Settings application.
  8. Automatic updates.

  • User Interface

  1. Bigger/Smaller tiles for start screen.
  2. Slide up from start to view all apps screen.
  3. Slide to Shutdown feature.
  4. Color slider for theme.
  5. Slideshow for lock screen.
  6. Start screen sync.
  7. New search animation.
  8. Altered search panel.
  9. Multiple snapped applications on wide screen.
  10. Now apps can be snapped too on screen resolutions below 1366 x 768.
  11. Half-Half option for metro applications.
  12. Metro applications on multiple monitors.
  13. Thinner borders for some desktop applications.
  14. No transparent window on minimizing/closing.
  15. Support for touchpad gestures without any additional driver.
  16. Start screen group naming can be done without zooming out.
  17. Switching apps now lets you decide to put on left or right snap.
  18. Button on bottom of start page to enter app list.
  19. Search bar on the app list page.
  20. New animation for opening apps.
  21. Save on SkyDrive by default option.
  22. New device depending start screen icons.
  23. Access camera from lock screen by sliding down.

  • Internet Explorer

  1. Synced tabs feature.
  2. Download list feature on metro version.
  3. Useragentstring added "like Gecko" which Firefox uses.
  4. History wipe on desktop like the one in metro version.
  5. References to WebGL support.
  6. References to Spdy-protocol support.
  7. Metro styled F12 Developer Tools

  • Kernel

  1. Less ram usage.
  2. References to Minkernel.
  3. References to BaseFS.
  4. References to 3G/4G tethering.
  5. References to barcode scanning.
  6. References to Spdy-protocol support.
  7. Support for wireless displays (In Settings app)
  8. Support for touchpad gestures (In Settings app)
  9. ReFS enabled for client. Not only server anymore.
  10. DirectPlay. New Windows Feature.

  • (Resilient File System) Key features of the new file system (ReFS)

  1. Metadata integrity with checksums.
  2. Integrity streams providing optional user data integrity.
  3. Allocate on write transactional model for robust disk updates (also known as copy on write).
  4. Large volume, file and directory sizes.
  5. Storage pooling and virtualization makes file system creation and management easy.
  6. Data striping for performance (bandwidth can be managed) and redundancy for fault tolerance.
  7. Disk scrubbing for protection against latent disk errors
  8. Resiliency to corruptions with "salvage" for maximum volume availability in all cases.
  9. Shared storage pools across machines for additional failure tolerance and load balancing.

You are interested to try it out?
Please download it free at the following link:

Download Full Version Microsoft Windows 8.1
Product Key: NTTX3-RV7VB-T7X7F-WQYYY-9Y92F
English 32-bit (x86), file size = 2.8 Gb

English 64-bit (x64), file size = 3.8 Gb

For those of you who are interested in the other language versions please visit the Microsoft website:

Author : Yohanes Gitoyo.
http://www.hariandialog.com/ , Kamis, 27 June 2013 10:43.
http://www.didno76.com/, Sabtu, 29 Juni 2013.
Diposkan oleh Yohanes Gitoyo, S Pd. di 6/30/2013 12:45:0

Minggu, 23 Juni 2013

All About Worm W/32 Conficker/ Downup/ Downadup/ Kido

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker infected millions of computers including government, business and home computers in over 200 countries, making it the largest known computer worm infection since the 2003 Welchia.

History Conficker.

The origin of the name Conficker is thought to be a portmanteau of the English term "configure" and the German pejorative term Ficker. Microsoft analyst Joshua Phillips gives an alternate interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz (with the letter k, not found in the domain name, added as in "trafficker", to avoid a "soft" c sound) which was used by early versions of Conficker to download updates.


The precise origin of Conficker remains unknown. The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that these were decisive factors in allowing the virus to propagate quickly.

Working group members stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the virus, but declined to reveal further technical discoveries about the virus' internals to avoid tipping off its authors. An initial variant of Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts. The payload of Conficker.E was downloaded from a host in Ukraine.


Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus' combined use of so many has made it unusually difficult to eradicate. The virus' unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the virus' own vulnerabilities.

Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. The Conficker Working Group uses namings of A, B, B++, C, and E for the same variants respectively. This means that (CWG) B++ is equivalent to (MSFT) C and (CWG) C is equivalent to (MSFT) D.
  1. Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator (PRNG) seeded with the current date to ensure that every copy of the virus generates the same names each day. The virus then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
  2. Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A. To counter the virus' use of pseudorandom domain names, Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began in February 2009 a coordinated barring of transfers and registrations for these domains. Variant D counters this by generating daily a pool of 50,000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until April 1) is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the virus' peer-to-peer network. The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial-of-service attack (DDoS) on sites serving those domains.
  3. Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
  4. Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker are allowed through, effectively turning the vulnerability into a propagation backdoor.
  5. Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the virus is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.

Initial infection.
  1. Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer.[43] On the source computer, the virus runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the virus in DLL form, which it then attaches to svchost.exe.[34] Variants B and later may attach instead to a running services.exe or Windows Explorer process.
  2. Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.
  3. Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.

To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.

To prevent payloads from being hijacked, variant A payloads are first SHA-1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key. The payload is unpacked and executed only if its signature verifies with a public key embedded in the virus. 

Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits. Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6.

Variant C of the virus resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated. An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.

End action
Variant E of the virus was the first to use its base of infected computers for an ulterior purpose. It downloads and installs, from a web server hosted in Ukraine, two additional payloads:
  1. Waledac, a spambot otherwise known to propagate through e-mail attachments. Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.
  2. SpyProtect 2009, a scareware rogue antivirus product.

  1. Account lockout policies being reset automatically.
  2. Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
  3. Domain controllers responding slowly to client requests.
  4. Congestion on local area networks (ARP flood as consequence of network scan).
  5. Web sites related to antivirus software or the Windows Update service becoming inaccessible.
  6. User accounts locked out.


Recent estimates of the number of infected computers have been notably difficult because the virus has changed its propagation and update strategy from version to version. In January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011.

Impact in Europe.
Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.

The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.

On 2 February 2009, the Bundeswehr, the unified armed forces of Germany reported that about one hundred of their computers were infected.

An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. USB flash drives have since been banned, as this was believed to be the vector for the initial infection.

A memo from the Director of the UK Parliamentary ICT service informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorised equipment to the network.

In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people.


On 12 February 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.
  • From Microsoft.

As of 13 February 2009, Microsoft is offering a $USD250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.
  • From registries

ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus' domain generator. Those which have taken action include:
  1. On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names informed by the Conficker Working Group and reviewed a hundred already registered from the worm list.
  2. On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by the virus over the next 12 months.
  3. On 27 March 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names informed by the Conficker Working Group.
  4. On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."
  5. On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the virus over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack to legitimate domains which happen to be in the generated set.
  6. On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the virus.
  7. By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective.

Removal and detection.

Microsoft has released a removal guide for the virus, and recommends using the current release of its Windows Malicious Software Removal Tool to remove the virus, then applying the patch to prevent re-infection.

Third-party software
Many third-party anti-virus software vendors have released detection updates to their products and claim to be able to remove the worm.

Automated remote detection

On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely. The peer-to-peer command protocol used by variants D and E of the virus has since been partially reverse-engineered, allowing researchers to imitate the virus network's command packets and positively identify infected computers en-masse.

Signature updates for a number of network scanning applications are now available including NMap and Nessus. In addition, several commercial vendors have released dedicated scanners, namely eEye and McAfee.

It can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests.

The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media. Prior to the release of Microsoft knowledgebase article KB967715, US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively. US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.

How to install and run the Sophos Conficker Removal Tool on a single computer ?

What malware does the Sophos Removal tool remove? 

Details of the specific pieces of malware that this tool will remove are listed on the Sophos Website as follows:
Mal/Conficker-A, Mal/Confick-Dam, Mal/Conficker-B, Mal/ConfInf-A, Troj/ConfData-A, Troj/ConfDr-B, Troj/ConfDr-C, Troj/ConfDr-Gen , W32/ConfDr-Gen, W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D, W32/Confick-F, W32/Confick-G, W32/Confick-H, W32/Confick-I, W32/Confick-K, W32/Confick-L, W32/Confick-M, W32/ConfikMem-A, W32/ConfikMem-B

How to install and run the Conficker removal tool on a single computer
  • Download the file Sophos Conficker Removal Tool.msi and save it to a convenient location on your computer, e.g. your Desktop.
  • Double-click the icon and work through the installation wizard. After you have clicked 'Finish' a shortcut is placed on your Desktop.
  • You have 3 options for running the tool:
  1. The installation GUI allows you to run it immediately.
  2. You can run the GUI version by double-clicking the icon on your desktop.
  3. There is a command line version which can be found in Program Files\Sophos\Sophos <threat name> Cleanup Tool\cli.exe. NOTE: You may prefer to run the tool when your computer is not busy with other tasks. Details on how to run it as a script are given in the article Deploying the Sophos Removal tool over a network.
  • When you open the GUI version of the tool, it displays the 'Sophos Removal Tool' window. It displays the name and location of the log file it is creating.
  • Click 'Start Scan' and it will scan the predefined areas for malware. If it finds any malware it will automatically remove it following the scan.  The software will prompt you if a reboot is required following malware removal.

How to install and run the Conficker removal tool on a network
If you want to deploy the tool across a network,
  1. Download the tool as described above.
  2. Read the following section of this article, entitled 'IMPORTANT'.
  3. Go to the knowledgebase article Deploying the Sophos Removal tool over a network for instructions on deploying the tool across a network.
You may see any of the following possible issues:
  1. Occasional failure to remove Conficker service key: The tool will report a failure to cleanup but only a service key will remain. This happens when Conficker has executed for the first time and there has not been a reboot since. It happens because the service key, which has odd permissions restricted to the local user, has not yet been registered in the Service Control Manager. The OS does not have complete knowledge about this service until the next reboot so de-registering the service may not function as expected. Once a reboot has occurred the service is registered and there are no issues with complete removal. Please note that the existence of stray service entries that do not point to Conficker are not detrimental to the functioning of the computer. The same information applies to Sophos Anti-Virus. NB: If the binary component of Conficker has already been removed, the service will not be removed because detection of the service is context-based because it references Conficker.
  2. Removal of scheduled tasks: The Conficker removal tool removes scheduled tasks based on context, i.e. they point to Conficker. If the Conficker binary has been removed already then the context for the scheduled tasks is lost and so they will not be removed. We do this context-based cleanup to ensure that we do not remove scheduled tasks which are not created by Conficker.
  3. Conficker coming back: The Conficker removal tool does not have on-access scanning. It will not prevent other infected computers on the network from re-infecting the computer which has just been cleaned with the tool. This is a common occurrence with network worms so you must ensure that you take precautions to prevent re-infection form other computers on your network. For more advice on this, refer to the Knowledgebase article Sophos Anti-Virus for Windows 2000+: Removing W32/Confick and Mal/Conficker, see the sections describing how to lock down your network and prevent re-infection.

Uninstalling the tool 
Following use, you can remove the tool using Windows Add/Remove programs.

Removing W32/Confick and Mal/Conficker with Sophos Anti-Virus

This article describes how to remove Conficker from your computers if you have Sophos Anti-Virus installed. You can download the Sophos Conficker cleanup tool from the HERE

This article describes the actions of the viruses of the Confick family on your computers and explains how to remove them.

Please note: you must follow all of the steps in this article carefully in order to completely remove the Conficker virus outbreak on your network. This virus replicates itself very easily and re-infects computers and shared network folders. These instructions, when followed carefully, will remove the virus outbreak completely.
  • Refer to the Sophos Security webpages for more information about this family of viruses.
  • Confick viruses spread through the MS08-067 vulnerability.
  • Microsoft released a critical security patch for this in October 2008: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
  • Further information is also given at the bottom of this article.
  • Ensure that all the computers on your network have anti-virus software installed and that their protection is up to date.

About the W32/Confick and Mal/Conficker 

Variants of this malware may be known by other names including: W32/Confick-A, W32/Confick-B, W32/Confick-C, Mal/Conficker-A, W32/CONFICKMEM-A, W32/CONFICKMEM-B, W32/CONFICK-D, WORM_DOWNAD.AD, W32/Conficker.worm, Worm:Win32/Conficker.gen!A, Worm:W32/Downadup, Net-Worm.Win32.Kido.

There are three main infection methods that Confick can use:
  • Spreads via the MS08-67 exploit

In most cases, this is how the virus gets on the network in the first place. The virus takes advantage of the Microsoft exploit:
  1. A copy of the worm is created in the Temporary Internet files folder with a JPG or PNG extension. (These are the first files to appear on the system when it is infected.)
  2. A dll file is created within the System32 folder, e.g. C:\Windows\System32\amcophji.dll
  3. A service is created to run the dll file
  4. It runs as a handle within one of the svchost.exe processes - normally the same one running Netsvcs

You can stop it spreading by this method by applying the patch and cleaning the computer.

  • Spreads via Windows file sharing 

Once on the network the virus can spread using the Microsoft exploit (above) or by accessing the file and admin shares on the network.

When it infects a computer it creates a file with a random name and a random extension within the System32 folder. A scheduled task (running as SYSTEM) will execute this file using rundll32.exe.

  1. A dll file is created with a random extension and name within the System32 folder - e.g. C:\Windows\System32\zdtnx.g
  2. A scheduled task(s) is created to run the above randomly named file using rundll32.exe
  3. The task(s) is called AT*.job where * is a sequential number
  4. It will be running within a rundll32.exe process
  5. There will be one rundll32.exe process running for every scheduled task that has been created
To stop it from spreading by this method, file and print sharing must be disabled until all computers have been fully cleaned.

The Sophos on-access scanner will prevent re-infection as it prevents these scheduled tasks from running. The worm DLL file may be present on disk, but it will not be allowed to run as long as the on-access scanner is enabled.

  • Spreads via removable media such as USB drives

When a removable drive is connected to an infected computer, the Conficker worm will
  1. create a copy of itself in the RECYCLER\S-x-x-xx-xxxxxxxxxx-xxxxxxxxxx-xxxxxxxxx-xxxx folder on that drive (where x consists of random numbers)
  2. drop the file autorun.inf in the root director of the drive.

These files and directories are hidden.

The autorun.inf file will cause the worm to run when the drive is connected to a Windows computer with autoplay enabled, or when the drive is opened in Windows Explorer.

When the worm runs from a removable drive, it will copy itself to the Windows\system32 directory with a .dll extension and set up service registry keys in the same way as the previous infection vectors.

What to do
This is a four stage process, and you must perform all of these steps
  1. Scanning Preparation
  2. Quarantining the network to prevent the spread of infection
  3. Locking down services to prevent spread/execution - using Windows Group Policy
  4. Cleaning up the infections

You are advised to also read the knowledgebase article Sophos Anti-Virus: Tracking and finding Conficker infections.

Ensure that the settings described in the following procedure are applied to all computers. This will allow the Sophos on-access scanner to prevent the virus, whether as a service or a task, from loading on the computer .

1. Scanning Preparation

  • Patch ALL of the computers (infected and uninfected) with MS08-067 (KB958644)
  • Set the On-access scanner policy within the Enterprise Console to:

  1. On-Read
  2. On-Write
  3. Deselect 'Automatically Cleanup'
  4. Choose 'Do Nothing' as the actions OR 'Deny Access'.

  • Ensure HIPS is set to:

  1. Detect Suspicious Behaviour = True
  2. Detect Buffer Overflow = True
  3. Alert Only = False

  • Enable the scanning of all files during on-demand scans:

  1. Open the Anti-Virus policy(ies) on the Enterprise Console
  2. Click on 'Extensions and Exclusions'
  3. Tick the box to scan all files
  4. Press ok

  • Ensure that the Anti-Virus policy has been applied to ALL computers
  • In some cases you will need to reboot a computer. (See step 4b below.)

2. Quarantining the network to prevent the spread of infection

Do one of the following:
  • Disconnect all infected computers from the network by unplugging their network cables.

  • Use client-side firewalls to prevent network access:

If using Sophos Client Firewall (which must be installed on all client computers - see your licence to ensure you are able to use the product):
  1. Open Enterprise Console and edit the Firewall policy
  2. Go to the LAN tab and deselect the NETBIOS options for all network connections

If using Windows Firewall via Group Policy:
  1. Edit your Group Policy for ALL computers
  2. The setting can be found under Computer Configuration|Administrative Templates|Network|Network Connections |Windows Firewall|Domain Profile|Windows Firewall: Allow file and printer sharing exception
  3. Double click and choose to disable.

Using either of these methods could prevent Sophos updates from being downloaded, we suggest that you either :
  1. Add an exception to allow file and print sharing access to your EM Console server/update servers
  2. Setup a WebCID to allow updates to be carried out through HTTP, please see article: 38238

3. Locking down services to prevent spread/execution - using Windows Group Policy

  • Disable Task Scheduler Service - (note, scheduled scans will not work after this, you can still use the right-click 'Full System Scan' from the Enterprise Console.) 

  1. Computer Configuration|Windows Settings|Security Settings|System Services
  2. Locate the 'Task Scheduler' Service
  3. Define this policy.
  4. Set to 'Disabled'

  • Disable USB Autoplay. This must be done correctly as described in the Microsoft knowledgebase http://support.microsoft.com/kb/953252. If this is not done correctly the worm may be able to execute if the USB drive is opened in Explorer or double-clicked from My Computer.

All of the above can be re-enabled when you are satisfied that your entire system is clean and that they have all been patched against MS08-67..

4. Cleaning up the infections

Depending on which action you took in 2 above, do one of the following:

Computers have been disconnected: 
  • Logon with local administrator rights. Do not log on as a domain administrator.
  • Open Quarantine Manager, select all items and click 'Clear from List'.
  • Run a full system scan. One of the following will result:
  1. If the full scan reported an instance of W32/ConfickMEM-A or W32/ConfickMEM-B, clean up this item from the QM and then immediately perform another full scan and cleanup again.  W32/ConfickMEM-A or W32/ConfickMEM-B indicates an active Conficker infection on this computer, so it should be cleaned up as a priority compared to other Conficker detections. This cleanup will terminate the worm in memory and allow the second full scan to detect the worm files on disk.
  2. If the full scan reported that one or more files in the Windows\system32 directory could not be scanned (Error text: '<filename> returned SAV Interface error 0xa0040210: The file could not be accessed') and there were no instances of W32/ConfickMEM-A or W32/ConfickMEM-B reported in the scan, ensure the on-access scanner is enabled as described above, then reboot the computer and perform another full scan. 
  • This computer may have an active infection of Conficker that is preventing the file on disk from being scanned. Rebooting allows the on-access scanner to stop the worm loading and allow the file to be scanned.
  • Run cleanup from the quarantine manager once the scan has finished.
  • Cleanup may prompt for a reboot in order to remove all the components.
  • Scan the machine again to ensure that it is clean.

Client-side Firewalls have been used to prevent file sharing: 

In Enterprise Console:
  1. Acknowledge alerts and errors within the Enterprise Console.
  2. Scan all computers at the same time by right-clicking on them in the console and selecting 'Full System Scan'.
  3. Run cleanup on all computers by right-clicking and selecting 'Cleanup threats'.
  4. Cleanup may prompt for a reboot in order to remove all the components.
  5. Scan the computers again.
  6. Cleanup again if required.

5. Re-infection

If Windows file sharing cannot be disabled, or if an infected computer or USB stick is introduced into the network, reinfection of computers that have already been cleaned up may occur. In these cases, computers running the Sophos on-access scanner are protected against reinfection but will still receive a copy of the worm DLL via file sharing from the infected computer.

These instances will be reported in the Quarantine manager as on-access detections and should be treated as a secondary concern; priority should be given to cleaning up computers with an active detection of Conficker as described above.

Once all computers with an active Conficker infection (i.e. W32/ConfickMEM-A or W32/ConfickMEM-B, as described in Section 4, step 3,1) have been cleaned up, the worm DLLs on uninfected computers can be removed via a full scan and cleanup, and will not return.

Further background information

Refer to the Sophos Security webpages for more information about this family of viruses.

Confick viruses spread through the MS08-067 vulnerability. Microsoft released a critical security patch for this in October 2008: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

  1. To check if the patch is installed, go into Add\Remove Programs and look for KB958644 (ensure that the 'Show updates' box at the top is ticked).
  2. Enable HIPS and BOPs and make sure that "Alert only" is switched off. This should prevent re-infection, however HIPS does not block the virus from running.
  3. This infection also spreads via network shares. It tries to crack passwords of user accounts using a crude dictionary. If an account cannot be cracked it may end up being locked out because of incorrect password attempts (depending on how Active Directory has been set up).
  4. The virus seems to copy a random file name with random file extension to the c:\windows\system32 folder. It also creates a scheduled task named ATx.job - where x is a number. The scheduled task seems to run the file in the system32 folder.
  5. The virus may try to contact a number of websites, some of which are legitimate
  6. It will try to obtain updates for itself from various domains. The use of client firewalls will greatly help to stop the spread of the virus.
  7. This virus will also spread via USB drives and other removable devices, please ensure that they are scanned and cleaned before using them again.
  8. You can prevent the creation of new scheduled tasks via a group policy using the following article- http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/92819.mspx?mfr=true
  9. Using the firewall methods above will prevent Sophos updates from working. There are two ways around this:
  • Setup the secondary server details within the Enterprise Console's updating policy so that the computers can update from Sophos - see article: 12354
  • Add an exception to the firewall policies to allow File and Print sharing connections to the EM Console/EM Library server(s). This can cause the server(s) to be infected as client computers are able to access them.
10. The files that are dropped on the computers are related to the computer name. This means that for a given variant of Conficker, the file name of the dropped DLL on a certain computer will always have the same random name.

Sabtu, 22 Juni 2013

5 Mega Test Tools Network Conficker Detection.

Along with the rise of Swine Flu (Swine Flu) that infect humans and, according to the WHO already at level 4 crunch, airports around the world instantly on alert to monitor the passengers from Mexico and the United States. 

If the world were a source of the spread of a computer virus is a virus-infected file, then in the real world, which is infected with the virus and become a means of spreading the virus is human. Because it applying airports scanning passengers suspected of having the flu by using body temperature scanners because people with the flu (of any kind) must have experienced an increase in body temperature because the body reacts to a foreign virus entry. Actually, the principle is the same in the computer world, when airports use the body temperature scanners at the airport are internet routers and applications that are used instead of human body scanners but Firewall. But there is one advantage possessed by the world of IT than the human world (when compared) today, where the human world is not possible (very difficult and expensive) to be able to monitor the whole man in the city and determine who is infected with flu. If the world of IT we can use a special scanner to detect which machines are infected with the virus so it can be anticipated that a quick and effective way to deal with the virus.

After conducting tests on some tools to eradicate Conficker, the next step is the most crucial if you are a network administrator to identify which machines are infected with the virus and tried to spread the virus. Therefore, Vaksincom perform testing for computer tools to detect Conficker infected tissue and attempt to spread to computers in the network. If we just do the cleaning on one computer alone would not be a problem, but what if the infected computer in your network, but you do not know which machine is infected, because computers sometimes infect our network unexpected, such as notebook computers are often taken home by leadership or part that is often foreign service. Moreover, if we convict a particular computer is infected with viruses, of course, we have to have evidence.

Conficker and symptoms (in the network ....).
If the symptoms described earlier mega conficker test on the computer they will be, so this time we have to know the what conficker impact on the network, as follows:
  • Tried to download and try out access to 250 domains (Conficker B) or 50,000 domain (Conficker C) are random. Here are some random domains TSB:

ect ..................

  • Attempted access to a common domain to check the current time. Some of the domain are:


  • This virus is basically trying to make the distribution through the windows share using the default port 445, but other than that Conficker also uses port 1024 s / d 10,000 to make the distribution on a computer network.

The Tools, Conficker Detection Network .

Of several existing tools, Vaksincom do some testing tools that are familiar and frequently used. Tools TSB issued by several security vendors to help facilitate the detection of Conficker attack on your network.

Here are some tools that are available as follows:
  • Wireshark

Wireshark / Ethereal is one of the many tools Network Analyzer are widely used by network administrators to analyze network performance and also the mainstay tools Vaksinis (Vaksincom technician). Wireshark much preferred because interfaces that use Graphical User Interface (GUI) or a graphic display. Wireshark is able to capture packets of data / information that milling in the network's find out. All types of packet protocols of information in various formats will be easily captured and analyzed. Tools are available in various versions of the OS, such as Windows, Linux, Macintosh, etc..
At the beginning of the emergence and development of Conficker, this tool is the pioneer of the tools used by some security vendors to analyze packets of data / information in a network of Conficker attack. You can download Wireshark on http://www.wireshark.org/download.html.

At the time of installation, pay attention to activate and install the plugin MATE (Meta Analysis Tracing Engine), because it is not activated by default. This plugin can function to filter all data packets of various network protocols in the past. Besides the WinPcap installation process is also included. Perform installation of WinPcap, WinPcap is a driver that is used to read and to filter traffic packet data / information being passed. (See figure 1)

Figure 1, Wireshark in action
Fairly easy to use, when you are running Wireshark, just select the Capture tab and select the Interfaces list. At interfaces capture options, select the appropriate network LAN / Ethernet card and then click the start button. Wireshark also has the ability to scan the computer between segments.

For detection of Conficker, do filter with protocol NBNS (NetBIOS Name Service) then note the info provided, generally NBNS hostname will read the computer but if NBNS read than hostname computers in this case are the domains targeted by Conficker, then they will be a source IP infected computer and trying to deploy and update itself.
  • Nmap (Network Mapper) 

Nmap (Network Mapper) is a network exploration tool and exclusively into one of the frequently used by network administrators. With our Nmap can perform a search to the entire network and find out what services are active on specific ports. Nmap is one of the most widely used tools for network scanning and renowned as a multi-platform tool, fast and lightweight. Nmap runs on all OS types, both console and graphical mode. Amazingly, not like Wireshark, Nmap scan in MS08-067 vulnerability exploited by Conficker that can help administrators determine that any computer that still has vulnerabilities that can be exploited by Conficker. In addition, Nmap also has an advantage that might make a great network administrator in love, he can perform computer scanning between segments.

The emergence and development of Conficker, Nmap with the help of source code from Tillman Werner and Felix Leder of The Honeynet Project, has released a new version with additional features for the detection of Conficker infected computers. You can download the latest version at http://nmap.org/download.html.

Nmap installation process is pretty easy, just like Wireshark, Nmap also perform the installation of WinPcap (if not already installed). If you have installed WinPcap, usually there will be an error and the installation of WinPcap preferably skip it. (See figure 2)

Figure 2, NMAP is also capable of monitoring the network is not less than Wireshark

For its use, either console or GUI mode, we still use the command command. Use of command to detect Conficker there are 2 ways:
  1. Scan network with a read port 139 & 445 (faster): nmap-p-T4 139.445 - script p2p-conficker, smb-os-discovery, smb-check-vulns - script-args checkconficker = 1, safe = 1 (eg IP 192.168.1 network ..)
  2. Scan the network to read the entire port used Conficker (rather slow): nmap-p - T4 - script p2p-conficker, smb-os-discovery, smb-check-vulns - script-args checkall = 1, safe = 1 (eg IP 192.168.1 network .)

  • Retina Network Security Scanner (Conficker Worm)

Although a bit late and launched before 1 April 2009, as one of the computer security vendors, eEye Digital Security also launched a special and free tools to detect the presence of Conficker in the network. This tool is designed to detect the presence and simultaneously detect Conficker vulnerability windows tsb of Windows Server Service vulnerability (MS08-067). You can download this tool at http://www.eeye.com/html/downloads/other/ConfickerScanner.html.

The installation process is very easy and fast, you simply run the installation file that followed further instructions to complete. (See figure 3)

Figure 3, which is an expert Eeye Windows launches Retina Vulnerability Scanner for Conficker.

For general users, Retina tools from Eeye relatively easier than Wireshark and Nmap, when you run this tool you can directly select the desired target with either a single IP or IP range. If you have, you can directly click the scan button. When it is finished a message box will appear finished sign. Results of the scan are TSB 4 categories:
  1. Not Tested (usually due to a closed port 445 / disable, so it can not scan)
  2. Infected (Conficker infected computers detected)
  3. Patched (computer clean and already in patch MS08-067)
  4. Vulnerable (clean computer but not in the patch, prone infected Conficker)

Unfortunately this tool only read ports 139 and 445, so it is very difficult if the computer is infected they will not activate port (File and Printer Sharing). Furthermore, the Retina can not perform scanning between segments and also does not monitor the port 1024 10.000 exploited by Conficker.

4) SCS (Simple Conficker Scanner)
Simple and sophisticated tools made Tillman Werner and Felix Leder of The Honeynet Project, which was launched at the beginning of Vaksincom widely used by ISPs to detect IP IP Indonesia Conficker infected this be a reference to some vendors to create similar tools. They make tools conficker network scanner of the Python language and its later published the source code freely. Recorded several vendors such as Nmap, Foundstone and eEye using source code which is then compiled and used as tools plugin for each vendor used to detect conficker. Tools can be downloaded at the address http://www.4shared.com/get/95921961/d7727fab/scs.html.

SCS does not need to be installed, you just need akstrak the folder / drive that you specify only. But you need to run the SCS install Nmap. This is because SCS requires driver monitoring packets of data. (See figure 4)

Figure 4, Simple Conficker Scanner is simple but sophisticated

To use, SCS using console mode or command prompt. At the command prompt mode, move the folder scs then type the following command:

scs [IP_Awal] [IP End], example: C: \ scs> scs

Just like Retina, SCS just read ports 139 and 445 only.

5) Conficker Detection Tool (MCDT)
Through one of its divisions, namely Foundstone, McAfee released a participating network tools to detect the presence of conficker. Tools are also used source of Tillman Werner and Felix Leder of The Honeynet Project, a development of the team Foundstone designed to detect the presence of Conficker-infected computers, and has been published for free. You can download the http://www.mcafee.com/us/enterprise/confickertest.html address.

This tool does not need to be installed, you only need to extract the directories / drives you specify only. (See figure 5)

Figure 5, Conficker Detection Tool in action

Was fairly easy to use, when you run this tool you can directly select the desired target range. You can even scan if there are multiple network segments on your computer, it is not contained in the Retina. But unfortunately this tool does not perform checks on the MS08-067 vulnerability that Conficker exploits such as Nmap and Retina. Unlike the retina, this tool has three categories namely the scan results:
  1. Infected (Conficker infected computers)
  2. Not infected (infected computer is clean or not)
  3. Not tested (usually due to a closed port 445 / disable, so it can not scan)

Just as Retina and SCS, this tool is read only ports 139 and 445 (File Printer Sharing) and do not monitor the 1024 port 10000 which exploited by Conficker.

Comparison of the results .
Of some of the tools they will be, we want to review and make its comparison table as follows:

From the results of tests performed by the lab Vaksincom, it appears that there is no perfect tool. Each of these tools has advantages and disadvantages of each. Nmap despite having the most complete feature but has a weakness in the use of which still use the command and scan speeds were slower than other tools. While MCDT is a very simple tool without installation and scan quickly enough can have the disadvantage of not function properly if port 445 is closed / disable (File and Printer Sharing in non-disabled) and is not tested in the MS08-067 vulnerability exploited by Conficker .

20 Countries Most Vulnerable to Worm : Win32 Conficker 2013 !

Maybe you are wondering, why revisit Vaksincom Conficker, although the first of his behavior is quite amazing, but if it is a real threat to this day? Based on the database of Vaksinis malware incidents faced until 2013, Conficker malware is still a Top 10 in Indonesia. One proof is the Facebook posts of members in http://www.facebook.com/vaksincom Vaksincom Fan page on June 11, 2013 which was infected with Conficker after doing the test on his PC by opening 6 figure checks Conficker Vaksincom site at http: / / vaksin.com/2013/cek-conficker.html, or in our blog  http://mypcdefender.blogspot.com/2013/06/easy-ways-to-check-malware-conficker.html

But this is of course only one example of course and we need to get an idea of ​​approximately how large the number of Conficker infections in Indonesia to this day. For that Vaksincom use some simple techniques to estimate the Conficker infections in Indonesia because it is the database for the current Conficker infections are difficult to obtain because the infection in developed countries is very low and major infections occurred in countries that have a low adoption of security standards.

The data base used is a database of sri.com, one member of the Conficker Working Group CWG issue data Conficker infection in 2009 at the height of Conficker infections where Indonesia ranks 17 as the country most affected by the Conficker infections by a percentage of 1.57% of infection or 164 794 total incidents. (See table 1 and figure 2)
  1. China, Infection : 2,649,674, Percentage : 25.21%
  2. Brazil, Infection : 1,017,825, Percentage :  9.68%
  3. Russia, Infection : 835.970 , Percentage : 7.95%
  4. India , Infection : 607.172, Percentage :  5.78%
  5. Argentina , Infection : 569.445 , Percentage :   5:42%
  6. Taiwan, Infection : 413.762 , Percentage :    3.94%
  7. Italy, Infection :  374.513 , Percentage :   3:56%
  8. Chile , Infection : 280.182 , Percentage :  2.67%
  9. Ukraine , Infection : 274.411 , Percentage :  2.61%
  10. Malaysia, Infection : 212.477 , Percentage :   2:02%
  11. Korea, Infection : 201.107 , Percentage :  1.91%
  12. German, Infection : 195.923 , Percentage : 1.86%
  13. American, Infection : 191.531, Percentage :  1.82%
  14. Romania, Infection : 182.790  , Percentage : 1.74%
  15. Colombia , Infection : 169.597 , Percentage : 1.61%
  16. Thailand, Infection : 165.080, Percentage :   1:57%
  17. Indonesia , Infection : 164.794 , Percentage :  1:57%
  18. Mexico, Infection : 151.861 , Percentage :  1:44%
  19. Philippines , Infection : 126.594, Percentage :   1:20%
  20. Venezuela, Infection : 102.073, Percentage :   0.97%

Table 1, the 20 countries most affected Conficker 2009

Figure 2, the number of computer terms, China is the country most affected Conficker.

But if asked, whether this reflects poor IT management made China so he was ranked first as the most affected countries so that you are more likely Conficker Conficker infected when visiting China than Chile? To find the answer we can look at the data from Table 2, the lab processed the data Vaksincom below.

Table 2, Top 20 Countries Most at risk of Conficker infected.

Internet users in China was 389 million in 2009 (based on data from the CIA World Fact Book, the Conficker infection the percentage of cases Conficker 2,649,674 per internet user in China was only 0.68%. While Chile, although only suffer as much Conficker case 280 182, but with the ratio 7.009 million Internet users Internet users are infected with Conficker is 4%, second highest after Argentina 4.16%. Thus the probability, of course, you are more at risk of infection if the Conficker visit Chile and Argentina rather than site China.

Then what about Indonesia?
Conficker case of Indonesia compared to internet users in Indonesia is 0.18% and Indonesia at 14 countries in the Top 20 of the world's most Conficker infection risks. Do not be too discouraged because in Asean, Thailand was ranked 13 in the Philippines rank 7 Rank 8 occupying Malaysia as the country most at risk of Conficker infected. Different from the rankings in badminton where the smallest ranked best, if the risk rating Conficker is, the smaller the ranking means more risk.

One interesting thing to observe is the low risk of Conficker in developed countries like the United States and Germany ranked 20th in the ranking of 19. Even countries such as the UK France and Japan who are in the Top 10 countries with the most Internet users in the world in the year 2009 are out of top 20 countries most at risk of Conficker infected. Please see figure 3 below to get information graphics 20 countries most at risk of Conficker infected.

Figure 3, the 20 countries most vulnerable to Conficker infected in 2013

Death toll in Indonesian Conficker

Currently Conficker incident has greatly decreased, but according to data from Microsoft, it is estimated there are 1 2 million computers are still infected with Conficker around the world : https://community.qualys.com/blogs/laws-of-vulnerabilities/2012/04/25/microsoft-sir-2012--new-conficker-statistics

Therefore, if we take a conservative number of Conficker infections worldwide 1,000,000 computers, the number of computers are still infected with Conficker in Indonesia is around 15,700 computers (1.57% X 1,000,000).

Why after 5 years Conficker could still survive and still infect a computer? One reason is because a lot of the Windows operating system that contain security holes that have not been attacked by Conficker patch. In many cases, Conficker is able to penetrate the computer that is protected with updated antivirus program though, because he took advantage of vulnerabilities in this patch yet. Because it is very important to choose a reliable antivirus program and is able to protect you from the Conficker like G Data Antivirus or you do patch the gap keamaman attacked by Conficker.

Source : http://vaksin.com/.

Easy Ways to Check Worm : Win32 Conficker 2013 on Your Computer.

Malware what in his behavior to be able to force 30 companies / the world's leading IT organizations, including Cisco, Microsoft, IBM, ICANN, the IT-ISAC, the Internet Storm Center and the Georgia Institute of Technology to collaborate directly form a special organization to deal with it?

Conficker Malware first appeared in late 2008 and has 5 variants, is still active to this day, the action will result in a lot of Windows Active Directory account username is locked (lock out accounts ), Microsoft issued a $ 250,000 sweepstakes for anyone who can reveal Conficker's makers but to this day the author revealed the latest information and may get you closer to the answer. Is still included in the malware most commonly found on enterprise networks in Indonesia.

Only one virus malware in the world that has a history traits as above, Conficker. Launched on 21 November 2008 and in less than 6 months of issuing all 5 variants as to 1 April 2009 have been waiting anxiously for computer users because it is a determination of whether the makers of Conficker now submit orders on millions of computers infected with Conficker are contains a botnet that will obey whatever Conficker instructed by the manufacturer through the websites that have been prepared http://edition.cnn.com/2009/TECH/03/24/conficker.computer.worm/. The good news, it does not happen and the makers of Conficker may also have hit the deck because a lot of bucks hunters who are tempted by the $ 250,000 from Microsoft to target who is behind this malware so that he carry out the action.

Unites 30 companies / organizations IT world.

Conficker malware is the only one in history who managed to unite many important work together and co-ordinated action to deal with. Not only did the cyber security community, but Microsoft, CISCO, ICANN (Internet Corporation for Assigned Names and Numbers), the Honeynet Project, SRI International, operator domain registration, antivirus vendors and researchers / experts from the world of academia come together to form the Conficker Working Group CWG http :/ / www.confickerworkinggroup.org to counter the threat posed by Conficker, particularly with respect to the impact hazard prevention control millions of computers by Conficker botnet computers embedded in infection.

As to the 30 organizations that are members of the Conficker Working Group is as follows:

  1. 1and1
  2. Afilias
  3. AOL
  4. Arbor Networks
  5. Cisco
  6. ESET
  7. F-Secure
  8. Facebook
  9. Georgia Institute of Technology
  10. Global Domains International
  11. IBM-ISS
  12. ICANN
  13. Internet Storm Center
  14. Internet Systems Consortium
  15. IT-ISAC
  16. Juniper
  17. Kaspersky
  18. McAfee
  19. Microsoft
  20. Neustar
  21. NIC Chile
  22. SecureWorks
  23. Shadowserver
  24. Sophos
  25. SRI International
  26. Support Intelligence
  27. Symantec
  28. Team Cymru
  29. Trend Micro
  30. Verisign

Vaksincom got fired up article to discuss the re-malware despite being issued a 5 article about this malware:
  1. 5 Mega Test Tools Network Conficker Detection 29 April 2009 : http://vaksin.com/2009/0409/Conficker%20Scanner/conficker%20scanner%20review.htm
  2. MEGA 8 Tools Conficker Test Killer 22 April 2009  : http://vaksin.com/2009/0409/Conficker%20Tools/mega%20test%20conficker%20tools.htm
  3. Conficker.C, time bombs or April Fool? March 31, 2009 : http://vaksin.com/2009/0309/confickermop/Bom%20waktu%20atau%20April%20Mop.html
  4. Between China and Russia, we got a virus, January 27, 2009 : http://vaksin.com/2009/0109/conficker2/conficker2.htm
  5. RPC DCOM part III, Conficker raged in Indonesia December 17, 2008 : http://vaksin.com/2008/1208/conficker/conficker.htm
because according to Vaksincom watchlist today, Conficker infected computers in Indonesia is still very much and until this article made estimated amount is still to reach tens of thousands of computers. How can these figures appear, please follow the second part of this article.

Started to carry out the action in November 2008 the first variant of Conficker variants with 5 Conficker.A name began deployed and successfully infect all computers with Microsoft Windows operating system that has not been done patching the RPC DCOM vulnerability recently issued 1 week by Microsoft. In December 2008, EYD version (That has Enhanced Edition) aka Conficker B that has the ability to spread itself through the UFD (USB Flash Disk) successful results reveal itself and infect millions of computers around the world.

Conficker A and B have one main payload make a botnet that will call 250 random internet site that will contain the commands that had been prepared by the author. 250 address of the site is not always the same, and because of the random nature so it is quite difficult to be blocked at the initial appearance. Goal is to create a botnet have a cyber army of zombies that can be commanded to do whatever the manufacturer. In the realm of the internet, force botnet infected computers can be ordered to do anything by the controller. From attacking a website like doing Ddos until the site was paralyzed, steal data from the victim computer, infect returned with another, more sinister malware or make a computer to commit other crimes. Anyway the bottom line is good for controlling and unpleasant for that in controls: p. As an illustration, if you have a computer infected with Conficker and was told to download the site Ddos Pak village chief, and Mr. Lurahnya fierce men and bring an action against you, you might go to jail even if you do not know anything, but you still will be blamed because there is clear evidence in in the computer logs and ISP that your computer is doing to the official website Ddos Mr. Headman.

If Conficker's makers managed to access the sites that will be contacted by millions of Conficker botnet, the impact will be more terrible than the spread of Conficker action itself (which has been a headache administrator of millions of computers). Millions of computers that will do whatever the orders given by the makers of Conficker through websites will be contacted this. Like a nuclear weapons falling into the hands of the wicked will be used for malicious activities and must be prevented. But how to prevent a crime that would be done if the villain (makers of Conficker) is very slick and has not been arrested? While the victim's computer conficker itself has reached millions of computers. Finally CWG (Conficker Working Group), was formed to deal with Conficker perform only a unique step, registering and blocking hundreds of domains to be contacted by Conficker botnet that Conficker's makers do not have access to the websites will be contacted by Conficker botnets. These botnets like chicks lost parent, but if the chicks usually cuty, maybe we can say like T-Rex children lose a parent and eventually Ddos threats by the victim computers Conficker A and B did not materialize. Thanks for the CWG.

So if this is the end of the story of Conficker? Do not forget, we are new to the second variant of Conficker variants and there are 3 more that we have not talked about. Sauron supposing that prevented to meet with cicinnya, of course, he did not remain silent and sends the Nazgul could not beat any man in this world, makers of Conficker sends Conficker.C. And if Conficker B attempted to contact 250 random domains and CWG have to work hard to block 250 domains in every action of Conficker A and B, this time by calling the Conficker.C is 50,000 pseudodomain around the world and once again the CWG have to work hard doing the blocking 50,000 pseudodomain to 131 countries and the bad news, they only have less than 3 weeks before Conficker.C carry out the action on April 1, 2009. Internet community even palpitations waiting for April 1, 2009 if the manufacturer so running the action spreading Conficker attack commands to all computers infected with Conficker. And the good news, April 1, 2009 to avoid chaos and threats Conficker.C internet is not the case. But whether it was a success CWG block pseudodomain 50,000 in less than 3 weeks or because Conficker makers who do not dare to carry out the action as it was already frenetic bounty hunter plus U.S. $ 250,000 from Microsoft for those who managed to help capture the Conficker makers, only the author Conficker who knows :).

Characteristics of Conficker-infected computers.

As informed by PT. Vaksincom :  http://vaksin.com/2009/0109/conficker2/conficker2.htm in his article, the characteristics of Conficker-infected computers are:
  1. Login Username in Active Directory (AD) Windows locks repeatedly. So even though it was locked (lock) and opened by Admin, but it was locked again.
  2. Computer getting error message Generic Host Process.
  3. Computers can not access certain websites such security www.microsoft.com, www.symantec.com, www.norman.com, www.clamav.com, www.grisoft.com with message Address not Found but if site- accessed the site from its IP address will be accessible. And other websites can be accessed easily.
  4. Antivirus definition updates disturbed because access to antivirus sites blocked.
  5. Many applications do not function properly. Especially applications that utilize the network and use port 1024 s / d port 10000

But you can try to simply see box 6 below that given by the Conficker Working Group. This tool is the copyright of the Conficker Working Group and is used to help detect whether ordinary computer users still infected with Conficker computer or not:

  • Conficker Eye Chart by Vaksincom, inspired by the Conficker Eye Chart of the Conficker Working Group.
G Data






Conficker Eye Chart can only work properly detect your PC if you are connected directly to the internet and not through the proxy.
  • How to view and interpretation:
  • Seeing all the pictures 

You see all the pictures, analysis:
  1. Computer is not infected with Conficker. or
  2. Conficker infected computers but using a proxy to the internet.

  • Do not see the logo G Data and Norman

You can only see 4 images except G Data logo and Norman, analysis:
Computer is not infected with Conficker Conficker A or B.

  • You do not see the logo G Data, Norman and SecureWorks

You can only see the 3 pictures at the bottom line and could not see the 3 images in the top row, the analysis:
Computers infected with Conficker Conficker C or E.

  • You do not get to see all the pictures

You do not get to see all the pictures, do not worry just yet, this means:
  1. Your browser turn off image loading.
  2. Crappy internet connection.

If you are a network administrator and want to scan your network is still infected with Conficker or not, please use the tools of Honeynet.org Simple Conficker Scanner that can be found here Simple Conficker Scanner.

Simple Conficker Scanner v2

Simple Conficker Scanner (SCSv2). It contains a new scanning method which allows for detection of machines infected with the recent Conficker version (D or E, depending on the naming scheme - the tool calls it D). Although the patch to the vulnerable function NetpwPathCanonicalize() was updated in the new variant, the RPC response codes for specially crafted requests are still different for infected machines. This enabled us to write a network scanner to distinguish Conficker zombies from clean hosts.
The scanning results look like this:

$ ./scs2.py
Simple Conficker Scanner v2 -- (C) Felix Leder, Tillmann Werner 2009
[UNKNOWN] No response from port 445/tcp.
[UNKNOWN] Unable to run NetpwPathCanonicalize.
[CLEAN] Windows Server 2003 R2 3790 Service Pack 2 [Windows Server 2003 R2 5.2]: Seems to be clean.
[INFECTED] Windows 5.1 [Windows 2000 LAN Manager]: Seems to be infected by Conficker D.
[INFECTED] Windows 5.1 [Windows 2000 LAN Manager]: Seems to be infected by Conficker B or C.

The code was released under the GNU General Public License. Get it from here, feel free to adopt and please use it in your scanner tool.

Update: Florian Roth has compiled a Windows version which is available for download from http://www.bsk-consulting.de/download/scs2-win32.zip.