Sabtu, 22 Juni 2013

Easy Ways to Check Worm : Win32 Conficker 2013 on Your Computer.

Malware what in his behavior to be able to force 30 companies / the world's leading IT organizations, including Cisco, Microsoft, IBM, ICANN, the IT-ISAC, the Internet Storm Center and the Georgia Institute of Technology to collaborate directly form a special organization to deal with it?

Conficker Malware first appeared in late 2008 and has 5 variants, is still active to this day, the action will result in a lot of Windows Active Directory account username is locked (lock out accounts ), Microsoft issued a $ 250,000 sweepstakes for anyone who can reveal Conficker's makers but to this day the author revealed the latest information and may get you closer to the answer. Is still included in the malware most commonly found on enterprise networks in Indonesia.

Only one virus malware in the world that has a history traits as above, Conficker. Launched on 21 November 2008 and in less than 6 months of issuing all 5 variants as to 1 April 2009 have been waiting anxiously for computer users because it is a determination of whether the makers of Conficker now submit orders on millions of computers infected with Conficker are contains a botnet that will obey whatever Conficker instructed by the manufacturer through the websites that have been prepared The good news, it does not happen and the makers of Conficker may also have hit the deck because a lot of bucks hunters who are tempted by the $ 250,000 from Microsoft to target who is behind this malware so that he carry out the action.

Unites 30 companies / organizations IT world.

Conficker malware is the only one in history who managed to unite many important work together and co-ordinated action to deal with. Not only did the cyber security community, but Microsoft, CISCO, ICANN (Internet Corporation for Assigned Names and Numbers), the Honeynet Project, SRI International, operator domain registration, antivirus vendors and researchers / experts from the world of academia come together to form the Conficker Working Group CWG http :/ / to counter the threat posed by Conficker, particularly with respect to the impact hazard prevention control millions of computers by Conficker botnet computers embedded in infection.

As to the 30 organizations that are members of the Conficker Working Group is as follows:

  1. 1and1
  2. Afilias
  3. AOL
  4. Arbor Networks
  5. Cisco
  6. ESET
  7. F-Secure
  8. Facebook
  9. Georgia Institute of Technology
  10. Global Domains International
  11. IBM-ISS
  12. ICANN
  13. Internet Storm Center
  14. Internet Systems Consortium
  15. IT-ISAC
  16. Juniper
  17. Kaspersky
  18. McAfee
  19. Microsoft
  20. Neustar
  21. NIC Chile
  22. SecureWorks
  23. Shadowserver
  24. Sophos
  25. SRI International
  26. Support Intelligence
  27. Symantec
  28. Team Cymru
  29. Trend Micro
  30. Verisign

Vaksincom got fired up article to discuss the re-malware despite being issued a 5 article about this malware:
  1. 5 Mega Test Tools Network Conficker Detection 29 April 2009 :
  2. MEGA 8 Tools Conficker Test Killer 22 April 2009  :
  3. Conficker.C, time bombs or April Fool? March 31, 2009 :
  4. Between China and Russia, we got a virus, January 27, 2009 :
  5. RPC DCOM part III, Conficker raged in Indonesia December 17, 2008 :
because according to Vaksincom watchlist today, Conficker infected computers in Indonesia is still very much and until this article made estimated amount is still to reach tens of thousands of computers. How can these figures appear, please follow the second part of this article.

Started to carry out the action in November 2008 the first variant of Conficker variants with 5 Conficker.A name began deployed and successfully infect all computers with Microsoft Windows operating system that has not been done patching the RPC DCOM vulnerability recently issued 1 week by Microsoft. In December 2008, EYD version (That has Enhanced Edition) aka Conficker B that has the ability to spread itself through the UFD (USB Flash Disk) successful results reveal itself and infect millions of computers around the world.

Conficker A and B have one main payload make a botnet that will call 250 random internet site that will contain the commands that had been prepared by the author. 250 address of the site is not always the same, and because of the random nature so it is quite difficult to be blocked at the initial appearance. Goal is to create a botnet have a cyber army of zombies that can be commanded to do whatever the manufacturer. In the realm of the internet, force botnet infected computers can be ordered to do anything by the controller. From attacking a website like doing Ddos until the site was paralyzed, steal data from the victim computer, infect returned with another, more sinister malware or make a computer to commit other crimes. Anyway the bottom line is good for controlling and unpleasant for that in controls: p. As an illustration, if you have a computer infected with Conficker and was told to download the site Ddos Pak village chief, and Mr. Lurahnya fierce men and bring an action against you, you might go to jail even if you do not know anything, but you still will be blamed because there is clear evidence in in the computer logs and ISP that your computer is doing to the official website Ddos Mr. Headman.

If Conficker's makers managed to access the sites that will be contacted by millions of Conficker botnet, the impact will be more terrible than the spread of Conficker action itself (which has been a headache administrator of millions of computers). Millions of computers that will do whatever the orders given by the makers of Conficker through websites will be contacted this. Like a nuclear weapons falling into the hands of the wicked will be used for malicious activities and must be prevented. But how to prevent a crime that would be done if the villain (makers of Conficker) is very slick and has not been arrested? While the victim's computer conficker itself has reached millions of computers. Finally CWG (Conficker Working Group), was formed to deal with Conficker perform only a unique step, registering and blocking hundreds of domains to be contacted by Conficker botnet that Conficker's makers do not have access to the websites will be contacted by Conficker botnets. These botnets like chicks lost parent, but if the chicks usually cuty, maybe we can say like T-Rex children lose a parent and eventually Ddos threats by the victim computers Conficker A and B did not materialize. Thanks for the CWG.

So if this is the end of the story of Conficker? Do not forget, we are new to the second variant of Conficker variants and there are 3 more that we have not talked about. Sauron supposing that prevented to meet with cicinnya, of course, he did not remain silent and sends the Nazgul could not beat any man in this world, makers of Conficker sends Conficker.C. And if Conficker B attempted to contact 250 random domains and CWG have to work hard to block 250 domains in every action of Conficker A and B, this time by calling the Conficker.C is 50,000 pseudodomain around the world and once again the CWG have to work hard doing the blocking 50,000 pseudodomain to 131 countries and the bad news, they only have less than 3 weeks before Conficker.C carry out the action on April 1, 2009. Internet community even palpitations waiting for April 1, 2009 if the manufacturer so running the action spreading Conficker attack commands to all computers infected with Conficker. And the good news, April 1, 2009 to avoid chaos and threats Conficker.C internet is not the case. But whether it was a success CWG block pseudodomain 50,000 in less than 3 weeks or because Conficker makers who do not dare to carry out the action as it was already frenetic bounty hunter plus U.S. $ 250,000 from Microsoft for those who managed to help capture the Conficker makers, only the author Conficker who knows :).

Characteristics of Conficker-infected computers.

As informed by PT. Vaksincom : in his article, the characteristics of Conficker-infected computers are:
  1. Login Username in Active Directory (AD) Windows locks repeatedly. So even though it was locked (lock) and opened by Admin, but it was locked again.
  2. Computer getting error message Generic Host Process.
  3. Computers can not access certain websites such security,,,, with message Address not Found but if site- accessed the site from its IP address will be accessible. And other websites can be accessed easily.
  4. Antivirus definition updates disturbed because access to antivirus sites blocked.
  5. Many applications do not function properly. Especially applications that utilize the network and use port 1024 s / d port 10000

But you can try to simply see box 6 below that given by the Conficker Working Group. This tool is the copyright of the Conficker Working Group and is used to help detect whether ordinary computer users still infected with Conficker computer or not:

  • Conficker Eye Chart by Vaksincom, inspired by the Conficker Eye Chart of the Conficker Working Group.
G Data





Conficker Eye Chart can only work properly detect your PC if you are connected directly to the internet and not through the proxy.
  • How to view and interpretation:
  • Seeing all the pictures 

You see all the pictures, analysis:
  1. Computer is not infected with Conficker. or
  2. Conficker infected computers but using a proxy to the internet.

  • Do not see the logo G Data and Norman

You can only see 4 images except G Data logo and Norman, analysis:
Computer is not infected with Conficker Conficker A or B.

  • You do not see the logo G Data, Norman and SecureWorks

You can only see the 3 pictures at the bottom line and could not see the 3 images in the top row, the analysis:
Computers infected with Conficker Conficker C or E.

  • You do not get to see all the pictures

You do not get to see all the pictures, do not worry just yet, this means:
  1. Your browser turn off image loading.
  2. Crappy internet connection.

If you are a network administrator and want to scan your network is still infected with Conficker or not, please use the tools of Simple Conficker Scanner that can be found here Simple Conficker Scanner.

Simple Conficker Scanner v2

Simple Conficker Scanner (SCSv2). It contains a new scanning method which allows for detection of machines infected with the recent Conficker version (D or E, depending on the naming scheme - the tool calls it D). Although the patch to the vulnerable function NetpwPathCanonicalize() was updated in the new variant, the RPC response codes for specially crafted requests are still different for infected machines. This enabled us to write a network scanner to distinguish Conficker zombies from clean hosts.
The scanning results look like this:

$ ./
Simple Conficker Scanner v2 -- (C) Felix Leder, Tillmann Werner 2009
[UNKNOWN] No response from port 445/tcp.
[UNKNOWN] Unable to run NetpwPathCanonicalize.
[CLEAN] Windows Server 2003 R2 3790 Service Pack 2 [Windows Server 2003 R2 5.2]: Seems to be clean.
[INFECTED] Windows 5.1 [Windows 2000 LAN Manager]: Seems to be infected by Conficker D.
[INFECTED] Windows 5.1 [Windows 2000 LAN Manager]: Seems to be infected by Conficker B or C.

The code was released under the GNU General Public License. Get it from here, feel free to adopt and please use it in your scanner tool.

Update: Florian Roth has compiled a Windows version which is available for download from

Tidak ada komentar:

Posting Komentar