
Conficker at work…

April 2, 2009

So a funny story on this whole Conficker worm

The in-house IT “expert” at our office sent round an email saying “I think it’s all a big hoax – but to be safe, update your anti-virus”.

Well, it would appear he didn’t take his own advice… our email server keeps getting blocked on my firewall… seems to be trying to connect to my machine on port 135 (which is not a port it should be using, LOL – but it is a port that Conficker uses to tunnel via RPC to spread)

So, I guess we have it “in-house”…

I suppose I should notify the ‘expert’ in the office eh?

Later – giggle… “It’s all a hoax”; uh huh..

From Canada’s Globe and Mail today – Conficker worm lies low on April Fool’s Day

Excerpt from the Article:

One of the most high-profile computer worms in recent history quietly activated yesterday, but showed no signs of causing havoc.

“Conficker should still be considered a serious threat …,” Dan Hubbard, chief technology officer at Websense, an internet security company, said in a statement. “There are millions of machines that are infected and the capability is definitely there for attackers to use the network for nefarious purposes.”

Computers infected with Conficker can be used to create a powerful botnet, which in turn could be used for everything from sending spam e-mails to mining for credit-card information. Computer users can protect themselves by downloading Microsoft’s security patches and updates – the worm only targets Windows-based machines. Microsoft has also offered a $250,000 reward for information leading to the worm’s authors.

Some computer security experts believe the flood of attention Conficker garnered in recent weeks may have given its authors reason to lay low, and wait a few days to send further instructions to infected computers.

In another Canadian paper, however, we are being told it is no big deal, and more importantly, that it has stopped spreading. Dean Turner, director of Global Intelligence Network, Symantec Security Response, has stated:

The worm has stopped spreading. The writers of the virus seem to have removed the virus’s ability to replicate itself, which would suggest they believe they already have enough infected computers to accomplish whatever they are or were planning.

“Stopped spreading” – Yeah, sure – so why am I getting a firewall alarm every hour, when before today I never had? LOL!


UPDATE – hmm a whole raft of odd port connections now trying to come through! Guess it isn’t as dead as everyone thinks LOL.
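The two things the post observes (a mail server repeatedly being blocked while dialling a workstation on TCP 135, and then a burst of connection attempts on a raft of odd ports) are exactly the patterns a firewall-log check can surface automatically. The script below is an added example, not code from the original post: it parses a few constructed firewall deny lines in a made-up `DENY` format, flags any internal source that tries to reach the RPC/SMB ports (135 from the post; 139/445 added here because SMB was the MS08-067 vector Conficker exploited), and flags any source that touches several distinct destination ports within an hour. The log format, host addresses and thresholds are all assumptions.

```python
"""Flag internal hosts hitting Windows RPC/SMB ports or fanning out across odd ports.

Added example for the Conficker post; the log format and all addresses are
constructed, not taken from the post or any real product.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed deny-line format: "<date> <time> DENY <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Ports a mail server has no business dialling on a workstation:
# 135 is the RPC endpoint mapper mentioned in the post; 139/445 (SMB) are
# added here because MS08-067, Conficker's spreading vector, rides over SMB.
LATERAL_PORTS = {135, 139, 445}

# Constructed sample log: 10.0.0.5 plays the "email server" hitting the
# workstation 10.0.0.20 on 135 once an hour, then fanning out to odd ports.
SAMPLE_LOG = """\
2009-04-02 09:01:12 DENY TCP 10.0.0.5:49211 -> 10.0.0.20:135
2009-04-02 10:03:44 DENY TCP 10.0.0.5:49380 -> 10.0.0.20:135
2009-04-02 11:02:09 DENY TCP 10.0.0.5:49502 -> 10.0.0.20:135
2009-04-02 11:10:31 DENY TCP 10.0.0.7:51200 -> 10.0.0.20:443
2009-04-02 13:40:05 DENY TCP 10.0.0.9:52818 -> 10.0.0.20:445
2009-04-02 14:15:01 DENY TCP 10.0.0.5:50011 -> 10.0.0.20:38211
2009-04-02 14:22:47 DENY TCP 10.0.0.5:50012 -> 10.0.0.20:52001
2009-04-02 14:31:19 DENY TCP 10.0.0.5:50013 -> 10.0.0.20:17493
2009-04-02 14:40:58 DENY TCP 10.0.0.5:50014 -> 10.0.0.20:60233
not a firewall line at all
"""


def parse_line(line):
    """Return a dict for one deny line, or None if the line does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def analyze(log_text, fanout_threshold=4, window=timedelta(hours=1)):
    """Return {'lateral': {src: hits on RPC/SMB ports},
               'fanout':  {src: max distinct dst ports seen inside one window}}."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    lateral = defaultdict(int)
    hits_by_src = defaultdict(list)  # src -> [(timestamp, dport)]
    for e in events:
        if e["dport"] in LATERAL_PORTS:
            lateral[e["src"]] += 1
        hits_by_src[e["src"]].append((e["ts"], e["dport"]))

    fanout = {}
    for src, hits in hits_by_src.items():
        hits.sort()
        # Sliding window: for each hit, count distinct ports within `window` after it.
        for i, (t0, _) in enumerate(hits):
            ports = {p for t, p in hits[i:] if t - t0 <= window}
            if len(ports) >= fanout_threshold:
                fanout[src] = max(fanout.get(src, 0), len(ports))
    return {"lateral": dict(lateral), "fanout": fanout}


def report(result):
    """Human-readable lines for each flagged source."""
    lines = []
    for src, n in sorted(result["lateral"].items()):
        lines.append(f"{src}: {n} blocked attempt(s) on RPC/SMB ports {sorted(LATERAL_PORTS)}")
    for src, n in sorted(result["fanout"].items()):
        lines.append(f"{src}: touched {n} distinct ports within one hour")
    return lines


if __name__ == "__main__":
    for line in report(analyze(SAMPLE_LOG)):
        print(line)
```

Run against the sample, the mail server shows up twice: three hourly attempts on 135 (the pattern the post describes) and a four-port fan-out in the afternoon (the "raft of odd port connections" in the update); the single 445 attempt from another host is flagged too, while the lone 443 connection is ignored. In practice the next step is to isolate the flagged host and run the vendor's removal tool and the MS08-067 patch on it, rather than to keep blocking it at the workstation.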

8 Comments
  1. fal2grace
    April 2, 2009 3:01 PM

    We have “experts” like that too:)

  2. April 2, 2009 3:06 PM

    ‘hmm a whole raft of odd port connections now trying to come through! Guess it isn’t as dead as everyone thinks LOL.’

    I have had this also, my firewall has been attacked quite a few times today.

    • feveriam
      April 2, 2009 3:21 PM

      Looking at Conficker info pages, it appears it tries to set up a peer-to-peer network between infected hosts, on random ports… then proceeds to scan nearby computers for similar infected machines. Once set up, the P2P is used to update each other, as the logic for contacting the update servers may or may not find a server – the P2P logic is breathtaking! A whole new way of spreading around!

      I’d be very careful running any windows based torrent software for a while!

      • April 2, 2009 9:33 PM

        Indeed! I finally discovered what had happened after visiting your Youtube and blog sites that kept my mac crashing.

        I have discovered I have been infected with a new hideous OS X worm called Rape.osx, which DELETES SYSTEM FILES randomly, uses the app ‘Spotlight’ to search recent activity, replicates itself across every drive and seems to keep some record of your web activity, and randomly changes your Mozilla bookmarks.

        For normal people who use Windows etc., I have a feeling that Conficker is a sleeping giant waiting for a cmd to send pure hell down its botnet. Why would anything that replicates itself via P2P on over 12 million boot drives across the globe with such an insidious methodology just …. conk out? Pfffff! This stinks.

        Once is an accident
        Twice is a pattern
        Thrice is a program.


  3. Lilli
    April 3, 2009 11:02 AM

    It’s not surprising someone wants to crash the internet with Google Earth watching every movement.

    This must be the pinnacle of Big Brother.

    Look at this picture of the Excel Centre.

    • feveriam
      April 3, 2009 11:21 AM

      Take a look at the first article on the blog entry I just posted – you’ll begin to understand where it is going…


  4. Lilli
    April 3, 2009 12:48 PM

    Thanks Mike.

    ‘Stopped spreading’ reminds me of Reinhardt’s newest picture.

  5. Lilli
    April 4, 2009 2:42 PM

    There is a bit more on Conficker here …
