W32/Conficker: Much Ado About Nothing?
Friday March 27, 2009 at 4:36 am CST
Posted by Vinoo Thomas
In the run-up to April 1, the media spotlight around the latest Conficker worm variant has reached a morbid frenzy. From being touted as an “April Fool’s joke” to outrageous headlines such as “Millions of computers expected to be destroyed”–no other worm in recent history has generated this much media attention. But what have we learned from history? From the days of Michelangelo to the recent Blaster, SoBig, Sober, and Kamasutra worms, the hype surrounding the activation or payload dates of major Internet worms has turned out to be only a damp squib.
What happens on April Fool’s Day is anyone’s guess. Although we still don’t know the real intent of the authors of the Conficker worm, they have consistently improved the worm by adding new functionality and anti-debugging tricks with every released variant. In order to resist the Conficker Cabal initiative, which recently blocked domain registrations associated with previous Conficker A and B variants, the worm authors upped the randomly generated domain count from 250 to 50,000. The intent behind generating and attempting to contact so many domains is to make it extremely difficult for security researchers to monitor sites that could potentially host a payload for the Conficker worm to download and execute.
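A defender's view of the domain-generation behaviour described above, as an added example that is not part of the original post: a host that looks up many distinct names that fail to resolve stands out in DNS resolver logs. The log format, addresses, domain names, and thresholds are constructed assumptions, not values from Conficker itself.

```python
from collections import defaultdict

# Constructed resolver log (not real traffic): timestamp, client, name, rcode.
SAMPLE_LOG = """\
2009-04-01T09:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T09:00:02 10.0.0.7 qfvxbk.example.net NXDOMAIN
2009-04-01T09:00:03 10.0.0.7 lzpwtr.example.org NXDOMAIN
2009-04-01T09:00:04 10.0.0.7 hdmcye.example.info NXDOMAIN
2009-04-01T09:00:05 10.0.0.5 mail.example.com NOERROR
2009-04-01T09:00:06 10.0.0.7 wbnsqa.example.biz NXDOMAIN
2009-04-01T09:00:07 10.0.0.5 typo.example.com NXDOMAIN
2009-04-01T09:00:08 10.0.0.7 qfvxbk.example.net NXDOMAIN
2009-04-01T09:00:09 10.0.0.7 update.example.com NOERROR
malformed line
"""

def parse(line):
    """Return (client, name, rcode), or None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 4:
        return None
    _ts, client, name, rcode = parts
    return client, name.lower().rstrip("."), rcode.upper()

# Thresholds are illustrative assumptions; tune them against your own baseline.
def suspicious_clients(log_text, min_failed_names=4, min_failure_ratio=0.5):
    """Flag clients whose lookups are dominated by distinct non-resolving names."""
    total = defaultdict(int)
    failed = defaultdict(int)
    failed_names = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None:
            continue  # skip lines that are not resolver records
        client, name, rcode = rec
        total[client] += 1
        if rcode == "NXDOMAIN":
            failed[client] += 1
            failed_names[client].add(name)  # repeats of one name count once
    report = {}
    for client, count in total.items():
        distinct = len(failed_names[client])
        ratio = failed[client] / count
        if distinct >= min_failed_names and ratio >= min_failure_ratio:
            report[client] = {"distinct_failed": distinct, "failure_ratio": round(ratio, 2)}
    return report

if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

Counting distinct failed names rather than raw failures keeps a single mistyped hostname retried many times from triggering the flag.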
What we do know is that almost all security vendors have thoroughly analyzed Conficker–also known as the Downadup and Kido worm–and have good generic detection and cleaning in place. Uploading a couple of randomly selected Conficker binaries to the VirusTotal site consistently shows an overall anti-virus detection rate of 90 percent or above. And these high detection rates hold across vendors–small or big.
To prepare for any trouble on April 1, McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild. This special build of Stinger can be downloaded from the Avert Tools site. We’ve also posted detailed documentation on mitigation steps that security staff within organizations can take to combat W32/Conficker. Additional McAfee product coverage information for MS08-067–the Microsoft Windows Server Service vulnerability, which is exploited by the worm–can be viewed at the McAfee Threat Center.
Please ensure that your copy of Microsoft Windows is patched and your security software is fully up to date. That way you won’t end up an April Fool.

March 27th, 2009 at 15:07
[...] Conficker already – this blog is intended to be an addendum to the previously published blog – W32/Conficker: Much Ado About Nothing. Some Conficker snippets, if you [...]
March 30th, 2009 at 20:18
The executable on the Stinger page has no publisher entry. Is this real?
March 31st, 2009 at 07:16
Where does Shakespeare come into play? Much Ado About Nothing sounds like a poorly chosen name for this virus.
March 31st, 2009 at 12:12
I am very leery of downloading any tool for my computer… once again… is this really a real tool or perhaps the worm itself?
March 31st, 2009 at 12:28
When I click on the McAfee removal tool shown on the PC World article on msn.com, my IE warning says the download from McAfee has no valid digital signature. I’m trying to do a Conficker check on my computer but am paranoid about clicking on anything that appears suspicious. I have McAfee anti-virus installed on my PC.
March 31st, 2009 at 18:05
I lost the message regarding the resubscription to McAfee. I want it, since AOL no longer furnishes it. Thanks for Stinger.
March 31st, 2009 at 20:19
[...] “W32/Conficker: Much Ado About Nothing?“. [...]
April 1st, 2009 at 01:09
I am of the same mind as Gail. I went to the McAfee site and clicking on the security advisory link led me to avertlabs.com. The article describes “McAfee now offers a special build of its standalone cleaning tool Stinger, which will be updated on a daily basis to include any undetected Conficker variants from the wild”
Attractive offer, but clicking on the Stinger link leads to this:
you have chosen to open stinger_Coficker.exe which is a binary File from http://vil.nai.com
This does not give any confidence in McAfee as this doesn’t look legit, yet you get to it from their website.
April 1st, 2009 at 01:51
[...] http://www.avertlabs.com/research/blog/index.php/2009/03/27/w32conficker-much-ado-about-nothing/?cid... [...]
April 1st, 2009 at 10:27
The http://vil.nai.com link is legit. McAfee used to be Network Associates Inc. and just hasn’t updated all of their URLs yet. In fact if you google network associates, it brings you to McAfee pages.
You can get McAfee’s free SiteAdvisor tool to tell you if you are visiting an unsafe site or downloading a risky file. Get it here http://www.siteadvisor.com/
April 1st, 2009 at 10:55
I’ve read all 8 of your responses and I have deemed you all to be total idiots… please turn in your computers to the nearest Goodwill donation center as none of you have the minimal mental capacity required to own or operate a home PC.
April 2nd, 2009 at 03:26
Thursday, April 02, 2009, 5:18:58 AM
Unfortunately I have had to use McAfee’s ‘Stinger’ many, many moons ago. It’s a very good tool & saved my bacon [PC]! Just download the file to your computer desktop or a download folder. Scan it with your AV & a spyware scanner, then go to its properties & unblock it. Then you’re ready to enable Stinger & let it do its thing. You won’t be sorry you took those extra steps.
Thanks McAfee! Stinger’s a great tool to use.
April 7th, 2009 at 09:46
[...] 2) Try running the software called Stinger, created by McAfee free of charge. You will find the download link in this article. [...]
June 4th, 2009 at 17:46
[...] Try running the software called Stinger, created by McAfee free of charge. No Related [...]
August 6th, 2009 at 04:49
[...] 2) Try running the software called Stinger, created by McAfee free of charge. You will find the download link in this article. [...]