
April 2nd, 2009

Eyeballing Conficker with eye-charts and maps

Posted by Ryan Naraine @ 11:29 am

Categories: Anti Virus, Arbitrary Code Execution, Botnets, Browsers, Complex Attacks, Data theft, Denial of Service (DoS), Exploit code, Locally Running Web Servers, Malware, Microsoft, Patch Watch, Responsible disclosure, Symantec, Viruses and Worms

Tags: Web, SecureWorks Inc., Malware, Web Site, Conficker, Cyberthreats, Spyware, Adware & Malware, Web Site Development, Viruses And Worms, Security

As expected, the April 1st activation date for the Conficker worm passed without much noise but, as Microsoft and others are explaining, the botnet associated with the worm is very much alive — and still potentially dangerous.

“[This threat] should remain a manageable cause for concern and it doesn’t go away after April 1,” says Microsoft’s Christopher Budd. The malware still lives on millions of Windows machines and could start calling home for instructions at any time.

Now that the crazy hype has died down (hopefully!), it’s important for end users to get reliable information on eyeballing the presence of Conficker on a machine and, if it’s found, disinfection instructions from a Web site that isn’t blocked by the malware.

Because Conficker blocks victims from visiting Web sites for anti-malware vendors, Joe Stewart from SecureWorks has come up with a clever eye-chart (if that gets blocked, try this one) that provides visual confirmation on infections.

If you can see all three images in the top grid below, your computer is NOT infected with Conficker. However, if one of the F-Secure, SecureWorks or Trend Micro logos appears broken, chances are your computer is part of the Conficker botnet. Here’s the explanation on how to interpret the chart.
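The eye-chart works because a browser on an infected machine cannot fetch images from the blocked vendor sites. The sketch below is an added example, not SecureWorks' code or part of the original post; the control images, the function names and the verdict labels are assumptions made for illustration.

```javascript
// Added example: decision logic for an eye-chart style check.
// group "vendor": images hosted on security-vendor sites (the article's top grid).
// group "control": images from sites the worm does not block (an assumption here),
// used to tell "vendor sites blocked" apart from "no connectivity at all".
function interpretEyeChart(results) {
  const vendor = results.filter((r) => r.group === "vendor");
  const control = results.filter((r) => r.group === "control");
  if (vendor.length === 0) throw new Error("no vendor images were probed");

  const blocked = vendor.filter((r) => !r.loaded).map((r) => r.name);
  const controlsDown = control.length > 0 && control.every((r) => !r.loaded);

  if (controlsDown) {
    // Nothing loads at all: a broken logo says nothing about the worm.
    return { verdict: "inconclusive", blocked };
  }
  if (blocked.length === 0) {
    return { verdict: "not-blocked", blocked };
  }
  // Vendor logos broken while other images load: the pattern the chart looks for.
  return { verdict: "possible-conficker", blocked };
}

// Browser-only helper (hypothetical name): resolves to one result record per image.
// The caller supplies the URL; none are hard-coded here.
function probeImage(name, group, url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve({ name, group, loaded: false }), timeoutMs);
    const finish = (loaded) => {
      clearTimeout(timer);
      resolve({ name, group, loaded });
    };
    img.onload = () => finish(true);
    img.onerror = () => finish(false);
    img.src = url;
  });
}

// Constructed sample: one vendor logo fails while a control image loads.
const sampleResults = [
  { name: "F-Secure", group: "vendor", loaded: true },
  { name: "SecureWorks", group: "vendor", loaded: true },
  { name: "Trend Micro", group: "vendor", loaded: false },
  { name: "control-1", group: "control", loaded: true },
];
console.log(interpretEyeChart(sampleResults));
```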

It’s also very tricky to point users to disinfection tools because they are all hosted on Web sites that are blocked. The only one I’ve seen on an unblocked site is BitDefender’s bdtools.net, which offers disinfection tools for single PCs or networks.

If Conficker is not present on your machine, it’s important that you apply all Microsoft security updates immediately.

The Conficker Working Group has also provided some excellent maps with a view of the botnet around the world:

WORLD MAP:

USA INFECTIONS:

EUROPE INFECTIONS:

Ryan Naraine is a journalist and security evangelist at Kaspersky Lab. He manages Threatpost.com, a security news portal. Here is Ryan's full profile and disclosure of his industry affiliations.



  • Talkback
  • Most Recent of 22 Talkback(s)
Be careful with the eyeball
There do exist some infections that redirect all your DNS queries for a domain name within a rogue root domain that resolves to other sites. So you may effectively see the images from e...
Posted by: PhilippeV Posted on: 04/10/09
