Friday, April 10, 2009

Conficker propagates Scareware

Conficker Shows Its Colors, Installs Rogue Anti-virus

By Erik Larkin

Apr 10, 2009 10:30 am

We knew it would try to make a buck somehow, but until now Conficker hasn't done much beyond spread and update. That changed yesterday, when the worm began installing a rogue anti-virus app called SpywareProtect2009 on infected machines.

A Kaspersky researcher reports that the worm began using its peer-to-peer functionality yesterday to pull down new files, including updates and the fake security program. The fake app goes with the usual scareware tactics of identifying threats on the computer (ironically true in this case) and offering to clean the PC for $49.95.

The scareware tactic makes big money for online scammers, and I've talked to some experts who guessed Conficker might take this step. In addition to the scareware download, Conficker is also pulling down an update for a .E variant that will once again allow the worm to spread using a Microsoft vulnerability (MS08-067), and will also attempt to stop more existing programs and block attempts to reach additional domains (see the full list of messed-with processes and domains from Sophos).

The new update also adds an interesting new self-destruct mechanism to automatically delete itself after May 3rd, 2009. A Microsoft Malware Protection Center blog post has a good list of the new .E variant changes, and the Today @ PC World blog lists some new clues that might point to its creators.

If you see a scareware pop-up or other indicator on your PC, it's important to know whether it's from a relatively harmless visit to a Web site, or whether it's from an existing malware infection like Conficker. This story can help you tell which is which. And for a quick and easy way to tell if you're infected with Conficker, use the Conficker Working Group's Eye Chart.

The eye chart will retrieve specific images from sites known to be blocked by Conficker.
I tried it and found my machines clean:

If you see this above:    It probably means this:
All images displayed      Normal / Not Infected by Conficker (or using proxy)
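The chart's reasoning, written out as an added example (not the Working Group's code): images from sites the worm blocks are compared against images from unrelated control sites, so that a dead network is not mistaken for an infection. The hostnames below are assumed placeholders, not the chart's real URLs, and the probe function is injectable so the logic runs offline.

```python
"""Offline model of the Conficker Working Group "Eye Chart" check.

The chart loads small images from security-vendor sites that the worm
blocks and from unrelated control sites; the verdict depends on which
group loaded. Hostnames here are assumed placeholders, not the chart's.
"""
from typing import Callable
import urllib.request

# Assumed lists: sites the worm is reported to block vs. neutral controls.
BLOCKED_BY_WORM = ["security-vendor-a.example", "security-vendor-b.example"]
CONTROL_SITES = ["neutral-site-a.example", "neutral-site-b.example"]


def http_reachable(host: str, timeout: float = 5.0) -> bool:
    """Live probe: True if an HTTP GET to the host gets any response."""
    try:
        urllib.request.urlopen(f"http://{host}/", timeout=timeout)
        return True
    except Exception:
        return False


def eye_chart_verdict(reachable: Callable[[str], bool]) -> str:
    """Classify the host the way the chart's legend does.

    `reachable` is injected so the logic can be exercised offline; pass
    `http_reachable` to run a live check from the machine under test.
    """
    blocked_ok = [reachable(h) for h in BLOCKED_BY_WORM]
    control_ok = [reachable(h) for h in CONTROL_SITES]
    if all(blocked_ok) and all(control_ok):
        # The row quoted on the page: everything loads. A proxy that fetches
        # on the machine's behalf also yields this, hence the caveat.
        return "normal: not infected by Conficker (or traffic goes via a proxy)"
    if not any(control_ok):
        # Nothing loads at all: a connectivity problem, not evidence of infection.
        return "inconclusive: no connectivity to control sites"
    if all(control_ok) and not any(blocked_ok):
        # Only the security-vendor images fail: the pattern the worm's blocklist produces.
        return "suspicious: security-vendor sites blocked, controls reachable"
    return "inconclusive: mixed results, retry or check DNS/firewall rules"


if __name__ == "__main__":
    print(eye_chart_verdict(http_reachable))
```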

4 comments:

  1. Thank you Canice. My computer says I am good, but I downloaded the Spyware anyway and I am running it. Hope all is well with you!!

  2. And for a quick and easy way to tell if you're infected with Conficker, use the Conficker Working Group's Eye Chart.

    When I clicked on Conficker Working Group's Eye Chart it took me to PCtools. I had a problem downloading the program. I had a problem getting it off my computer. I'm not good at this stuff my friend, lol. I am now running my McAfee and will stick with that. I can see the eye chart now... I didn't see it before, which is why I clicked on the above. All is good.

  3. Am running Opera web browser; as of yet I have not had any problems. And I use avant anti-virus, so all my scans say I am good. Let's just hope it stays that way. But I really don't hear much about Opera anyway.
    Thanks Raven
