Computers

March 31, 2009

Chapter 2. The Conficker countdown melodrama.

Filed under: Uncategorized — Lindon @ 3:27 pm

The melodramatic Conficker countdown is starting to resemble one of those never-ending TV soap operas; everyone is talking about it, but it never draws to an end. Well, at last the countdown is in the final straight, because if not we could end up with mass hysteria.

So let's see what new information there is about Conficker. It would seem that some opportunists are taking advantage of the notoriety of Conficker, downloading malware onto computers from domains that are ranked highly in Google searches for the name of this virus. It’s not surprising, when you see how widely the news is being reported.  Google Trends illustrates the point:

What is most interesting is the ranking of countries where this information is being most widely reported, and where most people are searching for this information. Bearing in mind the number of domains that are downloading malware by exploiting the interest in Conficker, without actually having any connection with it, it is likely that although people in these countries may escape the wrath of Conficker, there may still be users who have downloaded other Trojans simply by searching for news about Conficker… Ironic really. Perhaps on April 2 we will be talking about another epidemic in Indonesia or Austria…

What new information is there about Conficker? Absolutely none, other than that everyone is waiting with bated breath to see when the apocalypse starts. This all takes me back to when, in the laboratory, we had a calendar for marking the payload dates of notorious viruses such as Friday 13 or Barrotes. So does this mean we are returning to the days of epidemics with payloads and countdowns?

Paradoxically, while we are all waiting to see what happens tomorrow, who knows what is actually going on in the background, and how many people are lining their pockets thanks to Conficker. And to get back to soap operas, what are the odds on a happy ending to the Conficker saga?

March 29, 2009

Reducing Ink Costs and Paper

Filed under: Uncategorized — Lindon @ 1:11 am
It’s no surprise to most readers that I hate buying printer ink. I find the process wasteful and expensive even if I recycle empty ink cartridges. You can imagine my joy when I found a free utility that saves ink and paper. It does this by allowing me to select the items from a web page I wish to print. It even saves web pages as a PDF file.

March 27, 2009

Don’t get taken in by the Conficker panic

Filed under: Uncategorized — Lindon @ 3:00 pm

Lately it seems everybody is talking about Conficker and its variants, and even more so given the build-up of fear around the coming day of April 1st. It's been a while since we saw so much coverage in the general media, and I don't want to tell you to disregard it, because it does contribute to general awareness and makes users more conscious. But I also want to say that perhaps it does more harm than good. Let's go back over the issues that are flying around the world.

Regarding the damn date… will Conficker be activated on April 1st? No. But it will do something that day, won't it? Yes. Conficker is malware that creates random URLs every day, and the PCs infected with it check whether there is any new version available to download. It does so 250 times a day. What will happen then on April 1st? The latest variant creates 50,000 new URLs. We can't know if any of them will host an update of the malware; its author could host a new version or even some other type of malware. It checks the date on the Internet; we say this in case somebody has thought of changing the system date of their computer ;-)
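The daily update check described above leaves a trace in DNS logs. The following is an added example, not code from the original post: it flags clients that look up many distinct domains which do not resolve on the same day. It assumes most generated names are unregistered and answer NXDOMAIN; the log format, the `.example` names, and the threshold are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample resolver log: date, client IP, queried name, response code.
SAMPLE_LOG = """\
2009-04-01 10.0.0.5 www.example.com NOERROR
2009-04-01 10.0.0.5 mail.example.com NOERROR
2009-04-01 10.0.0.5 exmaple.org NXDOMAIN
2009-04-01 10.0.0.9 www.example.com NOERROR
2009-04-01 10.0.0.9 kdjwqpx.example NXDOMAIN
2009-04-01 10.0.0.9 zzqmtrv.example NXDOMAIN
2009-04-01 10.0.0.9 pwlfhcy.example NXDOMAIN
2009-04-01 10.0.0.9 hbnqwsk.example NOERROR
2009-04-01 10.0.0.9 tgrvmdl.example NXDOMAIN
2009-04-01 10.0.0.9 xcjyuoa.example NXDOMAIN
"""

def registered_domain(qname):
    """Simplification (assumption): the last two labels are the registered domain."""
    labels = qname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def flag_rendezvous_sweeps(log_text, min_failed=5):
    """Map (day, client) -> (failed, total) distinct domains for clients with
    at least min_failed distinct domains that did not resolve on that day."""
    seen = defaultdict(set)
    failed = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        day, client, qname, rcode = parts
        domain = registered_domain(qname)
        seen[(day, client)].add(domain)
        if rcode == "NXDOMAIN":
            failed[(day, client)].add(domain)
    # min_failed is a hypothetical threshold, kept small so the sample stays short.
    return {key: (len(failed[key]), len(seen[key]))
            for key in seen if len(failed[key]) >= min_failed}

if __name__ == "__main__":
    for (day, client), (nx, total) in flag_rendezvous_sweeps(SAMPLE_LOG).items():
        print(f"{day} {client}: {nx} of {total} distinct domains failed to resolve")
```

On a flagged client, the unfamiliar names that did resolve (here `hbnqwsk.example`) are the ones to examine first, since a successful lookup is where an update could actually be fetched.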

If any URL contains an update of the worm, which actions will the new variant carry out? In fact, no one has been able to guess the final aim of Conficker. What we remember from previous infections is that the author's motive is to become famous, but we doubt very much that it all ends there. If we think about the different business models that are currently behind malware (mentioned in this blog many times before), it is obvious that its author (or authors) will be looking to make money in some way. But in which way? It could be by harnessing the network of infected PCs to send spam, by installing on the infected PCs some type of rogue antimalware that warns users their computer is infected and entices them to buy a fake antivirus, by downloading password-stealing Trojans… There is much speculation, but nothing for sure.

Another question posed is whether it's really more dangerous than other types of malware. The answer is no, it's not more dangerous, though its update functionality leaves a door open to new attacks that could be more dangerous. Its success lies in having exploited a recent MS vulnerability to distribute itself, and that's why it has reached many PCs. In this way, its author has been smart and has taken the model of classic viruses. An "intelligent" move by the author has been to use different means of infection, especially through USB keys, MP3 players, etc. What is true is that from version to version it has made its detection more difficult by obfuscating its code. And although we can't talk about a polymorphic virus, it is heading in that direction.

What stands out from all this is the means of infection through USB devices which, as we said before, is an attempt to reach the maximum number of PCs, and the way that infected PCs can communicate with each other to update over P2P, without the need to download a new version from a URL.

The infection level over the previous weeks has been dropping to low levels. There is probably still malware infecting PCs, but not at the levels we were seeing in the previous months. With this situation, the author could take various actions:

a) Create a new variant which exploits another 0-day vulnerability and takes no time to spread, and this was the plan all along for Conficker.
b) Keep alive the three variants which are being distributed, monitoring how much money they are making day by day, to the end.
c) Get bored and do something else…

We bet on option a). Not necessarily for April 1st, but it is on its way. It would be a shame to go to so much trouble without getting anything out of it. Because of this we think that it won't go away so easily.

Above all, don't get taken in by the panic. What should users do on April 1st? If you have your PCs protected by a good and updated antivirus, nothing. If you don't have one, we recommend that you install one (you don't have to wait until April 1st…), and you can use Panda ActiveScan to be sure you are not infected. We also recommend that you install the free tool we have created to avoid contamination through USB keys.

March 25, 2009

How To: Infect yourself with Malware

Filed under: Uncategorized — Lindon @ 10:20 pm

Last time we talked about cyber criminals using YouTube's Video Annotations feature to guide victims to malware-ridden websites. Today we'll talk about yet another method being used within YouTube and other social media websites.

Malware distributors have been creating instructional "How to" videos to get victims to willingly visit malicious websites and infect their own computers.

How to infect yourself with Malware

Once on the site, the victim is lured into installing Adware/SystemSecurity rogue software.

The best way to avoid these types of scams is by researching the product prior to installing it on your computer. Sometimes a simple Google search can literally save you hundreds of dollars in repair costs.

 

March 24, 2009

Blackhat SEO Fueled Rogue Security Campaign

Filed under: Uncategorized — Lindon @ 4:15 pm

Today we observed yet another Blackhat SEO campaign fueling the distribution of the System Security Rogue Anti-Malware from Pandora Software.

Blackhat SEO is a method used by criminals to trick search engines into displaying their content ahead of other legitimate sites. You can learn more about it here.

(E.g. One of the hijacked searches)

 

Accessing the link redirects the victim to the rogue anti-malware site, which then prompts the user to download and install the malicious software.

Sample hijacked search terms [Full List]:

Cinderella Full Story In Script
Swollen Throat Rash Chest Pains Symptoms
Body Aches All Over And Extreme Fatigue
Candy Bar In Illustrator
Humerous Marriage Definitions
Art Ideas For Babies
Possesive Worksheet
Free Online Scan Malware
Proxy Which Allows Java
Cd Key Do X Blades
Swollen Lymph Nodes And Dry Cough
How To Write Law In Graffiti
Index Of Best Songs
Keys Of Digi Tv
Free Space Crafts For Preschoolers
Execution Of Women Video
Labeled Diagram Of A Foot
Facebook Skins Free
Ear Infections And Sore Muscles

This post has been written by Sean-Paul Correll.

 
