Status Tracking Note JVNTR-2009-06

Widespread Infection of Win32/Conficker/Downadup Worm (TA09-088A)

Overview

Public reports indicate a widespread infection of the Win32/Conficker/Downadup worm. This worm exploits a previously patched vulnerability addressed in Microsoft Security Bulletin MS08-067, and it attempts to propagate via multiple methods, including removable media.
Event Information

Date (UTC) | Source | Description
2009-05-02 13:45 SANS Internet Storm Center
Decrease in Conficker P2P?
One of our regular contributors has been tracking Conficker related P2P traffic for the last several weeks. Oddly, from their point of view the traffic dropped off to near nothing around 8 PM GMT on April 30th.
2009-04-28 09:37 Microsoft Security Response Center Blog
Changes in Windows to Meet Changes in Threat Landscape
Today, wefre announcing modifications in Windows that adapts to recent changes in the threat environment. Specifically, wefre announcing changes to the behavior in AutoPlay so that it will no longer enable an AutoRun task for devices that are not removable optical media (CD/DVD.).
2009-04-26 05:38 Conficker Work Group
A timeline for Conficker
2009-04-09 22:44 US-CERT
Conficker Worm Targets Microsoft Windows Systems
US-CERT Current Activity
Researchers have discovered a new variant of the Conficker Worm on April 9, 2009. This variant updates earlier infections via its peer to peer (P2P) network as well as resuming scan-and-infect activity against unpatched systems. Public reporting indicates that this variant attempts to download additional malicious code onto victim systems, possibly including copies of the Waledac Trojan, a spam-oriented malicious application which has previously propagated only via bogus email messages containing malicious links.
2009-04-09 Symantec
W32.Downadup.C
2009-04-08 Trend Micro
WORM_DOWNAD.E
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2009-04-01 21:43 Conficker Work Group
Infection Distribution for Conficker
2009-04-01 21:43 Conficker Work Group
Infection Distribution
The following maps outline all the known infections that we have seen as of Wednesday, 1 April 2009.
2009-03-31 19:08 F-Secure
Conficker's domain routine has already started
F-Secure Weblog : News from the Lab
Infected computers use the local time as the trigger of when to start generating the list of 50,000 domains, so in places where the local time is already April 1st, these computers are now actively polling for domains. And, until the GMT date is April 1st, they are in fact polling for domains for 31st March. So far there haven't been any updates available on those sites.
2009-03-31 11:18 F-Secure
When will it start?
F-Secure Weblog : News from the Lab
2009-03-30 22:34 Symantec
ThreatCON (2) => (2)
On April 1, 2009, the Downadup.C worm will start using a changed version of its domain-generation algorithm. The worm uses this algorithm to compute a domain name from which it will try to download updates for itself.
2009-03-30 01:36 US-CERT
TA09-088A: Conficker Worm Targets Microsoft Windows Systems
Via US-CERT Mailing List
2009-03-30 U.S. Department of Homeland Security
DHS Releases Conficker/Downadup Computer Worm Detection Tool
The U.S. Department of Homeland Security (DHS) announced today the release of a DHS-developed detection tool that can be used by the federal government, commercial vendors, state and local governments, and critical infrastructure owners and operators to scan their networks for the Conficker/Downadup computer worm.
2009-03-26 14:32 F-Secure
Questions and Answers: Conficker and April 1st
F-Secure Weblog : News from the Lab
2009-03-20 02:48 SANS Internet Storm Center
Latest on Conficker
The researchers at SRI International updated their Conficker paper today. This is by far one of the best analyses of the Conficker malware.
2009-03-20 02:32 SRI International
Conficker C Analysis
This addendum provides an evolving snapshot of our understanding of the latest Conficker variant, referred to as Conficker C.
2009-03-07 Trend Micro
WORM_DOWNAD.KK
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2009-03-06 Symantec
W32.Downadup.C
2009-03-04 Microsoft
Win32/Conficker.D
Win32/Conficker.D is a variant of Win32/Conficker. Conficker.D infects the local computer, terminates services, blocks access to numerous security related Web sites and downloads arbitrary code. Conficker.D can relay command instructions to other Conficker.D infected computers via built-in peer-to-peer (P2P) communication. This variant does not spread to removable drives or shared folders across a network (as with previous variants). Conficker.D is installed by previous variants of Win32/Conficker.
2009-02-24 19:23 Microsoft
Microsoft Security Advisory (967940): Update for Windows Autorun
The update corrects an issue that prevents the NoDriveTypeAutoRun registry key from functioning as expected.
2009-02-23 21:02 US-CERT
New Variant of Conficker/Downadup Worm Circulating
US-CERT Current Activity
US-CERT is aware of public reports concerning a new variant of the Conficker/Downadup worm, named Conficker B++. This variant propagates itself via multiple methods, including exploitation of the previously patched vulnerability addressed in MS08-067, password guessing, and the infection of removable media. Most significantly, Conficker B++ implements a new backdoor with "auto-update" functionality, allowing machines compromised by the new variant to have additional malicious code installed on them. According to Microsoft, there is no indication that systems infected with previous variants of Conficker can automatically be re-infected with the B++ variant.
2009-02-20 Microsoft
Win32/Conficker.C
Win32/Conficker.C is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
2009-02-13 14:30 SANS Internet Storm Center
Third party information on conficker (Version: 2)
In an effort to provide YOU, the end user, the ability to educate yourself on this threat, I will be posting as much information as possible, from as many sources as possible.
2009-02-12 Microsoft
Microsoft Collaborates With Industry to Disrupt Conficker Worm
Microsoft offers $250,000 reward for Conficker arrest and conviction.
2009-02-12 ICANN: Internet Corporation For Assigned Names and Numbers
Microsoft Collaborates With Industry to Disrupt Conficker Worm
Today, Microsoft announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm.
2009-02-10 20:14 SANS Internet Storm Center
More tricks from Conficker and VM detection
2009-02-09 00:50 SANS Internet Storm Center
Some tricks from Conficker's bag
There have been a lot of discussions about various aspects of Conficker, definitely the most prevalent worm in the last couple of years. Symantec posted a nice series of articles about how Conficker is innovative in various things. One of those innovative things is the use of the autorun.inf file on USB removable media.
2009-02-06 Microsoft
Protect yourself from the Conficker computer worm
The Conficker worm is a computer worm that can infect your computer and spread itself to other computers across a network automatically, without human interaction.
2009-02-05 04:36 JPCERT/CC
JPCERT-AT-2009-0002: Increased activity targeting TCP port 445
2009-01-19 16:44 F-Secure
Social Engineering Autoplay and Windows 7
F-Secure Weblog : News from the Lab
The Downadup worm utilizes autorun.inf files to spread via removable devices such as USB drives. When is AUTORUN.INF really an AUTORUN.INF?, provided analysis. The autorun.inf uses some tricks, such as variable size, to help avoid detection.
2009-01-17 05:00 SANS Internet Storm Center
Investigating and Verifying domains to block (Conficker.B/Downadup.B)
As most of us know, investigation and verification of data plays a critical role in protecting our assets. Blind faith in what others say or do may of course lead to a call from a C-level asking why his VP of sales can't get to his favorite vacation blog. Today's diary (and the updates that will follow) will share some of the process and findings of my investigation into the wonderful list of domains that was produced by F-Secure that we have previously mentioned.
2009-01-16 22:27 US-CERT
Widespread Infection of Win32/Conflicker/Downadup Worm
US-CERT Current Activity
US-CERT is aware of public reports indicating a widespread infection of the Win32/Conficker/Downadup worm. This worm exploits a previously patched vulnerability addressed in Microsoft Security Bulletin MS08-067. This worm attempts to propagate via multiple methods including removable media.
2009-01-16 13:59 F-Secure
Calculating the Size of the Downadup Outbreak
F-Secure Weblog : News from the Lab
The number of Downadup infections is skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing.
2009-01-15 08:38 SANS Internet Storm Center
Conficker's autorun and social engineering (Version: 2)
One of the reasons for infecting so many machines is that Conficker uses multiple infection vectors: 1. It exploits the MS08-067 vulnerability, 2. It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally, 3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.
2009-01-14 14:33 F-Secure
More Than One Million New Infections
F-Secure Weblog : News from the Lab
Today's total infection count is an estimated 3,521,230 infections worldwide.
2009-01-13 11:21 F-Secure
How Big is Downadup? Very Big.
F-Secure Weblog : News from the Lab
2,395,963 infections worldwide.
2009-01-12 22:43 SANS Internet Storm Center
Downadup / Conficker - MS08-067 exploit and Windows domain account lockout
The storm center handlers' mailbox has received a growing number of email inquiries regarding the root cause for Windows domain account lockouts, which we most likely attribute to the infection base of Downadup/Conficker malware variants.
2009-01-08 19:49 F-Secure
MS08-067 Worm, Downadup/Conflicker
F-Secure Weblog : News from the Lab
Downadup and other such similar worms exploit a vulnerability in the Windows Server service.
2009-01-07 12:52 F-Secure
When is AUTORUN.INF really an AUTORUN.INF?
F-Secure Weblog : News from the Lab
USB worms work by creating a file called AUTORUN.INF on the root of USB drives.
2009-01-06 12:39 Symantec Security Response Blog : Malicious Code
W32.Downadup Infection Statistics
On July 7, Microsoft released a Security Bulletin outlining a vulnerability in the Access Snapshot Viewer ActiveX control. On or about this date, our honeypots began detecting this vulnerability exploited in what I can only describe as a Neosploit wrapper.
2008-12-30 Symantec
W32.Downadup.B
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-12-29 Microsoft
Win32/Conficker.B
Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.
2008-11-24 McAfee
W32/Conficker.worm
2008-11-21 Trend Micro
WORM_DOWNAD.A
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-21 Symantec
W32.Downadup
Exploiting Server Service Vulnerability (CVE-2008-4250, MS08-067)
2008-11-21 Microsoft
Win32/Conficker.A
Worm:Win32/Conficker.A is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled.

Reference

Date first published (UTC): 2009-02-14T05:36+00:00
Date last updated (UTC): 2009-05-04T01:38+00:00