An Associated Press report published early Sunday says that University of Utah officials reported 700 campus computers infected by the infamous Conficker worm. Among the 700 infected computers were systems located on networks used by the three university hospitals.

In the lackluster AP report, which is missing various important details, university spokespeople said that patient data was not compromised. Conficker was discovered on Friday to have compromised systems at the three hospitals, the university medical school, and the colleges of pharmacy, nursing, and health. The only good bit of information from the AP report is that no patient information was lost due to Conficker. Yet it is unknown how Conficker infected the university's network, something both the AP and the university left out.

Over the weekend several hundred stories surrounding the worm started to spread, mostly focused on the Trend Micro and BitDefender discoveries of a new variant that uses P2P methods to update itself.

If you have followed Conficker-related news over the last several months, then you know that it has undergone four transformations, that it can use either HTTP or P2P methods to update itself, and that it has a small connection to the Waledac family of malware. In addition, aside from annoying system administrators and end users the world over, Conficker has so far been mostly harmless.

Yes, previous versions of Conficker as well as the latest variant have the ability to download and install rogue anti-virus and other malicious applications. Yet this ability shouldn't cause half of the panic that it has. The hype started when Trend Micro reported on the discovery of a new Conficker variant, shortly after BitDefender reported its discoveries. In both cases, Conficker used its P2P abilities to download new code.
The rogue anti-virus panic comes from Trend Micro's discovery that its Conficker-infected system, just after the P2P update, attempted to connect to a known Waledac URL.

"Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file. This coincidentally happened just after the creation of the new Downad/Conficker binary," wrote Ivan Macalintal in the Trend Micro report on the new variant. "The domain resolves currently to an IP that is hosting a known Waledac ploy in HTML to download print.exe, which has been verified to be a new Waledac binary."

Last Wednesday, Vlad Valceanu, BitDefender's Senior Security Researcher, told The Tech Herald a little more about the new variant.

"We found a new variant yesterday, which is very similar to the old one. It blocks more domains and more disinfection tools. As you know, Conficker was already blocking access to security websites and removal tools. Now its list is bigger. It is a minor upgrade to the C version, designed to make disinfection even harder, or to counter the disinfection methods that have appeared."

It appears that this variant has a simple goal insofar as "it is designed to keep its hold on the infected machines," Valceanu explained.

Considering the oversaturation of coverage this worm has received, it is a wonder that there are any new systems left for it to infect. However, because there are so many ways for the worm to spread, and not everyone follows the security mantra of update, patch, and repeat, Conficker is still a pain to deal with. While Conficker is a nightmare from a system administration standpoint, there is still no reason to focus solely on this worm and treat it as the end of the world.

As previously mentioned, The Tech Herald has created a single index of Conficker-related information.
This index houses news, protection and mitigation instructions, as well as a list of removal links and related vendor information and articles. If for some reason you have not hardened your system against a Conficker infection, start with page four of the index.

The Tech Herald: Conficker: The Tech Herald's index of news and information
University of Utah hit by you-know-what – Conficker FUD continues.