From F-Secure:

# On April 8th a new update was made available to Conficker.C infected machines via the P2P network
# The new file, which we call Conficker.E, is executed and co-exists alongside the old infection
# It re-introduces spreading via the MS08-067 vulnerability. Spreading functionality was removed in Conficker.C and the gang behind this maybe realized they made a mistake and added it again.
# There’s a possible connection to Waledac, a spambot. Some Conficker.C infected computers connected to a well known Waledac domain and downloaded Waledac from there.
# There’s also a connection to rogue anti-virus products as we’ve seen it end up on Conficker.C infected machines. The rogue product was Spyware Guard 2008.
# Conficker.E deletes itself if the date is May 3, 2009 or later.

DNS (Domain Name System)  – is a method by which the URL’s you type into your browser are translated into the actual Internet IP-addresses fo the appropriate servers. Its by using these unique addresses that information gets routed properly around the Internet. A common comparison is your postal address: You can think of the URL’s as your NAME and the IP address as your street and house number.  Your mail won’t reach you without the address. So for every Domain name out there, a unique Ip address exists. When you make a request in your web browser for a particular website, it queries its DNS provider for the correct IP address and then takes you there. By default you’re probably using your ISP’s DNS servers to provide this functionality for you.

You can create a free account and then set your router or home your home PC’s individually to use OpenDNS’ servers instead of your ISPs. OpenDNS categorizes domain names and URL’s into all kinds of useful collections which you can then choose to allow or deny access to from your network.  OpenDNS grabs your DNS “queries” and, for categories which you’ve chosen to block , it inserts its OWN ip addresses in the return, rather than the actual destination. For example, you can choose to block adult content.  When you type in “www.playboy.com” in your browser, your computer queries OpenDNS for the correct IP address. OpenDNS, sees that you’ve chosen to block this site, and instead of returning  216.163.137.3 (the acutal playboy.com address), it returns with an address owned by OpenDNS. So when your browser goes to this new address, you’re greeted with a nice blocked message that looks something like this:

By intercepting these addresses, OpenDNS has the ability to block all sorts of malicious or unwanted content, and notify you if it detects you trying to access it.  For instance, they can currently detect if you’re infected with the conficker worm.

They also offer all kinds of great statistics about your network’s usage. You can customize the block messages and looks as well.  For the price, OpenDNS can’t be beat.

There are instructions on the OpenDNS website for configuring both home routers and individual computers. For more info click here.

According to Trend Micro’s summary:

Two things can be summed up from the events that transpired:

1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing!
2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

Here’s a link to more information from Trend Micro

Here’s a link to the conficker “eye test” – it’ll let you know if your machine is infected or not.

http://www.talkbiz.com/confickertest/

From Microsoft: Conficker infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Once your computer is infected, it is now “owned” by the Conficker worm and its creators. It becomes one of millions of infected PC’s making up a massive “army” of infected machines that could possibly be used to implement the author’s bidding at any time.  Here’s the scary part- all these infected machines ( or “bots”) are currently programmed to “check in” with their master on April 1st to get new instructions. No one knows exactly what will happen on that day.

Pundits have speculated a variety of different malicious deeds this massive bot army could undertake on 4/1. One possibility is that the author’s will grab sensitive personal data off all these machines. Another thought is that they will launch massive denial of service attacks on major websites.  Still others believe that this bot army will be sold off for the purposes of sending out Spam worldwide.  No one, except the authors knows for sure.

Regardless, make sure your machines have AntiVirus software, and that its up-to-date. If you’ve just recently installed AntiVirus, make sure you do a full system scan. Make sure Automatic Updates are turned on.

The Honeynet project just released a new python script you can run to scan your network for infected machines. Here’s a link to it:

http://honeynet.org/node/388

For more info about this worm you can check out any of the following links:

http://en.wikipedia.org/wiki/Conficker

http://vil.nai.com/vil/content/v_153464.htm

This one’s REAL technical but a great read if you have the time:

http://mtc.sri.com/Conficker/addendumC/

Let’s be careful out there….