Confiker "C"

rambo · March 21, 2009, 11:01am

Are we secure against the worm Confiker "c "
Sounds a stupid question,i know,but this latest onslasught sounds like it could be a real problem.
Thanks and Regards

JamesFrance · March 21, 2009, 11:37am

A good question, I was hoping this was dealt with by now:
http://malwareresearchgroup.com/?p=358

rambo · March 21, 2009, 12:07pm

Interesting report James.
I would hope by now (v.8) deals with the problem.
I would also expect some comment from the developers.
From what i have read about Confiker “C” it is going to be a very serious problem for networks and the like.
Regards

rambo · March 21, 2009, 12:21pm

This is what i nam talking about.

rambo · March 21, 2009, 7:32pm

An answer would be appreciated.
Thank you.

rambo · March 23, 2009, 7:46am

Still no answer?

mokito · March 23, 2009, 9:39am

not sure if you take a look in the CIS version but they tested it with .439 and .477 was released some time ago now…

Breen · March 23, 2009, 12:14pm

Conficker C is known since 11 Mar 2009, so I think there should be signature for it, but I’m not 100% sure.

rambo · March 23, 2009, 5:36pm

Any comment from the developers?

alaertsxan · March 23, 2009, 5:44pm

I’ve seen some conficker entries on the update databasepage so I guess we’re safe. I know we are against conficker.b

Xan

darcjrt · March 23, 2009, 5:52pm

D+ stops it for sure!! proved by egemen somewhere in the forum.

who_te_fuc · March 23, 2009, 6:00pm

I read that too… If I remember correctly D+ even warned for “malicious behavior” (really strong alert) if Conficker is trying to run… =)

rambo · March 23, 2009, 6:03pm

I am much obliged
thank you

darcjrt · March 23, 2009, 6:20pm

Yep it says something like behavior or heuristics or something really cool!!

:comodorocks:

system · March 23, 2009, 11:24pm

I’ve been reading this forum for quite some time now, and now decided to write something… I wanted to clarify some points, I felt the need to clarity.

Hope you guys don’t mind.

And? I’m sure you, me, and other people would be able to interpret a given alert by Defense+, which could be for Conficker/Downadup, new version, aka Conficker.C.

But, what most people want, is for their security solution, to stop it/others, by detecting the malware, and not some action, which could say anything like - Ad-aware.exe is attempting to …

People’s reaction - Oh, is Ad-aware… Let’s allow it. BOOM!

I wouldn’t be surprised if Defense+ would even say it’s unknown (I know for a fact it says unknown). A lot legitimate applications are unknow, in what comes to Defense+.

Follow my raciocine here?

Defense+, and other HIPS, I’ve worked with, and still work, are not the solution for the masses. Sorry, but it isn’t.
Very cautious people would fall for a very simple trick, as the one I’ve mentioned above.

If we were talking about a 0-day malware, then, most people would become infected, either by not running a HIPS or by running a HIPS, advised by someone else, but, which they do not know how to work with.

Reality is, we’re talking about an already known malware, and if COMODO AV doesn’t detect such, then they should hurry, and make such detection available, no?

Saying that Defense+ has been proven to intercept it, in a test done by someone who knows how to interpret alerts, isn’t a fair deal, in my most honest opinion.

I wonder, if I put it to test with hundreds of people, and wired them all up on a network, and tell to them:

I’m gonna get in your systems and alerts will be given. Not all is bad, nor all is good. The ultimate decision is yours. Choose wisely.

What would be then end result?

It could happen a very restrict number knows what they’re dealing with. But, the higher % woulnd’t, and given my warning, they would either allow or block all.

Let’s not make of a HIPS, what is not - the ultimate solution for the masses.

Take care

darcjrt · March 23, 2009, 11:36pm

Here we go again. If you look at the messages posted of D+ preventing confliker from running you will see actually the word MALWARE!!! even my 3 year old son will click BLOCK!

system · March 23, 2009, 11:43pm

Yes, it does. Still, is also tags perfectly legitimate applications as malware, due to the heuristics thing.

So, what?

Wouldn’t, in a situation like that, some user just allow it? After all, don’t forgot, we could be talking about some warning mentioning Ad-aware, Spybot.exe, Avira, Avast… whatever. And happen, that, hey, the user does have it installed on the system, and someone told him/her that Defense+ could give such a warning for safe applications.

And, in Ad-aware’s case, Defense+ doesn’t recognize it as a known application. Meaning, it won’t check if it’s indeed Ad-aware or not. It will just alert. Who says it isn’t? Who says it is?

panic · March 23, 2009, 11:56pm

Conficker B and C detected by the AV last night with DB revision 1082. It reports it as (from memory) malware with the name “kido”, which several AVs firms (including Comodo) are using to denote the Conficker family.

Ewen

Breen · March 24, 2009, 12:17am

Yep, unfortunately what you’ve posted makes sense. My girfriend’s pc was infected because she didn’t know how to react for the “unknown”, not malware, alert. D+ worked but the alert wasn’t clear enough.

panic · March 24, 2009, 3:24am

One more time …

Conficker B and C detected by the AV - not Defense+ last night with DB revision 1082. It reports it (from memory) as malware with the name “kido”, which several AVs firms (including Comodo) are using to denote the Conficker family.

Ewen