CURRENT ACTIVITIES
- Fake CDC H1N1 Vaccination malware Spam
Date : December 08, 2009
- Propagation of malware through spam impersonating System/Mail Administrator
Date : October 16, 2009
Updated: October 20, 2009
- Series of Mass iframe Injection on Websites-Serving Blended Malware
Date : August 28, 2009
- Microsoft Office web components ActiveX exploit
Date : July 16, 2009
- Fake Microsoft "critical update" spam propagating trojan
Date : June 23, 2009
- Email scams circulating related to the Swine Flu
Date : May 01, 2009
- Exploit for Internet Explorer Memory corruption vulnerability in the wild
Date : February 19, 2009
- Waledac worm variants Propagating
Date : February 10, 2009
Updated : July 06, 2009
- Worm Conficker/Downadup/Kido widely propagating
Date : January 22, 2009
Updated : May 13, 2009
Fake CDC H1N1 Vaccination malware Spam
Date: December 08, 2009
It has been reported that a spam campaign claiming to be from the Center for Disease Control and Prevention (CDC) and requesting that recipients complete a "Personal H1N1 Vaccination Profile" is in the wild distributing Zbot variants.
Screenshot of the spam mail (source: McAfee)
These emails contain a URL that points to a fake CDC website, which urges the victim to download an archive that contains the instructions for creating a Personal H1N1 Vaccination Profile.
Fake website (Source: McAfee)
Some of the subject lines of this spam are:
- Governmental registration program on the H1N1 vaccination
- State Vaccination H1N1 Program
- Your personal Vaccination Profile
- Create your personal Vaccination Profile
- State Vaccination Program
- Creation of personal Vaccination Profile
- Instructions on creation of your personal Vaccination Profile
- Creation of your personal Vaccination Profile
Users are advised to take the following precautions to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Keep up-to-date patches and fixes on the operating system and application software.
- Keep up-to-date Antivirus and Antispyware signatures.
- Do not visit untrusted websites.
References
http://www.avertlabs.com/research/blog/index.php/2009/12/01/h1n1-vaccination-profile-a-path-to-infection/
http://community.ca.com/blogs/securityadvisor/archive/2009/12/01/zbot-s-launching-of-state-quot-vaccination-quot-h1n1-program.aspx
http://www.cdc.gov/hoaxes_rumors.html
http://antivirus.about.com/od/virusdescriptions/p/cdch1n1scam.htm
http://blogs.technet.com/mmpc/archive/2009/11/27/do-and-don-ts-for-p-w0rd.aspx

Propagation of malware through spam impersonating System/Mail Administrator
Date: October 16, 2009
Updated: October 20, 2009
It has been observed that a new wave of spam e-mails, purportedly arriving from the organisation's System/Mail Administrators or tech-support team, is circulating widely.
These "highly personalized" spam mails alert users to update/upgrade system software due to a recent server upgrade and include a URL or ZIP attachment. They urge users to click the URL or open the attached ZIP file and execute it to apply the update. Some of the attached/downloaded malware is detected as ZBot/Cutwail variants.
The email message spoofs the sender address so that the sender looks like "tech-admin/support@organisation-domain-name", and the links have the format
http:||updates.organisation-domain.secure.some-domain mail|id=<10digitID>-legitimateemail@ organisation-domain .com -patch407574.exe
To make it more convincing, the victim's domain name is used as the sub-domain and used throughout the message body along with the victim's e-mail address.
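The three traits of these links (the organisation's name used as a sub-domain of a foreign host, the recipient's address inside the URL, and a direct executable download) can be checked at the mail gateway. The following is an added example, not CERT-In code; the `example.com` organisation, the `badhost.test` and `vendor.test` hosts and the sample message are constructed, and the organisation's own domain is assumed to be supplied by the defender.

```python
import re
from urllib.parse import urlsplit, unquote

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
PAYLOAD_SUFFIXES = (".exe", ".zip")  # payload types named in the advisory


def link_signals(url, recipient, org_domain):
    """Return which traits of the advisory's link format this URL shows."""
    org_domain = org_domain.lower().strip(".")
    org_label = org_domain.split(".")[0]        # "example" for example.com
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    signals = []

    # 1. Our organisation's name appears as a label of a host we do not own.
    on_our_domain = host == org_domain or host.endswith("." + org_domain)
    if not on_our_domain and org_label in host.split(".")[:-1]:
        signals.append("org-name-as-subdomain")

    # 2. The recipient's own address is embedded in the path or query.
    rest = unquote(parts.path + "?" + parts.query).lower()
    if recipient.lower() in rest:
        signals.append("recipient-address-in-url")

    # 3. The link points straight at an executable or archive.
    if unquote(parts.path).lower().endswith(PAYLOAD_SUFFIXES):
        signals.append("direct-payload-download")
    return signals


def find_personalised_lures(body, recipient, org_domain):
    """Flag URLs that borrow our domain name and show at least one more trait."""
    hits = []
    for url in URL_RE.findall(body):
        url = url.rstrip(".,);")                # trailing sentence punctuation
        signals = link_signals(url, recipient, org_domain)
        if "org-name-as-subdomain" in signals and len(signals) >= 2:
            hits.append((url, signals))
    return hits


# Constructed sample message for recipient alice@example.com.
SAMPLE_BODY = """\
Dear user of the example.com mailing service,
a server upgrade requires you to update your mailbox settings:
http://updates.example.secure.badhost.test/mail/id=0123456789-alice@example.com-patch407574.exe
Release notes: https://intranet.example.com/it/notes.html
Vendor mirror: http://downloads.vendor.test/tools/viewer.exe
"""

if __name__ == "__main__":
    for url, signals in find_personalised_lures(
            SAMPLE_BODY, "alice@example.com", "example.com"):
        print(url, signals)
```

A plain link to an executable on an unrelated host is not flagged on its own; the combination with the borrowed organisation name is what marks this campaign.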
See below some of the screen shots of the malicious spam.
Screenshot of the malicious page redirected: (Source: Websense Securitylab)
It has also been observed that mails pretending to come from Microsoft ask users to install the attached antispyware program to protect against the resurfaced Conficker Worm, which started from 18/10/2009.
Screenshot of the malicious spam mail:
Some of the domains reported with the malicious campaign are given below:
Users are advised to implement following countermeasures:
- Block the emails with above mentioned subject lines at Mail Gateway
- Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages.
- Install and maintain updated anti-virus software at Mail gateway and desktop level
- Install and maintain updated anti-spyware software at desktop level
- Keep up-to-date on patches and fixes on the OS and application software
References
http://securitylabs.websense.com/content/Alerts/3491.aspx
http://blog.trendmicro.com/tailor-made-zbot-spam-campaign-targets-various-companies/
http://isc.sans.org/diary.html?storyid=7333
http://isc.sans.org/diary.html?storyid=7357
http://www.symantec.com/connect/blogs/personalized-patchupdate-spam-delivering-malware

Series of Mass iframe Injection on Websites-Serving Blended Malware
Date : August 28, 2009
It has been observed that a number of websites have been compromised and infected with iframe script tags pointing to the malicious JavaScript file "x.js", hosted on the domain "a0v[d0t]org". Remote attackers launched successful attacks on web servers running ASP and inserted the iframe script tag "script src=http://a0v[d0t]org/x[d0t]js" into the web pages.
When a user visits any of the infected websites, the script is executed on the visitor's computer system without the user's intervention. Upon execution it tries to connect to further malicious domains hardcoded in the JavaScript files and HTML pages, then downloads and installs desegregated malware consisting of trojans, backdoors, keyloggers, password stealers and downloaders onto the visitor's computer system. These malware are downloaded from different domains. A case study describing the malicious redirection mechanism can be found here (CERT-In Case Study CICS-2009-01).
A snapshot of malicious webpage is shown below:

A list of the malicious files downloaded onto the visitor's system is as follows:
a.jpg, x3.swf, 16.js, 9.exe, 19.exe, 29.exe,
b.jpg, x4.swf, x115.css, 10.exe, 20.exe, 30.exe,
url.jpg, x5.swf, 1.exe, 11.exe, 21.exe, 31.exe
c.jpg, t2.htm, 2.exe, 12.exe, 22.exe, 32.exe,
d.jpg, of.htm, 3.exe, 13.exe, 23.exe, 33.exe,
e.jpg, of.css, 4.exe, 14.exe, 24.exe, YTPPSeee.vbs,
f.jpg, of.js, 5.exe, 15.exe, 25.exe, YTPPSeee.pif,
swfobject.js, ytfl.htm, 6.exe, 16.exe, 26.exe,
x1.swf, 14.js, 7.exe, 17.exe, 27.exe,
x2.swf, 15.js, 8.exe, 18.exe, 28.exe.
Some of the malicious domains involved are as follows:
[Do not visit these domains, as this may harm your computer; replace " [d0t] " with "." for the domain name.]
a0v [d0t] org, d.bgsew [d0t] com, txt.bhssd [d0t] com,
js.tongji.linezing [d0t] com, yea24.2288 [d0t] org,
ds3gj [d0t] cn, 1.boksx [d0t] com, 2.boksx [d0t] com,
3.boksx [d0t] com.
It has been found that most of the files downloaded are trojan download agents, trojan droppers, online gaming password stealers, keyloggers, rootkits and backdoor trojans. Most of the dropped malware is known, and detection is available from most antivirus vendors.
It may be noted that many such malicious domains could be hosted and a new wave of iframe injections could be launched to redirect users to these malicious websites hosted on a botnet.
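Site owners can audit their own pages for the injected tag. The following added example (not CERT-In code) parses a page, extracts every remote `script`, `iframe` and `frame` source, and reports hosts on the advisory's domain list as well as any host outside the site's own allowlist, since a fixed list will miss the new domains the paragraph above anticipates. The `example.com` site, the sample page and the `unknown-host.test` host are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Domains from the advisory, kept defanged in source and re-fanged at run time.
ADVISORY_DOMAINS_DEFANGED = [
    "a0v[d0t]org", "d.bgsew[d0t]com", "txt.bhssd[d0t]com",
    "js.tongji.linezing[d0t]com", "yea24.2288[d0t]org", "ds3gj[d0t]cn",
    "1.boksx[d0t]com", "2.boksx[d0t]com", "3.boksx[d0t]com",
]


def refang(value):
    return value.replace(" ", "").replace("[d0t]", ".").lower()


BLOCKLIST = {refang(d) for d in ADVISORY_DOMAINS_DEFANGED}


def host_matches(host, domains):
    """True if host is one of the domains or a sub-domain of one."""
    return any(host == d or host.endswith("." + d) for d in domains)


class RemoteSourceFinder(HTMLParser):
    """Collect the host of every remote src on script/iframe/frame tags."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.sources = []                      # (line, tag, host)

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe", "frame"):
            return
        src = (dict(attrs).get("src") or "").strip()
        host = urlsplit(src).hostname          # None for relative paths
        if host:
            self.sources.append((self.getpos()[0], tag, host))


def scan_page(html, own_hosts):
    """Return (line, tag, host, verdict) for each suspicious remote source."""
    finder = RemoteSourceFinder()
    finder.feed(html)
    finder.close()
    findings = []
    for line, tag, host in finder.sources:
        if host_matches(host, BLOCKLIST):
            findings.append((line, tag, host, "advisory-listed"))
        elif not host_matches(host, own_hosts):
            findings.append((line, tag, host, "not-on-allowlist"))
    return findings


# Constructed page: two legitimate scripts, then three injected or unknown tags.
# The first injected tag is unquoted, as in the advisory.
LISTED_A = refang("a0v[d0t]org")
LISTED_B = refang("3.boksx[d0t]com")
SAMPLE_PAGE = "\n".join([
    "<html><head><title>Products</title>",
    '<script src="/js/menu.js"></script>',
    '<script src="https://static.example.com/lib.js"></script>',
    "</head><body><p>Catalogue</p>",
    "<script src=http://" + LISTED_A + "/x.js></script>",
    '<iframe src="//cdn.' + LISTED_B + '/t2.htm" width=0 height=0></iframe>',
    '<script src="http://counter.unknown-host.test/c.js"></script>',
    "</body></html>",
])

if __name__ == "__main__":
    for finding in scan_page(SAMPLE_PAGE, {"example.com"}):
        print(finding)
```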
Countermeasures:
- Disable client side scripting.
- Disable Javascript and ActiveX scripting in the browser settings.
- Use NoScript extension with Firefox browser.
- Use Signed Scripting: Implement “signed scripting” such that any script with an invalid or un-trusted signature would not run automatically.
- Enterprises shall implement IPS and Security solutions with content inspection at perimeter level.
- Keep up-to-date on patches and fixes on the OS and application software.
- Install and maintain updated anti-virus software at desktop level.
- Exercise caution even while visiting trusted websites.
- Secure the web applications against SQL injection and XSS attacks.
- For more details refer CERT-In Case Study and Whitepaper on SQL injection Techniques & Countermeasures.
References
http://www.securityfocus.com/brief/1001
http://blog.scansafe.com/journal/2009/8/21/up-to-55k-compromised-by-potent-backdoordata-theft-cocktail.html
http://news.softpedia.com/news/Over-62-000-New-URLs-Serving-Exploits-Cocktail-120006.shtml
http://www.theregister.co.uk/2009/08/24/mass_web_infection/
http://www.cert-in.org.in/knowledgebase/whitepapers/CICS-2009-01.pdf

Microsoft Office web components ActiveX exploit
Date : July 16, 2009
An exploit for the zero-day vulnerability in Microsoft Office Web Components described in CERT-In vulnerability note CIVN-2009-83 is being reported.
This vulnerability is due to a memory corruption error in the Office Web Components ActiveX Controls (OWC10.dll and OWC11.dll).
Microsoft Office Web Components are a collection of Component Object Model (COM) controls for publishing spreadsheets, charts, and databases to the Web, and for viewing the published components on the Web.
Once successfully exploited, an attacker can execute arbitrary code in a "browse and get owned" scenario with the privilege of the user.
It is reported that several websites are operational hosting malicious JavaScript detected as JS_SHELLCODE.BH (Trend Micro). These sites use script fragmentation, wherein the whole malicious script is fragmented and hosted across several websites.
A screenshot of the shell code (Source: Trend Micro)

It connects to the following Web site to download and execute a malicious file:
http://{BLOCKED}nf5.com/889/123/1.exe - (TROJ_DLOADER.DOF Trend Micro)
It has been reported that this vulnerability is being used for targeted attacks with crafted Office documents with embedded HTML.
Countermeasures:
- Apply appropriate workarounds as mentioned in CERT-In vulnerability note CIVN-2009-83.
- Block access to the exploit domains listed here at the perimeter.
- Configure Internet Explorer to prompt before running Active Scripting or to disable Active Scripting in the Internet and Local intranet security zone.
- Do not open or save Microsoft Office Documents received from unknown and untrusted sources.
References
http://www.microsoft.com/technet/security/advisory/973472.mspx
http://support.microsoft.com/kb/973472
http://blogs.technet.com/srd/archive/2009/07/13/more-information-about-the-office-web-components-activex-vulnerability.aspx
http://www.cert-in.org.in/vulnerability/civn-2009-83.htm
http://blogs.technet.com/srd/archive/2008/02/03/activex-ontrols.aspx
http://blog.trendmicro.com/ocw-activex-exploit-follows-mpeg2tunerequest%E2%80%99s-lead/
http://www.dslreports.com/forum/r21469081-Script-fragmentation-attacks-to-bypass-antivirus-protection
http://isc.sans.org/diary.html?storyid=6778
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS_SHELLCODE.BH
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_DLOADER.DOF

Fake Microsoft "critical update" spam propagating trojan
Date : June 23, 2009
It has been observed that malicious files are being propagated through fraudulent websites pretending to be providing critical updates to Microsoft Windows Outlook/Outlook Express.
The spam mails come with the subject line “Microsoft Outlook critical update”. When a user clicks on the links provided in the spam mail, they are taken to malicious websites hosting variants of ZBOT, an information stealing trojan.
A sample email is shown in the following screenshot: (SOURCE: Trend Micro).

Upon execution of the ZBOT trojan, the affected system connects to a website (http://{BLOCKED}i.com/lbrc/lbr.bin) to download a .bin configuration file containing information on where to download updated variants of the trojan and where to send the stolen data. The stolen data is sent to the website (http://{BLOCKED}i.com/lbr/rec.php) via the HTTP POST method. This configuration file also contains the list of websites for which it captures keystrokes/data whenever the user visits them.
Users are advised to implement following countermeasures:
- Do not click upon any link embedded inside the untrusted e-mail messages or web pages.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain updated anti-spyware software at desktop level.
- Keep up-to-date on patches and fixes on the OS and application software.
- Follow the guidance provided by Microsoft regarding Recognize and avoid fraudulent e-mail to Microsoft customers.
References
http://blog.trendmicro.com/critical-update-leads-to-critical-info-theft/
http://threatinfo.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ_ZBOT.BTS&VSect=T
http://www.sophos.com/blogs/sophoslabs/v/post/4889
http://www.securecomputing.net.au/News/148325,fake-microsoft-critical-update-spam-propagating-trojan.aspx

Email scams circulating related to the Swine Flu
Date : May 01, 2009
It has been reported that malicious users are taking advantage of the recent Swine Flu outbreak by distributing unsolicited emails with swine-flu-themed subjects. The attacks arrive through an unsolicited email message typically containing a subject line related to the Swine Flu. These email messages may contain a link or an attachment. If users click on this link or open the attachment, they may be directed to a phishing website or infected with malicious code.
It has been reported that a document titled "Swine influenza frequently asked questions.pdf" is circulating on the internet as an email attachment and being used to drop malware on computers. This malicious PDF file, known as Bloodhound.Exploit.6, takes advantage of a vulnerability in Adobe to drop a malicious "infostealer" Trojan on the user's computer, which is used to steal personal information, such as credit card number, online bank credentials etc.
Some of the subject lines of this spam are:
- First US swine flu victims!
- Madonna caught swine flu!
- NY victims of swine flu
- Salma Hayek caught swine flu!
- Swine flu in Hollywood !
- Swine flu in USA
- Swine flu worldwide!
- US swine flu statistics.
The body of the message is a short sentence followed by a link.

It appears that dozens of new web site names with the term "swineflu" included in them were registered during the last few days. Right now they are not used for anything, but it is anticipated that at some point, these sites may be used for spamming purposes, perhaps advertisements or even greater malicious use.
Users are advised to implement the following countermeasures to protect themselves:
- Do not follow unsolicited web links or attachments in email messages.
- Keep up-to-date patches and fixes on the operating system and application software.
- Keep up-to-date Antivirus and Antispyware signatures.
- Do not visit untrusted websites.
- Do not disclose any financial or personal information being asked in unsolicited email.
References
http://www.avertlabs.com/research/blog/index.php/2009/04/27/swine-flue-spam/
http://www.us-cert.gov/current/index.html#swine_flu_phishing_attacks_and
http://www.theregister.co.uk/2009/04/29/swine_flu_spam/
http://www.cbc.ca/technology/story/2009/04/29/tech-090429-swine-flu-spam.html
http://voices.washingtonpost.com/securityfix/2009/04/scammers_spammers_embrace_swin.html?wprss=securityfix

Exploit for Internet Explorer Memory corruption vulnerability in the wild
Date : February 19, 2009
It has been observed that an exploit targeting the Microsoft Internet Explorer memory corruption vulnerability (MS09-002) is in the wild. Further details of the vulnerability are available in CERT-In vulnerability note CIVN-2009-23.
The vulnerability is due to a memory corruption error when Internet Explorer handles errors that could occur when calls are made to un-initialized or deleted memory objects. Successfully exploiting this vulnerability may allow an attacker to execute remote code on the victim system and harvest sensitive, personal information from an infected machine.
It is reported that the exploit propagates in the form of a crafted Word document (XML_DLOADER.A, Trend Micro). This Word document contains an embedded ActiveX control which, upon opening, connects to a website to launch and execute the MS09-002 exploit (HTML_DLOADER.AS, Trend Micro).
On successful exploitation the exploit drops a backdoor detected as BKDR_AGENT.XZMS.
This backdoor changes the system configuration and installs a .DLL file that has information stealing capabilities and sends the stolen information to another URL via port 443. It takes screenshots of the infected system and sends these screenshots to a remote location. It also creates a hidden Internet Explorer window which connects to a website to listen for commands.
Countermeasures:
- Apply appropriate patches as mentioned in Microsoft Security Bulletin MS09-002
- Do not open or save Microsoft Office files that are received from untrusted sources or that are received unexpectedly from trusted sources.
- Install and maintain updated anti-virus software at gateway and desktop level.
- Install and maintain Firewall at Desktop level.
- Do not follow unsolicited links to URLs.
- Set Internet Explorer security setting to “High” to prompt before running ActiveX controls and Active scripting.
References
http://www.microsoft.com/technet/security/bulletin/MS09-002.mspx
http://isc.sans.org/diary.html?storyid=5884
http://blog.trendmicro.com/another-exploit-targets-ie7-bug/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_AGENT.XZMS&VSect=T
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=HTML_DLOADER.AS
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=XML_DLOADER.A
http://www.f-secure.com/weblog/
http://vil.nai.com/vil/content/v_154088.htm
http://www.avertlabs.com/research/blog/index.php/2009/02/17/ms09-002-exploit-in-the-wild-uses-msword-lure/

Waledac worm variants Propagating
Date : February 10, 2009; March 17, 2009
Updated : April 17, 2009; July 06, 2009;
It has been observed that the ‘Win32/Waledac Worm’ is circulating via spam e-mails pretending to be Valentine’s Day greetings, to deceive users into downloading the greeting card or the attached file.
These spam e-mails come with subject lines such as “short and sweet”, “Me and You”, “In Your Arms”, “With all my love” and other Valentine’s Day related phrases. The e-mail contains a URL which takes the user to malicious fast flux websites hosting malware such as "youandme.exe", "onlyyou.exe", "you.exe", "meandyou.exe", "start.exe" and so on.
The spam mail looks like (Source: McAfee)

Upon clicking the link, users are led to web pages as depicted below (Source: McAfee)


When the page is clicked, the user is prompted to download a file detected as WORM_WALEDAC.AR (Trend Micro).
It is also observed that spam mails related to a terror attack, with subject lines “Why did they explode bomb there?” or “Why did it happen in your city?”, are circulating.
A spam mail is given below:
Upon clicking the link, users are directed to a fake website, depicted below, which presents a video from Reuters and prompts users to download a flash player to view the video; the download is a Waledac variant.

It has recently been observed that spam mails are enticing users to download an application that will permit them to view other people's SMS messages online. The download file uses alternating filenames: sms.exe, trial.exe, smstrap.exe, freetrial.exe and smsreader.exe.
Screenshot of an example spammed email:

Screenshot of the malicious SMS Spy theme Web site template:

Updated: July 06, 2009:
A new Waledac spam campaign with the July 4th theme is in the wild. The malicious emails that are sent use subjects and content related to Independence Day of USA, Fourth of July and fireworks shows.
Some of the subject lines of this spam are:
- Happy Independence Day
- Proud to be an American
- Fabulous Independence Day firework
- Bright and joyful Fourth of July
- The best of 4th of July Salute
- Amazing Independence Day salute
- America for You and Me
- Celebrate Independence
- Well done 4th!
- Super 4th!
- American Independence Day
- Celebrating Fourth of July
- Celebrate the spirit of America
- Celebrate with Pride
- Celebrating the spirit of our Country
- Happy Birthday, America!
- Independence Day firework broke all records
- Amazing firework 2009
A sample email is shown in the following screenshot: (Source Symantec).

Clicking on the URL will open a Youtube cloned page with what looks to be an embedded video of a fireworks show for this year’s 4th of July celebration.
Screenshot of the malicious website:
Attempting to view the video will prompt the download of an executable file, which is actually the Waledac worm installer.
Users are advised to implement following countermeasures:
- Block the emails with above mentioned subject lines
- Block access to the domains listed in Shadow Server at the perimeter
- Exercise caution while clicking on any link embedded inside the e-mail message/Instant messages or web pages
- Filter e-mails with abovementioned subject lines and body
- Install and maintain updated anti-virus software at gateway and desktop level
- Install and maintain updated anti-spyware software at desktop level
- Keep up-to-date on patches and fixes on the OS and application software
References
http://www.avertlabs.com/research/blog/index.php/2009/02/09/new-valentine-scam-on-the-loose
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/239
http://www.searchsecurityasia.com/content/beware-valentine%E2%80%99s-day-e-card-keeps-giving
http://www.cert-in.org.in/currentacts/currentact.htm#WCDK
http://www.cert-in.org.in/virus/win32_waledac.htm
http://www.shadowserver.org/wiki/uploads/Calendar/waledac_domains.txt
http://www.avertlabs.com/research/blog/index.php/2009/02/23/malware-riding-on-the-tides-of-the-economic-crisis/
http://www.avertlabs.com/research/blog/index.php/2009/01/17/do-not-worry-obama-di-not-refuse-to-be-a-president/
http://www.avertlabs.com/research/blog/index.php/2009/03/16/breaking-news-waledac-terror-attack-in-a-city-near-you/
http://securitylabs.websense.com/content/Alerts/3343.aspx
http://www.f-secure.com/weblog/archives/00001658.html
http://www.symantec.com/connect/blogs/waledac-july-campaign
http://www.eset.com/threat-center/blog/?p=1244

Worm Conficker/Downadup/Kido widely propagating
Date : January 22, 2009
Updated : February 09, 2009; February 18, 2009; February 23, 2009;
March 19, 2009; March 31, 2009; April 15, 2009; May 13, 2009
It has been observed that the worm Win32/Conficker/Downadup/Kido is spreading widely by exploiting a previously reported Server Service vulnerability described in CERT-In vulnerability note CIVN-2008-170 and Microsoft Security Bulletin MS08-067.
Apart from exploiting the said vulnerability, the attack vectors include network shares (ADMIN$ shares with a long list of hard-coded passwords), removable drives (drops a hidden autorun.inf file), scareware (fake security alerts to frighten consumers into purchasing bogus computer security software) and most recently a Metasploit payload (an exploitation method derived from the Metasploit ms08_067_netapi module to spread itself).
It is reported that this worm is actively infecting Windows systems with specific language operating systems such as English, Chinese, Arabic and Portuguese.
It has also been reported that a list of malicious domains (randomly generated by the worm) host copies of the worm and are contacted by the infected machine for further downloads.
The worm can act as an HTTP server listening on a random port between 1024 and 10000; if the remote machine is exploited successfully, the victim connects back to the HTTP server and downloads a variant of the worm.
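The connect-back behaviour described above leaves a recognisable pair of connections in internal flow logs: host A opens TCP 445 to host B, and shortly afterwards B opens a connection to A on a port between 1024 and 10000. The following added example (not CERT-In code) correlates the two; the flow record format, the 120-second window and the sample addresses are assumptions, and since flow records carry ports rather than protocols, the second connection is matched on port range only.

```python
from collections import defaultdict, namedtuple

# One record per TCP connection; src is the side that opened it (assumed format).
Flow = namedtuple("Flow", "ts src dst dport")

SMB_PORT = 445
BACKCONNECT_PORTS = range(1024, 10001)  # "between 1024 and 10000" in the advisory
WINDOW_SECONDS = 120                    # assumed correlation window


def find_backconnects(flows, window=WINDOW_SECONDS):
    """Return (infector, victim, port, delay) for each SMB then connect-back pair."""
    last_smb = {}                       # (src, dst) -> time of latest 445 connection
    hits = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport == SMB_PORT:
            last_smb[(f.src, f.dst)] = f.ts
        elif f.dport in BACKCONNECT_PORTS:
            # Look for an earlier 445 connection in the opposite direction.
            seen = last_smb.get((f.dst, f.src))
            if seen is not None and f.ts - seen <= window:
                hits.append((f.dst, f.src, f.dport, f.ts - seen))
    return hits


def suspected_sources(hits):
    """Group hits by the host that initiated the SMB connections."""
    by_source = defaultdict(set)
    for infector, victim, _port, _delay in hits:
        by_source[infector].add(victim)
    return {src: sorted(victims) for src, victims in by_source.items()}


# Constructed flow records (timestamps in seconds, RFC 1918 addresses).
SAMPLE_FLOWS = [
    Flow(100, "10.0.0.5", "10.0.0.21", 445),
    Flow(103, "10.0.0.21", "10.0.0.5", 4712),   # connect-back 3 s later
    Flow(110, "10.0.0.5", "10.0.0.22", 445),
    Flow(400, "10.0.0.22", "10.0.0.5", 8080),   # 290 s later: outside the window
    Flow(120, "10.0.0.30", "10.0.0.9", 445),    # client to file server
    Flow(125, "10.0.0.30", "10.0.0.9", 3389),   # same direction: not a connect-back
    Flow(130, "10.0.0.5", "10.0.0.23", 445),
    Flow(131, "10.0.0.23", "10.0.0.5", 4712),   # connect-back 1 s later
    Flow(140, "10.0.0.23", "10.0.0.5", 80),     # port outside the advisory's range
]

if __name__ == "__main__":
    hits = find_backconnects(SAMPLE_FLOWS)
    for hit in hits:
        print(hit)
    print(suspected_sources(hits))
```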
A new variant, Conficker B++ or C, implements a new backdoor with "auto-update" functionality, allowing machines compromised by the new variant to have additional malicious code installed on them.
Conficker.C uses robust P2P to distribute cryptographically signed updates to other computers infected with Conficker. This P2P functionality contains a UDP P2P discovery routine that sends UDP traffic to lists of generated IPs and ports.
A new polymorphic variant, Conficker.D, infects the local computer, terminates services and blocks access to numerous Web sites. This variant does not spread to removable drives or shared folders across a network. Win32/Conficker.D may build 50,000 URLs per day to download files and only visits 500 of the generated URLs within a 24-hour period. After a successful download/execution from a generated URL, Win32/Conficker.D lies dormant for four days before resuming URL monitoring again.
Conficker-E is the latest version of the Conficker worm, which ultimately drops Conficker.C on the victim system. It downloads the W32.Waledac trojan and may also download the rogue security tool Spyware Protect 2009. It opens port 5114 and serves as an HTTP server, broadcasting via SSDP request. Conficker-E is set to delete itself on May 3, 2009.
When infected the following symptoms can be observed in the affected machine:
- Blocked access to antivirus-related sites.
- Disabled services such as Windows Automatic Update Service, Windows Security Center, Windows Defender and Windows Error Reporting and Internet connection sharing service.
- Resets System Restore Point.
- High traffic on port 445 in the affected network.
- Hidden files even after changing the ‘Folder Options’.
- Inability to log in using Windows credentials because they are locked out.
Note: Users are advised to download Conficker Removal Tools only from genuine Antivirus websites. This is because many websites having names related to "Conficker" are being used to serve the Conficker Worm in place of genuine Conficker Removal Tools.
A list of possible malicious domains is given here
Countermeasures:
Free Removal Tools:
http://support.microsoft.com/kb/962007
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
http://vil.nai.com/vil/stinger/default.aspx
data2.kaspersky-labs.com:8080/special/KidoKiller_v3.1.zip
www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip
References
http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.cert-in.org.in/virus/win32_conficker.htm
http://www.avertlabs.com/research/blog/index.php/2009/01/15/conficker-worm-using-metasploit-payload-to-spread/
http://blog.trendmicro.com/the-mess-that-is-worm_downad/
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32%2fConficker
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.gen!A
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
http://www.securityfocus.com/brief/887
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B
http://news.bbc.co.uk/1/hi/technology/7832652.stm
http://voices.washingtonpost.com/securityfix/2009/01/tricky_windows_worm_wallops_mi.html?wprss=securityfix
http://support.microsoft.com/kb/962007
http://mtc.sri.com/Conficker
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.C
http://www.us-cert.gov/current/index.html#new_variant_of_conficker_downadup
http://blogs.technet.com/mmpc/archive/2009/02/20/updated-conficker-functionality.aspx
http://www.doxpara.com/?p=1285
http://www.skullsecurity.org/blog/?p=209
http://seclists.org/nmap-dev/2009/q1/0869.html
http://honeynet.org/node/388
http://www.mcafee.com/us/threat_center/conficker.html
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.E
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/262
http://blogs.technet.com/msrc/archive/2009/04/09/conficker-e.aspx