Conficker Worm Could Create World's Biggest Botnet
nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Cornficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"
The worm initially spread to systems unpatched against MS08-067, but has since 'evolved
It hasn't evolved. This is clearly Intelligent Design and anyone denying this is a godless heathen!
It should not be that hard to follow the money generated by this malware. Infecting 8 million PCs should be a crime.
From the write-up, it downloads data from
" hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe"
Follow that money and the bad guys will be found quickly.
One thing about botnets... I don't really understand why there couldn't be a blacklist of known botnet controllers maintained by a trusted authority (SANS, or perhaps a collaboration of the leading AV vendors, for example) that ISPs could use to block their customers from connecting to. Or, they could even go one step further and shut off the customers connecting to botnets until they're sure the customers have cleaned their computers.
I don't use Windows much, but I assumed MS had disabled, or at least set the default to off for, the autoexec.bat feature, so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs?
Do I just have a dirty mind, or did others upon first glance read this as the "Cornfucker" worm?
Why is it able to register domains automatically? This is where we should be working to block the verdammt thing... stopping the automatic registration of domains... make it take time and require money to actually create the domain...
the size of Pluto maybe.
The guys at Winh4x have generated a script that detects servers missing the MS08-067 update.
... welcome our new beowulf clusters overlord.
From this day on, I shall say, imagine a cornfucker-net of
I would have to agree. I fought, what I think is this worm, at work for a week or so. If not, here is what I fought.
*Would disable Recovery console so you couldn't go back to an early date.
*Spread by USB thumb drive.
*Stick in a thumb drive, if the computer had AVG, it would detect it, but not be able to "heal" everything...but by this time it was too late.
One variant of it put in a rootkit and blocked all access to antivirus sites. You could go anywhere on the Internet unless it happened to be an antivirus site.
This same one also blocked exe files if they happened to be something like Spybot search and destroy. It just wouldn't run anymore.
Also, it turns off the ability to change settings to view hidden files and folders, so you can't see the folders it adds.
My guess is, it is pretty freaking trivial for these people to do whatever they freaking want in Windows (except for probably disabling DRM!).
Transporter_ii
As it's Windows anyway, can't MS issue a patch that asks a user for confirmation every time an outgoing request gets made? Or at least keep logs that it can monitor for bot-like activity. If you are getting more than a certain number of outgoing connections without any other user input, then it should flag it to the user as suspicious, via a report that appears on boot, and need confirmation before anything else can be executed.
You could still have trusted services, time.windows.com etc., but multiple requests when the browser hasn't registered a click for an hour should be regarded as suspicious. I realise this is the "wrong end of the stick", but we have to deal with things the way they are, not how we'd like them to be. At least being nagged will bring the public's awareness to the problem existing on their machines.
Another idea - use the mouse, so that if it's left unmoved for more than x amount of time the "watchdog" would lock the net down. If you need to leave something running like bittorrent, you can specifically add it as a trusted service, but never permanently. Anything other than BT accessing the net during that time period (or until you move the mouse again) will automatically be denied.
It seems to me that the wider community is having to carry the can for the sorry state of windows security, so making life inconvenient for those who leave their machines unpatched should be fair game.
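The idle-host watchdog sketched in the comment above, written out as an added example (not code from the page or from any product): untrusted outbound connections made after the user has been idle for an hour are counted, and the batch is flagged once it exceeds a limit. The connection log, the last-input timestamp, the trusted-host set and the threshold values are all constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data (hypothetical, not from the page): a host's outbound
# connection log and the timestamp of the last keyboard/mouse input it saw.
CONNECTIONS = [
    ("2009-01-20 02:10:00", "www.example.com", 80),   # user still active
    ("2009-01-20 03:00:05", "time.windows.com", 123), # trusted service
    ("2009-01-20 03:01:10", "198.51.100.7", 80),
    ("2009-01-20 03:01:12", "198.51.100.8", 80),
    ("2009-01-20 03:01:15", "203.0.113.21", 443),
    ("2009-01-20 03:01:17", "203.0.113.22", 443),
    ("2009-01-20 03:01:20", "198.51.100.9", 8080),
    ("2009-01-20 03:01:23", "203.0.113.23", 80),
]
LAST_USER_INPUT = "2009-01-20 01:30:00"

# Services the user has explicitly marked as trusted (assumed list).
TRUSTED_HOSTS = {"time.windows.com"}
IDLE_PERIOD = timedelta(hours=1)   # no clicks for an hour means "idle"
MAX_IDLE_CONNECTIONS = 5           # more than this while idle is suspicious


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")


def idle_connections(connections, last_input, trusted=TRUSTED_HOSTS,
                     idle=IDLE_PERIOD):
    """Untrusted outbound connections made after the host went idle."""
    idle_since = _ts(last_input) + idle
    return [(ts, host, port) for ts, host, port in connections
            if _ts(ts) >= idle_since and host not in trusted]


def watchdog_report(connections, last_input, limit=MAX_IDLE_CONNECTIONS):
    """Return the flagged connections if they exceed the limit, else []."""
    flagged = idle_connections(connections, last_input)
    return flagged if len(flagged) > limit else []


if __name__ == "__main__":
    for ts, host, port in watchdog_report(CONNECTIONS, LAST_USER_INPUT):
        print(f"suspicious: {ts} -> {host}:{port}")
```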
It wasn't that long ago that someone declared the storm botnet had been cracked wide open, from which some people made the extremely erroneous extrapolation that botnets would become a thing of the past.
Well, I guess that almost held for two weeks. Maybe someday people will consider addressing the underlying cause of these problems instead of the symptoms.
I hope so. I've been trying for days to get it to work in Ubuntu. I tried sudo apt-get cornficker and that didn't work. I didn't see it in the repositories. Anyone know of a good way to install it?
The only reason why there hasn't been a class action lawsuit against Microsoft for their incompetence is that many misguided people STILL think that every 20 minutes of MS Word is worth 1 week of their time spent Patching and Praying and trying to recover data.
The argument that the vast Windows Ecosystem (700 m computers) is itself an argument for using Windows has been disproven by the Internet. If you have a network or connect to the Internet, Windows is a significant risk. And don't blame the users. That's as arrogant as the US makers of the cars that Nader condemned in 1965. Windows is "Unsafe At Internet Speed".
The Windows operating system, which is a liability on any network, must be constantly patched to protect against the "latest" threats. Microsoft's only constructive answers to these exploits are "patch and pray" and also to cripple connectivity (Windows XP SP2).
There will always be smart Bad Guys. The Bad Guys who excel at being bad are MUCH more creative than Microsoft and they have clearly put Generalissimo Ballmero and his regiments to flight. If you have the worst possible defences, you can't expect to be left in peace. Using Windows today is like sending your cavalry to engage hostile tanks. You *will* get slaughtered at some point and if it doesn't happen immediately, it's because the tank crews took pity.
Well, that may be because you misspelled the name of the package. apt-get conficker is what you're looking for. HTH!
From what I have been reading, this only affects Windows PCs.
Or is it because it doesn't affect Linux and people should switch to avoid this kind of thing?
This AC is confused.
The problem is that most people tolerate a certain amount of crap in their life. They don't clean the windshield for a single bug-strike, they don't pump up a tire that is a little low, and they don't care about computer virus problems if they haven't been hurt by them lately.
In simple economic terms, it currently costs the average computer user more time and effort to protect against virus problems than they (personally) perceive themselves to suffer from them. They'd rather throw $60 at the problem and install an "anti-virus solution" than expend any time and effort to learn how to protect themselves. If you consider how long it would take the average computer user to come up to speed on protecting themselves, $60 is quite a bargain.
Should OS vendors be better about protecting against malware by design? Absolutely. The current auto-patching system seems like trying to keep a fleet of ships afloat by patching paper thin hulls at sea, why not fit them with thicker hulls before leaving port? Oh, yeah, because that Aero interface (paint) is more important to sales than any invisible security (thick hull) that actually costs much more to build - and 80% of the market doesn't really have a choice in vendor selection anyway, and of the 20% who do, 19.9% of them are clueless about inherent security.
Sorry but this should be tagged 'haha'.
One could argue that humans are Evolution's way to create code.
I've been using the BotScout.com lookup service to stop comment spammers and bots from registering on my forums and it's working like a charm. Well worth a look.
A tiny bit of code added to the registration page and the bots and comment spammers are dumped straight to limbo land.
Very nice, very nice indeed
I was scanning the Tech Herald article which quotes FSecure. They start talking about an incremented string being the unique identifier for each newly infected system. If I understood what they're saying, I don't think that would work. The bot would fall prey to the same problems you have when doing any type of unique id on a distributed system. That is to say incrementing a value is not a guaranteed way of obtaining a unique ID because the value you are incrementing is most likely not the highest value. I think you'd have to use something like a UUID to guarantee uniqueness. Maybe I'm misunderstanding what they're saying.
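An added illustration of the point made in the comment above (not code from the page or from any analysis of the worm): when each newly infected host only ever sees its infector's counter and adds one to it, siblings in the infection tree receive the same identifier, whereas independently drawn UUIDs do not. The infection tree is constructed for the example.

```python
import uuid
from collections import Counter

# Constructed infection tree (hypothetical): (host, host that infected it).
# A bot only sees the counter of the host that infected it, so the value it
# increments is usually not the highest value in use across the botnet.
INFECTIONS = [("A", None), ("B", "A"), ("C", "A"),
              ("D", "B"), ("E", "C"), ("F", "C")]


def increment_ids(infections):
    """Each host takes its infector's counter and adds one (root starts at 1)."""
    ids = {}
    for host, parent in infections:
        ids[host] = 1 if parent is None else ids[parent] + 1
    return ids


def uuid_ids(infections):
    """Each host draws a random 128-bit UUID independently of every other host."""
    return {host: str(uuid.uuid4()) for host, _ in infections}


def duplicates(ids):
    """Identifier values that were handed to more than one host, sorted."""
    return sorted(v for v, n in Counter(ids.values()).items() if n > 1)


if __name__ == "__main__":
    print("increment collisions:", duplicates(increment_ids(INFECTIONS)))
    print("uuid collisions:     ", duplicates(uuid_ids(INFECTIONS)))
```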
Back when the big worm floating around was "Code Red" exploiting IIS, it occurred to me that those of us trying to combat this problem are too nice.
A suggested solution: The Counter-Worm. Devise a piece of software that is capable of exploiting an infected system, possibly through the same vulnerability that the worm uses (whichever worm is at large, presently). Run that software on an internet-facing host. If that host is attacked by an infected system, the Counter-Worm should:
1. Compromise the worm-infected system, destroying the worm, and
2. Install a variant of itself, which will propagate to other hosts which attack it (potentially following the original worm back to the source).
3. Put a great big footprint on the compromised system that says "Your system was compromised. Please seek professional services to rebuild and secure your computer against use by malicious individuals."
4(a). After a predetermined amount of time (24-48 hours) self destruct, destroying the host OS but leaving any data intact on the hard drives, but leaving the footprint message for anyone who connects the hard disks for data recovery.
Is this vigilantism? Probably. But if most of the source systems are, in fact, in countries with questionable legal infrastructures, there wouldn't be any real repercussions. Given how effective law enforcement has been against worm-creators, I doubt that Counter-Worm creators would suffer much in the way of penalties.
Isn't this mean to the victims of the worm? I suppose it is. However, it would by definition have no effect on responsible people whose systems were not infected, and it would create an incentive for a) people who own computers to start keeping themselves protected and b) companies who write computer software to start creating countermeasures that actually work. If this really bothers you, leave out step 4.
Would this work? I don't know. But it would almost certainly be more effective than the current methods. The real question is whether this would stop the original perpetrators, or just create a new arms race; regrettably, it would probably cause the latter. Perhaps a better step 4 would be to have the system create a new botnet that traces the original worm back to its source, so that a team of thugs can find the perps and crush their knuckles into a fine powder, never to type or click again.
Am I bitter? Not really, just tired and frustrated.
like turtles?
Probably the reason they didn't was that certain devices had to get drivers loaded or they would not work at all, like a stick that needs a codec installed to access its encrypted content, to boot.
The US government had so much trouble with USB sticks that they made a policy that government employees were not allowed to insert them. If the US govt had half a clue, they would have made Microsoft change the defaults to save their own butts. I just cannot understand this. ;-(
Trouble is that the police are not going to do international police work for one PC. Solving 8 million crimes, however, should be good for their statistics...