Slashdot Mirror


Conficker Worm Could Create World's Biggest Botnet

nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"

14 of 220 comments

  1. Re:Evolution by gravos · · Score: 3, Informative

    Downadup and other such similar worms exploit a vulnerability in the Windows Server service: Server Service Vulnerability -- CVE-2008-4250

    The vulnerability is detailed by October 23rd's Microsoft Security Bulletin MS08-067.

  2. Re:How can it spread through USB sticks? by k.a.f. · · Score: 5, Informative

    I don't use Windows much, but I assumed MS had disabled or at least set the default to off for the autoexec.bat feature, so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??

    It posts an "execute" option in the autoplay dialog that looks almost exactly like the harmless "browse folder" option, complete with misleading folder icon. It's moderately clever, but of course still requires autoplay to be enabled.

  3. Re:How can it spread through USB sticks? by Urd.Yggdrasil · · Score: 2, Informative

    It's autorun.inf, not autoexec.bat, and it does require a bit of user interaction. Double-clicking on it in Explorer in XP will execute it, but on systems running Vista/7 it must rely on social engineering.

  4. Re:How can it spread through USB sticks? by Zocalo · · Score: 5, Informative

    Conficker basically does some social engineering. Unless Autorun is disabled (it still isn't by default), when you insert a USB stick on a Windows box you get a dialog box asking what you want to do. One of the options on the box appears as "Open folder to view files", which might sound innocuous, but is actually an "autorun.inf" option created by Conficker that in reality runs the virus. The only real clue you have that something is amiss is that the real "Open folder" option is visible below the Conficker-generated fake.

    --
    UNIX? They're not even circumcised! Savages!
  5. Re:How can it spread through USB sticks? by h3rmanni · · Score: 5, Informative

    http://www.f-secure.com/weblog/ has screenshots showing how exactly it executes from USB sticks under Vista and Windows 7 beta.

  6. Re:Evolution by Ed+Avis · · Score: 2, Informative

    It has evolved - but not by natural selection. Some amount of evolution is accepted as a fact by everyone except young-earth creationists (those who believe the world is about 6000 years old). For example, we know that horses used to have toes and now they have hooves. But some believe this evolution is caused by natural selection and genetic variation, while others believe it was the act of a creator or designer. The evolution of wolves into domestic dogs is an example of evolution caused by man (you could call it artificial selection).

    --
    -- Ed Avis ed@membled.com
  7. Re:follow the money. by Urd.Yggdrasil · · Score: 2, Informative

    It is common practice for domains to be registered using stolen credit card numbers and phony registration information, as well as using bots within the net to act as proxies between you and the actual server, such as with fast flux. That, combined with the fact that the servers are generally hosted in countries that don't have a lot of money, manpower, or motivation to track these types of operations down, makes stopping them a very difficult process.

  8. Re:This is what baffles me... by chalkyj · · Score: 5, Informative

    It's poorly phrased. It doesn't create 250 domains per day, it CHECKS 250 domains per day. The botnet controller only needs to create one of those domains to upload new instructions.

  9. Re:How can it spread through USB sticks? by Aladrin · · Score: 2, Informative

    Infect other computers. That's the whole point of putting itself on the USB stick in the first place.

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  10. Re:How can it spread through USB sticks? by Anonymous Coward · · Score: 4, Informative

    See http://isc.sans.org/diary.html?storyid=5695

    The option appears as :

    Install or run program: Open folder to view files (Publisher not specified)

    So people falling for it would have clicked even on "Install virus and destroy your life? YES/NO".
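Comments 4 and 10 above describe the trick: an autorun.inf whose `action` text repeats Windows' own "Open folder to view files" wording, borrows a folder icon, and quietly launches the payload. The following added example (written for this page, not code from the thread or from any Conficker analysis) turns those three tells into a small scanner for autorun.inf files. The two samples are constructed for the example; the launcher list, the set of imitated AutoPlay strings and the assumption that Windows skips unparseable lines (so padding junk between keys must be tolerated) are the editor's, not facts from the page.

```python
"""Flag autorun.inf files that imitate the AutoPlay 'Open folder to view files' entry.

Heuristics only: the three tells below are the ones visible in the thread
(imitated action text, borrowed folder icon, payload launched via a helper).
The samples are constructed for this example and are not real Conficker files.
"""
import re
from typing import Dict, List

# Text Windows itself shows for its own AutoPlay choices; an autorun.inf whose
# 'action' string repeats one is trying to blend in (assumption: illustrative
# list, not exhaustive).
WINDOWS_AUTOPLAY_TEXTS = {"open folder to view files", "take no action"}

# Helpers commonly used to launch a DLL or script payload instead of an
# ordinary installer (illustrative, not the worm's exact command line).
SUSPICIOUS_LAUNCHERS = ("rundll32", "regsvr32", "wscript", "cscript", "mshta", "cmd.exe")

# Keys that actually start something when the entry is chosen.
LAUNCH_KEYS = ("open", "shellexecute", r"shell\open\command")

KEY_RE = re.compile(r"[a-z0-9_\\]+")


def parse_autorun(text: str) -> Dict[str, str]:
    """Minimal parse of the [autorun] section into lower-cased key -> value.

    Windows' profile-string parser ignores lines it cannot read, so garbage
    lines padded between real keys (assumption about parser behaviour) are
    skipped rather than treated as an error.
    """
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if KEY_RE.fullmatch(key):          # drop junk such as 'x$$y=zz'
            keys[key] = value.strip()
    return keys


def analyse_autorun(text: str) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    keys = parse_autorun(text)
    findings: List[str] = []
    action = keys.get("action", "")
    if action.lower() in WINDOWS_AUTOPLAY_TEXTS:
        findings.append(f"'action' imitates a built-in AutoPlay choice: {action!r}")
    icon = keys.get("icon", "")
    if "shell32.dll" in icon.lower():
        findings.append(f"'icon' borrows a stock system icon: {icon!r}")
    for launch_key in LAUNCH_KEYS:
        cmd = keys.get(launch_key, "")
        if any(h in cmd.lower() for h in SUSPICIOUS_LAUNCHERS):
            findings.append(f"{launch_key!r} starts a helper rather than an installer: {cmd!r}")
    return findings


# Constructed samples (not taken from the thread or from a real device).
BENIGN_SAMPLE = """[autorun]
open=setup.exe
icon=setup.exe,0
label=Vendor Driver Disc
"""

MALICIOUS_SAMPLE = r"""[autorun]
action=Open folder to view files
a7%$@!xxQ
icon=%systemroot%\system32\shell32.dll,4
x$$y=zz
shellexecute=rundll32.exe .\RECYCLER\payload.dll,Start
"""

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SAMPLE), ("malicious", MALICIOUS_SAMPLE)):
        print(name, analyse_autorun(sample) or ["no findings"])
```

Run it over the autorun.inf at the root of a mounted stick before trusting any AutoPlay entry; a vendor disc that simply runs its own setup.exe produces no findings, while the constructed lookalike trips all three checks.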

  11. Finding unpatched servers by Anonymous Coward · · Score: 2, Informative

    The guys at Winh4x have generated a script that detects servers missing the MS08-067 update.

  12. Trivial for a worm to change the flag? by transporter_ii · · Score: 4, Informative

    I would have to agree. I fought what I think is this worm at work for a week or so. If not, here is what I fought.

    * Would disable the Recovery Console so you couldn't go back to an earlier date.
    * Spread by USB thumb drive.
    * Stick in a thumb drive; if the computer had AVG, it would detect it, but not be able to "heal" everything... but by this time it was too late.

    One variant of it put in a rootkit and blocked all access to antivirus sites. You could go anywhere on the Internet unless it happened to be an antivirus site.

    This same one also blocked .exe files if they happened to be something like Spybot Search & Destroy. It just wouldn't run anymore.

    Also, it turns off the ability to change settings to view hidden files and folders, so you can't see the folders it adds.

    My guess is, it is pretty freaking trivial for these people to do whatever they freaking want in Windows (except for probably disabling DRM!).

    Transporter_ii

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  13. Re:How can it spread through USB sticks? by Gorgonzolanoid · · Score: 2, Informative

    How does one disable autoplay in XP, without making a half dozen manual registry changes?

    Through a policy (gpedit.msc).

    http://support.microsoft.com/kb/953252

    The article is about 10 times as long as it needs to be, look for the subtitle "How to use Group Policy settings to disable all Autorun features".
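The KB article referenced above disables Autorun through the `NoDriveTypeAutoRun` policy value (0xFF covers every drive type), and Microsoft's later Autorun update marks the corrected behaviour with `HonorAutorunSetting`. The following added example (the editor's, not code from the thread or from Microsoft) decodes that bitmask so you can see which drive classes a partial setting still leaves open, and reads the live HKLM values when run on Windows. Registry path, value names and per-bit meanings are quoted from memory of the Microsoft Autorun articles and should be checked against KB953252 before relying on them.

```python
"""Audit the registry values behind the 'disable all Autorun' advice in KB953252.

Pure decoding logic first (runs anywhere), then a thin reader that pulls the
live values on Windows. Registry paths and value names are those the Microsoft
Autorun articles use (assumption: quoted from memory, verify against the KB).
"""
import sys
from typing import Dict, List, Optional

# Bits of the NoDriveTypeAutoRun DWORD, one per GetDriveType() class.
# A set bit DISABLES Autorun for that class; 0xFF disables it for all.
DRIVE_TYPE_BITS = {
    0x01: "unknown type",
    0x02: "no root directory",
    0x04: "removable (USB stick, floppy)",
    0x08: "fixed disk",
    0x10: "network share",
    0x20: "CD/DVD",
    0x40: "RAM disk",
    0x80: "reserved/unrecognised",
}
ALL_DRIVES = 0xFF

POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
VALUE_NAMES = ("NoDriveTypeAutoRun", "HonorAutorunSetting")


def autorun_enabled_for(mask: Optional[int]) -> List[str]:
    """Drive classes on which Autorun is still permitted under this mask."""
    mask = mask or 0
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def assess(values: Dict[str, Optional[int]]) -> Dict[str, object]:
    """Decide whether the machine matches the KB953252 'disable everything' state."""
    problems: List[str] = []
    mask = values.get("NoDriveTypeAutoRun")
    if mask is None:
        problems.append("NoDriveTypeAutoRun is not set under Policies\\Explorer")
    else:
        still_on = autorun_enabled_for(mask)
        if still_on:
            problems.append(f"NoDriveTypeAutoRun=0x{mask:02X} still allows Autorun on: "
                            + ", ".join(still_on))
    # Older Windows did not reliably honour NoDriveTypeAutoRun until Microsoft's
    # Autorun update, which marks the corrected behaviour with this value
    # (assumption: value name as given in the Microsoft Autorun articles).
    if values.get("HonorAutorunSetting") != 1:
        problems.append("HonorAutorunSetting is not 1: the Autorun update that makes "
                        "NoDriveTypeAutoRun reliable appears to be missing")
    return {"hardened": not problems, "problems": problems}


def read_policy_values() -> Dict[str, Optional[int]]:
    """Read the live HKLM values on Windows; returns None for each elsewhere.

    Only the machine-wide policy key is checked; a per-user override under
    HKCU with the same path would need the same treatment.
    """
    result: Dict[str, Optional[int]] = {name: None for name in VALUE_NAMES}
    if sys.platform != "win32":
        return result
    import winreg  # Windows-only module, imported lazily
    for name in VALUE_NAMES:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
                value, _ = winreg.QueryValueEx(key, name)
            result[name] = int(value)
        except OSError:     # key or value absent
            result[name] = None
    return result


if __name__ == "__main__":
    verdict = assess(read_policy_values())
    print("hardened" if verdict["hardened"] else "NOT hardened")
    for problem in verdict["problems"]:
        print(" -", problem)
```

A value such as 0x91 (a common pre-hardening setting) looks like it disables something, yet the decoder shows it still permits Autorun on removable, fixed and optical drives, which is exactly the USB-stick path the thread is about.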

  14. Re:follow the money. by Opportunist · · Score: 2, Informative

    A nice idea in theory. Since I'm in exactly this business, allow me to illustrate how this works (or rather, how it doesn't).

    You follow this trail to some registrar in, say, Uzbekistan. He will point you to Malaysia, where the server is located. So you phone your local Interpol office (let's assume you are on good terms with them and they actually listen when you call, as in my case. It helps when you point them to some bank scams first so they see you as someone who ain't just a waste of time). If they are inexperienced cops eager to make a bust, they will start writing letters towards Malaysia, asking for aid in their endeavour to shut that server down.

    If they are experienced cops, they'll tell you "meh" and shrug their shoulders, knowing it's fruitless, or if it finally comes to a positive end and the server gets closed, it already changed location at least twice, rendering your "victory" pointless.

    But let's find out who is behind it all. To save some space here, allow me to just point you to Wikipedia's article about the RBN. I'm not saying this is a deal of the RBN, but it might give you an idea why following the money trail to find out who is behind it is about as pointless. You might even find out who did it. Doesn't do jack, though, if he's sitting in a country that has other problems.

    The point is, countries usually don't care about it too much if their citizens break the law abroad, at least if they got enough problems with other crimes at home. And while I'm not really saying that it is so in this case, some countries could have a very keen interest in having someone around that has access to a worldwide network of botnet machines...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.