Slashdot Mirror
Conficker Worm Could Create World's Biggest Botnet
nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Cornficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"
Downadup and other such similar worms exploit a vulnerability in the Windows Server service: Server Service Vulnerability -- CVE-2008-4250
The vulnerability is detailed by October 23rd's Microsoft Security Bulletin MS08-067.
This game will waste your life. Don't clicky!
I dont use Windows much but I assumed MS had disabled or at least set the default to off of the autoexec.bat feature so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??
It posts an "execute" option in the autoplay dialog that looks almost exactly like the harmless "browse folder" option, complete with misleading folder icon. It's moderately clever, but of course still rquires autoplay to be enabled.
Conficker basically does some social engineering. Unless Autorun is disabled (it still isn't by default) when you insert a USB stick on a Windows box you get a dialog box asking what you want to do. One of the options on the box appears as "Open folder to view files" which might sound innocuous, but is actually an "autorun.inf" option created by Conficker that in reality runs the virus. The only real clue that you have that something is amiss is that the real "Open folder" option is visible as below the Conficker generated fake.
UNIX? They're not even circumcised! Savages!
http://www.f-secure.com/weblog/ has screenshots showing how exactly it executes from USB sticks under Vista and Windows 7 beta.
It's poorly phrased. It doesn't create 250 domains per day, it CHECKS 250 domains per day. The botnet controller only needs to create one of those domains to upload new instructions.
See http://isc.sans.org/diary.html?storyid=5695
The option appears as :
Install or run program: Open folder to view files (Publisher not specified)
So people falling for it, would have clicked even on "Install virus and destroy your life ? YES/NO".
I would have to agree. I fought, what I think is this worm, at work for a week or so. If not, here is what I fought.
*Would disable Recovery console so you couldn't go back to an early date.
*Spread by USB thumb drive.
*Stick in a thumb drive, if the computer had AVG, it would detect it, but not be able to "heal" everything...but by this time it was too late.
One variant of it put in a root kit and blocked all access to antivirus sites. You could go anywhere on the Internet unless it happened to be an antivirus site.
This same one also blocked exe files if they happened to be something like Spybot search and destroy. It just wouldn't run anymore.
Also, it turns off the ability to change settings to view hidden files and folders, so you can't see the folders it adds.
My guess is, it is pretty freaking trivial for these people to do whatever they freaking want in Windows (except for probably disabling DRM!).
Transporter_ii
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality