Slashdot Mirror


Conficker Worm Could Create World's Biggest Botnet

nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"

6 of 220 comments

  1. Re:How can it spread through USB sticks? by k.a.f. · · Score: 5, Informative

    I don't use Windows much but I assumed MS had disabled or at least set the default to off of the autoexec.bat feature so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??

    It posts an "execute" option in the autoplay dialog that looks almost exactly like the harmless "browse folder" option, complete with misleading folder icon. It's moderately clever, but of course still requires autoplay to be enabled.

  2. Re:How can it spread through USB sticks? by Zocalo · · Score: 5, Informative

    Conficker basically does some social engineering. Unless Autorun is disabled (it still isn't by default) when you insert a USB stick on a Windows box you get a dialog box asking what you want to do. One of the options on the box appears as "Open folder to view files" which might sound innocuous, but is actually an "autorun.inf" option created by Conficker that in reality runs the virus. The only real clue that you have that something is amiss is that the real "Open folder" option is visible below the Conficker-generated fake.

    --
    UNIX? They're not even circumcised! Savages!
  3. Re:How can it spread through USB sticks? by h3rmanni · · Score: 5, Informative

    http://www.f-secure.com/weblog/ has screenshots showing how exactly it executes from USB sticks under Vista and Windows 7 beta.

  4. Re:This is what baffles me... by chalkyj · · Score: 5, Informative

    It's poorly phrased. It doesn't create 250 domains per day, it CHECKS 250 domains per day. The botnet controller only needs to create one of those domains to upload new instructions.

  5. Re:How can it spread through USB sticks? by Anonymous Coward · · Score: 4, Informative

    See http://isc.sans.org/diary.html?storyid=5695

    The option appears as:

    Install or run program: Open folder to view files (Publisher not specified)

    So people falling for it would have clicked even on "Install virus and destroy your life? YES/NO".
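
A defensive check for the autorun.inf trick described in the comments above, added here as an example that is not part of the thread or of any poster's code: it parses a drive's autorun.inf and flags an entry whose action text imitates the shell's folder option while pointing at something executable. The sample bytes, the placeholder payload name and the lookalike and icon heuristics are constructed assumptions.

```python
import re

# Assumed list of labels that look like the shell's own harmless folder option.
SHELL_LOOKALIKES = ("open folder to view files", "open folder", "browse folder")
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(raw: bytes) -> dict:
    """Return lower-cased key -> value pairs from the [autorun] section.
    Non-text bytes and malformed lines around the real keys are skipped."""
    entries, in_section = {}, False
    for line in re.split(r"[\r\n]+", raw.decode("latin-1")):
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            key = key.strip().lower()
            if re.fullmatch(r"[a-z0-9\\ ]+", key):  # ignore junk that merely contains '='
                entries[key] = value.strip()
    return entries

def assess(raw: bytes) -> list:
    """Return human-readable findings for one autorun.inf; empty list if clean."""
    e = parse_autorun(raw)
    runs = [k for k in e if k in EXEC_KEYS or k.endswith("\\command")]
    if not runs:
        return []
    findings = []
    label = e.get("action", "").lower()
    if any(s in label for s in SHELL_LOOKALIKES):
        findings.append("action text imitates the folder option but runs: " + e[runs[0]])
    else:
        findings.append("executes on AutoPlay: " + e[runs[0]])
    if "shell32.dll" in e.get("icon", "").lower():  # heuristic: borrowed system icon
        findings.append("executable entry borrows a system icon")
    return findings

# Constructed sample: junk bytes, mixed case, a lookalike label, a placeholder payload.
SAMPLE = (b"\x8f\x02\xaaJUNK\r\n[AUTorun]\r\n\x11\x90=\x07\r\n"
          b"AcTion=Open folder to view files\r\n"
          b"icon=%systemroot%\\system32\\shell32.dll,4\r\n"
          b"shellexecute=PLACEHOLDER_PAYLOAD.exe\r\n")
BENIGN = b"[autorun]\r\nlabel=Backup Drive\r\nicon=drive.ico\r\n"

if __name__ == "__main__":
    for name, blob in (("sample", SAMPLE), ("benign", BENIGN)):
        print(name, assess(blob) or "no findings")
```

To scan a real drive, pass the bytes of its root autorun.inf to `assess()`; any finding on removable media is worth a look even when AutoPlay is disabled on the host.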

  6. Trivial for a worm to change the flag? by transporter_ii · · Score: 4, Informative

    I would have to agree. I fought what I think is this worm at work for a week or so. If not, here is what I fought.

    * Would disable Recovery console so you couldn't go back to an early date.
    * Spread by USB thumb drive.
    * Stick in a thumb drive, if the computer had AVG, it would detect it, but not be able to "heal" everything...but by this time it was too late.

    One variant of it put in a rootkit and blocked all access to antivirus sites. You could go anywhere on the Internet unless it happened to be an antivirus site.

    This same one also blocked exe files if they happened to be something like Spybot search and destroy. It just wouldn't run anymore.

    Also, it turns off the ability to change settings to view hidden files and folders, so you can't see the folders it adds.

    My guess is, it is pretty freaking trivial for these people to do whatever they freaking want in Windows (except for probably disabling DRM!).

    Transporter_ii

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality