Slashdot Mirror


Conficker Worm Could Create World's Biggest Botnet

nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"

18 of 220 comments

  1. Re:follow the money. by calmofthestorm · Score: 4, Insightful

    It should not be that hard to follow the money generated by this malware. Infecting 8 million PCs should be a crime.

    It's a crime if it's spammers. It's not a crime if it's government or content industry.

    Bitterness aside, the main problem is that usually the people doing it are in a country where it is, for a number of reasons, difficult to track them down. Still, I agree that, short of keeping your OS up to date (if you /must/ use Windows), following the money is the best approach.

    --
    93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
  2. Re:ISP Blacklists by Urd.Yggdrasil · Score: 3, Insightful

    This would only work for centralized command and control mechanisms. More sophisticated bots use decentralized p2p type communication, as was the case with the Storm worm last year. Conficker uses a built-in mechanism to generate new domains to contact each day, and while security firms are deploying blacklists based on the generator code, it could easily be changed in a new variant. This is of course not taking into account the difficulty one would have in getting ISPs to maintain a list of blacklisted domains that changes day to day.
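    As an added illustration of the blacklist approach this comment describes (not code from the thread, from Conficker, or from any security firm), the following Python uses a hypothetical date-seeded generator in place of the worm's real one, precomputes the day's blocklist from it, and matches constructed DNS query lines against that list. The `b"v2"` seed stands for a variant whose generator was changed, which is exactly the case the blacklist misses.

```python
import datetime
import hashlib

# Hypothetical date-seeded generator standing in for the worm's real one (the
# actual Conficker algorithm is not reproduced here). A firm holding the real
# generator code would precompute each day's domains the same way.
TLDS = ("biz", "info", "org")
EXAMPLE_DAY = datetime.date(2009, 1, 20)  # constructed example date

def generate_domains(day, variant_seed=b"v1", count=8):
    """Rendezvous domains one variant would try on a given day."""
    domains = []
    for i in range(count):
        h = hashlib.sha256(variant_seed + day.isoformat().encode() + bytes([i])).digest()
        length = 8 + h[0] % 4  # 8..11 letter label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains

def daily_blocklist(day, known_seeds=(b"v1",), count=8):
    """Union of the day's domains for every variant whose generator is known."""
    block = set()
    for seed in known_seeds:
        block.update(generate_domains(day, seed, count))
    return block

def match_dns_log(lines, blocklist):
    """(client_ip, qname) for each query that hits the blocklist.
    Constructed log format: "<timestamp> <client-ip> query <qname>."
    """
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in blocklist:
                hits.append((parts[1], qname))
    return hits

def demo(day=EXAMPLE_DAY):
    """Constructed traffic: one v1 query, one from a variant with a changed seed."""
    v1_domain = generate_domains(day, b"v1")[0]
    v2_domain = generate_domains(day, b"v2")[0]  # new variant, seed unknown to us
    log = [
        f"{day}T10:00:01 10.0.0.7 query {v1_domain}.",
        f"{day}T10:00:02 10.0.0.9 query {v2_domain}.",
        f"{day}T10:00:03 10.0.0.7 query windowsupdate.microsoft.com.",
    ]
    # Only the v1 query is caught; the changed variant walks past the list.
    return match_dns_log(log, daily_blocklist(day)), v1_domain, v2_domain
```

The list also has to be regenerated every day, which is the operational burden the comment raises for ISPs.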

  3. Re:follow the money. by jonwil · Score: 2, Insightful

    It's a good bet that the machine or machines responding to the trafficconverter.biz domain name are either hacked (e.g. zombies) or obtained using stolen or fake credit cards and other ID.

    The chances that the information listed for the account(s) owning trafficconverter.biz match the owners of this botnet are very slim.

  4. Re:How can it spread through USB sticks? by ChienAndalu · Score: 3, Insightful

    I really hate Microsoft for this kind of stupidity. They could have just made an option "autorun program from USB stick" with nothing customizable about it.

  5. Re:follow the money. by Richard W.M. Jones · Score: 5, Insightful

    It's not like the FBI and Interpol are going to look at the bogus whois information and throw their hands up and say "oh noes". They can go and raid the registrar's offices and find out what IPs registered the domain, what credit cards (stolen or not) were used, and if they were stolen, where from and when. Furthermore the worm has a whole list of websites, so every single one of those can be checked in the same way, and even if they are all hijacked, there will be hundreds of potential clues about the perpetrators.

    Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc., the list goes on. The police need to do something to help us.

    Rich.

  6. Re:How can it spread through USB sticks? by Whiney Mac Fanboy · Score: 2, Insightful

    I would guess it's trivial for this worm to change the flag to enable autorun, however.

    Only after it's executing... and if it's doing that, what's the point?

    --
    There are shills on slashdot. Apparently, I'm one of them.
  7. Re:follow the money. by timmarhy · Score: 4, Insightful

    Agreed 100%. Until some serious pound me in the ass prison time is handed out to more than a few of these guys, it won't stop. Better coordination with ISPs is also the answer here; once these virus/spam sites are identified, for fucks sake blacklist them. This simple act would stop 100,000s of infected PCs from giving up information, making the whole venture less profitable.

    --
    If you mod me down, I will become more powerful than you can imagine....
  8. Re:follow the money. by mlush · Score: 5, Insightful

    Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc., the list goes on. The police need to do something to help us.

    Rich.

    I think you should be careful what you wish for. The Police could do something, they could turn the Internet into a Police State.

  9. Say it ain't so by damn_registrars · Score: 2, Insightful

    It wasn't that long ago that someone declared the storm botnet had been cracked wide open, from which some people made the extremely erroneous extrapolation that botnets would become a thing of the past.

    Well, I guess that almost held for two weeks. Maybe someday people will consider addressing the underlying cause of these problems instead of the symptoms.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
  10. Re:follow the money. by ledow · Score: 2, Insightful

    My post did address your question, but maybe not as directly as necessary.

    Which police? Which law enforcement? Which banks? Which victims? The problem is that such questions are not only difficult to answer but are severely hindered by international boundaries. It's nothing to do with how easy it is to catch the kid down the road doing this to you, it's about how to elicit information from a foreign country which really has no interest in helping you (it's hurting them too, most probably, but that's no incentive). There may even be laws in that country that prevent dissipation of that information outside the country's own law enforcement (Data Protection Acts etc.). Look at the trouble the record industry is having eliciting information on who uses an IP when they KNOW the IP and are represented in the same country as the user and have probable cause to ask for more information. Now imagine that I'm Russian, and the Russian record industry doesn't care what I do... *you* try and extract, based in a foreign country like the USA, the name and address of the Russian user who owns a Russian IP that you think was involved. It's nigh-on impossible, even when you KNOW who it was, let alone if you are just tracing through logs of potential proxies with the intention to seize those proxies to trace back to the original source, etc.

    Basically, the law doesn't help you here at all because once you cross international boundaries, things get infinitely more complicated and it ends up costing too much money to even consider it. That's my point... sod the law (it may not even be illegal in the country of the author to do such things, so you can't rely on it) and use technical solutions to STOP THE CRIME BEING POSSIBLE in the first place. It's like whinging that kids keep stealing things out of your house because you have no garden walls, no locks on your doors, you leave the doors open all the time even if you are out and you put a large sign in the street saying "Please don't steal my things". OF COURSE it's against the law to take your things but you'll never get them all back because you'll never know who was walking past when you weren't there and taking a few simple technical measures makes the crime much, much, much more difficult.

  11. Re:follow the money. by Cowmonaut · Score: 2, Insightful

    The Windows Firewall is greatly improved in SP3, but even the default un-patched firewall in XP is more or less a joke if you plan on doing any network sharing. So either way you have to deal with it. Also, I think it's SP3 you mean about the tampering with IE. It'll install IE7 if you want it or not unless you already had it installed. The only way to uninstall it without going through a big hassle is to have IE7 installed prior to installing SP3 if I remember right.

    There are very few reasons to not install a service pack for Windows. I've not heard of any hardware compatibility issues, and for sure that is not a problem with new hardware. It may take forever, but from high end gaming systems to crappy E-Machines with at best 512MB of RAM, installing SP2 for XP is the only smart thing to do and doesn't slow the system down once it's installed.

    If anyone has some proof otherwise (as in links, not anecdotal) please correct me. But I've neither heard of nor seen an issue caused by SP2 that hasn't been patched for a long while (over a year or two).

  12. Re:follow the money. by jabithew · Score: 2, Insightful

    Then when Joe-Idiot gets a virus, it's probably his own fault because he bypassed the safety barrier and thus you can throw him off if his IP starts spamming or trying to infect others.

    Most ISP terms of service allow them to do this already. If they actually tried to enforce it, they wouldn't have any customers left.

    --
    All intents and purposes. Not intensive purposes.
  13. Re:follow the money. by jrumney · Score: 2, Insightful

    What are you going to do, shut down the website without a full legal investigation?

    Yes, sometimes the public interest outweighs the commercial interest of a business. It happens in meatspace every day for all kinds of reasons, from anonymous bomb threats to the president coming within 2 miles of the place.

  14. Re:How can it spread through USB sticks? by Erikderzweite · Score: 2, Insightful

    I must admit, it is cleverly done. Put me in front of a Windows machine with default settings and I'd probably select the topmost option.
    Still, it's an epic fail to enable such autostart of random programs from USB stick. It is sacrificing essential security for questionable convenience.

  15. Re:Patch and Pray: Windows is a costly liability by Spad · Score: 4, Insightful

    *ALL* operating systems must be constantly patched to protect against the "latest" threats. Windows just gets the majority share of attention because there are millions of Windows boxes, many unpatched, many owned and operated by computer illiterate users who have little or no interest in securing them (and even in Vista, which is a vast improvement on XP from a security perspective, the default security leaves a lot to be desired).

    Ok, they are *usually* less serious than this particular vulnerability, but my Ubuntu box downloads "critical" updates at least once a week on average.

    Microsoft have made a lot of bad design decisions in their products, often in order to thwart competition, but them actually being incompetent or negligent, especially in recent years, is a lot harder to prove.

  16. Re:follow the money. by cbiltcliffe · Score: 2, Insightful

    Which is all fine and dandy, until you realize that text files can have an executable component, if there is a buffer overflow or some other kind of incorrect data handling in notepad.

    There is no such thing as a non-executable file.

    --
    "City hall" in German is "Rathaus". Kinda explains a few things......
  17. Re:follow the money. by value_added · Score: 2, Insightful

    Most ISP terms of service allow them to do this already. If they actually tried to enforce it, they wouldn't have any customers left.

    That's a fair comment, but I don't think it's true. Given the near-monopoly position of ISPs, the customer either can't leave, or would think long and hard before doing so.

    The real issue I think is that it will cost the ISP real money (in terms of added call volume to their support weenies). If they allow their infected customers to pollute the internet, then the cost is passed down the line to those who are forced to deal with the problem. That makes it someone else's problem.

    Perfectly reasonable strategy, of course, and one that's based in human nature. Good Samaritans aren't frightened of "getting involved", but rather prefer someone else to do what needs to be done so that "someone else" shoulders any and all burdens or costs.

  18. Re:Patch and Pray: Windows is a costly liability by Abcd1234 · Score: 3, Insightful

    The only reason why there hasn't been a class action lawsuit against Microsoft for their incompetence is that many misguided people STILL think that every 20 minutes of MS Word is worth 1 week of their time spent Patching and Praying and trying to recover data.

    Actually, I think it's more fundamental than that. I think the last 20 years of Microsoft dominance have convinced people that this is the *only way computers can work*. That it's impossible to do any better. So they've learned to live with the instability, the insecurity, the constant fear of losing work due to mysterious crashes and instabilities.

    Heck, just look at the praise lavished on XP. Compared to 95, XP is a quantum leap in terms of stability. And yet, in my experience, it's only just adequate. But compared to what people were used to, it's amazing!