Conficker Worm Could Create World's Biggest Botnet

nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Cornficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"

follow the money.

[leuk_he]

It should not be that hard to follow the money generates by this malware. Infecting 8 million PC should be a crime.

from the write down, it downloads data from

" hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe"

follow that money and the bad guys will be found quickly.

Re:follow the money.

You're assuming too much. Keeping Windows up to date?

One problem is the lifecycle support. SP1 isn't supported anymore, I believe, and even trying to manually install the patch won't work because it requires SP2 or higher to be done. (For XP, of course.)

SP2 won't necessarily work on all computers, for one reason or another. Some may choose not to go up to SP2 due to all that garbage installed with it. (I think a very annoying firewall is installed, and doesn't it tamper with Internet Explorer against one's wishes?)

At least for those people, they can go around doing workarounds. Of course, this will result in an OS eventually becoming non-functional for quite a bit of things.

Re:follow the money.

[maple_shaft]

This nasty virus has caused me to be up working overtime for the past two weeks.

Well one hint to finding the assholes who wrote this virus is the fact that the virus willingly ignores computers originating within the Ukraine.

That narrows it down to about 80 million people. ;-)

Re:follow the money.

[ledow]

It sounds very simple but you're missing the bigger picture.

How do we know that that virus has ANYTHING to do with trafficonverter.biz or that they knowingly provide that service? What are you going to do, shut down the website without a full legal investigation? Brilliant! I don't like slashdot, so I make a virus that looks like it gets its instructions from them, or from random comments posted on there. You've now made it incredibly easy for me to "social-DoS" a website. I can get them shutdown, or cause them lots of financial hassle to deal with the investigation, just by downloading something from them with my virus.

Or say I want AVG out of business - I make the program download a particular older version of AVG to use a known vulnerability in it to propogate my virus or elevate its permissions. Or I just install it on every machine I infect forcibly. If people don't start associating AVG with malware (like that Antivirus 2008/2009 thing) then I've just given them the impression that it's a horrible piece of software that forces itself on you. Or I make sure that it's the only virus scanner that can or can't detect my virus - either way, I win in discrediting AVG.

The fact is that a virus is an unwanted, untrusted application. Because it's untrusted, you can't just start shutting things down because you find a "clue" in that virus's code. That's why it takes *so* long to convict known virus-writers. International boundaries, legal obligations (hence why you can't just "take over" a botnet that has people's/company's PC's in it and issue random command to "clean it up"), verifiable evidence, there are a million holes.

The problem is not that viruses make money. It's that viruses STILL WORK. That they STILL EXIST. That they are STILL CAUGHT by people. They've been around for 30-odd-years and they are more prevelant than ever and 99.9% of viruses operate on a single platform, targetting old, known, already-patched vulnerabilities. The fix for viruses is not to stop their creation by "persuasion" (removing revenue streams, harsher sentences, etc.) but to prevent them by technical means and ensure those means are adhered to. This means punishing users and operating systems that *don't* conform. Virus infections are a daily occurence and people are now blasé about them... I've had people casually mention having dozens of viruses on their machines and could I have a look if they bring it in next month, etc. The problem, again, is an OS that allows such things to exist and propogate so readily and simply (literally, I could write a Windows virus in a matter of hours with no previous knowledge and virtually zero documentation... Unix-based? Wouldn't know where to start because I would need to find a gaping hole in heavily-tested, proven-rugged, complex code that I can barely understand.

My provider shuts customers off if they use port 139 (and others) on their PC's without having previously informed them that, basically, "I know what I'm doing". The Internet stops and all webpages are replaced by an automated message about how to install a firewall (which, thankfully, also includes the "I know what I'm doing" option). I do "know what I'm doing", I have several layers of protection on everything connected to the Internet but I've left this on. What we need is a massive opt-in that enforces this for the average person. My ISP can already scan every webpage and email for me for viruses and replace them with warning text. They need to extend this to be the default, with opt-out. Then when Joe-Idiot gets a virus, it's probably his own fault because he bypassed the safety barrier and thus you can throw him off if his IP starts spamming or trying to infect others.

Even a simple method (e.g. an automated port scan every day, ala GRC.com's ShieldsUp and an email if open ports change). It's not a catch-all but it will certainly shock a few people if they realised just how open their PC's are and will warn companies and professionals when something happens that sho

Re:follow the money.

[Joce640k]

Dunno, but whay can't we remove trafficonverter.biz from the DNS for a few weeks?

You might say it's bad for them and "all smappers need to do to shut down a web site is...blah, blah" but that's ignoring how spammers work. If spammers learn that websites will be removed from DNS at the first sign of trouble then they won't use websites.

Spammers don't do it for political reasons, they're thieves who are trying to get money.

Re:follow the money.

[hesaigo999ca]

Actually you are on to something, we (the people) are not giving enough definition of responsibility for someone owning a website that can be used for harm.
When you drive a car and can hurt people by driving over them, you need a license and pass some courses etc...

Well for owning a website, you have to pay with an proper credit card, should any of those numbers show up as having been stolen the site is downed immediately, and the person contacted to provide new information for credit card approval, and as such will be closely examined for content.

This model could be enforced at the lower level of ISP or DOmain provider, and then when a flag goes off, the feds are contacted just in case...fewer false negatives, and also less work for the feds. ...more responsibility for the domain provider or isp provider.

Re:follow the money.

[Opportunist]

You assume that you're dealing with a country that has a stable legal infrastructure. In 99 of 100 of such cases, you are not.

The servers are usually located either in countries from the Soviet Union breakup or emerging countries in Southeast Asia. Sometimes, but rarely, South America. And if it's anywhere else, rest assured that it's a hacked server that won't stay up longer than a few days. Those people know exactly how long it takes you to find them, find their server's location, get the local authorities into gear, get a warrant and raid them. They clocked us with their past attacks. They deliberately opened up servers in various places and took a look how long it takes here or there to get the paperwork done and actually cut their link. We made some nice progress in this time and actually got some information, but so did they.

Blacklisting would only work in a "great firewall" scenario. Which isn't quite what I'd envision as a good thing either, the temptation for abuse is just a little bit too strong. Not to mention that more likely the abuse will outmatch the intended use.

ISP Blacklists

[Devil's+BSD]

One thing about botnets... I don't really understand why there couldn't be a blacklist of known botnet controllers maintained by a trusted authority (SANS, or perhaps a collaboration of the leading AV vendors, for example) that ISPs could use to block their customers from connecting to. Or, they could even go one step further and shut off the customers connecting to botnets until they're sure the customers have cleaned their computers.

Re:ISP Blacklists

[ChienAndalu]

1) ISPs would have to put in effort and money to combat these things

Depending on the amount of traffic that worm generates, it might even be worth it.

How can it spread through USB sticks?

[Viol8]

I dont use Windows much but I assumed MS had disabled or at least set the default to off of the autoexec.bat feature so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??

Re:How can it spread through USB sticks?

[Spad]

Autorun is still enabled by default in Windows for all removable devices.

USB sticks are a little odd though as autorun only works for certain ones with a specific hardware flag set. I would guess it's trivial for this worm to change the flag to enable autorun, however.

Cancel or allow ?

[smoker2]

As it's windows anyway, can't MS issue a patch that asks a user for confirmation every time an outgoing request gets made ? Or at least keep logs that it can monitor for bot like activity. If you are getting more than a certain number of outgoing connections without any other user input, then it should flag it to the user as suspicious, via a report that appears on boot, and need confirmation before anything else can be executed.

You could still have trusted services, time.windows.com etc, but multiple requests when the browser hasn't registered a click for an hour should be regarded as suspicious. I realise this is the "wrong end of the stick", but we have to deal with things the way they are, not how we'd like them to be. At least being nagged will bring the publics awareness to the problem existing on their machines.

Another idea - use the mouse, so that if it's left unmoved for more than x amount of time the "watchdog" would lock the net down. If you need to leave something running like bittorrent, you can specifically add it as a trusted service, but never permanently. Anything other than BT accessing the net during that time period (or until you move the mouse again) will automatically be denied.

It seems to me that the wider community is having to carry the can for the sorry state of windows security, so making life inconvenient for those who leave their machines unpatched should be fair game.

Re:Cancel or allow ?

[Fittysix]

The 'dimming the desktop' isn't just to catch the users attention. When a UAC prompt comes up it does so on the secure desktop, where mouse and keyboard can not be manipulated by a program. For example, when using synergy http://synergy2.sourceforge.net/ I was unable to interact with the UAC prompt without using the local keyboard/mouse.

Patch and Pray: Windows is a costly liability

[Dystopian+Rebel]

The only reason why there hasn't been a class action lawsuit against Microsoft for their incompetence is that many misguided people STILL think that every 20 minutes of MS Word is worth 1 week of their time spent Patching and Praying and trying to recover data.

The argument that the vast Windows Ecosystem (700 m computers) is itself an argument for using Windows has been disproven by the Internet. If you have a network or connect to the Internet, Windows is a significant risk. And don't blame the users. That's as arrogant as the US makers of the cars that Nader condemned in 1965. Windows is "Unsafe At Internet Speed".

The Windows operating system, which is a liability on any network, must be constantly patched to protect against the "latest" threats. Microsoft's only constructive answers to these exploits are "patch and pray" and also to cripple connectivity (Windows XP SP2).

There will always be smart Bad Guys. The Bad Guys who excel at being bad are MUCH more creative than Microsoft and they have clearly put Generalissimo Ballmero and his regiments to flight. If you have the worst possible defences, you can't expect to be left in peace. Using Windows today is like sending your cavalry to engage hostile tanks. You *will* get slaughtered at some point and if it doesn't happen immediately, it's because the tank crews took pity.