Conficker Worm Could Create World's Biggest Botnet

← Back to Stories (view on slashdot.org)

Conficker Worm Could Create World's Biggest Botnet

Posted by kdawson on Monday January 19, 2009 @10:18PM from the holding-our-collective-breath dept.

nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Cornficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"

53 of 220 comments (clear)

Evolution by KasperMeerts · 2009-01-19 22:20 · Score: 4, Funny

The worm initially spread to systems unpatched against MS08-067, but has since 'evolved
It hasn't evolved. This is clearly Intelligent Design and anyone denying this is a godless heathen!

--
As long as there are slaughterhouses, there will be battlefields.
1. Re:Evolution by gravos · 2009-01-19 22:27 · Score: 3, Informative
  
  Downadup and other such similar worms exploit a vulnerability in the Windows Server service: Server Service Vulnerability -- CVE-2008-4250
  
  The vulnerability is detailed by October 23rd's Microsoft Security Bulletin MS08-067.
  
  --
  This game will waste your life. Don't clicky!
2. Re:Evolution by Ed+Avis · 2009-01-19 23:08 · Score: 2, Informative
  
  It has evolved - but not by natural selection. Some amount of evolution is accepted as a fact by everyone except young-earth creationists (those who believe the world is about 6000 years old). For example, we know that horses used to have toes and now they have hooves. But some believe this evolution is caused by natural selection and genetic variation, while others believe it was the act of a creator or designer. The evolution of wolves into domestic dogs is an example of evolution caused by man (you could call it artificial selection).
  
  --
  -- Ed Avis ed@membled.com
3. Re:Evolution by jabithew · 2009-01-20 01:14 · Score: 4, Funny
  
  You forgot arguably the biggest driver of evolution; sexual selection.
  But then, this is slashdot, so maybe I shouldn't be surprised.
  
  --
  All intents and purposes. Not intensive purposes.
4. Re:Evolution by cbiltcliffe · 2009-01-20 02:01 · Score: 2, Funny
  
  It's not phishing. Just enter your username and password into my^H^Hslashdot's login form, and make sure your account details are correct.....
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
follow the money. by leuk_he · 2009-01-19 22:27 · Score: 5, Interesting

It should not be that hard to follow the money generates by this malware. Infecting 8 million PC should be a crime.
from the write down, it downloads data from
" hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe"
follow that money and the bad guys will be found quickly.
1. Re:follow the money. by calmofthestorm · 2009-01-19 22:36 · Score: 4, Insightful
  
  It should not be that hard to follow the money generates by this malware. Infecting 8 million PC should be a crime.
  It's a crime if it's spammers. It's not a crime if it's government or content industry.
  Bitterness aside, the main problem is that usually the people doing it are in a country where it is, for a number of reasons, difficult to track them down. Still, I agree that, short of keeping your OS up to date (if you /must/ use Windows), following the money is the best approach.
  
  --
  93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
2. Re:follow the money. by jonwil · 2009-01-19 23:00 · Score: 2, Insightful
  
  Its a good bet that the machine or machines responding to the trafficconverter.biz domain name are either hacked (e.g. zombies) or obtained using stolen or fake credit cards and other ID.
  The chances that the information listed for the account(s) owning trafficconverter.biz matches with the owners of this botnet is very little.
3. Re:follow the money. by Richard+W.M.+Jones · 2009-01-19 23:07 · Score: 5, Insightful
  
  It's not like the FBI and Interpol and going to look at the bogus whois information and throw their hands up and say "oh noes". They can go and raid the registrar's offices and find out what IPs registered the domain, what credit cards (stolen or not) were used, and if they were stolen, where from and when. Furthermore the worm has a whole list of websites, so every single one of those can be checked in the same way, and even if they are all hijacked, there will be hundreds of potential clues about the perpetrators.
  Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc the list goes on. The police need to do something to help us.
  Rich.
  
  --
  libguestfs - tools for accessing and modifying virtual machine disk images
4. Re:follow the money. by Urd.Yggdrasil · 2009-01-19 23:09 · Score: 2, Informative
  
  It is common practice for domains to be registered using stolen credit card numbers and phony registration information, as well as using bots within the net to act as proxies between you and the actual server, such as with fast flux. That combined with the fact that the servers are generally hosted in countries that don't have a lot of money, man power, or motivation to track these types of operations down makes stopping them a very difficult process.
5. Re:follow the money. by timmarhy · 2009-01-19 23:31 · Score: 4, Insightful
  
  agreed 100%. until some serious pound me in the ass prison time is handed out to more than a few of these guys, it won't stop. better coordination with isp's is also the answer here, once these virus/spam sites are identified, for fucks sake blacklist them. this simple act would stop 100,000's of infected pc's from giving up information making the whole venture less profitable.
  
  --
  If you mod me down, I will become more powerful than you can imagine....
6. Re:follow the money. by Anonymous Coward · 2009-01-19 23:36 · Score: 3, Interesting
  
  You're assuming too much. Keeping Windows up to date?
  One problem is the lifecycle support. SP1 isn't supported anymore, I believe, and even trying to manually install the patch won't work because it requires SP2 or higher to be done. (For XP, of course.)
  SP2 won't necessarily work on all computers, for one reason or another. Some may choose not to go up to SP2 due to all that garbage installed with it. (I think a very annoying firewall is installed, and doesn't it tamper with Internet Explorer against one's wishes?)
  At least for those people, they can go around doing workarounds. Of course, this will result in an OS eventually becoming non-functional for quite a bit of things.
7. Re:follow the money. by maple_shaft · 2009-01-19 23:40 · Score: 4, Interesting
  
  This nasty virus has caused me to be up working overtime for the past two weeks.
  Well one hint to finding the assholes who wrote this virus is the fact that the virus willingly ignores computers originating within the Ukraine.
  That narrows it down to about 80 million people. ;-)
8. Re:follow the money. by ledow · 2009-01-19 23:43 · Score: 4, Interesting
  
  It sounds very simple but you're missing the bigger picture.
  How do we know that that virus has ANYTHING to do with trafficonverter.biz or that they knowingly provide that service? What are you going to do, shut down the website without a full legal investigation? Brilliant! I don't like slashdot, so I make a virus that looks like it gets its instructions from them, or from random comments posted on there. You've now made it incredibly easy for me to "social-DoS" a website. I can get them shutdown, or cause them lots of financial hassle to deal with the investigation, just by downloading something from them with my virus.
  Or say I want AVG out of business - I make the program download a particular older version of AVG to use a known vulnerability in it to propogate my virus or elevate its permissions. Or I just install it on every machine I infect forcibly. If people don't start associating AVG with malware (like that Antivirus 2008/2009 thing) then I've just given them the impression that it's a horrible piece of software that forces itself on you. Or I make sure that it's the only virus scanner that can or can't detect my virus - either way, I win in discrediting AVG.
  The fact is that a virus is an unwanted, untrusted application. Because it's untrusted, you can't just start shutting things down because you find a "clue" in that virus's code. That's why it takes *so* long to convict known virus-writers. International boundaries, legal obligations (hence why you can't just "take over" a botnet that has people's/company's PC's in it and issue random command to "clean it up"), verifiable evidence, there are a million holes.
  The problem is not that viruses make money. It's that viruses STILL WORK. That they STILL EXIST. That they are STILL CAUGHT by people. They've been around for 30-odd-years and they are more prevelant than ever and 99.9% of viruses operate on a single platform, targetting old, known, already-patched vulnerabilities. The fix for viruses is not to stop their creation by "persuasion" (removing revenue streams, harsher sentences, etc.) but to prevent them by technical means and ensure those means are adhered to. This means punishing users and operating systems that *don't* conform. Virus infections are a daily occurence and people are now blasé about them... I've had people casually mention having dozens of viruses on their machines and could I have a look if they bring it in next month, etc. The problem, again, is an OS that allows such things to exist and propogate so readily and simply (literally, I could write a Windows virus in a matter of hours with no previous knowledge and virtually zero documentation... Unix-based? Wouldn't know where to start because I would need to find a gaping hole in heavily-tested, proven-rugged, complex code that I can barely understand.
  My provider shuts customers off if they use port 139 (and others) on their PC's without having previously informed them that, basically, "I know what I'm doing". The Internet stops and all webpages are replaced by an automated message about how to install a firewall (which, thankfully, also includes the "I know what I'm doing" option). I do "know what I'm doing", I have several layers of protection on everything connected to the Internet but I've left this on. What we need is a massive opt-in that enforces this for the average person. My ISP can already scan every webpage and email for me for viruses and replace them with warning text. They need to extend this to be the default, with opt-out. Then when Joe-Idiot gets a virus, it's probably his own fault because he bypassed the safety barrier and thus you can throw him off if his IP starts spamming or trying to infect others.
  Even a simple method (e.g. an automated port scan every day, ala GRC.com's ShieldsUp and an email if open ports change). It's not a catch-all but it will certainly shock a few people if they realised just how open their PC's are and will warn companies and professionals when something happens that sho
9. Re:follow the money. by mlush · 2009-01-20 00:23 · Score: 5, Insightful
  
  Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc the list goes on. The police need to do something to help us.
  Rich.
  I think you should be careful what you wish for. The Police could do something, they could turn the Internet into a Police State.
10. Re:follow the money. by Joce640k · 2009-01-20 00:27 · Score: 2, Interesting
  
  Dunno, but whay can't we remove trafficonverter.biz from the DNS for a few weeks?
  You might say it's bad for them and "all smappers need to do to shut down a web site is...blah, blah" but that's ignoring how spammers work. If spammers learn that websites will be removed from DNS at the first sign of trouble then they won't use websites.
  Spammers don't do it for political reasons, they're thieves who are trying to get money.
  
  --
  No sig today...
11. Re:follow the money. by ledow · 2009-01-20 00:40 · Score: 2, Insightful
  
  My post did address your question, but maybe not as directly as necessary.
  Which police? Which law enforcement? Which banks? Which victims? The problem is that such questions are not only difficult to answer but are severely hindered by international boundaries. It's nothing to do with how easy it is to catch the kid down the road doing this to you, it's about how to illicit information from a foreign country who really have no interest in helping you (it's hurting them too, most probably, but that's no incentive). There may even be laws in that country that prevent dissipation of that information outside the country's own law enforcement (Data Protection Acts etc.) Look at the trouble the record industry is having illiciting information on who uses an IP when they KNOW the IP and are represented in the same country as the user and have probable cause to ask for more information. Now imagine that I'm Russian, and the Russian record industry doesn't care what I do... *you* try and extract, based in a foreign country like the USA, the name and address of the Russian user who owns an Russian IP that you think was involved. It's nigh-on impossible, even when you KNOW who it was, let alone if you are just tracing through logs of potential proxies with the intention to seize those proxies to trace back to the original source, etc.
  Basically, the law doesn't help you here at all because once you cross international boundaries, things get infinitely more complicated and it ends up costing too much money to even consider it. That's my point... sod the law (it may not even be illegal in the country of the author to do such things, so you can't rely on it) and use technical solutions to STOP THE CRIME BEING POSSIBLE in the first place. It's like whinging that kids keep stealing things out of your house because you have no garden walls, no locks on your doors, you leave the doors open all the time even if you are out and you put a large sign in the street saying "Please don't steal my things". OF COURSE it's against the law to take your things but you'll never get them all back because you'll never know who was walking past when you weren't there and taking a few simple technical measures makes the crime much, much, much more difficult.
12. Re:follow the money. by Cowmonaut · 2009-01-20 01:11 · Score: 2, Insightful
  
  The Windows Firewall is greatly improved in SP3, but even the default un-patched firewall in XP is more or less a joke if you plan on doing any network sharing. So either way you have to deal with it. Also, I think it's SP3 you mean about the tampering with IE. It'll install IE7 if you want it or not unless you already had it installed. The only way to uninstall it without going through a big hassle is to have IE7 installed prior to installing SP3 if I remember right.
  There are very few reasons to not install a service pack for Windows. I've not heard of any hardware compatibility issues, and for sure that is not a problem with new hardware. It may take forever, but from high end gaming systems to crappy E-Machines with at best 512MB of RAM, installing SP2 for XP is the only smart thing to do and doesn't slow the system down once its installed.
  If anyone has some proof otherwise (as in links, not anecdotal) please correct me. But I've neither heard of nor seen an issue caused by SP2 that hasn't been patched for a long while (over a year or two).
13. Re:follow the money. by Erikderzweite · 2009-01-20 01:18 · Score: 2, Funny
  
  This nasty virus has caused me to be up working overtime for the past two weeks.
  Well one hint to finding the assholes who wrote this virus is the fact that the virus willingly ignores computers originating within the Ukraine.
  That narrows it down to about 80 million people. ;-)
  Ukraine has about 46 million people. And the situation is already being dealt with -- Russia has stopped to supply them with gas.
14. Re:follow the money. by jabithew · 2009-01-20 01:25 · Score: 2, Insightful
  
  Then when Joe-Idiot gets a virus, it's probably his own fault because he bypassed the safety barrier and thus you can throw him off if his IP starts spamming or trying to infect others.
  Most ISP terms of service allow them to do this already. If they actually tried to enforce it, they wouldn't have any customers left.
  
  --
  All intents and purposes. Not intensive purposes.
15. Re:follow the money. by jrumney · 2009-01-20 01:37 · Score: 2, Insightful
  
  What are you going to do, shut down the website without a full legal investigation?
  Yes, sometimes the public interest outweighs the commercial interest of a business. It happens in meatspace every day for all kinds of reasons, from anonymous bomb threats to the president coming within 2 miles of the place.
16. Re:follow the money. by cbiltcliffe · 2009-01-20 02:06 · Score: 2, Insightful
  
  Which is all fine and dandy, until you realize that text files can have an executable component, if there is a buffer overflow or some other kind of incorrect data handling in notepad.
  There is no such thing as a non-executable file.
  
  --
  "City hall" in German is "Rathaus" Kinda explains a few things......
17. Re:follow the money. by jjeffries · 2009-01-20 02:25 · Score: 2, Funny
  
  "smappers" is a lovely word and should be given a meaning at once!
18. Re:follow the money. by hesaigo999ca · 2009-01-20 02:32 · Score: 2, Interesting
  
  Actually you are on to something, we (the people) are not giving enough definition of responsibility for someone owning a website that can be used for harm.
  When you drive a car and can hurt people by driving over them, you need a license and pass some courses etc...
  Well for owning a website, you have to pay with an proper credit card, should any of those numbers show up as having been stolen the site is downed immediately, and the person contacted to provide new information for credit card approval, and as such will be closely examined for content.
  This model could be enforced at the lower level of ISP or DOmain provider, and then when a flag goes off, the feds are contacted just in case...fewer false negatives, and also less work for the feds. ...more responsibility for the domain provider or isp provider.
19. Re:follow the money. by value_added · 2009-01-20 02:59 · Score: 2, Insightful
  
  Most ISP terms of service allow them to do this already. If they actually tried to enforce it, they wouldn't have any customers left.
  That's a fair comment, but I don't think it's true. Given the near-monopoloy position of ISPs, the customer either can't leave, or would think long and hard before doing so.
  The real issue I think is that it will cost the ISP real money (in terms of added call volume to their support weenies). If they allow their infected customers to pollute the internet, then the cost is passed down the line to those who are forced to deal with the problem. That makes it someone else's problem.
  Perfectly reasonable strategy, of course, and one that's based in human nature. Good samaritans aren't frightened of "getting involved", but rather prefer someone else to do what needs to be done so that "someone else" shoulders any and all burdens or costs.
20. Re:follow the money. by Opportunist · 2009-01-20 04:19 · Score: 2, Informative
  
  A nice idea in theory. Since I'm in exactly this business, allow me to illustrate how this works (or rather, how it doesn't).
  You follow this trail to some registrar in, say, Uzbekistan. He will point you to Malaysia, where the server is located. So you phone your local Interpol office (let's assume you are on good terms with them and they actually listen when you call, as in my case. It helps when you point them to some bank scams first so they see you as someone who ain't just a waste of time). If they are inexperienced cops eager to make a bust, they will start writing letters towards Malaysia, asking for aid in their endeavour to shut that server down.
  If they are experienced cops, they'll tell you "meh" and shrug their shoulders, knowing it's fruitless, or if it finally comes to a positive end and the server gets closed, it already changed location at least twice, rendering your "victory" pointless.
  But let's find out who is behind it all. To save some space here, allow me to just point you to Wikipedia's article about the RBN. I'm not saying this is a deal of the RBN, but it might give you an idea why following the money trail to find out who is behind it is about as pointless. You might even find out who did it. Doesn't do jack, though, if he's sitting in a country that has other problems.
  The point is, countries usually don't care about it too much if their citizens break the law abroad, at least if they got enough problems with other crimes at home. And while I'm not really saying that it is so in this case, some countries could have a very keen interest in having someone around that has access to a worldwide network of botnet machines...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
21. Re:follow the money. by Opportunist · 2009-01-20 04:26 · Score: 2, Interesting
  
  You assume that you're dealing with a country that has a stable legal infrastructure. In 99 of 100 of such cases, you are not.
  The servers are usually located either in countries from the Soviet Union breakup or emerging countries in Southeast Asia. Sometimes, but rarely, South America. And if it's anywhere else, rest assured that it's a hacked server that won't stay up longer than a few days. Those people know exactly how long it takes you to find them, find their server's location, get the local authorities into gear, get a warrant and raid them. They clocked us with their past attacks. They deliberately opened up servers in various places and took a look how long it takes here or there to get the paperwork done and actually cut their link. We made some nice progress in this time and actually got some information, but so did they.
  Blacklisting would only work in a "great firewall" scenario. Which isn't quite what I'd envision as a good thing either, the temptation for abuse is just a little bit too strong. Not to mention that more likely the abuse will outmatch the intended use.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
How can it spread through USB sticks? by Viol8 · 2009-01-19 22:46 · Score: 4, Interesting

I dont use Windows much but I assumed MS had disabled or at least set the default to off of the autoexec.bat feature so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??
1. Re:How can it spread through USB sticks? by k.a.f. · 2009-01-19 22:51 · Score: 5, Informative
  
  I dont use Windows much but I assumed MS had disabled or at least set the default to off of the autoexec.bat feature so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??
  It posts an "execute" option in the autoplay dialog that looks almost exactly like the harmless "browse folder" option, complete with misleading folder icon. It's moderately clever, but of course still rquires autoplay to be enabled.
2. Re:How can it spread through USB sticks? by Urd.Yggdrasil · 2009-01-19 22:51 · Score: 2, Informative
  
  It's autorun.inf not autoexec.bat, and it does require a bit of user interaction. Double clicking on it in explorer in XP will execute it but on systems running vista/7 it must rely on social engineering.
3. Re:How can it spread through USB sticks? by Spad · 2009-01-19 22:54 · Score: 5, Interesting
  
  Autorun is still enabled by default in Windows for all removable devices.
  USB sticks are a little odd though as autorun only works for certain ones with a specific hardware flag set. I would guess it's trivial for this worm to change the flag to enable autorun, however.
4. Re:How can it spread through USB sticks? by Zocalo · 2009-01-19 22:56 · Score: 5, Informative
  
  Conficker basically does some social engineering. Unless Autorun is disabled (it still isn't by default) when you insert a USB stick on a Windows box you get a dialog box asking what you want to do. One of the options on the box appears as "Open folder to view files" which might sound innocuous, but is actually an "autorun.inf" option created by Conficker that in reality runs the virus. The only real clue that you have that something is amiss is that the real "Open folder" option is visible as below the Conficker generated fake.
  
  --
  UNIX? They're not even circumcised! Savages!
5. Re:How can it spread through USB sticks? by h3rmanni · 2009-01-19 22:57 · Score: 5, Informative
  
  http://www.f-secure.com/weblog/ has screenshots showing how exactly it executes from USB sticks under Vista and Windows 7 beta.
6. Re:How can it spread through USB sticks? by ChienAndalu · 2009-01-19 23:05 · Score: 3, Insightful
  
  I really hate Microsoft for this kind of stupidity. They could have just made an option "autorun program from USB stick" with nothing customizable about it.
7. Re:How can it spread through USB sticks? by Whiney+Mac+Fanboy · 2009-01-19 23:24 · Score: 2, Insightful
  
  I would guess it's trivial for this worm to change the flag to enable autorun, however.
  Only after its executing....and if it's doing that, what's the point?
  
  --
  There are shills on slashdot. Apparently, I'm one of them.
8. Re:How can it spread through USB sticks? by Aladrin · 2009-01-19 23:30 · Score: 2, Informative
  
  Infect other computers. That's the whole point of putting itself on the USB stick in the first place.
  
  --
  "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
9. Re:How can it spread through USB sticks? by Anonymous Coward · 2009-01-19 23:39 · Score: 4, Informative
  
  See http://isc.sans.org/diary.html?storyid=5695
  The option appears as :
  Install or run program: Open folder to view files (Publisher not specified)
  So people falling for it, would have clicked even on "Install virus and destroy your life ? YES/NO".
10. Re:How can it spread through USB sticks? by Erikderzweite · 2009-01-20 01:40 · Score: 2, Insightful
  
  I must admit, it is cleverly done. Put me in front of a Windows machine with default settings and I'd probably select the topmost option.
  Still, it's an epic fail to enable such autostart of random programs from USB stick. It is sacrificing essential security for questionable convenience.
11. Re:How can it spread through USB sticks? by Gorgonzolanoid · 2009-01-20 04:01 · Score: 2, Informative
  
  How does one disable autoplay in XP, without making a half dozen manual registry changes?
  Through a policy (gpedit.msc).
  http://support.microsoft.com/kb/953252
  The article is about 10 times as long as it needs to be, look for the subtitle "How to use Group Policy settings to disable all Autorun features".
Re:ISP Blacklists by Urd.Yggdrasil · 2009-01-19 22:56 · Score: 3, Insightful

This would only work for centralized command and control mechanisms. More sophisticated bots use decentralized p2p type communication, as was with the storm worm last year. Conflicker uses a built in mechanism to generate new domains to contact each day, and while security firms are deploying blacklists based on the generator code, it could easily be changed in a new variant. This is of course not taking into account the difficulty one would have in getting ISP's to maintain a list of blacklisted domains that changes day to day.
Re:ISP Blacklists by ChienAndalu · 2009-01-19 23:02 · Score: 4, Interesting

1) ISPs would have to put in effort and money to combat these things
Depending on the amount of traffic that worm generates, it might even be worth it.
Creamed, kernel, or cob? by Stanislav_J · 2009-01-19 23:08 · Score: 2, Funny

Do I just have a dirty mind, or did others upon first glance read this as the "Cornfucker" worm?

--
"Every great cause begins as a movement, becomes a business, and eventually degenerates into a racket." -- Eric Hoffer
1. Re:Creamed, kernel, or cob? by KillerLoop · 2009-01-19 23:35 · Score: 2, Funny
  
  In german, cornficker has exactly this meaning.
Re:This is what baffles me... by chalkyj · 2009-01-19 23:30 · Score: 5, Informative

It's poorly phrased. It doesn't create 250 domains per day, it CHECKS 250 domains per day. The botnet controller only needs to create one of those domains to upload new instructions.
Not the size of a planet by tinkerton · 2009-01-19 23:39 · Score: 2, Funny

the size of Pluto maybe.
Finding unpatched servers by Anonymous Coward · 2009-01-19 23:41 · Score: 2, Informative

The guys at Winh4x have generated a script that detects servers missing the MS08-067 update.
Trivial for a worm to change the flag? by transporter_ii · 2009-01-19 23:54 · Score: 4, Informative

I would have to agree. I fought, what I think is this worm, at work for a week or so. If not, here is what I fought.
*Would disable Recovery console so you couldn't go back to an early date.
*Spread by USB thumb drive.
*Stick in a thumb drive, if the computer had AVG, it would detect it, but not be able to "heal" everything...but by this time it was too late.
One variant of it put in a root kit and blocked all access to antivirus sites. You could go anywhere on the Internet unless it happened to be an antivirus site.
This same one also blocked exe files if they happened to be something like Spybot search and destroy. It just wouldn't run anymore.
Also, it turns off the ability to change settings to view hidden files and folders, so you can't see the folders it adds.
My guess is, it is pretty freaking trivial for these people to do whatever they freaking want in Windows (except for probably disabling DRM!).
Transporter_ii

--
Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
Cancel or allow ? by smoker2 · 2009-01-20 00:12 · Score: 2, Interesting

As it's windows anyway, can't MS issue a patch that asks a user for confirmation every time an outgoing request gets made ? Or at least keep logs that it can monitor for bot like activity. If you are getting more than a certain number of outgoing connections without any other user input, then it should flag it to the user as suspicious, via a report that appears on boot, and need confirmation before anything else can be executed.

You could still have trusted services, time.windows.com etc, but multiple requests when the browser hasn't registered a click for an hour should be regarded as suspicious. I realise this is the "wrong end of the stick", but we have to deal with things the way they are, not how we'd like them to be. At least being nagged will bring the publics awareness to the problem existing on their machines.

Another idea - use the mouse, so that if it's left unmoved for more than x amount of time the "watchdog" would lock the net down. If you need to leave something running like bittorrent, you can specifically add it as a trusted service, but never permanently. Anything other than BT accessing the net during that time period (or until you move the mouse again) will automatically be denied.

It seems to me that the wider community is having to carry the can for the sorry state of windows security, so making life inconvenient for those who leave their machines unpatched should be fair game.
1. Re:Cancel or allow ? by Fittysix · 2009-01-20 01:56 · Score: 2, Interesting
  
  The 'dimming the desktop' isn't just to catch the users attention. When a UAC prompt comes up it does so on the secure desktop, where mouse and keyboard can not be manipulated by a program. For example, when using synergy http://synergy2.sourceforge.net/ I was unable to interact with the UAC prompt without using the local keyboard/mouse.
  
  --
  *.sig
Say it ain't so by damn_registrars · 2009-01-20 00:35 · Score: 2, Insightful

It wasn't that long ago that someone declared the storm botnet had been cracked wide open, from which some people made the extremely erroneous extrapolation that botnets would become a thing of the past.

Well, I guess that almost held for two weeks. Maybe someday people will consider addressing the underlying cause of these problems instead of the symptoms.

--
Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
Patch and Pray: Windows is a costly liability by Dystopian+Rebel · 2009-01-20 01:36 · Score: 2, Interesting

The only reason why there hasn't been a class action lawsuit against Microsoft for their incompetence is that many misguided people STILL think that every 20 minutes of MS Word is worth 1 week of their time spent Patching and Praying and trying to recover data.
The argument that the vast Windows Ecosystem (700 m computers) is itself an argument for using Windows has been disproven by the Internet. If you have a network or connect to the Internet, Windows is a significant risk. And don't blame the users. That's as arrogant as the US makers of the cars that Nader condemned in 1965. Windows is "Unsafe At Internet Speed".
The Windows operating system, which is a liability on any network, must be constantly patched to protect against the "latest" threats. Microsoft's only constructive answers to these exploits are "patch and pray" and also to cripple connectivity (Windows XP SP2).
There will always be smart Bad Guys. The Bad Guys who excel at being bad are MUCH more creative than Microsoft and they have clearly put Generalissimo Ballmero and his regiments to flight. If you have the worst possible defences, you can't expect to be left in peace. Using Windows today is like sending your cavalry to engage hostile tanks. You *will* get slaughtered at some point and if it doesn't happen immediately, it's because the tank crews took pity.

--
Rich And Stupid is not so bad as Working For Rich And Stupid.
1. Re:Patch and Pray: Windows is a costly liability by Spad · 2009-01-20 02:03 · Score: 4, Insightful
  
  *ALL* operating systems much be constantly patched to protect against the "latest" threats. Windows just gets the majority share of attention because there are millions of Windows boxes, many unpatched, many owned and operated by computer illiterate users who have little or no interest in securing them (And even in Vista, which is a vast improvement on XP from a security perspective, the default security leaves a lot to be desired).
  Ok, they are *usually* less serious than this particular vulnerability, but my Ubuntu box downloads "critical" updates at least once a week on average.
  Microsoft have made a lot of bad design decisions in their products, often in order to thwart competition, but them actually being incompetent or negligent, especially in recent years, is a lot harder to prove.
2. Re:Patch and Pray: Windows is a costly liability by Abcd1234 · 2009-01-20 03:31 · Score: 3, Insightful
  
  The only reason why there hasn't been a class action lawsuit against Microsoft for their incompetence is that many misguided people STILL think that every 20 minutes of MS Word is worth 1 week of their time spent Patching and Praying and trying to recover data.
  Actually, I think it's more fundamental than that. I think the last 20 years of Microsoft dominance have convinced people that this is the *only way computers can work*. That it's impossible to do any better. So they've learned to live with the instability, the insecurity, the constant fear of losing work due to mysterious crashes and instabilities.
  Heck, just look at the praise lavished on XP. Compared to 95, XP is a quantum leap in terms of stability. And yet, in my experience, it's only just adequate. But compared to what people were used to, it's amazing!