Slashdot Mirror


Conficker Worm Could Create World's Biggest Botnet

nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"

19 of 220 comments

  1. Evolution by KasperMeerts · Score: 4, Funny

    The worm initially spread to systems unpatched against MS08-067, but has since 'evolved

    It hasn't evolved. This is clearly Intelligent Design and anyone denying this is a godless heathen!

    --
    As long as there are slaughterhouses, there will be battlefields.
    1. Re:Evolution by jabithew · Score: 4, Funny

      You forgot arguably the biggest driver of evolution; sexual selection.

      But then, this is slashdot, so maybe I shouldn't be surprised.

      --
      All intents and purposes. Not intensive purposes.
  2. follow the money. by leuk_he · Score: 5, Interesting

    It should not be that hard to follow the money generated by this malware. Infecting 8 million PCs should be a crime.

    From the write-up, it downloads data from

    " hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe"

    Follow that money and the bad guys will be found quickly.

    1. Re:follow the money. by calmofthestorm · Score: 4, Insightful

      It should not be that hard to follow the money generated by this malware. Infecting 8 million PCs should be a crime.

      It's a crime if it's spammers. It's not a crime if it's government or content industry.

      Bitterness aside, the main problem is that usually the people doing it are in a country where it is, for a number of reasons, difficult to track them down. Still, I agree that, short of keeping your OS up to date (if you /must/ use Windows), following the money is the best approach.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    2. Re:follow the money. by Richard W.M. Jones · Score: 5, Insightful

      It's not like the FBI and Interpol are going to look at the bogus whois information and throw their hands up and say "oh noes". They can go and raid the registrar's offices and find out what IPs registered the domain, what credit cards (stolen or not) were used, and if they were stolen, where from and when. Furthermore, the worm has a whole list of websites, so every single one of those can be checked in the same way, and even if they are all hijacked, there will be hundreds of potential clues about the perpetrators.

      Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits, etc.; the list goes on. The police need to do something to help us.

      Rich.

    3. Re:follow the money. by timmarhy · Score: 4, Insightful

      Agreed 100%. Until some serious pound-me-in-the-ass prison time is handed out to more than a few of these guys, it won't stop. Better coordination with ISPs is also the answer here; once these virus/spam sites are identified, for fuck's sake blacklist them. This simple act would stop 100,000s of infected PCs from giving up information, making the whole venture less profitable.

      --
      If you mod me down, I will become more powerful than you can imagine....
    4. Re:follow the money. by maple_shaft · Score: 4, Interesting

      This nasty virus has caused me to be up working overtime for the past two weeks.

      Well one hint to finding the assholes who wrote this virus is the fact that the virus willingly ignores computers originating within the Ukraine.

      That narrows it down to about 80 million people. ;-)

    5. Re:follow the money. by ledow · Score: 4, Interesting

      It sounds very simple but you're missing the bigger picture.

      How do we know that that virus has ANYTHING to do with trafficconverter.biz or that they knowingly provide that service? What are you going to do, shut down the website without a full legal investigation? Brilliant! I don't like slashdot, so I make a virus that looks like it gets its instructions from them, or from random comments posted on there. You've now made it incredibly easy for me to "social-DoS" a website. I can get them shut down, or cause them lots of financial hassle to deal with the investigation, just by downloading something from them with my virus.

      Or say I want AVG out of business - I make the program download a particular older version of AVG to use a known vulnerability in it to propagate my virus or elevate its permissions. Or I just install it on every machine I infect forcibly. If people don't start associating AVG with malware (like that Antivirus 2008/2009 thing) then I've just given them the impression that it's a horrible piece of software that forces itself on you. Or I make sure that it's the only virus scanner that can or can't detect my virus - either way, I win in discrediting AVG.

      The fact is that a virus is an unwanted, untrusted application. Because it's untrusted, you can't just start shutting things down because you find a "clue" in that virus's code. That's why it takes *so* long to convict known virus-writers. International boundaries, legal obligations (hence why you can't just "take over" a botnet that has people's/companies' PCs in it and issue random commands to "clean it up"), verifiable evidence, there are a million holes.

      The problem is not that viruses make money. It's that viruses STILL WORK. That they STILL EXIST. That they are STILL CAUGHT by people. They've been around for 30-odd years and they are more prevalent than ever and 99.9% of viruses operate on a single platform, targeting old, known, already-patched vulnerabilities. The fix for viruses is not to stop their creation by "persuasion" (removing revenue streams, harsher sentences, etc.) but to prevent them by technical means and ensure those means are adhered to. This means punishing users and operating systems that *don't* conform. Virus infections are a daily occurrence and people are now blasé about them... I've had people casually mention having dozens of viruses on their machines and could I have a look if they bring it in next month, etc. The problem, again, is an OS that allows such things to exist and propagate so readily and simply (literally, I could write a Windows virus in a matter of hours with no previous knowledge and virtually zero documentation... Unix-based? Wouldn't know where to start because I would need to find a gaping hole in heavily-tested, proven-rugged, complex code that I can barely understand).

      My provider shuts customers off if they use port 139 (and others) on their PCs without having previously informed them that, basically, "I know what I'm doing". The Internet stops and all webpages are replaced by an automated message about how to install a firewall (which, thankfully, also includes the "I know what I'm doing" option). I do "know what I'm doing", I have several layers of protection on everything connected to the Internet but I've left this on. What we need is a massive opt-in that enforces this for the average person. My ISP can already scan every webpage and email for me for viruses and replace them with warning text. They need to extend this to be the default, with opt-out. Then when Joe-Idiot gets a virus, it's probably his own fault because he bypassed the safety barrier and thus you can throw him off if his IP starts spamming or trying to infect others.

      Even a simple method (e.g. an automated port scan every day, à la GRC.com's ShieldsUp, and an email if open ports change). It's not a catch-all but it will certainly shock a few people if they realised just how open their PCs are and will warn companies and professionals when something happens that sho

    6. Re:follow the money. by mlush · Score: 5, Insightful

      Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits, etc.; the list goes on. The police need to do something to help us.

      Rich.

      I think you should be careful what you wish for. The Police could do something, they could turn the Internet into a Police State.

  3. How can it spread through USB sticks? by Viol8 · Score: 4, Interesting

    I don't use Windows much but I assumed MS had disabled, or at least set the default to off for, the autoexec.bat feature, so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs?

    1. Re:How can it spread through USB sticks? by k.a.f. · Score: 5, Informative

      I don't use Windows much but I assumed MS had disabled, or at least set the default to off for, the autoexec.bat feature, so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs?

      It posts an "execute" option in the autoplay dialog that looks almost exactly like the harmless "browse folder" option, complete with misleading folder icon. It's moderately clever, but of course still requires autoplay to be enabled.

    2. Re:How can it spread through USB sticks? by Spad · Score: 5, Interesting

      Autorun is still enabled by default in Windows for all removable devices.

      USB sticks are a little odd though as autorun only works for certain ones with a specific hardware flag set. I would guess it's trivial for this worm to change the flag to enable autorun, however.

    3. Re:How can it spread through USB sticks? by Zocalo · Score: 5, Informative

      Conficker basically does some social engineering. Unless Autorun is disabled (it still isn't by default), when you insert a USB stick on a Windows box you get a dialog box asking what you want to do. One of the options on the box appears as "Open folder to view files", which might sound innocuous, but is actually an "autorun.inf" option created by Conficker that in reality runs the virus. The only real clue you have that something is amiss is that the real "Open folder" option is visible below the Conficker-generated fake.

      --
      UNIX? They're not even circumcised! Savages!
    4. Re:How can it spread through USB sticks? by h3rmanni · Score: 5, Informative

      http://www.f-secure.com/weblog/ has screenshots showing how exactly it executes from USB sticks under Vista and Windows 7 beta.

    5. Re:How can it spread through USB sticks? by Anonymous Coward · Score: 4, Informative

      See http://isc.sans.org/diary.html?storyid=5695

      The option appears as:

      Install or run program: Open folder to view files (Publisher not specified)

      So people falling for it would have clicked even on "Install virus and destroy your life? YES/NO".
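As an added example (not from any of the posts above), here is a small defender-side Python checker for the autorun.inf trick Zocalo and the Anonymous Coward describe: it parses an autorun.inf and flags an action entry that copies Windows' own "Open folder to view files" label or pairs a program launch with a stock shell32.dll icon. The autorun.inf samples inside the block are constructed for illustration.

```python
# Added example (not from any post in the thread): a defender-side check for the
# autorun.inf trick described above, where a fake "Open folder to view files"
# entry launches a program. Every autorun.inf text below is constructed.

# Label the fake entry imitates, and the keys that make Windows run a program.
BUILTIN_BROWSE_LABEL = "open folder to view files"
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def parse_autorun(text: str) -> dict:
    """Collect key=value pairs from the [autorun] section, keys lower-cased.
    Lines without '=' are skipped, so padding or junk lines do not break it."""
    entries, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
        elif in_section and "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries

def assess(text: str) -> list:
    """Return the reasons an autorun.inf looks like the impersonation trick;
    an empty list means nothing suspicious was found."""
    ar = parse_autorun(text)
    launch = [ar[k] for k in LAUNCH_KEYS if k in ar]
    reasons = []
    # Normalise case and whitespace before comparing the displayed label.
    if " ".join(ar.get("action", "").lower().split()) == BUILTIN_BROWSE_LABEL:
        reasons.append("action label copies Windows' own 'Open folder to view files' entry")
    # A launch dressed up with a stock shell32.dll icon (home of the folder icons).
    if launch and "shell32.dll" in ar.get("icon", "").lower():
        reasons.append("program launch paired with a stock shell32.dll icon")
    # Report the launch only when the entry is already suspicious, so a plain
    # installer CD with open=setup.exe and an honest label is not flagged.
    if reasons and launch:
        reasons.append("entry actually launches: " + "; ".join(launch))
    return reasons

# Constructed samples: vendor branding only (benign) vs. the fake browse entry.
BENIGN_INF = "[autorun]\nlabel=Holiday photos\nicon=camera.ico\n"
FAKE_BROWSE_INF = (
    "[autorun]\n"
    "action=Open Folder to view files\n"            # mimics the built-in option
    "icon=%SystemRoot%\\system32\\shell32.dll,4\n"  # stock folder icon
    "shellexecute=hidden\\run.exe\n"                # what really runs
    "xyz123 padding line with no delimiter\n"       # junk is ignored
)

if __name__ == "__main__":
    print(assess(BENIGN_INF), assess(FAKE_BROWSE_INF))
```

Pointed at the autorun.inf on a removable drive, the same heuristics tell a helpdesk which sticks to quarantine before anyone clicks the dialog.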

  4. Re:ISP Blacklists by ChienAndalu · Score: 4, Interesting

    1) ISPs would have to put in effort and money to combat these things

    Depending on the amount of traffic that worm generates, it might even be worth it.

  5. Re:This is what baffles me... by chalkyj · Score: 5, Informative

    It's poorly phrased. It doesn't create 250 domains per day, it CHECKS 250 domains per day. The botnet controller only needs to create one of those domains to upload new instructions.

  6. Trivial for a worm to change the flag? by transporter_ii · Score: 4, Informative

    I would have to agree. I fought what I think is this worm at work for a week or so. If not, here is what I fought.

    *Would disable Recovery Console so you couldn't go back to an earlier date.
    *Spread by USB thumb drive.
    *Stick in a thumb drive, if the computer had AVG, it would detect it, but not be able to "heal" everything...but by this time it was too late.

    One variant of it put in a rootkit and blocked all access to antivirus sites. You could go anywhere on the Internet unless it happened to be an antivirus site.

    This same one also blocked exe files if they happened to be something like Spybot Search & Destroy. It just wouldn't run anymore.

    Also, it turns off the ability to change settings to view hidden files and folders, so you can't see the folders it adds.

    My guess is, it is pretty freaking trivial for these people to do whatever they freaking want in Windows (except for probably disabling DRM!).

    Transporter_ii

    --
    Doctors destroy health, lawyers destroy justice, universities destroy knowledge, religion destroys spirituality
  7. Re:Patch and Pray: Windows is a costly liability by Spad · Score: 4, Insightful

    *ALL* operating systems must be constantly patched to protect against the "latest" threats. Windows just gets the majority share of attention because there are millions of Windows boxes, many unpatched, many owned and operated by computer-illiterate users who have little or no interest in securing them (and even in Vista, which is a vast improvement on XP from a security perspective, the default security leaves a lot to be desired).

    Ok, they are *usually* less serious than this particular vulnerability, but my Ubuntu box downloads "critical" updates at least once a week on average.

    Microsoft have made a lot of bad design decisions in their products, often in order to thwart competition, but them actually being incompetent or negligent, especially in recent years, is a lot harder to prove.