Slashdot Mirror


Conficker Worm Could Create World's Biggest Botnet

nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"

8 of 220 comments

  1. follow the money. by leuk_he · · Score: 5, Interesting

    It should not be that hard to follow the money generated by this malware. Infecting 8 million PCs should be a crime.

    From the write down, it downloads data from

    " hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe"

    follow that money and the bad guys will be found quickly.

    1. Re:follow the money. by Richard W.M. Jones · · Score: 5, Insightful

      It's not like the FBI and Interpol are going to look at the bogus whois information and throw their hands up and say "oh noes". They can go and raid the registrar's offices and find out what IPs registered the domain, what credit cards (stolen or not) were used, and if they were stolen, where from and when. Furthermore the worm has a whole list of websites, so every single one of those can be checked in the same way, and even if they are all hijacked, there will be hundreds of potential clues about the perpetrators.

      Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc the list goes on. The police need to do something to help us.

      Rich.

    2. Re:follow the money. by mlush · · Score: 5, Insightful

      Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc the list goes on. The police need to do something to help us.

      Rich.

      I think you should be careful what you wish for. The Police could do something, they could turn the Internet into a Police State.

  2. Re:How can it spread through USB sticks? by k.a.f. · · Score: 5, Informative

    I don't use Windows much but I assumed MS had disabled or at least set the default to off of the autoexec.bat feature so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??

    It posts an "execute" option in the autoplay dialog that looks almost exactly like the harmless "browse folder" option, complete with misleading folder icon. It's moderately clever, but of course still requires autoplay to be enabled.

  3. Re:How can it spread through USB sticks? by Spad · · Score: 5, Interesting

    Autorun is still enabled by default in Windows for all removable devices.

    USB sticks are a little odd though as autorun only works for certain ones with a specific hardware flag set. I would guess it's trivial for this worm to change the flag to enable autorun, however.

  4. Re:How can it spread through USB sticks? by Zocalo · · Score: 5, Informative

    Conficker basically does some social engineering. Unless Autorun is disabled (it still isn't by default) when you insert a USB stick on a Windows box you get a dialog box asking what you want to do. One of the options on the box appears as "Open folder to view files" which might sound innocuous, but is actually an "autorun.inf" option created by Conficker that in reality runs the virus. The only real clue that you have that something is amiss is that the real "Open folder" option is visible below the Conficker-generated fake.

    --
    UNIX? They're not even circumcised! Savages!
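
Added example, not part of the original thread or any commenter's code: a Python check a defender could run over a removable drive's autorun.inf to flag the disguise described in the comments above, an AutoPlay entry captioned like the built-in "Open folder to view files" option and given a folder-style icon. The two sample files, the name PLACEHOLDER.exe and the shell32.dll icon heuristic are assumptions made for illustration.

```python
import re

# Caption of the genuine AutoPlay entry, as quoted in the comment above.
BUILTIN_CAPTION = "open folder to view files"
# autorun.inf keys that make AutoPlay launch a program.
EXEC_KEYS = ("open", "shellexecute", "shell\\open\\command")
KEY_VALUE = re.compile(r"^\s*([A-Za-z\\]+)\s*=\s*(.+?)\s*$")

def parse_autorun(text):
    """Return {key: value} from the [autorun] section, skipping junk lines."""
    entries, in_section = {}, False
    for line in text.splitlines():
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.lower() == "[autorun]"
            continue
        match = KEY_VALUE.match(line)
        if in_section and match:
            entries[match.group(1).lower()] = match.group(2)
    return entries

def audit_autorun(text):
    """List the reasons an autorun.inf looks like a disguised launcher."""
    entries = parse_autorun(text)
    command = next((entries[k] for k in EXEC_KEYS if k in entries), None)
    if command is None:
        return []  # nothing is executed, so there is nothing to disguise
    findings = []
    if BUILTIN_CAPTION in entries.get("action", "").lower():
        findings.append("caption imitates the built-in 'Open folder' entry")
    if "shell32.dll" in entries.get("icon", "").lower():
        findings.append("icon taken from shell32.dll (assumed heuristic)")
    if findings:
        findings.insert(0, f"entry runs a program: {command}")
    return findings

# Constructed samples, not taken from a real infected drive.
DISGUISED = """[AutoRun]
;x7q constructed padding line
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
ShellExecute=PLACEHOLDER.exe
"""
VENDOR = """[autorun]
open=setup.exe
action=Install Example Driver
icon=setup.exe,0
"""
```

`audit_autorun(DISGUISED)` returns three findings, while the ordinary installer entry in `VENDOR` returns none because its caption and icon do not imitate the built-in option.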
  5. Re:How can it spread through USB sticks? by h3rmanni · · Score: 5, Informative

    http://www.f-secure.com/weblog/ has screenshots showing how exactly it executes from USB sticks under Vista and Windows 7 beta.

  6. Re:This is what baffles me... by chalkyj · · Score: 5, Informative

    It's poorly phrased. It doesn't create 250 domains per day, it CHECKS 250 domains per day. The botnet controller only needs to create one of those domains to upload new instructions.