Downadup Worm — When Will the Next Shoe Drop?
alphadogg writes "The Downadup worm — also called Conflicker — has now infected an estimated 10 million PCs worldwide, and security experts say they expect to see a dangerous second-stage payload dropped soon. 'It has the potential to infect about 30% of Windows systems online, a potential 300 to 350 million PCs,' says Don Jackson, director of threat intelligence in the counter threat unit at SecureWorks. The worm, first identified in November and suspected to have originated in the Ukraine, is quickly ramping up, and while Downadup today is not malicious in the sense of destroying files — its main trick is to block users from accessing antivirus sites to obtain updates to protect against it — the worm is capable of downloading second-stage code for darker purposes."
the worm is capable of downloading second-stage code for darker purposes."
So it might download vista?
And now we rediscover why monocultures don't work (and are generally not found) in nature.
It is a miracle that curiosity survives formal education. - Einstein
I, for one, would like to welcome our new Ukrainian Worm Overlords.
Use a hardware router, use a real anti-virus program that actually publishes updates everyday (Nod32 for me), and use a browser where you can kill anything that tries to auto install itself (firefox, chrome, etc).
And don't forward or respond to chain emails!
When you see it divert fractions of pennies into a bank account they control.
You'll all thank me when I deploy the second stage to install and run SETI@home and discover alien intelligence.
-Virus Author
Windows is actually far more secure than Linux. Get the facts, people.
... that I can't get Windows apps to do what I want without crashing, but it runs teh evil viruses perfectly?
They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
Windows has been ready for the desktop for years now.
When will it be ready to connect to the internet is another issue entirely, and I wouldn't recommend anyone waiting to see the day - they'll see their retirement checks long before it happens.
When will Windows be ready for the desktop? Srsly.
Microsoft patched this and issued the fix through Windows Update a month before the worm was even in existence. It's only stupid fucks who don't update their OS that've got infected.
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
If this thing is a malicious software delivery system, wouldn't it be possible to hijack it and have it download something that removes it?
Fun with Anagrams! LADS HOST, SHALT DOS. HAS DOLTS. AD SLOTHS, HATS SOLD. ASS HO, LTD.
See, this is why Micro$oft is correct with DRM and giving users less control. If M$ controlled every aspect of the computer - what programs you can install/run, what websites you visit this worm would not infect a single computer because a patch was available.
That's what I thought the article was about when I read the headline...
"The Downadup worm - also called Conflicker - has now infected an estimated 10 million PCs worldwide,
Ashamed of being fucked with, victims call "conficker" now "conflicker" or with the euphemism "downadup". It does not matter, it all adds up down there if you are screwed with.
In Taiwan, hooker finds you!
And don't use email, or browse, or or or..
Only way to be 100% safe is to not be online at all.
---- Booth was a patriot ----
"If we were a proper country like Soviet Russia they would get the Siberian wolf blowjob by now."
Thanks to the internet, not only do I know that for some people that would not be a punishment,
but that others wish they were the wolf.
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
3/10
"If for any reason you're not satisfied with our service, I hate you."
There's a more technical examination of the virus at https://forums.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717
"Politicians and diapers must be changed often, and for the same reason."
Creating a virus could be like finding x > 0 such that f(x) = 0 where
f(x) = sin(log(x)) [Windows]
f(x) = 1 [Linux].
I.e. it might not always be possible.
You mean Africa, with 20% of population infected with AIDS.
Taiwan has 0.1% of population infected.
This computer worm is indeed tricky. It inserts code via vulnerabilities, guesses passwords, spreads via domains if possible, and so on.
Downadup vs Morris - which one will prevail?
Round One, Fight!
"From where do you want to get pwned today?"
It's 2009... I can't believe we're still dealing with this crap in 2009.
You are in a maze of twisty little passages, all alike.
I wasn't aware that worms wore shoes. Lucky this thing isn't a centipede, or worse a millipede. We'd never hear the end of those other shoes dropping if it were!
And I'm using it to 'infect' their PCs with Linux. It'll stop all future virii as well as creating a wave of happiness. Dark purposes, it's all how you look at it. Sure they'll hate me for a while, but then they'll love me and I'll reveal my identity and be a hero!
But it's "Ukraine", not "The Ukraine".
At least, that's what Ukrainians say.
Just sayin... And that's what the Ukrainian rocket scientist I know says also.
deleting the extra space after periods so I can stay relevant, yeah.
Uh huh, sure you are.
If you were truly a Linux power user, then you'd know that the Linux/UNIX security model is not conducive to the spread of viruses since any program attempting to modify system files would require root access first.
^^vv<><>BA
Windows is actually far more secure than Linux. Get the facts, people.
... Please don't feed the trolls.
Only to idiots, are orders laws.
-- Henning von Tresckow
Microsoft patched this and issued the fix through Windows Update a month before the worm was even in existence. It's only stupid fucks who don't update their OS that've got infected.
Ahh.. that's all right then.. So you are saying more than the thirty percent mentioned will be getting it..
It is difficult to get a man to understand something when his job depends on not understanding it.
Moot point unless the only way you do anything as root is through a shell in one of the virtual terminals or xdm. If you ever give your root password in a logged-in X session, or as your user (su or sudo), your machine can be compromised. su, bash, etc. can all be replaced with sinister versions, and the next time you su to root, your password is captured.
--
WHO ATE MY BREAKFAST PANTS?
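The trojaned-su scenario in the comment above (a replacement `su` or `bash` placed where the shell finds it first, logging the password before handing off to the real one) can at least be checked for. The following is an added example, not code from the page or from any of the posters. It assumes a Linux-style PATH layout and treats the four listed directories as the package-manager-owned ones; both the helper list and the trusted-directory list are assumptions for the example. It resolves each helper the way a shell would and flags any that resolves outside the trusted directories, is not root-owned, or sits in a file or directory another account could overwrite. `demo()` constructs the comment's scenario with a user-owned directory placed ahead of the system ones.

```python
import os
import stat
import tempfile

# Helpers a trojaned replacement could use to capture the root password
# (selection made for this example; extend to taste).
PRIVILEGED_HELPERS = ("su", "sudo", "bash", "sh", "passwd")

# Directories assumed to be owned by the package manager; a helper that
# resolves anywhere else is suspect (assumption for this example).
TRUSTED_DIRS = ("/bin", "/sbin", "/usr/bin", "/usr/sbin")


def resolve_first(name, path_dirs):
    """Return the file a shell would execute for `name`, following PATH order."""
    for directory in path_dirs:
        candidate = os.path.join(directory, name)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None


def audit_helpers(path_dirs, trusted_dirs=TRUSTED_DIRS, names=PRIVILEGED_HELPERS):
    """Flag helpers that resolve outside trusted dirs, are not root-owned,
    or could be overwritten by a non-root account.
    Returns a list of (name, resolved_path, [problems])."""
    findings = []
    for name in names:
        hit = resolve_first(name, path_dirs)
        if hit is None:
            continue
        file_st = os.stat(hit)
        dir_st = os.stat(os.path.dirname(hit))
        problems = []
        if os.path.dirname(hit) not in trusted_dirs:
            problems.append("resolves outside trusted dirs")
        if file_st.st_uid != 0:
            problems.append("not owned by root")
        if file_st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("binary is group/world writable")
        if (dir_st.st_mode & stat.S_IWOTH) and not (dir_st.st_mode & stat.S_ISVTX):
            problems.append("directory is world writable without sticky bit")
        if problems:
            findings.append((name, hit, problems))
    return findings


def audit_current_path():
    """Audit the helpers as seen from this process's own PATH."""
    return audit_helpers(os.environ.get("PATH", "").split(os.pathsep))


def demo():
    """Constructed scenario: a user-owned directory placed ahead of the system
    directories shadows `su`, which is how a sinister replacement gets run
    instead of the real one. Returns the audit findings."""
    shadow_dir = tempfile.mkdtemp(prefix="su-shadow-")
    fake_su = os.path.join(shadow_dir, "su")
    with open(fake_su, "w") as fh:
        fh.write("#!/bin/sh\n# stand-in for a password-logging wrapper (demo only)\n")
    os.chmod(fake_su, 0o755)
    return audit_helpers([shadow_dir] + list(TRUSTED_DIRS))


if __name__ == "__main__":
    for name, path, problems in demo():
        print(f"{name}: {path}: {', '.join(problems)}")
```

The script sees only the filesystem; `type -a su` in the interactive shell covers the alias and shell-function case it cannot see, and `dpkg -V` or `rpm -V` compares the resolved binaries against the package checksums.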
Interestingly you can already be 99.9999% safe simply by using a Mac or Linux.
Neither e-mail nor browsing applications are broken per se - it's that one operating system.
Where do I go to get a script that searches for it and removes it?
I'm sure I have coworkers that need this removed from their computers at work..
--- We need more Ron Paul!
I never said Linux couldn't be compromised, alas, I routinely need to install security patches because new exploits are discovered all the time.
What I said was "the Linux/UNIX security model is not conducive to the spread of viruses". Getting rooted locally is quite a bit different than spreading viruses to other Linux machines that would also need to be exploited for the virus to get root access.
^^vv<><>BA
Is the movie coming out?
A computer worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough to still think Windows is not ridiculously and unfixably insecure by design.
Despite many years' warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying "COME AND GET IT."
Microsoft cannot believe people have not applied the patch for the problem, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. "Don't they trust us?" asked marketing marketer Steve Ballmer.
Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. "There's a reason the Unix system on Mac OS X is called Darwin," said appallingly smug Mac user Arty Phagge.
"It can't be stupid if everyone else runs it," said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. "Macs cost more than Windows PCs."
"Yes," said Phagge. "Yes, they do."
Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can't say we care.
http://rocknerd.co.uk
Interestingly, security through obscurity is not real security.
Just get a Mac already. Seriously.
And yet, the exact same security model is present in Windows Vista: users need to provide an administrative password to elevate security privileges for a process that requires administrator-level access, or, even if you are logged in as administrator, you need to provide confirmation to conduct administrator-flagged actions.
This is the premise behind Vista's UAC.
Notice how universally it is panned as being useless, despite being exactly the type of security model you advocate?
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
Don't be so down. On the up side, it is also capable of downloading cheerfully singing chipmunks.
And after reading your link (I didn't bother to click because you were wrong regardless), it even validates my point further down the page. Good job showing everyone you fail at reading.
Well, considering that OS X and Linux are on something like 15% of all computers and the users don't use any anti-virus because they don't "need" it...
Not a Twitter sockpuppet... but I wish I was.
I've never had to deal with it, and as I don't "do" Windows, I probably never will. However, I get the impression that Vista's UAC is hated because it pops up that dialog for every, single, solitary change that's made while you're installing a program, even though you've already given the Administrator password. And, while I'm thinking of it, UAC may be based on the Linux security model, but it's certainly not a copy of it. In Linux, you give the password once, when the installation program starts, and that's all the authorization needed. I've done system updates with forty or more packages being downloaded and installed, with old versions removed, and, except for checking with me to make sure that I want it to go ahead (it asks me once, and once only, for the entire transaction), It Just Works.
Good, inexpensive web hosting
I think the parent just dissed homoculture. No pun intended, mentioning "parent" in this sentence.
Seriously, to continue the metaphor, mixed environments may be safer for the herd, but it still sucks if YOUR family gets stricken, even if for the greater good.
That's 15% between the two (I'm sure Apple probably has the larger slice of that 15%), and they still don't make up the overwhelming majority. Call me when either one hits a market share of 30%. Those operating systems have holes too. Just because the majority of the people in the virus scene ignore them doesn't mean they aren't there.
I don't remember Linux asking confirmation for every root-user action.
Try again next week.
Yup, it's effectively modeled on the "su" principle, but as you say it requests frequently rather than once per session/task or for say a timed period. The trouble is, as you say, it pops up so often it's actually more counter productive than useful.
It's the first thing I disable, I don't enjoy it asking me twice for every minor change I do. I'll take the risks without it.
Not only that, 90% of typical users do not want to be pestered all the time; they just want to use the damn computer..
If you were truly a Linux power user, then you'd know that the Linux/UNIX security model is not conducive to the spread of viruses since any program attempting to modify system files would require root access first.
There's not much the average virus needs to do that requires "modifying system files".
It's not the "security model" that's non-conducive to viruses spreading in Linux, it's the users.
Is that the site that compares smoking pot to shooting heroin?
An infected system can be updated to get a more destructive payload. No, really? Now that's new, no worm or trojan ever did that before!
A compromised system is open for additional infections to be chosen by the one that compromised it. C'mon, people, at least you here should react with a "no shit, sherlock!"
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
And how does that relate to the point I made?
By using OSX or linux you get both, the benefit of a system that was designed with security in mind and the benefit of a system that isn't targeted much by worm writers.
Every time we have something like this, there's a scream, a panic, a pity party. Hey, how about someone provides some SOLID information, like a reputable link to a means of checking and clearing YOUR system, a list of AV providers who have updated their detection. Otherwise you read this and you are left wondering and worrying. Maybe this should be a mandatory part of any such posting - here is "Problem A" or "Threat B" _and_ a link to how the flaming duck to check if you have it.
Well then, I think I'll stick to my "fringe" OS. Thank you very much.
Fail. Although Linux users are indeed generally more educated on the finer points of computing, there seems to be this persistent myth that Linux doesn't get viruses because it has such a small user base. Linux servers control a major portion of www. If those aren't prime targets then what is? Plain and simple, the Linux security model is superior.
^^vv<><>BA
no, it only works on 30% of machines.
If you mod me down, I will become more powerful than you can imagine....
Well done. You've also just answered why 2/3 of Americans without broadband don't want it.
Back in the nineties, I encountered a worm whose payload was to steal cycles on machines to participate in one of the RSA factoring challenges. I got a call just as Christmas break started from someone at another university saying that someone on our network was trying to brute force machines on their net.
The culprit was a new SGI machine with a default root password that had been installed without the knowledge of anyone in the computer centre. When I checked to see what it was doing, it was (a) trying to spread itself, and (b) participating in a public RSA factoring challenge.
Prime numbers are exactly what Alan Greenspan says they are -S. Minsky
It doesn't matter how bad and unsafe Windows is. Microsoft Windows is like the air. People are going to keep breathing it no matter who farted in the room. People live in the most polluted places because that's where they live, that's where they work, that's where they play. I could tell you all day long about this other place... with clean air, that's safe, that's stable and all that... and most people might be intrigued but very few will vacation there and even fewer will actually move there. This is how people work.
Linux needs an Apple logo before the masses will move to it.
Yeah, but good practices like having "no open ports" and "don't execute files in every damned media you mount" are good security practices. Practices that Windows fails at. Still.
Help stamp out iliturcy.
You can find a complete and total permanent fix here or here. There are other sources, but you get the picture. We're 23 years into this Microsoft Malware problem and it's only getting worse.
Any other answer you get to this question is completely bogus.
Help stamp out iliturcy.
Did some research to try to quantify that "many"...
Based on a search at secunia.com there were a total of 10 Linux privilege escalation bugs reported for 2008.
Of those, 5 were in proprietary software packages for Linux: Acrobat Reader, MaxDB, Avaya, SSH Tectia Client, and Red Hat Enterprise Linux. Not interesting for ordinary desktop users.
Of the other 5, 1 was in KDE, so that wouldn't affect 100% of Linux users, let's be generous (the most popular free distros use Gnome) and say that's 50% of users.
Of the other 4, 1 seems to work on general Linux systems (sys_remap_file_pages() bug).
Of the other 3, 1 requires the USBLCD driver to be used or only gives group privilege escalation, 1 requires Intel G33 series or newer chipset, and 1 requires that the kernel is running as VMI guest on a x86 system. How many boxes does that cover? Not many, except perhaps for the Intel chipsets --- let's say another 50% (because I have no idea what market share Intel has).
So that's something like 2, maybe 2.5 bugs in all of 2008. Is that "many"? Matter of opinion.
Isn't targeted much by worm writers yet. That's the key difference. Once market share grows, people will start poking holes in it. Sure, they probably are more secure than Windows in a lot of ways, but that doesn't mean someone couldn't find exploits if they really wanted to.
I can't believe people still haven't heard of NoScript
It (along with adblock plus) is the reason Firefox is the most secure browser.
If this were really happening, what would you think?
WARNING: don't click on this link, just copy the wget command to a shell. Don't say I didn't warn you...
I don't care. I don't let random pages execute scripts. In fact, I have a policy of strictly not enabling scripts on any page linked from slashdot...
UAC does exactly what it is supposed to do- it pops an elevation prompt for every process that requires elevation. As far as I'm aware, you can't 'chain' processes (although whether or not you should be able to, IMNSHO, is debatable.)
Things like requiring UAC confirmation to do things like delete certain desktop shortcuts? Probably not terribly useful if you're the user, but perfectly understandable in the security context. Those shortcuts are not located in the user's home folder, but in a common home folder the user does not have access to that places them on all users' desktops. Accessing that common folder requires elevation because it messes with all the users on the system.
That said, if your system is properly configured, you shouldn't run into UAC prompts at most more than once or twice on an average day.
The problem, as you say, is that 90% of typical users want to just use the computer. Which is why the typical user's computer is infested with crap; they don't care about security, and never will. The resulting mess is not so much the fault of the operating system, which does its best to warn the user (and which the user then dutifully goes ahead and ignores) but the fault of the user.
Like this worm, for example- a security vulnerability for which a security patch was made available months ago. Any user who is still vulnerable is vulnerable because of their own lack of action.
"It is possible to commit no errors and still lose. That is not a weakness. That is life." -Peak Performance
What makes you think that a virus requires root access, or needs to modify system files?
..and before you go on that a virus can't do much to harm your system if it doesn't have root..
You have drunk some fairly ignorant koolaid, it seems.
The modern virus doesn't try to harm your system. Usually they try to harm other people's systems, or fill other people's e-mail boxes and other such stuff, by using your system and network connection. They can do this using programs and services that your regular account has full rights to access and leverage, be it Linux, Windows, or OS X.
The idea that this security model is somehow preventative is completely ignorant. You get these viruses by being stupid, and they don't need root privileges for that. The odds are that if you are stupid you are going to give 'em the keys to the kingdom anyways, not that they need it.
"His name was James Damore."
I've just moved my sister over to Ubuntu after she got infected with this POS mess - We've been trying to clean her Windows partition for a week and a half now, and the damn thing seems to be just about unkillable.
The interesting thing is - I set up her PC, and at this point we have no idea how the damn thing got in. She *did* have automatic updates turned on, antivirus, doesn't own a USB key, spybot, ad aware, the whole nine yards, even unto having a secure password.
And at this point, it looks as if the Windows partition will need to be reformatted and redone from the ground up.
Whatever it used, it sure wasn't something patched in October of '08.
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
If you're warning against clicking the link, don't include it in your own post. Thank you.
My sig will be released in 2015 third quarter. Rating pending.
Fail. Although Linux users are indeed generally more educated on the finer points of computing, there seems to be this persistent myth that Linux doesn't get viruses because it has such a small user base.
That is an important factor. However, by far the biggest reason is - as I said - because Linux users don't represent anything like the exploitability as Windows users.
It's not because there are fewer of them - although that certainly plays a non-trivial part - it's because Linux users are far (*FAR*) less likely to let a virus into their system, either by leaving known security holes unpatched, or by the more common method of being socially engineered into executing it.
Linux servers control a major portion of www. If those aren't prime targets then what is?
Desktop PCs run by ignorant end users outnumber Linux servers tens of thousands to one. Why would you try to aim a virus whose success is largely predicated on a low level of knowledge and experience from the victim, at systems run by seasoned professionals ?
Or, to put it another way, not only will you be able to exploit something like 50,000+ desktop PCs to every web server, when you do exploit the average desktop PC, chances are extremely low it will ever be detected, so you basically have the run of the machine. However, if you exploit the average web server, chances are extremely high your intrusion will be detected and fixed within a matter of hours or days.
Plain and simple, the Linux security model is superior.
The classic UNIX security model (as used by most Linux installs) is demonstrably inferior to Windows NT's.
THIS is a Dick Roll.
http://www.accountkiller.com/removal-requested
Maybe the major linux distros don't have open ports by default but some, like ubuntu, sure mount external mass storage devices with a+x flags by default.
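The two comments above make a concrete, checkable point: a mount of removable media that lacks `noexec` (and `nosuid`, `nodev`) leaves every file on a vfat or ntfs stick directly executable, because those filesystems carry no execute bit of their own. The following is an added example, not code from the page or from any poster; it parses `/proc/mounts`-format lines and reports removable-media mounts missing those options. The mount-point prefixes, the option list and the sample mount table are assumptions constructed for the example.

```python
import os

# Options a removable-media mount should carry (choice made for this example).
REQUIRED_OPTIONS = ("noexec", "nosuid", "nodev")

# Mount points where desktop automounters put removable media (assumption).
REMOVABLE_PREFIXES = ("/media/", "/mnt/", "/run/media/")


def parse_proc_mounts(text):
    """Parse /proc/mounts lines into dicts. Spaces in paths are escaped as \\040."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        device, mountpoint, fstype, options = fields[:4]
        rows.append({
            "device": device,
            "mountpoint": mountpoint.replace("\\040", " "),
            "fstype": fstype,
            "options": set(options.split(",")),
        })
    return rows


def is_removable_media(row):
    return row["mountpoint"].startswith(REMOVABLE_PREFIXES)


def audit_mounts(rows, required=REQUIRED_OPTIONS):
    """Return (mountpoint, fstype, missing_options) for removable media mounted
    without the hardening options. A vfat or ntfs stick mounted without noexec
    presents every file as executable, since those filesystems have no x bit."""
    findings = []
    for row in rows:
        if not is_removable_media(row):
            continue
        missing = [opt for opt in required if opt not in row["options"]]
        if missing:
            findings.append((row["mountpoint"], row["fstype"], missing))
    return findings


def audit_live_system():
    """Audit the running system (Linux only); returns [] where /proc/mounts is absent."""
    if not os.path.exists("/proc/mounts"):
        return []
    with open("/proc/mounts") as fh:
        return audit_mounts(parse_proc_mounts(fh.read()))


# Constructed sample in /proc/mounts format (not captured from a real host).
SAMPLE_PROC_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
/dev/sdb1 /media/user/USB\\040STICK vfat rw,nosuid,nodev,relatime,uid=1000,gid=1000 0 0
/dev/sdc1 /media/user/backup ext3 rw,nosuid,nodev,noexec,relatime 0 0
/dev/sdd1 /mnt/scratch ntfs rw,relatime 0 0
"""


def demo():
    """Run the audit over the constructed sample table."""
    return audit_mounts(parse_proc_mounts(SAMPLE_PROC_MOUNTS))


if __name__ == "__main__":
    for mountpoint, fstype, missing in demo() + audit_live_system():
        print(f"{mountpoint} ({fstype}): missing {','.join(missing)}")
```

For a mount you control, `noexec,nosuid,nodev` in the fstab options column closes the gap the comment describes; `noexec` stops direct execution of files on the stick, not a user who copies them to a home directory first.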
Malware for OSX is being written already (remember infected pirated iWork on torrents?). But full-scale infections like that of Downadup are yet to be seen.
Practice a little proper surf handling and you won't even need antivirus software or spyware scanners. Firefox scans downloads, and you can see the FTP origins anyway before you download. Where you go and what you do has a lot to do with protecting your PC, and antivirus programs are bloated and useless for the most part. Activate your drive logs and use SDFix or ComboFix (http://www.myantispyware.com/2007/11/09/sdfix-free-trojan-remover-tool/) if need be. Firefox has a little window that shows you all your cookies. If you don't want to re-log on to all your accounts by deleting all your cookies...
Every time a new virus or worm hits about half of the PC world I wonder what mystique keeps people using Windows. I think it is a kind of mental disaster that may be compared to drug addiction. Is it market inertia? Is it some kind of world domination conspiracy of the American government? Or what could it be? People think that worms and viruses are normal for any computer, and no one from, e.g., Apple or the FOSS community bothers to explain that viruses and worms can live only in Windows.
Who can explain why people are still buying that piece of crap?
In order for a 'virus' to work, it has to inject code into a binary or a script. The parent's point is that a regular account does *not* have write rights to any of the programs and services he uses.
Given the lacklustre security history of NT servers and desktops, the world eagerly awaits your demonstration.
You know, as a guy who learnt to install Solaris before he learnt to install Windows 3.1, and a Linux user since 1995, and OpenBSD since 1997 or so, I count myself as a pretty knowledgeable Unix person.
And it makes me cringe every time I see some newbie spout these lines.
Here are some facts to enlighten you:
1) The Morris worm did not run on windows.
2) Dr. Cohen, you know, the guy who did the original research on computer viruses, did his research on unix and vms.
Now, I will grant you that the situation has improved since then, but certainly not to the extent that you're now treating it as snake oil - no, UNIX will not fix everything and make you coffee as well.
Given the lacklustre security history of NT servers and desktops, the world eagerly awaits your demonstration.
Per-user ACLs vs User/Group/Other.
All OS objects have ACLs, vs applying permissions only via filesystem abstractions.
Superuser vs none.
Fact: Did you know that if you haven't applied the patch then the worm exploits the service itself and no password cracking is required?
Did you know this isn't the first exploit on this service? Don't you think it's reasonable to expect there will be another one?
The key difference is that the Unices have had a security model from day 1 while windows started as a single-user system.
Linux alone (not counting other Unices) is approaching 20% market-share in the server market which is potentially more attractive to malware writers because the hosts are usually better connected and better equipped. The reason we rarely see botnets span significantly into the server-area is not that the bad guys wouldn't be trying (look at your server-logs sometime) or because the average server-admin was better qualified (look at the millions of broken default installs from various hosting providers). The reason is that it's, on average, a much harder target.
Unix systems have proper firewalling, capability constraints, process accounting etc. built in. They're more transparent and easier to harden - which is exactly what would happen if we'd start to see more widespread attacks.
The mechanics of software security are not exactly rocket science when layered bottom up. Windows is troubled because they basically sprinkled one thin layer of "security powder" on the outside of an otherwise wide open core. Consequently your "personal firewall" is implemented as an afterthought and can be trivially bypassed from an unprivileged account. Such tricks are a bit harder to pull off on OSX or linux.
Newbie huh? I work in information security at a fortune 100 company. I manage 1000 Solaris 10 servers and have been running Linux (Slackware) exclusively for nearly a decade.
Sure, Linux viruses do in fact exist. Are they widespread? No they are not, because they are not easily spread to other Linux boxes.
FYI, worms and viruses are not the same thing. Although Linux worms are also uncommon.
^^vv<><>BA
So what is a "Siberian wolf blowjob" then? I googled the phrase and your comment was the only result.
Yup, newbie. If you can't even take the time to read Dr. Cohen's PhD dissertation to understand why the "security model" you were talking about did not work (and what has changed to reduce that issue in recent years), but instead tell me that you manage 1000 servers and so on, you're a newbie or a pfy. Working in a F100 company in security is not such a big fucking deal, I have that on my resume too, 5 years of that shit. So what?
And I understand the differences between worms and viruses. But you're splitting hairs.
Surely the major ISPs which hold 99% of all users could just block the IPs/DNS names/hosts that the bad guys use in Eastern Europe/Russia.
Personally, unless you have friends in said country, I would firewall *ALL* of ips in said countries at the client/business level.
Is there a country based block configurator? or whitelist western countries only, if there was a simple gui app that did this for windows/linux/routers and made free, it would help a lot of users be protected.
Or the ISP could ask you on application of account - block all of russia/china/EastEU ?
Liberty freedom are no1, not dicks in suits.
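The country-wide block proposed above is a coarse filter at best: the thread's own replies note that this worm spreads by exploiting an unpatched service and via memory sticks, and a botnet's hosts and relays are not confined to the author's country. The mechanism itself is simple, and the following added example (not code from the page or from any poster) shows it with constructed ranges: collapse the CIDRs into the fewest networks, carve out the "friends in said country" exceptions, and emit firewall rules in an order where the exceptions match first. The ranges (documentation address blocks, not any real country's allocations), the exception host and the chain name are assumptions.

```python
import ipaddress

# Constructed ranges using documentation address blocks; they do not
# correspond to any real country allocation.
SAMPLE_COUNTRY_RANGES = (
    "192.0.2.0/25",
    "192.0.2.128/25",
    "203.0.113.0/24",
    "2001:db8::/32",
)


def build_blocklist(cidrs):
    """Parse CIDR strings and collapse adjacent/overlapping ones so the
    firewall gets the fewest rules possible."""
    nets = [ipaddress.ip_network(c, strict=False) for c in cidrs]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def is_blocked(ip, blocklist, exceptions=()):
    """True if `ip` falls in the blocklist and is not covered by an exception
    (the "unless you have friends in said country" case)."""
    addr = ipaddress.ip_address(ip)
    for exc in exceptions:
        if addr in ipaddress.ip_network(exc, strict=False):
            return False
    return any(addr in net for net in blocklist if net.version == addr.version)


def render_rules(blocklist, exceptions=(), chain="INPUT"):
    """Emit iptables/ip6tables commands. Exceptions go first so their ACCEPT
    matches before the broader DROP; rule order in a chain is what decides."""
    lines = []
    for exc in exceptions:
        net = ipaddress.ip_network(exc, strict=False)
        tool = "iptables" if net.version == 4 else "ip6tables"
        lines.append(f"{tool} -A {chain} -s {net.with_prefixlen} -j ACCEPT")
    for net in blocklist:
        tool = "iptables" if net.version == 4 else "ip6tables"
        lines.append(f"{tool} -A {chain} -s {net.with_prefixlen} -j DROP")
    return lines


def demo():
    """Constructed run: one friendly host carved out of a blocked /24."""
    blocklist = build_blocklist(SAMPLE_COUNTRY_RANGES)
    exceptions = ("203.0.113.77",)  # assumed friendly host
    return {
        "networks": [str(n) for n in blocklist],
        "friend_blocked": is_blocked("203.0.113.77", blocklist, exceptions),
        "neighbour_blocked": is_blocked("203.0.113.78", blocklist, exceptions),
        "outside_blocked": is_blocked("198.51.100.5", blocklist, exceptions),
        "v6_blocked": is_blocked("2001:db8::1", blocklist, exceptions),
        "rules": render_rules(blocklist, exceptions),
    }


if __name__ == "__main__":
    result = demo()
    print("collapsed:", result["networks"])
    print("\n".join(result["rules"]))
```

Whatever list feeds `build_blocklist`, the rules only describe source addresses; an infected machine on a local network or a stick in a USB port never passes through them.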
The NT kernel might have better security than Unix, but none of that is available to most NT users (pre-Vista). I don't know about XP Pro, but XP Home has very limited flexibility for permissions.
Not to be a total pedantic ass, but isn't the name of the virus "Cornficker", not "CornFLicker"? Cornficker is bad enough, but I must say Cornflicker makes the mind reel...
Tiller's Rule: Never use a word in written form that you've only heard and never read. You will end up looking foolish.
I'm a local repair shop computer tech and I've seen this twice in the last 3 months. This virus is horrible to try and get rid of. So far no damage done to files, but a note to anyone who is looking to remove it if they've gotten it: part of the infection installs itself as a device driver for the machine. So enable hidden device drivers in the Device Manager and there will be one that sticks out under non-plug-and-play devices. I don't recall the name but it shows a .sys at the end which the others don't...