Slashdot Mirror


New Conficker Variant Increases Its Flexibility

CWmike writes "Criminals behind the widespread Conficker worm have released a new version that could signal a major shift in the way the malware operates. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines."

120 comments

  1. The Botnet National Anthem by Chris Tucker · · Score: 5, Funny

    Botnets, worldwide botnets.
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, TRUE!
    Gateway, Packard Bell, maybe even Asus, too.

    Are boxes, found on botnets.
    All running Windows, FOO!

    --
    Guaranteed! This comment 100% Anthrax free!
    1. Re:The Botnet National Anthem by Anonymous Coward · · Score: 3, Funny

      If they run foo() then all operating systems are vulnerable!
      O.M.G!

    2. Re:The Botnet National Anthem by Chris Tucker · · Score: 1

      I'd mod you up if I could.

      --
      Guaranteed! This comment 100% Anthrax free!
    3. Re:The Botnet National Anthem by wisty · · Score: 5, Funny

      YOU HAVE RECEIVED THE UNIX VIRUS!

      This virus works on the honor system. Please
      randomly delete some of your files and forward
      this to everyone you know.

    4. Re:The Botnet National Anthem by CTRL-Frank · · Score: 1

      AHAHAHAHAH I Love this

    5. Re:The Botnet National Anthem by Anonymous Coward · · Score: 0

      crap. It deleted /vmlinuz. I had to reinstall my system.

      At least it wasn't one that fudges the 40th number it finds in every spreadsheet.

  2. This is slashdot right? by blool · · Score: 4, Interesting

    Why is the summary so devoid of technical detail? You realize we don't read the articles right?

    1. Re:This is slashdot right? by WarJolt · · Score: 0

      Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.

    2. Re:This is slashdot right? by Psychotria · · Score: 4, Informative

      Because the article doesn't have any technical detail either.

      Well, the second linked-to article (the one by SRI) is chock full of technical details; and it's an interesting read.

    3. Re:This is slashdot right? by grizdog · · Score: 4, Funny

      Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.

      Well, I thought there was some useful detail in the article, particularly this:

      Overall, the modifications to Conficker B++ appear relatively minor as compared to the significant upgrade in functionality, performance, and reliability, that occurred from Conficker A to B. These smaller and more surgical changes to B appear to address some of the realities that are currently impacting Conficker's binary update strategy. In particular, in Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction. Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

      However, Conficker A and B did support through the previous netapi32.dll patch an ability to accept new DLLs, as long as the shell code submitted through the RPC buffer overflow matched the original Conficker infection shell code. This approach was limiting both in the requirement that direct flashing required an easily identifiable shellcode string and a single DLL method loading procedure, both of which are now subject to detection by security software. Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host.

    4. Re:This is slashdot right? by Anonymous Coward · · Score: 0

      tl;dr

    5. Re:This is slashdot right? by sexconker · · Score: 0, Redundant

      Slashdot posters rarely read the fucking articles.
      Slashdot readers often take down sites.

      Slashdot readers are a (vastly) superset of Slashdot posters.

      Also, submitted by CWmike?
      Conficker Writer Mike!

    6. Re:This is slashdot right? by MichaelSmith · · Score: 5, Funny

      Cripes, with all the reliance they are placing on Windows internals they will never get this thing ported to *nix. It's almost as bad as AutoCAD.

    7. Re:This is slashdot right? by InsertWittyNameHere · · Score: 5, Informative

      In short, bot herders can now push updates to infected machines rather than relying on the infected machine to seek out and download updates.

      Some quotes:

      "a more efficient push-based updating service"

      "the ability to accept and validate remotely submitted URLs and Win32 binaries, could signal a significant shift in the strategies used by Conficker's authors to upload and interact with their drones."

      "comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%. "

      "out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added. "

      "Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach."

      "Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host. "

    8. Re:This is slashdot right? by Anonymous Coward · · Score: 0

      Yeah, AutoCAD version 9 didn't even use standard C IO mechanisms but went directly to the BIOS; it was a MESS.

    9. Re:This is slashdot right? by Narnie · · Score: 5, Funny

      Microsoft should hire these guys to revamp Windows Update.

      --
      greed@All_Evils:~#
    10. Re:This is slashdot right? by Erikderzweite · · Score: 3, Insightful

      Not only did you read TFA, you followed the link from TFA! I'm sorry sir, but the usual question of whether or not you are new here doesn't apply to you.
      How did it come about that you have a Slashdot account? By ./ standards you are not born yet!

    11. Re:This is slashdot right? by chris_mahan · · Score: 1

      We are supposed to read the summaries too?

      --

      "Piter, too, is dead."

  3. Meep Beep! by djupedal · · Score: 2, Funny

    If you're on the highway and Conficker goes beep beep.
    Just step aside or might end up in a heap.
    Conficker, Conficker runs on the road all day.
    Even the coyote can't make him change his ways.

    Conficker, the coyote's after you.
    Conficker, if he catches you you're through.
    Conficker, the coyote's after you.
    Conficker, if he catches you you're through.

    That coyote is really a crazy clown,
    When will he learn he can never mow him down?
    Poor little Conficker never bothers anyone,
    Just runnin' down the road's his idea of having fun.

    1. Re:Meep Beep! by HTH NE1 · · Score: 4, Insightful

      Poor little Conficker never bothers anyone,
      Just runnin' down the road's his idea of having fun.

      And still true: it still hasn't done anything more than spread and try to keep itself from being purged.

      With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
    2. Re:Meep Beep! by theMoleofProduction · · Score: 1

      Oh why don't you malware like you used to do?
      Spread Conficker like you used to spew?
      I haven't patched my OS since two-thousand-two,
      Why don't you malware like you used to do?

      Ain't had no Clamwin, or a firewall, or an update in a long long whiiiiiiile.
      Can't get to Google or WinUpdate cuz they've hijacked my gosh darn hosts fiiiiile.

      Oh why don't you scan ports like you used to do?
      Treat my pendrive like a prostitute?
      Haven't BSoDed in a day or two,
      So why don't you malware like you used to do?

      --
      Chemists do it with moles.
    3. Re:Meep Beep! by v1 · · Score: 4, Interesting

      I know this is a very unpopular view with a lot of people, but I'd personally like to see a major worm like this pop a msg saying "your computer has been taken over and is available to be used to harm others. You need to take your computer into the repair shop and get it cleaned up and protective software installed".

      And then make windows unable to do anything but display that message when it boots.

      Half the population would be picking up pitchforks, and the other half would be saying THANK you!

      I for one am sick and tired of ignorant computer users getting their machines botnetted, blissfully unaware of the harm they are then contributing to. (and many of them are aware and just plain don't care)

      Do the world a favor. MAKE them care.

      --
      I work for the Department of Redundancy Department.
    4. Re:Meep Beep! by Anonymous Coward · · Score: 0

      Microsoft would run a campaign 'informing' the people that this was all the fault of the freetard Linux and the only solution was Windows 7.

    5. Re:Meep Beep! by couchslug · · Score: 1

      Malware that actually thinned the herd would make for a more robust herd.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    6. Re:Meep Beep! by Anonymous Coward · · Score: 1, Funny

      With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!

      "The Rickroll To End All Rickrolls"

    7. Re:Meep Beep! by cbiltcliffe · · Score: 1

      I've seen things like this before, and the user completely ignored it. Just clicked the window closed, and kept using the computer as before, for months.

      Even one that asked me how to get rid of it didn't care that they were infected....they just didn't want to have to close the window all the time.

      I think the only way to get them to care would be to keep track of the number of times the warning was closed, and once it hit 6, 10, or whatever, it would turn into a modal dialog with no close button, rendering the computer useless until it was fixed. Preferably with a big heading stating "Read this, idiot!!!"

      --
      "City hall" in German is "Rathaus" Kinda explains a few things......
    8. Re:Meep Beep! by Anonymous Coward · · Score: 0

      With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!

      Maybe they're planning a big comeback for Stoned - to happen around 4/20, of course.

    9. Re:Meep Beep! by Anonymous Coward · · Score: 0

      I know this is a very unpopular view with a lot of people, but I'd personally like to see a major worm like this pop a msg saying "your computer has been taken over and is available to be used to harm others. You need to take your computer into the repair shop and get it cleaned up and protective software installed".

      If you truly believe it, make it happen.

      Like all botnets, Conficker is a platform that's sold to the highest bidder. Send the authors enough cash, and you can have Conficker do what you like.

    10. Re:Meep Beep! by Anonymous Coward · · Score: 0

      I long for the "big formatting day". One day some super-darkside hacker *shall* be smart and the mob (Russian or whatever) *shall* try to screw him and he'll fight back. He'll be pissed off (or maybe he'll just win some mega-lottery). In any case, at one point some super-darkside hacker shall have no incentive to use his 100 million Winboxes botnet to send spam or anything. He'll lose interest and start the "big formatting day". 100 million Winboxes wiped clean. No nothing on it. A clean hard disk.

      That's going to be wild.

      Next day you'll see ads: "on xx.xx.2011, 15% of Windows machines suddenly stopped working. On xx.xx.2011, 99.9% of Un*x computers kept working correctly. You decide".

      But please, Windows fanbois, bring the monocrop fallacy etc.

    11. Re:Meep Beep! by Anonymous Coward · · Score: 0

      Next day you'll see ads: "on xx.xx.2011, 15% of Windows machines suddenly stopped working. On xx.xx.2011, 99.9% of Un*x computers kept working correctly. You decide".

      No, we won't. Ads cost money, and nobody wants to spend money promoting something they have to give away for free.

      The only reason Mozilla got an advert up is to push Google ad hits.

    12. Re:Meep Beep! by v1 · · Score: 1

      Though I'd be willing to bet that shutting down their botnet would cost a lot more than the average spyware install or spam run, since it would be their last sale.

      But I bet you're right, they COULD be sold. I bet MS has enough money too. So if they REALLY wanted to get rid of it, I suppose they could pay them off? I don't see that happening though. It would set a nasty precedent that if you build a good enough botnet, MS will bury you in cash to go away. Though the botnet is already insanely profitable. Anyone have some hard (or at least relatively firm) numbers on how much a botnet such as Conficker can net for a herder? We've seen the posts here in the past where they had a full portal interface for people renting their services to send spam etc.

      --
      I work for the Department of Redundancy Department.
    13. Re:Meep Beep! by Raenex · · Score: 1

      Says "couchslug".

    14. Re:Meep Beep! by Anonymous Coward · · Score: 0

      And still true: it still hasn't done anything more than spread and try to keep itself from being purged.

      Posting as AC, because Conficker infected my company's lan and wan network last year, and totally downed the wan routers. Imagine over several thousand infected PCs pumping tons of data to each branch?

      The initial infection came in through 1 source, and then took just an hour to spread out throughout the branches and by the 3rd hour started bringing down the routers.

      The cleanup involved took up the whole IT dept and several service providers (mostly because some branches were very isolated) several weeks before the last one was eradicated.

      so... read between the lines... why else is MS offering a huge reward for the makers?

    15. Re:Meep Beep! by Anonymous Coward · · Score: 0

      Uh, you missed the

      And then make windows unable to do anything but display that message when it boots.

      bit

    16. Re:Meep Beep! by Anonymous Coward · · Score: 0

      and many of them are aware and just plain don't care

      [Citation Needed]

  4. Readable link by Seth Kriticos · · Score: 3, Informative

    Just in case someone really wants to read TFA, here is a link to the more eye friendly version (printer version): http://www.computerworld.com/action/article.do?command=printArticleBasic&taxonomyName=Network+Security&articleId=9128280&taxonomyId=142

    Ps. Just because there is a "Slashdot this article with maximum clutter" button, you don't have to inherently click on it.

  5. It's depressing. by Anonymous Coward · · Score: 2, Insightful

    That a vulnerability patched in October could become a problem.

  6. You're not an idiot, are you? by Anonymous Coward · · Score: 0

    Just because it's SOP for slashdotters not to RTFA doesn't mean you have to be part of the cliché as well, does it? Show some initiative and click on the second link. Read the very thorough analysis and report back here to intelligently discuss what you've learned with your fellow slashdotters. You'll be a better Slashdot member for it.

  7. Will it run on Linux? by erroneus · · Score: 2, Insightful

    I'd seriously like to see some malware attacking Linux users. Ubuntu users might be a good target audience with good vulnerability and gullibility. But I would really like to see some attacks to see if Linux or its users are really so much better than Windows users. Further, I would like to see how much could be blocked and avoided.

    Security isn't as much of a battle among common Linux users and frankly, I wonder how lax we generally are.

    1. Re:Will it run on Linux? by techno-vampire · · Score: 1

      Security isn't as much of a battle among common Linux users and frankly, I wonder how lax we generally are.

      The big problem, I think, would be the fact that most Linux users only install software from their distro's repositories. Most of them don't know how to unpack a tarball, go in with a terminal and use ./configure, make, make install. Unless you can slip something in by having a time delay before it activates, I really don't see how you're going to get much penetration. Not saying it can't be done, just that it's not going to be easy.

      --
      Good, inexpensive web hosting
    2. Re:Will it run on Linux? by Anonymous Coward · · Score: 0

      Most of this crap is spread through bugs and holes in the Windows OS. Linux thankfully is not as crappy of an OS.

      Not to mention the constantly nagging 'Windows Update' icon drives most people bonkers and they just keep hitting 'remind me later'. That is why things like Conficker run wild IMO.

    3. Re:Will it run on Linux? by Logic Worshiper · · Score: 1

      yum, rpm, sh and deb files are all Linux executables (depending on what distro you use) and are all potentially dangerous. Mac is a much bigger target, but they don't even go after that. It's just easier to go after Windows because Windows provides the largest amount of infectable machines, and it's easier to write malware for it.

    4. Re:Will it run on Linux? by icannotthinkofaname · · Score: 1

      I don't think that tarballs aren't that big a deal. I've been running Ubuntu since around New Year's '09 or so, as my first exploration of the Linux world. I broke away from Windows because (a) I was bored of knowing my OS so well and (b) I've been looking for a balance between cheap and stable, and few things if any beat FOSS for that.

      I quickly learned how to build a tarball, whether it's gzipped or bzipped, and I even had a couple of scripts to do it for me (lost them on a reinstall when I got Windows XP from a friend and failed to get grub back from a live disc, and I only keep Windows around because of my gaming addiction). I'll get around to re-writing those at some point and throwing them into /bin where they belong.

      And if malware gets into my system, what's the worst that happens? I'm forced to reinstall my OS again? Gee, like I haven't wiped a hard disk before. >_> That'd be the other problem with attacking Linux systems: we probably don't care as much about whether we will have to reinstall it on a malicious attack, and we have probably been backing up important stuff anyway for a good long while now, too. In other words, we're not nearly the idiots that Windows users tend to be (and I have seen some real idiots somehow manage to use Windows; it's quite sad to watch, honestly).

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    5. Re:Will it run on Linux? by Anonymous Coward · · Score: 0

      I wonder how much projects, particularly care about security!

      I am worried that Windows world has improved in leaps and bounds mainly because so far they have been the most attractive target and that has forced them to change.

      I get the impression that people think that just because you are running Linux you are magically protected from targeted attacks. A myth popularized by the "U foolz, M$ Windoze suxorz, install Linux" crowd.

      We will start to see attacks as Linux gets more popular on the desktop. We should be prepared. I don't want to see a "Linux is not secure" view among the normal users, just as Linux is getting popular on the desktop. Nor do I want my Linux machines to be compromised.

      I hope the distros, if not the projects themselves take security seriously and have enough resources to throw at security.

      ~AC

    6. Re:Will it run on Linux? by Sir_Lewk · · Score: 1

      You seem a little confused. Yum is a package manager, used primarily by Red Hat based distros. It *is* an executable, however there is not much to exploit, you don't "download and install a yum". Similarly, rpm is a program that is located on the host machine already. Alternatively you may have been referring to RPM packages which are not in fact executables but rather packages which rpm (the program previously mentioned) uses to install software. You could package malicious software in an RPM and have the user install it, though I must say that would be an impressive bit of social engineering, requiring the user to not only know what they are doing, but to not know enough to know better. Deb files are similar to RPM files (ie, not executables). "sh" as you call it, otherwise known as shell scripts, are in fact executables and would be the method I'd expect malware for linux to be spread. However, shell scripts are interpreted (by the shell, think batch files in windows/dos) and are thus easily inspected.

      Truthfully though, I think the greatest defense linux users have against malware is the community aspect that has grown up around it. The community contains enough advanced users to recognize and identify any threats and average linux users are unlikely to run/install things they come across on their own.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    7. Re:Will it run on Linux? by bensafrickingenius · · Score: 1

      You've been using Ubuntu for a little over a month (an admitted Linux virgin prior to that), and now you figure you're expert enough to start bashing Windows users? Wow, are you running an Advanced Placement distro of Ubuntu?

      --
      I am not left-handed, either!
    8. Re:Will it run on Linux? by techno-vampire · · Score: 1

      I don't think that tarballs aren't that big a deal.

      Neither do I, but then, we're probably not average Linux users. My sister's been using Ubuntu for over a year now. The other day, she had to download some better drivers for her printer. Even though the OEM's website gave complete instructions on how to install it, keystroke by keystroke, she still asked me to do it for her because she's never been comfortable with a CLI. If it's not in the Ubuntu repository and I'm not there to do the work, new software just doesn't get installed.

      As far as reinstalling the OS goes, I dual-booted Windows/Linux for years before putting the childish toys of Gatesware behind me over a year ago. In all that time, I've had to reinstall because of mucking things up exactly twice, and I run Fedora, a geeky, unstable, constantly-changing distro. I don't even like restarting unless there's a kernel update; last time I did, I blew away over 23 days of uptime. If you're happy with nuking and reinstalling all the time, go for it. It's your box, not mine!

      --
      Good, inexpensive web hosting
    9. Re:Will it run on Linux? by flyingfsck · · Score: 1

      Hmm, actually there are a lot more Linux machines in the world than Windows - about 2.2 billion Linux vs 600 million Windows. Granted, most Linux machines are cell phones and routers, but when did you last hear of a virus infecting a router? Never? Thought so. The day when Cisco starts to build firewalls running Windows and Linux machines have to be hooked up behind dinky little Netgear or Linksys firewall devices running Windows, simply won't happen...

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    10. Re:Will it run on Linux? by arth1 · · Score: 1

      Yum is a package manager, used primarily by redhat based distros. It *is* an executable,

      Except that it is not. It is a python source code file. When you "execute" it, your system reads the shebang on the first line, and calls python with yum as an argument.

    11. Re:Will it run on Linux? by Anonymous Coward · · Score: 0

      So you're saying it's an executable. Good. Glad we got that cleared up.

    12. Re:Will it run on Linux? by Anonymous Coward · · Score: 0

      I think there are more places for spyware to hide inside $HOME than you would care to think of. There are a bunch of files that are executed at times like when X starts, when your window manager starts, and when specific applications start. Would you know how to purge all those files, if one were modified to run a nasty program?

      So reinstalling a system is not a great solution, unless you plan to delete all your own files. (And yes, you could restore your home directory from backups, but how do you know whether the backups are infected?)
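      An added audit script for the point above (written for this page, not posted by anyone in the thread): it walks the per-user startup hooks that run at login, shell, X session and XDG autostart entries, prints their Exec= commands, flags lines that background a process or fetch over the network, and lists hooks changed in the last week, so a defender can decide what in $HOME actually needs to go. It assumes a POSIX shell with find, grep and sed; the sample home directory it audits is constructed inline.

      ```shell
      #!/bin/sh
      # Added example, not from the Slashdot thread. Enumerates the startup hooks
      # in a home directory so they can be reviewed. Assumes POSIX sh + find/grep/sed.

      # Files read by login shells, X sessions and the desktop at startup.
      HOOK_FILES=".profile .bash_profile .bash_login .bashrc .zprofile .zshrc \
      .xinitrc .xsession .xsessionrc .xprofile .Xresources .gnomerc"

      # audit_home_hooks <home-dir>: print one line per hook found.
      audit_home_hooks() {
        home="$1"
        for name in $HOOK_FILES; do
          f="$home/$name"
          [ -f "$f" ] || continue
          printf 'HOOK %s\n' "$f"
          # Lines that background a job or pull something from the network are
          # worth a second look; this is a review aid, not a verdict.
          grep -nE '(^|[^&])&[[:space:]]*$|nohup|curl|wget|base64' "$f" 2>/dev/null \
            | sed "s|^|  SUSPECT $name:|"
        done
        # XDG autostart: each .desktop here has its Exec= line run at desktop login,
        # and Hidden=true keeps it out of the session's autostart settings UI.
        for d in "$home"/.config/autostart/*.desktop; do
          [ -f "$d" ] || continue
          exec_line=$(sed -n 's/^Exec=//p' "$d" | head -n 1)
          hidden=$(grep -c '^Hidden=true' "$d" || true)
          printf 'AUTOSTART %s exec=%s hidden=%s\n' "$d" "$exec_line" "$hidden"
        done
        # Any hook modified in the last 7 days should have an explanation.
        find "$home" -maxdepth 3 -type f -mtime -7 \( -name '.*rc' -o -name '.*profile' \
          -o -name '.xsession' -o -name '*.desktop' \) 2>/dev/null | sed 's|^|RECENT |'
      }

      # make_sample_home: constructed sample data (not a real infection) in a temp dir.
      make_sample_home() {
        h=$(mktemp -d)
        mkdir -p "$h/.config/autostart"
        printf 'export PATH=$HOME/bin:$PATH\nnohup /tmp/.cache/updater >/dev/null 2>&1 &\n' \
          > "$h/.bashrc"
        printf '[Desktop Entry]\nType=Application\nName=Updater\nExec=/tmp/.cache/updater --quiet\nHidden=true\n' \
          > "$h/.config/autostart/updater.desktop"
        printf '%s\n' "$h"
      }

      # Stand-alone run: audit the constructed sample, then remove it.
      sample=$(make_sample_home)
      audit_home_hooks "$sample"
      rm -rf "$sample"
      ```

      Point audit_home_hooks at a real $HOME to review your own hooks; the SUSPECT patterns are deliberately broad and expect a human to read the flagged lines.
      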

    13. Re:Will it run on Linux? by jadedoto · · Score: 2, Insightful

      Not all Ubuntu users are idiots when it comes to Linux. Someone had to create the distribution and someone has to maintain it. I use Ubuntu after years with Gentoo for the pure ease of how things work. And it's got a great community to help others ease into it. It's counter-productive to bash Ubuntu users. Really.

    14. Re:Will it run on Linux? by scientus · · Score: 1

      All you need is a desktop file, and that can automatically then download a program, install to autostart with login and you're golden. Now since Ubuntu does not set gksu to lock the screen you just have to snoop the sudo password and then you have root, baby, root. It's so stupid how non +x files will run.

    15. Re:Will it run on Linux? by scientus · · Score: 1

      That's wrong, rpm and deb are not executables and all require a root password to install and do anything at all. They are just compressed packages of files.

      sh files require +x

    16. Re:Will it run on Linux? by scientus · · Score: 1

      DCC SEND HAHAHAHAHAHAHAHAHA

    17. Re:Will it run on Linux? by Darkk · · Score: 1

      What I do like is the fact that the .deb files delivered via updates are signed by a trusted authority. Every once in a while I would get an update saying this package can't be authenticated, asking me if I want to continue with the update. I usually say no unless I can actually trust the source.

      Only time I ran into this is updating Open Office 3.0

    18. Re:Will it run on Linux? by icannotthinkofaname · · Score: 1

      Never said expert, dude. Said I could install tarballs, and said that I have seen some idiot Windows users.

      I was running a Kubuntu live USB one day, and the guy next to me asked me where all the "stuff" was. When he motioned to the desktop, I realized that he mentioned the icons, which were present in the school's Windows stuff, but not my Kubuntu live session. Decided to leave it at "This isn't Windows." Was about three seconds away from flooding his ears with shit he would never understand.

      I have been asked multiple times by the same guy how to save stuff to a flash drive and how to remove it. I swear, if I weren't paranoid of getting into school trouble, I would have smacked the guy the first time he asked.

      Granted, community college isn't the best place to find computer-oriented people (I swear, I am working on getting back into CMU), but it does give nice support to the argument that Windows users can, in fact, be idiots. I could have bashed these morons without installing Linux just because Microsoft Windows became boring as a computer experience.

      By the way, is there such a thing as an Advanced Placement distro of Ubuntu that I could run? Or are you just suggesting that I install Debian? I'd consider it for the massive learning experience that I imagine is available.

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    19. Re:Will it run on Linux? by icannotthinkofaname · · Score: 1

      (And yes, you could restore your home directory from backups, but how do you know whether the backups are infected?)

      Nice question. I bet if a solution had been found by now, it'd be as emphasized as possible for Windows users. If a solution were available, Conficker might have a harder time spreading through USB drives.

      Or maybe I'm just an idiot and I don't think outside the box. Is there such a solution?

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    20. Re:Will it run on Linux? by Sir_Lewk · · Score: 1

      It may not be compiled machine code, but it IS an executable. Check to see that it has the executable bit set yourself.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    21. Re:Will it run on Linux? by arminw · · Score: 1

      ... and average linux users are unlikely to run/install things they come across on their own...

      And that is also the reason why Linux will always be a beloved geek operating system that is too complicated for ordinary users. All programs are harder to install and get working properly, which fortunately also includes viruses and worms.

      --
      All theory is gray
    22. Re:Will it run on Linux? by Anonymous Coward · · Score: 0

      There are a bunch of files that are executed at times like when X starts, when your window manager starts, and when specific applications start.

      rm -rf ./.[!.]* ./..?*                        # every dotfile and dot-directory, without matching . or ..
      cp -r --no-preserve=ownership /etc/skel/. .    # skel's files are themselves dotfiles, so copy the directory contents rather than /etc/skel/*

      X or your desktop manager will rebuild whatever config files it needs, as will any programs that you run. You'll lose the existing configs and all your bookmarks, of course, but it doesn't matter because it was all suspicious anyway.

      There is very little in those .files that you should bother backing up at all, and you have to exclude them from your backup script anyway or you'll be backing up a bunch of cache files (firefox's can be quite large...) that don't rdiff well, because they're cache files.

    23. Re:Will it run on Linux? by Anonymous Coward · · Score: 0

      Programs not in the repositories can be more difficult to install.

      But if there's a deb, rpm, or whatever prepared for your distro, you can just double-click on it just like in windows. It's still a little bit harder (you have to select the correct package*) but it's not so bad as to be a real obstacle if the application writers were the least bit prepared.

      *or one that's close enough for the package manager to know how to translate it.

    24. Re:Will it run on Linux? by zippthorne · · Score: 1

      Yes. Download the Ubuntu Alternate Install CD.

      It's not really any different once you've installed everything, but it's a text based installer with a lot more options. (full disk encryption, for one)

      If you really want to impress the zealots, though, forget Ubuntu, and skip right past Gentoo and try your hand at LFS. (linux from scratch)

      --
      Can you be Even More Awesome?!
    25. Re:Will it run on Linux? by arth1 · · Score: 1

      Setting the executable bit on a file doesn't transform it into an executable. Try setting the execute bit on /etc/resolv.conf and see what that does.

      If you add "#!/bin/tail +2" to the top of /etc/hosts, and chmod +x it, you can call it, and it will print out itself. That doesn't mean it's an executable. tail is the executable.
      Likewise with yum, where python is the executable -- yum is the source file that python compiles, transparently to the user, when he types in "yum".

    26. Re:Will it run on Linux? by Sir_Lewk · · Score: 1

      If you really want to be pedantic, then yes, Python is an interpreted programming language and a python program is not, for example, an ELF file. However, for the scope of this conversation explaining the difference between RPMs and yum, the presence of an executable bit and python's interpreted nature make it perfectly reasonable to call them executables. In fact, it is not at all uncommon to refer to scripts as executables in nearly any situation. All of this is irrelevant to the topic at hand though and I suggest you attempt removing the stick from your ass.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
    27. Re:Will it run on Linux? by dotgain · · Score: 1

      Jeez, I sure hope all your pointless hair-splitting and knowledge-spewing made your dick bigger, because it sure added NOTHING to the discussion.

    28. Re:Will it run on Linux? by smoker2 · · Score: 1

      You ought to read your own sig.

    29. Re:Will it run on Linux? by icannotthinkofaname · · Score: 1

      Linux from scratch? Ooh, cool. I gotta work my way up to that.

      Will do some Googling later.

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    30. Re:Will it run on Linux? by Sir_Lewk · · Score: 1

      What a superb rebuttal! Truly now I see the error in my logic, thank you for your great insight.

      --
      "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
  8. URL Generation by phantomcircuit · · Score: 1

    Basically the code now generates a random URL based on the date obtained from a remote server and then verifies any updates on the generated URL with RSA.

    Seems sort of obvious
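    The scheme phantomcircuit describes (domains derived from the date, then a signature check on whatever is fetched from them) as an added worked example, not Conficker's code and not anything from the SRI report: the domain-derivation function, the TLD list, the tiny textbook RSA key and the in-memory stand-in for DNS/HTTP are all constructed for illustration, and the real worm's algorithm and key differ. It also shows the defender's side of the same design: anyone with the algorithm can precompute the domain list in advance, but without the private exponent a sinkholed domain cannot serve a payload the bot will accept.

```python
from __future__ import annotations

import hashlib
from datetime import date, timedelta

# ---- Constructed, illustrative parameters: NOT Conficker's real DGA, key or TLDs ----
TLDS = ("com", "net", "org", "info")
DOMAINS_PER_DAY = 16
SCENARIO_DAY = date(2009, 2, 20)      # constructed scenario date

def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Derive the day's candidate update domains from the date alone.
    Bot and botmaster share only this function; no hostnames are hard-coded,
    so seizing one domain does not stop the next day's rendezvous."""
    out = []
    for i in range(count):
        h = hashlib.sha256(f"{day.isoformat()}/{i}".encode()).digest()
        length = 8 + h[0] % 5                              # label of 8..12 chars
        label = "".join(chr(97 + b % 26) for b in h[1:1 + length])
        out.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return out

# ---- Toy textbook RSA so the update check runs with the standard library only ----
# Two Mersenne primes keep the key readable; a real key is 2048+ bits with padding.
_P, _Q = (1 << 127) - 1, (1 << 89) - 1
RSA_N = _P * _Q                                            # public modulus (~216 bits)
RSA_E = 65537                                              # public exponent, embedded in the bot
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))              # private exponent, botmaster only

DIGEST_BYTES = 24     # 192-bit truncated digest is guaranteed to be below the modulus

def _digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest()[:DIGEST_BYTES], "big")

def sign_update(payload: bytes) -> int:
    """Botmaster side: sign the payload digest with the private exponent."""
    return pow(_digest_int(payload), _RSA_D, RSA_N)

def verify_update(payload: bytes, signature: int) -> bool:
    """Bot side: accept a downloaded payload only if the signature verifies
    under the public key (RSA_N, RSA_E) baked into the binary."""
    if not 0 < signature < RSA_N:
        return False
    return pow(signature, RSA_E, RSA_N) == _digest_int(payload)

def fetch_update(day: date, served: dict[str, tuple[bytes, int]]) -> bytes | None:
    """Walk the day's generated domains in order. `served` stands in for
    DNS + HTTP (domain -> (payload, signature)); unsigned or badly signed
    content on a domain is skipped, so a sinkhole cannot inject its own code."""
    for domain in generate_domains(day):
        if domain in served:
            payload, sig = served[domain]
            if verify_update(payload, sig):
                return payload
    return None

def defender_domain_list(start: date, days: int) -> dict[str, list[str]]:
    """Defender side: precompute upcoming domains so they can be registered,
    sinkholed or watched before the bots start asking for them."""
    return {(start + timedelta(days=d)).isoformat(): generate_domains(start + timedelta(days=d))
            for d in range(days)}

if __name__ == "__main__":
    doms = generate_domains(SCENARIO_DAY)
    real = b"constructed update blob v2"
    served = {doms[0]: (b"sinkhole cleanup tool", 12345),   # defender-controlled, unsigned
              doms[5]: (real, sign_update(real))}          # botmaster-controlled, signed
    print("bot accepted:", fetch_update(SCENARIO_DAY, served))
    for d, lst in defender_domain_list(SCENARIO_DAY, 2).items():
        print(d, lst[:3], "...")
```

    The point a practitioner should take from it: generated domains only solve the attacker's availability problem; the signature check is what keeps a sinkhole from turning into a remediation channel, and it is the public key, not any hostname, that a detection or takedown effort has to reckon with.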

  9. Re:This is you on windows by Chris+Tucker · · Score: 4, Insightful

    And they keep coming back to Windows.

    "Oh, I KNOW Windows loves me. All the abuse is my fault. I deserve it!"

    --
    Guaranteed! This comment 100% Anthrax free!
  10. Forget antivirus, go after them for copyright by Anonymous Coward · · Score: 1, Funny

    You know, like the feds used to take down the Mafia on tax violations.

    http://sourceforge.net/projects/b-improved/

  11. Holy shit! Another version? by icannotthinkofaname · · Score: 2, Insightful

    Awesome. This is the greatest piece of malware I've ever seen. Conficker has done an absolutely wonderful job of becoming a real, recognized, major threat, even worming its way into several government systems.

    The fact that it's evolving to continue its journey into every computer it can find is quite impressive to me. I don't think I've ever heard of a malware threat this bad. Conficker's botnet is now measured in percentage of Windows machines infiltrated. When you get a significant percentage of computers like, say, 30% of 90% of the Desktop OS market (or whatever M$'s current stranglehold is worth), that's something to be proud of.

    I haven't heard of this actually doing anything malicious yet, and judging from some comments here, it hasn't actually done anything yet. But whatever it does do (after it disables and resets all the preferences and whatnot), I bet it's completely epic and noteworthy and huge and stuff. There's no way something giant isn't going down when all is said and done.

    I applaud the efforts of the programmers who wrote this quite beautiful program and set it loose in the wild. I look forward to more developments, both in the program and the fight against it, and I look forward to laughing my ass off as it infiltrates Windows system after Windows system, while remembering how recently I converted to Linux. :)

    --
    Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
  12. When I saw B++ by kkrajewski · · Score: 3, Funny

    I was all excited that someone had made an OO extension to the B programming language. We can only imagine the horror!

  13. Re:Holy shit! Another version? by Anonymous Coward · · Score: 0

    TROLL

  14. If you're running as non-administrator.... by klubar · · Score: 1

    If you're running as a non-administrator account (without write access to c:\windows (and system32)), would this virus still propagate? I've never quite understood why ordinary users have write access to system directories.

    1. Re:If you're running as non-administrator.... by t_little · · Score: 2, Insightful

      It's not a virus, it's a worm - it exploits bugs in automated OS services to run the code. There doesn't even need to be a user logged in for this to spread. (It also scans local networks for weak passwords and attempts to install itself via autorun on removable media) However, there is no fundamental reason why those services should run with permission to install anything either.

      --

      -- Tim Little
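      A detection-side counterpart to the spread vectors t_little lists, added here as a worked example rather than anything from the article or SRI's report: the RPC exploit he refers to arrives over SMB (TCP 445, with 139 as the legacy port, the ports the Server service listens on), so a host that opens connections to many distinct neighbours on those ports within a minute is behaving like a scanning worm, while a workstation talking repeatedly to its one file server is not. The flow-record format and every address below are constructed; the 60-second window and the threshold of 20 distinct destinations are tuning assumptions, not values from any published signature.

```python
from __future__ import annotations

from collections import defaultdict
from datetime import datetime, timedelta

SMB_PORTS = frozenset({139, 445})      # ports the Windows Server service listens on

def parse_flows(text: str) -> list[tuple[datetime, str, str, int]]:
    """Parse constructed 'timestamp src dst dport' flow records, one per line."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_scanners(flows, ports=SMB_PORTS, window=timedelta(seconds=60),
                  threshold=20) -> dict[str, int]:
    """Return {src: peak distinct destinations} for every source that reaches at
    least `threshold` distinct hosts on `ports` inside any sliding `window`.
    Repeated connections to the same host do not count, which is what separates
    a worm sweeping a subnet from a client reconnecting to one server."""
    by_src: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for ts, src, dst, dport in sorted(flows):
        if dport in ports:
            by_src[src].append((ts, dst))
    hits: dict[str, int] = {}
    for src, events in by_src.items():
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:   # slide window forward
                start += 1
            distinct = len({dst for _, dst in events[start:end + 1]})
            if distinct >= threshold:
                hits[src] = max(hits.get(src, 0), distinct)
    return hits

def constructed_sample() -> str:
    """Synthetic flow log (not a real capture): one benign client hammering its
    file server, one worm-like host sweeping a /24, one web client on port 80."""
    base = datetime(2009, 2, 20, 19, 30, 0)
    lines = ["# ts src dst dport   (constructed sample)"]
    for i in range(30):      # workstation re-connecting to the same file server every 5 s
        lines.append(f"{(base + timedelta(seconds=5 * i)).isoformat()} 10.0.0.5 10.0.0.2 445")
    for i in range(40):      # worm-like host: a new neighbour every second on 445
        lines.append(f"{(base + timedelta(seconds=i)).isoformat()} 10.0.0.77 10.0.0.{100 + i} 445")
    for i in range(25):      # many destinations, but on port 80: outside the SMB filter
        lines.append(f"{(base + timedelta(seconds=2 * i)).isoformat()} 10.0.0.9 10.0.0.{100 + i} 80")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    for src, n in find_scanners(parse_flows(constructed_sample())).items():
        print(f"{src}: reached {n} distinct hosts on SMB ports within 60 s")
```

      Run against the constructed sample, only 10.0.0.77 is reported (40 distinct hosts in the window); the benign client never exceeds one distinct destination, and the port-80 client is ignored unless the port filter is widened. The same counting logic applies to the weak-password sweep he mentions, since that also shows up as one source fanning out to many hosts on 445.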

    2. Re:If you're running as non-administrator.... by Anonymous Coward · · Score: 0

      If you're running as a non-administrator account (without write access to c:\windows (and system32)), would this virus still propagate? I've never quite understood why ordinary users have write access to system directories.

      Because it is the default setting.

    3. Re:If you're running as non-administrator.... by dbIII · · Score: 2, Interesting
      As an example, the only reason some of the computers run MS Windows XP in my workplace is because some idiot wrote an in-house application under some bastard son of VB which needs write access to the root of the C: drive. To run this single user at a time database application the user needs to run as administrator. There are a lot of idiots doing such things.

      While it's possible to make large mistakes with open software the majority of idiots are on the descendants of VB - however I have one python developer that has to turn off one core of his laptop to make his scripts run! Multi-cpu systems are so mainstream that there are even two processors in handheld Nintendo games yet developers write code that would be inadvisable in 1995!

      To sum up - the reason people run as administrator is due to very poor software development and the stupid basket weaving approach we use to write most code instead of seeing things as projects.

    4. Re:If you're running as non-administrator.... by tweak13 · · Score: 1

      I have one python developer that has to turn off one core of his laptop to make his scripts run!

      Excuse my software development ignorance, but how the hell is he doing that? Breaking his code on multiple processors, I mean.

    5. Re:If you're running as non-administrator.... by dbIII · · Score: 2, Interesting
      Somehow the 1960s problem of race conditions gets him if he has more than one processor running. I really do not understand how it can be so broken, but that is why he is insisting on turning off the second CPU in the BIOS on the machines that use his stuff (ie. he doesn't get his software on the production cluster and waste 7 CPUs per node - he gets told to piss off and read a textbook).

      As for the .net problem, it's a case of the configuration file for the application getting written to the root of the system drive! It's a flat file database implemented poorly and among other wonders it has a lockfile in case two people are using it at the same time to prevent corruption. I really do not know why the programmer didn't look at one of the thousand examples of simple data handling done well, but it's basket weaving not engineering.

      The annoying thing is some people were migrated from linux to XP with an X windows program just to use this in house bit of rubbish that requires ringing around to see who has locked the file before they can even use it. It is the only MS Windows specific application they use - thunderbird, firefox, openoffice etc is all cross platform and the majority of their work is done on a linux cluster which requires X Windows anyway (add $500 more after XP to use that).

    6. Re:If you're running as non-administrator.... by BitZtream · · Score: 1

      Do you know the difference between a virus and a worm? From your post, I don't think you do.

      Viruses and worms can both do everything you mention. Why are you pretending they are somehow different and that permissions changes don't affect both?

      A worm is a virus that doesn't piggyback on another executable; it works stand-alone. Otherwise they can and do do all the same stuff. Proper permissions and fixing exploits will stop a virus AND a worm.

      Let's go over your list:

      it exploits bugs in automated OS services to run the code.

      Done by both virus and worms and trojans and all sorts of other malware, this is not unique.

      There doesn't even need to be a user logged in for this to spread.

      Also true for viruses and worms alike, and many other types of malware.

      Your post is not insightful, it is misleading and wrong.

      What this particular type of malware is doesn't matter, the GP was correct in noticing the problem is mostly due to bad OS permissions which would mitigate most attacks, regardless of how they are spread.

      Let's pretend for a moment however that you fix every permission problem and exploit on the OS itself. You end up with a 100% secure bug-free OS. You will still get infected by viruses and worms. The OS isn't always the attack vector, more often than not, it's a stupid user. Worms and viruses can still spread via stupid users allowing them to do so.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    7. Re:If you're running as non-administrator.... by BitZtream · · Score: 1

      You should probably pull out Filemon and see EXACTLY what it's doing. Unless it is actively modifying files in the root directory, there is no reason that it should have permissions to do so. There are plenty of ways with ACLs to allow the app to do what it wants to do without running as an admin. Does it create temp files there? Fine, let it 'CREATE' files, but not modify anything else. Does it need to modify files located there? Okay, let it, but explicitly deny it from everything else. You CAN fix a problem like that if you want to put the effort into it, NTFS ACLs are annoyingly powerful. Apps like this are a problem when they talk directly to hardware or they modify system files. If it's VB, it's also probably pretty simple to decompile it, find what's opening a file read/write instead of read only and either fix it, or move it to another directory if possible.

      You simply need an admin or developer with a clue.

      You also need to fire your python developer. If he/she is running multithreaded code they wrote then they either need to fix the bug or stop using multiple threads. Since this bug has persisted long enough for it to make it into one of your slashdot posts, it's a safe bet your developer doesn't know how to deal with race conditions, that in and of itself is fine, the fact that he hasn't fixed the problem, or reverted to single threaded code makes him an idiot and a waste of your resources.

      Your problems are ones of ignorance by your staff, nothing more.

      --
      Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
    8. Re:If you're running as non-administrator.... by dbIII · · Score: 1
      The python developer has a lot of non-python knowledge that he's putting into code from his previous role as a scientist, so the choices are either to pair him with a real programmer that he will actually listen to, replace him with two people or wait until he actually learns how to program. For now a VM gets his useful stuff to work, maybe in 4 or 5 years he'll be taking a professional approach. Sadly I've seen a lot of people that cannot handle the concept of multiple threads - a pain when you are dealing with problems that are trivial to run in parallel.

      The other thing was an electrical engineer's hobby project in .net which came to the attention of management. Now I could muck about with ACLs but the reality is the application is broken in so many more ways that it is actually better to fix the application - changing a single line of code to put the config file in a different place IMHO is far better than fooling about with a permissions model I do not fully understand or agree with since I'm a *nix admin. The Microsoft security model can be compared to Britney Spears' underwear. Most of the time it isn't even there at all, and when it is there it is overly complicated but still doesn't cover much. I cannot count the number of times some idiot has locked files out even from Admin access and then forgotten their password (why do people always change their passwords just before they go on holidays?) - but even then it's just an annoying and inconvenient process to get access again.

      Anyway, my point is that a lot of the software that requires Admin access is really just crap written from an MSDOS mindset where you could do anything anywhere, and the example app was one of those. The single user, non-networked, single CPU mindset (the MSDOS mindset really) is where the python developer is now until eventually he will notice what those around him are doing.

    9. Re:If you're running as non-administrator.... by Anonymous Coward · · Score: 0

      Why would you pay $500 for X-windows? Take my advice and download something free, then you can send me a percentage of the savings.

  15. Re:Holy shit! Another version? by John+Hasler · · Score: 1

    > I haven't heard of this actually doing anything malicious yet, and judging from some
    > comments here, it hasn't actually done anything yet.

    Hasn't yet done anything that we know of. Yet.

    --
    Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
  16. Well, if you have deep pockets... by NotQuiteReal · · Score: 1

    and know the right (wrong) folks, maybe they will sell you the "package slot", and you can get your message out.

    Of course, since you are kind of advocating an exclusive deal, it will probably cost more than the run of the mill spam or phishing campaign, which can be sold and sold again...

    Also, IANAL, but I suspect doing bad things for the right reason would make you just as legally culpable as doing bad things, period.

    --
    This issue is a bit more complicated than you think.
    1. Re:Well, if you have deep pockets... by cheekyboy · · Score: 2, Insightful

      In that case you will never get caught because the current bot owners are not in jail and are selling services....

      If they are untouchable, you're safe too.

      --
      Liberty freedom are no1, not dicks in suits.
    2. Re:Well, if you have deep pockets... by Darkk · · Score: 1

      Makes me wonder why Microsoft posted a bounty for the author(s) of this worm.

      It's like, "Oh shit, we can't patch against this worm so we need to nab the author!"

      Microsoft can't come up with a patch fast enough without proper testing and time. They figured go after the source of the problem.

      Honestly $250,000 bounty is chump change so if they up the ante to $1,000,000 then people will listen.

    3. Re:Well, if you have deep pockets... by Macthorpe · · Score: 3, Informative

      It was patched a long time ago - last October, to be precise.

      --
      "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien
    4. Re:Well, if you have deep pockets... by Anonymous Coward · · Score: 0

      The patch has already been subverted. =)

      Microsoft didn't fix the actual issue - they just made it harder to do.

  17. No Exploits for Routers? by Anonymous Coward · · Score: 0

    I am pretty sure there are some exploits going around for some home firewall routers. Sorry I can't be bothered to look it up.

    Besides there are probably quite a few for Cisco IOS platform.

    ~AC

  18. Re:Holy shit! Another version? by RazzleDazzle · · Score: 1

    When you get a significant percentage of computers like, say, 30% of 90% of the Desktop OS market (or whatever M$'s current stranglehold is worth), that's something to be proud of.

    Man, it's too bad Redmond has a 90% infection rate of all Desktop OS workstations (or whatever MS's current stranglehold is worth).

    --
    ZERO ZERO ONE ZERO ONE ZERO ONE ONE! Just brushing up for my next big invention: Ethernet over Voice (EoV)
  19. Re:Holy shit! Another version? by Darkk · · Score: 1

    Correction... Windows has been infected by people! So the infection rate is 100%.

  20. Mod Parent +1 Funny, but sadly True by Anonymous Coward · · Score: 0

    See Subject

  21. Where is the real infection info? by Jartan · · Score: 1

    The more I hear about this worm the more I'm confused that I'm not seeing it on certain computers I know must have been unpatched.

    I've looked for info on how it spreads but the only thing I can ever find is that it uses an RPC exploit and that having print and file sharing on makes you vulnerable.

    Is it being blocked by some routers that block file and printer sharing ports perhaps?

  22. Re:Holy shit! Another version? by Anonymous Coward · · Score: 0

    He may be a troll but he kinda speaks the truth. Whoever wrote this thing knew what they were doing and they knew it well. This is easily the biggest threat to Windows in years and *could* result with the year of the Linux desktop coming along in the next 10 years (oh, one can hope).

  23. Re:Holy shit! Another version? by Anonymous Coward · · Score: 0

    This is probably the most pathetic post I have ever read. You're applauding criminal activity because of some tiny personal grudge you have against a corporation?

    You need a change of priorities.

  24. Re:This is you on windows by Anonymous Coward · · Score: 1, Interesting

    And they keep coming back to Windows.

    "Oh, I KNOW Windows loves me. All the abuse is my fault. I deserve it!"

    In this case it actually is. This worm is only targeting all the smartasses turning off windows update because they think they know better (whether sysadmins or personal users). This was patched months ago.

  25. Back to Basics by Gazzonyx · · Score: 1

    FWIW, you should give your python dev. a book and revoke his IDE until he can come back to you with a solution for setting the CPU affinity of his code. Pencil and paper coding is For His Own Good(TM) and everyone needs to go back to the basics (sometimes even BASIC) from time to time. It also builds character.

    It gives you better perspective when you have a: problem, good book, pencil, paper, and no distractions/crutches. I know I need to do this from time to time (whiteboard, diagram, pseudocode, and a good reference for the language I'm using), when I'm spinning my wheels or neglecting good practices.

    --

    If I mod you up, it doesn't necessarily mean I agree with what you've said, sorry.

  26. The next version will be even more harmful!!! by master_p · · Score: 1

    The next version will be...

    C++!!!

    And it will be considered harmful!!! :-)

  27. Re:Holy shit! Another version? by icannotthinkofaname · · Score: 1

    No, I'm not applauding criminal activity because of a grudge. I'm applauding it for how widespread the program is and how it just refuses to die. It ain't every day you find a program as impressive as this one. How often has a piece of malware evolved to perpetuate itself, let alone multiple times?

    This is a great effort on the programmers' parts, whether or not it actually does anything malicious to Windows systems.

    --
    Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
  28. future analysis? by Anonymous Coward · · Score: 0

    The SRI report begins the second paragraph with "Early accounts of the exploit used by Conficker arose in September of 2009. "

    Looks like they're way ahead of the game, no?

    oh. wait: it's just time travel stuff. nevermind.

  29. Re:This is you on windows by Anonymous Coward · · Score: 2, Interesting

    "Oh, I KNOW Windows loves me" - by Chris Tucker (302549) on Friday February 20, @07:50PM (#26937217) Homepage

    It does, because it does ME, & I have yet to be infected/infested for decades online now...

    You can have the same results, simply IF you can read English & apply what is noted here to secure yourself (1-2 hrs. of work for YEARS of uptime, stability, & bugfree operation):

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, plus make it "fun-to-do", via CIS Tool Guidance:

    http://www.tcmagazine.com/forums/index.php?s=e692b654cf47859bebf9e4380bec3a03&showtopic=2662

    ----

    "All the abuse is my fault. I deserve it!" - by Chris Tucker (302549) on Friday February 20, @07:50PM (#26937217) Homepage

    It's the fault of Microsoft for shipping OS in such a relatively unsecured state (&, it doesn't HAVE to be that way, because tools like SCW (server configuration wizard) exist in MS Windows variants, such as Windows Server 2003 for example, & it OUGHT to be run right after setup is completing... but, it's not, for example), &, the fault of the misguided fools that create these machinations...

    I will say 1 thing in defense of the people that create malware in general (as I call it) - they ARE pointing out FUNDAMENTAL flaws that exist in default OS setups, but, that's about it, because their talents COULD be put to use elsewhere... but, as far as saying they are "talented" in this "art & science"?

    Hey - ANYONE can be bogus & destructive: It's "TOO EASY"... quite another to be creative for useful things, vs. creating virus & such!

    Anyhow/anyways:

    NOW - IF you just "smarten up", & disable the SERVER service (which this worm exploits a bug in), because you generally (as an end-user on a single machine online via the internet only & NO home or work LAN/WAN connectivity needed) for 1 thing, & then watch it with javascript usage in your webbrowsers (meaning do NOT use it on "every site online under the sun", & ONLY on the sites you absolutely NEED javascript active for, for proper full function?

    You CAN stay clean, & uninfected... &, even vs. THIS particular worm & its variants...

    APK

  30. Don't want to be hit by this worm? Take a read by Anonymous Coward · · Score: 0

    "In short bot herders can now push updates to infected machines rather than relying on the infected machine to seek out and download updates." - by InsertWittyNameHere (1438813) on Friday February 20, @07:33PM (#26937071)

    In short?

    Hey, it's also relatively EASY to stall these "botmasters" (destructive script kiddies is more like it) from doing that... via VERY simple measures no less!

    (Simply IF you can read English & apply what is noted here to secure yourself (1-2 hrs. of work for YEARS of uptime, stability, & bugfree operation)):

    ----

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, plus make it "fun-to-do", via CIS Tool Guidance:

    http://www.tcmagazine.com/forums/index.php?s=e692b654cf47859bebf9e4380bec3a03&showtopic=2662

    ----

    E.G. (per said article's points for securing a Windows based OS) ->:

    A.) IF you just simply "smarten up", & disable the SERVER service, which MOST folks w/ a single home system & no LAN around do NOT even need (which this worm exploits a bug in), because you generally (as an end-user on a single machine online via the internet only & NO home or work LAN/WAN connectivity needed) for 1 thing

    &

    B.) Then watch it with javascript usage in your webbrowsers (meaning do NOT use it on "every site online under the sun", & ONLY on the sites you absolutely NEED javascript active for, for proper full function?

    You CAN stay clean, & uninfected... &, even vs. THIS particular worm & its variants...

    APK

    P.S.=> It's the fault of Microsoft for shipping OS in such a relatively unsecured state (&, it doesn't HAVE to be that way, because tools like SCW (server configuration wizard) exist in MS Windows variants, such as Windows Server 2003 for example, & it OUGHT to be run right after setup is completing... but, it's not, for example), &, the fault of the misguided fools that create these machinations...

    HOWEVER: I will say 1 thing in defense of the people that create malware in general (as I call it) - they ARE pointing out FUNDAMENTAL flaws that exist in default OS setups, but, that's about it, because their talents COULD be put to use elsewhere... but, as far as saying they are "talented" in this "art & science"?

    Hey - ANYONE can be bogus & destructive: It's "TOO EASY"... quite another to be creative for useful things, vs. creating virus & such... apk

  31. Stop SERVER service (for standalones) & javasc by Anonymous Coward · · Score: 0

    Hey, don't want this in your systems?

    Well - it's relatively EASY to stall these "botmasters" (destructive script kiddies is more like it) from doing that... via VERY simple measures no less!

    (Simply IF you can read English & apply what is noted here to secure yourself (1-2 hrs. of work for YEARS of uptime, stability, & bugfree operation)):

    ----

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, plus make it "fun-to-do", via CIS Tool Guidance, & beyond:

    http://www.tcmagazine.com/forums/index.php?s=e692b654cf47859bebf9e4380bec3a03&showtopic=2662 [tcmagazine.com]

    ----

    E.G. (per said article's points for securing a Windows based OS) ->:

    A.) IF you just simply "smarten up", & disable the SERVER service, which MOST folks w/ a single home system & no LAN around do NOT even need (which this worm exploits a bug in), because you generally (as an end-user on a single machine online via the internet only & NO home or work LAN/WAN connectivity needed) to waste CPU cycles, memory, & other forms of I/O server service needs (for sharing files/folders/printers etc. et al), for 1 thing

    &

    B.) Then watch it with javascript usage in your webbrowsers (meaning do NOT use it on "every site online under the sun", & ONLY on the sites you absolutely NEED javascript active for, for proper full function?

    You CAN stay clean, & uninfected... &, even vs. THIS particular worm & its variants...

    APK

    P.S.=> It's the fault of Microsoft for shipping OS in such a relatively unsecured state (&, it doesn't HAVE to be that way, because tools like SCW (server configuration wizard) exist in MS Windows variants, such as Windows Server 2003 for example, & it OUGHT to be run right after setup is completing... but, it's not, for example), &, the fault of the misguided fools that create these machinations...

    I will say 1 thing in defense of the people that create malware in general (as I call it) - they ARE pointing out FUNDAMENTAL flaws that exist in default OS setups, but, that's about it, because their talents COULD be put to use elsewhere... but, as far as saying they are "talented" in this "art & science"?

    Hey - ANYONE can be bogus & destructive: It's "TOO EASY"... quite another to be creative for useful things, vs. creating virus & such, no questions asked... apk

  32. Re:Where is the real infection info? HOW TO STOPIT by Anonymous Coward · · Score: 0

    Hey, don't want this "Conficker" worm in your systems (patched OR unpatched even)?

    Simple : Because it's relatively EASY to stall these "botmasters" (destructive script kiddies is more like it) from doing that... via VERY simple measures no less!

    (Simply IF you can read English & apply what is noted here to secure yourself (1-2 hrs. of work for YEARS of uptime, stability, & bugfree operation)):

    ----

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, plus make it "fun-to-do", via CIS Tool Guidance, & beyond:

    http://www.tcmagazine.com/forums/index.php?s=e692b654cf47859bebf9e4380bec3a03&showtopic=2662 [tcmagazine.com]

    ----

    E.G. (per said article's points for securing a Windows based OS) ->:

    A.) IF you just simply "smarten up", & disable the SERVER service, which MOST folks w/ a single home system & no LAN around do NOT even need (which this worm exploits a bug in), because you generally (as an end-user on a single machine online via the internet only & NO home or work LAN/WAN connectivity needed) to waste CPU cycles, memory, & other forms of I/O server service needs (for sharing files/folders/printers etc. et al), for 1 thing

    &

    B.) Then watch it with javascript usage in your webbrowsers (meaning do NOT use it on "every site online under the sun", & ONLY on the sites you absolutely NEED javascript active for, for proper full function?

    You CAN stay clean, & uninfected... &, even vs. THIS particular worm & its variants...

    APK

    P.S.=> It's the fault of Microsoft for shipping OS in such a relatively unsecured state (&, it doesn't HAVE to be that way, because tools like SCW (server configuration wizard) exist in MS Windows variants, such as Windows Server 2003 for example, & it OUGHT to be run right after setup is completing... but, it's not, for example), &, the fault of the misguided fools that create these machinations...

    I will say 1 thing in defense of the people that create malware in general (as I call it) - they ARE pointing out FUNDAMENTAL flaws that exist in default OS setups, but, that's about it, because their talents COULD be put to use elsewhere... but, as far as saying they are "talented" in this "art & science"?

    Hey - ANYONE can be bogus & destructive: It's "TOO EASY"... quite another to be creative for useful things, vs. creating virus & such, no questions asked... apk

  33. Re:Meep Beep! STOP THIS WORM EASILY by Anonymous Coward · · Score: 0

    "I for one am sick and tired of ignorant computer users getting their machines botnetted, blissfully unaware of the harm they are then contributing to. (and many of them are aware and just plain don't care)" - by v1 (525388) on Friday February 20, @08:10PM (#26937367) Homepage

    So was I, because professionally, it has eaten up a GOOD 80%++ or more of my days on the job with clients in cleansing their rigs of this madness-N-lunacy... so, I decided to put this around on the wire on 20 sites or so last year (for my "New Year's Resolution" of "DO A GOOD DEED")... &, it's done EXTREMELY well, especially vs. machinations like this new worm:

    ----

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, plus make it "fun-to-do", via CIS Tool Guidance, & beyond:

    http://www.tcmagazine.com/forums/index.php?s=e692b654cf47859bebf9e4380bec3a03&showtopic=2662 [tcmagazine.com]

    ----

    E.G. (per said article's points for securing a Windows based OS) ->:

    ----

    A.) IF you just simply "smarten up", & disable the SERVER service, which MOST folks w/ a single home system & no LAN around do NOT even need to have running in that case (which this worm exploits a bug in), because you generally don't NEED it (as an end-user on a single machine online via the internet only & NO home or work LAN/WAN connectivity needed sharing files/folders/disks/printers etc.), thus, merely WASTING excess CPU cycles, memory, & other forms of I/O server service needs (for sharing files/folders/printers etc. et al), for 1 thing

    &

    B.) Then watch it with javascript usage in your webbrowsers (meaning do NOT use it on "every site online under the sun", & ONLY on the sites you absolutely NEED javascript active for, for proper full function?

    ----

    You CAN stay clean, & uninfected... &, even vs. THIS particular worm & its variants...

    It's the fault of Microsoft for shipping its OS in such a relatively unsecured state (&, it doesn't HAVE to be that way, because tools like SCW (server configuration wizard) exist in MS Windows variants, such as Windows Server 2003 for example, & it OUGHT to be run right after setup completes... but, it's not, for example), &, the fault of the misguided fools that create these machinations...

    I will say 1 thing in defense of the people that create malware in general (as I call it) - they ARE pointing out FUNDAMENTAL flaws that exist in default OS setups, but, that's about it, because their talents COULD be put to use elsewhere... but, as far as saying they are "talented" in this "art & science"?

    Hey - ANYONE can be bogus & destructive: It's "TOO EASY"... quite another to be creative for useful things, vs. creating virus & such, no questions asked...

    APK

    P.S.=>

    "Do the world a favor. MAKE them care." - by v1 (525388) on Friday February 20, @08:10PM (#26937367) Homepage

    Ah, "therein lies the rub"... lol!

    Well, I agree, but... I don't *THINK* you can "make people care", until it strikes them personally... but, sooner or later, it usually does, costing them time, money, + aggravation to NO end - & IF folks don't get wind of this kind of info., or worse, don't care enough to APPLY it themselves (or, have a fairly computer + networking savvy person do it FOR them instead)? They keep guys who are in this field, PAID... sometimes?

    Sometimes, I suspect it's actually guys in this field who are @ the heart of all this, because of my last statement - it creates a self-serving economy for them to profit by... how sad, IF I am correct on this note - but, face it: You cannot go "just whipping this stuff up", because yes, even MALWARES take some work to create + implement (thus, one HAS to assume they are pros, or were, @ some point in this field OR could be to some extent)... apk
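    As an added, report-only check for point A above (not part of the original post or the linked guide): it shows whether the Server service is running and whether the machine actually has user-created shares, which is the case the next reply raises as a reason not to disable it. Assumes a Windows host with PowerShell and WMI; the share-name filter and the output wording are mine.

```powershell
# Added example, not from the thread: decide point A from data, not guesswork.
# Reports the Server service (LanmanServer) state and any non-administrative
# SMB shares. It changes nothing; the disable command is only printed as advice.
# Assumes Windows with PowerShell and WMI (Win32_Service / Win32_Share) present.

$svc = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
if (-not $svc) {
    Write-Output "Server service (LanmanServer) is not present on this host."
    return
}

$startMode = (Get-WmiObject -Class Win32_Service -Filter "Name='LanmanServer'").StartMode
Write-Output ("Server service: status={0}, start mode={1}" -f $svc.Status, $startMode)

# Administrative shares (C$, ADMIN$, IPC$) end in '$' and exist by default;
# only shares without that suffix indicate deliberate file/printer sharing.
$userShares = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Name -notmatch '\$$' }

if ($userShares) {
    Write-Output "User-created shares found; this host is serving files/printers and needs the Server service:"
    $userShares | ForEach-Object { Write-Output ("  {0} -> {1}" -f $_.Name, $_.Path) }
} else {
    Write-Output "No user-created shares. If this host is also not part of a LAN/domain,"
    Write-Output "the service can be turned off with: Set-Service LanmanServer -StartupType Disabled"
}

# Whatever the decision, the patch Microsoft issued for this RPC bug is the real
# fix; verify Windows Update is current before relying on the service being off.
```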

  34. Re:Where is the real infection info? HOW TO STOPIT by Anonymous Coward · · Score: 0

    Wow, this was a stupid post. Nice spamvertisement though. Allow me to pick it apart.

    A.) IF you just simply "smarten up", & disable the SERVER service, which MOST folks w/ a single home system & no LAN around do NOT even need

    Most users nowadays do have multiple PCs, behind a NAT connected to broadband. If they didn't, this particular worm wouldn't be nearly as big of an issue, so your first solution doesn't apply to the group that's being targeted, useful, really. A lot of users use their home PC for work. Turning off the server service has other side effects as other services and apps expect it to be running. Blindly turning off services based on ignorant statements like this is why your Windows machine probably runs like shit. The guide you posted was written by an idiot. While I realize it's a common thing to say 'turn off server and client' services, those people saying it have no clue how many other random seemingly unexpected subsystems are affected by doing so. Want to make your machine act weird and randomly slow? Start turning off random services and reboot. You'll have all sorts of random little crap that doesn't work. Seriously, try it. Oh, wait, you probably did already, which means you probably also have all sorts of random little 'windows sucks' posts because stuff on your machine doesn't work right.

    B.) Then watch it with javascript usage in your webbrowsers (meaning do NOT use it on "every site online under the sun", & ONLY on the sites you absolutely NEED javascript active for, for proper full function?

    1993 called, they want their Internet back. It's far more annoying to browse the internet without javascript than to worry about this worm. I (still) have used IE for years, I have yet to be infected by a javascript attack. That's rarely used and you're living in the 90s with a good dose of paranoia if you think javascript is all scary. There are FAR more effective ways to exploit a machine than using javascript. And the users who are going to get exploited by Javascript are going to be exploited in 15 other different ways by the same site. If they've got you to a dangerous site, you've already lost, little crap like this isn't going to save you.

    I will say 1 thing in defense of the people that create malware in general (as I call it) - they ARE pointing out FUNDAMENTAL flaws that exist in default OS setups, but, that's about it, because their talents COULD be put to use elsewhere... but, as far as saying they are "talented" in this "art & science"?

    You're an idiot. There is no 'defense'. Exploiting people and costing them money is not a service, it is a crime. Using a computer in any unauthorized way is a crime in the country I live in. We don't praise murderers, thieves, rapists, or arsonists for example when they take advantage of bad security. They are still scumbags, this is no different. You're an idiot for trying to justify this as 'pointing out the flaws'; they aren't pointing them out, they are exploiting them. Pointing out flaws would just simply be saying 'hey, you can do this bad stuff real easy by '. Pointing out flaws does not involve building massive botnets which use massive amounts of bandwidth to annoy others.

  35. Re:Where is the real infection info? HOW TO STOPIT by BitZtream · · Score: 1

    Sorry, I went and read some more of the article you posted, you really don't have a clue, stop giving out bad information.

    --
    Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
  36. Re:Where is the real infection info? HOW TO STOPIT by Anonymous Coward · · Score: 0

    "Most users nowadays do have multiple PCs, behind a NAT connected to broadband." - by Anonymous Coward on Saturday February 21, @04:28PM (#26943791)

    Most users I have serviced, as far as PAYING clients @ the home level the past year? DO NOT... who are you trying to fool here?

    (AND, if they do? That same guide also recommends patching religiously... inclusive of the patch Microsoft issued for this very SERVER SERVICE RPC bug)

    In fact, IF you read that guide you loudmouth? You'd have read the 3rd POINT in it, & it puts a loudmouth like YOU, into YOUR place... easily, you skimmer.

    ----

    "1993 called, they want their Internet back" - by Anonymous Coward on Saturday February 21, @04:28PM (#26943791)

    Well, 2009 is here, & "layered security" is THE trend out there, today, for security vs. these machinations...

    OR

    Doesn't this article tend to second that idea (such as using HOSTS files to block the servers these malware worms use, another idea that the article I put up notes that also works for stopping this, & other, worms like it, by stalling access to their command & control servers):

    Resurrecting the Killfile: by Oliver Day of SECURITYFOCUS.COM

    http://www.securityfocus.com/columnists/491

    ?

    ----

    "You're an idiot. There is no 'defense'." - by Anonymous Coward on Saturday February 21, @04:28PM (#26943791)

    Doesn't the A/C I am responding to sound JUST like some botmaster that my post here offends, because everything it notes (especially the guide I put up) stalls out this malware, & others like it... or, don't the findings of OTHERS tend to 2nd that for me?

    NOW - As Far as others NOT seeing great results using said guide? Well - See here, read THRONKA's results using that guide I posted:

    http://www.xtremepccentral.com/forums/showthread.php?t=28430&page=3

    I'll let him (& others who have used it successfully for over a year vs. malwares no less IF NEED BE, because I can gather THEIR results, vs. your ANECDOTAL BULLSHIT w/ no proofs on your end) do so, for me...

    APK

    P.S.=> Some people *THINK* they can "classify" others PC use patterns, or what THEY have seen as THEIR personal sample-set, as the "end-all/be all" ultimately comprehensive solution... lol, like the fool I am replying to here ("he has seen it all", yea, right, lol), sorry to "blow your mind" wannabe, but, others I have cited here show quite otherwise vs. your mere 'anecdotal b.s.' from YOUR "vast experience" only... apk

  37. RESULTS OF OTHERS IN THE URL INSIDE SHOW OTHERWISE by Anonymous Coward · · Score: 0

    "you really don't have a clue" - by BitZtream (692029) on Saturday February 21, @04:31PM (#26943807)

    OTHERS (in the URL below, See THRONKA's reply there) say QUITE otherwise vs. your ambiguous no detail b.s. reply:

    http://www.xtremepccentral.com/forums/showthread.php?t=28430&page=3

    AND, illustrate the success others now enjoy online via the points in that guide, which actually work, vs. these types of malware machinations for the past year now...?

    ----

    And, as far as myself being 'clueless'? Well, then how come various programming & network engineering points I have come up with over the past 13++ yrs. now have appeared in respected publications such as these:

    Windows NT Magazine (now Windows IT Pro 1996), for work done for EEC Systems/SuperSpeed.com on PAID CONTRACT (writing portions of their SuperCache program) albeit, for their SuperDisk & HOW TO APPLY IT, took them to a finalist position @ MS Tech Ed, two years in a row iirc.

    WINDOWS MAGAZINE, 1997, "Top Freeware & Shareware of the Year" issue page 210, #1/first entry in fact (my work is there)

    PC-WELT FEB 1998 - page 84, again, my work is featured there

    PC-WELT FEB 1999 - page 83, again, my work is featured there

    CHIP Magazine 7/99 - page 100, my work is there

    WINDOWS MAGAZINE, WINTER 1998 - page 92, insert section, MUST HAVE WARES, my work is again, there

    GERMAN PC BOOK, Data Becker publisher "PC Aufrusten und Repairen" my work is contained in it

    HOT SHAREWARE Numero 46 issue, pg. 54 (PC ware mag from Spain), my work is there, first one featured, yet again!

    ----

    So - Have YOU, DONE THE SAME YOURSELF?

    DOUBT IT... because I have YET to run into a "slashdot wannabe" with a mouth like yours online that has accomplished ANYTHING of worth in this art & science...

    ----

    "stop giving out bad information." - by BitZtream (692029) on Saturday February 21, @04:31PM (#26943807)

    So - What did I post that is "bad information"??

    APK

    P.S.=> For SOME reason? I don't think we will hear back from BitZtream on this, & ESPECIALLY with specifics -& especially vs. the results others have had & success using the guide I posted...

    (See, I have noted that those that "bitch" about the guide I posted are USUALLY some botmaster idiot who is adversely affected by its points - simply because the points in my guide actually DO work vs. today's threats online, & lists exception areas + many types of layered security work-arounds that work vs. them)...

    So, what do I see in "retaliation" usually from those that the security guide adversely affects, who offer NO specifics? WELL - Replies like the one I am replying to... lol!

    (HEY - What's the matter "BitZtream" (look @ that "L33T" name, lol)? Don't want others NOT being infected by YOUR botnet???) apk

  38. Re:Where is the real infection info? HOW TO STOPIT by Anonymous Coward · · Score: 0

    I think because the ac poster you replied to did not post an article, you may have been directing it at the poster apk who posted an article. The person you replied to did not, and you stated he did, and based on apk's reply to you he may have thought you were saying he had no clue. I read apk's reply to you and I would have said the same to you in fact if I interpreted it as he did. I say that because I also had a difficult time determining who you were replying to as well. So I took a look at the other ac's reply to see if he had posted an article as you said and he had not. I can see why apk replied to you as he had after that other ac jerk was caught skimming, because he had not read the third post in the article stating that if you have a home LAN don't disable the server service, and apk never said to do so for anyone who is running a LAN. People here amaze me at times, and the fool who said that article at techconnect magazine's website was written by a fool is the fool. I read that article and it covers most all the possible angles and catch-22s. Also later I found myself reading the other post apk put up from guru3d.com where others have had a malware-free year by using that article's points.

  39. Re:This is you on windows by Chris+Tucker · · Score: 1

    And yet, my Mac OS X install comes from the factory with all the security features turned on by default.

    In my twenty some years of Mac OS usage, I have run into exactly ONE virus, on a used Color Classic I bought. A quick application of the freeware Disinfectant took care of that.

    If you want to spend all that time, securing your Windows installs, go right ahead.

    As long as MS continues to ship a product that, essentially, lies there, its legs in the air, its underwear nowhere to be seen, and loudly demanding:

    "RAPE ME! RAPE ME RIGHT NOW, GODDAMMIT!"

    You're going to be spending a lot of time tweaking your Windows installs.

    Me, I prefer to click "Install", come back 30 minutes later, click a few more times and have a BY DEFAULT secure OS ready and waiting.

    YMMV.

    --
    Guaranteed! This comment 100% Anthrax free!
  40. Re:This is you on windows by Anonymous Coward · · Score: 1, Interesting

    I'd have to STRONGLY wager that if (insert OS type here) was as dominant a force as Microsoft Windows is today (& has been for more than 19++ yrs. now in the world of personal computers @ least), MacOS X or Linux (or whatever) would be getting as much heat from the malware makers as does Windows today.

    E.G.-> IF you were a malware maker today, wouldn't YOU target the biggest mass of users you could? Sure you would, & ESPECIALLY today (they've shifted from messing up your machine, to taking YOUR MONEY instead, or using your machine as a slave), & ESPECIALLY targeting the MOST USED OS THERE IS - Windows.

    Thus, imo @ least?? IF Linux or MacOS X were "top dog", market-share-wise??? They'd be under the SAME type of fire by the misguided folks that make malwares.

    APK

    P.S.=> Trust me, because for instance/E.G.-> MALWARE THREAT TO GNOME and KDE: http://it.slashdot.org/article.pl?sid=09/02/17/1526244 - & also A Worm for your Apple: http://www.beskerming.com/commentary/2007/07/18/222/A_Worm_for_Your_Apple OR Worm Threat Forces Apple To Disable Software? -> http://it.slashdot.org/it/07/08/03/1451217.shtml &, the list goes on... want more? I will gladly supply them.

    Thus, as you can see?

    The other alternate OS types for X86 based computers also have vulnerable (or, potentially vulnerable) components, just as Microsoft products do... they just aren't as attacked because they are NOT used as much, & thus, present a more 'available' target mass... apk

  41. Re:This is you on windows by VeNoM0619 · · Score: 1

    This is the debate of Windows vs Linux that I see quite a bit, but never gets discussed:

    When someone runs something in Windows, and it infects their machine it's "stupid windows". But, when someone runs something in Linux under ROOT, and infects their machine, it's "stupid user".

    Yet (a few months ago) there was an article posting that most people run as admin in Windows, because software doesn't work. That's right, because of poorly designed software that doesn't work all the time, people have to run as admin. Now, I am not saying the software developers are to blame, but I feel they share some blame to this whole debate.

    But for those who say Windows has poor security, I really want to know some figures on how much infection you can get when under a guest account, because technically you are under a rule by rule specific account under Linux.

    --
    Disclaimer: I am not god.
    We may not be created equal
    But we can be treated equal.
  42. Not a "new" variant by Anonymous Coward · · Score: 0

    This variant isn't new, see: https://forums.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186#A245

    "However, the important point regarding Downadup is not whether this is another variant, but rather is it a new variant; i.e., if it has been released recently. Fortunately, Downadup.B++ / Conficker.C is not a newly released variant. This variant has been around since the main outbreak of Downadup, and most vendors already have detections for it."

    and the p2p distribution feature discussed was previously discussed here:
    https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/227

    "So, another mechanism exists to distribute the payload files and it is more difficult to track and equally more difficult to shut down. The worm uses a (potentially inefficient) peer-to-peer (P2P) mechanism that allows it to share files between infections."

  43. Re:This is you on windows by Chris+Tucker · · Score: 1

    "When someone runs something in Windows, and it infects their machine it's "stupid windows". But, when someone runs something in Linux under ROOT, and infects their machine, it's "stupid user"."

    Exactly. It's no big deal for me to run Mac OS under a user account, and switch to root when I need to. Mainly for Software Update and when I'm installing something that needs the admin password.

    (To be honest, half the time, I don't know if I'm root or not. OK, right now, not root.)

    Should be the same with Linux. One doesn't need root to play a game or send email or play a video or anything else that takes up 90+% of the CPU cycles.

    If any Windows software requires that it be run as root, then yes, stupid Windows and doubly stupid Windows software developers.

    If any Mac OS software requires that it be run as root (save for installation), well, GODDAMN STUPID Mac OS and quadruply Mac OS developers!

    --
    Guaranteed! This comment 100% Anthrax free!