New Conficker Variant Increases Its Flexibility

CWmike writes "Criminals behind the widespread Conficker worm have released a new version that could signal a major shift in the way the malware operates. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines."

26 of 120 comments

  1. The Botnet National Anthem by Chris Tucker · · Score: 5, Funny

    Botnets, worldwide botnets.
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, TRUE!
    Gateway, Packard Bell, maybe even Asus, too.

    Are boxes, found on botnets.
    All running Windows, FOO!

    --
    Guaranteed! This comment 100% Anthrax free!

    1. Re:The Botnet National Anthem by Anonymous Coward · · Score: 3, Funny

      If they run foo() then all operating systems are vulnerable!
      O.M.G!

    2. Re:The Botnet National Anthem by wisty · · Score: 5, Funny

      YOU HAVE RECEIVED THE UNIX VIRUS!

      This virus works on the honor system. Please
      randomly delete some of your files and forward
      this to everyone you know.

  2. This is slashdot right? by blool · · Score: 4, Interesting

    Why is the summary so devoid of technical detail? You realize we don't read the articles right?

    1. Re:This is slashdot right? by Psychotria · · Score: 4, Informative

      Because the article doesn't have any technical detail either.

      Well, the second linked-to article (the one by SRI) is chock full of technical details; and it's an interesting read.

    2. Re:This is slashdot right? by grizdog · · Score: 4, Funny

      Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.

      Well, I thought there was some useful detail in the article, particularly this:

      Overall, the modifications to Conficker B++ appear relatively minor as compared to the significant upgrade in functionality, performance, and reliability that occurred from Conficker A to B. These smaller and more surgical changes to B appear to address some of the realities that are currently impacting Conficker's binary update strategy. In particular, in Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction. Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

      However, Conficker A and B did support, through the previous netapi32.dll patch, an ability to accept new DLLs, as long as the shell code submitted through the RPC buffer overflow matched the original Conficker infection shell code. This approach was limiting both in the requirement that direct flashing required an easily identifiable shellcode string and a single DLL method loading procedure, both of which are now subject to detection by security software. Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host.

    3. Re:This is slashdot right? by MichaelSmith · · Score: 5, Funny

      Cripes, with all the reliance they are placing on Windows internals they will never get this thing ported to *nix. It's almost as bad as AutoCAD.

    4. Re:This is slashdot right? by InsertWittyNameHere · · Score: 5, Informative

      In short, bot herders can now push updates to infected machines rather than relying on the infected machine to seek out and download updates.

      Some quotes:

      "a more efficient push-based updating service"

      "the ability to accept and validate remotely submitted URLs and Win32 binaries, could signal a significant shift in the strategies used by Conficker's authors to upload and interact with their drones."

      "comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%."

      "out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added."

      "Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach."

      "Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host."

    5. Re:This is slashdot right? by Narnie · · Score: 5, Funny

      Microsoft should hire these guys to revamp Windows Update.

      --
      greed@All_Evils:~#

    6. Re:This is slashdot right? by Erikderzweite · · Score: 3, Insightful

      Not only did you read TFA, you followed the link from TFA! I'm sorry sir, but the usual question of whether or not you are new here doesn't apply to you.
      How did it come about that you have a Slashdot account? By ./ standards you are not born yet!

  3. Meep Beep! by djupedal · · Score: 2, Funny

    If you're on the highway and Conficker goes beep beep.
    Just step aside or you might end up in a heap.
    Conficker, Conficker runs on the road all day.
    Even the coyote can't make him change his ways.

    Conficker, the coyote's after you.
    Conficker, if he catches you you're through.
    Conficker, the coyote's after you.
    Conficker, if he catches you you're through.

    That coyote is really a crazy clown,
    When will he learn he can never mow him down?
    Poor little Conficker never bothers anyone,
    Just runnin' down the road's his idea of having fun.

    1. Re:Meep Beep! by HTH NE1 · · Score: 4, Insightful

      Poor little Conficker never bothers anyone,
      Just runnin' down the road's his idea of having fun.

      And still true: it still hasn't done anything more than spread and try to keep itself from being purged.

      With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!

      --
      Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?

    2. Re:Meep Beep! by v1 · · Score: 4, Interesting

      I know this is a very unpopular view with a lot of people, but I'd personally like to see a major worm like this pop a msg saying "your computer has been taken over and is available to be used to harm others. You need to take your computer into the repair shop and get it cleaned up and protective software installed".

      And then make Windows unable to do anything but display that message when it boots.

      Half the population would be picking up pitchforks, and the other half would be saying THANK you!

      I for one am sick and tired of ignorant computer users getting their machines botnetted, blissfully unaware of the harm they are then contributing to. (and many of them are aware and just plain don't care)

      Do the world a favor. MAKE them care.

      --
      I work for the Department of Redundancy Department.

  4. Readable link by Seth Kriticos · · Score: 3, Informative

    Just in case someone really wants to read TFA, here is a link to the more eye friendly version (printer version): http://www.computerworld.com/action/article.do?command=printArticleBasic&taxonomyName=Network+Security&articleId=9128280&taxonomyId=142

    PS: Just because there is a "Slashdot this article with maximum clutter" button, you don't inherently have to click on it.

  5. It's depressing. by Anonymous Coward · · Score: 2, Insightful

    That a vulnerability patched in October could become a problem.

  6. Will it run on Linux? by erroneus · · Score: 2, Insightful

    I'd seriously like to see some malware attacking Linux users. Ubuntu users might be a good target audience with good vulnerability and gullibility. But I would really like to see some attacks to see if Linux or its users are really so much better than Windows users. Further, I would like to see how much could be blocked and avoided.

    Security isn't as much of a battle among common Linux users and frankly, I wonder how lax we generally are.

    1. Re:Will it run on Linux? by jadedoto · · Score: 2, Insightful

      Not all Ubuntu users are idiots when it comes to Linux. Someone had to create the distribution and someone has to maintain it. I use Ubuntu after years with Gentoo for the pure ease of how things work. And it's got a great community to help others ease into it. It's counter-productive to bash Ubuntu users. Really.

  7. Re:This is you on windows by Chris Tucker · · Score: 4, Insightful

    And they keep coming back to Windows.

    "Oh, I KNOW Windows loves me. All the abuse is my fault. I deserve it!"

    --
    Guaranteed! This comment 100% Anthrax free!

  8. Holy shit! Another version? by icannotthinkofaname · · Score: 2, Insightful

    Awesome. This is the greatest piece of malware I've ever seen. Conficker has done an absolutely wonderful job of becoming a real, recognized, major threat, even worming its way into several government systems.

    The fact that it's evolving to continue its journey into every computer it can find is quite impressive to me. I don't think I've ever heard of a malware threat this bad. Conficker's botnet is now measured in percentage of Windows machines infiltrated. When you get a significant percentage of computers like, say, 30% of 90% of the Desktop OS market (or whatever M$'s current stranglehold is worth), that's something to be proud of.

    I haven't heard of this actually doing anything malicious yet, and judging from some comments here, it hasn't actually done anything yet. But whatever it does do (after it disables and resets all the preferences and whatnot), I bet it's completely epic and noteworthy and huge and stuff. There's no way something giant isn't going down when all is said and done.

    I applaud the efforts of the programmers who wrote this quite beautiful program and set it loose in the wild. I look forward to more developments, both in the program and the fight against it, and I look forward to laughing my ass off as it infiltrates Windows system after Windows system, while remembering how recently I converted to Linux. :)

    --
    Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.

  9. When I saw B++ by kkrajewski · · Score: 3, Funny

    I was all excited that someone had made an OO extension to the B programming language. We can only imagine the horror!

  10. Re:If you're running as non-administrator.... by t_little · · Score: 2, Insightful

    It's not a virus, it's a worm - it exploits bugs in automated OS services to run the code. There doesn't even need to be a user logged in for this to spread. (It also scans local networks for weak passwords and attempts to install itself via autorun on removable media.) However, there is no fundamental reason why those services should run with permission to install anything either.

    --
    Tim Little

  11. Re:If you're running as non-administrator.... by dbIII · · Score: 2, Interesting

    As an example, the only reason some of the computers in my workplace run MS Windows XP is because some idiot wrote an in-house application under some bastard son of VB which needs write access to the root of the C: drive. To run this single-user-at-a-time database application the user needs to run as administrator. There are a lot of idiots doing such things.

    While it's possible to make large mistakes with open software, the majority of idiots are on the descendants of VB - however, I have one Python developer who has to turn off one core of his laptop to make his scripts run! Multi-CPU systems are so mainstream that there are even two processors in handheld Nintendo games, yet developers write code that would have been inadvisable in 1995!

    To sum up - the reason people run as administrator is very poor software development and the stupid basket-weaving approach we use to write most code instead of seeing things as projects.

  12. Re:Well, if you have deep pockets... by cheekyboy · · Score: 2, Insightful

    In that case you will never get caught because the current bot owners are not in jail and are selling services....

    If they are untouchable, you're safe too.

    --
    Liberty freedom are no1, not dicks in suits.

  13. Re:If you're running as non-administrator.... by dbIII · · Score: 2, Interesting

    Somehow the 1960s problem of race conditions gets him if he has more than one processor running. I really do not understand how it can be so broken, but that is why he is insisting on turning off the second CPU in the BIOS on the machines that use his stuff (i.e. he doesn't get his software on the production cluster and waste 7 CPUs per node - he gets told to piss off and read a textbook).

    As for the .NET problem, it's a case of the configuration file for the application getting written to the root of the system drive! It's a flat-file database implemented poorly, and among other wonders it has a lockfile in case two people are using it at the same time, to prevent corruption. I really do not know why the programmer didn't look at one of the thousand examples of simple data handling done well, but it's basket weaving, not engineering.

    The annoying thing is some people were migrated from Linux to XP with an X Windows program just to use this in-house bit of rubbish, which requires ringing around to see who has locked the file before they can even use it. It is the only MS Windows-specific application they use - Thunderbird, Firefox, OpenOffice etc. are all cross-platform and the majority of their work is done on a Linux cluster, which requires X Windows anyway (add $500 more after XP to use that).

  14. Re:Well, if you have deep pockets... by Macthorpe · · Score: 3, Informative

    It was patched a long time ago - last October, to be precise.

    --
    "It does not do to leave a live dragon out of your calculations, if you live near him." - Tolkien

  15. Re:This is you on windows by Anonymous Coward · · Score: 2, Interesting

    "Oh, I KNOW Windows loves me" - by Chris Tucker (302549) on Friday February 20, @07:50PM (#26937217)

    It does, because it does ME, & I have yet to be infected/infested for decades online now...

    You can have the same results, simply IF you can read English & apply what is noted here to secure yourself (1-2 hrs. of work for YEARS of uptime, stability, & bug-free operation):

    HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, plus make it "fun-to-do", via CIS Tool Guidance:

    http://www.tcmagazine.com/forums/index.php?s=e692b654cf47859bebf9e4380bec3a03&showtopic=2662

    ----

    "All the abuse is my fault. I deserve it!" - by Chris Tucker (302549) on Friday February 20, @07:50PM (#26937217)

    It's the fault of Microsoft for shipping the OS in such a relatively unsecured state (&, it doesn't HAVE to be that way, because tools like SCW (Security Configuration Wizard) exist in MS Windows variants, such as Windows Server 2003 for example, & it OUGHT to be run right after setup is completing... but it's not, for example), &, the fault of the misguided fools that create these machinations...

    I will say 1 thing in defense of the people that create malware in general (as I call it) - they ARE pointing out FUNDAMENTAL flaws that exist in default OS setups, but, that's about it, because their talents COULD be put to use elsewhere... but, as far as saying they are "talented" in this "art & science"?

    Hey - ANYONE can be bogus & destructive: It's "TOO EASY"... quite another to be creative for useful things, vs. creating virus & such!

    Anyhow/anyways:

    NOW - IF you just "smarten up", & disable the SERVER service (which this worm exploits a bug in), because you generally don't need it (as an end-user on a single machine online via the Internet only & NO home or work LAN/WAN connectivity needed) for 1 thing, & then watch it with JavaScript usage in your web browsers (meaning do NOT use it on "every site online under the sun", & ONLY on the sites you absolutely NEED JavaScript active for, for proper full function)?

    You CAN stay clean, & uninfected... &, even vs. THIS particular worm & its variants...

    APK