New, Stealthy Conficker B++ Worm Discovered

← Back to Stories (view on slashdot.org)

New, Stealthy Conficker B++ Worm Discovered

Posted by CmdrTaco on Wednesday February 25, 2009 @04:03AM from the god-i-love-that-name dept.

nandemoari writes "A new variant of the Conficker/Downadup worm has been detected. The worm opens a backdoor on an infected machine and allows hackers remote control of infected PCs. Dubbed Conficker B++ (and not to be confused with Conficker B), the new variant of the worm opens a backdoor with auto-update functionality, allowing a hacker to distribute malware to infected machines. It's difficult to know exactly how long Conficker B++ has been circulating, but researchers first noticed it on February 6 of this year." If this seems familiar to you, it probably is.

60 of 87 comments (clear)

Why only B? by wjh31 · 2009-02-25 04:05 · Score: 1

are they expecting another even better/worse one after this?
1. Re:Why only B? by gEvil+(beta) · 2009-02-25 04:08 · Score: 1
  
  Whoever created this is still working on it. He's hoping to perfect it soon, and then we'll have Conficker A+.
  
  --
  This guy's the limit!
2. Re:Why only B? by Neon+Spiral+Injector · 2009-02-25 04:09 · Score: 3, Funny
  
  Then he can sell it on eBay as A++++++++++++++
3. Re:Why only B? by DesgarTadema · 2009-02-25 05:14 · Score: 1
  
  It's like with the USS Enterprise: there are a lot of letters left in the alphabet.
Detection by jetsci · 2009-02-25 04:05 · Score: 3, Interesting

Anyone know the procedure for detecting these? I imagine A/V companies setup 'honeypots' of sorts on high traffic networks and that but how do you detect something new like this? Do they track it through an old signature?

--
Bored at work? Play Game!
1. Re:Detection by iztehsux · 2009-02-25 05:09 · Score: 1
  
  I run a Nepenthes box on my network and I get collected hits from a variety of worms every single day. No sign of a Conficker worm trying to blast my net, but if something connects and gets detained, you can take it apart and look at it. Either way, it's pretty useful for tracking different random infected boxes and you could probably create a sig that uniquely identifies it.
profit motive by BigHungryJoe · 2009-02-25 04:07 · Score: 1

I'm assuming there's some sort of profit motive behind all this virus writing... is it to generate crappy run-of-network traffic for ad revenue? Identity theft? Extorting money from online businesses by threatening to turn your bot network on them? What?
1. Re:profit motive by Anonymous Coward · 2009-02-25 04:20 · Score: 5, Funny
  
  Sell anti-virus software.
2. Re:profit motive by Yvanhoe · 2009-02-25 04:27 · Score: 1
  
  Spam providers exist and will organize your "ad campaign" for a small fee. They need a bot to send millions of mail.
  Scamers and phishers need anonymate also, a botnet can provide this.
  There is also the very possible old-fashion extortion, mafia style.
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
3. Re:profit motive by Lord+Ender · 2009-02-25 04:30 · Score: 4, Insightful
  Botnets can be profitable, however, someone skilled enough to write the malware necessary for botnet creation could likely be making better money in the private sector with a real job and no jail risk (in the US, at least). Most of the stuff I see comes from Eastern Europe or Asia, where law enforcement is unlikely to prosecute and there aren't decent Software industries hiring people with programming talent.
  So they make money by
  sending spam
  click-fraud (scamming web advertisers)
  stealing CC numbers
  DDoS extortion (yes, european banks have paid botnet owners' extortion demands to avoid getting DoSd.)
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
4. Re:profit motive by Saint+Aardvark · 2009-02-25 04:37 · Score: 5, Interesting
  
  You laugh, but that situation is just what F-Secure describes for an unrelated bit of Facebook malware. FTFA:
  
  As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence. It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula, create something that spawns a search, then be ready to provide results that redirect to malicious sites. Either that or the bad guys are very quick on their feet and are ruthlessly opportunistic.... They're both.
  
  --
  Carousel is a lie!
5. Re:profit motive by domatic · 2009-02-25 04:39 · Score: 1
  
  DDoS extortion (yes, european banks have paid botnet owners' extortion demands to avoid getting DoSd.)
  You'd think large banks would be more able to "follow the money" better than most victims and swing the clout to do something about it once they have.
6. Re:profit motive by Zironic · 2009-02-25 05:20 · Score: 1
  
  [citation needed]
7. Re:profit motive by stevey · 2009-02-25 05:20 · Score: 3, Interesting
  
  That's not necessarily true - I mean the skills required to exploit a known security hole aren't terribly difficult.
  If you're familiar with a small amount of low-level coding you can easily follow cookbook-style tutorials to getting shellcode executed. At that point you're done.
  Sure you need to do some disguising, and you need to understand a bit of crypto to setup a key-verification for downloading updates.
  But I'd expect there are literally millions of coders still kicking around from the 80s/90s who did assembly programming under MS-DOS who would be able to write that kind of code - and because it isn't really really skilled work the chances are high that a significant proportion of those developers are unemployed.
8. Re:profit motive by Lord+Ender · 2009-02-25 07:13 · Score: 1
  
  I disagree with you.
  Point 1: Building and managing a botnet is not just "exploit[ing] a known security hole."
  Point 2: Your statement that computer programming is not "skilled work" is just bizarre.
  Point 3: Your statement that a "significant proportion" of "millions of coders" are unemployed isn't backed up by any evidence I've seen. Unemployment is high right now, but not among programmers.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
9. Re:profit motive by stevey · 2009-02-25 07:23 · Score: 1
  
  A botnet starts off with one machine, scanning the world for more vulnerable hosts and exploiting them in turn. Sure you'd do better if you were to have a few hundred to start with - but building a botnet, assuming you can create an exploit is almost trivial.
  I wasn't suggesting that computer programming is unskilled, merely that there are no real special skills required to exploit a security hole - which is what you were trying to imply.
  (i.e. Botnet writers are not so amazingly skilled that they would be snapped up in a hurry, which was the point you were trying to make.)
  As for unemployment, you could be right I'll not try to argue that either way really. My main point was that somebody capable of creating and controlling a botnet is not so very highly skilled that they're certain of a high paying job, which was your assertion.
10. Re:profit motive by Lord+Ender · 2009-02-25 07:51 · Score: 1
  
  Have you actually studied botnets? Especially modern ones like conficker? To build one, you need to get an exploit working, you need to write the virus component so that it spreads, and you need to write the server (bot) component. You must also include some tricks to disable security software, and perhaps implement a code obfuscation process which can't be easily reverse-engineered. On top of all that, you MUST have a sophisticated method for controlling the botnet that is highly scalable, extremely difficult to track, and extremely difficult to disable by ISPs.
  This isn't something that requires a super genius, but it's not something most college-educated entry-level programmers would be able to even do. Senior-level programmers would have trouble with it, as well. It's not kid's stuff.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
11. Re:profit motive by stevey · 2009-02-25 08:34 · Score: 1
  
  Yes I've studied them, partly because i used to code exploits in the past, and partly out of curiosity.
  I did say initially there are parts to them that require knowledge. The authentication steps to ensure the owner keeps control, and the rootkit components to hide them once installed would probably be the most challenging aspects of the net.
  But none of the pieces are individually hard to code (I've written several of them myself) and while a junior/entry-level programmer might struggle I'm not convinced they are particularly difficult to construct from start to finish.
  If anything I'm impressed that we see so few botnets!
12. Re:profit motive by dave562 · 2009-02-25 08:46 · Score: 1
  
  But I'd expect there are literally millions of coders still kicking around from the 80s/90s who did assembly programming under MS-DOS who would be able to write that kind of code - and because it isn't really really skilled work the chances are high that a significant proportion of those developers are unemployed.
  That's right. I cut my teeth on x86 ASM cracking warez and writing virii. Programming never really grabbed my attention though. All things considered it was much too dry and structured. I didn't want to spend my life writing functions and low level code. Push to stack, pop from stack, xor, nop, znj, blah blah blah. Once Microsoft came out with Win95 and started to cut off direct calls to the CPU, my rudimentary ASM skills become more or less obsolete.
  I'm still predicting that sooner or later, Apple via OSX is going to see a huge outbreak of malware. An x86 CPU is an x86 CPU. It will run the same low level code, whether that code is executed through Windows or OSX. It just seems like Apple has done a slightly better job of controlling access to the hardware than Microsoft has. The payloads are all ready to go. Someone just needs to find a chink in the armor. Once Apple gets enough market share to make it worth while, those chinks will be found. Until then, everyone will keep going after the low-hanging fruit that are the Windows boxen.
13. Re:profit motive by Lord+Ender · 2009-02-25 09:38 · Score: 1
  
  There is a difference between writing "a few" botnets, and writing one that actually works. Yours didn't work. You didn't have a control channel sophisticated enough to scale and avoid standard security controls.
  
  --
  A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
14. Re:profit motive by stevey · 2009-02-25 09:42 · Score: 1
  
  You misunderstand me - I didn't mean to say I've created and released botnets into the wild.
  I meant that with private networks I've created self-replicating code which actively scanned and infected new hosts and had a sophisticated control mechanism which allowed control, updates, and activities.
  Still I've either convinced you that writing a bot, and by extension creating a botnet, is not exceptionally difficult - or I haven't.
15. Re:profit motive by Narnie · 2009-02-25 10:36 · Score: 1
  
  They're creating a network to run Prime95 and win the EFF awards for finding prime numbers.
  
  --
  greed@All_Evils:~#
This is just a passing virus by BadAnalogyGuy · 2009-02-25 04:10 · Score: 5, Funny

No need to worry. I'd be more worried about Conficker C. Lots of opportunities to shoot you in the foot.
Then someone will undoubtedly create Conficker C++ and everyone will cry about how hard it is to understand and they will all flock to Conficker Java which promises a much cleaner object system.
But eventually you know that some idiot is going to write Conficker C# which looks suspiciously like Conficker Java, but after a while grows into this gigantic mess of quickfix designs.
So if you think Conficker B is bad, just wait a while.
1. Re:This is just a passing virus by jetsci · 2009-02-25 04:13 · Score: 1
  
  Did they already release Conficker-Basic?
  
  --
  Bored at work? Play Game!
2. Re:This is just a passing virus by Ian+Alexander · 2009-02-25 08:26 · Score: 1
  
  Well yeah, but you need the BASIC interpreter installed to run it, so it's not like it does anything on 99% of systems.
3. Re:This is just a passing virus by lennier · 2009-02-25 10:16 · Score: 1
  
  Forth Conficker powerful very is to used getting some takes but.
  
  --
  You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
Cornfucker national anthem... by Smidge207 · 2009-02-25 04:14 · Score: 1, Funny

*ahem* [taps microphone, clears throat again] *ahem*
And a five, six, seven, eight:
"Botnets, worldwide botnets.
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, TRUE!
Gateway, Packard Bell, maybe even Asus, too.
Are boxes, found on botnets.
All running Windows, FOO [fu]!"
=Smidge=

--
Is it just my observation, or is eldavojohn an idiot?
Old news? by davidwr · 2009-02-25 04:14 · Score: 1

Is it just me or has /. been reading like yesterday's news lately?

--
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
1. Re:Old news? by Logical+Zebra · 2009-02-25 04:18 · Score: 1
  
  That might be because it takes so long for stories to get approved...
  
  --
  I have a bad feeling about this...
2. Re:Old news? by AlterRNow · 2009-02-25 04:20 · Score: 3, Insightful
  
  News for nerds, stuff that matter[ed yesterday]!
  On another note, if the editor knew of the previous story.. why was it posted? I must admit, I'm not very knowledgeable on the editorial process of ./
  
  --
  The disappearing pencil trick. Let me show you it.
3. Re:Old news? by Duhfus · 2009-02-25 04:28 · Score: 3, Funny
  
  I must admit, I'm not very knowledgeable on the editorial process of ./
  
  Don't worry, the editors don't either.
4. Re:Old news? by Spatial · 2009-02-25 04:41 · Score: 3, Funny
  
  The editors are a great guy, they accidentally a dupe and don't afraid of anything.
5. Re:Old news? by icannotthinkofaname · 2009-02-25 05:37 · Score: 1
  
  I'm not very knowledgeable on the editorial process of ./
  Neither am I. Come to think of it, this is the first I've heard of the "editorial process of the current working directory." I ought to go googling later....
  Or is there some other dot-slash that's relevant to this story?
  
  --
  Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
6. Re:Old news? by Cthefuture · 2009-02-25 07:33 · Score: 1
  
  Meh, I would not have seen it if it wasn't posted today. Who cares about a few duplicates every once in a while. You get a fresh update and maybe some new people talking about it.
  
  --
  The ratio of people to cake is too big
7. Re:Old news? by AlterRNow · 2009-02-25 21:02 · Score: 1
  
  Nicely spotted
  
  --
  The disappearing pencil trick. Let me show you it.
But can it.... by SGDarkKnight · 2009-02-25 04:17 · Score: 3, Funny

cause five tankers in the Ellingson fleet to capsize?

--

...A no smoking section in a restaurant is like having a no peeing section in a swimming pool...
1. Re:But can it.... by Acapulco · 2009-02-25 05:02 · Score: 1
  
  "The little boat...flipped over." - Mr. The Plague
  
  --
  Slashdot. Unreadable news to annoy nerds. - wonkey_monkey
2. Re:But can it.... by V!NCENT · 2009-02-25 05:34 · Score: 1
  
  "A hacker planted the virus"
  -"Is that -?"
  "-That is mr. conflicker B++"
  -"Well then, put our servers under Linux control"
  "There's no such thing anymore, Duke. These computers are fully DRMised. It relies on satalite internet, which links our servers to Redmond"
  
  --
  Here be signatures
I can't seem to get a Linux copy of this worm by mrphoton · 2009-02-25 04:36 · Score: 1, Funny

I am feeling very left out, I can't seem to find Conficker B++ or even Conficker B in my yum repository. sigh... It is such a shame that linux is always behind the curve as far as new and exciting features are concerned.
1. Re:I can't seem to get a Linux copy of this worm by gzipped_tar · 2009-02-25 04:59 · Score: 1
  
  I am feeling very left out, I can't seem to find Conficker B++ or even Conficker B in my yum repository. sigh... It is such a shame that linux is always behind the curve as far as new and exciting features are concerned.
  'Coz the distro maintainers refused to include non-opensource binary blob in their repo.
  Make yourself heard. Chances are the malware author is considering opensourcing it too but no one's asking for it so far.
  
  --
  Colorless green Cthulhu waits dreaming furiously.
2. Re:I can't seem to get a Linux copy of this worm by icannotthinkofaname · 2009-02-25 05:39 · Score: 1
  
  Just install Wine and run it through that. /problem>
  
  --
  Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
Confusion by Dan+East · 2009-02-25 04:38 · Score: 1

Conflicker B++ should not be confused with Objective Conflicker B. Fortunately, they can easily be distinguished from one another - Objective Conflicker B has many more square brackets.

--
Better known as 318230.
How to detect Conficker C# by Dystopian+Rebel · 2009-02-25 04:42 · Score: 4, Funny

The only way to detect Conficker C# is that it requires the .NET runtime environment and MS SQL Server Express.

--
Rich And Stupid is not so bad as Working For Rich And Stupid.
1. Re:How to detect Conficker C# by b4dc0d3r · 2009-02-25 05:28 · Score: 1
  
  And once again mono prevalence increases due to viruses. Just like the good old days!
2. Re:How to detect Conficker C# by yanyan · 2009-02-25 05:39 · Score: 1
  
  That does it. Windows users have all the fun. This is just another sign that Linux will never, ever gain widespread acceptance. And that fabled Year of the Linux Desktop? Keep dreaming guys. I'm dumping Bubuntu Linux XP and moving to Windows. See you around suckers.
3. Re:How to detect Conficker C# by Vu1turEMaN · 2009-02-25 05:41 · Score: 1
  
  What are you talking about? Its in the .NET 3.5 Installer!
  Why do you think the full-package installer of 3.5 needs an internet connection to download more? Conspiracy!
Who is at risk? by Anonymous Coward · 2009-02-25 05:01 · Score: 2, Informative

Let's turn this blog positive.
What current anti-virus solution detects and removes this new variant ?,
Who is it risk?, people with updated anti virus solutions? or just people who don't use and update them?
Are people with Linux and OS-X at risk also ? What is the scope of it?
If Linux and OS-x are not threatened This might be another reason Not to use Windows ?
The answers to these will help people determine just how big a threat or not this new variant might be, and help them help themselves
1. Re:Who is at risk? by dave562 · 2009-02-25 08:51 · Score: 2, Informative
  
  The article spells it out. People who haven't applied the security patch that Microsoft released months ago are vulnerable. The rest of the world are just fine. So like usual, it comes down to the poor home users who get screwed while the corporate networks who actually have admins doing their job maintaining them are doing just fine. Luckily things are better and only the subset of home users who don't have automatic updates turned on are screwed.
2. Re:Who is at risk? by gad_zuki! · 2009-02-25 11:00 · Score: 1
  
  The patch stops the SMB vulnerability, but I believe the USB auto-run is just an executable. There's no vulnerability needed if the OS is going to run the autorun a file as administrator.
  MS should just globally disable autorun. This is getting out of hand. Half of these infections is probably some low-paid tech inserting the same usb drive into his customers computers. That seriously would not surprise me.
You heard about the infinite amount of monkey's? by SmallFurryCreature · 2009-02-25 05:25 · Score: 1

A bit like having an infinite amount of monkey's writing shakespear. Sadly they could only aford half a dozen monkey's but what they lack in numbers they make up for in poop slinging skills.

--

MMO Quests are like orgasms:
You may solo them, I prefer them in a group.
Armour Hot Dogs? by srobert · 2009-02-25 05:29 · Score: 2, Funny

Seems to go with the Armour Hot Dog song. Was that the intent?
so if I understand this correctly .... by nblender · 2009-02-25 05:57 · Score: 2, Interesting

We (the global 'we') had a chance to stop conflicker before this version came about; by working with the registrars and/or root nameservers; pre-emptively invalidating each of the algorithmically generated domain names on a day by day basis; preventing cornfucker from updating itself or receiving instructions on how to proceed. The authors noticed that we could do that and before we could think of it, modified it so that once we did think of it; it would be too late....
I clearly must not understand the intricacies of this....
My fantasy (because I won't be affected by this) is that once the owners of the botnet are sufficiently happy with their market-share, will instruct cornfucker to encrypt all files on everyone's PC and then wait for the moneh to start rolling in....
Proper naming convention, please by LordSnooty · 2009-02-25 06:43 · Score: 2, Interesting

Conficker/Downadup? B? B++? Is it time we had a proper naming scheme for these things? For this instance we've seen several companies getting together to coordinate a response - that's good. But even better, if everyone were to agree on the same name, WE could coordinate our response too.

And what kind of scheme? Well, how about following the convention of the hurricane trackers? 26 names assigned to each major piece of malware that appears throughout the year. This is a double bonus, as ending the practice of using the authors' chosen names might take away some of that bragging aspect. "Oh, you wrote Malware Julie did you?? Bwahaha"
1. Re:Proper naming convention, please by Culture20 · 2009-02-25 08:43 · Score: 1
  
  Conficker/Downadup? B? B++? Is it time we had a proper naming scheme for these things?
  You forgot Net-Worm.Win32.Kido.bt
  
  Well, how about following the convention of the hurricane trackers? 26 names assigned to each major piece of malware that appears throughout the year.
  Malware writers might get sloppy as they vie for the top names, trying to make sure that _their_ malware becomes a headline in just the right time to be named "Thor" or "Linus".
Functional malware by kkrajewski · 2009-02-25 07:59 · Score: 1

Don't about Conficker Lisp -- it overflows your buffers with parentheses.
When Change comes to viruses by lord_sarpedon · 2009-02-25 10:00 · Score: 1, Funny

I'd like to see an incredibly stealthy virus - one that stays out of the way to the point that it isn't detected for some number of years.
Have it patch key parts of the Windows kernel to degrade performance in subtle but believable ways...
Lobotomize the scheduler so that context switches occur much less often than they should for responsiveness.
Kick up the swappiness from Ridiculous (stock setting) to We've-gone-plaid
Divide the given buffer length for each I/O operation so that CPU usage goes up and throughput goes down.
I wonder if we'd _ever_ notice.

--
"Strangers have the best candy" -Me
1. Re:When Change comes to viruses by daveime · 2009-02-25 13:12 · Score: 2, Funny
  
  You just described Vista ...
Windows Update... by Narnie · 2009-02-25 10:21 · Score: 1

I still think Microsoft should hire these guys to revamp Windows Update.

--
greed@All_Evils:~#
1. Re:Windows Update... by Architect_sasyr · 2009-02-25 17:01 · Score: 1
  I'd have given a + mod but I have to make some points
  
  Verification of update paths is difficult to secure if you're going to permit just anyone from doing it (i.e. a "torrent" style update).
  A central authentication service, or a distributed-yet-centralised authentication service, is going to be necessary to deal with above step
  Microsoft have to update an entire OS and package, "worm guy" only has to update a few programs, and if something breaks he doesn't care
  Just a few, but there are a number of issues with distributed, safe, automatic updates. Mirroring out to secondary servers isn't a bad idea (a-la sourceforge or WSUS) but a corporation wants to maintain control over their product and who gets it. The most important one is probably the 3rd point though. Just something to think about before you go rag on an update system.
  
  /me kicks OS X server for breaking CPAN installs
  --
  Me failed English...
  FreeBSD over Linux. If my comments seem odd, this may explain...
Re:Screenshots by ImYourVirus · 2009-02-25 11:00 · Score: 1

goatse, goatse!!! do not open!!!

--
Why is common sense called that if it's not common?