Slashdot Mirror


New, Stealthy Conficker B++ Worm Discovered

nandemoari writes "A new variant of the Conficker/Downadup worm has been detected. The worm opens a backdoor on an infected machine and allows hackers remote control of infected PCs. Dubbed Conficker B++ (and not to be confused with Conficker B), the new variant of the worm opens a backdoor with auto-update functionality, allowing a hacker to distribute malware to infected machines. It's difficult to know exactly how long Conficker B++ has been circulating, but researchers first noticed it on February 6 of this year." If this seems familiar to you, it probably is.

18 of 87 comments

  1. Detection by jetsci · · Score: 3, Interesting

    Anyone know the procedure for detecting these? I imagine A/V companies set up 'honeypots' of sorts on high-traffic networks and the like, but how do you detect something new like this? Do they track it through an old signature?

    --
    Bored at work? Play Game!
  2. Re:Why only B? by Neon+Spiral+Injector · · Score: 3, Funny

    Then he can sell it on eBay as A++++++++++++++

  3. This is just a passing virus by BadAnalogyGuy · · Score: 5, Funny

    No need to worry. I'd be more worried about Conficker C. Lots of opportunities to shoot you in the foot.

    Then someone will undoubtedly create Conficker C++ and everyone will cry about how hard it is to understand and they will all flock to Conficker Java which promises a much cleaner object system.

    But eventually you know that some idiot is going to write Conficker C# which looks suspiciously like Conficker Java, but after a while grows into this gigantic mess of quickfix designs.

    So if you think Conficker B is bad, just wait a while.

  4. But can it.... by SGDarkKnight · · Score: 3, Funny

    cause five tankers in the Ellingson fleet to capsize?

    --

    ...A no smoking section in a restaurant is like having a no peeing section in a swimming pool...
  5. Re:Old news? by AlterRNow · · Score: 3, Insightful

    News for nerds, stuff that matter[ed yesterday]!

    On another note, if the editor knew of the previous story, why was it posted? I must admit, I'm not very knowledgeable on the editorial process of ./

    --
    The disappearing pencil trick. Let me show you it.
  6. Re:profit motive by Anonymous Coward · · Score: 5, Funny

    Sell anti-virus software.

  7. Re:Old news? by Duhfus · · Score: 3, Funny

    I must admit, I'm not very knowledgeable on the editorial process of ./

    Don't worry, the editors don't either.

  8. Re:profit motive by Lord+Ender · · Score: 4, Insightful

    Botnets can be profitable; however, someone skilled enough to write the malware necessary for botnet creation could likely be making better money in the private sector with a real job and no jail risk (in the US, at least). Most of the stuff I see comes from Eastern Europe or Asia, where law enforcement is unlikely to prosecute and there aren't decent software industries hiring people with programming talent.

    So they make money by

    • sending spam
    • click-fraud (scamming web advertisers)
    • stealing CC numbers
    • DDoS extortion (yes, European banks have paid botnet owners' extortion demands to avoid getting DoSed.)
    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
  9. Re:profit motive by Saint+Aardvark · · Score: 5, Interesting

    You laugh, but that situation is just what F-Secure describes for an unrelated bit of Facebook malware. FTFA:

    As we pointed out in yesterday's post, the timing of the Facebook "Error Check System" application and the subsequent Google search results pointing to rogue antivirus sites was almost too perfect to be a coincidence. It's entirely possible that the whole situation was designed to promote XP Antivirus variants such as "Antivirus 360" and "XP Police" (Rogue:W32/XPAntivirus). That's the formula, create something that spawns a search, then be ready to provide results that redirect to malicious sites. Either that or the bad guys are very quick on their feet and are ruthlessly opportunistic.... They're both.

  10. Re:Old news? by Spatial · · Score: 3, Funny

    The editors are a great guy, they accidentally a dupe and don't afraid of anything.

  11. How to detect Conficker C# by Dystopian+Rebel · · Score: 4, Funny

    The only way to detect Conficker C# is that it requires the .NET runtime environment and MS SQL Server Express.

    --
    Rich And Stupid is not so bad as Working For Rich And Stupid.
  12. Who is at risk? by Anonymous Coward · · Score: 2, Informative

    Let's turn this blog positive.

    What current anti-virus solution detects and removes this new variant?
    Who is at risk? People with updated anti-virus solutions, or just people who don't use and update them?
    Are people with Linux and OS X at risk also? What is the scope of it?
    If Linux and OS X are not threatened, this might be another reason not to use Windows?
    The answers to these will help people determine just how big a threat this new variant might or might not be, and help them help themselves.


    1. Re:Who is at risk? by dave562 · · Score: 2, Informative

      The article spells it out. People who haven't applied the security patch that Microsoft released months ago are vulnerable. The rest of the world is just fine. So, like usual, it comes down to the poor home users who get screwed, while the corporate networks that actually have admins doing their job maintaining them are doing just fine. Luckily things are better, and only the subset of home users who don't have automatic updates turned on are screwed.

  13. Re:profit motive by stevey · · Score: 3, Interesting

    That's not necessarily true - I mean the skills required to exploit a known security hole aren't terribly difficult.

    If you're familiar with a small amount of low-level coding you can easily follow cookbook-style tutorials on getting shellcode executed. At that point you're done.

    Sure, you need to do some disguising, and you need to understand a bit of crypto to set up key verification for downloading updates.

    But I'd expect there are literally millions of coders still kicking around from the 80s/90s who did assembly programming under MS-DOS who would be able to write that kind of code, and because it isn't really, really skilled work the chances are high that a significant proportion of those developers are unemployed.

  14. Armour Hot Dogs? by srobert · · Score: 2, Funny

    Seems to go with the Armour Hot Dog song. Was that the intent?

  15. so if I understand this correctly .... by nblender · · Score: 2, Interesting

    We (the global 'we') had a chance to stop Conficker before this version came about, by working with the registrars and/or root nameservers, pre-emptively invalidating each of the algorithmically generated domain names on a day-by-day basis, and preventing cornfucker from updating itself or receiving instructions on how to proceed. The authors noticed that we could do that and, before we could think of it, modified it so that once we did think of it, it would be too late....

    I clearly must not understand the intricacies of this....

    My fantasy (because I won't be affected by this) is that once the owners of the botnet are sufficiently happy with their market share, they will instruct cornfucker to encrypt all files on everyone's PC and then wait for the moneh to start rolling in....
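The defensive idea in the comment above, pre-computing a day's algorithmically generated domains so they can be registered, sinkholed or blocked before the bot asks for them, is shown below as an added example that is not part of the original thread. The date-seeded generator here is a hypothetical stand-in built for illustration and is not Conficker's actual algorithm; the salt, TLD list, domain count and the DNS resolver log lines are all constructed. The point it demonstrates is that a defender who knows the generator can enumerate tomorrow's rendezvous points today and match live DNS queries against that list.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical DGA (NOT Conficker's real algorithm). The bot derives a seed
# from the calendar date plus a fixed salt and expands it into a small set of
# candidate domains per day. All constants below are made up for this example.
SEED_SALT = b"example-dga-salt"
TLDS = ("com", "net", "org")
DOMAINS_PER_DAY = 8


def daily_domains(day: date, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Domains the (hypothetical) bot would try on a given calendar day."""
    domains = []
    for i in range(count):
        material = SEED_SALT + day.isoformat().encode() + i.to_bytes(2, "big")
        h = hashlib.sha256(material).digest()
        length = 8 + (h[0] % 5)                       # 8..12 character label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        tld = TLDS[h[31] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def block_list(start: date, days_ahead: int) -> set[str]:
    """Defender side: enumerate every domain the bot could use in the window,
    which is what a registrar or sinkhole operator needs ahead of time."""
    blocked = set()
    for n in range(days_ahead):
        blocked.update(daily_domains(start + timedelta(days=n)))
    return blocked


def flag_queries(log_lines, blocked):
    """Return (client_ip, qname) for resolver log lines that hit a pre-computed
    domain. Constructed log format: '<timestamp> <client-ip> query <qname>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 4 and parts[2] == "query":
            qname = parts[3].rstrip(".").lower()
            if qname in blocked:
                hits.append((parts[1], qname))
    return hits


# Constructed sample input: two infected clients querying generated domains
# (one for today, one for tomorrow) and one benign lookup in between.
SAMPLE_DAY = date(2009, 2, 20)
SAMPLE_LOG = [
    f"2009-02-20T10:01:02 192.0.2.10 query {daily_domains(SAMPLE_DAY)[0]}.",
    "2009-02-20T10:01:05 192.0.2.11 query www.example.com.",
    f"2009-02-20T10:02:30 192.0.2.12 query "
    f"{daily_domains(SAMPLE_DAY + timedelta(days=1))[3]}.",
]


def run_demo():
    """Pre-compute a two-day window and check the sample log against it."""
    return flag_queries(SAMPLE_LOG, block_list(SAMPLE_DAY, days_ahead=2))


if __name__ == "__main__":
    for client, qname in run_demo():
        print(f"{client} asked for generated domain {qname}")
```

This only works while the generator and its inputs are known and the registrations keep pace with the daily output; a change to the algorithm, or a jump in the number of domains per day, makes the pre-computed list stale, which is the race the comment describes.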

  16. Proper naming convention, please by LordSnooty · · Score: 2, Interesting

    Conficker/Downadup? B? B++? Is it time we had a proper naming scheme for these things? For this instance we've seen several companies getting together to coordinate a response - that's good. But even better, if everyone were to agree on the same name, WE could coordinate our response too.

    And what kind of scheme? Well, how about following the convention of the hurricane trackers? 26 names assigned to each major piece of malware that appears throughout the year. This is a double bonus, as ending the practice of using the authors' chosen names might take away some of that bragging aspect. "Oh, you wrote Malware Julie did you?? Bwahaha"

  17. Re:When Change comes to viruses by daveime · · Score: 2, Funny

    You just described Vista ...