Conficker Worm Asks For Instructions, Gets Update
KingofGnG writes "Conficker/Downup/Downadup/Kido malware, which according to Symantec 'is, to date, one of the most complex worms in the history of malicious code,' has been updated, and this time for real. The new variant, dubbed W32.Downadup.C, adds new features to the malware code and makes the threat even more dangerous and worrisome than before."
FIRST! Now... where do I get that update?
Just so long as it doesn't insist on verification to check that nobody is using an unauthorised copy. After all, we wouldn't want to encourage piracy... ;-)
I run Linux! http://xkcd.com/272/
If people would stop downloading free_porn.jpg from 4chan, renaming it to free_porn.exe, and running it... we would not be having these problems.
Seriously, and why can't they agree on one name?
Maybe I'm being picky here, but why does Slashdot's icon for this story depict a caterpillar? Don't the editors know the difference between a caterpillar and a worm?
Name this something else?
I run VMWare on Linux! http://xkcd.com/350/
Genesis 1:32 And God typed
Is real evolution. And I don't mean Intelligent Design.
Look, you're malware authors, you have millions of machines to play with, you could bring the next stage of artificial life to the fore. Think of the recognition, the glory, the girls.
Deleted
If it's asking for instructions, why do they have to come from the blackhats? Why couldn't someone write an update telling Conficker to cease operation and uninstall itself?
They're using their grammar skills there.
This may be the most complex worm/virus ever made, but is it any more prevalent or hard to remove?
If I do basic things like keep my Virus definitions and system OS up to date and occasionally scan for spyware, am I still at risk?
In other words, are the ones at risk the same kinds of people who'd be at risk from a lesser, simpler, worm that essentially spreads via a "click here for free porn!" banner?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
Maybe it's not the most moral thing to think, but I love malware. And this one is just great. I love Conficker. I love it because it awakens some to the flaws of the software they use. Go Downadup, Go!
Comment removed based on user account deletion
The worm probably uses encryption, so it doesn't just accept any control message from unknown sources.
Comment removed based on user account deletion
Because unless you have something to gain (other than a warm feeling that you've done something nice and have helped the world), nobody wants the liability associated with writing an illegal but benevolent worm and releasing it.
And, you know, having access to the original source code saves some time picking apart obfuscated machine code.
He's getting rather old, but he's a good mouse.
Sounds like this worm would be really easy to make toothless if it wasn't given admin privileges. As far as I know you would need to sudo any program for it to remove a higher-authority program from memory.
UAC isn't a valid replacement for this in Windows, it's just an irritation. Until Windows decides to scrap its access rights and emulate Linux, worms like this are going to get worse.
why couldn't someone write an update telling conficker to cease operation and uninstall itself?
Because that would be illegal.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
If the payload for all of these infected hosts affects traffic across the Internet, even Linux users may care about this issue. Don't be lulled into apathy, this is a powerful, dynamic and capable threat with some very advanced coding and routines. The developers know how to optimize their threat and squeeze a ton of trouble from its deployment. It now sits in a rather powerful position, depending on how they intend to use it. You can catch scanning hosts on your internal networks using listeners on port 445 from Linux boxes without Samba. Tools like netcat or our own HoneyPoint applications have proven great at finding active hosts. If you identify any in your environment, remove them immediately. The fewer zombie systems Conficker has to utilize, the better!
Check out HoneyPoint, our tools for combatting the insider threat! http://www.microsolved.com/honeypoint/
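A minimal version of the port 445 listener idea from the post above, as an added example (not the poster's code and not MicroSolved's HoneyPoint): a Linux box that runs no Samba accepts connections on 445, records each source that touches it, and ranks the sources by number of attempts so infected scanners stand out. The class and function names are assumptions of this example.

```python
"""Catch hosts scanning TCP/445 by listening where nothing legitimate should connect."""
import socket
import threading
import time
from collections import Counter


class HoneyListener:
    """Accept connections on a port this box never serves (445 on a Linux host
    without Samba) and record every source that touches it. Internal hosts that
    connect here are probing for SMB and deserve a look."""

    def __init__(self, host="0.0.0.0", port=445):
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind((host, port))
        self.sock.listen(16)
        self.sock.settimeout(0.2)        # so the accept loop can notice stop()
        self.port = self.sock.getsockname()[1]
        self.hits = []                   # (unix_time, source_ip, source_port)
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)

    def start(self):
        self._thread.start()
        return self

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, (ip, sport) = self.sock.accept()
            except socket.timeout:
                continue
            except OSError:
                break
            self.hits.append((time.time(), ip, sport))
            conn.close()                 # no banner, no protocol: just log the touch
        self.sock.close()

    def stop(self):
        self._stop.set()
        self._thread.join()

    def wait_for(self, n, timeout=5.0):
        """Block until at least n connections were recorded (or the timeout passes)."""
        deadline = time.time() + timeout
        while len(self.hits) < n and time.time() < deadline:
            time.sleep(0.05)
        return len(self.hits)

    def suspects(self, min_hits=1):
        """Source IPs ranked by number of connection attempts."""
        counts = Counter(ip for _, ip, _ in self.hits)
        return [(ip, n) for ip, n in counts.most_common() if n >= min_hits]


def probe(host, port):
    """Open and immediately close one TCP connection (used to exercise the listener)."""
    with socket.create_connection((host, port), timeout=2):
        pass


if __name__ == "__main__":
    listener = HoneyListener().start()   # binding 445 needs root on Linux
    print(f"listening on port {listener.port}; Ctrl-C to stop")
    try:
        while True:
            time.sleep(60)
            for ip, n in listener.suspects():
                print(f"{ip}: {n} connection(s) to port {listener.port}")
    except KeyboardInterrupt:
        listener.stop()
```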
What are your favorite type of worms?
*Tape
*Round
*Heart
*Nightcrawlers/earthworms/anything used for fishing
*spy/mole/CIA/KGB, including corporate espionage
*Software/malware
*German city
*Eisenia cowboynealia
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
The new variant, dubbed W32.Downadup.C
See - I told you C was a dangerous thing to use.
It continually amuses me how the mainstream media managed to censor the name of this worm. It was originally conficker, which is slang/shorthand for 'configuration file fucker', but using the German fick instead. It was also known as 'downandup' as in the hip motion; both clearly sexual references. Since any kind of indirect reference to sex gets you scrutiny and/or shunning from the Moral Majority, suddenly we have 'downadup'.... So much better?
On a random blog, which was rather legit, I ended up getting redirected to this page:
Here's the link: hxxp://gowithscan.com/?uid=13100 (malware! warning!)
It appeared to scan my Windows and find multiple vulnerabilities. Good thing I'm running Linux. Then it proceeded to obnoxiously pop up JS alerts and have me download an install.exe. Major antivirus couldn't find anything wrong with it. I have the file if anyone is interested (submitted it to clamav.org too).
it can cause five tankers in the Ellingson Fleet to capsize.
Yes, but you would have to know the right calls to entry points, possibly referenced by a long series of non-alphanumeric characters. So something like #%&*^*(!@!@#%_+|%E@!@!#$^%&*HGJ_+^&$E^
would be the command to uninstall itself.
Have fun guessing!
Besides, between checksums, encryption, and obfuscation, there are plenty of ways to stop unwanted people from updating your application.
http://209.85.173.132/search?hl=en&q=cache:kingofgng.com/eng/2009/03/16/conficker-worm-asks-for-instructions-and-gets-an-update/&btnG=Search
In Soviet Russia ^H^H^H America, The bank finances YOU!
Because unless you have something to gain (other than a warm feeling that you've done something nice and have helped the world), nobody wants the liability associated with writing an illegal but benevolent worm and releasing it.
Oh I'm not sure that there's nothing to gain from it. Does nobody remember the Morris Worm? If that's all I have to do to get a professorship position at MIT, hey, there's something to gain there!
I have left slashdot and am now on Soylent News. FUCK YOU DICE.
Now that is something BBC should take care of.
The good, the evil and the vacuum tubes.
If nobody AT ALL compiled W32.Downadup.C, by my calculations we should never see this worm in the wild. That IS the filename of the source, right? ;-p
I run XP Pro behind a router. No AV, no anti-malware of any kind. I'm just not a fucking RETARD, hence I don't have a Conficker infection. If you do, it's your fault. It's not your PC that needs securing, it's your own whorish online habits. You don't have to click everything that says Click Me or is shiny / colourful / musical. Show some fucking discernment, hell practice a little fucking DIGNITY and your PC will stay clean all on its own. Next time your e-mail buddy says "Hai did u check taht links I sent u>??" you will respond "No, this is how malware spreads, and by the way you need to scan your system."
How do you intend to bypass the code signing check?
It might be that the author of Conficker might have created it in order to increase adoption of alternatives to Windows... just thinking.
F-secure was one of the first people I'm aware of to register some of the domain names that infected machines try to contact. When people were asking this question, this was their response.
Hardening Windows is a fool's errand. It has repeatedly been demonstrated that new Windows vulnerabilities are constantly developing and the lag time before Microsoft patches them can be years.
Switching to Linux and learning to use it is a one time event. Constantly patching and protecting Windows is an ongoing and never completed task.
Facebook is billions of individual "Skinner Boxes." And if you use it you are the pigeon!
why couldn't someone write an update telling conficker to cease operation and uninstall itself?
How do you expect to make any money doing that?
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
Really cool stuff! I want this toy!!! Can't believe that authors support Windows platform only! :)
W32.Downadup.C
Risk Level 2: Low
Currently hooked on AMP
"Says who? On what basis?" - by salesgeek (263995) on Monday March 16, @12:31PM (#27211909) Homepage
Says end users who have tried this guide in the URL below is who, & here is one such person (for himself, his family, his friends, AND paying customers also):
----
HOW TO SECURE Windows 2000/XP/Server 2003 & even VISTA, + make it "fun-to-do", via CIS Tool Guidance (& beyond):
http://www.tcmagazine.com/forums/index.php?s=9783f30ecf36d1be841544233b95fdf8&showtopic=2662&st=0&start=0
----
USER FEEDBACK/TESTIMONIAL:
----
http://www.xtremepccentral.com/forums/showthread.php?s=c96cb88da236d4122a8aef2235caec6b&t=28430&page=3
"I was told last week by a co-worker who does Active Directory administration, and he said I was doing overkill. I told him yes, but I just eliminated the half-life in Windows that you usually get. He said good point. So from 2008 till 2009. No speed decreases, it's been to a LAN party, moved around in a move, and it still NEVER has had the OS reinstalled besides the fact I imaged the drive over in 2008.
Great stuff!
My client STILL Hasn't called me back in regards to that one machine to get it locked down for the kid. I am glad it worked and I am sure her wallet is appreciated too now that it works. Speaking of which, I need to call her to see if I can get some leads.
APK - I will say it again, the guide is FANTASTIC! It's made my PC experience much easier. Sandboxing was great. Getting my hosts file updated, setting services to system service, rather than system local. (except AVG updater, needed system local)"
THRONKA @ www.xtremepccentral.com
----
Yes, changing OS is disruptive, but it solves the problem of malware in near finality" - by salesgeek (263995) on Monday March 16, @12:31PM (#27211909) Homepage
So does this testimonial from only 1 person who enjoys virus/spyware/worms/trojan/rootkit & malware-in-general FREE operations, & FOR MORE THAN 1++ yr. now, especially in the face of worms like CONFICKER lately even... w/out 'downtime' associated with moving folks to a new OS platform, & certainly one they are NOT familiar with.
APK
P.S.=> Now, I strongly wager that IF it is ever "the year of Linux on the desktop"? It too will be as strongly assaulted as is Windows today & for the past 2 decades now by malware authors, simply because it is the MOST used OS there is. They're after the LARGEST POSSIBLE TARGET after all, & the monies or other critical information users stash on their PC's - you make "Linux #1"?? It'll get hit just the same as Windows has been for a decade++ now or more... apk
Oh I'm not sure that there's nothing to gain from it. Does nobody remember the Morris Worm? If that's all I have to do to get a professorship position at MIT, hey, there's something to gain there!
Oh, you mean they let Robert Morris out of jail? I kind of assumed he'd be out on parole by now...but I didn't know about the teaching post. Ah, I looked it up...Associate Professor at MIT, no less (http://en.wikipedia.org/wiki/Internet_Worm). And looks like he never had to do any hard time.
I feel a certain fondness for Morris, because I worked for the same company where he was a summer intern once. Sigh...my brush with fame. You have to give him points for originality: after all, his was the first worm. And it was 100% Unix compatible. Of course, the fact that his dad worked for the NSA as a computer security specialist may have given him something of an advantage...
Great men are almost always bad men--Lord Acton's Corollary
How do you default-block all of those one or two pixel web bugs in Firefox? Windows and Linux. Thanks in advance, I seem to be missing that somehow. I see how to block servers by default or individual images, but not how to block all images based on size.
...Anthem!
Botnets, worldwide botnets.
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, TRUE!
Gateway, Packard Bell, maybe even Asus, too.
Are boxes, found on botnets.
All running Windows, FOO!
-------
Why, yes, I AM a smug bastard who's running Mac OS X. Thanks for asking!
Guaranteed! This comment 100% Anthrax free!
I was looking for information on this last night and wasn't able to find much.
Is there a way (on a ASA/PIX specifically) to block the outbound connections made by this worm so that you can contain the traffic to the local network and also log the hosts that are infected?
The only thing I found was someone making reference to blocking http://ipaddr/search?q= requests but I couldn't find any backup for that claim. TIA
Error: Sig not found.
It's interesting to see this shift.
It is now trying to protect the existing infections.
Im a gamer, not a grammer major. This post is full of spelling and grammer mistakes.
Really? So you have never needed to patch or update any of your Linux boxes? Amazing!
All computer security is an ongoing and never completed task. It isn't something with a "do this one time and you are set forever" solution. Remaining vigilant is certainly not a "fool's errand", as you suggest.
"But this one goes to 11!"
In many cases I have found the obfuscated machine code to be more readable.
I must have an early beta release then; my file just reads W32.fear4rear.C
http://mtc.sri.com/Conficker/
Both Conficker A and B clients incorporate a binary validation mechanism to ensure that a downloaded binary has been signed by the Conficker authors.
LITTLE BOXES (with apologies to Malvina Reynolds & Pete Seger)
Little boxes on the internet
Little boxes with no security
Little boxes running Conficker
Little boxes all the same
There's a Dell one, and an Asus one
And a HP one and a Sony one,
And they have the Conficker
And they all spread it just the same
And the people on the internet
Represent a great diversity
But no one taught them to use their boxes
And they all learned just the same
They all use Windows, and don't use AV
And open executables
And now they're all in the botnet
And help expand it every day
Sorry that's all I could come up with while at work :P
"The first time I got drunk, I got married. The second time I bought a chimpanzee, after that I stayed sober" Arian Seid
Maybe the risk is low for consumer computers. The worm does nothing harmful. We'll speak about real risk when the botnet built with this worm DDoSes YOUR site.
THIS! If you read the academic analysis of the trojan/worm it will refuse to update itself unless the new payload is signed using the original 4096-bit encryption key.
OpenDNS is now working with Kaspersky to keep up on those domains and stop resolving. It's got other optional phishing filters, plus it's free and faster than Comcast's DNS.
This worm was originally written by a Second Life character, and transmitted to the real world by a hapless idiot there screwing without a virtual condom.
any other links?
Living in Chile
ZOMFG!!!
A Linux virus infected 3500 machines 7 years ago!?
Man, you put me to silence about Windows-vs-Linux security!
I will instantly stop mocking Windows for the dozens of botnets that spawn every day, have several hundred million PCs infected so far, and infect tens of thousands of PCs every day...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
I've used mandy for years and recently tried a few others because of the very issues that you mention. Over time I've learned how to simply invoke urpmi to get any package that I need and haven't needed to hand-edit a config file in 5 years. Having said that, though, may I suggest Sabayon, when the experimental bug takes you again. I think you'll be pleasantly surprised at its abilities.
VERY well done, indeed!
I bow thrice in thy honored direction!
Guaranteed! This comment 100% Anthrax free!
Amazing. The worm has already spread to change its own threat level.
We're all going to die.
If you can read this, I forgot to post anonymously.
Known to work in XP:
1, Make sure you have SP3
2, Reboot into safe mode
3, Shave your crotch, and apply the cream
4, wait 3 hours then reboot normally
5, if problem persists repeat steps 3 and 4
Proudly Butchering code for 20 years
The module is named downadup.c not downandup.c, so unless you are suggesting the virus writers are PC, get a clue!
The implications of these connections are as follows. The systems that performed these connections employed applications that computed a set of Conficker A domain names. However, these systems employed the Conficker B URL string request, which Conficker A victims are incapable of producing. Furthermore, Conficker B victims include a trigger to prevent connections to any Internet rendezvous points prior to 1 January 2009. This temporal trigger, along with the targeting of a Conficker A domain, indicates that these victims cannot be running B. Thus, these connections must either be associated with a hand-generated request with awareness of variant B's URL format, or a variant application that combined both functions with A and B, i.e., a hybrid test application. The Kiev Ukraine geolocation of connection 1 offers further potential interest because Kiev is also associated as a registered location of Baka Software (baka.kiev.ua).
Is it that difficult to get a warrant and a search for these guys? It seems pretty obvious to me they are responsible.
I.O.U One Sig.
What's the proper voice to read this in? Comic Book Guy? Morgan (Freeman)? Alan Rickman? There should be a video montage somewhere...please don't leave out Dogs and cats living together!
WARNING: Smartphones have side effects--most of them undocumented.
Their job is to sell virus protection, not to automatically cleanse millions of infections, let alone destroy the virus before it causes havoc.
I just read several articles on this virus, including TFA and some links on that page, as well as few other sources.
Something started bothering me about all this.
I asked myself, "What damage is it doing?", and, aside from some DDoS attacks, which appear unintended and pretty limited in scope, there is really only one thing left.
It appears to be inoculating computers against tampering by MICROSOFT, and not much else. Now, that statement might sound obvious, but the intent may not be so obvious.
Suppose, just for a moment, that the person/persons behind this virus are acting from a purely ALTRUISTIC motivation, and that their goal is not to remove control of computers, but to keep Microsoft from doing whatever the hell it is they want to do?
"Microsoft Genuine Advantage" and numerous other "protections" are used by Microsoft to slipstream DRM onto everyone's machines, this virus blocks it, along with all the other sneaky, under-handed stuff Microsoft does with "patches" and "hotfixes".
I got modded troll in another post when I stated, jokingly, that everything that I did to keep Microsoft's fingers out of my Windows machine, manually, this virus does as well. This virus stonewalls Microsoft in almost precisely the same fashion I did.
Another thing that got me thinking was the fact I could not find a single source that said that this virus cripples AV software, rather than just protecting itself from it. If it is keeping the rest of the AV software functioning, just what, exactly, is this virus damaging?
Aside from the OBVIOUS issue of having something out of your control on your machine, how is what this thing is doing any different from what Microsoft itself is doing?
Could this all be the efforts of some, well-intentioned, Irate Microsoft Hater trying to protect us all from the Borg assimilation?
It sounds like these worms would be so much more elegantly architected using erlang. When will the worm industry finally escape its Windows/x86 ASM legacy and enter the wonderful world of distributed, functional dynamic programming?
I must be dumb.
If they knew which domain(s) the worm will contact for updates, why didn't they ("authorities", let's say) give the worm the updates? They could've disabled it or done a million other things.
Welp.
Does anybody know if Microsoft has ever offered a reward for the capture of a virus creator, as they have with this one?
Reference:
http://www.microsoft.com/presspass/press/2009/feb09/02-12ConfickerPR.mspx
It's as if they are leaving their fingerprints all over the crime scene.
Modding me -1 troll doesn't make me wrong.
I don't know what you're talking about. I don't see this alleged update anywhere in Synaptic.
Surely I'm not the only one sitting here with a mental image of the Conficker worm authors and their intentions. Hitler-esque guy sitting in front of computer "heheheh" "All your base are belong to us" Surely????? - Come on mad power tripping malware author.
+n insightful
Well, my sister-in-law called and her computer won't boot. Another *&)(* rootkit/worm/virus, most likely. And I just disinfected it at Christmas. Who knows which one this time around. It could be a game that the kids downloaded, or it could be something else. So in the end, running Linux hasn't helped me at all :-). If I could just get them to use Firefox, it would probably help some...
I guess this counts as a shameless plug, but I wrote about this using a sci-fi, self replicating minefield as an analogy: Controlling a Minefield. As someone else said, it simply comes down to digital signatures, though it doesn't even need to even be that complicated to do simple things.
Any method of generating a problem and its solution at the same time, where the problem is very difficult to solve, would work.
For a simple approach as an example, before the worms are spread, various one-time commands could be set up by first finding two large primes, multiplying them together, storing that composite in the worms and associating it with a command. Finding the two primes from the composite is impractical, but if the authors want to issue a command, they just broadcast the two primes. It would be easy for the worms to verify that these are the correct primes, and then execute the corresponding command.
This can also be done with the knapsack problem.
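The factoring and knapsack commitments sketched in the comment above, worked through as an added example (not the poster's code, and not what Conficker does; the SRI quote earlier in the thread says the real worm checks a signature on downloaded binaries). It shows why a well-meaning third party cannot push an "uninstall" command: the agent holds only the composite or the target sum, never the witness, and each entry is retired after one use because a broadcast witness can be replayed. All function names and the demo primes are assumptions of this example.

```python
"""One-time command authentication from a hard problem and its witness."""
from math import isqrt


def _is_prime(n):
    """Trial division, adequate for the demo-sized primes used below."""
    if n < 2:
        return False
    return all(n % d for d in range(2, isqrt(n) + 1))


# Factoring flavour: the agent stores only p*q; whoever later broadcasts
# (p, q) proves they held the secret when the composite was created.
def make_factoring_command(p, q, command):
    """Controller side, done before deployment: commit to a command."""
    if not (_is_prime(p) and _is_prime(q) and p != q):
        raise ValueError("p and q must be distinct primes")
    return {"composite": p * q, "command": command}


def open_factoring_command(entry, p, q):
    """Agent side: release the command only if (p, q) really factors the stored value."""
    if p <= 1 or q <= 1 or p * q != entry["composite"]:
        return None                      # wrong witness, or the trivial 1 * N
    return entry["command"]


# Knapsack flavour (the comment's second suggestion): the agent stores the
# weights and a target sum; the witness is the subset that reaches the target.
def make_knapsack_command(weights, chosen, command):
    if not set(chosen) <= set(range(len(weights))):
        raise ValueError("chosen indexes must refer to the weights list")
    return {"weights": list(weights),
            "target": sum(weights[i] for i in chosen), "command": command}


def open_knapsack_command(entry, chosen):
    chosen = list(chosen)
    if len(set(chosen)) != len(chosen):
        return None                      # a repeated index is not a subset
    if not set(chosen) <= set(range(len(entry["weights"]))):
        return None
    total = sum(entry["weights"][i] for i in chosen)
    return entry["command"] if total == entry["target"] else None


def dispatch_once(table, key, opener, *witness):
    """Verify a broadcast witness against table[key] and retire the entry:
    once the witness is public anyone could replay it, so each commitment
    authenticates exactly one use (the comment's 'one-time commands')."""
    entry = table.get(key)
    if entry is None:
        return None
    command = opener(entry, *witness)
    if command is not None:
        del table[key]
    return command


if __name__ == "__main__":
    # Demo-sized primes; a real scheme would use primes far too large to factor.
    table = {"c1": make_factoring_command(1000003, 999983, "halt"),
             "c2": make_knapsack_command([3, 5, 11, 20, 41], [0, 2, 4], "sleep")}
    print(dispatch_once(table, "c1", open_factoring_command, 3, 7))             # None
    print(dispatch_once(table, "c1", open_factoring_command, 1000003, 999983))  # halt
    print(dispatch_once(table, "c1", open_factoring_command, 1000003, 999983))  # None
    print(dispatch_once(table, "c2", open_knapsack_command, [4, 0, 2]))         # sleep
```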
GNU SLASH LINUX, you insensitive clod!