Slashdot Mirror


Conficker Worm Asks For Instructions, Gets Update

KingofGnG writes "Conficker/Downup/Downadup/Kido malware, which according to Symantec 'is, to date, one of the most complex worms in the history of malicious code,' has been updated, and this time for real. The new variant, dubbed W32.Downadup.C, adds new features to the malware code and makes the threat even more dangerous and worrisome than before."

1 of 285 comments

  1. Re:Dumbasses by Quothz · Score: 0, Flamebait

    What does it mean to "open a JPG image with a file compression app"? I open WinZip and put the file in a new archive? Then I add some malicious program to the zip file? I don't see how this would work.

    While the precise details escape me, it helps if you're aware that .jpg -is- a compressed format, in much the same way that .zip or .rar are compressed formats (although .jpg is deliberately designed to be a lossy compression format). Bitmaps (.bmp) and .tif are the major uncompressed image formats. When you decompress a .jpg, you end up with a .bmp or .tif.

    I believe the overflow caused by that old virus was built into the compression algorithm. No need to decompress a .jpg first, in that case; start with a .bmp and compress it to .jpg, including the code to cause the overflow and make with the damage. You obviously cannot do this with standard compression programs; you'd need one written to insert the code within the compression process.

    When the recipient tries t'look at the pretty picture, a specific piece of data from the image (which you put there) is too big for its buffer, and starts writing all willy-nilly onto adjacent memory. That "extra" data turns out to be the virus, and it's now resident in memory, able to execute with the same privileges as the user.

    More or less. Buffer overflowery is a bit over my head, but I think that's a decent rough picture.
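The "piece of data too big for its buffer" in the comment above is, concretely, a length field the decoder reads from the file and trusts. As an added example (not code from the thread or from any real decoder), here is a JPEG marker-segment walker in C that applies the three checks an unchecked `memcpy` skips; the 64-byte buffer and the sample images are constructed for the demo, and the segment layout is the standard JPEG one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define PAYLOAD_CAP 64  /* fixed-size destination buffer (constructed for the demo) */

/* JPEG marker segment: 0xFF <marker> <len_hi> <len_lo> <payload>. The 16-bit
 * big-endian length counts itself plus the payload and comes straight from the
 * file, so a decoder must never trust it. Returns the number of segments copied
 * before EOI/SOS, or -1 if the stream is malformed. An unchecked decoder would
 * do memcpy(payload, data + pos + 4, seglen - 2) and overrun on a bad length. */
int walk_jpeg_segments(const uint8_t *data, size_t size)
{
    uint8_t payload[PAYLOAD_CAP];
    size_t pos, n = 0;
    if (size < 2 || data[0] != 0xFF || data[1] != 0xD8)  /* SOI marker */
        return -1;
    for (pos = 2; pos + 2 <= size && data[pos] == 0xFF; n++) {
        uint8_t marker = data[pos + 1];
        if (marker == 0xD9 || marker == 0xDA)          /* EOI, or SOS: stop here */
            return (int)n;
        if (pos + 4 > size) return -1;                 /* truncated length field */
        size_t seglen = ((size_t)data[pos + 2] << 8) | data[pos + 3];
        if (seglen < 2) return -1;                     /* must cover its own 2 bytes */
        size_t plen = seglen - 2;
        if (plen > size - (pos + 4)) return -1;        /* payload runs past end of file */
        if (plen > sizeof payload) return -1;          /* payload larger than the buffer */
        memcpy(payload, data + pos + 4, plen);         /* now provably in bounds */
        pos += 4 + plen;
    }
    return -1;  /* ran off the end without EOI, or hit a non-marker byte */
}

/* Constructed samples, not real files: a minimal JFIF APP0 header; the same
 * header with a length that fits the file but not the buffer; and one whose
 * length field claims far more bytes than the file holds. */
int demo_wellformed(void)
{
    static const uint8_t img[] = { 0xFF,0xD8, 0xFF,0xE0,0x00,0x10, 'J','F','I','F',0,
                                   1,1,0, 0,1,0,1, 0,0, 0xFF,0xD9 };
    return walk_jpeg_segments(img, sizeof img);   /* -> 1 */
}
int demo_oversized(void)
{
    uint8_t img[2 + 4 + 80 + 2] = { 0xFF,0xD8, 0xFF,0xE0, 0x00,0x52 };  /* len 82 */
    memset(img + 6, 'A', 80);
    img[86] = 0xFF; img[87] = 0xD9;
    return walk_jpeg_segments(img, sizeof img);   /* -> -1 */
}
int demo_truncated(void)
{
    static const uint8_t img[16] = { 0xFF,0xD8, 0xFF,0xE0, 0xFF,0xFF };  /* len 65535 */
    return walk_jpeg_segments(img, sizeof img);   /* -> -1 */
}
```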