Slashdot Mirror

← Back to Stories (view on slashdot.org)

Conficker Worm Asks For Instructions, Gets Update

Posted by CmdrTaco on from the wormed-its-way-into-my-heart dept.

KingofGnG writes "Conficker/Downup/Downadup/Kido malware, that according to Symantec 'is, to date, one of the most complex worms in the history of malicious code,' has been updated and this time for real. The new variant, dubbed W32.Downadup.C, adds new features to malware code and makes the threat even more dangerous and worrisome than before."

6 of 285 comments (clear)

  1. Re:Dumbasses by Urd.Yggdrasil · · Score: 5, Informative

    Uhh, what? I have no idea what this "JPG exploit" your talking about is. Conflicker spreads through the MS08-067 RPC vulnerability, removable media, and shared folders; nothing to do with IE or jpegs.

  2. Re:why couldn't the instructions come from whiteha by patro · · Score: 5, Informative

    The worm probably uses encyption, so it doesn't just accept any control message from unknown sources.

  3. Re:why couldn't the instructions come from whiteha by Thelasko · · Score: 5, Informative

    why couldn't someone write an update telling conficker to cease operation and uninstall itself?

    Because that would be illegal.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  4. Re:Dumbasses by truthsearch · · Score: 4, Informative

    It takes about two hours at most to do it from scratch on one system image, then you can reimage as many computers that come up with the problem.

    Except new holes and malware will keep appearing and the process will need to be done over and over. Add it all up and it's a lot of hours. In the long run it might be cheaper to switch OSs and retrain if that new OS is generally more secure and easier to harden up front.

    --
    Developers: We can use your help.
  5. Re:why couldn't the instructions come from whiteha by krappie · · Score: 4, Informative

    F-secure was one of the first people I'm aware of to register some of the domain names that infected machines try to contact. When people were asking this question, this was their response.

    On a regular day, our sinkhole sees around 1.5M-2M unique IP addresses that are infected with a various catering of malware: viruses, trojans, bots, worms and so on. Downadup.B is responsible for about 1M-1.3M of those IP addresses. So let me explain what we do with the data first:
    We try to contact the ISP's where the infected IP addresses are coming from and try to get them to notify the customers to take down the infected systems. We also notify various CERT organisations in the countries where the infections are and work with them to get the infected machines offline. We also share some the data with Law Enforcement organizations in those cases where the author of the malware is known. This allows the police to get their hands on real, raw, data on the amount of infections. That data can later be used in court as evidence to get reasonable convictions.

    Now, why won't we automatically disinfect the machines? The reason is simple: we would be knowingly, and with intent, be accessing the infected computer and giving it commands without having a prior permission from the owner. In most countries that equals to unlawful access which gets you an appointment in court. Some laws do weigh things by judging "a greater good", but in this case it does not help. Imagine the world being a huge porcelain store, inside a black box with only two holes for your hands allowing access. You can put your hands in the box but can't see what you're doing. Now, try to remove all the dust without breaking anything...

    There are several things that might go wrong and the consequences could be severe. Imagine if we, while disinfecting, would knock out life support systems in hospitals. Or radar systems in major airfields. Or traffic lights in a major city. Or any other of imaginable and unimaginable scenarios that would be bound to happen taking into consideration the scale of this thing.

    And it doesn't matter where we offered the disinfection from. We are a corporation with presence in various countries. The disinfected victims would be in those countries, suing us there. The place where we caused the damage from does not matter, its the place where the damage happened.

    To make automatic, remote, unwilling disinfection ever possible there is a need for an international treaty. And an internation body of authority that will decide what to disinfect, who to disinfect and when to disinfect. And unfortunately I don't see that one coming in near future. I wouldn't bet foreign militaries or intelligence organizations being too happy about anyone tampering with their systems, regardless of the intent.

    We've had long talks about remotely disinfecting machines and everyone in here is in unanimous vote on not doing it for the above reasons. And don't think it's a happy moment seeing hundreds of thousands, or millions, of machines being infected. Still, we do our best to get them fixed.

  6. Re:Who care? by node+3 · · Score: 4, Informative

    Apache while an important application is NOT Linux.

    Very few Windows viruses attack the Windows kernel.

    Linux, the kernel, is one thing, and immune to an Apache exploit. Linux, the OS, generally includes Apache.