Conficker Worm Asks For Instructions, Gets Update
KingofGnG writes "Conficker/Downup/Downadup/Kido malware, which, according to Symantec, 'is, to date, one of the most complex worms in the history of malicious code,' has been updated, and this time for real. The new variant, dubbed W32.Downadup.C, adds new features to the malware code and makes the threat even more dangerous and worrisome than before."
If it's asking for instructions, why do they have to come from the blackhats? Why couldn't someone write an update telling Conficker to cease operation and uninstall itself?
They're using their grammar skills there.
This may be the most complex worm/virus ever made, but is it any more prevalent or hard to remove?
If I do basic things like keep my Virus definitions and system OS up to date and occasionally scan for spyware, am I still at risk?
In other words, are the ones at risk the same kinds of people who'd be at risk from a lesser, simpler, worm that essentially spreads via a "click here for free porn!" banner?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
It's an inchworm.
Which is a caterpillar.
But that's ok. Pictures of worms are so damn hard to find.
Because unless you have something to gain (other than a warm feeling that you've done something nice and have helped the world), nobody wants the liability associated with writing an illegal but benevolent worm and releasing it.
And, you know, having access to the original source code saves some time picking apart obfuscated machine code.
He's getting rather old, but he's a good mouse.
I am with you on that one. Linux would not be as susceptible as Windows; although they have their own rootkits, you get a lot of programs (such as tripwire) that let you know when something is wrong, and then you just recompile that particular program.
As for Windows, once your win32.dll has been rooted, you can't turn around and do the same without reinstalling a whole slew of other things, thereby changing the installation and sometimes breaking patches or updates...
I say let's all move to Linux for the desktop, and leave Windows as a server environment.
On a random blog, which was rather legit, I ended up getting redirected to this page:
Here's the link: hxxp://gowithscan.com/?uid=13100 (malware! warning!)
It appeared to scan my Windows and find multiple vulnerabilities. Good thing I'm running Linux. Then it proceeded to obnoxiously pop up JS alerts and have me download an install.exe. Major antivirus couldn't find anything wrong with it. I have the file if anyone is interested (submitted it to clamav.org too).
You know, the movies never do explain why Skynet hates humanity so much. Any clue?
I've always wanted to create a worm that required users to follow an annoyingly long sequence of instructions for it to spread. Then monitor how much it spreads.
Something like download JessicaAlbaNude.jpg. Rename it to JessicaAlbaNude.tar. Download tar.exe. type tar -xvf JessicaAlbaNude.tar. cd src. Edit Makefile to set appropriate flags....
W32.Downadup.C
Risk Level 2: Low
Currently hooked on AMP
I was looking for information on this last night and wasn't able to find much.
Is there a way (on an ASA/PIX specifically) to block the outbound connections made by this worm so that you can contain the traffic to the local network and also log the hosts that are infected?
The only thing I found was someone making reference to blocking http://ipaddr/search?q= requests but I couldn't find any backup for that claim. TIA
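One way to get the "log the hosts that are infected" half of the question is to run the outbound web traffic through a proxy or capture and look for the request shape the comment mentions: an HTTP GET to a bare IP address with a path of /search?q=. The script below is an added example, not from the thread; it assumes a constructed log format of "<timestamp> <client-ip> <method> <url>" (the sample lines are made up, using documentation address ranges) and treats the /search?q= pattern as an unverified indicator, exactly as the comment does, so the resulting list of clients is a starting point for investigation rather than proof of infection.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlparse

# Constructed proxy log lines: "<timestamp> <client-ip> <method> <url>".
SAMPLE_LOG = """\
2009-03-10T12:00:01 10.0.0.5 GET http://203.0.113.7/search?q=0
2009-03-10T12:00:02 10.0.0.5 GET http://www.example.com/search?q=conficker
2009-03-10T12:00:03 10.0.0.9 GET http://198.51.100.23/search?q=12
2009-03-10T12:00:04 10.0.0.9 GET http://198.51.100.23/search?q=12
2009-03-10T12:00:05 10.0.0.12 GET http://198.51.100.23/index.html
this line is garbage and is skipped
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+)$")


def is_ip_literal(host):
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def is_suspect_url(url):
    """Match the pattern from the comment: http://<ip>/search?q=...

    A request to a real hostname with the same path is a normal search and is
    deliberately not flagged; only the IP-literal form is.
    """
    u = urlparse(url)
    if u.scheme != "http" or not u.hostname or not is_ip_literal(u.hostname):
        return False
    return u.path == "/search" and "q" in parse_qs(u.query, keep_blank_values=True)


def find_suspect_clients(log_text):
    """Return {client_ip: number of matching requests} for lines that match."""
    hits = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: ignore rather than crash
        if is_suspect_url(m.group("url")):
            client = m.group("client")
            hits[client] = hits.get(client, 0) + 1
    return hits


if __name__ == "__main__":
    for client, count in sorted(find_suspect_clients(SAMPLE_LOG).items()):
        print(f"{client}: {count} suspect request(s)")
```

The per-client counts are what you would feed into a firewall block list or a ticket to the desktop team; keeping the parsing separate from the matching rule means the rule can be swapped the moment a better-documented indicator turns up, which matters given that the comment itself could not find a source for this one.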
Error: Sig not found.
Yes, someone else pointed out that UAC requests a password if you aren't an administrator--which is, of course, correct. I fell into the same trap of assuming that users will be administrators, since that's how things tend to be in the real world (when not in a locked down environment, of course.) Of course, if you're not running as an administrator, the original complaint is moot. UAC is a compromise between making day-to-day users "Limited Accounts" and software which makes bad assumptions.
As a side note, I ran Windows 2000 for a fairly long while as a regular user. Most things worked fine, but the ones that didn't were incredibly irritating. Tracking down what permissions were required to get things to run was a pain. As a side-side note, I eventually stopped using Antivirus because it never found any viruses--either I wasn't getting them (in which case, why bother?) or it wasn't finding the ones I had (in which case, why bother?)
Of course, the poster to whom I replied implied (with his subject line) that UAC was comparable to Unix permissions, which is really like comparing Apples(tm) to oranges. S/he seemed completely ignorant of the fact that Windows does have permissions (which I noted are actually ACLs--more granular than Unix default permissions.)
The last time I tried to lock down Windows boxes and user accounts, it all came to a screeching halt because the accounting people had to have Quickbooks, and Quickbooks absolutely would not run any time it decided (seemingly randomly) that it just had to modify its own .exe with an update before it could even conceive of doing anything else ever again.
Net result, either make the most security sensitive app in the organization vulnerable full time, make everything vulnerable part time by giving the office people (who only knew how to use Windows by rote) an admin account, or create an endless stream of urgent support requests at the worst possible times.
That's not strictly Windows' or MS's fault, except that they're the ones who "trained" all those 3rd party developers to assume everybody is root all the time.