Conficker Worm Asks For Instructions, Gets Update
KingofGnG writes "Conficker/Downup/Downadup/Kido malware, that according to Symantec 'is, to date, one of the most complex worms in the history of malicious code,' has been updated and this time for real. The new variant, dubbed W32.Downadup.C, adds new features to malware code and makes the threat even more dangerous and worrisome than before."
FIRST! Now... where do I get that update?
Just so long as it doesn't insist on verification to check that nobody is using an unauthorised copy. After all, we wouldn't want to encourage piracy... ;-)
I run Linux! http://xkcd.com/272/
If people would stop downloading free_porn.jpg from 4chan, renaming it to free_porn.exe, and running it... we would not be having these problems.
Maybe I'm being picky here, but why does Slashdot's icon for this story depict a caterpillar? Don't the editors know the difference between a caterpillar and a worm?
It's an inchworm.
Maybe I'm being picky here, but why does Slashdot's icon for this story depict a caterpillar? Don't the editors know the difference between a caterpillar and a worm?
That's why it's so dangerous. It mutated.
I run VMWare on Linux! http://xkcd.com/350/
Genesis 1:32 And God typed
You're worried about the worm/caterpillar when there's a *stapler* underneath?
It's real evolution. And I don't mean Intelligent Design.
Look, you're malware authors, you have millions of machines to play with, you could bring the next stage of artificial life to the fore. Think of the recognition, the glory, the girls.
If it's asking for instructions, why do they have to come from the blackhats? Why couldn't someone write an update telling Conficker to cease operation and uninstall itself?
They're using their grammar skills there.
This may be the most complex worm/virus ever made, but is it any more prevalent or hard to remove?
If I do basic things like keep my Virus definitions and system OS up to date and occasionally scan for spyware, am I still at risk?
In other words, are the ones at risk the same kinds of people who'd be at risk from a lesser, simpler, worm that essentially spreads via a "click here for free porn!" banner?
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
It's an inchworm.
Which is a caterpillar.
But that's ok. Pictures of worms are so damn hard to find.
The worm probably uses encryption, so it doesn't just accept any control message from unknown sources.
Because unless you have something to gain (other than a warm feeling that you've done something nice and have helped the world), nobody wants the liability associated with writing an illegal but benevolent worm and releasing it.
And, you know, having access to the original source code saves some time picking apart obfuscated machine code.
He's getting rather old, but he's a good mouse.
why couldn't someone write an update telling conficker to cease operation and uninstall itself?
Because that would be illegal.
One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
If the payload for all of these infected hosts affects traffic across the Internet, even Linux users may care about this issue. Don't be lulled into apathy; this is a powerful, dynamic and capable threat with some very advanced coding and routines. The developers know how to optimize their threat and squeeze a ton of trouble from its deployment. It now sits in a rather powerful position, depending on how they intend to use it. You can catch scanning hosts on your internal networks using listeners on port 445 on Linux boxes without Samba. Tools like netcat or our own HoneyPoint applications have proven great at finding active hosts. If you identify any in your environment, remove them immediately. The fewer zombie systems Conficker has to utilize, the better!
Check out HoneyPoint, our tools for combatting the insider threat! http://www.microsolved.com/honeypoint/
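The port-445 tripwire the post above describes, written out as an added example (this is not code from the original thread and not MicroSolved's HoneyPoint). The idea is the same as pointing netcat at TCP/445 on a Linux box that runs no Samba: nothing legitimate should ever speak SMB to that host, so every connection attempt is a scanner worth a look. Assumptions: binding port 445 needs root or CAP_NET_BIND_SERVICE; the loopback self-test uses an ephemeral port so it runs unprivileged; the listener never answers with SMB, it only records who knocked.

```python
"""Port-445 tripwire: log any host that opens SMB to a box that should never
receive SMB (a Linux host with no Samba listening).

Added example, not from the original post or from HoneyPoint. Assumes root
(or CAP_NET_BIND_SERVICE) for the real port 445; the loopback self-test
needs no privileges.
"""
import socket
import threading
import time
from collections import Counter


def open_listener(bind_addr="0.0.0.0", port=445, backlog=64):
    """Bind and listen; returns the server socket (port 0 = ephemeral, for tests)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_addr, port))
    srv.listen(backlog)
    srv.settimeout(1.0)  # lets the accept loop check its stop condition
    return srv


def serve(srv, hits, max_conns=None, log=print):
    """Accept connections, count them per source IP, and close at once.

    No SMB is spoken back; the only purpose is recording the source.
    Stops after max_conns accepts (None = run until interrupted).
    """
    accepted = 0
    try:
        while max_conns is None or accepted < max_conns:
            try:
                conn, (src_ip, src_port) = srv.accept()
            except socket.timeout:
                continue
            hits[src_ip] += 1
            accepted += 1
            stamp = time.strftime("%Y-%m-%dT%H:%M:%S")
            log(f"{stamp} TCP/445 probe from {src_ip}:{src_port} (count={hits[src_ip]})")
            conn.close()
    finally:
        srv.close()
    return hits


def summarize(hits, threshold=1):
    """Sources with at least `threshold` probes, busiest first."""
    rows = [(ip, n) for ip, n in hits.items() if n >= threshold]
    return sorted(rows, key=lambda row: (-row[1], row[0]))


def demo_on_loopback(n_probes=3):
    """Self-test on 127.0.0.1 with an ephemeral port: no privileges needed."""
    hits = Counter()
    srv = open_listener("127.0.0.1", 0)
    port = srv.getsockname()[1]
    worker = threading.Thread(
        target=serve, args=(srv, hits, n_probes), kwargs={"log": lambda _m: None}
    )
    worker.start()
    for _ in range(n_probes):
        socket.create_connection(("127.0.0.1", port)).close()  # acts as the scanner
    worker.join(timeout=10)
    return summarize(hits)


if __name__ == "__main__":
    print("loopback self-test:", demo_on_loopback())
    # Real deployment: sit on the unused SMB port and watch the log lines.
    serve(open_listener("0.0.0.0", 445), Counter())
```

Run it on a host that has no SMB service of its own and feed the log lines to whatever you use for alerting; a source that appears more than once across the subnet is a machine to pull off the network and clean, exactly as the post says.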
What are your favorite type of worms?
*Tape
*Round
*Heart
*Nightcrawlers/earthworms/anything used for fishing
*spy/mole/CIA/KGB, including corporate espionage
*Software/malware
*German city
*Eisenia cowboynealia
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
I am with you on that one. Linux would not be as susceptible as Windows; although they have their own rootkits, you get a lot of programs (such as Tripwire) that let you know when something is wrong,
and then just recompile that particular program.
As for Windows, once your win32.dll has been rooted, then you can't turn around and do the same without reinstalling a whole slew of other things, thereby changing the installation, sometimes breaking patches or updates...
I say let's all move to Linux for the desktop, and leave Windows as a server environment.
It's an inchworm.
That's what SHE said!
Random Thoughts From A Diseased Mind (Not For Dummies)
It continually amuses me how the mainstream media managed to censor the name of this worm. It was originally conficker, which is slang/shorthand for 'configuration file fucker', but using the German fick instead. It was also known as 'downandup' as in the hip motion; both clearly sexual references. Since any kind of indirect reference to sex gets you scrutiny and/or shunning from the Moral Majority, suddenly we have 'downadup'.... So much better?
On a random blog, which was rather legit, I ended up getting redirected to this page:
Here's the link: hxxp://gowithscan.com/?uid=13100 (malware! warning!)
It appeared to scan my Windows and find multiple vulnerabilities. Good thing I'm running Linux. Then it proceeded to obnoxiously pop up JS alerts and have me download an install.exe. Major antivirus couldn't find anything wrong with it. I have the file if anyone is interested (submitted it to clamav.org too).
http://209.85.173.132/search?hl=en&q=cache:kingofgng.com/eng/2009/03/16/conficker-worm-asks-for-instructions-and-gets-an-update/&btnG=Search
In Soviet Russia ^H^H^H America, The bank finances YOU!
Now that is something BBC should take care of.
The good, the evil and the vacuum tubes.
Windows permissions are quite fine-grained. They're much more flexible than POSIX permissions--comparable to ACLs, in fact, which fewer people use on Linux.
The problem isn't the permission scheme at all, but a combination of legacy, a ruthless dedication to backwards compatibility, and lazy software developers who don't understand the guidelines that Microsoft (now) sets forth regarding secure development from their platform. Maybe throw in a dash of OEMs setting people to administrator by default, but until the other stuff is fixed, that's the only way that they're going to sell any computers.
That said, UAC is a lot like requiring sudo without a password, except that in theory, a user process can't automatically click "ok" for you.
I once used Windows XP in that mode. Where everything and its dog was locked down by the ACLs. It was pretty nice to know that a virus could really only frag my (backuped) user account. But it was a pain in the ass for configuration and installation. Mostly because the programs were not made for it. They did not expect something to be locked down at all. Even internal Microsoft programs. So you very often got crashing programs and the like, because they hiccuped on a non-accessible resource.
But then I realized that security holes of software that was too tightly integrated with the OS, made the whole thing useless.
Luckily I now use virtualization, and as my sig says:
Any sufficiently advanced intelligence is indistinguishable from stupidity.
F-secure was one of the first people I'm aware of to register some of the domain names that infected machines try to contact. When people were asking this question, this was their response.
It doesn't require a password if you're running on an account that would otherwise be an admin. If you need elevation on a standard account, you have to enter the username and password of an account that does have admin privileges.
Really cool stuff! I want this toy!!! Can't believe that authors support Windows platform only! :)
W32.Downadup.C
Risk Level 2: Low
Currently hooked on AMP
...Anthem!
Botnets, worldwide botnets.
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, TRUE!
Gateway, Packard Bell, maybe even Asus, too.
Are boxes, found on botnets.
All running Windows, FOO!
-------
Why, yes, I AM a smug bastard who's running Mac OS X. Thanks for asking!
Guaranteed! This comment 100% Anthrax free!
That said, UAC is a lot like requiring sudo without a password, except that in theory, a user process can't automatically click "ok" for you.
Actually, according to what I've read (though I've never tried it), you can set UAC to require a password input.
Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
I was looking for information on this last night and wasn't able to find much.
Is there a way (on an ASA/PIX specifically) to block the outbound connections made by this worm so that you can contain the traffic to the local network and also log the hosts that are infected?
The only thing I found was someone making reference to blocking http://ipaddr/search?q= requests but I couldn't find any backup for that claim. TIA
Error: Sig not found.
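Nobody in the thread answers the question above, so here is an added example (not from the thread, not vendor code) of the logging half: triaging proxy logs for the "/search?q=" request pattern the poster mentions. That pattern is taken here as an unverified heuristic, exactly as the poster presents it; the defensible tell is one internal client making that request to many different destination hosts, which a person running a search engine query would not do. Assumptions: Squid-native access.log field order (timestamp, elapsed, client, status, bytes, method, URL), an illustrative allowlist of real search engines, and constructed sample lines rather than real traffic.

```python
"""Triage proxy logs for the '/search?q=' call-home pattern the poster mentions.

Added example, not from the original thread. Assumptions: Squid-native
access.log field order; the URL pattern is an unverified heuristic; the
search-engine allowlist is illustrative; SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: 10.0.5.17 hits three different hosts with the same odd
# path, 10.0.7.2 does an ordinary Google search, 10.0.9.9 browses the intranet.
SAMPLE_LOG = """\
1237190400.123    45 10.0.5.17 TCP_MISS/200 512 GET http://example-rendezvous.test/search?q=17 - DIRECT/203.0.113.9 text/html
1237190401.456    12 10.0.5.17 TCP_MISS/200 498 GET http://another-host.test/search?q=42 - DIRECT/203.0.113.10 text/html
1237190402.789    88 10.0.7.2 TCP_MISS/200 9001 GET http://www.google.com/search?q=conficker+removal - DIRECT/198.51.100.4 text/html
1237190403.000    30 10.0.5.17 TCP_MISS/200 477 GET http://third-host.test/search?q=99 - DIRECT/203.0.113.11 text/html
1237190404.000    30 10.0.9.9 TCP_MISS/200 2048 GET http://intranet.local/index.html - DIRECT/10.0.0.5 text/html
"""

# Hosts where a /search?q= request from a human is expected (illustrative).
ALLOWED_SEARCH_HOSTS = {"www.google.com", "www.bing.com", "search.yahoo.com"}

CALLHOME_PATH = re.compile(r"^/search$")


def parse_line(line):
    """Return (client_ip, method, url) or None for lines that don't fit."""
    fields = line.split()
    if len(fields) < 7:
        return None
    return fields[2], fields[5], fields[6]


def is_callhome(url):
    """True for http(s)://<host>/search?q=... where <host> is not a known search engine."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False
    if not CALLHOME_PATH.match(parts.path):
        return False
    if not re.search(r"(^|&)q=", parts.query):
        return False
    return parts.hostname not in ALLOWED_SEARCH_HOSTS


def suspicious_hosts(log_text, min_distinct=2):
    """Map client IP -> sorted distinct destination hosts matching the pattern,
    keeping only clients that hit at least `min_distinct` hosts. A single hit
    could be a browser following a link; many distinct hosts is the tell."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, url = rec
        if method == "GET" and is_callhome(url):
            seen[client].add(urlsplit(url).hostname)
    return {ip: sorted(hosts) for ip, hosts in seen.items() if len(hosts) >= min_distinct}


if __name__ == "__main__":
    for ip, hosts in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{ip}: {len(hosts)} distinct call-home hosts -> {', '.join(hosts)}")
```

This only covers the "log the infected hosts" part; containment still means denying TCP/445 at the egress and routing all HTTP through the proxy so that there is a log to read in the first place. Treat a hit as a reason to look at the machine, not as proof of infection.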
Yes, someone else pointed out that UAC requests a password if you aren't an administrator--which is, of course, correct. I fell into the same trap of assuming that users will be administrators, since that's how things tend to be in the real world (when not in a locked down environment, of course.) Of course, if you're not running as an administrator, the original complaint is moot. UAC is a compromise between making day-to-day users "Limited Accounts" and software which makes bad assumptions.
As a side note, I ran Windows 2000 for a fairly long while as a regular user. Most things worked fine, but the ones that didn't were incredibly irritating. Tracking down what permissions were required to get things to run was a pain. As a side-side note, I eventually stopped using Antivirus because it never found any viruses--either I wasn't getting them (in which case, why bother?) or it wasn't finding the ones I had (in which case, why bother?)
Of course, the poster to whom I replied implied (with his subject line) that UAC was comparable to Unix permissions, which is really like comparing Apples(tm) to oranges. S/he seemed completely ignorant of the fact that Windows does have permissions (which I noted are actually ACLs--more granular than Unix default permissions.)
It's not that simple in a corporate environment (i.e., LAN). We do packet filtering and proxy at our ingress and egress points, we stay up-to-date with patches (WSUS), and AV (ESET), and we've disabled a number of unnecessary Windows services, but still, occasionally infections get through. Sometimes this is because a consultant or freelancer walks through the door and plugs into our network; sometimes it's because a laptop user brings something back with them. Sometimes, yes, it's our own users who are stupid, and the defenses we have in place do not catch them. So far, we've been able to limit damage, but as for stopping it completely-- this has been hard to achieve. As far as we can tell, the only way to accomplish this is to ditch Windows.
Besides, if you don't run AV, how do you know you don't have something? Do you trawl your firewall logs daily? At the moment, Conficker is pretty much just sitting there, waiting to do something. You might not even know you have it.
I once used Windows XP in that mode. Where everything and its dog was locked down by the ACLs. It was pretty nice to know that a virus could really only frag my (backuped) user account.
I know you meant "backed-up," but now I'm picturing a creature that walks with its back.
Don't you wish your girlfriend was a geek like me?
The last time I tried to lock down Windows boxes and user accounts, it all came to a screeching halt because the accounting people had to have QuickBooks, and QuickBooks absolutely would not run any time it decided (seemingly randomly) that it just had to modify its own .exe with an update before it could even conceive of doing anything else ever again.
Net result, either make the most security sensitive app in the organization vulnerable full time, make everything vulnerable part time by giving the office people (who only knew how to use Windows by rote) an admin account, or create an endless stream of urgent support requests at the worst possible times.
That's not strictly Windows' or MS's fault, except that they're the ones who "trained" all those 3rd party developers to assume everybody is root all the time.
ZOMFG!!!
A Linux virus infected 3500 machines 7 years ago!?
Man, you put me to silence about Windows-vs-Linux security!
I will instantly stop mocking Windows for the dozens of botnets that spawn every day and have several hundred million PCs infected so far and infect tens of thousands of PCs every day...
The MAFIAA is a bunch of mindless jerks who will be the first up against the wall when the revolution comes
Yes, someone else pointed out that UAC requests a password if you aren't an administrator--which is, of course, correct.
It's not even non-admin users that I'm talking about. You can apparently require the password to be entered on UAC prompt, even for an Admin account. Ooh, let me go find it....
http://en.wikipedia.org/wiki/User_Account_Control#Features
From that link:
There are a number of configurable UAC settings. It is possible to:[10]
* Require administrators to re-enter their password for heightened security;
* Require the user to press Ctrl+Alt+Del as part of the authentication process for heightened security;
* Disable Admin Approval Mode (UAC prompts for administrators) entirely;
(emphasis added)
In theory, your WinSudo could have the same level of protection as a sudo command prefix, based on what I read here.
Again, though, like I said, I haven't actually messed with UAC settings before in Vista. I could be mistaken, because the Internet isn't perfect.
Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
That's pretty spiffy, actually! I think it might even beat out gksudo, since ctrl-alt-del generates a non-maskable interrupt.
What's the proper voice to read this in? Comic Book Guy? Morgan (Freeman)? Alan Rickman? There should be a video montage somewhere...please don't leave out Dogs and cats living together!
WARNING: Smartphones have side effects--most of them undocumented.