Slashdot Mirror

← Back to Stories (view on slashdot.org)

Conficker Worm Asks For Instructions, Gets Update

Posted by CmdrTaco on from the wormed-its-way-into-my-heart dept.

KingofGnG writes "Conficker/Downup/Downadup/Kido malware, that according to Symantec 'is, to date, one of the most complex worms in the history of malicious code,' has been updated and this time for real. The new variant, dubbed W32.Downadup.C, adds new features to malware code and makes the threat even more dangerous and worrisome than before."

35 of 285 comments (clear)

  1. coward by Anonymous Coward · · Score: 4, Funny

    FIRST! now.. where do i get that update ?

  2. Updates? by BrokenHalo · · Score: 3, Funny

    Just so long as it doesn't insist on verification to check that nobody is using an unauthorised copy. After all, we wouldn't want to encourage piracy... ;-)

  3. Who care? by Clarious · · Score: 5, Funny

    I run Linux! http://xkcd.com/272/

    1. Re:Who care? by Lostlander · · Score: 3, Informative

      [quote]The worm targets Apache Web server installations [/quote]
      Apache while an important application is NOT Linux.

    2. Re:Who care? by __aaxwdb6741 · · Score: 3, Funny

      What do you blaim your inability to read the mandatory preview on?

    3. Re:Who care? by Lostlander · · Score: 5, Funny

      What do you blaim your inability to read the mandatory preview on?

      I'm American, I don't have time to make sure I'm correct before spouting off at the mouth.

    4. Re:Who care? by spacefiddle · · Score: 5, Funny

      What do you blaim your inability to read the mandatory preview on?

      Whatever we can blame yours on, I suppose!

      --
      That which does not kill us makes us... st
    5. Re:Who care? by node+3 · · Score: 4, Informative

      Apache while an important application is NOT Linux.

      Very few Windows viruses attack the Windows kernel.

      Linux, the kernel, is one thing, and immune to an Apache exploit. Linux, the OS, generally includes Apache.

  4. Dumbasses by RoFLKOPTr · · Score: 4, Funny

    If people would stop downloading free_porn.jpg from 4chan, renaming it to free_porn.exe, and running it... we would not be having these problems.

    1. Re:Dumbasses by Spazztastic · · Score: 4, Insightful

      Solutions? Don't use IE. Use SpyBot Search & Destroy to harden the systems, use Firefox with Adblock+ and NoScript. Use an antivirus program that actually has a webguard, such as Avira.

      Sounds like an awful lot of work. Maybe move to a different OS?

      Ok, sure. It's a lot of work if you look at it in a simple fashion of throwing an Ubuntu CD at some user and saying "SUCK LESS THX"

      How about the hours that go into training one or many users in a company on using that new OS? Compatibility problems? Setting up specialized software?

      System hardening is more cost-effective decision versus switching OSes or having to clean up every computer that comes up with the problem. It takes about two hours at most to do it from scratch on one system image, then you can reimage as many computers that come up with the problem.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    2. Re:Dumbasses by Urd.Yggdrasil · · Score: 5, Informative

      Uhh, what? I have no idea what this "JPG exploit" your talking about is. Conflicker spreads through the MS08-067 RPC vulnerability, removable media, and shared folders; nothing to do with IE or jpegs.

    3. Re:Dumbasses by truthsearch · · Score: 4, Informative

      It takes about two hours at most to do it from scratch on one system image, then you can reimage as many computers that come up with the problem.

      Except new holes and malware will keep appearing and the process will need to be done over and over. Add it all up and it's a lot of hours. In the long run it might be cheaper to switch OSs and retrain if that new OS is generally more secure and easier to harden up front.

      --
      Developers: We can use your help.
    4. Re:Dumbasses by JonTurner · · Score: 3, Insightful

      >>How about the hours that go into training one or many users in a company on using that new OS? Compatibility problems? Setting up specialized software?

      Still probably cheaper than having your entire network (and all corporate data, financial plans, product designs, confidential data, HR information, payroll, etc.) owned by a botnet and copied to who-knows-where.

    5. Re:Dumbasses by Nethead · · Score: 4, Funny

      milw0rm.com Mothers I'd Like to Worm?

      --
      -- I have a private email server in my basement.
  5. Re:Nitpick... by _Sprocket_ · · Score: 3, Informative

    Maybe I'm being picky here, but why does Slashdot's icon for this story depict a caterpillar? Don't the editors know the difference between a caterpillar and a worm?

    It's an inchworm.

  6. Re:Nitpick... by Chrisq · · Score: 5, Funny

    Maybe I'm being picky here, but why does Slashdot's icon for this story depict a caterpillar? Don't the editors know the difference between a caterpillar and a worm?

    That's why it's so dangerous. It mutated

  7. I do by PinkyDead · · Score: 5, Funny

    I run VMWare on Linux! http://xkcd.com/350/

    --
    Genesis 1:32 And God typed :wq!
    1. Re:I do by Anonymous Coward · · Score: 4, Funny

      http://xkcd.com/493/

      isn't he great ? XD

  8. What I want to see in worm development by Colin+Smith · · Score: 3, Funny

    Is real evolution. And I don't mean Intelligent Design.

    Look, you're malware authors, you have millions of machines to play with, you could bring the next stage of artificial life to the fore. Think of the recognition, the glory, the girls.

     

    --
    Deleted
  9. Ok, so for the uninformed.... by neokushan · · Score: 3, Interesting

    This may be the most complex worm/virus ever made, but is it any more prevalent or hard to remove?
    If I do basic things like keep my Virus definitions and system OS up to date and occasionally scan for spyware, am I still at risk?

    In other words, are the ones at risk the same kinds of people who'd be at risk from a lesser, simpler, worm that essentially spreads via a "click here for free porn!" banner?

    --
    +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
  10. Re:why couldn't the instructions come from whiteha by patro · · Score: 5, Informative

    The worm probably uses encyption, so it doesn't just accept any control message from unknown sources.

  11. Re:why couldn't the instructions come from whiteha by Thelasko · · Score: 5, Informative

    why couldn't someone write an update telling conficker to cease operation and uninstall itself?

    Because that would be illegal.

    --
    One of our competitors trademarked the term "hypothesis". From now on, we will call them "boneheaded ideas".
  12. When the payload drops, even Linux users care! by lbhuston · · Score: 5, Insightful

    If the payload for all of these infected hosts affects traffic across the Internet, even Linux users may care about this issue. Don't be lulled into apathy, this is a powerful, dynamic and capable threat with some very advanced coding and routines. The developers know how to optimize their threat and squeeze a ton of trouble from its deployment. It now sits in a rather powerful position, depending on how they intend to use it. You can catch scanning hosts on your internal networks using listeners on port 445 from Linux boxes without samba. Tools like netcat or own HoneyPoint applications have proven great at finding active hosts. If you identify any on your environment, remove them immediately. The less zombie systems Conflicker has to utilize, the better!

    --
    Check out HoneyPoint, our tools for combatting the insider threat! http://www.microsolved.com/honeypoint/
  13. Favorite worm poll by davidwr · · Score: 4, Funny

    What are your favorite type of worms?

    *Tape
    *Round
    *Heart
    *Nightcrawlers/earthworms/anything uses for fishing
    *spy/mole/CIA/KGB, including corporate espionage
    *Software/malware
    *German city
    *Eisenia cowboynealia

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Re:Love Malware by hesaigo999ca · · Score: 3, Interesting

    I am with you on that one, Linux would not be so susceptible as windows, although they have their own rootkits, but you get alot of programs (such as tripwire) that let you know when something is wrong,
    and then just recompile that particular program.

    As for windows, once your win32.dll has been rooted, then you cant turn around and do the same without reinstalling a whole slew of other things, thereby changing the installation, sometimes breaking patches or updates...

    I say lets all move to linux for the desktop, and leave windows as a server environment.

  15. Re:Nitpick... by Ihmhi · · Score: 4, Funny

    It's an inchworm.

    That's what SHE said!

    --
    Random Thoughts From A Diseased Mind (Not For Dummies)
  16. Re:Damn by Anonymous Coward · · Score: 5, Insightful

    It continually amuses me how the mainstream media managed to censor the name of this worm. It was originally conficker, which is slang/shorthand for 'configuration file fucker', but using the German fick instead. It was also known as 'downandup' as in the hip motion; both clearly sexual references. Since any kind of indirect reference to sex gets you scrutiny and/or shunning from the Moral Majority, suddenly we have 'downadup'.... So much better?

  17. Google Cache Link by hostguy2004 · · Score: 3, Informative

    http://209.85.173.132/search?hl=en&q=cache:kingofgng.com/eng/2009/03/16/conficker-worm-asks-for-instructions-and-gets-an-update/&btnG=Search

    --
    In Soviet Russia ^H^H^H America, The bank finances YOU!
  18. Re:why couldn't the instructions come from whiteha by tecnico.hitos · · Score: 4, Funny

    Now that is something BBC should take care of.

    --
    The good, the evil and the vacuum tubes.
  19. Re:UAC doesn't hold a candle to linux permissions by Sancho · · Score: 4, Insightful

    Windows permissions are quite fine-grained. They're much more flexible than POSIX permissions--comparable to ACLs, in fact, which fewer people use on Linux.

    The problem isn't the permission scheme at all, but a combination of legacy, a ruthless dedication to backwards compatibility, and lazy software developers who don't understand the guidelines that Microsoft (now) sets forth regarding secure development from their platform. Maybe throw in a dash of OEMs setting people to administrator by default, but until the other stuff is fixed, that's the only way that they're going to sell any computers.

    That said, UAC is a lot like requiring sudo without a password, except that in theory, a user process can't automatically click "ok" for you.

  20. Re:why couldn't the instructions come from whiteha by krappie · · Score: 4, Informative

    F-secure was one of the first people I'm aware of to register some of the domain names that infected machines try to contact. When people were asking this question, this was their response.

    On a regular day, our sinkhole sees around 1.5M-2M unique IP addresses that are infected with a various catering of malware: viruses, trojans, bots, worms and so on. Downadup.B is responsible for about 1M-1.3M of those IP addresses. So let me explain what we do with the data first:
    We try to contact the ISP's where the infected IP addresses are coming from and try to get them to notify the customers to take down the infected systems. We also notify various CERT organisations in the countries where the infections are and work with them to get the infected machines offline. We also share some the data with Law Enforcement organizations in those cases where the author of the malware is known. This allows the police to get their hands on real, raw, data on the amount of infections. That data can later be used in court as evidence to get reasonable convictions.

    Now, why won't we automatically disinfect the machines? The reason is simple: we would be knowingly, and with intent, be accessing the infected computer and giving it commands without having a prior permission from the owner. In most countries that equals to unlawful access which gets you an appointment in court. Some laws do weigh things by judging "a greater good", but in this case it does not help. Imagine the world being a huge porcelain store, inside a black box with only two holes for your hands allowing access. You can put your hands in the box but can't see what you're doing. Now, try to remove all the dust without breaking anything...

    There are several things that might go wrong and the consequences could be severe. Imagine if we, while disinfecting, would knock out life support systems in hospitals. Or radar systems in major airfields. Or traffic lights in a major city. Or any other of imaginable and unimaginable scenarios that would be bound to happen taking into consideration the scale of this thing.

    And it doesn't matter where we offered the disinfection from. We are a corporation with presence in various countries. The disinfected victims would be in those countries, suing us there. The place where we caused the damage from does not matter, its the place where the damage happened.

    To make automatic, remote, unwilling disinfection ever possible there is a need for an international treaty. And an internation body of authority that will decide what to disinfect, who to disinfect and when to disinfect. And unfortunately I don't see that one coming in near future. I wouldn't bet foreign militaries or intelligence organizations being too happy about anyone tampering with their systems, regardless of the intent.

    We've had long talks about remotely disinfecting machines and everyone in here is in unanimous vote on not doing it for the above reasons. And don't think it's a happy moment seeing hundreds of thousands, or millions, of machines being infected. Still, we do our best to get them fixed.

  21. Re:UAC doesn't hold a candle to linux permissions by nullforce · · Score: 3, Insightful

    It doesn't require a password if you're running on an account that would otherwise be an admin. If you need elevation on a standard account, you have to enter the username and password of an account that does have admin privileges.

  22. Does it work under Linux? I want this toy! :) by alukin · · Score: 4, Funny

    Really cool stuff! I want this toy!!! Can't believe that authors support Windows platform only! :)

  23. dangerous and worrisome? threat level 2 by wealthychef · · Score: 3, Interesting
    The link in the article does not seem to support the hysterical tone of the summary. It says:

    .
    W32.Downadup.C
    Risk Level 2: Low

    --
    Currently hooked on AMP
  24. Time for another chorus of the Botnet National... by Chris+Tucker · · Score: 3, Funny

    ...Anthem!

    Botnets, worldwide botnets.
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, TRUE!
    Gateway, Packard Bell, maybe even Asus, too.

    Are boxes, found on botnets.
    All running Windows, FOO!

    -------

    Why, yes, I AM a smug bastard who's running Mac OS X. Thanks for asking!

    --
    Guaranteed! This comment 100% Anthrax free!