.CA Registrar Trying To Preempt Conficker
clover kicker writes "The CBC reports that the group managing Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day. 'This is the first virus that's really focused on domain names as part of propagating the virus itself,' said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain. CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group. That would make those names unavailable for anyone to register in order to set up a website to host the worm's 'command and control' file. A list of the names has been predicted by security experts based on the worm's code. In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will 'take appropriate action if suspicious activity is detected.'"
Now Conficker will omit .ca domains; good job telling everyone!
amg 1
look, i like Slashdot, but occasionally wonder if the anon feature is even worth it anymore.
i see this fucking troll at the top of thread after thread and i'm just sick of it. /rant
"If for any reason you're not satisfied with our service, I hate you."
Am I the only one hoping this thing turns out HUGE? It'd be interesting to see what happens.
Got your tin foil hat ready, too? :D
My wife runs MacOS and I have my Linux... I really wish I could get involved in the party. Will Cornfucker run under Wine?
It's like telling your enemy "Hey, I know where and when you're going to strike."
We know it's capable of updating itself; this just gives the author an 8 day head start on writing a new pseudo-random URL generator.
Does anyone know where I can get the Conficker source code? Must be enlightening!
Mother used to said If you want you find a way But mother never danced through fire shower
is all the worm pops on the screen and does. Now how much money did you spend trying to ward off this script? That will be the real joke.
jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
Can't somebody just upload their own code to one of said targeted sites? From what I've heard, the virus checks all sites on its list. So anyone could just upload some code to disable the virus, assuming it contacts their site first. Other than the fact that it's probably illegal to do that, even to disable the virus, why hasn't anyone tried this? Like in another country where it wouldn't be illegal? I'd imagine that no one would push for a criminal case against someone who stopped the worm...
01110000 01010111 01101110 00110011 01100100
I have lost the instructions on how to put a greased yoda doll up my ass can ne1 halp thnx
Blah blah blah, if you people spent the time that it took to write that rambling diarrhea towards actually helping the country, the world would be a better place.
I saw the article today on CBC (Canada's equivalent of the BBC).
This effort may help, but given that the worm has so many other TLDs to choose from, it may not help much. Making the 110 TLDs only 109 (or even 75 if other TLD authorities do the same) will not help that much.
Moreover, there is another mechanism which is not very clear, whereby the infected nodes will contact each other via a peer-to-peer protocol (see Peer to Peer). So, once the botnet gets going, the need for the domain name (so called "Internet Rendezvous points") may diminish.
Also, the article contains some inaccuracies:
Actually, the worm author(s) are aware that the user may change the clock of the PC to keep the worm from triggering. So they query several well known sites and check the date/time in the HTTP headers to make this defense point moot. See Internet Date Checking.
It will query only 500 out of 50,000 generated domain names. See the domain generation algorithm.
I bet there will be a revision D shortly before April 1st, and the author(s) will address many of the potential defenses in revision C.
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
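The two technical points above (the worm samples 500 of 50,000 generated names a day, and one ccTLD pre-registering its share barely dents that) have a defender-side consequence: a bot doing rendezvous lookups produces a burst of NXDOMAIN answers for distinct, random-looking names under many TLDs. The following is an added example, not code from the poster, CIRA or any Conficker analysis; the log format ('<client-ip> <qname> <rcode>' per line), the sample clients, the TLD pool and the thresholds are all constructed assumptions.

```python
"""Spot DGA-style rendezvous lookups in a resolver log.

Added example, not code from the thread's poster or from CIRA. It assumes a
constructed log format of '<client-ip> <qname> <rcode>' per line; client
addresses, TLD pool and thresholds are assumptions. The heuristic: a host
sampling hundreds of pseudo-random names a day across many TLDs produces
many NXDOMAIN answers for distinct names under many TLDs, which ordinary
clients rarely do.
"""
import random
from collections import defaultdict
from dataclasses import dataclass, field

# Hypothetical TLD pool, used only to construct the sample log.
TLDS = ["ca", "com", "net", "org", "cn", "info", "biz", "ws", "cc", "us", "ru", "de"]


def constructed_log(seed: int = 1) -> list:
    """Build a small, constructed resolver log: two normal clients and one
    client (10.0.0.7) that behaves like a DGA-driven bot."""
    rng = random.Random(seed)
    lines = [
        "10.0.0.5 www.cbc.ca NOERROR",
        "10.0.0.5 slashdot.org NOERROR",
        "10.0.0.5 www.microsoft.com NOERROR",
        "10.0.0.6 www.cbc.ca NOERROR",
        "10.0.0.6 slashdto.org NXDOMAIN",   # one ordinary typo
    ]
    for _ in range(120):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(5, 10)))
        # a handful of the generated names happen to exist; most do not
        rcode = "NOERROR" if rng.random() < 0.02 else "NXDOMAIN"
        lines.append(f"10.0.0.7 {label}.{rng.choice(TLDS)} {rcode}")
    return lines


@dataclass
class ClientStats:
    queries: int = 0
    nxdomain: int = 0
    nx_names: set = field(default_factory=set)
    nx_tlds: set = field(default_factory=set)


def client_stats(lines) -> dict:
    """Aggregate per-client query counts, NXDOMAIN counts, and the distinct
    names and TLDs that failed to resolve."""
    stats = defaultdict(ClientStats)
    for line in lines:
        client, qname, rcode = line.split()
        s = stats[client]
        s.queries += 1
        if rcode == "NXDOMAIN":
            s.nxdomain += 1
            s.nx_names.add(qname.lower())
            s.nx_tlds.add(qname.rsplit(".", 1)[-1].lower())
    return dict(stats)


def flagged_clients(lines, min_nx_names: int = 20, min_tlds: int = 3) -> set:
    """Clients with many distinct NXDOMAIN names spread over several TLDs."""
    return {
        client for client, s in client_stats(lines).items()
        if len(s.nx_names) >= min_nx_names and len(s.nx_tlds) >= min_tlds
    }


def preempted_share(lines, client: str, preempted_tlds) -> float:
    """Fraction of a client's failed lookups that fall under TLDs whose
    registry pre-registers the predicted names (as CIRA plans for .ca).
    Shows why one ccTLD acting alone covers only a small slice."""
    s = client_stats(lines)[client]
    if not s.nx_names:
        return 0.0
    covered = sum(1 for n in s.nx_names
                  if n.rsplit(".", 1)[-1] in preempted_tlds)
    return covered / len(s.nx_names)


if __name__ == "__main__":
    log = constructed_log()
    print("suspect clients:", flagged_clients(log))
    print(".ca share of suspect lookups: %.2f"
          % preempted_share(log, "10.0.0.7", {"ca"}))
```

Run against a real resolver log, the same aggregation would be done per day, since the name set rolls over daily; the thresholds here are tuned to the constructed sample and would need baselining on real traffic.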
I think I've heard every lexically significant variation on the name of this damn worm by now. I have no idea what "Conficker" actually means or to what it refers, but so far on this thread people have called it "Conflicker," "Cornflicker," and best of all "Cornfucker."
I think another name for it is "Downadup," which I always read as either "Downandup" or "Download a Duplicate."
Who gets to name the worms? We know that this one employs neat tricks like code signing peer-to-peer driven software updates and that it might be used for a sort of "evil Google" that people can use to data mine financial stuff and so on. Couldn't we lobby for a more rational taxonomy, so we could call this one "Cryptographically Labyrinthine Internet-Traveling ORganized Information Stumbler?"
The post-secondary institute where I teach has been fighting this worm for the past two weeks. They've had to go to each computer in person to disinfect it - that is thousands of computers. It is not a fun time in the IT dept. The worm tries a brute force password attack against usernames it finds on the infected PCs. The security at the institute is set up so that after 3 failed login attempts the user is locked out for 20 minutes. The result was that students and staff were being randomly locked out of the system throughout the past week due to the worm's brute force attack on a PC that they had once logged in to at a class, the library or lab. It appears it was spread through the use of USB drives. So all staff laptops and USB drives had to be manually checked and disinfected.
Sounds like this worm has some significant financial backing. What's even more crazy is a patch has been sent out for the worm already by Microsoft and people are still having issues.
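The lockout pattern described above (one infected PC guessing passwords for every account it has seen, and the 3-failures / 20-minute policy turning that into random lockouts of legitimate users) can be reconstructed from failed-logon events. This is an added example, not code from the poster or the institute; it assumes a simplified, constructed line format '<time> <event_id> user=<account> src=<workstation>' standing in for the Windows Security log's failed-logon (4625) and lockout (4740) events, and the workstation and account names are made up.

```python
"""Replay the post's lockout policy over failed logons and find the source.

Added example, not from the thread's poster or the institute described.
It assumes a constructed event format '<time> <event_id> user=<account>
src=<workstation>' (field names are assumptions); 4625 is the Windows
failed-logon event and 4624 the successful one. A worm guessing passwords
from one infected PC shows up as a single source failing against many
different accounts, and under a 3-strikes policy it locks all of them.
"""
import re
from collections import Counter
from datetime import datetime, timedelta

THRESHOLD = 3                     # failed attempts before lockout (from the post)
LOCKOUT = timedelta(minutes=20)   # lockout duration (from the post)
LINE = re.compile(r"^(\S+) (\d+) user=(\S+) src=(\S+)$")


def constructed_events() -> list:
    """Constructed events: one infected lab PC cycling through accounts it
    found cached locally, then a staff member who cannot log in from her own
    laptop because her account is already locked."""
    lines = []
    t = datetime(2009, 3, 27, 9, 0, 0)
    for user in ("jsmith", "akhan", "mlee", "pdube", "rwong", "lgagnon"):
        for _ in range(4):            # four wrong guesses per account
            t += timedelta(seconds=5)
            lines.append(f"{t.isoformat()} 4625 user={user} src=LAB-PC-12")
    # mlee's genuine attempt fails: the account is locked by LAB-PC-12's guesses
    lines.append("2009-03-27T09:05:00 4625 user=mlee src=STAFF-LT-03")
    return lines


def simulate_lockouts(lines) -> list:
    """Replay 4625 events in time order against the policy and return
    (time, user, src) for every lockout that would fire."""
    events = []
    for line in lines:
        m = LINE.match(line)
        if m and m.group(2) == "4625":
            events.append((datetime.fromisoformat(m.group(1)),
                           m.group(3), m.group(4)))
    events.sort()
    failures = Counter()
    lockouts = []
    for when, user, src in events:
        failures[user] += 1
        if failures[user] >= THRESHOLD:
            lockouts.append((when, user, src))
            failures[user] = 0       # counter resets once the lockout fires
    return lockouts


def lockout_sources(lockouts) -> dict:
    """Workstation that caused each lockout: the infected PC stands out
    because it is the only source locking many unrelated accounts."""
    return dict(Counter(src for _, _, src in lockouts))


def locked_accounts(lockouts, at_iso: str) -> set:
    """Accounts still inside their 20-minute lockout at the given time."""
    at = datetime.fromisoformat(at_iso)
    return {user for when, user, _ in lockouts if when <= at < when + LOCKOUT}


if __name__ == "__main__":
    lock = simulate_lockouts(constructed_events())
    print("lockouts by source:", lock_sources := lockout_sources(lock))
    print("locked at 09:05:", sorted(locked_accounts(lock, "2009-03-27T09:05:00")))
```

The same grouping (failed logons per source workstation, distinct target accounts per source) is what an admin would run over the real 4625/4740 events to find the infected machine instead of walking the building; the policy replay only serves to show how few guesses are needed to lock out an entire class.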
See, that's why you hire ELIZA.
We'll nuke you from orbit, it's the only way to be sure.
Also do you happen to know the mall ninja? http://lonelymachines.org/mall-ninjas/
Good, now I know where to pick up supplies.
Cache of guns. $10,000
Cache of ammunition: $10,000
Gold and silver coins: $10,000
Shooting a militant conspiracy nut in the head while he goes to check his mail, with the ATF and FBI standing back watching and laughing, but technically seeing "nothing": Priceless
Serious? Seriousness is well above my pay grade.
i shit out an obama, stimulus plan and all!
plop!
Some untrained black thug just gunned down 4 cops in california, two of which were SWAT members.
You think kicking down doors won't result in death? You will find out one day.
'no.' Let the show begin.
It's cute that they're trying to preempt the worm, but to be effective they pretty much have to disable ALL potential domains. Miss one, and the worm will find it.
What I don't get is how people can still be surprised/impressed/scared by these things. Today's viruses have little in common with their elegant, obfuscated ancestors. Any twit can assemble a "virus" by tapping into the OS' libraries. Today's worms are essentially package managers, so anything you can do with legitimate software like emailing, flashing your BIOS or opening ports on your firewall, a virus can do the same things. It simply has to talk to its software repository, pull down the pieces it needs and proceed with its dirty deeds.
Hell, a tiny perl script could turn standard tools like Yum and Emerge into virus delivery agents. They already possess all the required functionality...
-Billco, Fnarg.com
And how does hiring ELIZA make you feel?
Can you expand on that?
Are you sure?
I just wish to say how amusing I find the above poster. The Right wingers are such good losers, aren't they?
In the light of the way the previous administration used the US constitution as toilet paper, any rational person sees the Obama administration as a quality unit.
Right wingers, they kick and scream, make up any lie they can think of and still get ignored, they find this very annoying and then spit their dummies and resort to spam and trolling.
You can post as much of this as you like but no one cares at all about your delusions.
Thanks for the laughs!
Have you tried OS-X or Ubuntu? I heard they're not prone to this sort of thing.
Help stamp out iliturcy.
You are just *SO* cute? Would you like to tell me about DRM and Open Office, too?
You're obviously a blind left winger. As a libertarian, I can see that BOTH left wingers and right wingers behave exactly the same way. Face it, you left wingers are no better.
grammar nazis are a buzz kill
This is a friggin blog.
Nobody is writing laws or contracts here.
If you don't understand something, then ask for clarification.
Your derision is self-righteous and not very friendly. This is a discussion on Conflicker not on Grammar.
This has to be the most comprehensive spamming I've seen on this site for a while.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Your derision is self-righteous and not very friendly.
Thanks! That's just what I was aiming for! Derision is seldom humble or friendly, and it may broaden your view a little to realise nerds come in many forms, one of which happens to be the grammar nazi.
Isn't one of the root causes of all this the fact that the exploit was released into the wild? I am highly against it every time I see one of the security "researchers" releasing these holes into the public knowledge base. Had this exploit been kept quiet with Microsoft rolling out an important update that quietly patched it I believe we wouldn't be in this situation.
It's like someone announcing on a street corner that the bricks on the south wall of a bank were found to be very thin, but don't worry... we'll get to adding a little more mortar soon enough. Don't anybody make use of this information though, as that wouldn't be nice of you.
I understand the concept of motivating the software manufacturers to move on fixing bugs but is this really a worthwhile outcome to achieve this goal? I tend to believe if some "researchers" hadn't just kept their mouths shut and found alternate means to have this dealt with April 1 would still only be "Fool's Day".
I also suspect that some of these "information releases" are often done for ulterior motives as well. Possibly to say "look at what I found" and quite possibly to just watch the target OS/product go down vs. your alternate favourite OS/product.
I am not an expert on Conficker's exact history nor this specific exploit, but I do feel my comments above are generally accurate to many announced exploits in general.
Play me online? Well you know that I'll beat you. If I ever meet you I'll "/sbin/shutdown -h now" you. -Weird Al, kinda.
Exactly, he could be trying to get the two-thousand-five-hundred dollar reward good ol' Microsoft are offering.
It's a good thing the public is coming together against this threat inherent in computers, that we'll never be able to eliminate. It'd be really sad if it were just to correct unnecessary flaws in a particular vendor's system, that said vendor should have fixed.
CIRA is the registrY for the .ca ccTLD, and is the manager for the entire domain name space, selling domains "wholesale" to registrARs, which sell them "retail" to the public. Come on, the CBC got it right, can't /.?
Holy crap! You don't have any tinfoil hats?! You're already doomed.
Go home and shave your giant head of smell with your bad self
"This has to be the most comprehensive spamming I've seen on this site for a while."
I wouldn't mind so much if he/she made decent use of white space. I can't even read it without my eyes twisting up.
I reserve the write to mangle english.
Sometimes a regular poster says something that could be held against him by his company/government/stepmother. It is occasional, but the 1% of times it is used for insightfulness is worth the 99% it is used for trolls. Just browse at +1 if you are really annoyed. Don't look at it and it will go away. Slashdot used to have far more noise in the -1 realm.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
> Isn't one of the root causes of all this the fact that the exploit was released into the wild?
Yes and no.
In the bad old days before full disclosure, vendors would threaten security researchers. That led to the bad guys knowing everything and being able to hack with impunity, the security researchers being considered the "bad guys" even though they weren't doing anything bad with the holes they found, and the general public being totally ignorant of all the security problems out there.
In other words, back when no one called out the vendors putting out shoddy products, all we had were shoddy products.
So the practice of not disclosing security vulnerabilities actually hurts the good guys far more than it hurts the bad guys, even if it sometimes leads to cases like this one.
You read it? You are a sadomasochist.
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Oh the irony: "Some of us aren't fortunate enough to be able to afford Microsoft software. The wife's Mac OS X..."
If time is money, some of us can't afford (or be bothered) to fight with wireless drivers and shitty GUIs.
[/troll]
1) Microsoft's inability or unwillingness to secure their OS and other software (e.g. IE)
2) Users' inability or unwillingness to learn how to properly administer their machine. (Turning off file and print sharing, since you probably don't need it.)
Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain.
The Canadian Internet Registration Authority (CIRA), is the organization that has a Canadian government monopoly on .CA domain names. CIRA then accredits registrars to do the work.
CIRA is the most annoying registration authority I have dealt with.
CIRA is sitting on a huge pile of cash, which the board funnels to their pet projects. CIRA charges ridiculous fees to the registrars for each domain name, much more than other domain names (.com, .net, .org, etc).
The registration & maintenance process for .ca names is onerous and ridiculous. With a normal domain name, you go to the registrar's website, fill out the form, pay by credit card, and that's it. When you need to make changes, you log on to the registrar's website, make your changes, click the save button, and that's it.
Not so with .ca. After you go through the process with a registrar, you then have to go CIRA, create another account, and go through the process again. Look, if CIRA doesn't trust the registrars, then they shouldn't be registrars. And if you made a mistake while registering, like a typo in your name or you accidentally clicked "individual" instead of "corporation", correcting it requires an arm & a leg of documentation, photocopied driver's licenses, signed corporate resolutions, etc.
In fact, it is so annoying to change the details on a .ca domain name that TUCOWS (a large registrar) actually says don't bother.
And if you go to a CIRA annual meeting, the rules are even more ridiculous. A company with a .ca domain name would typically designate one of their IT people to go and represent them. But if that IT person personally owns an unrelated .ca domain name (like www.firstnamelastname.ca), it's not allowed - he/she can't represent the company.
Not surprisingly, .CA domain names are much less popular than .com - most Canadian businesses & organizations prefer the .com name.
So...let me get this straight.
Canada actually has the internets?
Clearly this is America's first step in the pending invasion of Canada! Invade Canada!!!! America, #$&* yeah!
Why not see who registers the domains _and_ supplies downloads to existing bots?
Obviously the people who created this worm won't be stupid about it, but perhaps some clues could be gathered.
And if it gets really hard, maybe the guys from 24 or CSI can put one of their top people on it. They seem to do amazing things in figuring out multiple levels of hiding...
Why don't they just instruct the worm to upload an executable that will delete the worm and then itself? Or if the previous is not possible due to built-in authentication, they could cause a buffer overrun in the worm. Maybe they could even use the buffer overrun to delete or damage the worm so it can't run again.
All you need to do is:
1) Disable file and printer sharing. Congrats, conffikker can go confikker itself.
2) Change the privileges so only the administrator can make changes to the registry and user account privileges. It is found under the administrative tools section of the Windows control panel.
3) An anti spyware/mal-ware tool such as spybot.