.CA Registrar Trying To Preempt Conficker

← Back to Stories (view on slashdot.org)

.CA Registrar Trying To Preempt Conficker

Posted by timothy on Tuesday March 24, 2009 @02:13PM from the circling-the-wagons dept.

clover kicker writes "The CBC reports that the group managing Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day. 'This is the first virus that's really focused on domain names as part of propagating the virus itself,' said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain. CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group. That would make those names unavailable for anyone to register in order to set up a website to host the worm's 'command and control' file. A list of the names has been predicted by security experts based on the worm's code. In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will 'take appropriate action if suspicious activity is detected.'"

113 of 227 comments (clear)

Re:GREAT! by X0563511 · 2009-03-24 14:27 · Score: 1

Except nobody is in the driver seat at the moment.
This is a way of trying to keep anyone from stepping in.

--
For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
Hrm by Niris · 2009-03-24 14:31 · Score: 5, Interesting

Am I the only one hoping this thing turns out HUGE? It'd be interesting to see what happens.
1. Re:Hrm by perryizgr8 · 2009-03-24 15:03 · Score: 1
  
  yeah, it will be good for the future of computers as well. all the idiots who click on 'allow' when the background dims without reading are going to get fucked up.
  
  --
  Wealth is the gift that keeps on giving.
2. Re:Hrm by Anonymous Coward · 2009-03-24 15:04 · Score: 1, Funny
  
  Anti-virus software becomes live CDs that require a reboot to use. When you run it, it either replies "Your computer is fine" or "You must reinstall Windows".
3. Re:Hrm by tuxgeek · 2009-03-24 15:04 · Score: 3, Funny
  
  I'm sure there are a variety of *nix users out there anxiously waiting on the sidelines with popcorn and a soda ready for the show to begin.
  We can only hope for some explosions to make it interesting.
  
  --
  "Suppose you were an idiot...and suppose you were a member of Congress...but I repeat myself." Mark Twain
4. Re:Hrm by toonces33 · 2009-03-24 15:17 · Score: 5, Interesting
  
  Yeah, until we get the phone call from someone who needs help disinfecting a Windows machine. Then it isn't quite as entertaining. I am of the opinion that the internet is dying, precisely because of stuff like this. It just gets worse and worse every year, bandwidth requirements for spam and other garbage keep climbing, and nobody has a plan for how to shut these things down once and for all.
5. Re:Hrm by wvmarle · 2009-03-24 18:21 · Score: 1
  
  For me... well yes and no. I'm really wondering what it is going to do in the first place.
  Yes: because it could be a wake-up call to computer security. But then I have been thinking that since the i-love-you virus or what was it, the first one to propagate by e-mailing itself to everyone in the outlook address book. Many people know or at least should know about viruses and worms by now, but many/most still don't care.
  No: because in case of a truly malicious attack the results could be quite horrible for the infected users, the Internet or even the world as a whole.
6. Re:Hrm by Anonymous Coward · 2009-03-24 19:44 · Score: 2, Insightful
  
  This is because there's just no way to do it without destroying what makes the internet such a good thing in the first place.
7. Re:Hrm by Yvanhoe · 2009-03-24 19:46 · Score: 3, Funny
  
  Hell yeah ! Carry on little skynet !
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
8. Re:Hrm by troll8901 · 2009-03-24 20:29 · Score: 2, Funny
  
  bandwidth requirements for spam and other garbage keep climbing
  What? BitTorrent isn't number one traffic anymore? This is not acceptable!
  *ducks*
9. Re:Hrm by troll8901 · 2009-03-24 20:32 · Score: 2, Informative
  
  in case of a truly malicious attack the results could be quite horrible for the infected users, the Internet or even the world as a whole.
  For us desktop and server technicians - Ka Ching !!
10. Re:Hrm by cp.tar · 2009-03-24 21:03 · Score: 1
  
  Well, Conficker has P2P functionality...
  I think it would be really really fun if it turned out to share everyone's music and video. Especially if MAFIAA computers got infected in the process.
  Popcorn time indeed.
  
  --
  Ignore this signature. By order.
11. Re:Hrm by nmg196 · 2009-03-24 21:21 · Score: 2, Funny
  
  Am I the only one hoping like hell that someone will release this virus for the Mac and Linux platforms? :)
12. Re:Hrm by kbahey · 2009-03-24 23:18 · Score: 1
  
  No.
  I don't use Windows, so I will not be directly affected.
  But it may have an impact on the internet itself. Think about wasted bandwidth, web sites putting measures against it, domain registrars requiring more Draconian measures for registring domains (imagine having to send paperwork, while you don't have to now), ...etc.
  
  --
  2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
13. Re:Hrm by FrozenFOXX · 2009-03-25 03:56 · Score: 1
  
  Yeah, until we get the phone call from someone who needs help disinfecting a Windows machine. Then it isn't quite as entertaining.
  Unless it's your job (as in something you'd claim on taxes) just say, "no." It worked for me. After a few times of, "I need to download a file," or, "I think I have a virus...what's a backup," and the venerable, "I need to install [insert piece of crap software], can you help me," being denied they stopped calling me. Are family relations any better? No, but they're not any worse, and teh simple fact is that I *don't* do that kinda thing anymore: at work, at home, or anywhere else. Even if I *wanted* to I couldn't help them, and now I'm a happier person.
  
  --
  "Just a fox, a whisper."
Re:Obama Policies Will Bankrupt USA Tsarkon Report by Niris · 2009-03-24 14:32 · Score: 2, Funny

Got your tin foil hat ready, too? :D
I feel left out... by erroneus · 2009-03-24 14:37 · Score: 5, Funny

My wife runs MacOS and I have my Linux... I really wish I could get involved in the party. Will Cornfucker run under Wine?
1. Re:I feel left out... by vistapwns · 2009-03-24 15:23 · Score: 2, Funny
  
  As soon as your OS is used by more than 50 people, you'll be invited. :)
  
  --
  "...I think the Microsoft hatred is a disease." - Linus Torvalds
2. Re:I feel left out... by JimXugle · 2009-03-24 16:00 · Score: 3, Funny
  
  No. It uses a vulnerability in the Windows File and Printer sharing daemon to inject a DLL file into svchost.exe.
  I suggest filing a bug with SAMBA and Wine, respectively.
  
  --
  -jX
  
  Don't you just love politics? It's like a comedy of errors.
3. Re:I feel left out... by erroneus · 2009-03-24 16:08 · Score: 4, Funny
  
  Oh your elitist, mob-rule attitude is not helpful. Some of us aren't fortunate enough to be able to afford Microsoft software. The wife's Mac OS X came with her machine and my computer did come with Windows installed on it but I didn't create the restore media before my machine was trashed with malware. So instead of buying software, I got free software. It works just fine though. Well enough to post here, view all sorts of porn that would have trashed my computers again if I were running Windows, and aside from playing games and DRM media, I can do anything I ever wanted to do.
  It is only during events like those created by cornfucker that I really begin to feel left out of the party.
4. Re:I feel left out... by Hucko · 2009-03-24 18:26 · Score: 1
  
  Yes, so the solution is to keep peddling the environment that makes this easy? I'm bewildered by what people put themselves through to be able to run excel macros.
  
  --
  Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
5. Re:I feel left out... by cp.tar · 2009-03-24 20:59 · Score: 2, Funny
  
  I recall a test of viruses under Wine, a while ago... apparently, only a few of the tested viruses would even run, but none were able to do anything dangerous.
  Some have used this as an argument that Wine is not nearly compatible enough.
  
  --
  Ignore this signature. By order.
6. Re:I feel left out... by roaddemon · 2009-03-24 23:40 · Score: 4, Funny
  
  Oh the irony: "Some of us aren't fortunate enough to be able to afford Microsoft software. The wife's Mac OS X..."
7. Re:I feel left out... by KillerBob · 2009-03-25 00:54 · Score: 3, Funny
  
  nono.. that's why he can't afford Windows... he had to sell the car and remortgage the house to buy the Mac.
  
  --
  If you believe everything you read, you'd better not read. - Japanese proverb
8. Re:I feel left out... by skeeto · 2009-03-25 07:22 · Score: 1
  
  As soon as your OS is used by more than 50 people
  If we are going to make comparisons based on popularity don't forget that the most popular restaurant in the world is McDonald's.
Tactics? by nubsac · 2009-03-24 14:39 · Score: 4, Insightful

It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.
It's like telling your enemy "Hey, I know where and when your going to strike"
We know it's capable to updating itself, this just gives the author an 8 day head start on writing a new pseudo random URL generator.
1. Re:Tactics? by Anonymous Coward · 2009-03-24 14:46 · Score: 2, Funny
  
  "grammer" nazi?
2. Re:Tactics? by ninjapiratemonkey · 2009-03-24 14:47 · Score: 1
  
  It's been public knowledge since they first discovered the "C" variant. This is just an update on what's being done about it.
  
  --
  01110000 01010111 01101110 00110011 01100100
3. Re:Tactics? by Anonymous Coward · 2009-03-24 15:00 · Score: 1, Insightful
  
  People misusing ceases irritates me almost as much as people saying "I could care less". That's all well and good, if you care a great deal about something, but what people mean when they say it (and Americans are the guiltiest of all when it comes to this) is "I couldn't care less".
4. Re:Tactics? by Kral_Blbec · 2009-03-24 15:06 · Score: 1
  
  Hey, I in ur baze iz an im taken ur domainz...
5. Re:Tactics? by kbahey · 2009-03-24 15:50 · Score: 2, Informative
  
  Yes, it should have been done quietly. Perhaps it is a PR thing "our .ca domains are not vulnerable"? Who knows.
  As I >pointed out in another comment, the author(s) scan all the info about Conficker and then modify it to protect itself against the defenses. They did that by releasing the C variant to select domains out of a random number of 50,000 total, after the initial 250 got outed in B.
  I bet that there will be a D variant shortly before April 1st, and it will have more defenses and convolutions.
  Interesting to watch this unravel nonetheless.
  
  --
  2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
6. Re:Tactics? by qengho · 2009-03-24 15:54 · Score: 4, Informative
  
  It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.
  Assuming English isn't your first language: "It never ceases to amaze me" is what you meant, i.e. "I'm always surprised."
7. Re:Tactics? by Amazing+Quantum+Man · 2009-03-24 16:11 · Score: 1
  
  Unless they mean "I could care less [... if I really, really tried hard]".
  
  --
  Fascism starts when the efficiency of the government becomes more important than the rights of the people.
8. Re:Tactics? by grcumb · 2009-03-24 16:47 · Score: 3, Interesting
  
  It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.
  It's like telling your enemy "Hey, I know where and when your going to strike"
  We know it's capable to updating itself, this just gives the author an 8 day head start on writing a new pseudo random URL generator.
  Others have already answered to the effect that publicly coordinating actions doesn't significantly raise the exposure in this particular case.
  But going beyond that, are you sure that they're not manoeuvring in the face of the enemy, trying to elicit a response? Once you've got a subject under observation, sometimes the best way to learn its true nature is to poke it and see what it does.
  
  --
  Crumb's Corollary: Never bring a knife to a bun fight.
9. Re:Tactics? by Anonymous Coward · 2009-03-24 17:28 · Score: 1, Informative
  
  He (or she or it) said (or typed) that he (or she or it) was a "grammer" nazi, not a "spelling" nazi. There are many different types of nazis in this world. Please learn to distinguish among them. Thank you for your cooperation.
10. Re:Tactics? by Arthur+Grumbine · 2009-03-24 17:29 · Score: 1
  
  Once you've got a subject under observation, sometimes the best way to learn its true nature is to poke it and see what it does.
  Once I heard about the possible Russian roots of Conficker, I've been wondering if it's the computer security industry that is actually what is under observation here. Put on your tinfoil hat for this:
  Putin: Ve need to assess ze defensive capabilities of ze UK and ze US computer infrastructure. How do you propose ve do zis?
  KGB IT Security Chief: I can put ze team zat vuz verking on ze Georgia "projekt" on it. Ve'll see vhat ze can come up vith.
  ...months later...
  Putin: Vut iz ze progress vith ze "security test"?
  KGB IT: Zey have bin predictable. Ve vill fully activate it on ze 'Fools Day'.
  Putin: Eeexccccelllent...by ze vay, vhy are ve speaking bad English?!
  
  --
  Now that I think about it, I'm pretty sure everything I just said is completely wrong.
11. Re:Tactics? by Yvanhoe · 2009-03-24 19:49 · Score: 1
  
  "they", "we" are a public effort of a great scale only because they openly share information. Being public is the only way of having enough momentum to fight back.
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
12. Re:Tactics? by SnowZero · 2009-03-24 20:11 · Score: 1
  
  I could cease to care less.
13. Re:Tactics? by Anonymous Coward · 2009-03-24 20:29 · Score: 3, Funny
  
  You would be a naziism nazi, then?
14. Re:Tactics? by ukyoCE · 2009-03-25 01:03 · Score: 1
  
  Isn't the auto-generated domain the only way it can update itself? Where do you think all of these compromised computers are going to get the new URL generator from?
  And why do they need the URL generator, if they can contact the compromised machines without it?
15. Re:Tactics? by KillerBob · 2009-03-25 01:04 · Score: 1
  
  If they were smart, they'd have kept that little tidbit secret... quietly shuffle the domains off into never-land to help protect the world at large, and still allow them to be registered.
  Have they never heard of a honey pot? Registering a domain in Canada requires you sign several contracts, become a member in CIRA, give them rights to your first born, etc.. Anonymous domain registration is not allowed in Canada, and until quite recently, registering a .CA domain name was restricted to Canadian citizens. It seems that if they know what domains the virus writer is going to try to register, let them register it and then you've got their home address and name.
  
  --
  If you believe everything you read, you'd better not read. - Japanese proverb
16. Re:Tactics? by KillerBob · 2009-03-25 01:07 · Score: 1
  
  If you're going to correct somebody on something as silly as that, at least get it right....
  Grammar = the spelling/construction of sentences to form semantic meaning.
  Grammer = An actor, most notable for his role as Dr. Frasier Crane in Cheers and Frasier.
  
  --
  If you believe everything you read, you'd better not read. - Japanese proverb
17. Re:Tactics? by baKanale · 2009-03-25 01:42 · Score: 1
  
  Hey, maybe he's epileptic.
18. Re:Tactics? by Amazing+Quantum+Man · 2009-03-25 01:56 · Score: 1
  
  Oh, I'm soooo sorry that you have never heard of sarcasm.
  
  --
  Fascism starts when the efficiency of the government becomes more important than the rights of the people.
19. Re:Tactics? by oloron · 2009-03-25 03:24 · Score: 1
  
  where is the money coming from to pay for these domain names?
20. Re:Tactics? by qengho · 2009-03-25 03:35 · Score: 1
  
  Fixated on "seizes" I guess.
Source code by ManuelH · 2009-03-24 14:47 · Score: 2, Insightful

Anyone knows where can I take the Confiker source code? Must be enlighting!

--
Mother used to said If you want you find a way But mother never danced through fire shower
1. Re:Source code by digitalunity · 2009-03-24 16:46 · Score: 1
  
  I'd pay even for just the comments, assuming the developer had the sense to make his code maintainable.
  
  --
  You can't legislate goodness. Let each to his own destiny, by will of his freely made choices.
April Fools!!! by gsgriffin · 2009-03-24 14:50 · Score: 5, Funny

is all the worm pops on the screen and does. Now how much money did you spend trying to ward off this script? That will be the real joke.

--
jsut athnoer menagiensls ltitle psrhae for you to dcoede. Why do we wtsae our tmie dnoig tihs?
1. Re:April Fools!!! by cp.tar · 2009-03-24 21:09 · Score: 1
  
  And then, relieved, people forget to remove it. And on April 2nd, when it is no longer a joke, the real fun begins.
  
  --
  Ignore this signature. By order.
Can't somebody just... by ninjapiratemonkey · 2009-03-24 14:50 · Score: 1

Can't somebody just upload their own code to one of said targeted sites? From what I've heard, the virus checks all sites on its list. So anyone could just upload some code to disable the virus, assuming it contacts their site first. Other than the fact that it's probably illegal to do that, even to disable the virus, why hasn't anyone tried this? Like in another country where it wouldn't be illegal? I'd imagine that no one would push for a criminal case against someone who stopped the worm...

--
01110000 01010111 01101110 00110011 01100100
1. Re:Can't somebody just... by Sir_Lewk · 2009-03-24 14:55 · Score: 2, Informative
  
  No. Conflicker will only download/run cryptographically signed code.
  
  --
  "linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
2. Re:Can't somebody just... by petermgreen · 2009-03-24 15:00 · Score: 1
  
  IIRC the authors were smart enough to use digital signatures to protect against that.
  
  --
  note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
3. Re:Can't somebody just... by ninjapiratemonkey · 2009-03-24 15:09 · Score: 1
  
  I hadn't heard that before, so thanks. Is this true for all variants, or just the C variant?
  
  --
  01110000 01010111 01101110 00110011 01100100
4. Re:Can't somebody just... by X0563511 · 2009-03-24 15:11 · Score: 1
  
  ... which makes me worry about what else might be in store.
  They are already way past the script-kiddie stage.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
5. Re:Can't somebody just... by Splab · 2009-03-24 17:12 · Score: 1
  
  Also its set to go off on 1. April, so when the internet is down and nukes are flying people are just going to laugh thinking its a hoax.
6. Re:Can't somebody just... by erayd · 2009-03-24 17:26 · Score: 1
  
  All variants.
  
  --
  Forget world peace, bring on -1 pointless
7. Re:Can't somebody just... by EvanED · 2009-03-24 17:28 · Score: 1
  
  Interesting that today's malware is more secure than program updaters of not that long ago. (And let's face it, also more than 99% of people out there downloading programs who don't bother to check the hash or signature, including myself.)
8. Re:Can't somebody just... by EvanED · 2009-03-24 18:40 · Score: 1
  
  True, but: (1) in some sense, package managers have in general been ahead of their time from a Windows point of view. (2) Package managers are really not all that old -- a quick glance of Wikipedia indicates Apt is just over a decade old, and the first version that included it was almost exactly a decade ago. Presumably checking signatures is more recent than that; looking here, it seems that feature is about 6 years old and was only part of Debian proper in the last 4. Even by internet time, that isn't all that long ago (still long after the dot-com bust for instance).
9. Re:Can't somebody just... by EvanED · 2009-03-24 18:47 · Score: 1
  
  Oh, and (3) the 99% was a little bit of an exaggeration, but the fact that anyone using a package manager implicitly checks signatures won't affect that so much since there aren't that many people doing that in general. ;-) What is actually decreasing the percentage a bit is the fact that Vista, when it displays a UAC prompt for a program, checks the program for a digital signature and displays information about the program and publisher in the UAC prompt. It's also possible to set up Vista so that it will automatically deny rights to programs without a signature. This is a far step from saying people care -- realistically speaking if I run an installer and it says that there's no signature, even I am almost certainly going to grant permission anyway -- so in some sense it's still not as good as the package manager approach, but it is probably affecting the number of people who check for digital signatures in an informed way more than package managers now.
Re:ugh by Plutonite · 2009-03-24 15:06 · Score: 4, Insightful

Look, we don't hate you for what you write - it may well be true. It just has nothing to do with this story, OK? It really is offtopic. In fact I agree with a lot of what you wrote (and disagree with some twisted facts too) but I think the moderators are right modding you down to hell, and maybe banning your IP range. You are annoying people. Annoyed people don't listen. Find a forum to discuss this in a sane way and people might listen.
Helps, but not much ... by kbahey · 2009-03-24 15:14 · Score: 4, Informative

I saw the article today on CBC (Canada's equivalent of the BBC).
This effort may help, but given that the worm has so many other TLDs to choose from, it may not help much. Making the 110 TLDs only 109 (or even 75 if other TLD authorities do the same) will not help that much.
Moreover, there is another mechanism which is not very clear, whereby the infected nodes will contact each other via a See Peer to Peer protocl. So, once the botnet gets going, the need for the domain name (so called "Internet Rendevouz points") may diminish.
Also, the article contains some inaccuracies:

"... expected to launch its attack once the system date on an infected machine is on or after April 1, 2009".
Actually, the worm author(s) are aware that the user may change the clock of the PC to avoid the worm from triggering. So they query several well known sites and check the date/time on the HTTP headers to make this defense point moot. See Internet Date Checking

"... will try to generate and connect to 50,000 web URLs a day ..."
It will query only 500 out of 50,000 generated domain names. See the domain generation algorithm.
I bet there will be a revision D shortly before April 1st, and the author(s) will address many of the potential defenses in revision C.

--
2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
1. Re:Helps, but not much ... by Dr.+Cody · 2009-03-24 15:42 · Score: 5, Funny
  
  I saw the article today on CBC (Canada's equivalent of the BBC).
  Well, that would certainly explain the "C," wouldn't it?
2. Re:Helps, but not much ... by wvmarle · 2009-03-24 18:26 · Score: 1
  
  "... will try to generate and connect to 50,000 web URLs a day ..."
  
  It will query only 500 out of 50,000 generated domain names.
  This part I still don't get. It means that either the authors plan to register a huge number of domains (very unlikely as in it makes it way too obvious who is behind this worm), or only about 1% of the infected hosts will succeed in connecting to the correct host to receive instructions. Still a large number of course, but how about the other 99% of infected hosts? Are they just going to sit idle? Or if using that p2p functionality to propagate instructions: how are they going to find each other?
3. Re:Helps, but not much ... by shird · 2009-03-24 18:49 · Score: 1
  
  They use a huge amount to make it impossible for people to put a watch-list on every domain. 50,000 per day, over months is a number too large to watch every domain. People are anxious about the April 1st, but that's unlikely to be when an update occurs. That's just when the worm starts looking for updates. An update is more likely to come much later, or whenever they require pushing out a spambot etc.
  You only need a subset to connect to the rendez-vous domain. The worm keeps a list of the last 100 or so IPs that are confirmed to be infected. It then pushes out the update to them. So 1% is actually an ideal number (ie 1 in 100). These guys are quite smart, and are using the latest crypto-algorithms, published just weeks before the worm had the update, so they know their stuff.
  
  --
  I.O.U One Sig.
4. Re:Helps, but not much ... by kbahey · 2009-03-24 23:03 · Score: 1
  
  Ideally, yes, all of them cooperating would help a lot.
  But note that the TLDs belong to different entities/countries with varying levels of competence/funding. Some are very small islands that have a cool TLD, run by small outfits.
  Getting them all to agree to act and coordinate it all would not be realistic.
  Let us hope I am wrong. I don't use Windows, but I think this worm will have an impact on the internet itself.
  
  --
  2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
5. Re:Helps, but not much ... by kbahey · 2009-03-24 23:15 · Score: 1
  
  Here is my educated guess:
  It is based on probability.
  The author(s) of the worm would register just 500 (or so) of the 50,000 domains. That is 1% as you said.
  The worm then generates the 50,000 random names, and tries to contact a sample of 500 of these.
  It has to just succeed in contacting one of them, and downloading a payload.
  There is also the peer to peer protocol, which is not fully understood (the SRI researches say that studying it is an "ongoing concern"), but will allow nodes to act as client and/or servers and exchange payloads without the internet rendevouz points, which are the above domains.
  So, they just have to initially have some domains, and distribute a payload through it. After that the payload can dictate another distribution method.
  
  --
  2bits.com, Inc: Drupal, WordPress, and LAMP performance tuning.
6. Re:Helps, but not much ... by AchilleTalon · 2009-03-25 02:53 · Score: 1
  
  All this started with ABC and since then spread like a worm.
  
  --
  Achille Talon
  Hop!
What's in a name? by schmidt349 · 2009-03-24 15:34 · Score: 3, Funny

I think I've heard every lexically significant variation on the name of this damn worm by now. I have no idea what "Conficker" actually means or to what it refers, but so far on this thread people have called it "Conflicker," "Cornflicker," and best of all "Cornfucker."
I think another name for it is "Downadup," which I always read as either "Downandup" or "Download a Duplicate."
Who gets to name the worms? We know that this one employs neat tricks like code signing peer-to-peer driven software updates and that it might be used for a sort of "evil Google" that people can use to data mine financial stuff and so on. Couldn't we lobby for a more rational taxonomy, so we could call this one "Cryptographically Labyrinthine Internet-Traveling ORganized Information Stumbler?"
1. Re:What's in a name? by icannotthinkofaname · 2009-03-24 16:09 · Score: 1
  
  I have no idea what "Conficker" actually means or to what it refers
  It sounds like the English word, "configure." Also, "ficken" is German for "to fuck", so one would imagine that, like any good piece of malware, it fucks with your configuration.
  I forget where I read that, so [citation needed]. Sorry. I swear, I saw it on Wikipedia, but it's not there now....
  
  --
  Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
2. Re:What's in a name? by mail2345 · 2009-03-24 16:11 · Score: 1
  
  Conficker means
  Configuration(conf) F*cker(ficker).
  
  And yes, the fs are overlapping.
3. Re:What's in a name? by cez · 2009-03-24 16:22 · Score: 1, Funny
  
  Bad idea, the CLITORIS can not be found by man... certainly not a slashdotter.
  
  --
  Walk with Music;
4. Re:What's in a name? by cp.tar · 2009-03-24 21:14 · Score: 1
  
  Bad idea, the CLITORIS can not be found by man... certainly not a slashdotter.
  Ever since there has been a bright red clitoris on every ThinkPad, this hasn't been true.
  
  --
  Ignore this signature. By order.
Re:GREAT! by cez · 2009-03-24 15:43 · Score: 1

Except nobody is in the driver seat at the moment.
Incorrect... someone is most certainly in the driver seat. Botnets aren't autonomous sytems that spawn out of control. They are replicated and controlled spawned instances, nodes or bots in a net mind you, doing whatever whomever is pulling the strings would like.

--
Walk with Music;
Cryptographic Signing, Peer to peer by Demonantis · 2009-03-24 15:46 · Score: 1

Sound like this worm has some significant financial backing. Whats even more crazy is a patch has been sent out for the worm already by Microsoft and people are still having issues.
1. Re:Cryptographic Signing, Peer to peer by bobbozzo · 2009-03-24 17:55 · Score: 1
  
  And slammer is still very active after 6 years...
  
  --
  Nothing to see here; Move along.
Re:ugh by cez · 2009-03-24 15:51 · Score: 2, Insightful

lmao, you had me at:

If you wanted the trolling to stop, let a troll per week post a front page story or something.
now I'd subscribe again for that. It would have to be lottery style or something mad random... way too many trolls out there with too much time on their hands.

--
Walk with Music;
Re:GREAT! by Anonymous Coward · 2009-03-24 15:51 · Score: 1

Yeah, you know how they control this one?
BY THE MECHANISM .CA IS TRYING TO THWART YOU FUCKING RETARD.
Why the HELL did you feel qualified to comment on this?
i just got off the toilet by Anonymous Coward · 2009-03-24 16:02 · Score: 1, Funny

i shit out an obama, stimulus plan and all!

plop!
Re:GREAT! by cez · 2009-03-24 16:07 · Score: 1

Planning on post-moderm triage by blacking out the algorithm for it's DNS awareness channels is all good and dandy...and in all liklihood wouldn't affect normal business operations of DNS (unless someone had really bad taste in domain names)... but who knows what algorithms lay dormant that could be changed with the flick of a bit or hell, updated. What do you think these thugs change control and turnover is? Just saying disclosing certain aspects of how you are actually fighting it, and learning how to combat prevent and spread awareness for it aren't mutually exclusive but not necessarily the same thing.
As far as who I am to comment on it, well... I'm someone who's commenting on it.

--
Walk with Music;
Learn to say by ethana2 · 2009-03-24 16:12 · Score: 1

'no.' Let the show begin.
Seems like a futile attempt by billcopc · 2009-03-24 16:30 · Score: 4, Insightful

It's cute that they're trying to preempt the worm, but to be effective they pretty much have to disable ALL potential domains. Miss one, and the worm will find it.
What I don't get is how people can still be surprised/impressed/scared by these things. Today's viruses have little in common with their elegant, obfuscated ancestors. Any twit can assemble a "virus" by tapping into the OS' libraries. Today's worms are essentially package managers, so anything you can do with legitimate software like emailing, flashing your BIOS or opening ports on your firewall, a virus can do the same things. It simply has to talk to its software repository, pull down the pieces it needs and proceed with its dirty deeds.
Hell, a tiny perl script could turn standard tools like Yum and Emerge into virus delivery agents. They already possess all the required functionality...

--
-Billco, Fnarg.com
1. Re:Seems like a futile attempt by robinesque · 2009-03-24 17:40 · Score: 1
  
  What? Good luck installing gentoo on cygwin.
2. Re:Seems like a futile attempt by rdebath · 2009-03-24 20:28 · Score: 2, Informative
  
  On the contrary, conficker looks very much like something that harkens back to the bad old days. True it doesn't have the hard memory constraints of a boot sector virus but it's not bloated nor is it just a primitive script.
  It uses strong crypto to protect it's updates, it uses peer to peer to distribute it's updates and code obfuscation that puts the best of the old school to shame. The obfuscation is so good in fact that it's proving to be a serious barrier to pulling apart the new peer to peer code; it can't stop it being decoded but it may be able to delay it past 1st April.
  Even this little technique of generating domain names to check for update distribution points is very unusual.
  All this does mean that people are worried. The botnet that exists has sufficient potential for damage in the hands of anyone but these people have shown an unusual level of technical skill for botnet builders and there is a clear danger that they have come up with a new and interesting use for the botnet.
  All things considered it may be the best result if it's just being sold to a spammer for a few dollars a machine.
3. Re:Seems like a futile attempt by Arancaytar · 2009-03-24 21:35 · Score: 1
  
  Today's viruses have little in common with their elegant, obfuscated ancestors.
  So have you found a way to keep inelegant viruses from being dangerous?
Re:Obama Policies Will Bankrupt USA Tsarkon Report by KingMotley · 2009-03-24 16:33 · Score: 1

And how does hiring ELIZA make you feel?
Can you expand on that?
Are you sure?
Re:GREAT! by cez · 2009-03-24 16:34 · Score: 2, Insightful

The people who analyzed it know what algorithms lay dormant and could be changed with the flick of a bit.
I know I shouldn't feed the trolls, but if these people who "analyzed" it only know what they've been able to observer or provoke it to do. I must have missed where they completely reverse engineered it and created a fix.
They figured out 1 of a myriad of its activities and service mediums let alone been able to crack one of its control channels. I'm all for fighting the good fight, but saying we understand this or have analyzed it thoroughly is naive.

--
Walk with Music;
The obvious question by symbolset · 2009-03-24 16:36 · Score: 1

Have you tried OS-X or Ubuntu? I heard they're not prone to this sort of thing.

--
Help stamp out iliturcy.
Re:Obama Policies Will Bankrupt USA Tsarkon Report by wampus · 2009-03-24 16:43 · Score: 1

You are just *SO* cute? Would you like to tell me about DRM and Open Office, too?
Re:Obama Policies Will Bankrupt USA Tsarkon Report by Hucko · 2009-03-24 17:39 · Score: 1

This has to be the most comprehensive spamming I've seen on this site for a while.

--
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
The root cause IMO by Onyma · 2009-03-24 17:44 · Score: 2, Insightful

Isn't one of the root causes of all this the fact that the exploit was released into the wild? I am highly against it every time I see one of the security "researchers" releasing these holes into the public knowledge base. Had this exploit been kept quiet with Microsoft rolling out an important update that quietly patched it I believe we wouldn't be in this situation.

It's like someone announcing on a street corner that the bricks on the south wall of a bank were found to be very thin, but don't worry... we'll get to adding a little more mortar soon enough. Don't any body make use of this information though as that wouldn't be nice of you.

I understand the concept of motivating the software manufacturers to move on fixing bugs but is this really a worthwhile outcome to achieve this goal? I tend to believe if some "researchers" hadn't just kept their mouths shut and found alternate means to have this dealt with April 1 would still only be "Fool's Day".

I also suspect that some of these "information releases" are often done for ulterior motives as well. Possibly to say "look at what I found" and quite possibly to just watch the target OS/product go down vs. your alternate favourite OS/product.

I am not an expert on Conficker's exact history nor this specific exploit, but I do feel my comments above are generally accurate to many announced exploits in general.

--
Play me online? Well you know that I'll beat you. If I ever meet you I'll "/sbin/shutdown -h now" you. -Weird Al, kinda.
1. Re:The root cause IMO by Swiper · 2009-03-24 18:18 · Score: 1
  
  I agree. What happened to the implicit agreement that flaws are first reported to the software manufacturer, and only if they block any cooperation does it get released to other research groups to see if they can mend it and then and only then to the public to force the manufacturer to do something?
  
  --
  ~We demand rigidly defined areas of uncertainty~
2. Re:The root cause IMO by shentino · 2009-03-24 22:21 · Score: 2, Insightful
  
  The flaw in your argument is trusting MS to be timely about its updates.
  I'd say tell the vendors, and give them about a month.
  If they haven't fixed it by then, there's a chance that someone else has found it, and publishing it won't hurt anything else, and may actually help by putting pressure on the vendor for a fix.
  Keeping an exploit under wraps only works if the vendor is responsive enough so that they don't get beat by a different "researcher" looking to use the hole for his own gain.
3. Re:The root cause IMO by Yvanhoe · 2009-03-24 22:36 · Score: 2, Insightful
  
  First, some exploits are made through reverse engineering of MS patches and then targets unpatched machines. This procedure has even been automatized, meaning that a virus could be created in the very first minutes a patch is rolled out of Redmond.
  
  Second, the general ethics about flaws disclosure is to inform the manufacturer first, but to keep in mind that even if you are a talented security researcher, there are numerous malicious talented security researcher and that if the manufacturer doesn't react, there is a moral duty to inform users that some software in some configuration might be at risk. If you are a small guy with little reputation, you have to release details in order to be taken seriously.
  
  And it works. Most of the time.
  
  --
  The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
4. Re:The root cause IMO by cffrost · 2009-03-24 23:46 · Score: 2, Insightful
  
  Isn't one of the root causes of all this the fact that the exploit was released into the wild?
  No. Microsoft was (made) aware of the vulnerability and had a patch available on 2008-10-18. According to Symantec's malware database, W32/Conficker.A was first seen on 2008-11-24. If all vulnerable machines had been patched in a timely fashion, Conficker would not have spread.
  
  Full-disclosure motivates vendors to patch their vulnerable software, and allows administrators and users to take precautions (independent of the vendor's action or inaction). For more information on why full-disclosure is preferable to security-through-obscurity, consult writings by Bruce Schneier. One interesting example that Schneier points out is that NSA releases many publicly-available security guides and tools; NSA is aware that these releases can be utilized by friends and foes alike.
  
  --
  Thank you, Edward Snowden.
  
  "Arguments from authority are worthless." —Carl Sagan
5. Re:The root cause IMO by Anonymous Coward · 2009-03-24 23:53 · Score: 1, Insightful
  
  It's like someone announcing on a street corner that the bricks on the south wall of a bank were found to be very thin, but don't worry... we'll get to adding a little more mortar soon enough. Don't any body make use of this information though as that wouldn't be nice of you.
  Except banks have insurance, so even if someone breaks in, their customers don't need to worry.
  Not so with Microsoft. If you get hit with Conficker, don't expect to see a single cent from Microsoft, to cover any loss you may suffer.
  If banks had no insurance, and someone breaking in meant that all their customers lost their money, I can guarantee you that those customers would want to know which bank is easy to break in to. Because their only safety would be to not put their money in that bank.
  As a Microsoft customer, your only defence is to know exactly where the hole is, and set up your own defence. If a security researcher doesn't inform you, you have no defence at all.
Re:ugh by Mystra_x64 · 2009-03-24 18:17 · Score: 2, Insightful

Maybe ACs should be disabled until at least 30 comments are written or something...

--
Quick way to get 30% Funny 70% Troll: defend Opera browser on /.
Re:ugh by pxlmusic · 2009-03-24 18:32 · Score: 1

maybe. there has to be a happy medium somehow.

--
"If for any reason you're not satisfied with our service, I hate you."
Re:GREAT! by jack2000 · 2009-03-24 18:38 · Score: 1

Heard of decompiling? eh? THEY know EXACTLY, what it does and can do.
Re:GREAT! by someone1234 · 2009-03-24 19:50 · Score: 1

Well, it could be changed just as easily.
If you already own a control server, you can also 'update' your zombies.
By telling that they will monitor the .ca domain, the controller can easily avoid hitting the previously predicted names, and either avoid .ca (very easy), or generate new names.

--
Patents Drive Free Software as Hurricanes Drive Construction Industry
RegistrY, not registrAR by telso · 2009-03-24 20:07 · Score: 1

CIRA is the registrY for the .ca ccTLD, and is the manager for the entire domain name space, selling domains "wholesale" to registrARs, which sell them "retail" to the public. Come on, the CBC got it right, can't /.?
1. Re:RegistrY, not registrAR by Clover_Kicker · 2009-03-25 06:10 · Score: 1
  
  D'oh, I screwed up the submission. Blame me.
2. Re:RegistrY, not registrAR by telso · 2009-03-25 06:25 · Score: 1
  
  But it's so much more fun to blame editors (I know, being one myself). And to be fair, it's not like the names aren't slightly confusing to us registrANTs!
Re:Obama Policies Will Bankrupt USA Tsarkon Report by Maelwryth · 2009-03-24 22:27 · Score: 1

"This has to be the most comprehensive spamming I've seen on this site for a while."
I wouldn't mind so much if he/she made decent use of white space. I can't even read it without my eyes twisting up.

--
I reserve the write to mangle english.
Directly from /b/ by Yvanhoe · 2009-03-24 22:43 · Score: 1

Sometimes a regular poster says something that could be held against him by his company/government/stepmother. It is occasional, but the 1% of times it is used for insightfulness is worth the 99% it is used for trolls. Just browse at +1 if you are really annoyed. Don't look at it and it will go away. Slashdot used to have far more noise in the -1 realm.

--
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Full Disclosure by Anonymous Coward · 2009-03-24 22:59 · Score: 2, Insightful

> Isn't one of the root causes of all this the fact that the exploit was released into the wild?
Yes and no.
In the bad old days before full disclosure, vendors would threaten security researchers. That lead to the bad guys knowing everything and being able to hack with impunity, the security researchers being considered the "bad guys" even though they weren't doing anything bad with the holes they found, and the general public being totally ignorant of all the security problems out there.
In other words, back when no one called out the vendors putting out shoddy products, all we had were shoddy products.
So the practice of not disclosing security vulnerabilities actually hurts the good guys far more than it hurts the bad guys, even if it sometimes leads to cases like this one.
Re:Obama Policies Will Bankrupt USA Tsarkon Report by Hucko · 2009-03-25 00:45 · Score: 1

You read it? you are a sadomachist

--
Semi-automatic amateur armchair Australian philosopher; conjecture ready at any moment...
Re:ugh by KillerBob · 2009-03-25 00:58 · Score: 1

Oh probably. Do you think they'll be able to channel an answer?

--
If you believe everything you read, you'd better not read. - Japanese proverb
Re:CIRA does NOT represent .ca owners! by AchilleTalon · 2009-03-25 03:03 · Score: 1

True! Just to correct a wrong information in their database about yourself (company) you need a pile of paperwork and legal processing of your request before sending it to them. Conclusion, leave the wrong informations in their database asis and move on. You even cannot just call them to tell them or ask your registrar to do the work.
R-I-D-I-C-U-L-O-U-S

--
Achille Talon
Hop!
Re:CIRA does NOT represent .ca owners! by Kenshin · 2009-03-25 04:15 · Score: 1

I've registered 3 .ca domain names, and not encountered any sort of problems or difficulties. At all.
I don't know which .ca registrar you're dealing with, but the ones I've dealt with are fine.

--
Does it make you happy you're so strange?
Re:ugh by Arterion · 2009-03-25 09:40 · Score: 1

This is almost as good as mad libs!

--
"That which does not kill us makes us stranger." -Trevor Goodchild
Wait to see who registers those domains... by beguyld · 2009-03-25 19:33 · Score: 1

Why not see who registers the domains _and_ supplies downloads to existing bots?
Obviously the people who created this worm won't be stupid about it, but perhaps some clues could be gathered.
And if it gets really hard, maybe the guys from 24 or CSI can put one of their top people on it. They seem to do amazing things in figuring out multiple levels of hiding...
toyotabedzrock by toyotabedzrock · 2009-03-26 06:47 · Score: 1

Why don't they just instruct the worm to upload an executable that will delete the worm and then itself? Or if the previous is no possible due to authentication built in they could cause a buffer overun in the worm. Maybe they could even use the buffer overun to delete or damage the worm so it can't run again.