Fears of a Conficker Meltdown Greatly Exaggerated
BobB-nw writes "Many have been worrying that the Conficker worm will somehow rise up and devastate the Internet on April 1. These fears are misplaced, security experts say. April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. A 60 Minutes episode about the worm on Sunday will stoke concerns. But the worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. 'Technically, we will see a new capability, but it complements a capability that already exists,' Porras said."
that never happens.
... either way. The only certainty is security experts have differing opinion on this.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
So many headaches like this would be avoided if people had enough of a clue to NOT USE WINDOWS!
"Can't do that"
"Doesn't work that way"
"Coooommmeonnnnn"
You just don't know what payload will be downloaded on April 1st.
It could be your standard 'DDoS and Spam Run' package, but imagine what would happen if all these drones were used to start exploiting an unknown vulnerability, think SQL Slammer...
April 1st is when the worm will *start* looking for updates. It will continue looking from that date on, with a different set of domains each day. So there is no reason why the authors would register one of the domains and put out an update on the first day. If anything, they would wait a while to increase the number of domains security researchers have to watch out for. Also, the authors may not have any reason to update it just yet - it seems to be quite successful in its current iteration. They may be waiting for a buyer to purchase a block of the botnet for example.
I.O.U One Sig.
Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?
After April 1st, this thing will be drawing from more domains than can be blocked for future updates. It sounds like it'll be much more entrenched and difficult to combat if that happens. So this advice sounds a lot like 'Well, the gangrene has spread from your foot up to your knee, but it's not a problem'.
Help keep my job interesting. And more relevant. Geez, now I'm in league with the narcs - if there's no crooks, I'm out of a job.
Build your own energy sources from scratch. http://otherpower.com/
Seems like Windows Update is always failing with random errors. Maybe MS could buy up this technology to fix their own? ;)
Here's hoping for no such meltdown.
This thing going stupid on April 1st would just add to my birthday present.
"Happy birthday, Orb. Now get back on the phones, we're all hands on deck for lusers calling in with that Conficker crap."
Now, of course, I'm wondering just where can someone stick the cork to stem the possible flow that this little barstard is going to cause to divert the most damage?
Also, just how big does the cork have to be?
One of these days, I am going to flip out. When I flip out, I'll be back in five minutes.
So what is exaggerated? How much people are afraid of Conficker or its potential to cause damage?
I would like this thing to actually shut down all those computers that are infected. It would save quite a bit on energy and actually be quite useful. If there were a way to permanently disable a computer (flash its BIOS with a bad image) then maybe it could stimulate the economy. Another thing would be to simulate a 56k connection on all those machines. Finally the intertubes would be cleared of a lot of clutter by people trying to get to awful flash 'movies' of random people on Facebook or MySpace. Another thing would be to register every IP that the computers are connected to as potential spam hosts with well-known spam registries.
Of course if some host is infected and some life or death situation is dependent on it, the blame should be placed on the IT administrator or the vendor, not the creator.
It will be interesting to see what will happen.
Custom electronics and digital signage for your business: www.evcircuits.com
And your inability to spell out your words or use proper grammar makes you so much better, yes?
I've been following Storm, and that has dropped off the face of Slashdot, and other worms; this latest Conficker is getting an article once or twice a week, but unless I missed something, how does one prevent/detect/remove these worms? All the news articles seem to think that it's a foregone conclusion that your system (or that of someone you care about) WILL BE ASSIMILATED. I run Windows, but I practice safe browsing (I wrap that rascal by not downloading willy-nilly, using Outlook for e-mail, and using NoScript and ABP in Firefox, all of which is running on an up-to-date Windows XP build behind a NAT router). Am I infected? Will AVG tell me if I am? Would NAV or {other antivirus} tell me?
Wikipedia has info on how to detect and remove using most major antivirus running the latest update. But why don't the news-writers seem to recognize this? Why must every infection be a death sentence to support some nefarious plot with your unwitting computer?
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
If there were a way to permanently disable a computer (flash its BIOS with a bad image) then maybe it could stimulate the economy.
I'm pretty sure that the broken window fallacy would say otherwise.
I misread the title as "News of a Conficker Meltdown Greatly Exaggerated" but was sadly disappointed to find it otherwise.
Can fears even be exaggerated? Exacerbated, perhaps?
I'm just waiting for someone to realise that April 1st was a spoof, and the attack will actually happen March 31st!
And your inability to spell out your words or use proper grammar makes you so much better, yes?
Oh, yes, yes, most certainly! One must agree, wholeheartedly and enthusiastically, with such wonderful, and certainly unique, criticisms of the tragedies caused by the improper use of grammar! It is quite clear, and heartbreaking, the terrible misunderstandings and misfortunes that today's youth bring upon themselves, through the lack of proper control of their suffixes and prefixes, intonations and pronunciations! One must not forget that, in addition to the sins of grammar, they sin also by the use of impure operating systems! Oh! And what horrible programming habits! So lacking in proper manners of commenting, and of course, syntax -- but oh! The time! I must be going, I am so very late, I have an appointment with the priest to discuss a matter of utmost importance, to clear up some terrible sins -- just imagine, I have written a couple of letters to a Swiss friend who is quite ill with a brain tumor, and, well, you see, I made some mistakes, graphing a few words with a quite grotesque mistake in accentuation. I just never managed to quite master her language. It is positively terrifying, the prospect that she might live to read these letters! Well, the reverend must have some suggestion! Ta-ta!
I was looking for some cheap schadenfreude...
Yes, because everyone is an idiot but you. They're not smart enough to deserve the internet. Let us take their PCs from them.
Space Shuttle was a program that strapped humans to an explosion and tried to stab through the sky with fire and math
Teaching people how to use their computers and fixing hardware problems when they come up is a helluva lot better than repetitive malware removal.
More fun, anyway.
Frak. I'm getting old.
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
Why are we discussing Windows/Linux/OS X preference at all? Does anyone have even the slightest clue how ignorant these statements sound? Replies like "My custom compiled super secure xxxxxx install is impervious to all attacks from anyone..." are inflammatory and pose no useful, relevant, or even accurate account of how things work in the real world. Don't be dumb. That's the best advice anyone can give. Someone please drop a comment that has useful information regarding the subject. It may actually contribute to understanding why this is doing what it is doing. When the aim of the ploy is understood, we can take steps to mitigate the damage and prevent future nonsense from happening.
Good grief it sucks to be associated with idiots like you.
Respectfully,
A programmer/technologist/"IT" guy
If there were only one Linux. There's not. There are thousands. The kernel itself doesn't require services that need open ports and application level security is a per-distribution thing so no two are going to have the same set of vulnerabilities. Linux is not a "monoculture".
We live in the world as it is, not as it might be. What-ifs really aren't worth spit. You can choose to run an OS that was vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red and will be the target of the next six. Or not. It's up to you. Don't try to pretend that there's no functional security difference between the two because that's absurd. Add up the amount of data that was and will be compromised by that list of malware and you have enough to bring the world economy to a screaming halt. Between them those computers probably had access to financial or personal data on a majority of people who've had a digital record and more corporate secrets than should be in a hundred data pools.
What the other guy does shouldn't matter. It should be about being responsible with the data entrusted to you, about being a good steward of your own gear. If you are in IT then your customers are counting on your professional expertise to save them from inadvertently disclosing information via system compromise, and that's a solemn duty. From that perspective the choice is clear. If you can choose to not be a target why would you not leap at that option?
Help stamp out iliturcy.
Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?
They're trying. Microsoft has released a patch that supposedly blocks the primary vector (a vulnerability in the Server service affecting all Microsoft operating systems since Windows 98), and updated their repair tool MSRT to detect and remove it (download it from a machine that's not infested). It has probably removed it from several million of the estimated 15 million infested machines. Microsoft is working with ICANN to block registration of the generated domain names in the case where they're not yet registered and with the owners of the domains that were previously registered to mitigate downtime. Every managed service provider and major IT shop I know of has pushed out all of this stuff. Unfortunately, this is not even close to enough. The secondary vector, autorun, is pernicious. This thing is now in the root of thousands of major shares and every time they remove it one of the thousands of Conficker clients puts it back. It's on millions of pen drives, millions of backups. It's been burned to millions of CDs. It's on iPods and mp3 players, Blackberries and iPhones and Windows Mobile phones, picture frames and DVDs. It's probably now in the root of DVD ISOs distributed via all the popular media distribution sites. Tertiary vectors include compromising network neighbors. Your grandchildren are going to be installing this thing if they don't figure out the whole "autorun is stupid" thing.
This thing is really very well engineered. The next one will be even better. And the next one better still. If you're in a Microsoft shop you're going to be working half your holiday weekends for the rest of your career, and a lot of planned vacations too. Remember that this is not the only Windows malware currently making the rounds. There are at least three major development groups and all of them have active botnets and a release schedule for new exploits.
We've been playing this game for a long time and the black hats are getting more proficient than the white hats. The problem is that the target platform - Windows - cannot be made invulnerable to these threats without defeating its main selling point: application compatibility. Most of the people who work with this toxic stuff do their development on BSD, OS-X or Linux and refer to Windows boxes as "targets". If Microsoft makes Windows so secure that this junk won't spread, most of the apps for it won't run. You might as well run an OS that's not a target now as wait for that to happen.
But TFA is right. April Fools is the day the botmaster begins to harvest his crop of bots. May 22 is more likely the beginning of operations. I could be wrong about this because I previously guessed January 16.
Destruction of property is not helpful for the economy. Any money that people have to spend on computers, they can't spend on something else. Sorry no free lunch here.
Don't be a target. Use some system that doesn't have these problems.
Posting anonymous because I know the Windows users will mod me down, but as an uninvolved bystander (I won't name my platform but I no longer touch Windows) I find the whole thing incredibly amusing. Can you imagine if a particular model of a particular car manufacturer's electronics system could be compromised by filling up at a particular fuel station, possibly turning the cars into moving timebombs on a certain date? Do you think we'd all be sitting around wondering what is going to happen on that day? No fucking way, that model car would be recalled as a danger to public safety. But because it's Windows and everyone is too scared to cut the fucking cord we end up in this situation where we know terrible shit is going to happen April 1st and nobody is doing anything about it at all.
I know my network will be running smoothly on April 1st; I hope my ISP can say the same. I really hope everyone infected with Conficker gets their hdd zeroed. These days it seems like things have to get so far beyond bad before people get motivated to change their bad habits it's just not funny... even as someone who's not directly affected by the stupidity.
Why are we discussing Windows/Linux/OS X preference at all?
If you want a system that's not vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red, you need look no farther than "anything that's not Windows".
Flamebait? I thought it was funny myself.
I think your misanthropic streak is showing here.
Would be counterproductive. Can't make any money off the botnet that way.
Really, even crashing the infected PC is the same. The days of 'dangerous' viruses have long since passed.
---- Booth was a patriot ----
If some fuckwit walked up my street with a hammer smashing car windows every day, then destroying the hammer would certainly help the economy.
Destruction of property is helpful for the economy if the property is doing more harm than good.
Most ironic would be if after the update they patched Windows up to the latest update, cleaned themselves and left an informational message on screen about computer security. That would rock :)
user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
That's what we do to people that aren't "smart enough to deserve" their cars. Why not?
Generally linux users are more computer savvy and don't go opening every email attachment they get.
Microsoft aggravates my tourettes syndrome.
there is no reason why the authors would register one of the domains and put out an update on the first day. If anything, they would wait a while to increase the number of domains security researchers have to watch out for.
Well, as far as I understood this, every bot is looking for an update on 50,000 different domains each day. This would mean that waiting any number of days will not increase the namespace, as every day has a different unique namespace of 50,000 domains.
Apart from this, there are many reasons I can think of that would make it logical for the authors to drop an update now. E.g. the virus makers could have advanced the bot so that it could better defeat mechanisms deployed by security software against it. Also, AFAIK the Conficker designers put tremendous effort into this, which is why I think that we are dealing with a team of several specialists: programmers, exploit writers, networking specialists, cryptographers. I would blindly guess that this kind of organisation of criminal energy would likely be led by someone, probably someone who would expect a ROI on it pretty soon.
Just my 2 cents
Destruction of property is not helpful for the economy.
How can that be? I've been watching Congress and the President and clearly they think destruction of the economy is helpful for the economy...
You are in a maze of twisty little passages, all alike.
Of course this could all get changed or enhanced with an update that could occur on April 1st.
Now, what I want to point out with this comment is that you can end up with a complete infected LAN by only having overlooked or spared out just one system that remained unpatched and here is why:
If you happen to end up with an infection of a system and you log in as domain admin to it, the virus has got everything it needs to spread to every system, particularly to the central file server. And if you do not happen to run an AV client for real-time monitoring there, or if an updated version is not detected by the system's AV client signatures, you can get infected pretty badly.
When Conficker has domain admin privileges, it creates scheduled processes to execute a copy of itself on remote systems. In order to prevent this, you can either disable the scheduling process or you can write-protect the Root folder on your central file server.
So you might want to CYA and make sure that:
lol same here. I also can not watch CSI or any other show like that on TV. However I will sometimes mutter "Mess with the best, die like the rest" just to see if anyone gets the joke :)
Ok... so here's what I don't get:
Security experts are well aware of this botnet client and are keeping a close eye on it. They've picked the client bot apart line by line. They know exactly how it is supposed to behave on the client side, but they of course don't have a clue about the server side. So why can't they hijack the hijacker?
For example, say this client bot is programmed to go to IP address on April 1st and DL some update. Ok..., block that IP address on the internet or trace the IP address back to the owners and stop it there. Those don't seem hard. (ok... and before someone calls me an idiot for saying "block the ip address on the internet", what i mean is that you can get the major service providers, certainly here in the US, and potentially abroad to "lose" anything sent to a specific address.)
Ok... so let's say that the client bot is programmed to go to IP address to and ping each one to ask for an appropriate update, verifying each update against a specific hash key. Ok... then grab IP address and put in something that DLs a file that neutralizes the bot. There can be no hash key that the researchers can't figure out because they can pick through the entire client bot's code bit by bit.
I'm clearly not getting something crucial here, but it just seems that in all the moaning about how bad this is, it wouldn't be that hard for someone to write some kill code for it as long as enough time and effort had already gone into understanding the client side code.
Someone please help out a clueless non-security, non-software engineer understand why this is so hard.
d
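Added illustration for two points in this thread, the per-day domain sets discussed in the reply to "there is no reason why the authors would register one of the domains and put out an update on the first day", and the "why can't they hijack the hijacker" question just above. This is constructed example code, not Conficker's code and not from anyone in the thread. The domain generation algorithm (its seed DGA_SEED, 500 names a day under the reserved .example TLD), the toy RSA primes, the shared key and the sample "kill" update bytes are all assumptions made up for the demo. It shows two things: each day's domain list is fresh, so waiting only enlarges the set a defender must register or sinkhole; and a bot that checks updates against an embedded public key cannot be fed a kill update by someone who only has the bot binary, whereas a symmetric "hash key" embedded in the binary could be forged by anyone who extracted it.

```python
"""Toy model of a date-seeded domain generation algorithm (DGA) and of
signed-update verification.  Added illustration for this thread; it is not
Conficker's code.  The seed, domain count, primes, shared key and sample
update bytes below are constructed for the example."""
from __future__ import annotations

import datetime
import hashlib
import hmac

TRIGGER_DATE = datetime.date(2009, 4, 1)
DGA_SEED = b"toy-dga-seed"   # assumption: stands in for the constant baked into the bot


def daily_domains(day: datetime.date, count: int) -> list[str]:
    """Return `count` pseudo-random domains for `day`.  The algorithm ships in
    the bot, so anyone who reverse-engineers it can precompute every day's
    list; the catch is that each day yields a fresh list."""
    names = []
    for i in range(count):
        material = DGA_SEED + day.isoformat().encode() + i.to_bytes(4, "big")
        names.append(hashlib.sha256(material).hexdigest()[:12] + ".example")
    return names


def distinct_domains(start: datetime.date, days: int, per_day: int) -> int:
    """How many names a defender must register or sinkhole to cover `days`
    consecutive days starting at `start`: waiting grows the job, it does not
    shrink it."""
    seen = set()
    for offset in range(days):
        seen.update(daily_domains(start + datetime.timedelta(days=offset), per_day))
    return len(seen)


# ---- Model A: update authenticated with a secret the bot carries (a "hash key")
SHARED_KEY = b"secret-extracted-from-the-binary"   # assumption: the poster's model


def bot_accepts_hmac(update: bytes, tag: bytes) -> bool:
    """Bot-side check under model A: recompute the HMAC with the embedded key."""
    return hmac.compare_digest(hmac.new(SHARED_KEY, update, "sha256").digest(), tag)


def researcher_forges_hmac(update: bytes) -> bytes:
    """Whoever dumped the bot also has SHARED_KEY, so a valid tag is trivial."""
    return hmac.new(SHARED_KEY, update, "sha256").digest()


# ---- Model B: update carries a signature checked with an embedded PUBLIC key
# Textbook RSA with two small, well-known primes (the 9999th and 10000th):
# factorable in milliseconds, used only to show which side holds which exponent.
_P, _Q = 104_723, 104_729
RSA_N = _P * _Q
RSA_E = 65537                                    # public: embedded in the bot
_RSA_D = pow(RSA_E, -1, (_P - 1) * (_Q - 1))     # private: only the botmaster has it


def _digest_int(update: bytes) -> int:
    """Hash the update and reduce it into the RSA modulus."""
    return int.from_bytes(hashlib.sha256(update).digest(), "big") % RSA_N


def botmaster_sign(update: bytes) -> int:
    """Signing needs the private exponent, which never leaves the botmaster."""
    return pow(_digest_int(update), _RSA_D, RSA_N)


def bot_accepts_signed(update: bytes, signature: int) -> bool:
    """Bot-side check under model B: recompute the digest and verify the
    signature using only RSA_N and RSA_E."""
    return pow(signature, RSA_E, RSA_N) == _digest_int(update)


def researcher_forge_attempt(update: bytes) -> int:
    """Best effort of someone holding the bot binary (RSA_N, RSA_E) but not
    _RSA_D: 'sign' with the public exponent and hope the bot accepts it."""
    return pow(_digest_int(update), RSA_E, RSA_N)


if __name__ == "__main__":
    print(distinct_domains(TRIGGER_DATE, 7, 500), "distinct domains to cover one week")
    kill = b"constructed sample: uninstall yourself"   # constructed 'kill' update
    print("HMAC model, researcher-made tag accepted:",
          bot_accepts_hmac(kill, researcher_forges_hmac(kill)))
    print("Signature model, researcher forgery accepted:",
          bot_accepts_signed(kill, researcher_forge_attempt(kill)))
    print("Signature model, botmaster update accepted:",
          bot_accepts_signed(kill, botmaster_sign(kill)))
```

Run it directly to print the checks. The point of model B is that reverse-engineering the client recovers RSA_N and RSA_E, which is enough to verify an update but not to produce one; the primes here are tiny so the example stays readable, a real key is not factorable that way. Sinkholing the domains, as the thread discusses, still works against model B because it blocks the download rather than forging it.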
all language nazi's will burne in heil!
So UIDs are up to a mil and half now, huh?
I didn't even know that this virus existed until yesterday, and it's like the pistachio scare--seriously, why doesn't the media just go ahead and say you're going to die (or at the very least our computers will)?
If wishes were fishes, we'd all cast nets. If wishes were horses, beggars might ride.
The lesson is that wishes aren't fishes, and they're not horses either. Also, some Linux Distro doesn't have 80% of the desktop market and what the world might be like if that happened is irrelevant. We live in the world we're in and what-ifs aren't worth anything against known threats. In the here-and-now world if you run Windows you're subjecting yourself to the monoculture that bred Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red. If you're not, then you're not. It's really that simple.
Also, you guys usually post this template crap AC. Are you tiring of this 'turf account?