Fears of a Conficker Meltdown Greatly Exaggerated
BobB-nw writes "Many have been worrying that the Conficker worm will somehow rise up and devastate the Internet on April 1. These fears are misplaced, security experts say. April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. A 60 Minutes episode about the worm on Sunday will stoke concerns. But the worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. 'Technically, we will see a new capability, but it complements a capability that already exists,' Porras said."
that never happens.
April 1st is when the worm will *start* looking for updates. It will continue looking from that date on, with a different set of domains each day. So there is no reason why the authors would register one of the domains and put out an update on the first day. If anything, they would wait a while to increase the number of domains security researchers have to watch out for. Also, the authors may not have any reason to update it just yet - it seems to be quite successful in its current iteration. They may be waiting for a buyer to purchase a block of the botnet for example.
I.O.U One Sig.
Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?
After April 1st, this thing will be drawing from more domains than can be blocked for future updates. It sounds like it'll be much more entrenched and difficult to combat if that happens. So this advice sounds a lot like 'Well, the gangrene has spread from your foot up to your knee, but it's not a problem'.
Help keep my job interesting. And more relevant. Geez, now I'm in league with the narcs - if there's no crooks, I'm out of a job.
Build your own energy sources from scratch. http://otherpower.com/
Seems like Windows Update is always failing with random errors. Maybe MS could buy up this technology to fix their own? ;)
Current Windows inherited most of its security problems from DOS and Win16. In fact Windows XP was the first "home desktop" Windows (given 2000 was marketed for office use) to use memory protection at all. Prior to that a process could read/write anywhere, which effectively meant there was no security of any kind.
And since most applications require administrator access to run at all, including most server applications, even having memory protection is reduced to the effectiveness of chewing gum. With administrator access, any application can insert itself as a shim into any other application.
Then even when you do narrow down to the few applications that run with pure user access, and run that way all the time, there are plenty of privilege escalation holes to get that administrator access back.
It's Swiss cheese from the ground up. Users cannot be expected to be tech geeks just to be basically secure. Certainly if they run an untrusted binary, their personal files are forfeit, but by no means should that be allowed to spread to the whole system (of potentially thousands of users) nor the whole network via server software running as administrator.
Sam ty sig.
I would like this thing to actually shut down all those computers that are infected. It would save quite a bit on energy and actually be quite useful. If there would be a way to permanently disable a computer (flash its BIOS with a bad image) then maybe it could stimulate the economy. Another thing would be to simulate a 56k connection on all those machines. Finally the intertubes would be cleared of a lot of clutter by people trying to get to awful flash 'movies' of random people on Facebook or MySpace. Another thing would be to register every IP that the computers are connected to as potential spam hosts to well-known spam registries.
Of course if some host is infected and some life or death situation is dependent on it, the blame should be placed on the IT administrator or the vendor, not the creator.
It will be interesting to see what will happen.
Custom electronics and digital signage for your business: www.evcircuits.com
I've been following Storm, and that has dropped off the face of Slashdot, and other worms, this latest Conficker is getting an article once or twice a week, but unless I missed something, how does one prevent/detect/remove these worms? All the news articles seem to think that it's a foregone conclusion that your (or someone you care about) system WILL BE ASSIMILATED. I run Windows, but I practice safe browsing (I wrap that rascal by not downloading willy nilly, using Outlook for e-mail, and use NoScript and ABP in Firefox, all of which is running on an up to date Windows XP build running behind a NAT router), am I infected? Will AVG tell me if I am? Would NAV or {other antivirus} tell me?
Wikipedia has info on how to detect and remove using most major antivirus running the latest update. But why don't the news-writers seem to recognize this? Why must every infection be a death sentence to support some nefarious plot with your unwitting computer?
Is it sad that I am more likely to recognize you and your posts by your sig than your name or UID?
If everyone were using something else, let's say Linux or OS X, then the worms would be tailored for those environments.
I'd like to see a worm tailored to my custom-compiled hardened 64-bit Gentoo. Linux is not a monoculture, only in source code form. You cannot target it the way you do Windows.
Posts like this make me think that you've never done any tech support for the average home user in the real world.
Sure, those of us who know what we're doing can avoid problems.
That doesn't hold true for the vast majority of windows users. If it did, it wouldn't be a problem.
It's the same kind of thinking that led to the problem being existent in the first place.
Don't get me wrong - I make a fairly nice side income doing tech support for home users on the side.
But I'd much rather go back to teaching people *how* to use their computers - actually making a difference - than fixing broken windows installations and removing viruses, even if it is much more profitable.
Call me old-fashioned or whatever, but that's what I'd prefer.
I'm not necessarily bitching at you in particular. I just remember what it was like, a long time ago, to spend my computer support time solving problems that didn't involve malware infestations. *Teaching* people how to use their computers. I miss it. It was fun. This isn't.
So anyone who says "Oh, I can keep my machine virus free" - whoopdefuckingdoo, so what, so can I. Most people can't, and it's because Microsoft can't write a decent *secure* fucking operating system to save their stock options.
Oh, and get off my damned lawn ;)
(Irritable? You bet. I'm a curmudge-only middle aged bastard...)
I can vent, can't I? *grin*
SB
It's old. The more humans I meet, the more I like my cats. At least they are honest.
You mean having 10x users would reduce the number of different configurations? I don't know what you're smoking, but give me some.
Actually, it would probably be safe to assume that it would. Mass take-up of Linux would either require or force standardisation, and with that would come a form of 'same-ness' that would be open to attack.
Yes, because everyone is an idiot but you. They're not smart enough to deserve the internet. Let us take their PCs from them.
Space Shuttle was a program that strapped humans to an explosion and tried to stab through the sky with fire and math
While what you say is technically true, (no OS is completely immune to malware) Linux simply has more hurdles that malware must jump over before a system can be infected. (people typically not running as root, fewer ports open, most software coming from "sterile" sources like official repositories, etc.) At least one of these obstacles is usually enough to stop most infection attempts before any damage is done. However, when users get lazy or careless and bypass these lines of defense, infection is possible if there is a type of malware able to exploit the opportunity at that exact moment.
"It is a denial of justice not to stretch out a helping hand to the fallen; that is the common right of humanity."
They might try to tailor their junk for these environments, but it's like the difference between a normal car (windows) and a car coated with teflon with a motion sensing machine gun on top (OSX/Linux), with the worms/viruses/malware being a type of graffiti paint.
Graffiti will stick pretty well to a normal car (and if you tend to stop in the more seedy parts of town than others, you have more of a chance of having your car "tagged" too), but it's not going to be very effective on the teflon coated ones and the owner is going to have to be silly enough to log in as root to disable the guns so the criminals can get close enough in the first place.
The argument that the reason why windows is being attacked is because it has a majority share is an ass backwards way of thinking about the issue.
Windows is targeted because its "security" is inherently flawed, its security isn't flawed because it's being targeted. The fact that it has a majority share is just an added bonus for these people, but it has nothing to do with the underlying problem, (though it certainly does help the problem grow by orders of magnitude).
I'm reminded of Dan Dennett's TED Talk where he insightfully points out that we don't like chocolate cake because it's sweet, it's sweet because we like it.
Another way of looking at it is like this... Houses aren't unoccupied, unalarmed and filled with artwork, expensive stereos and silverware because someone wants to break into them, someone wants to break into them because they are unoccupied, unalarmed and filled with artwork, expensive stereos and silverware.
If OSX or Linux took a majority share of the desktop, the problem wouldn't shift like you are thinking it would. Granted, there would be an uptick in attempts and there will inevitably even be a few holes to patch up that were previously unknown, but there certainly won't be an equivalent to the 100,000+ viruses that exist for Windows.
If there were only one Linux. There's not. There are thousands. The kernel itself doesn't require services that need open ports and application level security is a per-distribution thing so no two are going to have the same set of vulnerabilities. Linux is not a "monoculture".
We live in the world as it is, not as it might be. What-ifs really aren't worth spit. You can choose to run an OS that was vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red and will be the target of the next six. Or not. It's up to you. Don't try to pretend that there's no functional security difference between the two because that's absurd. Add up the amount of data that was and will be compromised by that list of malware and you have enough to bring the world economy to a screaming halt. Between them those computers probably had access to financial or personal data on a majority of people who've had a digital record and more corporate secrets than should be in a hundred data pools.
What the other guy does shouldn't matter. It should be about being responsible with the data entrusted to you, about being a good steward of your own gear. If you are in IT then your customers are counting on your professional expertise to save them from inadvertently disclosing information via system compromise, and that's a solemn duty. From that perspective the choice is clear. If you can choose to not be a target why would you not leap at that option?
Help stamp out iliturcy.
That brings to mind exploits for very common distributions that I've seen in the past.
But, in reality there have been some nasty ones. How many versions of OpenSSH were exploitable? I remember having the exploit, and running it against our own equipment to see what it would break. I love trying to break my own equipment. If I use the same script kiddie code, and I can't get in, neither can they.
Of course, it helps to have many things protected. I prefer to have SSH on a different port, with the firewall rules disallowing anyone to connect from anything but an authorized network (I love default DROP rules). Most exploitable things have only been available to my authorized networks, and only if they knew our port scheme.
Serious? Seriousness is well above my pay grade.
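The setup the post above describes (SSH moved off its default port, default DROP, SSH accepted only from an authorized network) as a small policy evaluator, added here as an example and not code from anyone in the thread. The port number 2222, the 192.0.2.0/24 management network and the probe addresses are constructed assumptions; the weak policy is shown beside the hardened one so the difference is visible on the same probes.

```python
import ipaddress

# Constructed policies for the setup described in the post. The port number
# and the management network are assumptions, not values from the thread.
SSH_PORT = 2222
MGMT_NET = ipaddress.ip_network("192.0.2.0/24")   # documentation range, constructed

# A rule is (action, source network or None for any, destination port or None for any).
WEAK = {
    "rules": [("ACCEPT", None, 22)],            # SSH on the default port, from anywhere
    "default": "ACCEPT",                        # nothing else is filtered at all
}
HARDENED = {
    "rules": [("ACCEPT", MGMT_NET, SSH_PORT),   # SSH only from the authorized network
              ("ACCEPT", None, 443)],           # the public service stays reachable
    "default": "DROP",                          # the post's "default DROP"
}

def decide(policy, src_ip, dst_port):
    """First-match rule evaluation, falling through to the policy's default action."""
    src = ipaddress.ip_address(src_ip)
    for action, net, port in policy["rules"]:
        if (net is None or src in net) and (port is None or port == dst_port):
            return action
    return policy["default"]

# Constructed probes: (source, destination port). 198.51.100.5 is an outside
# host that already knows the non-standard port ("if they knew our port scheme").
PROBES = [("198.51.100.5", 22), ("198.51.100.5", 2222),
          ("198.51.100.5", 443), ("192.0.2.10", 2222)]

def exposed(policy):
    """The probes this policy would let through to a listener."""
    return [(ip, port) for ip, port in PROBES if decide(policy, ip, port) == "ACCEPT"]
```

Under the hardened policy the outside host is dropped on 2222 even though it knows the port, while the authorized network still reaches SSH.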
Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?
They're trying. Microsoft has released a patch that supposedly blocks the primary vector (a vulnerability in the Server service affecting all Microsoft operating systems since Windows 98), and updated their repair tool MSRT to detect and remove it (download it from a machine that's not infested). It has probably removed it from several million of the estimated 15 million infested machines. Microsoft is working with ICANN to block registration of the generated domain names in the case where they're not yet registered and the owners of the domains that were previously registered to mitigate downtime. Every managed service provider and major IT shop I know of has pushed out all of this stuff. Unfortunately, this is not even close to enough. The secondary vector, autorun, is pernicious. This thing is now on the root of thousands of major shares and every time they remove it one of the thousands of Conficker clients puts it back. It's on millions of pen drives, millions of backups. It's been burned to millions of CDs. It's on iPods and mp3 players, Blackberries and iPhones and Windows Mobile phones, picture frames and DVDs. It's probably now in the root of DVD ISOs distributed via all the popular media distribution sites. Tertiary vectors include compromising network neighbors. Your grandchildren are going to be installing this thing if they don't figure out the whole "autorun is stupid" thing.
This thing is really very well engineered. The next one will be even better. And the next one better still. If you're in a Microsoft shop you're going to be working half your holiday weekends for the rest of your career, and a lot of planned vacations too. Remember that this is not the only Windows malware currently making the rounds. There are at least three major development groups and all of them have active botnets and a release schedule for new exploits.
We've been playing this game for a long time and the black hats are getting more proficient than the white hats. The problem is that the target platform - Windows - cannot be made invulnerable to these threats without defeating its main selling point: application compatibility. Most of the people who work with this toxic stuff do their development on BSD, OS-X or Linux and refer to Windows boxes as "targets". If Microsoft makes Windows so secure that this junk won't spread, most of the apps for it won't run. You might as well run an OS that's not a target now as wait for that to happen.
But TFA is right. April Fools is the day the botmaster begins to harvest his crop of bots. May 22 is more likely the beginning of operations. I could be wrong about this because I previously guessed January 16.
Help stamp out iliturcy.
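Two posts above talk about the same defensive problem: the worm derives a different set of domains each day, and the people working with ICANN have to know every name in advance to register, sinkhole or block it. The example below is added here and is not Conficker's algorithm or anyone's code from the thread: a constructed date-seeded name generator that only reproduces the "new predictable set every day" property, a defender's watch list built over a window of trigger dates, and a check of constructed resolver log lines against that list. The April 2009 dates, the 250-per-day count and the log lines are all constructed.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a date-seeded domain generation algorithm.
# It is NOT Conficker's algorithm; it only reproduces the property the
# thread discusses: a fresh but predictable set of names every day.
TLDS = ["com", "net", "org"]

def daily_domains(day, count=250):
    """Deterministically derive `count` candidate names for one calendar day."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        label = "".join(chr(ord("a") + int(c, 16)) for c in digest[:12])
        names.append(f"{label}.{TLDS[i % len(TLDS)]}")
    return names

def blocklist_for_window(start, days):
    """Every name a defender must pre-register, sinkhole or block to cover
    `days` consecutive trigger dates starting at `start`."""
    names = set()
    for offset in range(days):
        names.update(daily_domains(start + timedelta(days=offset)))
    return names

def window_size(days, start=date(2009, 4, 1)):
    """How many distinct names the watch list grows to over `days` days."""
    return len(blocklist_for_window(start, days))

def suspicious_queries(log_lines, blocklist):
    """(client, qname) pairs from resolver log lines that hit the watch list."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue
        client, qname = parts[1], parts[2].lower().rstrip(".")
        if qname in blocklist:
            hits.append((client, qname))
    return hits

# Constructed resolver log: "<timestamp> <client-ip> <queried-name>"
SAMPLE_LOG = [
    "2009-04-01T00:03:12 10.0.0.7 " + daily_domains(date(2009, 4, 1))[3],
    "2009-04-01T00:03:13 10.0.0.7 www.example.com",
    "2009-04-02T00:04:40 10.0.0.9 " + daily_domains(date(2009, 4, 2))[0],
]

def sample_hits(days=1):
    """Hits in SAMPLE_LOG against a watch list covering `days` days from April 1."""
    return suspicious_queries(SAMPLE_LOG, blocklist_for_window(date(2009, 4, 1), days))
```

A one-day watch list catches only the April 1 query; the April 2 client is missed until the window is extended, which is why the list has to be precomputed ahead of every trigger date rather than reacting to the first one.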
Why are we discussing Windows/Linux/OS X preference at all?
If you want a system that's not vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red, you need look no farther than "anything that's not Windows".
Help stamp out iliturcy.