Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
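The summary says nmap ships the check but not what to do with the result on a few hundred hosts. The following is an added example, not code from the post or from Werner and Leder's scanner: it triages the XML report of the nmap check the way the nmap announcement of the time described running it (`nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 -oX conficker.xml 192.168.0.0/24`). It assumes the hostscript output carries a "Conficker: Likely INFECTED", "Conficker: Likely CLEAN" or "Conficker: UNKNOWN" line; the sample XML is constructed. Hosts that were up but produced no verdict (typically because the Windows firewall swallowed the probe) are kept in their own bucket rather than being counted as clean.

```python
"""Triage an nmap XML report for the Conficker hostscript verdict.

Added example; not from the Slashdot post or the Honeynet scanner.
Assumes the scan was produced with nmap's smb-check-vulns script
(safe=1) and -oX, and that the verdict appears in the hostscript output.
"""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

VERDICT_RE = re.compile(r"Conficker:\s*(Likely INFECTED|Likely CLEAN|UNKNOWN)")

# Constructed sample report: one infected host, one clean host, one where the
# check errored, one that answered nothing on 445, and one that was down.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -PN -p139,445 --script=smb-check-vulns --script-args safe=1 -oX - 192.168.0.0/29">
<host><status state="up" reason="user-set"/>
<address addr="192.168.0.2" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="open" reason="syn-ack"/></port></ports>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: CHECK DISABLED (remove safe=1 argument to run)&#xa;Conficker: Likely INFECTED&#xa;"/></hostscript>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.168.0.3" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;MS08-067: CHECK DISABLED (remove safe=1 argument to run)&#xa;Conficker: Likely CLEAN&#xa;"/></hostscript>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.168.0.4" addrtype="ipv4"/>
<hostscript><script id="smb-check-vulns" output="&#xa;Conficker: UNKNOWN; got error SMB: Failed to receive bytes&#xa;"/></hostscript>
</host>
<host><status state="up" reason="user-set"/>
<address addr="192.168.0.5" addrtype="ipv4"/>
<ports><port protocol="tcp" portid="445"><state state="filtered" reason="no-response"/></port></ports>
</host>
<host><status state="down" reason="no-response"/>
<address addr="192.168.0.6" addrtype="ipv4"/>
</host>
</nmaprun>
"""


def triage(xml_text: str) -> dict:
    """Return {verdict: [ip, ...]} for every host that was up.

    Verdicts are the script's own words; hosts with no verdict line at all
    go under 'NO RESPONSE' so a firewalled infected box is not reported
    as clean by omission.
    """
    root = ET.fromstring(xml_text)
    buckets = defaultdict(list)
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue                      # down hosts were never probed
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        verdict = "NO RESPONSE"
        for script in host.iter("script"):
            if script.get("id") != "smb-check-vulns":
                continue
            m = VERDICT_RE.search(script.get("output", ""))
            if m:
                verdict = m.group(1)
                break
        buckets[verdict].append(addr_el.get("addr"))
    return dict(buckets)


if __name__ == "__main__":
    for verdict, hosts in sorted(triage(SAMPLE_XML).items()):
        print(f"{verdict:16s} {len(hosts):4d}  {' '.join(hosts)}")
```

Feed the real report in place of SAMPLE_XML; the "NO RESPONSE" and "UNKNOWN" buckets are the ones to chase by hand, since a remote check can only vouch for hosts that actually answered the probe.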
Wow. So this:
IT tech: Do you know if your workstation has a virus?
User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.
I hate printers.
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
It's supposed to be completely automatic, but actually you have to press this button.
Hi, I'm the author of Conficker and the payload is to get a first post on slashdot. Get ready assholes.
While I agree that caring about the poor widdle windows users is a boring hobby, there are reasons for it.
First, most of the "what will conficker do?" possibilities have the distinct potential to be unpleasant for everybody. We are almost definitely looking at extra spam, or worse.
Second, and ultimately more important, is the fact that Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions. That is Bad.
Sure, actually caring about the newbs, as they do the same stupid things over and over, gets really old really fast; but, when they visit the internet, I want them to have a good time because we are well past the point where they will just leave if they don't like it. They'll vote for a bunch of police powers and be back. Nobody wants that.
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April Fool.
"You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both English and Norwegian.
to genuinely care about the hype surrounding this worm when no one knows what it's destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.
A few things:
1. If you have 1 million+ infected hosts, and all the bandwidth that these hosts have access to, and can use these resources to do whatever you please, you pose a serious threat to many groups with a presence on the internet and an interest in its wellbeing. Do I really need to spell it out to you why it's important to care?
2. No, the problem in this case stems from people not patching their systems when security updates are made available. Microsoft made the patch available _LONG_ before Conficker was even a problem. Microsoft released the patch on 15th October 2008. What does this tell you? It means that effectively 99%+ of infected machines are infected because they weren't patched, either due to ignorance, sloth, or a combination of.
If I never patched my Linux/BSD servers when security flaws were discovered, they'd be rooted pretty fast too. Fortunately, most of the OSS community knows that security patches are important and need to be applied, not ignored. Elements of the Windows world don't share this culture, and it needs to change, so that worms like Conficker aren't able to thrive.
I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.
You mean like patching the flaw MONTHS before Conficker was released?
What having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...
Oh wait...
In fact, having double checked my information, the security patch that fixes the vulnerability that Conficker exploits was released prior to the creation and subsequent distribution of Conficker.
So, every single computer out there with a Conficker infection due to the exploit infection route could have been secured if patched. I would bet that would make for a gigantic reduction in the size of the Conficker botnet.
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
Not really... we can be reasonably sure that Conficker is designed to do what the previous five generations of worms did, only more effectively: provide nodes of a botnet for hire, so criminals can send spam, threaten DDOS attacks etc. It's annoying, but the internet lives on. Why would the purpose suddenly become radically different just because the implementation has been improved?
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April Fool.
Oh please let that "someone" stand up in the cube next to me. I could use some of that MS reward money right about now...
Oh, and it's gonna be kind of hard to get rich from interviews while occupying a cell in Gitmo. No, I doubt I'm overreacting here, in this day and age, this is an "act of terrorism".
Hi, I'm the author of Conficker and the payload is to get a first post on slashdot.
That's it? You wrote a worm to get a first post on Slashdot? Damn. How lame are you?
We figured this out on Friday, and got code put together for Monday.
And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.
So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....
Very crappy post, editors!
Hook, line and sinker. That's what trolls are for.
No actually, the fact that the supposed cure for the disease, or rather remote diagnostic, takes advantage of the fact that Windows by default lets such probes detect _anything_.
Haven't you ever played Uplink? It is in the nature of virus creators to attempt to destroy the Internet.
The most common infection vector is because people run executables from untrusted sources. And now Tillmann and Felix expect us to download a scanner and run it on our systems ?
Next time someone recommends GTA for driving schools ....
If this is the aim, why would it make sense for the worm to have a grand activation date, rather than just increasing the size of the botnet as fast as it can? Time is money, and if there are as many infected machines as it's thought there are, then this is just wasted opportunity since it was released into the wild.
Genuine question. Maybe in its inactive state it makes it harder to trace and shutdown? But if not, it seems that if the purpose is a botnet it would be better to have it working as such from the get go.
You took that seriously. How lame are you?
If this were really happening, what would you think?
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172
http://yro.slashdot.org/article.pl?sid=08/01/03/2056223
So if you use nmap to clean your network, you may be open to criminal charges.
Because it was created for E V I L ?
I think it's going to cause all computers to turn into a small thermonuclear bomb (that's what computers are made of, plutonium and Selenium!) and destroy the planet in the name of some stupid reason.
WE ARE ALL GOING TO DIE!!!! PLEASE START PANICKING NOW!
I'm already looting the vending machines in the lunch room and built a bunker near them with boxes of last years TPS reports, the recycling buckets make good helmets.
And they all said I over-react. Who's the fool now!
What always confuses me about these things is how this many computers end up unpatched. Automatic updating regularly is the default behavior of Windows, isn't it? So the users must be turning it off. Why? Who knows how to stop security patches from installing who doesn't also know why not to? Are all of these Conficker infectees business computers whose network admins turned the security updates off?
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Sir, if everyone followed your paranoid, alarmist thinking, then we'd all be afraid of Microsoft Windows itself.
Oh wait...
McAfee Stinger for Conficker located at: http://vil.nai.com/vil/averttools.aspx
You could tell all people to try and open this web page: http://www.clamav.net/ or ping it (also many other security sites; see the list here: http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention). If they can't, then Conficker.C is probably blocking them. I'm not sure this would work for cached domains, though.
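Automating the "can you reach the AV sites?" test from the comment above, as an added example that is not part of the thread or of the SRI report. Two things worth making explicit: the filter is a hook inside the infected host's own processes, so unlike Kaminsky's remote probe this has to run on the suspect machine; and a corporate proxy or DNS filter can fail these names too, so control names that carry none of the filtered substrings are resolved alongside them. The substring list is an assumed, partial subset of what the SRI addendum documents (vil.nai.com from the McAfee comment is assumed to match "nai."); the resolver is injectable so the classifier can be exercised offline.

```python
"""Local check for Conficker.C-style DNS filtering.

Added example; not code from the thread or from SRI.  Run on the
suspect host.  BLOCKED_SUBSTRINGS is an assumed partial list.
"""
import socket
from typing import Callable, Dict, Tuple

# Assumed (partial) substrings that Conficker.C refuses to resolve.
BLOCKED_SUBSTRINGS = ("microsoft", "symantec", "mcafee", "kaspersky",
                      "f-secure", "clamav", "sophos", "nai.", "avg.")

# Names we expect an infected host to fail on.
PROBE_NAMES = ("www.microsoft.com", "www.symantec.com", "www.mcafee.com",
               "www.kaspersky.com", "www.f-secure.com", "www.clamav.net",
               "vil.nai.com")
# Control names with none of the substrings; these should always resolve.
CONTROL_NAMES = ("www.example.com", "www.wikipedia.org")


def looks_filtered(name: str) -> bool:
    """True if the name contains one of the (assumed) filtered substrings."""
    n = name.lower()
    return any(s in n for s in BLOCKED_SUBSTRINGS)


def dns_resolves(name: str) -> bool:
    """Real resolver: does the local stack return any address for name?"""
    try:
        socket.gethostbyname(name)
        return True
    except (socket.gaierror, socket.herror, OSError):
        return False


def classify(results: Dict[str, bool]) -> str:
    """Turn {name: resolved?} into a verdict.

    FILTERED : every vendor name failed while every control resolved,
               which is the Conficker.C pattern.
    NO DNS   : controls failed too; the host is offline or DNS is broken.
    CLEAN    : all vendor names resolved.
    PARTIAL  : some vendor names failed; look for a proxy or DNS filter.
    """
    probes = [ok for n, ok in results.items() if looks_filtered(n)]
    controls = [ok for n, ok in results.items() if not looks_filtered(n)]
    if not probes or not controls:
        raise ValueError("need at least one probe and one control name")
    if not any(controls):
        return "NO DNS"
    if not any(probes):
        return "FILTERED"
    if all(probes):
        return "CLEAN"
    return "PARTIAL"


def run_check(resolver: Callable[[str], bool] = dns_resolves
              ) -> Tuple[str, Dict[str, bool]]:
    """Resolve every probe and control name with `resolver` and classify."""
    results = {n: resolver(n) for n in PROBE_NAMES + CONTROL_NAMES}
    return classify(results), results


if __name__ == "__main__":
    verdict, detail = run_check()
    for name, ok in detail.items():
        print(f"{'ok  ' if ok else 'FAIL'} {name}")
    print("verdict:", verdict)
```

A FILTERED verdict on a host that can otherwise browse is strong evidence, but confirm it with the remote scanner or an offline scan rather than trusting anything the suspect host's own software reports.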
The following comment might be potentially stupid, but why not just move the computer clock forward to April 1st and see what Conficker does? If it uses an internet time server to verify the date, then just have the DNS for the internet time server point to an internal time server. No?
I'll be honest, while normally the first post thing is pretty lame, writing a badass virus to do it would strike me as pretty cool and delightfully overkill.
Actually, it's just a conspiracy from all of us security-types. We haven't had a good global-scale emergency in a while and were getting a bit bored.
There really is no a conficker. In fact, the name itself is an anagram for "Dan Kaminsky pwns joo"
(Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.
Why isn't this the standard method for /all/ virus scanning? Remote scans are the only method which has ever seemed sane to me.. why would you run software to detect if the software you're running has been compromised? That's why I don't run virus scanners: it's pointless.
Give me a program that I can run on a "known good" system (for example, a system which boots off write-once media) and which monitors the local network for suspicious activity. I'll run that one.
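A passive monitor of the kind the comment above asks for, as an added example that is not code from the thread. Conficker propagates by exploiting MS08-067 over SMB, so an infected box connects to TCP/445 on many neighbours in quick succession; a known-good host on a tap or span port can spot that fan-out without touching the suspect machine. The input format (timestamp, src, dst, dport, proto) and the log lines are constructed for the example; the window and threshold are tuning choices, not numbers from the thread.

```python
"""Passive TCP/445 fan-out detector for a known-good monitoring host.

Added example; not from the thread.  Input: whitespace-separated
connection records "ts src dst dport proto" from a tap or sensor.
"""
from collections import defaultdict, deque

WINDOW_SECONDS = 60        # tuning choice
FANOUT_THRESHOLD = 10      # distinct 445 peers within the window
WATCHED_PORT = 445

# Constructed connection log.  A worm-like host (.20) touches 15 peers on
# 445 in 30 s; a normal workstation (.7) hammers one file server on 445 and
# 80; an admin sweep (.9) reaches 12 peers on 445 but only one every two
# minutes.  Records are grouped by source, which the detector does not need.
SAMPLE_LOG = (
    [f"{1000 + 2 * i} 192.168.0.20 192.168.0.{i} 445 tcp" for i in range(1, 16)]
    + [f"{1000 + 3 * i} 192.168.0.7 192.168.0.5 445 tcp" for i in range(40)]
    + [f"{1005 + 3 * i} 192.168.0.7 192.168.0.5 80 tcp" for i in range(40)]
    + [f"{1000 + 120 * i} 192.168.0.9 192.168.0.{30 + i} 445 tcp" for i in range(12)]
)


def parse_line(line: str):
    """Split one record into (ts, src, dst, dport, proto)."""
    ts, src, dst, dport, proto = line.split()
    return float(ts), src, dst, int(dport), proto.lower()


def detect_fanout(lines, window=WINDOW_SECONDS, threshold=FANOUT_THRESHOLD):
    """Return {src: ts_first_flagged} for sources that reached at least
    `threshold` distinct hosts on TCP/445 within any `window` seconds.

    Repeated connections to the same peer (a busy file-server client) do
    not count; only the number of distinct destinations does.
    """
    recent = defaultdict(deque)          # src -> deque of (ts, dst) in window
    flagged = {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = parse_line(line)
        if proto != "tcp" or dport != WATCHED_PORT:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:   # expire records outside window
            q.popleft()
        if src not in flagged and len({d for _, d in q}) >= threshold:
            flagged[src] = ts
    return flagged


if __name__ == "__main__":
    for src, ts in detect_fanout(SAMPLE_LOG).items():
        print(f"{src} reached {FANOUT_THRESHOLD}+ hosts on 445 by t={ts:.0f}")
```

Records for a given source must arrive in time order for the window to mean anything; sort the log by timestamp first if the sensor does not guarantee that. A hit here is a lead for the remote check or an offline scan of that one host, not a verdict on its own, since legitimate inventory or backup tools also sweep 445.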
delightfully overkill
By "delightfully overkill" do you mean something like installing a fully-populated IBM Z10 Enterprise Class E64 for reading e-mail, surfing the web and playing a game or two of solitaire?
There is no 'grand activation date'. April 1st *or later*, when it updates itself, it's more likely to upgrade to Conficker D than do anything else.
It's just not in the author's interest to do any damage - whilst people don't know they are infected they can participate in the botnet. If the virus makes itself obvious then all that potential revenue is destroyed.
The f-secure blog puts it best: http://www.f-secure.com/weblog/archives/00001636.html
It is not necessarily a grand activation date.
It is just one of the (many) predefined dates where the worm switches auto-update mechanism.
It has a current auto-update mechanism, so a new payload could be handed out anyway, whether or not the April 1st code exists or not.
I was thinking more like using 1000lb of thermite to cut an SUV in half, but you get the idea.
Pirated versions of Windows end up with automatic updating turned off as a way of getting around Microsoft's Genuine Advantage validation tests.
Only the non-pirated ones.
That happens - There's a class of admin who won't apply MS updates unless they think it affects them directly, and sometimes not even then. They are the people who've gone beyond healthy paranoia (don't change what's working) to stupidity (don't apply critical security updates because they might break stuff).
There's also dumb firewalls/proxies that won't let the updates through.
There's no excuse for a business to be infected with Conficker... if it happened here half the IT would find themselves on the street. Home users you can excuse somewhat... they don't know how to look after their machines and may switch off updates for some reason, e.g. they don't want to pay for the bandwidth.
Kind of the ultimate hack, no?
Use some n00b's computer to do your bidding and get first post on a geek tech board that said n00b doesn't even know exists, forget about has ever visited.
Yeah.....that's pretty cool.
Because most viruses do not change the network behaviour of a host. Because most viruses are not visible from outside a host. Because this is a very rare case of a worm that actually changes the fingerprint of a host.
Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions.
It also doesn't help that all the mainstream media coverage of this has called it a "computer worm/virus" (no mention of the target software), and the people they interview are more interested in fear mongering than giving any security advice at all.
I have no mod points, but the links in the actual story have zero information on actually running a scan. I'm scanning my office network right now solely because of this comment.
I'd say as a rough guess, that 75% of viruses/trojans/malware nowadays turn off Windows Update as part of the infection process.
Somebody gets one of these fake Facebook spams, goes to the site in question to see Amanda Whatserface doing her striptease on stage, downloads Adobe_Player11.exe, so they can see the video, and bam. They're infected.
And before you bitch about them not having up to date antivirus.....I sent this file to virustotal.com a couple of days after I first got one of these spams, and it was detected as a known virus by a grand total of zero scanners.
Two flagged it as a suspicious file, and the rest (37 or so) let it sail on through.
Somebody gets hit with one of these things, and they'll have no A/V, no Auto Updates, and probably no firewall. They won't know it, because they'll also have no Security Center Service.
Or there's the possibility that they got infected, took their machine to a big-box moron to get it fixed, and the idiot in question cleaned the virus, but didn't enable all the disabled services. So again, no firewall, no Auto Updates.
It's not all because they're turned off intentionally.
When you've gone to make some coffee and you come back to the message "An important update required a restart of your computer." the first question you ask is "Where did my work go?" The second question is "How do I stop that happening again?"
I thought it was funny, one of the newscasters on 60 minutes said she just got "owned". It's funny since this is the same show Andy "I'm out of touch with reality" Rooney is on.
In mainstream media coverage, calling something a "computer virus" is equivalent to mentioning the target software. At that technical level, there are "computers" there are "macs" and there might be, ever so occasionally, a story about the strange and incomprehensible world of "linux".
Or you could go and manually download the updates. It's not that hard, really. Sure, you can't get all the updates, but any of the critical ones can be downloaded and installed manually. Really, to be honest, it isn't MS's responsibility to ensure that your illegal software works and is secure, that is your problem. MS isn't really fucking anyone over by not offering updates to pirate copies, you never paid them, so they don't give you anything. Nothing in life is free, there is always a cost of some kind. You buy a legit copy, you get updates and support; you download an illegal copy, it's your own problem.
Really all those people with illegal copies should just smarten up. If you are smart enough to download and install an illegal copy of windows, you should be smart enough to manually download the updates that are critical off of the MS website without using the windows update site. People with this attitude are really frustrating because all that they do is further perpetuate the problem. In this case, all any illegal user has to do is go to http://support.microsoft.com/ and type MS08-067. Not hard, don't need to be a genius to do it, nor do you need any "L33t hax" or 3rd party groups providing it.
All that will be left is a box in Madagascar with its ports closed.
I was thinking about a RAID array of 1980's calculator wrist watches.
They won't know it, because they'll also have no Security Center Service.
So what you are saying is that these virii actually improve windows?
Until researchers "do something useful"? You mean like, uh, release information to antivirus software developers who in turn release tools to detect and remove the virus? Oh, wait, they already did that. What else do you expect the researchers to do? Personally go door to door, offer to come in and check your system for you? If a million people are still infected because they're too stupid to take advantage of any of the tools that (thanks to the researchers) are available to help them, there's not much else the researchers can do about that. They may be smart, but they're not magical.
seriously ? it is named "Malicious Software Removal Tool" ? so we could call it... "ms removal tool".
that's the best name of software coming from microsoft in a long time.
Rich
there are people who complain that any update they install slows down their box, so they turn off autoupdate and just reinstall when the malware starts bogging their OS. these are mostly the guys who think they know computers because they can fiddle with the control panel but know nothing about how software really works. they just assert th
FWIW:
This works great on machines that don't have windows firewall active. If windows firewall is active, you get a "no response" from the script.
Now that the authors of Conficker know that their infected systems have a different signature on the network, what's to stop them from just plugging that particular hole and picking a new date?
Cinco de Mayo anybody?
Ah come on, it would be funny. I'd do it if I could be bothered getting the necessary expertise.
... and then come april 1st, nothing happens except several million people have the words "HA HA" overlaid on their display for the duration of the day.
Getting the media in an uproar, keeping so many IT guys edgy
"You must be logged on as a member of the Administrators group to run the tool."
A "user" can't run the MRT or apply automatic updates, you have to log in as an "administrator." If you regularly log in as a "user" you won't even be notified by Windows that there are updates available! This is why just about everyone who uses Windows logs in as administrator all the time. I think THAT is one of the most important security holes.
I think the purpose of this virus is to try to take over the world.
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
As long as you give the user freedom to install and run what he wants, you cannot possibly prevent him from running/installing malicious code which can take over as many functions as the user himself has (i.e., if he can send email, so can the code, etc.)
It's quite elementary, really: Windows Update sucks. Okay, that probably needs an explanation.
Would you rather:
a) Run Windows Update so Microsoft has backdoor access to update/patch/install software at random, as well as auditing your system for "compliance" and sending you a legal nastygram if you are caught running a "pirate" copy of Windows? Note: The detection algorithm for "Windows Genuine Authentication" has passed numerous false negatives and disabled people's computers before who purchased legitimate copies, -or-
b) Not update, download a software firewall, run a bunch of anti-malware scanners, and use Firefox, -or-
c) Do nothing, because "there's nothing important on my computer anyway."
Microsoft went through a lot of effort to make sure there were tons of unpatched systems out there when they started throwing up "windows genuine" everywhere, and having the average user jump through so many hoops. Then there's the two hour process of installing Service Pack 3. Who wants to waste two hours on a ginormous OS update when they can play WoW some more? And god help you if one of a thousand failure conditions crops up and it dies, telling you to reinstall the entire OS. The average Windows user is caught between knowing their systems are vulnerable and playing a rat race that requires knowledge and process they don't understand to keep their systems secure.
Big surprise when they choose the devil they know.
WGA: if it wasn't for that then perhaps more people would be patched and up to date.
It would be remarkably funny if these infected machines turned on Microsoft's websites, and perhaps a lesson learned for Microsoft.
Although I understand patching Microsoft's unpaid user base might not sit well with Microsoft, by not doing so they put their paying customers at risk.
Really, to be honest, it isn't MS's responsibility to ensure that your illegal software works and is secure, that is your problem. MS isn't really fucking anyone over by not offering updates to pirate copies, you never paid them, so they don't give you anything.
Ho hum. The point is that everybody, including all MS's *paying* customers, suffer from the effects of the illegal installs not being patched - these PCs will be spambots (affects everybody) or launching DDos attacks (affects the attacked site and its customers even if *they* are all legal and patched). The owners of the infected machines may not even notice they are affected so they may suffer *less* than some of the legal/patched machine owners.
You do realise that this is completely wrong?
Microsoft distributes security updates to _ALL_ editions of Windows that are currently maintained irrespective of the legality of the license. However, if you are not running a legal license, you can only receive updates through Automatic Updates, limited purely to security updates. Use of Windows/Microsoft Update and/or the downloading of non-security updates requires a valid license. The reasoning for this is to prevent exactly what you accuse Microsoft of not doing, reducing the risk of large viral/worm outbreaks and the impact of such outbreaks on Windows users, particularly those with legal licenses. Even if you completely fail WGA validation, you still will receive security updates through Automatic Updates.
Ideally, I'd prefer MS to permit security updates through the WU/MU frontend even if an invalid license is detected. I'm not sure what error message is displayed and if it prompts for Automatic Updates to be enabled or informs the user that they can still receive security updates through AU. However, the point remains that MS still permits a legal avenue of obtaining such updates, despite running an invalid license, at THEIR cost of distributing such updates.
There is no excuse for not being patched.
This is much like the "linux uses a command line, so it's better. I don't care if you don't want to learn arcane syntax".
Windows is hard to configure correctly. If you don't know the magic registry line, or which utility buried in the system folders to use, there's no way in hell you can make the fine-grained adjustment not to automatically restart. On the other hand, turning off system updates entirely is easy. I'd count the clicks if I had a windows box available, but I guarantee it's not that many.
If I never patched my Linux/BSD servers when security flaws were discovered, they'd be rooted pretty fast too.
But with many (most?) Linux/BSD distributions, once installed you only get security patches; with Windows, if you want a secure box you also get hit with whatever usability changes/bugfixes they choose to push through the update channels. Additionally, all distros I use take special care to not mess up your configuration files without warning you first; I don't think Windows does you that courtesy either.
I think the purpose of this virus is to try to take over the world.
No problem then - Pinky will find some way to screw it up
That was supposed to be "Thoughts from England"
On the other hand, turning off system updates entirely is easy.
Yes, you go to Control Panel, Automatic Updates and click "Turn off Automatic Updates". Alternatively, you could click "Download updates for me, but let me choose when to install them", which is on the same dialog.
This is not a UI discovery problem.
Obviously it will be run by PENGUINS!
Well, it'll remove the nag screens, which could be considered an improvement.
But I'm not sure the method is the best way to go about that....
Interesting. The site is legit, but.... you would think McAfee would provide these links from a page on their main mcafee.com domain, instead of vil.nai.com (although whois confirms that McAfee does indeed own this domain).
Also, I find it disturbing that McAfee doesn't provide an SSL certificate for this page to confirm the site's identity. Seems to me that this page would be a high-profile target for hijacking, especially considering that most people will blindly download and run the executables that it contains.
Very very true, and a good point. The thing is though, even the illegal users can take the time to get these critical updates and install them rather easily (and that is my point). Sloth and ignorance isn't an excuse. The only illegal users that I really do feel bad for are the ones that have the illegal copies because someone else installed it for them. They, on average, do not know how a computer works, and are being made vulnerable by the people who installed the software (that young whippersnapper grandson that is oh so handy with the computer... you know the one, usually they are more dangerous than knowledgeable). It's the people who are out there installing XP illegally, disabling updates, not maintaining their systems that make this potential issue so bad. Not MS (wow, I never thought I would be saying that). MS put the fix out there, anyone can download it without need of passing WGA certification, so even all the kiddies with their hacked XP install could be protected. Hell, there are even WGA and activation cracks out there for XP that allow Windows updates to get through, so if they are going to take the time to pirate, why not do it right??
Personally, with whatever comes down the pipe on this one, be it a DDOS, SPAM, etc.... for once, I wont blame MS.. I'll blame the people with unpatched (And easily patchable) illegal installs for not taking the time to manually download the update, simply shrugging the shoulders and saying, "If I get something, I'll wipe" is an apathetic and lazy approach.
"Thanks Dan! We'll be sure to patch this problem in the next Conficker update."
They'll vote for a bunch of police powers and be back.
The sad irony here is that all the "policy decisions" and "police powers" on the planet aren't going to stop something like this from happening. It's the very fact that we have a global interconnected network of general-purpose computers that facilitates this phenomenon, and trying to stay ahead of the bad guys is a perpetual, daunting, and impossible game; the only way to 100% ensure that any given computer is completely safe from infection is to completely disconnect it from everything else and never ever connect any mass storage devices or media that doesn't come from 100% trusted sources (which is almost nothing).
Don't admin Windows much, do you? You're right, you can't MANUALLY run updates, but the auto updates sure as hell get applied! Wait... checking any of my 150 Windows boxes running as user full time... yep! Sure do!
You are probably 100% right that you can still get security updates through AU, but it appears that there are a lot of PCs with automatic updates turned off or there wouldn't be such a large problem.
Joe User, legal or not, doesn't want some automated process going through his details, after all it could get him in trouble.
The reality of the policy doesn't matter since WGA started; it's the perception that's kept a lot of people away from Windows updates.
Even people with genuine licensed windows quite often have genuine not legal copies of office and although windows is legal for them they still won't touch the microsoft website in case they detect the illegal install of office.
Has activation and license verification done anything effective to reduce the number of pirated installs?
Blarney Quality Restaurant, Plants
Sure! It goes like this (excerpts from the Cygwin FAQ):
... and ...
;-)
The Cygwin Setup program will prompt you for a "root" directory. The default is C:\cygwin, but you can change it. [Emphasis added]
In the past, there had been genuine bugs that would cause problems for people who installed in C:\, but we believe those are gone now.
So as you can see, it would have gone fine for me if I was foolish enough to use Windows in the first place
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Well whether the "grand activation date" is determined by settings in the code or by a hidden author releasing the new payload, the case is the same - it isn't doing anything yet but at some date will be turned on, whatever behaviour "on" turns out to be. So the question remains that if the purpose is something like DOS or spam and the network is already huge, which it is, why are they squandering the useful lifetime of this virus?
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
Exactly. I don't use the internet like I used to. Have the threats out there changed my usage of, and the amount of time I spend on, the internet? You bet. I've got better things to spend time on. My wife just recently downloaded a simple script that deployed SHuer on her PC. Then my PC says "an object is trying to access LSass.dll but has not been granted those rights." Great, spend loads of time to remove the infections, or reinstall Windows and spend loads of time getting it back to the way it was. Time to give Ubuntu another chance?
With Cygwin, / != C:\ ... let me know how it goes.
It works pretty much the same once the rm command works its way down to /cygdrive.
Automatic updates runs as a system service under the local system account so your computer will automatically receive and install automatic updates even if your login has only restricted rights.
Unless you turn on this option in your group policy:
Computer Configuration -> Administrative Templates -> Windows Components -> Windows Update -> Allow non-administrators to receive update notifications.
Set it to enabled and then even your limited users will be able to see that they have updates to install.
for Windows server admins who aren't experienced Python users, I put together this quick overview of steps to use scs on a Windows network. http://bobsfieldnotes.blogspot.com/
Could infection be prevented on a clean machine, by just creating the conficker mutexes when starting a machine, before the virus gets a chance? All you'd need is a small tool that would start as early as possible during boot.
This same tool could also be used as a simple test for infection. If the mutexes are already there, it means the machine is infected.
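The "plant the mutex first" idea above rests on one Win32 detail: CreateMutex on a name that already exists still succeeds, but sets the last error to ERROR_ALREADY_EXISTS, which is exactly how single-instance malware (and legitimate software) notices it is already running. The script below is an added example, not code from the post, the Honeynet tools, or any Conficker analysis; the mutex names in it are hypothetical placeholders, since this page does not give the real ones. It claims each name, reports whether something else already held it, and includes a fake backend so the logic can be exercised (and tested) off Windows.

```python
"""Probe or pre-claim named Win32 mutexes (added example, hypothetical names)."""
import ctypes
import sys

ERROR_ALREADY_EXISTS = 183  # winerror.h
ERROR_ACCESS_DENIED = 5     # object exists but its DACL shuts us out

# Placeholder names only; substitute the names for the variant you care about.
EXAMPLE_MUTEX_NAMES = ["Global\\example-mutex-1", "Global\\example-mutex-2"]


class Win32MutexBackend:
    """Real backend: wraps kernel32!CreateMutexW via ctypes (Windows only)."""

    def __init__(self):
        self.k32 = ctypes.WinDLL("kernel32", use_last_error=True)
        self.k32.CreateMutexW.restype = ctypes.c_void_p
        self.k32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]

    def create(self, name):
        # Returns (handle, last_error). Handle stays open for the process lifetime,
        # which is the point: the claim only holds while this process lives.
        handle = self.k32.CreateMutexW(None, 0, name)
        return handle, ctypes.get_last_error()


class FakeMutexBackend:
    """Stand-in backend so the decision logic runs on non-Windows hosts."""

    def __init__(self, existing=(), denied=()):
        self.existing = set(existing)
        self.denied = set(denied)
        self.next_handle = 0x100

    def create(self, name):
        if name in self.denied:
            return None, ERROR_ACCESS_DENIED
        err = ERROR_ALREADY_EXISTS if name in self.existing else 0
        self.existing.add(name)
        self.next_handle += 4
        return self.next_handle, err


def claim_mutexes(names, backend):
    """Try to create every name; map name -> 'created' | 'exists' | 'error'."""
    outcome = {}
    for name in names:
        handle, err = backend.create(name)
        if handle and err == ERROR_ALREADY_EXISTS:
            outcome[name] = "exists"          # someone else got there first
        elif handle:
            outcome[name] = "created"         # we now hold it
        elif err == ERROR_ACCESS_DENIED:
            outcome[name] = "exists"          # present, but locked down against us
        else:
            outcome[name] = "error"
    return outcome


def looks_clean(outcome):
    """True only if no probed name was already present."""
    return all(v == "created" for v in outcome.values())


if __name__ == "__main__":
    backend = Win32MutexBackend() if sys.platform == "win32" else FakeMutexBackend()
    result = claim_mutexes(EXAMPLE_MUTEX_NAMES, backend)
    for name, state in result.items():
        print(f"{name}: {state}")
    print("clean" if looks_clean(result) else "something already holds a probed mutex")
```

Two caveats the commenter's idea runs into: the claim evaporates when the claiming process exits, so a preventive tool would have to stay resident from early boot, and nothing forces a future variant to keep the same names or to honour the check at all. A hit on a name is evidence worth chasing, not proof, because any program may create a mutex with that name.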
This is not the sig you're looking for.
No, the name 'ms removal tool' was already taken. It can be found on many linux install discs.
Forget the profit, I'm waiting for the ???!
If you don't run your system as a local admin there is very little chance that you can get a virus like Conficker. Removing admin rights from users will prevent 99% of spyware and viruses.
Back in the '60s and '70s, when the current "drug war" was getting its start, some municipalities passed "narcotics paraphernalia" laws banning possession of anything that "could be used" for preparing or consuming controlled substances.
Aluminum foil was used to improvise "pipe screens" by lining a pipe bowl or a hole in a toilet paper roll and poking small holes in it with a pin. So these laws ended up banning aluminum foil. (Don't recall if this eventually got them struck down ...)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Nah, people don't mind having a drive with 80% fragmentation. That's all I've seen on PCs with WGA bitching loudly every 15 minutes. Oh, and you can't log on after some period of time.
Maybe I'm doing it wrong. For me, this tool is not so quick and easy.
The scanner.py is not giving me hits against infected machines. The only way I get hits is to scan using Stinger from safe mode (safe mode is needed to delete the files).
For the record, of my workstations 90% plus were patched. It was a few workstations that were missed plus a weak password on the rest that got us in trouble.
You can search "conficker" on Picasa to see the screenshots of the scanner.py failing to detect anything on an infected machine. Also, there is no firewall running on this PC.
While technology has certainly changed and the consequences have increased due to a company's online presence (or an individual's, for that matter), the hype surrounding Conficker reminds me of the infamous Michelangelo virus doing its deed on March 6. A quick Google search revealed an archived memo sent out at Stanford. I'll paste it here so as not to /. their webservers unnecessarily; how kind of me. lol!
-- Stanford memo 03/01/1993 --
"NEWS RELEASE
03/01/93
CONTACT: Stanford University News Service (415) 723-****
Michelangelo virus due to strike again March 6
STANFORD -- Employees who use an IBM PC, PS/2 or compatible computer should be aware that there is a small chance their computers have been infected with an infamous computer virus.
The "Michelangelo" virus, which is an especially destructive strain, may erase parts of a user's hard drive. This can happen every March 6, which is the famous artist's birthday, according to security officials in the Stanford Data Center.
The computer must be turned on sometime March 6 for the virus to do any damage. Since March 6 falls on a Saturday this year, the risk of any damage is relatively low, according to Bill Bauriedel, the Data Center's security chief.
However, he said, it is simply good practice to run an anti-virus program periodically to check for the presence of one or more viruses. Michelangelo is only one of more than 700 identified viruses that can infect a computer.
"Even though you may not have the Michelangelo virus, your computer may be infected with something else," Bauriedel said. "While probably not as dangerous as Michelangelo, these other viruses should be disinfected as well - once disinfected, they can't spread from your machine to someone else's machine."
Staffers and faculty who have a Forsythe account and use Samson can download an antivirus program called F-PROT. For instructions on how to perform the download, issue these two commands:
USE WYL.GB.SEC.FPROT and PRINT.
Users without a Forsythe account can exchange a blank floppy for the antivirus program either at the consulting office on the second floor of Sweet Hall or at the Information Security Office in Spruce Hall, room F19.
For more information on matters of computer security, contact ******* at 723-****.
930301Arc3381.html"
At the end. Except this is an infinite loop....
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For more details, see the announcement at http://insecure.org.
-Fyodor
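Running that nmap command across a /16 produces a lot of output, and what an administrator actually wants is the list of hosts the script called infected. The parser below is an added example, not nmap's code or Fyodor's; it assumes nmap's normal text output, where each host starts with an "Interesting ports on ..." (older nmap) or "Nmap scan report for ..." (newer nmap) line and smb-check-vulns prints a "Conficker: Likely INFECTED" or "Conficker: Likely CLEAN" verdict in the host script block. That verdict wording is an assumption from the 2009-era script; check it against the version you run. The sample output is constructed, not a real scan.

```python
"""Triage nmap smb-check-vulns output for Conficker verdicts (added example)."""
import re
import sys

# Constructed sample of nmap normal (-oN) output; not real scan data.
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 4.85BETA5 ( http://nmap.org ) at 2009-03-30 09:00 UTC
Interesting ports on 192.168.0.10:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely INFECTED
|_ regsvc DoS: NOT RUN

Interesting ports on fileserver (192.168.0.11):
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
|  smb-check-vulns:
|  MS08-067: NOT RUN
|  Conficker: Likely CLEAN
|_ regsvc DoS: NOT RUN

Interesting ports on 192.168.0.12:
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp closed microsoft-ds

Host script results:
|  smb-check-vulns:
|_ Conficker: UNKNOWN; not Windows, or browser service disabled (CLEAN) or crashed (possibly INFECTED)
"""

# Host header in either nmap style, with or without a hostname before the IP.
HOST_RE = re.compile(
    r"^(?:Interesting ports on|Nmap scan report for)\s+"
    r"(?:\S+\s+\()?(\d{1,3}(?:\.\d{1,3}){3})\)?:?\s*$"
)
# Script line: "|  Conficker: <verdict>" or "|_ Conficker: <verdict>".
CONFICKER_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")


def parse_conficker_results(text):
    """Return {ip: raw verdict string} for every host with a Conficker line."""
    results = {}
    current_ip = None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            current_ip = m.group(1)
            continue
        m = CONFICKER_RE.match(line)
        if m and current_ip:
            results[current_ip] = m.group(1)
    return results


def classify(verdict):
    """Collapse the script's wording to infected / clean / unknown.

    Matching on the exact "Likely ..." prefix matters: the UNKNOWN verdict
    mentions both CLEAN and INFECTED, so a substring search would misfile it.
    """
    v = verdict.strip()
    if v.startswith("Likely INFECTED"):
        return "infected"
    if v.startswith("Likely CLEAN"):
        return "clean"
    return "unknown"


def triage(results):
    """{ip: 'infected' | 'clean' | 'unknown'} for a parsed result set."""
    return {ip: classify(v) for ip, v in results.items()}


def infected_hosts(results):
    """Sorted list of IPs the script called infected; the list to go clean up."""
    return sorted(ip for ip, v in results.items() if classify(v) == "infected")


if __name__ == "__main__":
    # Usage: nmap ... -oN scan.txt; python3 this.py scan.txt (or no arg for the sample).
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NMAP_OUTPUT
    parsed = parse_conficker_results(text)
    for ip, state in sorted(triage(parsed).items()):
        print(f"{ip}\t{state}\t{parsed[ip]}")
    print("unknown hosts still need a manual look, e.g. Stinger in safe mode")
```

The "unknown" bucket is the one not to ignore: a crashed browser service on a Windows box is consistent with infection, and a host that answers on 139 but has 445 closed or filtered gives the script nothing to work with, which is one plausible reason for the "scanner finds nothing on a known-infected machine" reports elsewhere in this thread.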
Well, I have to give him credit for not 'begging the question'.(could not help myself, sorry) ;-)
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
The last comparison/shootout/review of home/personal-use AV software I heard about was touting NOD32 as top dog, with Avast Home and AVG Free as second and third, respectively.*
I do not know if NOD32 has a free-for-personal-use version or not, but both of the others are free for personal use. (Both also have paid-for business versions that are more net capable.)
Have also heard good things about BitDefender.
I have used both Avast and AVG (but not NOD32), and use one of the two on the rare occasion I work on friends' or family's computers. They both have worked well for all.
*This was about a year to a year and a half ago. Find a reputable writeup (AnandTech, Tom's Hardware, etc.) for more current info and check them out.
Update: A quick Google check shows BitDefender to be in the top three ranking wherever I check, and NOD32 stays in the top six, with both of the others being in the top ten. BitDefender and NOD32 have free trials, but will set you back $25-40 USD to keep after the trial; AVG and Avast both still have free home versions.
I was under the impression that AU could raise the privileges of a Non-Admin user? I noticed the option on the N-lite install I was playing with last night.
# cat
Damn, my RAM is full of cats. MEOW!!
Set the date forward to April 1st and see what happens with an infected machine with a packet sniffer? If it goes out to the net to check remote time servers packet sniff to see where its looking and forge answers?
Actually, the number of clicks to disable automatic updates is the same as the number required to configure it to ask for permission before installing them.
But I do agree that it is hard to configure some stuff in Windows, compared to Linux where everything is in an obscure .conf file somewhere...~
Most human behaviour can be explained in terms of identity.
Does your ISP have a role to play here?