Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Wow. So this:
IT tech: Do you know if your workstation has a virus?
User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.
I hate printers.
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
It's supposed to be completely automatic, but actually you have to press this button.
Hi, I'm the author of Conficker and the payload is to get a first post on slashdot. Get ready assholes.
While I agree that caring about the poor widdle windows users is a boring hobby, there are reasons for it.
First, most of the "what will conficker do?" possibilities have the distinct potential to be unpleasant for everybody. We are almost definitely looking at extra spam, or worse.
Second, and ultimately more important, is the fact that Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions. That is Bad.
Sure, actually caring about the newbs, as they do the same stupid things over and over, gets really old really fast; but, when they visit the internet, I want them to have a good time because we are well past the point where they will just leave if they don't like it. They'll vote for a bunch of police powers and be back. Nobody wants that.
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April fool.
"You can literally ask a server if it's infected with Conficker, and it will give you an honest answer." I asked and got no answer? Is there a specific language? I tried both English and Norwegian.
to genuinely care about the hype surrounding this worm when no one knows what it's destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.
A few things:
1. If you have 1 million+ infected hosts, and all the bandwidth that these hosts have access to, and can use these resources to do whatever you please, you pose a serious threat to many groups with a presence on the internet and an interest in its wellbeing. Do I really need to spell it out to you why it's important to care?
2. No, the problem in this case stems from people not patching their systems when security updates are made available. Microsoft made the patch available _LONG_ before Conficker was even a problem. Microsoft released the patch on 15th October 2008. What does this tell you? It means that effectively 99%+ of infected machines are infected because they weren't patched, either due to ignorance, sloth, or a combination of the two.
If I never patched my Linux/BSD servers when security flaws were discovered, they'd be rooted pretty fast too. Fortunately, most of the OSS community knows that security patches are important and need to be applied, not ignored. Elements of the Windows world don't share this culture, and it needs to change, so that worms like Conficker aren't able to thrive.
I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.
You mean like patching the flaw MONTHS before Conficker was released?
What about having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done, which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...
Oh wait...
I only please one person per day. Today is not your day. Tomorrow isn't looking good either. - Scott Adams
In fact, having double checked my information, the security patch that fixes the vulnerability that Conficker exploits was released prior to the creation and subsequent distribution of Conficker.
So, every single computer out there with a Conficker infection due to the exploit infection route could have been secured if patched. I would bet that would make for a gigantic reduction in the size of the Conficker botnet.
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
Not really... we can be reasonably sure that Conficker is designed to do what the previous five generations of worms did, only more effectively: provide nodes of a botnet for hire, so criminals can send spam, threaten DDOS attacks etc. It's annoying, but the internet lives on. Why would the purpose suddenly become radically different just because the implementation has been improved?
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made Conficker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped April fool.
Oh please let that "someone" stand up in the cube next to me. I could use some of that MS reward money right about now...
Oh, and it's gonna be kind of hard to get rich from interviews while occupying a cell in Gitmo. No, I doubt I'm overreacting here, in this day and age, this is an "act of terrorism".
Hi, I'm the author of Conficker and the payload is to get a first post on slashdot.
That's it? You wrote a worm to get a first post on Slashdot? Damn. How lame are you?
My blog
We figured this out on Friday, and got code put together for Monday.
And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.
You can advertise in this sig from as little as £99.99 a month!
So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....
Very crappy post, editors!
My Babylon
Haven't you ever played Uplink? It is in the nature of virus creators to attempt to destroy the Internet.
If this is the aim, why would it make sense for the worm to have a grand activation date, rather than just increasing the size of the botnet as fast as it can? Time is money, and if there are as many infected machines as it's thought there are, then this is just wasted opportunity since it was released into the wild.
Genuine question. Maybe in its inactive state it makes it harder to trace and shut down? But if not, it seems that if the purpose is a botnet it would be better to have it working as such from the get-go.
Aide-toi, le Ciel t'aidera - Jeanne D'Arc.
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172
http://yro.slashdot.org/article.pl?sid=08/01/03/2056223
So if you use nmap to clean your network, you may be open to criminal charges.
Those who can make you believe absurdities can make you commit atrocities. - Voltaire
Because it was created for E V I L ?
I think it's going to cause all computers to turn into a small thermonuclear bomb (that's what computers are made of, plutonium and Selenium!) and destroy the planet in the name of some stupid reason.
WE ARE ALL GOING TO DIE!!!! PLEASE START PANICKING NOW!
I'm already looting the vending machines in the lunch room and built a bunker near them with boxes of last year's TPS reports; the recycling buckets make good helmets.
And they all said I over-react. Who's the fool now!
Do not look at laser with remaining good eye.
What always confuses me about these things is how this many computers end up unpatched. Automatic updating regularly is the default behavior of Windows, isn't it? So the users must be turning it off. Why? Who knows how to stop security patches from installing who doesn't also know why not to? Are all of these Conficker infectees business computers whose network admins turned the security updates off?
You took that seriously. How lame are you?
You took that seriously. How lame are you?
You took my post seriously, so how lame am I?
Guess my punchline wasn't snappy enough... :(
My blog
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Sir, if everyone followed your paranoid, alarmist thinking, then we'd all be afraid of Microsoft Windows itself.
Oh wait...
Rich And Stupid is not so bad as Working For Rich And Stupid.
McAfee Stinger for Conficker located at: http://vil.nai.com/vil/averttools.aspx
You could tell all people to try and open this web page: http://www.clamav.net/ or ping it. (Also many other security sites; see the list here: http://mtc.sri.com/Conficker/addendumC/index.html#dns-prevention ) If they can't, then Conficker.C is probably blocking them. I'm not sure this would work for cached domains, though.
I'll be honest, while normally the first post thing is pretty lame, writing a badass virus to do it would strike me as pretty cool and delightfully overkill.
"The cup is in turn designed for holding hot or cold liquids, and has an open rim and closed base." --US Patent #5425497
(Hat tip to an AC comment at El Reg). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot works well and is easier to install.
Never email donotemail@WeAreSpammers.com
There is no 'grand activation date'. April 1st *or later* when it updates itself... it's more likely to upgrade to Conficker D than do anything else.
It's just not in the authors' interest to do any damage - whilst people don't know they are infected they can participate in the botnet. If the virus makes itself obvious then all that potential revenue is destroyed.
The f-secure blog puts it best: http://www.f-secure.com/weblog/archives/00001636.html
For the same reason that a bomb technician doesn't reset the timer to zero just to see what the bomb does. Sure it may be a dud and do nothing, or it may be huge and blow up in their face.
Well, Conficker queries well known sites and checks the date on the HTTP headers. You can't just redirect DNS to "move the clock forward".
Pirated versions of Windows end up with automatic updating turned off as a way of getting around Microsoft's Genuine Advantage validation tests.
Sure you can. And add a transparent proxy to change the headers to the false, moved-forward time.
Oolite: Elite-like game. For Mac, Linux and Windows
*Bzzzzzzt!*
Finally had enough. Come see us over at https://soylentnews.org/
Because most viruses do not change the network behaviour of a host. Because most viruses are not visible from outside a host. Because this is a very rare case of a worm that actually changes the fingerprint of a host.
Slashdot: where don knuth is an idiot because he cant grasp the awesome power of php
I'd say as a rough guess, that 75% of viruses/trojans/malware nowadays turn off Windows Update as part of the infection process.
Somebody gets one of these fake Facebook spams, goes to the site in question to see Amanda Whatserface doing her striptease on stage, downloads Adobe_Player11.exe, so they can see the video, and bam. They're infected.
And before you bitch about them not having up to date antivirus.....I sent this file to virustotal.com a couple of days after I first got one of these spams, and it was detected as a known virus by a grand total of zero scanners.
Two flagged it as a suspicious file, and the rest (37 or so) let it sail on through.
Somebody gets hit with one of these things, and they'll have no A/V, no Auto Updates, and probably no firewall. They won't know it, because they'll also have no Security Center Service.
Or there's the possibility that they got infected, took their machine to a big-box moron to get it fixed, and the idiot in question cleaned the virus, but didn't enable all the disabled services. So again, no firewall, no Auto Updates.
It's not all because they're turned off intentionally.
"City hall" in German is "Rathaus" Kinda explains a few things......
When you've gone to make some coffee and you come back to the message "An important update required a restart of your computer." the first question you ask is "Where did my work go?" The second question is "How do I stop that happening again?"
Finally had enough. Come see us over at https://soylentnews.org/
I thought it was funny, one of the newscasters on 60 minutes said she just got "owned". It's funny since this is the same show Andy "I'm out of touch with reality" Rooney is on.
All that will be left is a box in Madagascar with its ports closed.
ipc0nfig: ...why not just move the computer clock forward to April 1st, and see what Conficker does.
cdrudge:
For the same reason that a bomb technician doesn't reset the timer to zero just to see what the bomb does. Sure it may be a dud and do nothing, or it may be huge and blow up in their face.
I think ipc0nfig has a fair point - you could run a date-adjusted infected machine in a VM, isolated inside a virtual network, and monitor any disk/network activity.
Of course, you might not know what'll really happen unless you let it phone home, and even then you might not see what will happen on April 1st; but it might give more clues about which external addresses to block.
Oh, how convenient: a theory about God that doesn't involve looking through a telescope.
Until researchers "do something useful"? You mean like, uh, release information to antivirus software developers who in turn release tools to detect and remove the virus? Oh, wait, they already did that. What else do you expect the researchers to do? Personally go door to door, offer to come in and check your system for you? If a million people are still infected because they're too stupid to take advantage of any of the tools that (thanks to the researchers) are available to help them, there's not much else the researchers can do about that. They may be smart, but they're not magical.
Seriously? It is named "Malicious Software Removal Tool"? So we could call it... "MS removal tool".
That's the best name for software coming from Microsoft in a long time.
Rich
Now that the authors of Conficker know that their infected systems have a different signature on the network, what's to stop them from just plugging that particular hole and picking a new date?
Cinco de Mayo anybody?
If you're gonna be dumb, you gotta be tough.
"You must be logged on as a member of the Administrators group to run the tool."
A "user" can't run the MRT or apply automatic updates, you have to log in as an "administrator." If you regularly log in as a "user" you won't even be notified by Windows that there are updates available! This is why just about everyone who uses Windows logs in as administrator all the time. I think THAT is one of the most important security holes.
Help! Help! I'm being repressed!
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
As long as you give the user the freedom to install and run what he wants, you cannot possibly prevent him from running/installing malicious code which can take over as many functions as the user himself has (i.e., if he can send email, so can the code, etc.).
It's quite elementary, really: Windows Update sucks. Okay, that probably needs an explanation.
Would you rather:
a) Run Windows Update so Microsoft has backdoor access to update/patch/install software at random, as well as auditing your system for "compliance" and sending you a legal nastygram if you are caught running a "pirate" copy of Windows? Note: The detection algorithm for "Windows Genuine Authentication" has passed numerous false negatives and disabled people's computers before who purchased legitimate copies, -or-
b) Not update, download a software firewall, run a bunch of anti-malware scanners, and use Firefox, -or-
c) Do nothing, because "there's nothing important on my computer anyway."
Microsoft went through a lot of effort to make sure there were tons of unpatched systems out there when they started throwing up "windows genuine" everywhere, and having the average user jump through so many hoops. Then there's the two hour process of installing Service Pack 3. Who wants to waste two hours on a ginormous OS update when they can play WoW some more? And god help you if one of a thousand failure conditions crops up and it dies, telling you to reinstall the entire OS. The average Windows user is caught between knowing their systems are vulnerable and playing a rat race that requires knowledge and process they don't understand to keep their systems secure.
Big surprise when they choose the devil they know.
#fuckbeta #iamslashdot #dicemustdie
The following comment might be potentially stupid, but why not just move the computer clock forward to April 1st, and see what Conficker does?
In that sense we already know what will happen. Computers infected with Conficker will get a new update. The problem is, it uses a routine which generates 50 000 different host names, many of which are legitimate, and tries to download updates from each of them. The Conficker owner will have updates ready on some of those servers, so what we don't know is what that update contains. We can probably be sure it will contain a fix for the part that makes it detectable remotely, though.
You do realise that this is completely wrong?
Microsoft distributes security updates to _ALL_ editions of Windows that are currently maintained irrespective of the legality of the license. However, if you are not running a legal license, you can only receive updates through Automatic Updates, limited purely to security updates. Use of Windows/Microsoft Update and/or the downloading of non-security updates requires a valid license. The reasoning for this is to prevent exactly what you accuse Microsoft of not doing, reducing the risk of large viral/worm outbreaks and the impact of such outbreaks on Windows users, particularly those with legal licenses. Even if you completely fail WGA validation, you still will receive security updates through Automatic Updates.
Ideally, I'd prefer MS to permit security updates through the WU/MU frontend even if an invalid license is detected. I'm not sure what error message is displayed and if it prompts for Automatic Updates to be enabled or informs the user that they can still receive security updates through AU. However, the point remains that MS still permits a legal avenue of obtaining such updates, despite running an invalid license, at THEIR cost of distributing such updates.
There is no excuse for not being patched.
This is much like the "linux uses a command line, so it's better. I don't care if you don't want to learn arcane syntax".
Windows is hard to configure correctly. If you don't know the magic registry line, or which utility buried in the system folders to use, there's no way in hell you can make the fine-grained adjustment not to automatically restart. On the other hand, turning off system updates entirely is easy. I'd count the clicks if I had a windows box available, but I guarantee it's not that many.
Just another "DOJ fascist authoritarian totalitarian bootlicker" -- Zeio
I think the purpose of this virus is to try to take over the world.
No problem then - Pinky will find some way to screw it up
That was supposed to be "Thoughts from England"
"Thanks Dan! We'll be sure to patch this problem in the next Conficker update."
Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
Don't admin Windows much, do you? You're right, you can't MANUALLY run updates, but the auto updates sure as hell get applied! Wait... checking any of my 150 Windows boxes running as user full time... Yep! Sure do!
You haven't been paying attention to the AV vendors for long have you? in 1997 McAfee merged with Network General and became Network Associates (nai.com) which also sold Sniffer. Then, in April 2004, McAfee became McAfee again when NAI tried to sell off the Sniffer product/Network General component (which was purchased by NetScout in November 2004). McAfee continued using the nai.com domain until June 30th of 2004, when archive.org shows nai.com redirecting to mcafee.com for the first time. vil.nai.com has been the Network Associates/McAfee Virus Information Library (and now the more generic "Threat Library") since at least 1999. (Incidentally, the "top 10 virus threats" in Oct 1999 included "Laroux", "Melissa" and "Happy99". My, how far we've come....)
You are probably 100% right that you can still get security updates through AU, but it appears that there's a lot of PCs with automatic updates turned off or there wouldn't be such a large problem.
Joe User, legal or not, doesn't want some automated process going through his details, after all it could get him in trouble.
The reality of the policy doesn't matter since WGA started, it's the perception, that's kept a lot of people away from Windows updates.
Even people with genuine licensed Windows quite often have genuine not legal copies of Office, and although Windows is legal for them they still won't touch the Microsoft website in case they detect the illegal install of Office.
Has activation and license verification done anything effective to reduce the number of pirated installs?
Blarney Quality Restaurant, Plants
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For more details, see the announcement at http://insecure.org.
-Fyodor
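As an added example (not from the thread, from nmap, or from Fyodor), here is a small POSIX shell wrapper around that command: it saves nmap's normal output to a file and reduces it to the list of hosts the script flagged as infected. The host-header format and the "Conficker: Likely INFECTED" / "Likely CLEAN" result strings are assumptions about the smb-check-vulns output, not taken from the page.

```shell
#!/bin/sh
# Added example, not from the thread or from nmap/Fyodor: wrap the
# smb-check-vulns sweep above and reduce its output to the hosts the
# script flagged as Conficker-infected.
# Assumptions (not stated on the page): each host block in nmap's normal
# output begins "Nmap scan report for ..." (older releases: "Interesting
# ports on ..."), and the script reports "Conficker: Likely INFECTED" or
# "Conficker: Likely CLEAN" under its "smb-check-vulns:" block.

# Run the exact command from the post, saving normal output to $1 so it
# can be parsed afterwards (and kept as a record of the sweep).
conficker_sweep() {
    out="$1"; shift
    nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns \
         --script-args safe=1 -oN "$out" "$@"
}

# Parse nmap normal output on stdin and print the address of every host
# whose smb-check-vulns block says "Conficker: Likely INFECTED".
infected_hosts() {
    awk '
        /^Nmap scan report for / || /^Interesting ports on / {
            host = $NF                      # "ip", "(ip)" or "ip:"
            sub(/^\(/, "", host); sub(/[):]$/, "", host)
        }
        /Conficker: *Likely INFECTED/ && host != "" { print host; host = "" }
    '
}

# Constructed sample in the assumed output format: three hosts, one flagged.
SAMPLE_OUTPUT=$(cat <<'EOF'
Nmap scan report for 192.168.0.5
Host is up (0.0010s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|   MS08-067: CHECK DISABLED (remove 'safe=1' argument to run)
|_  Conficker: Likely INFECTED

Nmap scan report for ws-07.corp.example (192.168.0.7)
Host is up (0.0020s latency).
PORT    STATE SERVICE
445/tcp open  microsoft-ds

Host script results:
| smb-check-vulns:
|_  Conficker: Likely CLEAN

Nmap scan report for 192.168.0.9
Host is up.
PORT    STATE  SERVICE
445/tcp closed microsoft-ds
EOF
)

# Demo on the sample. Real use: conficker_sweep scan.txt 192.168.0.0/24
# followed by: infected_hosts < scan.txt
printf '%s\n' "$SAMPLE_OUTPUT" | infected_hosts
```

Feed the saved file to `infected_hosts` after each sweep and diff the lists between runs to see which hosts were cleaned.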