Diagnose Conficker With Web-Based Eye Chart
thomsomc writes "Joe Stewart from the Conficker Working Group has created an eye chart that allows for online identification of Conficker B and C infections. Using basic knowledge of the blacklisting that Conficker employs to avoid attempting to infect IPs that belong to popular Anti-Virus and security firms (including Microsoft), the group whipped up this very simple test to see if you can load content from the various pages. If you can see all of the images, you're more than likely Conficker-free. According to Honeynet, 'This detection method should be more reliable than network scanning based tests. Happy scanning!'" Related: Tech Fragments notes in passing that nothing much seems to have come of conficker's dreaded April 1 deadline.
Am I the only one that read it as Jon Stewart and then spent a few minutes trying to figure out the joke on the page?
There are 10 kinds of people in the world; those that understand binary and those that do not.
a nice, easy, reliable way to detect a conficker infection.
great!
I'm glad the computer I'm using is not affected. I think it's funny how every few years the media picks up and runs with the new malware of the day. Remember that one that flashes the computer's BIOS? The one named after some famous artist?
Dog with head split in half.
Yesterday there was a warning about a Conficker infection on FreeBSD. Now comes the eye chart with links to Linux and OpenBSD! OMG! This Conficker is worse than I imagined!
My w3m can not display the images!
Come on, it doesn't work in Lynx? I want my money back.
There's no -1 for "I don't get it."
Because there is so much money to be made by botnets these days, it has moved from a "look what I can do" feat to a real business in its own right (legality aside). It is widely assumed that Conficker is among the first of a new breed of very carefully produced viruses and worms, written by professional developers who are paid quite well for their computer security and anti-anti-virus skills.
This class of developer knows exactly how the anti-virus companies work. It should have been expected by the Conficker designers that their virus would be examined in isolated networks. The designers would therefore be able to take advantage of that (it's easy enough to detect -- no word from the master servers, no ability to further infect, etc), and that's what we saw yesterday. Planned panic for no reason. At this point, most people think Conficker is either no serious threat, or an April Fools' Day prank. These people could be very wrong.
With the pressure off, infected machines are now able to go about their intended business, which could be sending spam, using distributed computing, farming user data, coordinated attacks of one type or another, or merely a conspiracy to protect computers from infections (a virally spreading anti-virus utility that you can't detect, stop, or remove? ingenious!).
The merits of a secret anti-virus product are more down-to-earth than you might think; most high-end zombie masters write their viruses so that they can't be detected by users and so that they are the sole "pwners" of the system -- competition is bad in this field. What you end up with is zombie masters who are suddenly interested in maintaining your computer for you - virus-free (save their virus), clean, efficient. If this zombie master is your federal government, merely reserving the right to use ("draft") your system as a "minute man" for emergencies where your computing power or attacking capabilities are needed, that might be a fair "tax."
Use my userscript to add story images to Slashdot. There's no going back.
Clicked on the link, page unavailable. A reload did work.
Should be in the summary: If the page doesn't load at all, that doesn't mean you're infected, that means "Poor Internet connection?" If the page loads but some of the images don't, THAT is a positive.
Whew, I haven't had that much relief since I accidentally ate that whole jar of exlax....
120 characters isn't enough to explain it.
Sucks when / is blocked, now, isn't it? :)
Looks like it's slashdotted... or my ubuntu machine has Conficker!
when the page gets slashdotted and doesn't load at all.
Conficker Eye Chart
How to interpret:
If you see this above: / It probably means this:
[image pattern not reproduced] = Normal/Not Infected by Conficker (or using proxy)
[image pattern not reproduced] = Possibly Infected by Conficker (C variant or greater)
[image pattern not reproduced] = Possibly Infected by Conficker A/B variant
[image pattern not reproduced] = Image loading turned off in browser?
Any other combination = Poor Internet connection?
Explanation:
Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.
If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.
SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.
Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.
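The chart's decision logic as a script, written here as an added example (not the Conficker Working Group's code): fetch one image from each row and map the loaded/blocked pattern onto the interpretation table above, treating a failed control row as inconclusive rather than as infection, as the explanation says. The URLs are placeholders, the urllib fetcher is an assumption, and reading a partly blocked first row as the A/B pattern is my interpretation of the chart.

```python
import urllib.request
from typing import Callable, Dict, List

# Constructed placeholder URLs standing in for the chart's two rows of images.
# Row 1: AV/security vendor sites, the class of site Conficker is known to block.
AV_SECURITY_ROW: List[str] = [
    "https://av-vendor-a.example/logo.png",
    "https://av-vendor-b.example/logo.png",
    "https://av-vendor-c.example/logo.png",
]
# Row 2: alternative-OS project sites, a control group Conficker has no reason to block.
CONTROL_ROW: List[str] = [
    "https://os-project-a.example/logo.png",
    "https://os-project-b.example/logo.png",
    "https://os-project-c.example/logo.png",
]

Fetcher = Callable[[str], bool]


def http_fetch_ok(url: str, timeout: float = 5.0) -> bool:
    """Return True if an HTTP GET of url completes with a 2xx status (assumed fetcher)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return 200 <= resp.status < 300
    except Exception:  # DNS failure, timeout, HTTP error, blocked host: all count as "not loaded"
        return False


def probe(urls: List[str], fetch: Fetcher) -> Dict[str, bool]:
    """Try every URL in a row and record which ones loaded."""
    return {url: fetch(url) for url in urls}


def interpret(av_results: Dict[str, bool], control_results: Dict[str, bool]) -> str:
    """Map the loaded/blocked pattern onto the chart's interpretation table."""
    av_loaded = sum(av_results.values())
    ctl_loaded = sum(control_results.values())
    if av_loaded == len(av_results) and ctl_loaded == len(control_results):
        return "normal: not infected by Conficker (or you are behind a proxy)"
    if av_loaded == 0 and ctl_loaded == 0:
        # Nothing loaded at all: image loading off or no connectivity, not evidence of infection.
        return "nothing loaded: image loading off or no connectivity"
    if ctl_loaded == len(control_results):
        # Control row fully reachable, so a blocked AV row is the interesting signal.
        if av_loaded == 0:
            return "possibly infected: Conficker C variant or later"
        return "possibly infected: Conficker A/B variant"
    # Control row partly failed: the chart's "any other combination" case.
    return "inconclusive: poor connection or partial outage, retry"


def run_eye_chart(fetch: Fetcher = http_fetch_ok) -> str:
    """Probe both rows with the given fetcher and return the verdict string."""
    return interpret(probe(AV_SECURITY_ROW, fetch), probe(CONTROL_ROW, fetch))


if __name__ == "__main__":
    print(run_eye_chart())
```

Passing a fake fetcher (a function returning False for the AV row) lets you exercise each branch of the table offline before trusting the verdict from a live run.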
Try the em tag.
Help fight poverty: Punch a poor person.
(or, conversely, "hardcode" IP-to-URL equations for sites I like to speed up access to they, &
You may want to rethink that part. For one, unless you have pathetic DNS servers, I doubt you'd ever notice doing the lookups. And if just once, that IP happens to be down, or has moved, the time it would take you to figure out the problem, you'd have lost all the time you "saved".
Not really that useful here in the states, but would this work in China? Are any of these current URLs normally blocked anyways?
"When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
I tried the VIC-20, 64, 128 and Plus-4
None of them show the pictures....
Someone set us up the spambot.
Spam was way down most of this year, until yesterday. Then it shot back up to where it was last year.
Clearly someone tagged 4/1 as the day to start the spambots back up. Whether this is directly related to the conficker thing I couldn't tell.
I can't see the chart at all! Shit shit shit!
http://pinopsida.com
Hey I saw a report on CBS news about how devastating this worm would be. So I'm sure that this isn't a slashdotted page, but the first in a cascade that will surely bring down the global internet!
...Conficker is patched to allow access to these specific images from these domains?
Pick your "Daily Show"-style punchline for this story:
Support Right To Repair Legislation.
What's wrong with the italics tag?
When our name is on the back of your car, we're behind you all the way!
All they have to do is fake the images on their servers and this test is toast. Give them another 4 hours to create a work around.
The people who made the chart apparently didn't think of server overload.
They should have posted a list of 26 links and told people to click on the link corresponding to the first letter of their name. Or something like that. Or gotten Google to host the page.
Considering how quickly and effectively we managed to slashdot this helpful site, it's pretty obvious that we are the worms.
And if you can see the top row and not the bottom one it means you work at Microsoft.
30 ms is 30 times faster than 0 ms?
wow.
every day http://en.wikipedia.org/wiki/Special:Random
It's got to be irony when, the day after April fools day, the day the virus in question was supposed to "detonate" for lack of a better word, the easiest method of detection is THIS.
Very cool.
I had a sucky sig.
What happens when those six sites see that they are getting leeched, and pull those images? Chaos ensues as man + dog believes themselves to be infected.
literally, 30x as fast!
:::PEDANT ALERT:::
Actually, 1ms would be 30x as fast as 30ms, or 29x faster.
0ms can't be represented as 'so many times as fast as' any number, but since 0ms is actually anything less than 0.5ms (assuming that you only have the one sig-fig) then we CAN say that 0ms is at least 60x as fast as 30ms, or at least 59x faster.
The creator of this post (Jacob Smith) hereby releases it, and all of his other posts, into the public domain.
While technologically simple (or because of it), this is a truly amazing idea! One of these once-in-a-lifetime ideas, in fact.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Ummm, yeah. First off, pinging the site tells you nothing except round trip time. Try something like 'time dig +short slashdot.org' Mine takes about 6 milliseconds of real time. Sure, the DNS server likely has it cached (which would be true of the OpenDNS servers).
I don't know about you, but I wouldn't notice a reduction of 6 milliseconds. Even 30 milliseconds I wouldn't notice. Depending on your setup, your local machine probably caches the results as well, so you're likely only doing that lookup once a day.
Let's say all 250 sites on average cache locally for 24 hours, and you visit each site daily.
250 * 6 = 1500 milliseconds (1.5 seconds).
So if you hit every site, every day for a year, you've saved yourself a whopping 9 minutes. Congratulations. How long did it take you to set up those 250 sites in your HOSTS file and write the script to maintain them? I'm guessing I've got a few decades before you've "saved" as much time as those of us who haven't bothered with such a setup. Oh, and by then you'll likely have switched machines a few times and have had to have taken the time to move that whole setup over.
Separation of presentation and content
The em element provides meaning to the text in that you're emphasizing it, while the i element just makes it italic.
It's like using <h1>Blah</h1> for a header instead of <font size="6"><b>Blah</b></font>, which doesn't mean anything. The first will also be interpreted differently from the surrounding text by text browsers and screen readers, while the second may not.
No existe.
That conficker.c blocks anything with conficker in the DNS request. There's another one here, with a simpler interface: http://iv.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
I didn't mean when /. is blocked, I meant when / is blocked.
Disco.
If I could transfer my mod points to you I would.
Help fight poverty: Punch a poor person.
I didn't mean what's wrong from a philosophical viewpoint. Someone asserted that the italics tags were not working, and I was pointing out that they were.
When our name is on the back of your car, we're behind you all the way!
Round trip time back from a DNS server is what is in question and I also see a 30 millisecond reply back here after pinging slashdot.org also. I don't have whatever toolkit you are using online in Windows 2000, and I think you are only trying to defend your erroneous reasoning by attempting to cut back down to 6 milliseconds from the 30 or more millisecond returns most people will see when resolving the URL for slashdot to its IP address (which ping can do), only on your part via some kind of script kiddie madness that I am not aware of via your statement of 'time dig +short slashdot.org' (what exactly is that? Some kind of half-baked scripting language that most people don't have online via some second rate programming toolkit??). Given that I think your statement is complete horse manure, it's more like he is saving 45 minutes or more a year as far as speed. I also note you won't even try to touch the security benefits of a hosts file though. Funny that.
Here is my improved version of the test... With proxy detection and text result output.
Conficker Tester
I would have to say that if stopbadware.org is blocking that website you mentioned, then the odds are strong it must be bad.
I'm not talking about ad banners, blacklisting sites to 127.0.0.1 or that sort of thing, just the basic time savings of having something like '216.34.181.45 slashdot.org' in your hosts file. The math doesn't add up. You won't save any time in the long run. I'm also assuming that a look up in the HOSTS file takes 0ms (which isn't actually true, but we'll stick with it).
If you really understand how DNS (and web surfing) works, you'll see that you're not saving any time, and you're giving up features that DNS provides.
It's not a bad idea for blacklisting sites, but don't fool yourself, you're not saving any time.
If / is blocked by StopBadware, all sites with a / anywhere in the URL get blocked.
Now realize that all sites HAVE a / anywhere in the URL.
And that that actually happened once, at least on Google's copy of the StopBadware database. ;)
First off, I agree with the security benefits, I never suggested there was anything wrong with those. I'm talking about the 250 sites your "saving" time on by doing the look ups in your hosts file.
My facts still stand. It will take you 27 years to start saving any time, and that's assuming you don't have to tweak your setup at all, or even move it to another machine.
Yeah, you're right. But compiling a linux kernel is easier than some of the things that I see her attempting to do with Windows. ;-)
Those who do study history are doomed to stand helplessly by while everyone else repeats it.
First off, the article you quote talks about getting the speed gains specifically because he is not loading ad banners and the like. I never denied that. I never denied the security benefits. I agree with all that.
What I'm saying is that in all reality you will not save net time when adding your favourite websites to your hosts file. As for running a local DNS server, there's no real advantage to that unless you have other needs outside this discussion. It's not like every home user has a DNS server running.
It's apparent that you really don't understand what I'm trying to explain to you. If you actually think you're saving time, then be happy with your amazing setup.
Ahh, but it's not zero time for a lookup, is it?
My point is, the time you invested in this setup will take 27 years to actually save you time. And that's only if you hit every site every day. If you only view 1/2 those sites every day, it'll take 54 years. And that's assuming you have the same computer for all those years, and never have to manually change anything.
Why are you still arguing irrelevant points?
It will take you over 30 years (and more than likely significantly longer than that) to save any time by having your favorite sites in your hosts file. That is what my point is and you have yet to refute that.
1. I've only ever been referring to placing your favourite sites in your hosts file. Any arguments regarding the other sites to reduce ads/malicious sites, etc. is simply a red herring.
2. You said yourself it took you 3 days to set this up. I later pointed out that I'm estimating that has 20 hours of work.
3. The most you will save in time is 30 milliseconds per site per day.
4. Assuming you never invest any more time in your setup to maintain it or move it to another machine, you will only save 45 minutes of time per year. And that's only if you visit each of your 250 sites every day.
5. Given your initial investment of 20 hours, it will take you nearly 30 years to recoup your investment.
The speed gains in the securityfocus article are a result of the blocked ads. Read it again.
You have yet to refute my point that it will take you AT LEAST 27 years to actually save any time.
You do realize that in all my calculations, I've considered your lookup in your hosts file to take 0 time. All my calculations are using the time you told me of 30ms to do a lookup from your DNS server. So all your "proof" of faster lookups via a hosts file I've already agreed.
But you've invested more time in your setup then it will save you in the long run.
Do you even read my posts?
The time you invested in putting your 250 sites in your hosts file will take decades to pay back. I've never debated that there are security benefits to placing pointers to 127.0.0.1 in your hosts file. I've never disagreed that putting ad sites in your hosts file will speed up browsing.
I'm only discussing the 250 favourites sites you have. You don't seem to be able to understand that.
I'll state this once more in a different way and maybe you'll understand.
You have invested at least 20 hours in your setup. That puts you in the hole at 20 hours.
If you visit every one of your 250 sites in a day, you'll have saved seven and a half seconds that day. 20 hours/7.5 seconds is 9600 (20 hours * 60 minutes * 60 seconds). That means it will take you 9600 days of surfing every one of your 250 sites to make up the time you invested in your setup. (That's over 26 years). Now if you only visit 125 of those sites every day, it will take over 52 years to make up that time.
As far as your lookup time now in your hosts file, I'm counting that time as zero. Nothing, instantaneous. I'm giving you the best possible circumstances here to make your solution actually save time. If I was counting it against you, I'd reduce the 30ms and say you were only saving 29ms (or whatever).
It's clear you can't or won't understand what I'm trying to communicate to you. The time and effort involved in putting a list of your favorite sites into a host file will not realistically save you time in the long run. It's too much of an up front investment of your time.
What do my qualifications matter? You've yet to argue any of the facts I've posted above. Arguing the time it takes to do a lookup in your hosts file is pointless since I'm not counting that as taking any time. Arguing security benefits is pointless because I agree they are there (though I believe there are better ways).
I give up. You've invested 20 hours in your setup. You will not recover that time.
You seem very intent on posting tons of irrelevant information.
As I've said and you've agreed, you'll not recover the time you've invested. If you use a trusted DNS server, you virtually eliminate poisoning. I work (and have certifications) in IT Security. I know what I'm talking about.
You also lose all the advantages that DNS offers.
If you're happy with your setup, great, keep using it. But it's not a good solution. Even the security benefits you claim can be had far easier. The same goes for ad blocking. OpenDNS blocks a lot of malware sites. Plugins for firefox virtually eliminate ads. All of that takes a few minutes to set up. If you want to waste days of your time on something that requires maintenance and doesn't offer any real improvements, go right ahead.
1) Hard coding your favourites into your hosts file will save time on lookups, I've never debated that fact. What I've said is the time invested isn't worth it. You still refuse to address that other than saying it's your time and you'll do with it what you like. Fine... but others should be aware that in the long run it won't save them any time and could cost them time.
2) Who cares how long it takes your script to run. My point has been how long it took for you to do the coding and the testing, and migrate your setup to other machines.
3) So you're telling me that your senses are so fine tuned that when you type http://slashdot.org/ (or click a bookmark) you can tell a difference of .03 seconds in the load time of the site? Wow... I'm impressed.
Oh, and by the way. I've done a fair bit of coding in my day. I wrote several hundred thousand lines of code that runs a busy web hosting company's control panel. Interfacing with mail servers, ftp servers, dns servers, web servers, database servers, etc. It does incremental backups that are restorable by the user. I custom built the database backends. It's also usable by resellers to create custom frontends. It handles the frontend for billing (and I helped with the backend billing). That's one coding project I did. There've been many others and even though I'm no longer in a programming position I still find myself doing some coding.
I've been working professionally in IT for enough years. I've done security research at a University, and am now employed by a mid-sized telecommunications company as a lead IT security person. I've received awards from other IT managers in the company for finding and recommending fixes to security issues.
I'm the lead IT person on our PCI-DSS compliance project. I'm the lead IT person on our AV, IPS, and DLP implementations.
I've assisted on investigations on possible breaches.
I've written custom applications to do log analysis on our internal custom apps.
Question my qualifications all you want, and try to change the subject, and manipulate what I said all you want. It doesn't make you right, or distract from the points I've made. First, very few people are going to notice a savings of 30ms on the load time of their favourite sites (and that savings is only the FIRST time it's loaded that day, depending on the cache times). It doesn't change the fact that by using your setup, they lose a lot of the features that DNS provides.
I'm not going to waste my time on this anymore. You continually bring up security and performance gains from blocking ads. I've never disagreed with either point. I AGREE with them, though I think there are better ways to do it.
I'll stand by my point that hard coding your favourites sites into your HOSTS file is neither a timesaver (in the long run) nor is it particularly beneficial. If you believe it is, great. Have fun with it.
I won't be replying again.