Slashdot Mirror


Diagnose Conficker With Web-Based Eye Chart

thomsomc writes "Joe Stewart from the Conficker Working Group has created an eye chart that allows for online identification of Conficker B and C infections. Using basic knowledge of the blacklisting that Conficker employs to avoid attempting to infect IPs that belong to popular Anti-Virus and security firms (including Microsoft), the group whipped up this very simple test to see if you can load content from the various pages. If you can see all of the images, you're more than likely Conficker-free. According to Honeynet, 'This detection method should be more reliable than network scanning based tests. Happy scanning!'" Related: Tech Fragments notes in passing that nothing much seems to have come of conficker's dreaded April 1 deadline.

49 of 180 comments

  1. Jon Stewart? by ender1598 · · Score: 5, Funny

    Am I the only one that read it as Jon Stewart and then spent a few minutes trying to figure out the joke on the page?

    --
    There are 10 kinds of people in the world; those that understand binary and those that do not.
    1. Re:Jon Stewart? by Anonymous Coward · · Score: 3, Funny

      Haha, me too. Give this a !jonstewart tag.

    2. Re:Jon Stewart? by piojo · · Score: 3, Informative

      How can the first post be modded Redundant when he says something that is not a meme or a common sentiment?

      --
      A cat can't teach a dog to bark.
    3. Re:Jon Stewart? by Spazztastic · · Score: 4, Informative

      How can the first post be modded Redundant when he says something that is not a meme or a common sentiment?

      Because someone with mod points is either trolling or doesn't understand the meaning of the word. Just another flaw in the system.

      --
      Posts not to be taken literally. Almost everything is sarcasm.
    4. Re:Jon Stewart? by RevRagnarok · · Score: 5, Funny

      Just another flaw in the system.

      Come and see the flaws inherent in the system! Help! Help! I'm being modded down!

      --
      I should put something clever here. Maybe someday.
    5. Re:Jon Stewart? by Vu1turEMaN · · Score: 3, Insightful

      the question is: how many other topics can we find that are !jonstewart?

      answer: 99% of them wooooooooooooo

    6. Re:Jon Stewart? by Bootarn · · Score: 3, Funny

      I love the sweet irony of including links to alternate OSes in the test. If those disappear, is it possible that you're infected with a Microsoft made worm?

    7. Re:Jon Stewart? by moxley · · Score: 4, Funny

      This perfectly illustrates one of the unspoken rules of Slashdot culture:

      *If the sole point of your post is to either complain, call a moderation unfair, or ask for an explanation about a moderation, be prepared for your post to be modded in exactly the same way.*

      It's really a wonderful cultural practice, and is preparing interworldnettubez denizens everywhere for what they can expect when asking similar questions of real world "moderators" like cops and politicians.

      Let's all keep up the good work!


  2. sweet by rbrausse · · Score: 5, Insightful

    a nice, easy, reliable way to detect a conficker infection.

    great!

    1. Re:sweet by ShieldW0lf · · Score: 5, Funny

      a nice, easy, reliable way to detect a conficker infection.

      As long as it doesn't get slashdotted... that might cause a new panic :P

      --
      -1 Uncomfortable Truth
    2. Re:sweet by RiotingPacifist · · Score: 4, Funny

      I panicked for a sec, I'm on Linux, but thanks to Virgin Media the bottom two images didn't load. Thankfully the chart said: any other combo = shite internet!

      --
      IranAir Flight 655 never forget!
    3. Re:sweet by Jamie's Nightmare · · Score: 2, Informative

      The site is slow, but I found a copy here.

      I'm going to make my own page based on this idea because there was no reason to put the stupid Linux and BSD logos on the page. That's just being a douche bag.

      --
      "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
    4. Re:sweet by imemyself · · Score: 4, Informative

      Assuming you don't use a transparent proxy, then you would still get false negatives. The "eye chart" test won't work with proxies, not because of caching, but because with a non-transparent proxy Conficker wouldn't see that your computers are actually communicating with the security people's IP ranges.

      --
      Every time you post an article on Slashdot, I kill a server. Think of the servers!
    5. Re:sweet by Chabil Ha' · · Score: 5, Funny

      The chart or the virus?

      --
      We're all hypocrites. We all have hidden parts, it's the contrast between them that make us more a hypocrite than others
    6. Re:sweet by supernova_hq · · Score: 3, Funny

      Considering he is hot-linking images to 3 other servers, he is potentially slashdotting 4 servers with 1 link!!!

    7. Re:sweet by moose_hp · · Score: 5, Informative

      The reason there are logos there is to test that your browser can actually display images before you start panicking that you don't see the logos from the anti-virus. They are also good to compare download times in case that your Internet connection is just slow at that time.

      I copied the source code into an Apache server here, changed the logos on the lower row to point to images on the respective sites (instead of local images) and downloaded the "description" images. Works like a charm, we already found an infected laptop.

      --
      DON'T PANIC.
    8. Re:sweet by Matt Perry · · Score: 4, Funny

      shite internet!

      Just be glad you aren't using Sunni internet.

      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    9. Re:sweet by hawk · · Score: 2, Funny

      *shudder*

      That's totally out of control. Page after page of shameless hussies lifting their burkas to flash their ankles!

      hask

  3. I see a dog. by memorycardfull · · Score: 5, Funny

    Dog with head split in half.

    1. Re:I see a dog. by interkin3tic · · Score: 4, Funny

      Funny, I see a penguin, a blowfish, the devil, and some boring corporate logos. No dogs. You must have Conficker R variant (Rorschach variant)

    2. Re:I see a dog. by agnosticanarch · · Score: 4, Funny

      I was going to explain it, but I got caught up looking at the pretty butterfly.

      --
      I contend that we are both atheists. I just believe in one fewer god than you do.
    3. Re:I see a dog. by JWSmythe · · Score: 3, Funny

      Well, there are only two kinds of people in the world. Those with ADD and ......


      --
      Serious? Seriousness is well above my pay grade.
  4. Lynx support? by MrEricSir · · Score: 4, Funny

    Come on, it doesn't work in Lynx? I want my money back.

    --
    There's no -1 for "I don't get it."
    1. Re:Lynx support? by MBCook · · Score: 5, Funny

      Works here.

      You must be infected.

      --
      Comment forecast: Bits of genius surrounded by a sea of mediocrity.
  5. If Conficker was designed by a security guru... by Khopesh · · Score: 5, Interesting

    Because there is so much money to be made by botnets these days, it has moved from a "look what I can do" feat to a real business in its own right (legality aside). It is widely assumed that Conficker is among the first of a new breed of very carefully produced viruses and worms, written by professional developers who are paid quite well for their computer security and anti-anti-virus skills.

    This class of developer knows exactly how the anti-virus companies work. It should have been expected by the Conficker designers that their virus would be examined in isolated networks. The designers would therefore be able to take advantage of that (it's easy enough to detect -- no word from the master servers, no ability to further infect, etc), and that's what we saw yesterday. Planned panic for no reason. At this point, most people think Conficker is either no serious threat, or an April Fools' Day prank. These people could be very wrong.

    With the pressure off, infected machines are now able to go about their intended business, which could be sending spam, using distributed computing, farming user data, coordinated attacks of one type or another, or merely a conspiracy to protect computers from infections (a virally spreading anti-virus utility that you can't detect, stop, or remove? ingenious!).

    The merits of a secret anti-virus product are more down-to-earth than you might think; most high-end zombie masters write their viruses so that they can't be detected by users and so that they are the sole "pwners" of the system -- competition is bad in this field. What you end up with is zombie masters who are suddenly interested in maintaining your computer for you - virus-free (save their virus), clean, efficient. If this zombie master is your federal government, merely reserving the right to use ("draft") your system as a "minute man" for emergencies where your computing power or attacking capabilities are needed, that might be a fair "tax."

    --
    Use my userscript to add story images to Slashdot. There's no going back.
    1. Re:If Conficker was designed by a security guru... by Anonymous Coward · · Score: 5, Informative

      No, they didn't plan on misleading the public about April 1st. Even the real (not PR-driven) security researchers didn't think anything bad would happen. The public and news sites were just using it as an excuse to make a fuss again.

      Conficker has already had a few of these dates, April 1st is just the date it starts actively looking for any future updates to the worm. As long as everything is going well so far, they won't update it.

  6. Slashdotted scare by interkin3tic · · Score: 5, Informative

    Clicked on the link, page unavailable. A reload did work.

    Should be in the summary: If the page doesn't load at all, that doesn't mean you're infected, that means "Poor Internet connection?" If the page loads but some of the images don't, THAT is a positive.

    1. Re:Slashdotted scare by nwf · · Score: 2, Informative

      Same here. Reloading did work. Thankfully, I'm clean!

      --
      I don't know, but it works for me.
  7. Thank god by diablovision · · Score: 4, Funny

    Whew, I haven't had that much relief since I accidentally ate that whole jar of exlax....

    --
    120 characters isn't enough to explain it.
  8. Re:Very nice & interesting technique by bhtooefr · · Score: 4, Funny

    My HOSTS file uses data from reputable sources like STOPBADWARE.ORG

    Sucks when / is blocked, now, isn't it? :)

  9. Slashdotted by 56 · · Score: 4, Funny

    Looks like it's slashdotted... or my ubuntu machine has Conficker!

  10. This is gonna cause mass hysteria.. by gsmalleus · · Score: 2, Insightful

    when the page gets slashdotted and doesn't load at all.

    1. Re:This is gonna cause mass hysteria.. by AlexCorn · · Score: 2, Insightful

      I think it's already there... I got it to actually load 1 out of 6 tries

      Well that's why it's slashdotted... people are loading it six times!

  11. Mirror by Anonymous Coward · · Score: 5, Funny

    Conficker Eye Chart

    [The two-row image table (six logos: AV/security sites in the top row, alternative operating systems in the bottom row) is not preserved in this mirror.]

    How to interpret:

    If you see this above: / It probably means this:

    (image combination) = Normal/Not Infected by Conficker (or using proxy)
    (image combination) = Possibly Infected by Conficker (C variant or greater)
    (image combination) = Possibly Infected by Conficker A/B variant
    (image combination) = Image loading turned off in browser?
    Any other combination = Poor Internet connection?

    Explanation:

    Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.

    If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).

    If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

    F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.

    SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.

    Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.
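
The chart's logic as a command-line check a defender could run on a suspect host, an added example that is neither the Working Group's page nor anything posted in this thread: it probes a few AV/security sites and a few control sites, then applies the legend above, including the proxy caveat raised elsewhere in the thread (a proxy resolves the AV names for you, so the test says nothing). The hostnames and the partial-block wording are my assumptions.

```python
# Added example, not code from the Conficker Working Group's eye chart.
import socket
import urllib.request
from urllib.error import HTTPError, URLError

# Assumed hostnames: a few AV/security sites (the kind the chart says Conficker
# blocks) and a few control sites it is not expected to block.
AV_SITES = ["https://www.f-secure.com/", "https://www.secureworks.com/",
            "https://www.trendmicro.com/"]
CONTROL_SITES = ["https://www.kernel.org/", "https://www.freebsd.org/",
                 "https://www.openbsd.org/"]


def http_reachable(url, timeout=10):
    """True if the name resolved and the server answered at all."""
    try:
        urllib.request.urlopen(url, timeout=timeout).close()
        return True
    except HTTPError:
        return True        # e.g. 403/404: still proves the name was not blocked
    except (URLError, socket.timeout, OSError):
        return False       # DNS failure, refused or timed out: treated as blocked


def interpret(av_ok, control_ok, proxied=False):
    """Map per-site results (lists of bool) onto the chart's legend."""
    if not any(av_ok) and not any(control_ok):
        return "nothing reachable: poor Internet connection or images/network off?"
    if all(av_ok) and all(control_ok):
        if proxied:
            return "inconclusive: a proxy resolves the AV names, so a local block would not show"
        return "normal / not infected by Conficker"
    if all(control_ok) and not any(av_ok):
        return "possibly infected: every AV/security site is blocked"
    if all(control_ok):
        return "possibly infected: some AV/security sites blocked (the blocked set differs by variant)"
    return "any other combination: poor Internet connection?"


def eye_chart(fetch=http_reachable, proxied=None):
    """Run the probes; proxied=None means detect a configured proxy."""
    if proxied is None:
        proxied = bool(urllib.request.getproxies())
    av_ok = [fetch(u) for u in AV_SITES]
    control_ok = [fetch(u) for u in CONTROL_SITES]
    return interpret(av_ok, control_ok, proxied)


if __name__ == "__main__":
    print(eye_chart())
```

Like the chart, it can only say "possibly infected": any other local filter that blocks the same names gives the same pattern.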

    1. Re:Mirror by Onymous Coward · · Score: 4, Insightful

      Ha.

      Anyway, the page is a clever idea.

      Here's another interpretation to add to the list: Some of the sites that the page pulls images from are Slashdotted.

  12. Re:Jon Stewart by thedonger · · Score: 3, Informative

    And I sure am glad Taco et al chose to disable the italics tag

    Try the em tag.

    --
    Help fight poverty: Punch a poor person.
  13. Useful in China? by Jamie's Nightmare · · Score: 2, Interesting

    Not really that useful here in the states, but would this work in China? Are any of these current URLs normally blocked anyways?

    --
    "When you see a unixer brainwashed beyond saving, kick him out of the door." - Xah Lee
  14. Nothing? by blair1q · · Score: 2, Interesting

    Someone set us up the spambot.

    Spam was way down most of this year, until yesterday. Then it shot back up to where it was last year.

    Clearly someone tagged 4/1 as the day to start the spambots back up. Whether this is directly related to the conficker thing I couldn't tell.

    1. Re:Nothing? by Renraku · · Score: 3, Interesting

      I can't take credit for saying this as I'm only parroting it from another source, Fark I believe, but someone said it was well-known in the security industry that April 1st is by far the most common date for new malware to go live, and is also a common date for existing malware to update.

      Probably to maximize confusion.

      --
      Job? I don't have time to get a job! Who will sit around and bitch about being broke and unemployed then?
  15. Oh shit by atomicthumbs · · Score: 4, Funny

    I can't see the chart at all! Shit shit shit!

    --
    http://pinopsida.com
  16. How long before... by Anonymous Coward · · Score: 2, Interesting

    ...Conficker is patched to allow access to these specific images from these domains?

    1. Re:How long before... by moose_hp · · Score: 4, Insightful

      Then we (it's open source after all!) modify the test to use iframes (ewwww... but useful in these situations) to actually load the full pages. Once Conficker gets updated so it allows the pages, we move to actually downloading the patches with a message like "if the file doesn't download, you're probably infected". By the time Conficker gets good enough to actually allow the patches but modifying them on the fly so they are not useful (just random noise with the same size and filename), then we're screwed.

      Maybe I shouldn't give them ideas. I bet the author of Confickr reads slashdot.

      --
      DON'T PANIC.
    2. Re:How long before... by Ian Alexander · · Score: 2, Funny

      Maybe I shouldn't give them ideas. I bet the author of Confickr reads slashdot.

      Considering that s/he actually gets shit done I highly doubt it.

  17. Pick your punchline by Comboman · · Score: 4, Funny

    Am I the only one that read it as Jon Stewart and then spent a few minutes trying to figure out the joke on the page?

    Pick your "Daily Show"-style punchline for this story:

    • If we can diagnose computer viruses with an eye-chart, does that mean McAfee can tell me if I need glasses?
    • Users of dual-boot computers should consult the bifocal eye-chart.
    • Your mother was right! If your computer visits those nasty virus-infected pron sites, you WILL go blind.
    --
    Support Right To Repair Legislation.
  18. Re:Jon Stewart by camperdave · · Score: 2, Insightful

    What's wrong with the italics tag?

    --
    When our name is on the back of your car, we're behind you all the way!
  19. How long before they ruin this test by aarenz · · Score: 5, Interesting

    All they have to do is fake the images on their servers and this test is toast. Give them another 4 hours to create a work around.

    1. Re:How long before they ruin this test by wytcld · · Score: 3, Insightful

      Not if they're blacklisting. Only if they're redirecting. And if they were redirecting they'd presumably already have fake site mirrors set up, including these images, so the test would have never worked.

      --
      "with their freedom lost all virtue lose" - Milton
  20. Oops by Wilson_6500 · · Score: 4, Funny

    Considering how quickly and effectively we managed to slashdot this helpful site, it's pretty obvious that we are the worms.

  21. Another option for the eye chart by fava · · Score: 5, Funny

    And if you can see the top row and not the bottom one it means you work at Microsoft.