Microsoft Warns of Copycat Conficker Worm
nk497 writes "Microsoft is warning that malware writers have adapted a four-year-old virus to use features of Conficker to take advantage of Windows flaws. Other similarities between the adapted Neeris worm and Conficker are that it downloads a copy of the worm from the attacking machine using HTTP, spreads via autorun, and uses a driver to patch the TCP/IP layer of the system. It even saw a traffic jump around the first of April, when the Conficker hype peaked. But the Microsoft researchers suggested Conficker may have copied Neeris, or that they're copying each other: 'It is possible that these miscreants somehow collaborate or at least are aware of each other's "products."'"
This could go one of two ways: either the viruses will try and outdo each other by doing more and more outrageous things to the victim's computer or (and let's face it, this would be more amusing) they'll try and kill each other to get sole ownership of the PC.
Either way, I'm glad I use Linux.
Summation 2
when will they ever get rid of that?
I work for the Department of Redundancy Department.
I, for one, am amazed to learn that criminal software developers behave quite similarly to ordinary ones. Reusing code, copying features from industry leaders, why, they probably even use revision control systems!
Seriously, though. It would be more of a surprise if they weren't doing this. Of course players in a competitive market are going to be watching each other and adopting each other's best features.
You would think that Microsoft researchers would spend more time patching Windows rather than saying idiotic things like 'It is possible that these miscreants somehow collaborate or at least are aware of each other's "products."'.
Considering Conficker has been all over the news and the maker of Neeris would have to be working in a cave beside Osama not to have seen anything about it, I dare say it is more than freakin' likely they know of each other's products.
Now if only Microsoft knew as much about Windows as these guys do, we might actually get updates that were more valuable.
flinging poop since 1969
How long before each worm includes a copy of its source code in a git repository, searches out other variants of the same worm on the infected system or across the net, and randomly exchanges patches with them to create hybrid offspring? The worm would need some way to compile itself, of course (unless written in Javascript or other scripting language where the interpreter is included with Windows).
-- Ed Avis ed@membled.com
Actually, the patch was released even before Conficker started appearing. The systems affected are the ones that don't update. "Conficker, aka Downadup, which began circulating in late November, exploits the MS08-067 vulnerability patched by Microsoft last October" http://www.theregister.co.uk/2009/01/19/conficker_worm_feed/
No, they are updating an old virus to use the new flaws. Think about it. If the old virus used the same security holes as Conficker then it would not need to be updated.
They will shortly be releasing a tool to test your system to make sure you have the real worm and not some impostor/pirate copy of the worm. This will be an extension of the WGA program.
I don't read your sig. Why are you reading mine?
"It is possible that these miscreants somehow collaborate or at least are aware of each other's 'products.'"
Well, no shit, Sherlock. Guess they must have Internet connection too, then...
With all the resources at Microsoft's disposal, you'd have thought that they'd have come up with a specific fix. Yes, I'm aware that regularly-patched machines are better protected, but the evidence is clear that many people don't do that; (and not just the pirates, either).
If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?
It's more like "You turned off autoupdates and don't have antivirus software, so watch out".
Conficker only affects out-of-date systems made vulnerable by idiots turning off security systems to gain a small performance improvement.
But hey, don't let me interrupt your "Bash M$; get karma" rant...
You can advertise in this sig from as little as £99.99 a month!
Why, I very nearly dropped my monocle when I heard that the rascals might be cahoots! Perhaps they have some sort of network (a system of tubes, perhaps?) that allows them to share their diabolical plans! Fiendishly clever!
We must safeguard our computing engines! I say we must find these rogues and hang them from the highest scaffold in the land!
I know there are tonnes of toolkits that are being released by third parties because this worm is such an aggressive one. The issue is that people with unpatched systems are probably just as competent about the toolkits as they are about updating their system. Microsoft actually reacted to this threat quicker than most of the other exploits they experience.
I do believe that they did release a patch for this, but due to WGA a lot of people that have pirated copies have the auto-updates turned off, leaving these holes open. Again, there is nothing you can do if the user is the problem.
If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?
The virus does its best to block attempts at removal as you'd expect, but still, you seem to be referring to something along these lines with specific instructions on detection and removal from M$, or perhaps even the Windows Live safety scanner, which despite its crappy-sounding name apparently detects and removes it.
/. and bashing the evil corporation usually results in "sheeple" modding you up, but did you really think M$ wouldn't have thought about supplying people with the means to remove the virus? Did you even check before hitting submit?
Yes I know this is
You can advertise in this sig from as little as £99.99 a month!
Disagree. Windows security issues are a major concern for Microsoft's customers, and hence to them. Apple, BSD/*x and FOSS boosters, (and yes, I'm one) regularly point out how much more 'secure' their platforms are. (Of course, as debated endlessly here and elsewhere, that may be as much a function of market share as inherent design, although few informed people would seriously challenge the latter).
Of course, it's not just the OS, it's the apps. Ms makes a lot from selling 'Office' too, which has its own vulnerabilities.
So, since the competition is 'free' (*x & Ooo) and more secure, yes, I guess they do give a damn.
Thanks, I was actually aware of all that stuff.
Now I invite you to navigate to the page you linked to - where's the big red button marked 'Worried newbie? Click here to download/do online scan now'.
Links to that button should be all over the net.
They're not. Why?
Because the media are just as bigoted as you in hating Microsoft and a solution to a problem is no longer newsworthy.
You see stories all over the press about "this accident". You don't hear about the people that cleaned it up. "The internet in X places went down yesterday" - no followup of "The internet is back for those that suffered".
Honestly, if you stole Windows, then disable the updates, even though MS will still allow you to security patch your computer with an invalid key, you should not be surprised when you run into some sort of problem.
It's like stealing a plant from a store, refusing to water it, then when it dies you get mad at the store that you stole it from. Tough balls.
Copyright 2010. All rights reserved. This comment may not be copied in any way including, but not limited to caching.
That has to be the best way I have heard anyone ever say it.
Thanks, I was actually aware of all that stuff.
Oh, sorry, I must have misunderstood when you wrote "you'd have thought that they'd have come up with a specific fix", and it was utterly stupid of me to link to a page with a specific fix.
Now I invite you to navigate to the page you linked to - where's the big red button marked 'Worried newbie? Click here to download/do online scan now'.
For those unable to read, comprehend and follow instructions there are two big blue buttons that say "Get help now". Sorry they're not red.
Links to that button should be all over the net. They're not. Why?
Put "remove conficker" into Google and you're about three clicks away from a number of downloadable removal tools. Sorry, but anyone that can't be bothered to read a little and wants a bloody great red button to do everything for them probably shouldn't be using a computer at all.
You can advertise in this sig from as little as £99.99 a month!
While doing a bit of looking around for another post in this thread I found what's basically an idiot's guide to detecting conficker. It uses pictures to show you if you have it.
This tickled my funny bone for some reason; you have to love the let's-use-pictures approach!
You can advertise in this sig from as little as £99.99 a month!
Maybe one day the 'Imitation Worm' will install a Replica OS http://www.reactos.org/en/index.html just to completely confuse the fellow malware competition. At that point Microsoft will be 'off the hook' for inviting every form of malware possible, and the replacement/replica OS will finally get lots of user testing, and perhaps eventually get released as Beta. At that point the worm only needs to remember to blue-screen periodically and run the 'Windows Replica Advantage' utility just often enough to completely annoy the user so that they don't begin to suspect anything.
This is untrue. Conficker uses a variety of ways to spread itself, such as installing itself as autorun on various volumes. It also includes a password attack to get admin access to a machine and infect SMB shares.
It may use additional methods as well. This is part of the reason conficker is getting so much press.
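The autorun spread discussed in this thread comes down to what an autorun.inf on a removable volume tells Windows to launch. As an added example that is not part of the original thread, this small inspector parses an autorun.inf and reports every directive that would execute a program on insertion (open, shellexecute, and shell\verb\command entries); the sample file is constructed for illustration.

```python
"""Report the launch directives in an autorun.inf (added example, constructed sample)."""
import re
from typing import Dict, List, Tuple

# [autorun] keys that cause a program to run when the volume is inserted.
# Matching is case-insensitive because Windows treats INI keys that way.
LAUNCH_KEYS = {"open", "shellexecute"}
SHELL_CMD_RE = re.compile(r"^shell\\([^\\]+)\\command$", re.IGNORECASE)


def parse_autorun(text: str) -> Dict[str, List[Tuple[str, str]]]:
    """Parse INI-style text into {section: [(key, value), ...]}.

    Duplicate keys are kept rather than collapsed so that a second,
    less visible launch entry is not hidden by the first one.
    """
    sections: Dict[str, List[Tuple[str, str]]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith((";", "#")):
            continue                      # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        if current is None or "=" not in line:
            continue                      # stray text outside a section
        key, _, value = line.partition("=")
        sections[current].append((key.strip().lower(), value.strip()))
    return sections


def launch_directives(text: str) -> List[Tuple[str, str]]:
    """Return (key, target) pairs from [autorun] that would execute something."""
    hits = []
    for key, value in parse_autorun(text).get("autorun", []):
        if key in LAUNCH_KEYS or SHELL_CMD_RE.match(key):
            hits.append((key, value))
    return hits


# Constructed sample: a vendor-looking file that also wires the
# "Open folder to view files" verb to an executable in a hidden folder.
SAMPLE = """[autorun]
; icon shown for the volume
icon=setup.exe,0
label=USB Drive
OPEN = setup.exe
shell\\explore\\command=RECYCLER\\update.exe
shell\\explore=Open folder to view files
"""

if __name__ == "__main__":
    for key, target in launch_directives(SAMPLE):
        print(f"{key} -> {target}")
```

Run it against a real autorun.inf read from a mounted volume to see what the drive would start before letting Explorer act on it.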
I disagree with that statement. IMHO, Windows users are either:
1. Concerned about viruses, but they think their machine has some magical immunity because they don't actually think their machine might ever be infected, OR:
2. Are totally clueless about viruses and spyware.
Even on forums where experienced users post, how many times have you seen a post that is something like: "I don't use anti-virus, I'm just careful where I browse and my PC has never been infected"? Replace "never been" for "I've never been aware" and you might get something close to the truth.
Again, IMHO, Windows users for one reason or another are not significantly concerned about viruses.
One of my colleagues keeps asking why people create viruses -- I keep telling him that today, they do it for profit, but he seems to have a hard time wrapping his mind around that concept. I don't think he is atypical and I think that he, like many others, just doesn't understand how harmful viruses and spyware are and hence doesn't recognize the seriousness of the threat.
The real "Libtards" are the Libertarians!
Because the media are just as bigoted as you in hating Microsoft
Don't hate Ms - check my posting history. Still think they could do a lot more on security, tho'.
Thank God there's no software copyright claims being made between these virus writers...
Says to use single quotation marks inside of double quotes.
It's all fun and games till someone divides by 0. Then it's hilarious.
With all the resources at Microsoft's disposal, you'd have thought that they'd have come up with a specific fix. Yes, I'm aware that regularly-patched machines are better protected, but the evidence is clear that many people don't do that; (and not just the pirates, either).
How about if Microsoft would mod the "malicious software removal tool" to patch only the vulnerabilities that any removed malware exploited?
I don't see the downside to this scenario. Anyone?
More music, fewer hits
sed 's/2b: unpatched/2b: unexploited/'
Me and my mad previewz skillz.
More music, fewer hits
(Of course, as debated endlessly here and elsewhere, that may be as much a function of market share as inherent design, although few informed people would seriously challenge the latter).
Which part of the "inherent design" of Windows makes it less secure ?
Look, if you're running an illegitimate copy of Windows, and you have problems with it, tough. (If you're running a legit copy that WGA thinks is illegitimate, complain to Microsoft. Or make a voodoo doll of Steve Ballmer, and put it in front of Gilligan's Island reruns. Or whatever. It isn't really my problem, except if it happens to me when I boot up Windows to play a game.)
My objection is that anybody running an unpatched copy of Windows makes my life more difficult. If people would figure out some way not to join botnets, we'd all be better off, including Microsoft.
"When you have eliminated the unacceptable, whatever is left, however improbable, must be the truthiness" - Holmes
Are any of the techniques you mentioned immune to a real-time virus scanner on a PC with up-to-date patches?
You can advertise in this sig from as little as £99.99 a month!
But it was spreading via autorun.inf on removable media too, and that was something MS didn't "fix" for WinXP until very recently (if one was only installing the auto-updates). Even then, protection requires non-automatic changes from a user/admin.
They do have their malware removal tool and have free anti-virus software coming out.
http://www.pcworld.com/businesscenter/article/154146/microsoft_drops_onecare_antivirus_product.html
That being said, there will probably still be the Genuine Disadvantage stuff.
Microsoft, Apple, Google, Amazon what's the difference? All steal money from devs and control with walled gardens.
I understand your argument, but couldn't one conversely blame Microsoft? After all, if they didn't expressly prevent these machines from getting updates, this wouldn't be as big of a problem.
For the last time, PIN Number and ATM Machine are redundancies!
FYI, Symantec has a gratis removal tool available here. In case that helps anyone unfortunate enough to be using Windows AND infected by Conficker :P
Geeks like to think that they can ignore politics, you can leave politics alone, but politics won't leave you alone.-rms
I hope you're not trying to imply that it's impossible to be safe on Windows without anti-virus. Being careful about where you browse is stupid, as any site can get hacked to spread malware.
Using common sense, like not blindly opening attachments, being behind a NAT router and/or firewall and using a web browser that isn't IE that gets updated regularly goes a long way towards being malware-free. You can go even further and implement a whitelist for programs (instead of the anti-virus blacklist, which is one of the most dumb security practices).
Security is a process, not a product.
They only give a damn about security issues that are public. Unknown ones they just sit on, as has been demonstrated several times with vulnerabilities like the Windows meta file one.
but not... the SYMPTOM!
</frank-n-furter>
> It also includes a password attack to get admin access to a machine
RT virus scans and patches won't save you from that.
The funny thing is that it's nearly impossible to prove the negative of "they just haven't been aware of the infection on their machine!" Your Linux box has a secret virus that only a few people know about, and has managed to hide itself so well you don't even realize you have it! Prove I'm wrong. How are you going to do that? I suppose you could run anti-virus, at which point I could say that your anti-virus just doesn't know about it. You could do checksums, until I say that it uses a weakness in the algorithm to make sure that it has the same checksum as the affected.
To prove a system - any system - virus free involves a massive amount of effort auditing the files, code, and underlying firmware. And pretty much every Linux admin out there does not go through that kind of effort. Their claims of being virus free are due to the fact of very few un-patched exploits, next-to-no in-the-wild viruses, and the fact that no suspicious activity is detected. In much the same way, I can be reasonably sure that my Windows machines aren't infected by viruses, despite not running a virus checker. If I keep my patches up to date, don't run unknown binaries, don't observe any unexpected behavior, and see no unexpected network traffic, I can be reasonably sure that my machine is not infected.
It's not impossible, as I have done it. And yes, this has been tested. Several times. I've had friends and techs come around with bootable virus-check disks just itching to prove me wrong, and walking away empty-handed. So, you're wrong. You can be virus free on Windows without a virus checker. It just takes due diligence.
If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?
They do.
Malicious Software Removal Tool
Download Link
Technical Details
You'll note said tool does not require any validation to download, anyone can download it regardless of the legality of their copy of Windows; no validation or genuine advantage required, period.
This tool is also regularly distributed via Automatic Updates/Windows Updates to help clean out any infections that computers that use these services may have contracted, either because they weren't patched, or some other mechanism that isn't due to a software vuln (e.g. USB Key Transmission).
The only thing that could be improved upon is combining the two together, but there are some people who have legitimate reasons for wanting to do one and not the other (generally, detect and remove but not necessarily patch). They are few and far between, but they do exist. And really, if you can be capable of going to a website and manually download a removal tool, you should also be able to enable AU or manually periodically go to WU/MU.
In summary: They have published the fix, free, and a removal tool, also free. Learn what you are talking about, everything you just said is already done.
Unless they're able to recognise the malicious code in memory, as good virus scanners are.
You can advertise in this sig from as little as £99.99 a month!
Except they really do not. The *next* generation is *supposed* to do behaviour monitoring instead of definition files, but the current generation does not.
Also, conficker disables most AV Scanners, making the point moot.
Except they really do not. The *next* generation is *supposed* to do behaviour monitoring instead of definition files, but the current generation does not.
No "behaviour monitoring" is necessary if the scanner recognises the code being executed is a virus. And most modern scanners do have behaviour monitoring in the form of intelligent heuristics that can (sometimes) detect threats that aren't defined in a virus definition file.
Also, conficker disables most AV Scanners, making the point moot.
Only if it's allowed to execute, which it shouldn't be if a good real-time scanner with an up-to-date DAT file is present on the system.
You can advertise in this sig from as little as £99.99 a month!
Yes. The autorun feature.