Slashdot Mirror


Using Conficker's Tricks To Root Out Infections

iago-vL writes "Despite having their domain blacklisted by Conficker, the folks at Nmap have released version 4.85BETA8, which promises better detection of the Conficker worm. How? By talking to it on its own peer-to-peer network! By sending encrypted messages to a suspect host, the tools will get Conficker.C and higher to reveal itself. This curious case of using Conficker's own tricks to find it is similar to the last method that we discussed. More information from the author is available, as well as a download for the new release (or, if you're a Conficker refugee, try a mirror instead)."

117 comments

  1. Am I the only one... by Bicx · · Score: 5, Interesting

    that thinks Conficker is actually really cool? I mean, damage aside, it's pretty darn impressive.

    1. Re:Am I the only one... by Rogerborg · · Score: 5, Funny

      Sharks are pretty cool too, right up to the point where they start chewing on your leg. I guess it takes distance to gain perspective.

      --
      If you were blocking sigs, you wouldn't have to read this.
    2. Re:Am I the only one... by scubamage · · Score: 1

      I totally agree. Conficker is really kind of a marvel, and for a long time I couldn't decide whether I'd want to shake the author's hand, or kick him square in the nads. Though honestly I think some of the media drama helped.

    3. Re:Am I the only one... by fuzzyfuzzyfungus · · Score: 5, Funny

      You have to have decent balance; but there is nothing stopping you from doing both. In fact, a friendly overture often puts the target at ease, making them easier to hit.

    4. Re:Am I the only one... by Shrike82 · · Score: 3, Insightful

      You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

      Then you'd proceed to nad-kicking.

      --
      You can advertise in this sig from as little as £99.99 a month!
    5. Re:Am I the only one... by value_added · · Score: 4, Funny

      Sharks are pretty cool too, right up to the point where they start chewing on your leg.

      I'd wager that if you're a shark, the "chewing on your leg" part would still be cool.

    6. Re:Am I the only one... by Anonymous Coward · · Score: 1, Insightful

      Is this where the saying "Good from far, far from good" comes into play?

    7. Re:Am I the only one... by DomNF15 · · Score: 3, Insightful

      I think I'll join the kick in nads faction - what would have been really cool is if the Conficker author had used his talent for something constructive, not destructive. I'm sure any IT professional who has spent hours dealing with the fallout of Conficker will agree, as I personally spent a good amount of time rebuilding machines that got infected.

    8. Re:Am I the only one... by Binestar · · Score: 4, Insightful

      Seems like you should have spent a small amount of time patching the machines when the security updates were released instead of spending a good amount of time rebuilding them.

      --
      Do you Gentoo!?
    9. Re:Am I the only one... by Shakrai · · Score: 1

      I'd wager that if you're a shark, the "chewing on your leg" part would still be cool.

      Depends on which human you are going after. Humans are known for being pretty dangerous prey, probably the most dangerous in the animal kingdom when you get right down to it. I'd imagine that if you are a shark and you run into Quint it's going to totally ruin your day ;)

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    10. Re:Am I the only one... by Anonymous Coward · · Score: 1, Insightful

      Yeah, because "IT Professional" means he has (and has always had) full control over all the machines he touches. He couldn't, I don't know, fix customers' broken computers as (part of) his job.

    11. Re:Am I the only one... by Shakrai · · Score: 4, Insightful

      You'll want to shake his hand right up to the point where his botnet of compromised machines manages to brute-force your bank account login and password and steals all your money.

      Then you'd proceed to nad-kicking.

      The only person I'd want to nad-kick in that scenario would be the moron IT person at my bank who didn't have his system configured to lock my account after X number of failed logon attempts.....

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    12. Re:Am I the only one... by Anonymous Coward · · Score: 0

      Quint? Quint got eaten.

      Brody blew the shark up.

    13. Re:Am I the only one... by myxiplx · · Score: 2, Interesting

      Yup, damned impressive worm, if you read some of the detailed writeups it really highlights just how professional these things are now.

      It's doing us the world of good here - we've got pretty good security already, and getting budget for the next set of steps I want to take should be a whole lot easier now. All I'm having to do is point out just how widely Conficker spread, show some of the big names it hit, and then point out just how long it took them to clean their networks after the fact.

      All of a sudden a few pounds spent protecting the network look like a good idea :)

    14. Re:Am I the only one... by Shakrai · · Score: 1

      Yeah but how many sharks did he kill before he got eaten? Statistically speaking that last shark got pretty lucky.

      Of course it was killed by a .30-06 shortly thereafter. Probably would have been in the best interest of the shark to stick to eating seals ;) They don't have opposable thumbs and aren't nearly as dangerous. Guess it would have been a pretty lousy movie if all the shark did was eat seals though......

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    15. Re:Am I the only one... by Binestar · · Score: 1

      If he's in the Geeksquad, I can see it not being his fault. It also keeps him in a job, and I can definitely see a love/hate relationship there. But then, he claimed to be an "IT Professional" and I know that most people who claim to be an "IT Professional" mean they install/admin/maintain computers for a business. If said "IT Professional" doesn't have the pull to make sure a sane security policy is in place, then they get what they deserve and should use this instance to push through a sane security policy.

      --
      Do you Gentoo!?
    16. Re:Am I the only one... by maxume · · Score: 2

      If my bank failed to prevent a brute force attack, I would find their head of security and kick him in the nads.

      Somewhere around 25 failed attempts (but probably far less than that), security really becomes more of a concern than convenience.

      --
      Nerd rage is the funniest rage.
    17. Re:Am I the only one... by Lumpy · · Score: 1

      I can, GeekSquad usually means drooling moron. I regularly fix GeekSquad screwups for customers. Hell, 9 times out of 10 the customer's computer is screwed up more after coming back from the IneptSquad.

      --
      Do not look at laser with remaining good eye.
    18. Re:Am I the only one... by nobodylocalhost · · Score: 1

      Lawyers are pretty cool too, right up to the point where they start suing on your ass. I guess it takes distance to gain perspective.

      Fixed it for you

      --
      Where is the "Ignorant" mod tag?
    19. Re:Am I the only one... by Pvt_Ryan · · Score: 1

      Surely what they are doing is illegal.. DMCA & copyright in general. The conficker source has been posted online: http://mtc.sri.com/Conficker/contrib/#example-code , and I bet they didn't get written permission either.

      Lucky the conficker authors aren't more like the RIAA.

    20. Re:Am I the only one... by russotto · · Score: 1

      I think I'll join the kick in nads faction - what would have been really cool is if the Conficker author had used his talent for something constructive, not destructive.

      Evil likely pays better. Though the retirement plan sucks.

    21. Re:Am I the only one... by Architect_sasyr · · Score: 1

      Ok so it doesn't apply to the current round of updates, but I used to admin a server that couldn't be upgraded to 2000 SP4 - trying to do so would cause irreparable damage (Full restore from backup, every single time). It's one thing to abuse an admin for not applying a patch, it's another to be that admin and making sure that adding it will work ok. The only sane security policy in a situation like that is protecting the internal network, but you can't protect a file server from an SMB attack if you need it to be a file server - and if you can't patch it for whatever reason......

      --
      Me failed English...
      FreeBSD over Linux. If my comments seem odd, this may explain...
    22. Re:Am I the only one... by icannotthinkofaname · · Score: 1

      You are not alone. I, too, am quite impressed by the efforts of the programmers.

      --
      Let q be a radix > 1. I am in ur base-q, killing 10 d00ds.
    23. Re:Am I the only one... by Dorkmaster+Flek · · Score: 1

      Guess it would have been a pretty lousy movie if all the shark did was eat seals though......

      I think I saw that movie on Discovery Channel once.

      --
      I like to think of online DRM as something akin to a college -- you pay for lessons until you learn something.
    24. Re:Am I the only one... by Mister+Whirly · · Score: 4, Funny

      "Probably would have been in the best interest of the shark to stick to eating seals "

      Undoubtedly. Everyone knows seals are terrible shots with rifles.

      "Guess it would have been a pretty lousy movie if all the shark did was eat seals though......"

      I would watch that movie over anything starring Kevin Costner or Ben Affleck any day!!

      --
      "But this one goes to 11!"
    25. Re:Am I the only one... by Shrike82 · · Score: 1

      Yeah, I probably should have thought of a better example. You get the idea though, things are impressive until they bite you on the arse.

      --
      You can advertise in this sig from as little as £99.99 a month!
    26. Re:Am I the only one... by Binestar · · Score: 4, Informative

      Ok so it doesn't apply to the current round of updates, but I used to admin a server that couldn't be upgraded to 2000 SP4 - trying to do so would cause irreparable damage (Full restore from backup, every single time). It's one thing to abuse an admin for not applying a patch, it's another to be that admin and making sure that adding it will work ok. The only sane security policy in a situation like that is protecting the internal network, but you can't protect a file server from an SMB attack if you need it to be a file server - and if you can't patch it for whatever reason......

      If you can't patch it for some reason you fix the reason the patch fails. If that involves a server upgrade to 2003, then so be it. Hell, you mentioned it's an SMB attack and you can't protect against that if you're a file server. While true in a sense, you *can* protect against it by making sure all the non-file servers on the network aren't vulnerable. Make sure you don't use that machine for anything other than the applications you need (certainly don't use it as a terminal server as well). Have a security policy in place that makes it so you can't add vulnerable computers to the network, have a firewall between the company and the internet, etc.

      This is something people don't understand until it happens to them, but security is serious business, if you have a server that has a must have application on it and you don't keep that thing #1: Backed up, #2: Up to date with security, you are just waiting for either data loss or time loss on the server.

      If you can't afford to replace a server in that condition, then you likely can't afford the IT professional you hired to run it.

      Hardware is inexpensive, especially considering you're running on Windows 2000 pre-SP4, you can get a low end server as a replacement and it'll be a very good upgrade. That's not even considering if you can replace with something other than windows or not!

      --
      Do you Gentoo!?
    27. Re:Am I the only one... by Shakrai · · Score: 4, Funny

      Everyone knows seals are terrible shots with rifles.

      Yeah but they are pretty deadly with handguns ;)

      I would watch that movie over anything starring Kevin Costner or Ben Affleck any day!!

      What if we could feed them to sharks?

      --
      I want peace on earth and goodwill toward man.
      We are the United States Government! We don't do that sort of thing.
    28. Re:Am I the only one... by snspdaarf · · Score: 1

      What if the seals were shooting them with handguns?

      --
      Why, without your clothes, you're naked, Miss Dudley!
    29. Re:Am I the only one... by Mister+Whirly · · Score: 1

      "What if we could feed them to sharks?"

      That is a movie I would buy! But do they get fed to the sharks before or after the seals shoot them with handguns? Or maybe they could get shot while being eaten by sharks. Hey Hollywood, we actually have an original idea here for a movie. Pay attention!

      --
      "But this one goes to 11!"
    30. Re:Am I the only one... by Mister+Whirly · · Score: 1

      I know a woman who wanted a modem installed in her system (this was about 5 years ago). She bought the modem, but couldn't figure out how to install the drivers. She called GeekSquad and they sent over one of their drooling morons. He proceeded to go into her computer room, close the door and was in there for 3 1/2 hours. He eventually came out and handed her a bill for 3 1/2 hours labor and traveling charges - it was just under $300 IIRC. To install a $20 modem. I told her she probably could have bought a brand new system that already had a modem for about $100 more...

      --
      "But this one goes to 11!"
    31. Re:Am I the only one... by Lumpy · · Score: 1

      I prefer kicking in the NAD's the executive at that bank that decided to NOT issue all users SecureID keyfobs for their logins. Conficker can capture your login details all day long, if they don't have the SecureID information they can't get logged in.

      Actually considering today's economy, I think just kicking any bank executive in the Nuts is a perfectly good thing to do.

      --
      Do not look at laser with remaining good eye.
    32. Re:Am I the only one... by Anonymous Coward · · Score: 0

      What about a movie starring Kevin Costner AND Ben Affleck? I bet you'd watch that.

    33. Re:Am I the only one... by Tubal-Cain · · Score: 1

      Yeah but they are pretty deadly with handguns ;)

      But they're no match for kittens with sniper rifles.

    34. Re:Am I the only one... by DittoBox · · Score: 2, Insightful

      Some security updates can break poorly written "Enterprise" software. The kind that PHBs love.

      If they hadn't been fully tested with all the "Enterprise" software then he'd be utterly screwed if there were any problems.

      --
      Good. Cheap. Fast. Pick Two.
    35. Re:Am I the only one... by kirillian · · Score: 1, Insightful

      I'm glad, Binestar, that you have a boss that gives you a large enough budget to do so...or that you make your own budget. It's nice to be in a comfortable situation like that. However, if you hadn't noticed, in today's current economy, the CEO's buy personal jets with the IT department's security budget and the lawyers dictate how everyone spends their money. Being an IT Professional means trying to do an impossible job with no manpower and no budget in most companies...personally...my boss wastes thousands upon thousands on his own personal pet projects, but is loath to spend a few thousand to upgrade VITAL servers that are overworked. Security is important. However, sometimes, you have to work for/with idiots. You also have the infamous managers/bosses and their favorite people who have to have authorization to do EVERYTHING. So, you then have to deal with internal company security, hiding the fact that there is a super-user level account so that the boss CAN'T have access (because he's stupid enough to play around and destroy things). IT Professionals have a lot of other things to deal with. Idealism rarely has a place in the professional world - despite the fact that we wish it could.

    36. Re:Am I the only one... by DomNF15 · · Score: 2, Informative

      When I get phone calls from people asking me to fix their Conficker infected PCs, my first comment to them isn't "Told you so! Seems like you should have spent a small amount of time patching your machine". Not only would that be bad business, but most people in that situation don't understand the fundamentals at work here. If they did, I wouldn't be getting calls in the first place. That's where I come in, fix/configure their PC appropriately, and educate them as best I can. Telling me I should have patched machines I have no control over after the fact isn't very helpful...

    37. Re:Am I the only one... by Andy+Dodd · · Score: 1

      Sometimes there are cases where you're using a no-longer-maintained software tool that itself does not work on newer Windows version.

      At work we have a Windows NT machine that performs one specific function, the software that performs this function fails on Win2k/XP/Vista - it's THAT old and it's unmaintained.

      As a result that machine is firewalled off from the rest of the network.

      --
      retrorocket.o not found, launch anyway?
    38. Re:Am I the only one... by cool_story_bro · · Score: 1

      I was dealing with an infected system, so I read as much about conficker as I could. Between the multiple infection vectors and the p2p network it sets up to update itself from the cloud and the ridiculous amount of effort required (in some cases) to remove it and patch the system without reinfection, I couldn't help but think of skynet

      --
      You must wait a little bit before using this resource; please try again later.
    39. Re:Am I the only one... by RiotingPacifist · · Score: 1

      That's not the conficker source, that's merely source that performs the same actions as a subset of conficker. You do bring up the interesting point that as it's difficult for a virus maker to copyright code, does that make most viruses public domain?

      --
      IranAir Flight 655 never forget!
    40. Re:Am I the only one... by louiswins · · Score: 1

      We're programmers here. That was the inclusive or.

    41. Re:Am I the only one... by Lord+Ender · · Score: 1

      That's the wrong way to do it. That's a built-in DoS vulnerability. You should NEVER auto-lockout accounts. The frequency between authentication attempts should be increased with every failed attempt, and multiple failed attempts should alert security personnel (who may decide to block the IP address causing trouble).

      Auto-lockout is BAD BAD BAD. I don't care that it's the default config for Windows. You use it, you fail.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    42. Re:Am I the only one... by Anonymous Coward · · Score: 0

      But see, you're not the person that the GP was talking about. You've taken the necessary steps to protect the vulnerable machine.

      The problem is the "Wah wah wah, security is too hard and expensive," crowd. Guess what? It's not too hard, or too expensive. There are simple, inexpensive steps you can take to address the vast majority of your security problems. You took one of those steps--good on you!

    43. Re:Am I the only one... by ash211 · · Score: 1

      No, you're not :)

      It's astounding how the group that produces and supports Conficker can do so many things correctly, from cryptographically signed updates distributed P2P to blocking cleaning software and DNS access to antivirus vendors, it's pretty spectacular.

      They definitely get the easy way out though, with such a narrowly defined scope. Without having to mess with users' input, GUIs, and all sorts of other peculiarities, it's a lot easier to get your code well-secured with malware than if you were writing a traditional application.

    44. Re:Am I the only one... by PopeRatzo · · Score: 1

      I guess it takes distance to gain perspective.

      Distance or some simple precautions.

      --
      You are welcome on my lawn.
    45. Re:Am I the only one... by PopeRatzo · · Score: 2, Funny

      Yeah but they are pretty deadly with handguns ;)

      Sure, haven't you ever heard of "conseal-carry"?

      --
      You are welcome on my lawn.
    46. Re:Am I the only one... by PopeRatzo · · Score: 1

      What about a movie starring Kevin Costner AND Ben Affleck? I bet you'd watch that.

      Only if they had sex with each other.

      --
      You are welcome on my lawn.
    47. Re:Am I the only one... by PopeRatzo · · Score: 1

      in today's current economy, the CEO's buy personal jets with the IT department's security budget

      No, they buy personal jets with TARP funds.

      --
      You are welcome on my lawn.
    48. Re:Am I the only one... by PopeRatzo · · Score: 1

      Some security updates can break poorly written "Enterprise" software.

      You do realize that Star Trek was fictional, right?

      --
      You are welcome on my lawn.
    49. Re:Am I the only one... by cp.tar · · Score: 1

      Some security updates can break poorly written "Enterprise" software.

      You do realize that Star Trek was fictional, right?

      ... but now it's true?

      --
      Ignore this signature. By order.
    50. Re:Am I the only one... by Anonymous Coward · · Score: 0

      I'd wager that if you're a shark, the "chewing on your leg" part would still be cool.

      Sharks got legs?

    51. Re:Am I the only one... by Anonymous Coward · · Score: 0

      There are people collecting this kind of malware and reading their descriptions for fun. F-Prot (for DOS) even had a special setting for them as "virus collection".

      It is a work of professional evil genius, no issue on that. I know 2 more viruses that were particularly interesting and probably were written just because they could. No kind of money involved.

      They are MSDOS-GoldBug which does amazing things like hiding in video card memory and Win32.Hybris which is state of the art code hopefully no virus/malware developer will ever achieve again. To give a clue about the complexity of the code, it didn't bother with the user's address book to grab new mail addresses, it basically watched the TCP stream of Windows for mail-like addresses.

      BTW, here is Goldbug description http://www.textfiles.com/virus/gold-bug.txt . This is Hybris http://www.viruslist.com/en/VirusList.html?page=0&mode=1&id=4112&key=00001000130000100044

    52. Re:Am I the only one... by Ilgaz · · Score: 1

      Ever wonder how people will act when they see a real mafia guy/boss in their real life and have to deal with him? I mean the people buying "The Godfather Collection" or "The Sopranos"?

      Just imagine what a guy like Tony Soprano could achieve in legit business, as he can manage thousands of psychopaths for his own good, on the street.

      And, why doesn't Hollywood make a trilogy like "Mother Teresa"? Because nobody would watch it :) People like the evil, watching the evil I mean.

    53. Re:Am I the only one... by kirillian · · Score: 1

      I was under the impression that they used the TARP funds to pay for their personal vacations, I mean, retreats where they discussed how they were going to blow the rest of their money...

    54. Re:Am I the only one... by lennier · · Score: 1

      Some security updates can break poorly written "Enterprise" software.

      You do realize that Star Trek was fictional, right?

      ... but now it's true?

      Every second alien ship would take over the computer just by looking at it... yep, an eerily accurate prediction.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    55. Re:Am I the only one... by Binestar · · Score: 1

      I bet that machine also isn't getting infected with Conficker because you handled security in this situation properly.

      --
      Do you Gentoo!?
    56. Re:Am I the only one... by Anonymous Coward · · Score: 0

      And interestingly, no actual damage. I mean, last I'd heard it hadn't actually been activated to do anything so far.

      Yeah I'm rather impressed by it. I don't have any Windows systems so I'm amused as well but Conficker's certainly ambitious.

      The other thing I find interesting is the occasional biological parallels that pop up with computer viruses. These viruses seem to circulate forever, there's STILL Nimda circulating for instance; in some cases (mainly with the Word viruses) two would infect a single file, and end up with a 3rd behavior different from the original two.

    57. Re:Am I the only one... by cp.tar · · Score: 1

      Every second alien ship would take over the computer just by looking at it... yep, an eerily accurate prediction.

      Now, is it because Open Source won, or because Microsoft won?

      --
      Ignore this signature. By order.
    58. Re:Am I the only one... by Pvt_Ryan · · Score: 1

      Yes, sadly I hadn't fully looked at the page before I pressed submit and the link had suggested that it was the full code.

      I'd love to see the court case whereby a virus writer tried to assert his copyright, or DMCA on methods of disabling his code.

    59. Re:Am I the only one... by GarryFre · · Score: 1

      Yeah, like the idea I had years ago. Write "Viruses" that act like antiviruses .. which remove or disable bad code after asking the user permission. There are all kinds of things that can be done to help people instead of hurt them or ruin their lives. I put those who write malware in the same class as people who poison a water supply or taking potshots at people with a scope rifle. They are playing with people's lives by creating havoc. How many companies went under or how many people lost their jobs because some virus was the straw that broke the camel's back, and unemployment is a disaster that many are suffering. How many have committed suicide, or lost their lives or family members because they could no longer afford medical care, and a healthy standard? Creeps that write viruses are in my opinion one step short of murder, if not actual blood guiltiness.

      --
      www.Migrainesoft.com - Computer giving you a headache? We can fix that!
    60. Re:Am I the only one... by GarryFre · · Score: 1

      Why are they publishing source code for malware? That's like someone opening a vault of guns and inviting everyone to come get one. I refuse to look at code to make a virus for the same reason I don't go looking to learn how to make a bomb ... I am not interested in harming others. They should not be publishing code to malware because some dunderhead will emulate it and make his own malware and swath of destruction. Why did you include that link?

      --
      www.Migrainesoft.com - Computer giving you a headache? We can fix that!
    61. Re:Am I the only one... by Pvt_Ryan · · Score: 1

      It was for reference, and as was noted above, it is actually not the complete code, just the segment for port generation.

      Know thy enemy...

  2. fyodor by Anonymous Coward · · Score: 0

    Hey - didn't fyodor write nmap? And isn't he the guy that illegally hacked some poor kid's machine a couple of years ago via an X server and then posted a slashdot story about it?

    Shouldn't he be in prison for that? Is nmap being developed behind bars or what?

    1. Re:fyodor by Anonymous Coward · · Score: 1, Informative
    2. Re:fyodor by RiotingPacifist · · Score: 1

      [citation needed]
      anyway, imho, if it did happen, the kid's fault for:
      1) being a dick
      2) running an unsecured computer while pretending to know about computers

      --
      IranAir Flight 655 never forget!
  3. Protocol by s1lverl0rd · · Score: 2, Interesting

    What if Conficker D changes its 'protocol' and marks every computer that sends an 'old message' as either a host that needs updating or an nmapping attacker/next victim?

    1. Re:Protocol by Anonymous Coward · · Score: 0

      What if Conficker D changes its 'protocol' and marks every computer that sends an 'old message' as either a host that needs updating or an nmapping attacker/next victim?

      What if on the night you were conceived, your mom decided to give your dad head instead?
      Posting AC cause you don't need to know my /. id, son.

  4. Or... by Anonymous Coward · · Score: 2, Interesting

    Easiest way to detect if you're infected: see if you can reach nmap.org

    1. Re:Or... by RiotingPacifist · · Score: 2, Informative

      nmap can scan an entire network though, this is good news, especially if you're pen testing and you find the network is full to the brim with bots.

      --
      IranAir Flight 655 never forget!
  5. This sounds like a temporary measure... by Aklarr · · Score: 0

    Doesn't this sound like a temporary measure in that eventually the author(s) of Conficker will pick up on this and stop this method of detection?

    1. Re:This sounds like a temporary measure... by radtea · · Score: 4, Insightful

      Doesn't this sound like a temporary measure

      You say that like you think there's an alternative. There isn't.

      The viral ecology is an real ecology, where like all ecologies nothing is stable and everything is temporary.

      What this demonstrates, though, is that there are inherent limits to viral capabilities, because with added capability there is added vulnerability. This is true for OS's but it is equally true for viruses (yes, that is a correct English plural, ok?)

      So as virus programs get more complex and capable, they will generally also become more open to detection via exploitation of exactly those additional capabilities.

      --
      Blasphemy is a human right. Blasphemophobia kills.
    2. Re:This sounds like a temporary measure... by TheP4st · · Score: 1

      FTFA:

      To scan you network quickly for Conficker infections before the next variant breaks this new techinque[sic], we recommend this command:

      nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]

      If you have time for a slower but more comprehensive scan, use this instead:

      nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]

      --
      "I have downloaded hundreds and hundreds of records, why would I care if somebody downloads ours?" Robin Pecknold
    3. Re:This sounds like a temporary measure... by Anonymous Coward · · Score: 0

      "viruses" may be correct, but "an real ecology" isn't. But we're not here to pick nits. The meaning of your post is accurate.

    4. Re:This sounds like a temporary measure... by Mr+Thinly+Sliced · · Score: 1

      Did you ever stop to think that maybe the original poster isn't from an English speaking country (e.g. America)?

    5. Re:This sounds like a temporary measure... by Mister+Whirly · · Score: 1

      What? I thought every country spoke English. But then again I am just a dumb American.

      --
      "But this one goes to 11!"
    6. Re:This sounds like a temporary measure... by anegg · · Score: 1

      Offtopic: Due to the rather poor showing many Americans make posting with poor spelling and grammar, its somewhat understandable that one might assume a posting with poor spelling and/or grammer comes from a native English-like language speaker...

      Ontopic: Malware sucks. People who write malware and release it into the real world suck. I don't admire them any more than I would admire the perpetrators of a successful act of terrorism resulting in mass murder. A brilliant individual who chooses to use his/her skills to destroy society rather than build it up deserves scorn, not admiration. Destruction is rather easy. Construction is difficult. In a similar vein, I don't salute the use of malware to prove security vulnerabilities any more than I would clap for some bonehead who throws a rock through my window to show how easy it is to break into my house.

    7. Re:This sounds like a temporary measure... by Lord+Ender · · Score: 1

      Viruses which only accept RSA-signed commands can be made more and more capable while being far less vulnerable.

      Your reductionism is overdone.

      --
      A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    8. Re:This sounds like a temporary measure... by Anonymous Coward · · Score: 0

      Since when do Americans speak English?

    9. Re:This sounds like a temporary measure... by Geo++ · · Score: 1

      This just made me think: what if the conficker authors came forward to press charges under the DMCA for reverse engineering their code? Would they have a legal case against the white hats?

  6. Clever but... by Shrike82 · · Score: 4, Insightful
    Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it. We already established that the worm exploits a vulnerability that was patched before its release, and we've speculated that therefore it's mainly affecting users who are clueless about security, and therefore unlikely to even realise they have a problem?

    From TFA:

    To scan your network quickly for Conficker infections before the next variant breaks this new technique, we recommend this command: nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]

    Now forgive me but people like my parents (running Windows 98 until last year, now on XP) with no idea about security, no anti-virus scanner (despite my lectures over the phone) and no idea what the symptoms of a virus, worm or other malware, are not going to find this information, nor know what to do with it if they did.

    Computing professionals might have little trouble detecting and removing Conficker, or are safe in the knowledge that they were protected before its release, but we'll still have to deal with the consequences of a botnet comprised of infected computers belonging to people with little or no technical computer knowledge.

    --
    You can advertise in this sig from as little as £99.99 a month!
    1. Re:Clever but... by flyingfsck · · Score: 3, Insightful

      Clearly, your parents don't have a problem. They have a child that can fix things for them. On the other hand, you have a problem, so you should install a reverse VNC client on their machine so they can connect to you for support.

      --
      Excuse me, but please get off my Pennisetum Clandestinum, eh!
    2. Re:Clever but... by windsurfer619 · · Score: 1

      Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it.

      How can you post a question without a question mark. Does this confuse your brain.

    3. Re:Clever but... by 0racle · · Score: 1

      HINT: NMAP and related tools might not be aimed at people like your parents.

      You're talking about a user education problem, this is an article about a tool for IT professionals.

      --
      "I use a Mac because I'm just better than you are."
    4. Re:Clever but... by Shrike82 · · Score: 1

      Clearly, your parents don't have a problem. They have a child that can fix things for them.

      Sadly for them they raised a lazy and selfish child, and I can't be bothered to manage their computer's security for them, even remotely. At some point my Dad's love of naked chicks will land him in trouble, as there's only so many "Free p0rn" e-mails you can open before something nasty gets you.

      --
      You can advertise in this sig from as little as £99.99 a month!
    5. Re:Clever but... by fuzzyfuzzyfungus · · Score: 2, Informative

      The nmap based tools obviously aren't the right tool for the "clueless parents/noobs/whatever" case. If you have a large number of machines to check and at least one competent person, use nmap. If you need to test a noob's box over the phone, just have them open the Conficker eyechart and tell you whether the images load or not.

    6. Re:Clever but... by Lord+Pillage · · Score: 1

      How can you post a question without a question mark. Does this confuse your brain.

      No?

      --
      try { Signature mysig = new CleverAttempt(); } catch(NonCleverSignatureException e) { postanyway(); }
    7. Re:Clever but... by Sockatume · · Score: 1

      That's advice on how to automate scanning a large network of machines for infections. There's a trivial method for confirming that Conficker is present on a machine if you don't mind spending five minutes in front of it typing in URLs, and tools to remove it quite easily.

      --
      No kidding!!! What do you say at this point?
    8. Re:Clever but... by ukyoCE · · Score: 2, Insightful

      I don't think the story is targeted at parents. It's targeted at sysadmins trying to clean Conficker off their network. Your parents won't run it, but perhaps Comcast will run it and get your parents fixed up. Or your parents' sysadmin at work will run it and fix their work computer.

      It's kind of silly to expect TFA is targeted at "your parents" when it's using nmap to scan a network...

    9. Re:Clever but... by maxume · · Score: 1

      A couple of weeks ago, that site took the entertaining step of being down for some reason other than Conficker.

      --
      Nerd rage is the funniest rage.
    10. Re:Clever but... by Shrike82 · · Score: 4, Funny

      There are two possibilities:

      1) I started writing a question, got distracted half way through and then finished the sentence as a statement
      2) I accidentally put a full stop instead of a question mark
      3) Conficker performed a man-in-the-middle attack and messed with my punctuation

      You can pick the answer you like best.

      --
      You can advertise in this sig from as little as £99.99 a month!
    11. Re:Clever but... by Shrike82 · · Score: 1

      I know the article and others like it aren't aimed at clueless users, in fact I thought my post made that pretty clear. My point was that no matter how many clever solutions are created we're still going to be stuck with a sizeable array of computers that can be used for evil-doing, until an automatic detection and removal tool that can be simultaneously delivered and run on pretty much every infected machine at the same time is created.

      And I think we're all aware of how likely to happen that is...

      --
      You can advertise in this sig from as little as £99.99 a month!
    12. Re:Clever but... by Shrike82 · · Score: 1

      It's kind of silly to expect TFA is targeted at "your parents" when it's using nmap to scan a network...

      Indeed, I should have been clearer in my post. What I meant to say was along the lines of "people like my parents, if their PC gets infected, are unlikely to ever remove the worm, and it'll be on their machine until the day they throw it out and buy a new one".

      Bottom line: a pretty big botnet exists, and despite numerous clever solutions that can help clean it off large networks quickly there will still be a lot of PCs infected for the foreseeable future.

      --
      You can advertise in this sig from as little as £99.99 a month!
    13. Re:Clever but... by windsurfer619 · · Score: 1

      *puts on tinfoil robe and wizard hat*
      Musta been conficker!

    14. Re:Clever but... by Shrike82 · · Score: 1

      So aggressive. You should chill out man. Or are you going for the "Most Aggressive Twat on Slashdot" achievement?

      Like I've said to the many people before you who pointed out my confusing (and badly written) paragraph, I should have said something less about this particular solution, and more about how no solution that requires significant user intervention is going to "solve" the Conficker problem.

      --
      You can advertise in this sig from as little as £99.99 a month!
    15. Re:Clever but... by Anonymous Coward · · Score: 0

      You might want to be a little more proactive with your parents. If they're using that computer to access bank accounts or whatever then not only could they have problems but you might lose your inheritance.

      Really, with a modern install like Ubuntu Jaunty (releasing tomorrow) even my 70-year-old parents have no problems using Linux. When they do need Windows (e.g. TurboTax or whatever) they use a Windows VM that I set up for them. Simple, one-click "do Windows stuff" type thing with a clean snapshot that I can have them revert to if needed. With VMware Unity you can't even tell you're running Windows in a VM (other than the window decorations, heh).

      They do think about security though so they realize that Linux is not perfect but safer than Windows for their day-to-day surfing, etc.

    16. Re:Clever but... by Spliffster · · Score: 1

      Isn't the biggest problem with worms like Conficker the fact that most of the affected users are totally unaware that they have it.

      Maybe yes, maybe nooo. I have a legit copy of Windows XP at home (OEM, came with my computer). But I refuse to install WGA. So I am not sure if I get those patches (the Windows Update website doesn't work for me; however, eventually I get updates somehow). Also, I am not going to find all these hotfixes and apply them manually (my time is too valuable for this kind of shit).

      Because this is my gaming computer, I do not care much since I hardly ever boot into Windows anymore and it's the only Windows install in my network.

    17. Re:Clever but... by Anonymous Coward · · Score: 0

      Now forgive me but people like my parents (running Windows 98 until last year, now on XP) with no idea about security, no anti-virus scanner (despite my lectures over the phone) and no idea what the symptoms of a virus, worm or other malware, are not going to find this information, nor know what to do with it if they did.

      But that is a good thing. Tools like NMAP are targeted at the people who manage the network, not the people that use it, or own it.

      If your parents are running a network themselves and still running 98, then that is where the problem lies. They really need someone to do that for them (IE yourself, or a paid professional), and the odd part is you describe it like that is the case (IE you take care of their network/computer(s) for them) so what is the problem?

      The network admins like myself find such tools very useful however. Please don't put the tools down because people that shouldn't be using them won't know how to use them...

    18. Re:Clever but... by Anonymous Coward · · Score: 0

      >How can you post a question without a question mark.

      WTF?

    19. Re:Clever but... by Sockatume · · Score: 1

      I suppose there's just one possibility here, you started writing two possibilities and accidentally added a third or conficker done it.

      --
      No kidding!!! What do you say at this point?
    20. Re:Clever but... by RiotingPacifist · · Score: 1

      But Google won't let you down! The cache (link will change, but you can just Google the URL for a new one): because the top 6 images are remotely hosted it will still work while the actual server is being DDoSed, and I doubt that the Conficker guys are going to take down Google.

      --
      IranAir Flight 655 never forget!
    21. Re:Clever but... by cool_story_bro · · Score: 1

      whoosh

      --
      You must wait a little bit before using this resource; please try again later.
    22. Re:Clever but... by Anonymous Coward · · Score: 0

      You are a dick. Your parents should have just aborted.

    23. Re:Clever but... by Ilgaz · · Score: 1

      Can you at least send them to http://housecall.antivirus.com/ ? It may find it and clean it. If they can't reach there, they could be infected; old-time tricks like using a hex URL etc. may help.
      Now what we need is ActiveX-like installing antivirus (not joking) which will install with minimum user interaction. Housecall from Trend is a great favour to newbie users, especially after they got rid of the "pay us to clean it" scheme but... it is still not a real antivirus to watch the system. It seems the Kaspersky guys have a plan (Kaspersky Online Scanner Pro) but it may get pricey.

      I remember McAfee having a kind of "antivirus subscription" back in the day; did they give up, or did things become too advanced to watch with an ActiveX-installed program? Not sure.

      BTW, no newbie around me got infected with Conficker because I actually forced them to install Windows updates. My excuse was simple... "It is 2 AM at Redmond, Washington and MS releases a security update; this can't be good". Thankfully they listened to the "2 AM" part and took it seriously enough to run Windows Update. I made up the "2 AM" thing but it was a really awkward time they released it, and their number 1 media puppet made it news in a very off-topic way. I knew something was going on. That update was the one closing the Conficker hole. MS really knew that security issue would lead to very bad places.

  7. Happy middle? by Anonymous Coward · · Score: 2, Funny

    Shake his nads?

    1. Re:Happy middle? by Trikki+Nikki! · · Score: 5, Funny

      I would just like to say that I read Slashdot at work, and in the future I would appreciate if you people could stop posting comments that cause me to giggle uncontrollably and thus urinate in my cubicle. It has become a great concern to my boss, as I am unable to explain the real reason behind my lack of bladder control. Thanks in advance.

      --
      i r in ur /.s girling up ur storiez
    2. Re:Happy middle? by Anonymous Coward · · Score: 0

      Hey, up to +3 on your second post here on /., and already it looks like you're making quite a splash!

    3. Re:Happy middle? by RiotingPacifist · · Score: 1

      just use netcat like the rest of us, that way you can always 'grep -v funny', when your bladder is full

      --
      IranAir Flight 655 never forget!
  8. Hurrah for the Elite Conficker Posse! by Anonymous Coward · · Score: 0

    Oh wait, this isn't them. OK I can't think of a clever snark, so hurrah for the smart folks at NMAP, and haha to the window-dressing Conficker Posse.
    http://www.internetnews.com/security/article.php/3802626/Microsoft+Rounds+Up+Posse+to+Nab+Conficker.htm

  9. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  10. Nmap? by xtracto · · Score: 2, Interesting

    Isn't the guy who created nmap active on slashdot? (fyodor or something like that?)

    --
    Ubuntu is an African word meaning 'I can't configure Debian'
  11. Evil pays if and only if... by DomNF15 · · Score: 1

    it doesn't land you in jail, or has the potential prospect of landing you in jail. If there is even the possibility of going to jail, then for me, it doesn't pay. There's already enough to worry about aside from dropping the soap...

  12. compile error by Anonymous Coward · · Score: 0

    This sounds cool, and I figured I could build it and scan all our boxes here at work ... but it doesn't seem to compile (at least, under Solaris 10).

  13. We need Fonkicker... by edsousa · · Score: 1

    to kick Conficker's ass like in Terminator:SCC we have John Henry to fight Skynet...

  14. Curious Yellow? by ZzzzSleep · · Score: 1

    Curious Yellow here we come...

  15. Super Secret Conficker Identifier by symbolset · · Score: 1

    I have discovered that almost all of the computers infected with Conficker apparently come with a sticker on the front for ready identification. It has a flag shape divided into red, green, blue and yellow quarters. If you have this flag sticker you might be at risk!

    --
    Help stamp out iliturcy.