Slashdot Mirror


The Birth and Battle of Conficker

NewScientist has an interesting look back at the birth of the Conficker worm and how this sophisticated monster quickly grew to such power and infamy. "Since that flurry of activity in early April, all has been uneasily quiet on the Conficker front. In some senses, that marks a victory for the criminals. The zombie network is now established and being used for its intended purpose: to make money. Through its peer-to-peer capabilities, the worm can be updated on the infected network at any time. It is not an unprecedented situation. There are several other large networks of machines infected with malicious software. Conficker has simply joined the list. The security community will continue to fight them, but as long as the worm remains embedded in any computer there can be no quick fixes."

6 of 239 comments

  1. Correction by HangingChad · Score: 3, Informative

    The security community will continue to fight them, but as long as the worm remains embedded in any Windows computer there can be no quick fixes.

    Fixed that for ya.

    --
    That's our life, the big wheel of shit. - The Fat Man, Blue Tango Salvage
    1. Re:Correction by Anonymous Coward · Score: 1, Informative

      ...except that the standard user can't do much to damage the system.

      So what? The problem isn't the local system being damaged, the problem is endless spam and DoS attacks. These work equally well from unprivileged users on both Linux and Windows.

      The worst they can do is to nuke their own files.

      Which, for a user, is the worst thing that can happen.

      As the OP said, all desktop operating systems have crap security. The one thing they protect is the one thing that matters least.

    2. Re:Correction by AceofSpades19 · Score: 2, Informative

      Uh, if those Windows machines actually ran "Windows Update" there would be no Conficker. So if Desktop Linux had the same users, they may not run "Ubuntu update". Why? Because the last time they updated, their machine stopped working properly. Think that will never happen? See: https://answers.launchpad.net/ubuntu/+question/24523 Notice that user actually understands "grub" and "kernels" and knows where to find help. Other users might just never update. If the O/S ever has millions of users, these users start to add up.

      This is why I run a stable distro that doesn't break everything all the time. Debian stable for example, I think it would be highly unlikely for anything to break during an update.

  2. Re:"Watch me" service by Anonymous Coward · Score: 5, Informative

    OpenDNS already have a system set up where, if you use their DNS servers, it will tell you if it detects any Conficker-type activity on your network. Non-intrusive, transparent to the end-user, and quite effective.

  3. Re:"Watch me" service by Anonymous Coward · Score: 2, Informative

    I ran an ISP only a few years ago. The number one source of identifying hacked PCs was abuse messages coming to our admin accounts. It didn't take our support staff long to lock out and call the customer. Many would say, "yes, the computer has been running slow lately", and thanked us for fixing their virus.

    We also monitored our MRTG graphs. If we noticed strange spikes in traffic, our network people would investigate. One time we had to shut down a chess server at a high school. I will say this was in a rural area where just getting ADSL in at all was difficult. We didn't have enough bandwidth back to MAE East to allow it on a multi-point circuit with many other oversubscribed customers. But, more often than not, it would be a hacked machine. We would cut it off and everyone else would get fast Internet back.

    Of course much is changing. Where it used to be Internet servers with root-kits, now it's at the user end. An IDS should be part of any Internetwork. Even allowing the millions of spam hitting can kill the most robust SMTP system. As for Conficker, blocking and monitoring its known ports doesn't require any "Bush era type" spying. It is just good networking. A good ISP will protect its address space from being put in a db. Of course, when it does happen, going to the db usually outs the hacked address space. For many years, colleges were the worst offenders. But it could be one customer on a dial-up line that pings you.

    The part that really gets me today is that most Wintel users don't have a DART (ERD) disk since they ain't MSCE'ed. I've quickly fixed many a PC with them. While the public is better educated when opening email, many still don't protect their browsers. I'm glad to see Win7 will be browser neutral in Europe. I would like to see Mozilla put up a list of recommended plug-ins on installation to at least get NoScript to more Firefox users. For you finger pointers out there, Java/Flash run on all the major web servers (and can be platform independent servers themselves).

    Combating hackers goes back to the pre-browser days (yes children, we used to gopher). Much of the early hacking led us to an open Internet (yes, it used to be a closed university/military network). Much of the early hacking was for chat, games, and Usenet. Today it is organized crime. Hacker ISPs run a lot of this business. I was glad to see one closed down recently, but there are many more still running. Add to that the server farms with many hacked servers, and we are here today. Powerful bot-nets controlled by the highest bidder. Some day, some stupid "green card spam" will crash everything again (yes, that is when we lost Usenet). Every ISP and server farm should be responsible and not be part of the problem.
    -John Clark

  4. Re:"Watch me" service by Opportunist · Score: 2, Informative

    "So? Ffffft.

    How likely is that to happen? Almost zero? Fffft. And when it happens? My bank will cover the loss so I shut up and don't make a stink about it, so does Visa, so? Ffffft."

    That's how this is perceived. It's no biggie. The money that may be lost will be covered by the financial institutions that don't want people to lose faith in online transactions. And that's about all people care about when it comes to identity theft.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.