Slashdot Mirror

← Back to Stories (view on slashdot.org)

After 1 Year, Conficker Infects 7M Computers

Posted by Soulskill on from the happy-anniversary-now-run-an-antivirus dept.

alphadogg writes "The Conficker worm has passed a dubious milestone. It has now infected more than 7 million computers, security experts estimate. On Thursday, researchers at the volunteer-run Shadowserver Foundation logged computers from more than 7 million unique IP addresses, all infected by the known variants of Conficker. They have been able to keep track of Conficker infections by cracking the algorithm the worm uses to look for instructions on the Internet and placing their own 'sinkhole' servers on the Internet domains it is programmed to visit. Conficker has several ways of receiving instructions, so the bad guys have still been able to control PCs, but the sinkhole servers give researchers a good idea how many machines are infected."

35 of 95 comments (clear)

  1. Ding! by Mazda6s · · Score: 5, Funny

    Gratz

  2. Cleaning job by Acapulco · · Score: 2, Interesting

    Is there a way for the researchers to use the sinkhole to clean the worm?

    Maybe they can inject instructions to the worm so it shutsdown but not before it spreads the "fix" to other computers? So along counting the number of PC's infected they also help in cleaning the worm. Impossible?

    --
    Slashdot. Unreadable news to annoy nerds. - wonkey_monkey
    1. Re:Cleaning job by Anonymous Coward · · Score: 5, Informative

      Maybe they can inject instructions to the worm so it shutsdown but not before it spreads the "fix" to other computers?

      Conficker is notable because it isn't a total piece of script kiddie crap. It uses asymmetric crypto to only accept instructions from the creator. It also patches the hole on the way in, so you couldn't even reinfect Conficked boxes with a cleaner.

    2. Re:Cleaning job by linguizic · · Score: 2, Funny

      Wasn't that an episode of Stargate SG-1?

      --
      Does this sig remind you of Agatha Christie?
    3. Re:Cleaning job by migla · · Score: 3, Funny

      I don't know if that was an episode of SG1, but you sig does remind me of Agatha Christie.

      --
      Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
    4. Re:Cleaning job by migla · · Score: 3, Informative

      That would depend on whether the authors chose encryption that could be decrypted in a billion years with the combined computing power of today or if they chose some smaller number or a larger one.

      --
      Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
    5. Re:Cleaning job by icebike · · Score: 5, Informative

      Is there a way for the researchers to use the sinkhole to clean the worm?
       

      Probably not.

      But YOU CAN HELP:

      Just Click the the CornFlicker Eye Chart to test your machine:

      http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

      You can read about it in the link posted in TFA.

      --
      Sig Battery depleted. Reverting to safe mode.
    6. Re:Cleaning job by shentino · · Score: 2, Insightful

      It's not just that.

      Being a good samaratin like that often fails because of the risk you'll mess up and get slammed with a lawsuit. Simply by participating in the affair you become jointly and severally liable if anything goes wrong.

    7. Re:Cleaning job by buchner.johannes · · Score: 2, Insightful

      Is there a way for the researchers to use the sinkhole to clean the worm?
        Maybe they can inject instructions to the worm so it shutsdown but not before it spreads the "fix" to other computers? So along counting the number of PC's infected they also help in cleaning the worm. Impossible?

      If you just sniff traffic, that doesn't mean you can inject instructions. And even if, how do you make sure *you* don't ruin the users computers? It is a ethical problem as soon as you mess with other peoples machines; These Botnet hijackers explain that too.
      So, no, researchers are not going to do that. Also, too complex technically.

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    8. Re:Cleaning job by dangitman · · Score: 4, Funny

      Probably not.
      But YOU CAN HELP:
      Just Click the the CornFlicker Eye Chart to test your machine:

      Do you think I'm some kind of patsy? I'm not getting suckered into your virus propagation scam!

      --
      ... and then they built the supercollider.
    9. Re:Cleaning job by Runaway1956 · · Score: 2, Interesting

      I would cite the various "good samaritan" laws, as well as implied consent. The braindead gave implied consent to have viral infections cleaned from their computers by having an infection to start with.

      FFS - everyone worries about being sued, so they do nothing. You bet your arse, if I were smart enough to program the virus to self destruct, I would do so in an instant. No thoughts about being sued, period.

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    10. Re:Cleaning job by Interoperable · · Score: 2, Informative

      They have yet to demonstrate that their device is capable of quantum computation. Rather than address that they've made it compute with larger registers of bits but don't seem to have ever verified that an "answer" from it is correct; it could be spitting out classical random numbers for all anyone knows. Furthermore, the guys who developed the theory for an adiabatic quantum computer (the type of computer that D-Wave is making) say D-Wave doesn't seem to understand the theory and can't possibly be making true claims. See the criticism section of the Wikipedia article, it has some good links.

      --
      So if this is the future...where's my jet pack?
  3. Action not words! by basketcase · · Score: 2, Insightful

    Are these researchers doing anything about it? Have they handed the IP lists with timestamps over to the appropriate ISPs or corporate network administrators so that the infected systems can be dealt with? Did they even put up a page where you can check yourself or your network?

    Merely counting the infected is nothing but mental masturbation. Even the lame government census has moved beyond simply counting.

    1. Re:Action not words! by thePowerOfGrayskull · · Score: 3, Informative

      ? Did they even put up a page where you can check yourself or your network?

      Yes

    2. Re:Action not words! by buchner.johannes · · Score: 2, Informative

      The researchers behind this botnet hijack did report to the appropriate people: http://www.youtube.com/watch?v=2GdqoQJa6r4&feature=youtube_gdata
      And they also say counting IP addresses is off by a factor of 10.

      so 7 million IP adddresses really mean 700.000 computers

      Analysing is always the first step, I'm sure they or other people are coming up with something. Like selling their malware remover software ;-)

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
  4. I'm safe! by dword · · Score: 4, Funny
    I've read that Antivirus 2009 removes conflicker, so I have installed it. Now I have to get rid of the other viruses I'm getting warnings about and for that I only need
    • Cyber Security
    • Alpha Antivirus
    • Braviax
    • Windows Police Pro
    • Antivirus Pro 2010
    • PC Antispyware 2010
    • FraudTool.MalwareProtector.d
    • Winshield2009.com
    • Green AV
    • Windows Protection Suite
    • Total Security 2009
    • Windows System Suite
    • Antivirus BEST
    • System Security
    • Personal Antivirus
    • System Security 2009
    • Malware Doctor
    • Antivirus System Pro
    • WinPC Defender
    • Anti-Virus-1
    • Spyware Guard 2008
    • System Guard 2009
    • Antivirus 2010
    • Antivirus Pro 2009
    • Antivirus 360
    • MS Antispyware 2009

    or

    • A Unix-based operating system (such as OS X or Ubuntu)
    1. Re:I'm safe! by maxume · · Score: 4, Insightful

      It's too bad there isn't a tiresome mod.

      --
      Nerd rage is the funniest rage.
    2. Re:I'm safe! by icebike · · Score: 2, Insightful

      Half the things you listed are malware themselves.

      But your point is well taken regarding just about any flavor of Linux or OSX.

      When Windows 7, fresh out of the box from Redmond nags you go get an antivirus that says something right there.

      First it says Microsoft has no confidence in the ability of this version to stop any malware.

      Second it transfers blame to a sketchy industry that had grown up based on a dodgy OS, and actually lobbied Microsoft not to lock them out, demanding the same holes in the OS that allow viruses in, in order to install their slow-ware.

      If Windows 7 was half the Operating system Microsoft claims it is it wouldn't need an antivirus. It would just delete your user account every time you switched to your guest account like OSX and be done with it. (Hey, its a joke. No flames..).

      --
      Sig Battery depleted. Reverting to safe mode.
    3. Re:I'm safe! by thePowerOfGrayskull · · Score: 3, Informative

      Argue all you want, but you can't deny that such malware is a whole lot less likely to download and install itself on a Unix-based system.

    4. Re:I'm safe! by dword · · Score: 4, Informative

      Half the things you listed are malware themselves.
      Half? They're ALL malware (except for the last one, of course ;)

      Signed,
      Proud and happy user of Windows 7, OS X and Ubuntu

    5. Re:I'm safe! by buchner.johannes · · Score: 4, Funny

      because its ./configure script fails

      --
      NB: The message above might reflect my opinion right now, but not necessarily tomorrow or next year.
    6. Re:I'm safe! by Jeremy+Erwin · · Score: 2, Funny

      "checking for wine.... yes"

    7. Re:I'm safe! by cerberusss · · Score: 2, Funny

      To be honest, for most of the listed software, there was an RPM for RedHat 6.1. Unfortunately, the RPM depended on another RPM which we couldn't find.

      --
      8 of 13 people found this answer helpful. Did you?
  5. Not really 7m at all by Yobgod+Ababua · · Score: 5, Informative

    Everyone should read the original page, particularly the Introduction and section explaining how to interpret their population numbers.
    Here's a relevant quote:

    "The daily numbers should represent the potential maximum level of the infection, but in previous test cases usually prove to be much less than that maximum. So, take the range of 25% to 75% of the values that we display as the possible infection population and you will be close to the real value."

    So the people actually providing these numbers are really saying that the current number of infections is likely to be between 1,750,000 and 5,250,000.

    1. Re:Not really 7m at all by ColdWetDog · · Score: 3, Funny

      So the people actually providing these numbers are really saying that the current number of infections is likely to be between 1,750,000 and 5,250,000.

      Thanks, I feel so much better now.

      --
      Faster! Faster! Faster would be better!
  6. Re:Research = do not touch. by migla · · Score: 2, Funny

    Damages schmamages. It's only money. Just get someone who hasn't got any money to front the operation and damages wont mean a thing.

    --
    Some of my favourite people are from th US; Vonnegut, Chomsky, Bill Hicks.
  7. Re:Research = do not touch. by maharb · · Score: 4, Informative

    Except jail time.

  8. Conflicker? by gmuslera · · Score: 2, Funny

    Its name should be Legion by now.

  9. Hmm by Anonymous Coward · · Score: 5, Funny

    Conficker broke 7 Million Infections...
    Microsoft just released Windows 7...

    Has anyone ever seen Conficker and Windows 7 in the same room together?

  10. I think there is one way by xant · · Score: 2, Interesting

    Figure out how to trace a significant percentage of those IPs to their IP blocks to their ISPs. Notify the ISPs. Start a coalition among them to shut off infected customers with a message explaining why and how to fix. Start an advertising campaign to get public support for this and help pressure ISPs to join even though it is not in their short-term self-interest; sell it to them as good PR at this point. Ask them to send a coupon to customers who disinfect, with prorated hours to reimburse the customer for time spent disconnected due to the infection; 90% will never collect on it anyway. Again, pitch this as good PR. Ask them to do this again for the next major infection, again for good PR. (As far as I'm concerned, big companies can crow to the rafters about all their good deeds, as long as they actually do them.)

    It's pretty hard to kill this off with tech, but policy might work.

    --
    It's rare that you're presented with a knob whose only two positions are Make History and Flee Your Glorious Destiny.
  11. Re:Good point by Anonymous Coward · · Score: 4, Insightful

    Second time? Citation needed, seriously.

    Apart from self-contained data loss bugs that corrupt single files or bork their own data, the only difference between them is the identity of the data affected--deleting your user folder is no more or less "destructive" than deleting the Program Files folder or the System32 folder or any other combination of important data.

    More to the point, you have a short and selective memory. On the Windows side, the number of data loss bugs in the Microsoft KB is staggering--many of which far more easily triggered than the Snow Leopard bug (which PC World was unable to reproduce). There have been plenty of famous and significant data loss bugs in Windows' history, like the Windows 98SE shutdown bug, the Windows 2000 ATA bug, and even the Windows XP bug that ate the user data folders, quite similar to the Snow Leopard bug: http://www.v3.co.uk/vnunet/news/2116562/winxp-bug-ate.

    How about the similar data loss bug in the Linux kernel a few years ago: http://news.cnet.com/2100-1001-976427.html. A simple Google search will reveal several more, before and since, in the kernel and in distribution packages.

    Then there's the infamous Mozilla bug that wiped out the entire Program Files directory on Windows: http://www.mozillazine.org/talkback.html?article=4264

    It's not just user-level software development, either. Just look at Intel's repeated data loss bugs in their SSDs.

    All the big names have let a bug like this slip at one time or another. It's unfortunate, but inevitable.

  12. So disappointing by ndogg · · Score: 4, Interesting

    I know I'm a terrible person for thinking this, but I was really curious about the chaos that was to ensue once Conficker's creators brought the hammer down.

    *sigh*

    Alright, so hell is that way, right? --->

    --
    // file: mice.h
    #include "frickin_lasers.h"
    1. Re:So disappointing by Civil_Disobedient · · Score: 2, Interesting

      I was really curious about the chaos that was to ensue once Conficker's creators brought the hammer down.

      The most effective pathogens are the ones that keep their host alive as long as possible, because then they have best chances of re-infecting the healthy. BotNets are no different. If you "bring the hammer down," you lose everything.

      This is the reason why influenza is a far more dangerous killer than, say, Ebola.

  13. Windows virus devastates complacent idiots by David+Gerard · · Score: 2, Funny

    A computer worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is posing a growing threat to users blitheringly stupid enough to still think Windows is not ridiculously and unfixably insecure by design.

    Despite many years’ warnings that Microsoft regards security as a marketing problem and has only ever done the absolute minimum it can get away with, millions of users who click on any rubbish they see in the hope of pictures of female tennis stars having wardrobe malfunctions still fail to believe that taking Windows out on the Internet is like standing bent over in the street in downtown Gomorrah, naked, arse greased up and carrying a flashing neon sign saying “COME AND GET IT.”

    Microsoft cannot believe people have not applied the patch for the problem, just because they keep trying to use Windows Genuine Advantage to break legally-bought systems. “Don’t they trust us?” asked marketing marketer Steve Ballmer.

    Millions of smug Mac users and the four hundred smug Linux users pointed and laughed, having long given up trying to convince their Windows-using friends to see sense. “There’s a reason the Unix system on Mac OS X is called Darwin,” said appallingly smug Mac user Arty Phagge.

    “It can’t be stupid if everyone else runs it,” said Windows user Joe Beleaguered, who had lost all his email, business files, MP3s and porn again. “Macs cost more than Windows PCs.”

    “Yes,” said Phagge. “Yes, they do.”

    Ubuntu Linux developer Hiram Nerdboy frantically tried to get our attention about something or other, but we can’t say we care.

    --
    http://rocknerd.co.uk
  14. A lot more than 7m by sea4ever · · Score: 2, Funny

    A good set of these computers which are infected are going to be on dial-up connections, and they might have been offline at the time, also another large set are going to be behind firewalls and what-not which are supposed to prevent whatever on earth the firewalls were originally for, so even though only 7m unique IPs connected, a lot more didn't get the chance. There are probably a lot of 'offline' conficker-infected PCs out there. :) Let's hope that it starts using itself as one large cloud-computing system and acts as a tracker to replace TPB. and *when* will it upgrade it's host computers to linux? Surely it wants to become stronger. :)