
Conficker Worm Could Create World's Biggest Botnet

kdawson posted more than 5 years ago | from the holding-our-collective-breath dept.


nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"


220 comments

Evolution (4, Funny)

KasperMeerts (1305097) | more than 5 years ago | (#26526751)

The worm initially spread to systems unpatched against MS08-067, but has since 'evolved

It hasn't evolved. This is clearly Intelligent Design and anyone denying this is a godless heathen!

Re:Evolution (3, Informative)

gravos (912628) | more than 5 years ago | (#26526781)

Downadup and other such similar worms exploit a vulnerability in the Windows Server service: Server Service Vulnerability -- CVE-2008-4250 [nist.gov]

The vulnerability is detailed by October 23rd's Microsoft Security Bulletin MS08-067. [microsoft.com]

Attention Windows Clickarounds (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26527081)

Yeah I'm talking to you. The wannabe computer programmer who thinks they are good at computers because they can click around the computer enough times and find the reboot button and 'fix' an inherently flawed windows system. You think you're cool because you can pirate photoshop but not know anything about it, get Microsoft Office for free but have the literacy of a 1st grader when writing a paper, and get a copy of Norton Anti-virus because your inherently flawed system is useless without Administrative privileges. Get a clue, you are not smart, you are just a corporate sheep for a company that will bury you if you ever tried to write any software that did anything remotely useful. You are a clickaround and all you know is your ugly gray existence that is Windows.

Want the source code to windows vista?

head -n 1000000 /dev/random > Windows.com

Mod up! (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#26527671)

Also: People who think they are a computer genius because they can install GNU/Linux and violate intellectual property rights.

Downloading music illegally is a crime committed by lazy, fatass "PHP programmers."

Pay!

http://www.madonna.com

Re:Evolution (1)

Yvanhoe (564877) | more than 5 years ago | (#26526783)

For once, I agree with this opinion...
Still not Ghost In The Shell :

Happy iniguration day (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26527115)

Coon, coon, black baboon,
Brutal, worthless, thieving goon,
Often high, thrives in jail,
his welfare check is in the mail!
Some 40 offspring had been had,
Not one will ever call him dad!
And yet he hollers day and night:
"I blames de white man fo my plight!
It's him spreads trash all round my shack!
It's him what makes me smoke dis crack!
He push my kind to burn and loot,
And sends de po-lice dat we shoot!
But inch by inch we takin' hold,
Like when de white bread starts to mold,
We'll overrun yo homes and soon-
dey be only fit fo de blackassed coon!"

Re:Evolution (1)

HungryHobo (1314109) | more than 5 years ago | (#26526837)

I have to agree although I wonder how big the pool of machines would have to be and how smart a programmer would have to be to make a worm which genuinely mutates...

Re:Evolution (1)

Urd.Yggdrasil (1127899) | more than 5 years ago | (#26526949)

I guess it would depend on how you define mutation in terms of a computer worm. If you mean it changes its executable, there is already a lot of malware that uses polymorphic code [wikipedia.org] and a few that use metamorphic code [wikipedia.org]. If you mean changing the means of transmission, I'm sure a rudimentary form of mutation could occur using some sort of built-in fuzzing and vulnerability analysis engine.

Re:Evolution (1)

aliquis (678370) | more than 5 years ago | (#26527179)

But even in the cases of mutating code the first code was intelligently designed (or not so it mutates in very bad ways :D)

Re:Evolution (1)

xouumalperxe (815707) | more than 5 years ago | (#26527261)

(or not so it mutates in very bad ways :D)

It would take a lot of computing power and/or time for random mutation to yield useful results. That's more or less half of evolution right there.

Re:Evolution (1)

aliquis (678370) | more than 5 years ago | (#26527807)

"It's not like we don't trust in evolution, it's just that we believe there's an intelligent mutating design!"

Re:Evolution (2, Informative)

Ed Avis (5917) | more than 5 years ago | (#26526977)

It has evolved - but not by natural selection. Some amount of evolution is accepted as a fact by everyone except young-earth creationists (those who believe the world is about 6000 years old). For example, we know that horses used to have toes and now they have hooves. But some believe this evolution is caused by natural selection and genetic variation, while others believe it was the act of a creator or designer. The evolution of wolves into domestic dogs is an example of evolution caused by man (you could call it artificial selection).

Re:Evolution (4, Funny)

jabithew (1340853) | more than 5 years ago | (#26527675)

You forgot arguably the biggest driver of evolution: sexual selection.

But then, this is slashdot, so maybe I shouldn't be surprised.

Re:Evolution (0)

Anonymous Coward | more than 5 years ago | (#26527413)

The worm initially spread to systems unpatched against MS08-067, but has since 'evolved

It hasn't evolved. This is clearly Intelligent Design and anyone denying this is a godless heathen!

Trying to apply the words "intelligent" and "design" to Windows makes you the AntiChrist.

Re:Evolution (0)

Anonymous Coward | more than 5 years ago | (#26527441)

The worm initially spread to systems unpatched against MS08-067, but has since 'evolved

It hasn't evolved. This is clearly Intelligent Design and anyone denying this is a godless heathen!

troll.

Re:Evolution (0)

Anonymous Coward | more than 5 years ago | (#26527501)

On another note, why is this page asking me to log in even though I'm already logged in??

Re:Evolution (1)

ozbird (127571) | more than 5 years ago | (#26527867)

It hasn't evolved. This is clearly Intelligent Design and anyone denying this is a godless heathen!

Unlike Windows, which is clearly not Intelligent Design. (Windows 7 is not the messiah, either - it's just a naughty service pack.)

I for one... (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#26526755)

Don't like worms.

Re:I for one... (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#26527111)

I say... TEQUILA!

follow the money. (5, Interesting)

leuk_he (194174) | more than 5 years ago | (#26526779)

It should not be that hard to follow the money generated by this malware. Infecting 8 million PCs should be a crime.

From the write-up, it downloads data from

" hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe"

follow that money and the bad guys will be found quickly.

Re:follow the money. (4, Insightful)

calmofthestorm (1344385) | more than 5 years ago | (#26526809)

It should not be that hard to follow the money generated by this malware. Infecting 8 million PCs should be a crime.

It's a crime if it's spammers. It's not a crime if it's government or content industry.

Bitterness aside, the main problem is that usually the people doing it are in a country where it is, for a number of reasons, difficult to track them down. Still, I agree that, short of keeping your OS up to date (if you /must/ use Windows), following the money is the best approach.

Re:follow the money. (3, Interesting)

Anonymous Coward | more than 5 years ago | (#26527129)

You're assuming too much. Keeping Windows up to date?

One problem is the lifecycle support. SP1 isn't supported anymore, I believe, and even trying to manually install the patch won't work because it requires SP2 or higher to be done. (For XP, of course.)

SP2 won't necessarily work on all computers, for one reason or another. Some may choose not to go up to SP2 due to all that garbage installed with it. (I think a very annoying firewall is installed, and doesn't it tamper with Internet Explorer against one's wishes?)

At least for those people, they can go around doing workarounds. Of course, this will result in an OS eventually becoming non-functional for quite a bit of things.

Re:follow the money. (2, Insightful)

Cowmonaut (989226) | more than 5 years ago | (#26527639)

The Windows Firewall is greatly improved in SP3, but even the default un-patched firewall in XP is more or less a joke if you plan on doing any network sharing. So either way you have to deal with it. Also, I think it's SP3 you mean about the tampering with IE. It'll install IE7 whether you want it or not unless you already had it installed. The only way to uninstall it without going through a big hassle is to have IE7 installed prior to installing SP3, if I remember right.

There are very few reasons to not install a service pack for Windows. I've not heard of any hardware compatibility issues, and for sure that is not a problem with new hardware. It may take forever, but from high end gaming systems to crappy E-Machines with at best 512MB of RAM, installing SP2 for XP is the only smart thing to do and doesn't slow the system down once it's installed.

If anyone has some proof otherwise (as in links, not anecdotal) please correct me. But I've neither heard of nor seen an issue caused by SP2 that hasn't been patched for a long while (over a year or two).

Re:follow the money. (0)

Anonymous Coward | more than 5 years ago | (#26527887)

[RE: your sig]
Generation n: n's rate of increase is inversely proportional to the rate of distribution of the sig. In other words, as more people see it, more people will be seeing the same number, until eventually the last group of people all see (pulling a number out of my ass) "GENERATION 434212" and add "GENERATION 434213" to their sigs.

Re:follow the money. (0)

Anonymous Coward | more than 5 years ago | (#26527237)

Still, I agree that, short of keeping your OS up to date (if you /must/ use Windows), following the money is the best approach.

Software updates are all well and good, but no substitute for the simple advice, "Don't run files with an executable component from a source you don't trust".

If you follow this advice, you have no real need of security updates; if you do not follow it, no amount of security updates will help you.

Re:follow the money. (2, Insightful)

jonwil (467024) | more than 5 years ago | (#26526931)

It's a good bet that the machine or machines responding to the trafficconverter.biz domain name are either hacked (e.g. zombies) or obtained using stolen or fake credit cards and other ID.

The chances that the information listed for the account(s) owning trafficconverter.biz matches with the owners of this botnet is very little.

Re:follow the money. (5, Insightful)

Richard W.M. Jones (591125) | more than 5 years ago | (#26526975)

It's not like the FBI and Interpol are going to look at the bogus whois information and throw their hands up and say "oh noes". They can go and raid the registrar's offices and find out what IPs registered the domain, what credit cards (stolen or not) were used, and if they were stolen, where from and when. Furthermore the worm has a whole list of websites, so every single one of those can be checked in the same way, and even if they are all hijacked, there will be hundreds of potential clues about the perpetrators.

Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc the list goes on. The police need to do something to help us.

Rich.

Re:follow the money. (4, Insightful)

timmarhy (659436) | more than 5 years ago | (#26527103)

agreed 100%. until some serious pound me in the ass prison time is handed out to more than a few of these guys, it won't stop. better coordination with isp's is also the answer here, once these virus/spam sites are identified, for fucks sake blacklist them. this simple act would stop 100,000's of infected pc's from giving up information making the whole venture less profitable.

Re:follow the money. (-1, Offtopic)

montyzooooma (853414) | more than 5 years ago | (#26527651)

agreed 100%. until some serious pound me in the ass prison time is handed out to more than a few of these guys, it won't stop.

Exactly! After all that's how they managed to stop illegal drugs. Oh...

Re:follow the money. (5, Interesting)

maple_shaft (1046302) | more than 5 years ago | (#26527149)

This nasty virus has caused me to be up working overtime for the past two weeks.

Well one hint to finding the assholes who wrote this virus is the fact that the virus willingly ignores computers originating within the Ukraine.

That narrows it down to about 80 million people. ;-)

Re:follow the money. (2, Funny)

Erikderzweite (1146485) | more than 5 years ago | (#26527695)

This nasty virus has caused me to be up working overtime for the past two weeks.

Well one hint to finding the assholes who wrote this virus is the fact that the virus willingly ignores computers originating within the Ukraine.

That narrows it down to about 80 million people. ;-)

Ukraine has about 46 million people. And the situation is already being dealt with -- Russia has stopped supplying them with gas.

Re:follow the money. (5, Insightful)

mlush (620447) | more than 5 years ago | (#26527347)

Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc the list goes on. The police need to do something to help us.

Rich.

I think you should be careful what you wish for. The Police could do something, they could turn the Internet into a Police State.

Re:follow the money. (0, Troll)

Xest (935314) | more than 5 years ago | (#26527461)

"The police need to do something to help us."

Help you? Hah, who do you think you are, the RIAA? We all know the police's priorities are the content industry and kiddie porn.

Re:follow the money. (1)

Giloo (1008735) | more than 5 years ago | (#26527609)

They will only do that for piracy issues, because someone is paying for that directly. Not sure how the maths work if you compare it to how much the taxpayers pay. I'd rather have my government/police work and actually spend money on fighting true spam/virii issues rather than going after P2P users..

Re:follow the money. (2, Informative)

Urd.Yggdrasil (1127899) | more than 5 years ago | (#26526983)

It is common practice for domains to be registered using stolen credit card numbers and phony registration information, as well as using bots within the net to act as proxies between you and the actual server, such as with fast flux [wikipedia.org] . That combined with the fact that the servers are generally hosted in countries that don't have a lot of money, man power, or motivation to track these types of operations down makes stopping them a very difficult process.

Re:follow the money. (1)

leuk_he (194174) | more than 5 years ago | (#26527139)

You missed the point. Someone is earning money with it. Follow that money, not the money spent on the IP number/DNS, but the receiving money.

Forget tracking all those dns/ip's, that is no proof, only supporting evidence.

Re:follow the money. (1)

jabithew (1340853) | more than 5 years ago | (#26527735)

How are you going to follow the receiving money? Suppose they are making a botnet. They're then likely to sell it on to organised crime, the Kremlin or others known to engage in DDoS attacks. This is not the kind of transaction published in the FT.

In addition, if the botnet is used, someone will probably trigger this botnet from a throwaway client hacked into an unsecured wireless network or just using a network at a coffee shop. Steal a netbook and load Linux on it, and no problem. Organised crime probably have their own anonymized distribution channels.

Re:follow the money. (4, Interesting)

ledow (319597) | more than 5 years ago | (#26527165)

It sounds very simple but you're missing the bigger picture.

How do we know that that virus has ANYTHING to do with trafficconverter.biz or that they knowingly provide that service? What are you going to do, shut down the website without a full legal investigation? Brilliant! I don't like slashdot, so I make a virus that looks like it gets its instructions from them, or from random comments posted on there. You've now made it incredibly easy for me to "social-DoS" a website. I can get them shut down, or cause them lots of financial hassle to deal with the investigation, just by downloading something from them with my virus.

Or say I want AVG out of business - I make the program download a particular older version of AVG to use a known vulnerability in it to propagate my virus or elevate its permissions. Or I just install it on every machine I infect forcibly. If people don't start associating AVG with malware (like that Antivirus 2008/2009 thing) then I've just given them the impression that it's a horrible piece of software that forces itself on you. Or I make sure that it's the only virus scanner that can or can't detect my virus - either way, I win in discrediting AVG.

The fact is that a virus is an unwanted, untrusted application. Because it's untrusted, you can't just start shutting things down because you find a "clue" in that virus's code. That's why it takes *so* long to convict known virus-writers. International boundaries, legal obligations (hence why you can't just "take over" a botnet that has people's/company's PC's in it and issue random command to "clean it up"), verifiable evidence, there are a million holes.

The problem is not that viruses make money. It's that viruses STILL WORK. That they STILL EXIST. That they are STILL CAUGHT by people. They've been around for 30-odd years and they are more prevalent than ever and 99.9% of viruses operate on a single platform, targeting old, known, already-patched vulnerabilities. The fix for viruses is not to stop their creation by "persuasion" (removing revenue streams, harsher sentences, etc.) but to prevent them by technical means and ensure those means are adhered to. This means punishing users and operating systems that *don't* conform. Virus infections are a daily occurrence and people are now blasé about them... I've had people casually mention having dozens of viruses on their machines and could I have a look if they bring it in next month, etc. The problem, again, is an OS that allows such things to exist and propagate so readily and simply (literally, I could write a Windows virus in a matter of hours with no previous knowledge and virtually zero documentation... Unix-based? Wouldn't know where to start because I would need to find a gaping hole in heavily-tested, proven-rugged, complex code that I can barely understand).

My provider shuts customers off if they use port 139 (and others) on their PC's without having previously informed them that, basically, "I know what I'm doing". The Internet stops and all webpages are replaced by an automated message about how to install a firewall (which, thankfully, also includes the "I know what I'm doing" option). I do "know what I'm doing", I have several layers of protection on everything connected to the Internet but I've left this on. What we need is a massive opt-in that enforces this for the average person. My ISP can already scan every webpage and email for me for viruses and replace them with warning text. They need to extend this to be the default, with opt-out. Then when Joe-Idiot gets a virus, it's probably his own fault because he bypassed the safety barrier and thus you can throw him off if his IP starts spamming or trying to infect others.

Even a simple method (e.g. an automated port scan every day, à la GRC.com's ShieldsUp, and an email if open ports change). It's not a catch-all but it will certainly shock a few people if they realised just how open their PCs are and will warn companies and professionals when something happens that shouldn't, in a way that the results cannot be affected by a virus infection on your site (faking logs, etc.).

The primary methods of infection are:

Application compromise (e.g. downloading a crafted file in IE, Outlook, etc.)
Network traffic (e.g. spreading over Samba)
Operating system compromise (e.g. getting into the kernel by exploiting a race condition).

The problem is that the first two are *entirely* the fault of the operating system and permissioning - you don't trust programmers to write programs that take account of such issues, you just make the OS enforce permissions that ensure that, no matter what the program tries to do (unless it hits an OS compromise), it can't do anything stupid or nasty. With BIG FLASHY WARNINGS when you try to do stuff as an admin (if it's even possible to run as one). I can't even run some Linux daemons without them bailing out because they don't want to run as root, or because they couldn't properly drop to an unprivileged user. By default, root doesn't get PATH to some useful programs. The prompts change. Most things won't let you, by default, log in as an admin (SSH, etc.). Even some of my text editors throw a wobbler.

Remove this "users are privileged" crap... they DO NOT need to be. They don't even need to be ABLE to be an admin (e.g. make admin logins text only into a Recovery Console style system that allows command-line fixing of the OS but no graphical/user login). Even if it means a COW filesystem per application, rollback and "faking" admin rights to the program, sort the crap out. You can't trust the programmers not to TRY to use admin rights if they are available. But 99.9% of programs do NOT need to do anything as admin. This is the problem.

Re:follow the money. (1)

leuk_he (194174) | more than 5 years ago | (#26527195)

You are missing the point. I never said to shut down that site. That is a technical solution. The real problem with it is that there are people creating this bot for money. Follow the money generated by the bot and you know who is behind it.

I never said, follow the traffic and ban that site. People get scammed out of money due to this trojan. real money, not internet bytes.

Police/law enforcement forces are authorized to ask the banks for information about this. And this is a case with over 8 million victims.

Re:follow the money. (2, Insightful)

ledow (319597) | more than 5 years ago | (#26527435)

My post did address your question, but maybe not as directly as necessary.

Which police? Which law enforcement? Which banks? Which victims? The problem is that such questions are not only difficult to answer but are severely hindered by international boundaries. It's nothing to do with how easy it is to catch the kid down the road doing this to you, it's about how to elicit information from a foreign country who really have no interest in helping you (it's hurting them too, most probably, but that's no incentive). There may even be laws in that country that prevent dissipation of that information outside the country's own law enforcement (Data Protection Acts etc.). Look at the trouble the record industry is having eliciting information on who uses an IP when they KNOW the IP and are represented in the same country as the user and have probable cause to ask for more information. Now imagine that I'm Russian, and the Russian record industry doesn't care what I do... *you* try and extract, based in a foreign country like the USA, the name and address of the Russian user who owns a Russian IP that you think was involved. It's nigh-on impossible, even when you KNOW who it was, let alone if you are just tracing through logs of potential proxies with the intention to seize those proxies to trace back to the original source, etc.

Basically, the law doesn't help you here at all because once you cross international boundaries, things get infinitely more complicated and it ends up costing too much money to even consider it. That's my point... sod the law (it may not even be illegal in the country of the author to do such things, so you can't rely on it) and use technical solutions to STOP THE CRIME BEING POSSIBLE in the first place. It's like whinging that kids keep stealing things out of your house because you have no garden walls, no locks on your doors, you leave the doors open all the time even if you are out and you put a large sign in the street saying "Please don't steal my things". OF COURSE it's against the law to take your things but you'll never get them all back because you'll never know who was walking past when you weren't there and taking a few simple technical measures makes the crime much, much, much more difficult.

Re:follow the money. (1)

leuk_he (194174) | more than 5 years ago | (#26527603)

You are right. This is complex international police work. Not something me and the average slashdotter should do. But somebody should do it.

You are right that all we can do is put the lock on the door and help other people lock theirs.

But remember that a real crime is in progress and there the police should/could do something about it.

Now we can go back to making a fuss about things we can do something about.

Re:follow the money. (1)

PinkyDead (862370) | more than 5 years ago | (#26527813)

If at least one average slashdotter is not in a position to do something technically about this problem then who are you suggesting - I've just nipped over to flowerarranging.about.com and they're stumped.

The GP is absolutely correct, the police can't/won't do anything about it, it's up to technically minded individuals either working for Microsoft or an associated security software vendor to sort it out. And I'm full sure that at least some of them are average slashdotters or similar.

I've just read on theregister.co.uk about how theatres in hospitals are being shut down because of this thing and other security problems on Windows and frankly that's just not good enough.

Re:follow the money. (2, Interesting)

Joce640k (829181) | more than 5 years ago | (#26527367)

Dunno, but why can't we remove trafficconverter.biz from the DNS for a few weeks?

You might say it's bad for them and "all spammers need to do to shut down a web site is...blah, blah" but that's ignoring how spammers work. If spammers learn that websites will be removed from DNS at the first sign of trouble then they won't use websites.

Spammers don't do it for political reasons, they're thieves who are trying to get money.

Re:follow the money. (1)

Crookdotter (1297179) | more than 5 years ago | (#26527599)

In a corporate environment I agree, but I reserve the right to mess up my windows or linux or mac box as much as I possibly can. Not that I do.

Re:follow the money. (2, Insightful)

jabithew (1340853) | more than 5 years ago | (#26527773)

Then when Joe-Idiot gets a virus, it's probably his own fault because he bypassed the safety barrier and thus you can throw him off if his IP starts spamming or trying to infect others.

Most ISP terms of service allow them to do this already. If they actually tried to enforce it, they wouldn't have any customers left.

Re:follow the money. (2, Insightful)

jrumney (197329) | more than 5 years ago | (#26527889)

What are you going to do, shut down the website without a full legal investigation?

Yes, sometimes the public interest outweighs the commercial interest of a business. It happens in meatspace every day for all kinds of reasons, from anonymous bomb threats to the president coming within 2 miles of the place.

ISP Blacklists (1, Interesting)

Devil's BSD (562630) | more than 5 years ago | (#26526793)

One thing about botnets... I don't really understand why there couldn't be a blacklist of known botnet controllers maintained by a trusted authority (SANS, or perhaps a collaboration of the leading AV vendors, for example) that ISPs could use to block their customers from connecting to. Or, they could even go one step further and shut off the customers connecting to botnets until they're sure the customers have cleaned their computers.

Re:ISP Blacklists (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26526807)

I don't really understand why there couldn't be a blacklist of known botnet controllers maintained by a trusted authority

Yes, this will work, especially when I can connect to my botnet through YOUR machine today. Your neighbor's machine tomorrow. Etc...

Re:ISP Blacklists (1)

IBBoard (1128019) | more than 5 years ago | (#26526887)

Ignoring any technical issues I can see two main issues with that:

1) ISPs would have to put in effort and money to combat these things
2) By actively trying to combat them they would then be more responsible for the ones they didn't catch

It's good in theory (just like stopping the spammers with measures ISPs could take) but the practice never seems to make sense to the corporates.

Re:ISP Blacklists (4, Interesting)

ChienAndalu (1293930) | more than 5 years ago | (#26526941)

1) ISPs would have to put in effort and money to combat these things

Depending on the amount of traffic that worm generates, it might even be worth it.

Re:ISP Blacklists (1)

IBBoard (1128019) | more than 5 years ago | (#26527627)

It might, but that assumes that the ISP puts in the effort and money to investigate whether it is worth it or not in the first place ;)

Re:ISP Blacklists (1)

Nursie (632944) | more than 5 years ago | (#26527155)

Wait,

are you telling me the ISPs don't use services like spamhaus?

I think there could be a similar service for botnet control points.

Re:ISP Blacklists (3, Insightful)

Urd.Yggdrasil (1127899) | more than 5 years ago | (#26526911)

This would only work for centralized command and control mechanisms. More sophisticated bots use decentralized p2p type communication, as was the case with the Storm worm last year. Conficker uses a built-in mechanism to generate new domains to contact each day, and while security firms are deploying blacklists based on the generator code, it could easily be changed in a new variant. This is of course not taking into account the difficulty one would have in getting ISPs to maintain a list of blacklisted domains that changes day to day.

Re:ISP Blacklists (1)

Zsub (1365549) | more than 5 years ago | (#26527269)

Which would be so easy you wouldn't be able to understand why they don't block them. It's called DNS and although it is not the cure-all I might make it out to be, it could help a lot.

Re:ISP Blacklists (1)

will_die (586523) | more than 5 years ago | (#26526937)

Part of the problem with this one is that it connects to one of 5 time servers to get the date. Once it has that information it follows a formula to determine what "master" web server to connect to; once connected to the "master" it downloads more software and can upload info. The people running the "master" have been generating a bunch of sites each day using fake information, so each day you have to figure out what the real site is and then get it blocked or shut down. However, once the new day comes around you have all the clients attempting to reconnect to the new site.
With the way this thing is going it will be required for ISPs to monitor and then block the port and alert the zombie customers, but once it is publicly known that this is going to happen the next day's version of the software is going to have a different port in it.

Re:ISP Blacklists (1)

skolima (1159779) | more than 5 years ago | (#26527153)

Polish Telecom (TP S.A.) started using such a blacklist on 20th December 2008. One of the first things that got blocked was gimp.org, which is on the same machine as irc.gimp.org, which in turn apparently is used by botnet controllers. Or used to be used. Net effect - gimp.org is unreachable, botnet traffic volume did not drop (the worms just switched to SSL-encrypted communication instead of IRC).

Overlords (-1, Troll)

Anonymous Coward | more than 5 years ago | (#26526835)

I, for one, welcome our biggest [goatse.fr] botnet wielding overlords.

In other news, niggers.

How can it spread through USB sticks? (4, Interesting)

Viol8 (599362) | more than 5 years ago | (#26526851)

I don't use Windows much but I assumed MS had disabled, or at least set the default to off for, the autoexec.bat feature, so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??

Re:How can it spread through USB sticks? (5, Informative)

k.a.f. (168896) | more than 5 years ago | (#26526893)

I don't use Windows much but I assumed MS had disabled, or at least set the default to off for, the autoexec.bat feature, so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??

It posts an "execute" option in the autoplay dialog that looks almost exactly like the harmless "browse folder" option, complete with misleading folder icon. It's moderately clever, but of course still requires autoplay to be enabled.

Re:How can it spread through USB sticks? (1)

modestgeek (1449921) | more than 5 years ago | (#26527445)

I'd hope that most companies are protected. Disabling autoplay is one of the most basic things done in group policy to help protect workstations. Well, also removing the user's ability to install random devices such as flash sticks.

Re:How can it spread through USB sticks? (2, Informative)

Urd.Yggdrasil (1127899) | more than 5 years ago | (#26526895)

It's autorun.inf, not autoexec.bat, and it does require a bit of user interaction. Double-clicking on it in Explorer in XP will execute it, but on systems running Vista/7 it must rely on social engineering [sans.org].

Re:How can it spread through USB sticks? (5, Interesting)

Spad (470073) | more than 5 years ago | (#26526907)

Autorun is still enabled by default in Windows for all removable devices.

USB sticks are a little odd though as autorun only works for certain ones with a specific hardware flag set. I would guess it's trivial for this worm to change the flag to enable autorun, however.

Re:How can it spread through USB sticks? (2, Insightful)

Whiney Mac Fanboy (963289) | more than 5 years ago | (#26527065)

I would guess it's trivial for this worm to change the flag to enable autorun, however.

Only after it's executing... and if it's doing that, what's the point?

Re:How can it spread through USB sticks? (2, Informative)

Aladrin (926209) | more than 5 years ago | (#26527099)

Infect other computers. That's the whole point of putting itself on the USB stick in the first place.

Trivial for a worm to change the flag? (4, Informative)

transporter_ii (986545) | more than 5 years ago | (#26527203)

I would have to agree. I fought what I think is this worm at work for a week or so. If not, here is what I fought.

*Would disable the Recovery Console so you couldn't go back to an earlier date.
*Spread by USB thumb drive.
*Stick in a thumb drive and, if the computer had AVG, it would detect it but not be able to "heal" everything... but by this time it was too late.

One variant of it put in a root kit and blocked all access to antivirus sites. You could go anywhere on the Internet unless it happened to be an antivirus site.

This same one also blocked .exe files if they happened to be something like Spybot Search and Destroy. It just wouldn't run anymore.

Also, it turns off the ability to change settings to view hidden files and folders, so you can't see the folders it adds.

My guess is, it is pretty freaking trivial for these people to do whatever they freaking want in Windows (except for probably disabling DRM!).

Transporter_ii

Re:How can it spread through USB sticks? (5, Informative)

Zocalo (252965) | more than 5 years ago | (#26526917)

Conficker basically does some social engineering. Unless Autorun is disabled (it still isn't by default), when you insert a USB stick on a Windows box you get a dialog box asking what you want to do. One of the options on the box appears as "Open folder to view files", which might sound innocuous, but is actually an "autorun.inf" option created by Conficker that in reality runs the virus. The only real clue you have that something is amiss is that the real "Open folder" option is visible below the Conficker-generated fake.

Re:How can it spread through USB sticks? (3, Insightful)

ChienAndalu (1293930) | more than 5 years ago | (#26526961)

I really hate Microsoft for this kind of stupidity. They could have just made an option "autorun program from USB stick" with nothing customizable about it.

Re:How can it spread through USB sticks? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26527009)

And then users trying to install "tax payment programs" will get lost, not understanding what to do ("it says something about something to run and, uh, other confusing options... oh, computers are so hard to use...").

Besides, once social engineering kicks in, any fix would just move the vulnerability point somewhere else.

The human brain is just thousands of times more vulnerable than any OS in the world :(

Re:How can it spread through USB sticks? (1, Insightful)

rolfwind (528248) | more than 5 years ago | (#26527353)

Perhaps retards shouldn't be allowed to be on computers. Sorry, if you're a computer user and don't get the concept of a file nor what running a program means - elementary concepts really - perhaps you should just stay away. There is no other piece of equipment in this world where utter ignorance on behalf of the operator is so actively accepted.

Re:How can it spread through USB sticks? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#26527633)

The problem is that there's no real metric for computer usage ability. As a Linux user, I would be offended and irritated if the test asked questions about Microsoft and Microsoft products, which it undoubtedly would. Hell, even simple questions like "how do you copy files", "how do you kill malicious/stuck processes", "how do you install a program" are not OS-agnostic. Since this thing would be rolled out large scale, the exam would either be multiple choice (i.e. they don't check if your answer is valid, only that it's the same as their set of answers), or they'd hire some IT drop-out to individually examine you, who wouldn't realise that "cp file1 file2" is the valid way to copy files on a *nix machine and would subsequently fail you.

I guess they could make people fill in a form before they get their pre-built computer (as we *nix users mainly build our own or buy second hand to avoid paying for Windows), but that would still leave massive holes in the system (e.g. people buying computers for their Aunt Tillies, the answer code being traded, shops selling computers with first-run imaging CDs to install the OS thus exploiting the non-pre-built clause, shops selling "second hand" *cough* computers). Sorry guy, but until computers are standardised at least to the level cars are (which would only lead to more (virii?)), it looks like we're stuck with stupid people getting themselves infected.

Re:How can it spread through USB sticks? (4, Informative)

Anonymous Coward | more than 5 years ago | (#26527145)

See http://isc.sans.org/diary.html?storyid=5695

The option appears as:

Install or run program: Open folder to view files (Publisher not specified)

So people falling for it would have clicked even on "Install virus and destroy your life? YES/NO".
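Added example (mine, not code from the thread, SANS or any worm sample): a check for autorun.inf files on removable media that flags the trick Zocalo and the SANS diary describe, an [autorun] entry whose AutoPlay label impersonates Explorer's built-in "Open folder to view files" choice while actually launching a program. The two .inf samples are constructed for illustration; `payload.dll` is a placeholder name and the shell32.dll icon index is a guess at how a folder look-alike would be done.

```python
# Added example, not code from the thread: a check for autorun.inf files on
# removable media that flags the trick the comments describe, namely an
# [autorun] entry whose AutoPlay label impersonates Explorer's built-in
# "Open folder to view files" choice while actually launching a program.
# The .inf samples below are constructed for illustration, not the worm's
# file. open, shellexecute, action, icon and shell\<verb>\command are the
# standard autorun.inf keys.
import re

EXEC_EXT = re.compile(r"\.(exe|com|scr|pif|bat|cmd|vbs|js|dll)\b", re.I)
SYSTEM_LABEL = "open folder to view files"   # dialog text quoted in the thread


def parse_autorun(text: str) -> dict:
    """Tolerant INI parse of the [autorun] section: {key_lower: value}."""
    section, keys = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            k, v = line.split("=", 1)
            keys.setdefault(k.strip().lower(), v.strip())  # keep first occurrence
    return keys


def launch_targets(keys: dict) -> list:
    """Commands the .inf would run: open/shellexecute plus shell\\*\\command."""
    out = [keys[k] for k in ("open", "shellexecute") if k in keys]
    return out + [v for k, v in keys.items()
                  if k.startswith("shell\\") and k.endswith("\\command")]


def assess_autorun(text: str) -> list:
    """Return findings for one autorun.inf; an empty list means nothing odd."""
    keys = parse_autorun(text)
    findings = []
    targets = launch_targets(keys)
    if any(EXEC_EXT.search(t) for t in targets):
        findings.append("launches a program: " + "; ".join(targets))
    if SYSTEM_LABEL in keys.get("action", "").lower():
        findings.append("AutoPlay label impersonates Explorer's own Open-folder entry")
    if "shell32.dll" in keys.get("icon", "").lower():
        findings.append("icon borrowed from shell32.dll to look like a system folder")
    return findings


# Constructed samples: a vendor CD that only sets a label and icon, versus a
# stick carrying the impersonation trick (payload.dll is a placeholder name).
BENIGN_INF = "[autorun]\nlabel=Vendor Driver CD\nicon=setup.ico\n"
MIMIC_INF = """[autorun]
; comment lines like this one are ignored by the parser
open=rundll32.exe payload.dll,Entry
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
shell\\open\\command=rundll32.exe payload.dll,Entry
"""
```

Spotting the file is secondary to the group-policy fix modestgeek mentions: with AutoPlay disabled for all drive types (the NoDriveTypeAutoRun policy set to 0xFF) the dialog never appears, so the fake entry is never offered.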

Re:How can it spread through USB sticks? (1)

Fred_A (10934) | more than 5 years ago | (#26527503)

That would be great:

Infect your system from removable drive?
[yes] [no] [file not found]

I wonder what most users would pick though.

Re:How can it spread through USB sticks? (1)

zeptobyte (1140111) | more than 5 years ago | (#26527335)

And it's difficult to notice and register that that is wrong. Particularly when the options USB sticks usually give are worthless or wrong. My iPod Touch says "Camera connected" when I plug it in, and gives me options for:

* Microsoft Office Document Scanning
* Microsoft Office Publisher
* Microsoft Office Publisher
* Microsoft Office Word
* Microsoft Scanner and Camera Wizard
* Photoshop
* Photoshop

No, I didn't make any mistakes with that list. So I'm probably not going to notice one other slightly strange option.

Re:How can it spread through USB sticks? (0)

Anonymous Coward | more than 5 years ago | (#26527389)

I assumed MS had disabled, or at least set the default to off for, the autoexec.bat feature, so how else could it spread just by plugging in a USB stick?

autorun.inf?

Creamed, kernel, or cob? (2, Funny)

Stanislav_J (947290) | more than 5 years ago | (#26526981)

Do I just have a dirty mind, or did others upon first glance read this as the "Cornfucker" worm?

Re:Creamed, kernel, or cob? (2, Funny)

KillerLoop (202131) | more than 5 years ago | (#26527125)

In German, Cornficker has exactly this meaning.

Re:Creamed, kernel, or cob? (1)

sapphire wyvern (1153271) | more than 5 years ago | (#26527391)

How are viruses and worms named, anyway? "Downadup" and "Conficker" are very... arbitrary names. Do they roll some dice and consult a table of vowel & consonant sounds or something?

(Reminds me of alien name generation tables from Traveller...)

Re:Creamed, kernel, or cob? (0)

Anonymous Coward | more than 5 years ago | (#26527555)

Conficker might be a pun on "configure" where "Ficker" is the German word for "fucker". It fucks with your configuration, which is an unpatched Windows ;)

This is what baffles me... (1)

advocate_one (662832) | more than 5 years ago | (#26527073)

"It creates 250 possible domains each day," it added. "We've registered some selected domains out of this pool and are monitoring the connections being made to them."

Why is it able to register domains automatically? This is where we should be working to block the verdammt thing... stopping the automatic registration of domains... make it take time and require money to actually create the domain...

Re:This is what baffles me... (5, Informative)

chalkyj (927554) | more than 5 years ago | (#26527093)

It's poorly phrased. It doesn't create 250 domains per day, it CHECKS 250 domains per day. The botnet controller only needs to create one of those domains to upload new instructions.
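Added example (mine, not code from the thread or from any Conficker sample) that ties together the rendezvous scheme will_die, Urd.Yggdrasil and chalkyj describe: the date alone drives a fixed list of 250 candidate names, the controller registers one, and a defender who knows the function can precompute the list to sinkhole names or match resolver logs against it. The generator is a constructed stand-in with the same shape, not the worm's real algorithm; the TLD list, hash choice and log format are assumptions.

```python
# Added example, not code from the Slashdot thread or from any Conficker
# sample: a defender-side model of the date-driven rendezvous scheme the
# comments describe. The generator is a CONSTRUCTED stand-in with the same
# shape (date in, fixed-size candidate list out); it is NOT the worm's real
# algorithm, and the TLD list and hash choice are assumptions.
import datetime
import hashlib
import re

TLDS = ("com", "net", "org", "info", "biz")   # assumed, illustrative only
CANDIDATES_PER_DAY = 250                      # figure quoted in the thread


def daily_candidates(day: datetime.date, n: int = CANDIDATES_PER_DAY) -> list:
    """Return the n rendezvous names for `day` (deterministic in the date).

    Bot and defender run the same function: the controller registers one
    name, a defender can register others (sinkholing) or block the set.
    Only the date feeds the seed, which is why the worm first asks time
    servers for the date and why a list built for today is dead tomorrow.
    """
    names = []
    for i in range(n):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 5 + digest[0] % 7                         # 5..11 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return names


# Resolver log shape assumed here: "<timestamp> <client> query <name>".
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) query (?P<name>\S+)$")


def flag_rendezvous_lookups(log_lines, day: datetime.date) -> dict:
    """Map each client to how many of `day`'s candidate names it looked up."""
    candidates = set(daily_candidates(day))
    hits = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if m.group("name").lower().rstrip(".") in candidates:
            hits[m.group("host")] = hits.get(m.group("host"), 0) + 1
    return hits


def sample_log(day: datetime.date) -> list:
    """Constructed log: two clients probing that day's list, one idle client."""
    probes = daily_candidates(day)
    return [
        f"{day}T09:00:01 10.0.0.5 query time.windows.com",  # benign (in thread)
        f"{day}T09:00:02 10.0.0.5 query {probes[0]}",
        f"{day}T09:00:03 10.0.0.5 query {probes[17]}",
        f"{day}T09:00:04 10.0.0.9 query {probes[200]}.",    # FQDN trailing dot
        f"{day}T09:00:05 10.0.0.12 query gimp.org",         # benign (in thread)
    ]
```

Running the same log against the previous day's list produces no hits, which is the day-to-day blacklist maintenance problem the comments above raise; a new variant with a different generator would defeat the precomputed list in the same way.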

Obligatory (-1, Redundant)

Zoxed (676559) | more than 5 years ago | (#26527131)

But does it run under WINE?

Re:Obligatory (0, Redundant)

oodaloop (1229816) | more than 5 years ago | (#26527475)

I hope so. I've been trying for days to get it to work in Ubuntu. I tried sudo apt-get cornficker and that didn't work. I didn't see it in the repositories. Anyone know of a good way to install it?

Finding unpatched servers (2, Informative)

Anonymous Coward | more than 5 years ago | (#26527157)

The guys at Winh4x [blogspot.com] have generated a script that detects servers missing the MS08-067 update.

I for one.. (0)

Anonymous Coward | more than 5 years ago | (#26527183)

... welcome our new Beowulf cluster overlords.

From this day on, I shall say, imagine a cornfucker-net of

Cancel or allow ? (2, Interesting)

smoker2 (750216) | more than 5 years ago | (#26527287)

As it's Windows anyway, can't MS issue a patch that asks a user for confirmation every time an outgoing request gets made? Or at least keep logs that it can monitor for bot-like activity. If you are getting more than a certain number of outgoing connections without any other user input, then it should flag it to the user as suspicious, via a report that appears on boot, and need confirmation before anything else can be executed.

You could still have trusted services, time.windows.com etc., but multiple requests when the browser hasn't registered a click for an hour should be regarded as suspicious. I realise this is the "wrong end of the stick", but we have to deal with things the way they are, not how we'd like them to be. At least being nagged will bring the public's awareness to the problem existing on their machines.

Another idea - use the mouse, so that if it's left unmoved for more than x amount of time the "watchdog" would lock the net down. If you need to leave something running like bittorrent, you can specifically add it as a trusted service, but never permanently. Anything other than BT accessing the net during that time period (or until you move the mouse again) will automatically be denied.

It seems to me that the wider community is having to carry the can for the sorry state of windows security, so making life inconvenient for those who leave their machines unpatched should be fair game.

Re:Cancel or allow ? (0)

Anonymous Coward | more than 5 years ago | (#26527493)

As it's Windows anyway, can't MS issue a patch that asks a user for confirmation every time an outgoing request gets made? Or at least keep logs that it can monitor for bot-like activity. If you are getting more than a certain number of outgoing connections without any other user input, then it should flag it to the user as suspicious, via a report that appears on boot, and need confirmation before anything else can be executed.

No! You can't give users access to logs and other sorts of control or knowledge of what the OS is doing. You start down this road and next thing you know Windows is updating using something other than IE! Madness!!!

Re:Cancel or allow ? (1)

Xest (935314) | more than 5 years ago | (#26527547)

It'd be trivial for trojan developers to just emulate a move of the mouse, or a press of the keyboard or a button.

Re:Cancel or allow ? (0)

Anonymous Coward | more than 5 years ago | (#26527551)

Except that this would only inconvenience the people who actually patch their machines, because how should the other ones get your new PITA software?

Re:Cancel or allow ? (1)

Leaf Node (692630) | more than 5 years ago | (#26527587)

They already have that. It's called Windows Firewall. The default though is to Allow All outgoing. The reason that's the default is that if you know what you're doing then you'll turn it on and use it as the tool it was meant to be. If you don't know what you're doing then having it on won't do any good anyway, because you'll just automatically click 'Ok' or 'Allow' without reading the message.

Say it ain't so (2, Insightful)

damn_registrars (1103043) | more than 5 years ago | (#26527403)

It wasn't that long ago that someone declared the Storm botnet had been cracked wide open [slashdot.org], from which some people made the extremely erroneous extrapolation that botnets would become a thing of the past.

Well, I guess that almost held for two weeks. Maybe someday people will consider addressing the underlying cause of these problems instead of the symptoms.

Patch and Pray: Windows is a costly liability (2, Interesting)

Dystopian Rebel (714995) | more than 5 years ago | (#26527877)

The only reason why there hasn't been a class action lawsuit against Microsoft for their incompetence is that many misguided people STILL think that every 20 minutes of MS Word is worth 1 week of their time spent Patching and Praying and trying to recover data.

The argument that the vast Windows ecosystem (700 million computers) is itself an argument for using Windows has been disproven by the Internet. If you have a network or connect to the Internet, Windows is a significant risk. And don't blame the users. That's as arrogant as the US makers of the cars that Nader condemned [wikipedia.org] in 1965. Windows is "Unsafe At Internet Speed".

The Windows operating system, which is a liability on any network, must be constantly patched to protect against the "latest" threats. Microsoft's only constructive answers to these exploits are "patch and pray" and also to cripple connectivity (Windows XP SP2).

There will always be smart Bad Guys. The Bad Guys who excel at being bad are MUCH more creative than Microsoft and they have clearly put Generalissimo Ballmero and his regiments to flight. If you have the worst possible defences, you can't expect to be left in peace. Using Windows today is like sending your cavalry to engage hostile tanks. You *will* get slaughtered at some point and if it doesn't happen immediately, it's because the tank crews took pity.
