
Romanians Find Cure For Conficker

timothy posted more than 5 years ago | from the cheer-goes-up dept.

mask.of.sanity writes "BitDefender has released what it claims is the first vaccination tool to remove the notorious Conficker virus that infected some 9 million Windows machines in about three months. The worm, also known as Downadup, exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through a buffer overflow vulnerability in Windows Server Service where it disables the operating system update service, security center, including Windows Defender, and error reporting. The Romanian security vendor said its removal tool will delete all versions of Downadup and will not be detected by the virus."

145 comments

How convenient! (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27177807)

Fucking gypsies.

How long before it doesn't work? (3, Insightful)

idiotwithastick (1036612) | more than 5 years ago | (#27177811)

TFA even says that the worm can update itself, so how does BitDefender plan to distribute the worm if the worm can be updated to shut down everything that may harm it?

Re:How long before it doesn't work? (5, Informative)

wizardforce (1005805) | more than 5 years ago | (#27177949)

They are not "distributing a worm"; it's a tool for disinfection, and I suspect they'll need to take a page out of biology's book on dealing with dangerous microbes and evolve along with the worm. In other words, constantly update their tool as the worm adapts. So it's likely going to be quite dynamic.

Re:How long before it doesn't work? (4, Insightful)

NeverVotedBush (1041088) | more than 5 years ago | (#27179119)

I'm more curious why Microsoft itself can't do something like this and why a third-party company, presumably without benefit of Microsoft's source code, is able to diagnose the problem, remove the infection, and "fix" Windows.

Instead, Microsoft is laying off workers. Perhaps they should concentrate on fixing these issues even faster -- which would probably be better for their public perception of being a virus haven -- instead of cutting staff to appease stockholder's lust for profits.

In the long run, producing a quality OS and fixing these kinds of vulnerabilities promptly would do far more good for their bottom line.

Re:How long before it doesn't work? (0, Troll)

PopeRatzo (965947) | more than 5 years ago | (#27179671)

I'm more curious how many people would actually install any "fix" that comes from Eastern Europe.

Maybe they could make something that pops up in my browser and tells me that I've got the Cornflicker Virus and then offers to fix it for me if I just click "Continue".

And maybe I'll just forget the whole thing. So what if my machine is infected. I've got four cores going at once, so there's plenty of cycles to go around.

Re:How long before it doesn't work? (1, Funny)

Anonymous Coward | more than 5 years ago | (#27179751)

Congratulations. You have successfully made yourself look racist, shortsighted, ignorant and apathetic all in one single posting on Slashdot. Maybe next time you can shoot for doing it in just two sentences.

Re:How long before it doesn't work? (2, Insightful)

cronco (1435465) | more than 5 years ago | (#27180063)

Kaspersky is made by Russians and it has quite a few users, I believe.

Re:How long before it doesn't work? (3, Insightful)

Anonymous Coward | more than 5 years ago | (#27180007)

Microsoft does. They release a utility about once a month that targets and removes malware from a system. It is distributed automatically via Windows Updates but can also be downloaded and run manually. Of course since worms like this often disable Windows Update the automatic clean up vector is closed.

Vulnerabilities exist in every system. If by "quality" you mean that it has no vulnerabilities then you are limited to running software that has only about 10 lines of code produced by the upper level students in CS101 classes, and even then some will slip by.

It's not like Microsoft sits there and ignores these issues when they are reported. They have to be triaged, confirmed, fixed and thoroughly tested to ensure that the fix does resolve the issue without causing further problems. As is very often the case the vulnerabilities are fixed long before the exploit goes wild, but many machines remain vulnerable because that machine had not been updated for whatever reason.

Re:How long before it doesn't work? (1)

houghi (78078) | more than 5 years ago | (#27180183)

Companies think short term.
On the one hand you have others that solve your problems without your needing to invest anything. On the other hand you can lay off people, which saves you money. Sounds like a scale with lead on one side and helium on the other.

Another link to the tool (4, Insightful)

MadUndergrad (950779) | more than 5 years ago | (#27177835)

Re:Another link to the tool (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27177863)

I checked and the bd_rem_tool isn't available on ubuntu.com, particularly that page. Perhaps you are mistaken or fucking stupid?

Re:Another link to the tool (0)

Anonymous Coward | more than 5 years ago | (#27178231)

Whooosh...

Re:Another link to the tool (0)

Anonymous Coward | more than 5 years ago | (#27179023)

Because it's smart and funny to try to pose a misdirection as an alternate page. Grow up.

Re:Another link to the tool (-1, Troll)

Hurricane78 (562437) | more than 5 years ago | (#27179421)

No. Because Ubuntu is the cure for Windows virii. Past, present and future.

But you would not get it when taught with a two by four, would ya...?

Re:Another link to the tool (0)

Anonymous Coward | more than 5 years ago | (#27179713)

I suppose you'd praise your doctor for suggesting an amputation when you came in with a broken finger, hm?

Re:Another link to the tool (5, Funny)

thatskinnyguy (1129515) | more than 5 years ago | (#27178159)

I used that same tool on another virus. Haven't had an issue since!

Re:Another link to the tool (2, Interesting)

Jurily (900488) | more than 5 years ago | (#27178623)

I used that same tool on another virus. Haven't had an issue since!

Me too. I can't find drive C: ever since.

Re:Another link to the tool (5, Funny)

Computershack (1143409) | more than 5 years ago | (#27178631)

I used that same tool on another virus. Haven't had an issue since!

I found that none of my games would work and my wifi is now broken too.

Re:Another link to the tool (3, Informative)

Cowmonaut (989226) | more than 5 years ago | (#27179417)

Sad but true. The pain that is WiFi on Linux is a bigger hurdle than the games IMO. I'd take Linux on my laptop if I could do so without extensive work to get the WiFi working. And the laptops with Linux that the WiFi works on don't meet my needs.

Re:Another link to the tool (2, Interesting)

Culture20 (968837) | more than 5 years ago | (#27179469)

I have a broadcom card in my laptop. Since 8.04 LTS, I haven't even had to touch the command line to set up the wifi (I obviously do for other reasons). After logging in, it popped up an icon for restricted drivers (poor name, that. I thought it was drivers I _shouldn't_ install). Clicked my graphics card and wifi card. Done.

Re:Another link to the tool (1)

slimjim8094 (941042) | more than 5 years ago | (#27179737)

What exactly doesn't work? The two (three?) most-common brands (Intel, Broadcom, Maxwell) have open-source drivers (with a firmware blob in the case of broadcom)

Is it an external card, by USB or something?

Re:Another link to the tool (2, Insightful)

Colonel Korn (1258968) | more than 5 years ago | (#27179939)

What exactly doesn't work? The two (three?) most-common brands (Intel, Broadcom, Maxwell) have open-source drivers (with a firmware blob in the case of broadcom)

Is it an external card, by USB or something?

My very common internal Broadcom card didn't work in 8.04 a couple months ago until I spent an evening on the internet finding and trying a few different sets of command line fixes. The problem was that most of them that were in Ubuntu help pages included a typo (or more than one) somewhere that didn't let me just copy/paste each line. I did manage to get it to work, but a few days later I stopped using Ubuntu because my laptop was too sluggish with it.

Re:Another link to the tool (0)

Anonymous Coward | more than 5 years ago | (#27179949)

Why is linking to Ubuntu, which, while a great OS and a better alternative to MS, really has nothing to do with the article, considered insightful?

Yes, we all know, Ubuntu > windows. I use it too, but really, that is SSDD.

Great (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27177913)

When do we get a cure for whatever the Romanian 'cure' does after it removes Conficker?

That many Windows Servers unprotected and online?? (1, Insightful)

wvmarle (1070040) | more than 5 years ago | (#27177925)

[...]some 9 million Windows machines [...]. The worm [...] exploits a bug in the Windows Server service...

Without elaborating what Windows Server service that might be... Are there really that many vulnerable, not firewalled Windows servers connected to the Internet? Or is this a Server function that has no business on a Desktop that is getting infected?

In the first case blame the administrators (for not knowing how to properly protect a Windows server), in the second case blame Microsoft (for running servers on a desktop that should not be there in the first place). I would expect the second case, as I recall we have seen that before: a virus exploiting a bug in a server function that can not even be stopped on a desktop.

Re:That many Windows Servers unprotected and onlin (5, Informative)

A Friendly Troll (1017492) | more than 5 years ago | (#27177965)

In the first case blame the administrators (for not knowing how to properly protect a Windows server), in the second case blame Microsoft (for running servers on a desktop that should not be there in the first place). I would expect the second case, as I recall we have seen that before: a virus exploiting a bug in a server function that can not even be stopped on a desktop.

Description of the Server service:

Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.

Dependent services: Computer Browser ("Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained.")

I think it starts automatically.

It can probably be disabled, but who knows...

Re:That many Windows Servers unprotected and onlin (1)

wvmarle (1070040) | more than 5 years ago | (#27177997)

OK thanks for the info.

Sounds like having the Server service listen only on localhost/loopback (assuming there is such a thing in Windows) would close the infection vector... it should definitely not be listening for incoming connections from other computers without being explicitly instructed to do so. So we can shove this on Microsoft's poor design.

And after the recent discussion here on /. about User Access Control in XP/Vista/Win7 it again makes me wonder whether Windows as it is can be fixed at all. Its security seems broken beyond repair.

Re:That many Windows Servers unprotected and onlin (2, Informative)

Anonymous Coward | more than 5 years ago | (#27178133)

You don't need the Server service. Or at least, I haven't needed it in the last 6 months or so. I even run IIS on my Windows box for ASP.NET development. Seems like something called 'Server' would be needed for that, right? Nope.

I would certainly disable it on all desktops. In fact, Google 'unnecessary windows services' for a list of other services that seem to serve no practical purpose.

Re:That many Windows Servers unprotected and onlin (1, Informative)

Anonymous Coward | more than 5 years ago | (#27178753)

Regarding "stalling" CONFICKER specifically:

( From http://www.xtremepccentral.com/forums/showthread.php?s=265edfd9cff2fd6ef1993571b23d1598&t=28430&page=3 [xtremepccentral.com] )

----

"A.) STALL SERVER SERVICE (if you don't need a LAN/WAN to connect to & all you do is hit the internet on a single standalone machine)...

AND

B.) It recommends you stall out indiscriminate usage of javascript also!

Between those 2 measures (&, possibly ALSO, a HOSTS file that stops access to this CONFICKER worm's control servers -> http://forums.opendns.com/comments.php?DiscussionID=3043 [opendns.com] which leads to said list here -> http://www.f-secure.com/weblog/archives/Downadup_Domain_Blocklist_February.txt [f-secure.com])?

Hey... YOU TELL ME, lol, IF it works, or not..."

----

It'll work... additionally, blocking access via ACLs (access control lists) to the autorun.inf files in the root of your drives helps also (vs. how it spreads from USB sticks etc. et al).

(Do all of the above, especially if you don't need to be sharing disks/folders/files from your system to users over the public internet or a local LAN/WAN (saving CPU cycles, RAM, &/or other forms of I/O as well you would be otherwise wasting because you are not using what the server service provides, file & print sharing), & it quite literally (@ least theoretically) should "PROOF YOU" vs. this worm).

APK

P.S.=> That was regarding the /. article titled (from near when this worm was discovered):

New Conficker Variant Increases Its Flexibility:

http://news.slashdot.org/article.pl?sid=09/02/20/239229 [slashdot.org]

on 02/20/3009 here on this website... apk

It's required for Message Queueing Service (2, Interesting)

unity100 (970058) | more than 5 years ago | (#27179223)

which is an additional service that increases the latencies greatly in XP Pro and Vista and up. i.e., it can bring down a 400 ms World of Warcraft connection to 120 ms ping in the average case.

Re:That many Windows Servers unprotected and onlin (1)

PReDiToR (687141) | more than 5 years ago | (#27180123)

I think you're pushing people towards this [blackviper.com] site, or another like it.

I found BV's list years ago and it helped me turn off a lot of services that I didn't need. I was under the impression that my copy of Windows XP was faster and more stable than other people's.
At least, it got to 7 years old without needing to be reformatted and reinstalled. Pretty good for Windows if you ask me.

I stopped using Windows a couple of years ago so it doesn't matter to me now, but for all those people that haven't gone Linux yet this site can help keep your box up a bit longer.

Re:That many Windows Servers unprotected and onlin (1)

ion.simon.c (1183967) | more than 5 years ago | (#27178303)

Sounds like this permits sharing of those items over SMB?

So, if you're not "sharing" anything on that server, then you can turn this off, yes?

Also, I wonder if this service's interaction w/ the SMB Browsers would cause any adverse effects WRT browsing "Network Neighborhood" from a machine with this service disabled.

Ideas to actually secure yourself vs. CONFICKER (0)

Anonymous Coward | more than 5 years ago | (#27178693)

The Server Service can be disabled IF you don't need to share disks/folders/files OR printers from a particular machine to other machines on your network (be that on a local home or work LAN/WAN, or, over the public internet)...

( & yes, this would "proof you" vs. this CONFICKER worm (along w/ altering ACL's (most people use right-click on filename, SECURITY tab (need to enable SIMPLE FILE SHARING option in Explorer Tools/Folder Options menus/submenus to get this tab to appear)) on the autorun.inf file in the root of your drives as well so nothing can get to it except perhaps the SYSTEM "user-entity" with FULL control rights, others can use ICACLS.EXE).

I do all of that here on a single machine connected to the internet here @ home, & it works just fine, no problems result because I am not sharing disks/files/folders from this system...

(I additionally got ahold of the known list of servers this CONFICKER worm uses & equated them to 0 inside my HOSTS file (this can be done on Windows 2000/XP/Server 2003, & on VISTA/Server 2008/Windows 7, you use 0.0.0.0 instead of 0 (since the 12/09/2008 MS "Patch Tuesday" patches made using the superior/smaller/faster 0 impossible in a HOSTS file in VISTA/Server 2008/Windows 7))).

APK

P.S.=> Unlike the article title, which imo is actually somewhat MISLEADING? This actually WOULD function as a cure, not just a removal tool, providing you don't actually need to serve up files from shared disks/folders, AND it has another "hidden benefit" in that you are no longer wasting CPU cycles, RAM, &/or other forms of I/O running a service you may not actually NEED running in the SERVER service (set to startup type DISABLED via services.msc rightclick or doubleclick properties menu for reconfiguring it)... apk

Re:That many Windows Servers unprotected and onlin (0)

Anonymous Coward | more than 5 years ago | (#27179343)

This service is only needed if
a) You are on a LAN
b) Want to enable samba sharing
c) Want to share or use a shared printer (not networked printers, printers hooked up to someone's desktop)

Re:That many Windows Servers unprotected and onlin (1)

Muledeer007 (1127983) | more than 5 years ago | (#27180091)

Been disabled on my company laptop for three years running. I've only seen two things affected by disabling the server service - 1) I can't connect to my machine from another for file transfer (works the other way around) and 2) Network administration cannot take control of my machine or access my hard drive ....sad

Re:That many Windows Servers unprotected and onlin (0)

Anonymous Coward | more than 5 years ago | (#27178009)

server is the NAME of a service in windows... which "Supports file, print, and named-pipe sharing over the network for this computer"

Re:That many Windows Servers unprotected and onlin (5, Informative)

Opportunist (166417) | more than 5 years ago | (#27178167)

This "server" service has nothing to do with what you might expect from a "server", i.e. being a big machine that hosts a lot of stuff like mail or webpages. This "server" service is an integral portion of Windows' ability to share files through the local network and access network printers. Also, some other services (IIRC the whole bunch that deals with networking, from WiFi to telephony) depends on it.

In other words, the term "server" is maybe a bit preposterous. It's just the thingie that enables networking on Windows machines.

So, IMO, it's neither. It's neither a "real" server crappily configured by admins that should get their hands tied and pushed into administration where they can't do no harm, nor is it MS's fault for putting something that only a server OS should have on a desktop. It's simply the network thingamajig gone bad.

Re:That many Windows Servers unprotected and onlin (1)

smoker2 (750216) | more than 5 years ago | (#27178443)

As in Linux, you have servers whose job it is to provide services. This can be internally or externally. X server, mail server, print server etc.

Re:That many Windows Servers unprotected and onlin (1)

amnezick (1253408) | more than 5 years ago | (#27178545)

well .. it's Linux you're talking about. Linux and server are often met in the same sentence, so people have no problem when hearing: "Your Linux has X server problems and needs reconfiguration." But the second they hear "Your File sharing Server service is disabled and you need to enable it" for Windows they go like "wait; what? server?!? on my win-machine??"

see? it's just a matter of perception.

Re:That many Windows Servers unprotected and onlin (1)

Opportunist (166417) | more than 5 years ago | (#27179075)

More likely, people running Linux don't automatically connect "server" with "big, fat machine, swallowing jiggawatts of power and operates only with liquid helium flowing around it".

Re:That many Windows Servers unprotected and onlin (0)

Anonymous Coward | more than 5 years ago | (#27179957)

It's just a leftover from MS's war with Novell. Print servers and file servers were VERY (still are) common. Every desktop shipping with the capability of sharing files both ways was very appealing to IT managers of the day, instead of a VERY (at the time) expensive (and complex to use) Novell license and dedicated set of servers.

Back in the NT3.5/4/2000 days what was the diff between desktop (the pro ver) and server? A few registry bits.

Also back when I learned about servers and clients the prof would always draw the line back to itself on the server. Why? A server can be a 'client' even to itself. It is a subtle distinction.

Re:That many Windows Servers unprotected and onlin (4, Interesting)

s13g3 (110658) | more than 5 years ago | (#27178367)

You seem to be working under the assumption that most servers have real admins.

Fact of the matter is, outside the very largest of companies, a very large majority of internet connected servers are run by small to medium size business who do not have a full-time IT department and/or often cannot either afford all the necessary equipment and software and man-hours necessary to secure against these threats, esp. since good security often winds up annoying a high-level manager who insists that they should be able to log in to the network and all their apps without a password and insists they have passwords to every computer in the building and that they can use myspace messenger and browse the web from the DNS server if they want to (which they will).

Also, many many many web servers are hosted with hosting companies like the one I work for where less than 5% of the 10,000+ physical servers have anything like a knowledgeable admin and are instead run by idiots in India who use cracked VoipSwitch software (which is itself virus infected, but they keep using it anyway even though the virus causes them to have to re-install every week or two). Or you get people who want to run their own website but simply don't have the skills to maintain it properly, but are convinced they don't need a real admin either... or a firewall... or anti-virus.

Oh, and the desktop has nothing to do with anything - these services would exist and be just as exploitable regardless of a GUI, as it's not the GUI that is being exploited - it's the poorly coded system services and libraries that aren't subject to any kind of external or peer review, that are written by people who usually don't even know exactly what they are coding, leaving plenty of room for exploits of bad code to crop up.

Funny, now that I think about it, MS treats the coding of its OS similar to a terrorist operation, small groups of people working on compartmentalized tasks, never knowing who is doing exactly what or what the desired end-product actually is. This may be a great idea if you're a terrorist organization trying to get away with something and trying to prevent a loss of the whole project due to the capture of one or more cells, but this is not a good way to write software - I think the past 10+ years of shoddy performance and infection/exploit history of MS products should be a clear enough sign of the problem, but the MS execs are obviously too blind or ignorant to figure this out for themselves.

Re:That many Windows Servers unprotected and onlin (4, Interesting)

wvmarle (1070040) | more than 5 years ago | (#27178449)

Funny, now that I think about it, MS treats the coding of its OS similar to a terrorist operation, small groups of people working on compartmentalized tasks, never knowing who is doing exactly what or what the desired end-product actually is.

Funny, now I think of it, this is EXACTLY how the whole Linux development goes on. You have a bunch doing the kernel, doing X, doing Gnome, doing Gimp, doing OOo, etc. All doing little parts of what is going to be the operating system, without having a clue of what the end product even could be. They just make sure that their little piece works fine. And for the software to communicate with each other they use some standard protocols.

Microsoft has at least some top management that will define the final look and feel (at least I assume so, any reasonable OS company would do so). So the little parts do not need to know the total, they just need to know what THEY have to do.

For example the printer server (like CUPS). They have to make sure they can address all kinds of printers on all kinds of ports, and then produce some interface for other software to talk to the printer server. The printer server people don't need to know the total picture. They just have to make sure their printer server works, and that they can answer requests according to specifications.

It seems the problem of Windows development may be that they do NOT work like that. That they want to keep it as a whole, finding interfaces to talk to all different programs in different ways, instead of standardising and creating independent components. Like Linux where you can add the components you need, and depending on the components you have a business work station (include word processor, image viewer, e-mail software), a multimedia station (install Gimp, some video editor, video and music players), or a server (do not install any GUI, instead Postfix, Apache and the rest).

The reason all these little programs can talk to each other is that they use certain standards. All open standards, official or not, some may have developed their own standard. But they use standard file formats, standard interfaces (named pipe, sockets, network) that other software also uses, and thus they can be patched together and generally work fine with each other. And then the distro producers (Mandriva, Ubuntu, Debian) test and make sure all works as expected, and optionally add bits of glue or eye candy to the whole.

Microsoft could be well off by starting to work like that. Kernel and GUI separate. Split off IE and Media Player. Set some goals for the new version, plan for each part what functionality it has to provide and how it is going to provide this to the outside world (e.g. API), and when the parts are done, glue them together. It may just work.

Re:That many Windows Servers unprotected and onlin (1)

scubamage (727538) | more than 5 years ago | (#27179603)

QFT Parent. My current company is small, and I've been literally begging them for months to...
  • a) Put AV on all machines that leave our premises (because most of them connect back in, trusting it to the customer isn't good enough).
  • b) Let me install an IDS/IPS, (but have been told that the benefits don't outweigh the 10K it'll cost for 3 GigE taps, and a server that can deal with that much data without croaking).
  • c) Get on a one month delay before installing windows updates on all servers/workstations. Time for QC, but still mostly up to date.

Funny enough most of my requests have been met with a financial excuse like, "we can't afford that." Seems that this is changing now that our CEO and CFO both have virii on their machines. I guess getting infected made the threat seem more real?

Re:That many Windows Servers unprotected and onlin (2, Informative)

jonnyt886 (1252670) | more than 5 years ago | (#27178735)

Without elaborating what Windows Server service that might be... Are there really that many vulnerable, not firewalled Windows servers connected to the Internet? Or is this a Server function that has no business on a Desktop that is getting infected?

The Server service provides file/print sharing in Windows. Technically that means it should only run on servers, but think of the number of Windows boxes (e.g. on home networks) where people use file sharing between machines. You can stop it, though.

If you de-select 'File and Print sharing' in the Windows firewall exceptions page, you block access to the Server service. (If memory serves correctly, Windows XP SP2 and Windows Server 2003 SP1 block file/print sharing by default.)
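The hardening steps APK and jonnyt886 describe above (stop and disable the Server service, de-select the file and print sharing firewall exception, lock down autorun.inf with ACLs, sinkhole the worm's domains with 0.0.0.0 in HOSTS) can be audited in one pass. The script below is an added example, not code from this thread or from any vendor; it assumes Windows 8 / Server 2012 or later (where Get-NetTCPConnection and Get-NetFirewallRule exist), an elevated session, and a constructed placeholder sinkhole domain.

```powershell
# Added example, not from the thread: audit (and with -Harden, apply) the
# Server-service hardening discussed above. Assumes Windows 8 / Server 2012
# or later and an elevated session. Caveat noted in the thread: disabling the
# Server service breaks file/print sharing to this machine and remote admin of it.
[CmdletBinding()]
param(
    [switch]$Harden,
    # Constructed placeholder; substitute the blocklist you actually trust.
    [string[]]$SinkholeDomains = @('placeholder-c2.invalid')
)

$hostsPath = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$findings  = @()
function Add-Finding([string]$Check, [bool]$Ok, [string]$Detail) {
    $script:findings += [pscustomobject]@{ Check = $Check; Ok = $Ok; Detail = $Detail }
}

# 1. The Server service (LanmanServer) is the component the worm's SMB vector reaches.
$svc       = Get-Service -Name LanmanServer -ErrorAction SilentlyContinue
$startMode = (Get-CimInstance Win32_Service -Filter "Name='LanmanServer'").StartMode
Add-Finding 'Server service not running' ($svc.Status -ne 'Running') "Status=$($svc.Status)"
Add-Finding 'Server service disabled'    ($startMode -eq 'Disabled') "StartMode=$startMode"

# 2. With the service really off, nothing should be listening on the SMB ports.
$smb = @(Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalPort -in 139, 445 })
Add-Finding 'No SMB listeners (139/445)' ($smb.Count -eq 0) `
    (($smb | ForEach-Object { "$($_.LocalAddress):$($_.LocalPort)" }) -join ', ')

# 3. The firewall exception the thread says to de-select is the
#    'File and Printer Sharing' rule group on current Windows.
$fpsRules = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' `
              -Direction Inbound -ErrorAction SilentlyContinue)
$fpsOn = @($fpsRules | Where-Object { $_.Enabled -eq 'True' })
Add-Finding 'File and Printer Sharing inbound rules off' ($fpsOn.Count -eq 0) "$($fpsOn.Count) enabled"

# 4. The autorun.inf trick: the file exists in each fixed-drive root and only
#    SYSTEM may write it, so a USB-borne copy cannot plant its own autorun.inf.
$writeBits = [System.Security.AccessControl.FileSystemRights]::Write
foreach ($disk in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3') {
    $inf  = Join-Path $disk.DeviceID 'autorun.inf'
    $name = "autorun.inf guarded on $($disk.DeviceID)"
    if (-not (Test-Path $inf)) { Add-Finding $name $false 'file missing'; continue }
    $writers = @((Get-Acl $inf).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference -notlike '*\SYSTEM' -and
        (($_.FileSystemRights -band $writeBits) -ne 0)
    })
    Add-Finding $name ($writers.Count -eq 0) "$($writers.Count) non-SYSTEM writer ACEs"
}

# 5. HOSTS sinkholes. As the thread notes, after the December 2008 patches
#    Vista/2008/7 need 0.0.0.0; a bare 0 only works on 2000/XP/2003.
$hostsLines = if (Test-Path $hostsPath) { Get-Content $hostsPath } else { @() }
$missing = @($SinkholeDomains | Where-Object {
    $pattern = "^\s*(0\.0\.0\.0|0)\s+$([regex]::Escape($_))(\s|$)"
    -not ($hostsLines -match $pattern)
})
Add-Finding 'HOSTS sinkholes present' ($missing.Count -eq 0) ('missing: ' + ($missing -join ', '))

if ($Harden) {
    Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
    Set-Service  -Name LanmanServer -StartupType Disabled
    if ($fpsOn.Count -gt 0) { $fpsOn | Disable-NetFirewallRule }
    foreach ($d in $missing) { Add-Content -Path $hostsPath -Value "0.0.0.0 $d" }
}

$findings | Format-Table -AutoSize
```

Run it without -Harden first; any row with Ok = False is a vector the thread's advice would close, and on a machine that does share files or is remotely administered, steps 1 and 3 are the ones that will break that.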

so what? (4, Interesting)

dblackshell (1450807) | more than 5 years ago | (#27177959)

ESET's ThreatSense technology (heuristically) recognizes all the variants... F-Secure did a Conficker removal tool on the 27th of February...

And above all that, I'm skeptical about the "delete all versions" phrase, because BitDefender, as the (bloated) AV that it is, is pretty much signature based and has very weak heuristic detection...

Re:so what? (0)

Anonymous Coward | more than 5 years ago | (#27179699)

Funny, BD has found infections that AVG, Trend Micro, Kaspersky, etc. have completely missed. It even removed several rootkits and I was able to boot afterward (Trend Micro found one and the system was left in an entirely unusable state "system administrator has disabled task manager/registry edit" with NO way of restoring them and trust me I tried). It's also not as big as you seem to be implying. I can download a copy in under a couple minutes. Maybe you're thinking of Norton or McAfee?

could have done with this yesterday... (5, Interesting)

advocate_one (662832) | more than 5 years ago | (#27177981)

yesterday I was forced to dust off and nuke a Vista laptop from orbit... (after using Knoppix to rescue the data first)

We need a removal tool that can be run from a safe Linux environment (ie boot using a live disk etc., then run the tool from a USB drive)... not running it from inside windows where the Conficker is already running

Re:could have done with this yesterday... (0)

Anonymous Coward | more than 5 years ago | (#27178047)

We do. It's called "debootstrap".

Re:could have done with this yesterday... (2, Interesting)

advocate_one (662832) | more than 5 years ago | (#27178095)

We do. It's called "debootstrap".

har, har... that's as pointless as the ubuntu link troll earlier... The laptop runs Vista because of the applications that have to run on it; if those apps ran in Linux, then I wouldn't have had the problem in the first place...

Re:could have done with this yesterday... (0)

Anonymous Coward | more than 5 years ago | (#27178169)

Yeah, except the average Ubuntu user doesn't know what debootstrap is.

But seriously: why don't you run a copy of Windows in some VM, mount a data partition read-write, and not allow changes to the Windows root? Then you get the best of both worlds (except for dealing with peripherals... but that doesn't sound like your use case?)

Re:could have done with this yesterday... (1)

Jamie's Nightmare (1410247) | more than 5 years ago | (#27178445)

Any idea as to how this machine got infected in the first place? Was the firewall disabled? Windows updates disabled? Who do you believe dropped the security ball in this instance?

I'm also interested in why you can't remove the virus from inside Windows. While I have no personal experience with Conficker myself and I haven't done bench work since 2006, in practice I found anything could be removed in safe mode with the right tools [microsoft.com] and knowledge.

Re:could have done with this yesterday... (1)

Computershack (1143409) | more than 5 years ago | (#27178653)

Any idea as to how this machine got infected in the first place?

Like 99% of infections, user stupidity. Sadly, if these users were using Linux, the same would happen because the security prompt would come up and they'd shove in their password and you're off. With Ubuntu having massive popularity amongst Windows converts, it makes it more and more likely as targeting one distribution is fairly easy.

Re:could have done with this yesterday... (1, Informative)

Anonymous Coward | more than 5 years ago | (#27178207)

Then use a live Windows CD such as BartPE or other preinstallation environment, together with the USB drive, and nuke the malware from there.

Re:could have done with this yesterday... (5, Informative)

sami_potirca (464900) | more than 5 years ago | (#27178409)

We need a removal tool that can be run from a safe Linux environment (ie boot using a live disk etc. ...)

Well, the guys at bitdefender do have a rescue cd [bitdefender.com] that can be used to disinfect a windows machine.

Re:could have done with this yesterday... (3, Interesting)

Savior_on_a_Stick (971781) | more than 5 years ago | (#27178839)

My experience has been that *nix livecd based rescue disks aren't worth spit.

The reason given by Kaspersky for discontinuing their linux based rescue cd was that in order to effectively access and safely make changes to the windows data structures.

In essence, they had to engineer a mini windows.
And given the nature of how av works, it stands to reason that the extent of the emulation has to be very exact for the package to be effective.

That's why they switched to a PE based rescue disk.

I use ubuntu as one tool against malware.
I require those using usb sticks to bring them by my desk periodically. Insert/mount/visually delete any file in the root that shouldn't be there - move on.

I also have a desktop that runs Ubuntu with xp in a vm used only for certain specific apps.

The xp vm has no internet or lan access, other than imap and smtp to a specific address, and with the snapshot function, I can reroll the xp vm in a moment should I find that I missed a hole and something got in anyway.

I like Ubuntu, but it does have one notable negative effect - it's lowered the bar to linux entry to the point now where every tool that can double click wubi now thinks that makes them an expert, and that their opinion is well informed, when it really isn't.

That's not a condemnation of linux or the efforts to bring *nix to the masses - it's just the nature of the beast.

Re:could have done with this yesterday... (0)

Anonymous Coward | more than 5 years ago | (#27179775)

Soo... your experience with the BitDefender live CD is that Kaspersky discontinued theirs. And yet you feel informed enough to comment.

Re:could have done with this yesterday... (2, Informative)

eulernet (1132389) | more than 5 years ago | (#27179151)

Here are some more, sorted by last release date:

http://www.freedrweb.com/livecd [freedrweb.com]
(Dr Web, February 2009)
http://dnl-eu3.kaspersky-labs.com/devbuilds/RescueDisk/ [kaspersky-labs.com]
(Kaspersky December 2008)
http://www.f-secure.com/linux-weblog/2008/11/ [f-secure.com]
(FSecure November 2008)
http://free-av.de/en/tools/12/avira_antivir_rescue_system.html [free-av.de]
(Avira, ???)
http://www.mwti.net/products/mwav/mwav.asp [mwti.net]
(MicroWorld, ???)

Re:could have done with this yesterday... (0)

Anonymous Coward | more than 5 years ago | (#27178857)

This can easily be done using BartPE with a virus scanner plugin. In fact, I think this is how most virus scanning should be done IMO, since the locks and hiding mechanisms usually don't work like this. BartPE on a USB stick to be able to update the virus scanner without burning a CD, as they are going the way of floppies. Not sure BartPE will install to a USB stick though.

Re:could have done with this yesterday... (1)

Magada (741361) | more than 5 years ago | (#27178981)

not running it from inside windows where the Conficker is already running

Why not? It seems to work all right.

It's a Trap (-1, Troll)

WallyDrinkBeer (1136165) | more than 5 years ago | (#27177983)

No thanks. This is a fix from a strange company in a country that is not America. How can that be a good idea?

Re:It's a Trap (0)

Anonymous Coward | more than 5 years ago | (#27178069)

I hope that was sarcasm....

Re:It's a Trap (0)

Anonymous Coward | more than 5 years ago | (#27178275)

I hope he knows that Romania made the best Anti-Virus solution ever, RAV (Romanian Anti Virus) and that Microsoft bought it. Too bad they never used it.

Paranoia, the destroyer (0, Troll)

greg1104 (461138) | more than 5 years ago | (#27178023)

It's good to see something involving Romania and security that's positive for a [ic3.gov] change [www.ziua.ro]. Wait, do we know where the authors of Conficker came from? Hmmmm...

Conficker... old FUD (0)

Anonymous Coward | more than 5 years ago | (#27178049)

the Romanians did not find a cure for Conficker.. well put it this way.. if they just did they are about 30 days too late. AV, as bad as it is, does in fact detect all variations and all the so called C&C nodes are now in blackholes.. so if just today the Romanian firm is trying to pimp their protection they are as you put it: "a dollar short and a day late". OLD NEWS

Re:Conficker... old FUD (1)

Computershack (1143409) | more than 5 years ago | (#27178663)

There posts someone who hasn't been keeping up to things. Conficker now has over 50,000 new domains PER DAY and push technology is now being used as well so saying the C&C nodes are now blackholes and it's useless is just plain wrong. The only person 30 days late here is you.

Romulans. (4, Funny)

Twide (1142927) | more than 5 years ago | (#27178077)

Well, usually the Romulans keep to themselves instead of sharing all this information, for all we know, it could be them that started it!

Something must be up in the Star Empire.

*Appends To Trek Journal*

Re:Romulans. (1)

SeaFox (739806) | more than 5 years ago | (#27178573)

Sadly, I also read it as "Romulans". But I just finished watching a random Star Trek TNG clip on YouTube, so I have an excuse.

It can't be helped (0, Troll)

Idiomatick (976696) | more than 5 years ago | (#27178125)

Obligatory... Here is the link to the cure [ubuntu.com]

Re:It can't be helped (4, Funny)

JazzLad (935151) | more than 5 years ago | (#27178195)

No, this is The Cure [thecure.com]

Re:It can't be helped (1, Funny)

Anonymous Coward | more than 5 years ago | (#27178353)

Dear god... then what was the disease?

Oh right. Seventies suburbia. It was worth chewing a leg off.

another quality kdawson link (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27178263)

old old fucking news. conficker has had removal tools for a month. fuck, you're a dud.

"Vaccination" (1, Informative)

Anonymous Coward | more than 5 years ago | (#27178311)

Vaccination tool to remove...

I do not think it means what you think it means.

Some Finnish guy also has a cure (-1, Flamebait)

hkon (46756) | more than 5 years ago | (#27178357)

He's called it Linux. It came out 15 years ago today.

Re:Some Finnish guy also has a cure (0, Flamebait)

lxs (131946) | more than 5 years ago | (#27178369)

Does he still pronounce leenooks as leenooks?

BitDefender Tool Unsuccessful (0)

Anonymous Coward | more than 5 years ago | (#27178459)

I just ran the bd tool on a conficker-infected XP SP2. It said that it found the infection; it then killed some processes and then prompted for a reboot. Before rebooting, however, I ran http://www.enigmasoftware.com/a1/download/cfremover.exe - it detected the infection as well. After rebooting, I ran both tools again. bd tool found no infection. But the infection was still present - its presence was confirmed by enigma's removal tool. The enigma tool is able to successfully remove the infection.

Re:BitDefender Tool Unsuccessful (0)

Anonymous Coward | more than 5 years ago | (#27179035)

Maybe you should have rebooted when it told you to?

quickscan (1)

Jaymzu (544354) | more than 5 years ago | (#27178481)

On bdtools.net there seems to be a link to a sister site that can perform a quick check on your system. However I'd suggest using the IP address (http://91.199.104.31/) instead of the link since it points to bd.com which will most likely be filtered by the virus.

So confusing! (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27178509)

How exactly do you prevent this worm?

Disable autoplay? Autoplay is a feature though.
Disable network sharing? How annoying.
The KB958644 patch? Does that protect you, or does it simply prevent one method of catching it?

A cold is a cold, and although preventing it from entering your computer is an idea, the goal should be making the computer immune to whatever the vulnerability is.

I should have a say on what programs (what a computer virus is) are allowed to run.

What's worse is Microsoft's apparent unwillingness to let SP1 machines get patched. SP2 is more than a fix or update, it's messing with Internet Explorer adding a pop-up blocker, and it adds a firewall to your computer regardless of whether you want it. These things, coupled with some people's unwillingness to do such a thing to their computer, will probably result in more infections.

Mod me down for "rant". I am not sure if anything I said is considered constructive, other than my hint at that Microsoft should let SP1 machines be patched for major worms such as this.
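
For readers asking the same question as this post, here is an added check script (not from any poster on this thread) that reports the state of the three mitigations the post names: the KB958644 (MS08-067) patch, autorun, and the Server service that carries the sharing vector. It assumes it runs on the Windows host itself with PowerShell 2.0 or later and administrator rights.

```powershell
# Added example, not from the thread. Reports whether the three mitigations
# discussed in the post are in place on this Windows host.

function Test-ConfickerMitigations {
    $result = @{}

    # 1. The MS08-067 patch (KB958644) closes the Server service hole the worm
    #    exploits. This is the actual fix; the two settings below only narrow
    #    the ways an unpatched machine can be reached.
    $hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
    $result.Ms08067Patched = [bool]$hotfix

    # 2. Autorun. NoDriveTypeAutoRun = 0xFF under the Explorer policy key turns
    #    autorun off for every drive type, which blocks the removable-media vector.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $val = (Get-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' `
            -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
    $result.AutorunDisabled = ($val -eq 0xFF)

    # 3. Network sharing. The Server service (LanmanServer) is what exposes file
    #    sharing to the network; if it is stopped the host cannot be reached over
    #    that path, at the cost of losing shares (the "how annoying" trade-off).
    $svc = Get-Service -Name 'LanmanServer' -ErrorAction SilentlyContinue
    $result.ServerServiceRunning = ($svc -ne $null -and $svc.Status -eq 'Running')

    return New-Object PSObject -Property $result
}

$state = Test-ConfickerMitigations
$state | Format-List

if (-not $state.Ms08067Patched) {
    Write-Warning 'KB958644 (MS08-067) not found: install the patch; the workarounds alone are not immunity.'
}
if (-not $state.AutorunDisabled) {
    Write-Warning 'Autorun is not fully disabled (NoDriveTypeAutoRun is not 0xFF).'
}
```

Get-HotFix reads the same update inventory as "Add or Remove Programs", so on a machine where that list has been cleaned it can miss an installed patch; treat a false "not patched" as a prompt to check Windows Update rather than proof.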

F-Secure has had a removal tool (0)

Anonymous Coward | more than 5 years ago | (#27178583)

available for months:

http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml [f-secure.com]

I don't know that I'd be willing to run anything from some unheard of company, especially from Romania!

Also, I thought the Windows Malicious Software Removal tool was removing Conficker now. Anyone know if that's the case or not?

WTF!? Who cares? (0, Troll)

Anachragnome (1008495) | more than 5 years ago | (#27178781)

"It spreads primarily through a buffer overflow vulnerability in Windows Server Service where it disables the operating system update service, security center, including Windows Defender, and error reporting."

I disabled all that shit, myself, intentionally. I'm serious.

After I realized that one of the recent "hotfixes" from Microsoft installed a spyware "plugin" in Firefox, off that shit went. For good.

Sorry to be a pedantic ass but... (0, Offtopic)

AbRASiON (589899) | more than 5 years ago | (#27178939)

Is the correct term "cure" for removing a software virus?
The first 10 seconds after reading this I was trying to figure out "what's the conficker virus, who is it killing?" etc.

I would've thought fix / solution / tool / patch / antivirus routine would be better than 'cure'

I could be wrong though, I've been using PCs for 18 years now and despite plenty of piracy I've never had a virus, so I've never had to cure one.

Canonical Released a Removal Tool Free (-1, Redundant)

Anonymous Coward | more than 5 years ago | (#27179255)

it's called Ubuntu antivirus

http://www.ubuntu.com/products/whatisubuntu

Well that's all fine and dandy... (1)

cronco (1435465) | more than 5 years ago | (#27179491)

But it was also the Romanians that managed to get the mainframe of their jail system infected with Downadup and the whole database was wiped out. At least that's how the media here reported it. "Luckily" there was a back-up plan. A very "old-school" back-up plan.

That's right. The back-up was on dead trees. So now they have put all that data in by hand.

Talk about a bipolar country.

Nice, but this is Conficker we're talking about. (1)

icannotthinkofaname (1480543) | more than 5 years ago | (#27179585)

inb4 Conficker evolves to evade and/or destroy this tool.

Seriously, there was already a fix pushed out for this. Conficker grew to overcome it, which is why the problem still exists today. There is no way this project is going to be this simple. These Romanians are in for a fight if they truly want to cure the Conficker epidemic.

Anonymous (0)

Anonymous Coward | more than 5 years ago | (#27180137)

From wikipedia: "On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability.[28] Removal tools are available from Microsoft,[29] BitDefender,[30] ESET,[31] Symantec,[32] Sophos[33] and Kaspersky Lab while McAfee[34] can remove it with an On-Demand Scan.[35]"