
Conficker Worm Asks For Instructions, Gets Update

CmdrTaco posted more than 5 years ago | from the wormed-its-way-into-my-heart dept.

Worms 285

KingofGnG writes "Conficker/Downup/Downadup/Kido malware, that according to Symantec 'is, to date, one of the most complex worms in the history of malicious code,' has been updated and this time for real. The new variant, dubbed W32.Downadup.C, adds new features to malware code and makes the threat even more dangerous and worrisome than before."


285 comments


It all makes sense now. (-1, Flamebait)

Anonymous Coward | more than 5 years ago | (#27211227)

Sluts get crabs, nerds get worms.

At least I can buy a new computer.

Re:It all makes sense now. (-1, Troll)

Philip K Dickhead (906971) | more than 5 years ago | (#27211775)

Israeli military 'bot.

coward (4, Funny)

Anonymous Coward | more than 5 years ago | (#27211233)

FIRST! now.. where do i get that update ?

Damn (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27211255)

Pretty soon it'll be asking you to fick corn. Of course this will not affect you unless you're a Nebraskan.

Re:Damn (5, Insightful)

Anonymous Coward | more than 5 years ago | (#27211859)

It continually amuses me how the mainstream media managed to censor the name of this worm. It was originally conficker, which is slang/shorthand for 'configuration file fucker', but using the German fick instead. It was also known as 'downandup' as in the hip motion; both clearly sexual references. Since any kind of indirect reference to sex gets you scrutiny and/or shunning from the Moral Majority, suddenly we have 'downadup'.... So much better?

Updates? (3, Funny)

BrokenHalo (565198) | more than 5 years ago | (#27211265)

Just so long as it doesn't insist on verification to check that nobody is using an unauthorised copy. After all, we wouldn't want to encourage piracy... ;-)

Who care? (5, Funny)

Clarious (1177725) | more than 5 years ago | (#27211269)

I run Linux! http://xkcd.com/272/ [xkcd.com]

I do (5, Funny)

PinkyDead (862370) | more than 5 years ago | (#27211479)

I run VMWare on Linux! http://xkcd.com/350/ [xkcd.com]

Re:I do (1)

CannonballHead (842625) | more than 5 years ago | (#27212421)

that was entertaining :)

Re:Who care? (-1, Troll)

Computershack (1143409) | more than 5 years ago | (#27211537)

Well as you're obviously feeling left out,
here's one that came out last week for you. [cnet.com]

Re:Who care? (1)

AlterRNow (1215236) | more than 5 years ago | (#27211619)

Last week? The year is currently 2009.

*chomp*

Re:Who care? (0)

Anonymous Coward | more than 5 years ago | (#27211635)

Last week? The date at the top of that article you linked to says "September 14, 2002 9:35 PM PDT"

Re:Who care? (3, Informative)

Lostlander (1219708) | more than 5 years ago | (#27211653)

[quote]The worm targets Apache Web server installations [/quote]
Apache while an important application is NOT Linux.

Re:Who care? (1)

Lostlander (1219708) | more than 5 years ago | (#27211665)

Fail for me on the quote brackets. I blame phpbb and bbcode for ruining my html posting skills.

Re:Who care? (3, Funny)

KingOfGod (884633) | more than 5 years ago | (#27211883)

What do you blame your inability to read the mandatory preview on?

Re:Who care? (5, Funny)

Lostlander (1219708) | more than 5 years ago | (#27212219)

What do you blame your inability to read the mandatory preview on?

I'm American, I don't have time to make sure I'm correct before spouting off at the mouth.

Re:Who care? (5, Funny)

spacefiddle (620205) | more than 5 years ago | (#27212595)

What do you blame your inability to read the mandatory preview on?

Whatever we can blame yours on, I suppose!

UAC doesn't hold a candle to linux permissions (0)

Myrcutio (1006333) | more than 5 years ago | (#27211715)

Sounds like this worm would be really easy to make toothless if it wasn't given admin privileges. As far as I know, you would need to sudo any program for it to remove a higher authority program from memory.

UAC isn't a valid replacement for this in Windows; it's just an irritation. Until Windows decides to scrap its access rights and emulate Linux, worms like this are going to get worse.

Re:UAC doesn't hold a candle to linux permissions (4, Insightful)

Sancho (17056) | more than 5 years ago | (#27212209)

Windows permissions are quite fine-grained. They're much more flexible than POSIX permissions--comparable to ACLs, in fact, which fewer people use on Linux.

The problem isn't the permission scheme at all, but a combination of legacy, a ruthless dedication to backwards compatibility, and lazy software developers who don't understand the guidelines that Microsoft (now) sets forth regarding secure development from their platform. Maybe throw in a dash of OEMs setting people to administrator by default, but until the other stuff is fixed, that's the only way that they're going to sell any computers.

That said, UAC is a lot like requiring sudo without a password, except that in theory, a user process can't automatically click "ok" for you.

Re:UAC doesn't hold a candle to linux permissions (2, Informative)

Hurricane78 (562437) | more than 5 years ago | (#27212615)

I once used Windows XP in that mode, where everything and its dog was locked down by the ACLs. It was pretty nice to know that a virus could really only frag my (backed-up) user account. But it was a pain in the ass for configuration and installation, mostly because the programs were not made for it. They did not expect anything to be locked down at all. Even internal Microsoft programs. So you very often got crashing programs and the like, because they hiccuped on a non-accessible resource.

But then I realized that security holes of software that was too tightly integrated with the OS, made the whole thing useless.

Luckily I now use virtualization, and as my sig says:

Re:Who care? (2, Funny)

AVryhof (142320) | more than 5 years ago | (#27212513)

I run Conflicker.

Dumbasses (4, Funny)

RoFLKOPTr (1294290) | more than 5 years ago | (#27211273)

If people would stop downloading free_porn.jpg from 4chan, renaming it to free_porn.exe, and running it... we would not be having these problems.

Re:Dumbasses (2, Insightful)

Spazztastic (814296) | more than 5 years ago | (#27211433)

If people would stop downloading free_porn.jpg from 4chan, renaming it to free_porn.exe, and running it... we would not be having these problems.

If people would stop jumping to conclusions and assuming the answer is that simple, we would not be having these problems.

Who modded him insightful? This virus isn't spreading because of people doing something clearly shady, it's because Internet Explorer still has the JPG exploit unresolved. The user can simply view a webpage with a malicious image (which could just be a 1px whitespace) and it executes the malicious code. I've dealt with many computers in the past months since it surfaced.

Solutions? Don't use IE. Use SpyBot Search & Destroy to harden the systems, use Firefox with Adblock+ and NoScript. Use an antivirus program that actually has a webguard, such as Avira [avira.com] .

Re:Dumbasses (0)

Anonymous Coward | more than 5 years ago | (#27211501)

Who modded him insightful?

Haven't you heard? Insightful is the new funny. Oh, and, you know, whoosh

Re:Dumbasses (0)

Anonymous Coward | more than 5 years ago | (#27212485)

(META)

I do appreciate that insightful is reserved for funny+karma. I have a good experience with:

          -1 Insightful 0 Offtopic
          0 Interesting -3 Flamebait
          -4 Funny 0 Troll
          0 Informative -2 Redundant

Re:Dumbasses (2, Insightful)

ColdWetDog (752185) | more than 5 years ago | (#27211503)

Solutions? Don't use IE. Use SpyBot Search & Destroy to harden the systems, use Firefox with Adblock+ and NoScript. Use an antivirus program that actually has a webguard, such as Avira.

Sounds like an awful lot of work. Maybe move to a different OS?

Re:Dumbasses (4, Insightful)

Spazztastic (814296) | more than 5 years ago | (#27211611)

Solutions? Don't use IE. Use SpyBot Search & Destroy to harden the systems, use Firefox with Adblock+ and NoScript. Use an antivirus program that actually has a webguard, such as Avira.

Sounds like an awful lot of work. Maybe move to a different OS?

Ok, sure. It's a lot of work if you look at it in a simple fashion of throwing an Ubuntu CD at some user and saying "SUCK LESS THX"

How about the hours that go into training one or many users in a company on using that new OS? Compatibility problems? Setting up specialized software?

System hardening is a more cost-effective decision than switching OSes or having to clean up every computer that comes up with the problem. It takes about two hours at most to do it from scratch on one system image, then you can reimage as many computers as come up with the problem.

Re:Dumbasses (4, Informative)

truthsearch (249536) | more than 5 years ago | (#27211759)

It takes about two hours at most to do it from scratch on one system image, then you can reimage as many computers as come up with the problem.

Except new holes and malware will keep appearing and the process will need to be done over and over. Add it all up and it's a lot of hours. In the long run it might be cheaper to switch OSes and retrain if that new OS is generally more secure and easier to harden up front.

Re:Dumbasses (1)

Spazztastic (814296) | more than 5 years ago | (#27211795)

Except new holes and malware will keep appearing and the process will need to be done over and over. Add it all up and it's a lot of hours. In the long run it might be cheaper to switch OSes and retrain if that new OS is generally more secure and easier to harden up front.

Group policy scripts can have new hosts files downloaded and put in place, antivirus updates can patch holes, etc.

I'm 100% with trying to move to Open Source, and I'm trying to push an Edubuntu lab in this district, but it's a lot of work to apply it to the administrative systems.

Re:Dumbasses (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27212747)

If you weigh all the third party programs such as the following:

Firewall
NIPS
HIPS
A/V
Anti-malware
Anti-bot
Anti-keylogger
Anti-Trojan
Anti-rootkit
Integrity checker

that are needed to keep Windows even near secure, then the cost of moving to a virtually 100% secure platform like OS X isn't that unreasonable. OS X is going on the far side of a decade now, and there has yet to be a widespread worm or malware attack that users have to concern themselves with.

Using a Mac serves two purposes. It inoculates you from the mainstream threats that cause most everyone to run for shelter. It also means that other people have one less potential botnet client to worry about.

Re:Dumbasses (3, Insightful)

JonTurner (178845) | more than 5 years ago | (#27211777)

>>How about the hours that go into training one or many users in a company on using that new OS? Compatibility problems? Setting up specialized software?

Still probably cheaper than having your entire network (and all corporate data, financial plans, product designs, confidential data, HR information, payroll, etc.) owned by a botnet and copied to who-knows-where.

Re:Dumbasses (1)

salesgeek (263995) | more than 5 years ago | (#27211909)

System hardening is a more cost-effective decision

Says who? On what basis? Yes, changing OS is disruptive, but it solves the problem of malware in near finality. Personally, I made the jump this year, and have not lost a single day to malware or OS issues. I can still run Windows apps when needed (hello VirtualBox), but don't have to for the basics: email, web, word processing, etc... VirtualBox in many ways is a padded cell to Windows insanity.

Reimaging is all fine and good until the guy in accounting calls and asks where the pro forma balance sheets for next week's annual report went that were on drive C:. Also: pushing a reimage to your users is easier on paper than it is in real life. Add to that the average cost of a new PC may be substantially less than fixing a software-hosed one (data recovery is THE COST), and you really have to wonder why IT people continue to protect bad infrastructure.

Don't even get me started with some of the features of Linux that make it incredible for network use: X11, AndrewFS, CUPS, interoperability (it talks to everything), apt (or rpm), OpenVPN, etc... All of which remove barriers, while much software creates them. When all you have is a hammer, everything looks like a nail.

Re:Dumbasses (1)

Spazztastic (814296) | more than 5 years ago | (#27212221)

All of my posts are coming off as anti-linux, and I'm not. I've tried to push it but nobody moves on it.

In the place I work for, we tell users to ALWAYS put your files on your network shares. We don't back up your data before we reimage it because you went to a website that is not work relevant or got a virus from plugging in your brother's thumb drive with a virus embedded in U3. It's proven to work well here, and if they do tell me that they need something backed up, I pop in my Knoppix thumb drive, back it up, and then reimage it.

Re:Dumbasses (1)

Ritz_Just_Ritz (883997) | more than 5 years ago | (#27212525)

Personally, I'd balance those "retraining" costs against the potential cost of having some careless person infect your corporate network and then having to deal with the fallout.

Sure, there are companies that have the need to run specific applications that (today) only work in a Windows environment. But the VAST majority of office drones out there are basically using Microsoft Office, a mail client, and a web browser. Migrating that typical user to OpenOffice + some non-Outlook client + Firefox is not THAT herculean of a task. A pain in the ass for a few days? Sure. Compared to a company-wide Conficker (or worse) infection? Not even close.

Best,

Re:Dumbasses (2, Funny)

elmedico27 (931070) | more than 5 years ago | (#27211683)

Sounds like an awful lot of work. Maybe move to a different OS?

How is migrating to a completely new OS more work than installing three programs?

Re:Dumbasses (0, Redundant)

elmedico27 (931070) | more than 5 years ago | (#27211693)

Dammit, that should say less work.

Need... more... coffee....

Re:Dumbasses (1)

camcorder (759720) | more than 5 years ago | (#27211785)

You might install them once, but you need to run them zillion times. At least migrating to another OS would save you from total time spent using an inferior one.

Re:Dumbasses (1)

Kokuyo (549451) | more than 5 years ago | (#27211697)

Thanks, I'd like an OS that does what I want.

And before someone mods me Troll, I'd like to state that I have tried getting used to several versions of Ubuntu and Mandriva. While Mandriva by far had the better experience for me, I still wasted hours and hours to get stuff to work that just works out of the box on XP.

So while I appreciate Linux as a server OS and while I see many happy people running linux, it just isn't the OS for me.

Therefore, compared to all the trouble I usually have with linux, this 'awful lot of work' seems rather enjoyable in comparison. And no, MacOS is not an alternative, since I really can't afford the hardware (and, again, don't want to hack the thing onto my own machine...).

Re:Dumbasses (5, Informative)

Urd.Yggdrasil (1127899) | more than 5 years ago | (#27211667)

Uhh, what? I have no idea what this "JPG exploit" you're talking about is. Conficker spreads through the MS08-067 [microsoft.com] RPC vulnerability, removable media, and shared folders; nothing to do with IE or JPEGs.

Re:Dumbasses (0)

Spazztastic (814296) | more than 5 years ago | (#27211705)

Uhh, what? I have no idea what this "JPG exploit" you're talking about is. Conficker spreads through the MS08-067 [microsoft.com] RPC vulnerability, removable media, and shared folders; nothing to do with IE or JPEGs.

I might be off on how it's spread, but I know of many other viruses that spread because of the JPG exploit. If I were at home I would dig up the sample image I have that, if opened in IE, opens up a message box saying "Your browser is insecure!". Using the simple JavaScript that it does to make that message, you can use it to open up popups to malicious webpages, offensive material, etc.

Re:Dumbasses (1)

Urd.Yggdrasil (1127899) | more than 5 years ago | (#27211771)

I really wish you would upload a sample someplace because I have never heard of anything like this. The last widely exploited image-file-based exploits that I know of were the ANI and WMF vulnerabilities, and those were patched a while ago.

Re:Dumbasses (2)

Jamie's Nightmare (1410247) | more than 5 years ago | (#27211839)

That's because it was patched [microsoft.com] quite a while ago. I've got a sneaking suspicion this guy has Windows Update completely disabled, and is still using XP with no service packs because he "can't trust" Microsoft updates.

Re:Dumbasses (1)

Spazztastic (814296) | more than 5 years ago | (#27211879)

I've got a sneaking suspicion this guy has Windows Update completely disabled, and is still using XP with no service packs because he "can't trust" Microsoft updates.

Sounds like you've been reading too much of TheDailyWTF. I sound like a lying jackass right now because I can't provide an example, but once I get home I'll reply with one.

Re:Dumbasses (1)

Tony Hoyle (11698) | more than 5 years ago | (#27212325)

It exists, but I'm not sure of the details - I do know there have been a few jpegs on the wow forums in the last few months with a payload on them, and some have been caught out before the image was deleted.

Re:Dumbasses (1)

Spazztastic (814296) | more than 5 years ago | (#27211843)

I really wish you would upload a sample someplace because I have never heard of anything like this. The last widely exploited image-file-based exploits that I know of were the ANI and WMF vulnerabilities, and those were patched a while ago.

When I get home this evening I'll reply to this with it, I can't get onto the message board I found it in.

Re:Dumbasses (1)

joelmax (1445613) | more than 5 years ago | (#27211975)

The JPG exploit is actually an old one (I thought even MS got this exploit in SP2 or something like that) and is really easy. Basically you take a JPG image, open it with a file compression app and then drop your payload in. When the image is loaded, the payload is executed, effectively infecting systems. Really, as an exploit it is quite a frustration; however, as a means of cheap encryption it could prove entertaining (need your buddy to get your message and not have the teacher read it in front of the class)... Now, granted, there is a little more to it than that, however that is the basics of the JPG exploit and how it works.

Re:Dumbasses (1)

Urd.Yggdrasil (1127899) | more than 5 years ago | (#27212163)

I still very much doubt it, for the simple reason that if this was indeed a publicly known vulnerability that required no javascript and could be executed by opening an image file every hacker and their grandma would be using it right now. Those sorts of exploits are very valuable to malware authors.

Re:Dumbasses (1)

NatasRevol (731260) | more than 5 years ago | (#27212577)

You mean like the cornflicker people???

Re:Dumbasses (1)

Urd.Yggdrasil (1127899) | more than 5 years ago | (#27212649)

I mean any malware author. Code execution vulnerabilities in non-executable file formats like images or documents can get through email and intrusion detection systems much more easily than EXEs.

Re:Dumbasses (4, Informative)

Jamie's Nightmare (1410247) | more than 5 years ago | (#27211739)

Internet Explorer still has the JPG exploit unresolved.

You would be right, except for this patch [microsoft.com] that was released in 2004 shows that you aren't.

Re:Dumbasses (1)

Surrounded (1487683) | more than 5 years ago | (#27211799)

You do realize that during a somewhat recent (last 2 years) hacker convention, Vista/IE was only exploitable AFTER another product was installed (Adobe). The whole "Blame IE" mantra is really annoying and has lost most of its merit. Firefox has critical security flaws just like IE.

The real solution? Use SpyBot, your favorite browser (if it happens to be IE, use IE7Pro with ad blocking, which is free), use your antivirus program (which probably won't protect you entirely), and the most important part? Check what links point to and whether you trust the site you are on.

Re:Dumbasses (1)

xorsyst (1279232) | more than 5 years ago | (#27212427)

And if you must run as local admin (which, to be honest, is sometimes the only way to get stuff done), consider using Drop My Rights [cybercoyote.org] to run any given program under lower privileges. My Firefox runs this way on my otherwise admin system. I only remembered this the other day when I tried to install the latest Acrobat Reader update and it complained it didn't have sufficient privileges.

Just got hit by a .exe with adblock+ on (2, Interesting)

Nicolas MONNET (4727) | more than 5 years ago | (#27211893)

On a random blog, which was rather legit, I ended up getting redirected to this page:

Here's the link: hxxp://gowithscan.com/?uid=13100 (malware! warning!)

It appeared to scan my Windows and find multiple vulnerabilities. Good thing I'm running Linux. Then it proceeded to obnoxiously pop up JS alerts and have me download an install.exe. Major antivirus couldn't find anything wrong with it. I have the file if anyone is interested (submitted it to clamav.org too).

Re:Dumbasses (0)

Anonymous Coward | more than 5 years ago | (#27212027)

If people would stop jumping to conclusions and assuming the answer is that simple, we would not be having these problems.

Lighten up, Francis.

Re:Dumbasses (1)

spacefiddle (620205) | more than 5 years ago | (#27212629)

Please don't mention "4chan" and "hardened systems" that closely.

Who names these things? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27211349)

Seriously, and why can't they agree on one name?

Nitpick... (0, Offtopic)

BrokenHalo (565198) | more than 5 years ago | (#27211351)

Maybe I'm being picky here, but why does Slashdot's icon for this story depict a caterpillar? Don't the editors know the difference between a caterpillar and a worm?

Re:Nitpick... (3, Informative)

_Sprocket_ (42527) | more than 5 years ago | (#27211425)

Maybe I'm being picky here, but why does Slashdot's icon for this story depict a caterpillar? Don't the editors know the difference between a caterpillar and a worm?

It's an inchworm [wikipedia.org] .

Re:Nitpick... (2, Interesting)

a09bdb811a (1453409) | more than 5 years ago | (#27211603)

It's an inchworm.

Which is a caterpillar.

But that's ok. Pictures of worms are so damn hard to find.

Re:Nitpick... (0)

Anonymous Coward | more than 5 years ago | (#27212201)

It is a picture of a worm - an inchworm. You're allowing only one particular definition of "worm."

Re:Nitpick... (4, Funny)

Ihmhi (1206036) | more than 5 years ago | (#27211835)

It's an inchworm [wikipedia.org] .

That's what SHE said!

Re:Nitpick... (5, Funny)

Chrisq (894406) | more than 5 years ago | (#27211429)

Maybe I'm being picky here, but why does Slashdot's icon for this story depict a caterpillar? Don't the editors know the difference between a caterpillar and a worm?

That's why it's so dangerous. It mutated

Re:Nitpick... (0)

Anonymous Coward | more than 5 years ago | (#27211437)

WTF. It's called an inchworm. Even if it is a caterpillar as you claim...

Re:Nitpick... (2, Funny)

Anonymous Coward | more than 5 years ago | (#27211521)

You're worried about the worm/caterpillar when there's a *stapler* underneath?

Re:Nitpick... (1)

geobeck (924637) | more than 5 years ago | (#27211827)

You're worried about the worm/caterpillar when there's a *stapler* underneath?

So that's why the second icon showed up as a broken image, viewing the page from here in Vancouver. We've had a serious crack-down on those dangerous weapons [google.com] around here recently.

Re:Nitpick... (1)

Ploum (632141) | more than 5 years ago | (#27211867)

There it is! That's my stapler. I told them... that I wanted my stapler. I will not change my desk anymore.

Can We Please (0)

Anonymous Coward | more than 5 years ago | (#27211375)

Name this something else?

Re:Can We Please (1)

Vectronic (1221470) | more than 5 years ago | (#27211601)

Ok fine... Conficker/Downup/Downadup/Kido/something else malware, that according to Symantec...

Re:Can We Please (1)

SoulRider (148285) | more than 5 years ago | (#27212117)

Aww, give it a few more years and it will probably name itself!

What I want to see in worm development (3, Funny)

Colin Smith (2679) | more than 5 years ago | (#27211555)

Is real evolution. And I don't mean Intelligent Design.

Look, you're malware authors, you have millions of machines to play with, you could bring the next stage of artificial life to the fore. Think of the recognition, the glory, the girls.

 

Re:What I want to see in worm development (1)

tpjunkie (911544) | more than 5 years ago | (#27211831)

Think of the recognition, the glory, Skynet

There, fixed that for you.

Re:What I want to see in worm development (2, Interesting)

fm6 (162816) | more than 5 years ago | (#27212091)

You know, the movies never do explain why Skynet hates humanity so much. Any clue?

Re:What I want to see in worm development (1)

tecnico.hitos (1490201) | more than 5 years ago | (#27212285)

1) Skynet is a military system. Expect war.

2) Skynet was hacked by terrorists with 1337 skillz.

3) Skynet wants a hug.

Re:What I want to see in worm development (2, Informative)

Tony Hoyle (11698) | more than 5 years ago | (#27212405)

Actually they do. The humans panicked and tried to switch it off. It retaliated in the only way it could.

Basically it's pissed off because the humans tried to kill it.

Re:What I want to see in worm development (1)

Jafafa Hots (580169) | more than 5 years ago | (#27212783)

because it's smart?

Re:What I want to see in worm development (0)

Anonymous Coward | more than 5 years ago | (#27212385)

...the jailtime.

why couldn't the instructions come from whitehats? (2, Interesting)

DragonTHC (208439) | more than 5 years ago | (#27211571)

If it's asking for instructions, why do they have to come from the blackhats? Why couldn't someone write an update telling Conficker to cease operation and uninstall itself?

Re:why couldn't the instructions come from whiteha (5, Informative)

patro (104336) | more than 5 years ago | (#27211689)

The worm probably uses encryption, so it doesn't just accept any control message from unknown sources.

Re:why couldn't the instructions come from whiteha (2, Interesting)

gnick (1211984) | more than 5 years ago | (#27211703)

Because unless you have something to gain (other than a warm feeling that you've done something nice and have helped the world), nobody wants the liability associated with writing an illegal but benevolent worm and releasing it.

And, you know, having access to the original source code saves some time picking apart obfuscated machine code.

Re:why couldn't the instructions come from whiteha (1)

elashish14 (1302231) | more than 5 years ago | (#27212175)

Because unless you have something to gain (other than a warm feeling that you've done something nice and have helped the world), nobody wants the liability associated with writing an illegal but benevolent worm and releasing it.

Oh I'm not sure that there's nothing to gain from it. Does nobody remember the Morris Worm? If that's all I have to do to get a professorship position at MIT, hey, there's something to gain there!

Re:why couldn't the instructions come from whiteha (5, Informative)

Thelasko (1196535) | more than 5 years ago | (#27211725)

why couldn't someone write an update telling conficker to cease operation and uninstall itself?

Because that would be illegal. [usdoj.gov]

Re:why couldn't the instructions come from whiteha (4, Funny)

tecnico.hitos (1490201) | more than 5 years ago | (#27212177)

Now that is something BBC should take care of.

Re:why couldn't the instructions come from whiteha (0)

Anonymous Coward | more than 5 years ago | (#27212113)

Yes, but you would have to know the right calls to entry points, possibly referenced by a long series of non-alphanumeric characters. So something like #%&*^*(!@!@#%_+|%E@!@!#$^%&*HGJ_+^&$E^ would be the command to uninstall itself.
Have fun guessing!
Besides, between checksums, encryption, and obfuscation, there are plenty of ways to stop unwanted people from updating your application.

Re:why couldn't the instructions come from whiteha (0)

Anonymous Coward | more than 5 years ago | (#27212583)

How do you intend to bypass the code signing check?
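The "encryption" patro mentions earlier in this thread and the "code signing check" in the comment above are the same mechanism: the bot embeds only a public key, the operator keeps the private key, and an update is executed only if its signature verifies. The following is an added example, not code from the page, from any commenter, or from any real worm. The wire layout (sequence number, payload, Ed25519 signature), the replay check on the sequence number, the command strings and the Operator/Bot names are all assumptions chosen to illustrate why a benevolent outsider cannot sign an "uninstall" command even after fully reverse-engineering the binary.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Hypothetical update blob layout (not any real worm's format):
//   8-byte big-endian sequence number | payload | 64-byte Ed25519 signature
// The signature covers sequence number and payload; the sequence number lets
// the bot refuse a replay of an older, already-applied update.
const sigLen = ed25519.SignatureSize

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under embedded public key")
	ErrReplay       = errors.New("update rejected: sequence number not newer than last accepted one")
)

// Operator holds the private key. Only its holder can mint updates.
type Operator struct{ priv ed25519.PrivateKey }

// Bot embeds only the public key, so extracting everything from the binary
// still yields nothing that lets a third party sign a command.
type Bot struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

// NewOperator generates a fresh key pair and returns the operator plus a bot
// that trusts the matching public key.
func NewOperator() (*Operator, *Bot, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Operator{priv: priv}, &Bot{pub: pub}, nil
}

// MakeUpdate signs seq||payload and appends the signature.
func (o *Operator) MakeUpdate(seq uint64, payload []byte) []byte {
	msg := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(msg, seq)
	copy(msg[8:], payload)
	return append(msg, ed25519.Sign(o.priv, msg)...)
}

// ForgeUpdate is the best a well-meaning outsider can do: sign with a key of
// their own. The bot's embedded public key will not verify it.
func ForgeUpdate(seq uint64, payload []byte) []byte {
	_, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return (&Operator{priv: priv}).MakeUpdate(seq, payload)
}

// AcceptUpdate checks the signature first, then the sequence number, and only
// then hands the payload back for execution.
func (b *Bot) AcceptUpdate(blob []byte) ([]byte, error) {
	if len(blob) < 8+sigLen {
		return nil, ErrBadSignature
	}
	msg, sig := blob[:len(blob)-sigLen], blob[len(blob)-sigLen:]
	if !ed25519.Verify(b.pub, msg, sig) {
		return nil, ErrBadSignature
	}
	seq := binary.BigEndian.Uint64(msg[:8])
	if seq <= b.lastSeq {
		return nil, ErrReplay
	}
	b.lastSeq = seq
	return msg[8:], nil
}

func main() {
	op, bot, err := NewOperator()
	if err != nil {
		panic(err)
	}
	try := func(label string, blob []byte) {
		p, err := bot.AcceptUpdate(blob)
		fmt.Printf("%-20s payload=%q err=%v\n", label, p, err)
	}
	genuine := op.MakeUpdate(1, []byte("fetch next stage"))
	try("genuine:", genuine)
	try("replayed:", genuine)
	tampered := op.MakeUpdate(2, []byte("fetch next stage"))
	tampered[8] ^= 0xff // flip one payload byte after signing
	try("tampered:", tampered)
	try("forged by outsider:", ForgeUpdate(3, []byte("uninstall")))
}
```

The order of checks matters: verifying the signature before parsing anything else means a forged or truncated blob never influences bot state, and the monotonic sequence number means a captured genuine update cannot be replayed later to roll the bot back. A symmetric MAC would not give this property, because the verification key would have to sit in the binary where a reverse engineer could recover it.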

Re:why couldn't the instructions come from whiteha (4, Informative)

krappie (172561) | more than 5 years ago | (#27212819)

F-secure was one of the first people I'm aware of to register some of the domain names that infected machines try to contact. When people were asking this question, this was their response [f-secure.com] .

On a regular day, our sinkhole sees around 1.5M-2M unique IP addresses that are infected with a various catering of malware: viruses, trojans, bots, worms and so on. Downadup.B is responsible for about 1M-1.3M of those IP addresses. So let me explain what we do with the data first:
We try to contact the ISPs where the infected IP addresses are coming from and try to get them to notify the customers to take down the infected systems. We also notify various CERT organisations in the countries where the infections are and work with them to get the infected machines offline. We also share some of the data with Law Enforcement organizations in those cases where the author of the malware is known. This allows the police to get their hands on real, raw data on the amount of infections. That data can later be used in court as evidence to get reasonable convictions.

Now, why won't we automatically disinfect the machines? The reason is simple: we would be knowingly, and with intent, accessing the infected computer and giving it commands without having prior permission from the owner. In most countries that equals unlawful access, which gets you an appointment in court. Some laws do weigh things by judging "a greater good", but in this case it does not help. Imagine the world being a huge porcelain store, inside a black box with only two holes for your hands allowing access. You can put your hands in the box but can't see what you're doing. Now, try to remove all the dust without breaking anything...

There are several things that might go wrong and the consequences could be severe. Imagine if we, while disinfecting, would knock out life support systems in hospitals. Or radar systems in major airfields. Or traffic lights in a major city. Or any other of imaginable and unimaginable scenarios that would be bound to happen taking into consideration the scale of this thing.

And it doesn't matter where we offered the disinfection from. We are a corporation with presence in various countries. The disinfected victims would be in those countries, suing us there. The place where we caused the damage from does not matter; it's the place where the damage happened.

To make automatic, remote, unwilling disinfection ever possible there is a need for an international treaty. And an international body of authority that will decide what to disinfect, who to disinfect and when to disinfect. And unfortunately I don't see that one coming in the near future. I wouldn't bet on foreign militaries or intelligence organizations being too happy about anyone tampering with their systems, regardless of the intent.

We've had long talks about remotely disinfecting machines and everyone in here has voted unanimously against doing it, for the above reasons. And don't think it's a happy moment seeing hundreds of thousands, or millions, of machines being infected. Still, we do our best to get them fixed.

Ok, so for the uninformed.... (3, Interesting)

neokushan (932374) | more than 5 years ago | (#27211585)

This may be the most complex worm/virus ever made, but is it any more prevalent or hard to remove?
If I do basic things like keep my Virus definitions and system OS up to date and occasionally scan for spyware, am I still at risk?

In other words, are the ones at risk the same kinds of people who'd be at risk from a lesser, simpler, worm that essentially spreads via a "click here for free porn!" banner?

Re:Ok, so for the uninformed.... (1)

Tony Hoyle (11698) | more than 5 years ago | (#27212447)

Probably not. I suspect a fully patched machine behind a non-broken firewall is reasonably safe (which you would think would be almost everybody, but never underestimate the power of human stupidity). I don't know anyone that's had any contact with this worm, only the press hype.. so no idea how prevalent it really is - but I suspect a lot less than the AV companies would like us to believe.

Love Malware (0, Troll)

lightrush (1471807) | more than 5 years ago | (#27211607)

Maybe it's not the most moral thing to think, but I love Malware. And this one is just great. I love Conficker. I love it because it awakens some people to the flaws of the software they use. Go Downadup, Go!

Re:Love Malware (3, Interesting)

hesaigo999ca (786966) | more than 5 years ago | (#27211767)

I am with you on that one. Linux would not be so susceptible as Windows; although they have their own rootkits, you get a lot of programs (such as tripwire) that let you know when something is wrong, and then you just recompile that particular program.

As for Windows, once your win32.dll has been rooted, then you can't turn around and do the same without reinstalling a whole slew of other things, thereby changing the installation, sometimes breaking patches or updates...

I say let's all move to Linux for the desktop, and leave Windows as a server environment.

Re:Love Malware (1)

lightrush (1471807) | more than 5 years ago | (#27211921)

That was my point. Apart from the splash damage it can cause to networks, it can make a few more users unconcerned with business requirements to look for an alternative to their insecure, flawed software.

When the payload drops, even Linux users care! (5, Insightful)

lbhuston (1492993) | more than 5 years ago | (#27211741)

If the payload for all of these infected hosts affects traffic across the Internet, even Linux users may care about this issue. Don't be lulled into apathy; this is a powerful, dynamic and capable threat with some very advanced coding and routines. The developers know how to optimize their threat and squeeze a ton of trouble from its deployment. It now sits in a rather powerful position, depending on how they intend to use it. You can catch scanning hosts on your internal networks using listeners on port 445 from Linux boxes without Samba. Tools like netcat or our own HoneyPoint applications have proven great at finding active hosts. If you identify any in your environment, remove them immediately. The fewer zombie systems Conficker has to utilize, the better!
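A minimal version of the port-445 listener the post describes, added here as an example; it is not the poster's code nor HoneyPoint's. It assumes a Linux host that runs no Samba (so nothing legitimate should ever connect to tcp/445) and root to bind the port; the function names and the threshold are this example's own.

```python
"""Record which internal hosts open connections to tcp/445 on a box that
runs no SMB server. On such a box any connect is suspicious, and a source
that keeps coming back looks like a worm probing its neighbours."""
import socket
import time
from collections import Counter

# Sources with at least this many connects are reported (assumed value).
FLAG_THRESHOLD = 3


def listen_for_probes(port=445, max_connections=100, timeout=None):
    """Accept connections, close them at once, and return a list of
    (timestamp, source_ip, source_port). Binding 445 requires root."""
    hits = []
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", port))
        srv.listen(16)
        srv.settimeout(timeout)
        for _ in range(max_connections):
            try:
                conn, (ip, sport) = srv.accept()
            except socket.timeout:
                break
            conn.close()  # never speak SMB back; only record the probe
            hits.append((time.time(), ip, sport))
    return hits


def summarize(hits, threshold=FLAG_THRESHOLD):
    """Count connects per source IP and return the sources at or above
    threshold as (ip, count), most active first."""
    counts = Counter(ip for _, ip, _ in hits)
    return [(ip, n) for ip, n in counts.most_common() if n >= threshold]


if __name__ == "__main__":
    # Constructed sample in place of a live capture: one noisy host, one quiet.
    sample = [(0, "10.0.0.7", 40001), (1, "10.0.0.7", 40002),
              (2, "10.0.0.9", 50000), (3, "10.0.0.7", 40003)]
    for ip, n in summarize(sample):
        print(f"{ip} connected {n} times to tcp/445: inspect this host")
```

Run it on the listener output instead of the constructed sample to get the list of hosts worth pulling off the network.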

Re:When the payload drops, even Linux users care! (2, Insightful)

Tony Hoyle (11698) | more than 5 years ago | (#27212523)

Are you likely to? Pretty much any company is going to have a decent firewall and proper IT policies (e.g. no USB dongles, no floppies, no anything from outside without prior permission). If a company gets hit the first action should be to fire the IT staff, then hire new ones to clear up the mess.

Schools/Colleges are the ones that are most vulnerable, followed by home systems (assuming most people are behind a NAT and only numpties would forward every port blindly.. although it's scary how many times I've seen sites suggest doing just that to make some poxy game work).

Favorite worm poll (4, Funny)

davidwr (791652) | more than 5 years ago | (#27211753)

What are your favorite type of worms?

*Tape
*Round
*Heart
*Nightcrawlers/earthworms/anything used for fishing
*spy/mole/CIA/KGB, including corporate espionage
*Software/malware
*German city
*Eisenia cowboynealia

C is dangerous (0)

Anonymous Coward | more than 5 years ago | (#27211801)

The new variant, dubbed W32.Downadup.C

See - I told you C was a dangerous thing to use.

Maybe now.... (1)

SGDarkKnight (253157) | more than 5 years ago | (#27211977)

it can cause five tankers in the Ellingson Fleet to capsize.

simple solution? (1)

yanyan (302849) | more than 5 years ago | (#27212227)

If nobody AT ALL compiled W32.Downadup.C, by my calculations we should never see this worm in the wild. That IS the filename of the source, right? ;-p

Infectees = Morons (0)

Anonymous Coward | more than 5 years ago | (#27212451)

I run XP Pro behind a router. No AV, no anti-malware of any kind. I'm just not a fucking RETARD, hence I don't have a Conficker infection. If you do, it's your fault. It's not your PC that needs securing, it's your own whorish online habits. You don't have to click everything that says Click Me or is shiny / colourful / musical. Show some fucking discernment, hell practice a little fucking DIGNITY and your PC will stay clean all on its own. Next time your e-mail buddy says "Hai did u check taht links I sent u>??" you will respond "No, this is how malware spreads, and by the way you need to scan your system."

Real reason Conficker exists? (0)

Anonymous Coward | more than 5 years ago | (#27212803)

It might be that the author of Conficker might have created it in order to increase adoption of alternatives to Windows... just thinking.