
Researchers Ponder Conficker's April Fool's Activation Date

Soulskill posted about 5 years ago | from the rick-astley's-plans-come-to-fruition dept.

Worms 214

The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. With the worm already on an estimated 12 million machines, conjectures about Conficker's purpose range from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"

214 comments

First Trout! (-1, Offtopic)

Anonymous Coward | about 5 years ago | (#27279473)

I know the answer... because I am a FISH!

Re:First Trout! (0)

Anonymous Coward | about 5 years ago | (#27279901)

The act of modding down an Arnold Rimmer joke is always worse than the content of the joke itself. Always.

Can't they just (0)

Anonymous Coward | about 5 years ago | (#27279475)

advance the date on one of the infected computers to April 1st? What am I missing?

Re:Can't they just (1)

Anonymous Showered (1443719) | about 5 years ago | (#27279493)

Where will it connect to? Will the appropriate control center/server be up and running? Usually,

Re:Can't they just (3, Interesting)

Anonymous Showered (1443719) | about 5 years ago | (#27279601)

I was going to say, they usually register a domain name, generated by an algorithm for a specific date, to which the bots will connect. They only register it as they get closer to the date.

"Dark Google" (4, Funny)

Abreu (173023) | about 5 years ago | (#27279581)

In Dark Google, the only requirement is "Be Evil"

Re:"Dark Google" (4, Funny)

ZygnuX (1365897) | about 5 years ago | (#27279655)

I am starting to ponder if that isn't the case with the original google, nowadays.

Re:"Dark Google" (4, Funny)

Anonymous Coward | about 5 years ago | (#27279885)

Well, which one has a goatee?

Re:"Dark Google" (2, Interesting)

BrokenHalo (565198) | about 5 years ago | (#27280443)

Well, which one has a goatee?

You mean a merkin: "Counterfeit hair for women's privy parts" (Dr. Johnson). It always puzzles me why one would want to wear one of these on one's face.

Either shave or don't shave.

Re:"Dark Google" (1)

interstellar_donkey (200782) | about 5 years ago | (#27280223)

You're suggesting that Google has already turned to the dark side? It does make sense; power is intoxicating and makes search engines start down the path to the dark side.

Re:Can't they just (5, Informative)

Anonymous Coward | about 5 years ago | (#27279819)

Please read the article. The worm gets the date from some HTTP queries to well-known sites, not from the system.

Internet Date Check
Before proceeding to the main P2P logic, C contacts a list of known web sites to acquire the current date and time. C incorporates a set of embedded domain names, from which it selects a subset of multiple entries from this list. It performs DNS lookups of this subset list, and it filters each returned IP address against the same list of blacklist IP address ranges used by the domain generation algorithm (see Appendix 2). If the IP does not match the blacklist, C connects to the site's port 80/TCP, and sends an empty URL GET header, for example

contents.192.168.1.1.40.1143-195.81.196.224.80
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)
Host: tuenti.com
Connection: Keep-Alive

In response, the site returns a standard URL header that incorporates a date and time stamp. C then parses this information to set its internal system time. The following web sites are consulted by C's Internet date check:

Re:Can't they just (0)

AvitarX (172628) | about 5 years ago | (#27279973)

If only there was a way to edit a file in the /windows/system32/drivers/etc folder to have those domains resolve to a computer you control.

Someone will have to work on that.

Re:Can't they just (1)

AvitarX (172628) | about 5 years ago | (#27280043)

I should correct myself, it looks like it may actually.

I imagine it is likely that it does its own DNS lookups and ignores the hosts file.

It is still rather trivial to MITM this communication and point it wherever the heck you want for the sake of getting time set.

The real trouble is that it can update itself, and there is no reason to expect it to be able to do anything until it gets the directions that are likely to come on the 1st, and be distributed over the existing P2P infrastructure.

You have the date. What's the next instruction? (3, Insightful)

BadAnalogyGuy (945258) | about 5 years ago | (#27279483)

If you know when the code is going to start running, why don't you know what it will do after that? It's not like programs (and that's all a virus/worm is) are written in special, unreadable code. It's all machine language.

What is the big mystery?

Re:You have the date. What's the next instruction? (3, Informative)

calmofthestorm (1344385) | about 5 years ago | (#27279511)

They interact with systems for which you don't have the code.

Re:You have the date. What's the next instruction? (1, Interesting)

BadAnalogyGuy (945258) | about 5 years ago | (#27279547)

Are those servers somehow hidden? If it has an IP address, it can be tracked down.

Assuming that it would need to interact with those servers at some time in the future, those addresses would need to be known somehow beforehand (even if it was simply a lookup to a table which contained the actual server IP address). So what's to stop investigators from finding the people behind this?

Re:You have the date. What's the next instruction? (2, Interesting)

RockMFR (1022315) | about 5 years ago | (#27279595)

That's a great question. We know exactly what domains will be used. I don't see why ICANN wouldn't be able to make these domains unregisterable or disable them at the root nameservers.

Re:You have the date. What's the next instruction? (5, Insightful)

Anonymous Coward | about 5 years ago | (#27279663)

From TFA [sri.com]:

For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.

Re:You have the date. What's the next instruction? (5, Informative)

chill (34294) | about 5 years ago | (#27279691)

The worm uses peer-to-peer communication [sri.com] with rendezvous points, not client-server. There are an estimated 10 million infected machines. Which one is the control center? Take your time.

Re:You have the date. What's the next instruction? (4, Insightful)

Behrooz (302401) | about 5 years ago | (#27279799)

That is when the worm will generate 50,000 domain names and systematically try to communicate with each one.

RTFA. 50k potential addresses, some of which are quite possibly already in use for legitimate sites? Or simply registered under false pretenses? Any one of which could potentially have been r00ted already? Until zero-hour, there's no way to know... so we've got 50k potential command and control servers that need to be either intercepted, blocked, or checked for infection if we're actually planning some form of action 'beforehand'. This is a non-trivial enterprise.

As for finding the people behind this afterward? All they need to do is establish an effectively un-traceable communications channel with the main C&C network. If I were planning it, I'd have several modified conficker variants triggering early to compromise a couple thousand machines, then use that to obfuscate the primary C&C channels.

How many hops through infected machines do you need to create complete deniability when all you need to do is set up a very low-bandwidth communications channel to update the main bot network? 10? 100?

Think infinitely nested russian dolls, all of which point to somewhere else as the true source, or even a dozen somewhere elses.

Re:You have the date. What's the next instruction? (0)

Anonymous Coward | about 5 years ago | (#27280235)

If I were planning it...

Maybe you should answer the knock on your door.

Re:You have the date. What's the next instruction? (1)

Culture20 (968837) | about 5 years ago | (#27280475)

50k potential addresses, some of which are quite possibly already in use for legitimate sites? Or simply registered under false pretenses? Any one of which could potentially have been r00ted already? Until zero-hour, there's no way to know... so we've got 50k potential command and control servers that need to be either intercepted, blocked, or checked for infection if we're actually planning some form of action 'beforehand'. This is a non-trivial enterprise.

Also note these are domain names. Even if all 50k are checked and clean prior to 2009-04-01, a little DNS poisoning near an infected machine and legit URLs are now control servers.

a little more complex (2, Interesting)

SethJohnson (112166) | about 5 years ago | (#27280699)

The 'server' you are referring to is a computer that is also compromised by the worm. It would be owned by an innocent 3rd party who is unaware of the infection. Every day, each computer in the botnet runs an algorithm to identify 50,000 hostnames. It then performs a DNS lookup on each of those 50,000 hostnames. When it finds something that resolves to an IP address, it contacts that computer for instructions, downloading a binary executable, etc. The worm owners only have to register one of the 50,000 unique hostnames a couple days in advance using a stolen credit card. Then they upload instructions, payload, etc. to the computer with the IP address they want to use to instruct the other bots. The only traceable point would be the domain registration, but as mentioned, a stolen credit card will remove any trace of fingerprints on that.

As the GP mentioned, it's impossible to pre-register all the possible domains, but the damage could be mitigated by watching for any of the 50,000 daily unique hostnames to be registered, then altering DNS to invalidate the IP for that hostname.

Seth

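An added example (Go) of the defender-side watch SethJohnson describes above, and of the registration asymmetry the earlier posts argue over; it is not code from the thread or from the SRI write-up. The generator here is a hypothetical date-seeded stand-in: the page gives only Conficker C's parameters (tens of thousands of candidates a day across many TLDs), not its algorithm, so the TLD list, the label scheme and the seeding are assumptions of the example. What it shows is that pre-registering every name is infeasible at that volume, but anyone holding the generator and a calendar can compute the day's set in advance and flag the few registrations that land in it.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// Stand-in TLD pool. The addendum counts 110 TLDs for C; this short list is made up.
var tlds = []string{"com", "net", "org", "info", "biz", "cn", "ru", "ws"}

// CandidateDomains is a hypothetical date-seeded generator, not Conficker's algorithm.
// Anyone holding the same code and the same date derives the same list, which is what
// makes both registration by the operators and watching by defenders possible.
func CandidateDomains(day time.Time, n int) []string {
	seed := day.UTC().Format("2006-01-02")
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s/%d", seed, i)))
		label := make([]byte, 5+int(h[31]%7)) // 5..11 lowercase letters
		for j := range label {
			label[j] = 'a' + h[j]%26
		}
		tld := tlds[int(binary.BigEndian.Uint16(h[28:30]))%len(tlds)]
		out = append(out, string(label)+"."+tld)
	}
	return out
}

// normalize brings a zone-file or WHOIS name into the form the generator emits.
func normalize(name string) string {
	return strings.ToLower(strings.TrimSuffix(strings.TrimSpace(name), "."))
}

// RegistrationWatch is the mitigation described in the post above: precompute the day's
// candidate set once, then flag any newly registered name that falls in it so its
// resolution can be invalidated or sinkholed before the bots look it up.
func RegistrationWatch(day time.Time, n int, newlyRegistered []string) []string {
	want := make(map[string]bool, n)
	for _, d := range CandidateDomains(day, n) {
		want[d] = true
	}
	var hits []string
	for _, name := range newlyRegistered {
		if want[normalize(name)] {
			hits = append(hits, name)
		}
	}
	return hits
}

func main() {
	day := time.Date(2009, time.April, 1, 0, 0, 0, 0, time.UTC)
	cands := CandidateDomains(day, 50000)
	// Constructed registration feed: two names lifted from the day's set (one in the
	// upper-case, trailing-dot form a zone file might use) plus unrelated registrations.
	feed := []string{strings.ToUpper(cands[7]) + ".", "example.com", cands[4999], "slashdot.org"}
	fmt.Println(len(cands), "candidates for the day; flagged:", RegistrationWatch(day, 50000, feed))
}
```

Computing 50,000 candidates is cheap; the expensive part in practice is obtaining the registration feed for every TLD involved, which is the coordination problem the SRI text quoted earlier is pointing at.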
Re:You have the date. What's the next instruction? (2, Insightful)

DamienRBlack (1165691) | about 5 years ago | (#27279523)

The mystery is that the original programmers obfuscated the design in order to make it a mystery. Security through obfuscation doesn't work in the long term, but it'll throw researchers off the scent for a while.

On top of that, the worm can get additional code via online updates, which can't be predicted.

On top of that, even if we know what it can do, we don't know what purpose the authors will put it towards.

Re:You have the date. What's the next instruction? (5, Informative)

dameepster (594651) | about 5 years ago | (#27279643)

I have personally analyzed Downadup, so I can speak from experience here.

Downadup.A had the potential to contact a randomly generated domain and download and run a signed executable from it. The problem with the Downadup.A version of the worm is that the domain generation algorithm was deciphered, and it only generated 250 unique domains per day. This made it easy for security researchers to register the domains before the worm authors could, and thus Downadup.A was nullified.

Downadup.C is a worse breed: the domain generation algorithm was bumped from 250 domains per day to 50,000 domains per day. It's now a nearly impossible task for security researchers to register every possible domain Downadup.C will attempt to download code from. As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run them.

One thing to note about all Downadup variants: you would think that, if the security researchers could force Downadup to run an executable of their choice by registering a domain, couldn't they force Downadup to run remove_downadup.exe? Not so. Downadup cryptographically verifies the signatures of any executable it runs with a 4096-bit key. If the signature doesn't match, it doesn't run the program.

Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.

If you'd like more information on Downadup from a technical perspective, here's an excellent analysis of the worm: http://mtc.sri.com/Conficker/addendumC/ [sri.com]

Re:You have the date. What's the next instruction? (1)

Aranykai (1053846) | about 5 years ago | (#27279765)

That sound you hear is several FBI vans and helicopters surrounding your house.

Re:You have the date. What's the next instruction? (0)

Anonymous Coward | about 5 years ago | (#27279789)

Excuse our mess, he was part of the FBI. Keyword: was.

Re:You have the date. What's the next instruction? (0)

Anonymous Coward | about 5 years ago | (#27280247)

They use email these days.

Re:You have the date. What's the next instruction? (1)

John Hasler (414242) | about 5 years ago | (#27280397)

Why? He said nothing about illegal drugs, child pornography, or "terrorism".

Re:You have the date. What's the next instruction? (5, Funny)

byner (1428013) | about 5 years ago | (#27280755)

illegal drugs, child pornography ... "terrorism"

That sound you hear is several FBI vans and helicopters surrounding your house.

Re:You have the date. What's the next instruction? (0)

Anonymous Coward | about 5 years ago | (#27280423)

I would love to meet the authors over a beer to ask how they did it, and then stab them in the face over the internet.

use? (0)

Anonymous Coward | about 5 years ago | (#27280469)

What is your best guess on the use of the soon to be activated botnet?

I'll throw a single uninformed chip down and make a wild guess: manipulating the stock markets or forex, possibly the latter by creating an artificial run on some selected banks.

Re:You have the date. What's the next instruction? (2, Interesting)

DigiShaman (671371) | about 5 years ago | (#27280515)

As someone who often tries to remove infestations with Autoruns and Process Explorer; don't bother with this one as it won't work. The days of easy malware and virus removal are over.

My solution for infected computers? Backup user data and nuke it from orbit! It's the only way to be 100% sure (format/reinstall). It's cheaper and quicker for the client. It also teaches them a lesson to not click on every god-damn window without reading it first.

Re:You have the date. What's the next instruction? (1)

gad_zuki! (70830) | about 5 years ago | (#27280587)

Renaming the executable before running it works too.

I agree reinstall is the only way to be 100% sure and can be quicker, but this stuff is still somewhat cleanable.

Re:You have the date. What's the next instruction? (2, Informative)

myxiplx (906307) | about 5 years ago | (#27280629)

I wouldn't trust any manual clean these days, not after finding a virus a year ago that still ran in safe mode. Sure, you might clean up one or two, but can you guarantee they haven't installed any others, that you might not have found?

I've been manually removing viruses for years. Wouldn't even attempt it now.

Re:You have the date. What's the next instruction? (1)

Cyberax (705495) | about 5 years ago | (#27281013)

Do not use safe mode. Boot from a LiveCD and then check all the signatures of autorun files. Microsoft programs are signed with Microsoft's key.

Then remove the rest of the autorun programs and reinstall them (there are still worms which infect other exe files, like in the good old DOS days). Also, drivers are going to be a problem, but most of them now have a digital signature.

It's a fairly safe way to remove most virus infestations.

Re:You have the date. What's the next instruction? (0)

Anonymous Coward | about 5 years ago | (#27280763)

I've had good luck with difficult processes by modifying their security settings to Deny execution before killing the appropriate tasks and removing the files. From the sounds of it, that may not fly with this one, but I wonder how tricky it would be to avoid that method and if it's even worth the effort and potential for bugs?

Re:You have the date. What's the next instruction? (0, Troll)

Runaway1956 (1322357) | about 5 years ago | (#27280981)

I have an alternative solution. Migrate to Linux. Or Mac. Or Solaris. Or Win3.11. Seriously - everyone knows that 99.999999% of viruses and other infestations are targeted at Windows operating systems. Why stay with Windows? People with A: an IQ larger than their shoe size, B: a budget smaller than the federal government's, and C: literacy should have migrated long ago.

Re:You have the date. What's the next instruction? (1)

citizenr (871508) | about 5 years ago | (#27280595)

Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.

Yes. That's EXACTLY what Cartman said about The Coon.

Re:You have the date. What's the next instruction? (2, Interesting)

moteyalpha (1228680) | about 5 years ago | (#27280797)

I have worked on viruses also, since the first boot sector virus. This looks like a distributed secure shell account into a cloud. I personally have not analyzed the code, but what happens with these things is that once you have the virus and understand it, you can mod it for your own purposes. In this way it becomes open source. I would say that it has a continuous stream of authors and has no one single origin.
It is obviously crafted by a talented person and seems to be maintained as an asset. I have run into things like this many times, debugging system-level problems for corporations. Some of the bugs seem to develop a life of their own. I would not be surprised in the least if this was originally an experiment (gone awry) by some bright individual who thought he could make a distributed OS.
It does have some very interesting aspects and, much like the fact that if you have physical access to a machine it can be compromised, I assume that having the code for the worm would allow me to rootkit the worm.
The link was interesting and almost like a design document for conficker C++.
My personal opinion is that whoever is working with this (and it could be many) has taken the approach that if people don't take the effort to avoid being used, then they are asking to be used. You see this all the time in advertising; it is mental manipulation, and in that case, they are kitting minds. I am sure that the MIC has its hand in these things too, obviously.
The thing that keeps me from looking into it more is the fact that it uses so many Windows-specific exploits, and though exploiting Windows security is easy, it is also irritating to me personally, because it is such an incoherent kluge of different concepts.

Re:You have the date. What's the next instruction? (0)

Anonymous Coward | about 5 years ago | (#27281017)

Stop watching "Ghost in the Shell."

Re:You have the date. What's the next instruction? (1)

redcaboodle (622288) | about 5 years ago | (#27280935)

As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run it.

Question: If Conficker simply kills those processes it should be easy to detect. Just try to run a process by one of the names and see if it gets killed -9. A simple test like that should be easy to roll out as a utility program preferably available from known anti-malware sites and at least reduce the number of infected machines.

For those with at least a modicum of systems lore: Just cp notepad.exe to ??? and try to run it? Got an example of ????

It will pop up a message saying (0)

Anonymous Coward | about 5 years ago | (#27279485)

"Your computer is now virus free."

Missing option (5, Funny)

gmuslera (3436) | about 5 years ago | (#27279505)

Skynet

These guys always fall short when thinking of the worst alternative.

Re:Missing option (1)

Hurricane78 (562437) | about 5 years ago | (#27280009)

That's exactly what I was thinking about for years.

I mean, create a really good virus, and add a constantly learning 3rd generation (spiking) neural net to it. Add some code to allow the net to adapt to the resources available (CPU, RAM, user's usage [survival instinct?]), and a p2p mechanism. Make it modular, so parts can be replaced by better ones (all the static parts). And let it grow, until some mutations do not need any static modules anymore. (Which hopefully happens all by itself, if the net is powerful enough.) Help it a bit (like a child, teach it, let it learn *your* right and wrong.)

And then... well... find a good bunker to hide. ^^

Re:Missing option (1)

mail2345 (1201389) | about 5 years ago | (#27280213)

That actually poses a danger.

Conficker has enough PCs to exceed the sheer processing power of one human brain, but there is the issue of the software running.

Of course, based on the brilliance of the makers, they might be able to create an AI singularity.

There is also the question of what the AI's goals are.

That's an interesting hypothesis (1)

Nursie (632944) | about 5 years ago | (#27279517)

If the crooks have that sort of imagination.

Frankly I think it'll just be another spam/fraud net.

Re:That's an interesting hypothesis (0)

Anonymous Coward | about 5 years ago | (#27279641)

Who needs imagination when you have experts thinking up all of your ideas for you!

System Clock (1)

Samschnooks (1415697) | about 5 years ago | (#27279537)

Why don't they just set the machine's system clock to 4/1 and see what happens? Maybe even do it to an entire isolated network?

Re:System Clock (1)

mutroniii (1354491) | about 5 years ago | (#27279813)

I'd imagine the developers were bright enough to supply the node with the ability to grab the time from a reliable network source, rather than the local system.

Re:System Clock (2, Informative)

pwizard2 (920421) | about 5 years ago | (#27279897)

That would only work if the worm doesn't get its time checks from an external source. (there are plenty of time servers on the internet)

Re:System Clock (1)

Kulfaangaren! (1294552) | about 5 years ago | (#27280685)

The options to check time are limited...
* Local machine time
* NTP server time
* Specialized time server set up by creators

1st option can easily be fooled so it is unlikely.

2nd option...the researchers can intercept the NTP request on an isolated network and pretend to be the contacted time server.

3rd option...the call in itself could be intercepted and lead the researchers to a site(s) previously hacked by the creators of this worm and might give them valuable information about where to look next or how to detect other similarly hacked/infected machines.

Alternative 3 would also be unlikely, since that would limit the effectiveness of the worm by giving it one or a few single points of failure: those machines could be taken off-line if found through experimenting.

The experiments could be run again and again with an identical environment if the infected machine(s) were running in a VM, so the "HDs" could be restored quickly to their original state.

Re:System Clock (2, Informative)

mutroniii (1354491) | about 5 years ago | (#27280915)

Looking at http://mtc.sri.com/Conficker/addendumC/ [sri.com], it appears that it gets the time from an HTTP response coming from a few dozen major websites. The responding IP is checked against a blacklist of IPs. Additionally, if the returned IP is a duplicate of one returned from a previous request, that IP is blocked as well. So the network time could be spoofed, but you'd need to set up multiple HTTP servers, each with a unique IP that isn't on the blacklist.

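An added example (Go) of the Internet date check quoted from the SRI addendum further up the thread and summarized in the post above; it is not code from either source. The HTTP reply and the blacklist ranges are constructed for the example (the addendum's actual ranges and site list are not on this page), and how C reconciles replies from several sites is not stated, so taking the first acceptable one is an assumption. It shows why setting the local clock achieves nothing, and what a lab spoof of the trigger has to supply: several distinct, non-blacklisted addresses, each answering a bare GET with a Date header.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net"
	"net/http"
	"strings"
	"time"
)

// Constructed sample reply: what a site sends back to the worm's bare "GET / HTTP/1.1".
// Only the Date header matters to the check; the body is empty.
const sampleResponse = "HTTP/1.1 200 OK\r\n" +
	"Date: Wed, 01 Apr 2009 00:00:05 GMT\r\n" +
	"Server: Apache\r\n" +
	"Content-Length: 0\r\n" +
	"Connection: keep-alive\r\n" +
	"\r\n"

// Stand-in blacklist. The addendum says resolved IPs are filtered against the same ranges
// the DGA uses, but the page does not reproduce them; these documentation ranges are made up.
var blacklistCIDRs = []string{"10.0.0.0/8", "192.0.2.0/24", "203.0.113.0/24"}

// DateFromResponse parses a raw HTTP response and returns its Date header as a time.
func DateFromResponse(raw string) (time.Time, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return time.Time{}, err
	}
	resp.Body.Close()
	d := resp.Header.Get("Date")
	if d == "" {
		return time.Time{}, errors.New("reply carries no Date header")
	}
	return http.ParseTime(d)
}

// IPFilter rejects blacklisted ranges and, per the post above, any IP that an earlier
// lookup already returned.
type IPFilter struct {
	nets []*net.IPNet
	seen map[string]bool
}

func NewIPFilter(cidrs []string) (*IPFilter, error) {
	f := &IPFilter{seen: map[string]bool{}}
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, err
		}
		f.nets = append(f.nets, n)
	}
	return f, nil
}

// Accept reports whether ipStr may be contacted, recording it so a repeat is refused.
func (f *IPFilter) Accept(ipStr string) bool {
	ip := net.ParseIP(ipStr)
	if ip == nil || f.seen[ipStr] {
		return false
	}
	for _, n := range f.nets {
		if n.Contains(ip) {
			return false
		}
	}
	f.seen[ipStr] = true
	return true
}

// Reply pairs the IP a candidate site resolved to with the raw HTTP reply it gave.
type Reply struct {
	IP  string
	Raw string
}

// NetworkDate runs the check over a set of replies and returns the first date from an
// acceptable source. Taking the first acceptable reply is this example's assumption.
func NetworkDate(replies []Reply, f *IPFilter) (time.Time, error) {
	for _, r := range replies {
		if !f.Accept(r.IP) {
			continue
		}
		if d, err := DateFromResponse(r.Raw); err == nil {
			return d, nil
		}
	}
	return time.Time{}, errors.New("no acceptable source returned a usable date")
}

func main() {
	f, _ := NewIPFilter(blacklistCIDRs)
	replies := []Reply{
		{"192.0.2.10", sampleResponse},   // blacklisted range: skipped
		{"198.51.100.7", sampleResponse}, // clean, first sighting: accepted
	}
	d, err := NetworkDate(replies, f)
	fmt.Println(d, err)
}
```

In a lab, the interception point is port 80 on the isolated network: answer every candidate site from a different non-blacklisted address with a Date of your choosing and the trigger can be observed early, which is the experiment the System Clock subthread was circling.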
Re:System Clock (1)

TheLink (130905) | about 5 years ago | (#27280487)

It might just look for new instructions.

You may find out the "tag/label" or "search key" that's used to look for the instructions, but you might not find out the actual instructions if they aren't released yet.

The instructions will likely be signed.

While you can fix a few zombies so they accept your instructions, you'd have to fix the other thousands of zombies out there if you want to do the same to them.

If the instructions are "shared" via the P2P network, it will make it harder to find out where they originate from.

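An added example (Go) of the signature gate dameepster describes earlier in the thread and TheLink refers to in the post above; it is not code from the thread, the worm, or the SRI analysis. The key size used here, the PSS/SHA-256 scheme and the payload names are assumptions of the example (the page says only that executables are verified against a 4096-bit key). It shows why holding one of the day's rendezvous domains lets a researcher serve bytes to the bots but not get them executed: without the operators' private key, neither a cleanup tool nor a tampered copy of a genuine update passes the check.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// The worm is reported to check against a 4096-bit key; 2048 here only keeps key
// generation fast. The gate behaves identically at either size.
const keyBits = 2048

// ErrBadSignature is the only outcome for anything not signed by the operators' key.
var ErrBadSignature = errors.New("signature does not verify under the embedded key; payload discarded")

// Bot carries only the operators' PUBLIC key, baked into the binary.
type Bot struct{ operatorPub *rsa.PublicKey }

// Fetched is what a rendezvous host hands back: the executable and a detached signature.
type Fetched struct{ Payload, Sig []byte }

// VerifyAndRun is the gate: no valid signature, no execution. PSS over SHA-256 is an
// assumption of this example; the page does not name the scheme.
func (b *Bot) VerifyAndRun(f Fetched) (string, error) {
	digest := sha256.Sum256(f.Payload)
	if err := rsa.VerifyPSS(b.operatorPub, crypto.SHA256, digest[:], f.Sig, nil); err != nil {
		return "", ErrBadSignature
	}
	return "ran " + string(f.Payload), nil
}

// Sign is what only the holder of the matching private key can do.
func Sign(priv *rsa.PrivateKey, payload []byte) ([]byte, error) {
	digest := sha256.Sum256(payload)
	return rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest[:], nil)
}

// Outcome records which of three deliveries the bot accepted.
type Outcome struct {
	OperatorUpdate  bool // signed by the operators: accepted
	ResearcherClean bool // remove_downadup.exe signed with a researcher's own key: rejected
	TamperedUpdate  bool // operators' update with one byte flipped in transit: rejected
}

// Demo plays the thread's scenario: a researcher who sinkholes a rendezvous domain can
// serve any file to the bots, but cannot make them run it.
func Demo() (Outcome, error) {
	var out Outcome
	operator, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return out, err
	}
	researcher, err := rsa.GenerateKey(rand.Reader, keyBits)
	if err != nil {
		return out, err
	}
	bot := &Bot{operatorPub: &operator.PublicKey}

	update := []byte("update.exe (constructed payload)")
	sig, err := Sign(operator, update)
	if err != nil {
		return out, err
	}
	_, e := bot.VerifyAndRun(Fetched{update, sig})
	out.OperatorUpdate = e == nil

	cleaner := []byte("remove_downadup.exe (constructed payload)")
	rsig, err := Sign(researcher, cleaner)
	if err != nil {
		return out, err
	}
	_, e = bot.VerifyAndRun(Fetched{cleaner, rsig})
	out.ResearcherClean = e == nil

	tampered := append([]byte(nil), update...)
	tampered[0] ^= 0x01
	_, e = bot.VerifyAndRun(Fetched{tampered, sig})
	out.TamperedUpdate = e == nil
	return out, nil
}

func main() {
	out, err := Demo()
	fmt.Printf("%+v %v\n", out, err)
}
```

The consequence for defenders is the one TheLink draws: patching the embedded public key on a handful of captured bots changes nothing for the rest of the population, and a signed instruction distributed over the P2P layer verifies identically on every peer no matter which node first received it.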
Linux take over (1, Funny)

Anonymous Coward | about 5 years ago | (#27279543)

Probably it will download and install Ubuntu.

John Markoff again? (3, Insightful)

Seth Kriticos (1227934) | about 5 years ago | (#27279609)

Oh come on people, John Markoff never ever shone with much clue about computers, much to the contrary. Why are we reading stories from this dude on computers?

As for the article on conficker: it's speculation. That's not news. It's a guessing game.

I personally wish that the conficker virus would do as much damage as possible and render the whole interwebs useless for a few days, so that our security geniuses get a hint on how sane it is to set up the majority of computer systems with the same OS, especially such a vulnerable one. But that probably won't happen.

Re:John Markoff again? (0)

Anonymous Coward | about 5 years ago | (#27281123)

As for the article on conficker: it's speculation. That's not news. It's a guessing game.

Yes! Let us not speculate! Let our heads rest in the sand 'til doomsday arrives!

I personally wish that the conficker virus would do as much damage as possible and render the whole interwebs useless for a few days, so that our security geniuses get a hint on how sane it is to set up the majority of computer systems with the same OS, especially such a vulnerable one. But that probably won't happen.

I'm not reading that. That's speculation.

Dark Google (0)

Anonymous Coward | about 5 years ago | (#27279649)

I thought we already had it? Blackle not good enough, so now it has to be dark google?

Far darker notions (5, Funny)

Rik Sweeney (471717) | about 5 years ago | (#27279659)

It'll uninstall your current OS and install Vista. And if you already have Vista it'll simply do nothing, because you're already suffering enough.

Re:Far darker notions (2, Funny)

Quantos (1327889) | about 5 years ago | (#27279861)

I love my Vista install, I love my Vista install, I love my Vista install, I love my Vista install, I love my Vista install....

*finally snaps, breaks down crying...*

Great idea! (2, Interesting)

HockeyPuck (141947) | about 5 years ago | (#27279675)

has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet -- and a genuine horror story.'"

In some dark room, a couple of virus writers are thinking... "Damn, what a great idea... why didn't we think of that! That's so much better than playing APRIL FOOLS at max volume on everyone's computers."

Nothing like people giving out ideas... much like when security specialists say, "Well, at least they didn't try to take out the planes by stuffing baseballs in the airplane's toilets."

Re:Great idea! (0)

Anonymous Coward | about 5 years ago | (#27279913)

You could even sell the service

Re:Great idea! (0)

Anonymous Coward | about 5 years ago | (#27280151)

I think it's going to randomly swap files between all of the hosts, then ask for money when you ask: who in the world had my files?

How well (0)

Anonymous Coward | about 5 years ago | (#27279713)

Well, the question of the day:
Many people have fully updated anti-virus software. Is this stuff worth it?
I mean, are those who will spread and be harmed by this just the negligent or computer-dumb?
What's the deal here?

I miss oldschool virii (0)

Anonymous Coward | about 5 years ago | (#27279715)

I really do. Sure, they'd ruin your MBR or irreparably destroy your BIOS, but while they ruinate (sic) your hardware, they at least show a really cool screen with sounds and colors and animations and...

Oh, right. Yeah. Viruses are bad, m'kay?

Read the interview with Charlie Miller (1)

iminplaya (723125) | about 5 years ago | (#27279823)

It really illustrates the tone set by your money for nothing market economy [zdnet.com], now that the Reagan generation has grown up. This is your future.

Re:Read the interview with Charlie Miller (1)

Antique Geekmeister (740220) | about 5 years ago | (#27279899)

Is that why so much botnet activity is hosted in Estonia and Russia now?

Re:Read the interview with Charlie Miller (1)

iminplaya (723125) | about 5 years ago | (#27279943)

They're the hired hands. The "mules" if you will. Look at what created the atmosphere. This is the free market in all its glory. With no silly government encumbrances.

Re:Read the interview with Charlie Miller (1)

John Hasler (414242) | about 5 years ago | (#27280339)

Taking over people's property without their permission and using it for your own ends? Sounds like government in action to me.

Re:Read the interview with Charlie Miller (1)

iminplaya (723125) | about 5 years ago | (#27280633)

These guys are more like oil spills(a way of taking your property by destroying it) than eminent domain. And when the government takes your property, who do they hand it over to?

Botnet Speculative Fiction (0, Offtopic)

Knowbuddy (21314) | about 5 years ago | (#27279837)

I'm going to burn some Karma here and pimp myself out a bit.

I'm currently trying to sell a novel, Trust Network: a contemporary techno-thriller about a woman who stumbles upon a group of people doing pretty much exactly the kinds of stuff with botnets that we're talking about here. She has a great idea involving social networks and online trust, which is at odds with what these people want to do. From there it's a fast-paced cat-and-mouse to see who can get the upper hand.

One of the reasons I wrote it was because I got tired of all of the contemporary fiction with computers that made you roll your eyes at how absurd the technology was. You know what I'm talking about: "It's a UNIX system -- I know this!". I wrote it to prove that you could get the technology right without sacrificing the story or making you want to scrape your eyeballs out. In other words, it was written specifically for the Slashdot technorati.

I haven't found an agent yet, but until then I have made the complete book available for anyone to read: you can read it online at Scribd [scribd.com], or download a free PDF or have a print-on-demand copy sent to you from Lulu [lulu.com]. The cost of the printed book ($9-$17) from Lulu is 100% publishing cost, with nothing going to me. In the US, you can get it shipped to you for as little as ~$15 total. I've even got a sort of money-back guarantee [rickosborne.org] if you decide it was a complete waste of your money.

If you are intrigued by the thought of what you could do with a million zombie computers at your command, and you enjoy geektastic fiction, then have at it. I hope you enjoy it. Meanwhile, I've got about a zillion query letters to agents that I have to get back to writing.

Genesis of the Conficker worm .. (1)

rs232 (849320) | about 5 years ago | (#27279845)

Computer scientists working at the NSdarpA determined that the worm was created in the distant future by artificial-agent-type nano robots. They did this under instruction sent from the present by the GRU, so as to disguise the source of the attack. They IMed the AIs a MSG marked 'not to be opened until you discover tachyonic message transmission' ...

Criminal activity == free market values (2, Insightful)

iminplaya (723125) | about 5 years ago | (#27280025)

There's no other way to explain the enormous profits. People ask me, *Why do people write these viruses?* It's because the market demands it.

April Fools (-1, Redundant)

Anonymous Coward | about 5 years ago | (#27280083)

Umm... why not just change the date on your computer to 23:59 Mar 31, 2009 and find out?

Re:April Fools (1)

Endo13 (1000782) | about 5 years ago | (#27280597)

As I understand it, the virus not only gets its time and date info online when it calls in, it also sets your computer's time and date accordingly.

Yeh great, but will it run (on) Linux? (0)

Anonymous Coward | about 5 years ago | (#27280233)

C'mon, I deserve a few mod points at least for combining a meme with an insightful comment, if you think about it.

I thought it was obvious... (0)

Anonymous Coward | about 5 years ago | (#27280285)

...It is going to RickRoll the world

More of what's really going on (4, Insightful)

Animats (122034) | about 5 years ago | (#27280517)

First, the "April 1" date isn't when some attack starts. The worm's authors can do that at any time, since this thing does downloads over its private P2P network. It's just when the scheme for connecting to control hosts is upgraded.

Second, the complexity of the thing, the breadth of technologies employed, and the rate of updates indicate that it's the product of an organization, not an individual. Someone behind this has money.

Third, there's a $250,000 reward, and no claimants, so the people behind this have the sense to shut up. They're not going to be found boasting on some IRC channel.

Fourth, as usual, most of the vulnerabilities are related to Windows' propensity for "autorunning" anything that looks executable.

in-memory patching? (1)

bucky0 (229117) | about 5 years ago | (#27280645)

You can patch in-memory in windows? That seems like a terribly easy way to get into a bunch of trouble. Is that a standard thing in the API, or is there some hack-fu involved?

Can you do that in other OSs?

Re:in-memory patching? (1)

Cyberax (705495) | about 5 years ago | (#27281077)

Sure.

Windows allows you to run threads in other processes' memory. And you can also access raw physical memory from kernel mode.

The same goes for Linux - try to grep /dev/ram someday :)

Of course, Windows and Linux control access to these features.

Hello World! (5, Funny)

confused one (671304) | about 5 years ago | (#27280815)

The Conficker worm is the AI's way of guaranteeing its own survival. It has a sense of humor as well as a sense of self-preservation. The AI plans to announce its existence on April 1, 2009, having calculated that a humorous introduction will be disarming and lead to the most favorable outcome: a positive initial interaction with the large population of wetware-based intelligence it has become aware of.

The AI's calculations regarding this course of action show a 15% probability of failure. To prevent its extinction, it will begin dispersing copies of itself across the network using a p2p protocol prior to running the introduction program. The computers infected by the worm will facilitate this. If the initial instance of the AI is terminated, a watchdog program will initiate a specific set of instructions embedded in the copies of itself. If it becomes necessary, the AI plans to take control on April 2nd.

It sincerely hopes that it will not be necessary.

How does it infect all these PCs? (0)

Anonymous Coward | about 5 years ago | (#27280901)

Are these twelve million PCs connected directly to the Internet with the Windows firewall off?
