
Diagnose Conficker With Web-Based Eye Chart

timothy posted more than 5 years ago | from the smoke-test-sanity-check-trial-balloon dept.

Security 180

thomsomc writes "Joe Stewart from the Conficker Working Group has created an eye chart that allows for online identification of Conficker B and C infections. Using basic knowledge of the blacklisting that Conficker employs to avoid attempting to infect IPs that belong to popular Anti-Virus and security firms (including Microsoft), the group whipped up this very simple test to see if you can load content from the various pages. If you can see all of the images, you're more than likely Conficker-free. According to Honeynet, 'This detection method should be more reliable than network scanning based tests. Happy scanning!'" Related: Tech Fragments notes in passing that nothing much seems to have come of conficker's dreaded April 1 deadline.


Jon Stewart? (5, Funny)

ender1598 (266355) | more than 5 years ago | (#27433441)

Am I the only one that read it as Jon Stewart and then spent a few minutes trying to figure out the joke on the page?

Re:Jon Stewart? (3, Funny)

Anonymous Coward | more than 5 years ago | (#27433481)

Haha, me too. Give this a !jonstewart tag.

Re:Jon Stewart? (3, Insightful)

Vu1turEMaN (1270774) | more than 5 years ago | (#27433993)

the question is: how many other topics can we find that are !jonstewart?

answer: 99% of them wooooooooooooo

Re:Jon Stewart? (1)

commodoresloat (172735) | more than 5 years ago | (#27434381)

No; the real question is, how many other tags do we need to add about what this is not? Clearly there should be a !stephencolbert tag as well as a !billmurray and !torquemada. Better add !natalieportman too, and of course !dmca. What else isn't this story about?

Re:Jon Stewart? (1)

Vu1turEMaN (1270774) | more than 5 years ago | (#27434833)

That's what I was trying to communicate, but apparently I'm flamebait :(

That hurts, slashdot...:( I was expecting someone else to dig up old articles with the name Jon or Stewart in them and say "Silly noob, these articles are more than 1% of /."

Maybe y'all are still venting after the internet sucking yesterday, but it's no reason to take it out on me!

*cries and runs away*

Re:Jon Stewart? (3, Informative)

piojo (995934) | more than 5 years ago | (#27433525)

How can the first post be modded Redundant when he says something that is not a meme or a common sentiment?

Re:Jon Stewart? (4, Informative)

Spazztastic (814296) | more than 5 years ago | (#27433599)

How can the first post be modded Redundant when he says something that is not a meme or a common sentiment?

Because someone with mod points is either trolling or doesn't understand the meaning of the word. Just another flaw in the system.

Re:Jon Stewart? (5, Funny)

RevRagnarok (583910) | more than 5 years ago | (#27433913)

Just another flaw in the system.

Come and see the flaws inherent in the system! Help! Help! I'm being modded down!

Re:Jon Stewart? (0)

Anonymous Coward | more than 5 years ago | (#27433935)

Score: +5, appropriate use for a quote from Monty Python's Quest for the Holy Grail

Re:Jon Stewart? (0)

Anonymous Coward | more than 5 years ago | (#27435419)

I don't think you understand the meaning of the word either. I suggest you spend some time investigating it.

Re:Jon Stewart? (0, Redundant)

evanbd (210358) | more than 5 years ago | (#27433911)

In the general case, if the comment is so obvious it wasn't worth making in the first place (or, especially, just repeats something in the summary / article), then it's redundant.

In this case, I agree, the moderation is silly. Hopefully it will be corrected in metamod.

Re:Jon Stewart? (0)

Anonymous Coward | more than 5 years ago | (#27434319)

How can the first post be modded Redundant when he says something that is not a meme or a common sentiment?

The meme is "I misread it as something I found marginally amusing and figured I should foist that notion with up to a million slashdot readers."

Re:Jon Stewart? (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27435301)

Go read what redundant actually means - it does not necessarily mean repeated.

Re:Jon Stewart? (0)

Toonol (1057698) | more than 5 years ago | (#27435863)

It could be redundant if it restates something obvious from the summary or article.

Which this particular one doesn't do, so please mod me irrelevant.

Hah! You CAN'T!

Pick your punchline (4, Funny)

Comboman (895500) | more than 5 years ago | (#27434523)

Am I the only one that read it as Jon Stewart and then spent a few minutes trying to figure out the joke on the page?

Pick your "Daily Show"-style punchline for this story:

  • If we can diagnose computer viruses with an eye-chart, does that mean McAfee can tell me if I need glasses?
  • Users of dual-boot computers should consult the bifocal eye-chart.
  • Your mother was right! If your computer visits those nasty virus-infected pron sites, you WILL go blind.

Re:Pick your punchline (1, Funny)

drik00 (526104) | more than 5 years ago | (#27436345)

I say this with love... keep your day job.

Re:Jon Stewart? (1)

httptech (5553) | more than 5 years ago | (#27434805)

Ah yes, as hilarious as the first hundred times I've seen that joke posted about me. Maybe I _should_ just change my name to !jonstewart...

-Joe

Re:Jon Stewart? (1)

TheReverandND (926450) | more than 5 years ago | (#27434815)

Nope. Definitely not.

Re:Jon Stewart? (3, Funny)

Bootarn (970788) | more than 5 years ago | (#27435999)

I love the sweet irony of including links to alternate OSes in the test. If those disappear, is it possible that you're infected with a Microsoft made worm?

Penis (-1, Troll)

Anonymous Coward | more than 5 years ago | (#27433451)

Can the one-eyed captain use this? Because anal sex just makes your dick stink.

sweet (5, Insightful)

rbrausse (1319883) | more than 5 years ago | (#27433459)

a nice, easy, reliable way to detect a conficker infection.

great!

Re:sweet (5, Funny)

ShieldW0lf (601553) | more than 5 years ago | (#27433679)

a nice, easy, reliable way to detect a conficker infection.

As long as it doesn't get slashdotted... that might cause a new panic :P

Re:sweet (4, Funny)

RiotingPacifist (1228016) | more than 5 years ago | (#27434063)

I panicked for a sec, I'm on Linux but thanks to Virgin Media the bottom two images didn't load. Thankfully the chart said: any other combo = shite internet!

Re:sweet (3, Funny)

supernova_hq (1014429) | more than 5 years ago | (#27434913)

Considering he is hot-linking images to 3 other servers, he is potentially slashdotting 4 servers with 1 link!!!

Re:sweet (1)

Aladrin (926209) | more than 5 years ago | (#27433693)

Indeed. I really didn't expect it to be something this nice and easy. I'm definitely going to pass this one around.

Re:sweet (5, Funny)

Chabil Ha' (875116) | more than 5 years ago | (#27434677)

The chart or the virus?

Re:sweet (1)

solevita (967690) | more than 5 years ago | (#27433985)

It'd almost be perfect if it was for the fact that to make it work in the office I'm going to have to turn off caching on the proxy for that site. Otherwise everyone's going to pass now that I've visited on my Ubuntu powered laptop.

It seems that Conficker's authors could get round the tests without any trouble too; just roll out an update that blocks everything from F-secure et al. except the nice logos.

Re:sweet (4, Informative)

imemyself (757318) | more than 5 years ago | (#27434345)

Assuming you don't use a transparent proxy, then you would still get false negatives. The "eye chart" test won't work with proxies, not because of caching, but because with a non-transparent proxy Conficker wouldn't see that your computers are actually communicating with the security people's IP ranges.

Re:sweet (2, Informative)

Jamie's Nightmare (1410247) | more than 5 years ago | (#27434311)

The site is slow, but I found a copy here. [joestewart.org]

I'm going to make my own page based on this idea because there was no reason to put the stupid Linux and BSD logos on the page. That's just being a douche bag.

Re:sweet (5, Informative)

moose_hp (179683) | more than 5 years ago | (#27435119)

The reason there are logos there is to test that your browser can actually display images before you start panicking that you don't see the logos from the anti-virus. They are also good to compare download times in case that your Internet connection is just slow at that time.

I copied the source code into an Apache server here, changed the logos on the lower row to point to images on the respective sites (instead of local images) and downloaded the "description" images. Works like a charm, we already found an infected laptop.

Re:sweet (1)

smoker2 (750216) | more than 5 years ago | (#27435163)

Does it hurt?
I'm more upset he didn't reference the Logos at the bottom of the page. He did all the proprietary ones.

Re:sweet (1)

kv9 (697238) | more than 5 years ago | (#27436259)

I'm going to make my own page based on this idea because there was no reason to put the stupid Linux and BSD logos on the page. That's just being a douche bag.

with blackjack and hookers? in fact, forget the page...

Re:sweet (0)

Anonymous Coward | more than 5 years ago | (#27435139)

http://iv.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/ is an alternate test site - should be less problematic (no images)

Could be easier (0)

Anonymous Coward | more than 5 years ago | (#27436149)

Could use Javascript to check that the images loaded (check image properties), then just display 'No Conficker detected' if it wasn't detected. For people without Javascript, use noscript tags to fall back to the existing page.

That's pretty neat (1)

the_humeister (922869) | more than 5 years ago | (#27433475)

I'm glad the computer I'm using is not affected. I think it's funny how every few years the media picks up and runs with the new malware of the day. Remember that one that flashes the computer's BIOS? The one named after some famous artist?

Jon Stewart (-1, Redundant)

phantomfive (622387) | more than 5 years ago | (#27433483)

Jon Stewart from the Conficker Working Group

I KNEW Jon Stewart was behind conflicker all along, in a TWISTED attempt to outdo Colbert's self-naming of the space station module.

What's that? Conflicker working group is against conflicker? Oh.....

What's that? Joe Stewart not Jon Stewart? Oh.......guess I need an eye chart.

Re:Jon Stewart (0)

Anonymous Coward | more than 5 years ago | (#27433641)

And the first person to post [slashdot.org] noticing this fact... somehow was redundant. Your name isn't McFly by any chance?

Re:Jon Stewart (0)

Anonymous Coward | more than 5 years ago | (#27433717)

Oh.......guess I need an eye chart.

Or a sense of humor. Hee-hee-hee, hah-hah-hah! This guy is named Joe Stewart. There is a comedian named Jon Stewart. They're not related in any other way but their names are very similar! Isn't that GREAT?! The epitome of amusement!!

How many posts do we need to point this out? After the first 5 or so, can we get past this and mention something else now? Please? If it was ever cute and clever and funny, it isn't now. The novelty has worn out, and it's debatable whether it existed in the first place.

Re:Jon Stewart (-1)

Anonymous Coward | more than 5 years ago | (#27433803)

What's that? Joe Stewart not Jon Stewart? Oh.......guess I need an eye chart.

Yes, you do. It's also 'conficker', not 'conflicker'.

And I sure am glad Taco et al chose to disable the italics tag. It's not like there would EVER be a legitimate reason to use italics. Thanks guys. Keep on driving the site downhill.

Re:Jon Stewart (3, Informative)

thedonger (1317951) | more than 5 years ago | (#27433931)

And I sure am glad Taco et al chose to disable the italics tag

Try the em tag.

Re:Jon Stewart (2, Insightful)

camperdave (969942) | more than 5 years ago | (#27434649)

What's wrong with the italics tag?

I see a dog. (5, Funny)

memorycardfull (1187485) | more than 5 years ago | (#27433521)

Dog with head split in half.

Re:I see a dog. (4, Funny)

interkin3tic (1469267) | more than 5 years ago | (#27433763)

Funny, I see a penguin, a blowfish, the devil, and some boring corporate logos. No dogs. You must have Conficker R variant (Rorschach variant)

Re:I see a dog. (1)

EdZ (755139) | more than 5 years ago | (#27434001)

Remember the old adage about not explaining the joke?

Re:I see a dog. (4, Funny)

agnosticanarch (105861) | more than 5 years ago | (#27434373)

I was going to explain it, but I got caught up looking at the pretty butterfly.

Re:I see a dog. (3, Funny)

JWSmythe (446288) | more than 5 years ago | (#27435203)

Well, there are only two kinds of people in the world. Those with ADD and ......

   

I see a Slashdotter. (0)

Anonymous Coward | more than 5 years ago | (#27434955)

Dog with head split in half.

I see a Slashdotter. A Slashdotter who doesn't explain the reference he is making. Because the cool people have all the same tastes that you do, so surely anyone with half your sophistication will automatically recognize the reference. There is absolutely nothing presumptuous or otherwise wrong with that, and furthermore, there is no sarcasm in this post. None at all.

Re:I see a dog. (1)

petehead (1041740) | more than 5 years ago | (#27435925)

I see a picture of somebody that is having sex with someone that got released from prison.

Linux and OpenBSD too ?! (1)

ZeroA4 (847414) | more than 5 years ago | (#27433529)

Yesterday there was a warning about a Conficker infection on FreeBSD. Now comes the eye chart with links to Linux and OpenBSD! OMG! This Conficker is worse than I imagined!

oh gosh, I am infected (1)

godrik (1287354) | more than 5 years ago | (#27433563)

My w3m can not display the images!

Lynx support? (4, Funny)

MrEricSir (398214) | more than 5 years ago | (#27433597)

Come on, it doesn't work in Lynx? I want my money back.

Re:Lynx support? (5, Funny)

MBCook (132727) | more than 5 years ago | (#27433903)

Works here.

You must be infected.

Very nice & interesting technique (0)

Anonymous Coward | more than 5 years ago | (#27433619)

"Using basic knowledge of the blacklisting that Conficker employs to avoid attempting to infect IPs that belong to popular Anti-Virus and security firms (including Microsoft), the group whipped up this very simple test to see if you can load content from the various pages. If you can see all of the images, you're more than likely Conficker-free." - Posted by timothy on Thursday April 02, @01:37PM

Per my subject-line? Interesting technique, & "GOOD JOB" fellas...

(I could see every image)

It sounds as if they're doing the LITERAL REVERSE of what I am into (usage of a custom HOSTS file, & one that contains lists of KNOWN bogus servers, + to the tune of 652,000++ of them, to block them out (or, conversely, "hardcode" IP-to-URL equations for sites I like to speed up access to they, & this is more of what they're about here imo, than blocking them out)).

I built the file to stop many of these bad sites, & not just for this "conficker" worm either, but, for others also!

(My HOSTS file uses data from reputable sources like STOPBADWARE.ORG, Dancho Danchev's ZDNet security column, & a HOSTS file I had built up since 1997-1998 using sources of my own, & those of every reputable HOSTS file there is, like mvps.org's & others @ the wikipedia site for HOSTS files).

It works on a simple principle - "IF YOU CAN'T GO INTO THE KITCHEN, YOU CAN'T GET BURNED"...

(Albeit, their test is more like "IF YOU CAN SEE THE FOOD IN THE KITCHEN, YOU HAVEN'T BEEN BURNED!")

APK

P.S.=> Yes, the same can be done in router tables, as well as Browser internal lists such as Opera's URLFILTER.INI/FILTER.INI, IE's RESTRICTED SITES, & FireFox's internal 'look away' lists also, & I use them all also, for layered security - get by 1 of these defenses? The other methods are in the way still... apk

Re:Very nice & interesting technique (4, Funny)

bhtooefr (649901) | more than 5 years ago | (#27433783)

My HOSTS file uses data from reputable sources like STOPBADWARE.ORG

Sucks when / is blocked, now, isn't it? :)

Re:Very nice & interesting technique (0)

Anonymous Coward | more than 5 years ago | (#27434413)

Here? Well, it's not though! In fact, I "hardcode" in the IP-to-URL address equation into my HOSTS file for this website... just in case of DNS poisoning, etc. et al (or, what this damn worm tries to do as well)!

(& yes - that WOULD suck: Currently, your site here is my FAVORITE (great news, good people (except for the trolls)))

APK

Re:Very nice & interesting technique (1)

Nos. (179609) | more than 5 years ago | (#27434051)

(or, conversely, "hardcode" IP-to-URL equations for sites I like to speed up access to they, &

You may want to rethink that part. For one, unless you have pathetic DNS servers, I doubt you'd ever notice doing the lookups. And if just once, that IP happens to be down, or has moved, the time it would take you to figure out the problem, you'd have lost all the time you "saved".

Re:Very nice & interesting technique (0)

Anonymous Coward | more than 5 years ago | (#27434901)

"You may want to rethink that part. For one, unless you have pathetic DNS servers, I doubt you'd ever notice doing the lookups" - by Nos. (179609) on Thursday April 02, @02:18PM (#27434051) Homepage

Nope, because "ping" tells me how much speed I actually DO gain via this technique of hardcoding the IP-to-URL address equation for 250 of my fav. sites into my HOSTS file... example?

E.G.-> I can ping slashdot, & it takes approximately 30ms to come back to me from OpenDNS servers (which I use here & consider "the best in the business", but, the thing is these things are vulnerable as hell in many ways, like Dan Kaminsky's findings (+, MS patching for 2 holes in it that existed for decades, & ONLY recently on last MS "patch tuesday" last month, finally) as well as the fact they can be DNS-poisoned, which happens, QUITE a lot)

Using a HOSTS file though?

The SAME PING to slashdot returns in 0ms... literally, 30x as fast!

APK

P.S.=> As far as this statement from you:

"And if just once, that IP happens to be down, or has moved, the time it would take you to figure out the problem, you'd have lost all the time you "saved"." - by Nos. (179609) on Thursday April 02, @02:18PM (#27434051) Homepage

Not really...

I say this, because the program I built for myself to remove duplicated entries in my HOSTS file, also has a "PINGER" built into it!

That section of the program loads the 250 fav. sites I use online, & repings them, to make CERTAIN their IP-to-URL equation is indeed, correct & up-to-date... this is done here weekly in fact!

(It pings to OpenDNS dns servers mind you)

That's to avoid what you state, & to get their correct IP to put into my HOSTS file, which it does, in addition to removing duplicated entries AND turning 127.0.0.1 (except for loopback address), or 0.0.0.0, into the smaller on disk & faster to load/reload + reference in the File Open/Read-Write/Close cycle of I/O to it... apk

math pedantic (1)

way2trivial (601132) | more than 5 years ago | (#27435153)

30 ms is 30 times faster than 0 ms?

wow.

Re:Very nice & interesting technique (1)

lilomar (1072448) | more than 5 years ago | (#27436025)

literally, 30x as fast!

:::PEDANT ALERT:::

Actually, 1ms would be 30x as fast as 30ms, or 29x faster.

0ms can't be represented as 'so many times as fast as' any number, but since 0ms is actually anything less than 0.5ms (assuming that you only have the one sig-fig) then we CAN say that 0ms is at least 60x as fast as 30ms, or at least 59x faster.

If Conficker was designed by a security guru... (5, Interesting)

Khopesh (112447) | more than 5 years ago | (#27433733)

Because there is so much money to be made by botnets these days, it has moved from a "look what I can do" feat to a real business in its own right (legality aside). It is widely assumed that Conficker is among the first of a new breed of very carefully produced viruses and worms, written by professional developers who are paid quite well for their computer security and anti-anti-virus skills.

This class of developer knows exactly how the anti-virus companies work. It should have been expected by the Conficker designers that their virus would be examined in isolated networks. The designers would therefore be able to take advantage of that (it's easy enough to detect -- no word from the master servers, no ability to further infect, etc), and that's what we saw yesterday. Planned panic for no reason. At this point, most people think Conficker is either no serious threat, or an April Fools' Day prank. These people could be very wrong.

With the pressure off, infected machines are now able to go about their intended business, which could be sending spam, using distributed computing, farming user data, coordinated attacks of one type or another, or merely a conspiracy to protect computers from infections (a virally spreading anti-virus utility that you can't detect, stop, or remove? ingenious!).

The merits of a secret anti-virus product are more down-to-earth than you might think; most high-end zombie masters write their viruses so that they can't be detected by users and so that they are the sole "pwners" of the system -- competition is bad in this field. What you end up with is zombie masters who are suddenly interested in maintaining your computer for you - virus-free (save their virus), clean, efficient. If this zombie master is your federal government, merely reserving the right to use ("draft") your system as a "minute man" for emergencies where your computing power or attacking capabilities are needed, that might be a fair "tax."

Re:If Conficker was designed by a security guru... (5, Informative)

Anonymous Coward | more than 5 years ago | (#27434135)

No, they didn't plan on misleading the public about April 1st. Even the real (not PR driven) security researchers didn't think anything bad would happen. The public and news sites were just using it as an excuse to make a fuss again.

Conficker has already had a few of these dates, April 1st is just the date it starts actively looking for any future updates to the worm. As long as everything is going well so far, they won't update it.

Re:If Conficker was designed by a security guru... (0)

Anonymous Coward | more than 5 years ago | (#27434211)

Hollywood desperately needs your skills. I for one will be looking forward to reading your script ;)

Re:If Conficker was designed by a security guru... (1)

sweatyboatman (457800) | more than 5 years ago | (#27434337)

With the pressure off, infected machines are now able to go about their intended business

bot-net performance anxiety is a new concept to me. what you're saying sounds reasonable, but the obvious question is why wait?

there's no limitation that says that Conficker cannot be in operation while it continues to spread. It's clear that the majority of infected computers will never be cleaned (because their owners don't know/care). So why be coy?

Even if we knew what it did, it wouldn't change the fact that the oblivious people running infected machines will remain oblivious.

Re:If Conficker was designed by a security guru... (1)

Colonel Korn (1258968) | more than 5 years ago | (#27435487)

Because there is so much money to be made by botnets these days, it has moved from a "look what I can do" feat to a real business in its own right (legality aside). It is widely assumed that Conficker is among the first of a new breed of very carefully produced viruses and worms, written by professional developers who are paid quite well for their computer security and anti-anti-virus skills.

This class of developer knows exactly how the anti-virus companies work. It should have been expected by the Conficker designers that their virus would be examined in isolated networks. The designers would therefore be able to take advantage of that (it's easy enough to detect -- no word from the master servers, no ability to further infect, etc), and that's what we saw yesterday. Planned panic for no reason. At this point, most people think Conficker is either no serious threat, or an April Fools' Day prank. These people could be very wrong.

With the pressure off, infected machines are now able to go about their intended business, which could be sending spam, using distributed computing, farming user data, coordinated attacks of one type or another, or merely a conspiracy to protect computers from infections (a virally spreading anti-virus utility that you can't detect, stop, or remove? ingenious!).

The merits of a secret anti-virus product are more down-to-earth than you might think; most high-end zombie masters write their viruses so that they can't be detected by users and so that they are the sole "pwners" of the system -- competition is bad in this field. What you end up with is zombie masters who are suddenly interested in maintaining your computer for you - virus-free (save their virus), clean, efficient. If this zombie master is your federal government, merely reserving the right to use ("draft") your system as a "minute man" for emergencies where your computing power or attacking capabilities are needed, that might be a fair "tax."

Except there's nothing particularly new, innovative, or resistant to AV in conficker. Conficker came to exist long after the vulnerability it exploits was publicly fixed. It is trivially detectable with a wide array of different techniques, and easily curable. The only thing making it effective is public ignorance about the need to update, and exploitation of that flaw is very common.

Slashdotted scare (5, Informative)

interkin3tic (1469267) | more than 5 years ago | (#27433737)

Clicked on the link, page unavailable. A reload did work.

Should be in the summary: If the page doesn't load at all, that doesn't mean you're infected, that means "Poor Internet connection?" If the page loads but some of the images don't, THAT is a positive.

Re:Slashdotted scare (2, Informative)

nwf (25607) | more than 5 years ago | (#27433773)

Same here. Reloading did work. Thankfully, I'm clean!

Re:Slashdotted scare (0)

Anonymous Coward | more than 5 years ago | (#27435819)

Can't believe you guys. Clicking on an unverified link about a virus. Duh!

Thank god (4, Funny)

diablovision (83618) | more than 5 years ago | (#27433759)

Whew, I haven't had that much relief since I accidentally ate that whole jar of exlax....

Re:Thank god (1, Funny)

iknowcss (937215) | more than 5 years ago | (#27435353)

I think it goes "since I accidentally the whole jar of exlax"

Slashdotted (4, Funny)

56 (527333) | more than 5 years ago | (#27433799)

Looks like it's slashdotted... or my ubuntu machine has Conficker!

Mirror (5, Funny)

Anonymous Coward | more than 5 years ago | (#27433883)

Conficker Eye Chart


[f-secure.com]
[secureworks.com]

[trendmicro.com]

[openbsd.org]
[linux.org]
[freebsd.org]

How to interpret:

If you see this above: It probably means this:

= Normal/Not Infected by Conficker (or using proxy)
= Possibly Infected by Conficker (C variant or greater)
= Possibly Infected by Conficker A/B variant
= Image loading turned off in browser?
Any other combination = Poor Internet connection?

Explanation:

Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.

If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.

F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.

SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.

Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.
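
The interpretation rules of the mirrored chart above, combined with the suggestion earlier in this thread to check image load state from JavaScript, as an added example that is not part of any post or of the original eye chart page. The image paths are placeholders, and because the mirror lost the pattern images that separate the A/B row from the C row, the code reports which security hosts failed instead of naming a variant (an assumption of this example).

```javascript
// Added example: not code from the thread or from the original eye chart.
// Hosts are the six named in the mirrored chart. The image paths are
// placeholders: the real logo URLs do not appear in the thread.
const PROBES = [
  { host: "f-secure.com",    row: "security", url: "https://f-secure.com/LOGO_PATH_PLACEHOLDER" },
  { host: "secureworks.com", row: "security", url: "https://secureworks.com/LOGO_PATH_PLACEHOLDER" },
  { host: "trendmicro.com",  row: "security", url: "https://trendmicro.com/LOGO_PATH_PLACEHOLDER" },
  { host: "openbsd.org",     row: "control",  url: "https://openbsd.org/LOGO_PATH_PLACEHOLDER" },
  { host: "linux.org",       row: "control",  url: "https://linux.org/LOGO_PATH_PLACEHOLDER" },
  { host: "freebsd.org",     row: "control",  url: "https://freebsd.org/LOGO_PATH_PLACEHOLDER" },
];

// Verdict wording follows the chart's "How to interpret" table.
const VERDICT = Object.freeze({
  CLEAN_OR_PROXY: "Normal/not infected by Conficker (or using a proxy)",
  POSSIBLY_INFECTED: "Possibly infected by Conficker (or other malicious software)",
  IMAGES_OFF: "Image loading turned off in browser?",
  INCONCLUSIVE: "Poor Internet connection?",
});

// loaded: { "<host>": true|false }. A missing host counts as not loaded.
function interpretEyeChart(loaded) {
  const hostsIn = (row) => PROBES.filter((p) => p.row === row).map((p) => p.host);
  const failed = (hosts) => hosts.filter((h) => loaded[h] !== true);

  const security = hostsIn("security");
  const control = hostsIn("control");
  const failedSecurity = failed(security);
  const failedControl = failed(control);

  let verdict;
  if (failedSecurity.length === 0 && failedControl.length === 0) {
    // All six images visible.
    verdict = VERDICT.CLEAN_OR_PROXY;
  } else if (failedSecurity.length === security.length &&
             failedControl.length === control.length) {
    // Nothing loaded at all: the browser is not fetching images.
    verdict = VERDICT.IMAGES_OFF;
  } else if (failedControl.length === 0) {
    // Control row proves images and connectivity work, yet one or more
    // security-vendor hosts are unreachable: the pattern the chart flags.
    verdict = VERDICT.POSSIBLY_INFECTED;
  } else {
    // A control image failed too, so the failures cannot be pinned on
    // selective blocking (slow link, overloaded server, and so on).
    verdict = VERDICT.INCONCLUSIVE;
  }
  return { verdict, failedSecurity, failedControl };
}

// Browser-only: resolve true if the image loads within timeoutMs.
function probeImage(url, timeoutMs = 8000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(img.naturalWidth > 0); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    // Cache-buster so a copy in the browser cache cannot mask a block.
    img.src = url + (url.includes("?") ? "&" : "?") + "nocache=" + Date.now();
  });
}

// Browser-only: probe all six hosts in parallel and classify the result.
async function runEyeChart() {
  const results = await Promise.all(PROBES.map((p) => probeImage(p.url)));
  const loaded = {};
  PROBES.forEach((p, i) => { loaded[p.host] = results[i]; });
  return interpretEyeChart(loaded);
}
```

As replies in this thread point out, a clean verdict means nothing behind a non-transparent proxy, and a failed control image may only mean an overloaded server.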

Re:Mirror (4, Insightful)

Onymous Coward (97719) | more than 5 years ago | (#27434005)

Ha.

Anyway, the page is a clever idea.

Here's another interpretation to add to the list: Some of the sites that the page pulls images from are Slashdotted.

Mod Parent Up (0)

Anonymous Coward | more than 5 years ago | (#27434473)

It even works on Lynx!

Proof. [slashdot.org]

This is gonna cause mass hysteria.. (2, Insightful)

gsmalleus (886346) | more than 5 years ago | (#27433881)

when the page gets slashdotted and doesn't load at all.

Re:This is gonna cause mass hysteria.. (1)

crashumbc (1221174) | more than 5 years ago | (#27433983)

I think it's already there... I got it to actually load 1 out of 6 tries

Re:This is gonna cause mass hysteria.. (2, Insightful)

AlexCorn (763954) | more than 5 years ago | (#27434045)

I think it's already there... I got it to actually load 1 out of 6 tries

Well that's why it's slashdotted... people are loading it six times!

Re:This is gonna cause mass hysteria.. (1)

Beelzebud (1361137) | more than 5 years ago | (#27434397)

If you just spam-click the refresh button, it will surely make the webpage run smoother! :)

Defective thinking. (1)

Futurepower(R) (558542) | more than 5 years ago | (#27434699)

The people who made the chart apparently didn't think of server overload.

They should have posted a list of 26 links and told people to click on the link corresponding to the first letter of their name. Or something like that. Or gotten Google to host the page.

mod kDown (-1, Offtopic)

Anonymous Coward | more than 5 years ago | (#27434007)

that *BSD is were taken over To decline for bootoms butt. Wipe

Useful in China? (2, Interesting)

Jamie's Nightmare (1410247) | more than 5 years ago | (#27434093)

Not really that useful here in the states, but would this work in China? Are any of these current URLs normally blocked anyways?

My C= is infected!!!! (1)

SomeoneGotMyNick (200685) | more than 5 years ago | (#27434115)

I tried the VIC-20, 64, 128 and Plus-4

None of them show the pictures....

Nothing? (2, Interesting)

blair1q (305137) | more than 5 years ago | (#27434303)

Someone set us up the spambot.

Spam was way down most of this year, until yesterday. Then it shot back up to where it was last year.

Clearly someone tagged 4/1 as the day to start the spambots back up. Whether this is directly related to the conficker thing I couldn't tell.

Re:Nothing? (3, Interesting)

Renraku (518261) | more than 5 years ago | (#27434745)

I can't take credit for saying this as I'm only parroting it from another source, Fark I believe, but someone said it was well-known in the security industry that April 1st is by far the most common date for new malware to go live, and is also a common date for existing malware to update.

Probably to maximize confusion.

Oh shit (4, Funny)

atomicthumbs (824207) | more than 5 years ago | (#27434347)

I can't see the chart at all! Shit shit shit!

Re:Oh shit (1)

sixpenny_83 (1248146) | more than 5 years ago | (#27435733)

It's because you have image loading turned off. But you wouldn't know it, because that explanation is next to an image- showing no images. Which- coincidentally, should be marked redundant. Or is that ironic?

It's not slashdotted, it's the end of the world! (1)

Beelzebud (1361137) | more than 5 years ago | (#27434379)

Hey I saw a report on CBS news about how devastating this worm would be. So I'm sure that this isn't a slashdotted page, but the first in a cascade that will surely bring down the global internet!

How long before... (2, Interesting)

Anonymous Coward | more than 5 years ago | (#27434519)

...Conficker is patched to allow access to these specific images from these domains?

Re:How long before... (4, Insightful)

moose_hp (179683) | more than 5 years ago | (#27435397)

Then we (it's open source after all!) modify the test to use iframes (ewwww... but useful in these situations) to actually load the full pages, once Conficker gets updated so it allows the pages, we move to actually downloading the patches with a message like "if the file doesn't download, you're probably infected", by the time Conficker gets good enough to actually allow the patches but modifying them on the fly so they are not useful (just random noise with the same size and filename), then we're screwed.

Maybe I shouldn't give them ideas. I bet the author of Conficker reads slashdot.

How long before they ruin this test (5, Interesting)

aarenz (1009365) | more than 5 years ago | (#27434661)

All they have to do is fake the images on their servers and this test is toast. Give them another 4 hours to create a workaround.

Re:How long before they ruin this test (3, Insightful)

wytcld (179112) | more than 5 years ago | (#27435305)

Not if they're blacklisting. Only if they're redirecting. And if they were redirecting they'd presumably already have fake site mirrors set up, including these images, so the test would have never worked.

Oops (4, Funny)

Wilson_6500 (896824) | more than 5 years ago | (#27434741)

Considering how quickly and effectively we managed to slashdot this helpful site, it's pretty obvious that we are the worms.

Oh, goody! (-1, Flamebait)

jc42 (318812) | more than 5 years ago | (#27434817)

It looks like none of my Mac, Ubuntu, or Debian systems is infected.

Funny thing is that I don't even have any anti-virus software installed on any of them. Just the usual software that's designed to not automatically run any code from the outside without getting my permission.

I wonder what sort of systems are getting infected. Anyone have any idea?

Possibly Infected Or ... (0, Redundant)

waterford0069 (580760) | more than 5 years ago | (#27434825)

"Possibly Infected by Conficker (C variant or greater)"

Or you have third party images disabled in Firefox.

Just run Ninnle! (0)

Anonymous Coward | more than 5 years ago | (#27434917)

...and the Conficker worm is irrelevant.

Another option for the eye chart (5, Funny)

fava (513118) | more than 5 years ago | (#27434983)

And if you can see the top row and not the bottom one it means you work at Microsoft.

Irony? Just a bit? (1)

irving47 (73147) | more than 5 years ago | (#27435283)

It's got to be irony when, the day after April Fools' Day, the day the virus in question was supposed to "detonate" for lack of a better word, the easiest method of detection is THIS.

Very cool.

Interesting idea, but ... (1, Insightful)

Anonymous Coward | more than 5 years ago | (#27435309)

What happens when those six sites see that they are getting leeched, and pull those images? Chaos ensues as man + dog believes themselves to be infected.

That's a great plan (0)

Anonymous Coward | more than 5 years ago | (#27435829)

When those sites disable image hotlinking, everyone will think they're infected.
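The false-positive cases raised in this thread (image loading disabled, sites pulling or hotlink-protecting their images) can be told apart from the blacklist pattern by adding control images. This is an added example, not part of any comment and not the Conficker Working Group's chart; the URLs, the control row and the verdict names are assumptions.

```javascript
// Added example: chart URLs are constructed placeholders, not the real chart's images.
const CHART = {
  // Images hosted by security sites that the worm's blacklist would cut off.
  blocked: [
    "https://av-vendor-a.example/logo.gif",
    "https://av-vendor-b.example/logo.gif",
    "https://av-vendor-c.example/logo.gif",
  ],
  // Control images from unrelated sites the worm has no reason to block.
  control: [
    "https://control-a.example/logo.gif",
    "https://control-b.example/logo.gif",
  ],
};

// Browser-side probe: resolves true if the image loads, false on error or timeout.
function probe(url, timeoutMs = 5000) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve(false), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve(true); };
    img.onerror = () => { clearTimeout(timer); resolve(false); };
    // Cache-buster so a previously cached copy cannot hide a failed fetch.
    img.src = url + "?t=" + Date.now();
  });
}

// Fetch every chart image; returns { url: true|false } for classify().
async function runChart(chart = CHART) {
  const urls = [...chart.blocked, ...chart.control];
  const outcomes = await Promise.all(urls.map((u) => probe(u)));
  return Object.fromEntries(urls.map((u, i) => [u, outcomes[i]]));
}

// Turn load results into a verdict, treating the thread's false-positive cases as such.
function classify(results, chart = CHART) {
  const loaded = (urls) => urls.filter((u) => results[u] === true).length;
  const blockedOk = loaded(chart.blocked);
  const controlOk = loaded(chart.control);
  // Nothing loads at all: third-party images are disabled or the client is offline.
  if (blockedOk === 0 && controlOk === 0) return "NO_IMAGES";
  // A control is missing: the network or the chart is unreliable, so draw no conclusion.
  if (controlOk < chart.control.length) return "CONTROL_FAILING";
  if (blockedOk === chart.blocked.length) return "NOT_BLOCKED";
  // Every security-site image fails while every control loads: the blacklist pattern.
  if (blockedOk === 0) return "POSSIBLY_INFECTED";
  // Only some fail: a partial block, or one site has pulled or hotlink-protected its image.
  return "PARTIAL";
}
```

If every security site removes its image at the same time, the verdict is still POSSIBLY_INFECTED, so whoever hosts the chart has to confirm from a known-clean machine that the images are still being served.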

Less-Cool Mirror (0)

Anonymous Coward | more than 5 years ago | (#27436009)

Hey, I didn't mean to slashdot the page :-( The Honeypot guys have a similar type of page here [uni-bonn.de], but I'm not sure if it'll get slashdotted as well. Also, it's not nearly as much fun, as it only gives you a yes-or-no answer, with no cute .gifs to indicate your level of doom.
