Slashdot Log In
Fears of a Conficker Meltdown Greatly Exaggerated
Posted by
kdawson
on Sat Mar 28, 2009 09:02 PM
from the joke's-on-us dept.
from the joke's-on-us dept.
BobB-nw writes "Many have been worrying that the Conficker worm will somehow rise up and devastate the Internet on April 1. These fears are misplaced, security experts say. April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. A 60 Minutes episode about the worm on Sunday will stoke concerns. But the worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. 'Technically, we will see a new capability, but it complements a capability that already exists,' Porras said."
Related Stories
[+]
1 In 3 Windows PCs Still Vulnerable To Worm Attack 242 comments
CWmike writes "The worm that has infected several million Windows PCs, Downadup or 'Conficker,' is having a field day because nearly a third of all systems remain unpatched 80 days after Microsoft rolled out an emergency fix, security firm Qualys said. Downadup surged dramatically this week and has infected an estimated 3.5 million PCs so far, according to Finnish security company F-Secure Corp. The worm exploits a bug in the Windows Server service used in Windows 2000, XP, Vista, Server 2003, and Server 2008. Qualys' CTO said, 'These slow [corporate] patch cycles are simply not acceptable. They lead directly to these high infection rates.'" This is indicative of why some are calling for Microsoft to rethink Patch Tuesday, as reader buzzardsbay pointed out.
[+]
Conficker Worm Could Create World's Biggest Botnet 220 comments
nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Cornficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"
[+]
News: OpenDNS To Block and Monitor Conficker Worm 175 comments
Linker3000 writes "According to The Register, OpenDNS plans to introduce an new service that will prevent PCs infected with the Conficker (aka Downadup) malware from contacting its control servers, and will also make it easy for admins to know if even a single machine under their control has been infected by Conficker: 'Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users.' With the amount of trouble this worm has caused, perhaps this is a good time to take a look at OpenDNS if you haven't done so already."
[+]
News: Microsoft Slaps $250K Bounty On Conficker Worm 258 comments
alphadogg writes "The spreading Conficker/Downadup worm is now viewed as such a significant threat that it's inspired the formation of a posse to stop it, with Microsoft leading the charge by offering a $250,000 reward to bring the Conficker malware bad guys to justice. The money will be paid for 'information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet,' Microsoft said today in a statement, adding it is fostering a partnership with Internet registries and DNA providers such as ICANN, ORG, and NeuStar as well as security vendors Symantec and Arbor Networks, among others, to stop the Conficker worm once and for all. Conficker, also called Downadup, is estimated to have infected at least 10 million PCs. It has been slowly but surely spreading since November. Its main trick is to disable anti-malware protection and block access to anti-malware vendors' Web sites."
Submission: Fears of a Conficker meltdown greatly exaggerated by Anonymous Coward
[+]
The Birth and Battle of Conficker 239 comments
NewScientist has an interesting look back at the birth of the Conficker worm and how this sophisticated monster quickly grew to such power and infamy. "Since that flurry of activity in early April, all has been uneasily quiet on the Conficker front. In some senses, that marks a victory for the criminals. The zombie network is now established and being used for its intended purpose: to make money. Through its peer-to-peer capabilities, the worm can be updated on the infected network at any time. It is not an unprecedented situation. There are several other large networks of machines infected with malicious software. Conficker has simply joined the list. The security community will continue to fight them, but as long as the worm remains embedded in any computer there can be no quick fixes."
This discussion has been archived.
No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
Full
Abbreviated
Hidden
Loading... please wait.
Never happens. (Score:5, Funny)
that never happens.
Re:Never happens. (Score:4, Funny)
Yeah, that was a sham job.
Script: Leslie's Virus Story
Software Guy's office:
Leslie: "There's this thing called a worm out there that's going to steal all your money and destroy the world, you know, it'll be bad. Cats and dogs lying down together and all that."
Software guy: "Buy our software or your bank account will be emptied. Please watch this sham demo."
Leslie: "Wow, I got a Facebook from Andy, let me just go ahead and delete that..."
Software Guy: "No no no no no!! You have to pay attention to Andy or your money won't be stolen."
Leslie: "I see. So that's why nobody's had their money stolen yet. You're not just on the show to sell your software, are you?"
Software Guy: "Nah, you can trust me. I'm a software guy, not a banker. But if you don't buy it, some Russian kids will get all your money."
Leslie: "Is there any other way to protect your computer, like installing the latest Windows patch?"
Software Guy: "You're really not good at playing along, are you."
Cut to interview with woman who's money was stolen because she didn't have Software Guy's latest product:
Woman: "I saw it transfer money from my account to my son's account right before my eyes."
Leslie: "Really? Right before your eyes."
Woman: "Yeah."
Woman's password is clearly visible on Post-it note on monitor. It's "password".
Leslie: "So you have virus software?"
Woman: "Yeah, it came with the computer. But after 30 days it started asking me to renew the subscription for $30, sooo..."
Leslie: "I see. Did you consider a Mac?"
Woman: "I'm not cool enough for a Mac. If that hot, skinny redhead isn't cool enough for a Mac, what chance do I have?"
Virus Expert's office:
Leslie: "What does this cornflucker thing do anyway?"
Virus Expert: "Well, nothing so far, but that could change. One day it's going to take all your money and destroy the world. It's going to be bad. You won't believe what the cats and dogs will be doing."
Parent
Don't place bets... (Score:3, Interesting)
Re: (Score:2)
The bigger April Fools joke will be if it *does* do something. I forget the name of the virus, but it was wide spread, that sent a copy of files in the "My Documents" folder out to everyone in your address book. That wasn't a well thought out plan, as there's a lot of crap in most people's "My Documents" folder, that even the original author doesn't care about. It also consumed a lot of bandwidth and server time.
My guess would be that they'll simply pop up a "April Fools, yo
You just don't know... (Score:2, Interesting)
You just don't know what payload will be downloaded on April 1st.
It could be your standard 'DDoS and Spam Run' package, but imagine what would happen if all these drones were used to start exploiting an unknown vulnerability, think SQL Slammer...
Updates (Score:5, Interesting)
April 1st is when the worm will *start* looking for updates. It will continue looking from that date on, with a different set of domains each day. So there is no reason why the authors would register one of the domains and put out an update on the first day. If anything, they would wait a while to increase the number of domains security researchers have to watch out for. Also, the authors may not have any reason to update it just yet - it seems to be quite successful in its current iteration. They may be waiting for a buyer to purchase a block of the botnet for example.
Re-possitioning is a good thing? (Score:5, Insightful)
Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?
After April 1st, this thing will be drawing from more domains than can be blocked for future updates. It sounds like it'll be much more entrenched and difficult to combat if that happens. So this advise sounds a lot like 'Well, the gangrene has spread from your foot up to your knee, but it's not a problem'.
Re: (Score:3, Interesting)
At least it's not Lupus. (Score:4, Interesting)
Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?
They're trying. Microsoft has released a patch that supposedly blocks the primary vector [microsoft.com] (a vulnerability in the Server service affecting all Microsoft operating systems since Windows 98), and updated their repair tool MSRT [microsoft.com] to detect and remove it (download it from a machine that's not infested). It has probably removed it from several million of the estimated 15 million infested machines. Microsoft is working with ICANN [icann.org] to block registration of the generated domain names in the case where they're not yet registered and the owners of the domains that were previously registered to mitigate downtime. Every managed service provider and major IT shop I know of has pushed out all of this stuff. Unfortunately, this is not even close to enough. The secondary vector, autorun, is pernicious. This thing is now on the root thousands of major shares and every time they remove it one of the thousands of Conficker clients puts it back. It's on millions of pen drives, millions of backups. It's been burned to millions of CDs. It's on iPods and mp3 players, Blackberries and iPhones and Windows Mobile phones, picture frames and DVDs. It's probably now in the root of DVD ISOs distributed via all the popular media distribution sites. Tertiary vectors include compromising network neighbors. Your grandchildren are going to be installing this thing if they don't figure out the whole "autorun is stupid" thing.
This thing is really very well engineered. The next one will be even better. And the next one better still. If you're in a Microsoft shop you're going to be working half your holiday weekends for the rest of your career, and a lot of planned vacations too. Remember that this is not the only Windows malware currently making the rounds. There are at least three major development groups and all of them have active botnets and a release schedule for new exploits.
We've been playing this game for a long time and the black hats are getting more proficient than the white hats. The problem is that the target platform - Windows - cannot be made invulnerable to these threats without defeating its main selling point: application compatibility. Most of the people who work with this toxic stuff do their development on BSD, OS-X or Linux and refer to Windows boxes as "targets". If Microsoft makes Windows so secure that this junk won't spread, most of the apps for it won't run. You might as well run an OS that's not a target now as wait for that to happen.
But TFA is right. April Fools is the day the botmaster begins to harvest his crop of bots. May 22 is more likely the beginning of operations. I could be wrong about this because I previously guessed January 16.
Parent
Re: (Score:3, Insightful)
Yes, it does make more sense, but will never happen. Until you can get more than a handful of Windows users to actually know and care about these issues, it will stay in this same state of sorry affairs. Just three things are keeping this crap going:
1. MS market share guarantees a large fat market for malware authors
2. Typical Windows user does not want bothered with hassles an
Conficker and friends are great. (Score:3, Funny)
Get off my lawn :) (Score:2)
Teaching people how to use their computers and fixing hardware problems when they come up is a helluva lot better than repetitive malware removal.
More fun, anyway.
Frak. I'm getting old.
SB
Windows Update? (Score:3, Insightful)
I wish the creators had something useful in mind (Score:4, Interesting)
I would like this thing to actually shut down all those computers that are infected. It would save quite a bit on energy and actually be quite useful. If there would be a way to permanently disable a computer (flash it's BIOS with a bad image) then maybe it could stimulate the economy. Another thing would be to simulate a 56k connection on all those machines. Finally the intertubes would be cleared of a lot of clutter by people trying to get to awful flash 'movies' of random people on Facebook or MySpace. Another thing would be to register every IP that the computers are connected to as potential spam hosts to well-known spam registries.
Of course if some host is infected and some life or death situation is dependent on it, the blame should be placed on the IT administrator or the vendor, not the creator.
It will be interesting to see what will happen.
Re:I wish the creators had something useful in min (Score:5, Interesting)
Parent
Re: (Score:3, Informative)
Re: (Score:3, Funny)
Destruction of property is not helpful for the economy.
How that be? I've been watching Congress and the President and clearly they think destruction of economy is helpful for the economy...
How to prevent/detect/remove these? (Score:5, Interesting)
Wikipedia has info on how to detect [wikipedia.org] and remove using most major antivirus running the latest update. [wikipedia.org] But why don't the news-writers seem to recognize this? Why must every infection be a death sentence to support some nefarious plot with your unwitting computer?
Re: (Score:2)
Is Outlook more secure than Thunderbird? I've been under the impression that the opposite was true.
Re: (Score:3, Informative)
(*not using outlook)
Re: (Score:2)
Is Outlook more secure than Thunderbird?
No.
SB
Hot to prevent Conficker from conquering your net (Score:3, Interesting)
Are you sure? (Score:2)
Some clarifications .... (Score:3, Informative)
Clueless person in need of help (Score:3, Interesting)
Ok... so here's what I don't get:
Security experts are well aware of this botnet client and are keeping a close eye on it. They've picked the client bot apart line by line. They know exactly how it is supposed to behave on the client side, but they of course don't have a clue about the server side. So why can't they hijack the hijacker?
For example, say this client bot is programmed to go to IP address on April 1st and DL some update. Ok..., block that IP address on the internet or trace the IP address back to the owners and stop it there. Those don't seem hard. (ok... and before someone calls me an idiot for saying "block the ip address on the internet", what i mean is that you can get the major service providers, certainly here in the US, and potentially abroad to "lose" anything sent to a specific address.)
Ok... so let's say that the client bot is programmed to go to IP address to and ping each one to ask for an appropriate update, verifying each update against a specific hash key. Ok... then grab IP address and put in something that DLs a file that neutralizes the bot. There can be no hash key that the researchers can't figure out because they can pick through the entire client bot's code bit by bit.
I'm clearly not getting something crucial here, but it just seems that in all the moaning about how bad this is that it wouldn't be that hard for someone person to write some kill code for it as long as enough time and effort had already gone into understanding the client side code.
Someone please help out a clueless non-security, non-software engineer understand why this is so hard.
d
Re: (Score:3, Insightful)
Knock the last 4 words off of that, and you are right, keep the last 4, and you are a troll.
Windows is generally ill equipped by default, and because of its population density is a larger target, but a huge part of the blame is the ignorance of it's users.
The last virus I had that did any damage to my personal files, or necessitated a reformat, was 7 years ago, the last one that did any sort of "hostile" act was Blaster, which took about 3 minutes to fix.
Pay attention to where you are going, and you wont fa
Re:If only... (Score:5, Insightful)
Current Windows inherited most of its security problems from DOS and Win16. In fact Windows XP was the first "home desktop" Windows (given 2000 was marketed for office use) to use memory protection at all. Prior to that a process could read/write anywhere, which effectively meant there was no security of any kind.
And since most applications require administrator access to run at all, including most server applications, even having memory protection is reduced to the effectiveness of chewing gum. With administrator access, any application can insert itself as a shim into any other application.
Then even when you do narrow down to the few applications that run with pure user access, and run that way all the time, there are plenty of privilege escalation holes to get that administrator access back.
It's swiss cheese from the ground up. Users cannot be expected to be tech geeks just to be basically secure. Certainly if they run an untrusted binary, their personal files are forfeit, but by no means should that be allowed to spread to the whole system (of potentially thousands of users) nor the whole network via server software running as administrator.
Parent
Re: (Score:2)
And since most applications require administrator access to run at all...
Cite?
100% of the applications that my employer creates require only regular User privs. Also, 100% of the userland code running on my Windows (Server 2k3 , BTW) machine at home runs w/ regular User privs.
Hell. Even Process Explorer runs as an unprivileged process.
Re: (Score:3, Insightful)
Re: (Score:2, Insightful)
Re:If only... (Score:5, Interesting)
Posts like this make me think that you've never done any tech support for the average home user in the real world.
Sure, those of who know what we're doing can avoid problems.
That doesn't hold true for the vast majority of windows users. If it did, it wouldn't be a problem.
It's the same kind of thinking that led to the problem being existent in the first place.
Don't get me wrong - I make a fairly nice side income doing tech support for home users on the side.
But I'd much rather go back to teaching people *how* to use their computers - actually making a difference - than fixing broken windows installations and removing viruses, even if it is much more profitable.
Call me old-fashioned or whatever, but that's what I'd prefer.
I'm not necessarily bitching at you in particular. I just remember what it was like, a long time ago, to spend my computer support time solving problems that didn't involve malware infestations. *Teaching* people how to use their computers. I miss it. It was fun. This isn't.
So anyone who says "Oh, I can keep my machine virus free" - whoopdefuckingdoo, so what, so can I. Most people can't, and it's because Microsoft can't write a decent *secure* fucking operating system to save their stock options.
Oh, and get off my damned lawn ;)
(Irritable? You bet. I'm a curmudge-only middle aged bastard...)
I can vent, can't I? *grin*
SB
Parent
Re: (Score:3, Insightful)
So anyone who says "Oh, I can keep my machine virus free" - whoopdefuckingdoo, so what, so can I. Most people can't, and it's because Microsoft can't write a decent *secure* fucking operating system to save their stock options.
Most people can't because keeping something secure requires a security mindset that most people can't/don't/won't adopt. These are the same people that hold a security door open for a waiting "delivery man", leave their spare house key in the obvious fake rock, answer telephone surveys with all of their personal info, etc. It has nothing to do with the OS. I've had to teach some _smart_ people running Linux why downloading random .rpms/.debs/binaries is a bad thing.
Re: (Score:2)
But the problem would be substantially reduced.
Re:If only... (Score:4, Insightful)
If everyone were using something else. Lets say linux or OSX Then whe worms would be tailored for those environments.
I'd like to see a worm tailored to my custom-compiled hardened 64bit gentoo. Linux is not a monoculture, only in source code form. You cannot target it the way you do windows.
Parent
Re: (Score:2, Insightful)
I'd like to see a worm tailored to my custom-compiled hardened 64bit gentoo.
If you would read, once more, the post that you quoted, you might notice that it says "If everyone were using something else, such as Linux or OS X." Allow me to define "everyone" for you.... "everyone" is a pronoun meaning "Every person; everybody." "Everyone" cannot custom-compile their own Linux kernel with security in mind. "Everyone" cannot even custom compile their own kernel, period.
The grandparent said that Linux and OS X are a poor choice for a botnet because they are in the extreme minority, but i
Re: (Score:2, Insightful)
That is, assuming that EVERY last computer user is running the exact same distro and the default programs on it...
If you create a worm that targets Pidgin, well then the Kopete users are safe (so long as Kopete doesn't share that very same flaw). That's the thing about Linux, each environment is too different. This makes mass-scale infections like this a bit more difficult to accomplish. Not to mention Open Source tends to have fewer exploits overall.
Security by Obscurity is a myth. If it wasn't, then why a
Re:If only... (Score:5, Insightful)
You mean having 10x users would reduce the number of different configurations? I don't know what you're smoking, but give me some.
Actually, it would probably be safe to assume that it would. Mass take-up of Linux would either require or force standardisation, and with that would come a form of 'same-ness' that would be open to attack.
Parent
Re:If only... (Score:4, Interesting)
That brings to mind exploits for very common distributions that I've seen in the past.
But, in reality there have been some nasty ones. How many versions of OpenSSH were exploitable? I remember having the exploit, and running it against our own equipment to see what it would break. I love trying to break my own equipment. If I use the same script kiddie code, and I can't get in, neither can they.
Of course, it helps to have many things protected. I prefer to have SSH on a different port, with the firewall rules disallowing anyone to connect from anything but an authorized network (I love default DROP rules). Most exploitable things have only been available to my authorized networks, and only if they knew our port scheme.
Parent
Re: (Score:2)
Mass take-up of Linux would either require or force standardisation
Yes. Protocols and user file formats, but not binaries. On some level, we already have even that with ELF.
Re: (Score:2, Informative)
Exactly! That's why Apache installations are the most-compromised servers on the net!
Oh, wait...
Re: (Score:3, Insightful)
Indeed.
The same year that is the "Year of Linux on the Desktop", will also be the "Year of Malware on Linux". Computer crime is profitable, and if Linux were to dominate the market, then it would definitely be targeted.
Maybe malware will be _slightly_ less prevalent than currently (and profits slightly diminished). But Linux (and OS-X) aren't so much more secure than Windows that they would be invulnerable to the hordes of clueless users/admins that "Year of the Linux Desktop" implies. The huge majority of
Re:If only... (Score:4, Insightful)
Parent
Re: (Score:3, Insightful)
They might try to tailor their junk for these environments, but it's like the difference between a normal car (windows) and a car coated with teflon with a motion sensing machine gun on top (OSX/Linux), with the worms/viruses/malware being a type of graffiti paint.
Graffiti will stick pretty well to a normal car (and if you tend to stop in the more seedy parts of town than others, you have more of a chance of having your car "tagged" too), but it's not going to be very effective on the teflon coated ones and
You might have a point... (Score:4, Informative)
If there were only one Linux. There's not. There are thousands [distrowatch.com]. The kernel itself doesn't require services that need open ports and application level security is a per-distribution thing so no two are going to have the same set of vulnerabilities. Linux is not a "monoculture".
We live in the world as it is, not as it might be. What-ifs really aren't worth spit. You can choose to run an OS that was vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red and will be the target of the next six. Or not. It's up to you. Don't try to pretend that there's no functional security difference between the two because that's absurd. Add up the amount of data that was and will be compromised by that list of malware and you have enough to bring the world economy to a screaming halt. Between them those computers probably had access to financial or personal data on a majority of people who've had a digital record and more corporate secrets than should be in a hundred data pools.
What the other guy does shouldn't matter. It should be about being responsible with the data entrusted to you, about being a good steward of your own gear. If you are in IT then your customers are counting on your professional expertise to save them from inadvertently disclosing information via system compromise, and that's a solemn duty. From that perspective the choice is clear. If you can choose to not be a target why would you not leap at that option?
Parent
Re: (Score:2, Funny)
Re: (Score:2)
Why not register one of the conficker domains yourself, before the actual owner can do it, and then load you own windows-by-linux-replacer into it. Oh, and add a conficker remover too. Done right, it should result in an "epic pwn" as they say.
Re: (Score:2, Informative)
It uses 4096 bit RSA to sign the binaries.
I don't know any group that could crack that(yes, not even you, FBI/CIA/NSA super computer).
Re: (Score:2)
See, digital signatures WORK! Proof that they'll solve all of our software update and malware pro...
Wait, conficker was written by the bad guys?
Dammit.
Re: (Score:3, Interesting)
So what is exaggerated? How much people are afraid of Cornficker or its potential to cause damage?
Neither. The fear is warranted because the potential damage will almost certainly be realized to a significant degree. It's already proven its capacity to cause damage or we wouldn't be talking about it. What's exaggerated may be the April First date. April 1 might just be a mode shift day planned by the programmer where the thing goes into a "less stealthy" mode in order to improve a node's chances of catching a control.
For each 1% of infected systems that attach with a successful domain hit, the botma
You are SO correct (Score:4, Insightful)
Why are we discussing Windows/Linux/OS X preference at all?
If you want a system that's not vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red, you need look no farther than "anything that's not Windows".
Parent