Conficker Worm Could Create World's Biggest Botnet
nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives and through brute-force password-guessing.'"
Re:Evolution (Score:4, Informative)
The vulnerability is detailed by October 23rd's Microsoft Security Bulletin MS08-067. [microsoft.com]
Re:How can it spread through USB sticks? (Score:5, Informative)
I don't use Windows much, but I assumed MS had disabled, or at least set the default to off for, the autoexec.bat feature, so how else could it spread just by plugging in a USB stick? Someone tell me this security hole the size of a planet isn't still enabled by default in Windows installs??
It posts an "execute" option in the autoplay dialog that looks almost exactly like the harmless "browse folder" option, complete with misleading folder icon. It's moderately clever, but of course still requires autoplay to be enabled.
Re:Evolution (Score:2, Informative)
It has evolved - but not by natural selection. Some amount of evolution is accepted as a fact by everyone except young-earth creationists (those who believe the world is about 6000 years old). For example, we know that horses used to have toes and now they have hooves. But some believe this evolution is caused by natural selection and genetic variation, while others believe it was the act of a creator or designer. The evolution of wolves into domestic dogs is an example of evolution caused by man (you could call it artificial selection).
Re:How can it spread through USB sticks? (Score:3, Informative)
Infect other computers. That's the whole point of putting itself on the USB stick in the first place.
Re:How can it spread through USB sticks? (Score:4, Informative)
See http://isc.sans.org/diary.html?storyid=5695
The option appears as:
Install or run program: Open folder to view files (Publisher not specified)
So people falling for it would have clicked even on "Install virus and destroy your life? YES/NO".
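The trick described in the SANS diary and the comments above is a plain autorun.inf whose action label copies the text of the built-in "Open folder to view files" entry, so the only visible difference in the AutoPlay dialog is the "Publisher not specified" suffix Windows adds to unsigned programs. The following inspector is an added example, not code from the SANS diary, the Winh4x script or any Slashdot poster: it parses an autorun.inf the lenient way Windows does (skipping lines that are not key=value) and reports the heuristics a responder would check on a suspect USB stick. The sample files, the file names inside them and the heuristics themselves are constructed for this example and are not taken from a real worm sample.

```python
"""Heuristic inspector for autorun.inf files (added example).

Flags an [autorun] section whose 'action' label mimics the Windows
"Open folder to view files" entry, whose icon borrows a system DLL so
the entry looks like a folder, and whose open/shellexecute line launches
a DLL through rundll32. The heuristics and the samples below are
assumptions made for this example, not signatures from a real sample.
"""
import re

# Text of the genuine "browse" entry in the XP AutoPlay dialog.
FOLDER_LABEL = "open folder to view files"

# Windows' autorun.inf parser tolerates junk, so we only pick up lines
# that look like key=value and ignore everything else.
KV_RE = re.compile(r"^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$")
SECTION_RE = re.compile(r"^\s*\[\s*([^\]]+?)\s*\]\s*$")


def parse_autorun(text: str) -> dict:
    """Return the [autorun] keys (lower-cased) and their values.

    Later duplicates win, lines outside [autorun] are ignored, and
    lines that are not key=value are skipped rather than aborting."""
    entries = {}
    in_autorun = False
    for raw in text.splitlines():
        sec = SECTION_RE.match(raw)
        if sec:
            in_autorun = sec.group(1).lower() == "autorun"
            continue
        if not in_autorun:
            continue
        m = KV_RE.match(raw)
        if m:
            entries[m.group(1).lower()] = m.group(2)
    return entries


def inspect_autorun(text: str) -> list:
    """Return a list of findings; an empty list means nothing fired."""
    e = parse_autorun(text)
    findings = []
    # shellexecute takes precedence over open in the AutoPlay entry.
    launcher = e.get("shellexecute") or e.get("open") or ""
    label = e.get("action", "")
    icon = e.get("icon", "")

    if launcher:
        findings.append(f"launches a program from the drive: {launcher}")
    if FOLDER_LABEL in label.lower():
        findings.append("action label mimics the built-in 'Open folder to view files' entry")
    if "shell32.dll" in icon.lower():
        findings.append(f"borrows a system icon to look like a folder: {icon}")
    if re.search(r"rundll32(\.exe)?", launcher, re.I) and re.search(r"\.dll", launcher, re.I):
        findings.append("runs a DLL via rundll32")
    return findings


# Constructed sample: junk line, folder-like label and icon, DLL launch.
# Path and export name are placeholders, not a real worm's file names.
SAMPLE_MALICIOUS = """\
[autorun]
xY}}Q3m9 junk that a lenient parser skips
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
shellexecute=rundll32.exe .\\hidden\\payload.dll,EntryPoint
"""

# Constructed sample of a harmless vendor stick: label and icon only.
SAMPLE_BENIGN = """\
[autorun]
label=Vendor Tools
icon=setup.exe
"""

if __name__ == "__main__":
    for name, sample in (("malicious", SAMPLE_MALICIOUS), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_autorun(sample) or ["no findings"])
```

On a real stick, read `X:\autorun.inf` in binary mode and decode with `errors="replace"` before calling `inspect_autorun`, since the junk around the real keys need not be valid text. A lone "launches a program" finding is weak (many installer discs do that); the label-mimicry and rundll32 findings together are what make the entry worth quarantining.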
Finding unpatched servers (Score:2, Informative)
The guys at Winh4x [blogspot.com] have generated a script that detects servers missing the MS08-067 update.
Trivial for a worm to change the flag? (Score:5, Informative)
I would have to agree. I fought, what I think is this worm, at work for a week or so. If not, here is what I fought.
*Would disable Recovery Console so you couldn't go back to an earlier date.
*Spread by USB thumb drive.
*Stick in a thumb drive: if the computer had AVG, it would detect it but not be able to "heal" everything... but by this time it was too late.
One variant of it put in a rootkit and blocked all access to antivirus sites. You could go anywhere on the Internet unless it happened to be an antivirus site.
This same one also blocked exe files if they happened to be something like Spybot Search & Destroy. It just wouldn't run anymore.
Also, it turns off the ability to change settings to view hidden files and folders, so you can't see the folders it adds.
My guess is, it is pretty freaking trivial for these people to do whatever they freaking want in Windows (except for probably disabling DRM!).
Transporter_ii
Re:How can it spread through USB sticks? (Score:2, Informative)
How does one disable autoplay in XP, without making a half dozen manual registry changes?
Through a policy (gpedit.msc).
http://support.microsoft.com/kb/953252 [microsoft.com]
The article is about 10 times as long as it needs to be; look for the subtitle "How to use Group Policy settings to disable all Autorun features".
Re:follow the money. (Score:3, Informative)
A nice idea in theory. Since I'm in exactly this business, allow me to illustrate how this works (or rather, how it doesn't).
You follow this trail to some registrar in, say, Uzbekistan. He will point you to Malaysia, where the server is located. So you phone your local Interpol office (let's assume you are on good terms with them and they actually listen when you call, as in my case. It helps when you point them to some bank scams first so they see you as someone who ain't just a waste of time). If they are inexperienced cops eager to make a bust, they will start writing letters towards Malaysia, asking for aid in their endeavour to shut that server down.
If they are experienced cops, they'll tell you "meh" and shrug their shoulders, knowing it's fruitless, or if it finally comes to a positive end and the server gets closed, it already changed location at least twice, rendering your "victory" pointless.
But let's find out who is behind it all. To save some space here, allow me to just point you to Wikipedia's article about the RBN [wikipedia.org]. I'm not saying this is a deal of the RBN, but it might give you an idea why following the money trail to find out who is behind it is just about pointless. You might even find out who did it. Doesn't do jack, though, if he's sitting in a country that has other problems.
The point is, countries usually don't care about it too much if their citizens break the law abroad, at least if they got enough problems with other crimes at home. And while I'm not really saying that it is so in this case, some countries could have a very keen interest in having someone around that has access to a worldwide network of botnet machines...