
Conficker Worm Could Create World's Biggest Botnet

nk497 writes "The worm that's supposedly infected almost nine million PCs running Windows, dubbed Conficker or Downadup, could lead to a massive botnet, security researchers have said. The worm initially spread to systems unpatched against MS08-067, but has since 'evolved and is now able to spread to patched computers through portable USB drives through brute-force password-guessing.'"
  • Re:ISP Blacklists (Score:1, Insightful)

    by Anonymous Coward on Tuesday January 20, 2009 @06:35AM (#26526807)

    I don't really understand why there couldn't be a blacklist of known botnet controllers maintained by a trusted authority

          Yes, this will work, especially when I can connect to my botnet through YOUR machine today. Your neighbor's machine tomorrow. Etc...

  • by calmofthestorm ( 1344385 ) on Tuesday January 20, 2009 @06:36AM (#26526809)

    It should not be that hard to follow the money generated by this malware. Infecting 8 million PCs should be a crime.

    It's a crime if it's spammers. It's not a crime if it's government or content industry.

    Bitterness aside, the main problem is that usually the people doing it are in a country where it is, for a number of reasons, difficult to track them down. Still, I agree that, short of keeping your OS up to date (if you /must/ use Windows), following the money is the best approach.

  • Re:ISP Blacklists (Score:3, Insightful)

    by Urd.Yggdrasil ( 1127899 ) on Tuesday January 20, 2009 @06:56AM (#26526911)
    This would only work for centralized command and control mechanisms. More sophisticated bots use decentralized p2p type communication, as was the case with the Storm worm last year. Conficker uses a built-in mechanism to generate new domains to contact each day, and while security firms are deploying blacklists based on the generator code, it could easily be changed in a new variant. This is of course not taking into account the difficulty one would have in getting ISPs to maintain a list of blacklisted domains that changes day to day.
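The comment above describes the defender's side of a domain-generation scheme: if you have the generator code, you can precompute the day's domains and block or alert on them, but a variant with a different seed produces a disjoint list and the old blocklist misses it entirely. The following is an added illustration, not code from the original post and not Conficker's actual algorithm; the generator, seed, TLD list and DNS log lines are all constructed for the example.

```python
import datetime
import hashlib

# Constructed TLD list for the toy generator (not Conficker's).
TLDS = ["com", "net", "org", "biz"]


def toy_dga(day: datetime.date, count: int = 50, seed: bytes = b"example-seed") -> list[str]:
    """Hypothetical date-seeded domain generator, standing in for the real one.

    It is deterministic: anyone holding the generator (and its seed) can compute the
    same list for any date, which is exactly what lets defenders precompute blocklists.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(2, "big")
        digest = hashlib.sha256(material).digest()
        label_len = 8 + digest[0] % 5                      # 8..12 character label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + label_len])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def build_blocklist(day: datetime.date, lookahead_days: int = 1, seed: bytes = b"example-seed") -> set[str]:
    """Precompute today's domains plus a few days ahead, so the list can be pushed
    out before the bots start asking for them. The daily churn is why the comment
    notes ISPs would have to refresh such a list continuously."""
    block: set[str] = set()
    for offset in range(lookahead_days + 1):
        block.update(toy_dga(day + datetime.timedelta(days=offset), seed=seed))
    return block


def flag_dns_queries(log_lines: list[str], blocklist: set[str]) -> list[tuple[str, str]]:
    """Scan constructed DNS log lines of the form '<ts> <client> <qname>' and return
    (client, qname) pairs whose query matches the precomputed blocklist."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                                       # malformed line, skip
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in blocklist:
            hits.append((client, qname))
    return hits


# Constructed sample: the article's date, one generated domain queried by one host.
SAMPLE_DAY = datetime.date(2009, 1, 20)
SAMPLE_DOMAIN = toy_dga(SAMPLE_DAY)[3]
SAMPLE_LOG = [
    "2009-01-20T06:56:01 10.0.0.7 " + SAMPLE_DOMAIN,       # matches today's list
    "2009-01-20T06:56:02 10.0.0.9 slashdot.org",           # benign
    "2009-01-20T06:56:03 10.0.0.7 " + toy_dga(SAMPLE_DAY, seed=b"new-variant")[3],  # variant, not on list
]


def demo() -> list[tuple[str, str]]:
    """Flag queries in SAMPLE_LOG against the blocklist built from the known generator."""
    return flag_dns_queries(SAMPLE_LOG, build_blocklist(SAMPLE_DAY))


if __name__ == "__main__":
    for client, qname in demo():
        print(f"blocklisted DGA lookup from {client}: {qname}")
```

The third log line shows the caveat the comment raises: a variant that merely changes the seed yields domains the blocklist computed from the old generator never contains, so the detection silently goes blind until the new generator is recovered and the list rebuilt.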
  • by jonwil ( 467024 ) on Tuesday January 20, 2009 @07:00AM (#26526931)

    It's a good bet that the machine or machines responding to the trafficconverter.biz domain name are either hacked (e.g. zombies) or obtained using stolen or fake credit cards and other ID.

    The chances that the information listed for the account(s) owning trafficconverter.biz match the owners of this botnet are very small.

  • by ChienAndalu ( 1293930 ) on Tuesday January 20, 2009 @07:05AM (#26526961)

    I really hate Microsoft for this kind of stupidity. They could have just made an option "autorun program from USB stick" with nothing customizable about it.

  • by Richard W.M. Jones ( 591125 ) <rich.annexia@org> on Tuesday January 20, 2009 @07:07AM (#26526975) Homepage

    It's not like the FBI and Interpol are going to look at the bogus whois information and throw their hands up and say "oh noes". They can go and raid the registrar's offices and find out what IPs registered the domain, what credit cards (stolen or not) were used, and if they were stolen, where from and when. Furthermore the worm has a whole list of websites, so every single one of those can be checked in the same way, and even if they are all hijacked, there will be hundreds of potential clues about the perpetrators.

    Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc the list goes on. The police need to do something to help us.

    Rich.

  • by Anonymous Coward on Tuesday January 20, 2009 @07:13AM (#26527009)

    And then users trying to install "Tax payment programs" will get lost not understanding what to do ("it says something about something to run and uh other confusing options.. oh computers are so hard to use..").

    Besides, once social eng kicks in, any fix would just move the vulnerability point somewhere else.

    The human brain is just thousands of times more vulnerable than any OS in the world :(

  • I would guess it's trivial for this worm to change the flag to enable autorun, however.

    Only after it's executing....and if it's doing that, what's the point?

  • by timmarhy ( 659436 ) on Tuesday January 20, 2009 @07:31AM (#26527103)
    agreed 100%. until some serious pound me in the ass prison time is handed out to more than a few of these guys, it won't stop. better coordination with ISPs is also the answer here, once these virus/spam sites are identified, for fuck's sake blacklist them. this simple act would stop 100,000's of infected PCs from giving up information making the whole venture less profitable.
  • by mlush ( 620447 ) on Tuesday January 20, 2009 @08:23AM (#26527347)

    Personally, I am sick of spammers attempting to add comment spam to sites that I run, signing up for bogus accounts, sending massive amounts of spam, continuously trying ssh connections, running exploits etc the list goes on. The police need to do something to help us.

    Rich.

    I think you should be careful what you wish for. The Police could do something, they could turn the Internet into a Police State.

  • by rolfwind ( 528248 ) on Tuesday January 20, 2009 @08:25AM (#26527353)

    Perhaps retards shouldn't be allowed to be on computers. Sorry, if you're a computer user and don't get the concept of a file nor what running a program means - elementary concepts really - perhaps you should just stay away. There is no other piece of equipment on this world where utter ignorance on behalf of the operator is so actively accepted.

  • Say it ain't so (Score:3, Insightful)

    by damn_registrars ( 1103043 ) * <damn.registrars@gmail.com> on Tuesday January 20, 2009 @08:35AM (#26527403) Homepage Journal
    It wasn't that long ago that someone declared the storm botnet had been cracked wide open [slashdot.org], from which some people made the extremely erroneous extrapolation that botnets would become a thing of the past.

    Well, I guess that almost held for two weeks. Maybe someday people will consider addressing the underlying cause of these problems instead of the symptoms.
  • by ledow ( 319597 ) on Tuesday January 20, 2009 @08:40AM (#26527435) Homepage

    My post did address your question, but maybe not as directly as necessary.

    Which police? Which law enforcement? Which banks? Which victims? The problem is that such questions are not only difficult to answer but are severely hindered by international boundaries. It's nothing to do with how easy it is to catch the kid down the road doing this to you, it's about how to elicit information from a foreign country who really have no interest in helping you (it's hurting them too, most probably, but that's no incentive). There may even be laws in that country that prevent dissemination of that information outside the country's own law enforcement (Data Protection Acts etc.) Look at the trouble the record industry is having eliciting information on who uses an IP when they KNOW the IP and are represented in the same country as the user and have probable cause to ask for more information. Now imagine that I'm Russian, and the Russian record industry doesn't care what I do... *you* try and extract, based in a foreign country like the USA, the name and address of the Russian user who owns a Russian IP that you think was involved. It's nigh-on impossible, even when you KNOW who it was, let alone if you are just tracing through logs of potential proxies with the intention to seize those proxies to trace back to the original source, etc.

    Basically, the law doesn't help you here at all because once you cross international boundaries, things get infinitely more complicated and it ends up costing too much money to even consider it. That's my point... sod the law (it may not even be illegal in the country of the author to do such things, so you can't rely on it) and use technical solutions to STOP THE CRIME BEING POSSIBLE in the first place. It's like whinging that kids keep stealing things out of your house because you have no garden walls, no locks on your doors, you leave the doors open all the time even if you are out and you put a large sign in the street saying "Please don't steal my things". OF COURSE it's against the law to take your things but you'll never get them all back because you'll never know who was walking past when you weren't there and taking a few simple technical measures makes the crime much, much, much more difficult.

  • by Anonymous Coward on Tuesday January 20, 2009 @09:10AM (#26527633)

    The problem is that there's no real metric for computer usage ability. As a linux user, I would be offended and irritated if the test asked questions about Microsoft and Microsoft products, which it undoubtedly would. Hell, even simple questions like "how do you copy files", "how do you kill malicious/stuck processes", "how do you install a program" are not OS agnostic. Since this thing would be rolled out large scale, the exam would either be multiple choice (i.e. they don't check if your answer is valid, only that it's the same as their set of answers), or they'd hire some IT drop-out to individually examine you, who wouldn't realise that "cp file1 file2" is the valid way to copy files on a *nix machine and would subsequently fail you.

    I guess they could make people fill in a form before they get their pre-built computer (as us *nix users mainly build our own or buy second hand to avoid paying for Windows), but that would still leave massive holes in the system (e.g. people buying computers for their Aunt Tillies, the answer code being traded, shops selling computers with first-run imaging CDs to install the OS thus exploiting the non-pre-built clause, shops selling "second hand" *cough* computers). Sorry guy, but until computers are standardised at least to the level cars are (which would only lead to more (virii?)), it looks like we're stuck with stupid people getting themselves infected.

  • by Cowmonaut ( 989226 ) on Tuesday January 20, 2009 @09:11AM (#26527639)

    The Windows Firewall is greatly improved in SP3, but even the default un-patched firewall in XP is more or less a joke if you plan on doing any network sharing. So either way you have to deal with it. Also, I think it's SP3 you mean about the tampering with IE. It'll install IE7 whether you want it or not unless you already had it installed. The only way to uninstall it without going through a big hassle is to have IE7 installed prior to installing SP3 if I remember right.

    There are very few reasons to not install a service pack for Windows. I've not heard of any hardware compatibility issues, and for sure that is not a problem with new hardware. It may take forever, but from high end gaming systems to crappy E-Machines with at best 512MB of RAM, installing SP2 for XP is the only smart thing to do and doesn't slow the system down once it's installed.

    If anyone has some proof otherwise (as in links, not anecdotal) please correct me. But I've neither heard of nor seen an issue caused by SP2 that hasn't been patched for a long while (over a year or two).

  • by jabithew ( 1340853 ) on Tuesday January 20, 2009 @09:25AM (#26527773)

    Then when Joe-Idiot gets a virus, it's probably his own fault because he bypassed the safety barrier and thus you can throw him off if his IP starts spamming or trying to infect others.

    Most ISP terms of service allow them to do this already. If they actually tried to enforce it, they wouldn't have any customers left.

  • by jrumney ( 197329 ) on Tuesday January 20, 2009 @09:37AM (#26527889)

    What are you going to do, shut down the website without a full legal investigation?

    Yes, sometimes the public interest outweighs the commercial interest of a business. It happens in meatspace every day for all kinds of reasons, from anonymous bomb threats to the president coming within 2 miles of the place.

  • by Erikderzweite ( 1146485 ) on Tuesday January 20, 2009 @09:40AM (#26527909)

    I must admit, it is cleverly done. Put me in front of a Windows machine with default settings and I'd probably select the topmost option.
    Still, it's an epic fail to enable such autostart of random programs from USB stick. It is sacrificing essential security for questionable convenience.

  • *ALL* operating systems must be constantly patched to protect against the "latest" threats. Windows just gets the majority share of attention because there are millions of Windows boxes, many unpatched, many owned and operated by computer illiterate users who have little or no interest in securing them (And even in Vista, which is a vast improvement on XP from a security perspective, the default security leaves a lot to be desired).

    Ok, they are *usually* less serious than this particular vulnerability, but my Ubuntu box downloads "critical" updates at least once a week on average.

    Microsoft have made a lot of bad design decisions in their products, often in order to thwart competition, but them actually being incompetent or negligent, especially in recent years, is a lot harder to prove.

  • by cbiltcliffe ( 186293 ) on Tuesday January 20, 2009 @10:06AM (#26528129) Homepage Journal

    Which is all fine and dandy, until you realize that text files can have an executable component, if there is a buffer overflow or some other kind of incorrect data handling in notepad.

    There is no such thing as a non-executable file.

  • Re:Evolution (Score:1, Insightful)

    by Anonymous Coward on Tuesday January 20, 2009 @10:08AM (#26528145)
    a) Was your comment in any way related to the post you were replying to? Didn't think so.

    b) Didn't TFA give the same information, and then go on to say that the worm had been developed to the point where this was no longer the only vulnerability? (granted it's via usb drive, which is pretty lame, but still the point remains...)

  • by Anonymous Coward on Tuesday January 20, 2009 @10:10AM (#26528153)

    The problem is not that viruses make money. It's that viruses STILL WORK. That they STILL EXIST. That they are STILL CAUGHT by people. They've been around for 30-odd years and they are more prevalent than ever and 99.9% of viruses operate on a single platform, targeting old, known, already-patched vulnerabilities. The fix for viruses is not to stop their creation by "persuasion" (removing revenue streams, harsher sentences, etc.) but to prevent them by technical means and ensure those means are adhered to.

    Most virus infections (and "exploits" in general) aren't the result of technical problems, but human ones. Ergo, technical solutions won't work.

    You cannot secure a platform against viruses where the end user can execute arbitrary code. It just ain't possible.

    The problem, again, is an OS that allows such things to exist and propagate so readily and simply (literally, I could write a Windows virus in a matter of hours with no previous knowledge and virtually zero documentation... Unix-based? Wouldn't know where to start because I would need to find a gaping hole in heavily-tested, proven-rugged, complex code that I can barely understand).

    Most viruses don't exploit 'gaping holes' in the OS, they exploit the end user. If you can code up a Windows virus in a "matter of hours", then you should have no trouble whatsoever writing one for "Unix" in a similar timeframe. Just write it the same way you would on Windows.

    My provider shuts customers off if they use port 139 (and others) on their PC's without having previously informed them that, basically, "I know what I'm doing". The Internet stops and all webpages are replaced by an automated message about how to install a firewall (which, thankfully, also includes the "I know what I'm doing" option).

    That option is not "I know what I'm doing", it's "defeat the purpose". Or, to the typically ignorant end user, the "make it work" option.

    The primary methods of infection are:

    The primary mode of infection is the user doing something "dumb", like installing CometCursor, or a smiley pack, or something else that malware can piggyback in on.

    Only after that, does malware actually start trying to do 'tricky' things like attacking application, network, or OS vulnerabilities.

    The problem is that the first two are *entirely* the fault of the operating system and permissioning - you don't trust programmers to write programs that take account of such issues, you just make the OS enforce permissions that ensure that, no matter what the program tries to do (unless it hits an OS compromise), it can't do anything stupid or nasty.

    Please define "stupid or nasty" in an objective and algorithmic fashion.

    Remove this "users are privileged" crap... they DO NOT need to be. They don't even need to be ABLE to be an admin (e.g. make admin logins text only into a Recovery Console style system that allows command-line fixing of the OS but no graphical/user login). Even if it means a COW filesystem per application, rollback and "faking" admin rights to the program, sort the crap out.

    Won't work. Some things genuinely do need to be installed system-wide, like hardware drivers, OS updates, and the like.

    You can't trust the programmers not to TRY to use admin rights if they are available. But 99.9% of programs do NOT need to do anything as admin. This is the problem.

    No, it's not. Admin privileges are highly overrated in this context. The list of things a piece of malware might want to do, that it cannot do from a regular user account, is vanishingly small.

  • by value_added ( 719364 ) on Tuesday January 20, 2009 @10:59AM (#26528697)

    Most ISP terms of service allow them to do this already. If they actually tried to enforce it, they wouldn't have any customers left.

    That's a fair comment, but I don't think it's true. Given the near-monopoly position of ISPs, the customer either can't leave, or would think long and hard before doing so.

    The real issue I think is that it will cost the ISP real money (in terms of added call volume to their support weenies). If they allow their infected customers to pollute the internet, then the cost is passed down the line to those who are forced to deal with the problem. That makes it someone else's problem.

    Perfectly reasonable strategy, of course, and one that's based in human nature. Good samaritans aren't frightened of "getting involved", but rather prefer someone else to do what needs to be done so that "someone else" shoulders any and all burdens or costs.

  • by Abcd1234 ( 188840 ) on Tuesday January 20, 2009 @11:31AM (#26529097) Homepage

    The only reason why there hasn't been a class action lawsuit against Microsoft for their incompetence is that many misguided people STILL think that every 20 minutes of MS Word is worth 1 week of their time spent Patching and Praying and trying to recover data.

    Actually, I think it's more fundamental than that. I think the last 20 years of Microsoft dominance have convinced people that this is the *only way computers can work*. That it's impossible to do any better. So they've learned to live with the instability, the insecurity, the constant fear of losing work due to mysterious crashes and instabilities.

    Heck, just look at the praise lavished on XP. Compared to 95, XP is a quantum leap in terms of stability. And yet, in my experience, it's only just adequate. But compared to what people were used to, it's amazing!
