Worms Networking Security News

New Conficker Variant Increases Its Flexibility

Posted by Soulskill
from the those-yoga-classes-really-helped dept.
CWmike writes "Criminals behind the widespread Conficker worm have released a new version that could signal a major shift in the way the malware operates. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines."
  • by Chris Tucker (302549) on Friday February 20, 2009 @07:04PM (#26936809) Homepage

    Botnets, worldwide botnets.
    What kind of boxes are on botnets?

    Compaq, HP, Dell and Sony, TRUE!
    Gateway, Packard Bell, maybe even Asus, too.

    Are boxes, found on botnets.
    All running Windows, FOO!

    • Re: (Score:3, Funny)

      by Anonymous Coward

      If they run foo() then all operating systems are vulnerable!
      O.M.G!

  • by blool (798681) on Friday February 20, 2009 @07:05PM (#26936817)
    Why is the summary so devoid of technical detail? You realize we don't read the articles, right?
    • by WarJolt (990309)

      Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.

      • by Psychotria (953670) on Friday February 20, 2009 @07:18PM (#26936933)

        Because the article doesn't have any technical detail either.

        Well, the second linked-to article (the one by SRI) is chock full of technical details; and it's an interesting read.

      • by grizdog (1224414) on Friday February 20, 2009 @07:21PM (#26936957) Homepage

        Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.

        Well, I thought there was some useful detail in the article, particularly this:

        Overall, the modifications to Conficker B++ appear relatively minor as compared to the significant upgrade in functionality, performance, and reliability that occurred from Conficker A to B. These smaller and more surgical changes to B appear to address some of the realities that are currently impacting Conficker's binary update strategy. In particular, in Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction. Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

        However, Conficker A and B did support through the previous netapi32.dll patch an ability to accept new DLLs, as long as the shell code submitted through the RPC buffer overflow matched the original Conficker infection shell code. This approach was limiting both in the requirement that direct flashing required an easily identifiable shellcode string and a single DLL method loading procedure, both of which are now subject to detection by security software. Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host.

    • by InsertWittyNameHere (1438813) on Friday February 20, 2009 @07:33PM (#26937071)

      In short, bot herders can now push updates to infected machines rather than relying on the infected machine to seek out and download updates.

      Some quotes:

      "a more efficient push-based updating service"

      "the ability to accept and validate remotely submitted URLs and Win32 binaries, could signal a significant shift in the strategies used by Conficker's authors to upload and interact with their drones."

      "comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%. "

      "out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added. "

      "Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach."

      "Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host."

    • We are supposed to read the summaries too?

  • Meep Beep! (Score:2, Funny)

    by djupedal (584558)

    If you're on the highway and Conficker goes beep beep.
    Just step aside or might end up in a heap.
    Conficker, Conficker runs on the road all day.
    Even the coyote can't make him change his ways.

    Conficker, the coyote's after you.
    Conficker, if he catches you you're through.
    Conficker, the coyote's after you.
    Conficker, if he catches you you're through.

    That coyote is really a crazy clown,
    When will he learn he can never mow him down?
    Poor little Conficker never bothers anyone,
    Just runnin' down the road's his idea of ha

    • Re:Meep Beep! (Score:5, Insightful)

      by HTH NE1 (675604) on Friday February 20, 2009 @07:32PM (#26937067)

      Poor little Conficker never bothers anyone,
      Just runnin' down the road's his idea of having fun.

      And still true: it still hasn't done anything more than spread and try to keep itself from being purged.

      With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!

      • Re:Meep Beep! (Score:5, Interesting)

        by v1 (525388) on Friday February 20, 2009 @08:10PM (#26937367) Homepage Journal

        I know this is a very unpopular view with a lot of people, but I'd personally like to see a major worm like this pop a msg saying "your computer has been taken over and is available to be used to harm others. You need to take your computer into the repair shop and get it cleaned up and protective software installed".

        And then make windows unable to do anything but display that message when it boots.

        Half the population would be picking up pitchforks, and the other half would be saying THANK you!

        I for one am sick and tired of ignorant computer users getting their machines botnetted, blissfully unaware of the harm they are then contributing to. (and many of them are aware and just plain don't care)

        Do the world a favor. MAKE them care.

        • and know the right (wrong) folks, maybe they will sell you the "package slot", and you can get your message out.

          Of course, since you are kind of advocating an exclusive deal, it will probably cost more than the run of the mill spam or phishing campaign, which can be sold and sold again...

          Also, IANAL, but I suspect doing bad things for the right reason would make you just as legally culpable as doing bad things, period.
          • Re: (Score:2, Insightful)

            by cheekyboy (598084)

            In that case you will never get caught because the current bot owners are not in jail and are selling services....

            If they are untouchable, you're safe too.

        • by couchslug (175151)

          Malware that actually thinned the herd would make for a more robust herd.

        • I've seen things like this before, and the user completely ignored it. Just clicked closed the window, and kept using the computer as before, for months.

          Even one that asked me how to get rid of it didn't care that they were infected....they just didn't want to have to close the window all the time.

          I think the only way to get them to care would be to keep track of the number of times the warning was closed, and once it hit 6, 10, or whatever, it would turn into a modal dialog with no close button, rendering

      • Re: (Score:1, Funny)

        by Anonymous Coward

        With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!

        "The Rickroll To End All Rickrolls"

    • Oh why don't you malware like you used to do?
      Spread Conficker like you used to spew?
      I haven't patched my OS since two-thousand-two,
      Why don't you malware like you used to do?

      Ain't had no Clamwin, or a firewall, or an update in a long long whiiiiiiile.
      Can't get to Google or WinUpdate cuz they've hijacked my gosh darn hosts fiiiiile.

      Oh why don't you scan ports like you used to do?
      Treat my pendrive like a prostitute?
      Haven't BSoDed in a day or two,
      So why don't you malware like you used to do?

  • Readable link (Score:3, Informative)

    by Seth Kriticos (1227934) on Friday February 20, 2009 @07:18PM (#26936931)
    Just in case someone really wants to read TFA, here is a link to the more eye friendly version (printer version): http://www.computerworld.com/action/article.do?command=printArticleBasic&taxonomyName=Network+Security&articleId=9128280&taxonomyId=142 [computerworld.com]

    Ps. Just because there is a "Slashdot this article with maximum clutter" button, you don't have to inherently click on it.
  • It's depressing. (Score:2, Insightful)

    by Anonymous Coward

    That a vulnerability patched in October could become a problem.

  • by erroneus (253617)

    I'd seriously like to see some malware attacking Linux users. Ubuntu users might be a good target audience with good vulnerability and gullibility. But I would really like to see some attacks to see if Linux or its users are really so much better than Windows users. Further, I would like to see how much could be blocked and avoided.

    Security isn't as much of a battle among common Linux users and frankly, I wonder how lax we generally are.

    • Security isn't as much of a battle among common Linux users and frankly, I wonder how lax we generally are.

      The big problem, I think, would be the fact that most Linux users only install software from their distro's repositories. Most of them don't know how to unpack a tarball, go in with a terminal and use ./configure, make, make install. Unless you can slip something in by having a time delay before it activates, I really don't see how you're going to get much penetration. Not saying it can't be done,

      • yum, rpm, sh and deb files are all Linux executables (depending on what distro you use) and are all potentially dangerous. Mac is a much bigger target, but they don't even go after that. It's just easier to go after Windows because Windows provides the largest amount of infectable machines, and it's easier to write malware for it.
        • by Sir_Lewk (967686)

          You seem a little confused. Yum is a package manager, used primarily by redhat based distros. It *is* an executable, however there is not much to exploit, you don't "download and install a yum". Similarly, rpm is a program that is located on the host machine already. Alternatively you may have been referring to RPM packages which are not in fact executables but rather packages which rpm (the program previously mentioned) uses to install software. You could package malicious software in an RPM and have t

          • by arth1 (260657)

            Yum is a package manager, used primarily by redhat based distros. It *is* an executable,

            Except that it is not. It is a python source code file. When you "execute" it, your system reads the shebang on the first line, and calls python with yum as an argument.

            • by Sir_Lewk (967686)
              It may not be compiled machine code, but it IS an executable. Check to see that it has the executable bit set yourself.
              • by arth1 (260657)

                Setting the executable bit on a file doesn't transform it into an executable. Try setting the execute bit on /etc/resolv.conf and see what that does.

                If you add "#!/bin/tail +2" to the top of /etc/hosts, and chmod +x it, you can call it, and it will print out itself. That doesn't mean it's an executable. tail is the executable.
                Likewise with yum, where python is the executable -- yum is the source file that python compiles, transparently to the user, when he types in "yum".

                • by Sir_Lewk (967686)
                  If you really want to be pedantic, then yes, Python is an interpreted programming language and a python program is not, for example, an ELF file. However, for the scope of this conversation explaining the difference between RPMs and yum, the presence of an executable bit and Python's interpreted nature make it perfectly reasonable to call them executables. In fact, it is not at all uncommon to refer to scripts as executables in nearly any situation. All of this is irrelevant to the topic at hand though a
                • by dotgain (630123)
                  Jeez, I sure hope all your pointless hair-splitting and knowledge-spewing made your dick bigger, because it sure added NOTHING to the discussion.
          • by Darkk (1296127)

            What I do like is the fact that the .deb files via updates are signed by a trusted authority. Every once in a while I would get an update saying this package can't be authenticated and asking me if I want to continue with the update. I usually say no unless I can actually trust the source.

            Only time I ran into this is updating Open Office 3.0

          • by arminw (717974)

            ... and average linux users are unlikely to run/install things they come across on their own...

            And that is also the reason why Linux will always be a beloved geek operating system that is too complicated for ordinary users. All programs are harder to install and get working properly, which fortunately also includes viruses and worms.

        • by scientus (1357317)

          that's wrong, rpm and deb are not executables and all require a root password to install and do anything at all. They are just compressed packages of files.

          sh files require +x

      • I don't think that tarballs aren't that big a deal. I've been running Ubuntu since around New Year's '09 or so, as my first exploration of the Linux world. I broke away from Windows because (a) I was bored of knowing my OS so well and (b) I've been looking for a balance between cheap and stable, and few things if any beat FOSS for that.

        I quickly learned how to build a tarball, whether it's gzipped or bzipped, and I even had a couple of scripts to do it for me (lost them on a reinstall when I got Windows XP

        • You've been using Ubuntu for a little over a month (an admitted Linux virgin prior to that), and now you figure you're expert enough to start bashing Windows users? Wow, are you running an Advanced Placement distro of Ubuntu?
          • Re: (Score:2, Insightful)

            by jadedoto (1242580)
            Not all Ubuntu users are idiots when it comes to Linux. Someone had to create the distribution and someone has to maintain it. I use Ubuntu after years with Gentoo for the pure ease of how things work. And it's got a great community to help others ease into it. It's counter-productive to bash Ubuntu users. Really.
          • Never said expert, dude. Said I could install tarballs, and said that I have seen some idiot Windows users.

            I was running a Kubuntu live USB one day, and the guy next to me asked me where all the "stuff" was. When he motioned to the desktop, I realized that he mentioned the icons, which were present in the school's Windows stuff, but not my Kubuntu live session. Decided to leave it at "This isn't Windows." Was about three seconds away from flooding his ears with shit he would never understand.

            I have been

            • Yes. Download the Ubuntu Alternate Install CD.

              It's not really any different once you've installed everything, but it's a text based installer with a lot more options. (full disk encryption, for one)

              If you really want to impress the zealots, though, forget Ubuntu, and skip right past Gentoo and try your hand at LFS. (linux from scratch)

        • I don't think that tarballs aren't that big a deal.

          Neither do I, but then, we're probably not average Linux users. My sister's been using Ubuntu for over a year now. The other day, she had to download some better drivers for her printer. Even though the OEM's website gave complete instructions on how to install it, keystroke by keystroke, she still asked me to do it for her because she's never been comfortable with a CLI. If it's not in the Ubuntu repository and I'm not there to do the work, new softwar

      • by scientus (1357317)

        all you need is a desktop file, and that can automatically then download a program, install to autostart with login and you're golden. Now since ubuntu does not set gksu to lock the screen you just have to snoop the sudo password and then you have root, baby, root. It's so stupid how non +x files will run

    • Hmm, actually there are a lot more Linux machines in the world than Windows - about 2.2 billion Linux vs 600 million Windows. Granted, most Linux machines are cell phones and routers, but when last have you heard of a virus infecting a router? Never? Thought so. The day when Cisco starts to build firewalls running Windows and Linux machines have to be hooked up behind dinky little Netgear or Linksys firewall devices running Windows, simply won't happen...
  • Basically the code now generates a random URL based on the date obtained from a remote server and then verifies any updates on the generated URL with RSA.

    Seems sort of obvious
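The two mechanisms this thread keeps circling back to, a rendezvous name that the worm and anyone modelling it can derive from the date, and an update that is accepted only when its RSA signature verifies (the SRI quotes further up on digitally signed Win32 binaries, and the comment just above), as an added PowerShell example written for this page. It is not code from the article, from SRI or from the worm: the name-derivation scheme, the salt, the key pair and the payloads are all constructed here, and the real algorithm is not on the page.

```powershell
# Added example, not from the Slashdot thread, the Computerworld article or SRI.
# Models (1) a rendezvous name derived from the date and (2) an update that a
# client accepts only if its RSA signature verifies. Everything is constructed.

$sha256 = [System.Security.Cryptography.SHA256]::Create()

function Get-RendezvousName {
    # ASSUMED scheme: label = first 8 hex chars of SHA-256(date || salt), in a
    # reserved TLD. Shows only that whoever knows the scheme and the date
    # (defenders doing sinkholing included) derives the same name.
    param([datetime]$Date, [string]$Salt = 'constructed-salt')
    $bytes = [Text.Encoding]::ASCII.GetBytes($Date.ToString('yyyy-MM-dd') + $Salt)
    $hex = ($sha256.ComputeHash($bytes) | ForEach-Object { $_.ToString('x2') }) -join ''
    return $hex.Substring(0, 8) + '.example'
}

# Publisher holds the private key; the client only ever gets the public half.
$publisher = New-Object System.Security.Cryptography.RSACryptoServiceProvider(2048)
$client    = New-Object System.Security.Cryptography.RSACryptoServiceProvider
$client.ImportParameters($publisher.ExportParameters($false))   # public parameters only

$hashName = [System.Security.Cryptography.HashAlgorithmName]::SHA256
$padding  = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1

function Publish-Update {
    # What the key holder does: sign the payload and ship payload + signature.
    param([byte[]]$Payload)
    $sig = $publisher.SignData($Payload, $hashName, $padding)
    return @{ Payload = $Payload; Signature = $sig }
}

function Test-Update {
    # What the client does with whatever it fetched from the rendezvous name:
    # verify against the embedded public key, run nothing unless this is $true.
    param($Update)
    return $client.VerifyData($Update.Payload, $Update.Signature, $hashName, $padding)
}

$today = Get-Date
'Rendezvous name for {0}: {1}' -f $today.ToString('yyyy-MM-dd'), (Get-RendezvousName -Date $today)

$good = Publish-Update -Payload ([Text.Encoding]::ASCII.GetBytes('constructed update v1'))
'Genuine update verifies: {0}' -f (Test-Update $good)

# Someone who controls the rendezvous name but not the private key can serve a
# different payload; reusing the old signature does not make it verify.
$forged = @{
    Payload   = [Text.Encoding]::ASCII.GetBytes('constructed substitute payload')
    Signature = $good.Signature
}
'Forged update verifies:  {0}' -f (Test-Update $forged)
```

Run as-is in Windows PowerShell or PowerShell 7; it prints a derived name, `True` for the signed update and `False` for the substituted one. That asymmetry is the point behind the "buy the package slot" replies above: owning the rendezvous name gets you the drones' traffic, which is what sinkholing relies on, but without the private key nothing served there passes the client's check.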

  • by Anonymous Coward

    You know, like the feds used to take down the Mafia on tax violations.

    http://sourceforge.net/projects/b-improved/ [sourceforge.net]

  • Awesome. This is the greatest piece of malware I've ever seen. Conficker has done an absolutely wonderful job of becoming a real, recognized, major threat, even worming its way into several government systems.

    The fact that it's evolving to continue its journey into every computer it can find is quite impressive to me. I don't think I've ever heard of a malware threat this bad. Conficker's botnet is now measured in percentage of Windows machines infiltrated. When you get a significant percentage of compu

    • > I haven't heard of this actually doing anything malicious yet, and judging from some
      > comments here, it hasn't actually done anything yet.

      Hasn't yet done anything that we know of. Yet.

    • When you get a significant percentage of computers like, say, 30% of 90% of the Desktop OS market (or whatever M$'s current stranglehold is worth), that's something to be proud of.

      Man, it's too bad Redmond has a 90% infection rate of all Desktop OS workstations (or whatever MS's current stranglehold is worth).

  • by kkrajewski (1459331) on Friday February 20, 2009 @08:18PM (#26937415) Journal
    I was all excited that someone had made an OO extension to the B programming language [wikipedia.org]. We can only imagine the horror!
  • If you're running as a non-administrator account (without write access to c:\windows (and system32)) would this virus still propagate? I've never quite understood why ordinary users have write access to system directories.
    • Re: (Score:2, Insightful)

      by t_little (91171)
      It's not a virus, it's a worm - it exploits bugs in automated OS services to run the code. There doesn't even need to be a user logged in for this to spread. (It also scans local networks for weak passwords and attempts to install itself via autorun on removable media.) However, there is no fundamental reason why those services should run with permission to install anything either.
      • by BitZtream (692029)

        Do you know the difference between a virus and a worm? From your post, I don't think you do.

        Viruses and Worms can both do everything you mention. Why are you pretending they are somehow different and that permissions changes don't affect both?

        A worm is a virus that doesn't piggyback on another executable, it works stand alone, otherwise they can and do do all the same stuff. Proper permissions and fixing exploits will stop a virus AND a worm.

        Let's go over your list:

        it exploits bugs in automated OS servic

    • Re: (Score:3, Interesting)

      by dbIII (701233)
      As an example, the only reason some of the computers run MS Windows XP in my workplace is because some idiot wrote an in-house application under some bastard son of VB which needs write access to the root of the C: drive. To run this single user at a time database application the user needs to run as administrator. There are a lot of idiots doing such things.

      While it's possible to make large mistakes with open software the majority of idiots are on the descendants of VB - however I have one python develop

      • by tweak13 (1171627)

        I have one python developer that has to turn off one core of his laptop to make his scripts run!

        Excuse my software development ignorance, but how the hell is he doing that? Breaking his code on multiple processors, I mean.

        • Re: (Score:3, Interesting)

          by dbIII (701233)
          Somehow the 1960s problem of race conditions gets him if he has more than one processor running. I really do not understand how it can be so broken, but that is why he is insisting on turning off the second CPU in the BIOS on the machines that use his stuff (ie. he doesn't get his software on the production cluster and waste 7 CPUs per node - he gets told to piss off and read a textbook).

          As for the .net problem, it's a case of the configuration file for the application getting written to the root of the syst

          • FWIW, you should give your python dev. a book and revoke his IDE until he can come back to you with a solution for setting the CPU affinity of his code. Pencil and paper coding is For His Own Good(TM) and everyone needs to go back to the basics (sometimes even BASIC) from time to time. It also builds character.

            It gives you better perspective when you have a: problem, good book, pencil, paper, and no distractions/crutches. I know I need to do this from time to time (whiteboard, diagram, pseudocode, and
      • by BitZtream (692029)

        You should probably pull out Filemon and see EXACTLY what it's doing. Unless it is actively modifying files in the root directory, then there is no reason that it should have permissions to do so. There are plenty of ways with ACLs to allow the app to do what it wants to do without running as an admin. Does it create temp files there? Fine, let it 'CREATE' files, but not modify anything else. Does it need to modify files located there? Okay, let it, but explicitly deny it from everything else. You CAN
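One concrete way to do what this comment describes, as an added PowerShell example that is not from the thread: instead of running the application as an administrator, give its service account the right to create files and subfolders in its own data directory, let it modify only the files it created itself (through the CREATOR OWNER placeholder), and leave every pre-existing file read-only. The directory path and the account name are placeholders, not anything from the page.

```powershell
# Added example, not from the Slashdot thread. Replaces "run as admin" with a
# narrow NTFS ACL: create-only on the folder, modify-own-files, read the rest.
# PLACEHOLDERS: change both values to the real data folder and service account.
$dataDir    = 'C:\AppData\LegacyDB'     # assumed data folder of the in-house app
$svcAccount = 'CONTOSO\svc-legacydb'    # assumed dedicated, non-admin service account

New-Item -ItemType Directory -Path $dataDir -Force | Out-Null
$acl = Get-Acl -Path $dataDir

# Break inheritance from the parent so the folder gets an explicit ACL; the
# second $true copies the parent's ACEs so Administrators/SYSTEM keep access.
$acl.SetAccessRuleProtection($true, $true)

$allow = [System.Security.AccessControl.AccessControlType]::Allow
$both  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'

# 1. Folder only (no inheritance): the service can list it and create new files
#    and subfolders, but this ACE gives it nothing on files already present.
$ruleCreate = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $svcAccount,
    [System.Security.AccessControl.FileSystemRights]'ReadAndExecute, CreateFiles, CreateDirectories',
    [System.Security.AccessControl.InheritanceFlags]::None,
    [System.Security.AccessControl.PropagationFlags]::None,
    $allow)

# 2. Everything below the folder: read-only for the service account.
$ruleRead = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    $svcAccount,
    [System.Security.AccessControl.FileSystemRights]::ReadAndExecute,
    $both,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    $allow)

# 3. CREATOR OWNER, inherit-only: when a file is created, NTFS turns this ACE
#    into a Modify ACE for the actual creator. The service can therefore change
#    and delete files it made, but not files an administrator put there.
$ruleOwner = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList @(
    'CREATOR OWNER',
    [System.Security.AccessControl.FileSystemRights]::Modify,
    $both,
    [System.Security.AccessControl.PropagationFlags]::InheritOnly,
    $allow)

foreach ($rule in @($ruleCreate, $ruleRead, $ruleOwner)) { $acl.AddAccessRule($rule) }
Set-Acl -Path $dataDir -AclObject $acl

# Show the result; entries marked (I) are inherited, the rest are the three above.
icacls $dataDir
```

The one-time `Set-Acl` is run from an elevated prompt by whoever sets the folder up; the application itself then runs under the ordinary service account and needs no write access to the root of C: or to the system directories, which is exactly the separation the comment is asking for.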

        • by dbIII (701233)
          The python developer has a lot of non-python knowledge that he's putting into code from his previous role as a scientist, so the choices are either to pair him with a real programmer that he will actually listen to, replace him with two people or wait until he actually learns how to program. For now a VM gets his useful stuff to work, maybe in 4 or 5 years he'll be taking a professional approach. Sadly I've seen a lot of people that cannot handle the concept of multiple threads - a pain when you are dealin
  • The more I hear about this worm the more I'm confused that I'm not seeing it on certain computers I know must have been unpatched.

    I've looked for info on how it spreads but the only thing I can ever find is that it uses an RPC exploit and that having print and file sharing on makes you vulnerable.

    Is it being blocked by some routers that block file and printer sharing ports perhaps?

  • The next version will be...

    C++!!!

    And it will be considered harmful!!! :-)
