Romanians Find Cure For Conficker
mask.of.sanity writes "BitDefender has released what it claims is the first vaccination tool to remove the notorious Conficker virus that infected some 9 million Windows machines in about three months.
The worm, also known as Downadup, exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through a buffer overflow vulnerability in Windows Server Service where it disables the operating system update service, security center, including Windows Defender, and error reporting.
The Romanian security vendor said its removal tool will delete all versions of Downadup and will not be detected by the virus."
Re:How long before it doesn't work? (Score:5, Informative)
they are not "distributing a worm", it's a tool for disinfection and I suspect that they'll need to take a page out of biology's book on dealing with dangerous microbes and evolve along with the worm. In other words, constantly update their tool as the worm adapts. So it's likely going to be quite dynamic.
Re:That many Windows Servers unprotected and onlin (Score:5, Informative)
In the first case blame the administrators (for not knowing how to properly protect a Windows server); in the second case blame Microsoft (for running servers on a desktop that should not be there in the first place). I would expect the second case, as I recall we have seen that before: a virus exploiting a bug in a server function that cannot even be stopped on a desktop.
Description of the Server service:
Supports file, print, and named-pipe sharing over the network for this computer. If this service is stopped, these functions will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.
Dependent services: Computer Browser ("Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained.")
I think it starts automatically.
It can probably be disabled, but who knows...
Re:That many Windows Servers unprotected and onlin (Score:2, Informative)
You don't need the Server service. Or at least, I haven't needed it in the last 6 months or so. I even run IIS on my Windows box for ASP.NET development. Seems like something called 'Server' would be needed for that, right? Nope.
I would certainly disable it on all desktops. In fact, Google 'unnecessary windows services' for a list of other services that seem to serve no practical purpose.
Re:That many Windows Servers unprotected and onlin (Score:5, Informative)
This "server" service has nothing to do with what you might expect from a "server", i.e. being a big machine that hosts a lot of stuff like mail or webpages. This "server" service is an integral portion of Windows' ability to share files through the local network and access network printers. Also, some other services (IIRC the whole bunch that deals with networking, from WiFi to telephony) depends on it.
In other words, the term "server" is maybe a bit preposterous. It's just the thingie that enables networking on Windows machines.
So, IMO, it's neither. It's neither a "real" server crappily configured by admins that should get their hands tied and pushed into administration where they can't do no harm, nor is it MS's fault for putting something that only a server OS should have on a desktop. It's simply the network thingamajig gone bad.
Re:could have done with this yesterday... (Score:1, Informative)
Then use a live Windows CD such as BartPE or other preinstallation environment, together with the USB drive, and nuke the malware from there.
"Vaccination" (Score:1, Informative)
I do not think it means what you think it means.
Re:could have done with this yesterday... (Score:5, Informative)
We need a removal tool that can be run from a safe Linux environment (ie boot using a live disk etc. ...)
Well, the guys at bitdefender do have a rescue cd [bitdefender.com] that can be used to disinfect a windows machine.
Re:That many Windows Servers unprotected and onlin (Score:2, Informative)
Without elaborating what Windows Server service that might be... Are there really that many vulnerable, not firewalled Windows servers connected to the Internet? Or is this a Server function that has no business on a Desktop that is getting infected?
The Server service provides file/print sharing in Windows. Technically that means it should only run on servers, but think of the number of Windows boxes (e.g. on home networks) where people use file sharing between machines. You can stop it, though.
If you de-select 'File and Print sharing' in the Windows firewall exceptions page, you block access to the Server service. (If memory serves correctly, Windows XP SP2 and Windows Server 2003 SP1 block file/print sharing by default.)
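The post above says the Server service can be stopped and that de-selecting File and Print Sharing in the firewall blocks access to it. As an added example, not from the thread or from any poster, here is a PowerShell script that reports the state of the Server service (service name LanmanServer), the services that depend on it, whether SMB is listening, the enabled inbound File and Printer Sharing firewall rules, and whether the Microsoft update for the Server service flaw Conficker exploits is installed; with -Harden it closes the exceptions and disables the service. It assumes an elevated prompt on a Windows host with the NetSecurity and NetTCPIP modules (Windows 8 / Server 2012 or later); the XP/2003-era equivalents are in the note after the block. The bulletin and KB identifiers (MS08-067, KB958644) are not on the page; they are added here from Microsoft's advisory.

```powershell
# Added example (not from the Slashdot thread): inspect and, with -Harden, shut off the
# Windows "Server" service (LanmanServer) and the File and Printer Sharing firewall
# exceptions that expose it. Run from an elevated PowerShell prompt.
# Assumption: Windows 8 / Server 2012 or later (NetSecurity and NetTCPIP modules present).
param([switch]$Harden)   # without -Harden the script only reports

$svc = Get-Service -Name LanmanServer
Write-Host ("Server service: status={0} startType={1}" -f $svc.Status, $svc.StartType)

# Anything that declares a dependency on LanmanServer stops working once it is disabled
# (the thread mentions Computer Browser); list them so the admin knows what breaks.
$dependents = @($svc.DependentServices | Select-Object -ExpandProperty Name)
Write-Host ("Services depending on it: {0}" -f ($dependents -join ', '))

# Is SMB (TCP 445) actually listening on this host?
$smb = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue
Write-Host ("SMB (445) listening: {0}" -f [bool]$smb)

# Enabled inbound rules in the built-in "File and Printer Sharing" group.
$fps = @(Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound |
         Where-Object Enabled -eq 'True')
Write-Host ("Enabled inbound File and Printer Sharing rules: {0}" -f $fps.Count)

# KB958644 is the MS08-067 update for the Server service hole Conficker uses. The thread
# does not name it; identifier added from Microsoft's advisory. On systems released after
# that fix was rolled into the base OS it will legitimately not appear.
$patched = [bool](Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)
Write-Host ("KB958644 (MS08-067) installed: {0}" -f $patched)

if ($Harden) {
    # Close the inbound exceptions first so nothing reaches the service while it shuts down.
    Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Direction Inbound
    # Stop the service (its dependents stop with -Force) and keep it from starting at boot.
    Stop-Service -Name LanmanServer -Force
    Set-Service -Name LanmanServer -StartupType Disabled
    Write-Host "Server service disabled and File and Printer Sharing closed."
}
```

Run it without arguments to see what would change, then with `-Harden` to apply. On XP SP2 / Server 2003 the same effect comes from `sc stop LanmanServer`, `sc config LanmanServer start= disabled` and `netsh firewall set service type=fileandprint mode=disable`. Expect local file and print sharing, Computer Browser and anything that relies on the admin shares (remote management tools, some backup agents) to stop working on that host afterwards.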
Re:That many Windows Servers unprotected and onlin (Score:1, Informative)
Regarding "stalling" CONFICKER specifically:
( From http://www.xtremepccentral.com/forums/showthread.php?s=265edfd9cff2fd6ef1993571b23d1598&t=28430&page=3 [xtremepccentral.com] )
----
"A.) STALL SERVER SERVICE (if you don't need a LAN/WAN to connect to & all you do is hit the internet on a single standalone machine)...
AND
B.) It recommends you stall out indiscriminate usage of javascript also!
Between those 2 measures (&, possibly ALSO, a HOSTS file that stops access to this CONFICKER worm's control servers -> http://forums.opendns.com/comments.php?DiscussionID=3043 [opendns.com] which leads to said list here -> http://www.f-secure.com/weblog/archives/Downadup_Domain_Blocklist_February.txt [f-secure.com])?
Hey... YOU TELL ME, lol, IF it works, or not..."
----
It'll work... additionally blocking ACL (access control lists) access to the autorun.inf files in the root of your drives helps also (vs. how it spreads from USB sticks etc. et al).
(Do all of the above, especially if you don't need to be sharing disks/folders/files from your system to users over the public internet or a local LAN/WAN (saving CPU cycles, RAM, &/or other forms of I/O as well you would be otherwise wasting because you are not using what the server service provides, file & print sharing), & it quite literally (@ least theoretically) should "PROOF YOU" vs. this worm).
APK
P.S.=> That was regarding the /. article titled (from near when this worm was discovered):
New Conficker Variant Increases Its Flexibility:
http://news.slashdot.org/article.pl?sid=09/02/20/239229 [slashdot.org]
on 02/20/2009 here on this website... apk
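As an added example (not APK's code and not from the thread), a PowerShell script for the two remaining measures in that post: a HOSTS file that sinkholes the worm's rendezvous domains, and a deny ACL on autorun.inf at the root of each drive letter so the worm cannot drop one there. The domain names embedded in the script are constructed placeholders; pass a real blocklist file (such as the F-Secure list linked above) with -BlocklistPath. The marker comment, parameter names and output text are this example's own choices. It assumes an elevated PowerShell prompt on a Windows host.

```powershell
# Added example (not the thread's own code): HOSTS sinkhole + autorun.inf deny ACL.
# Run elevated. Without -Apply it only reports what it would change.
param(
    [string]$BlocklistPath = '',   # one domain per line; F-Secure's published list works as-is
    [switch]$Apply
)

$hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$marker    = '# conficker-blocklist'   # tags our lines so a later run can replace them

# --- 1. HOSTS entries ---------------------------------------------------------
if ($BlocklistPath -and (Test-Path $BlocklistPath)) {
    $domains = Get-Content $BlocklistPath
} else {
    # CONSTRUCTED placeholders for illustration only; not real Conficker domains.
    $domains = @('rendezvous-1.example.test', 'rendezvous-2.example.test')
}
# Normalise: trim, lower-case, drop blanks and comment lines, dedupe.
$domains = @($domains | ForEach-Object { $_.Trim().ToLower() } |
             Where-Object { $_ -and -not $_.StartsWith('#') } | Sort-Object -Unique)

# Remove any earlier block we wrote before appending the fresh one, so the file does not
# grow with every refresh. 0.0.0.0 rather than 127.0.0.1 so lookups fail instead of
# hitting whatever listens locally.
$existing = if (Test-Path $hostsFile) { @(Get-Content $hostsFile) } else { @() }
$kept     = @($existing | Where-Object { $_ -notlike "*$marker*" })
$block    = @($domains | ForEach-Object { "0.0.0.0`t$_`t$marker" })

Write-Host ("HOSTS: {0} domains to sinkhole, {1} existing lines kept" -f $block.Count, $kept.Count)
if ($Apply) {
    Set-Content -Path $hostsFile -Value ($kept + $block) -Encoding ASCII
    ipconfig /flushdns | Out-Null
}

# --- 2. autorun.inf deny ACL --------------------------------------------------
# The worm spreads to removable media by writing an autorun.inf. A directory named
# autorun.inf with a Deny-Everyone ACE in the root of each drive means no file of that
# name can be created there, regardless of the rights the writing process holds.
$drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
foreach ($d in $drives) {
    $target = Join-Path $d.Root 'autorun.inf'
    if (-not $Apply) {
        Write-Host ("Would protect {0} (already exists: {1})" -f $target, (Test-Path $target))
        continue
    }
    if (-not (Test-Path $target)) { New-Item -ItemType Directory -Path $target | Out-Null }
    $acl  = Get-Acl $target
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                'Everyone', 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Deny')
    $acl.SetAccessRule($rule)
    Set-Acl -Path $target -AclObject $acl
    Write-Host "Denied Everyone on $target"
}
```

Two caveats a practitioner would want: the worm's rendezvous domains change daily (the F-Secure list linked in the post is dated for that reason), so the HOSTS block only helps if the script is re-run with each new list; and a Deny-Everyone ACE also locks out administrators, who must take ownership of the directory to remove it later, which is the intended property but worth knowing before you apply it to a drive you image or ship software on.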
Re:could have done with this yesterday... (Score:3, Informative)
Here are some more, sorted by last release date:
http://www.freedrweb.com/livecd [freedrweb.com]
(Dr Web, February 2009)
http://dnl-eu3.kaspersky-labs.com/devbuilds/RescueDisk/ [kaspersky-labs.com]
(Kaspersky December 2008)
http://www.f-secure.com/linux-weblog/2008/11/ [f-secure.com]
(FSecure November 2008)
http://free-av.de/en/tools/12/avira_antivir_rescue_system.html [free-av.de]
(Avira, ???)
http://www.mwti.net/products/mwav/mwav.asp [mwti.net]
(MicroWorld, ???)
Re:Another link to the tool (Score:4, Informative)
ComboFix anyone? (Score:2, Informative)
http://www.bleepingcomputer.com/combofix/how-to-use-combofix [bleepingcomputer.com]
Once more around the block my friend (Score:3, Informative)
www.ubuntu.com/getubuntu/download
This gets old.
It is worth nothing more than a gratuitous +5 mod-up on Slashdot and a 0.83% share of the client desktop for Linux.
Time to dig deeper I think.
Conficker was dealt with in the January release of the Microsoft Windows Malicious Software Removal Tool [microsoft.com]
Deployment of the Microsoft Windows Malicious Software Removal Tool in an enterprise environment [microsoft.com]