Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Worms Operating Systems Security Software Windows

Microsoft Warns of Copycat Conficker Worm 86

Posted by timothy
from the ignore-the-host-organism-please dept.
nk497 writes "Microsoft is warning that malware writers have adapted a four-year-old virus to use features of Conficker to take advantage of Windows flaws. Other similarities between the adapted Neeris worm and Conficker are that it downloads a copy of the worm from the attacking machine using HTTP, spreads via autorun, and uses a driver to patch the TCP/IP layer of the system. It even saw a traffic jump around the first of April, when the Conficker hype peaked. But the Microsoft researchers suggested Conficker may have copied Neeris, or that they're copying each other: 'It is possible that these miscreants somehow collaborate or at least are aware of each other's "products."'"
This discussion has been archived. No new comments can be posted.

Microsoft Warns of Copycat Conficker Worm

Comments Filter:
  • Uh oh (Score:5, Insightful)

    by Rik Sweeney (471717) on Tuesday April 07, 2009 @08:26AM (#27488163) Homepage

    This is could one of two ways, either the viruses will try and outdo each other by doing more and more outrageous things to the victim's computer or (and let's face it, this would be more amusing) they'll try and kill each other to get sole ownership of the PC.

    Either way, I'm glad I use Linux.

  • autorunamuk (Score:2, Funny)

    by v1 (525388)

    when will they ever get rid of that?

  • Shocking... (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Tuesday April 07, 2009 @08:30AM (#27488239) Journal
    I, for one, am amazed to learn that criminal software developers behave quite similarly to ordinary ones. Reusing code, copying features from industry leaders, why, they probably even use revision control systems!

    Seriously, though. It would be more of a surprise if they weren't doing this. Of course players in a competitive market are going to be watching each other and adopting each others best features.
    • by Ed Avis (5917) <ed@membled.com> on Tuesday April 07, 2009 @08:47AM (#27488523) Homepage

      How long before each worm includes a copy of its source code in a git repository, searches out other variants of the same worm on the infected system or across the net, and randomly exchanges patches with them to create hybrid offspring? The worm would need some way to compile itself, of course (unless written in Javascript or other scripting language where the interpreter is included with Windows).

      • because the strain would have to be identifiable. this means greater detection by virus scanners and the possibility of being exploited by rogue creations.

        the authors more than likely have a code repository on their systems that they share with each other. hell, search hard enough and you can find this code shared on their personal websites. the innovative authors take pieces of code from others and re-release the source. another favorite is decompiling code from an author who chooses not to help others

      • by chappel (1069900)

        How long before each worm compares copies of other source code, checks it for copyright and patent infringement, and automatically fires off legal threats?

      • The worm would need some way to compile itself, of course (unless written in Javascript or other scripting language where the interpreter is included with Windows).

        A way of getting around this would be to code your virus in a self-modifying assembled object. Ah, there's hope for us old Real Programmers [pbm.com] yet. Just when you kiddies thought we were all getting a bit smelly... ;-P
    • Miscreants! (Score:5, Funny)

      by GogglesPisano (199483) on Tuesday April 07, 2009 @09:15AM (#27488905)

      Why, I very nearly dropped my monocle when I heard that the rascals might be cahoots! Perhaps they have some sort of network (a system of tubes, perhaps?) that allows them to share their diabolical plans! Fiendishly clever!

      We must safeguard our computing engines! I say we must find these these rogues and hang them from the highest scaffold in the land!

    • Thank God there's no software copyright claims being made between these virus writers...
  • You would think that Microsoft researchers would spend more time patching Windows rather than saying idiotic things like 'It is possible that these miscreants somehow collaborate or at least are aware of each other's "products."'.
    Considering Conficker has been all over the news and the maker of Neeris would have to be working in a cave beside Osama not to have seen anything about it, I dare say it is more than freakin' likely they know of each others products.
    Now if only Microsoft knew as much about Window
  • by mspohr (589790) on Tuesday April 07, 2009 @08:53AM (#27488589)
    I can see that Microsoft is concerned that some people might be getting an imitation worm. They are warning that there is only one real conficker worm.

    They will shortly be releasing a tool to test your system to make sure you have the real worm and not some impostor/pirate copy of the worm. This will be an extension of the WGA program.

    • Maybe one day the 'Imitation Worm' will install a Replica OS http://www.reactos.org/en/index.html [reactos.org] just to completely confuse the fellow malware competition. At that point Microsoft will be 'off the hook' for inviting every form of malware possible, and the replacement/replica OS will finally get lots of user testing, and perhaps eventually get released as Beta. At that point the worm only needs to remember to blue-screen periodically and run the 'Windows Replica Advantage' utility just often enough to compl
  • by Bearhouse (1034238) on Tuesday April 07, 2009 @08:58AM (#27488649)

    "It is possible that these miscreants somehow collaborate or at least are aware of each other's 'products.'"

    Well, no shit, Sherlock. Guess they must have Internet connection too, then...

    With all the resources at Microsoft's disposal, you'd have thought that they'd have come up with a specific fix. Yes, I'm aware that regularly-patched machines are better protected, but the evidence is clear that many people don't do that; (and not just the pirates, either).

    If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?

    • I know theres tonnes of toolkit thats are being released by third parties because this worm is such an aggresive one. The issue is that people with unpatched systems are probably just as competent about the toolkits as they are about updating their system. Microsoft actually reacted to this threat quicker then most of the other exploits they experience.
    • by Shrike82 (1471633)

      If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?

      The virus does it's best to block attempts at removal as you'd expect, but still, you seem to be referring to something along these lines [microsoft.com] with specific instructions on detection and removal from M$, or perhaps even the Windows Live safety scanner, which despite it's crappy sounding name apparently detects and removes it.

      Yes I know this is /. and bashing the evil corporation usually results in "sheeple" modding you up, but did you really think M$ wouldn't have thought about supplying people with the means

      • Thanks, I was actually aware of all that stuff.

        Now I invite you to navigate to the page you linked to - where's the big red button marked 'Worried newbie? Click here to download/do online scan now'.

        Links to that button should be all over the net.
        They're not. Why?

        • by reashlin (1370169)
          Because the media are just as bigoted as you in hating Microsoft and a solution to a problem is no longer newsworthy.

          You see stories all over the press about "this accident". You don't hear about the people that cleaned it up. "The internet in X places went down yesterday" - no followup of "The internet is back for those that suffered".
          • Because the media are just as bigoted as you in hating Microsoft

            Don't hate Ms - check my posting history. Still think they could do a lot more on security, tho'.

        • by Shrike82 (1471633)

          Thanks, I was actually aware of all that stuff.

          Oh, sorry, I must have misunderstood when you wrote "you'd have thought that they'd have come up with a specific fix", and it was utterly stupid of me to link to a page with a specific fix.

          Now I invite you to navigate to the page you linked to - where's the big red button marked 'Worried newbie? Click here to download/do online scan now'.

          For those unable to read, comprehend and follow instructions there are two big blue buttons that say "Get help now". Sorry they're not red.

          Links to that button should be all over the net. They're not. Why?

          Put "remove conficker" into Google and you're about three clicks away from a number of downloadable removal tools. Sorry, but anyone that can't be bothered to read a little and wants a

    • With all the resources at Microsoft's disposal, you'd have thought that they'd have come up with a specific fix. Yes, I'm aware that regularly-patched machines are better protected, but the evidence is clear that many people don't do that; (and not just the pirates, either).

      How about if Microsoft would mod the "malicious software removal tool" to patch only the vulnerabilities that any removed malware exploited?

      • benefit 1: that installation will no longer be vulnerable to that particular infection, in spite of the fact that the user disabled automatic updates.
      • benefit 2a: the user will not be able to scream "ZOMG M$ forcing software on MY computar! That is MY BOX, I choose teh softwareZ!" (I'm not fluid in tard-speak, obviously. Also, it is apparently OK for malware writers to
    • They do have their malware removal tool and have free anti-virus software coming out.
      http://www.pcworld.com/businesscenter/article/154146/microsoft_drops_onecare_antivirus_product.html [pcworld.com]

      That being said, there will probably still be the Genuine Disadvantage stuff.
    • FYI, Symantec has a gratis removal tool available here [symantec.com]. In case that helps anyone unfortunate enough to be using Windows AND infected by Conficker :P
    • by Ralish (775196)

      If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?

      They do.

      Malicious Software Removal Tool [microsoft.com]
      Download Link [microsoft.com]
      Technical Details [microsoft.com]

      You'll note said tool does not require any validation to download, anyone can download it regardless of the legality of their copy of Windows; no validation or genuine advantage required, period.

      This tool is also regularly distributed via Automatic Updates/Windows Updates to help clean out any infections that computers that use these services may have contracted, either because they weren't patched, or some other mechanism tha

  • MAD Magazine (Score:1, Offtopic)

    by m0s3m8n (1335861)
    Sounds like "Spy vs. Spy".
  • by Shrike82 (1471633) on Tuesday April 07, 2009 @10:23AM (#27489903)
    While doing a bit of looking around for another post in this thread I found what's basically an idiot's guide to detecting conficker. It uses pictures to show you if you have it [confickerw...ggroup.org].

    This tickled my funny bone for some reason; you have to love the lets-use-pictures approach!
  • Says to use single quotation marks inside of double quotes.

The only problem with being a man of leisure is that you can never stop and take a rest.

Working...