Worms Security

Conficker Downloads Payload

Posted by CmdrTaco
from the still-the-best-name-ever dept.
nk497 writes "Conficker seems to finally be doing something, a week after hype around the worm peaked on April Fool's Day. It has now downloaded components from the Waledac botnet, which could contain rootkit capabilities. Trend Micro security expert Rik Ferguson said: 'These components have so far been missing, but could this finally be the "other boot dropping" that we have all been waiting for?' Ferguson also suggested that people behind Conficker could be the very same who are running Waledac and created the Storm botnet. 'It tallies with some of the assumptions people have made about Conficker — that the first variant was actively trying to avoid the Ukraine because Waledac was Eastern European,' Ferguson added."


  • april fools (Score:5, Funny)

    by gEvil (beta) (945888) on Thursday April 09, 2009 @08:52AM (#27516819)
    Downloading its payload and going live a week after April 1? Now that's the way to do an April Fools joke.
  • Holiday Weekend. (Score:5, Interesting)

    by GreggBz (777373) on Thursday April 09, 2009 @08:55AM (#27516859) Homepage
    Bots and spammers typically wait for the holiday weekends; like playing your starters against their backups.
    • by mrops (927562)

      Bots, spammers and organizations doing layoff.

      There, now it's corrected.

    • by skeeto (1138903) on Thursday April 09, 2009 @10:05AM (#27517719)

      like playing your starters against their backups.

      Could you change that into a car analogy? Thanks!

      • by thedonger (1317951) on Thursday April 09, 2009 @10:10AM (#27517793)

        It's like showing up to a street race in a rickety-looking Ford Escort which secretly houses a small block V8 with nitrous.

        It's like a porn star showing up to a naked pool party for men with erectile dysfunction.

        It's like bringing a gun to a knife fight.

      • by Culture20 (968837) on Thursday April 09, 2009 @10:46AM (#27518281)

        like playing your starters against their backups.

        Could you change that into a car analogy? Thanks!

        It's like playing your things that you turn the key in that makes your engine go vroom!vroom! against their things that go Beeeeep Beeeeeep Beeeeep.

  • april fools? (Score:5, Insightful)

    by pickle_in_being (1522709) on Thursday April 09, 2009 @08:57AM (#27516873)
    I think it would have been more logical for Conficker to download its payload on the 1st of April itself, so that people would take the threat less seriously.
    • Re:april fools? (Score:5, Interesting)

      by Norsefire (1494323) * on Thursday April 09, 2009 @09:17AM (#27517051) Journal
      Everyone was expecting that and was prepared for it. A week later, everyone's forgotten about it. Also with this timing if something starts going wrong now it will be difficult to get anyone to fix it until Tuesday.
    • Re: (Score:2, Interesting)

      by MeisterVT (1309831)

      In this case everyone was growing to expect just that, and would therefore be taking it seriously. Or at least people that could do something about it would. Now, since nothing much has happened people are lulled into a false sense of security and become lax or start considering the threat that something big was happening on 4/1 the real joke.

      Now that the hype has subsided, what better time to strike? I think that dovetails nicely with GreggBz's earlier post about the holiday weekend (for some of us).

  • by MosesJones (55544) on Thursday April 09, 2009 @08:57AM (#27516875) Homepage

    One of the major causes of the potato famine in Ireland was the reliance on a single product (the potato) and an inability to shift to a more varied diet. Things like ILoveYou and Conficker are preying on exactly the same homogeneous environment, as they know that hitting one element yields massive results.

    Now given that this homogeneity has been driven in part via a convicted monopolist then it really is interesting how little political attention this gets. Arguably these sorts of attacks are more of a modern challenge than "traditional" terrorism and against a background of economic woe we can all do without a bunch of companies getting taken offline for a few days or suffering from industrial espionage.

    We don't learn from history, we don't apply history to new cases we just stand back in amazement after letting homogeneity develop at the impact that a relatively simple flaw can have across a large group of people.
     

    • by Ed Avis (5917) <ed@membled.com> on Thursday April 09, 2009 @09:09AM (#27516967) Homepage

      Yeah, because obviously the answer is to have a hundred different systems with a hundred different sets of vulnerabilities. That will be much easier to keep patched.

      • by entirely_fluffy (756018) on Thursday April 09, 2009 @09:19AM (#27517083)
        Yeah, because obviously the answer is to have a hundred different systems with a hundred different sets of vulnerabilities. That will be much easier to keep patched.

        Well, actually, this really is the answer - you never get rid of vulnerabilities but you can put enough variation in them that specialised viruses become less effective.
      • That was the suggestion.
         

      • Patch? (Score:5, Insightful)

        by SmallFurryCreature (593017) on Thursday April 09, 2009 @09:36AM (#27517337) Journal
        Why would you need to patch if nobody has a clue about how to attack your system?

        well, actually you got a point but you come at it from the wrong angle.

        The problem is that thanks to the net, EVERY COMPUTER IS THE SAME. Internet capable...

        Effectively, this is to sexually transmitted viruses as all of us screwing everyone else at the same time. The internet is a gangbang of computers.

        What this leads to is that no matter how obscure your OS and the bugs on it, someone somewhere will know about it and, thanks to the sheer size of the net, have thousands if not hundreds of thousands of targets.

        There may not be many Amigas left, but if they were all infected, it would still be a nice botnet.

        • Re: (Score:3, Funny)

          What is this sex of which you speak?

        • Re: (Score:2, Interesting)

          Why would you need to patch if nobody has a clue about how to attack your system?

          Because if even one system in your heterogeneous environment is exploitable you have just given them an easy backdoor to the rest of your system. If all systems aren't patched up you've only created a false sense of security and you've increased your maintenance costs many magnitudes higher for some "security through obscurity" scheme.

          • Re: (Score:2, Insightful)

            by hesiod (111176)

            Because if even one system in your heterogeneous environment is exploitable you have just given them an easy backdoor to the rest of your system

            Sure, if your sysadmin is an idiot. If one box being compromised results in full access to all boxes on the network, your system is poorly designed. Unless, perhaps, that one box is an LDAP/AD server or something.

            • Re: (Score:2, Interesting)

              Sure, if your sysadmin is an idiot. If one box being compromised results in full access to all boxes on the network, your system is poorly designed.

              Strawman argument. Nowhere in my statement did I say anything about having full access to every other box on the network through that one node. But once an attacker has an inlet into the network they can then move on to compromise other systems which may have greater access to other parts of the network. The simple fact of the matter is that the systems on the network are going to have to have some level of access to each other, otherwise there is no point in networking them up together.

        • Effectively, this is to sexually transmitted viruses as all of us screwing everyone else at the same time.

          I could make a really tasteless "screw the pooch" joke now concerning how to beat the STD problem, but I guess in the name of taste I'll abstain.

      • I run an unpatched machine with an obscure system that some friend of mine wrote. Probably anything but secure, knowing his code, but oddly, no spyware, no malware, no nothing. Why? Because it's no market either.

        When you have a hundred systems all having an equal market share, any given threat can only infect 1% of the existing machines (provided they are not binary compatible). That is economically uninteresting for the malware businesses.

        And yes, malware is a business. It follows the laws of capitalism. I

      • "Yeah, because obviously the answer is to have a hundred different systems with a hundred different sets of vulnerabilities. That will be much easier to keep patched"

        Well, at least then things like Conficker would be stopped dead in their tracks, and a vulnerability in a particular system wouldn't lead to the kind of thing like the current virus/spam/phishing epidemic.
    • Re: (Score:3, Funny)

      by Cornwallis (1188489)
      So I understand you to mean I should stop using my potatoe to surf the web?
    • Re: (Score:2, Informative)

      by bazonic (463550)

      Aside from pointing out the flaws in your analogy, and the fact a patch was released four months before this exploit arrived, I think you are overlooking the massive systemic benefits of homogeny.

      One could argue that computing and the Internet would not be as ubiquitous as they are today without having had a de facto standard. There is an even stronger argument at the cost savings to businesses and governments in not having to train and retrain new employees on how to use numerous computer systems.

      And as f

      • by hesiod (111176)

        there is no excuse for leaving production systems unpatched for four months.

        We have a particular set of servers for an application, and the company that made the software in question (FujiFilm's Synapse PACS) does not want patches installed on those servers, or the workstations that run the client app until they confirm it doesn't conflict with their software. Thankfully, this particular patch was approved, but there are other MS patches that have not been approved in over a year (or there was when I last checked, anyway). Similarly, some other devices (like an Ultrasound machine

      • "One could argue that computing and the Internet would not be as ubiquitous as they are today without having had a de facto standard"

        There is a de facto standard, it's called TCP/IP, SMTP and HTML

        "There is an even stronger argument at the cost savings to businesses and governments in not having to train and retrain new employees on how to use numerous computer systems"

        Invoking the ole cost of training FUD, I see

        According to DELL 'the fundamental approach to the design and use of Desktop Computers
    • by Omestes (471991)

      The problem isn't homogeneity, since if each of the big three OSs carried a third of the market, malware devs would just pick one and stick to it, evening out the load. This would actually make defense harder, since you'd have to cover all three.

      The problem is end users not knowing squat about security or safety (with a heaping helping of the main OS out there being rather patchy in security).

      With an educated user, most computers are almost completely secure. Most viruses, worms, etc.. rely on the use

  • Eye chart (Score:5, Funny)

    by Drakin020 (980931) on Thursday April 09, 2009 @09:07AM (#27516947)

    On a side note, that eye chart the Conficker Group had up no longer works.

    http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

  • I gotta ask (Score:3, Interesting)

    by Anonymous Coward on Thursday April 09, 2009 @09:12AM (#27517005)

    Why didn't someone infected with this, say last month, change their pc clock ahead to April 1 to see if it downloaded stuff or not? Then April 2, then April 3, etc.
    Duh.

    • Re:I gotta ask (Score:5, Informative)

      by Anonymous Coward on Thursday April 09, 2009 @09:17AM (#27517053)

      Conficker gets its time from a lot of different time servers, not the local machine. I think the author might have thought about that when designing the worm...

    • by Ilgaz (86384)

      I think it has counter measures against it too. It is not a trivial VBasic junk. It is one of the most advanced professional worms to date.
      Even basic shareware has counter measures against messing with clock like that.
      Don't forget that it is not only local code, it gets payload with p2p. So if you can fool it with date, you won't be able to fool the host part.

      • Even basic shareware has counter measures against messing with clock like that.

        Yet somehow the windows vista beta didn't :o

        • You have to understand the difference. On one hand you have software written by professionals with high skill, a good quality control, nice paychecks and other motivations, strict deadlines and a quite professional, ambitious and goal focused leadership.

          And then you pit that against MS. C'mon, be fair!

      • Re: (Score:3, Informative)

        by Lumpy (12016)

        You certainly can man-in-the-middle attack it. Slowly skew the time with your own NTP server, then look to where it's going to ask for its next feeding and then attack that vector. And yes, you CAN attack a P2P distribution vector.

        • Re: (Score:2, Interesting)

          by maxume (22995)

          The AC is confused though; researchers did all of that, they even have some sort of access to the randomly generated domain list (I get the impression that they have the algorithm, rather than doing some sort of playforward attack as is being discussed here) that is checked for downloads. The core issue is that there had not been anything to download, so all they were able to do was (potentially) confound the operators.

          I would go so far as to say that they have been attacking the p2p vector, but since it re

    • Re:I gotta ask (Score:5, Informative)

      by Z34107 (925136) on Thursday April 09, 2009 @09:21AM (#27517115)

      Conficker doesn't use the internal system clock; it polls various websites to find out the real date.

      If it can't connect to those websites, or gets an unexpected response, it assumes it's in a closed network and holes up.

    • Re:I gotta ask (Score:5, Informative)

      by MyDixieWrecked (548719) on Thursday April 09, 2009 @09:22AM (#27517127) Homepage Journal

      Why didn't someone infected with this, say last month, change their pc clock ahead...

      First of all, I'm sure that the payload itself wasn't made available until the last minute.

      Second, if it were me who wrote the virus, I would have written it to *start* looking for a payload, start looking in no particular place, and continue looking until it's been found. Considering that it's getting its payload from an established botnet, it could just be poking around looking for machines that can give it its payload and the payload wasn't made available until today.

      When you have control of as many machines as the Storm or Waledac botnets, the world really is your oyster. You're not restricted by IPs, and if your botnet is large enough, you can just iterate through addresses looking for a system that has your payload for you. Without access to the botnet or the payload, it doesn't matter how much you reverse engineer or adjust your clock, you just can't predict what will happen in the future.
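The comments above describe two sides of the same trick: the worm takes its date from many outside web servers rather than the local clock and holds up if those answers are missing or look wrong, while an analyst who controls the time source can skew the served date and "play forward" the date-seeded domain list. The following is an added example written for this page, not code from the thread, from the Conficker Working Group, or from any analysis of the worm itself. The three hosts are example.* placeholders, the HTTP responses are constructed rather than captured, and the domain generator is a hypothetical toy with a made-up seed that stands in for a real DGA; it is not Conficker's algorithm.

```python
# Added example (not code from the thread, the Conficker Working Group, or
# any analysis of the worm). Toy DGA with a made-up seed; hosts are placeholders.
from collections import Counter
from datetime import date, timedelta, timezone
from email.utils import format_datetime, parsedate_to_datetime
import hashlib

# Constructed sample responses (not captured traffic): raw HTTP headers as
# three ordinary web servers might answer on 9 April 2009.
RESPONSES = {
    "www.example.com": b"HTTP/1.1 200 OK\r\nDate: Thu, 09 Apr 2009 13:52:00 GMT\r\nContent-Length: 0\r\n\r\n",
    "www.example.net": b"HTTP/1.1 301 Moved Permanently\r\nDate: Thu, 09 Apr 2009 13:52:03 GMT\r\nLocation: /\r\n\r\n",
    "www.example.org": b"HTTP/1.1 200 OK\r\nDate: Thu, 09 Apr 2009 13:51:58 GMT\r\nContent-Length: 0\r\n\r\n",
}

# Constructed view from inside an isolated sandbox: one canned page without a
# Date header, the other two hosts unreachable (None = connection failed).
SANDBOX_RESPONSES = {
    "www.example.com": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html></html>",
    "www.example.net": None,
    "www.example.org": None,
}


def split_response(raw):
    """Split a raw HTTP response into (header lines, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    return head.decode("latin-1").split("\r\n"), body


def date_from_response(raw):
    """UTC calendar date taken from the Date header; None if absent or unparseable."""
    if not raw:
        return None
    lines, _ = split_response(raw)
    for line in lines:
        if line.lower().startswith("date:"):
            try:
                dt = parsedate_to_datetime(line.split(":", 1)[1].strip())
            except (TypeError, ValueError):
                return None
            return dt.astimezone(timezone.utc).date()
    return None


def consensus_date(responses, quorum=2):
    """Date that at least `quorum` servers agree on, else None.

    None is the 'assume a closed network and hold up' outcome: too few usable
    answers, or answers that do not agree with one another.
    """
    dates = [d for d in map(date_from_response, responses.values()) if d is not None]
    if len(dates) < quorum:
        return None
    best, votes = Counter(dates).most_common(1)[0]
    return best if votes >= quorum else None


def toy_dga(day, count=5, seed=b"hypothetical-seed"):
    """Hypothetical date-seeded domain generator (NOT Conficker's algorithm).

    Deterministic in (seed, day): whoever holds the seed and can pick the day
    computes the same list, which is what lets defenders sinkhole it in advance.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).hexdigest()
        domains.append(digest[:12] + ".example")  # reserved TLD, never resolves
    return domains


def domains_on(iso_day):
    """Domains the toy generator yields on an ISO-8601 date string."""
    return toy_dga(date.fromisoformat(iso_day))


def skew_responses(responses, days):
    """Analyst-controlled time source: rewrite each Date header `days` ahead.

    This is the man-in-the-middle step from the thread; feeding the result to
    consensus_date() and toy_dga() lists the domains for that future day.
    """
    out = {}
    for host, raw in responses.items():
        if not raw or date_from_response(raw) is None:
            out[host] = raw  # nothing to skew; pass through unchanged
            continue
        lines, body = split_response(raw)
        for i, line in enumerate(lines):
            if line.lower().startswith("date:"):
                dt = parsedate_to_datetime(line.split(":", 1)[1].strip())
                dt = dt.astimezone(timezone.utc) + timedelta(days=days)
                lines[i] = "Date: " + format_datetime(dt, usegmt=True)
        out[host] = "\r\n".join(lines).encode("latin-1") + b"\r\n\r\n" + body
    return out


if __name__ == "__main__":
    print("live:", consensus_date(RESPONSES), " sandbox:", consensus_date(SANDBOX_RESPONSES))
    future = skew_responses(RESPONSES, 7)
    print("skewed to", consensus_date(future), "->", toy_dga(consensus_date(future)))
```

Two things to notice when running it. The quorum check is why simply setting the local clock forward, as the original poster suggested, tells you nothing: the sample never consults the local clock, and a sandbox that answers every request with the same canned page (no Date header) or blocks egress altogether yields None, which is the "closed network, hold up" branch. Skewing the served Date headers instead moves the consensus date to whatever day the analyst chooses, and because the generator is deterministic in the date, the resulting list is exactly what the sample would ask for on that day, which is the point of the playforward attack.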

  • Ahhhhhh... (Score:5, Funny)

    by buttfscking (1515709) on Thursday April 09, 2009 @09:23AM (#27517135)
    This sure is entertaining from over here on Linux Island! *sips drink*
  • by castironpigeon (1056188) on Thursday April 09, 2009 @09:26AM (#27517193)
    Isn't anyone else curious to see what happens next?! I can just imagine millions of computer users starting their computers Monday morning and seeing their new goatse-themed desktop. Oh the lols...
    • Re: (Score:3, Funny)

      Remove the stone of geek!...Append the stone of evil genius!

      Although if that does happen, expect a call from some well dressed men in a nice car, with blacked out windows, on Monday afternoon.
