Conficker Downloads Payload
nk497 writes "Conficker seems to finally be doing something, a week after hype around the worm peaked on April Fool's Day. It has now downloaded components from the Waledac botnet, which could contain rootkit capabilities. Trend Micro security expert Rik Ferguson said: 'These components have so far been missing, but could this finally be the "other boot dropping" that we have all been waiting for?' Ferguson also suggested that people behind Conficker could be the very same who are running Waledac and created the Storm botnet. 'It tallies with some of the assumptions people have made about Conficker — that the first variant was actively trying to avoid the Ukraine because Waledac was Eastern European,' Ferguson added."
actual article (Score:5, Informative)
Re:I gotta ask (Score:5, Informative)
Conficker gets its time from a lot of different time servers, not the local machine. I think the author might have thought about that when designing the worm...
Re:I gotta ask (Score:5, Informative)
Conficker doesn't use the internal system clock; it polls various websites to find out the real date.
If it can't connect to those websites, or gets an unexpected response, it assumes it's in a closed network and holes up.
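The date check this comment describes, and the "feed it your own time server" idea raised later in the thread, as an added analysis-sandbox example (not code from the thread or from Conficker): a local web server answers with whatever date the analyst chooses, and a client mimics the sample's check, returning None when the server is unreachable, which is the "closed network" case. It assumes, which the page does not state, that the sample reads the HTTP Date header.

```python
# Added example (not from the original thread or Conficker itself): an
# analysis-sandbox helper that feeds a sample the date the analyst chooses.
# The thread explains that Conficker takes its date from remote web servers,
# so moving the local clock does nothing; a controlled server does.
# Assumption (not stated on the page): the sample reads the HTTP "Date:" header.
import http.client
import threading
from datetime import datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from http.server import BaseHTTPRequestHandler, HTTPServer


def serve_fake_date(fake_now):
    """Start a local HTTP server whose only job is to answer with Date: fake_now.
    Returns (server, port); call server.shutdown() when done."""
    class FakeDateHandler(BaseHTTPRequestHandler):
        def do_GET(self):
            # send_response_only skips the automatic (real) Date header
            self.send_response_only(200)
            self.send_header("Date", format_datetime(fake_now, usegmt=True))
            self.send_header("Content-Length", "0")
            self.end_headers()
        do_HEAD = do_GET
        def log_message(self, *_):  # keep the sandbox log quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), FakeDateHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


def remote_date(host, port, timeout=3.0):
    """Mimic the check described in the thread: ask a web server for its Date
    header. Returns a datetime, or None when the server is unreachable or the
    reply is not what was expected (the 'closed network' outcome)."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("HEAD", "/")
        header = conn.getresponse().getheader("Date")
        conn.close()
        return parsedate_to_datetime(header) if header else None
    except (OSError, TypeError, ValueError):
        return None


def run_demo(year=2009, month=4, day=8):
    """Serve a chosen date, read it back as the sample would, then show the
    closed-network outcome once the server is gone."""
    server, port = serve_fake_date(datetime(year, month, day, tzinfo=timezone.utc))
    seen = remote_date("127.0.0.1", port)
    server.shutdown()
    server.server_close()
    return (seen.isoformat() if seen else None, remote_date("127.0.0.1", port))


if __name__ == "__main__":
    print(run_demo())  # ('2009-04-08T00:00:00+00:00', None)
```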
Re:I gotta ask (Score:5, Informative)
Why didn't someone infected with this, say last month, change their pc clock ahead...
First of all, I'm sure that the payload itself wasn't made available until the last minute.
Second, if it were me who wrote the virus, I would have written it to *start* looking for a payload, start looking in no particular place, and continue looking until it's been found. Considering that it's getting its payload from an established botnet, it could just be poking around looking for machines that can give it its payload and the payload wasn't made available until today.
When you have control of as many machines as the Storm or Waledac botnets, the world really is your oyster. You're not restricted by IPs, and if your botnet is large enough, you can just iterate through addresses looking for a system that has your payload for you. Without access to the botnet or the payload, it doesn't matter how much you reverse engineer or adjust your clock, you just can't predict what will happen in the future.
Re:I gotta ask (Score:3, Informative)
You certainly can man-in-the-middle attack it. Slowly skew the time with your own NTP server, then look to where it's going to ask for its next feeding and then attack that vector. And yes, you CAN attack a P2P distribution vector.
Re:Potato Blight for computers (Score:2, Informative)
Aside from pointing out the flaws in your analogy, and the fact a patch was released four months before this exploit arrived, I think you are overlooking the massive systemic benefits of homogeny.
One could argue that computing and the Internet would not be as ubiquitous as they are today without having had a de facto standard. There is an even stronger argument at the cost savings to businesses and governments in not having to train and retrain new employees on how to use numerous computer systems.
And as far as "companies getting taken offline," there is no excuse for leaving production systems unpatched for four months. Microsoft could not make it easier to apply security updates unless they came onsite and installed them for you. That's not as much a convicted monopolist issue as it is shoddy, lazy network management.
Ever have one of those moments... (Score:5, Informative)
When you realize you are uncontrollably in love with someone? That you and this person sitting beside you are soul mates? That you were meant for each other?
That moment for me came a few weeks ago. Yes, my wife and I have been married several years, but she was a Windows user when we met. Sure, she'd grown up in a diverse family - both Macs and PCs, but most of her experience was on Windows.
About a year ago I replaced Windows with Ubuntu on the family laptop. She kind of grudgingly went along with it.
Then, last week we were watching the news when the anchor broke the story of Conficker. Without missing a beat, she turned to me and in a roll-your-eyes-I-can't-believe-they're-so-stupid kind of voice said:
"That's a Windows thing, isn't it?"
"Yep," I replied.
"Hmmm. Sucks to be them, I guess..."
Linux evangelists take note: sometimes it takes people *years* to come around. But when they do, when they realize they no longer have to WORRY about viruses and other Windows-specific crap, it's priceless.
Ridiculous or not. (Score:4, Informative)
Incidentally the British didn't deliberately starve the people - after they'd woken up to the trouble, they did ship in large amounts of aid and close the ports to food exports.
As you say, there has been a great deal of bunk written about the Hunger in Ireland in the late 1840s. However, you may have added to it.
Irish ports were closed to food exports in the previous famine in 1783, but not at any time in the 1840s or 1850s. Ireland remained an exporter of food (mostly grain & cattle) in great quantity during the Hunger. What food aid arrived in Ireland was the result of charities, not the British government. In fact, the British attempted to prevent food aid from arriving from some other countries. http://en.wikipedia.org/wiki/Great_Irish_Famine [wikipedia.org]
There was also a lesser famine in Scotland at the same time, caused by the same over-reliance on potatoes which were hit by potato blight. http://en.wikipedia.org/wiki/Highland_Potato_Famine [wikipedia.org] This caused great hardship in the Highlands, but food aid provided directly by the British government meant there were relatively few deaths from starvation or malnutrition-related diseases.
Re:Potato Blight for computers (Score:2, Informative)
I run an unpatched machine with an obscure system that some friend of mine wrote. Probably anything but secure, knowing his code, but oddly, no spyware, no malware, no nothing. Why? Because it's no market either.
When you have a hundred systems all having an equal market share, any given threat can only infect 1% of the existing machines (provided they are not binary compatible). That is economically uninteresting for the malware businesses.
It is also uninteresting for software developers, so you have a system without malware and almost useless because you just don't have any software to run on it. Also you can't communicate with other people's systems because yours is incompatible and different. Unfortunately the malware is the price we have to pay for having access to such a big network. If we had a hundred different incompatible systems it would be a nightmare to write any software that runs on all of them (be it good or bad software). With some sort of common standard it is easy (for certain values of easy) to develop software that can run everywhere, good software and evil software.
Re:Holiday Weekend. (Score:4, Informative)
Re:Holiday Weekend. (Score:3, Informative)
I think of it differently. Han is an experienced criminal in Star Wars. Luke is still quite naive.
Han says that the MF made the Kessel run in less than twelve parsecs, obviously not a measure of time. Luke asks if that is fast. Han then knows that Luke is an interstellar NOOB. While not nice, this type of behavior was something that made Han Solo interesting in the first films. He went from a selfish smuggler that would have ejected his passengers in space to a selfless leader.
But like the other change made to the story, where Greedo fires first to make Han not the aggressor, the back-story was created to make Han nicer. I guess we just can't have mean, selfish, egotistical smugglers nowadays.