New Conficker Variant Increases Its Flexibility
CWmike writes "Criminals behind the widespread Conficker worm have released a new version that could signal a major shift in the way the malware operates. The new variant, dubbed Conficker B++, was spotted three days ago by SRI International researchers, who published details of the new code on Thursday. To the untrained eye, the new variant looks almost identical to the previous version of the worm, Conficker B. But the B++ variant uses new techniques to download software, giving its creators more flexibility in what they can do with infected machines."
The Botnet National Anthem (Score:5, Funny)
Botnets, worldwide botnets.
What kind of boxes are on botnets?
Compaq, HP, Dell and Sony, TRUE!
Gateway, Packard Bell, maybe even Asus, too.
Are boxes, found on botnets.
All running Windows, FOO!
Re: (Score:3, Funny)
If they run foo() then all operating systems are vulnerable!
O.M.G!
Re: (Score:1)
I'd mod you up if I could.
Re:The Botnet National Anthem (Score:5, Funny)
This virus works on the honor system. Please
randomly delete some of your files and forward
this to everyone you know.
Re: (Score:1)
AHAHAHAHAH I Love this
Re:This is you on windows (Score:4, Insightful)
And they keep coming back to Windows.
"Oh, I KNOW Windows loves me. All the abuse is my fault. I deserve it!"
Re: (Score:1, Interesting)
In this case it actually is. This worm is only targeting all the smartasses turning off windows update because they think they know better (whether sysadmins or personal users). This was patched months ago.
Re: (Score:2, Interesting)
"Oh, I KNOW Windows loves me" - by Chris Tucker (302549) on Friday February 20, @07:50PM (#26937217) Homepage
It does, because it does ME, & I have yet to be infected/infested for decades online now...
You can have the same results, simply IF you can read english & apply what is noted here to secure yourself (1-2 hrs. of work for YEARS of uptime, stability, & bugfree operation):
HOW TO SECURE Windows 2000/XP/Server 2003, & even VISTA, plus make it "fun-to-do", via CIS Tool Guidance:
http://www.tcmagazine.com/forums/index.php?s=e692b654cf47859bebf9e4380bec3a03&showtopic=2662 [tcmagazine.com]
----
"All the abuse is my fault. I deserve it!" - by Chris Tucker (302549) on Friday February 20, @07:50PM (#26937217) Homepage
It's the fault of Mic
Re: (Score:1)
And yet, my Mac OS X install comes from the factory with all the security features turned on by default.
In my twenty some years of Mac OS usage, I have run into exactly ONE virus, on a used Color Classic I bought. A quick application of the freeware Disinfectant took care of that.
If you want to spend all that time, securing your Windows installs, go right ahead.
As long as MS continues to ship a product that, essentially, lies there, its legs in the air, its underwear nowhere to be seen, and loudly demandi
Re: (Score:1, Interesting)
I'd have to STRONGLY wager that if (insert OS type here) was as dominant a force as Microsoft Windows is today (& has been for more than 19++ yrs. now in the world of personal computers @ least), MacOS X or Linux (or whatever) would be getting as much heat from the malware makers as does Windows today.
E.G.-> IF you were a malware maker today, wouldn't YOU target the biggest mass of users you could? Sure you would, & ESPECIALLY today (they've shifted from messing up your machine, to taking YOUR MO
Re: (Score:2)
When someone runs something in Windows, and it infects their machine it's "stupid windows". But, when someone runs something in Linux under ROOT, and infects their machine, it's "stupid user".
Yet (a few months ago) there was an article posting that most people run as admin in Windows, because software doesn't work. That's right, because of poorly designed software that doesn't work all the time, people have to run as
Re: (Score:1)
"When someone runs something in Windows, and it infects their machine it's "stupid windows". But, when someone runs something in Linux under ROOT, and infects their machine, it's "stupid user"."
Exactly. It's no big deal for me to run Mac OS under a user account, and switch to root when I need to. Mainly for Software Update and when I'm installing something that needs the admin password.
(To be honest, half the time, I don't know if I'm root or not. OK, right now, not root.)
Should be the same with Linux. One
This is slashdot right? (Score:4, Interesting)
Re: (Score:1)
Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.
Re:This is slashdot right? (Score:5, Informative)
Because the article doesn't have any technical detail either.
Well, the second linked-to article (the one by SRI) is chock full of technical details; and it's an interesting read.
Re:This is slashdot right? (Score:4, Insightful)
Not only did you read TFA, you followed the link from TFA! I'm sorry sir, but the usual question of whether or not you are new here doesn't apply to you. By ./ standards you are not born yet!
How did it come that you have a slashdot account?
Re:This is slashdot right? (Score:5, Funny)
Because the article doesn't have any technical detail either. I would assume that the new features allow them to connect through some sort of peering mechanism, but the article doesn't go into detail.
Well, I thought there was some useful detail in the article, particularly this:
Overall, the modifications to Conficker B++ appear relatively minor as compared to the significant upgrade in functionality, performance, and reliability, that occurred from Conficker A to B. These smaller and more surgical changes to B appear to address some of the realities that are currently impacting Conficker's binary update strategy. In particular, in Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction. Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.
However, Conficker A and B did support through the previous netapi32.dll patch an ability to accept new DLLs, as long as the shell code submitted through the RPC buffer overflow matched the original Conficker infection shell code. This approach was limiting both in the requirement that direct flashing required an easily identifiable shellcode string and a single DLL method loading procedure, both of which are now subject to detection by security software. Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host.
Re:This is slashdot right? (Score:5, Informative)
In short bot herders can now push updates to infected machines rather than relying on the infected machine to seek out and download updates.
Some quotes:
"a more efficient push-based updating service"
"the ability to accept and validate remotely submitted URLs and Win32 binaries, could signal a significant shift in the strategies used by Conficker's authors to upload and interact with their drones."
"comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%. "
"out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added. "
"Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach."
"Conficker B++ dramatically increases the flexibility of the direct flash mechanisms, offering an ability to load digitally signed Win32 executables directly to a Conficker host."
Re: (Score:1)
We are supposed to read the summaries too?
Meep Beep! (Score:2, Funny)
If you're on the highway and Conficker goes beep beep.
Just step aside or might end up in a heap.
Conficker, Conficker runs on the road all day.
Even the coyote can't make him change his ways.
Conficker, the coyote's after you.
Conficker, if he catches you you're through.
Conficker, the coyote's after you.
Conficker, if he catches you you're through.
That coyote is really a crazy clown,
When will he learn he can never mow him down?
Poor little Conficker never bothers anyone,
Just runnin' down the road's his idea of ha
Re:Meep Beep! (Score:5, Insightful)
Poor little Conficker never bothers anyone,
Just runnin' down the road's his idea of having fun.
And still true: it still hasn't done anything more than spread and try to keep itself from being purged.
With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!
Re:Meep Beep! (Score:5, Interesting)
I know this is a very unpopular view with a lot of people, but I'd personally like to see a major worm like this pop a msg saying "your computer has been taken over and is available to be used to harm others. You need to take your computer into the repair shop and get it cleaned up and protective software installed".
And then make windows unable to do anything but display that message when it boots.
Half the population would be picking up pitchforks, and the other half would be saying THANK you!
I for one am sick and tired of ignorant computer users getting their machines botnetted, blissfully unaware of the harm they are then contributing to. (and many of them are aware and just plain don't care)
Do the world a favor. MAKE them care.
Well, if you have deep pockets... (Score:2)
Of course, since you are kind of advocating an exclusive deal, it will probably cost more than the run of the mill spam or phishing campaign, which can be sold and sold again...
Also, IANAL, but I suspect doing bad things for the right reason would make you just as legally culpable as doing bad things, period.
Re: (Score:2, Insightful)
In that case you will never get caught because the current bot owners are not in jail and are selling services....
If they are untouchable, you're safe too.
Re: (Score:2)
Makes me wonder why Microsoft posted a bounty for the author(s) of this worm.
It's like, "Oh shit, we can't patch against this worm so we need to nab the author!"
Microsoft can't come up with a patch fast enough without proper testing and time. They figured go after the source of the problem.
Honestly $250,000 bounty is chump change so if they up the ante to $1,000,000 then people will listen.
Re:Well, if you have deep pockets... (Score:4, Informative)
It was patched a long time ago - last October [theregister.co.uk], to be precise.
Re: (Score:2)
Malware that actually thinned the herd would make for a more robust herd.
Re: (Score:2)
Says "couchslug".
Re: (Score:2)
I've seen things like this before, and the user completely ignored it. Just clicked closed the window, and kept using the computer as before, for months.
Even one that asked me how to get rid of it didn't care that they were infected....they just didn't want to have to close the window all the time.
I think the only way to get them to care would be to keep track of the number of times the warning was closed, and once it hit 6, 10, or whatever, it would turn into a modal dialog with no close button, rendering
Re: (Score:2)
Though I'd be willing to bet that shutting down their botnet would cost a lot more than the average spyware install or spam run. Since it would be their last sale.
But I bet you're right, they COULD be sold. I bet MS has enough money too. So if they REALLY wanted to get rid of it, I suppose they could pay them off? I don't see that happening though. it would set a nasty precedent that if you build a good enough botnet, MS will bury you in cash to go away. Though the botnet is already insanely profitable.
Re: (Score:1, Funny)
With all the suspense and the scale of infection, whatever the payload is going to be, it'd better be something totally awesome!
"The Rickroll To End All Rickrolls"
Re: (Score:1)
Oh why don't you malware like you used to do?
Spread Conficker like you used to spew?
I haven't patched my OS since two-thousand-two,
Why don't you malware like you used to do?
Ain't had no Clamwin, or a firewall, or an update in a long long whiiiiiiile.
Can't get to Google or WinUpdate cuz they've hijacked my gosh darn hosts fiiiiile.
Oh why don't you scan ports like you used to do?
Treat my pendrive like a prostitute?
Haven't BSoDed in a day or two,
So why don't you malware like you used to do?
Readable link (Score:3, Informative)
PS. Just because there is a "Slashdot this article with maximum clutter" button, you don't have to inherently click on it.
It's depressing. (Score:2, Insightful)
That a vulnerability patched in October could become a problem.
Will it run on Linux? (Score:2, Insightful)
I'd seriously like to see some malware attacking Linux users. Ubuntu users might be a good target audience with good vulnerability and gullibility. But I would really like to see some attacks to see if Linux or its users are really so much better than Windows users. Further, I would like to see how much could be blocked and avoided.
Security isn't as much of a battle among common Linux users and frankly, I wonder how lax we generally are.
Re: (Score:2)
The big problem, I think, would be the fact that most Linux users only install software from their distro's repositories. Most of them don't know how to unpack a tarball, go in with a terminal and use ./configure, make, make install. Unless you can slip something in by having a time delay before it activates, I really don't see how you're going to get much penetration. Not saying it can't be done,
Re: (Score:2)
You seem a little confused. Yum is a package manager, used primarily by Red Hat based distros. It *is* an executable, however there is not much to exploit, you don't "download and install a yum". Similarly, rpm is a program that is located on the host machine already. Alternatively you may have been referring to RPM packages which are not in fact executables but rather packages which rpm (the program previously mentioned) uses to install software. You could package malicious software in an RPM and have t
Re: (Score:2)
Except that it is not. It is a python source code file. When you "execute" it, your system reads the shebang on the first line, and calls python with yum as an argument.
Re: (Score:2)
Setting the executable bit on a file doesn't transform it into an executable. Try setting the execute bit on /etc/resolv.conf and see what that does.
If you add "#!/bin/tail +2" to the top of /etc/hosts, and chmod +x it, you can call it, and it will print out itself. That doesn't mean it's an executable. tail is the executable.
Likewise with yum, where python is the executable -- yum is the source file that python compiles, transparently to the user, when he types in "yum".
Re: (Score:2)
What I do like is the fact that the .deb files via updates are signed by a trusted authority. Every once in a while I would get an update saying this package can't be authenticated and asking me if I want to continue with the update. I usually say no unless I can actually trust the source.
Only time I ran into this is updating Open Office 3.0
Re: (Score:2)
... and average linux users are unlikely to run/install things they come across on their own...
And that is also the reason why Linux will always be a beloved geek operating system that is too complicated for ordinary users. All programs are harder to install and get working properly, which fortunately also includes viruses and worms.
Re: (Score:1)
That's wrong, rpm and deb are not executables and both require a root password to install and do anything at all. They are just compressed packages of files.
sh files require +x
Re: (Score:1)
I don't think that tarballs are that big a deal. I've been running Ubuntu since around New Year's '09 or so, as my first exploration of the Linux world. I broke away from Windows because (a) I was bored of knowing my OS so well and (b) I've been looking for a balance between cheap and stable, and few things if any beat FOSS for that.
I quickly learned how to build a tarball, whether it's gzipped or bzipped, and I even had a couple of scripts to do it for me (lost them on a reinstall when I got Windows XP
Re: (Score:1)
Never said expert, dude. Said I could install tarballs, and said that I have seen some idiot Windows users.
I was running a Kubuntu live USB one day, and the guy next to me asked me where all the "stuff" was. When he motioned to the desktop, I realized that he mentioned the icons, which were present in the school's Windows stuff, but not my Kubuntu live session. Decided to leave it at "This isn't Windows." Was about three seconds away from flooding his ears with shit he would never understand.
I have been
Re: (Score:2)
Yes. Download the Ubuntu Alternate Install CD.
It's not really any different once you've installed everything, but it's a text based installer with a lot more options. (full disk encryption, for one)
If you really want to impress the zealots, though, forget Ubuntu, and skip right past Gentoo and try your hand at LFS. (linux from scratch)
Re: (Score:1)
Linux from scratch? Ooh, cool. I gotta work my way up to that.
Will do some Googling later.
Re: (Score:2)
Neither do I, but then, we're probably not average Linux users. My sister's been using Ubuntu for over a year now. The other day, she had to download some better drivers for her printer. Even though the OEM's website gave complete instructions on how to install it, keystroke by keystroke, she still asked me to do it for her because she's never been comfortable with a CLI. If it's not in the Ubuntu repository and I'm not there to do the work, new softwar
Re: (Score:1)
(And yes, you could restore your home directory from backups, but how do you know whether the backups are infected?)
Nice question. I bet if a solution had been found by now, it'd be as emphasized as possible for Windows users. If a solution were available, Conficker might have a harder time spreading through USB drives.
Or maybe I'm just an idiot and I don't think outside the box. Is there such a solution?
Re: (Score:1)
All you need is a .desktop file, and that can automatically then download a program, install it to autostart with login, and you're golden. Now since Ubuntu does not set gksu to lock the screen you just have to snoop the sudo password and then you have root, baby, root. It's so stupid how non-+x files will run
Re: (Score:1)
DCC SEND HAHAHAHAHAHAHAHAHA
URL Generation (Score:2)
Basically the code now generates a random URL based on the date obtained from a remote server and then verifies any updates on the generated URL with RSA.
Seems sort of obvious
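The scheme described in the comment above (a rendezvous name derived from the date, and an update that is only run if its RSA signature validates), which is also the "digital signature validation path" the SRI excerpt quoted earlier in the thread refers to, as an added Python illustration. This is not code from the original page, from Conficker or from SRI: the name derivation, the TLD list, the number of names per day, the key size and the sample payload bytes are assumptions made up here, the worm's real generation algorithm and key are not reproduced, and the textbook RSA (no padding) is there only so the block runs with the standard library.

```python
"""Date-seeded rendezvous names gated by an RSA signature check.

Added illustration, not Conficker's or SRI's code.  The derivation, TLDs,
count per day, key size and payload are assumptions made up for this block;
textbook RSA over a raw SHA-256 digest is for illustration only.
"""
from __future__ import annotations

import hashlib
import math
import random
from datetime import date

TLDS = ("com", "net", "org")  # assumed list, not the worm's


def rendezvous_domains(day: date, count: int = 5) -> list[str]:
    """Derive `count` candidate rendezvous hostnames for `day`.

    Every drone that learns the same date (the thread mentions taking it from
    a remote server rather than the local clock) computes the same list, so the
    operator only has to register one of the names, and a defender who has the
    function can pre-register or sinkhole the whole day's set in advance.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        names.append(f"{label}.{TLDS[digest[8] % len(TLDS)]}")
    return names


def matching_queries(day: date, observed: list[str], count: int = 5) -> list[str]:
    """Defender view: which observed DNS names fall in the day's generated set."""
    expected = set(rendezvous_domains(day, count))
    hits = []
    for q in observed:
        name = q.lower().rstrip(".")  # normalise case and trailing dot
        if name in expected:
            hits.append(name)
    return hits


# --- minimal RSA so the block runs offline (illustrative only) ---------------
def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin probabilistic primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:  # force top bit (size) and low bit (odd)
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((n, e), (n, d)).  n is at least 2**510, so a raw SHA-256
    digest always lies below the modulus (needed for unpadded RSA)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign_update(payload: bytes, priv: tuple[int, int]) -> int:
    """Operator side: sign the update with the private key the drones lack."""
    n, d = priv
    return pow(_digest_int(payload), d, n)


def accept_update(payload: bytes, sig: int, pub: tuple[int, int]) -> bool:
    """Drone side: the gate in front of the execute step.  Only a payload whose
    signature validates under the embedded public key would be run, so whoever
    sinkholes a rendezvous name still cannot feed the drone arbitrary code."""
    n, e = pub
    return pow(sig, e, n) == _digest_int(payload)


if __name__ == "__main__":
    today = date(2009, 2, 20)
    print(rendezvous_domains(today))
    pub, priv = generate_keypair()
    blob = b"constructed update payload"  # stand-in for a Win32 binary
    print(accept_update(blob, sign_update(blob, priv), pub))
```

The two halves show why the design is hard to disrupt from the outside: anyone can precompute the day's names (so defenders can sinkhole them, and `matching_queries` flags hosts that look them up), but a sinkhole cannot push a payload because `accept_update` rejects anything not signed with the private key. Pre-registering the generated names, and watching DNS logs for them, is the defensive angle this gives a practitioner.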
Forget antivirus, go after them for copyright (Score:1, Funny)
You know, like the feds used to take down the Mafia on tax violations.
http://sourceforge.net/projects/b-improved/ [sourceforge.net]
Holy shit! Another version? (Score:2, Insightful)
Awesome. This is the greatest piece of malware I've ever seen. Conficker has done an absolutely wonderful job of becoming a real, recognized, major threat, even worming its way into several government systems.
The fact that it's evolving to continue its journey into every computer it can find is quite impressive to me. I don't think I've ever heard of a malware threat this bad. Conficker's botnet is now measured in percentage of Windows machines infiltrated. When you get a significant percentage of compu
Re: (Score:2)
> I haven't heard of this actually doing anything malicious yet, and judging from some
> comments here, it hasn't actually done anything yet.
Hasn't yet done anything that we know of. Yet.
Re: (Score:2)
When you get a significant percentage of computers like, say, 30% of 90% of the Desktop OS market (or whatever M$'s current stranglehold is worth), that's something to be proud of.
Man, it's too bad Redmond has a 90% infection rate of all Desktop OS workstations (or whatever MS's current stranglehold is worth).
Re: (Score:2)
Correction.. Windows has been infected by people! So the infection rate is 100%
Re: (Score:1)
No, I'm not applauding criminal activity because of a grudge. I'm applauding it for how widespread the program is and how it just refuses to die. It ain't every day you find a program as impressive as this one. How often has a piece of malware evolved to perpetuate itself, let alone multiple times?
This is a great effort on the programmers' parts, whether or not it actually does anything malicious to Windows systems.
When I saw B++ (Score:3, Funny)
If you're running as non-administrator.... (Score:2)
Re: (Score:2)
Do you know the difference between a virus and a worm? From your post, I don't think you do.
Viruses and worms can both do everything you mention. Why are you pretending they are somehow different and that permissions changes don't affect both?
A worm is a virus that doesn't piggyback on another executable, it works stand alone, otherwise they can and do do all the same stuff. Proper permissions and fixing exploits will stop a virus AND a worm.
Let's go over your list:
Re: (Score:3, Interesting)
While it's possible to make large mistakes with open software the majority of idiots are on the descendants of VB - however I have one python develop
Re: (Score:2)
I have one python developer that has to turn off one core of his laptop to make his scripts run!
Excuse my software development ignorance, but how the hell is he doing that? Breaking his code on multiple processors, I mean.
Re: (Score:3, Interesting)
As for the .net problem, it's a case of the configuration file for the application getting written the root of the syst
Back to Basics (Score:2)
It gives you better perspective when you have a: problem, good book, pencil, paper, and no distractions/crutches. I know I need to do this from time to time (whiteboard, diagram, pseudocode, and
Re: (Score:2)
You should probably pull out Filemon and see EXACTLY what its doing. Unless it is actively modifying files in the root directory, then there is no reason that it should have permissions to do so. There are plenty of ways with ACLs to allow the app to do what it wants to do without running as an admin. Does it create temp files there? Fine, let it 'CREATE' files, but not modify anything else. Does it need to modify files located there? Okay, let it, but explicitly deny it from everything else. You CAN
Where is the real infection info? (Score:2)
The more I hear about this worm the more I'm confused that I'm not seeing it on certain computers I know must have been unpatched.
I've looked for info on how it spreads but the only thing I can ever find is that it uses an RPC exploit and that having print and file sharing on makes you vulnerable.
Is it being blocked by some routers that block file and printer sharing ports perhaps?
Re: (Score:2)
Sorry, I went and read some more of the article you posted, you really don't have a clue, stop giving out bad information.
The next version will be even more harmful!!! (Score:2)
The next version will be...
C++!!!
And it will be considered harmful!!! :-)