Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Internet

Fears of a Conficker Meltdown Greatly Exaggerated 143

BobB-nw writes "Many have been worrying that the Conficker worm will somehow rise up and devastate the Internet on April 1. These fears are misplaced, security experts say. April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. A 60 Minutes episode about the worm on Sunday will stoke concerns. But the worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. 'Technically, we will see a new capability, but it complements a capability that already exists,' Porras said."
This discussion has been archived. No new comments can be posted.

Fears of a Conficker Meltdown Greatly Exaggerated

Comments Filter:
  • by coniferous ( 1058330 ) on Saturday March 28, 2009 @09:13PM (#27375355) Homepage
    The Media...? Exaggerating?

    that never happens.

    /Here, have some cool aid.

    • Mainstream media isn't exaggerating it, they've barely mentioned it. It's the on-line media that can't quit talking about it. How many Slashdot articles?
      • Can't get much mainstream than 60 minutes and evening news coverage.
        • by danwesnor ( 896499 ) on Sunday March 29, 2009 @08:08PM (#27383291)

          Yeah, that was a sham job.

          Script: Leslie's Virus Story

          Software Guy's office:

          Leslie: "There's this thing called a worm out there that's going to steal all your money and destroy the world, you know, it'll be bad. Cats and dogs lying down together and all that."
          Software guy: "Buy our software or your bank account will be emptied. Please watch this sham demo."
          Leslie: "Wow, I got a Facebook from Andy, let me just go ahead and delete that..."
          Software Guy: "No no no no no!! You have to pay attention to Andy or your money won't be stolen."
          Leslie: "I see. So that's why nobody's had their money stolen yet. You're not just on the show to sell your software, are you?"
          Software Guy: "Nah, you can trust me. I'm a software guy, not a banker. But if you don't buy it, some Russian kids will get all your money."
          Leslie: "Is there any other way to protect your computer, like installing the latest Windows patch?"
          Software Guy: "You're really not good at playing along, are you."

          Cut to interview with woman who's money was stolen because she didn't have Software Guy's latest product:

          Woman: "I saw it transfer money from my account to my son's account right before my eyes."
          Leslie: "Really? Right before your eyes."
          Woman: "Yeah."

          Woman's password is clearly visible on Post-it note on monitor. It's "password".

          Leslie: "So you have virus software?"
          Woman: "Yeah, it came with the computer. But after 30 days it started asking me to renew the subscription for $30, sooo..."
          Leslie: "I see. Did you consider a Mac?"
          Woman: "I'm not cool enough for a Mac. If that hot, skinny redhead isn't cool enough for a Mac, what chance do I have?"

          Virus Expert's office:

          Leslie: "What does this cornflucker thing do anyway?"
          Virus Expert: "Well, nothing so far, but that could change. One day it's going to take all your money and destroy the world. It's going to be bad. You won't believe what the cats and dogs will be doing."

  • Don't place bets... (Score:3, Interesting)

    by w0mprat ( 1317953 ) on Saturday March 28, 2009 @09:15PM (#27375375)
    ... either way. The only certainty is security experts have differing opinion on this.
  • by Anonymous Coward

    You just don't know what payload will be downloaded on April 1st.

    It could be your standard 'DDoS and Spam Run' package, but imagine what would happen if all these drones were used to start exploiting an unknown vulnerability, think SQL Slammer...

  • Updates (Score:5, Interesting)

    by shird ( 566377 ) on Saturday March 28, 2009 @09:22PM (#27375443) Homepage Journal

    April 1st is when the worm will *start* looking for updates. It will continue looking from that date on, with a different set of domains each day. So there is no reason why the authors would register one of the domains and put out an update on the first day. If anything, they would wait a while to increase the number of domains security researchers have to watch out for. Also, the authors may not have any reason to update it just yet - it seems to be quite successful in its current iteration. They may be waiting for a buyer to purchase a block of the botnet for example.

    • Re: (Score:2, Funny)

      by troll8901 ( 1397145 )

      Also, the authors may not have any reason to update it just yet - it seems to be quite successful in its current iteration. They may be waiting for a buyer to purchase a block of the botnet for example.

      No, it's because the authors slipped the deadline again.

  • by Felix Da Rat ( 93827 ) on Saturday March 28, 2009 @09:30PM (#27375501)

    Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?

    After April 1st, this thing will be drawing from more domains than can be blocked for future updates. It sounds like it'll be much more entrenched and difficult to combat if that happens. So this advise sounds a lot like 'Well, the gangrene has spread from your foot up to your knee, but it's not a problem'.

    • Re: (Score:3, Interesting)

      Actually, I think the better solution would be... "they" obviously have the domain generating algorithm. Major ISPs could EASILY with a little ingenuity could identify which of their customers are infected. Cut them off, send them a letter, and make it really really clear that if they continue to "abuse ISP resources", they are liable for cleanup costs, plus penalties. And they have to agree to it before they get their service back. I'm sure there is some sort of slippery slope of abuse that I'm not quite s
      • by Splab ( 574204 )

        Really?

        The worm tries against 50.000 new domains every day. That is quite a big number to match against - also the ISP needs some incentive to throw money at keeping this database up to date, there are no money in blocking the worm.

        Also the algorithm might hit innocent domains once in a while causing you to threaten innocent users.

    • by symbolset ( 646467 ) on Sunday March 29, 2009 @01:30AM (#27376945) Journal

      Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?

      They're trying. Microsoft has released a patch that supposedly blocks the primary vector [microsoft.com] (a vulnerability in the Server service affecting all Microsoft operating systems since Windows 98), and updated their repair tool MSRT [microsoft.com] to detect and remove it (download it from a machine that's not infested). It has probably removed it from several million of the estimated 15 million infested machines. Microsoft is working with ICANN [icann.org] to block registration of the generated domain names in the case where they're not yet registered and the owners of the domains that were previously registered to mitigate downtime. Every managed service provider and major IT shop I know of has pushed out all of this stuff. Unfortunately, this is not even close to enough. The secondary vector, autorun, is pernicious. This thing is now on the root thousands of major shares and every time they remove it one of the thousands of Conficker clients puts it back. It's on millions of pen drives, millions of backups. It's been burned to millions of CDs. It's on iPods and mp3 players, Blackberries and iPhones and Windows Mobile phones, picture frames and DVDs. It's probably now in the root of DVD ISOs distributed via all the popular media distribution sites. Tertiary vectors include compromising network neighbors. Your grandchildren are going to be installing this thing if they don't figure out the whole "autorun is stupid" thing.

      This thing is really very well engineered. The next one will be even better. And the next one better still. If you're in a Microsoft shop you're going to be working half your holiday weekends for the rest of your career, and a lot of planned vacations too. Remember that this is not the only Windows malware currently making the rounds. There are at least three major development groups and all of them have active botnets and a release schedule for new exploits.

      We've been playing this game for a long time and the black hats are getting more proficient than the white hats. The problem is that the target platform - Windows - cannot be made invulnerable to these threats without defeating its main selling point: application compatibility. Most of the people who work with this toxic stuff do their development on BSD, OS-X or Linux and refer to Windows boxes as "targets". If Microsoft makes Windows so secure that this junk won't spread, most of the apps for it won't run. You might as well run an OS that's not a target now as wait for that to happen.

      But TFA is right. April Fools is the day the botmaster begins to harvest his crop of bots. May 22 is more likely the beginning of operations. I could be wrong about this because I previously guessed January 16.

    • Re: (Score:3, Insightful)

      by rts008 ( 812749 )

      Maybe I'm wrong here, but doesn't it make more sense to get everyone trying to fight this virus/bot/whatever early rather than wait?

      Yes, it does make more sense, but will never happen. Until you can get more than a handful of Windows users to actually know and care about these issues, it will stay in this same state of sorry affairs. Just three things are keeping this crap going:
      1. MS market share guarantees a large fat market for malware authors
      2. Typical Windows user does not want bothered with hassles an

  • by h00manist ( 800926 ) on Saturday March 28, 2009 @09:44PM (#27375629) Journal
    Help keep my job interesting. And more relevant. Geez, now I'm in league with the narcs - if there's no crooks, I'm out of a job.
  • Windows Update? (Score:3, Insightful)

    by Anonymous Coward on Saturday March 28, 2009 @09:45PM (#27375649)
    Seems like Windows Update is always failing with random errors. Maybe MS could buy up this technology to fix their own? ;)
    • Re: (Score:2, Insightful)

      by symbolset ( 646467 )

      I doubt Microsoft could agree to the license terms.

    • Re: (Score:1, Interesting)

      by Anonymous Coward

      My favorite is how it's an "unknown error".

      Bullshit! There's no such thing as a fucking unknown error. If it's unknown then how do you know there's an error? Tell me THAT!

  • Here's hoping for no such meltdown.
    This thing going stupid on April 1st would just add to my birthday present.

    "Happy birthday, Orb. Now get back on the phones, we're all hands on deck for lusers calling in with that Conficker crap."

    Now, of course, I'm wondering just where can someone stick the cork to stem the possible flow that this little barstard is going to cause to divert the most damage?
    Also, just how big does the cork have to be?

    • Why not register one of the conficker domains yourself, before the actual owner can do it, and then load you own windows-by-linux-replacer into it. Oh, and add a conficker remover too. Done right, it should result in an "epic pwn" as they say.

      • Re: (Score:2, Informative)

        by mail2345 ( 1201389 )
        Has been mentioned before.

        It uses 4096 bit RSA to sign the binaries.

        I don't know any group that could crack that(yes, not even you, FBI/CIA/NSA super computer).
      • by Trahald ( 698493 )
        Because Conficker uses signed and verified downloads.
        • by Anpheus ( 908711 )

          See, digital signatures WORK! Proof that they'll solve all of our software update and malware pro...

          Wait, conficker was written by the bad guys?

          Dammit.

    • Re: (Score:2, Interesting)

      "Now get back on the phones, we're all hands on deck for lusers calling in with that Conficker crap."

      Of course, with all the media hype over Conficker, combined with the fact that it is April Fool's Day, and it seems likely you're going to be getting a lot of calls from people who think they're Confickered just because they finally started paying attention to how slow their malware (non-Conficker) infested computer is. Along with potential pranksters calling in...I don't envy you...

      At least Slashdot's April Fools jokes may bring you a smile...

  • by guruevi ( 827432 ) on Saturday March 28, 2009 @09:58PM (#27375753)

    I would like this thing to actually shut down all those computers that are infected. It would save quite a bit on energy and actually be quite useful. If there would be a way to permanently disable a computer (flash it's BIOS with a bad image) then maybe it could stimulate the economy. Another thing would be to simulate a 56k connection on all those machines. Finally the intertubes would be cleared of a lot of clutter by people trying to get to awful flash 'movies' of random people on Facebook or MySpace. Another thing would be to register every IP that the computers are connected to as potential spam hosts to well-known spam registries.

    Of course if some host is infected and some life or death situation is dependent on it, the blame should be placed on the IT administrator or the vendor, not the creator.

    It will be interesting to see what will happen.

    • by lessthan ( 977374 ) on Saturday March 28, 2009 @11:11PM (#27376189)
      Yes, because everyone is an idiot but you. They're not smart enough to deserve the internet. Let us take their PCs from them.
    • Re: (Score:3, Informative)

      by Korin43 ( 881732 )
      Destruction of property is not helpful for the economy. Any money that people have to spend on computers, they can't spend on something else. Sorry no free lunch here.
      • Re: (Score:1, Insightful)

        by Anonymous Coward

        If some fuckwit walked up my street with a hammer smashing car windows every day, then destroying the hammer would certainly help the economy.

        Destruction of property is helpful for the economy if the property is doing more harm than good.

      • Re: (Score:3, Funny)

        Destruction of property is not helpful for the economy.

        How that be? I've been watching Congress and the President and clearly they think destruction of economy is helpful for the economy...

    • by Pecisk ( 688001 )

      Most ironic would be that after update they would patch Windows up to lastest update, clean themselves and leave informational message on screen about computer security. That would rock :)

  • by TinBromide ( 921574 ) on Saturday March 28, 2009 @10:03PM (#27375791)
    I've been following storm, and that has dropped off the face of slashdot, and other worms, this latest conflicker is getting an article once or twice a week, but unless i missed something, how does one prevent/detect/remove these worms? All the news articles seem to think that its a foregone conclusion that your (or someone you care about) system WILL BE ASSIMILATED. I run windows, but I practice safe browsing ( I wrap that rascal by not downloading willy nilly, using outlook for e-mail, and use no-script and abp in firefox, all of which is running on an up to date windows XP build running behind a NAT router), am I infected? Will AVG tell me if I am? Would NAV or {other antivirus} tell me?

    Wikipedia has info on how to detect [wikipedia.org] and remove using most major antivirus running the latest update. [wikipedia.org] But why don't the news-writers seem to recognize this? Why must every infection be a death sentence to support some nefarious plot with your unwitting computer?
    • Is Outlook more secure than Thunderbird? I've been under the impression that the opposite was true.

    • Don't be a target. [distrowatch.com] Use some system that doesn't have these problems.

    • First let's make sure that every admin in charge of a network understands and has acted accordingly on the "traditional" ways of infection. Conficker/Downadup spreads currently via three methods:
      • It exploits the MS08-067 vulnerability to infect via the network.
      • It uses the Autostart mechanisms for spreading via network shares and removable devices (except for media that identify themselves as removable media such as USB sticks on WindowsXP and later)
      • It tries to bruteforce shares as user Administrator and wit
  • I'm just waiting for someone to realise that April 1st was a spoof, and the attach will actually happen March 31st!
  • I was looking for some cheap schadenfreude...

  • by Anonymous Coward

    Why are we discussing Windows/Linux/OS X preference at all? Does anyone have even the slightest clue how ignorant these statements sound? Replies like "My custom compiled super secure xxxxxx install is impervious to all attacks from anyone..." are inflammatory and pose no useful, relevant, or even accurate account of how things work in the real world. Don't be dumb. That's the best advise anyone can give. Someone please drop a comment that has useful information regarding the subject. It may actually

    • You are SO correct (Score:4, Insightful)

      by symbolset ( 646467 ) * on Sunday March 29, 2009 @03:32AM (#27377471) Journal

      Why are we discussing Windows/Linux/OS X preference at all?

      If you want a system that's not vulnerable to Conficker, Koobface, Torpig, Storm, Antivirus 2009, Bitfrost, Sasser, MyDoom, Sober, Sobig, Welchia, Blaster, Nimda and Code Red, you need look no farther than "anything that's not Windows".

      • Or just learn basic security:

        -Disable autorun
        -Use Firefox
        -Keep MalwareBytes update
        -Scan regularly
        -Unplug your router at night
        -Check msconfig regularly for new entries
        -Use Process Explorer instead of Task Manager (much more informative)

        Then there's Deep Freeze.

        Using those precautions, I've only been infected twice. Once by a flash drive infector (I immediately obliterated it and turned off autorun) and the other by a wannabe Trojan that got picked up by MalwareBytes in seconds.

        I'm not terri
  • hilarious (Score:2, Interesting)

    by Anonymous Coward
    posting anonymous because I know the windows users will mod me down, but as an uninvolved bystander (I wont name my platform but I no longer touch windows) I find the whole thing incredibly amusing. can you imagine if a particular model of a particular car manufactures electronics system could be compromised by filling up at a particular fuel station; possibly turning the cars into moving timebombs on a certain date. do you think we'd all be sitting around wondering what is going to happen on that day? no f
    • As usual it will pass mostly unnoticed. A botnet can be used in much more profitable ways than simply wiping the disk. And maybe it will be used to send more SPAM affecting every mail user regardless of what operating system they are using.
    • Even if the HDD were zeroed, the people would take their PCs in to the shop to be fixed or they would just go out and buy another. And then go back to doing the same stupid things they were doing before. People have argued that the problem is a need for education, but ultimately that will never work on a global scale. There are too many people out there who view the PC as an appliance and just want to be entertained and not educated. Even the Linux user is bombarded by spam. While they might not be vu
    • Following is much too long. I'm worried about tl;dr but I haven't had sufficient coffee to figure out how to condense this.

      I don't know whether it was parent post's intention, but a sudden insight flashed through my head that government could require a safety recall on operating systems that <strike>have defective security by design</strike> are hosts to huge botnets.

      It could be a tiered recall, where IT departments of hospital networks and similar high risk environments are required to par

  • Would be counter productive. Cant make any money off the botnet that way.

    Really, even crashing the infected PC is the same. The days of 'dangerous' viruses have long since past.

    • Cant make any money off the botnet that way. Really, even crashing the infected PC is the same. The days of 'dangerous' viruses have long since past.

      "Because he thought it was good sport. Because some men aren't looking for anything logical, like money. They can't be bought, bullied, reasoned or negotiated with. Some men just want to watch the world burn." --Alfred Pennyworth

  • by Anonymous Coward on Sunday March 29, 2009 @07:51AM (#27378375)
    • Conficker A and B infect computers by exploiting MS08-067. Conficker B also infects by installing itself as an AutoRun trojan on any removeable media it can find.
    • On already-infected computers, Conficker A and B will attempt to download an additional payload from any of 250 random hostnames, generated daily. Conficker C does not do this until April 1, after which it will generate a pool of 50000 hostnames every day and randomly pick 500 of those to attempt. This is what the articles were referring to.
    • The payload is RC4-encrypted and RSA-signed. Conficker executes it blindly. These payloads have so far been used only to install newer versions of Conficker.
  • Generally linux users are more computer savvy and don't go opening every email attachment they get.

  • Security experts claim fears of a global internet meltdown have been gr
  • by i_b_don ( 1049110 ) on Monday March 30, 2009 @04:08AM (#27385649)

    Ok... so here's what I don't get:

    Security experts are well aware of this botnet client and are keeping a close eye on it. They've picked the client bot apart line by line. They know exactly how it is supposed to behave on the client side, but they of course don't have a clue about the server side. So why can't they hijack the hijacker?

    For example, say this client bot is programmed to go to IP address on April 1st and DL some update. Ok..., block that IP address on the internet or trace the IP address back to the owners and stop it there. Those don't seem hard. (ok... and before someone calls me an idiot for saying "block the ip address on the internet", what i mean is that you can get the major service providers, certainly here in the US, and potentially abroad to "lose" anything sent to a specific address.)

    Ok... so let's say that the client bot is programmed to go to IP address to and ping each one to ask for an appropriate update, verifying each update against a specific hash key. Ok... then grab IP address and put in something that DLs a file that neutralizes the bot. There can be no hash key that the researchers can't figure out because they can pick through the entire client bot's code bit by bit.

    I'm clearly not getting something crucial here, but it just seems that in all the moaning about how bad this is that it wouldn't be that hard for someone person to write some kill code for it as long as enough time and effort had already gone into understanding the client side code.

    Someone please help out a clueless non-security, non-software engineer understand why this is so hard.

    d

Don't tell me how hard you work. Tell me how much you get done. -- James J. Ling

Working...