Taming Conficker, the Easy Way
Dan Kaminsky writes "We may not know what the Conficker authors have in store for us on April 1st, but I doubt many network administrators want to find out. Maybe they don't have to: I've been working with the Honeynet Project's Tillmann Werner and Felix Leder, who have been digging into Conficker's profile on the network. What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will give you an honest answer. Tillmann and Felix have their own proof of concept scanner, and with the help of Securosis' Rich Mogull and the multivendor Conficker Working Group, enterprise-class scanners should already be out from Tenable (Nessus), McAfee/Foundstone, nmap, ncircle, and Qualys. We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Wow! (Score:5, Insightful)
Wow. So this:
IT tech: Do you know if your workstation has a virus?
User: I don't know. It might. The other day I was typing something and something popped up I can't remember what it said but I think it had something to do with virus scanners but I can't remember and then there was this time I downloaded this thing and it said something about my computer being infected but I can't remember if I clicked it or not and then another one [etc etc etc for 20 minutes]
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
Nice. Seriously, nice. Now we just need to work out a way to remotely ask a computer if the printer cable is properly plugged in, and we're set.
Re:Wow! (Score:4, Insightful)
I don't know about you, but on my network I run a centrally administered virus scanner. It seems quite a bit easier than asking every user!
Re:Wow! (Score:4, Insightful)
If only all malware was this easy to detect. Unfortunately, despite the proliferation of automatic virus scanners, "firewalls," and various other techniques, infections still occur.
The main problem is the current monoculture in desktop operating systems. No matter what you think of Microsoft, no matter what you think of Windows, you have to admit that having 90% marketshare of a single OS on desktop operating systems is the biggest part of the problem. The second biggest part of the problem was not designing network security into the OS from day one, but instead attempting to bolt it on on an OS that has always been designed to be a highly integrated one-size-fits-all solution.
Re: (Score:2, Interesting)
The second biggest part of the problem was not designing network security into the OS from day one, but instead attempting to bolt it on on an OS that has always been designed to be a highly integrated one-size-fits-all solution.
How is "network security" any more (or less) "bolted on" in Windows NT vs UNIX (or Linux) ?
What exactly do you mean by "network security" ?
Re:Wow! (Score:4, Interesting)
No one said that network security isn't "bolted on" in UNIX.
But there are other machines which are definitely invulnerable to the attack methods used by worms like Conficker (typically modifying program flow by injecting executable code and altering address pointers, so the injected code will be executed).
For example, IBM's AS/400 / iSeries 400 / eServer i5 (/ or whatever the name is today) has built-in (hardware-supported) pointer protection and separate address-stack and data-stack.
Actually, that is the reason why the CPUs are sometimes called "65-bit CPUs" instead of "64-bit CPUs" - the 65th bit is a tag flag (in memory, it's stored in the ECC area).
The details can be read in the book "The Inside Story of the IBM iSeries" by Frank G. Soltis.
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
Better, yes, but no solution for PEBKAC (Score:3, Insightful)
What we really need are machines which can prevent viruses and/or worms BY DESIGN and IN ADVANCE, instead of reacting by means of virus scanners, patches and removal tools AFTER something went wrong.
As long as you give the user freedom to install and run what he wants, you cannot possibly prevent him from running/installing malicious code which can take over as many functions as the user himself has (i.e., if he can send email, so can the code, etc.)
Re: (Score:3, Insightful)
Actually, most infections today occur thanks to social engineering. The biggest liability is still what's between the keyboard and the chair.
But not in Germany or UK? (Score:5, Interesting)
Which would happen once for every node on the network, would become this:
root@admin:~$ nmap 192.168.0.* -confickercheck
But isn't possession of "hacker tools" such as nmap legally questionable in the UK and Germany?
http://it.slashdot.org/article.pl?sid=07/08/13/0218246&tid=172 [slashdot.org]
http://yro.slashdot.org/article.pl?sid=08/01/03/2056223 [slashdot.org]
So if you use nmap to clean your network, you may be open to criminal charges.
Re: (Score:2)
Forget nmap; Windows is just one big hacker suite.
Re:But not in Germany or UK? (Score:4, Insightful)
Not in the UK, according to the articles that you linked to. The prosecution have to show that you intended to use the tool to commit a crime - possession is not enough. Did you actually read the links that you posted?
Re:But not in Germany or UK? (Score:4, Informative)
Not in the UK, according to the articles that you linked to. The prosecution have to show that you intended to use the tool to commit a crime - possession is not enough. Did you actually read the links that you posted?
Yes, I did. According to the linked article, if you distribute a "hacker tool" that somebody else then uses for an illegal purpose, you're on the hook under UK law. Even if you commit no crime with it.
Re: (Score:2)
So, did you then confuse possession and distribution? I still don't see how possession of nmap, neither committing a crime nor intending to, is illegal under that reading.
Re: (Score:3, Funny)
Ok so you did read it. And I'll assume that you are aware of what you wrote the first time. And I'll assume that you read my response. The only possible logical conclusions are either a) you don't know the difference between possession and distribution (thanks blueg3), or b) you are an idiot. I'm not as generous as blueg3, I think you lack the intellectual faculties to post on slashdot. It's a low bar, but by god you've hit it.
I'm going to try though, and see if you could understand with a little coaching, a
Re:But not in Germany or UK? (Score:4, Informative)
IIRC the actual standard has been reduced to 'could be useful to commit a crime'.
Several people in this country currently have criminal convictions for possessing certain books because they 'may be useful to someone planning a terrorist attack'
Not WERE planning attack. Not were part of a group of known terrorists with known events behind them. Just 'may be useful to someone planning a terrorist attack'.
Trust the law in this country? Hell no!
Re: (Score:3, Interesting)
Someone I know was personally investigated by the local police as possible dope growers (some years ago, when it was still entirely illegal in the state of California, where all this transpired) because they were known to possess shovels. Not a joke. The police came and inspected the bamboo grove that apparently triggered the inspection... This is not a third-hand story, either. Or even second-hand, to me :)
Re:Wow! (Score:5, Funny)
If you have even half-assed antivirus in a corporate environment, you'll be able to log into the admin console, and see what machines are infected.
You can also see when a machine was last in contact with the controller, so if a virus kills the A/V on a machine, it will stop contacting. Anything that's been over a week since contact automatically should be physically investigated.
Of course, you could be using Norton Internet Security 2009 on your corporate machines, which doesn't have this capability. But if you are, you're an incompetent moron, and shouldn't be trusted with a Gameboy, forget a multi-computer corporate network.
Re: (Score:2)
What about those worms or trojans or viruses that have built-in rootkits, and therefore avoid being detected by most AV programs?
Nmap 4.85BETA5 just released (Score:5, Informative)
nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
For more details, see the announcement at http://insecure.org [insecure.org].
-Fyodor
Re: (Score:3, Funny)
rm -rf /*
for a sec i thought u said
rm -rf /.
lols at that....
Re: (Score:2, Interesting)
"rm -rf /*" does not remove "/.conficker"
"rm -rf /." (or just "rm -rf /") does.
Re:Wow! (Score:4, Informative)
You'll want to exclude at least /dev and /proc from that command if you want it to complete. I actually just prefer dd for ease of destruction.
Re: (Score:3, Informative)
The -f will skip over anything that can't be done, you know.
/dev? I'll answer that for you: No more deleted files. Everything prior to it getting to /dev is gone, but the rest is left. By going directly to the device with DD you'll complete the overwrite.
What happens when your HD node is deleted from
Re: (Score:3, Insightful)
Somehow I think that command would selectively work on the uninfected machines, and fail on the infected ones.
Re:Wow! (Score:5, Informative)
To be fair, you can do something similar in Windows; but it sure isn't the soul of wit [msdn.com].
Am i doing it wrong? (Score:5, Funny)
Re:Am i doing it wrong? (Score:4, Funny)
Use the mouse. It's quaint but it works. A Scottish accent may be helpful as well. ;)
Re:Am i doing it wrong? (Score:4, Funny)
So how do you use a mouse with a Scottish accent? Curious minds are dying to know.
Re:Am i doing it wrong? (Score:5, Informative)
So how do you use a mouse with a Scottish accent? Curious minds are dying to know.
http://www.youtube.com/watch?v=wzRziK-kZtQ [youtube.com]
Just drop your geek card in the slot by the door as you leave.
Re:Am i doing it wrong? (Score:4, Insightful)
Much like the rest of the English speaking world, really.
Potential problem (Score:5, Funny)
We figured this out on Friday, and got code put together for Monday.
And with the ability to be remotely updated, Conficker will be immune to this by Tuesday.
Re: (Score:3, Funny)
+1 Dance, monkeys, dance !
So... (Score:5, Insightful)
So where's the article detailing what was in the summary. NONE of the links has any details on what the summary claims. There's simply the "proof of concept scanner" but no info on any of the linked blogs about it, no info on the major sites linked about it....
Very crappy post, editors!
Re:So... (Score:5, Insightful)
The technical details are not complicated -- Conficker, in all its variants, makes NetpwPathCanonicalize() work quite a bit differently than either the unpatched or the patched MS08-067 version -- but I'll let Tillmann and Felix describe this in full in their "Know Your Enemy" paper, due out any day now with all sorts of interesting observations about this annoying piece of code. (We didn't think it made sense to hold up the scanner while finishing up a few final edits on the paper.)
Re: (Score:2)
If that's the case, then it's not a remote detection tool rather something locally. Surely there are plenty of other ways to see you're infected eg. you haven't run windows update in over 6 months is a good sign.
Re:So... (Score:4, Funny)
So we have an unsubstantiated sentence by "Dan Kaminsky"? Who doesn't happen to be one of the researchers, so how does he know what he knows? That's usually the standard in "journalism", quote sources otherwise I can write a lot of stuff that's just talking out of my ass.
Re:So... (Score:5, Interesting)
I actually worked with the researchers on this. (This is Dan.)
Re:So... (Score:4, Informative)
Looks to me like you just use the smb checker script. If you have the latest source from SVN, something like this should work:
nmap -sS --script smb-check-vulns.nse -p 139,445 -v -d -P0 -oA outputfilename hostornetworktoscan
Re:So... (Score:4, Informative)
Hey guys,
I'm the author of that script, and that's exactly right. I posted a full explanation on my blog [skullsecurity.org].
Re:So... (Score:4, Informative)
WARNING: These checks are dangerous, and are very likely to bring down a server. These should not be run in a production environment unless you (and, more importantly, the business) understand the risks!
As a system administrator, performing these kinds of checks is crucial, because a lot more damage can be done by a worm or a hacker using this vulnerability than by a scanner. Penetration testers, on the other hand, might not want to use this script -- crashing services is not generally a good way of sneaking through a network.
If you set the script parameter 'unsafe', then scripts will run that are almost (or totally) guaranteed to crash a vulnerable system; do NOT specify unsafe in a production environment! And that isn't to say that non-unsafe scripts will not crash a system, they're just less likely to.
MS08-067 -- Checks if a host is vulnerable to MS08-067, a Windows RPC vulnerability that can allow remote code execution. Checking for MS08-067 is very dangerous, as the check is likely to crash systems. On a fairly wide scan conducted by Brandon Enright, we determined that on average, a vulnerable system is more likely to crash than to survive the check. Out of 82 vulnerable systems, 52 crashed.
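The posts above give the nmap invocation (with `--script-args safe=1`) and the meaning of the script's results, but not how to turn a scan of a whole subnet into a list of hosts to go and look at. The following is an added example, not nmap's code, the NSE script, or anything the script author posted: it parses nmap's XML output (`-oX`, a real nmap option; the `smb-check-vulns` script id is the one named in the posts) and buckets each host by what the script reported. The XML and the result strings inside it are constructed for the example; the real script's wording may differ, so the classification keys on the words INFECTED and VULNERABLE rather than on exact lines.

```python
"""Triage hosts from an nmap -oX run of the smb-check-vulns script.

Added example, not code from nmap or the script author. Assumes the scan
was saved with -oX and that the NSE script's hostscript id is
'smb-check-vulns'. The sample document below is constructed, not a capture.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample: one host the script calls infected, one it calls clean,
# and one with no hostscript output at all (ports closed or filtered).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/><address addr="192.168.0.10" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely INFECTED&#10;  regsvc DoS: NOT VULNERABLE"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.0.11" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="192.168.0.12" addrtype="ipv4"/></host>
</nmaprun>
"""

# One "Name: result" line of script output per match.
LINE_RE = re.compile(r"^\s*([^:\n]+?):\s*(.+?)\s*$", re.M)


def parse_smb_check_vulns(xml_text):
    """Return {ip: {check_name: result}} for every host that carries
    smb-check-vulns hostscript output. Hosts without output are omitted,
    so the caller can tell 'not checked' apart from 'checked and clean'."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.findall("host"):
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        for script in host.findall("hostscript/script"):
            if script.get("id") != "smb-check-vulns":
                continue
            results[addr.get("addr")] = dict(LINE_RE.findall(script.get("output", "")))
    return results


def triage(results):
    """Bucket hosts: 'infected' if the Conficker line says INFECTED,
    'unpatched' if MS08-067 is reported VULNERABLE (but not NOT VULNERABLE),
    otherwise 'no_finding'. Infected hosts need cleaning; unpatched ones
    need the MS08-067 patch before the worm finds them."""
    buckets = {"infected": [], "unpatched": [], "no_finding": []}
    for ip, checks in sorted(results.items()):
        conficker = checks.get("Conficker", "").upper()
        ms08_067 = checks.get("MS08-067", "").upper()
        if "INFECTED" in conficker:
            buckets["infected"].append(ip)
        elif "VULNERABLE" in ms08_067 and "NOT VULNERABLE" not in ms08_067:
            buckets["unpatched"].append(ip)
        else:
            buckets["no_finding"].append(ip)
    return buckets


if __name__ == "__main__":
    # Real use: nmap -PN -p139,445 --script=smb-check-vulns --script-args safe=1 -oX scan.xml <net>
    # then: parse_smb_check_vulns(open("scan.xml").read())
    found = parse_smb_check_vulns(SAMPLE_XML)
    for bucket, hosts in triage(found).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts that are up but produced no script output are left out of every bucket on purpose: on a real scan that is the list to re-check by hand (SMB filtered, host down mid-scan, or crashed by the check itself, which the posts warn is common on vulnerable systems).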
I don't get it ... (Score:2, Interesting)
The most common infection vector is because people run executables from untrusted sources. And now Tillmann and Felix expect us to download a scanner and run it on our systems ?
Next time someone recommends GTA for driving schools ....
McAfee Stinger for Conficker (Score:3, Informative)
or other way.. (Score:5, Interesting)
Window HOWTO (Score:5, Informative)
(Hat tip to an AC comment at El Reg [theregister.co.uk]). Just a warning - it runs like a dog. I found that a passive Honeypot like Honeybot [atomicsoft...utions.com] works well and is easier to install.
mod parent up (Score:2)
I have no mod points, but the links in the actual story have zero information on actually running a scan. I'm scanning my office network right now solely because of this comment.
Re: (Score:3, Informative)
I actually installed both Impacket and Crypto, just to get rid of that warning.
In any case, I'm running this on LANs, so there are no firewalls on the way. I'm not randomly scanning people on the internet. And yes, I am authorized to do this kind of thing on these networks.
why isn't this the standard method for all scans? (Score:2)
Why isn't this the standard method for /all/ virus scanning? Remote scans are the only method which has ever seemed sane to me.. why would you run software to detect if the software you're running has been compromised? That's why I don't run virus scanners: it's pointless.
Give me a program that I can run on a "known good" system (for example, a system which boots off write-once media) and which monitors the local network for suspicious activity. I'll run that one.
Re: (Score:3, Informative)
Because most viruses do not change the network behaviour of a host. Because most viruses are not visible from outside a host. Because this is a very rare case of a worm that actually changes the fingerprint of a host.
60 minutes segment (Score:3, Funny)
I thought it was funny, one of the newscasters on 60 minutes said she just got "owned". It's funny since this is the same show Andy "I'm out of touch with reality" Rooney is on.
why so many systems aren't patched (Score:3, Interesting)
It's quite elementary, really: Windows Update sucks. Okay, that probably needs an explanation.
Would you rather:
a) Run Windows Update so Microsoft has backdoor access to update/patch/install software at random, as well as auditing your system for "compliance" and sending you a legal nastygram if you are caught running a "pirate" copy of Windows? Note: The detection algorithm for "Windows Genuine Authentication" has passed numerous false negatives and disabled people's computers before who purchased legitimate copies, -or-
b) Not update, download a software firewall, run a bunch of anti-malware scanners, and use Firefox, -or-
c) Do nothing, because "there's nothing important on my computer anyway."
Microsoft went through a lot of effort to make sure there were tons of unpatched systems out there when they started throwing up "windows genuine" everywhere, and having the average user jump through so many hoops. Then there's the two hour process of installing Service Pack 3. Who wants to waste two hours on a ginormous OS update when they can play WoW some more? And god help you if one of a thousand failure conditions crops up and it dies, telling you to reinstall the entire OS. The average Windows user is caught between knowing their systems are vulnerable and playing a rat race that requires knowledge and process they don't understand to keep their systems secure.
Big surprise when they choose the devil they know.
Reply from Conficker authors (Score:3, Insightful)
"Thanks Dan! We'll be sure to patch this problem in the next Conficker update."
Re:i find it so hard (Score:5, Insightful)
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
Re:i find it so hard (Score:5, Funny)
Hi, I'm the author of Conficker and the payload is to get a first post on slashdot. Get ready assholes.
Re:i find it so hard (Score:4, Funny)
Hi, I'm the author of Conficker and the payload is to get a first post on slashdot.
That's it? You wrote a worm to get a first post on Slashdot? Damn. How lame are you?
-1 Whoosh (Score:2)
You took that seriously. How lame are you?
Re:-2 Whoosh (Score:2, Funny)
You took that seriously. How lame are you?
You took that seriously. How lame are you?
Re: (Score:2, Funny)
You took my post seriously, so how lame am I?
Guess my punchline wasn't snappy enough... :(
Re:-1 Whoosh (Score:5, Funny)
The comment system is temporarily disabled while we resolve this revolving door bug. Apologies for any inconvenience.
Re: (Score:3, Funny)
I'll be honest, while normally the first post thing is pretty lame, writing a badass virus to do it would strike me as pretty cool and delightfully overkill.
Re: (Score:2)
Kind of the ultimate hack, no?
Use some n00b's computer to do your bidding and get first post on a geek tech board that said n00b doesn't even know exists, forget about has ever visited.
Yeah.....that's pretty cool.
Re: (Score:2)
I was thinking more like using 1000lb of thermite to cut an SUV in half, but you get the idea.
Re:i find it so hard (Score:5, Insightful)
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Seems like a pretty GOOD reason to genuinely care, if you ask me.
Not really... we can be reasonably sure that Conficker is designed to do what the previous five generations of worms did, only more effectively: provide nodes of a botnet for hire, so criminals can send spam, threaten DDOS attacks etc. It's annoying, but the internet lives on. Why would the purpose suddenly become radically different just because the implementation has been improved?
Re: (Score:3, Interesting)
If this is the aim, why would it make sense for the worm to have a grand activation date, rather than just increasing the size of the botnet as fast as it can? Time is money, and if there are as many infected machines as its thought there are, then this is just wasted opportunity since it was released into the wild.
Genuine question. Maybe in its inactive state it makes it harder to trace and shutdown? But if not, it seems that if the purpose is a botnet it would be better to have it working as such from
Re:i find it so hard (Score:4, Informative)
There is no 'grand activation date'. April 1st *or later* when it updates itself.. it's more likely to upgrade to conficker D than do anything else.
It's just not in the authors' interest to do any damage - whilst people don't know they are infected they can participate in the botnet. If the virus makes itself obvious then all that potential revenue is destroyed.
The f-secure blog puts it best: http://www.f-secure.com/weblog/archives/00001636.html [f-secure.com]
Re: (Score:2)
It is not necessarily a grand activation date.
It is just one of the (many) predefined dates where the worm switches auto-update mechanism.
It has a current auto-update mechanism, so a new payload could be handed out anyway, whether or not the April 1st code exists or not.
Re:i find it so hard (Score:4, Funny)
Because it was created for E V I L ?
I think it's going to cause all computers to turn into a small thermonuclear bomb (that's what computers are made of, plutonium and Selenium!) and destroy the planet in the name of some stupid reason.
WE ARE ALL GOING TO DIE!!!! PLEASE START PANICKING NOW!
I'm already looting the vending machines in the lunch room and built a bunker near them with boxes of last years TPS reports, the recycling buckets make good helmets.
And they all said I over-react. Who's the fool now!
Re: (Score:3, Funny)
There is a virus infecting a huge number of systems and no one knows what it is destined to do.
Sir, if everyone followed your paranoid, alarmist thinking, then we'd all be afraid of Microsoft Windows itself.
Oh wait...
Re:i find it so hard (Score:5, Insightful)
First, most of the "what will conficker do?" possibilities have the distinct potential to be unpleasant for everybody. We are almost definitely looking at extra spam, or worse.
Second, and ultimately more important, is the fact that Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions. That is Bad.
Sure, actually caring about the newbs, as they do the same stupid things over and over, gets really old really fast; but, when they visit the internet, I want them to have a good time because we are well past the point where they will just leave if they don't like it. They'll vote for a bunch of police powers and be back. Nobody wants that.
Re: (Score:2)
Joe and Jane Average's feelings about computers and the internet are defined largely by a combination of their experiences with computers at home and at work, and stories in the media about computers. If their experience is one of unrelenting danger, constant infection, and identity theft and whatnot, they'll be much more supportive of draconian policy decisions.
It also doesn't help that all the mainstream media coverage of this has called it a "computer worm/virus" (no mention of the target software), and the people they interview are more interested in fear mongering than giving any security advice at all.
Oh please confess... (Score:3, Insightful)
My own pet theory (based on nothing but speculation) is that come April 1st, nothing will happen. And then someone will wave their hand and say "hey, I made conflicker" and get rich from interviews, while the rest of us giggle at the hilarity of this massively-hyped april fool.
Oh please let that "someone" stand up in the cube next to me. I could use some of that MS reward money right about now...
Oh, and it's gonna be kind of hard to get rich from interviews while occupying a cell in Gitmo. No, I doubt I'm overreacting here, in this day and age, this is an "act of terrorism".
Re: (Score:2)
Actually, it's just a conspiracy from all of us security-types. We haven't had a good global-scale emergency in a while and were getting a bit bored.
There really is no Conficker. In fact, the name itself is an anagram for "Dan Kaminsky pwns joo"
Re:i find it so hard (Score:5, Insightful)
to genuinely care about the hype surrounding this worm when no one knows what it's destined to do, and the problem stems from a host operating system with a near two decade track record of this sort of stuff.
A few things:
1. If you have 1 million+ infected hosts, and all the bandwidth that these hosts have access to, and can use these resources to do whatever you please, you pose a serious threat to many groups with a presence on the internet and an interest in its wellbeing. Do I really need to spell it out to you why it's important to care?
2. No, the problem in this case stems from people not patching their systems when security updates are made available. Microsoft made the patch available _LONG_ before Conficker was even a problem. Microsoft released the patch on 15th October 2008. What does this tell you? It means that effectively 99%+ of infected machines are infected because they weren't patched, either due to ignorance, sloth, or a combination of.
If I never patched my Linux/BSD servers when security flaws were discovered, they'd be rooted pretty fast too. Fortunately, most of the OSS community knows that security patches are important and need to be applied, not ignored. Elements of the Windows world don't share this culture, and it needs to change, so that worms like Conficker aren't able to thrive.
Re:i find it so hard (Score:5, Informative)
So, every single computer out there with a Conficker infection due to the exploit infection route could have been secured if patched. I would bet that would make for a gigantic reduction in the size of the Conficker botnet.
Re:i find it so hard (Score:5, Insightful)
Microsoft distributes security updates to _ALL_ editions of Windows that are currently maintained irrespective of the legality of the license. However, if you are not running a legal license, you can only receive updates through Automatic Updates, limited purely to security updates. Use of Windows/Microsoft Update and/or the downloading of non-security updates requires a valid license. The reasoning for this is to prevent exactly what you accuse Microsoft of not doing, reducing the risk of large viral/worm outbreaks and the impact of such outbreaks on Windows users, particularly those with legal licenses. Even if you completely fail WGA validation, you still will receive security updates through Automatic Updates.
Ideally, I'd prefer MS to permit security updates through the WU/MU frontend even if an invalid license is detected. I'm not sure what error message is displayed and if it prompts for Automatic Updates to be enabled or informs the user that they can still receive security updates through AU. However, the point remains that MS still permits a legal avenue of obtaining such updates, despite running an invalid license, at THEIR cost of distributing such updates.
There is no excuse for not being patched.
Re: (Score:3, Interesting)
you are probably 100% right that you can still get security updates through AU but it appears that there's a lot of PCs with automatic updates turned off or there wouldn't be such a large problem.
Joe User, legal or not, doesn't want some automated process going through his details, after all it could get him in trouble.
The reality of the policy hasn't mattered since WGA started, it's the perception that's kept a lot of people away from windows updates.
Even people with genuine licensed windows quite often hav
Re: (Score:2)
Only the non-pirated ones.
Re: (Score:2)
That happens - There's a class of admin who won't apply MS updates unless they think it affects them directly, and sometimes not even then. They are the people who've gone beyond healthy paranoia (don't change what's working) to stupidity (don't apply critical security updates because they might break stuff).
There's also dumb firewalls/proxies that won't let the updates through.
There's no excuse for a business to be infected with conficker... if it happened here half the IT would find themselves on the str
Re:i find it so hard (Score:4, Informative)
I'd say as a rough guess, that 75% of viruses/trojans/malware nowadays turn off Windows Update as part of the infection process.
Somebody gets one of these fake Facebook spams, goes to the site in question to see Amanda Whatserface doing her striptease on stage, downloads Adobe_Player11.exe, so they can see the video, and bam. They're infected.
And before you bitch about them not having up to date antivirus.....I sent this file to virustotal.com a couple of days after I first got one of these spams, and it was detected as a known virus by a grand total of zero scanners.
Two flagged it as a suspicious file, and the rest (37 or so) let it sail on through.
Somebody gets hit with one of these things, and they'll have no A/V, no Auto Updates, and probably no firewall. They won't know it, because they'll also have no Security Center Service.
Or there's the possibility that they got infected, took their machine to a big-box moron to get it fixed, and the idiot in question cleaned the virus, but didn't enable all the disabled services. So again, no firewall, no Auto Updates.
It's not all because they're turned off intentionally.
Re:i find it so hard (Score:5, Insightful)
When you've gone to make some coffee and you come back to the message "An important update required a restart of your computer." the first question you ask is "Where did my work go?" The second question is "How do I stop that happening again?"
Re:i find it so hard (Score:4, Insightful)
This is much like the "linux uses a command line, so it's better. I don't care if you don't want to learn arcane syntax".
Windows is hard to configure correctly. If you don't know the magic registry line, or which utility buried in the system folders to use, there's no way in hell you can make the fine-grained adjustment not to automatically restart. On the other hand, turning off system updates entirely is easy. I'd count the clicks if I had a windows box available, but I guarantee it's not that many.
Re:It just amazes me (Score:5, Informative)
I've often wondered why Microsoft just doesn't implement some sort of security in Windows like other OS's have. It might prevent this kind of thing.
You mean like patching the flaw MONTHS before Conficker was released?
What having something like an application which could scan for it and remove it? You could call it "Malicious Software Removal Tool" and get it to run when automatic updates are done which would be handy. You could also allow users to run it themselves if they wanted by, say, clicking on Start, Run and typing in mrt...
Oh wait...
Re:It just amazes me (Score:4, Funny)
seriously ? it is named "Malicious Software Removal Tool" ? so we could call it... "ms removal tool".
that's the best name of software coming from microsoft in a long time.
Re:It just amazes me (Score:5, Insightful)
"You must be logged on as a member of the Administrators group to run the tool."
A "user" can't run the MRT or apply automatic updates, you have to log in as an "administrator." If you regularly log in as a "user" you won't even be notified by Windows that there are updates available! This is why just about everyone who uses Windows logs in as administrator all the time. I think THAT is one of the most important security holes.
Re: (Score:3, Funny)
For the same reason that a bomb technician doesn't reset the timer to zero just to see what the bomb does. Sure it may be a dud and do nothing, or it may be huge and blow up in their face.
Re: (Score:3, Interesting)
ipc0nfig: ...why not just move the computer clock forward to April 1st, and see what Conficker does.
cdrudge:
For the same reason that a bomb technician doesn't reset the timer to zero just to see what the bomb does. Sure it may be a dud and do nothing, or it may be huge and blow up in their face.
I think ipc0nfig has a fair point - you could run a date-adjusted infected machine in a VM, isolated inside a virtual network, and monitor any disk/network activity.
Of course, you might not know what'll really happen unless you let it phone home, and even then you might not see what will happen on April 1st; but it might give more clues about which external addresses to block.
Re: (Score:3, Interesting)
Sure you can. And add a transparent proxy to change the headers to the false, moved-forward time.