Microsoft Warns of Copycat Conficker Worm
nk497 writes "Microsoft is warning that malware writers have adapted a four-year-old virus to use features of Conficker to take advantage of Windows flaws. Other similarities between the adapted Neeris worm and Conficker are that it downloads a copy of the worm from the attacking machine using HTTP, spreads via autorun, and uses a driver to patch the TCP/IP layer of the system. It even saw a traffic jump around the first of April, when the Conficker hype peaked. But the Microsoft researchers suggested Conficker may have copied Neeris, or that they're copying each other: 'It is possible that these miscreants somehow collaborate or at least are aware of each other's "products."'"
Re: (Score:1)
but not... the SYMPTOM!
</frank-n-furter>
Uh oh (Score:5, Insightful)
This could go one of two ways: either the viruses will try to outdo each other by doing more and more outrageous things to the victim's computer, or (and let's face it, this would be more amusing) they'll try to kill each other to get sole ownership of the PC.
Either way, I'm glad I use Linux.
Re: (Score:1)
http://xkcd.com/350/ [xkcd.com]
Re: (Score:3, Interesting)
Re: (Score:2)
Either way, I'm glad I use Linux.
So am I because you can't pass it on to others.
Re: (Score:2)
Sure you can, freely and legally.
Re: (Score:3, Funny)
The viruses will try and outdo each other by doing more and more outrageous things to the victim's computer
I miss the viruses of the '90s that would randomly open and close your CD tray. They should bring that back. Slightly amusing, and they didn't steal personal data.
Re: (Score:2)
Hell yes! BackOrifice ftw. I used to pop the CD drive on a friend's machine (remotely), put up a msgbox saying "Feed me bologna!". Since you could detect the drive being closed, I would just repeat as necessary.
Re: (Score:2)
http://angryflower.com/bobsqu.gif [angryflower.com]
Re: (Score:1)
http://xkcd.com/386/ [xkcd.com]
autorunamuk (Score:2, Funny)
when will they ever get rid of that?
Re: (Score:2, Informative)
It's pretty rare on Windows to actually need to reboot for software installation. The only things you can't really do are replace or delete files that are in use, and remove / replace a driver without rebooting.
The real secret - it hasn't really ever been necessary. Almost everything you'd want to do in an application installer could be done without rebooting even on Windows 95. Only system-level software (drivers, for example) ever really needed a reboot, and even that never really needed it on Windows NT.
Re: (Score:1)
Re: (Score:2)
Re: (Score:3, Informative)
No, they are updating an old virus to use the new flaws. Think about it. If the old virus used the same security holes as Conficker then it would not need to be updated.
Re:Four years? (Score:4, Insightful)
Conficker only affects out-of-date systems made vulnerable by idiots turning off security systems to gain a small performance improvement.
But hey, don't let me interrupt your "Bash M$; get karma" rant...
Re: (Score:3, Interesting)
This is untrue. Conficker uses a variety of ways to spread itself, such as installing itself as autorun on various volumes. It also includes a password attack to get admin access to a machine and infect SMB shares.
It may use additional methods as well. This is part of the reason conficker is getting so much press.
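The autorun vector mentioned above works because Windows reads autorun.inf leniently: lines it cannot parse are simply ignored, so a file padded with junk still launches its payload while tripping up strict INI parsers. The following analyser is an added example (not code from the thread or from Microsoft) that mimics that leniency and flags any directive that would execute a program; both autorun.inf samples are constructed for illustration, and the RECYCLER\dropper.exe path is a placeholder.

```python
"""Tolerant autorun.inf analyser (added example, not from the original page).

Windows ignores autorun.inf lines it cannot parse, so an attacker can pad the
file with garbage to dodge naive signature or INI-based checks. This parser
keeps only well-formed key=value lines inside [autorun], as Windows does, and
reports every directive that would launch code when the volume is opened.
"""
import re

# Directives that run a program on insertion or double-click.
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... adds a context-menu verb that runs a program.
SHELL_CMD_RE = re.compile(r"^shell\\[^\\]+\\command$")


def parse_autorun(text: str) -> dict:
    """Lenient parse of the [autorun] section: junk lines are skipped, keys are
    lower-cased, later duplicates overwrite earlier ones."""
    entries = {}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue                      # padding or unrelated section: ignored, as Windows does
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if key:
            entries[key] = value.strip()
    return entries


def launch_directives(entries: dict) -> list:
    """(key, value) pairs that cause program execution."""
    return [(k, v) for k, v in entries.items()
            if k in EXEC_KEYS or SHELL_CMD_RE.match(k)]


def assess(text: str) -> dict:
    """Parse and summarise one autorun.inf body."""
    entries = parse_autorun(text)
    launches = launch_directives(entries)
    return {"entries": entries, "launches": launches, "executes_code": bool(launches)}


# Constructed sample: a data volume that only sets an icon and label.
BENIGN_INF = """[autorun]
icon=setup.exe,0
label=Photos 2009
"""

# Constructed sample: junk padding around directives that launch an executable,
# with a lure label imitating the stock Windows "open folder" prompt.
SUSPICIOUS_INF = """garbage line with no equals sign
[autorun]
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@#$%^&*()_+ more padding that Windows ignores
open=RECYCLER\\dropper.exe
shell\\open\\command=RECYCLER\\dropper.exe
action=Open folder to view files
icon=%SystemRoot%\\system32\\shell32.dll,4
"""

if __name__ == "__main__":
    for name, inf in (("benign", BENIGN_INF), ("suspicious", SUSPICIOUS_INF)):
        print(name, assess(inf))
```

On the host side, the complaint about autorun can be answered by the NoDriveTypeAutoRun policy value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer: 0xFF disables autorun for every drive type, which removes this vector regardless of what the .inf contains.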
Re: (Score:2)
Re: (Score:2)
> It also includes a password attack to get admin access to a machine
RT virus scans and patches won't save you from that.
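A password attack against the local administrator account does not need an exploit, so a real-time scanner has nothing to match; what it does leave behind is a burst of failed logons from one source host. The following detector is an added example (not code from the thread) that runs a per-source sliding window over failed-logon events (IDs 529 on 2000/XP/2003, 4625 on Vista and later) and then checks whether the same source logged on successfully afterwards (540 or 4624), which is the sign the dictionary guessed right. The CSV rendering of the Security log is constructed for illustration; real exports carry more fields and the thresholds are assumptions.

```python
"""Failed-logon burst detector (added example, not from the original page).

Input is a constructed CSV rendering of Windows Security-log events with the
columns time,event_id,account,workstation,source_ip. Real exports differ in
shape; the threshold and window below are assumptions to tune per site.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

FAILED_LOGON_IDS = {"529", "4625"}   # failed logon: 2000/XP/2003 and Vista+
SUCCESS_LOGON_IDS = {"540", "4624"}  # successful (network) logon: 2000/XP/2003 and Vista+
THRESHOLD = 5                        # failures from one source inside WINDOW raise an alert
WINDOW = timedelta(seconds=60)

# Constructed sample: one host hammers 'administrator', then gets in.
SAMPLE_LOG = """time,event_id,account,workstation,source_ip
2009-04-01T10:00:00,4624,jsmith,WS17,10.0.0.17
2009-04-01T10:00:05,4625,administrator,WS42,10.0.0.42
2009-04-01T10:00:06,4625,administrator,WS42,10.0.0.42
2009-04-01T10:00:06,4625,administrator,WS42,10.0.0.42
2009-04-01T10:00:07,4625,administrator,WS42,10.0.0.42
2009-04-01T10:00:08,4625,administrator,WS42,10.0.0.42
2009-04-01T10:00:09,4625,administrator,WS42,10.0.0.42
2009-04-01T10:05:00,4625,jsmith,WS17,10.0.0.17
2009-04-01T10:45:00,4625,jsmith,WS17,10.0.0.17
2009-04-01T11:30:00,4624,administrator,WS42,10.0.0.42
"""


def detect_bruteforce(csv_text, threshold=THRESHOLD, window=WINDOW):
    """Sliding window of failed logons per source_ip.

    Returns one alert per source that reaches `threshold` failures within
    `window`; a user mistyping a password twice an hour never qualifies."""
    recent = defaultdict(deque)          # source_ip -> deque of (time, account)
    alerts = {}
    for row in csv.DictReader(StringIO(csv_text)):
        if row["event_id"] not in FAILED_LOGON_IDS:
            continue
        t = datetime.fromisoformat(row["time"])
        q = recent[row["source_ip"]]
        q.append((t, row["account"].lower()))
        while q and t - q[0][0] > window:  # drop failures outside the window
            q.popleft()
        if len(q) >= threshold and row["source_ip"] not in alerts:
            alerts[row["source_ip"]] = {
                "source_ip": row["source_ip"],
                "first_seen": q[0][0].isoformat(),
                "failures": len(q),
                "accounts": sorted({a for _, a in q}),
            }
    return list(alerts.values())


def compromised_sources(csv_text, alerts):
    """Sources with a successful logon after their failure burst began:
    the guessing most likely succeeded and the host should be isolated."""
    first_seen = {a["source_ip"]: datetime.fromisoformat(a["first_seen"]) for a in alerts}
    hits = set()
    for row in csv.DictReader(StringIO(csv_text)):
        ip = row["source_ip"]
        if (row["event_id"] in SUCCESS_LOGON_IDS and ip in first_seen
                and datetime.fromisoformat(row["time"]) > first_seen[ip]):
            hits.add(ip)
    return sorted(hits)


if __name__ == "__main__":
    found = detect_bruteforce(SAMPLE_LOG)
    for a in found:
        print("burst:", a)
    print("likely compromised:", compromised_sources(SAMPLE_LOG, found))
```

The point of the second pass is triage: a burst that ends in a successful logon from the same source is an infected neighbour that now holds admin credentials, which no amount of patching on the target would have prevented.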
Re: (Score:2)
Re: (Score:2)
Except they really do not. The *next* generation is *supposed* to do behaviour monitoring instead of definition files, but the current generation does not.
Also, conficker disables most AV Scanners, making the point moot.
Re: (Score:2)
Except they really do not. The *next* generation is *supposed* to do behaviour monitoring instead of definition files, but the current generation does not.
No "behaviour monitoring" is necessary if the scanner recognises the code being executed is a virus. And most modern scanners do have behaviour monitoring in the form of intelligent heuristics that can (sometimes) detect threats that aren't defined in a virus definition file.
Also, conficker disables most AV Scanners, making the point moot.
Only if it's allowed to execute, which it shouldn't be if a good real-time scanner with an up-to-date DAT file is present on the system.
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
It's like stealing a plant from a store, refusing to water it, then when it dies you get mad at the store that you stole it from. Tough balls.
Re: (Score:1)
Re: (Score:2)
Look, if you're running an illegitimate copy of Windows, and you have problems with it, tough. (If you're running a legit copy that WGA thinks is illegitimate, complain to Microsoft. Or make a voodoo doll of Steve Ballmer, and put it in front of Gilligan's Island reruns. Or whatever. It isn't really my problem, except if it happens to me when I boot up Windows to play a game.)
My objection is that anybody running an unpatched copy of Windows makes my life more difficult. If people would figure out som
Re: (Score:2)
I understand your argument, but couldn't one conversely blame Microsoft? After all, if they didn't expressly prevent these machines from getting updates, this wouldn't be as big of a problem.
Shocking... (Score:5, Insightful)
Seriously, though. It would be more of a surprise if they weren't doing this. Of course players in a competitive market are going to be watching each other and adopting each other's best features.
Worms copying each other (Score:4, Interesting)
How long before each worm includes a copy of its source code in a git repository, searches out other variants of the same worm on the infected system or across the net, and randomly exchanges patches with them to create hybrid offspring? The worm would need some way to compile itself, of course (unless written in Javascript or other scripting language where the interpreter is included with Windows).
Re: (Score:1)
Because the strain would have to be identifiable. This means greater detection by virus scanners and the possibility of being exploited by rogue creations.
The authors more than likely have a code repository on their systems that they share with each other. Hell, search hard enough and you can find this code shared on their personal websites. The innovative authors take pieces of code from others and re-release the source. Another favorite is decompiling code from an author who chooses not to help others.
Re: (Score:1)
How long before each worm compares copies of other source code, checks it for copyright and patent infringement, and automatically fires off legal threats?
Re: (Score:2)
Re: (Score:1)
A way of getting around this would be to code your virus in a self-modifying assembled object. Ah, there's hope for us old Real Programmers [pbm.com] yet. Just when you kiddies thought we were all getting a bit smelly...
Miscreants! (Score:5, Funny)
Why, I very nearly dropped my monocle when I heard that the rascals might be in cahoots! Perhaps they have some sort of network (a system of tubes, perhaps?) that allows them to share their diabolical plans! Fiendishly clever!
We must safeguard our computing engines! I say we must find these rogues and hang them from the highest scaffold in the land!
Copyright...? (Score:2)
What to say? (Score:2)
Considering Conficker has been all over the news and the maker of Neeris would have to be working in a cave beside Osama not to have seen anything about it, I dare say it is more than freakin' likely they know of each other's products.
Now if only Microsoft knew as much about Window
Microsoft wants you to have the genuine worm (Score:5, Funny)
They will shortly be releasing a tool to test your system to make sure you have the real worm and not some impostor/pirate copy of the worm. This will be an extension of the WGA program.
The new Windows Replica Advantage (WRA) program (Score:2)
Of course! They're connected to teh intertubes (Score:5, Interesting)
"It is possible that these miscreants somehow collaborate or at least are aware of each other's 'products.'"
Well, no shit, Sherlock. Guess they must have Internet connection too, then...
With all the resources at Microsoft's disposal, you'd have thought that they'd have come up with a specific fix. Yes, I'm aware that regularly-patched machines are better protected, but the evidence is clear that many people don't do that; (and not just the pirates, either).
If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?
Re:Of course! They're connected to teh intertubes (Score:5, Insightful)
Disagree. Windows security issues are a major concern for Microsoft's customers, and hence to them. Apple, BSD/*x and FOSS boosters, (and yes, I'm one) regularly point out how much more 'secure' their platforms are. (Of course, as debated endlessly here and elsewhere, that may be as much a function of market share as inherent design, although few informed people would seriously challenge the latter).
Of course, it's not just the OS, it's the apps. Ms makes a lot from selling 'Office' too, which has its own vulnerabilities.
So, since the competition is 'free' (*x & Ooo) and more secure, yes, I guess they do give a damn.
Re: (Score:3, Interesting)
I disagree with that statement. IMHO, Windows users are either:
1. Concerned about viruses, but they think their machine has some magical immunity because they don't actually think their machine might ever be infected, OR:
2. Are totally clueless about viruses and spyware.
Even on forums where experienced users post, how many times have you seen a post that is something like: "I don't use anti-virus, I'm j
Re: (Score:1)
I hope you're not trying to imply that it's impossible to be safe on Windows without anti-virus. Being careful about where you browse is stupid, as any site can get hacked to spread malware.
Using common sense, like not blindly opening attachments, being behind a NAT router and/or firewall and using a web browser that isn't IE that gets updated regularly goes a long way towards being malware-free. You can go even further and implement a whitelist for programs (instead of the anti-virus blacklist, which is on
Re: (Score:2)
The funny thing is that its nearly impossible to prove the negative of "they just haven't been aware of the infection on their machine!" Your Linux box has a secret virus that only a few people know about, and has managed to hide itself so well you don't even realize you have it! Prove I'm wrong. How are you going to do that? I suppose you could run anti-virus, at which point I could say that your anti-virus just doesn't know about it. You could do checksums, until I say that it uses a weakness in the
Re: (Score:2)
(Of course, as debated endlessly here and elsewhere, that may be as much a function of market share as inherent design, although few informed people would seriously challenge the latter).
Which part of the "inherent design" of Windows makes it less secure?
Re: (Score:2)
They only give a damn about security issues that are public. Unknown ones they just sit on, as has been demonstrated several times with vulnerabilities like the Windows meta file one.
Re: (Score:2)
Re: (Score:2)
If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?
The virus does its best to block attempts at removal as you'd expect, but still, you seem to be referring to something along these lines [microsoft.com] with specific instructions on detection and removal from M$, or perhaps even the Windows Live safety scanner, which despite its crappy-sounding name apparently detects and removes it.
/. and bashing the evil corporation usually results in "sheeple" modding you up, but did you really think M$ wouldn't have thought about supplying people with the means
Yes I know this is
Re: (Score:2)
Thanks, I was actually aware of all that stuff.
Now I invite you to navigate to the page you linked to - where's the big red button marked 'Worried newbie? Click here to download/do online scan now'.
Links to that button should be all over the net.
They're not. Why?
Re: (Score:1)
You see stories all over the press about "this accident". You don't hear about the people that cleaned it up. "The internet in X places went down yesterday" - no followup of "The internet is back for those that suffered".
Re: (Score:2)
Because the media are just as bigoted as you in hating Microsoft
Don't hate Ms - check my posting history. Still think they could do a lot more on security, tho'.
Re: (Score:2)
Thanks, I was actually aware of all that stuff.
Oh, sorry, I must have misunderstood when you wrote "you'd have thought that they'd have come up with a specific fix", and it was utterly stupid of me to link to a page with a specific fix.
Now I invite you to navigate to the page you linked to - where's the big red button marked 'Worried newbie? Click here to download/do online scan now'.
For those unable to read, comprehend and follow instructions there are two big blue buttons that say "Get help now". Sorry they're not red.
Links to that button should be all over the net. They're not. Why?
Put "remove conficker" into Google and you're about three clicks away from a number of downloadable removal tools. Sorry, but anyone that can't be bothered to read a little and wants a
Re: (Score:2)
With all the resources at Microsoft's disposal, you'd have thought that they'd have come up with a specific fix. Yes, I'm aware that regularly-patched machines are better protected, but the evidence is clear that many people don't do that; (and not just the pirates, either).
How about if Microsoft would mod the "malicious software removal tool" to patch only the vulnerabilities that any removed malware exploited?
Re: (Score:2)
sed 's/2b: unpatched/2b: unexploited/'
Me and my mad previewz skillz.
Err Morro??? (Score:1)
http://www.pcworld.com/businesscenter/article/154146/microsoft_drops_onecare_antivirus_product.html [pcworld.com]
That being said, there will probably still be the Genuine Disadvantage stuff.
Re: (Score:1)
Re: (Score:2)
If Ms supplied something that detected/removed/protected against up&down, (free, with no 'Genuine Advantage / Validation' bs), then I'm sure pretty soon all the media would link to that & the sheeple would rush to download & install... How about it, Redmond?
They do.
Malicious Software Removal Tool [microsoft.com]
Download Link [microsoft.com]
Technical Details [microsoft.com]
You'll note said tool does not require any validation to download, anyone can download it regardless of the legality of their copy of Windows; no validation or genuine advantage required, period.
This tool is also regularly distributed via Automatic Updates/Windows Updates to help clean out any infections that computers that use these services may have contracted, either because they weren't patched, or some other mechanism tha
MAD Magazine (Score:1, Offtopic)
Idiots guide to detecting Conficker (Score:5, Informative)
This tickled my funny bone for some reason; you have to love the let's-use-pictures approach!
Grammar Nazi (Score:1)