Downadup, the superworm that attacks a patched vulnerability in Microsoft Windows, is making exponential gains if estimates from researchers at F-Secure are accurate. They show 6.5 million new infections in the past four days, bringing the total number of machines it has compromised to almost 9 million. The astronomical growth …
Where is government ? Where are the lawyers?
We all know our various governments spy on various percentages of emails and other web traffic, especially those that cross national borders. And perhaps/probably this spying is excessive.
For the cost to privacy of this major intrusion, it certainly does not seem to be helping national security or individual security in any meaningful way -- if it did the authors of this worm would be locked up right now.
Why isn't protecting the public and the nation when the public can't protect itself the purpose of government?
For example, why is proof of identification not required to register a domain name?
A domain name on the internet is published, so it is public. I can see keeping the identification of the domain owner confidential between the registrar and the domain owner, but only until a valid court order is produced.
So here we have an example of a simple non-intrusive security measure that would be effective: requiring valid personal identification. Does the fact it is non-intrusive makes it unattractive to the law enforcement and the intelligence community?
For nobody, not even the registrar, to know who the owner is, is an abdication of responsibility bordering on, and maybe surpassing, gross negligence.
Such gross negligence on the parts of registrars and ISPs is causing us all to run more and more expensive (in terms of computer resources) anti-malware tools and operating systems. (Yes, invulnerable sections of code require more resources.)
I'd really like to see some lawyer types in a major jurisdiction launch some class action lawsuits on this.
I (and much of the public) malign lawyers and law enforcement, but this is a situation where they could easily step in, and where they should step in, because this worm and malware in general is a gross threat to the privacy of us all as individuals, and is a threat to economic and national security.
Have the "central control" send a message to self destruct. If the security guys know where it is going to connect, just have a domain name waiting that has the proper destruct sequence. Then add in a nice patch that inhibits further infection.
Am I being too obvious here?
If the security researchers understand the worm correctly, use it against itself. Hopefully sooner than later!
'massive networks of infected Windows machines'
Oh! didn't I say this in another thread?
> Have the "central control" send a message to self destruct.
Because that would be hacking, which is illegal. I happen to believe that there should be exceptions in the law to allow trained Police officers to do that sort of thing (probably with judicial pre-approval for each specific case), but there currently isn't.
Also, you rapidly run into jurisdictional issues (even if it's legal in the UK the person who does it might find themselves extradited to the USA & prosecuted there for disinfecting a PC in the USA; and IP-address-based geotargeting isn't perfect). There are also major liability issues for when it goes wrong (and writing bugfree software that runs under every version of Windows is impossible, so it will go wrong).
Also, @Where is government ? Where are the lawyers?:
> why is proof of identification not required to register a domain name?
Well you probably need at least a credit card. But it might be a stolen card. If I had a 9m-strong identity-stealing botnet, then providing a stolen ID to register a domain name would be kinda easy.
One in three?
Those one in three who have not updated would not happen to be those who find Windows Genuine Armlock to be unfair and intrusive would they?
"We all know our various governments spy on various percentages of emails and other web traffic, especially those that cross national borders. And perhaps/probably this spying is excessive."
No, we don't all know that. Accepting the premise that some governments do monitor some communications (I do believe this is true) does nothing to indicate the scope of the monitoring, nor the quality of analysis.
"For the cost to privacy of this major intrusion, it certainly does not seem to be helping national security or individual security in any meaningful way -- if it did the authors of this worm would be locked up right now."
There are so many assumptions in this paragraph it's hard to know where to start. First of all, we don't know how "major" the communications monitoring is. For the sake of argument, however, I'll give you the benefit of the doubt. Let's say that each government has access to all international communications. The next assumption is that the government has the capability to analyze these communications in real-time (because if they couldn't the backlog would grow exponentially). But let's give that to you as well. We next have to assume that the perpetrators have in fact identified themselves and given away their locations in international communications. Then we have to assume that these worm authors are, in fact, high enough on the list of criminals exposed by this supreme analytical database for the government to allocate resources to apprehend them. Then we have to assume that the government has either a) some legal agreement with the government of the location where these individuals are residing, or b) the resources and the nerve to invade the sovereignty of another nation (okay, maybe I'll give you that -- but for a few worm-writers...?) Then we have to assume that the government would necessarily publicize its efforts, which I find highly unlikely given that such would likely expose illegal activity on the part of the government.
"Why isn't protecting the public and the nation when the public can't protect itself the purpose of government?"
1. The public CAN protect itself -- the patch has been available for THREE MONTHS. There are also antivirus programs, firewalls, alternative operating systems, just doing something else instead of using a computer...
2. The purpose of government is to protect the interests of said government. Anything more is an assumption of your ideology.
"For example, why is proof of identification not required to register a domain name?"
Because it's worked so well in bars and at border crossings? For the record, contact information is necessary to register a domain name, but there's no easy way to prove identity. There is no such thing as a reliable proof of identification. All attempts at creating such a thing have met with strong opposition from privacy advocates, as it would require large amounts of personal information in the hands of those with questionable ability to protect it. In fact, I find it ironic that you bemoan governments' excessive monitoring of communications and yet propose a solution which would require an equal invasion of privacy. It's clearly not as "non-intrusive" as you think.
"For nobody, not even the registrar, to know who the owner is, is an abdication of responsibility bordering on, and maybe surpassing, gross negligence."
The owner of what? The worm-writers haven't registered any of the domains the worm is contacting. That's why the security professionals have been able to register them.
"(Yes, invulnerable sections of code require more resources.)"
Significantly more resources? Not likely. Not if your development is security-focused to begin with and if you develop on security-focused platforms.
"I'd really like to see some lawyer types in a major jurisdiction launch some class action lawsuits on this."
"I (and much of the public) malign lawyers and law enforcement, but this is a situation where they could easily step in, and where they should step in, because this worm and malware in general is a gross threat to the privacy of us all as individuals, and is a threat to economic and national security."
No, they could not easily step in. And no, this is not a reasonable prioritization of resources. Bringing these people into a court of law isn't going to fix the infected systems, or prevent anyone else from registering the domain names those systems will contact in future. It also will do nothing to stop the real crimes that are happening on a daily basis. The inconvenience of patching security flaws and using antivirus software is NOT on the same order of magnitude as the major financial scams and physical violence and exploitation, not to mention inefficient use of resources, global pollution, etc., which are going on in our lovely world. And if the lawyers and the government can't stop those, why do you expect them to be able to fix the IT world's minor boo-boos?
Have some fairy cake and get yourself a sense of proportion.
Maybe CIA could assassinate scumbags
Steven Knox wrote:
"Bringing these people into a court of law isn't going to fix the infected systems, or prevent anyone else from registering the domain names those systems will contact in future. It also will do nothing to stop the real crimes that are happening on a daily basis."
Hi Steve. I understand what you're saying, and I agree with many of your points. You have a rational/realistic view of things.
One has to wonder, though, if other steps might eventually be needed to combat this sort of thing - if it someday gets *really* out of hand to the point where it's threatening national security (or some other such serious-sounding thing like that, which would finally get the attention of the lawmakers etc.).
I agree that bringing people into court isn't much of a deterrent these days (revolving door, at least here in the U.S.).
However, if there should happen to be, say, a long string of gruesome unexplained *assassinations* of scumbag botmasters/spammers/etc., word would get around and it might start to have an effect, at least on new recruits. Being in the botmaster business might not seem like such an easy way to make money after all... having to watch their back all the time... wondering if they'd be next...
Where's the CIA when you need them, anyway? ;) Aren't they supposed to be good at that sort of thing? Or NSA or whoever.
(Okay, if one disagrees with the whole assassination idea as most civilized people probably would [at least publicly], then maybe just figure out some legal way to freeze the scumbags' financial assets - surely if humans can send a man to the moon ;) we ought to be able to find out where these miscreants are laundering their money and DO SOMETHING about it.)
Just my two cents.
@Jon, by way of Herby
>> Have the "central control" send a message to self destruct.
>Because that would be hacking, which is illegal.
No, hacking is not illegal. In fact, I make a pretty good living hacking, and have done since roughly 1974. I'm in the open, I'm not hiding, you can find me in the 'phone book. Occasionally, even law enforcement and the court system asks me to help out with ... uh ... "stuff".
The problem with the "central control" concept is that there isn't such an animal. It doesn't exist, at least not within the current iteration of what we call "the internet".
considering the lack of security offered from a PC
Bill G's true legacy...
An internet full of infected MS machines - his name shall live on forever - or at least until everybody does a clean install all at the same time.
As has been pointed out, if your windows machines have been patched in the last couple of months, then you have nothing to worry about.
I then wonder why most of the currently affected machines appear to be in Russia, China, Brazil etc. Could they be (shock horror!) pirated copies and therefore not allowed to be patched by MS?? (the "genuine" crap mentioned previously?).
As you sow, so shall you reap. My current favourite crop is Ubuntu.
What you do is under the auspices of law enforcement, with their permission and against machines within their jurisdiction. Now, try applying this principle to millions of machines all around the world, across multiple jurisdictions, sets of laws, and relations with your home country.
Jesus you idiots...
...who are calling for the spooks to swoop in, draconian new international rules on domain ownership and even, yes, assassination would be the first to get pissy were any of your governments to try and do any of that. Get a grip Keith / Alice. It's just fucking data.
I'm sure the govt would love to have a new raft of powers over a technology they seem incapable of understanding but at the end of the day you're dealing with an inter-fucking-national network and unless you can get your rules made law in every country in the world then you'll just get your ass hacked from somewhere else.
This shit is a fact of life, these are problems that you can't wish or legislate away - they have to be fixed. If your bank lets some russian teenager clean out your account your bank has failed, they need to sort _their_ shit out not send in a hit squad - I don't know if you've noticed but quite a few banks have started issuing secure tokens to their customers recently - that's a solution, installing your updates is a solution, being a bit more fucking careful is a solution, blaming the ISPs and the script kiddies is _not_ a solution.
"considering the lack of security offered from a PC"
You can get versions of Linux, BSD and Solaris that run on a PC these days, you know.
There is a little more to this worm than is being made clear
Already patched machines do get infected, either via windows shares or careless use of USB memory sticks
My fully patched machine was hit via a shared folder from a server in work. Both the server and laptop had a fully up to date version of CA antivirus.
Even when infection has been cleaned the rootkit the worm installs simply makes it look like the patch was applied (in reality it hasn't been).
Additionally the CA antivirus (for example) CAN'T fully disinfect Conficker; it requires several additional tools. In addition it appears that CA don't think that they will be able to include proper disinfection within their regular AV package.
From other accounts Sophos didn't manage to clean machines particularly well either, so don't expect things to get better for a while.
There's whole IT companies infected in the UK and I doubt that the rest of the world is any better in this respect.
AC cos you never know who is watching
Publish the details and/or code required to self-destruct the bots, in some sort of kneecapped form, then wait for some white hat in a country where there are less laws to fix your code and run it.
Does not involve any qualified government or police personnel (I seriously doubt their existence, most governments can't afford any qualified personnel these days), does not involve breaking any laws.
I believe this is what happened to storm.
Henny Penny! The sky is falling!...
So? Jaunty Jackalope and Hardy Heron are my friends.
@ Roger Heathcote
Less moaning minnie and more security patching action if you please!
The reason these viruses proliferate is typically due to lax security and patching policies! Get your systems up to date and keep them up to date and where will the virus be able to go! Lazy sys admins are the root cause of the reasons for viruses spread.
What is it with the world today, I don't want the UK Gov responsible for wiping my ass! they'd use up too much loo roll and then charge me to flush it!
Let them get on with whatever job it is they claim they do and let the rest of us mere mortals pull our fingers out and concentrate on keeping the planet spinning on its axle, tomorrow never comes to patch up today.
I think it was on the BBC site, they had a list of the estimated infected in countries - the UK and the US were at the bottom of the list, only 3000 in the States and nearly 2000 in the UK. The majority of infected were in China and eastern Europe,
so while it seems that western users are making use of the security patches, it's the rest of the world that is at risk.
internet censorship only applies...
... if there's a 100,000-1 chance it could f*ck up YOUR computer
I presume these guardians of our safety went through a huge number of legally acceptable steps to close down these sites
Double standards only apply to people with double standards.
Can we please
have some coordination between the A/V outfits so there's only *one* name for every virus, not two or three? Even the Reg hacks haven't agreed on what to call it.
Assuming what they found is a 'machines infected' counter, I think they're interpreting it the wrong way, given the discrepancy between counter totals and unique IPs seen. It could be counting the number of machines attacked, whether or not it's successful. Alternatively, the virus could attack a machine, then query it to confirm that it was successfully infected. If the target was already infected, it would still be counted as a successful attack. This would substantially over-count the number of infections as it spreads across a corporate network.
Regarding the comment "Those one in three who have not updated would not happen to be those who find Windows Genuine Armlock to be unfair and intrusive would they?", either you don't understand Windows Updates, or you're just trolling. I can't stand WGA, and I explicitly recommend that nobody install it. Having said that, it does NOT block Windows Updates. It DOES block you from going to the Windows Update website. Yes, there is a difference. Without installing WGA, the systems I administer update perfectly fine when set to automatic updates or download-and-notify. If I think there's an update my system hasn't checked for, I'll go into the Windows Updates control and disable it, wait 30-60 seconds, then re-enable it, and it will go out and immediately check for updates. My system is fully patched, and I do not have WGA installed or use the Windows Updates website.
Having said that, one reason people MAY not want to set Windows Updates to automatic is that as part of installation, it will automatically reboot your system no matter what. What's that, you say? You had something important open, or were running scientific simulations, Prime95, StressPrime2004, downloading a large file, etc? Too bad. It shows a dialog box that says it will reboot in 5 minutes, and if you don't click no, that's exactly what it will do, no matter what is open or what app is running. That's why I set my personal system to download-and-notify. Download-and-notify wouldn't be bad for most companies, either, as long as the users shut their systems down at the end of the day (and let Windows install the updates during shutdown).
update your systems
load linux, bsd etc.
I've loaded Fedora 10 on my laptop and it rocks. Easy to install, has all that I need and I didn't face any issues. Right from wifi, to the webcam to bluetooth, everything works pretty much out of the box. And did I mention that performance wise it's blazingly fast?
Oh and no antivirus. Don't need one. Linux is secure by design.
What are the ISPs doing?
If they told the ISPs the pattern of the domains, then they could start blocking the connection of the infected PCs until they are cleaned by the users. Put these systems into a walled garden with limited access to patching and clean-up tool sites.
If the ISPs offer a clean up service they could also make a bob on helping clueless customers clean up their PCs.
We have to solve the root problem
Get clients over to Open Source. We know MS can not produce reliable software. No wonder all our development has been moved to the LAMP stack - now get the clients to use a browser via Ubuntu, Mac or similar.
Let's solve the core problem, people - not chase tails over the symptoms.
Fully Patched is NOT fully protected
MS patches up to date.
AV definitions up to date.
Behind corporate firewall - no idea if THAT means anything.
Scenario: AV software detected 2 files, one quarantined, the other untouchable - oops.
Requires a supershell to allow permissions changes to registry to even see where the services were hacked so that the bastard worm could be disabled and destroyed.
Took several hours to clean all the machines in the office - most fully patched XP & 2000 boxes of the 2 different Downadup varieties we encountered.
Re:update your systems
"no antivirus. don't need one. linux is secure by design"
Linux is "more" secure by design, there are also less viruses written for Linux than for Windows but that does not mean you can neglect to install an anti-virus. It almost sounds like you are new to Linux (because you seem almost surprised that it is so easy to use these days) - in which case I am guessing someone you know told you that you don't need an anti-virus on a Linux install.
I've heard it all before and it's a common misconception that you "can't" get a virus on a Linux machine.
I believe there was talk of a White-Hat pushing out destruction code for the MyDoom / Sasser worm half a decade ago. As I recall, the scanning algorithm was so efficient that it caused more network traffic than the original worm.
Even with the best of intentions, sometimes they get it wrong.
But these are the same people who, being unable to work icons under Ubuntu because they look different, are recommended to use Windows "because it is so easy".
Someone that clueless about computers won't know that they don't have to go to the Website.
It is the users
They don't update, they don't upgrade, they run unverified executables, they don't reinstall, they don't know how.
It really is not the OS; if the 'users' would jump to a different OS, same story; it is their actions and their inability that enables malware to proliferate.
There is no de-infect, there is no central control, there are just clueless users.
Malware nowadays can adapt, can check for the presence of other running software. Check out corewars, that's the game http://www.corewars.org/ and a lot of malware uses a variant on the idea.
The problem is a general purpose computer system is always going to be vulnerable, just by the nature of it being general purpose, there are ways to reduce vulnerability, but none are simple 1 dimensional ideas, at the base it requires constant monitoring and trusted sources.
>oh and no antivirus. don't need one. linux is secure by design.
FFS grow up no one OS fits all, have you not learnt that by now.
IF 90% of desktop machines were based on a single Linux distribution you would be suffering the same as the Windows crowd are now.
Oh Mario, if you think you are secure why don't you have a go at posting a public address for your machine, and see how long it stays clean.
Windows, Linux, BSD, Solaris, OSX, VMS or even VME, they all have holes and always will; it's just weight of numbers means that it's Windows machines that get all the attention paid to them.
I don't think it is that MS can't produce secure software.
It's that they don't want to.
Because such software would be harder to use and MS would have an OS that is on an equal footing with other OSes and therefore couldn't use their monopoly power to keep it number one.
I'd gladly upgrade all the systems here - if it wasn't for one major point.
$IMPORTANT_BIT_OF_BUSINESS_SOFTWARE does not run on anything other than Windows.
If the developer was prepared to spend the £££ required to re-write this product so it would run on $INSERT_OS_OF_YOUR_CHOICE then I'd do so.
But they can't/won't. So I'm stuck with it.
And before anyone else starts, there is no comparable product that isn't also Windows only. Trust me, I've looked.
I'm sure that the Russians, Chinese etc. would like to move to Ubuntu, but there's one thing stopping them.
Where do they get the pirated version from?
@Huw Davies - $IMPORTANT_BIT_OF_BUSINESS_SOFTWARE
@update your systems
>no antivirus. don't need one. linux is secure by design.
Viruses were born on OS's like Linux, (anyone guess what the "root" in rootkit originally meant?), I've seen many a Linux virus.
Linux can be more secure than Windows, Windows can be more secure than Linux.
Linux is very unpopular compared to Windows (this is purely a numerical fact), this is why there's not much effort trying to infect it, now if it was as popular as windows, it would not only have a much better selection of software available, but it would be worth the effort of Virus writers to attack it. OK it's not as simple as that, but run everything as root (like Lindows) or be complacent and you will have problems, have you noticed how similar UAC is to the default sudo in Ubuntu?
Don't get me wrong, I love Linux, I have two systems running at home 24x7, one internet facing
but I use Vista for general surfing, games and photo editing, if Counter-Strike:Source ran on Linux and Gimp was as good as Photoshop:CS2 then maybe I'd replace my desktop, but probably not, if there's something I want to do, I can do it easily on Windows, can't always expect that on Linux, and all too often on Linux I have to build a package from source.
One day Linux might have the wealth of software of Windows that just works "out of the box", but when it does it will probably have a wealth of viruses too.
OK, still not convinced? Just check all of the patches, revisions and security vulnerabilities in the LAMP stack over the last 2 years, now imagine that clever people wanted to take advantage of these vulnerabilities and took advantage of them before they were patched, and that's just in one, very open, well maintained, well written set of applications.
Tried getting support when an app goes wrong and it's running through Wine? Even if you are 99.999999999% certain it's an app related problem rather than an OS based problem they won't want to know.
I feel so left out, 18 virus free years on a mac, maybe there will be one this year we'll see....
ISPs failing in their duty
ISPs should be detecting unpatched machines and then blocking their access until the user sorts it. Running a secured PC should be written into the contract with the user and enforced.
We don't need governments to stick their beak in, we need ISPs to actually do the job they are paid to do.
Feel a little sympathy for MS but....
MS are damned if they do damned if they don't!
If you knock off Windows and you get "caught" you are denied updates necessary to protect the install, that natty little box in the corner and nice WWII blackout curtain backdrop. MS have every right to protect their product from unauthorised use, well MS I'm afraid this is the payback!
Don't give me all that cack about "Well Windows is so widely used it is obviously going to get attacked!". Let me give you a one word argument to that old cods, APACHE.
Apache runs 70%+ of the world's web servers and it manages to stay ahead of the game and not get infected, while IIS lags behind and is always under attack.
MS write shonky code and release half-baked software, deal with it!
( Just slip into my flame-proof suit here! )
>oh and no antivirus. don't need one. linux is secure by design.
Pfft. Linux is only "secure" because it does not yet have enough penetration to warrant writing attacks that target its users (worms, trojans etc). Where it does have enough penetration, it can and does get attacked and hacked into.
You can make Windows more secure (top tip: dinnae have your user account being an admin), but most people do not do this. Which is THEIR OWN STUPIDITY.
Your attitude is *EXACTLY* what causes the kinds of problems we are seeing. I bet you log in as "root" because Linux is soooooo secure.
"Get clients over to Open Source. We know MS can not produce reliable software."
*cough* debian SSH *cough*
Anyway this is a patched vuln. So if all computers are patched it needs to get on the network by someone with admin privileges running the .exe or other file via the other methods.
If this was Linux/Mac it would be the same thing; the weakest point in PC security is the user, simple as.
Stop blaming MS and the WGA. I seem to remember at the start when they brought it out they did block ALL updates to non verified users, but then there was a big fuss about it cause millions of pirate machines couldn't get security fixes.
If you don't like WGA cause it phones home, fine. Install and edit hosts file etc to block access. If you don't like WGA cause it means you actually have to pay for software, grow up and see the real world.
Yet more common sense reasons to dump windows
Like lemmings off a cliff this will never stop until evolution replaces either windows or man-kind!
@The Fuzzy Wotnot
>>Don't give me all that cack about "Well Windows is so widely used it is obviously going to get attacked!". Let me give you a one word argument to that old cods, APACHE.
>>Apache runs 70%+ of the world's web servers and it manages to stay ahead of the game and not get infected, while IIS lags behind and is always under attack.
Have a look at the vulnerabilities against 1.3/2.0/2.1/2.2 on the apache.org site - remember these are only the ones that have actually been fixed!
Some of the highest profile web page defacements and root compromises have been due to Apache not patched to the latest level (and there are also zero day hacks too), which is actually a perfect example of when something becomes popular it gets attacked, so I guess your one word argument actually is more valid round the other way.
The other thing to note is that if a server has Apache, you don't know what distro (or even OS) is behind it, could be Windows, could be Solaris/Linux and a whole host* of others; otoh if a server has IIS, likely it's Windows on x86 so any compromise is far more likely to be predictable.
This just goes to show how harmful the windows monoculture is...
If windows had a smaller market share, say 30% with linux and mac also having 30% (and 10% of misc others), then the damage such a worm could do would be considerably less. And you would have something else to use while one system is unsafe to connect to the internet due to 0day bugs.
Someone else mentioned Debian SSH... But that just goes to further illustrate how a monoculture is bad, if everyone was running Debian the SSH bug would have been far more damaging.. But instead, the Linux community is split between a number of major distributions as well as countless smaller ones... Those which were not Debian based had nothing to worry about. Windows only has one "distribution", and is therefore far more reliable to target.
But monoculture doesn't make as much damage if the underlying system is secure.
See, for example, Apache installs (60%). Fewer infection notices than IIS (30% or less).
MS make their OS "easy to use". Which is also easy for the worms to use too.
Windows can install via Office problems. Why? Because IE is run as admin (some of it higher than that) and it is used in Office for rendering messages.
Autorun is how this worm manages to propagate.
No autorun on Linux.
Therefore this vector CANNOT EXIST on Linux.
Your statement is just wishful thinking and completely and utterly without any data that could suggest it may be true.