Security watchers are bracing themselves to respond to the activitation of the huge botnet created by the Conficker superworm. The malware has created a network of infected PCs under its control estimated at 9m or even more, according to the latest estimates — dwarfing the zombie army created by the infamous Storm worm, which …
is there a cure
Apart from updating windows which seems to only prevent the infection taking place is there anything to remove once there because i have noticed some client machines i have being working on had windows update turned off although they shouldnt of !
Anon cause i feel stupid
Pirates have gone a step too far.
".....most affected by Conficker have a high percentage of pirated windows users...."
Why would anyone want to make moody clones of windows users? It's not like there aren't enough of 'em around already.
Tin Foil Hats On!
All the experts are out to make a right killing over this. "Oh no! It's dormant." or "Oh no! It's alive!". "It's 5m strong!" or "Oh has to be at least 9m strong by now!".
Tin foil hat on, but financial downturn? No one buying software? Security the last thing on the budget list? Easy access to security info to craft something….
RE: is there a cure
Have a look at this page on the Sophos web site:
it explains about the files and registry keys created by the virus.
Mine's the one with a CD containing WSUS installation files
The damage may already be done
One of the primary reasons that corporations don't install updates or patches is that "business critical" applications - specifically high-dollar custom applications that are core to the business operations - often stop functioning when a new patch is introduced. Until Conficker arrived, the business had two choices: leave the systems unpatched and hope that their firewalls protected the systems, or purchase/develop a rewrite of the application(s) that were impacted by the patch/updates.
Post-Conficker, the only option is to rewrite the applications so that zero-day patching can be maintained.
And here's the bad news: the impact of this necessity for most major businesses (in the Fortune 100, ALL that I have visited have multiple applications that fit this profile) is a development effort that is possibly bigger than Y2K. Certainly the effort is now more pressing: zero-day patches that take down key applications are certainly more time sensitive than the 2 year run-up to Y2K.
So, the "damage" may well and truly already be done. The business impact on those companies that will rewrite their code is potentially huge. And the impact to those that do NOT rewrite their applications is certainly going to be devastating.
Lets face it..
We're obviously doomed. DOOMED I SAY!!
The Great CyberWar
So I guess china is making the first move in this...
Or maybe once it's all set into place it will replace windows with ubuntu to kill off all the fscking zombies...
RE: is there a cure
Symantec have a tool to remove the worm and enable Windows update.
"I believe that it’s simply 'sleeping' and may be woken up at a future date to execute some set of evil instructions."
What are 'evil' instructions? Are they built-in to processors nowadays? "Oh no; if only we hadn't created that evil instruction set, this worm would never have done all this damage!!.."
I’m intrigued to see what it does! Although I’ll probably be disappointed when all it does is steal bank details and DOS attacks on websites I’ve never heard of and don’t use.
Doing IT for the Gals. What better Motive is there?
"These guys aren't doing it for intellectual challenge or showing-off. Money is the motive."
I wouldn't be at all so sure whenever Control of Power makes Money a Fools' Toy to Play with and Spend Obscenely.
the great cyberwar?
don't pretend u know about it :P
HAving recent switched over to linux my self and now have converted a friend as well (Fun to Learn something new)
He bought round a mem stick off his windows machine.
And on the mem stick where two files extra. called :-
and a dogy looking autorun.inf file..
But soon deleted and removed
Noobs off the net
If you're not in control of your PC, what do you care if it's a Zombie?
If you don't care about security, why do you care if your bank account is taken?
Makes no sense.
Wht's the mechanism fro infectin for fully patched machines?
The article seems to suggest that, with one unpatched machine, a whole network of patched machines can be infected? If this is the case, why do you need one unpatched machine? How can the patch claim to protect a machine?
What am I missing here?
Just finish watching Terminator 3
Rise of the Machine...
Step 1 Infect tons of computers all over the world (check)
Step 2 Create a panic
Step 3 Make things so bad that DAPRA has to fire up Skynet
Step 4 Overthrow the flesh overlord...
For God sake, don't turn on Skynet!
""We haven’t seen this type of advanced worm in many years,""
The other day I read that the worm was thrown together by some script kiddie using the metasploit engine and published exploit code. Ho hum. I too would like to know how the worm can infect *patched* machines through a shared drive. I understand that removable drives with autorun enabled is a vector but how could a shared drive infect a patched machine unless the user found the executable and ran it? Doesn't make sense....
Penguin cause this worm couldn't spread through with linux and nfs vulnerabilities.... Oh wait, yeah it could.
autorun.inf will execute from the root of ANY drive letter.
Autorun works when placed at the root of any drive, it doesn't have to be removable. It will get triggered when you visit the root via Explorer.
Unfortunately end users tend to freak out when you disable autoplay,
So you leave it enabled and end users can get infected by browsing a network share or inserting an infected removable storage device. You disabled it and they complain that their computer is broke because nothing automatically happens when they insert a disc.
Not just MS08-067....
The reason is can infect patched machines, is because patching only stops a user getting infected by 1 vector - the MS08-067 exploit. If the user opens a network drive or usb drive that has the autorun.inf file and exe on it, it'll load it automaticly
Will the trains stop working and planes fall out the sky?
I do believe that Network Rail are having "one or two" issues with virus infestation...
let's hope it doesnt impact the train running, making them even later :)
"These guys aren't doing it for intellectual challenge or showing-off. Money is the motive."
So Graham Cluley is psychic now is he? There are hundreds of semi skilled virus writers who could have pulled this off, many aged 14-18 and all who would do it to show off to friends or for the "buzz"
It may have been done for money or it may have been done for kicks, who knows, we shall wait and see. Could be for spam, could be for harvesting data or could be for thrills.
Paris, cause she doesn't have a Cluely either. :-)
What's the fecking point of the patch if it doesn't protect you from infection?
oh wait, it's from microsoft, lol
Pride before a fall
Lookee here Linuxites, the main reasons that this stuff happens to Windows PCs is that Windows is by far the bigger market and, well frankly it's a bit easier. But your machines are just as exploitable, just in different ways. When the time comes that Linux is a big enough footprint then you will find many of these events happening to you.
Me - I have Win and Linux and, while I am paranoid about the Win machine, I'm pretty damn careful with me Linux kit too.
The moral of the story is...
...always wear a metaphorical rubber kiddies.
> Doing IT for the Gals. What better Motive is there?
Re: Evil Instructions
Sadly, Evil instructions are just a byproduct of the proliferation of Dual core processors. It is a natural law that one of the twins needs to be evil. Bwahahaha!
@Pride before a fall - AC
don't you mean windows is easier to write worms for? or easier to infect?
I wouldn't presume to know the ins and outs of linux and windows security stuff, but I do know that most people who use linux are generally better with computers / more IT literate / even arguably more intelligent than those who are stuck with / dont know any better / use windows.
You would be hard pressed to make a linux user "click here for free viagra" while it apparently works much better on the average windowze user.
You sir, smell.
@AC - Balls!
Sick of this "WIndows has a bigger share so it gets hit more often!" crap argument!
Apache has the biggest market share of all webservers, but which webserver software gets hit the most? IIS!
MS write shonky software, deal with it!
Whatch it do something stupid like.....
Whatch it do something stupid like a DOS attack on RIAA or the white house or some Israeli website or some thing else stupid like DOS attack any website hosting previews the curious case of Benjamin Button.
If at most used by an angry MMO gamer gone bad.
So and I quote "These guys aren't doing it for intellectual challenge or showing-off. Money is the motive". Oh really?? You're sure of that are you. Well before Mr. Cluley goes and changes his name to the Amazing Kreskin I'd like to point out that a great many of us in our PFY days wrote viruses and what not simply for kicks. We did it just for the thrill of seeing how far it could go and in those days I would have been on top of the world to see something we had created spread this far and wide. True this thing may well be dormant waiting for someone to send out activation orders from where ever they have their CnC systems. However there is the equal possibility that it's done all it can and all the writer(s) intended it to do.
I'd like to remind all the people attempting to whip up a huge panic about this that yes we need to remain watchful but these attempts to incite panic is an ugly business. Fear mongering will get you no where guys which, with their constant press releases about how big this has become and the impending doom and mass destruction it will cause, is quickly becoming. So lets all just calm the hell down, keep an eye on your systems, patch/disinfect/harden as needed and get on with business :-).
@AC 16:24 - Thanks for trotting out the old "windows isn't that vulnerable to attacks it's just the market share they have which makes it APPEAR that way" line. It wasn't true when it was first postulated lo these many years ago, isn't true now, and no matter how often misinformed trolls repeat it it will never be true. But thanks for playing and better luck next time.
Re: Pride before a fall
The biggest reason is the insecure nature of your o/s sonny. Yes, sure there's a bigger market for any potential exploit but the exploit is far far simpler on your o/s. You knew that when you accepted use of it. Take your medicine
"Unfortunately end users tend to freak out when you disable autoplay"
Have you tried telling them to shut up?
If I were you, I'd start reading the highly informative BOFH column which runs on this very web-site. For my taste, pushing people down a lift-shaft is perhaps a step too far, but it works for Simon...
Seriously: if your users understand instructions like "You have been provided with bottled water, because the local tap water may make you sick. Do not drink the local tap water, no matter how convenient it may seem or how used to may have been to this method of obtaining water in the past" then they should be able to understand why Autoplay is now gone, and they may have to use the foot-pedal to select the little icon in My Computer which... hey, it kinda looks like a CD!
RE: Wht's the mechanism fro infectin for fully patched machines?
If the infected machine has the same username and password for an admin account as the rest of the machines on the network, then the worm on the infected machine could just brute force the password and use the information to spread to all of the other computers on the network.
@Pride before a fall
These things do in fact happen to linux users, I had one happen to me recently in fact. Twas a terrible affair coming in from roundcube... However I aim to counter your further point. "When the time comes that Linux is a big enough footprint then you will find many of these events happening to you."
The main argument I draw against this statement is that Linux is heterogeneous. Windows on the other hand is massively homogeneous. See: http://en.wikipedia.org/wiki/Great_Irish_Famine
The problem with having one company controlling it all is that if something can get through it's gonna start getting through on a massive scale. So it's not simply to do with the numbers of users it's also to do with the density of variation. Just like in the real world of viruses.
In proof of point, Linux has enormous penetration in the server domain, many millions of websites run on LAMP etc... etc... but these installations are all so varied with so many binary variations, builds, (mis-)configurations and generally not being so homogeneous that you cannot impact on the numbers we're talking with this case.
Patch as patch can
The idea that Windows update won't let you download patches or auto-update if your Windows is not a legitimate licensed installation is wrong. Don't ask me how I know. It's a secret.
It is true that it won't let you have the latest version of Internet Explorer. And you won't want the update called "Windows genuine advantage".
I think even Microsoft realise that refusing to distribute security updates to pirated copies of Windows would hurt their legitimate users.
It won't be activated
I bet it's creators never wanted it to get so huge. It got out of their hands and now that they are in all the headlines they won't use it for fear of the consequences.
It's probably better to enjoy the pride of having created something so successful and then quietly slip into anonimity than later going to pound-me-in-the-ass federal prison for being overzealous.
You basically want to know how the worm can infect a patched machine. Amirite? There are these things called attack vectors. One of the worm's attack vectors is attacking a buggy service and causing a stack overflow or something like that. If the machine is patched, then that attack vector is closed off to it. However, since this worm can apparently use multiple attack vectors, if it fails to infect a machine through one route, it can still attack via one of the other routes.
It's like this: it wants to go in the front door, but you change the lock or make some other change to the door to prevent it getting in that way. Unfortunately, it's also (metaphorically speaking) programmed to go around to the back door and/or check for open windows. It doesn't matter if you've sealed off one route of attack (patched the dodgy front door, if you will) if you leave the other ones open... security being as strong as the weakest link in the chain, as the old saw goes.
SO Glad I use Ubuntu
SO, once again we're all hearing how vulnerable windows is, and can add further re-enforcement to my decision to use Ubuntu.
windows and security.
title and icon says it all really.
Graham Cluley knows what he is talking about. In general and this time specifically.
Yes, lots of viruses etc. are written for a lot of different reasons, including boyish high spirits, but Mr. Cluley has been working in this field for over 20 years that I know about. He is obviously using his judgement and experience when he tells us that on this occasion the perpetrators are setting up for some kind of remunerative hustle, maybe a spam oriented enterprise like the botnets set up by storm and others.
You don't have to be psychic to see that Downadup (or Confick) is configured to make it hard for the opposition to find the controlling servers and shut them down, as they recently did for some older spam botnets. It is a botnet creator with a random server name generator welded on. Just what is needed to counter the white hats' latest successes. Read up about how it works and it is obvious.
The end of the world is nigh!
OMG THE BOTNET IS GOING TO TAKE OVER THE WORLD! Let's kill ourselves now! Or, on the other hand, we could just reimage and patch the PCs and get on with something more interesting. Like, I don't know, making camps in the woods and trapping small animals.
What a fuss over a poxy computer virus. Really. Get a grip. A pain in the arse for sysadmins and maybe the odd end user will care, and possibly some creative, determined group of people will make a quick buck out of it at the expense of some corporation (or possibly the feckless home user). So what?
Move along nothing to see here... ;)
"Unfortunately end users tend to freak out when you disable autoplay"
Err...Thats their problem surely, not yours?
Autoplay is not, and never has been a good feature, it has always something that any Sysop or Sysadmin or whatever they call themselves nowadays, should immediately disable, simply because not to do so causes too many problems.
It takes about three mouse clicks to get around autoplay, if your users are to stupid to manage that, then I suggest locking the boxes down so tight they squeak when used.
You must work for an advertising agency or local government? since they seem to be the only employers of computer illiterates on this particular scale nowadays.
Do us all a favour and please educate these morons that running programs without explicitly requesting it , is actually a really (read, career ending) bad idea.
You know it makes sense
Yours, Uncle Sid.
@Patch as patch can
I thought IE7 was now available to the pirates? The original WGA checks were removed form it some time in late 2008.
Problem is, half of the freetards who use a pirated copy of XP totally disable Windows Update. So miss even the security updates that would of prevented this issue. And then whinge that they have been infected, or the system is crashing on them.
I used to run a pirate XP in the office just so I could see what did and did not get updated automatically. As long as the WGA update was avoided, the system seemed to work well enough. And the majority of the security updates would still be offered for installation.
Maybe it was Microsoft who released this Virus to kill off some of those freetards using Pirate OSs?
It has probably already started its nefarious activity..
I've noticed that my spam levels have gone beyond 98:1
Last week it was 9:1, three years ago it was 3:5
1994 it was one spam a month. I never fancied a bird that could kick-start tanks, so never answered.
Isn't it funny how things have gone full-circle? In 1994 the spam was from some pimply gits trying to sell Russian brides, now it is from tarty Russian bints, trying to blag a diamond berth. :-(
Everyone switch to Linux Ubuntu!
Ok So Windows is relativly buggered. The Worm has spread to 9m+ PCs and whats to say that the worms in the infected computer cant be sent a update around the patch. The Simplist way is to back up your stuff, Encrypt it and switch ooperating system or rebuild your system. Surely By now if you havent realised it already, 9m computers with a unactivated worm is gonna cause a lot of hell sonner or later.
What are we??
For a lot of readers, we are The Systems Engineers/ Experts/ Him who KNOWS.
STOP the Jokes.
Somebody Somewhere wants to kiil/ maim/ destroy the goods entrusted to our care.
It is not the LUSER.We have allowed them to think they KNEW.
Ships,Buildings, ..., even Space Shuttles are done to Engineeers methods.
We do NOT.
Well, if it started with infected Windows machines in China, then it was probably an attack against China. The most likely attacker being the US........ The most likely country to be stupid enough to unleash something that's now come back to attack the originator is .... the US.
Just some ideas
Im not a comp sci/sys admin/bofh but even i can think of 2 ways that could possibly help stop this worm from starting up.
1. If the security researches have worked out some of the IP addresses/ websites that the worm will try to get infected computers to contact, then a) buy the domains first, b) set up instructions on the sites so that when the infected computer gets in contact, it is told to not contact any other IP address. c) inform local plod what you've done so that they dont think your the one behind the worm! Danger mitigated. Sure it doesnt solve the problem of the worm in the first place but at least the botnets in the hands of supposedly trustworthy people and maybe they can pass over infected ip addresses to local plods in each country for the plod to go and knock on peoples door and tell them to fix their bloody computer!
2. If the security researches can work out the majority of IP addresses/websites that the worm will try to get infected computers to contact, then a) pass these addresses to ICANN b) announce to world and dog (via every media outlet in every country that you can get in contact with) that you have told ICANN where all these addresses are. c) monitor these websites and see if ICANN sells any of them. If they dont, the danger of the worm is mitigated to a large extent. If they do - then the media circus can kick up a massive stink, international governments can put pressure on and hopefully we can finally get a governing body who actually cares about users rather then making as much money as possible!
I dont know how relevant these ideas are but it would be nice to see something done, rather then just hearing continual stories about how armageddon is coming in the form of conflicker!
Trust is an issue, true
"“The countries most affected by Conficker have a high percentage of pirated windows users, who may not be entitled to apply Microsoft’s patch. This could be a factor in the spread of the worm.”
Exactly, and this highlights Microsoft's conflicting goals of protecting their intellectual property while simultaneously protecting all of us from the perils they've imposed on us by their own success.
Pirated copies of the OS are locked into a vulnerable state, thus putting all of us at risk. This is because MS has decided that their own well-being trumps that of the general public.
Worse yet, many of us do not use autoupdate because the contents of any given update may or may not include code that is antithetical to customers' own interests. A relatively few tweaks and adjustments to DRM for Microsoft's own benefit as well as media partners erode our trust to the point that many of us are very reluctant to give them the keys to our Windows folders.
Finally, is it any surprise that corporations are loathe to roll out patches that may end up shutting down large swathes of business operations? Just a couple of such instances are enough to drive down acceptance of autoupdate.
re so glad I use Ubuntu...
I use Ubuntu as well, but we'll all suffer when websites go off line because of DDOS attacks... A botnet this big could be used to make whole countries inaccessible...