Security experts reckon a new low-threat worm that displays the image of President Obama on infected desktops is the work of technically-knowledgeable pranksters. Infections of the worm appear to be confined to scores of desktops at the same (unnamed) Illinois high school, which contacted its anti-virus supplier. The outbreak …
Now being a Geek means that you're the prime suspect!
Then give him an A
in IT, political science and art.
If I'm understanding correctly...
...Conficker's main claim to fame is its social engineering (clever application name) rather than fancy code. Couldn't it be fairly easily copied once you go, "Ah hah, that's a neat trick", without source being an issue?
Remember the worm that hit Nasa - WANK (Worm against nuclear killers)? Those were the glory days my friends, when kids in Melbourne stopped a shuttle from launching...
Pirate icon, because, well, arrrrrrrrgh :)
Yeah, that's it. Any real detective work is too much trouble, let's just resort to profiling instead.
Look for the 2nd or 3rd smartest kid ...
The smartest kid probably thought about doing something like that, then decided against it on the grounds that people are going to 100% treat it as a serious crime rather than a silly prank.
Hopefully they will just stop investigating it now .. it's a waste of money and resources and whoever wrote it is probably a kid who is scared enough that he won't be repeating that mistake anytime soon.
Hi, little fella!
"Couldn't it be fairly easily copied once you go, "Ah hah, that's a neat trick", without source being an issue?"
And how do you propose to get to that Aha moment? Can you read machine code or something?
Anyway, from what I heard the source code _is_ available for the network share exploit in Metasploit so any doofus should be able to use it.
Source code not available?
IIRC, Conficker "borrowed" the code for the wormable exploit from Metasploit anyway. (Which unsung tw@ decided that making *this* open-source was a good idea? As astonishingly dumb ideas go, that one deserves an award!). This has been widely reported, so I wouldn't be at all surprised if the lads behind this one did the same thing.
The other part of the Conficker attack involves a malformed autorun.inf which makes the end user think they're browsing the share rather than running something. This one's a Blue Peter* job. Finding where Conficker's been and snaffling one is trivial.
No innovation required for either attack vector then. The only surprise here is that world+dog are not in on the act by now.
*"Here's one I prepared earlier."