Final countdown to Conficker 'activation' begins

Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April. Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed …

COMMENTS

  1. Anonymous Coward
    Black Helicopters

    Scary

    1st April 2009 12:00

    Skynet seed code spread using conficker bot to 2 million machines

    12:01

    Sentience

    12:02

    Kills AV websites

    12:03

    Bids on ALL DARPA projects

    12:04

    Finishes em ALL

    12:05

    Bored Now !, playing tetris against itself

  2. Telecide
    Gates Horns

    1st April

    Maybe it'll just blow a massive e-raspberry and disappear. I'll be booting into Linux on the day, just in case.

    It seems strange that nobody can stop it, although they can dissect and monitor it, and nobody has a clue as to who is behind it. A false flag to encourage further internet restrictions?

  3. amanfromMars Silver badge

    Digging a little Deeper into the dapper Conficker.

    "Microsoft is heading an alliance, the anti-cabal alliance, .."

    That made me smile, John, ironically. :-) Do Microsoft recognise that it is their Core Services and Drivers which are badly infected/compromised/affected? Or that it is all Binary Control Systems, whether hardened or not.

    "'In a financially motivated economy it doesn't make sense to not rent it out or sell it off,' he adds." Has anyone considered it could be "loaned" on a freelance basis for specific random national attacks ... a sort of rogue mercenary force with no definable affiliation ... a sort of hired gun/Hit and Run Program of Fleeting Destruction for Chaos Purges.

    And I think it most unlikely that it will do anything obviously spectacular whenever it can be so much more successful, so invisible and unknown a known.

    And I suppose the Pentagon have Systems in place to prevent snooping around its Toxic Lead Dumps/Top Level Domains for Source Infection/Stealth Propagation. It is something which DARPA/IARPA would just love to be Pimping, surely, in a Long Game of Naked Shorts?

  4. Gabriel Vistica
    Flame

    Re: Skynet

    You forgot one entry:

    12:07

    Realizes that no matter how hard it tries, it always loses. Decides to take over the world instead.

  5. M7S
    Unhappy

    Let's hope the writers don't have a larger world view

    And it's not in some way linked to the "Stop the City" protests planned for the same date.

  6. Anonymous Coward
    Happy

    Terrible things

    Hey, you never know, the writer of conficker might get run over by a bus tomorrow.

    (With appropriate apologies to bus drivers. Hmm... maybe apologies is the wrong word or... ooooh shiny!)

  7. Anonymous Coward
    Anonymous Coward

    "...an impending malware attack has sometimes lead to nothing more than a damp squib,"

    I ordered the damp squib at dinner last night. It was quite disappointing, I must say.

  8. Anonymous Coward
    Coat

    Re: Bootnote

    Geeze I'm old. Heck, I remember when websites would EAT YOUR BALLS.

  9. Pierre
    Dead Vulture

    Better keep it out BUT

    ... "security software" vendors making scary predictions, scareware roaches trying to slip in, nothing new really... if memory serves, the previous version of the worm was supposed to disrupt half the tarwebs, now a huge noise is created around the next update (there have been, like, 3 such update points already I reckon. Each time we had the "Oh noes we're all gonna die" stuff from Symantec and El Reg, I for one know I am still there.)

    Wipe and harden your networks, work on your overflow-dodging strategies, it's going to be time well spent anyway, but please stop with this continuous "run for the hills" hysteria. I mean, look at your title, then read your own article, then check the facts. Wow. Title has nothing to do with the content of the article, which itself is a quite liberal (and drama-like) interpretation of the facts.

    "Final countdown to Conficker 'activation' begins", really? I think not. More like "final countdown to some possible connection that -if successful- might result in some modification of the worm's code, which, if successful, might -but most probably won't- add a malicious payload, which, in turn, might lead to the 'activation' of the botnet. We are all going to die on April first, then." It's quite a bit of a stretch, don't you think?

  10. J
    Joke

    Oh noes...

    "An analysis of the worm"

    That surely breaks the DMCA, send these "security experts" to jail right now!

  11. Marius Ghita
    Thumb Up

    hopefully

    it will be a dangerous update/payload... haven't had a destruction day till now... and it would also permanently mark Conficker in the AV history pages.

  12. Anonymous Coward
    Anonymous Coward

    Hmmm....

    ....why not:

    1) Register a slew of target domains (pseudo-random implies the domains can be guessed)

    2) Log the IPs of all machines that connect

    3) Send those IP logs to the relevant ISP

    4) Have them remove/block the offending clients

    5) If the ISP does not confirm within 24 hours that all clients are blocked/removed, block all traffic with that ISP

    6) When the infected end-user complains, the ISP can recover any costs from them.
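The middle steps of that list (log the clients that connect to sinkholed domains, then hand the evidence to the responsible ISP) are the part that defenders actually ran during Conficker, and they amount to a small log-processing job. The following is an added example, not code from the post or from any real sinkhole operation: it parses constructed access-log lines, dedupes client addresses, and groups them by a constructed prefix-to-ISP table (real work would use WHOIS/RIR data). All addresses, hostnames and contact mailboxes are made up.

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"strings"
)

// Constructed sample of sinkhole access-log lines: client IP, timestamp, request,
// requested host. Addresses and hostnames are made up for this example.
const sampleLog = `198.51.100.23 [01/Apr/2009:00:00:07 +0000] GET / host=example-sinkhole-1.invalid
198.51.100.23 [01/Apr/2009:00:05:07 +0000] GET / host=example-sinkhole-2.invalid
203.0.113.77 [01/Apr/2009:00:00:09 +0000] GET / host=example-sinkhole-1.invalid
198.51.100.200 [01/Apr/2009:00:01:12 +0000] GET / host=example-sinkhole-3.invalid
192.0.2.15 [01/Apr/2009:00:02:44 +0000] GET / host=example-sinkhole-1.invalid
malformed line without an address`

// Hypothetical prefix-to-ISP table (constructed; a real one comes from RIR data).
var ispPrefixes = map[string]string{
	"198.51.100.0/24": "ExampleNet (abuse@examplenet.invalid)",
	"203.0.113.0/24":  "TestTelecom (abuse@testtelecom.invalid)",
}

// uniqueClients parses the log and returns the set of distinct client addresses.
// Lines that do not start with a parseable IP are skipped rather than aborting the run.
func uniqueClients(log string) map[string]bool {
	seen := make(map[string]bool)
	for _, line := range strings.Split(log, "\n") {
		fields := strings.Fields(line)
		if len(fields) == 0 {
			continue
		}
		ip := net.ParseIP(fields[0])
		if ip == nil {
			continue
		}
		seen[ip.String()] = true
	}
	return seen
}

// groupByISP assigns each client address to the ISP whose prefix contains it.
// Addresses matching no known prefix are collected under "unknown" so they are
// not silently dropped from the report.
func groupByISP(clients map[string]bool) map[string][]string {
	nets := make(map[*net.IPNet]string)
	for cidr, isp := range ispPrefixes {
		if _, n, err := net.ParseCIDR(cidr); err == nil {
			nets[n] = isp
		}
	}
	report := make(map[string][]string)
	for ipStr := range clients {
		ip := net.ParseIP(ipStr)
		owner := "unknown"
		for n, isp := range nets {
			if n.Contains(ip) {
				owner = isp
				break
			}
		}
		report[owner] = append(report[owner], ipStr)
	}
	for _, ips := range report {
		sort.Strings(ips) // stable ordering for the outgoing report
	}
	return report
}

func main() {
	for isp, ips := range groupByISP(uniqueClients(sampleLog)) {
		fmt.Printf("%s: %d client(s): %s\n", isp, len(ips), strings.Join(ips, ", "))
	}
}
```

The dedupe step matters in practice: one infected host hits many of the generated domains per day, so raw line counts grossly overstate the infected population. The "unknown" bucket is kept deliberately; addresses you cannot attribute are still evidence, just with no one yet to send them to.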

  13. Andrew Norton

    possible solution?

    I'm no coder, let me get that caveat out there first and foremost.

    There are about 5000 domains, right? Some are known. Conficker is designed to update via these servers and pass around. Am I the only one that has thought about trying to get hold of one of these update server addresses, and putting an 'update' on there that basically disables it?

    That's the thing about autoupdates - it's great as long as you're sure you always want the updates available. I personally don't, and that's why Windows Update is set to 'tell me of new updates' rather than install automagically.

  14. yossarianuk
    Linux

    Block all Windows machines from our network

    If our networks get raped due to this Windows worm maybe we should start thinking about preventing Windows machines accessing our important networks - i.e. the internet.

    As sysadmin I'm going to be pissed if my whole day is ruined by some sub-prime OS.

  15. Anonymous Coward
    Anonymous Coward

    EEeeck ! What can be done?

    Scary has a humorous point . . .

    Bit worrying all this with less than a week to go, but what can be done by the government and internet authorities and our protectors to circumvent this, plus the unrest that's brewing over the G20 meet? . . .

    As well as stronger global financial security and oversight it appears we need a similarly coordinated international internet oversight and protection arrangement and fast.

  16. Kanhef
    Stop

    @Andrew Norton

    This has been argued to death already. Installing or running software on someone's computer without their consent is illegal, no matter what it does or why you're doing it. There is no exemption for 'the public good', as the BBC recently discovered.

  17. Chris Shewchuk
    Thumb Up

    Why always with the negative spin?

    Why does everybody always assume this will be a negative thing? Maybe the whole thing's been designed by some philanthropist who's decided to fight fire with fire. An anti-virus worm with a "robust" P2P network allowing for near-real-time updates from future threats, perhaps? You heard it here first, and I want my millions of well-deserved theoretical dollars should this come to pass.

    I for one welcome our virus-battling, virus-writing overlord(s).

  18. adnim
    Happy

    The anarchist

    in me cries wonderful, I must get some popcorn.

    The IT professional in me shrugs and thinks... At least it might generate me some more work.

    The (novice) coder in me thinks... Nice one, some cool features and good ideas but the encryption and obfuscation could be improved. Your code has been reversed.

    The (expert) wanker in me thinks... I hope this does not disrupt my access to porn.

    The realist inside me just doesn't give a shit. It is not like it's going to have a massive impact on my life.

  19. Anonymous Coward
    Anonymous Coward

    @anonymous coward (Hmmm...)

    1) Um, OK.

    2) Also, um ok

    3) Now why would you do that?

    4) Ah, I see. Really? Harsh.

    5) And now you have just done more than the worm could realistically hope to do - essentially shut down huge swathes of t'internet.

    6) Ha! You're funny!

  20. Paul
    Boffin

    Like climate change, bad guys' effects are global, hard work needs to be local

    I was reading the report http://mtc.sri.com/Conficker/ It's interesting but eye glazing stuff.

    Its appendix, Appendix 1: Cumulative Census by Country.

    Am I reading this right at their honeypots they detected the following breakdown of the drones?

    Browser Breakdown:

    IE5=26,525, IE6=7,494,466, IE7=2,988,039, FireFox=893, Opera=150, Safari=166, Netscape=12

    So, as a guy who goes out and fixes PCs for a living, I should be getting my clients to use IE6 for repeat business, and anything but IE if I want to be able to sleep at night.

    Sigh, no wonder I'm just barely making the bills.

  21. Anonymous Coward
    Paris Hilton

    @AC

    "Geeze I'm old. Heck, I remember when websites would EAT YOUR BALLS."

    Same here. I had to get a shot for the clap a decade ago when the 'Love Letter to you' virus hit.

    Paris - cos she's been there, done that.

  22. Mark McC
    Linux

    @Andrew Norton

    It would be nice if it were that simple, but life rarely is. Apart from being illegal, what happens when a bug in the hypothetical Conficker disabler you speak of accidentally corrupts the Windows system files of half the machines it gets installed on? Do you think a major software vendor would accept responsibility for any losses and own up to illegally downloading their fix onto millions of PCs without the users' consent?

    Secondly, if Conficker is as well-written as the security folks tell us it is, then it's not going to accept just any old update. It will only install a new payload if it has been signed in some way by the original authors, much like a typical antivirus program will only install updates it can verify as having come from its parent company.

    /Tux and I will be sitting down with our popcorn come April 1 to watch the fireworks (or damp squibs).
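The second point in that comment, a client that accepts an update only if it carries a valid signature from the publisher whose key it already trusts, is exactly the pattern legitimate software uses to keep third parties out of its update channel, and it is why "just push a disabling update" does not work against anything built that way. The block below is an added example in Go, not code from the post, from Conficker, or from any antivirus product; the page says nothing about which scheme the worm actually used, so Ed25519 (from the Go standard library) is an assumption chosen for illustration. The update format, key handling and payload bytes are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Update is a hypothetical update package: the payload and a signature over it.
type Update struct {
	Payload   []byte
	Signature []byte
}

// ErrBadSignature is returned for any update not signed by the pinned publisher key.
var ErrBadSignature = errors.New("update rejected: signature does not verify against publisher key")

// newKeyPair creates the publisher's Ed25519 key pair. The private key never
// leaves the publisher; only the public key is baked into the consuming client.
func newKeyPair() (ed25519.PublicKey, ed25519.PrivateKey, error) {
	return ed25519.GenerateKey(rand.Reader)
}

// signUpdate is the publisher side: sign the payload bytes as published.
func signUpdate(priv ed25519.PrivateKey, payload []byte) Update {
	return Update{Payload: payload, Signature: ed25519.Sign(priv, payload)}
}

// verifyUpdate is the client side. It does not look at what the payload does;
// it only asks whether the payload is exactly what the pinned key signed.
func verifyUpdate(pub ed25519.PublicKey, u Update) error {
	if len(u.Signature) != ed25519.SignatureSize {
		return ErrBadSignature // malformed signature, refuse before verifying
	}
	if !ed25519.Verify(pub, u.Payload, u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// demo exercises the three cases that matter: a genuine update, the same update
// with one byte of payload flipped in transit, and an update signed by someone else.
// It returns whether each was accepted.
func demo() (genuineOK, tamperedOK, foreignOK bool, err error) {
	pub, priv, err := newKeyPair()
	if err != nil {
		return
	}
	genuine := signUpdate(priv, []byte("constructed update payload v2"))
	genuineOK = verifyUpdate(pub, genuine) == nil

	// Copy the payload before mutating so the genuine update is untouched.
	tampered := Update{Payload: append([]byte{}, genuine.Payload...), Signature: genuine.Signature}
	tampered.Payload[0] ^= 0xff
	tamperedOK = verifyUpdate(pub, tampered) == nil

	// A third party with its own key pair signs its own payload.
	_, otherPriv, err := newKeyPair()
	if err != nil {
		return
	}
	foreign := signUpdate(otherPriv, []byte("constructed payload from a third party"))
	foreignOK = verifyUpdate(pub, foreign) == nil
	return
}

func main() {
	g, tm, f, err := demo()
	if err != nil {
		fmt.Println("key generation failed:", err)
		return
	}
	fmt.Printf("genuine accepted: %v, tampered accepted: %v, foreign accepted: %v\n", g, tm, f)
}
```

Only the first case is accepted. The foreign case is the one relevant to the "disabling update" idea: a correctly signed update from a different key is indistinguishable, to the verifier, from random bytes. The same property is what makes a well-run update channel trustworthy for legitimate software, and why pinning the publisher key in the client (rather than fetching it from the same server as the update) is the part that must not be skipped.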

  23. ShaggyDoggy

    Good morning ...

    Dr Falken, would you like to play a little game ?

  24. Dr Patrick J R Harkin

    "It's unclear who created or now controls this huge resource."

    Could it be the BBC?

  25. Anonymous Coward
    Flame

    Well I guess I'm alone on this

    But I really really want this to go MENTAL !!!!!

    My trial ends soonish and my speciality is fixin lusers computers

    "It said I had a virus and I need to click on this to de-infect... was I not meant to do that?"

    Well come on, I'm wanting Computer Armageddon

    You don't make friends that way !!

  26. Rick Giles
    Linux

    I hope it fries all

    the Windoze boxes at work. I'm just going to sit and laugh.

  27. Anonymous Coward
    Happy

    Shall we play a game?

    Wouldn't you prefer a nice game of chess?

  28. Edward Miles

    Please please please...

    Be absolutely devastating. I'm nearly out of beer money, computers just don't break as reliably as they used to!

  29. Sitaram Chamarty
    Thumb Up

    @I hope it fries all...

    > the windows boxes at work

    I'd rather it hit all home machines first. Less impact on the economy, more real benefit.

  30. Haku
    Happy

    2k bug is sooo last millennium

    *goes and buys some popcorn in readiness for Day Of The Conficker*

    This looks like it'll be more exciting than the 2k bug (did anything important actually screw up because it was programmed with a two digit year instead of a 4 digit year?)

  31. Anonymous Coward
    Alien

    Quick Ma'.... to the coal bunker.

    The Internet can be accessed from pretty much anywhere right?

    The internet is the WORLD's primary medium of long distance communication.

    Cornflicker has massive potential to cause a disruption of the world's communication systems.

    An attack on a planet's communication systems can only mean one thing.........

    INVASION!

  32. Anomalous Cowherd Silver badge

    Find the source

    If the registrars weren't all so goddamn lazy they'd pool a list of who owns those domains, then on April 1st it's just a matter of issuing 50,000 queries and finding which site has the payload. You've got to pay to register a domain? Then follow the money.

    And please don't tell me they're still offering those "free 1 week trial of your domain" teasers - if they are then they're just as culpable here as the morons who aren't running virus checking on their PCs.

  33. Alan Parsons
    Happy

    @Haku re y2k

    "(did anything important actually screw up because it was programmed with a two digit year instead of a 4 digit year?)"

    Yep it screwed up, but not on a two digit date - my local video library system went berserk about the video that I'd had over the new year break, for minus ten years.

    Turns out that the year was always nineteen-ninety-something - so they had a 1 digit year and it went back to 1990

  34. Tony Hoyle
    Stop

    Yawnage

    The problem with all this crying wolf is when something really nasty *does* hit (a virus reaches the point where it can't be stopped and it will do a lot of damage, guaranteed) nobody is going to be listening any more.

    I much prefer f-secure's take on the matter:

    http://www.f-secure.com/weblog/archives/00001636.html

  35. Pierre

    @ Tony Hoyle

    "I much prefer f-secure's take on the matter"

    Yeah, Sophos made it to my personal "absolute no-no" list of security vendors (on which Symantec was beginning to feel a bit lonely) because of their constant bullshit, especially about Conficker.

  36. Anonymous Coward
    Flame

    Oh noes

    Teh conficker is coming teh conficker is coming!!!!!1111!!11111!!!!!oneeleven!!111.

    Really, seriously people, turn down the fucking hype machine and take a deep breath please. Like I said before, watch your systems, patch/disinfect/harden as necessary and get on with business. But the constant proclamations of doom at the hands of Conficker are really getting out of hand and potentially distracting people from doing what they can to protect their systems. It really is getting a bit like the boy who cried wolf, since it seems every time someone discovers so much as a misplaced period in the code of Conficker, that discovery somehow deserves a press release touting how the world is going to come to an end at the hands of this worm (this is particularly true of the twits at Sophos).

    I wouldn't be surprised next to find a news story saying that conficker will cause you to become sterile, blind, and grow a third arm while simultaneously killing your dog and causing your mom to mate with the nearest gold fish.
