back to article Conficker gets upgraded with defenses

Researchers at Symantec have discovered what could be a significant development in the ongoing Conficker worm saga: a new module that is being pushed out to some infected systems. In a couple of ways, the new component is designed to harden infected machines against an industry consortium that is actively trying to contain the …


This topic is closed for new posts.
  1. Chris C

    Call me cynical

    "Up to now, a pseudo random domain name generator produced 250 addresses that infected machines reported to each day. The industry consortium... snapp[ed] up those domains... to prevent the infected machines from sustaining further damage... The new component ups the ante by increasing the number of domains to 50,000 per day... 'It's clearly trying to work around the work of the cabal,' Vincent Weafer, vice president of Symantec Security Response, told The Register."

    That's one way to look at it. Another way to look at it is that it was created (or modified), directly or indirectly, by ICANN specifically to gain additional profits by collecting their $0.25 fee for each of those newly-registered domains. But nobody here would by cynical enough to think that.

  2. Sitaram Chamarty

    @Call me cynical

    never attribute to malice (of ICANN) that which can be adequately explained by incompetence (of Microsoft)...

    ...combined with the competence (of the vxer).

    ICANN is not that smart. ICANN is not that sophisticated. ICANN doesn't have it's technical act so co-ordinated and "together".

  3. Anonymous Coward
    Black Helicopters

    @Chris C

    There are conspiracy theories, and then there's nonsense.

    Do you really think ICANN needs the money from another 50,000 domain registrations? Domaintools ( shows something to the order of 150,000 new .com names are registered every day. ICANN is a non-profit, which means that - officially at least - it's not interested in making money beyond that needed to cover its costs. Therefore no, I don't think for a second that a US-based non-profit would go to the trouble of creating or financing the creation of a worm to infect 100,000 to 10,000,000 PCs (causing who knows how many $ in damage) for the purposes of driving domain sales up by 30% - for only a single day.

    Sometimes I think people try a bit too hard.

  4. Pete


    It's nice to hear Symantec are working towards a fix for this scumware, but why is their antivirus software so terrible these days?

  5. Anonymous Coward
    Anonymous Coward

    I wonder

    Can conficker pass new modules directly between infected hosts via an update mechanism? If so, things might be about to get very interesting, and probably not in a good way.

    When it scrags regmon, does anyone know whether it just kills the process, or does it do something else? Might be a useful diagnostic if it kills the process outright.

  6. David Wilkinson

    Make it legal to fight infections with infections

    Its 50,000 randomly generated domains per day not just 50,000. Its suddenly got a whole lot harder to check and see if anyone registered a domain and is hosting updates/instructions for the bot net.

    What we need is a law passed so that the FBI or some other government agency can legally hijack bot nets to install code on infected machines which will then remove the infection.

    Any of these researchers could do it, but hacking an infected computer to remove the infection is still illegal and if any damage was done they'd also be subject to lawsuits.

  7. Simon Neill

    @Make it legal to fight infections with infections

    I seem to recall someone wrote a worm that downloaded windows updates. All that happened was it crashed the windows update servers because they all contacted it at the same time.

  8. Roger Jenkins

    @David Wikinson

    'What we need is a law passed so that the FBI or some other government agency can legally hijack bot nets to install code on infected machines which will then remove the infection.'

    (1) I'm not sure how jurisdictions outside of the U.S. would view this option. Rather badly I feel.

    (2) The 'law' of unintended consequences is a great worry.

    (3) Once such a law was passed could it later be used for less benign tasks than to clean up a virus?

    Giving legislators the freedom to pass such a law is fraught with danger, we know how they want to interfere with the internet. Some legislators 'may' see passing such a law as a golden opportunity to have such relaxed checks and balances as to make such a law a danger to us all, even outside of the U.S.

  9. Rob Moir
    Thumb Down

    @ David Wilkinson

    You're right. Trying to fight fire with fire without solving the underlying problem by making people patch their machines or upgrade to a different OS is a much simpler solution for law enforcement than, say, compelling ISPs to drop traffic from infected hosts on their network and refusing to let them back on until they're clean.

  10. Fred

    Antivirus firms unable to keep up!

    It is because of hassles like this that so many people are moving over to Linux!

    The REAL surprise here is that anyone can go and download tools for automating windows processes, and no action is ever taken.

    From the information that can be seen here at this site, it is apparent that this network of machines has just been deployed, and now the fine-tuning is underway. This all begs the argument that the antivirus firms are simply trying to keep themselves in business.

    Time will tell us all: no target=anti-virus producers trying to ramp up the scare alert for windows users.

  11. Chris C

    @AC 12:37

    "I don't think for a second that a US-based non-profit would go to the trouble of creating or financing the creation of a worm to infect 100,000 to 10,000,000 PCs (causing who knows how many $ in damage) for the purposes of driving domain sales up by 30% - for only a single day."

    Did I misinterpret the quote from the article?

    "Up to now, a pseudo random domain name generator produced 250 addresses that infected machines reported to each day... The new component ups the ante by increasing the number of domains to 50,000 per day"

    I take that to mean that the original strain produced 250 (unique) addresses every day, and that the new variant increases the number of (new) domains to 50,000 every day (not 50,000 domains total). Do I believe that ICANN is the cause of the new variant? No, I don't. But if they get 50,000 new domain registrations every day (or even a fraction of that), it's hard to ignore the boost to their profit, and hence a possible link.

    As for your non-profit comment, don't be so naive. A *LOT* of non-profits are in the business of making money. They just make sure to stay just on the right side of the law. How do you make sure you don't have any money left at the end of the year? That's easy. Pay your execs outrageous salaries and bonuses, just like in private industry. Please don't misinterpret "non-profit" to mean "altruistic". I made that mistake once, but have since been shown how wrong I was.

    @ David Wilkinson:

    Nooooooo!! That would be just what we need, even greater powers legitimately given to the government organizations. Hey, let's make it legal for the Department of Homeland Security to hack into our computers when they've proven time and time again that they can't even protect themselves. Yes, I know you specifically said "FBI", but with such a law, all government organizations would be given the power.

    No, we don't need to legally allow people to hack into systems in order to clean infections. That would make the "good guys" no better than the "bad guys". What *WOULD* be helpful, however, is to set up a framework which would allow researchers (and others) to notify ISPs if the ISPs customers were infected. The ISP could then search* for the identifying traffic and alert the customer that they may be infected. If the customer continues to exhibit signs of infection, allow the ISP to sandbox the customer, either cutting them off completely, or only allowing them access to specific sections internal to the ISP where customers can find information regarding their infection and how to clean it. That, however, would require input and cooperation of ISPs who may not want to go along with it.

    * By "search for the identifying traffic", I'm speaking real-time searching, not logging of any data.

  12. Tim Spence

    @ Fred

    "It is because of hassles like this that so many people are moving over to Linux!"

    Except they aren't. At all.

    Linux is a decent CLI operating system, but terrible with a GUI. If the non-technical user take-up of Linux is increasing at all, it's purely down to the popularity of netbook style laptops, not because people are unhappy with Windows.

  13. Anonymous Coward
    Gates Halo

    @ Fred

    "It is because of hassles like this that so many people are moving over to Linux!"

    I've actually just moved over to Linux, and the grass isn't so green (so far). I frequenty updated Vista when I had it on my monster pc and had adequate protection so it never caused me any trouble. But then I had to downsize to a laptop, and Vista was painfully slow and crashed once or twice a fortnight. So I moved over to Linux, even though I managed to get my wifi working (took AGES), my laptop crashes more frequently than it did under Windows. This could just be my experience, and is probably an easy fix for someone more experienced with Linux, but with the time I spent installing and configuring Fedora, I could have diagnosed and fixed the Vista crashes.

    Anyway back to conficker, we hear alot about the government being seriously concerned about online crime, could they not just license a free security suite, then pass it out for free and get OEMs to install it at the point of sale? That may effectively kill the market, but surely there are ways around that.

  14. Telecide

    @Tim Spence

    I beg to differ. I dual-boot using Vista and Ubuntu (have dabbled with Fedora also) and use Linux for most instances now, only going back into Windows when there is no alternative. There are a lot of others now doing the same, but admittedly not in their millions. Ubuntu in particular has become so GUI-friendly that many people could use the default installation with a few updates through Synaptic without having to venture into CLI territory. Its not totally there yet but its getting that way. I feel much happier knowing that I have a relatively safe OS with Ubuntu should the brown stuff hit the fan with Windows OS's because of such things as Conflicker.

  15. Anonymous Coward

    what's a virus?

    damn, I must have been using linux for too long, I haven't seen a computer virus since I switched in the mid 90's. How does all this kerfuffle actually occur? A mixture of crap OS design (windows) and serious PEBKAC (windows users).

    Get with program or get left behind. *NIX is the future.

  16. Anonymous Coward

    @ What's a virus

    "Get with program or get left behind. *NIX is the future."

    Sorry but that is the funniest thing I've read all year! :-D

  17. Inachu

    Where is this worm writier?

    I want to make him feel considerable pain for messing up my monday.

  18. Inachu

    To my co workers

    My idiot co workers are helping in spreading this worm after I told them more than 3 times, "DO NOT USE YOUR USB FLASH DRIVES AT WORK!!!!!"

    do they listen? No.

  19. Tim Spence

    @ Telecide

    Yes, I appreciate there are some, like you, who do dabble with Linux, and some may inevitably stick. Also, out of all the distros, Ubuntu is probably the most proficient as a GUI mainstream operating system.

    The thing is, it still just isn't there - as quickly as Linux catches OSX/Windows/mature GUI OS, the competition just leap further away. The menuing and windows still look clunky, and the plug and play nature of installing (and uninstalling) software just isn't there - I've spent too many hours balls-deep in config files and yumming obscure and specific packages and modules, just to get simple pieces of software working. It should not be like that.

    As for the whole impact of Conficker on Windows boxes, it's down to idiot users. I run several WINDOWS machines on local networks where I know Conficker has infected, and I've not had any problems, because they are patched and protected by firewall/AV.

    I do an annual dabble with Linux

  20. Telecide

    @Tim Spence

    From your 'yum' reference, you've been fiddling with Fedora? I've found that distro way too fiddly to be considered appropriate for your average Windows user. The next release of Ubuntu (due out in April) is probably the closest yet to a good, user-friendly, ungeeky Linux distro which someone currently using XP/Vista could cross over to for general web useage, emailing, word processing, etc and not get their knickers in a twist over. I know what you mean when you say about the endless config files, etc. That scenario is greatly reduced and the PnP thing greatly increased with the latest Ubuntu, which is getting close to 'being there'.

    BTW, where you mention networks where you know Conflicker has infected, how did you detect this? Is there a way? If so, I'd like to check my work network out (5 workstations) if this is possible.

  21. zenkaon

    Still waiting for cornficker to turn on

    This worm's story is interesting, the bot masters are clearly on the defence and are probably doing a pretty good job of it.

    But as far as I understand, please correct me if I'm wrong, this worm hasn't actually launched any attacks yet. The bot masters are still in phase 1 - "Infect as many windows boxes as possible" (or in phase 1a - "consolidate and protect"). Should be fun when phase 2 - "full scale attack" starts up.

    Whatever they do I'll bet that MS and the AV guys will be several steps behind unable to comprehend the clusterfuck that has just happened.

    Well done for the people dabbling in Linux, true it's a bit trickier to configure, but so much more powerful and a hell of a lot safer. If in doubt - go ubuntu

  22. Fred

    Titles done belong here....

    I cant wait to see the total collapse of the internet and the world with it!!! about time something happened.

    Of course this has happened before and will happen again..... Its natural evolution,survival of the fittest.... but in a modern context.

    Let it happen... itll filter out M$ and the other multitude of crap anti virus companies and other spin offs and vultures... *cough* i mean paracites... praise be to El Reg, for their helpful insights and good guidance!!!


  23. Anonymous Coward
    Thumb Up

    Re: To my co-workers

    I had this problem for a while myself. As the senior ITO for my company, I made it IT policy to not use USB drives on the office computers. The IT staff complied, but the other staff didn't. So, my solution?

    Go into every damn computer in the office after hours, open them up, and physically remove all the wires to the motherboard from the USB ports except the two used for the mouse and keyboard (these are the ones mounted directly on the motherboard at the back of the case = a bitch to get to!). Sure, somebody could still stick a USB drive in one of those, but then a) they'd have to pull the whole case out of its under-desk slot to get to them, and b) they'd have to give up either the mouse or keyboard while it's in... Works a treat!

  24. Jay

    @AC Re: To my co-workers

    On the assumption that said boxes are running Windows, can't you just put in a policy/change the registry etc (sorry, I'm a UNIX guy) so that people can't attach such portable storage devices, or just tie down what drives they can access?

    That's what the desktop guys have done here by default, I had to ask nicely to allow access to USB storage.

  25. JD


    yeah theres loads of different methods

    disable autorun, disable plug and play, disable usb slots, etc

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2019