So update it then
If the infected machines call-in looking for an update they are inviting that domain to make changes to their machine - why not provide them with an update that kills the worm?
The infamous Conficker worm is set to disrupt the operation of at least four legitimate websites this month. Machines infected with Conficker (Downadup) are programmed to dial home for updates through a list of domains which changes every day. Microsoft is heading an alliance to block unregistered domains on this list but that …
Surely the thing to do is agree with one of these websites to host a package that, if downloaded, would clean up the Conficker installation on the infected machine. That way they can at least reduce the number of infected machines out there.
I guess US liability laws stop them doing it, lest one of the machines crashes (even though it serves the owner right) due to the clean-up.
Bravo! Bravo! Finally a smart idea! I'm sure all those in M$ and Sophos and the hundreds of other virus tools out there are kicking themselves that they didn't come up with that one since it first appeared in November.
Perhaps it's not that simple? Reverse engineering a virus isn't like feeding a hamster. I'd imagine they've tried this and couldn't get the system to update, or they don't know how to disable it by doing so. Or the update tool might not be something that can be updated, so it always runs regardless of what each update is. The virus writer probably thought, just in case one or two cases get compromised, he can supply an alternate update on a later date to override this.
Or each time they find a way to 'update' it he changes it before they can fix it. It might only allow updates from that generated address, which isn't so easy since you'd have to wait for the timeslot, own the domain etc etc. It's a bit like tracking down WMD really, only without the ability to obliterate it without any real evidence of a fix being ready.
Seems to me that having a known date of attack and known target is an ideal opportunity to log the IP addresses of the actual infected hosts. Since the http request has been identified, the botnet boxen can be singled out from legitimate users. Then the target sends the info to the ISPs with a legal request to stop providing the means of the attack. The ISPs for the botnet hosts should notify the account holders that their computers are now part of the problem -- clean up or be blocked from the 'Net.
Hope I don't offend anyone by implying ISP should actually ACT on this problem, or that -- horrors! -- computer owners be held responsible for their own negligence! One would think that knowingly being part of a botnet would render a party legally responsible just like failing to confine a vicious dog to the backyard.
It's not just liability laws in the US; in the UK, for example, it would be a breach of the Computer Misuse Act, as you are causing unauthorised modification of the contents of a computer, with intent to impair operation of a program (even if the program is malware in the first place!)
This could be a useful way around the hacking laws not allowing them to send a bug round to clean up the bug ...
If they know where it is going to strike, they can leave their payload there.
Obviously only with permission from the host, whereas they are legally hosting a config file (there is no law against that) and a botnet that is already illegal connects to said address.
Whoops, did we leave that there!!!
But anyway, can we have a poll before Friday for whether people think it will actually get used ..
I reckon it's gonna take down overclockers.co.uk/
Not as easy as you might think. The report referenced in a Reg article a mere week ago ( http://www.theregister.co.uk/2009/02/23/conficker_variant/ ) suggests that there's some clever enough encrypted signature verification at work to ensure that only updates by the original virus' authors will be accepted and processed.
First, the updates are "signed" by private key encryption. The public key is in the worm binary itself, but the private key is, well, private and only held by those responsible.
As for identifying infected machines, I was thinking the same thing. This is a perfect opportunity to set up filtering which would identify the estimated 9m+ machines infected with the worm. At the very least, this would seem to provide a fairly accurate head-count. Good opportunity for the Feds, I would think.
Of course, holding individuals and ISPs responsible for this outbreak is pure rubbish. All of us are victims. Follow the trail back far enough and along the way you will find the virus writers' parents are at fault, but only because of a lack of a relationship with their siblings. But that, of course, is the result of an overbearing parental structure, which was, in turn, the result of puritanical views of child-rearing prevalent in the local culture. Go back far enough and you can probably blame God.
Is that it? In our new culture of victimization and self-perpetuating mediocrity, is everything God's fault? Ultimately, are we all victims of God's lack of competency or action against Evil? My word, what will they think of next? (And Holy Carp, I went a long way for that one!)
Paris, I blame God.
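To show why the "just push them a cleanup update" idea runs into the signature check described above, here is an added Python example (not code from the thread, and not Conficker's real scheme, which is not reproduced here) modelling an update check with only a public key embedded in the binary; the toy RSA key pair, its primes and the payloads are all constructed.

```python
import hashlib

# Constructed toy RSA key pair (tiny primes for illustration only; real code
# signing uses 2048-bit or larger keys with proper padding, same mechanics).
P, Q = 1000003, 1000033            # constructed small primes
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent (Python 3.8+)

# What the worm binary carries: only the public half, so every infected host
# can check an update, but nobody can produce a valid signature from it.
PUBLIC_KEY_IN_BINARY = (N, E)
# What only the worm's authors hold; never present on an infected machine.
AUTHOR_PRIVATE_KEY = (N, D)


def _digest(payload: bytes) -> int:
    """Hash the update; truncated so it fits below the toy modulus N."""
    return int.from_bytes(hashlib.sha256(payload).digest()[:4], "big")


def sign(payload: bytes, private_key: tuple) -> int:
    """Textbook RSA signature over the digest (no padding: toy only)."""
    n, d = private_key
    return pow(_digest(payload), d, n)


def verify(payload: bytes, signature: int, public_key: tuple) -> bool:
    """Recover the digest with the public key and compare."""
    n, e = public_key
    return pow(signature, e, n) == _digest(payload)


def worm_accepts_update(payload: bytes, signature: int) -> bool:
    """Model of the infected host's check: run only author-signed payloads."""
    return verify(payload, signature, PUBLIC_KEY_IN_BINARY)


def make_forged_signature(payload: bytes) -> int:
    """A defender with no private key: the best they can do is sign with a
    key pair of their own, which the embedded public key will not match."""
    p2, q2 = 1000037, 1000039        # constructed primes for the forger's key
    d2 = pow(E, -1, (p2 - 1) * (q2 - 1))
    return sign(payload, (p2 * q2, d2))


if __name__ == "__main__":
    update = b"constructed: author's real update"
    cleanup = b"constructed: defender's cleanup payload"
    print(worm_accepts_update(update, sign(update, AUTHOR_PRIVATE_KEY)))
    print(worm_accepts_update(cleanup, make_forged_signature(cleanup)))
```

Swapping in a symmetric (HMAC) scheme instead would put the signing key inside the binary, which is exactly why an asymmetric design stops the sinkhole operator from pushing anything the worm will run.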
This has been debated to death already. It sounds like a good idea, but would be illegal as an act of computer intrusion. They'd also be liable for any and all damage it causes. With millions of infected machines, anything you write is all but guaranteed to screw up on some of them.
Surely Obama or one of his minions could give immunity to prosecution to some security professionals to do this? After all, in this case there is no perfect way of stopping this infection, so it's a case of someone with clout deciding which is worse: 9 million infected machines around the world, or some of those falling over when they are remotely cleaned?
...so I like the idea of identifying infected machines and contacting the owners, perhaps even cutting them off!
Whilst it won't get all of them, and it's only one infection out of many, it might *just* serve as a wake up call to people that "t'internet" is the electronic Wild West, and not a place to meander around unprotected and not expect to get mugged in some way!
Since virtually all of this runs off systems running their software, the sad part is that they COULD actually fix this if they had written any version of windoze properly....
(1) you are only allowed to install into your own program files folder
(2) you may never create hidden files
(3) you may never create rootkits
(4) you may never update anything in the windoze folder
(5) you may never update the registry (worst idea, EVER)
(6) you may only execute in your own little sandbox
(7) you may not access the internet without permission of the firewall
I dibs IP on all this
Basically this guy says "we know these are legit domains, but we'll blacklist them anyway, which is kind of a problem for them".
Well, why don't you just let them go then? If they are legit domains, the worm can't use them anyway.
Now the DDoS attack-like risk is still real, though the big guys can probably cope with a few million connections over a few hours, even if they have to bring their sites down for that period. Hardly the end of the world. Especially if they know about it in advance.
Sheesh, security guys sure do love to make up phoney problems these times.
Just insert some global govt interstitial Ads into said http requests, so that the evil botmaster gets some social reprogramming, all paid for by advertisers.
The software to do this is phucking called "Ph**m" mate, you can get it on torrents :-)
Mines the long coat with unbreakable encryption on the pockets, and a tin-foil hood.
Paris, cos she can lick my .conf anyday.