Scary
1st April 2009 12:00
Skynet seed code spread using conficker bot to 2 million machines
12:01
Sentience
12:02
Kills AV websites
12:03
Bids on ALL DARPA projects
12:04
Finishes em ALL
12:05
Bored now! Playing Tetris against itself
Security watchers are counting down to a change in how the infamous Conficker (Downadup) worm updates malicious code, due to kick in on Wednesday 1 April. Starting on 1 April, Windows PCs infected by the latest variant of the Conficker worm (Conficker-C) will start attempting to contact a sample of 50,000 pre-programmed …
Maybe it'll just blow a massive e-raspberry and disappear. I'll be booting into Linux on the day, just in case.
It seems strange that nobody can stop it, although they can dissect and monitor it, and nobody has a clue as to who is behind it. A false flag to encourage further internet restrictions?
"Microsoft is heading an alliance, the anti-cabal alliance, .."
That made me smile, John, ironically. :-) Do Microsoft recognise that it is their Core Services and Drivers which are badly infected/compromised/affected? Or that it is all Binary Control Systems, whether hardened or not.
"In a financially motivated economy it doesn't make sense to not rent it out or sell it off," he adds. Has anyone considered it could be "loaned" on a freelance basis for specific random national attacks ... a sort of rogue mercenary force with no definable affiliation ... a sort of hired gun/Hit and Run Program of Fleeting Destruction for Chaos Purges.
And I think it most unlikely that it will do anything obviously spectacular whenever it can be so much more successful, so invisible and unknown a known.
And I suppose the Pentagon have Systems in place to prevent snooping around its Toxic Lead Dumps/Top Level Domains for Source Infection/Stealth Propagation. It is something which DARPA/IARPA would just love to be Pimping, surely, in a Long Game of Naked Shorts?
... "security software" vendors making scary predictions, scareware roaches trying to slip in, nothing new really... if memory serves, the previous version of the worm was supposed to disrupt half the tarwebs, now a huge noise is created around the next update (there have been, like, 3 such update points already I reckon. Each time we had the "Oh noes we're all gonna die" stuff from Symantec and El Reg, I for one know I am still there.)
Wipe and harden your networks, work on your overflow-dodging strategies, it's going to be time well spent anyway, but please stop with this continuous "run for the hills" hysteria. I mean, look at your title, then read your own article, then check the facts. Wow. Title has nothing to do with the content of the article, which itself is a quite liberal (and drama-like) interpretation of the facts.
"Final countdown to Conficker 'activation' begins", really? I think not. More like "final countdown to some possible connection that -if successful- might result in some modification of the worm's code, which, if successful, might -but most probably won't- add a malicious payload, which, in turn, might lead to the 'activation' of the botnet. We are all going to die on April first, then." It's quite a bit of a stretch, don't you think?
...why not:
1) Register a slew of target domains (pseudo-random implies the domains can be guessed)
2) Log the IPs of all machines that connect
3) Send those IP logs to the relevant ISP
4) Have them remove/block the offending clients
5) If the ISP does not confirm within 24 hours that all clients are blocked/removed, block all traffic with that ISP
6) When the infected end-user complains, the ISP can recover any costs from them.
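An added example (not from any commenter) of what steps 1 to 5 of the plan above look like in practice: a small Python triage of sinkhole logs. The log lines, the prefix-to-ISP table and the ISP names are all constructed placeholders, not real data.

```python
"""Sinkhole log triage: log the IPs that hit the registered rendezvous domains,
group them per ISP, and flag ISPs that have not confirmed cleanup within 24 hours.
All inputs below are constructed for illustration."""
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sinkhole log: one connection per line (timestamp, source IP, domain).
SINKHOLE_LOG = """\
2009-04-01T00:00:07Z 198.51.100.23 qwzvpbfx.info
2009-04-01T00:00:09Z 198.51.100.23 hlmtaqoe.biz
2009-04-01T00:00:12Z 203.0.113.8 qwzvpbfx.info
2009-04-01T00:01:03Z 192.0.2.77 kbdpyuin.org
2009-04-01T00:01:40Z 203.0.113.200 hlmtaqoe.biz
"""

# Constructed (hypothetical) mapping of address prefixes to the ISP that owns them.
ISP_PREFIXES = {
    "198.51.100.0/24": "ExampleNet",
    "203.0.113.0/24": "SampleTel",
    "192.0.2.0/24": "DocuCable",
}

def parse_ts(text):
    """Parse the ISO-8601 UTC timestamp format used in the log."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")

def parse_log(text):
    """Step 2: return a list of (timestamp, ip, domain) tuples from the raw log."""
    rows = []
    for line in text.splitlines():
        ts, ip, domain = line.split()
        rows.append((parse_ts(ts), ipaddress.ip_address(ip), domain))
    return rows

def infected_hosts_per_isp(rows):
    """Step 3: group distinct source IPs by owning ISP; unmatched IPs go under 'unknown'."""
    nets = {ipaddress.ip_network(p): isp for p, isp in ISP_PREFIXES.items()}
    per_isp = defaultdict(set)
    for _, ip, _ in rows:
        isp = next((name for net, name in nets.items() if ip in net), "unknown")
        per_isp[isp].add(str(ip))
    return {isp: sorted(ips) for isp, ips in per_isp.items()}

def overdue_isps(notified, confirmed, now, sla=timedelta(hours=24)):
    """Step 5: ISPs notified more than `sla` ago that have not yet confirmed cleanup."""
    return sorted(isp for isp, t in notified.items()
                  if isp not in confirmed and now - t > sla)
```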
I'm no coder, let me get that caveat out there first and foremost.
There are about 5000 domains, right? Some are known. Conficker is designed to update via these servers and pass around. Am I the only one that has thought about trying to get hold of one of these update server addresses, and putting an 'update' on there that basically disables it?
That's the thing about autoupdates - it's great as long as you're sure you always want the updates available. I personally don't, and that's why Windows Update is set to 'tell me of new updates' rather than install automagically.
Scary has a humorous point . . .
Bit worrying all this with less than a week to go, but what can be done by the government and internet authorities and our protectors to circumvent this, plus the unrest that's brewing over the G20 meet? . . .
As well as stronger global financial security and oversight it appears we need a similarly coordinated international internet oversight and protection arrangement and fast.
Why does everybody always assume this will be a negative thing? Maybe the whole thing's been designed by some philanthropist who's decided to fight fire with fire. An anti-virus worm with a "robust" P2P network allowing for near-real-time updates from future threats, perhaps? You heard it here first, and I want my millions of well-deserved theoretical dollars should this come to pass.
I for one welcome our virus-battling, virus-writing overlord(s).
in me cries wonderful, I must get some popcorn.
The IT professional in me shrugs and thinks... At least it might generate me some more work.
The (novice) coder in me thinks... Nice one, some cool features and good ideas but the encryption and obfuscation could be improved; your code has been reversed.
The (expert) wanker in me thinks... I hope this does not disrupt my access to porn.
The realist inside me just doesn't give a shit. It is not like it's going to have a massive impact on my life.
I was reading the report http://mtc.sri.com/Conficker/ It's interesting but eye glazing stuff.
Its Appendix 1, Cumulative Census by Country.
Am I reading this right? At their honeypots they detected the following breakdown of the drones?
Browser Breakdown:
IE5=26,525, IE6=7,494,466, IE7=2,988,039, Firefox=893, Opera=150, Safari=166, Netscape=12
So, as a guy who goes out and fixes PCs for a living, I should be getting my clients to use IE6 for repeat business, and anything but IE if I want to be able to sleep at night.
Sigh, no wonder I'm just barely making the bills.
It would be nice if it were that simple, but life rarely is. Apart from being illegal, what happens when a bug in the hypothetical Conficker disabler you speak of accidentally corrupts the Windows system files of half the machines it gets installed on? Do you think a major software vendor would accept responsibility for any losses and own up to illegally downloading their fix onto millions of PCs without the users' consent?
Secondly, if Conficker is as well-written as the security folks tell us it is, then it's not going to accept just any old update. It will only install a new payload if it has been signed in some way by the original authors, much like a typical antivirus program will only install updates it can verify as having come from its parent company.
/Tux and I will be sitting down with our popcorn come April 1 to watch the fireworks (or damp squibs).
But I really really want this to go MENTAL!!!!!
My trial ends soonish and my speciality is fixin' lusers' computers
"it said i had a virus and i need to click on this to de-infect... was i not meant to do that"
anon: Well, come on, I'm wanting computer armageddon
You don't make friends that way!!
The Internet can be accessed from pretty much anywhere right?
The internet is the WORLD's primary medium of long distance communication.
Cornflicker has massive potential to cause a disruption of the world's communication systems.
An attack on a planet's communication systems can only mean one thing.........
INVASION!
If the registrars weren't all so goddamn lazy they'd pool a list of who owns those domains, then on April 1st it's just a matter of issuing 50,000 queries and finding which site has the payload. You've got to pay to register a domain? Then follow the money.
And please don't tell me they're still offering those "free 1 week trial of your domain" teasers - if they are then they're just as culpable here as the morons who aren't running virus checking on their PCs.
"(did anything important actually screw up because it was programmed with a two digit year instead of a 4 digit year?)"
Yep it screwed up, but not on a two digit date - my local video library system went berserk about the video that I'd had over the new year break, for minus ten years.
Turns out that the year was always nineteen-ninety-something - so they had a 1 digit year and it went back to 1990
The problem with all this crying wolf is when something really nasty *does* hit (a virus reaches the point where it can't be stopped and it will do a lot of damage, guaranteed) nobody is going to be listening any more.
I much prefer f-secure's take on the matter:
http://www.f-secure.com/weblog/archives/00001636.html
Teh conficker is coming teh conficker is coming!!!!!1111!!11111!!!!!oneeleven!!111.
Really, seriously people, turn down the fucking hype machine and take a deep breath please. Like I said before, watch your systems, patch/disinfect/harden as necessary and get on with business. But the constant proclamations of doom at the hands of Conficker are really getting out of hand and potentially distracting people from doing what they can to protect their systems. It really is getting a bit like the boy who cried wolf, since it seems every time someone discovers so much as a misplaced period in the code of Conficker, then that discovery somehow deserves a press release touting how the world is going to come to an end at the hands of this worm (this is particularly true of the twits at Sophos).
I wouldn't be surprised next to find a news story saying that conficker will cause you to become sterile, blind, and grow a third arm while simultaneously killing your dog and causing your mom to mate with the nearest gold fish.