
Comments on: Conficker wakes up, updates via P2P, drops payload

The worm is updating itself on infected computers via peer-to-peer and is programmed to stop running on May 3, Trend Micro researchers say.

Showing 2 of 2 pages (57 Comments)
by homey4u April 9, 2009 11:16 AM PDT
It's good to keep your antivirus updated
by homey4u April 9, 2009 11:27 AM PDT
We don't like Turing to send an email on CNET
by elgin54 April 9, 2009 11:29 AM PDT
I have not been on-line with my home computer since early Feb, does anyone know if maybe I escaped the 'activation' of the Conficker if I am indeed infected? and if not, should I bother backing up my 'sensitive data' before I connect again?
by The_happy_switcher April 9, 2009 11:39 AM PDT
I would just throw the PC out the window from several stories up.
by farmfreak April 9, 2009 11:49 AM PDT
Could someone please explain to me why in God's name you need 5 different versions of XP, Vista and now Windows 7 to run on a computer?
by monkeyfun14 April 9, 2009 4:02 PM PDT
Could you explain to me what this comment has to do with the story at hand?
by chash360 April 9, 2009 1:00 PM PDT
FYI: Patching will NOT protect you completely! I have personally seen this worm spread via flash drive, to newly installed systems, with complete up-to-date security patches applied and corporate ($$$) antivirus security software installed with up-to-date definitions, prior to any network connection of the system. I was specifically trying to avoid such network infections, by completing all security patching offline, on newly imaged servers, via patches and security software transferred and installed by flash disk.

After much research and personal code tracing this malware also attacks and spreads via the AutoRun features built into MS OS's, that are turned on by default. What is not realized is that these features are not easily turned off, even when you think they are. When you insert a CD in a drive, or a flash disk in a USB port, by the time the OS asks you what you want to do with the newly inserted media, it's already infected your system. Even when the 'AutoRun' feature setting presented to ordinary users is turned off.

It angers me incredibly because MS users have been stung by this before, and MS knows it. These things they think are neat features, designed for the dumbest of users, are huge security holes. If you do not know what to do with the media you insert, you should not be using a computer in the first place. Secondly, even the best Virus scanning software is not catching these spread vectors, particularly with flash drives because deleted files are not actually erased, and the scanners do not scan the 'free space' where these things can hide.

DOD Cardinal Computer Security Rule #1 YOU NEVER EVER AUTOMATICALLY EXECUTE ARBITRARY CODE (IOW: There should always be a human action to initiate arbitrary code execution)

If MS and the other vendors out there would quit writing code that does this, then there would be NO spread of malware like it is today. Every form of malware would then become merely a trojan, requiring a user to initiate and infect, and would allow virus scanners to catch, and would allow such risks to be caught, faster than they can spread.
by monkeyfun14 April 9, 2009 4:04 PM PDT
There is always human interaction to launch code...

Conficker requires human interaction; spreading by flash drives is done by cleverly hiding the run part of the command.
by chash360 April 10, 2009 6:27 PM PDT
NO, there is NOT always human interaction. Take any scripted web page. You nav to the page and your browser executes whatever code is contained within. This was fine when it was just text markup, fonts, and display formatting. But with ActiveX, etc. you now open your file system and process space to significant risk. Anything that listens on a port, that does not properly handle all errors, and check all buffer boundaries, and trap all escape sequences (or better yet has no escape sequences) is a potential hole.

When you insert a flash drive, the system automatically begins to scan the data on it to give you a list of options of what to do with it (I assume this feature is for the idiots who don't know what they are doing) even when autorun is supposedly off. The function that is performing this scanning is being overwritten by this worm, so that it spreads itself to any media it can, upon insertion. The mechanism by which it gets to overwrite this function still eludes me, as I said the systems I observed this on were new, never connected to any network. I immediately remove any autorun.inf file from any media I use, as well, turn off this feature in any system I am responsible for.

Additionally I have begun disabling the thumbnail display feature of MS systems, since the GDI sub system seems to continually have flaws that allow for code execution upon parsing a 'specially crafted photo'.
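An added example, not part of any comment in this thread: a defender-side audit of an `autorun.inf` file copied off removable media, listing the `[autorun]` entries that name a program to launch even when the file is padded with junk lines. The function name, the sample bytes and the file names in them are constructed for illustration.

```python
import re

# [autorun] keys whose value names a program for Windows to launch.
EXEC_KEYS = {"open", "shellexecute"}
# Context-menu verbs of the form shell\<verb>\command also launch a program.
SHELL_CMD = re.compile(r"^shell\\[^\\]+\\command$")


def audit_autorun(raw: bytes) -> list[tuple[str, str]]:
    """Return (key, value) pairs from [autorun] that would execute something.

    Lines that are not key=value pairs are skipped rather than treated as
    errors, so padding between the real entries does not hide them.
    """
    findings = []
    in_autorun = False
    text = raw.decode("latin-1")  # maps every byte to a character, never raises
    for line in re.split(r"[\r\n]+", text):
        stripped = line.strip()
        if stripped.startswith("[") and stripped.endswith("]"):
            in_autorun = stripped[1:-1].strip().lower() == "autorun"
            continue
        if not in_autorun or stripped.startswith(";") or "=" not in stripped:
            continue
        key, value = stripped.split("=", 1)
        key = key.strip().lower()
        if key in EXEC_KEYS or SHELL_CMD.match(key):
            findings.append((key, value.strip()))
    return findings


# Constructed sample: real entries interleaved with junk bytes and comments.
SAMPLE = (
    b"\xf3\x91\x07kq=\x1ezz\r\n"          # junk before any section
    b"[AutoRun]\r\n"
    b"\xa0\xa0;;\x03\r\n"                  # junk padding
    b"; a comment line\r\n"
    b"icon=setup.ico\r\n"                  # cosmetic, not executable
    b"OPEN = setup.exe\r\n"
    b"\x9c\x88\x00\x17\r\n"                # more padding
    b"shellexecute=launcher.exe /start\r\n"
    b"shell\\open\\command=launcher.exe\r\n"
    b"[other]\r\n"
    b"open=ignored.exe\r\n"                # outside [autorun], not reported
)

if __name__ == "__main__":
    for key, value in audit_autorun(SAMPLE):
        print(f"{key} -> {value}")
```
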
by jkessel April 9, 2009 5:35 PM PDT
I wish these journalists would bother to talk to us computer guys in the field. We have been dealing with this Malware for years - I must have cleaned this puppy a hundred times before anyone even noticed it was around - starting 3 years ago as SmitFraud, PSGuard, Antivirus gold, EliteCodec, Antivermins, WinAntivirus 200x etc etc etc... yawn - the sad part is not really that you have no idea what you're talking about, but you are regurgitating the claptrap being spat at you by Anti-virus software marketing and so called Researchers & Analysts - whose primary job seems to be invoking panic to spur sales. Wiki RBN or Russian Business Network and start your process of learning. I have not seen one vendor outside of Avast and Eset protect a system and I make a living off the backs of Symantec's junk software. Granted it's always a tough fight, but if you think these AV vendors don't have the technology at their disposal to remove this or protect your system? - think again! For years we have relied on third party micro tools which thankfully have been written and updated by individuals which routinely save our customer's ass but we NEVER EVER see this technology incorporated into AV software - EVER - What is it that they do in their ivory towers! Oh right figuring out more ways to create false panic and rip off your clients!
by grecs April 9, 2009 10:40 PM PDT
Although most of us wouldn't condone this sort of activity, it was smart of the owners to wait a week or so after all that media attention.