Conficker flaw reveals which computers are infected
Even worm creators write buggy software.
Once it infects a computer, the Conficker worm closes the hole in Windows that it used to get onto the system so no other malware can get in. This also makes it difficult for organizations to detect which computers have the legitimate Microsoft patch and which have the fake Conficker patch.
However, Conficker's "patch" has a weakness that can be used to distinguish between patched computers and infected computers that look patched, according to the nonprofit Honeynet Project.
Some of the researchers have released a proof-of-concept scanner that can be used to detect Conficker. The tool is being integrated into the free Nmap vulnerability scanner, as well as scanning tools from companies including Qualys, nCircle, and Tenable. The tools are designed for use by network administrators at companies, not consumer users.
"What we've found is pretty cool: Conficker actually changes what Windows looks like on the network, and this change can be detected remotely, anonymously, and very, very quickly. You can literally ask a server if it's infected with Conficker, and it will tell you," Dan Kaminsky, director of penetration testing at IOActive who worked with The Honeynet Project, wrote on his blog. "We figured this out on Friday, and got code put together for Monday. It's been one heck of a weekend."
Qualys' remote-detection Conficker scanner is automatically available to its subscribers and will be available to others soon, said Wolfgang Kandek, Qualys' chief technology officer.
The worm has been around since November, but the most recent variant is programmed to connect to other computers on April 1 and as a result has triggered mass confusion and a media frenzy.
The worm spreads by exploiting a vulnerability in Windows that Microsoft patched in October, as well as through network shares and removable storage devices like USB drives.
The latest variant shuts down security services, blocks connections to security Web sites, downloads a Trojan, and connects to other infected computers via peer-to-peer technology. It also includes a list of 50,000 different domains to reach out to for updated copies or instructions, but only 500 of those will be contacted on April 1. Earlier versions of the worm attempted to contact 250 domains.
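The daily domain reach-out described above is visible in DNS logs as one host resolving hundreds of distinct, never-before-seen domains in a single day, almost all of them answered NXDOMAIN because the names are unregistered. As an added example (not from the article or from any of the scanners it names), the Python below runs that check over constructed resolver log lines; the log format, the TLD list and the thresholds are assumptions.

```python
"""Flag hosts whose DNS activity matches the daily domain reach-out described above.

Added example, not code from the article or the Honeynet/Nmap/Qualys tools it names.
Assumes a resolver log of the form "<timestamp> <client_ip> <qname> <rcode>" and
uses demo thresholds rather than values from any vendor.
"""
import random
import re
from collections import defaultdict

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def make_sample_log():
    """Constructed log: one clean host plus one host that, like the article describes,
    reaches out to hundreds of distinct pseudo-random domains in a single day."""
    rng = random.Random(1)  # fixed seed so the demo is reproducible
    lines = [
        "2009-04-01T00:00:01 10.0.0.5 www.microsoft.com NOERROR",
        "2009-04-01T00:00:07 10.0.0.5 update.symantec.com NOERROR",
        "2009-04-01T00:00:09 10.0.0.5 news.cnet.com NOERROR",
    ]
    tlds = ["biz", "info", "org", "net", "com", "ws"]  # assumed for the demo
    for i in range(300):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(5, 10)))
        # Nearly all generated names are unregistered, so the resolver answers NXDOMAIN.
        rcode = "NOERROR" if rng.random() < 0.05 else "NXDOMAIN"
        lines.append(f"2009-04-01T01:{i // 60:02d}:{i % 60:02d} 10.0.0.9 "
                     f"{label}.{rng.choice(tlds)} {rcode}")
    return lines


def parse(lines):
    """Yield (timestamp, client, qname, rcode); skip lines that do not match the format."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()


def registered_domain(qname):
    """Collapse a query name to its last two labels so www.example.com and
    mail.example.com count as a single contacted domain."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def per_host_day_stats(records):
    """Bucket queries by (client, day), mirroring the per-day domain budget the article
    describes; track distinct domains and which of them came back NXDOMAIN."""
    stats = defaultdict(lambda: {"domains": set(), "nxdomain": set()})
    for ts, client, qname, rcode in records:
        key = (client, ts[:10])  # ISO date prefix of the timestamp
        dom = registered_domain(qname)
        stats[key]["domains"].add(dom)
        if rcode == "NXDOMAIN":
            stats[key]["nxdomain"].add(dom)
    return stats


def suspicious_hosts(stats, min_distinct=100, min_nx_ratio=0.8):
    """Flag (client, day) buckets with many distinct domains, most of them unresolvable.
    Thresholds are demo assumptions; baseline them against your own resolver first."""
    flagged = []
    for (client, day), s in stats.items():
        n, nx = len(s["domains"]), len(s["nxdomain"])
        if n >= min_distinct and nx / n >= min_nx_ratio:
            flagged.append((client, day, n, nx))
    return sorted(flagged)


def analyze(lines):
    """Parse raw log lines and return the flagged (client, day, distinct, nxdomain) tuples."""
    return suspicious_hosts(per_host_day_stats(parse(lines)))


if __name__ == "__main__":
    for client, day, n, nx in analyze(make_sample_log()):
        print(f"{client} on {day}: {n} distinct domains, {nx} NXDOMAIN")
```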
A quick way to tell if your computer is infected is to try to access the Web site of a major antivirus vendor, which the worm blocks.
The U.S. Department of Homeland Security has released a Conficker detection tool, developed by US-CERT, for government agencies and state and local governments to use.
The OpenDNS security services provider blocks access to the domains listed in the Conficker code. Microsoft has more information on its site, as does Symantec. The Web site of the Conficker Working Group, which is composed of companies allied to combat Conficker, also has information and worm removal tools.
Asked what impact the Conficker worm will have on Wednesday, Kandek said:
"I don't think anything is going to happen. Conficker authors are smart and determined people. They have a huge botnet in their hands, which they will try to get money from. It's better for them to fly under the radar and maintain as many machines from that botnet as possible. The real issue is this is a really good worm and...people are learning to write these things better and better."
Does that mean the next version will fix the flaw in the code?
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.




BTW, I use Windows, OS X, Linux, and Irix. I'm not infected either. Sorta ruins your whole argument right there.
You are doing a fantastic job of convincing people to not use Apple. I don't know exactly why you are on this crusade to make Mac fans look like drooling idiots without a single thought in their head unless Steve Jobs puts it there, but.. .well, that's the impression you are giving people with every one of your posts.
If this is intentional- it's very impressive.
If this isn't your intent- oh my...perhaps you didn't know.
The following are the ones who are at risk for the virus:
Who is at risk?
Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up-to-date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk since pirated systems usually cannot get Microsoft updates and patches.
http://www.macfixit.com/article.php?story=20090326104010541
"Keep on using that tired old 'security through obscurity' myth to explain the lack of any noteworthy virii for the Mac, dude. "
No problem. Simply have Apple get 75-90% of the marketshare. Once you do that, then you can talk.
You seem *very* interested in this Conficker exploit, AppleRocks1963. A little bit *too* interested in it in my opinion. Makes me wonder if the feds shouldn't be looking towards you for a sour-
BWAAHAHAHAAHAHA! I just can't do it, folks. I almost wanted to give this fellow enough credit of intelligence to actually write such an exploit, but it's simply beyond his capabilities. Nah, he's just a troll.
Explain why OS9 had at least hundreds of viruses. Explain why the MS servers, which do not have the highest market share have the most exploits among servers.
Market share and security have nothing to do with each other. A secure program is secure with 1 user or 1 billion users.
http://news.cnet.com/8301-1009_3-10154662-83.html
The Macintosh and base Linux kernel operating systems have dominated the top spots for vulnerabilities by operating system over the past three years
http://news.cnet.com/8301-1009_3-10199652-83.html?tag=mncol;posts
Safari hole exploited in seconds at security conference
It's just that FanBoys get under my skin I have the urge to squash them like a bug. I'm pretty sure that I am not alone in the sentiment.
Some people would call it 'Security through Obscurity." I would prefer to call it "Security through Ignorance."
"Yeah, and while we're at why don't we start believing in goblins, too, because we can't disprove the existence of them, either. "
Well, you're expecting people to believe in you... so....
Sad thing is that there very well may be an Apple virus going around that nobody knows about because the creators don't want to have it detected and removed.
Reality check Dan - if nobody knows about it, what good will any AV software do? The virus/malware must first be known by somebody (the AV vendor specifically) for the AV software to be updated to handle it. Or do you think those daily updates your AV software makes are because it's lonely?
Predictably, your next "argument" will be something along the lines of "oh, but the AV vendor *will* know". Then why not tell the world, since it would shut up so many annoying Mac heads?
Please, just stop. Your argument will go nowhere because it's not based on any sense of reality.
The best advice for Mac or Linux users is to run a hardware firewall and use Open DNS.
Best advice for Windows users is to run a hardware firewall, use open DNS, run the best AV software you can get and pull your hard drive from time to time and scan it from a known good system.
Apple has a relatively small market share and consequently has almost no one out there writing malware for it. The truth is, the Mac machines are typically the first to fall in the pwn2own contest every year. Moreover, whoever said that most Mac users who are infected probably are not aware of it is correct.
Any statements to the contrary are being made by foolish people with no understanding of cyber security.
In fact, ConFicker CANNOT install itself on Vista PCs..... UAC would pop up a warning saying "Hey, do you want this to install!" and anyone getting that message for no reason would say "Of course not!"
The problem with the UAC is that people got too used to it and would click on 'accept/allow' without reading the message itself. The message may say something like 'Would you like to infect your computer now?' and people would be in too much of a hurry and click yes. Win7 has dialed that back a lot so now if it comes up, it really IS for something important that could affect your system adversely.
ConFicker also can't install itself on any PC that is or has been up to date on its OS updates for the last several months.
The best thing that Microsoft could do: make automatic updates IMPOSSIBLE to turn off. Tell these companies that are using 'proprietary softwares' that seem to break with every single patch they put out..... to stop using those programs! I mean really, there comes a time when you have to say "This proprietary thing that I spent OODLES of money on..... makes it so that I cannot update Windows? DELETE, and call the company to DEMAND a refund!"
To be blunt.... that is just POOR SOFTWARE DESIGN when a small update wreaks havoc on a third-party program. I can understand a SERVICE PACK that changes a lot of things like SP2 and SP3 did doing that.... not small updates.
Also, I would start getting on the cases of people who are still using Windows XP. I told my cousin "Hello, it's time to update to Vista!" She tried giving me the 'whine' that "It will slow down my PC!"..... I got angry with her and feisty, because I knew better from my own testing. Windows Vista does NOT slow down a computer in the slightest, from my testing, REAL-LIFE...... i.e. none of those rigged "Benchmarking" programs..... it's faster than Windows XP in many situations.
Network speed: faster. Disc access: faster. The only knock I have against it is that it uses a LEETLE more memory at idle with nothing installed but Windows Vista itself than Windows XP.... but considering her machine had 4GB worth of RAM in it..... it wasn't anything noticeable.
Did you also hear what computer he uses? It is a Mac. An ex NSA spook using an easy to exploit computer?
With that attitude, you could get a job at Ximian/Novell.
There is a reason why even systems controlled by experts only have certain (usually audible) alarms for critical events. When even Microsoft are saying "yes, we got it wrong", it's time for the foaming-at-the-mouth fanboys to sit up, shut their mouths and pay attention.
1. OS 9 had many viruses written for it, most of them released in the wild. OS X hasn't had one virus. Try using your "market share" argument to explain that without laughing or telling bald-faced lies. I dare you.
2. You're right that the Mac has fallen in the "pwn2own" contest the last 2 years, but that's a little deceptive. Notice the OS has NEVER ONCE fallen, it's always an application running within (Safari this year, which was one of a collection of browsers to fall). I'm not saying that's a perfect record by any means, but compare that to the history winblows has earned. Gee, what article are we commenting on again? Oh yeah, yet ANOTHER winblows virus attack. Some people don't even consider these news anymore.
Winblows is insecure (it's getting better though). That isn't a belief, it's a fact proven by an undeniable track record. All the "UAC" cheerleading in the world can't invalidate facts. Besides, if UAC was all that powerful, why did M$ have to issue a patch against Conficker for fista? HUH?
The thing about the Mac falling in the pwn2own contest is that it fell *first*. And yes, another attack on Windows machines, why, because they're by far more prevalent. The likelihood of finding one without the security updates applied is far more likely than if they were to write a malicious program to go after a hole in OS X (yes they exist, all operating systems have holes) that had been found. If it had been found and patched the likelihood of finding an OS X based machine run across the right website without the patch applied would be low. Also, home users aren't going to be affected by this if they have the updates installed. That's why companies update their software, people find holes/ways to attack the software and they plug it up. With the prevalence of Windows based machines it's far easier for a coder to use one as a guinea pig and try to break it and the rewards from their attack will be bigger and yield greater results. To use an analogy here, if you're a predatory bird, you don't hang around the food source of your prey that's hard to get to and limited in number, you hang around the biggest, easiest to get to patch of food and wait, eventually one will slip up and expose themselves. That's what the attackers are doing. They hit the biggest, most exposed group (Windows) and just wait for someone to slip up and reveal themselves (get the worm) and then they get what they want.
That you don't know what the difference is between a browser and OS is not surprising at all.
This wins the ignorance award of the month.
It can and will get on a patched system because it can get on your system and run with other methods. Besides, having an OS use RPC is a literal open door.
I may have to rescind the award and give it to you.
Windows is insecure by default, its users are technically illiterate.
*** do you think is going to happen when you mix the two?
If you use a computer without understanding them like you and Dan clearly do not, and use Windows, you will get what you deserve.
There is now a variant of Conficker, Variant "C" which introduces new tactics in response to some of the measures taken to combat Variants A & B. Amongst other things, Conficker C is capable of copying itself to removable media (such as USB flash drives), where it infects new hosts using Windows AutoRun. It is also capable of spreading infection through P2P connections. Conficker C was first spotted March 4, 2009.
As for Mr and Mrs Sassypants, I have no idea who those people are either.
http://en.wikipedia.org/wiki/Conficker#Initial_infection
As for the Conficker thing, just unplug your internet on the days that it's supposed to update. It's that simple. No updates means it won't do anything bad.
Applerocks, just shut the hell up. Your ranting has taken away all doubt, you are an idiot.
Assuming the "1,100 Mac G5" cluster existed, I'm sure it crashed all the time; a network outage can often bring down the Mac OS. And there's a known, unpatched problem with OS X Server that causes 100% CPU use after serving a certain amount of data to client computers; I wouldn't like to be the one with the job of rebooting all those machines!
I'll likely do better on OS X when I learn the tricks of the trade for good disc management as you call it. On Windows I know what needs done. Mac, I'm learning.
Everyone seems to talk about Norton Utilities but the one I've found that seems to work better for me is Disk Warrior. Just make sure you defragment often and a couple of times a week, I clear all internet files. I never use the form-fill feature on my Macs either. We use several hard drives. My wife has a different hard drive for each client. Some are larger than others. The ones that we have found work best for us are Lacie. Any of them other than the ones designed by F. A. Porsche. Good luck learning Macs. I started on Macs and once I started working with PCs, I found that Macs were easier. You can also run Macs with the Unix operating system since it is Unix based.
Q: How exactly is this virus spread? The ol' email scam or file sharing?
Neither, since it isn't a virus, but a trojan. One has to navigate to the appropriate web site that is rigged with it, where it downloads "an important system update", places itself on the drive with the name svchost.exe (which is a program that Windoze uses), then makes a randomly named copy of itself, and installs itself as a DLL. It does this by taking advantage of a flaw in the way Windoze updates itself.
As for the results - there is lots of hype, but mostly, this worm will attempt to navigate to whatever sites you use and punches in passwords from a set list of about a hundred very weak passwords. If you use a weak password, then your e-mail or whatever can be exploited, by which the crackers will then purloin your e-mail in order to send out gobs of spam. If you do not have weak passwords, perhaps the worst thing is that "SVCHOST.EXE" ends up robbing 98% of your CPU in order to keep trying sites, once it has connected to the mothership to access a larger list of passwords.
There is not evidence that it will "wipe out your hard drive" or "make your monitor explode" - it will simply attempt to turn over all of your accounts that have weak passwords - so that they can spam even more people with endless spam about viagra/cialis, or whatever.
Two variants were quashed, but the patch enabled a third variant to become profuse. Fixing the third variant makes the system open to the original two variants; and since the performance reduction of the third variant is so pronounced, it is best to rid oneself of the first two (which are both smaller and harder to detect) than the third, which is a bit unwieldy (I have seen it drag a Core i7 Quad to a crawl yesterday, and I mean a crawl).
The third variant can be discerned by using a Find utility to look for SVCHOST.EXE, and any file with that name that is not in a directory called \SYSTEM32\ is the beast. If it is there, you will need to have the appropriate anti-viral to remove it, since it will have spawned off into a randomly named DLL file.
It can be passed by any media that is "autoloaded", especially if the preexisting and widely spread rootkit "Automatic Infant" is on the system, which makes spreading the beast easy-peasy. If one has all autoloading turned off, and takes care to avoid "Automatic Infant", it comes down to only one vector for infection, and that is to visit a site, click on an icon that downloads the executable trojan, and that the system also automatically runs anything that is downloaded. It can only infect a system through e-mail by the same means, by automatic or inadvertent execution of the trojan.
Unlike Windoze, there are no other OSes that automatically run arbitrary code - so a degree of social engineering would be required to trick the user into running it, or for a user to do anything as Admin and using weak (or no) passwords at all.
From Charlie Miller, winner of the pwn2own competition when asked what would he recommend, Windows, Linux or Mac.
Alan: Sure, the risk = threat x vulnerability x consequence concept. Macs have low threats but high vulnerability while Vista is the other way around. I recently switched to a Mac myself and wrote about it for Tom's Hardware (and had a lot of angry readers). Like you mentioned earlier, we want to support vendors with the most secure software, but it's not easy to always figure out which software is the most secure and sometimes the real-world risk is lower with a vulnerable platform with fewer threats.
So for our readers, what are some tips for running a "secure" PC/Mac/Linux machine?
Charlie: For all OS's, make sure you keep your system up to date. That's the best thing you can do. On a PC, I'd recommend running some AV software to help clean up when things go bad. Otherwise, just be smart, pay attention, and hope for the best. It is possible to really lock down your computer (running noscript for example) and make it safer, but in my opinion it's not worth the trouble and the loss of functionality you experience.
My Point?
Linux really doesn't have to be that hard.
After working with Linux and OS X I'm both liking and hating the mandatory password admin protection that should keep random programs from running. Windoze fix: don't play on your computer as an Admin unless you are doing Admin tasks. That's a different way of thinking for most. However, after a local shop hacked my password on my Windows machine (to prove a point, I think), I've been pondering security a lot more than I used to.
i am seriously confused
Does this happen on Mac or not?
the scan doesn't apply for microsoft????
and is this real or not?
If you haven't updated your Macintosh computer since October last year, you have a security flaw that allows any user of your computer to install a rootkit using just one line of Applescript.
Moral of the story: Macintosh users should not be so smug.
Why Safari? Why didn't you go after IE or Safari?
It's really simple. Safari on the Mac is easier to exploit. The things that Windows do to make it harder (for an exploit to work), Macs don't do. Hacking into Macs is so much easier. You don't have to jump through hoops and deal with all the anti-exploit mitigations you'd find in Windows.
It's more about the operating system than the (target) program. Firefox on Mac is pretty easy too. The underlying OS doesn't have anti-exploit stuff built into it.
aargh.
you cant fix it mike if it aint broken.
solution 2
switch off power for your PC and networking appliance or best residence's power switch? and light the candle and pray to your favourite deity for all the sin you have committed till date and beg borrow or steal deity's mercy. and when you hear all is safe? get back online, and start the usual gibberish. jurassic age. sheesh.
can we send MAC OS users be it intel/ppc to some outer planet/galaxy and label that planet as a hazardous zone and the tag "proceed at your own risk." because no matter what, be it windows, or linux/bsd/solaris, they are the max noise maker, like every other empty vessels all the time, while genuine mac user/dev's spend time developing new product(s).
i need an aspirin or some other headache pill. :-( this is ridiculous, sensationalization. bollocks! no wonder why divide by 0 is such a problematic problem.
yes, conficker will attack you and that will release the war heads and we all will die on 1 st of april (MAC users too).
"daddiiiiiiiiiiiiiiiiiiiiiiiiiiiiii i need a lolly pop."
ciao
and if you again read the post rather than a BLUNT argument? you will see i made a mockery of the so much hype about conficker worm/virus. world has more than 150,000 computers. and if thats so? that all the systems under windows are vulnerable? then how come so many more windows PC are still not infected? do those windows OS mutant variety even when online? like from some outer galaxy M$ merger with alien technology?
you need to stop playing games on your X-BOX and whine here about every mock post which you never understand. seriously IDIOTS NEED TO BE SHOT AT THE TIME OF THEIR BIRTH. this way we can solve 98% problems of this planet.
i have seen many ran windows non stop for more than 20 days w/o slowdown/reboot/virus attack? how is that possible? and i have seen many linux/bsd/unices ran for more than 2 years non stop, with advancements via loadable kernel modules than a new kernel a reboot? HOW?
and mac? mac is a mix of mach 3.0 and freebsd. so if you are asking to switch to MAC you are asking to move from windows and linux to freebsd. and since there is a port for freebsd ppc/ppc64? we might as well install freebsd for that port and carry our work. thus? WHINING AND ARGUING MAC USERS ARE USELESS AND NEED TO BE SHOT WITH A TRANQUILIZER WHENEVER ONLINE. and
You can't fix what you don't understand, and hiding your head in the sand tomorrow will not make this trojan disappear for PC users. Good luck, and I mean that.
oh oh oh, wow wow oooooooooo, you must be an alien. where is will smith and tommy lee jones when we need them most, else flash the memory eraser, i will take my glass off. i guess applerules is just a figment of my wild IT imagination.
in windows there is a nice tool from sysinternals where you can see how your file and filesystem and process and et all behaves, frikkin idiot. if you download those and install, if you run those utils and look at the console and not stare like how all whining mac users DO, you will see how your windows OS changes its behaviour when new software products are introduced. remember sysinternal's rootkit revealer? idiot. no wonder why any one sensible silently ignores MAC users comments to the dustbin of history. RETARD.
IGNORANT ABNORMAL MORON oh and here a bonus too, ABSOLUTE IDIOT.
nanana nanananana
NOW WHO IS IGNORANT? ;-) ha ha ha ha! appleruled got pwned man!
Do you think that Microsoft puts out Intel processors? If that is the case, then I suppose you think Motorola is owned by Apple. That is who put out the processors that Macs used for a long time. Apple switched to Intel for the same reason that most manufacturers switch components of the products they make. Usually, cost effectiveness. A processor can be used with any operating system. I could also ask why Michael Dell stated that he would use Mac OS X on all of his computers if Apple would sell the operating system to Dell? A computer is a computer. All operating systems have flaws. You have to remember when speaking about operating systems, you are not necessarily talking about the performance of the computer itself. In performance tests, most Macs perform better than most Windows-based machines. That doesn't mean that the operating system is better. Just the hardware. Windows-based computers that outperform Mac computers are out there but usually cost way more than a stock Mac. When you see that a Mac costs $2500 compared to $899 for a Windows-based machine, it is easy to say that Macs are overpriced. If you look at the performance tests you will understand that stock Macs are better equipped than stock Windows computers. Once you upgrade a Windows computer to the performance of a Mac, you have spent the same amount or, in most cases, more than you would spend on a Mac.
Also, if you go to Google, type in Dell Mac OS X, you will find several articles that talk about many people already using Mac OS X on a Dell Inspiron Mini 9.
http://hubpages.com/hub/_86_Mac_Plus_Vs_07_AMD_DualCore_You_Wont_Believe_Who_Wins
PS. Hellomad, Please try to keep hydrated. I know it hurts to swallow.
- by AWuchner April 1, 2009 4:23 AM PDT
- My team created step-by-step instructions to identify and fix Conficker infections on all kinds of systems, including Windows domain controllers. You can find the instructions on my blog at http://ITRiskSpace.com Positive feedback already available.
- Enjoy
- Andreas