FAQ: Conficker time bomb ticks, but don't expect boom
There's been lots of hype about the fact that the latest variant of the Conficker worm is set to start contacting a new batch of Internet domains on April 1, as if it were an April Fool's Day time bomb with some mysterious payload.
But security researchers say the reality is probably going to be more like what happened when the clocks on the world's computers turned to January 1, 2000, after lots of dire predictions about the so-called millennium bug. That is, not much at all.
"It doesn't mean we're going to see some large cyber event on April 1," Dean Turner, director of the global intelligence network at Symantec Security Response, said on Wednesday.
It's likely that the people behind Conficker are interested in using the botnet, which is comprised of all the infected computers, to make money by distributing spam or other malware, experts speculate. To do so, they would need the computers and networks to stay in operation.
"Most of these criminals, even though they haven't done something with this botnet yet, are profit-driven," said Paul Ferguson, an advanced-threats researcher for Trend Micro. "They don't want to bring down the infrastructure. That would not allow them to continue carrying out their scams."
To help clear up some of the confusion about Conficker, here are answers to common questions people may have.
What is Conficker and how does it work?
Conficker is a worm, also known as Kido or Downadup, that cropped up in November. It exploits a vulnerability in the Windows Server service that Microsoft patched in October with the out-of-band MS08-067 update.
Conficker.B, detected in February, added the ability to spread through network shares and via removable storage devices, like USB drives, through the AutoRun function in Windows.
Conficker.C, which surfaced earlier this month, shuts down security services, blocks infected computers from connecting to security Web sites, and downloads a Trojan. It also reaches out to other infected computers via peer-to-peer networking and, starting April 1, will generate 50,000 candidate domain names a day, of which each infected computer will contact 500 to pick up updated copies of itself, other malware or instructions. Previous Conficker variants were written to generate and connect to 250 domains a day.
Among the domains on Conficker's list was that of Southwest Airlines, which was expected to see a spike in traffic from the botnet on March 13. But a Southwest spokesman said the worm had had no impact on the site.
Where did Conficker come from?
Some pieces of the Conficker code and the methods it uses resemble those of earlier botnet worms created by the underground operation known as the Russian Business Network and its cohorts in Ukraine, Ferguson said. But while there is speculation, researchers don't know for sure who is involved, he said.
"There is some evidence to indicate that this might at one point have been tied to distribution of misleading apps and rogue affiliate networks," said Symantec's Turner.
How is it different from other Internet worms?
Conficker has grown more sophisticated with each iteration, adding features designed to prolong its life, most likely in response to researchers' attempts to block it. After researchers began preregistering the domains the code would generate, the Conficker.C authors upped the ante by having the algorithm produce 50,000 possible domains a day instead of 250, throwing a big roadblock in front of efforts to counter the worm: a defender who wants to deny the botnet its update channel now has to hold every one of them, because the creators use strong encryption to hide which random 500 of the 50,000 will actually be contacted on April 1.
It appears the authors may also be intending to create domain collisions by targeting domains that are already in use by legitimate owners, Ferguson said.
"They're creating collateral damage, throwing a monkey wrench into our ability to counter them," he said. "What they're trying to do is make our lives miserable on any efforts to mitigate the threat."
Some of the tactics, including the domain randomization, inter-node communication, and use of strong encryption, are new, according to Ferguson.
"They are using tactics that are probably the most complex and sophisticated botnet tactics we've seen to date," he said. "This is very professionally architected design and development."
Added Turner: "This is the first widespread distribution of a worm since about 2004," when Sasser came out. That worm was believed to have infected as many as 500,000 computers.
What is being done to fight Conficker?
Microsoft has partnered with all the major security companies and domain registrars and registries to form the Conficker Coalition Working Group. The parties are collaborating on research, trying to put the pieces of the puzzle together and figure out who is behind the worm and how to stop it. They are using techniques like behavioral analysis of the code and reverse engineering, but researchers don't want to reveal too much information on their efforts. "We have made headway but I'm hesitant to talk about how far we've gotten," Turner said.
Researchers in the U.S. are preregistering domains that are targeted, but experts in Canada are going even further. The Canadian Internet Registration Authority is taking steps to block domains generated in Conficker code that fall in the .ca top-level domain from being used in the botnet, the nonprofit agency said. "If other domain registries were able to do the same thing it would go a long way toward helping mitigate some of the ability for the botnet to breathe," Ferguson said.
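To make the arithmetic behind the domain-generation arms race and the registry-level blocking concrete, here is a small Python model. It is an added example, not code from the article and not Conficker's actual algorithm (whose details this page does not give): the hashing, seed, TLD mix and the way the 500-of-50,000 pick is made are all assumptions chosen so the script runs offline and reproducibly. What it shows is why 250 candidates a day were affordable to preregister, why a hidden 500 out of 50,000 are not, and why a registry such as CIRA blocking every generated name in its own TLD takes that slice off the table no matter which 500 the bot picks.

```python
import hashlib
import random
from datetime import date

# Assumed TLD mix for the toy generator; it is not Conficker's list.
TLDS = ("com", "net", "org", "info", "biz", "ca", "cn", "ws")


def generate_domains(day, count, seed=b"toy-dga"):
    """Toy date-seeded domain generation algorithm (not Conficker's).

    Every bot that knows the seed and today's date derives the same list,
    so the operator only has to register one name ahead of time, while a
    defender who wants certainty must hold all of them.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                          # 8 to 12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def choose_contacted(candidates, count, day, seed=b"toy-dga"):
    """Pick the subset a bot actually queries (500 of 50,000 for Conficker.C).

    The pick is seeded here so the script is reproducible; in the real worm
    the rule for this selection was hidden from researchers behind encryption.
    """
    material = seed + b"pick" + day.isoformat().encode()
    pick_seed = int.from_bytes(hashlib.sha256(material).digest(), "big")
    return random.Random(pick_seed).sample(candidates, count)


def defender_coverage(candidates, contacted, preregistered=(), blocked_tlds=()):
    """Count how many of today's contacted domains defenders already hold,
    either by preregistering names or because a registry blocks the whole TLD."""
    held = set(preregistered)
    held |= {d for d in candidates if d.rsplit(".", 1)[1] in blocked_tlds}
    caught = sum(1 for d in contacted if d in held)
    return {
        "candidates": len(candidates),
        "contacted": len(contacted),
        "held_by_defenders": len(held),
        "contacted_and_held": caught,
        "open_to_attacker": len(contacted) - caught,
    }


def scenario(day, candidate_count, contact_count, preregister_budget, blocked_tlds=()):
    """Model one day: defenders preregister up to `preregister_budget` names,
    working through the candidate list in order, and registries block the
    given TLDs; report how much of the bot's contact list is still open."""
    candidates = generate_domains(day, candidate_count)
    contacted = choose_contacted(candidates, contact_count, day)
    preregistered = candidates[:preregister_budget]
    return defender_coverage(candidates, contacted, preregistered, blocked_tlds)


if __name__ == "__main__":
    d = date(2009, 4, 1)
    # Earlier variants: 250 candidates a day, all contacted, all affordable to preregister.
    print("250/day, 250 preregistered:", scenario(d, 250, 250, 250))
    # Conficker.C: 50,000 candidates, a hidden 500 contacted; the same 250-name budget catches almost none.
    print("50,000/day, 250 preregistered:", scenario(d, 50_000, 500, 250))
    # A registry blocking its whole TLD removes that slice regardless of which 500 are picked.
    print("50,000/day, .ca blocked at the registry:", scenario(d, 50_000, 500, 0, blocked_tlds=("ca",)))
```

Run as a script to see the three scenarios side by side. The model deliberately has the defender register in list order rather than guessing the pick, because that is the position researchers are in when the selection rule is encrypted: any 250 names they choose have the same expected overlap with the bot's 500, roughly 2.5 domains.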
Conficker has proved to be such a nuisance that Microsoft has even offered a $250,000 reward for information leading to an arrest in the Conficker case.
What can I do?
Computer users should apply the Microsoft patch for the Server service flaw and update their antivirus and other security software. Keep in mind that the patch alone does not close the worm's other routes in: the .B and .C variants also spread through network shares and through AutoRun on removable drives.
Windows users should also apply the Microsoft update for the AutoRun feature that was released in February (KB967715). Before that update, Windows did not always honour the NoDriveTypeAutoRun registry setting used to turn AutoRun off for particular drive types; with it applied, an administrator can selectively disable AutoRun for removable, network or other drives and rely on it actually being disabled. Besides putting USB drive users at risk from Conficker and other malware, AutoRun has been blamed for infections spread by digital photo frames and other storage devices.
Panda Security has also released a free "vaccine" tool for blocking malware that spreads through USB drives.
Microsoft has a Conficker removal tool. More botnet information and removal resources are on the Shadowserver Web site.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
I think it is a little foolish to just assume that the point of activity like this isn't to tear the whole freakin' system down. The ultimate protest against that would punish companies terribly by costing them squillions.
Understand, people, that there is strength in diversity.
Same problem with show dogs. They are vulnerable to all sorts of genetic defects because of inbreeding. Say no to inbred operating systems and inbred anything.
This really is the fault of the US government for allowing Microsoft to extend its monopoly by not handing out sufficient punishment for their abusive monopolistic practices.
Competition is good for consumers on every level. Monopolies cause more headaches than they are worth simply because monopolies are usually only interested in themselves and care not for everyone else.
In fact, the DNA of all human beings on earth is 99.9% the same. The amount that varies is only 0.1%, proportionally less than the differences between, say, XP and Vista! There is no such "strength in diversity" in the human race, or even in primates (chimps have 95% the same DNA as we do) or mammals or in fact all animals.
Hence diseases can jump from a pig or a chimp or a bird to human beings. Hence all of us are susceptible to ebola. Yes certain viruses could indeed wipe out the human race (which is why a bird flu mutation would be so devastating.)
If human beings didn't share 99.9% of the exact same DNA, then we'd lose "compatibility". Sound familiar? Except in biological terms that would mean we couldn't reproduce and would cease to exist as a species, which would really suck. So thank God (or Darwin) that we're all virtually the same.
Some humans will do stupid things like sharing needles, having unprotected sex with a lot of strangers, not using an anti-virus, or downloading random programs from porn sites. Yet humans live on, and so will the Windows ecosystem.
Today's society is geared more and more towards a uniform, singular manifestation, a monopoly, be it software, agriculture, fisheries etc.... Homogenization is counterproductive to the survival of us all, be it food, animals, modes of transport, even software. There should be a diversity among all with a level of compatibility. Bovines are very much like us as they are different from us; however they have the same needs as we do, breathe, eat, sleep etc... They are treated as a resource from which money is to be made.
Everything in life should be considered as a part of a whole rather than a whole part, everything, not just software, water, food, fuel, everything.
Perhaps if another company were offering a truly competitive solution Microsoft would not be in this monopolistic situation they're in. Competition is indeed good, but as I see it OS X is the only real competition (on the operating system front) at this point and most people don't want or can't afford spendy (although top-end) hardware. Linux just isn't there yet for the majority of consumers -- part of it is because Microsoft is winning the mind share and patent battle, and partly because at this point you need a friend with a degree in computer science to fix your machine if something goes bad.
A competitor to Microsoft would be someone like Apple, but with an operating system as good as OS X and widely available at a price point the consumer wants to spend. And they would need to create developer tools as good as Visual Studio and go to extraordinary lengths to attract developers and keep them happy. Microsoft has fought hard, created an incredibly productive and happy developer community, and created an enormous breadth of products over the years. If Apple only had the 90's to do over again and not squander Microsoft would not be in the position they're in.
Mbenedict, I really don't care, but this "Bad analogy and poor analysis" beginning, and your patronising tone makes you look like a total fool. T8's point was clear, and the analogy did the job. He is right....
If all computers in the world, at the same time, share a common security flaw, then there is a huge risk. If there are 10 operating systems with equal market share, then the likelihood of this is lower.
Don't be such a smart arse. Further, if there is a slight error with a person's comment or if a chosen analogy is not rock solid, just get over it and don't be such a tool. Your point about compatibility was great, but the rest of your DNA talk was pointless bollocks.
In any case the DNA analogy is still a poor one. DNA factors are more important in genetic disorders, not general resistance against viruses. Yet even identical twins (which by definition have the same DNA) do not suffer from identical diseases. Whether 0% or 99% of humans had the same exact DNA won't significantly change the mortality rate against, say, Ebola.
Not to mention that Conficker is a worm, not a virus... which totally fails the analogy.
Point is, no matter what OS is being used, there is always going to be the dipshits (be it man or woman) that make the exploitation of the OS possible.
That was possibly the best debunking of a really bad analogy that I've seen for a long, long time.
Thanks for that. Brightened my day up.
Unfortunately your debunking of the analogy isn't right. While disease can jump from one species to another (zoonotic infections) these sorts of disease vectors tend to be relatively rare and even then generally require a unique set of circumstances for it to happen. There are, of course, exceptions to this rule but they are exceptions. The vast majority of viruses are highly species specific and simply fail to thrive in alien hosts unless their protein coats are able to exploit a common entry point into the cell. Even then, just because a virus causes a disease in one species doesn't mean it will in another.
To use your ebola example - it's theorized that ebola uses bats as its natural reservoir - three species of fruit bats simply don't get sick from ebola even though they harbor large amounts of the virus. Sometimes people are exposed to ebola by contact with bats *but* even then most of the time the virus fails to take hold. However, on rare occasions it is able to make the leap and it leads to a disastrous outcome for both the humans and the virus (ebola has a tendency to kill the host too quickly, leading to a natural burnout of the virus because it can't jump from host to host quickly enough). Of course, there are provisos with all of this - some forms of ebola aren't dangerous to humans even if they are infected (Reston A) even though it's lethal to some varieties of monkeys and apes. Some zoonotic infections can end up becoming endemic. Some viruses can infect a wide variety of animals (influenza) etc etc etc... However, it's generally accurate to say that any particular viral strain evolved in close conjunction with one or a very small number of closely related species. Species jumping is the exception.
With regards to the "strength in diversity" argument. It's not uncommon for a certain subset of any population to be immune to an infection even without prior exposure. It's not an immune response - the person is genetically immune, the virus cannot take hold in the host or has a difficult time doing so. For example, there is significant evidence that certain northern European sub groups are essentially immune to the plague bacillus (http://haplogroup-i.com/2008/genetic-mutation-imminuty-plague-hiv/). Likewise, some people are immune to many common strains of influenza. Luck of the draw really. Similarly, certain sub-Saharan groups are less affected by malaria because of a genetic predisposition to sickle cell anemia. In the same way some humans retained the ability to digest lactose into adulthood and some didn't. These are all genetic factors. While the DNA may be nearly identical there is a lot of difference in how those genes are actually expressed. So there is quite a bit of diversity in the human race at fundamental and inheritable levels.
The lack of genetic diversity problem is an issue with bananas though. Seriously. Bananas only propagate vegetatively (cuttings) so every commercial banana tree in the world (Cavendish cultivar) is susceptible to the same disease (a viral infection) because they are, in a manner of speaking, clones. The previous common cultivar (Gros Michel) was essentially wiped out in the 1950s due to a fungal infection because there was no real diversity within the cultivar.
Yes, this has nothing to do with computers. I'm just a fan of epidemiology and I saw an opening. ;)
The vast majority of the computers infected with Conficker are very old, unmaintained systems. Ironically most are likely corporate computers where misguided IT staff turn off "auto update" without regularly applying patches, and fail to install an anti-virus (or keep its database updated.) The lack of firewalls within most corporate intranets means an infection of one of these computers will expose all of the computers in that intranet.
www.techgeeknews.net
Just run Microsoft Update. It's your own fault if you get this virus.
My family is on Linux now so of course I'm not carrying Conficker (and for the record, Linux is mostly easier to use than Windows - completely different, but easier). But it's possible that the actions of the worm could affect ordinary people like me who haven't played any part in its spread.
I want you to know that I am not bashing you, just being helpful as some people will bash you here big time. Please NOTE: I am a happy Mac user and love all three of my Macs. I just want you to be careful with the "NO Viruses" words as this is not 100% true and can make us Mac users look silly and ill informed. :) But I know what you're saying... AS I sit here on my MacBook Pro with very little concern or hardly a thought of getting anything like this. WooHOO!! :)
There are no viruses on the Mac the same reason the people in Tuscaloosa, Texas feel safe from terrorist attacks. There are only about 500 people there.
You mean like the one described here at macfixit.com?
http://www.macfixit.com/article.php?story=20090326104010541
Yeah, no malware on Macs *rolls eyes*
Trust me, it is a target already but no one has done it ... YET, but it is not due to market share my friend (as there are hundreds of millions of users world wide); it is due to the challenge of the OS security... PLEASE NOTE it will happen but most likely not in mass or as easily as it is on Windows! Macs are NOT perfect but just better than Windows. It is one reason I love my Mac... The Market Share Story is totally Bogus!!! The fame alone from getting a massive virus attack on Apple products is HUGE and a reward in itself!!!
I am a virus writer and I am trying to decide whether I should go after the 4 people, the one person, or the 95 people? What do I think would do the most damage... hmmm...
Yeah. You are right. Lame excuse. It isn't as if the Pwn2Own hacking conference demonstrated an ability to take complete control of a 2008 unibody MacBook in less than 10 seconds or anything. Mac OS X is just much more "Secure."
More like if there are 100,000 computers, 91,000 will be Windows, 8,995 Macs and 5 Linux/Unix.
Now if you write malware, which one are you going to go for? The consumer, the idiot CEO or the company which holds servers for a major company?
The malware writers, if they are out to get something/someone, will go for the CEO or servers. Un/fortunately there aren't many of these so the consumers get the malware. However both will lose if one is infected.
So a consumer on an infected Mac tries to buy goods off the internet; malware steals credit card details before forcing the computer to shut down before the transaction is completed, so the consumer loses money, doesn't get the goods, and the seller doesn't sell the goods and doesn't get the money.
I've backed away from these security-through-obscurity debates, since they're generally concerned with predicting the future. I have Parallels/WindowsXP for my job, I use the Mac OS for the rest of my life plus ANY web-browsing, and I'm so glad I haven't had any of the experiences Windows people have on a regular basis. Once I get "pwned" (sp?) by some script MacKiddie, I'll give a rat's a**.
(Although when someone says "There are no viruses because you are too little for anyone to bother with you," it makes my lower lip tremble and I go running to Mummy.)
http://dvlabs.tippingpoint.com/blog/2009/03/18/pwn2own-2009-day-1---safari-internet-explorer-and-firefox-taken-down-by-four-zero-day-exploits
I'm not saying that Windows is the most secure thing out there, but I think MS does pretty well considering the size of and definitely the type of userbase it has. Most users have no idea what the User Account Control messages are, and have no idea what to click. I can only imagine half of the cust support calls they get even now. Ok, I think I made my point.
Oh, I know this hasn't been said here, but I am going to slap the next person that says Win98 was the most secure OS ever.
"The bug does affect Windows but, honestly, it's way harder to get the code to run reliably on Windows. That's the reason I did my Firefox attack on the Mac. I'm not allowed to talk about it but, for that bug, to get real exploitation on Windows is difficult because of ASLR (Address Space Layout Randomization) and DEP (Data Execution Prevention). On the Mac, I could trigger it and exploit it easily."
http://blogs.zdnet.com/security/?p=2951
I sincerely doubt there are anywhere near 100 million Mac users in the world.
win 98 = most secure os ever!
HAHA!
My macs are all second-hand, very affordable... Power PC, not intel, but run Panther, Tiger, Leopard and even CS4 suite (except Pr and Ae) on G4s even though adobe says you can't.
Yep, I drank the apple kool-aid long ago, very tasty!
you guys are weird. amen.
Good comment bud, you made my day. See, i told you i was weird.
Hey Malwarebytes and McAfee companies, please keep fighting against infectious and harmful things!!!! Go on! I beg both companies! :-( I'm really sad.
the $1000 from my wallet is going towards a piece of **** computer?
are you kidding me?
I'll stick with pc
And sure, i never point out that OS X is impenetrable, i just point out that i don't get viruses. The details as to why i don't doesn't really matter that much.
Oh, and just to point out, i still have an anti-virus on my Mac, just in case.
And on a different note, i'm looking forward to seeing what happens when the Conficker happens :)
Oh. Btw. I don't give a damn about Woz. We don't all worship him, you see? The same way i bet you probably don't worship Bill Gates.
It's when something like this comes up and people start the "Well, good thing I run a Mac, Winblows users can suck it" that we get irritated. And yes, AV software on any platform is a good idea.
The author, David Scott, has an interview that is a great exposure: www.businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at the University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities: read the book BEFORE you suffer a bad outcome, or propagate one.
by DOTA AllMoons, March 28, 2009 2:37 AM PDT
Why has the topic suddenly turned into a Mac and Windows discussion? Too bad CNET doesn't have moderators... I'm really starting to get irritated at these Mac users...
by AZNpeoples, March 29, 2009 3:36 PM PDT
True that.
by pagewise, March 30, 2009 7:33 PM PDT
Come, drink the apple kool-aid, join us...
Fanboys are the leading cause of flaming on PCs, which everyone should know is one of the best OSes.