
Conficker.C: April Fools or maybe not

Conficker's creators may make the first day of April a painful day for IT types if the experts who reverse engineered the new Conficker code are right. Is there anything we can do?


-------------------------------------------------------------------------------------------------------------------

You may be saying, not another article about Conficker/Downadup! Still, any news about a piece of malware code that's capable of infecting millions of computers is significant. Especially since Conficker might be finally waking up.

Why do I say that? Apparently a new and more sinister version of Conficker has just been spotted. At least I think so. There are so many different names being used to describe Conficker that it's almost impossible to tell whether it's a new variant or just another AV company deciding to get into the game by calling it something different.

Why so many different names?

I'm not sure why, but every AV or anti-malware vendor seems to want to use a different name. For example, look at all the names given to the first variant of Conficker. Microsoft calls it Win32/Conficker.A and was considerate enough to list all the other known aliases:

TA08-297A (US-CERT technical alert for the underlying vulnerability, not a malware name)
CVE-2008-4250 (the MS08-067 vulnerability itself)
VU827267 (CERT/CC vulnerability note for the same flaw)
Win32/Conficker.worm.62976 (AhnLab)
Trojan.Downloader.JLIW (BitDefender)
Win32/Conficker.A (CA)
Win32/Conficker.A (ESET)
Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
W32/Conficker.worm (McAfee)
W32/Conficker.E (Norman)
W32/Confick-A (Sophos)
W32.Downadup (Symantec)
Trojan.Disken.B (VirusBuster)

And that's just the first version of Conficker. I don't understand why naming something has to be so complicated, especially when it adds confusion to the problem. To keep things simple, I'll use Conficker to mean all previous versions and Conficker.C to mean the latest variant.

Back to Conficker

This all started with a vulnerability in the Windows Server service (CVE-2008-4250) that was already being exploited in the wild when Microsoft released an out-of-band update, security bulletin MS08-067, way back on 23 Oct 2008. Millions of people still haven't installed the patch, and not patching has led to many of those computers becoming infected with Conficker.

To me those numbers are akin to sticker shock. Think about it, millions of computers infected in less than a six-month period. Other malware has used the same approach, so why does Conficker have such a high success rate?

It's simple actually: Conficker's developers morph the malware into a new and harder to detect version every time defenders get a handle on the existing variant. Investigators weren't too worried though, because every known version contacted its command and control servers in a way the good guys understood and could defeat.

How these first variants of Conficker phone home is really interesting, so I'd like to explain how it works. Each day, Conficker runs an algorithm seeded by the current date to generate a list of 250 pseudo-random domain names. It then uses the infected computer's Internet access to resolve and contact those domains to fetch further instructions. Because the list depends only on the date and the algorithm, anyone who has reverse engineered the code can compute the same 250 names ahead of time, and that is exactly the weakness defenders set out to exploit.
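To make the mechanism concrete, here is an added example of a date-seeded domain generation routine together with the defender-side checks that depend on it. It is not Conficker's own algorithm (whose seeding, name lengths and top-level-domain choices differ and are not reproduced here); the seed string, length range and TLD set are assumptions chosen only for illustration. What it shows is the property that matters: every party holding the routine and the date, infected host or analyst, derives the identical list, so a defender can compute tomorrow's names today.

```python
"""Date-seeded domain generation, the mechanism the text describes.

Added example: this is NOT Conficker's algorithm. It demonstrates only that
the candidate list is a pure function of the date, which is what lets an
analyst who recovered the routine pre-register or sinkhole the names.
"""
import datetime
import hashlib

# Assumed constants for illustration only.
DEFAULT_SECRET = b"example-seed"          # stands in for constants baked into the binary
TLDS = ("com", "net", "org", "info", "biz")
MIN_LEN, MAX_LEN = 8, 11                  # label length range


def parse_day(text):
    """'2009-04-01' -> datetime.date, so callers need no datetime import."""
    return datetime.date.fromisoformat(text)


def daily_domains(day, count, secret=DEFAULT_SECRET):
    """Return `count` deterministic pseudo-random domains for `day`.

    The generator is SHA-256 over (secret, date, index). The hash is only a
    convenient expander; the point is that the output depends on nothing but
    the date, so infected hosts and analysts compute the same list.
    """
    base = secret + day.isoformat().encode()
    domains = []
    for i in range(count):
        digest = hashlib.sha256(base + i.to_bytes(4, "big")).digest()
        length = MIN_LEN + digest[0] % (MAX_LEN - MIN_LEN + 1)
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = TLDS[digest[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def candidates_between(start_day, days, count, secret=DEFAULT_SECRET):
    """Defender view: every name a registrar or sinkhole operator would have
    to hold to cover `days` consecutive days starting at `start_day`."""
    names = set()
    for offset in range(days):
        day = start_day + datetime.timedelta(days=offset)
        names.update(daily_domains(day, count, secret))
    return names


def is_candidate(domain, day, count, secret=DEFAULT_SECRET):
    """True if `domain` is on `day`'s list; handy for matching resolver logs."""
    return domain.lower().rstrip(".") in set(daily_domains(day, count, secret))


if __name__ == "__main__":
    day = parse_day("2009-04-01")
    for name in daily_domains(day, 250)[:5]:
        print(name)
    # At 250 names a day a month of coverage is 7,500 registrations;
    # at 50,000 a day it is 1.5 million, which is the whole point of the increase.
    print(len(candidates_between(day, 30, 250)))
```

Run `candidates_between` with the date range you care about to see what a pre-registration campaign has to hold; the same routine with `count=50000` is what makes that campaign impractical, since the botmaster only has to register one name the defenders missed.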

A dormant Conficker

So far there has been very little if any communication with command and control servers, and hence no real activity on the part of the infected computers other than continuing to spread. In fact, experts are debating whether the infected computers should even be considered an organized botnet.

Many feel that this inactivity is due in large part to the coordinated defensive response by the Conficker Cabal, an ad hoc partnership that includes several major players:

"Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence."

I don't have enough information to judge whether that's the case. Ironically, others believe the unusually successful infestation rate of Conficker has so overwhelmed the developers that they are still trying to figure out what to do with it. I'll let you decide who's right.

Conficker.C: New and improved

If I may offer my opinion, I think the coalition is getting to Conficker's owners. Either that or Conficker's keepers are making a preemptive strike by releasing a new variant that really ups the ante. Remember the 250 new domain names created each day? In the new version that number is 50,000 per day.

That ramp up makes it virtually impossible for the Conficker Cabal to register or sinkhole every one of the domain names. Dr. Jose Nazario (an expert I often reference) from Arbor Networks (a Conficker Cabal member) was quoted by the New York Times' John Markoff as saying:

"It's worth noting that these are folks who are taking this seriously and not making many mistakes. They're going for broke."

Added peer to peer networking

One reason Dr. Nazario feels this way is a new capability in Conficker.C: the ability to form peer-to-peer (P2P) networks among infected machines. That means it only takes one infected PC reaching one command and control server on an unblocked domain name to pick up new commands. After that, according to Symantec, the command files can be shared using the P2P mechanism:

"During the process shown above, Downadup not only patches the RPC vulnerability in memory, but uses this patch to recognize incoming exploit attempts from other Downadup infected machines. The worm is able to analyze the incoming shellcode and checks if it matches its own exploit shellcode.

If the shellcode matches, information is extracted from the shellcode that allows the worm to connect back to the other infected machine. This "back connect" uses the HTTP protocol, but on a randomly selected port. The other infected machine then responds with a packet of data consisting of the payload files."

In an ominous tone, Symantec sums it up:

"So, while we know Downadup's method of operation, we still await its motive."

Other improvements

Conficker.C doesn't stop there. Some vendors initially classified the family as a trojan and now call it a worm as well; strictly speaking, it is the self-propagation through MS08-067 that makes Conficker a worm, not what follows. What is new in Conficker.C is that it identifies antivirus software and malware scanners running on the infected PC and disables the ones it finds.

Some serious malware

I'm one to give credit when credit is due and the tenacity and drive of Conficker's developers is something that should be bottled and sold. I'd better explain that comment before I get too hot from all the flaming. Hopefully the following example will point out how sophisticated this malware package is.

In 2008, MIT's Dr. Ronald Rivest published MD6, a new cryptographic hash function submitted to NIST's SHA-3 competition (a hash, not an encryption algorithm as it is sometimes described). Guess what? That's right; Conficker.C uses MD6 to hash the files it exchanges over its P2P and command and control channels, and a payload is accepted only if that hash checks out against a signature the worm's authors alone can produce. That keeps rival botmasters from hijacking the botnet with updates of their own, and it gives security firms no easy way to inject clean-up commands either. Now I ask you, what cryptographic algorithms are your latest and greatest programs using?

What to do

As Conficker gets more sophisticated, the workable ways to deal with it narrow. Initially, just applying the MS08-067 patch was enough to keep a machine out of trouble. I'm afraid it's not that simple now.

AV applications are trying their best to keep up and provide removal tools. That worked initially, but Conficker.C shuts those applications down and blocks Microsoft's Windows Update as well, so on an infected machine that avenue is closed. I've not heard whether Malwarebytes Anti-Malware (MBAM) and other third-party scanners get the same treatment, so they might be worth a try.

Officially, the only resolution you can fully trust is to reformat and reload. That still works because Conficker.C lives in software on the disk, where a wipe reaches it. If the developers decide to bury the malware in the BIOS or SMM, it could get ugly.
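Since a Conficker.C host fights your antivirus and blocks the update sites, the most dependable signal is often what the machine does on the network rather than what it will admit to locally. The added example below is my own code, not from the article or from any vendor tool: it shows the simplest network-side check, which is that a host walking through a day's worth of generated domain names produces a burst of NXDOMAIN answers for long, random-looking labels, something that stands out in resolver query logs. The log format and the sample lines are constructed for the example, and the thresholds are assumptions to tune to your own network.

```python
"""Flag hosts that burst NXDOMAIN answers for random-looking names.

Added example, not from the original post. Input is a constructed resolver
log with one answer per line: "<client-ip> <query-name> <rcode>".
"""
import math
from collections import defaultdict

# Constructed sample: 10.0.0.5 looks like a DGA walker, the others do not.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 qwhbxlsamt.info NXDOMAIN
10.0.0.5 kdpxfzrbq.net NXDOMAIN
10.0.0.5 mznqvtleuo.biz NXDOMAIN
10.0.0.5 hgtrwpaxcdl.org NXDOMAIN
10.0.0.5 jxvbqocnhe.com NXDOMAIN
10.0.0.5 tyukrwsdam.net NXDOMAIN
10.0.0.7 mail.example.com NOERROR
10.0.0.7 update.microsoft.com NOERROR
10.0.0.7 typo-example.com NXDOMAIN
10.0.0.9 intranet.corp NXDOMAIN
10.0.0.9 printer.corp NXDOMAIN
10.0.0.9 wiki.corp NXDOMAIN
"""


def parse_log(text):
    """Yield (client, qname, rcode) tuples; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[0], parts[1].lower(), parts[2]


def label_entropy(qname):
    """Shannon entropy in bits per character of the leftmost label.

    Dictionary words repeat letters and score low; generated labels with
    mostly distinct letters score near log2(length).
    """
    label = qname.split(".")[0]
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_hosts(text, min_nx=5, min_entropy=3.0, min_len=8, random_ratio=0.8):
    """Return {client: nxdomain_count} for clients with at least `min_nx`
    NXDOMAIN answers of which at least `random_ratio` are long, high-entropy
    labels. All four thresholds are assumptions; a host that mistypes a few
    names or probes an internal zone does not trip them."""
    nx_total = defaultdict(int)
    nx_random = defaultdict(int)
    for client, qname, rcode in parse_log(text):
        if rcode != "NXDOMAIN":
            continue
        nx_total[client] += 1
        label = qname.split(".")[0]
        if len(label) >= min_len and label_entropy(qname) >= min_entropy:
            nx_random[client] += 1
    return {c: n for c, n in nx_total.items()
            if n >= min_nx and nx_random[c] >= random_ratio * n}


if __name__ == "__main__":
    for client, count in suspicious_hosts(SAMPLE_LOG).items():
        print(f"{client}: {count} NXDOMAIN answers for random-looking names")
```

Feed it your resolver's query log in the same three-column shape (a one-line awk over most BIND or Windows DNS logs gets you there) and look at the flagged hosts first; a clean machine with a typo or two never reaches the thresholds, while a host cycling through generated names does so within minutes.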

April Fools or not

Okay, that's Conficker.C in a nutshell. Now I'd better explain what April Fools' Day has to do with this. Several experts in the Conficker Cabal have reverse engineered Conficker.C's code and determined that April 1st is the date on which computers infected with Conficker.C are supposed to wake up and begin searching for command and control servers. Hopefully the Conficker Cabal has a plan.

It appears that the experts do not want to cry wolf just yet. Kelly Jackson Higgins of InformationWeek's Dark Reading in the article Notorious Conficker Worm Still Alive and Infecting Unpatched PCs clearly points out that experts have varying opinions as to what's supposed to happen on the first of April:

"It's unlikely anything will happen on the first [of April], says Patrik Runald, chief security advisor for F-Secure, which has been following Conficker for months. Considering all the attention going on about April 1st, why would they do something that day? The group behind it could as easily do something on April 4th or April 10th."

Kelly then presents another expert's opinion:

"Randy Abrams, director of technical education for ESET, says there's no way to know for sure at this point what will happen that day. It could be that it does nothing, and April 1 was a joke, diversion, or aborted plan. Or it could be the launch of a massive spam run, DDoS, or infrastructure attack. We really can't say,"

Final thoughts

If the experts are all over the map about this, where does that leave the rest of us? My humble opinion is that the exact date doesn't matter. What matters is whether the millions of infected computers get organized. Strong cryptography, P2P traffic routing, and the fact that Conficker.C is still being deployed could lead to some very frustrating times.


About

Information is my field...Writing is my passion...Coupling the two is my mission.

371 comments
Michael Kassner

I just read about one way researchers are using to detect Conficker.C. They look for the patch Conficker applies to the MS08-067 security flaw. Once this is figured out we will be able to scan entire networks from a single location, easily detecting any infected workstations or servers. It appears that Conficker's developers may have out-smarted themselves, which is good for us.

Michael Kassner

Byron Acohido (The Last Watchdog) has a good update about Conficker.C:

The latest version of Conficker, Variant C, is not looking for unpatched Windows PCs to infect, according to SRI International and IBM ISS. The bad guys appear to have infected more PCs than they can productively manage, perhaps well over 10 million, according to OpenDNS founder David Ulevitch.

Conficker C first appeared on March 5. Its singular purpose is to connect with, and install updates on, PCs previously infected with variants B and B++, says Philip Porras, program manager at SRI. For weeks prior to the arrival of Conficker C, machines infected with B and B++ had been regularly checking 250 new web addresses each day for new instructions. The good guys, namely the Microsoft-directed Conficker Cabal, hustled to cut off access to the fresh list of 250 rendezvous points popping up daily. But on March 5 the bad guys managed to gain control of one or more of the rendezvous points for that day and pass along Conficker C to B and B++ machines, says Porras.

Keep in mind that Conficker C only reached PCs infected with variants B and B++. It did not reach machines infected with Variant A. Those machines reported daily to a completely different set of 250 web addresses. Score that one for the good guys. We have no evidence an A rendezvous point was seeded with Conficker C, says Porras.

50,000 new check-in points daily

Not only does Conficker C lack any self-propagating mechanisms, it actually shuts down the spreading mechanisms in B and B++ machines. It installed new instructions to check in at 500 rendezvous points, selected randomly from a list of 50,000 web domains; this list reconstitutes every 24 hours with 50,000 new rendezvous points. This new check-in routine commenced yesterday, April 1.

And finally, Conficker C installed a customized peer-to-peer, or P2P, network, enabling all B and B++ machines to secretly communicate and share files, and easily cleave through most corporate perimeter defenses, such as firewalls, traffic sniffers and intrusion detection systems. Therefore, the spreading mechanisms, diagrammed below, would seem to apply only to machines infected with Conficker A, or to B and B++ machines that never received the C update.

LastWatchdog asked SRI's Porras if it was likely that a high percentage of B and B++ machines have been updated by now with Variant C. More likely than not, Porras replied. What's more, B and B++ machines, updated with Variant C, really do not need to use the web domain rendezvous points. Why? Because they can share files efficiently and privately via cloaked P2P communications, similar to how people share pirated music and movies.

Early variants took care of propagation, says Holly Stewart, IBM ISS threat response manager. Conficker C is focused on staying put and keeping up communications channels.

So what did the bad guys gain by going through all the trouble to construct a customized, proprietary P2P network from scratch? It is an alternate, harder to track and much harder to block mechanism for distributing malicious logic to the infected population, says Porras. It effectively gives the Conficker developers an overlay network with decentralized control.

dixon

I got a call from a lady last evening. Starting April 1st, she's suddenly noticed really slow performance and she can't access Windows Update or any AV-related sites. She says her machine seems 'really busy', even when she isn't using it. Interestingly, she claims to have religiously updated Windows and her AV. I can't wait to get a close look at what this machine's really up to.

deepsand

Unfortunately, of limited usefulness. [i]Conficker_C_P2P_Detector.patch - [b]tested on Linux, Snort version 2.8.3.2, little endian only[/b] Conficker_C_P2P_Scanner.C - [b]compiled and tested on Gnu gcc ver 4.2.2, running Linux, little endian only[/b][/i]

Michael Kassner

That PCWorld and their writers can't decide if it's a big deal or not. I have issues with that approach. I do feel Conficker has the potential to do a great deal of harm. I also know that all sorts of intelligent people are working this. Just like Y2K, so if this turns into a non-event, I'll know why.

Michael Kassner

To help me understand. I'm not getting either of your comments. I guess, that's why I'm really bad at chess and games of strategy.

JCitizen

in my mind - strategically speaking. It is called economy of force in the military. Perhaps the developers of this worm were very familiar with such strategy, as they came from some official background. Or else there is a global "school of hard knocks" for malware writers out there.

seanferd

Consolidation and reinforcement after invasion. Orders to hold position. A bit like a land war in the intertubes.

JCitizen

I don't have much respect for the writing on anything malware related on their articles. Especially when they rate AV software. It's like, "Let's see, hmmm? Who is the biggest advertiser on this rag? Okay! They are the best software!" Then the rank goes down from there based on the same criteria.

deepsand

or that the threat has been forever neutralized, why should not some writers be of a similar mind? That one is either a professional writer or a TR member is no guarantee of possessing sufficient knowledge and understanding of the issues about which one speaks. In general, most people are quite poor at judging the true magnitude of any kind of risk. And, having dodged one bullet, they are likely to devalue the risk of being hit by another.

santeewelding

Hurt you with the leastest for the mostest. In the financial world, it's leverage.

dixon

...and had the lady try it. Failed completely. She can, however, access all 'regular' websites. I'll let you know what I find out. I'm really anxious to see what's going on with ports and IPs.

deepsand

Been away from a keyboard for decades; and, my mother gave away my sax, without my permission! X-( On the up side, an acoustic guitar can be played anytime, anywhere, with no lower limit on its volume.

JCitizen

I think I'll skip the piano, I had to donate it to the Church. Maybe I'll get a digital keyboard for that time and place. Gotta see where my second quarter earnings are. =(

deepsand

So long as we do not wallow in it, become dependent upon it, it serves us well, reminding us of past good times, of dreams and hopes forgotten or lost, perhaps to rekindle that which once gave us purpose, and thus spur us to new attempts at attaining that which we have not yet attained. Listening to "old" music prods me to pick up the guitar, and learn yet one more song on my ever growing list of songs to add to my repertoire.

JCitizen

The Rocky Bullwinkle show! HA! Forgive me for wallowing in the past deep! But it sure is fun! I was a Irwin Allen fan back then too; my hard drives are full of his shows from ALN cable network. Man I'm a horribly sentimental putz! :p

deepsand

Other than my Philco model 38-4 radio, all of my electronics hardware was then stored in my parents' basement, which was severely flooded. And, without conferring with me as to what was salvageable, they threw everything out! God, I wish Mr. Peabody would get back so that I can use his Wayback Machine.

JCitizen

about your links, and asked him where his old stuff is. He scratched his head and said he didn't know for sure! :( I'll have to dig for him; I can't believe he lost track of that tube amp. He admits it sounded better than anything he had.

deepsand

audiophiles with deep pockets. And, there's a reasonable supply of vintage products, from brand like Harmon Kardon, Marantz, McIntosh, etc. still trading on the secondary markets, some of it available for a song.

deepsand

Funny thing is, it started with the usual thinning at the crown, but never really spread much, leaving a look similar to a monk's tonsure that wasn't finished being shaved.

deepsand

of an Allied catalog that predates its being acquired by Tandy. Wish I'd saved some of the earlier ones dating back to the late 50s. :(

Neon Samurai

I've a guitar friend that swears by tubes. Of the four in his main room at last visit, all tubes, all bought in poor condition then refurbished, some with low production numbers. It was amazing to find out that the echo filter is simply two springs wired in parallel along the path.

Michael Kassner

Use tube amplifiers. My son plays with a few guys and they all have huge amps with some real heaters in them.

JCitizen

at least that is one area where I'm not losing it upstairs! HA!

NickNielsen

Ah, the good old days when the cover of the catalog read "Allied Radio Shack". Bought my first kit from that catalog, an AM crystal set for $3.99. It ran off 2 D cells and the only station I ever got it to receive was WGY.

deepsand

Rather than spend the rest of the night trying to come up with a sufficiently succinct but all inclusive summary of the technical reasons for tube & solid state amps sounding different, I just point you to http://en.wikipedia.org/wiki/Tube_sound

JCitizen

and listen to it once in a while. Now that vacuum tubes are available again, I may want to stock up on spares, but have never had one fail! I swear the tones sound more golden somehow, but it's probably in my head - or the old LPs just have more frequency response.

JCitizen

Man, I'd forgotten about that one! That really brings back memories; like Michael said, fond memories. I had no idea what I was doing in those days, but under my big brother's wing, I tried my heart out to attempt to get it all. He will be very tickled to see these links! Thanks, deepsand! :)

Michael Kassner

Throughout my amateur radio career, I invested a great deal of time and money in HeathKit products and have absolutely no regrets, just fond memories of good times.

deepsand

http://www.heathkit.com/ Although they originally retained the rights to the old manuals, they've recently sold such to Data Professionals; see http://www.d8apro.com/ Other sources of the manuals abound; see http://www.google.com/search?q=heathkit+manuals&ie=utf-8&oe=utf-8&aq=t&rls=org.mozilla:en-US:official&client=firefox-a However, and sadly, the bama.sbc.edu site seems to now be dead. And, as noted at http://electronicdesign.com/Articles/Print.cfm?ArticleID=20689 , there are still a few other providers of electronics kits. The other kit maker that I greatly miss - :( - is Allied, whose (vacuum tube based) "Knight Kits" literally warmed & lighted my room many a night.

JCitizen

used to be a good geek read when I was a kid; now I don't even know if they exist. Let's face it, high technology is becoming more modular and so is the information on it. You almost don't have to know much of anything to repair a device now because you simply throw the module or the entire device away! So the knowledge divide between the guy on the street and the scientist developer gets wider by the week. It seems even smart people would rather know less and less; of course that could be attributed to intelligent thinking also, as knowledge not needed is a waste of time. I'm just glad I try and waste at least a little time to try and get the basics; even about subjects that may not normally be important to me.

deepsand

As electronic systems have become more and more appliance-like, the need for users to know and have easy access to technical information has diminished, with the result that many publications turned into little more than industry shills and/or vanished. Of the survivors, many are now little more than teasers pointing to online content. Magazines such as [i]Electronic Design[/i], which once contained a plethora of schematics, et al., are now but skeletons of their former selves.

Michael Kassner

I even have moments that agree with your comment: "Having dodged one bullet, they are likely to devalue the risk of being hit by another." It's so true.

santeewelding

And azimuth, at least, is fed in. The rest is up to you.

JCitizen

so I will take santeewelding's comments as a compliment. I never thought of my verse as cannon cocker material though! HA! :^0

santeewelding

JCitizen has a way of catapulting me. I would have nothing to say otherwise. Like an engine, unconnected to a load.

JCitizen

Don't feel bad Michael, santee is a way better communicator than I. :)

JCitizen

I am finding both business and home users doing the same thing. I try to imbue some paranoia into their thinking about this. I wonder sometimes if they are getting an Apple/Linux user sense of invincibility on this x64 platform, and I try my best to extinguish such notions post haste!

deepsand

user's machines. And, with local cable loops rivaling the population of a small town, there's plenty of low hanging fruit to be had. To be successful, a malware app, like a biological contagion, doesn't have to be capable of infecting every potential host, but only infect a number sufficient for ensuring its continued existence. Given the fact that personal machines far outnumber business ones, and that personal machines are those to which less thought re. security is given, by virtue of the ability of the user to sate his appetites absent an overseer, it is logical to expect that malware will generally be no more sophisticated than is needed to accomplish its task(s) under Administrative privileges.

JCitizen

less and less, though, as Microsoft battens down the hatches. Restricted user accounts work very well to protect this if all the apps are patched (thanks to Secunia). I still get the occasional user who is hit while doing administrative duties. Vista seems to have stopped this temporarily with the UAC. I don't know why the forums see so much complaining - my users seem to like the User Account Control - the bad part is - it makes them lazy and they don't want to run as restricted user anymore! Their machines are unbelievably clean, maybe it's the new Windows firewall (I just can't trust it), but despite only having Windows Defender on the machine their x64 system is squeaky clean. It will take me a LONG time to believe Windows Defender is responsible for such good results. It didn't help even on the restricted side for me, but then I get radical out there.

deepsand

For example, if a particular app wants to ensure that its presence is not detected by SS&D, the best 1st course of action would be to alter the data store re. "Ignore Products" or "Ignore Single Entries."

JCitizen

and uninstall the program. Of course if one does not password protect the local machine administrator, then one wouldn't bother to password protect the console of a good AS solution. So I guess my complaint may be null when considering Joe and Jill sixpack. I often wonder if that is why Spybot needs to hook the video output to see if the user is actually the one modifying the GUI. I've not tested that, but have faded in the continued use of Patrick Kolla's brain child. Because of the rise of x64 Vista I've switched to AdAware, Comodo, Avast, etc. All my clients are buying x64 systems now. And their machines are surprisingly clean considering their bad habit of running as administrator. Perhaps the UAC is finally saving them from themselves. Too bad MalwareBytes doesn't make a 64-bit Anti-Malware for Vista (yet). And of course good ol' SpywareBlaster is still part of a good, blended defense, even now (for my clients who just can't seem to do without ActiveX).

deepsand

Malware seeking to modify or neutralize a security app not only doesn't need access to such, but using such would be the more difficult way to go. As for SS&D, it would be reasonable to expect that it does have some self-defense mechanism(s) in place, although I doubt that they are sufficient for rendering it totally invulnerable. In fact, this very subject would be an excellent one for Michael to investigate & report on.

JCitizen

console. Not that I can remember if AdAware does; but I've never seen any malware modify AdAware yet. There is always a first time of course.

deepsand

Those of particular note include the abilities to: 1) View & toggle on/off ActiveX components; 2) View & toggle on/off BHOs; 3) View & toggle on/off/delete Startup entries; 4) Specify which Cookies are to be kept/purged; 5) Specify which Applications/File Sets/Tracks are to be ignored/scanned for/removed; 6) Which Registry Hive entries have changes Allowed/Disallowed; and, 7) Whether allowed Reg changes are temporary or permanent.

JCitizen

It isn't the "cookie" removal that is necessarily freeing up the browser, it is the update to the AdWatch feature that is freeing up the browser?! Hmmm! The new freeware version I'm putting on my clients' computers has an almost complete version of AdWatch and registry guard now. Perhaps Spybot Search & Destroy is truly obsolete. I don't use SS&D on my x64 Vista and I have few problems. I noticed someone was trying to break my door down on my gateway soon after the last Windows update. Must have broken some spyware somewhere. I will need to read the logs to see which PC it was destined for.

deepsand

the IE Resident & TeaTimer functions of Spybot S&D. Thus, it is actively blocking requests made to certain known "bad" hosts, thus truncating the "download" times required for such, and speeding up the total time required for downloading & rendering. The cookies aren't the issue.

Michael Kassner

Variety is the spice of life too. I use Safari and Firefox.

JCitizen

[b]At deep -[/b] I notice that the slowdowns won't happen for a long time if I keep AdAware/AdWatch updated regularly. In that case I sometimes run CCleaner to see if there has been a build up and there always has. I will have several pages of file references to cookies and temp files. I really suspect AdAware/AdWatch is handling more than just "cookies", because as I said before - the locations are not in the IE cookie folder or CCleaner would always find them too. Sometimes I clean with CCleaner and it doesn't free up the browser, so I run the scanner in AdAware, and lo and behold there are at least 5 or 6 "cookies" not found before, and my lockups are gone! When I first went back to AdAware in XP, I used to find the occasional infected index.dat file. AdAware was able to clean them without deleting them. This also had a beneficial effect, but never returned with AdWatch's blocker. I don't use XP anymore, however. [b]At Michael -[/b] I use IE because I DON'T want safety. I used to do this on my honeypot to see what kind of minefield my stubborn clients were in for. But now I do it just as much for a refusal to give in to the crackware and obnoxious malware "terrorists" ruining our experience on the internet. My philosophy, "Why give in to the bastards?" I prefer to stand and fight! - Now I wouldn't do this working for the bank, of course! That would be irresponsible.

Michael Kassner

I'd have thought you'd run away from IE to Firefox or another more secure browser.

deepsand

& manual flushes. As the cache grows, the overhead involved in managing it becomes more burdensome. Sometimes it helps to move the cache to a different partition or HD; all depends on the HD & its controller. As for cookies being designed for "mischief," given that they are no more than very tiny passive data files, such is not possible. However, as each one will consume a full cluster on the HD, and as session cookies are automatically culled, leaving single empty clusters scattered about, the cache very quickly becomes quite fragmented, so that repeated calls for page data that is cached result in slower IO between the HD and RAM. Why it is that you see a noticeable improvement in performance using AdAware's AdWatch I cannot say for certain. However, I'll venture to say that it may be that, like Spybot S&D, it blocks calls to certain known "bad" servers, which avoids the overhead that results from the normally ensuing page requests. I've noticed that certain servers, even legitimate ones such as www.google-analytics.com & ssl.google-analytics.com, have become notoriously slow, so much so that, as I identify such, I am manually adding them to the Hosts file for blocking. Additionally, I've taken advantage of FF's provision for having local, user controlled CSSs, via the [i]userContent-example.css[/i] file, so as to block display of entire ad panels. This won't block the download of the content for such panel(s), but it will prevent such content from being rendered, thus decreasing the total rendering time required for display of the page as a whole.

JCitizen

for mischief then, or perhaps it is the lack of ads downloading. This wouldn't explain why CCleaner works almost as well manually, though. I dump temporary files too, when I use CCleaner, but I'm not fully aware of just what all AdWatch accomplishes. If you turn AdWatch off and wait for the slowdown behavior, and then do a scan, all it finds is cookies. They are NOT all in the usual place you would normally expect to find cookies in Internet Explorer. I can't quote a file path as I never look at the logs, but even CCleaner can't find these errant "cookies". I don't know why they just don't get it over with, and call it spyware. I assumed it must do something very similar to Spybot S&D because I see a lot of disabled page controls on supposedly legitimate sites, and a lot of flash ads replaced by hyperlinks and dead Trend Micro ads, or IE "this page cannot be displayed" where the ad normally plays (like the hosts file blocker on SpywareBlaster). I usually don't need to click on them anyway to get my research done. I used to surf porn sites on my lab machine, until they started getting security compliant, and it got boring without any combat. Yeah, I know - I'm weird because I prefer combat action to porn. Ha! ]:) Now the action is mostly on the sites I like to go to anyway, for general, scientific, or IT interest. It would make sense that crackers are placing iFrame attack vectors on IT sites, for instance. I don't disable iFrames either. Some of this is accomplished by SpywareBlaster also of course. But I doubt blocking ActiveX controls is speeding up my connection. I never bother to complain to the web-masters anymore - unless I plan to do business with them, or return for more information. This isn't my imagination - when I forget to update either one of them, my page loads start slowing down incrementally. Within a week I get failed IE "failure to connect" messages. Come to think of it, I need to renew my auto-update subscription to SpywareBlaster.

deepsand

Blocking cookies will have no effect other than causing them to not be stored; it will not stop the server requests which result in their being downloaded. Neither will it stop calls that look for the presence of those cookies.

JCitizen

about nine months ago, or so, I started slowly having more and more IE 7 failures to connect or flat slowing to a crawl. So out of desperation I started running CCleaner every 15 minutes to a half hour to clean all the cookies and temp files out of the profile. This worked like a champ - but got tiring. Since Spybot S&D didn't have an x64 version and doesn't really look so much at cookies even when you set it that way, I downloaded an AdAware trial, so that I could see if AdWatch would block at least the bad cookies. Well, it worked. So I paid the $19 or so for a year, just so I could block them all the time, and quit dumping them. Keep in mind I don't like using the IE account settings to simply block them all the time, because I visit too many research sites for the first time, and I don't have time to set Internet Options every time I visit a site. This way I still get the content without the troubles. AdWatch also blocks a lot of bad page controls and even infected images occasionally. I believe both Spyware Blaster and AdAware block bad servers that can serve as injection attack vectors, as well as bad ad servers that tend to contain .bat infected flash ads, etc. I run without Java or ActiveX disabled. I do this to get quick content and because I got used to doing it on my lab honeypot. My clients refuse to disable Java and load NoScript on their FF browsers - and in fact most of them use IE 7. You can't talk 'em out of doing it, so I navigate the minefields looking for ways to make it at least as survivable as I can. I've had great success at it so far, but it takes a blended defense to get away with it. If you use Linux, you probably think it is just a lot of foolishness, but I'm not very good at talking my clients into switching to FOSS.

JCitizen

and I actually agree with your statement about DNS. Cookies have become particularly nasty in the last nine months or so, and I think folks don't seem to realize how much they can slow them down. That's speaking to any slowdowns on April 1st, that is.

deepsand

FF was constantly timing out or coughing up 404s; IE, the ever entertaining frozen progress bar. However, the pain was equally shared by virtually all sites, and I was able to reach a number of security sites, such as Grisoft, ZoneLabs/Check Point, SpyBot S&D mirrors, and Windows Update. I suspect that any problem the woman in question experienced only coincidentally gave the appearance of being restricted to security related sites.

Michael Kassner

A great deal more worrisome in my opinion than Conficker. I just do not understand why we are not in a panic about that.

JCitizen

and, by instinct, attributed it to all the hype and the Windows updates and worm removal downloads going on. Just my feeling on it. It would make sense that the botnet would attack some DNS locations as a strategic move, but to what end would be pure speculation. Sometimes I suspect these malware sponsors are just pulling off the greatest commercial for their services. All completely free to them, of course. And also, of course, Symantec's obvious suspected duplicity has already been widely reported and noted.

Michael Kassner

To decipher anything from what was claimed then. Was there anything in the AV or Windows event logs that might give you a clue? Did anything upstream of the computer change and then change back? Oh well, it's good for your friend at least, unless the problem returns.

dixon

According to her, on April 1st and 2nd, she could access any site except AV sites and Windows Update. Then yesterday the problem was gone. She updated everything, scanned her system and came up clean. I don't know what to make of it.

dixon

The lady called back yesterday morning to say that 'everything's fine now'. No problem accessing security sites or updating Windows. Seemingly normal performance. Hmmm. I still might volunteer my time for free, just to see if I can figure out why those symptoms existed temporarily.

Michael Kassner

So the Web site is a good indicator? Keep us in the loop. Thanks.