Discussion on:

371 Comments

What's your opinion about the chances that millions of infected computers will cause any problems on April 1st?
April 1?
seanferd 29th Mar 2009
I don't know. But it will cause a lot of serious problems at some point, even if it were just some giant "awareness scheme" (although I find this unlikely).
And Microsoft is very concerned. It now appears that most of the infected machines are in areas of the world where a huge majority of the operating systems are pirated and can't be updated.
Where did you dig that one up? But, it does remind me of my opinion on WGA :\
Still it talks about pirated copies. Look around the third paragraph:

http://mtc.sri.com/Conficker/
http://www.honeynet.org/papers/conficker has their Know Your Enemy paper up finally if you're interested. Some of it seems to be a rehash of what you posted, though I haven't finished reading either yet.
Interesting fact
ACGPHX 31st Mar 2009
If I were a conspiracy-oriented person I could think that this looming virus's targeting of pirated software could be originating from the software's source?

These days it wouldn't surprise me at all.
Hello Michael,

I came across this link online on slashdot.org:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

The principle seems sound. I hope this is a good first step in trying to track down the rootkit that seems to have everyone's attention these days besides the Wolverine movie leaked on the internet, LOL! Have a good morning.
Doesn't seem a bad idea for a first test. happy
Excellent
Michael Kassner 3rd Apr 2009
What a great idea, simple yet effective. Thanks for sharing the Web site.
This is interesting
The Scummy One Updated - 29th Mar 2009
I decided it's been a few days since updating, and after reading this I thought, I really should check in case a new patch is avail.

Anyway, I usually have auto-updates download, and I install at will, however, I decided to click on the Windows Update link in Security Center.

"Thank you for your interest in obtaining updates from our site"
"To use this site you must be running Microsoft Internet Explorer 5 or later"

I looked, I was in IE 7.0.5730.13. I closed out, and tried again -- same thing. I clicked a link for IE updates, and it has a nice easy Update to IE8 button.

Geez, they are getting pretty desperate to try to force IE8 in such a manner.

The funnier thing, if I type
windowsupdate.microsoft.com -- it works fine
Did you
Michael Kassner 30th Mar 2009
Install IE8? I'm hearing varied reports about IE8 breaking things after it's installed.
Nope
The Scummy One 30th Mar 2009
I dont want it yet. Besides, I primarily use FF on this system.
I just think it was odd that clicking the link to Windows Update in the Security Center would fail with the proper browser (2x), but typing in windowsupdate.microsoft.com worked fine.

And, clicking the link from the failed page takes you to an install IE8 page.

To me it seems like a sneaky way to get people to install it. I wonder how many people installed it because they thought that their browser was broken?
Interesting in two weeks when the next update starts.
RE: IE 8
pmdirico@... 31st Mar 2009
I downloaded IE and used it for several days. I was appalled by its slowness. It took, on average, 9 seconds just to open the app, then another 9-10 seconds to connect to the home page, news.yahoo.com. Time of day didn't seem to matter when comparing speed. I was so disgusted with the performance that I rolled back to IE 7 and CONTINUE to use Firefox as my main browser. MS should be ashamed to put this POS out there for general use while touting performance comparable to Firefox. And they wonder why people hate them.
That talks about where IE8 is even breaking systems:

http://blogs.techrepublic.com.com/window-on-windows/?p=1032
Re: IE8
cbader@... 31st Mar 2009
You can register a dll file to make it run faster:

http://www.edbott.com/weblog/?p=2443
http://blogs.zdnet.com/Bott/?p=754

Seems to be the answer for page load problems.
IE8 takes more time to start up because it uses a bit more RAM, but after it starts it is fine, and each tab uses its own address space so a crash in one does not affect the other.

If a user had many entries in IE's Restricted zone that are placed by SpywareBlaster's protection or Spybot S&D's Immunize function, then the installation of IE8 takes a long time.

It is documented somewhere but I can't remember where.

I have IE8 on my old 2.4GHz P4 XP Home system with 512MB RAM and it works fine even after I added SpywareBlaster's Protection, but I don't use Spybot S&D anymore.
Isolate whether IE8 is functional or if Spyware interceded? IE8 is controversial right now, but I would suspect nothing less.
It would seem strange it would affect anything. I have seen competitors like older versions of PC-cillin choke on SpywareBlaster after updates, but I for the life of me couldn't understand why; unless it was a registry protection feature that had to run a review of each entry for approval. This may be why Spybot Search & Destroy won't list Spyware Blaster as a complementary tool anymore - because Tea Timer gets confused by all the registry entries, and has to differentiate whether to load an alert on it or not.

I hadn't checked for a while and I didn't realize Patrick Kolla had written it for x64 already. However Adaware seems to supplant it now with the free adwatch function now available for customers. Most of the function and registry protection is as good as, and exceeds, PepimK capabilities.

I have absolutely no trouble using both on Vista x64; they seem to complement each other very well. My web pages load like lightning.
Hmmm!....
JCitizen Updated - 5th Apr 2009
I noticed lately I could open many more sessions without any of them crashing. And for a few weeks the crashes were surprisingly isolated.

However my browser reports it is IE 7 and Vista Home x64 reports no available IE 8 for updating.

I have a special cable compliant operating system, so I can't just switch to Linux (yet), or use Vista Ultimate - even my version of Media Center has its own product key!

I wasn't worried about it until you related these security improvements! If they do make it available, I hope it isn't automatic so I can turn off the protections on Javacools GUI.
Because IE8 is more standards compliant than earlier versions, and owing to the great many sites which were designed with IE-centric features that no longer work under IE8, "Compatibility View" is included to provide for backwards compatibility.

"Compatibility View" can be set at a site level by the site operator, or at a page level by the user, using newly created Meta Tags; additionally, IE8 has the ability to, under certain circumstances, automatically invoke said view.
And here I thought...
JCitizen Updated - 5th Apr 2009
it was only supposed to appeal to the artsy-fartsy crowd, I sure hadn't read anything like this, but I've been a little busy on field projects lately and haven't kept up with my reading.

Sorry for being so ignorant, deep, I really appreciate the catch up!!! Even then I thought I read indications that it was only going to have a lot of these features on the Vista machines, and only "theme" and maybe some add-on features would be active on XP.

Perhaps with compatibility mode I won't have to fire up my 32 bit browser as often (which is less often all the time).
I've only become aware of much of this by way of other forums, particularly WebProWorld, which has as members a high concentration of site developers who are forced to deal with issues relating to browser compatibility, not just across various releases of a given one, but across multiple browsers such as IE, FF, Opera & Safari.
If you are, I'm curious to learn what you both think.
I must assume...
JCitizen 6th Apr 2009
that you have to go to the Microsoft site to download it manually. Everyone keeps telling me they got it by auto-update; but that doesn't go for me.

When I check my history, I haven't received an update since the 16th of last month. And IE 8 is not available as a non critical update. Maybe the Vista x64 version is not ready?
It's time again so it may show up.
For Wave 0, which includes the English language, IE8 became available via WU the week of 23 MAR for Beta & RC users; for all others it will become available via WU the week of 13 APR.

See http://www.neowin.net/news/main/09/03/19/ie-8expected-windows-update-and-automatic-updates-schedule
I've a test machine or VM partition available for it.

Having experienced the horrible user interface of IE7, I'm not about to gamble on it with a needed box.


but he's a newbie and may have not used the Beta 2 uninstaller.

I had him use the fixIT tool at Microsoft which gave him a little more speed and functionality, but he is using a single core Dell with 1Gb+ of RAM on XP SP3.

He admits that surf speed is fine, just start up that is slow. Seems acceptable to me if the security features work on XP.
message deleted...
JCitizen Updated - 19th Apr 2009
by author (wrong line)
No doubt a review of his op stats will reveal a great deal of page thrashing unless he does, as many still do, run but a single browser instance at a time.
instances he can actually run.
2 Gig minimum
Michael Kassner Updated - 21st Apr 2009
I just upgraded a client from 1 Gig to 2 and it was a huge improvement. It seems that there are a lot more processes working in the background than there were a few years ago.
Yes XP has...
JCitizen 21st Apr 2009
Mostly from running bloated AV/AS solutions;
before IE 8, I was able to keep it under 500MB of memory. Only by using lightweight blended defenses, BTW.
These days, any new box that I recommend/purchase has at least 2 gig installed, and a minimum of 4 gig as the maximum supported on the motherboard.
as he completely hosed his TCP/IP stack and the entire network!

It was just easier to reinstall, so we could get IE 8 on clean. He really likes it now!

Now if I can just get him to stick to the recommended AV/AS solutions and quit doing every trialware that comes along!

Ahh - newbies!!
Would you like us to download our virus scanner and remove the detected viruses?

[Allow] [Deny]

(hehehe.. how many times has he clicked on that little gem of a free trial?)
and I had forewarned him about the fake virus downloads.

At least he is a quick learner; I wished all my clients were as good a study!

I've already got him on open office doing powerpoint presentations with ease!
Fake AV software
Michael Kassner Updated - 9th Jun 2009
Is either first or second on the list of most effective malware droppers. It's actually a two-step process that I'm researching right now, using compromised Web sites and workstations in concert to lure unsuspecting users in.
Fascinating!...
JCitizen Updated - 10th Jun 2009
I love fishing for malware! devil
Phunny.
deepsand 11th Jun 2009
Don't you mean "phishing?" wink
IE8B2 was a pile of caca! Had to unload that fertilizer until it bloomed into a release candidate. IE8 is sometimes slow, but otherwise solid for casual browsing and shopping - so far. I reserve full judgement until it has many more miles under the belt.
http://www.channelregister.co.uk/2009/03/30/conficker_signature_discovery/

apparently nmap (among others) can find infected machines with today's updates and pattern files.
Good article
Michael Kassner Updated - 30th Mar 2009
I knew Rick Mogull was working on that this weekend via Twitter. Thanks for sharing the link.
has anyone
---TK--- 30th Mar 2009
downloaded their scs.zip file yet?
Not yet. [updated]
Dumphrey Updated - 30th Mar 2009
ATM I am playing with nessus and nmap to see what they can do in terms of finding infections.

http://honeynet.org/node/388

Link to the proof-of-concept scanner and its use.
I haven't
Michael Kassner 30th Mar 2009
Do you know of an issue? If you do install it, could you please let us know what you think. Thanks.
My first machine ran into a missing Impacket dependency. Trying it now on a Debian.
Just be sure you have python-impacket package installed.
Thank you
scarville@... 31st Mar 2009
Two of the winboxes on my home network have been generating suspicious traffic... Maybe tonight I can know for sure.
NMap...
melekali 31st Mar 2009
...is the only free one to identify conficker. I downloaded that yesterday.
Please
Michael Kassner 1st Apr 2009
Let us know what you think and if you have any unresolved issues.
whether infected or not, will NOT cause any problems on the first of April. (It won't even be turned on that day.)
One way
Michael Kassner 30th Mar 2009
To make sure. Hope it means you're on vacation and have better things to do.
and wondering what its effects are if it is not turned on, on April 1st.

I have a Linux box to use during that time grin
I doubt the infected computers will even display any outward signs of the problem, other than maybe some elevated traffic levels.

The infected computers are just supposed to try to phone home and get command files.
Command Files
mamies@... 1st Apr 2009
What will the command files be and what will they do? Potentially they could have a devastating effect.
No one knows
seanferd 1st Apr 2009
but generally, the thought is that someone wants to make money off this. So they will use it to steal profitable information by capturing keystrokes, looking for credit card numbers on the hard drive, that sort of thing. (Yes, that can be devastating, definitely.) Considering the size of the Conficker botnet, the creators will probably rent time to those who wish to do those sorts of things.
Another fine article Michael. Guess we will wait and see how this all plays out. I do love a good cliffhanger... mischief grin
Is it only going to be distributed randomly to a preset number of computers and from there get sent out to more computers, and so on?

It doesn't sound like a traditional virus where unsafe web surfing gets you infected.
from flash drives to a network connection.

You don't need to visit a website to get infected.
OK
Snuffy09 Updated - 30th Mar 2009
I wasn't sure about the details of this virus. I know it hit in 2008 also; I just never had the "pleasure" of coming in contact with it.
You won't get it, specifically if the MS08-067 patch is installed.
Is MS going to release a similar patch for the upcoming conficker virus once they know what it is?
The patch fixes a vulnerability in the operating system. All versions of Conficker exploit the same vulnerability. If the patch is applied the vulnerability is no longer a problem.
Unless
The Scummy One 30th Mar 2009
the patch failed, or a service pack was re-applied after the update, or something else.

Too many times have I seen a patch show as being loaded on a system, and yet the vulnerability is still present.
Been there
Michael Kassner Updated - 31st Mar 2009
I totally know what you mean. I had that very thing happen, which resulted in the computer being infected multiple times. Finally I checked to see if that particular patch was installed or not. Guess what.
behind our network people here, running bootup scans. After logging in, the system goes into a quarantine state for a few minutes, while the system undergoes some vulnerability tests (scripts meant to find if a patch is not installed, or is not functioning).

Is it MS AD that scans before allowing the computer access?
of what apps they use unfortunately. However, it runs in a homegrown application/patch management software system.
They run scripts to find vulnerabilities, and force patch/re-patch if it fails, then re-run the script to make sure it is working. If it still fails you get a lockout notice, your system restarts and the boot.ini file was changed to display SYSTEM HALTED BY IT SECURITY -- Visit this website to fix

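As an added illustration of the check-then-verify step that such a NAC script performs (example code written for this thread, not the poster's homegrown system or any vendor's product): a PowerShell check for the MS08-067 patch that Conficker exploits. It tests both the hotfix record and the version of the file the patch replaces, since, as noted earlier in the thread, a patch can show as installed while the vulnerable file has been rolled back. It assumes KB958644 is the hotfix ID for MS08-067; the minimum netapi32.dll version is a placeholder to be filled in from the bulletin's file-information table for the client's OS and service pack.

```powershell
# Added example, not from this thread or any vendor tool: check-then-verify
# for the MS08-067 fix that Conficker exploits. Run from an elevated prompt.
# ASSUMPTION: KB958644 is the MS08-067 hotfix ID. The minimum netapi32.dll
# version is a PLACEHOLDER; take the real value for the client's OS/service
# pack from the file-information table in the MS08-067 bulletin.
param(
    [string]  $HotfixId         = 'KB958644',
    [version] $MinNetapiVersion = '0.0.0.0'   # PLACEHOLDER, see above
)

function Test-Ms08067Patch {
    param([string]$HotfixId, [version]$MinNetapiVersion)

    # Check 1: the hotfix record. This is all that "patch shows as installed"
    # means, and on its own it is the check that misses a rolled-back file.
    $record     = Get-HotFix -Id $HotfixId -ErrorAction SilentlyContinue
    $registered = ($null -ne $record)

    # Check 2: the file the patch actually replaces. A re-applied service pack
    # can put an older netapi32.dll back while the hotfix record survives.
    $dll = Join-Path $env:SystemRoot 'System32\netapi32.dll'
    $vi  = (Get-Item $dll).VersionInfo
    $fileVersion = New-Object System.Version(
        $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart)
    $fileCurrent = ($fileVersion -ge $MinNetapiVersion)

    New-Object PSObject -Property @{
        Computer    = $env:COMPUTERNAME
        HotfixId    = $HotfixId
        Registered  = $registered
        FileVersion = $fileVersion.ToString()
        FileCurrent = $fileCurrent
        Compliant   = ($registered -and $fileCurrent)
    }
}

$result = Test-Ms08067Patch -HotfixId $HotfixId -MinNetapiVersion $MinNetapiVersion
$result | Format-List

# A NAC script would gate on this: a non-zero exit code means
# "force re-patch, then re-run this check" rather than "patch listed, done".
if (-not $result.Compliant) {
    Write-Warning ("{0}: {1} registered={2}, netapi32.dll {3} current={4}" -f
        $result.Computer, $HotfixId, $result.Registered, $result.FileVersion, $result.FileCurrent)
    exit 1
}
exit 0
```

With the placeholder version left at 0.0.0.0 the file check always passes, so fill it in before relying on the Compliant field.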
Scummy
Jellimonsta 31st Mar 2009
That sounds like they are using NAC. What AV are you using? Symantec has a NAC offering I believe, but I am not sure about the other vendors.
However, I would assume they have the same NAC and AV vendor.
I suspect that the users don't though. How long does the scan take?

I've heard that Symantec and MS worked something out with AD to have it work with user login.
logins vary greatly, from 2 minutes to 20 minutes depending on the day
Usually average would be 4-5 minutes.
...IT pros who don't patch their systems?
It's not that simple
Michael Kassner Updated - 1st Apr 2009
Consider legacy systems and applications that may totally dump if some alteration negatively affects them.

This is what MS has to face every month. Does MS make it simple for everyone or make sure nothing breaks. IMHO that's an extremely difficult question to answer. Most system admins understand this and approach updates with caution and dare I say trepidation. At least I do.
I understood you to say that once a P2P was established, it could transmit through the P2P without need of the exploit. Did I read this wrong?

One reason Dr. Nazario feels this way is based on a new capability employed by Conficker.C, which is the ability to create peer to peer networks (P2P). That means it's only going to take one infected PC and one command and control server with an unblocked domain name to pick up new commands. After that, according to Symantec, the command files can be shared using the P2P mechanism
P2P makes it extremely easy for the bots to communicate, obviating the need for every bot to connect to command and control. The bots will take commands from each other, once the commands are authenticated by analyzing the shellcode.
Sorry if I was confusing
Michael Kassner Updated - 2nd Apr 2009
Sean is correct. I thought I might just add a bit more. If one computer gets through to a server that happens to be advertising a domain name that the infected computer is looking for, it will then be able to download what ever the botmasters want.

After that it's all over. Even if the Cabal shuts that domain name down, the instruction set will propagate using P2P networking. Not as efficient, but nearly impossible to shut down.

IBM's ISS has cracked the P2P encryption scheme, so that might be an avenue for them to determine what the victim computers are going to do.
Thanks to you both.
I hope it is just a joke, I suppose if your system is up to date that you will have nothing to worry about.
Also it's not like other time bomb malware that degrades the computer. The infected computer will try to phone home and receive command and control information.

I suppose the botmasters could tell the infected computer to delete C: but then they would lose a bot.

I s
Depends on what their intentions are; what happens if they want to bring Windows users to their knees by doing this?
Because there are enough people who would ignore it just because it's April Fools Day.
Ironic but true
Michael Kassner Updated - 31st Mar 2009
Still, it's becoming apparent that a different approach is going to be required. People just want to use their devices for what interests them.

All this other stuff to keep things going is just an irritant.
Please forgive my ignorance, but didn't the main article say that Conficker had been reverse engineered? If that's the case, then why don't they (the reverse engineers) know what its purpose is? Aren't these types of programs designed differently for different purposes, i.e. spam vs DOS vs infrastructure attacks? Or does it depend on the payload to be delivered on 01-Apr? Again, forgive my ignorance, I'm trying to learn something here. A layman's explanation should satisfy my curiosity.
RE: April Fool
cbader@... 31st Mar 2009
My interpretation is that they have discovered a lot about how the worm works, how it infects the machines and how it spreads. However, no one knows what it will do because that will be determined by whatever instructions it receives from the command and control servers.
You have to remember that they are dealing with multiple versions as well. Variant C's traffic is encrypted so it's difficult to know what's going to happen. April first is just the start.
...a combination of Trojan, Worm & Zombie all rolled up into one. Sounds like the design of a hacker brigade in China, Russia or the US.
It's April Fools somewhere right now and I wonder if it has reared its head in Asia.

Perhaps someone should monitor such outbreaks overseas and report them real time, say on a website.

Just an idea....

John Day
Former IT Manager
Conficker checks the date at some major websites, so it depends on the date given by those sites as to when Conficker will do its thing. If it does not poll Asian sites, Asia will have to wait it out with the western hemisphere.
I had some fun removing the Sony rootkit today that I discovered unexpectedly on one of my user's boxes. It would be interesting to see how to manually remove this beast.
Hello,

I am also confused with all the names of the conficker worm/virus.

Isn't there an industry standard about reporting such finds? For example when I worked with Police Communications a theft would get a category ID which is '354'. Then from that we had the ability to still use the '354' category but the second option then gave us a specific classification.

I would be interested to hear from anyone who can elaborate on the reporting and classifications of viruses/worms/threats.

Regards

Michael
Melbourne, Australia
Excellent article Michael. Extremely informative and absolutely terrifying.

I don't know what they called it, but I had a similar bug/worm on one of my older PCs at home. Anti-Virus wouldn't run or install. I tried various fixes, taken from Internet forums, and some of them worked to some degree, but I continued to have problems and I wanted to reformat ANYWAY (after 6 years of not doing so) so in my case, it was OK.

But what I want to talk about is the MOTIVE of the people that create these viruses and worms. I really think that we need to develop a system of punishment for them - if we could only catch them.

Personally, I don't find virii or worms funny. Not at all. I actually think (and I hope you are listening, whoever you are) that people that intentionally create such things are akin to the people who work on biological warfare. Or invent new diseases. Sick, evil, twisted, thoughtless, violent people. People who ENJOY causing harm and pain.

My life is pretty complicated. I am in pain 24 hours a day. I am barely able to do normal, routine work on my PCs. I can just about manage it. So when some...b@st@rd invents something that destroys my PC, and it costs me three days of bending and stretching and MORE pain...well, I guess these people don't really care about anything, so they wouldn't care that they are actually causing human beings physical PAIN by doing what they do.

I try not to get involved in political or moral issues when I participate in forums, but I truly think that the people who intentionally create destructive virii and worms should a) pay for any and all damage they cause, to companies and individuals b) be arrested and charged with causing bodily harm and harm to property c) sometimes I wish...I just wish...that they would bring back some of the ... crueller forms of capital punishment, as an incentive to these people to STOP hurting computers, people and companies. If creating a virus was punishable by hanging, it might slow down a bit. Just an example happy

What do they get out of it? A "kick"? A "thrill"? "Satisfaction" that they "stuck it to the man" ???

To my mind, these are really sick individuals, who crave attention but generally don't get it.

So come on, creators of this worm. Show yourselves to the people you are hurting.

I bet the people they are hurting (us, dammit) would PROBABLY react by forming a mob, and getting some rope. Human nature! If these "virus developers" had to FACE the people they hurt, maybe they would stop what they are doing.

And from another standpoint...isn't life difficult ENOUGH, without virii and worms added in? Why make things MORE difficult?

This impacts elderly folk, children, disabled folk like myself...these people are committing what SHOULD be considered to be a serious crime, and it's impacting innocent people, who mostly can't cope with what it does to their computers.

Nice people. So if you (virus creators) are reading this...you should be ashamed of yourselves! Didn't Mommy pay enough attention to you?? Do you NEED MORE attention?

Well, I wish it would come: from the law, the police, the courts. And I speculate that if a virus creator fell into the hands of their victims, when no law enforcement was around, that they would not be too excited about the "attention" they would get from an angry mob.

So the technological damage aside, there is a cost in human terms. And the perpetrators of this should PAY that cost.

Or so it seems to me...


peace and love
d.
It burns....
For real or not? Lots of nerdy types are chomping at the bit to digest an infestation.
use lubrication next time
haha
samhain.knight@... 4th Apr 2009
Will do! But it still burns!
OK Jason
Michael Kassner 4th Apr 2009
I give up. I must be too focused on geek things, but I don't get it. Can you explain about the burn thing? I just know I'm setting myself up, but I had to ask.
Then read down from Jason's first post. I suspect Jason's problem is that he's using penetrating oil as his lubricant...

silly wink
You are
Michael Kassner 4th Apr 2009
Omnipotent my friend, yet I being one of those that is ultimately curious I want to learn from everyone.
We should all
NickNielsen 4th Apr 2009
thank our deity of choice that I am not omnipotent. Were I so, I'd be having more fun than a little bit!

Others might think differently.
Conficker is real
kgc@... 2nd Apr 2009
Never mind that the direct effects of Conficker are small (to date), it is a nuisance even for organisations that are meticulous in guarding against it. My major public sector client had all of its servers down for 2 hours to get rid of it, which is no mean cost in man hours and inconvenience.

On my little home & office network I am keeping on top of it, but cannot get rid of it. I am currently in the process of organising for tech support from my anti-virus tool provider to dial in to get to the root of the problem. Again no small cost in effort and money if I have to take time out from earning fees.

It keeps intervening to prevent security updates. This means hand cranking downloads from the various sites by changing the network set-up to fool it long enough to make connection. My laptop is updated using my 3G when I am on the train.

If I was not paranoid and aware of the symptoms it would be very easy to sleep walk into trouble. This is a persistent and professional job. It is not a joke. I just don't want to be its unwitting victim.
Yesterday (04/01), we just had a few new SPAM emails received.

Today, the amount of SPAM received has multiplied by about 5 times over what we had been receiving before the 1st and we expect it will continue to get worse. In addition, the number of rejects from SPOOFED email have multiplied about the same amount. sick
As long as I have the right idea of what actually happens with conficker.

My understanding is that it randomly picks its domains. I had also read somewhere but am not sure how true it is that all infected computers pick the same domain.

I was thinking what happens if the domain that holds the commands is actually waiting for all of these infected computers to pick its domain before sending the command. This could really mean that it is possible that the creators don't even know when it will go off.
What you mean. Could you please help me understand?
Sometimes I have to wonder...
Snuffy09 Updated - 3rd Apr 2009
what these guys look like, The virus writers.

I try not to be judgmental (everybody is to some degree). I see a handful of severely overweight guys working out of an inconspicuous trashed apartment littered with dirty clothes, pizza boxes, and empty ice cream containers. While waiting for the virus's response from their hijacked victims they alt-tab back to their life-devoted (other than pissing in Cheerios) game of World of Warcraft. I guess when you have never had a date, never been laid, don't have a life, and your idea of a good time is watching Star Trek reruns, your only option is to take it out on society. So I guess it is good they are programmers or we would have another shooting on our hands.

No offence to TR members who are WOW players, fans of star-trek, and weigh a few extra pounds happy
I think
Michael Kassner 3rd Apr 2009
That you may be surprised. The experts seem to think that the latest malware, especially Conficker is done by highly motivated professionals. There is big money in this.
Too soon to tell
ref@... 5th Apr 2009
I work on 50 machines a week in my little shop. I've had 5 "IE quit working" phone calls all fixed with MS System Restore and I've had 5 computers in my shop with "IE quit working" problems which will work with Firefox and are IE unfixable as far as I can make out. Not sure if any of these are Conficker. The same problems listed for Conficker have been happening a long time as far as I can tell. Who knows if it's Conficker or the regular problem stuff, WinAntivirusPro2009, Smitfraud, etc.???
If the patch for MS08-067 was installed. If it's installed then the problem isn't Conficker.
More and more have begun to talk of things happening in the technology world. Well, I say let them happen. The world of IT must stand together against those who use this gift of knowledge for the root of evil.
Why?
deepsand 5th Apr 2009
By whom?

Toward what end?
Like antivirus 2009 and spyguard 2008?
How do you stop people from clicking? You can warn them, but they don't really listen.

Of course, people need to be careful when visiting search result links - they need better judgment, and to be able to identify bad sites. "Legitimate" site owners need to better maintain their sites from being SQL-injected, compromised by XSS and CSRF, etc. Some browsers and add-ons are better at protecting against this than others, but some people can't be bothered to make decisions every time a warning is issued - they just click through.

However, there are a lot of OS and app vulnerabilities that have never been patched, even years after identification. Those could definitely be patched.

As far as the *AV 200x malware goes, it is extremely easy to get rid of, and what it does is try to get you to buy the fake product, and keep paying for the junk. You just have to not fall for the BS, and clean up the system. The darn thing sits right in Program Files directory.

It only gets on the system through user interaction - BUT - it has been known to lock up the browser until you click on the pop-up, at least with some browsers, or when certain settings are engaged or disengaged. Failing all else, a hard shutdown is the answer - don't click on the malware pop-up.

Again, there are definitely vulnerabilities that should be patched, and security models that could be much improved, but malware like *AV 200x works almost entirely through social engineering, and the only patch for that lies with the end user.
0 Votes
+ -
I really like the depth and breadth of the explanations.

Unfortunately, I don't think the sheer genius of the Conficker developers can hold a candle to the sheer unwillingness to install one single patch. It is baffling in the utmost.

Why the confusing collection of names?
1. Anti-malware vendors compete in every way.
2. They don't care to work it out otherwise.
3. "I saw it first."
4. FUD - making it appear as though there is more out there than there really is. Making it appear that your product intercepts something theirs does not.

If they just made it very obvious that a simple patch would cover you, in this particular instance, where would all these security types be? Without all the funding, that's where. It should be studied, though, as all the evil mechanisms of the thing could ride on a variety of future vulnerabilities. There just wouldn't be as much support for all the activity that is currently happening.

(Ha. Thought TR was flaking out again, but I guess it was just a "busy signal", as I was trying to start a discussion at the same time.)
0 Votes
+ -
Contributr
That would
Michael Kassner 30th Mar 2009
Be really wild. Yet another conspiracy. I'm not ruling it out, though. It seems that the good rule is getting beat up pretty bad lately.
when "culture" or "self-interest" (enlightened or not) do just as well. I find they are much more pervasive, extensive, and powerful than conspiracy.
0 Votes
+ -
Contributr
As usual
Michael Kassner 31st Mar 2009
You make a great deal of sense. Those terms run a lot deeper, don't they?
0 Votes
+ -
by the people who are distributing this thing.

Let's not lose sight of where the real criminal behavior is.
0 Votes
+ -
Have an idea? Discussed acting on this idea with at least one other person? Conspiracy.

Of course, it does include the connotations of secrecy and also negativity, usually.

I don't think anyone has forgotten the origin of the malware as a root of the problem. I hope that the developers do get nailed. Evil *********s.
proof yet that 1 person didn't do it on their own. However, likely there was a small group of people who created this, i.e. conspiracy.

I do not know the source of the conspiracy, also, I would doubt it being the Chinese govt. with all of the money they are dumping into the US, and elsewhere. They are currently profiting too well to harm us massively. Also, it would be bad to 'test the waters' for an attack like this, just to see if it would work. However, they may incorporate the strategy behind this for future attack planning.

What we most likely have is a few dirtbags trying to profit in some way.
Nicely explained Michael. We will just have to wait and see what happens on April 1st. I have my Systems all up to date and I will do a major Backup on the 31st Mar just in case. Keep these informative articles coming as it is a good heads up to what is happening out there.
0 Votes
+ -
Ah, but whose April 1st are we talking about? Ours (Oz) or theirs (not Oz)?

TFIC
0 Votes
+ -
LOL
Jacky Howe 29th Mar 2009
good point. It's only a couple of days before we find out.
0 Votes
+ -
Contributr
I first assumed that it would depend on the system clock of the computer, but that's not logical and wouldn't work correctly as you have pointed out.

I'm starting to wonder if that would be one avenue to defeat this problem. Change the date and the 50,000 domain names would be wrong.
0 Votes
+ -
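The two posts above turn on the fact that the rendezvous domains are derived from the calendar date, and a later exchange in this thread mentions a list of 4750 names accumulated over 19 days (250 a day). The following is an added example, not code from the thread or from any Conficker analysis: a constructed, date-seeded toy generator that shows why a client's local clock only picks which day's list it tries, and why a defender who knows the generator can precompute the whole window as a blocklist and match resolver logs against it. The 250-per-day figure is inferred from the thread's numbers; the TLD list, label length, log format and sample log lines are all constructed for the example and do not describe the real worm's algorithm.

```python
import hashlib
from datetime import date, timedelta

# Constructed figures: the thread's 4750 names over 19 days works out to
# 250 names per day. This generator is a toy, not the worm's real algorithm;
# the TLD list and label length are assumptions made for the example.
DOMAINS_PER_DAY = 250
LABEL_LENGTH = 10
TLDS = ("com", "net", "org")


def domains_for_day(day, count=DOMAINS_PER_DAY):
    """Return the candidate rendezvous domains for one calendar day.

    Everything derives from the ISO date string, so anyone who knows the
    generator computes the same list; a client's local clock only decides
    which day's list it tries, not what that list contains.
    """
    day_seed = hashlib.sha256(day.isoformat().encode()).digest()
    names = []
    for i in range(count):
        digest = hashlib.sha256(day_seed + i.to_bytes(4, "big")).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LENGTH])
        tld = TLDS[digest[LABEL_LENGTH] % len(TLDS)]
        names.append(f"{label}.{tld}")
    return names


def blocklist_for_window(start, days):
    """Precompute every candidate domain for `days` consecutive days.

    This is the defender's side of a date-driven generator: the set can be
    built ahead of time and handed to a resolver, sinkhole or proxy.
    """
    return {
        name
        for offset in range(days)
        for name in domains_for_day(start + timedelta(days=offset))
    }


def find_hits(log_lines, blocklist):
    """Match resolver log lines against the blocklist.

    Expected line format (constructed for this example):
      '<timestamp> client=<ip> q=<queried name>'
    Returns (client, name) pairs whose queried name is on the blocklist.
    """
    hits = []
    for line in log_lines:
        fields = dict(part.split("=", 1) for part in line.split()[1:] if "=" in part)
        name = fields.get("q", "").rstrip(".").lower()
        if name in blocklist:
            hits.append((fields.get("client"), name))
    return hits


# Constructed sample: a 19-day window ending 1 April 2009, plus three resolver
# log lines, one of which queries a name from the 1 April list.
WINDOW_START = date(2009, 3, 14)
WINDOW_DAYS = 19
BLOCKLIST = blocklist_for_window(WINDOW_START, WINDOW_DAYS)
APRIL_FIRST_SAMPLE = domains_for_day(date(2009, 4, 1))[0]
SAMPLE_LOG = [
    "2009-04-01T00:03:12 client=10.0.0.5 q=www.example.com",
    f"2009-04-01T00:03:15 client=10.0.0.5 q={APRIL_FIRST_SAMPLE}",
    "2009-04-01T00:04:02 client=10.0.0.9 q=update.microsoft.com",
]

if __name__ == "__main__":
    print(f"{len(BLOCKLIST)} candidate domains in the {WINDOW_DAYS}-day window")
    for client, name in find_hits(SAMPLE_LOG, BLOCKLIST):
        print(f"{client} queried generator domain {name}")
```

Note that setting a machine's clock back or forward does not make the names "wrong" in any useful sense: it simply selects a different day's list, every one of which a defender can already have computed. That is the property that lets a working group pre-register or sinkhole the names before the date arrives.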
then Windows Update won't work! wink

I'll have to look for the link to the site where I read this.

Ah. Since I've not yet cleared my browser history:
http://www.pcworld.com/article/161809/conficker_to_phone_home_on_april_fools_day.html?tk=rss_news
0 Votes
+ -
Contributr
As well and it yet again amazes me as to how well thought out this malcode is.
0 Votes
+ -
Contributr
Is that Conficker developers appear to want the infected computers to be viable. If Conficker was a destructive piece of malware it would be a whole different story.
0 Votes
+ -
Well this is true
Dumphrey 30th Mar 2009
but at the same time destructive malware is obvious that it's there, even to the untrained, and is more likely to be fixed or removed. Malware that just sits, waiting, is the scary kind, because there may be no warning until your machine is used to spam, ddos, distributed crack, what have you.
And this trend will continue as malware writers shift their focus from damage to profit.

Conspiracy: The Chinese Government is sponsoring Conficker in order to make a high-profile exploit out of a vulnerability that would have easily been patched except for WGA limitations, and thus create a media frenzy over MS's unwillingness to keep the internet safe. This will lead to a reduction and or removal of the WGA process, benefiting China and other countries with very high Windows piracy levels. Leveraging this new computing security and freedom, they will proceed to reverse engineer Windows Update, BITS, and MS command/control, and take over all the world's MS machines. Using this giant bot net they will attempt to extort 5 million dollars from the UN.
0 Votes
+ -
Contributr
I've never heard of that take on the situation before. Definitely has logic on its side.
0 Votes
+ -
Contributr
For an article. I'm trying to separate fact from sensationalism. I'm starting to suspect that much of that is being held back.
0 Votes
+ -
Rumor around here is that
Dumphrey Updated - 31st Mar 2009
conficker is the work of a 14 year old Russian boy. Heard anything about this? Or is it just office gossip?

Ghost net, yeah, my feeling is a lot of it is being held back as well. Seems to me that this kind of activity has to be going on all over, from all parties, it's just the first one discovered. Think the NSA doesn't have a ghostnet like entity?
Maybe I'm wrong but didn't they show a 14 year old Russian kid on the 60 minutes piece?
but I'm wondering if anyone has any backup data for 60 minutes. And why ONLY 60 minutes? How did they scoop the internet as a whole on this?
some of the statements they made on that program; seems the 16 year old script kiddie was misrepresented! I got that from the Washington Post.
0 Votes
+ -
Contributr
Mike Horowitz of ComputerWorld had already written a review of the 60 Minutes piece about Conficker:

http://blogs.computerworld.com/the_conficker_worm_on_60_minutes

http://blogs.computerworld.com/60_minutes_missed_the_elephant_in_the_room
0 Votes
+ -
60 Minutes???
esalkin 30th Mar 2009
60 Minutes has not gotten a single story right in its entire 40 year run! They have a track record of consistently skewing facts and cutting interviews to make a story "play" the way they want. The program is NOT an unbiased news show. It is a "news-based" entertainment show. Do not trust its "facts."
0 Votes
+ -
Contributr
Other than Andy Rooney.
0 Votes
+ -
into a daytime drama series. And they never quite get to a conclusion by the end of the "60 minutes". So you're no better off than you were before you started watching.
0 Votes
+ -
Better safe...
KSoniat 30th Mar 2009
At work we have a pretty good firewall and restriction as to what is downloaded.

At home we have 2 Macs (laptop for my son arrived Friday) and one dying - sometimes working PC (over 5 yrs old). I hope it doesn't amount to much, but those backups are being done . . . if we have it and back up and restore it, will it hit us next year on April 1?
0 Votes
+ -
Contributr
Very little will happen initially. What April first is about is a possible attempt to get all the infected machines organized into a botnet.

If and when that happens then things may start to occur:

1. A tremendous increase in spam.

2. Really nasty DDoS attacks

Either of which may just saturate the system, due to the total number of coordinated computers.
April 1st, the crap was actually making it to my end box, instead of the junk folder. But Windows Secrets, a well known forum for PC enthusiasts was forced to redirect at nearly the same time. They couldn't get through hotmail's filters; and I'd bet that was not coincidental.

MSN probably planned the new filtering to coincide with conflicker - plus or minus a few days. It is the first time I've had to add a trusted contact manually in my hotmail.

I use MSN's service precisely because of the success of their spam filtering. I've had less trouble than others I know that use Yahoo! or gmail. And those individuals are pretty careful about leaving their addresses laying around the web.
A mere 15 the last I looked.

And, since they discontinued their "classical" interface, even for Premium clients, it now has that ubiquitous Fisher-Price look and feel.

I use Netaddress, which employs Brightmail's spam filtering system, and provides for up to 256 filters, each of which allows up to AND conditions to be concatenated.
Thanks deep, I may have to look into that! I'm looking at their site now - they related to USA Today?

Dang! So many projects-so little time!!

I gotta admit, though - hotmail has been pretty spam free for me. When they do have problems they are usually taken care of within 24 to 48 hours.

Sure beats the ISPs server based cr@pmail!
Just wish that they'd have let me keep the classical interface.

USA.net is owned by Perimeter eSecurity; see http://www.perimeterusa.com/index.php . They're a global firm; the last contact I had with tech support was with guys in Iceland!
0 Votes
+ -
Cool! Thanks!...
JCitizen Updated - 5th Apr 2009
I know what you mean, I kept my MSN classical until they forced me to change. Had a heck of a time finding all the controls to do the old functions.

I'm getting used to the sparse totally business "Fisher Price" look though. I refuse to try any of their themes. I think all in all it is just another ploy to get people to pay for Windows Live, added content.
I had hoped to try to get some screen shots of the NetAddress panels for you; but, as I'm bushed now, and have a 25 mi. drive across the Delaware River to reach my bed, and best set out shortly so as to not be found beneath the Betsy Ross Bridge, that will have to wait.

If they don't have a demo and you are interested in seeing such, and allowing for the fact that after the "New" flag disappears from this post I may lose sight of it, give me a heads-up via PM.

I assume it is free? I'll have to revisit it later, as this week has been a corker so far.

Once again, I really appreciate the tip! =)
The following is copied from the plans currently available to me as an individual account holder. The formatting isn't great, but it's the best I can do on short notice.

-------------------------------------------

Net@ddress offers 9 unique Service Plans designed to meet your individual needs.

Every Net@ddress service plan offers you the most advanced email features on the market today, including:

Efficiency

Virus scanning of all inbound and outbound messages and attachments
Enhanced spam filtering powered by Brightmail? Anti-Spam
No advertising or promotional email taglines!
Auto-forwarding to other email addresses

Effectiveness

Secure login
Personal Junk Mail blocker
Full-featured Calendar and Tasks support
Sending rich email with stationery and smileys
Multiple signatures to match your different email profiles

Accessibility

Easy access to email from anywhere around the world, anytime, through any Web browser
POP3 and IMAP access from your favorite desktop email clients, (e.g., Microsoft Outlook Express).
Synchronization between your calendar, tasks, and contacts and Outlook and wireless devices
Email collection from other accounts


All with free telephone and online customer service to handle your email and billing questions

To begin taking advantage of the business-class features of Net@ddress today, or to upgrade a current subscription, select your desired product from the options below:

Net@ddress Standard

Take advantage of all of the great features of Net@ddress today! Choose from 3 affordable Net@ddress Standard plans.
Monthly with 500MB $5.95
1 Year with 500MB $39.99
2 Years with 500MB $69.99

Net@ddress Extra

Is 500MB not enough for all of your email? Do you need more security? Upgrade to Net@ddress Extra and a 1GB mailbox with SSL encryption.
1 Year with SSL and 1GB $54.99
2 Years with SSL and 1GB $89.99


Net@ddress Premium

For users that need that extra storage, Net@ddress Premium gives you 1GB and SSL encryption for increased security.
1 Year with SSL and 2GB $64.99
2 Years with SSL and 2GB $97.49


Net@ddress Premium Plus

For users that need that extra storage, Net@ddress Premium Plus gives you 4GB and SSL encryption for increased security.
1 Year with SSL and 4GB $93.99
2 Years with SSL and 4GB $140.99

------------------------------------------

They currently offer a free 3-day, "no send/receive" tour at

https://www.netaddress.com/tpl/Subscribe/Step1?Locale=en&AdInfo=&Referer=http%3A%2F%2Fwww.netaddress.com%2Ftpl%2FDoor%2FLogin%3FAdInfo%3DN-USAHP-LOGIN-1&T=1239247060956119
0 Votes
+ -
way sooner than paying one more cent to Microsoft Live!

The tele support really makes USA.net attractive!
0 Votes
+ -
And, when was needed, was without peer.

I've yet to have a problem of such urgency as to require phone contact; but, I've no reason to expect that such would be of a lesser quality than that had via e-mail.
0 Votes
+ -
Contributr
Red Condor
Michael Kassner 21st Apr 2009
I just set up an account with Red Condor. Not bad. 25 users for $500/year. It caught over 3000 spam e-mails in two days. The client is so totally happy.
0 Votes
+ -
Red Condor...
JCitizen 21st Apr 2009
I suppose, when you look at the pain it takes to run your own domain, exchange server, and the client and virus maintenance involved - $500 a year can look pretty inviting - especially if you have up to 25 clients.
USA.net uses BrightMail.
0 Votes
+ -
Contributr
J, that client does run all the things you mentioned. well, I guess I do if you get picky. Still Red Condor is a service to which all e-mail passes through first. Another nice feature is that they will store e-mail for 96 hours if something happens to the primary Exchange server.

Deepsand, I'm not sure what they use. I've used Postini and others, but Red Condor seems to be the most effective one I've found. I haven't seen any false positives yet.
0 Votes
+ -
Re. false positives.
deepsand Updated - 23rd Apr 2009
BrightMail, as implemented by USA.net, has exceedingly few false positives. USA.net also long ago implemented a "This is not spam" reporting function.

Of the occasional false positives observed, it quickly became apparent that the problems owed, not to Brightmail's having made an independent rules/heuristic based decision, but that such owed to a sufficient number of clients having reported certain senders as purveyors of spam, when in fact all such missives were sent solely on a subscription basis; some people simply take what they perceive to be the easy way, and report something that they no longer wish to receive, rather than take the time to unsubscribe.

The single, and odd, exception is that occasionally Yahoo Search Marketing's alerts re. the status of one's PPC ad listings get flagged. I've no good explanation for that.
0 Votes
+ -
Fight Back?
esalkin 30th Mar 2009
Judo uses an opponent's own strength against them.

Why not exploit the p2p feature of the virus and send an update that tells it to self destruct at 11:30PM on March 31st?
0 Votes
+ -
Contributr
Encryption
Michael Kassner 30th Mar 2009
That's a great idea, but the P2P traffic is encrypted with one of the tightest algorithms created. MD6
0 Votes
+ -
MS08-067 is the MS patch - schoolboy error.

(i won't pick holes in the rest of the grammar of the otherwise useful article...)
0 Votes
+ -
Contributr
I apologize, as I should have known better as the link gives the correct nomenclature.

Also, I'd appreciate any comments that you might have. I'm always trying to improve my writing skills.
0 Votes
+ -
I've run my comb through your piece twice, now. What's-his-face has little to stand on.
0 Votes
+ -
Contributr
Thanks
Michael Kassner 31st Mar 2009
That means something, especially now. Still I like the English take on writing. They're a lot stricter. I can stand to learn.

Besides, my editor corrected me on the use of maybe as well. My oops, even after researching it.
0 Votes
+ -
"Stricter"
santeewelding 31st Mar 2009
Only because their forebears knew more than they to play fast and wonderfully loose "...with language...carrying itself under its own arm".
0 Votes
+ -
British English is anal
Oz_Media Updated - 31st Mar 2009
I am British, I remember how strict English was. While I constantly cringe when I hear US and sometimes even Canadian slang, it's the phrasing and pronunciations that bother me most.

But English schools are VERY uptight about grammar, to the point of being too much so. When writing a novel, perhaps it is worthy of close grammatical scrutiny. When writing copy, I have editors (thank god!). But when it comes to peers on a chat forum, or even an editor's comments, who the bloody hell cares about punctuation, correct usage of Who or WHOM, Me or I, semicolon or colon?

It just doesn't matter, conversations in perfect English grammar are what brings upon Brits that air of being pompous and toffee nosed to begin with.

When in reality, Brits have incorporated some of the worst regional English slang of all.

Innit right, mate?
Don'alf fink so!

0 Votes
+ -
Cares
santeewelding 31st Mar 2009
Little voice: I do.
0 Votes
+ -
Think Tig instead
Oz_Media 31st Mar 2009
Not Tigger Two but Tig. At least it has purpose.
0 Votes
+ -
I know what you mean.
Oz_Media Updated - 31st Mar 2009
Like using a hyphen instead of semi colon or beginning a sentence in lower case and then trailing it with three periods?

0 Votes
+ -
Every time I see you post you're being a dick. Do you ever offer anything productive?
0 Votes
+ -
Dick
santeewelding 31st Mar 2009
Your lower-case comes perilously close to what I go by.
0 Votes
+ -
Not when I know you are reading.
Oz_Media Updated - 31st Mar 2009
First of all, it's Richard to you.

You also failed to notice that the previous poster, who I was actually replying to (not yourself as you seem to have mistaken), commented on the writer's poor grammar, while offering poor grammar himself.

My typing is hideous, therefore I don't go around pointing out typos to other people.

So go play bitch at some other playground until you know what you're talking about.
0 Votes
+ -
Contributr
Oz and Santee
Michael Kassner Updated - 31st Mar 2009
First, I care a great deal about both of you, so read this knowing that, please.

I was wrong in the article, three times. That's something I don't accept from myself. So, I like it when I'm straightened out.



0 Votes
+ -
It's not that, though
Oz_Media Updated - 31st Mar 2009
Someone correcting me for a typo, I'm used to that, but don't correct me by offering your own typos.

If I tell you not to drink and drive, I shouldn't be drinking and driving while I do it.

The old practice what you preach issue.

I don't care who was involved or who it is aimed at, just don't be a hypocrite when doing it.

It's the typical forum mentality of the anal, read through and correct someone without offering a view on the OP or offering a related comment to begin with.
0 Votes
+ -
Conficker vs Conflicker
deepsand Updated - 30th Mar 2009
Both spellings are in common use.

You may wish to alter Tags on your appropriate Blog entries & Discussions started.
0 Votes
+ -
Contributr
I asked about it and Conflicker is an incorrect spelling as far as I know. In fact one explanation identifies fick with an English word that I'll avoid writing.
equal to F**k

there, I said it for you grin
0 Votes
+ -
supposedly.
0 Votes
+ -
Contributr
In two ways, either your configuration is messed up or the malware is going to mess it up.
0 Votes
+ -
Although the origin of the name "conficker" is not known with certainty, Internet specialists and others have speculated that it is a German portmanteau fusing the term "configure" with "fick", the German equivalent of ****.[5] Microsoft analyst Joshua Phillips describes "conficker" as a rearrangement of portions of the domain name 'trafficconverter.biz'[6].


http://en.wikipedia.org/wiki/Conficker
the fact remains that both are in common usage, and we need to accommodate such.

Other names/variations include Downup, Downadup, Kido & Kiddo
0 Votes
+ -
Contributr
I guess
Michael Kassner 30th Mar 2009
That you missed that part of my article, where I was ranting about that very subject.

By the way, how are you feeling? Lots of us here are concerned about our fellow security nut.
As for health, I'm somewhat improved. The pains come less frequently, and generally with less severity & longevity; but, I'm far from being totally well.

Most bothersome is the near constant state of being at least somewhat sleep deprived, and the awareness of time lost, things not done.

But, I take heart in the knowledge that life is a game from which no one escapes alive!
0 Votes
+ -
Contributr
I've gone a few days without sleep and that was tough. I can only imagine what that must feel like for longer periods. I wish you the best and appreciate the fact that you still share your thoughts with us.
Pain wasn't horrendous; but, along with RLS, sufficient for keeping me tossing & turning 'til 5:45. Wouldn't have been so bad had I not of necessity for the day ahead had the alarm set for 7:00!

As I've nothing scheduled tomorrow until late afternoon, I might tonight make some small progress toward paying down my sleep debt.
0 Votes
+ -
for my sleep problems, deep. But I don't know if they would conflict with anything you may take already.

I found out almost by accident that the Valerin and melatonin extracts at Wonder Labs have cured both my back spasms and my sleep problems.

http://www.wonderlabs.com/itemleft.php?itemnum=6062

I'm not a pitch man for them, I just think it is astounding that herbs and such work better than pharmaceuticals. Believe me, I thought that stuff was silly "hippy" crap when I first ran onto it.
The former are solutions which are supposedly "infused" with the "essence" of "something". If one does the math, it is frequently the case that the dilution rate is so great that it is almost certain that the entire portion of the solution contains not a single molecule of the "something."
0 Votes
+ -
Probably can't help RLS, but I empathize with anyone that has sleep problems, as I suffered sleep apnea for 12 years.

The damage already done, it is a long road to hopeful recovery.

I'm not much of a pill chucker; but when I forgot to take those two, I was reminded within three days - minimum - to continue, post haste.
0 Votes
+ -
Contributr
At least
Michael Kassner 21st Apr 2009
You both appear to have found something that works. I consider myself very fortunate to not have too many sleepless nights. Even before my heart surgery, I was surprised that I was able to fall asleep.

My cure is a two (well may be three) finger shot of brandy, by the way.
0 Votes
+ -
if there's no "something" present, it's just a placebo effect.

All claims aside, there's no such thing as the "essence" of a substance; it's either present or not. And, in many homeopathic solutions, it's just not present.
0 Votes
+ -
Once burnt off a good portion of my mustache/beard doing flaming shots of Bacardi of a much lower proof. Didn't time quite right, so that rim hit lower lip before upper, splashing contents all over the place.
0 Votes
+ -
Sounds like the time to have...
JCitizen Updated - 24th Apr 2009
I've got that pyrotechnical bug so am jealous of your good times.

Like I said before, I'm not particularly placebo effect material as I hate popping any pills especially pharmaceuticals; and only notice any positive effect days after forgetting to take them. Sometimes it may take me weeks to remember just WTF I had just done to quell the suffering!

Nonetheless, if the placebo effect will cure me of chronic side effects of weight loss/gain harmonics, and keep the side effects of what is called "mountain climbers" disease from ripping the muscles from my leg bones - then I'll take the placebo effect any day.

I do believe in the AMA, but they sell snake oil too! 20 years of continued sleep apnea suffering have taught me how to survive - I should have been dead a long time ago. I probably don't have too much longer to live anyway.
0 Votes
+ -
As with all remedies, the risks lie in unintended consequences.

Setting aside the omnipresent risk of active side effects, there is the case that, in believing oneself to be cured by virtue of the absence of symptoms, we risk, through action or inaction, exacerbating the underlying cause.

As regards the AMA & FDA, while each is far from being a perfect protector, I am glad that they do at least stand to somewhat reduce the risks that we are exposed to.
0 Votes
+ -
I'm not a gov't hater so I believe our government can have good missions, and that is one that can't be ignored.

All human activity is flawed, I can't belly ache too much.

Hope you can find relief. plain
0 Votes
+ -
Contributr
If you have MS08-067 installed.
0 Votes
+ -
to note that F-Secure has provided a list of 4750 addresses that conficker can contact. I wonder where they are located.
0 Votes
+ -
As I recall, ...
deepsand 30th Mar 2009
many of those have been secured, and no attempts at making contact via such have been witnessed.
0 Votes
+ -
Contributr
That's an accumulation of 19 days worth of domain names.
0 Votes
+ -
This worm/virus has so many relays it is almost impossible to track. Knock a relay out and there are 5 more taking its place. Using a packet catcher and trying to follow this is worse than Melissa.

Everything is pointing directly to Asia and China. Asia mainly due to the huge amount of pirated and infected computers. This is definitely not a school kid put together and has to come from a lab, maybe even government related. While I will not use names I have my suspects. Very well collaborated and we all know certain governments have been testing cyber attack tests.

With that I will say no more until further data is collected.
0 Votes
+ -
Contributr
Say more, please let us know. I'm running into walls as well. I suspect the cartel is keeping much of it under wraps for good reason.
0 Votes
+ -
MD6 .... hmm
Jaqui 30th Mar 2009
I think the MIT people need to look at the laws a bit more closely.

Encryption software is classified as weapons technology.
It is restricted for export, to approved countries and with a license for exporting weapons only.

Since they made SOURCE CODE of an implementation available from the site you linked to, they actually have broken the US laws about exporting weapons technology.
https://www.pgp.com/products/export_compliance.html

Only the Zimmerman dude managed to clear himself.
http://en.wikipedia.org/wiki/Pretty_Good_Privacy#Criminal_investigation

It's a very good point though - it's definitely empowered the malware to protect its P2P connectivity. How sad that the first public use of this encryption method is in this manner...
0 Votes
+ -
Contributr
Ever since
Michael Kassner 31st Mar 2009
Jaqui brought it up, I've been searching for some additional information on this. Haven't seen much as of yet.
0 Votes
+ -
I'm sure you remember when only Canada and the US had browsers with 128 bit encryption, because of restrictions EXPORTING the technology.

Unfortunately, it isn't anything you'll find in I.T. related searches, it's delving into the laws around weapons technology where you will find the restrictions on distribution... and definitions of what is weapons tech.
of a compiled binary and source code.

And the reading about the US Govt vs encryption is very interesting.
0 Votes
+ -
Compiled binaries, at that.
I remember, but can't find, the license agreement.

2nd best:
http://news.cnet.com/2100-1001-200862.html
0 Votes
+ -
Contributr
I didn't think of that aspect. Dr.Rivard is a well-known expert in the field. Rivard and his MIT group have developed several products so they should be aware of what's proper.
0 Votes
+ -
I know
Jaqui 31st Mar 2009
that he is well known in the field of securing systems and networks, since I read his bio page on MIT's site. happy

It isn't that I have a problem with the product, or the concept, it was the lack of foresight when posting the sources for an implementation.
It slipped his mind that they could be used for criminal purposes, and the legality of exporting weapons technology.
0 Votes
+ -
Contributr
Unless it was developed here in the US.
0 Votes
+ -
actually, no.
Jaqui 31st Mar 2009
since I'm not in the US, and there was no mention of the restriction on encryption export when I downloaded the sources myself, the export of a restricted tech happened, unless only downloaded from countries on the approved list. [ very unlikely, that list is a short one ]
0 Votes
+ -
...but, isn't it a little odd that the Conficker Cabal's domain is for sale? I mean, once the problem's solved, who'd want to buy it?
0 Votes
+ -
Contributr
Maybe it's just me being American, but this is the first I've heard the term cabal.
0 Votes
+ -
My definition..
JCitizen 5th Apr 2009
cabal - a loose knit organization of people - usually used in reference to a "den of thieves".

Don't know if it is accurate - just the first image that comes to mind. =)
0 Votes
+ -
Contributr
I'd like to think that they are something other than thieves though.
0 Votes
+ -
and probably true too! =\
It just struck me as an odd switch in tone or something.

"We, the world leaders of technology have come together with grim resolve to rescue the world from total catastrophe. Wanna buy our domain name?"

It's probably just me. Lots of things strike me as odd, these days.
0 Votes
+ -
Contributr
I feel that way as well. My problem is that I like odd things.
and most systems that are infected don't have any notifications being handed them by security software...

Sounds to me like those responsible for Conficker also used exploits DEMONSTRATED by Microsoft.
the turning off of all notifications, opening of a hidden window as administrator demonstrated by WGA/MGA .

so Microsoft contributed to the effectiveness of Conficker themselves with their "Bolted on Security"
0 Votes
+ -
Contributr
Exactly
Michael Kassner 31st Mar 2009
I think MS is starting to realize how many pirated copies of Windows are out and about as well.
0 Votes
+ -
MS is posting the bounty. Maybe the conficker coder managed to get some MS State Secrets, and is using them in their code.
0 Votes
+ -
you want the code to
Jaqui 31st Mar 2009
disable the notifications?
I have a copy of the legitcheck.dll that has the code in it.

you just need to be able to pull it out of the dll with your hex editor... and jedit will translate the hex into source.. on windows

MS screwed up royally with the windows genuine advantage / microsoft genuine advantage programs, they demonstrated exactly how easy it is to bypass the security, even 3rd party security apps, on windows.
0 Votes
+ -
But it makes sense. If you build in a back door, someone will eventually find it.

Completely off topic...

How would you apply Darwin's theory of evolution to computer operating systems, given the fact that they are created by humans?
It's obvious that an OS has to evolve to adapt and survive in a changing net environment, but can we really say it's survival of the fittest? Or does the survival of the fittest model work better with the virus sector?
.. survival of the fittest has long since been forgotten in the information technology field including software. Ours is an industry littered with better products that couldn't compete against better marketing.
That the marketing is the driving power, and not the quality of the product. But, according to a basic evolutionary model, this will collapse with the first environmental catastrophe, leaving only the actual fittest. But, once again, the software world does not follow evolutionary rules, it is managed, tweaked, and nudged.
The virus model fits evolution better. They replicate, adapt, and change to meet the hazards of their environment. And in the current software environment, the process appears to be backwards. AV vendors (hazards in the virus environment) react to changes in the virus (evolution) instead of the reverse.
AV researchers and companies have to fight a reactionary battle, since being the "good guys", their hands are tied by legality in terms of bringing the fight to the virus authors. All they can do is defend and clean. I wonder if we can "stonewall" virus writers long enough, if defense is strong enough, to provide a minimum of security for an indefinite, extended period of time.

Wow.. Dern I'm rambling. Time for more coffee, and quick!
0 Votes
+ -
Contributr
Well said
Michael Kassner 2nd Apr 2009
I really like your analogy. It's as I understand it, but reading it made for an Ah Ha moment. Thanks.
0 Votes
+ -
Yes, I agree, well said...
JCitizen Updated - 5th Apr 2009
The model in this case is determined by the success of the returning data. The cracker would measure the success of the design that way (at least for those kinds of thieves).

Then test in the lab with AV solutions to thwart the virus, and adjust accordingly. I have a feeling just changing the data stream to obfuscate the definitions is lazy coding for a cracker.

Looking for new vulnerabilities and survival regimens, and combining it all, would aid in the design. I would think the more a virus could abscond with code already in the target computer, the more lightweight the injection package could be made. Secunia more or less points to things like this, when people leave end-of-life programs or old uninstallable .exe files lying around the system files.

The morphing goes on.
In similar fashion to the Y2K around-the-world countdown, Conficker will have a similar one:

http://isc.sans.org/diary.html?storyid=6103&rss
The DHS is talking about a free tool to locate and remove Conficker. I've read everything I could about it, but haven't found a link to the tool or any posts about how to get it. Has anyone else figured it out?

http://www.dhs.gov/ynews/releases/pr_1238443907751.shtm
0 Votes
+ -
here Michael
Jaqui 31st Mar 2009
the paragraph that covered distribution of the tool:

The department's United States Computer Emergency Readiness Team (US-CERT) developed the tool that assists mission-critical partners in detecting if their networks are infected. The tool has been made available to federal and state partners via the Government Forum of Incident Response and Security Teams (GFIRST) Portal, and to private sector partners through the IT and Communications sector Information Sharing and Analysis Centers (ISACs).
0 Votes
+ -
Contributr
I saw that
Michael Kassner 31st Mar 2009
It doesn't do much good for the rest of us, does it?
0 Votes
+ -
Tool
Jellimonsta 31st Mar 2009
...The tool has been made available to federal and state partners via the Government Forum of Incident Response and Security Teams (GFIRST) Portal, and to private sector partners through the IT and Communications sector Information Sharing and Analysis Centers (ISACs).

0 Votes
+ -
Contributr
My problem is that it's of little use to mainstream.
0 Votes
+ -
I would just recommend the latest BETA of NMap and following this blog.

http://www.skullsecurity.org/blog/?p=209
0 Votes
+ -
Would have saved me a few hours yesterday. I had the "old" win32 beta and had to hunt down the csv script update for the beta to scan for Conficker. All the while, forgetting a little box on the floor behind me, gathering dust with a Debian etch install. Some days I want to beat myself in the head with a bottle.
0 Votes
+ -
Yo! Jelly!
JCitizen 19th Apr 2009
Keep up the pressure on those dunderheads over at ZDNet! Your writing has been very entertaining, and enlightening!
0 Votes
+ -
and the IT departments of state/federal contractors.

"Government Forum of Incident Response and Security Teams (GFIRST) Portal, and to private sector partners through the IT and Communications sector Information Sharing and Analysis Centers (ISACs). Additional outreach to partners will continue in the coming days."

But on the plus side, Honeynet.org is releasing a removal tool, iirc, on their site.

I spent 3 hours yesterday trying to locate the beta code for nmap to test for Conficker infection. Nessus is the better option there, as a registered copy has the Conficker plugin available right away in the updated plugins.
0 Votes
+ -
nmap beta
cbader@... 31st Mar 2009
Get the new beta of nmap here:

http://insecure.org/

They even give you the search string to use to detect Conficker.
0 Votes
+ -
I only had one problem with it: while running it through a VPN, it triggered the PIX to lock down the interface for 5 minutes...
0 Votes
+ -
Contributr
That the free part is going to change to for-pay as it moves out to the public.
0 Votes
+ -
Personally I am surprised there
Dumphrey Updated - 1st Apr 2009
are as many free products as there are atm.
But there will most likely continue to be free removal tools for this, much like for many of the other big ones that have hit in the past. AV companies like the PR from a random user fixing the box with a free tool they downloaded. "If the tool works, maybe their AV is better than what I have."


*tinfoil hat on*
Unless this whole process is being hyped way out of perspective to boost sales of security-related products in a downward economy. Or better yet, it's just a smoke screen for what the virus writer is really doing, on a smaller, more sophisticated, more targeted scale. Conficker is the "test bed" for the implemented or planned implementations of the limited code distribution.
*tinfoil hat off*
What would happen if you changed the date on your system to something like April 15th, then when the 15th actually does come around change it back to the 15th instead of the 30th???
This Conficker is really a nightmare and I hope it passes away quietly like the millennium bug.

I implemented a fix from my anti-virus support people and it shut down the entire network.

I had to undo the fix and revert back to the status quo. Though I am able to work now, I am afraid that the network is vulnerable?
0 Votes
+ -
Contributr
MS08-067 is relatively benign.
0 Votes
+ -
Yes
cbader@... 31st Mar 2009
nmap can detect Conficker. I tested some machines yesterday and so far so good, but I haven't been able to scan my entire network. Maybe someone can help me: can nmap scan a full range of IP addresses?
0 Votes
+ -
Range
Jellimonsta 31st Mar 2009
You will want to put in the address range with the /mask. i.e. 10.1.1.0/24.
0 Votes
+ -
Re: Range
cbader@... 31st Mar 2009
Awesome, thank you.
I had to reboot a box that took poorly to an nmap scan a while back.
Good advice. The boss doesn't care about security too much as long as the web servers are taking traffic; if I brought down a production server doing a security scan he'd kick my butt lol.
0 Votes
+ -
.. to be an example for others to learn by. wink

(Office shared storage server in the middle of the day in my case.)
I have crashed a mail server and a unix file server with general nmap scans.

Got lucky yesterday; all it did was slow down a few workstations while they were being scanned.
0 Votes
+ -
nah.. nmap -A #.#.#.#/24

If you're going to blow the windows off the place.. go for broke. grin
I'm not so busy and millions of angry pixels aren't pounding on my head with hammers.

Go go migraine meds.
0 Votes
+ -
Just use the subnet and CIDR mask as the target,
like nmap --script=smb-check-vulns --script-args=safe=1 -p445 -d 192.168.1.0/24
0 Votes
+
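Putting the thread's two nmap pointers together (the smb-check-vulns script run with safe=1, and a CIDR subnet as the target instead of one host) as an added example that is not from any poster here: Python that builds the scan command, rejects a malformed range before anything is scanned, and tallies the per-host Conficker verdicts from a constructed sample of nmap output. The output layout and the verdict strings "Likely INFECTED" / "Likely CLEAN" are assumptions modeled on the NSE script, not captured from a real scan.

```python
import ipaddress
import re

def build_scan_command(cidr, safe=True):
    """nmap argv from the thread: smb-check-vulns on TCP/445 over a subnet.
    safe=1 skips the checks that can crash fragile hosts; a malformed range
    such as 192.168.1.10.0/24 raises ValueError instead of being scanned."""
    net = ipaddress.ip_network(cidr, strict=False)  # 10.1.1.5/24 -> 10.1.1.0/24
    argv = ["nmap", "--script=smb-check-vulns"]
    if safe:
        argv.append("--script-args=safe=1")
    return argv + ["-p445", str(net)]

# Constructed sample of nmap normal output for three hosts (not a real scan;
# layout and verdict strings are assumptions modeled on the NSE script).
SAMPLE_OUTPUT = """\
Nmap scan report for 192.168.1.10
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: VULNERABLE
|_ Conficker: Likely INFECTED
Nmap scan report for 192.168.1.11
445/tcp open  microsoft-ds
Host script results:
|  smb-check-vulns:
|  MS08-067: NOT VULNERABLE
|_ Conficker: Likely CLEAN
Nmap scan report for 192.168.1.12
445/tcp closed microsoft-ds
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
VERDICT_RE = re.compile(r"^\|_?\s*Conficker:\s*(.+?)\s*$")
def parse_conficker_verdicts(text):
    """Host -> Conficker verdict; 'no result' when the script did not run (445 closed)."""
    verdicts, host = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:
            host = m.group(1)
            verdicts[host] = "no result"
        elif host and (m := VERDICT_RE.match(line)):
            verdicts[host] = m.group(1)
    return verdicts

def likely_infected(text):
    """Hosts to isolate and clean first: the ones nmap flagged INFECTED."""
    return sorted(h for h, v in parse_conficker_verdicts(text).items() if "INFECTED" in v)
```

A host that comes back as "no result" is not cleared: port 445 was closed or filtered from the scanner's vantage point, so it needs a local check rather than being marked clean.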