mirrorshades

Conficker / Downadup

36 posts in this topic

This is just coming up on our radar where I work... April 1 is sort of becoming the next Y2K:

http://mtc.sri.com/Conficker/addendumC/

Discuss. I'm interested in thoughts/opinions/conspiracy theories!

This is weapons-grade malware here...

It's very impressive; I've seen some older versions of this first hand and it's pretty nasty.

Wow, that's pretty insane! Once it has access, you're completely screwed; it disables all security and any chance of automatic updating.

April 1 is going to be a Windows Holocaust.

We had a big problem with this at all of the schools in our district a few months ago. It was a mess to clean up. They still do not know exactly what it may or may not do. I am a little concerned about some of the comps that I take care of at my school, but not too much. About 95% are up to date on Windows updates and all have current virus protection. It took something like this, though, for the higher-ups to listen to me about what needed to be done. Some of them hate when I am right.

Extremely good read! I'm highly interested in this field.

Damn, does this mean any Windows computer is potentially going to be infected on April 1st?

Could this also affect Linux distros?

> Damn, does this mean any Windows computer is potentially going to be infected on April 1st?

Yes, potentially it could infect your PC. I wouldn't worry all that much though. I am actually looking forward to April 1 lol.

> Could this also affect Linux distros?

Nah, this worm is only operable on Windows.

Edited by phasma
> > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
>
> Yes, potentially it could infect your PC. I wouldn't worry all that much though. I am actually looking forward to April 1 lol.
>
> > Could this also affect Linux distros?
>
> Nah, this worm is only operable on Windows.

I guess I'll be running Linux until this gets fixed, damn.

> > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> >
> > Yes, potentially it could infect your PC. I wouldn't worry all that much though. I am actually looking forward to April 1 lol.
> >
> > > Could this also affect Linux distros?
> >
> > Nah, this worm is only operable on Windows.
>
> I guess I'll be running Linux until this gets fixed, damn.

Not too worried. Storm was more impressive when it came out, and it was defeated largely by Microsoft's Malicious Software Removal Tool (or so I heard). They will deal with Conficker. Just keep stuff patched and up-to-date, keep regular backups, and we'll survive. As always...

EDIT (12:09AM): LOL @ authors. They used the MD6 hashing algorithm. They are smart in some ways, not so smart in others. Cryptographers are encouraging avoidance of the new hashing algorithms until testing is finished. Current algorithms are good enough, but they had to use something cutting-edge and with a flawed implementation. Skilled developers, amateur cryptographers... :)

Edited by army_of_one
> > > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> > >
> > > Yes, potentially it could infect your PC. I wouldn't worry all that much though. I am actually looking forward to April 1 lol.
> > >
> > > > Could this also affect Linux distros?
> > >
> > > Nah, this worm is only operable on Windows.
> >
> > I guess I'll be running Linux until this gets fixed, damn.
>
> Not too worried. Storm was more impressive when it came out, and it was defeated largely by Microsoft's Malicious Software Removal Tool (or so I heard). They will deal with Conficker. Just keep stuff patched and up-to-date, keep regular backups, and we'll survive. As always...

As always, huh? Things can change.

> EDIT (12:09AM): LOL @ authors. They used the MD6 hashing algorithm. They are smart in some ways, not so smart in others. Cryptographers are encouraging avoidance of the new hashing algorithms until testing is finished. Current algorithms are good enough, but they had to use something cutting-edge and with a flawed implementation. Skilled developers, amateur cryptographers... :)

I think you missed the point. They aren't in it to win cryptography awards. I believe it's just to further obfuscate things even more. That's my take on it.

> > EDIT (12:09AM): LOL @ authors. They used the MD6 hashing algorithm. They are smart in some ways, not so smart in others. Cryptographers are encouraging avoidance of the new hashing algorithms until testing is finished. Current algorithms are good enough, but they had to use something cutting-edge and with a flawed implementation. Skilled developers, amateur cryptographers... :)
>
> I think you missed the point. They aren't in it to win cryptography awards. I believe it's just to further obfuscate things even more. That's my take on it.

I didn't claim they needed cryptography awards. They could be obfuscating, but all the other algorithms are standard and widely known. I presumed they used MD6 because the new ones are faster. However, it's common sense among security engineers to use tried and true techniques. They could have just used SHA1/2 or Whirlpool and it probably would have worked well enough without the implementation errors. One can download optimized, correct SHA1 code off the internet easily, then obfuscate it with a packer. Other than the speed benefit, which Skein is better at, I couldn't see why they'd use MD6. It seemed like a bad design decision.

EDIT: That the only problem I came up with is their hash function choice says a lot about the rest of the design. The worm is overall designed very well with many innovative techniques. I can't wait to see what their next iteration will bring. I look forward to it with both dread and anticipation.

Edited by army_of_one
> > > > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> > > >
> > > > Yes, potentially it could infect your PC. I wouldn't worry all that much though. I am actually looking forward to April 1 lol.
> > > >
> > > > > Could this also affect Linux distros?
> > > >
> > > > Nah, this worm is only operable on Windows.
> > >
> > > I guess I'll be running Linux until this gets fixed, damn.
> >
> > Not too worried. Storm was more impressive when it came out, and it was defeated largely by Microsoft's Malicious Software Removal Tool (or so I heard). They will deal with Conficker. Just keep stuff patched and up-to-date, keep regular backups, and we'll survive. As always...
>
> As always, huh? Things can change.

Yes, people that are paranoid about security can be smart and "apt-get remove sudo" so that not anyone on their computer can get root via "sudo su". Wow, people running Linux complain you can get root on Vista and then they go and install programs to let them get that in Linux, so everybody is root and everybody can unmount the filesystem. Don't download garbage that gives you worms in the first place and you're fine. Wow, I had my Eee without antivirus for like 3 months, downloaded and installed all kinds of apps, and when I finally installed Kaspersky, guess what, I didn't have any worms, spyware, viruses, nothing. And people that write malicious code are dicks. Do they bug a small percent of the people? You could write code for Linux/Mac and bug a few million people, or you could write it for Windows and piss off hundreds of millions of people.

> > > > > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> > > > >
> > > > > Yes, potentially it could infect your PC. I wouldn't worry all that much though. I am actually looking forward to April 1 lol.
> > > > >
> > > > > > Could this also affect Linux distros?
> > > > >
> > > > > Nah, this worm is only operable on Windows.
> > > >
> > > > I guess I'll be running Linux until this gets fixed, damn.
> > >
> > > Not too worried. Storm was more impressive when it came out, and it was defeated largely by Microsoft's Malicious Software Removal Tool (or so I heard). They will deal with Conficker. Just keep stuff patched and up-to-date, keep regular backups, and we'll survive. As always...
> >
> > As always, huh? Things can change.
>
> Yes, people that are paranoid about security can be smart and "apt-get remove sudo" so that not anyone on their computer can get root via "sudo su". Wow, people running Linux complain you can get root on Vista and then they go and install programs to let them get that in Linux, so everybody is root and everybody can unmount the filesystem. Don't download garbage that gives you worms in the first place and you're fine. Wow, I had my Eee without antivirus for like 3 months, downloaded and installed all kinds of apps, and when I finally installed Kaspersky, guess what, I didn't have any worms, spyware, viruses, nothing. And people that write malicious code are dicks. Do they bug a small percent of the people? You could write code for Linux/Mac and bug a few million people, or you could write it for Windows and piss off hundreds of millions of people.

What?? English please.

Have fun using sudo, a program that was designed to be a vuln.

LINE 10: START
LINE 20: USER = YOU
LINE 30: GARBAGE APPLICATION = PROGRAM WITH MALWARE, VIRUS, OR SPYWARE
LINE 40: SUDO = GARBAGE APP MADE FOR CREATING A VULN. IN LINUX
LINE 50: INPUT T, FOR TRUE, F, FOR FALSE, AND S, FOR SUDO: DO YOU DOWNLOAD GARBAGE APPS?
LINE 60: USER + GARBAGE APPLICATIONS = TRUE THEN USER.BOX HAS MALWARE
LINE 70: USER + GARBAGE APPLICATIONS = FALSE THEN USER.BOX DOES NOT HAVE MALWARE
LINE 80: USER + SUDO = VULN.
LINE 90: GOTO LINE 10
LINE 100: END

For those who cannot read a batch file:

doyouhavemaleware.zip

Edited by dinscurge
Indeed, setting sudo up to allow execution of any command as root with no password for all users (or even just one user, really) is not smart. However, a properly configured /etc/sudoers file will allow the execution of /necessary/ commands from non-root accounts while remaining secure.

Do people really use sudo for mounting/umounting their various filesystems now? You can add a "user" option to your /etc/fstab and prevent having to do that.
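As an added example (not code from the thread, and not part of the sudo project), a small POSIX shell audit for the two points in the post above, run over constructed sudoers and fstab excerpts: it flags rules that grant any command as root with NOPASSWD, and reports whether a mount point carries the fstab "user" option so it can be mounted without sudo.

```shell
#!/bin/sh
# Added example, not code from the thread: audit sudoers rules for the
# "any command as root, no password" pattern warned about above, and check
# /etc/fstab for the "user" option that lets a non-root account mount a
# filesystem without sudo. Both config excerpts below are constructed.

SUDOERS_SAMPLE='# User privilege specification
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
alice   ALL=(ALL) NOPASSWD: ALL
ALL     ALL=(ALL) NOPASSWD: ALL
bob     ALL=(root) NOPASSWD: /usr/bin/apt-get update, /usr/bin/apt-get upgrade
carol   ALL=(root) /bin/mount /media/usb, /bin/umount /media/usb'

FSTAB_SAMPLE='/dev/sda1  /              ext4  defaults        0 1
/dev/sdb1  /media/usb     vfat  user,noauto,rw  0 0
/dev/sdc1  /media/backup  ext4  noauto          0 0'

# Print every sudoers rule whose command list is exactly ALL and that carries
# the NOPASSWD tag: passwordless root for any command. Reads sudoers text on
# stdin; comment and blank lines are skipped. Narrow rules (bob, carol) pass.
risky_sudoers_rules() {
    awk '$0 !~ /^[ \t]*(#|$)/ && $NF == "ALL" && $0 ~ /NOPASSWD:/'
}

# Number of risky rules in the constructed sample (expected: alice and ALL).
count_risky() {
    printf '%s\n' "$SUDOERS_SAMPLE" | risky_sudoers_rules | wc -l | tr -d ' '
}

# Print yes/no: may an unprivileged user mount the given mount point?
# True when its fstab option list (field 4) contains "user" or "users".
# Reads fstab text on stdin; an unknown mount point also yields "no".
user_mountable() {
    awk -v mp="$1" '
        $0 !~ /^[ \t]*#/ && $2 == mp {
            found = 1
            n = split($4, opts, ",")
            for (i = 1; i <= n; i++)
                if (opts[i] == "user" || opts[i] == "users") ok = 1
            exit
        }
        END { if (found && ok) print "yes"; else print "no" }
    '
}

# Stand-alone run: report on the constructed samples.
printf 'Rules granting passwordless root for any command:\n'
printf '%s\n' "$SUDOERS_SAMPLE" | risky_sudoers_rules
printf '/media/usb user-mountable: %s\n' \
    "$(printf '%s\n' "$FSTAB_SAMPLE" | user_mountable /media/usb)"
```

On a live system the same functions take real files on stdin (reading /etc/sudoers needs root), and `visudo -c` separately checks the file for syntax errors.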

dinscurge: man sudoers

As for Conficker, it's pretty interesting how complicated it is; its creators are putting tons of effort into it. It'll be interesting to see what happens come April Fools' Day.

Say, is the worm attacking anything yet, or is it just spreading?

Edited by zandi
> > > EDIT (12:09AM): LOL @ authors. They used the MD6 hashing algorithm. They are smart in some ways, not so smart in others. Cryptographers are encouraging avoidance of the new hashing algorithms until testing is finished. Current algorithms are good enough, but they had to use something cutting-edge and with a flawed implementation. Skilled developers, amateur cryptographers... :)
> >
> > I think you missed the point. They aren't in it to win cryptography awards. I believe it's just to further obfuscate things even more. That's my take on it.
>
> I didn't claim they needed cryptography awards. They could be obfuscating, but all the other algorithms are standard and widely known. I presumed they used MD6 because the new ones are faster. However, it's common sense among security engineers to use tried and true techniques. They could have just used SHA1/2 or Whirlpool and it probably would have worked well enough without the implementation errors. One can download optimized, correct SHA1 code off the internet easily, then obfuscate it with a packer. Other than the speed benefit, which Skein is better at, I couldn't see why they'd use MD6. It seemed like a bad design decision.

Again, I believe it's for further obfuscation. Considering the size of things, I doubt speed is as much of a concern. My belief is that, regardless of obfuscating SHA1/2, it's still going to be easily identified in the end. I can't really say it was a bad design, because I haven't seen any bad side effects (for the worm). I know about the overflow, but it hasn't made it easier to stop. Heck, they could have done it just to do it. If I recall correctly, they _have_ used SHA1 in the past.

> EDIT: That the only problem I came up with is their hash function choice says a lot about the rest of the design. The worm is overall designed very well with many innovative techniques. I can't wait to see what their next iteration will bring. I look forward to it with both dread and anticipation.

I agree. I haven't heard of any failures on MD6. It certainly hasn't slowed down the worm. It's an interesting design choice, but I can't call using MD6 a failure. It's just new and untested.

> > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
>
> Yes, potentially it could infect your PC.

No, it couldn't. Conficker requires the MS08-067 patch not to be installed. Stop spreading misinformation.

> > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> >
> > Yes, potentially it could infect your PC.
>
> No, it couldn't. Conficker requires the MS08-067 patch not to be installed. Stop spreading misinformation.

Why would anyone give a shit about this if a patch from October is sufficient protection?

> > > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> > >
> > > Yes, potentially it could infect your PC.
> >
> > No, it couldn't. Conficker requires the MS08-067 patch not to be installed. Stop spreading misinformation.
>
> Why would anyone give a shit about this if a patch from October is sufficient protection?

Because 30% of Windows machines out there don't have it installed.

> Indeed, setting sudo up to allow execution of any command as root with no password for all users (or even just one user, really) is not smart. However, a properly configured /etc/sudoers file will allow the execution of /necessary/ commands from non-root accounts while remaining secure.
>
> Do people really use sudo for mounting/umounting their various filesystems now? You can add a "user" option to your /etc/fstab and prevent having to do that.

idk, I just figured unmounting a filesystem or clearing all partitions is about as bad as you can get for a virus. Yeah, you didn't get to be an asshat and piss them off for a long time, but you did destroy their OS. I've never tried, but I'm pretty sure you can unmount from batch on Windows with something like

 diskpart
Remove /all

> > > > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> > > >
> > > > Yes, potentially it could infect your PC.
> > >
> > > No, it couldn't. Conficker requires the MS08-067 patch not to be installed. Stop spreading misinformation.
> >
> > Why would anyone give a shit about this if a patch from October is sufficient protection?
>
> Because 30% of Windows machines out there don't have it installed.

That's fucking crazy. So 30% of Windows users haven't updated for at least 5 months? Where did you get that 30% number?

> > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> >
> > Yes, potentially it could infect your PC.
>
> No, it couldn't. Conficker requires the MS08-067 patch not to be installed. Stop spreading misinformation.

Hence why I said "potentially". Chill out, overreacting won't solve anything.

> > > > > > Damn, does this mean any Windows computer is potentially going to be infected on April 1st?
> > > > >
> > > > > Yes, potentially it could infect your PC.
> > > >
> > > > No, it couldn't. Conficker requires the MS08-067 patch not to be installed. Stop spreading misinformation.
> > >
> > > Why would anyone give a shit about this if a patch from October is sufficient protection?
> >
> > Because 30% of Windows machines out there don't have it installed.
>
> That's fucking crazy. So 30% of Windows users haven't updated for at least 5 months? Where did you get that 30% number?

I don't know where he got that number, but I've seen many reports showing how many folks don't update much. I know that some have trouble with Windows Update and then just never try it again. There are also reports of people still using Internet Explorer 5 & 6, which may say something about their upgrading habits. These people alone make a large number of potential hosts. Finally, we have enterprises who patch slowly to prevent downtime. There are patches out there whose negative effects on some applications have never been resolved. I think one of these two explains Conficker, as it mainly targets business computers on Windows domains. I think it exploits a slow patching strategy.
