Author Topic: Has Conficker Destroyed the Internet Yet?  (Read 3639 times)


Offline iago


Offline abc

Re: Has Conficker Destroyed the Internet Yet?
« Reply #1 on: April 01, 2009, 08:09:54 pm »
http://has.conficker.destroyedtheinternetyet.com/?destroyed=true

Needs an RSS feed, IMO.


I knew I'd see you post something on it, that's why I went here right now :)

Offline iago

Re: Has Conficker Destroyed the Internet Yet?
« Reply #2 on: April 01, 2009, 10:15:05 pm »
Quote
http://has.conficker.destroyedtheinternetyet.com/?destroyed=true

Needs an RSS feed, IMO.

I knew I'd see you post something on it, that's why I went here right now :)

There are two other threads where I mentioned Conficker -- "Tell me now!" and "Server slowness". :)

Offline while1

Re: Has Conficker Destroyed the Internet Yet?
« Reply #3 on: April 02, 2009, 12:04:30 am »
srsly, the media completely blew this out of proportion.  sure, conficker is interesting, but most of this has just been hyped up by the media.
I tend to edit my topics and replies frequently.

http://www.operationsmile.org

Offline Sidoh

Re: Has Conficker Destroyed the Internet Yet?
« Reply #4 on: April 02, 2009, 12:09:09 am »
lol, one of my friends was IMing me yesterday, panicked that her computer was going to vaporize today.

Offline CrAz3D

Re: Has Conficker Destroyed the Internet Yet?
« Reply #5 on: April 03, 2009, 05:49:17 pm »
Quote
lol, one of my friends was IMing me yesterday, panicked that her computer was going to vaporize today.
we had a client that was double checking her will cause of the virus.

I didn't get it, but whatever.

Offline Warrior

Re: Has Conficker Destroyed the Internet Yet?
« Reply #6 on: April 03, 2009, 10:30:37 pm »
Quote
srsly, the media completely blew this out of proportion.  sure, conficker is interesting, but most of this has just been hyped up by the media.

I think it's significantly dangerous. The April 1st thing was probably a red herring, but the fact that it's so easy for a machine to become compromised (due to the less than stellar Windows Update system) and so easy for Conficker to update itself makes it actually really dangerous.

If they're going for a long term infected base, and if they can continuously push updates like the ones they already have, then it could spell a very dangerous situation.

The bigger problem though, I believe, is how fragile the entire situation is: how relatively easy it is to get something with the potential to bring a lot of computers to their knees, and potentially steal a lot of information.

But hey, as a programmer, it's pretty damn cool.
One must ask oneself: "do I will trolling to become a universal law?" And then when one realizes "yes, I do will it to be such," one feels completely justified.
-- from Groundwork for the Metaphysics of Trolling

Offline Newby

Re: Has Conficker Destroyed the Internet Yet?
« Reply #7 on: April 04, 2009, 04:57:15 pm »
Quote
How relatively easy it is to get something with the potential to bring a lot of computers to their knees, and potentially steal a lot of information.

What's weird is that mass infections were never hard. That's why botnets have existed.

I'm completely out of the loop, but what makes Conficker so media-worthy?
- Newby
http://www.x86labs.org

Quote
[17:32:45] * xar sets mode: -oooooooooo algorithm ban chris cipher newby stdio TehUser tnarongi|away vursed warz
[17:32:54] * xar sets mode: +o newby
[17:32:58] <xar> new rule
[17:33:02] <xar> me and newby rule all

I'd bet that you're currently bloated like a water balloon on a hot summer's day.

That analogy doesn't even make sense.  Why would a water balloon be especially bloated on a hot summer's day? For your sake, I hope there wasn't too much logic testing on your LSAT. 

Offline Warrior

Re: Has Conficker Destroyed the Internet Yet?
« Reply #8 on: April 04, 2009, 05:03:00 pm »
Probably the ease with which it spreads, its elusiveness, its ability to update itself.
It's pretty sophisticated, from what I've read.

Offline iago

Re: Has Conficker Destroyed the Internet Yet?
« Reply #9 on: April 04, 2009, 05:21:56 pm »
Quote
Probably the ease with which it spreads, its elusiveness, its ability to update itself.
It's pretty sophisticated, from what I've read.
That's correct. Specifically.....

Multiple attack vectors -- it can spread through USB sticks, Windows vulnerability (MS08-067), and Windows shares (bruteforcing passwords)

Communication and updating -- it uses a peer-to-peer protocol to communicate and update itself

Cleans up -- it patches the vulnerability it used to gain access (but it patches it differently from how Microsoft does it -- that's how we can detect it remotely)

Difficult to remove -- it disables antivirus and blocks access to Windows Update, Antivirus vendors, security sites, etc (can also be used to detect it locally)

Mysterious -- because of the automated updates, nobody knows what the functionality is going to be.

<edit> it's also what I would consider the biggest worm since the early 00's (2003/2004), and it's much less obvious than others (Blaster/Sasser used to be obvious, because it crashed the service -- Conficker doesn't)

« Last Edit: April 04, 2009, 05:27:45 pm by iago »

Offline nslay

Re: Has Conficker Destroyed the Internet Yet?
« Reply #10 on: April 04, 2009, 05:27:42 pm »
Quote
Probably the ease with which it spreads, its elusiveness, its ability to update itself.
It's pretty sophisticated, from what I've read.
That's correct. Specifically.....

Multiple attack vectors -- it can spread through USB sticks, Windows vulnerability (MS08-067), and Windows shares (bruteforcing passwords)

Communication and updating -- it uses a peer-to-peer protocol to communicate and update itself

Cleans up -- it patches the vulnerability it used to gain access (but it patches it differently from how Microsoft does it -- that's how we can detect it remotely)
Not only that, but it creates new holes so it can reinfect cleaned hosts.

Quote
Difficult to remove -- it disables antivirus and blocks access to Windows Update, Antivirus vendors, security sites, etc (can also be used to detect it locally)
It does more than that.  It has absolute control over DNS resolution.  It just simply resolves anti-virus websites to localhost.  My father had Conficker on his system.  After he formatted, I remembered that I could have made a static tunnel with PuTTY to access TrendMicro Housecall (localhost->TrendMicro)!!  >:(

Quote
Mysterious -- because of the automated updates, nobody knows what the functionality is going to be.
Maybe it just wants to live :'(
An adorable giant isopod!

Offline iago

Re: Has Conficker Destroyed the Internet Yet?
« Reply #11 on: April 04, 2009, 05:28:53 pm »
Quote
It does more than that.  It has absolute control over DNS resolution.  It just simply resolves anti-virus websites to localhost.  My father had Conficker on his system.  After he formatted, I remembered that I could have made a static tunnel with PuTTY to access TrendMicro Housecall (localhost->TrendMicro)!!  >:(
There are ways to disable the DNS screwing -- something like "ipconfig /flushdnscache" will screw up Conficker's blocking. You'd have to look up the exact command.

Offline nslay

Re: Has Conficker Destroyed the Internet Yet?
« Reply #12 on: April 04, 2009, 05:33:51 pm »
Quote
It does more than that.  It has absolute control over DNS resolution.  It just simply resolves anti-virus websites to localhost.  My father had Conficker on his system.  After he formatted, I remembered that I could have made a static tunnel with PuTTY to access TrendMicro Housecall (localhost->TrendMicro)!!  >:(
There are ways to disable the DNS screwing -- something like "ipconfig /flushdnscache" will screw up Conficker's blocking. You'd have to look up the exact command.

I doubt that would work, as Conficker patches DNSAPI.dll or whatever to resolve incorrectly.

Offline iago

Re: Has Conficker Destroyed the Internet Yet?
« Reply #13 on: April 04, 2009, 05:41:02 pm »
Quote
It does more than that.  It has absolute control over DNS resolution.  It just simply resolves anti-virus websites to localhost.  My father had Conficker on his system.  After he formatted, I remembered that I could have made a static tunnel with PuTTY to access TrendMicro Housecall (localhost->TrendMicro)!!  >:(
There are ways to disable the DNS screwing -- something like "ipconfig /flushdnscache" will screw up Conficker's blocking. You'd have to look up the exact command.

I doubt that would work, as Conficker patches DNSAPI.dll or whatever to resolve incorrectly.
I don't know why it works, but this is the answer that has become common:
Quote
Fix Your DNS. The first step to recovery is getting Conficker's sticky fingers out of your computer's DNS cache. Click Start, click Run, and enter CMD. In the Command Prompt window that appears, enter the command "NET STOP DNSCACHE". You should get a message that the DNS client service has stopped. This may slow your web surfing slightly, as your browser will need to request a DNS lookup for each page rather than relying on the cached DNS information stored locally. But with Conficker poisoning the DNS cache it's a necessary evil. The DNS service should restart automatically after you reboot. Just to be sure, once you've clearly resolved the problem, open a Command Prompt and enter "NET START DNSCACHE".

Fix Your HOSTS File. According to Trend Micro, Conficker can also interfere with DNS resolution by modifying the HOSTS file. This file associates specific IP addresses with specific domains, and it overrides the online DNS system. Some people use it to block Web ads; Conficker uses it to keep you from getting help. To fix this problem, launch Notepad and open the file c:\windows\system32\drivers\etc\HOSTS. That's just plain HOSTS, not HOSTS.TXT. Typically you'll see a bunch of comment lines that begin with a number sign (#) plus one line similar to "127.0.0.1 localhost". If you also find a series of lines including the names of popular security products, they're almost certainly invalid. Comment out those lines by inserting a number sign (#) as the first character in each line. Save the HOSTS file, exit Notepad, and close all browser windows.

Apparently it affects things at the caching level, not at the resolution level.
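The HOSTS-file check quoted in the post above, as an added example that is not part of the thread or of the quoted article: a Python script that parses a Windows HOSTS file, flags active entries that pin security-vendor or update hostnames to the loopback (or 0.0.0.0) address, and comments those lines out the way the article recommends. The sample HOSTS content and the vendor keyword list are constructed for illustration and would be extended for a real environment; the legitimate default "127.0.0.1 localhost" entry is never flagged, and ad-blocking entries for non-security hosts are left alone.

```python
"""Check a Windows HOSTS file for sinkholed security/update hostnames.

Added example (not from the thread). SAMPLE_HOSTS and SECURITY_KEYWORDS
are constructed for illustration.
"""
import ipaddress
import re

# Substrings a defender would expect in the names of security-vendor and
# update sites. Assumption: illustrative list, extend for your environment.
SECURITY_KEYWORDS = (
    "windowsupdate", "microsoft", "symantec", "norton", "mcafee", "trendmicro",
    "kaspersky", "sophos", "avast", "avg", "eset", "f-secure", "bitdefender",
    "housecall", "virus", "antivirus", "malware", "defender",
)

# "<ip> <hostname> [hostname ...]" after trailing comments are removed.
HOSTS_LINE = re.compile(r"^\s*(\S+)\s+(.+?)\s*$")


def parse_hosts(text):
    """Return (line_no, ip_address, [hostnames]) for every active mapping.

    Commented-out lines (leading '#') and malformed lines are skipped.
    """
    entries = []
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0]          # drop comments
        m = HOSTS_LINE.match(line)
        if not m:
            continue
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue                          # not an IP address, ignore
        entries.append((no, addr, m.group(2).split()))
    return entries


def is_sinkhole(addr):
    """127.x.x.x, ::1 and 0.0.0.0 all make a hostname unreachable."""
    return addr.is_loopback or addr.is_unspecified


def is_security_name(name):
    lowered = name.lower()
    return any(k in lowered for k in SECURITY_KEYWORDS)


def find_suspicious(text):
    """Return (line_no, hostname) pairs where a security-related host is
    sinkholed. The default localhost mapping is legitimate and never flagged."""
    hits = []
    for no, addr, names in parse_hosts(text):
        if not is_sinkhole(addr):
            continue
        for name in names:
            if name.lower() in ("localhost", "localhost.localdomain"):
                continue
            if is_security_name(name):
                hits.append((no, name))
    return hits


def neutralize(text):
    """Comment out every suspicious line (the remediation the article gives).

    Returns (new_text, number_of_lines_changed).
    """
    bad_lines = {no for no, _ in find_suspicious(text)}
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        out.append("# [disabled by hosts_check] " + raw if no in bad_lines else raw)
    trailer = "\n" if text.endswith("\n") else ""
    return "\n".join(out) + trailer, len(bad_lines)


# Constructed sample: the normal defaults, one legitimate internal host, and
# the kind of tampering described in the thread.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
# Lines starting with '#' are comments.
127.0.0.1       localhost
::1             localhost
192.168.1.10    fileserver.corp.example   # legitimate internal host
127.0.0.1       www.microsoft.com update.microsoft.com
127.0.0.1       housecall.trendmicro.com
127.0.0.1       www.symantec.com
"""

if __name__ == "__main__":
    for no, name in find_suspicious(SAMPLE_HOSTS):
        print(f"line {no}: {name} is sinkholed to loopback")
    fixed, changed = neutralize(SAMPLE_HOSTS)
    print(f"{changed} line(s) commented out")
    print(fixed)
```

On a live machine the same functions would be fed the contents of c:\windows\system32\drivers\etc\HOSTS (read as text, written back only after the result has been reviewed); the script deliberately edits a copy in memory rather than the file, so the operator decides what gets written.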