http://has.conficker.destroyedtheinternetyet.com/?destroyed=true
Needs an RSS feed, IMO.
Quote from: iago on April 01, 2009, 08:05:19 PM
http://has.conficker.destroyedtheinternetyet.com/?destroyed=true
Needs an RSS feed, IMO.
I knew I'd see you post something on it, that's why I went here right now :)
Quote from: Dale on April 01, 2009, 08:09:54 PM
Quote from: iago on April 01, 2009, 08:05:19 PM
http://has.conficker.destroyedtheinternetyet.com/?destroyed=true
Needs an RSS feed, IMO.
I knew I'd see you post something on it, that's why I went here right now :)
There are two other threads where I mentioned Conficker -- "Tell me now!" and "Server slowness". :)
srsly, the media completely blew this out of proportion. sure, conficker is interesting, but most of this has just been hyped up by the media.
lol, one of my friends was IMing me yesterday, panicked that her computer was going to vaporize today.
Quote from: Sidoh on April 02, 2009, 12:09:09 AM
lol, one of my friends was IMing me yesterday, panicked that her computer was going to vaporize today.
we had a client that was double checking her will cause of the virus.
I didn't get it, but whatever.
Quote from: while1 on April 02, 2009, 12:04:30 AM
srsly, the media completely blew this out of proportion. sure, conficker is interesting, but most of this has just been hyped up by the media.
I think it's significantly dangerous, the April 1st thing was probably a red herring, but the fact that it's so easy for a machine to become compromised (Due to the less than stellar Windows Update system) and it's so easy for Conficker to update itself, makes it actually really dangerous.
If they're going for a long term infected base, and if they can continuously push updates like the ones they already have, then it could spell a very dangerous situation.
The bigger problem I believe though, is how fragile the entire situation is. How relatively easy it is to get something with the potential to bring a lot of computers to their knees, and potentially steal a lot of information.
But hey, as a programmer, it's pretty damn cool.
Quote from: Warrior on April 03, 2009, 10:30:37 PM
How relatively easy it is to get something with the potential to bring a lot of computers to their knees, and potentially steal a lot of information.
What's weird is mass infections was never hard. That's why botnets have existed.
I'm completely out of the loop, but what makes Conficker so media-worthy?
Probably the ease with which it spreads, its elusiveness, its ability to update itself.
It's pretty sophisticated, from what I've read.
Quote from: Warrior on April 04, 2009, 05:03:00 PM
Probably the ease with which it spreads, its elusiveness, its ability to update itself.
It's pretty sophisticated, from what I've read.
That's correct. Specifically.....
Multiple attack vectors -- it can spread through USB sticks, Windows vulnerability (MS08-067), and Windows shares (bruteforcing passwords)
Communication and updating -- it uses a peer-to-peer protocol to communicate and update itself
Cleans up -- it patches the vulnerability it used to gain access (but it patches it differently from how Microsoft does it -- that's how we can detect it remotely (http://www.skullsecurity.org/blog/?p=209))
Difficult to remove -- it disables antivirus and blocks access to Windows Update, Antivirus vendors, security sites, etc (can also be used to detect it locally (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html))
Mysterious -- because of the automated updates, nobody knows what the functionality is going to be.
<edit> it's also what I would consider the biggest worm since the early 00's (2003/2004), and it's much less obvious than others (Blaster/Sasser used to be obvious, because it crashed the service -- Conficker doesn't)
Quote from: iago on April 04, 2009, 05:21:56 PM
Quote from: Warrior on April 04, 2009, 05:03:00 PM
Probably the ease with which it spreads, its elusiveness, its ability to update itself.
It's pretty sophisticated, from what I've read.
That's correct. Specifically.....
Multiple attack vectors -- it can spread through USB sticks, Windows vulnerability (MS08-067), and Windows shares (bruteforcing passwords)
Communication and updating -- it uses a peer-to-peer protocol to communicate and update itself
Cleans up -- it patches the vulnerability it used to gain access (but it patches it differently from how Microsoft does it -- that's how we can detect it remotely (http://www.skullsecurity.org/blog/?p=209))
Not only that, but it creates new holes so it can reinfect cleaned hosts.
Quote
Difficult to remove -- it disables antivirus and blocks access to Windows Update, Antivirus vendors, security sites, etc (can also be used to detect it locally (http://www.confickerworkinggroup.org/infection_test/cfeyechart.html))
It does more than that. It has absolute control over DNS resolution. It just simply resolves anti-virus websites to localhost. My father had Conficker on his system. After he formatted I had remembered that I could have made a static tunnel with putty to access TrendMicro Housecall (localhost->TrendMicro)!! >:(
Quote
Mysterious -- because of the automated updates, nobody knows what the functionality is going to be.
Maybe it just wants to live :'(
Quote from: nslay on April 04, 2009, 05:27:42 PM
It does more than that. It has absolute control over DNS resolution. It just simply resolves anti-virus websites to localhost. My father had Conficker on his system. After he formatted I had remembered that I could have made a static tunnel with putty to access TrendMicro Housecall (localhost->TrendMicro)!! >:(
There are ways to disable the DNS screwing -- something like "ipconfig /flushdnscache" will screw up Conficker's blocking. You'd have to look up the exact command.
Quote from: iago on April 04, 2009, 05:28:53 PM
Quote from: nslay on April 04, 2009, 05:27:42 PM
It does more than that. It has absolute control over DNS resolution. It just simply resolves anti-virus websites to localhost. My father had Conficker on his system. After he formatted I had remembered that I could have made a static tunnel with putty to access TrendMicro Housecall (localhost->TrendMicro)!! >:(
There are ways to disable the DNS screwing -- something like "ipconfig /flushdnscache" will screw up Conficker's blocking. You'd have to look up the exact command.
I doubt that would work as Conficker patches DNSAPI.dll or whatever to resolve incorrectly
Quote from: nslay on April 04, 2009, 05:33:51 PM
Quote from: iago on April 04, 2009, 05:28:53 PM
Quote from: nslay on April 04, 2009, 05:27:42 PM
It does more than that. It has absolute control over DNS resolution. It just simply resolves anti-virus websites to localhost. My father had Conficker on his system. After he formatted I had remembered that I could have made a static tunnel with putty to access TrendMicro Housecall (localhost->TrendMicro)!! >:(
There are ways to disable the DNS screwing -- something like "ipconfig /flushdnscache" will screw up Conficker's blocking. You'd have to look up the exact command.
I doubt that would work as Conficker patches DNSAPI.dll or whatever to resolve incorrectly
I don't know why it works, but this is the answer that has become common:
Quote
Fix Your DNS. The first step to recovery is getting Conficker's sticky fingers out of your computer's DNS cache. Click Start, click Run, and enter CMD. In the Command Prompt window that appears, enter the command "NET STOP DNSCACHE". You should get a message that the DNS client service has stopped. This may slow your web surfing slightly, as your browser will need to request a DNS lookup for each page rather than relying on the cached DNS information stored locally. But with Conficker poisoning the DNS cache it's a necessary evil. The DNS service should restart automatically after you reboot. Just to be sure, once you've clearly resolved the problem open a Command Prompt and enter "NET START DNSCACHE".
Fix Your HOSTS File. According to Trend Micro Conficker can also interfere with DNS resolution by modifying the HOSTS file. This file associates specific IP addresses with specific domains, and it overrides the online DNS system. Some people use it to block Web ads; Conficker uses it to keep you from getting help. To fix this problem, launch Notepad and open the file c:\windows\system32\drivers\etc\HOSTS. That's just plain HOSTS, not HOSTS.TXT. Typically you'll see a bunch of comment lines that begin with a number sign (#) plus one line similar to "127.0.0.1 localhost". If you also find a series of lines including the names of popular security products, they're almost certainly invalid. Comment out those lines by inserting a number sign (#) as the first character in each line. Save the HOSTS file, exit Notepad, and close all browser windows.
Apparently it affects things at the caching level, not at the resolution level.
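The HOSTS-file step quoted above (find the lines that pin security-vendor and update sites to 127.0.0.1 and comment them out) is easy to script so the same check can be run across a fleet. The following is an added example written for this thread, not code from any post or from the Conficker Working Group; it parses a HOSTS file, flags every non-local hostname mapped to a loopback or unspecified address, and produces a copy with those lines commented out exactly as the quoted instructions describe. The HOSTS content embedded below is constructed sample data, and the vendor hostnames in it are illustrative placeholders, not a list taken from any infection.

```python
import ipaddress

# Constructed sample HOSTS content (not from the thread): the normal localhost lines,
# the kind of sinkhole entries an infection adds so that update and antivirus sites
# resolve to the local machine, and one legitimate LAN mapping that must NOT be flagged.
SAMPLE_HOSTS = """# Copyright (c) 1993-1999 Microsoft Corp.
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       windowsupdate.microsoft.com    # constructed: suspicious
127.0.0.1       www.trendmicro.com             # constructed: suspicious
0.0.0.0         housecall.trendmicro.com       # constructed: suspicious
192.168.1.10    fileserver.local               # constructed: legitimate LAN entry
"""

# Names that legitimately point at loopback and should never be reported.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active mapping; comments and blanks are skipped."""
    for no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # drop trailing/whole-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                     # an address with no name is not a mapping
            continue
        yield no, parts[0], parts[1:]


def is_sinkhole(ip):
    """True if the address sends traffic nowhere useful: loopback (127.x, ::1) or 0.0.0.0/::."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False                           # malformed address; leave for a human to inspect
    return addr.is_loopback or addr.is_unspecified


def find_suspicious(text):
    """Return [(line_no, ip, hostname)] for non-local names pinned to a sinkhole address."""
    hits = []
    for no, ip, names in parse_hosts(text):
        if not is_sinkhole(ip):
            continue
        for name in names:
            if name.lower() not in LOCAL_NAMES:
                hits.append((no, ip, name))
    return hits


def comment_out(text, line_numbers):
    """Return the file with the given lines prefixed by '#', mirroring the manual fix."""
    out = []
    for no, raw in enumerate(text.splitlines(), 1):
        out.append("#" + raw if no in line_numbers else raw)
    return "\n".join(out) + "\n"


def report(text):
    """Print each flagged mapping and return the hits for further handling."""
    hits = find_suspicious(text)
    for no, ip, name in hits:
        print(f"line {no}: {name} -> {ip}")
    return hits


if __name__ == "__main__":
    hits = report(SAMPLE_HOSTS)
    cleaned = comment_out(SAMPLE_HOSTS, {no for no, _, _ in hits})
    assert not find_suspicious(cleaned)        # the cleaned copy has nothing left to flag
    print(cleaned)
```

To run it against a real machine, read `C:\Windows\System32\drivers\etc\hosts` into `text` instead of `SAMPLE_HOSTS` and review the hits before writing the cleaned copy back; the script only comments lines out rather than deleting them, so a legitimate loopback alias that happens to be flagged can be restored by hand. As the thread notes, a clean HOSTS file is only part of the picture: the DNS cache and anything hooking the resolver itself have to be dealt with separately.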