#321610 - 22/04/2009 13:33
Viruses
|
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
|
*I was going to post this in another thread, but didn't want to take his help thread off topic*
Can I say something about Conficker that's been bothering me lately?
Okay, so for some time now, I've been doing in-home and small business tech support, and I see a lot of infected machines. What kills me about Conficker is that everyone is so incredibly freaked out about it (and the media has helped in making that happen), but as of yet, to my knowledge it hasn't done anything other than update its self (and block Windows update and some antivirus sites). Granted, there's a definite possibility that it could be a huge problem, especially seeing as how it's infected so many computers, but it's relatively easy to remove and I believe the only necessary precautions are to run Windows Update.
On the other hand, you have whatever virus killed Glenn's (gbeer's) friend's computer. As far as we can tell, it has effectively killed the computer with no hope but to reformat.
The most insidious offender that I've seen is the one that I can only name "Antivirus 2009" (or Antivirus 360 or Antivirus 1 or WinPC Defender). It tries to disguise its self as an antivirus application, and once it gets on there, it's a devil to uninstall. Previously, Malwarebytes could get rid of it, but I was very scared the other day to come across a new variant of it (that WinPC Defender I mentioned) which specifically blocked Malwarebytes from running. I had to actually rename the installer, the folder it installs to, and the executable in order to get it to run. And once I got rid of it, it had dug so deep that the internet connection was shot with no hope of repair.
IMO, people aren't freaked out enough about the viruses that are out there and already doing damage. For the most part, malware writers have gotten good at hiding on people's system, in almost a symbiotic relationship, and the last thing they want to do is harm the computer. But lately I think there's been a resurgence of the nasty kind of virus, and I just think that Conficker is not the one to worry about, at least not yet.
What say you good people?
_________________________
Matt
|
Top
|
|
|
|
#321612 - 22/04/2009 13:51
Re: Viruses
[Re: Dignan]
|
carpal tunnel
Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
|
As far as we can tell, it has effectively killed the computer with no hope but to reformat. Reformatting the partition or partitions won't, by itself, remove viruses from the MBR (mind you, do viruses still live in the MBR these days?). In theory, reformatting partitions isn't necessary if you just wipe all the executable files (EXE, DLL, all the other types an anti-virus will still scan if you deselect "scan all"); that way, you could keep all your data files. But then, if you don't have good backups of your data files, viruses are the least of your worries. Though on the gripping hand, modern viruses that act like fungi by lying hidden for a while before fruiting, might exist on your backups too. Does Windows have an equivalent of Unix's ability to mount a filesystem noexec? If so, it'd be a neat trick to install Windows and all the applications to C:, and put all the data on D: and mount it noexec. Then you could wipe C: and the MBR and be sure you'd eradicated the virus. Mind you, that wouldn't work if you caught a virus while logged-in as an administrator, as presumably it could just turn noexec off again on D:. Peter
|
Top
|
|
|
|
#321613 - 22/04/2009 14:14
Re: Viruses
[Re: Dignan]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
Conficker finally did turn on, but it apparently only became a spam bot. A spam bot for a certainly bogus antivirus program. My understanding of the concern about it is that it was very widespread (though I saw no instances of it), it was insidiously difficult to remove, and no one knew what it was going to actually do when it did turn on.
So it could have been a huge deal, but it just happened not to be.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#321614 - 22/04/2009 14:31
Re: Viruses
[Re: Dignan]
|
carpal tunnel
Registered: 27/06/1999
Posts: 7058
Loc: Pittsburgh, PA
|
What say you good people?
As someone who spent some time at work a few weeks ago trying to understand Conficker and measure its impact, I feel your pain. The 60 Minutes story is what really transformed it from being a garden variety infection to THE GATHERING STORM OF DOOOOOOOOOOM, and when the media latches on to a particular technology threat, they often overstate the risk, or don't understand that there are many other risks that could be worse given the right set of circumstances. However, I will say that as botnets go, Conficker is *huge*. Getting reliable information on the size of botnets is no easy task, but where I work, we monitor a very large network, and have developed tools for detecting conficker at the network level. One of our researchers posted this blog entry in late March with an estimate of 2.3 million infected machines worldwide. That's a LOT of horsepower sitting out there waiting to do harm. If it's just sending out spam/phishing attacks, it's no more dangerous than other botnets, but if they decided to start doing targeted denial of service attacks, you could be talking about some serious problems with some serious financial consequences for the site(s) and/or provider(s) who get hit. Saying that it's easy to remove or that all you need to do is run Windows Update misses the point, which is that a vast majority of people won't bother to remove it, and a vast majority of those not yet infected probably haven't bothered to run Windows Update to patch the vulnerability. In other words, yes, the press is somewhat arbitrary about which threats it treats seriously, and yes, every day there are thousands of machines getting owned by garden variety worms and viruses. But the sheer scale and sophistication of conficker is something security researchers are taking seriously, and represents a serious escalation of the cat-and-mouse game between black and white hats.
|
Top
|
|
|
|
#321616 - 22/04/2009 15:09
Re: Viruses
[Re: tonyc]
|
pooh-bah
Registered: 06/04/2005
Posts: 2026
Loc: Seattle transplant
|
Saying that it's easy to remove or that all you need to do is run Windows Update misses the point, which is that a vast majority of people won't bother to remove it, and a vast majority of those not yet infected probably haven't bothered to run Windows Update to patch the vulnerability. Not to mention the vast number of machines running a pirate version of Windows that MicroSoft will not allow to be updated... Certainly this is a small issue in the Western world, but in other lands the risk is much greater. Besides that- I think my brain is infected- everytime I see the word 'Conficker' it gets read in as 'Cornflicker'.
_________________________
10101311 (20GB- backup empeg) 10101466 (2x60GB, Eutronix/GreenLights Blue) (Stolen!)
|
Top
|
|
|
|
#321617 - 22/04/2009 15:13
Re: Viruses
[Re: Robotic]
|
carpal tunnel
Registered: 20/12/1999
Posts: 31597
Loc: Seattle, WA
|
Besides that- I think my brain is infected- everytime I see the word 'Conficker' it gets read in as 'Cornflicker'. I see Conflikt. :-)
|
Top
|
|
|
|
#321618 - 22/04/2009 15:45
Re: Viruses
[Re: Robotic]
|
carpal tunnel
Registered: 18/01/2000
Posts: 5683
Loc: London, UK
|
Not to mention the vast number of machines running a pirate version of Windows that MicroSoft will not allow to be updated... I thought that even bogus copies of Windows got security updates. Or did something change?
_________________________
-- roger
|
Top
|
|
|
|
#321621 - 22/04/2009 16:10
Re: Viruses
[Re: Roger]
|
pooh-bah
Registered: 06/04/2005
Posts: 2026
Loc: Seattle transplant
|
Not to mention the vast number of machines running a pirate version of Windows that MicroSoft will not allow to be updated... I thought that even bogus copies of Windows got security updates. Or did something change? Not sure of the specifics- just going off of what I found here. First of all: Whatever you've heard, don't panic. Most Windows Secrets readers don't have PCs infected with Conficker. The SRI analysis estimates that 54% of the affected machines are in China, Russia, India, Brazil, and Argentina, where many people use unauthorized Windows knockoffs. (Microsoft doesn't provide all its patches to unlicensed copies of Windows, leaving the vulnerable machines free to attack us — a self-defeating policy recently described by security expert Bruce Schneier.)
_________________________
10101311 (20GB- backup empeg) 10101466 (2x60GB, Eutronix/GreenLights Blue) (Stolen!)
|
Top
|
|
|
|
#321622 - 22/04/2009 16:45
Re: Viruses
[Re: Robotic]
|
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
|
If the patches required are considered "critical" then they can be downloaded by all Windows users, whether or not the machine validates as "genuine." Here's a bunch of info on the Genuine Advantage program from Wikipedia. I imagine that most large scale (distribution) pirates of Windows are circumventing Genuine Advantage so that any and all MS updates can be downloaded. The bit about the "knockoffs" being the highest concentration source of all infections sounds like FUD to me. I'm sure a lot of PCs in the US running completely legitimate copies of Windows have been infected, because the population is generally slow.
|
Top
|
|
|
|
#321623 - 22/04/2009 16:48
Re: Viruses
[Re: hybrid8]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
I don't know about Windows Update, but the Conficker-related hotfix doesn't require any authorization. The issue may be more along the lines that "pirated" installations are far more likely to not be running Windows Update at all.
_________________________
Bitt Faulk
|
Top
|
|
|
|
#321624 - 22/04/2009 18:36
Re: Viruses
[Re: wfaulk]
|
carpal tunnel
Registered: 08/03/2000
Posts: 12338
Loc: Sterling, VA
|
My understanding of the concern about it is that it was...insidiously difficult to remove I was under the impression that the free Microsoft MSRT was able to remove Conficker. And most antiviruses have been updated to do it as well. Sure, the virus might make that difficult, but I wasn't hearing that Conficker was making it tough. Oh, and for some reasons the alternate names for Conficker really annoy me. I'm not sure why, though. Who names these things anyway?
_________________________
Matt
|
Top
|
|
|
|
#321628 - 23/04/2009 00:48
Re: Viruses
[Re: Dignan]
|
pooh-bah
Registered: 20/01/2002
Posts: 2085
Loc: New Orleans, LA
|
IMO, Conficker and the newer breed of viruses are more insidious than the old kill your PC kind. In biology, those germs that are too effective at killing the host seldom survive. Those that can happily coexist without causing apparent adverse effects will proliferate much longer and infect many more hosts. It's the fact that there is the hive-mind aspect of the newer worms that is the most dangerous. All they have to do is wait dormant until x number of machines are infected, and then they could generate enough network traffic to cripple the internet or a select site of their choosing, with ransom demands included. How much would it be worth to say, Amazon.com to get their connection back? They'd be losing hundreds of thousands in revenue per hour.
The days of russian script kiddies are gone. Now it's the work of organized gangs of cyber-criminals.
|
Top
|
|
|
|
#321629 - 23/04/2009 01:01
Re: Viruses
[Re: lectric]
|
pooh-bah
Registered: 06/04/2005
Posts: 2026
Loc: Seattle transplant
|
At 11:14 BotNet became self aware...
_________________________
10101311 (20GB- backup empeg) 10101466 (2x60GB, Eutronix/GreenLights Blue) (Stolen!)
|
Top
|
|
|
|
#321630 - 23/04/2009 02:19
Re: Viruses
[Re: Robotic]
|
carpal tunnel
Registered: 25/12/2000
Posts: 16706
Loc: Raleigh, NC US
|
... one day AM woke up and knew who he was, and he linked himself, and he began feeding all the killing data, until everyone was dead ...
_________________________
Bitt Faulk
|
Top
|
|
|
|
#321632 - 23/04/2009 08:08
Re: Viruses
[Re: Dignan]
|
old hand
Registered: 14/04/2002
Posts: 1172
Loc: Hants, UK
|
I am really surprised that somebody hasn't modified one of these viruses to just trash a drive at a certain time, there have been very few truly destructive viruses so far. The only widespread one I can recall was Witty.
|
Top
|
|
|
|
#321633 - 23/04/2009 08:50
Re: Viruses
[Re: g_attrill]
|
carpal tunnel
Registered: 24/12/2001
Posts: 5528
|
I am really surprised that somebody hasn't modified one of these viruses to just trash a drive at a certain time, there have been very few truly destructive viruses so far. The only widespread one I can recall was Witty. Destructive ones don't spread as well. Why trash the machine if you can subvert it instead and have your own processes running in the background?
|
Top
|
|
|
|
#321634 - 23/04/2009 09:47
Re: Viruses
[Re: tman]
|
carpal tunnel
Registered: 12/11/2001
Posts: 7738
Loc: Toronto, CANADA
|
Speaking of bot nets... Has anyone noticed an increase in SPAM this week? I'm talking about an increase on the order of 10-100x or more compared to typical weekly volumes.
I was down to a couple a week and this week I'm getting one every couple of hours on a few addresses - mostly on one address which I use for domain registrations. The address is typically hidden with some type of privacy setting for the majority of registrations, but it's visible for a few of them (but has been for a long time).
|
Top
|
|
|
|
#321636 - 23/04/2009 10:07
Re: Viruses
[Re: hybrid8]
|
carpal tunnel
Registered: 13/07/2000
Posts: 4180
Loc: Cambridge, England
|
Speaking of bot nets... Has anyone noticed an increase in SPAM this week? I'm talking about an increase on the order of 10-100x or more compared to typical weekly volumes. Not this week particularly, but the spam I do get does seem to be very bursty; for a couple of days there'll be lots, then it'll go quiet again. (Though this is an address I've used, unobscured, on the Web and formerly on Usenet since 1996; "quiet" is 10-20 spams per hour, "lots" is 100 per hour. Spamassassin assassinates about 95% of them.) Peter
|
Top
|
|
|
|
#321732 - 26/04/2009 17:55
Re: Viruses
[Re: g_attrill]
|
pooh-bah
Registered: 09/08/2000
Posts: 2091
Loc: Edinburgh, Scotland
|
I am really surprised that somebody hasn't modified one of these viruses to just trash a drive at a certain time, there have been very few truly destructive viruses so far. The only widespread one I can recall was Witty. Because that won't make you money! Spam makes money...grabbing credentials will make you money...trojaning online transactions makes good money...breaking hard drives - meh!
_________________________
Rory MkIIa, blue lit buttons, memory upgrade, 1Tb in Subaru Forester STi MkII, 240Gb in Mark Lord dock MkII, 80Gb SSD in dock
|
Top
|
|
|
|
|
|