Habemus plus vis computatoris quam Deus
Ramblings of a Unix ronin
Posted by unixronin (The Renaissance Man)
PSA:  Spreading the [bad] word

Not all of you folks on my friends list read databeast or keep up with the tech press, which is why I’m quoting his most recent post in its entirety here:

Next week, at 8pm EST/00:00 GST, the Conficker worm will download its next code update.

I’ve spent the last 4 months spending damn near my every waking hour fighting this thing.

If you have no idea what I’m talking about, just go google ‘Conficker’ now.  I’ll be happy to answer any questions.

In the meantime, go to http://windowsupdate.microsoft.com/ and download every last update on there.

Tell your friends to do the same.

If you can’t reach that site, you are already infected. Take your machine offline and get it disinfected by a professional.

But remember this, right now: if you are not part of the solution, you are part of the problem.

Conficker is shaping up to be the scariest, largest botnet ever to have existed.  If you use Windows as your operating system, and you don’t regularly update it, you are part of the problem, and your computer is likely now the property of some shadowy criminal syndicate based out of God-Knows-Where.

If you aren’t a Windows user, but you know people who are, tell them the above instructions.  We have less than 7 days until what could, in the worst case scenario, be the most destructive event ever witnessed on the internet, a vast, data-stealing network owned by an organized crime syndicate.  We aren’t talking science fiction here folks.

If every man would sweep his own doorstep the city would soon be clean.

Italian Proverb

He’s not kidding, folks.  Conficker (aka Downup, Downadup, or Kido) is serious bad news.  It’s the next step in Internet worm evolution, Botnet 2.0, the most sophisticated worm yet seen.  During one of its major activity spikes, on January 15-16, Conficker infected 1.1 million PCs in less than 24 hours; at that time F-Secure conservatively estimated 3.52 million infected systems worldwide.  By January 21 the number was believed to be around 9 million, and current estimates run as high as 12 million.

For the technically knowledgeable among you, SRI International has an analysis of the most recent Conficker-C variant here.  For the non-technical, McAfee has some less technical information about what it does here.  And PC World has an article here detailing how it attacks (the MS08-067 hole in the Windows Server service over SMB, weak administrator passwords on network shares, and autorun.inf on removable drives) and some measures you can take to protect yourself if you’re not already infected.  (The article is slightly out of date on one point: a recent Microsoft update, KB967715, makes the registry setting that disables AutoRun actually take effect.  Before it, an autorun.inf on a USB stick could still run when the drive was opened in Explorer, even with AutoRun nominally turned off.)
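The AutoRun route deserves a concrete check. Conficker.B’s autorun.inf is padded with binary junk so that a casual look (and some signature scanners) miss it, but Windows’ lenient INI reader still finds the [AutoRun] section and an action line that runs rundll32 on a DLL hidden in the drive’s RECYCLER folder. The Python below is an added example, not code from this post or from any of the vendors linked above: it parses autorun.inf the way Windows does and flags that pattern. The sample files are constructed, and the SID-like directory name and DLL name in them are placeholders, not the worm’s real ones.

```python
"""Parse autorun.inf the way Windows does and flag the Conficker pattern.

Added example, not code from the post or from the vendors it links.
Windows reads autorun.inf with its lenient INI reader: section names are
case-insensitive, the first '=' splits key from value, and lines that are
neither are ignored. Conficker.B relies on exactly that: its autorun.inf
is padded with binary junk, but the [AutoRun] section and an action line
that runs rundll32 on a DLL hidden under the drive's RECYCLER folder are
still found. Sample files below are constructed; names are placeholders.
"""
import sys
from pathlib import Path

# [autorun] keys whose value Windows may execute when the drive is opened
# or AutoPlay fires. shell\<verb>\command keys are matched separately.
ACTION_KEYS = {"open", "shellexecute"}


def parse_autorun(data: bytes) -> dict:
    """Return the [autorun] section as {lowercase_key: value}.

    latin-1 decoding never raises, so binary junk just becomes lines that
    fail the 'key=value inside [autorun]' test and are dropped. The last
    occurrence of a key wins, as with GetPrivateProfileString.
    """
    section = None
    entries = {}
    for raw in data.decode("latin-1").split("\n"):
        line = raw.strip(" \t\r\x00")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        entries[key.strip().lower()] = value.strip()
    return entries


def is_action_key(key: str) -> bool:
    """open, shellexecute, or shell\\<verb>\\command."""
    parts = key.split("\\")
    return key in ACTION_KEYS or (
        len(parts) == 3 and parts[0] == "shell" and parts[2] == "command")


def suspicious_actions(entries: dict) -> list:
    """Action values that launch rundll32 or anything under RECYCLER."""
    hits = []
    for key, value in entries.items():
        if not is_action_key(key):
            continue
        low = value.lower()
        # A vendor CD runs its own setup.exe; nothing legitimate autoruns a
        # library out of the recycle bin, and rundll32 from removable media
        # is a loader, not an application.
        if "recycler" in low or "rundll32" in low:
            hits.append(value)
    return hits


def scan_drive_roots(roots) -> dict:
    """Map each drive/mount root that has a suspicious autorun.inf to its hits."""
    report = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            hits = suspicious_actions(parse_autorun(inf.read_bytes()))
            if hits:
                report[str(root)] = hits
    return report


# Constructed samples (not captured from a real drive). The SID-like
# directory and DLL name are placeholders, not the worm's actual names.
CONFICKER_STYLE = (
    b"\x8f\x2a\x7e[\x00junk]\r\n"
    b"!@# garbage with no equals sign\r\n"
    b"[AutoRun]\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"\x00\x00\xff\xfe more noise\r\n"
    b"shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-5-3-42-0000000000-0000000000-000000000-0000\\example.vmx,entrypoint\r\n"
)
BENIGN = b"[autorun]\r\nopen=setup.exe\r\nicon=setup.exe,0\r\nlabel=Vendor CD\r\n"

if __name__ == "__main__":
    # Usage: python autorun_check.py D:\ /media/usb ...
    for name, sample in (("constructed Conficker-style", CONFICKER_STYLE),
                         ("constructed benign", BENIGN)):
        print(name, "->", suspicious_actions(parse_autorun(sample)))
    print(scan_drive_roots(sys.argv[1:]))
```

Run it against the root of every removable drive or mounted Windows partition you want checked; it reads only autorun.inf, so it is safe to point at a suspect stick from a Linux box. Absence of a hit means only that this one vector is not present on that drive.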

One point from databeast‘s post cannot be emphasized enough:

If you run Windows, with ANY browser, and you can read this post, but you cannot get to www.windowsupdate.com, or GRIsoft.com (home of AVG antivirus), or Trend Micro, or Sophos, McAfee or Kaspersky or any other antivirus site, assume you are already infected.  Take your computer offline and seek professional assistance to get it disinfected and patched.

On April 1, Conficker.C switches to its new rendezvous scheme: every infected machine will generate 50,000 candidate domain names a day, spread across more than a hundred top-level domains, and poll a few hundred of them for a signed update.  And we don’t have any idea what its new instructions will tell it to do.  But it could be very, very bad.


UPDATE:

Since Conficker only blocks name lookups for hosts matching its internal list of strings, it can’t stop you downloading tools from a site that doesn’t match, so I’ve mirrored several of the free Conficker removal tools locally:

So if you can’t get to windowsupdate or any of the antivirus sites, you can download removal tools here.

Current Location: Gilford, New Hampshire

Comments
From: lblanchard Date: March 25th, 2009 12:28 pm (UTC)
I can get to the update site. Does that mean I'm not infected?
From: unixronin Date: March 25th, 2009 01:05 pm (UTC)
If you can get to windowsupdate.com, it is probably safe to assume you're not infected. The sites I listed are among those to which it blocks access. (It actually blocks access to any site containing any of a list of 78 strings matching almost anything even vaguely antivirus-related.) If you have any doubts, make sure your antivirus software is up to date and perform a full scan of your machine. Make sure you're fully patched up-to-date, and you should be OK.

Edited at 2009-03-25 01:07 pm (UTC)
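The reachability test in the post and in the reply above amounts to a differential DNS check: ordinary sites resolve, while any name containing one of the worm’s blocked substrings does not. The Python below is an added example, not code from the post: it runs that check with an injectable resolver, so it can be exercised against a simulated infected host without a network, and against the real resolver when run directly. The substring list is a partial reconstruction from public write-ups (an assumption, not the worm’s full 78-entry table); the vendor hostnames are the ones the post names, plus a few control sites.

```python
"""Differential DNS check for Conficker's lookup blocking.

Added example, not code from the post. Conficker.A/B hook the DNS API so
that any lookup whose name contains one of a built-in list of substrings
fails, while everything else resolves normally; the post's symptom
("you can read this but can't reach windowsupdate.com") is that pattern.
The substring list here is a partial reconstruction from public write-ups
(an assumption; the comment above puts the real table at 78 strings) and
is used only by the simulated resolver. Run without arguments it uses the
real resolver on this machine.
"""
import socket
from typing import Callable

Resolver = Callable[[str], str]

# Sites the post names (vendor / update) and sites nothing blocks (controls).
VENDOR_HOSTS = [
    "www.windowsupdate.com", "www.grisoft.com", "www.trendmicro.com",
    "www.sophos.com", "www.mcafee.com", "www.kaspersky.com",
]
CONTROL_HOSTS = ["www.google.com", "www.wikipedia.org", "www.livejournal.com"]

# Assumption: partial list of blocked substrings, reconstructed from
# memory of public analyses; not the worm's full table.
BLOCKED_SUBSTRINGS = [
    "microsoft", "windowsupdate", "symantec", "norton", "mcafee", "sophos",
    "kaspersky", "avast", "avg", "grisoft", "trendmicro", "f-secure",
    "eset", "nod32", "virus", "spyware", "malware", "rootkit",
]


def resolves(host: str, resolver: Resolver = socket.gethostbyname) -> bool:
    try:
        resolver(host)
        return True
    except OSError:            # socket.gaierror is an OSError subclass
        return False


def classify(resolver: Resolver = socket.gethostbyname) -> str:
    """'suspect' when control sites resolve and no vendor site does."""
    controls_ok = [h for h in CONTROL_HOSTS if resolves(h, resolver)]
    vendors_ok = [h for h in VENDOR_HOSTS if resolves(h, resolver)]
    if not controls_ok:
        return "offline"       # no DNS at all: says nothing about infection
    if not vendors_ok:
        return "suspect"       # the post's signature
    if len(vendors_ok) < len(VENDOR_HOSTS):
        return "inconclusive"  # one vendor outage is not a worm
    return "clean"             # lookups not blocked; still run a scan


def conficker_resolver(host: str) -> str:
    """Simulated infected host, constructed for this example."""
    if any(s in host.lower() for s in BLOCKED_SUBSTRINGS):
        raise socket.gaierror("simulated: lookup failed by hooked DNS API")
    return "192.0.2.1"         # TEST-NET-1 placeholder address


def clean_resolver(host: str) -> str:
    """Simulated uninfected host: everything resolves."""
    return "192.0.2.1"


def offline_resolver(host: str) -> str:
    """Simulated host with no network at all."""
    raise OSError("simulated: no network")


if __name__ == "__main__":
    print("simulated infected host:", classify(conficker_resolver))
    print("simulated clean host:   ", classify(clean_resolver))
    print("this machine:           ", classify())
```

A "clean" result means only that lookups are not being blocked; it is not proof the machine is uninfected, and "offline" says nothing either way. The test is cheap and works from any browser-less shell, so it is a reasonable first triage step before the full antivirus scan the reply above recommends.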
From: lblanchard Date: March 25th, 2009 01:23 pm (UTC)
Thanks. Norton scanned my system a little more than 24 hours ago and pronounced it clean.
From: hugh_mannity Date: March 25th, 2009 01:10 pm (UTC)
I've windoze on automatic update and I've got the paid version of AVG running and it's doing automatic updates as well.

I ran a virus scan at the weekend too (quite by coincidence) and that was clean.
From: unixronin Date: March 25th, 2009 01:21 pm (UTC)
/nods

We recently switched from AVG to Avast!, because while we'd been very happy with AVG Free up to v7.5, AVG8 just really chowed down on the CPU. Avast! also updates more frequently — as much as several times a day — and does an initial post-install scan actually before Windows fully boots, which prevents a pre-existing infection from using certain Windows tricks to hide from the scan.
From: hugh_mannity Date: March 25th, 2009 01:28 pm (UTC)
Thanks, I'll recommend Avast! to the TeenBeast. Not sure what he's got on his spiffy PC what he builded himself.
From: bikergeek Date: March 25th, 2009 02:17 pm (UTC)
another vote for Avast!, here.
From: mazianni Date: March 25th, 2009 01:50 pm (UTC)
I've been running AVG on one of two of my machines and I've been thinking about switching to avast. Given your recommendation I think I'll do that when I get home.
From: argonel Date: March 25th, 2009 02:33 pm (UTC)
I've been pretty happy with both AVG and Avast!. Specifically I currently have 2 machines running Avast! and 1 running AVG.
From: databeast Date: March 25th, 2009 11:07 pm (UTC)
And I love the 'virus database has been updated' voice it plays too!

No wait, no I don't.

Still, a vote for Avast! here. It's been my primary suggestion to people for the last two years now.
From: mazianni Date: March 25th, 2009 01:13 pm (UTC)
Skynet begins to learn, at a geometric rate. It becomes self-aware at 2:14 a.m. eastern time, August 29. In a panic, they try to pull the plug.

Hrm...the timeline is a little off...
From: unixronin Date: March 25th, 2009 01:28 pm (UTC)
One hopes Conficker hasn't gotten into SAC. It's gotten into the Royal Navy, the UK Ministry of Defense, and the Bundeswehr, though.
From: databeast Date: March 25th, 2009 11:08 pm (UTC)
Comparing Conficker to Skynet started as a joke

That joke's now entering 'Ha! Ha! Only Serious!' territory.
From: jhetley Date: March 25th, 2009 01:16 pm (UTC)
One (at least _this_ one) assumes that Macs are not affected? Neither of the Windows machines here get internet exposure.
From: unixronin Date: March 25th, 2009 01:25 pm (UTC)
Correct. Conficker infects only Windows machines. It exploits a vulnerability in the Windows Server service on Windows 2000, Windows Server 2003, Windows XP, Windows Vista, Windows Server 2008, and Windows 7 (beta). It cannot infect Linux, *BSD, or OSX.
From: otherbill Date: March 25th, 2009 01:29 pm (UTC)
Does this mean older versions of Windows (95SE, etc.) are safe?
From: unixronin Date: March 25th, 2009 01:46 pm (UTC)
Windows 95 uses a different underlying architecture with a completely different kernel, and does not contain the service exploited by Conficker. But scanning the machine with an up-to-date antivirus tool is a good precaution anyway. Windows 95 may actually be old enough at this point that most Windows worms aren't even trying to target it any more.
From: otherbill Date: March 25th, 2009 04:17 pm (UTC)
Ah, that's good.

Our home "data server" is a Win98SP2 box sitting on the floor of the den, with only power and ethernet cables running to it. (No monitor, no keyboard, no mouse—everybody told me Windows would complain, but I haven't had any problems.) I can perform maintenance on it via RealVNC, but updating Windows and rebooting is sort of painful.
From: databeast Date: March 25th, 2009 11:10 pm (UTC)
If by 'affected' you mean 'not infected with', then yes, Macs are immune.

If by 'affected' you mean 'impacted by the effects of', then no computer is immune.

Do you allow a windows machine to access files on your mac? is that windows machine infected? If the situation we are predicting comes true, then come April 1st, all your data is up for sale for the highest bidder.

Users of alternate operating systems are safe if they have *no* interaction with windows machines.
From: jhetley Date: March 25th, 2009 11:23 pm (UTC)
We don't run a home network -- the Windows (98 and XP) machines stand alone in their corners, sulking, with no internet access. If I want to transfer files between machines (word-processing files), I use disks or a USB flash drive.
From: databeast Date: March 25th, 2009 11:57 pm (UTC)
Funnily enough, one of the ways Conficker spreads is via removable media.

Enjoy!
From: ithildae Date: March 26th, 2009 02:40 am (UTC)
We all interact with Windows systems. My home network is likely safe, but it will be far less useful with the internet Windows machines doing whatever they are going to do next week.

I am more disturbed that the "bad guys" now know how to make a significantly nastier worm. Once the proof of concept gets tried out, there are sure to be more of the same type of attack.

It is ugly that security has such a tangential role in most computer use. Nobody wants to pay for it. When a big problem (like Conficker) is alleviated by good publicity, we are accused of crying wolf. We can't win in the public or business executive's eye.
From: unixronin Date: March 26th, 2009 03:13 am (UTC)
I am more disturbed that the "bad guys" now know how to make a significantly nastier worm. Once the proof of concept gets tried out, there are sure to be more of the same type of attack.
Hence my "BotNet 2.0" comment.
From: databeast Date: March 26th, 2009 03:31 am (UTC)
It's massively apparent that the conficker guys spent a lot of time reading whitehat "how I'd write the ultimate botnet, and how we should prepare for it" papers.
From: ithildae Date: March 26th, 2009 08:41 am (UTC)
I caught it. The thing is, until Windows no longer dominates the computer landscape, or until Windows becomes a true multiuser system, there will be no need for a BotNet 3.0. (Probably not even a 2.1)
From: databeast Date: March 26th, 2009 03:31 am (UTC)
Heh, I take it we work in the same industry then?

(I'm the CIRT engineer for RSA/EMC)
From: ithildae Date: March 26th, 2009 08:34 am (UTC)
Former for me. As a manager, security was part of my responsibility. I was unpopular when I took that responsibility seriously.
From: unixronin Date: March 26th, 2009 11:39 am (UTC)
Yeah, I know that one. People who kept reinstalling Bonzi Buddy on work machines. People who thought 11111 and qqqqq were perfectly cromulent passwords. People who kept turning off the virus scanner because it slowed down their computer ...

Fortunately the worst we ever got was a quickly-contained outbreak of an Excel macro virus that someone, probably the comptroller, brought in on a floppy disk from an unsecured home machine.
From: ithildae Date: March 26th, 2009 07:27 pm (UTC)
Things like: all internet ports are closed unless there is a business reason for them to be open. All those nifty utilities just didn't seem to work... Don't get me started about games. (The game ports opened after 1900, and stayed open until about 0300.)

As far as passwords went, I just shut down some access to the business system for easily cracked passwords. I figured that everyone used the same password everywhere, so it was all good. (I was bad, I didn't require frequent password changes. I reasoned that a long-term, secure password was better than a short-term, weak password.)

[The Webmaster kept the M$ 13? ports open on his BSD web server. He got a laugh every day at the script kiddies trying to run IIS exploits against his system. Odd sense of humor...]
From: unixronin Date: March 26th, 2009 07:37 pm (UTC)
I was bad, I didn't require frequent password changes. I reasoned that a long-term, secure password was better than a short-term, weak password.
I'm with you there. Sooner get people to pick a strong password once and remember it, and require changes only if there's reason to suspect a compromise, than make people change their passwords every two weeks and have half the monitors and half the desks in the company have sticky-notes on them with the user's current password written down in clear.

The Webmaster kept the M$ 13? ports open on his BSD web server. He got a laugh every day at the script kiddies trying to run IIS exploits against his system. Odd sense of humor...
Heh. Been there, done that. :) I have most of the common PHP and CGI exploit URLs tarpitted. But I changed my incoming ssh port because I got sick and tired of my logs filling up with the same idiot script-kiddies blindly trying the same brute-force dictionary attacks day after day after day after day. There was one 'tard who would restart the dictionary attack every day at about the same time, from the same point in the dictionary. It stopped being funny, and became just pathetic and annoying.
From: danjite Date: March 25th, 2009 01:56 pm (UTC)
I posted publicly to my blog and my twitter feeds, total exposure about 400 people, and asked people to repost/retweet.

Per usual, I doubt anyone will and I will then wonder why I bother, realising that Kantian Categorical Imperative thing runs deep with me and I post because that is who I am.

Thanks and- as always- my respects.
From: elegantelbow Date: March 25th, 2009 02:14 pm (UTC)
*nod*

I posted last night, and I have only seen one response -- someone I know stating that he thinks it's all just an April Fool's Day joke.

*sigh*
From: danjite Date: March 25th, 2009 02:18 pm (UTC)
Precisely.

But if it weren't for fools, would we have half as many friends?

From: unixronin Date: March 25th, 2009 02:21 pm (UTC)
"It's hard to make anything foolproof, because fools are so ingenious."
From: mazianni Date: March 25th, 2009 02:37 pm (UTC)
Some of the security guys apparently think it might be an April Fool's joke.

Joe Stewart, a senior researcher at SecureWorks, notes that the infected PCs are already capable of receiving directives from the controllers via the P2P network, "so the 50,000 domains aren't really needed. They could even be a practical joke on the part of the authors."

In other words, new marching orders and code updates can be pushed out to Conficker at any time, so why bother scheduling a pull on a particular date and time?

Regardless, it is always excellent advice to make sure that patches and AV software are up to date.
From: unixronin Date: March 25th, 2009 03:29 pm (UTC)
It's entirely possible that part is just misdirection to make security folks spread their efforts too wide. Just the part of scheduling activation for April 1 is a clever social-engineering attack that may make many people disregard the warnings. I think there are some disconcertingly shrewd people behind this.
From: databeast Date: March 25th, 2009 11:14 pm (UTC)
The guys behind Conficker have ALWAYS acted in a way to misdirect security folks.

When the worm originally surfaced, it was the afternoon of the last workday before we all went on vacation for Thanksgiving. The April 1st date is exactly because "The diversionary attack you are ignoring is the primary assault".
From: unixronin Date: March 25th, 2009 02:20 pm (UTC)
[...] realising that Kantian Categorical Imperative thing runs deep with me and I post because that is who I am.
I know exactly what you mean. We do what we can to help, because we must.
From: danjite Date: March 25th, 2009 02:51 pm (UTC)
But all this said, I marvel at how strong and resilient the internet has proven to be. We haven't had a total worldwide failure, a real one, at all, as far as I know.

This thing wasn't engineered; it is the biggest bodge job in the history of humanity. Yet it flies...
From: mazianni Date: March 25th, 2009 04:59 pm (UTC)
Well, there was the Morris worm. I think that's been the closest to an Internet shutdown. Course, the Internet was a bit smaller back then.
From: dr_strych9 Date: March 26th, 2009 01:32 am (UTC)
There are a number of known vulnerabilities in the Internet core infrastructure of which the Conficker authors cannot possibly be ignorant. It would be irresponsible not to expect that Conficker will be implicated in an attack on those vulnerabilities. When that happens, we must all hope and pray that we're dealing with mere crooks and not terrorists or worse.

Patch your damned systems.
From: dakiwiboid Date: March 25th, 2009 03:59 pm (UTC)

For some unknown reason...

I couldn't install the service pack when I originally downloaded it, but it installed today. Thanks for the reminder.
From: ithildae Date: March 25th, 2009 05:27 pm (UTC)

Advice Please

Should I boot my Windows partitions just to install the virus protections? It has been well over 120 days since I last booted Windows anywhere connected to the net. The kids have a WindowsME system that they use for games, but it is DOS based, I am assuming it is safe.

Do I specifically boot Windows just to scan it, or can I leave it until after April 1, and do the scan then?

(I only ever use Windows for some specific school programs (over), or to play a couple of games (seldom, and never on the net.))
From: unixronin Date: March 25th, 2009 05:40 pm (UTC)

Re: Advice Please

Frankly, given that situation, I'd install clamav (if you don't already have it installed), make sure it's up-to-date, and scan the Windows partition(s) from Linux. Conficker first appeared in October, so by the sound of it you probably haven't even booted Windows since before it appeared. If Windows isn't running, it can't do anything anyway.

The other side of the coin is, when you DO boot Windows, you should make sure getting Windows patched is the very first thing you do.

Your assumption that the ME box is safe is probably correct. ME is a completely different architecture and kernel, and it doesn't have the exploited service at all. Then again, it's also widely considered the worst version of Windows ever...

Edited at 2009-03-25 05:45 pm (UTC)
From: ithildae Date: March 25th, 2009 09:21 pm (UTC)

Re: Advice Please

WindowsME runs the games the children use just fine. It has never given me any problems.

Updating Windows is an issue. On some of the machines, it is demanding to install Windows Genuine Advantage before any other updates will be applied. I refuse to run WGA. It seems to get very unhappy if it can't find the internet. Usually, if I am in Windows, the internet is disabled for that machine. The whole OS leads me to cuss. It is not so much the UI or the way it runs programs, it is the ongoing cost (in time more than $$) to keep it running safe and secure[?]
From: lizzibabe Date: March 25th, 2009 09:51 pm (UTC)
I can't get to windowsupdate on my home machine...

But that's because the cable guy hasn't come yet to hook me up. The minute I'm live on Tuesday night, I'm going to update all my security stuff.