# Conflicter C



## Ainoko (Mar 26, 2009)

Who has heard of a worm called conflicker c? I am curious and would like to know if anyone was affected by it last year?


----------



## CodArk2 (Mar 26, 2009)

I'm on a Mac, so I'm immune to Conficker C, as are Linux users; this only affects Windows. It's a worm that could do all sorts of nasty things to your computer. Microsoft has issued a security update for it and has a scanner for the worm. It will shut off your antivirus though. For more info on the worm go to these places for the gist of it. http://news.cnet.com/8301-1009_3-10204590-83.html
http://www.eweek.com/c/a/Security/Conficker-The-Windows-Worm-That-Wont-Go-Away-529249/
http://abcnews.go.com/Technology/story?id=7163685&page=1


----------



## duo2nd (Mar 26, 2009)

There's only one way for us to this if April 1 comes and this Virus hits...............




PANIC!


----------



## Ainoko (Mar 28, 2009)

duo2nd said:


> There's only one way for us to this if April 1 comes and this Virus hits...............
> 
> 
> 
> ...



lol! All I can really do is just to make sure that my anti-virus definitions are up-to-date.


----------



## ™-Daley Leungsangnam475-™ (Mar 28, 2009)

bleh ... i'm not too bothered about it


----------



## WolvesSoulZ (Mar 28, 2009)

Lol I'm going to laugh at people who panic xD


----------



## pheonix (Mar 28, 2009)

I just heard of this today but it doesn't bother me the least bit. I hope I don't get it but if I do no big loss this time.


----------



## Aurali (Mar 28, 2009)

don't worry about it.. just practice good internet browsing strategies and you'll be fine..


----------



## Stratelier (Mar 29, 2009)

Eli said:


> don't worry about it.. just practice good internet browsing strategies and you'll be fine..


You still need a few good tactics to back them up.

I was browsing deviantART just an hour ago and got hit by a VirusDoctor popup.  You know, browser window disappears, you get a Javascript box that redirects you to their homepage, tries to download itself and doesn't want you to leave....


----------



## Aurali (Mar 29, 2009)

Umm.. either you had something before Strata or you REALLY need to report that page to the Deviant Art Admins.

Antiviruses were never meant to be the protect all save all.. 

Neither were Macs/Linux boxes..

Neither are condoms remember that


----------



## Daniel Kay (Mar 30, 2009)

Not too panicked about this, but it reminded me to do some necessary updates and backups that were long overdue.


----------



## Toaster (Mar 30, 2009)

Your worm is no match for my Linux Box!

I'm not worrying over this.


----------



## Irreverent (Mar 30, 2009)

Ornias said:


> Your worm is no match for my Linux Box!
> 
> I'm not worrying over this.



When 8 billion infected wintel machines saturate the Internet backbone and consume all available bandwidth, your Linux box is going to become an island.  

Relax, it ain't gonna happen on my watch.


----------



## Toaster (Mar 30, 2009)

Irreverent said:


> When 8 billion infected wintel machines saturate the Internet backbone and consume all available bandwidth, your Linux box is going to become an island.
> 
> Relax, it ain't gonna happen on my watch.



Great It will be the perfect time to rebuild the internet linux only style. Only this time no html4, it's xhtml only people! :twisted:


----------



## Sulfide (Mar 30, 2009)

I heard about it.


----------



## Aurali (Mar 31, 2009)

Ornias said:


> Great It will be the perfect time to rebuild the internet linux only style. Only this time no html4, it's xhtml only people! :twisted:



fuck those lies. let's do it right >..>


----------



## ArielMT (Mar 31, 2009)

If any of my customers have it, they either went offline or put themselves behind a firewall since, because I have yet to find any.

Feeling Conflicted about Conficker? - SANS Internet Storm Center

Third party information on conficker - SANS DShield

Infocon as I posted: Green: Everything is normal. No significant new threat known.



Irreverent said:


> When 8 billion infected wintel machines saturate the Internet backbone and consume all available bandwidth, your Linux box is going to become an island.



OSHI-SKYNET D:



Irreverent said:


> Relax, it ain't gonna happen on my watch.



Nor on mine.


----------



## Carenath (Mar 31, 2009)

Irreverent said:


> When 8 billion infected wintel machines saturate the Internet backbone and consume all available bandwidth, your Linux box is going to become an island.
> 
> Relax, it ain't gonna happen on my watch.


I'm happy with my Windows laptop and Windows desktop. If by chance the worm manages to bugger Eset Smart Security and one or both of my machines become infected... I'll pull them both off the network and reimage them, apply any of the required patches, and make sure the antivirus software is up to date. Though at least I won't be able to blame my ISP for the lack of bandwidth.

And too bad you don't work for my ISP.



Ornias said:


> Great It will be the perfect time to rebuild the internet linux only style. Only this time no html4, it's xhtml only people! :twisted:


XHTML 1.1 and CSS... if I catch you using tables for layout I'll bap you on the head.


----------



## Stratelier (Mar 31, 2009)

Eli said:


> Umm.. either you had something before Strata or you REALLY need to report that page to the Deviant Art Admins.


Malicious advertisement, pure and simple.  I didn't catch any of the technical information about which ad it was, however, so all I get from their Helpdesk is a stock answer about how to report offensive ads.


----------



## Stratelier (Mar 31, 2009)

I noticed that patch to prevent Conficker C's attack was released October 2008....


----------



## Irreverent (Mar 31, 2009)

Stratadrake said:


> I noticed that patch to prevent Conficker C's attack was released October 2008....



Correct. It's not really a virus update thing, it's an OS patch, MS08-067.

Couple of resources

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

http://www.mcafee.com


----------



## Irreverent (Mar 31, 2009)

*Conficker Check using nmap*

Couple more resources and a testing tool for those interested.  (sanitized)

http://insecure.org/

4.85BETA5 is now available on the download page:
http://nmap.org/download.html

nmap -PN -T4 -p139,445 -n -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

A clean machine should report at the bottom: “Conficker: Likely CLEAN”, while likely infected machines say: “Conficker: Likely INFECTED”.

Further usage info:
http://seclists.org/nmap-dev/2009/q1/0869.html

Further info on detection:
http://www.securityfocus.com/brief/936

*PROTIP:* Scanning machines you don't own for Conficker will probably get you noticed.  We may even dispatch black helicopters.  Use at your own risk.


----------



## Aden (Mar 31, 2009)

Is this where I smugly post that I have a Mac? Just want to make sure.

:V


----------



## Toaster (Mar 31, 2009)

Eli said:


> fuck those lies. let's do it right >..>



HALL YA!



Aden said:


> Is this where I smugly post that I have a Mac? Just want to make sure.
> 
> :V




Don't worry Macs are safe.

**Edit: from this worm that is, but you're screwed on everything else lol**


----------



## WarMocK (Mar 31, 2009)

Ornias said:


> Don't worry Macs are safe.


Oh the irony ... ^^

http://www.tomshardware.com/news/Pwn2Own-CanSecWest-2009,7322.html


----------



## Toaster (Mar 31, 2009)

WarMocK said:


> Oh the irony ... ^^
> 
> http://www.tomshardware.com/news/Pwn2Own-CanSecWest-2009,7322.html



lulz.
A Mac can stand up to a so-called "Super Worm", but can be hacked in 10 sec.
wow.......

Btw, how long has this worm been around? I know I saw it last year but nothing bad happened to any of my windows computers.

Also, if it can do what they say it can, I can't wait to see what the hacker targets if it gains control over a large number of computers. Can anyone say Super Uber Massive DDOS attack?


----------



## WarMocK (Mar 31, 2009)

Ornias said:


> lulz.
> A Mac can stand up to a so-called "Super Worm", but can be hacked in 10 sec.
> wow.......


Yup. ^^


Ornias said:


> Can any one say Super Uber Massive DDOS attack?


Online-only patch release for World of Warcraft.


----------



## Irreverent (Mar 31, 2009)

Aden said:


> Is this where I smugly post that I have a Mac? Just want to make sure.
> 
> :V



As long as your Mac isn't running any unpatched MS virtual machines or dual boots to an unpatched MS OS you _may_ be ok. If your Mac _does_ host MS machines or dual boots, you probably already have it.

Better to be damn-sure than cocksure.


----------



## LizardKing (Mar 31, 2009)

Spoiler: It just sets your homepage to rickroll on april 1st.


----------



## fangborn (Mar 31, 2009)

For anyone who cares, here: ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip


It is a slow program that searches the command lines of your system. Just install it and extract it;
there's a readme that tells you exactly what it does.

I hope your April Fools day is virus free.


----------



## Nathyn (Mar 31, 2009)

Stratadrake said:


> You still need a few good tactics to back them up.
> 
> I was browsing deviantART just an hour ago and got hit by a VirusDoctor popup.  You know, browser window disappears, you get a Javascript box that redirects you to their homepage, tries to download itself and doesn't want you to leave....



Gah, that happened to me as well. Luckily I was able to exit out pretty fast.


----------



## Stratelier (Mar 31, 2009)

Nathyn said:


> Gah, that happened to me as well. Luckily I was able to exit out pretty fast.


I subsequently blocked VirusDoctor's domain off via my hosts file.  Temporary measure only, I know.  In retrospect I should've snagged my sessionstore.js at the time of popup and reported the site to Google Labs for some good ol' Inquisition action.

I also disabled Javascript from moving/resizing the browser window.


----------



## WolfoxOkamichan (Apr 1, 2009)

Holy shit, it's the Venjix virus!

We need to call the Power Rangers, pronto!

*RPM GET IN GEAR!!1!1!11!!!1*


----------



## CyberFox (Apr 1, 2009)

I already installed the needed patch to prevent me from having that thing, plus FYI, the worm's name is Conflicker not Conflicter


----------



## Carenath (Apr 1, 2009)

Well, there's no sign of the virus here; not sure how it spreads though, I never looked into it, but it's a safe bet that Eset is keeping my systems protected quite nicely.

I'll be more curious to know if anyone here has been infected.


----------



## CaptainCool (Apr 1, 2009)

According to a little scanner tool I used yesterday I'm not infected.
I'm sure that this won't be such a big thing^^

edit: ha, looks like it really attacked^^ it seems to scan for multimedia files and contact lists in Outlook.
As it seems it's searching for the latest MP3 files and movie files with sexual content and uploads them...
I have no idea how valid my source is, though^^

edit2: now another source says that it's just a very big April Fools joke XD haha, this whole thing is so very hilarious^^


----------



## Runefox (Apr 1, 2009)

From the Washington Post:



> - A nuclear missile installation near Elmendorf Air force Base outside of Anchorage, Alaska briefly went on a full-scale military alert after technicians manning the bunker suspected that several of their control systems were infected with Conficker. According to wire reports, the remote facility temporarily moved to Defense Condition (Defcon) 3 in the pre-dawn hours, but quickly backed down from that posture. An airman at the installation who asked not to be identified blamed the mishap on "way too much caffeine" consumed by occupants inside the secluded underground control room. The airman said the facility's lead engineer became agitated and inconsolable after watching an Internet broadcast of Sunday night's hard-hitting 60 Minutes expose' on the Conficker worm entitled, "The Internet is Infected."



What the hell, guys. How can you possibly say that Windows is "good enough" for things like this? Gee, I sure feel safe knowing that the US DoD decided to go with Microsoft's proprietary offerings instead of building themselves a bulletproof UNIX-based system to control their nukes. Yep.



> - In Iceland, Conficker brought a brief thaw to the long economic winter that began last year with the government's inexorable slide into bankruptcy. According to local news reports, shortly after midnight local time, an ATM in the capital city of Reykjavik began spewing 100-Krona notes. Banking officials there reportedly said the Microsoft Windows-based based bank system began disbursing the bills after a local prankster crammed an infected USB stick into the maw of the teller machine.



I take it back. I want Windows _everywhere_.

...

April fools, of course! Fucking news sources are gonna be out all day today, so you'd better wait 'til tomorrow to find your Conficker damage reports.


----------



## Stratelier (Apr 1, 2009)

CyberFox said:


> plus FYI, the worm's name is Conflicker not Conflicter


Con_fick_er.


----------



## Toaster (Apr 1, 2009)

Damn still waiting for something to happen.

Death to windows! POWER TO LINUX!


----------



## Aurali (Apr 1, 2009)

Stratadrake said:


> Con_fick_er.



_dud_


----------



## Ty Vulpine (Apr 1, 2009)

Runefox said:


> What the hell, guys. How can you possibly say that Windows is "good enough" for things like this? Gee, I sure feel safe knowing that the US DoD decided to go with Microsoft's proprietary offerings instead of building themselves a bulletproof UNIX-based system to control their nukes. Yep.



That would be rather difficult for Conficker to attack military computers, as they are not connected to the public internet for obvious reasons.


----------



## Aurali (Apr 1, 2009)

Runefox said:


> What the hell, guys. How can you possibly say that Windows is "good enough" for things like this? Gee, I sure feel safe knowing that the US DoD decided to go with Microsoft's proprietary offerings instead of building themselves a bulletproof UNIX-based system to control their nukes. Yep.



I'd rather them build something from scratch. Unix has its vulnerabilities too.


----------



## LizardKing (Apr 1, 2009)

Runefox said:


> > Banking officials there reportedly said the Microsoft Windows-based based bank system began disbursing the bills after a local prankster crammed an infected USB stick into the maw of the teller machine.



I lol'd


----------



## Runefox (Apr 1, 2009)

Ty Vulpine said:


> That would be rather difficult for Conficker to attack military computers, as they are not connected to the public internet for obvious reasons.



Really? Well, it's not too far-fetched; The French military _actually is_ having issues thanks to Conficker, and many of their fighters have been grounded.

Too bad, 'cause the Rafale is pretty cool. Still prefer me a Eurofighter, though.


----------



## Ty Vulpine (Apr 1, 2009)

Runefox said:


> Really? Well, it's not too far-fetched; The French military _actually is_ having issues thanks to Conficker, and many of their fighters have been grounded.
> 
> Too bad, 'cause the Rafale is pretty cool. Still prefer me a Eurofighter, though.



Sorry, I forgot to say U.S. military. French military computers, probably could be infected with it, but U.S. military computers are not tied into the web, or at least have high-tech firewalls. Too much of a security risk. Someone hacks into one, a lot of national secrets are lost and national security compromised.


----------



## ArielMT (Apr 1, 2009)

Irreverent said:


> *PROTIP:* Scanning machines you don't own for Conficker will probably get you noticed.  We may even dispatch black helicopters.  Use at your own risk.



About getting the attention of your ISP in a bad way...  My ISP may be too small to afford any black helicopters to whisk away evil hackers, but we do have Vinny and Guido, who love to give guided tours of the back country's rockier unpaved roads and dirt trails while the tourists are seated comfortably in the trunk of their '77 Cadillac.

I keep telling them to make it a round-trip tour, but they insist that their tourists love the vistas they're shown, such as high cliffs, deep mine shafts in ghost towns, snake pits, coyote dens, and during the monsoon season the arroyos, so much that they insist on walking back.



Aden said:


> Is this where I smugly post that I have a Mac? Just want to make sure.
> 
> :V



Until the Conficker.X variant comes out. 



Ty Vulpine said:


> That would be rather difficult for Conficker to attack military computers, as they are not connected to the public internet for obvious reasons.



Why not?  A simple Windows NT Blue Screen of Death left the USS Yorktown dead in the water for three hours in '97.

Also,
http://www.navy.mil/
http://www.army.mil/
http://www.usmc.mil/
http://www.af.mil/
http://www.uscg.mil/
and their subdomains are connected to the public Internet.

I'm not at liberty to say where or how many, but some of the computers used by military personnel on duty run Windows and access the public Internet, even if they are behind enterprise-class managed proxies and firewalls.


----------



## Ty Vulpine (Apr 1, 2009)

ArielMT said:


> Why not?  A simple Windows NT Blue Screen of Death left the USS Yorktown dead in the water for three hours in '97.
> 
> Also,
> http://www.navy.mil/
> ...




But that's only a few public military computers, and those that wouldn't have sensitive data on them. The really sensitive ones aren't connected, so that hackers can't access them, and steal data. As for the Yorktown, however, I'm not sure about, as even Wiki doesn't mention anything about the BSOD "incident", which may have just been a computer crash, and not a hack.


----------



## Pi (Apr 1, 2009)

Eli said:


> I'd rather them build something from scratch. Unix has its vulnerabilities too.



Building something from scratch is a _great_ way of accidentally inventing new vulnerabilities and reimplementing old ones. I wholly disagree with you here.


----------



## Aurali (Apr 1, 2009)

Pi said:


> Building something from scratch is a _great_ way of accidentally inventing new vulnerabilities and reimplementing old ones. I wholly disagree with you here.



True. However, it's a lot harder to find known vulnerabilities on something that isn't really known. Though I guess, randomly hitting at it, anything is gonna give eventually.


----------



## Runefox (Apr 1, 2009)

Ty Vulpine said:


> French military computers, probably could be infected with it, but U.S. military computers are not tied into the web, or at least have high-tech firewalls.



The French feel the same way; The entire network was under lockdown, and these systems aren't supposed to face the net. The belief is that one enterprising young sailor with an infected USB key sent all those precautions spiralling into oblivion rather nicely. The very same could happen on the US side of things as long as Windows is around to see it through.


----------



## verix (Apr 1, 2009)

Eli said:


> True. However, it's a lot harder to find known vulnerabilities on something that isn't really known. Though I guess, randomly hitting at it, anything is gonna give eventually.



that's not how vulnerability research works


----------



## Eevee (Apr 1, 2009)

Eli said:


> However it's a lot harder to find known vulnerabilities on something that isn't really known.


what

every vulnerability starts out unknown; then someone _finds it_.  what would make My Cool OS any different?


----------



## Runefox (Apr 1, 2009)

> every vulnerability starts out unknown


Unless you're particularly annoyed with your employer and manage to slip in some "extra functions" between massive walls of comments or something.


----------



## Aurali (Apr 1, 2009)

Eevee said:


> every vulnerability starts out unknown; then someone _finds it_.  what would make My Cool OS any different?



and if you aren't on a common system, then isn't it a lot harder to find? I dunno.

EDIT: Okay then.. so why does it really have to be Unix based?


----------



## Runefox (Apr 1, 2009)

> Okay then.. so why does it really have to be Unix based?


To take a stab at it, the concept of UNIX has been around since 1969, is an open, widely-adopted and widely-expanded concept, and operating systems based on it typically feature much greater security in general and have available a wider array of security tools dealing in much lower-level activity than is typical of certain other operating systems out there.


----------



## Aurali (Apr 1, 2009)

Runefox said:


> To take a stab at it, the concept of UNIX has been around since 1969, is an open, widely-adopted and widely-expanded concept, and operating systems based on it typically feature much greater security in general and have available a wider array of security tools dealing in much lower-level activity than is typical of certain other operating systems out there.


and the military isn't able to make something more secure?


----------



## Ty Vulpine (Apr 1, 2009)

Eli said:


> and the military isn't able to make something more secure?



Probably something along the lines of a Phoenix firewall.


----------



## Eevee (Apr 1, 2009)

Eli said:


> and if you aren't on a common system, then isn't it a lot harder to find? I dunno.


um.  no?  why would this be the case?



Eli said:


> and the military isn't able to make something more secure?


how exactly is the military going to duplicate the *40 years' worth* of untold thousands of people hammering away at UNIX and friends?


----------



## Runefox (Apr 1, 2009)

Eli said:


> and the military isn't able to make something more secure?



Well, ideally, the military would take it as a base and build something more secure, yes. However, they're almost universally entrenched with Microsoft's proprietary systems, and are either unwilling or unable to spare the resources to break out of that and write/hack/_use_ something actually secure. Of course, Microsoft vehemently asserts that its offerings are bulletproof, but the French Navy seems to have found out the hard way that such isn't the case.

I suppose the point is, at one point, they _were_ using UNIX, but switched to the Microsoft tax because it's easier to maintain (a reliable (as in, not going under anytime soon) third party is doing it, much like aircraft and weapons manufacturers) and more cost-effective than writing and maintaining their own code or someone's machine-specific implementation of UNIX like HP-UX. In addition, most military personnel are familiar with Microsoft software. I'm sure there's a corporate deal in there somewhere, but long story short, I can't think of any reason but logistical to be using Windows-based machines in the military. Pretty soon, that's going to become a much greater threat than any budget will.

A lot of Linux-bashers like to point out that Windows is DoD-approved - I like to point to the big pools of botnets sitting around out there on the internets.


----------



## verix (Apr 1, 2009)

Eli said:


> and if you aren't on a common system, then isn't it a lot harder to find? I dunno.
> 
> EDIT: Okay then.. so why does it really have to be Unix based?



make a completely undocumented processor architecture for your system and then you won't have a problem (except nobody will be able to write software for your system)


----------



## verix (Apr 1, 2009)

Runefox said:


> A lot of Linux-bashers like to point out that Windows is DoD-approved - I like to point to the big pools of botnets sitting around out there on the internets.



and Linux has an entire community dedicated to rootkits and exploitation of the operating system itself

so what

you realize that this comment has little to do with the operating system's security itself and more to do with the fact that Windows has like 90% marketshare of all computers, right


----------



## verix (Apr 1, 2009)

this is it. this is the horrifying payload that has arrived on April 1st via the conficker infection. this horrible thread.


----------



## Aurali (Apr 1, 2009)

Eevee said:


> how exactly is the military going to duplicate the *40 years' worth* of untold thousands of people hammering away at UNIX and friends?


Maybe they have something already designed... hmm? maybe they only SAY it's windows based. 



verix said:


> make a completely undocumented processor architecture for your system and then you won't have a problem (except nobody will be able to write software for your system)



I guess that works


----------



## verix (Apr 1, 2009)

whoops looks like your undocumented architecture got reverse engineered

hey look at that someone found a buffer overflow in one of your syscalls

better start over again


----------



## Runefox (Apr 1, 2009)

verix said:


> and Linux has an entire community dedicated to rootkits and exploitation of the operating system itself
> 
> so what



They're generally largely less successful at that than Windows-based rootkits and exploits, and any of these things requires access to the computer in question and typically relies either on root privileges or overflows in specific versions of libraries. Long story short, you'd need to be actively trying to get into the system, unlike most cases in the Windows world where many infections are quite fire and forget.



> this is it. this is the horrifying payload that has arrived on April 1st via the conficker infection. this horrible thread.


With a triple-post on top.


----------



## Aurali (Apr 1, 2009)

verix said:


> whoops looks like your undocumented architecture got reverse engineered
> 
> hey look at that someone found a buffer overflow in one of your syscalls
> 
> better start over again



but there is nothing for that architecture! 

So nothing of Value was lost :3


----------



## verix (Apr 2, 2009)

Runefox said:


> They're generally largely less successful at that than Windows-based rootkits and exploits,


please define "successful." my litmus for "successful" is "completely hides itself from the operating system unless extreme detective work is taken." which means that there have been tons of successful *nix-based rootkits-- at least, by my litmus. what's your goal-post?



Runefox said:


> and any of these things requires access to the computer in question and typically relies either on root privileges or overflows in specific versions of libraries.


which is kind of irrelevant when you consider that a lot of software requires root privileges, and to prevent normal attacks, drop down _from_ root to some other user. trouble with this is that they can also be brought back up to root.



Runefox said:


> Long story short, you'd need to be actively trying to get into the system, unlike most cases in the Windows world where many infections are quite fire and forget.


counter-argument: milw0rm.com


----------



## Kesteh (Apr 2, 2009)

April 2. Con variant C is a hoax...save for this thread.
GG.


----------



## Pi (Apr 2, 2009)

verix said:


> drop down _from_ root to some other user. trouble with this is that they can also be brought back up to root.



This depends on whether or not the app is using setuid or seteuid. If it's the former, your assertion does not hold.


----------



## verix (Apr 2, 2009)

Pi said:


> This depends on whether or not the app is using setuid or seteuid. If it's the former, your assertion does not hold.



huh, I must be confused then. I thought a shellcode trick was to drop setuid(0) somewhere to run as root on setuid() apps? my mistake then.


----------



## Shino (Apr 2, 2009)

Well, it's the day after without so much as a peep from the "dreaded" worm.
I'm doing my best to not to say "I told you so", but I think I just failed.
I had a feeling this was going to be another Y2K false panic attack.
I'm sorry. I have to say it again.
"I told you so."


----------



## Eevee (Apr 2, 2009)

all conficker was ever going to do was mutate

what did you think would happen

malware authors don't want to nuke machines; they want to have as many living machines as possible so they can DDoS and spam all day


----------



## Runefox (Apr 2, 2009)

> please define "successful." my litmus for "successful" is "completely hides itself from the operating system unless extreme detective work is taken." which means that there have been tons of successful *nix-based rootkits-- at least, by my litmus. what's your goal-post?


Eh, my goal-post says "wide-spread, easy to infect" on it. Surely there are _working_ rootkits and attacks on *NIX systems themselves, but wide variations of implementations of different system libraries, lack of a user base that would be kept blinded by the fact they have a rootkit for very long, and a general inability to really do much but infect a user unless privilege escalation is given make these rootkits fall short of my expectations.

There actually isn't a lot of software that implicitly requires root access except those which can directly interact with the system (like hdparm, modprobe, etc), and on the GUI level, for things that need root access, we're just talking software that rewrites config files for you. Even the ATI binary driver installer, for example, mostly just runs a script that compiles a kernel module off your current sources and rewrites your xorg.conf file. For that sort of attack to work, you'd need to be doing some social engineering, and if that's the case, no system in the world is secure enough to prevent an attack based on that.

EDIT:


> malware authors don't want to nuke machines; they want to have as many living machines as possible so they can DDoS and spam all day



Exactly what I said in another thread about this, in fewer words.


----------



## ArielMT (Apr 2, 2009)

Eevee said:


> all conficker was ever going to do was mutate
> 
> what did you think would happen



But-- But-- But the TV told us it was gonna destroy the Internet, steal my bank account, and drop us into a post-apocalypse where people have to barter animal skins for food or use CueCats, floppy disks, and Cracker Jack prizes as money to survive!



Eevee said:


> malware authors don't want to nuke machines; they want to have as many living machines as possible so they can DDoS and spam all day



^ This.


----------



## Stratelier (Apr 2, 2009)

Runefox said:


> Unless you're particularly annoyed with your employer and manage to slip in some "extra functions" between massive walls of comments or something.


That's not a vulnerability, that's a backdoor.


----------



## Stratelier (Apr 2, 2009)

Eevee said:


> malware authors don't want to nuke machines; they want to have as many living machines as possible so they can DDoS and spam all day


*EXACTLY*.

Conficker doesn't want to ficken up your system or do anything that would _force_ you to dump and re-install your whole computer.  It won't block you from playing Halo or Windows Solitaire, and it won't randomly delete sentimental images you transferred off your digital camera.

It just wants your extra, unused CPU cycles so it can commit coordinated cybercrimes with millions of other computers across the Web; the only things it _does_ block are attempts to actually remove it from your system.



Runefox said:


> There actually isn't a lot of software that implicitly requires root access except those which can directly interact with the system (like hdparm, modprobe, etc), and on the GUI level, for things that need root access, we're just talking software that rewrites config files for you.


Which makes it all the more ridiculous that high-end PC games insist on having administrative privileges in order to install 'properly'.  Which is really not because of the games _themselves_, but rather because of whatever DRM scheme the publisher chose to bundle with the game to (supposedly) prevent the game from being pirated.


----------



## Aden (Apr 2, 2009)

The _real_ April Fool's was getting people to think something would happen on April Fool's Day.

I will laugh my ass off if something happens in a week, when nobody cares anymore.


----------



## Aurali (Apr 2, 2009)

Aden said:


> The _real_ April Fool's was getting people to think something would happen on April Fool's Day.
> 
> I will laugh my ass off if something happens in a week, when nobody cares anymore.



I'm laughing now because the only people who will be hurt are those too stubborn to admit something might be wrong...


----------



## Toaster (Apr 2, 2009)

Stratadrake said:


> That's not a vulnerability, that's a backdoor.



Pffff. Back doors are for losers..... 

**Codes in logic bomb just in case he doesn't get paid**


----------



## Pi (Apr 2, 2009)

verix said:


> huh, I must be confused then. I thought a shellcode trick was to drop setuid(0) somewhere to run as root on setuid() apps? my mistake then.



oh, oh oh. Yeah, I know what you're doing. But I think the sequence goes "seteuid(0);setuid(0);", since (at least according to setuid(2)):



> If the user is root or the program is set-user-ID-root, special care must  be  taken.   The  setuid()  function checks the effective user ID of the caller and if it is the superuser, all process-related user ID's are set to uid.  After this has occurred, it is impossible for the program to regain root privileges.
> 
> Thus, a set-user-ID-root program wishing to temporarily drop root privileges, assume the identity of a non-root user,  and  then regain root privileges afterwards cannot use setuid().  You can accomplish this with the (non-POSIX, BSD) call seteuid(2).
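The man page excerpt above is the whole point from a least-privilege angle: a set-user-ID-root program that wants to give up root for good calls setuid(), after which the real, effective and saved IDs all match and no seteuid() can bring root back. The following is an added example, not code from the thread, written in Python (os.setuid / os.seteuid / os.getresuid are thin wrappers over the same system calls) so it runs unprivileged as well; when run as root it performs the real drop, and the temporary-drop helper is only meaningful in that case.

```python
import os

# Added example: the setuid(2) semantics quoted from the man page, shown from
# a defender's side, i.e. drop root permanently and verify it stayed dropped.


def _current_ids():
    """Return (real, effective, saved) UIDs.

    getresuid() exists on Linux and the BSDs; on platforms without it we fall
    back to (real, effective, effective), which loses the saved-UID check.
    """
    if hasattr(os, "getresuid"):
        return os.getresuid()
    return (os.getuid(), os.geteuid(), os.geteuid())


def drop_privileges_permanently(target_uid=None):
    """Switch to target_uid with setuid(2) and verify the drop is irreversible.

    When the effective UID is 0, setuid() sets real, effective and saved UIDs
    together, so root cannot be regained afterwards. The default target is
    the real UID, which an unprivileged process is always allowed to set, so
    the example also runs without root.
    """
    if target_uid is None:
        target_uid = os.getuid()
    os.setuid(target_uid)
    ids = _current_ids()
    # A correct permanent drop leaves all three IDs equal to the target.
    dropped = all(i == target_uid for i in ids)
    # Probe: can effective root be regained? For a permanent drop the kernel
    # must refuse with EPERM. The probe is skipped when the target is root.
    regain_possible = None
    if target_uid != 0:
        try:
            os.seteuid(0)
            regain_possible = True
            os.seteuid(target_uid)  # undo the probe if it unexpectedly worked
        except PermissionError:
            regain_possible = False
    return {"target": target_uid, "ids": ids,
            "dropped": dropped, "regain_possible": regain_possible}


def drop_privileges_temporarily(target_uid):
    """The contrasting pattern from the man page: seteuid() changes only the
    effective UID and leaves saved UID 0 in place, so root can be regained.
    Only works when the caller is root; otherwise seteuid(0) raises EPERM."""
    os.seteuid(target_uid)
    ids_while_dropped = _current_ids()
    os.seteuid(0)  # succeeds because the saved UID is still 0
    return ids_while_dropped, _current_ids()


if __name__ == "__main__":
    print(drop_privileges_permanently())
```

Running it as a normal user prints all three IDs equal to your own UID and `regain_possible: False`; as root with an explicit non-zero target you see the same, which is exactly the "cannot use setuid() to come back" behaviour the man page describes.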


----------



## Irreverent (Apr 2, 2009)

Shino said:


> Well, it's the day after without so much as a peep from the "dreaded" worm.



No, the worm definitely peeped.  A couple of million machines "called home" in a coordinated wave as time changed across the different timezones.    Nothing the backbone couldn't handle.  And "home" didn't answer,  nor did I really expect it to.



> I'm sorry. I have to say it again.
> "I told you so."



Not so fast, this ain't over yet.  The botnet is still there, the control channel is still viable.  This botnet is going to get sold (or I'll speculate, leased) to the highest bidder for purpose built uses; most likely spam and distributed denial of service attacks.


----------



## Carenath (Apr 2, 2009)

Eli said:


> True. However it's a lot harder to find known vulnerabilities on something that isn't really known. though I guess randomly hitting at it, anything is gonna give eventually.


That's what the MPAA thought when they invented CSS for DVD players, only it got reverse-engineered by a Norwegian programmer who wrote DeCSS as a result. Security through Obscurity is FAIL.



Eli said:


> and the military isn't able to make something more secure?


The NSA uses Unix, and they were the nice guys that released SELinux for the rest of us; it's a bastard to set up, but it can make your system a lot more secure than conventional Unix systems would be on their own.

> A lot of Linux-bashers like to point out that Windows is DoD-approved - I like to point to the big pools of botnets sitting around out there on the internets.

Well if the US DoD approves Windows as secure.. then those can't be the same idiots that work for the NSA... I doubt the NSA certified Windows as being secure.


----------



## Runefox (Apr 2, 2009)

Stratadrake said:


> Which makes it all the more ridiculous that high-end PC games insist on having administrative privileges in order to install 'properly'.  Which is really not because of the games _themselves_, but rather because of whatever DRM scheme the publisher chose to bundle with the game to (supposedly) prevent the game from being pirated.



Well, it harkens back to the differences in concepts between Win9x and NT, and the *NIX community. At the consumer level, it has always been widely assumed, whether true or not, that the person sitting in front of the computer knows best, and typically offered as much control over the system as possible. Things like installing games and software have always been treated as system-wide tasks, and that paradigm continues to stretch into the current world of higher security and limited accounts. It's perfectly reasonable in *NIX to install/compile an application as a user without making system-wide changes; You do need to escalate to install system-wide, but this is part of the difference between the two worlds.

Newer applications and installers sometimes add the option to install "For this user only", which somewhat bypasses the need for administrative privileges. However, another huge roadblock is the concept of the Registry, which is extremely difficult to secure, and is in essence a giant blob of data. Why it's being used so much, I'll honestly never know. It's not portable; If you need to reinstall your OS, that means you'll need to reinstall your apps. I suppose this brings the concept of tethering software to a certain PC for anti-piracy purposes to a much more accessible level, but there do exist other ways of doing that. It's just one more roadblock to a more sensible, less antiquated solution.


----------



## mapdark (Apr 2, 2009)

Ornias said:


> Pffff. Back doors are for losers.....
> 
> **Codes in logic bomb just in case he doesn't get paid**



Meh .. why make it complicated when it can be easy?

People still fall for the good ol' Nigerian scam .. so security is not exactly a priority in most neighbourhoods that have internet


----------



## Runefox (Apr 2, 2009)

mapdark said:


> Meh .. why make it complicated when it can be easy?
> 
> People still fall for the good ol' Nigerian scam .. so security is not exactly a priority in most neighbourhoods that have internet



It's different if the software in question is going to be either used widespread or in corporate environments. In the former case, it just makes it easier to have something that can be exploited right off the bat instead of having to go to the trouble of social engineering. In the latter, it can help bypass tight security.

I'd like to think it doesn't happen very often. Then again, I use mostly open source software for productivity.


----------



## Toaster (Apr 2, 2009)

Runefox said:


> It's different if the software in question is going to be either used widespread or in corporate environments. In the former case, it just makes it easier to have something that can be exploited right off the bat instead of having to go to the trouble of social engineering. In the latter, it can help bypass tight security.
> 
> I'd like to think it doesn't happen very often. Then again, I use mostly open source software for productivity.



I'd ALWAYS code in something nasty just in case something happens that I don't like. It just goes to show you, you should always pay your programmers right. 

But anyway, chances are the code for this worm is most likely going to be sold to the highest bidder, then used in a failed DDoS attack on god knows who. This isn't the first time I've heard of it (even though I'm very young), and it won't be the last.


----------



## Pi (Apr 2, 2009)

Ornias said:


> I'd ALWAYS code in something nasty just in case something happens that I don't like. It just goes to show you, you should always pay your programmers right.



great way to get fired and waste lots of people's time scraping your backdoor out of the code, then reviewing to make sure you didn't leave anything else in!


----------



## SnowFox (Apr 2, 2009)

Ornias said:


> I'd ALWAYS code in something nasty just in case something happens that I don't like. It just goes to show you, you should always pay your programmers right.



LOL, Where I work we sometimes send out disks with all our product information on, I made an autorun program for it and put in a little bit of spying just for fun.

I also had someone send me an email with an embedded image and I just happened to notice the source was in the format `ftp://username:password@hostname.com/image.jpg`. *FAIL!!!* I hid a little script among his guestbook files so I can eval() anything I submit to it. If I'm ever feeling evil....... :twisted:


----------



## verix (Apr 2, 2009)

Runefox said:


> Eh, my goal-post says "wide-spread, easy to infect" on it. Surely there are _working_ rootkits and attacks on *NIX systems themselves, but wide variations of implementations of different system libraries, lack of a user base that would be kept blinded by the fact they have a rootkit for very long, and a general inability to really do much but infect a user unless privilege escalation is given make these rootkits fall short of my expectations.


then your goal-post describes worms, not rootkits. rootkits and exploits are a lot like Linux in the sense that they're disjoint but powerful when put together-- like "cat" and "grep" I guess, but that's a really dorky example. rootkits are the means by which to completely maintain control over a system after you have exploited it. just because the rootkit _alone_ isn't as effective as it can be without being paired with an exploit doesn't mean that rootkits aren't effective.


----------



## Toaster (Apr 2, 2009)

Pi said:


> great way to get fired and waste lots of people's time scraping your backdoor out of the code, then reviewing to make sure you didn't leave anything else in!



I'm too young to get any real computer job, so I really don't care :/


----------



## Runefox (Apr 2, 2009)

verix said:


> just because the rootkit _alone_ isn't as effective as it can be without being paired with an exploit doesn't mean that rootkits aren't effective.



Well, like any weapon, it can be effective on its own, but without anything to deliver it, what purpose does it have? A payload is a payload, no matter what it does. Without any way into the system to begin with, there's no way it can do any damage - hence, it's ineffective in the same way an Mk84 2,000lbs freefall bomb is ineffective without an aircraft to drop it - or something to throw it.


----------



## Kesteh (Apr 2, 2009)

http://www.pcmag.com/article2/0,2817,2344342,00.asp



> Remember the Y2K bug?


Lol pcmag.


----------



## Aurali (Apr 2, 2009)

Ornias said:


> I'm too young to get any real computer job, so I really don't care :/



Dude.. You wanna be a game programmer right?

Guess what? You will never get a job after that statement :[

it's a small industry.. trust me on that.


----------



## Pi (Apr 2, 2009)

Eli said:


> Dude.. You wanna be a game programmer right?
> 
> Guess what? You will never get a job after that statement :[
> 
> it's a small industry.. trust me on that.



ahahahaha

are *you* of all people threatening him?


----------



## Aurali (Apr 2, 2009)

Pi said:


> ahahahaha
> 
> are *you* of all people threatening him?



It's not really a threat.. if he can be traced back to this he won't be able to find a job... All it takes is one small mistake. 

Besides. We _all_ know how much I screwed up in the past.


----------



## Pi (Apr 2, 2009)

Eli said:


> It's not really a threat.. if he can be traced back to this he won't be able to find a job... All it takes is one small mistake.


right, someone's future employers are going to find something some kid said on a furry website and use it as the sole determining criterion for whether or not said person should be hired



			
				Eli said:
			
		

> Besides. We _all_ know how much I screwed up in the past.



Oh, we're very aware.


----------



## Aurali (Apr 2, 2009)

Pi said:


> right, someone's future employers are going to find something some kid said on a furry website and use it as the sole determining criterion for whether or not said person should be hired


And people get fired for what they post on facebook. All you need is a connection





> Oh, we're very aware.


Resisting.. urge to go... offtopic....


----------



## Eevee (Apr 2, 2009)

verix said:


> ...a lot like Linux in the sense that they're disjoint but powerful when put together-- like "cat" and "grep" I guess, but that's a really dorky example.


especially since there's rarely any reason you should need to pipe cat into grep  :eng101:


----------



## Runefox (Apr 2, 2009)

Pi said:


> right, someone's future employers are going to find something some kid said on a furry website and use it as the sole determining criterion for whether or not said person should be hired



You'd be surprised.

A lot of prospective employers will run any known usernames and/or the name of the applicant through some searches around the web to see what they keep themselves busy with. Not entirely impossible, though a stretch, to see someone finding their way here.


----------



## Pi (Apr 2, 2009)

I think it's cute that you two think that FAF is as important as Facebook.


----------



## ArielMT (Apr 2, 2009)

_*I BRING ON-TOPIC NEWS!*_

The Conficker Eye-Chart drawn up by the Conficker Working Group will detect whether your own system likely has the Conficker Worm or not!


----------



## Aurali (Apr 2, 2009)

ArielMT said:


> _*I BRING ON-TOPIC NEWS!*_
> 
> The Conficker Eye-Chart drawn up by the Conficker Working Group will detect whether your own system likely has the Conficker Worm or not!



YAY! I'm not infected


----------



## Runefox (Apr 3, 2009)

Pi said:


> I think it's cute that you two think that FAF is as important as Facebook.



I think it's cute to think that Facebook is of any worth to begin with. But anyway, both are likely to turn up on a Google search.


----------



## lilEmber (Apr 3, 2009)

I'm not really worried, at all.


----------



## Runefox (Apr 3, 2009)

NewfDraggie said:


> I'm not really worried, at all.



Wow, you're later to the party than Conficker is.


----------



## lilEmber (Apr 3, 2009)

Runefox said:


> Wow, you're later to the party than Conficker is.


I've never even seen it, honestly. I was like "Oh look, a thread on that new "mega" worm" and clicked it, adding my opinion. :3

I updated my Windows to the latest updates, though; which also updated my LAN driver as well as my NET framework, so it's probably an added plus.
Thanks mega worm!


----------



## Cecil (Apr 3, 2009)

*Re: ConFICKer C*

I had to fix the title. It was burning my eyes.


----------



## verix (Apr 5, 2009)

Runefox said:


> I think it's cute to think that Facebook is of any worth to begin with. But anyway, both are likely to turn up on a Google search.


yeah, fuck social networks man


----------



## verix (Apr 5, 2009)

Eevee said:


> especially since there's rarely any reason you should need to pipe cat into grep  :eng101:


sometimes I do "cat [big file] | grep (expression)" fuck you I won't do what you tell me :colbert:


----------



## Stratelier (Apr 5, 2009)

ArielMT said:


> _*I BRING ON-TOPIC NEWS!*_
> 
> The Conficker Eye-Chart drawn up by the Conficker Working Group will detect whether your own system likely has the Conficker Worm or not!



Eh, right.  But Conficker's own anti-security measures already make it obvious if you have a Conficker infection (can't run AV or even Task Manager, can't browse MS et al. websites).
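Both the Eye Chart post above and this reply rest on the same observation: the infection shows itself as a selective outage, where ordinary sites load but Microsoft and anti-virus vendor sites do not. The Eye Chart turned that into a differential test (load images from security-vendor sites next to control images and compare). The block below is an added example in that spirit, not the Working Group's code; the hostnames are constructed placeholders rather than the vendors the real chart used, and the reachability probe is injectable so the logic can be exercised offline with a fake.

```python
import urllib.error
import urllib.request

# Constructed host lists for this example (placeholders, not the real chart's
# list): sites an infection like the one described would block, next to
# control sites it would leave alone.
SECURITY_HOSTS = ["update.microsoft.example", "av-vendor-a.example",
                  "av-vendor-b.example"]
CONTROL_HOSTS = ["news.example", "shop.example"]


def http_reachable(host, timeout=5):
    """Real probe: True if an HTTP GET to the host gets any answer at all.

    An HTTP error status still counts as reachable, because the question is
    whether the path to the site is blocked, not whether the page exists.
    """
    try:
        urllib.request.urlopen("http://%s/" % host, timeout=timeout)
        return True
    except urllib.error.HTTPError:
        return True
    except (urllib.error.URLError, OSError):
        return False


def classify(reachable, security_hosts=SECURITY_HOSTS,
             control_hosts=CONTROL_HOSTS):
    """Differential reachability check in the spirit of the Eye Chart.

    reachable: callable host -> bool; pass a fake for offline testing.
    Returns (verdict, details) with verdict one of:
      offline     no control site loads, so nothing can be concluded
      clean       every security site loads
      suspicious  control sites load but no security site does, the
                  pattern the posts describe for a Conficker infection
      partial     a mix; could be a filtering proxy or one flaky site
    """
    sec = {h: reachable(h) for h in security_hosts}
    ctl = {h: reachable(h) for h in control_hosts}
    if not any(ctl.values()):
        verdict = "offline"
    elif all(sec.values()):
        verdict = "clean"
    elif not any(sec.values()):
        verdict = "suspicious"
    else:
        verdict = "partial"
    return verdict, {"security": sec, "control": ctl}


if __name__ == "__main__":
    verdict, details = classify(http_reachable)
    print(verdict, details)
```

A "suspicious" verdict is a hint, not a diagnosis: a corporate web filter or a DNS outage at one vendor produces the same picture, and a machine that answers "clean" here can still be infected with something that does not block these sites. It is a cheap first check to run before pulling out an offline scanner.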


----------



## Eevee (Apr 6, 2009)

verix said:


> sometimes I do "cat [big file] | grep (expression)" fuck you I won't do what you tell me :colbert:


every time you do this RMS kills a kitten


why do you hate kittens, verix


----------



## Aurali (Apr 6, 2009)

Stratadrake said:


> Eh, right.  But Conficker's own anti-security measures already make it obvious if you have a Conficker infection (can't run AV or even Task Manager, can't browse MS et al. websites).



and this is when someone with a brain gets suspicious and fixes the problem...

Or do like my mom and throw out her old PC.. I got nice Dual core for free that way :3


----------



## Runefox (Apr 6, 2009)

> Or do like my mom and throw out her old PC.. I got nice Dual core for free that way :3


I never really understood that concept. The idea was that the repair bills for those who don't know how to do it themselves pile high when you get infected with spyware and/or viruses over and over again, but to buy a new computer every time you get an infection is even more insanely expensive. Compare $60/infection to $500/infection minimum. Then factor in that those same people will want to buy (obviously useless) anti-virus packages, and you've got idiot stew.


----------



## Aurali (Apr 6, 2009)

Runefox said:


> I never really understood that concept. The idea was that the repair bills for those who don't know how to do it themselves pile high when you get infected with spyware and/or viruses over and over again, but to buy a new computer every time you get an infection is even more insanely expensive. Compare $60/infection to $500/infection minimum. Then factor in that those same people will want to buy (obviously useless) anti-virus packages, and you've got idiot stew.



My mom was so scared that the virus would spread she almost made me destroy the computer in front of her.. all I really did was wipe the drive and kept going.


----------



## AxlePerri (Apr 7, 2009)

My home network was infected by Conficker/Downadup some time ago :\. The home computers had not had automatic updates since last year and they spread it between each other on the network when someone plugged in an external infected computer.

I re-formatted all the machines at once, but it STILL came back after, because it infected autorun.inf on an external USB drive :/.

All it did was prevent access to microsoft.com and all anti-virus sites (except one it forgot).

As long as Windows Update is enabled you will not get the (real variant of this) virus, unless something gets you to run it. And the MS Malicious Software Removal Tool removes it.


----------



## Runefox (Apr 7, 2009)

> My mom was so scared that the virus would spread she almost made me destroy the computer in front of her.. all I really did was wipe the drive and kept going.


See, that's silly. And I know exactly why she felt that way, too - The term "virus" is really misleading, though I suppose I can't really figure out another word that would describe it as well. Still, people need to learn that software is software - Can't harm the hardware in any way. At least, not in today's world.



> I re-formatted all the machines at once, but it STILL came back after, because it infected autorun.inf on external USB drive :/.


The lesson here, kiddies, is that autorun is universally a bad thing. Turn it off!
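On Windows the switch behind "turn it off" is the NoDriveTypeAutoRun policy value: a bitmask under the Explorer policies key in which each set bit disables AutoRun for one drive type, and 0xFF disables it for all of them. The following is an added example, not from the thread, kept in Python to match the other examples on this page: it decodes that mask and audits a registry export for it, so you can see at a glance which drive types (removable USB media being the one that bit AxlePerri) are still allowed to AutoRun. The two `.reg` snippets are constructed sample input.

```python
import re

# Each bit corresponds to a Win32 drive type (1 << DRIVE_* constant); a set
# bit disables AutoRun for that type. 0xFF turns it off everywhere.
DRIVE_TYPE_BITS = {
    0x01: "unknown",
    0x04: "removable (USB sticks, floppies)",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM/DVD",
    0x40: "RAM disk",
    0x80: "reserved/unknown",
}
ALL_DISABLED = 0xFF

_POLICY_KEY = r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]"

# Constructed sample exports (what `reg export` of the policy key looks like):
# a pre-hardening value that still lets removable media and CDs AutoRun,
# and the hardened value.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:00000091
"""
HARDENED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff
"""


def drive_types_with_autorun(mask):
    """Drive types whose AutoRun is still permitted under the given mask."""
    return [name for bit, name in DRIVE_TYPE_BITS.items() if not mask & bit]


def parse_nodrivetypeautorun(reg_text):
    """Pull NoDriveTypeAutoRun out of a .reg export of the Explorer policy key.

    Returns None when the value is absent, in which case Windows applies
    its built-in default rather than a policy you chose.
    """
    in_key = False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == _POLICY_KEY.lower()
            continue
        if in_key:
            m = re.match(r'"NoDriveTypeAutoRun"=dword:([0-9a-fA-F]{8})', line)
            if m:
                return int(m.group(1), 16)
    return None


def audit(reg_text):
    """Summarise the AutoRun posture described by a registry export."""
    mask = parse_nodrivetypeautorun(reg_text)
    if mask is None:
        return {"mask": None, "hardened": False,
                "still_autorun": ["(policy not set; OS default applies)"]}
    return {
        "mask": mask,
        "hardened": (mask & ALL_DISABLED) == ALL_DISABLED,
        "still_autorun": drive_types_with_autorun(mask),
    }


if __name__ == "__main__":
    for label, text in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, audit(text))
```

The weak sample (0x91) leaves removable, fixed, CD-ROM and RAM-disk drives free to AutoRun, which is precisely how an infected autorun.inf on a USB stick gets a freshly reinstalled machine again; only the 0xFF export reports as hardened. Feed it the output of `reg export` from the machine you are checking.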


----------



## net-cat (Apr 7, 2009)

Runefox said:


> The lesson here, kiddies, is that autorun is universally a bad thing. Turn it off!


My mom agrees with you.

First computer she had that supported autorun:

Her: "Why does it pop up when I put the CD in."
Me: "It's a new feature in Windows 95?"
Her: "It's stupid. Make it stop."

Ten years later when the Sony rootkit came out and I explained it to her.

Her: "Yeah, I've always though autorun was stupid."

As for Conficker C, I'm still here. The world hasn't ended. I guess I shouldn't have run up my credit card bill on hookers.


----------



## Runefox (Apr 7, 2009)

net-cat said:


> As for Conficker C, I'm still here. The world hasn't ended. I guess I shouldn't have run up my credit card bill on hookers.



Wait, hookers take credit cards? Where do you swipe? >_>


----------



## net-cat (Apr 7, 2009)

Of course they do. And they swipe them anywhere that will take them until you report it stolen.


----------



## Aurali (Apr 7, 2009)

net-cat said:


> As for Conficker C, I'm still here. The world hasn't ended. I guess I shouldn't have run up my credit card bill on hookers.




Dude it's a dud. Anyone with a brain had it fixed in October.


----------



## Runefox (Apr 7, 2009)

Eli said:


> Dude it's a dud. Anyone with a brain had it fixed in October.



BUT! There's a NEW superworm! It's called Neeris! It's based on Conficker, which can only mean it's SUPER BAD!


----------



## Aurali (Apr 7, 2009)

whatever source runefox pointed to said:

> but has been updated to target the *same Microsoft flaw MS08-067 *



Granny is already stocking her cupboard.


----------



## Runefox (Apr 7, 2009)

Eli said:


> Granny is already stocking her cupboard.



Hey, I never said I was serious, but that's what the news is reporting. =D And they're TALKING TO EACH OTHER


----------



## Irreverent (Apr 7, 2009)

Runefox said:


> but that's what the news is reporting. =D And they're TALKING TO EACH OTHER




"Give us dirty laundry!" *whistles Don Hennly tune*


----------



## LizardKing (Apr 7, 2009)

So it turns out conficker was just so some dude could make his own private version of limewire or something.


----------



## AxlePerri (Apr 7, 2009)

Runefox said:


> The lesson here, kiddies, is that autorun is universally a bad thing. Turn it off!



It is already on my list of "things to do after reformat computer". But my list is in a text file on that external USB disk. :\


----------

