# Conficker Worm: impending disaster



## broken_g3 (Jun 27, 2008)

If anyone has been following the news lately, the latest in destructive malware is the Conficker worm, which targets Windows-based computers using Windows 2000, XP, Vista, 7, Server 2003 and Server 2008. NT 4.0 seems to be immune. Though Microsoft patched the vulnerability back in 2008, it is still spreading and has infected over 10 million PCs worldwide. Not even the British House of Commons escaped:

House of Commons network hit by Conficker computer worm | Technology | guardian.co.uk

Back in February, Microsoft put a $250,000 bounty on the heads of the Conficker programmers:

Microsoft offers $250,000 bounty for capture of Conficker worm author | Technology | guardian.co.uk

If anyone here knows who these bastards are (unlikely), Bill will be happy to supplement your salary this year. And he's doing it for a reason. What is most troubling about this worm is virus experts have discovered that it is set to deliver some sort of unknown payload using its botnet of zombie computers on April 1st, 2009:

What Will Conficker Bring on April 1? - News and Analysis by PC Magazine

Right now, it is just pure speculation as to what this thing will bring. Some say it will only update its existing hosting of phishing and spam sites, though I think the satanists who created this have something far more sinister planned. In any case, anyone here who is using a Windows-based system, back it up sometime before April 1st. Never know what could be coming. 

:yikes:


----------



## EvanPitts (Mar 9, 2007)

I guess the patch had bugs... beejacon


----------



## Adrian. (Nov 28, 2007)

I posted this a while ago. It is very scary. The worm spreads incredibly quickly. 

Just like the impending disaster with bananas of homogenised genes, the complete dominance of Windows OS will come crashing down when someone can develop a programme that can rapidly exploit systems like wildfire. 

Indeed, the Plague is coming. 

I'm immune. 

I've got a Linux and Solaris partition on an external, if it ever comes down to it.


----------



## fjnmusic (Oct 29, 2006)

This could help boost Apple sales. Time to buy some Apple shares, methinks.


----------



## rgray (Feb 15, 2005)

:yawn: I have a Mac........ :yawn:


----------



## The G3 Man (Oct 7, 2008)

S-h-i-t, anyone to tell if i have it on meh PC?

I hope my school board has it beejacon. Just because the techies say Macs are just as secure as Windows machines. AND that Windows is better because it has service packs, isn't the point updates just like a service pack?

Morgan


----------



## broken_g3 (Jun 27, 2008)

rgray said:


> :yawn: I have a Mac........ :yawn:


This is exactly the kind of attitude that could get us screwed in the future. You lull yourself into a false sense of security and as a result you are rarely careful with your computer. No machine is immune... the common Costco machine is just as susceptible as the Cray-2. Someday, someone will find a way to crack Mac OS 10's security. And it will not be pretty when it happens.



The G3 Man said:


> S-h-i-t, anyone to tell if i have it on meh PC?


I have no idea how to find out. All that I know is that I ran NTBACKUP on my ThinkPad, and I'll have it automatically back up for the next couple of weeks. No idea what it has planned, but I'll be prepared for the little son-of-a-bitch come hell or high water.



The G3 Man said:


> I hope my school board has it beejacon. Just because the techies say Macs are just as secure as Windows machines. AND that Windows is better because it has service packs, isn't the point updates just like a service pack?


The techies are seriously misguided, although in theory Windows could be just as secure as a Mac. Microsoft stole the idea for Windows NT from OS/2, and that OS is rock solid and, I can say without a doubt, more secure than Mac OS 10. Just look at nuclear power plants for an example... they all run OS/2, they don't trust anything else. Microsoft just slips up a bit when it comes to making the OS nice and tight, I guess the code is too complex to find all the little holes.

As for service packs... I've always thought of service packs as the same as going from Mac OS 10.2 to 10.3 to 10.4 (although 10.5 is a much more serious update than any service pack ever was), and I've always thought of the 10.4.3 to 10.4.4 updates being more like major patches issued for Windows.


----------



## fjnmusic (Oct 29, 2006)

The G3 Man said:


> S-h-i-t, anyone to tell if i have it on meh PC?
> 
> I hope my school board has it beejacon. Just because the techies say Macs are just as secure as Windows machines. AND that Windows is better because it has service packs, isn't the point updates just like a service pack?
> 
> Morgan


The techies and IT people from the school board have to say this because if they switched over to Macs, they'd all be out of jobs. You have to buy service packs it seems, whereas you can download software updates for free.


----------



## fjnmusic (Oct 29, 2006)

broken_g3 said:


> This is exactly the kind of attitude that could get us screwed in the future. You lull yourself into a false sense of security and as a result you are rarely careful with your computer. No machine is immune... the common Costco machine is just as susceptible as the Cray-2. Someday, someone will find a way to crack Mac OS 10's security. And it will not be pretty when it happens.


Silly boy. Mac OS X has been around for about 10 years already. If it hasn't been cracked yet, it's because UNIX is a much better foundation on which to build an operating system than MS-DOS is. As long as MS-DOS is underlying Windows, it will be vulnerable.



broken_g3 said:


> The techies are seriously misguided, although in theory Windows could be just as secure as a Mac. Microsoft stole the idea for Windows NT from OS/2, and that OS is rock solid and, I can say without a doubt, more secure than Mac OS 10. Just look at nuclear power plants for an example... they all run OS/2, they don't trust anything else. Microsoft just slips up a bit when it comes to making the OS nice and tight, I guess the code is too complex to find all the little holes.


Well, you're right about one thing. You don't hear about viruses for OS/2 anymore.


----------



## rgray (Feb 15, 2005)

broken_g3 said:


> This is exactly the kind of attitude that could get us screwed in the future. You lull yourself into a false sense of security and as a result you are rarely careful with your computer.


You have no idea how I am with my computer or anything about me for that matter so you have no right to jump to pathetically generalised conclusions.

I am perfectly aware of the vulnerabilities of any computer to malefactors, and take steps accordingly.

However, the topic of this thread (I mean, you wrote it!!) is the "Conficker Worm". My computer is not vulnerable to this. _Ergo_ - :yawn:

Now if you want to talk security threats in general, that is a different matter.

Otherwise, BACK OFF!


----------



## Kazak (Jan 19, 2004)

Anyone suspicious of the delivery date?

Just asking.


----------



## broken_g3 (Jun 27, 2008)

rgray said:


> You have no idea how I am with my computer or anything about me for that matter so you have no right to jump to pathetically generalised conclusions.
> 
> ...
> 
> ...


I wasn't specifically targeting you, I was using "you" as a general term, kinda like how we say "you are unable to concentrate on the road when driving drunk".

Take it easy.


----------



## broken_g3 (Jun 27, 2008)

fjnmusic said:


> Silly boy. Mac OS X has been around for about 10 years already. If it hasn't been cracked yet, it's because UNIX is a much better foundation on which to build an operating system than MS-DOS is. As long as MS-DOS is underlying Windows, it will be vulnerable.


...I thought we got rid of MS-DOS with the demise of Windows 9x? Right now, MS is using Windows NT, which as I said before they stole from OS/2. There could still be some underlying legacy code, I suppose...



fjnmusic said:


> Well, you're right about one thing. You don't hear about viruses for OS/2 anymore.


Because, unlike Windows, OS/2 is not a dip**** OS. IBM made it nice and secure, spent lots of time perfecting it. Kinda like what Apple is doing right now... though I've never been a fan of Aqua, I like how they spend lots of time and effort perfecting the kernel of the OS.


----------



## rgray (Feb 15, 2005)

broken_g3 said:


> I wasn't specifically targeting you, I was using "you" as a general term, kinda like how we say "you are unable to concentrate on the road when driving drunk".


In that case the correct English usage is "one"..... as in "one is unable to concentrate on the road when driving drunk". "You" is 'second person' - when singular, correct usage refers to a particular individual; when used plural, correct usage refers to a particular group.


----------



## broken_g3 (Jun 27, 2008)

rgray said:


> In that case the correct English usage is "one"..... as in "one is unable to concentrate on the road when driving drunk". "You" is 'second person' - when singular, correct usage refers to a particular individual; when used plural, correct usage refers to a particular group.


Acknowledged. 

Though we are getting a little off-topic. Back to Conficker...


----------



## bgw (Jan 8, 2008)

Mac OS X 10.5.6 and not worried. But going over to my Boot Camp and virtual machines to update the system and AVG!


----------



## fjnmusic (Oct 29, 2006)

Kazak said:


> Anyone suspicious of the delivery date?
> 
> Just asking.


Yup. Y2K all over again. Unfortunately, you can fool too many of the people too much of the time.


----------



## Atroz (Aug 7, 2005)

fjnmusic said:


> Yup. Y2K all over again. Unfortunately, you can fool too many of the people too much of the time.


There's no fooling, just hype. The media has overblown this. Even the AV companies are downplaying it. 

The code is set to do something on April 1st. The extent of what it does is unknown. It may just do an update and go quiet. It may fail to work at all. It may do some horrible unspeakable stuff. I think it will do something on the low end of the scale. I think the motive is for financial gain in selling Bot services. So, it will wake up, and do an update in preparation for whatever service they are selling. I don't believe it will be destructive because it doesn't make sense for a parasite to kill its host.


----------



## eMacMan (Nov 27, 2006)

Atroz said:


> ....So, it will wake up, and do an update in preparation for whatever service they are selling. I don't believe it will be destructive because it doesn't make sense for a parasite to kill its host.


Someone should explain that to the Bankers, Politicians and pine bark beetles. tptptptp


----------



## Atroz (Aug 7, 2005)

eMacMan said:


> Someone should explain that to the Bankers, Politicians and pine bark beetles. tptptptp


I did say "make sense". I've seen the analysis of this worm. The authors are smart enough not to destroy their work. Unlike beetles.


----------



## broken_g3 (Jun 27, 2008)

eMacMan said:


> Someone should explain that to the Bankers, Politicians and pine bark beetles. tptptptp


Politicians and Pine Beetles certainly are parasites, but don't go ripping on the bankers. It's not their fault that we spent more than we had. 

But back on topic... Atroz is somewhat right. The creators would not want to destroy the entire botnet, although I'm beginning to think that they are going to use it to wreak havoc. So far, I can see something like a multitude of DoS attacks or an attempt by the worm to gain access into even more computers with the supposed future update. 

But remember, as much as the creators may not want to destroy something that took them so long to build (and may get them quite a bit of cash), we must realize that this is all they live for. To watch the world burn. Sure, they may be looking for some money, but their primary objective is to make people's lives miserable for their own pleasure. I can definitely see this worm taking control of computers or stealing/deleting important files or screwing with the settings to turn them into a horde of Zombie PCs, just for the sake of wasting people's time.


----------



## fjnmusic (Oct 29, 2006)

Atroz said:


> I did say "make sense". I've seen the analysis of this worm. The authors are smart enough not to destroy their work. Unlike beetles.


Yeah, except when McCartney foolishly allowed Michael Jackson to buy up their catalogue.


----------



## eMacMan (Nov 27, 2006)

broken_g3 said:


> Politicians and Pine Beetles certainly are parasites, but don't go ripping on the bankers. It's not their fault that we spent more than we had.


No but they were the ones that were leveraged at ratios of 30, 40 even 50:1 buying worthless derivatives. And they are the ones sucking $3 Trillion US taxpayer dollars at the Treasury's teat. The fact that Canadian banks had limited participation is largely due to inopportune election timing. They were certainly begging the feds to remove those prohibitive regulations.

Back on topic, yes destroying the bot-net host computers would be quite acceptable to the designers if it accomplished a specific goal, say looting the hosts' bank accounts.


----------



## broken_g3 (Jun 27, 2008)

eMacMan said:


> Back on topic, yes destroying the bot-net host computers would be quite acceptable to the designers if it accomplished a specific goal, say looting the hosts' bank accounts.


Bastards won't get ME. I keep all my bank records in nice, analog bank books locked away in a safe for this very reason. 

Although that is a good point- something like this would certainly be possible, but again there is not much incentive for destroying the computer after initiating the raid of the bank accounts (aside from the fact that they are heartless bastards who will most certainly burn in hell with their best friends Adolf Hitler and Joseph Stalin), so we will just have to wait and see. Again, all those with a Windows partition, back up everything- we are not yet sure what this worm will do. I remember a worm that had a very amusing payload: 
Or, it could be programmed to erase all partitions on the hard drive after stealing your information, including NTFS, ext3, FAT32, HFS+, everything. So it can't hurt to have an extra copy of all your things on several DVDs or an external hard drive.


----------



## Atroz (Aug 7, 2005)

broken_g3 said:


> or an external hard drive.


That is NOT connected when the malware strikes. 

Just thought I'd throw that in since some people seem to think backups are safe but don't realize they can be erased by malware or an accident.


----------



## EvanPitts (Mar 9, 2007)

fjnmusic said:


> Well, you're right about one thing. You don't hear about viruses for OS/2 anymore.


Or software for OS/2 anymore... beejacon


----------



## broken_g3 (Jun 27, 2008)

Atroz said:


> That is NOT connected when the malware strikes.
> 
> Just thought I'd throw that in since some people seem to think backups are safe but don't realize they can be erased by malware or an accident.


True- thanks for pointing that out. To be safe, I guess a rule of thumb would be not to connect your external hard drive at any time from March 31st to April 2nd, 2009, just in case the worm is timed to go off according to another time zone.



EvanPitts said:


> Or software for OS/2 anymore... beejacon


I actually had a computer wiz back in university help me out with OS/2 by running a project called ODIN on it. This hacked the OS and allowed it to natively run Win32 APIs. Last I saw him in 2004, he managed to get Office 2000 running on OS/2 Warp 4. Though not actual OS/2 software, you can still teach an old dog new tricks. And as far as I know, StarOffice is still available, as well as Netscape...


----------



## fjnmusic (Oct 29, 2006)

broken_g3 said:


> True- thanks for pointing that out. To be safe, I guess a rule of thumb would be not to connect your external hard drive at any time from March 31st to April 2nd, 2009, just in case the worm is timed to go off according to another time zone.


Yup. This is exactly why I have no problem paying more for a Mac computer and OS X operating system that just _works_. Sometimes the wanna-be competitor products like Windows are cheaper for a reason. You get what you pay for. But all you folks out there who wanna pride yourself on how much you saved by buying a PC enjoy that three day down time. 

For what it's worth, I predict absolutely nothing will happen on April _Fools'_ Day. It is fun to see everyone get riled up though.


----------



## broken_g3 (Jun 27, 2008)

fjnmusic said:


> For what it's worth, I predict absolutely nothing will happen on April _Fools'_ Day. It is fun to see everyone get riled up though.


Who knows. Maybe it's a cruel "joke" to be played, maybe we'll be flashed another "O RLY" owl.


----------



## DR Hannon (Jan 21, 2007)

I am sorry, but saying that there are no viruses for Macs is just not true. I received this one the other week and man was I upset.

"Amish 'Honour System' Computer Virus"


You have just received the Amish Virus. Since we do not have electricity or computers, you are on the honour system. Please delete all of your files.

Thank thee.
:clap::heybaby:


----------



## SINC (Feb 16, 2001)

DR Hannon said:


> You have just received the Amish Virus. Since we do not have electricity or computers, you are on the honour system. Please delete all of your files.
> 
> Thank thee.
> :clap::heybaby:


What I can't figure out is what this thread about a PC worm is doing in the "Anything Mac" forum. It should be deleted forthwith too.


----------



## The G3 Man (Oct 7, 2008)

DR. Hannon = :lmao::lmao::lmao:


----------



## broken_g3 (Jun 27, 2008)

SINC said:


> What I can't figure out is what this thread about a PC worm is doing in the "Anything Mac" forum. It should be deleted forthwith too.


Macs are PCs, SINC. 

Personal Computer = Mac.


----------



## SINC (Feb 16, 2001)

broken_g3 said:


> Macs are PCs, SINC.
> 
> Personal Computer = Mac.


Of course you are technically correct, but the subject matter virus is threatening Microsoft PCs, not Mac, therefore it belongs anywhere but in Anything Mac.


----------



## broken_g3 (Jun 27, 2008)

SINC said:


> Of course you are technically correct, but the subject matter virus is threatening Microsoft PCs, not Mac, therefore it belongs anywhere but in Anything Mac.


It kinda relates to us... some of us are running Windows on our Macs, so this information could be quite helpful to them. For all we know, the worm could be programmed to format the entire hard drive, taking the HFS+ partition along with it.


----------



## fjnmusic (Oct 29, 2006)

broken_g3 said:


> Macs are PCs, SINC.
> 
> Personal Computer = Mac.


Perhaps someone should explain this to Steve Ballmer and the good people of Microsoft. At the moment, Canadians, Mexicans, Brazilians and Peruvians don't qualify as "Americans" either, although we all live on the North and South American continents.


----------



## broken_g3 (Jun 27, 2008)

fjnmusic said:


> Perhaps someone should explain this to Steve Ballmer and the good people of Microsoft. At the moment, Canadians, Mexicans, Brazilians and Peruvians don't qualify as "Americans" either, although we all live on the North and South American continents.


Calling everyone an "American" would not fit either- we are called "North Americans" or "South Americans", depending on which continent we live. Remember, they are two separate continents, but both named in honour of Amerigo Vespucci.


----------



## krs (Mar 18, 2005)

broken_g3 said:


> Remember, they are two separate continents, but both named in honour of Amerigo Vespucci.


I always wondered why we are taught in Canada and the US that North America and South America are two separate continents.
They are one land mass and really only have one name, America - there is no other continent called North........ and South........

It's also not clear to me where the dividing line is between North and South America - is Central America part of North America or part of South America or is this fictitious North/South American dividing line somewhere in Central America?


----------



## keebler27 (Jan 5, 2007)

krs said:


> I always wondered why we are taught in Canada and the US that North America and South America are two separate continents.
> They are one land mass and really only have one name, America - there is no other continent called North........ and South........
> 
> It's also not clear to me where the dividing line is between North and South America - is Central America part of North America or part of South America or is this fictitious North/South American dividing line somewhere in Central America?


krs, while I can't explain where the division is, I believe the north and south for the Americas came simply from being north or south of the equator with Central being centre of the equator. That's what I remember from geography.

hope that helps.

Cheers,
Keebler


----------



## bryanc (Jan 16, 2004)

broken_g3 said:


> Right now, MS is using Windows NT, which as I said before they stole from OS/2.


NT is built on VMS, not OS/2. Completely unrelated.

Cheers


----------



## krs (Mar 18, 2005)

keebler27 said:


> krs, while I can't explain where the division is, I believe the north and south for the Americas came simply from being north or south of the equator with Central being centre of the equator. That's what I remember from geography.
> 
> hope that helps.
> 
> ...


Definitely not the equator. That runs right through South America.


----------



## fjnmusic (Oct 29, 2006)

I always thought the Panama canal was the divider.


----------



## Gerbill (Jul 1, 2003)

broken_g3 said:


> ......Microsoft stole the idea for Windows NT from OS/2.....


Oh, really? And here was me thinking it was derived from VMS, a mainframe OS, just because Microsoft hired the main VMS programmer away from DEC to write it.


----------



## SINC (Feb 16, 2001)

fjnmusic said:


> I always thought the Panama canal was the divider.


The border is most commonly described as being the Panama/Colombia border with Panama being in North America.


----------



## EvanPitts (Mar 9, 2007)

broken_g3 said:


> Macs are PCs, SINC.
> 
> Personal Computer = Mac.


Actually not - if you want to get hard core about the term PC - then it can only apply to the earliest IBM 8088 based machines that had a five slot ISA backplane and a built in cassette interface. Nothing else is PC, in the absolute sense...


----------



## EvanPitts (Mar 9, 2007)

Completely WRONG!

Windoze NT *IS* OS/2. IBM and Microsoft co-developed OS/2 as the successor to older systems like MS DOS / PC DOS, and OS/2 was intended to be released at the same time as the IBM PS/2 computers. However, OS/2 development was plagued by the kitchen sink mentality, and the system was released in parts while memory prices were steep (upward of $800 per MB). An OS that needed 16 MB of memory wasn't going to find buyers - especially with the late release of the 386DX, and later, the often delayed release of the 486DX. OS/2 was not originally a GUI driven OS - that was to be part of the OS/2 Presentation Manager.

By the time OS/2 was usable, Microsoft had gone ahead with Windoze running on top of DOS - which meant that Windoze was usable on a greater number of existing machines than OS/2. Of course, by this time, IBM was in an all out war with Microsoft, with IBM continuing in-house production of OS/2, while Microsoft took their part and released Windoze NT.

Even though OS/2 and NT were derived from the same root, the usual circumstances of warfare dictate that each company work to make their product completely unusable by the other, and thus, software written for OS/2 would not run on NT and vice versa. IBM did try to make OS/2 "mainstream" in competition against the then new Windoze 95, but it would not be profitable, as the mass of the market was being shoved to 95; while OS/2 was relegated to the corporates who couldn't bear AS/400.

As for VMS - VMS was an OS designed for minicomputers, and was completely unsuitable for use on microcomputers. It just needed too many resources for the machines of the day. Neither MS or IBM took much advantage of VMS, especially avoiding such things as a properly secured file system with sysop imposed quotas on resources - something that was pollinated with UNIX, and hence, a system like OSX borrows more from VMS than either OS/2 or Windoze.

Of course, there were programmers that went from company to company, but in most cases, their contributions were slim. The main advantage in VMS was the handling of virtualized memory in a multi-user multi-tasking environment - something that was completely absent from the scheme MS uses (which uses "Swap files" that are nothing more than FCBs); but was better adopted by the Linux people as virtual swap drives. The use of VMS on a PC would suffer from the disadvantages of the Intel instruction set, where the processor imposes its own peculiar virtualizing methods with very poor implementation of GDTs/LDTs; though with enough clock cycles, modern implementations of OpenVMS tend to ignore Intel's cryptic ways of handling such matters, and does it on its own.

So OS/2 = Windoze NT; and only after the spate of lawsuits, did the products really spool off into their own; while VMS is a distinct beast, with OpenVMS being to VMS what Linux is to UNIX...


----------



## lily18 (Oct 5, 2008)

How exactly is this virus spread? The ol' email scam or file sharing?


----------



## Funkynassau (Apr 13, 2008)

Ok, please don't laugh at me. I am pretty new to Macs and have a G4 with OS 10.4 on it. Do I need to worry about this impending worm? I don't think I do, but want to be sure.

I have a PC with an up to date a/v program on it.

Thanks,
A Mac lover with not a lot of background...
Funkynassau


----------



## SINC (Feb 16, 2001)

Funkynassau said:


> Ok, please don't laugh at me. I am pretty new to Macs and have a G4 with OS 10.4 on it. Do I need to worry about this impending worm? I don't think I do, but want to be sure.
> 
> I have a PC with an up to date a/v program on it.
> 
> ...


Relax funky, it won't bother your Mac.


----------



## Atroz (Aug 7, 2005)

lily18 said:


> How exactly is this virus spread? The ol' email scam or file sharing?


#1 method would be through direct connections to Windows machines with a known vulnerability. This was patched back in October, but many people hadn't applied the patch. 

It also transfers through removable media (USB stick, hard drives), especially when the Windows machine has AutoRun turned on. As a file, it could also be transferred through email, etc.


----------



## krs (Mar 18, 2005)

SINC said:


> The border is most commonly described as being the Panama/Colombia border with Panama being in North America.


"most commonly" is right.

There doesn't seem to be a consistent definition of what constitutes North America - think about NAFTA for instance - North American Free Trade Agreement - but it only includes the three most northerly countries in the Americas.

Anyway - we are way off topic.


----------



## Funkynassau (Apr 13, 2008)

Thanks, Sinc, I am now relaxed 

Funkynassau


----------



## Adrian. (Nov 28, 2007)

SINC said:


> The border is most commonly described as being the Panama/Colombia border with Panama being in North America.


I suspect you are correct SINC. Some people consider Greenland as part of Europe. Wonky.


----------



## lily18 (Oct 5, 2008)

Atroz said:


> #1 method would be through direct connections to Windows machines with a known vulnerability. This was patched back in October, but many people hadn't applied the patch.
> 
> It also transfers through removable media (USB stick, hard drives), especially when the Windows machine has AutoRun turned on. As a file, it could also be transferred through email, etc.



Thanks. I'm wondering if our PC got the patch. Would there be any way to check? It's XP SP2 (and it's so useless that SP3 won't install. Since July, every time the computer shuts down it says "installing automatic updates" shortly followed by a fail error message). It's eventually going in the trash though; my mom wants an iMac :clap:


----------



## Atroz (Aug 7, 2005)

lily18 said:


> Thanks. I'm wondering if our PC got the patch. Would there be any way to check? It's XP SP2 (and it's so useless that SP3 won't install. Since July, every time the computer shuts down it says "installing automatic updates" shortly followed by a fail error message). It's eventually going in the trash though; my mom wants an iMac :clap:


Sorry, but this is NOT a good sign. If your machine won't auto patch, it may be because of malware preventing it. Conficker does this. It may not be Conficker, but may still be a sign that your patches are not being properly applied and you may be vulnerable to other malware. 

Is the machine behind a firewall? 

There are ways of checking. Check with the Antivirus company websites, many of them have provided free checking tools for this malware.


----------



## bgw (Jan 8, 2008)

For a free PC firewall get ZoneAlarm. It might tell you if any malware is trying to phone home.


----------



## EvanPitts (Mar 9, 2007)

lily18 said:


> How exactly is this virus spread? The ol' email scam or file sharing?


Neither, since it isn't a virus, but a trojan. One has to navigate to the appropriate web site that is rigged with it, where it downloads "an important system update", places itself on the drive with the name svchost.exe (which is a program that Windoze uses), then makes a randomly named copy of itself, and installs itself as a DLL. It does this by taking avantage of a flaw in the way Windoze updates itself.

As for the results - there is lots of hype, but mostly, this worm will attempt to navigate to whatever sites you use and punches in passwords from a set list of about a hundred very weak passwords. If you use a weak password, then your e-mail or whatever can be exploited, by which the crackers will then purloin your e-mail in order to send out gobs of spam. If you do not have weak passwords, perhaps the worst thing is that "SVCHOST.EXE" ends up robbing 98% of your CPU in order to keep trying sites, once it has connected to the mothership to access a larger list of passwords.

There is not evidence that it will "wipe out your hard drive" or "make your monitor explode" - it will simply attempt to turn over all of your accounts that have weak passwords - so that they can spam even more people with endless spam about viagra/cialis, or whatever.

Two variants were quashed, but the patch enabled a third variant to become profuse. Fixing the third variant makes the system open to the original two variants; and since the performance reduction of the third variant is so pronounced, it is best to rid oneself of the first two (which are both smaller and harder to detect) than the third, which is a bit unwieldly (I have seen it drag a Core i7 Quad to a crawl yesterday, and I mean a crawl).

The third variant can be discerned by using a Find utility to look for SVCHOST.EXE, and any file with that name that is not in a directory called \SYSTEM32\ is the beast. If it is there, you will need to have the appropriate anti-viral to remove it, since it will have spawned off into a randomly named DLL file.

It can be passed by any media that is "autoloaded", especially if the preexisting and widely spread rootkit "Automatic Infant" is on the system, which makes spreading the beast easy-peasy. If one has all autoloading turned off, and takes care to avoid "Automatic Infant", it comes down to only one vector for infection, and that is to visit a site, click on an icon that downloads the executable trojan, and that the system also automatically runs anything that is downloaded. It can only infect a system through e-mail by the same means, by automatic or inadvertent execution of the trojan.

Unlike Windoze, there are no other OSes that automatically run arbitrary code - so a degree of social engineering would be required to trick the user into running it, or for a user to do anything as Admin and using weak (or no) passwords at all.


----------
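The check described above (any SVCHOST.EXE that is not under \SYSTEM32\ is suspect) can be automated. This is an added example, not code from the thread or from any of the posters; it only reports paths, it does not delete anything, since the post itself says removal needs a proper anti-virus tool. It goes slightly beyond the post: on 64-bit Windows a legitimate copy also lives in SysWOW64, and the WinSxS component store holds versioned copies, so those two directories are treated as legitimate as well. The Windows root path and the sample file list are assumptions for the offline test.

```python
"""Report copies of svchost.exe found outside the directories Windows installs it in."""
import os
from pathlib import PureWindowsPath
from typing import Iterable, List

# Sub-directories of the Windows folder that legitimately contain svchost.exe.
# The post names only \SYSTEM32\; SysWOW64 and WinSxS are added here (assumption:
# 64-bit Windows and the component store both hold legitimate copies).
LEGITIMATE_DIRS = ("system32", "syswow64", "winsxs")


def is_suspicious_svchost(path: str, windows_root: str = r"C:\Windows") -> bool:
    """True when `path` is a file named svchost.exe that sits somewhere it should not."""
    p = PureWindowsPath(path)
    if p.name.lower() != "svchost.exe":
        return False  # not the file we are looking for
    parts = [s.lower() for s in p.parts]
    root_parts = [s.lower() for s in PureWindowsPath(windows_root).parts]
    # A copy anywhere outside the Windows folder is the beast.
    if parts[: len(root_parts)] != root_parts:
        return True
    # Inside the Windows folder, the first sub-directory must be a known location
    # (a copy directly in C:\Windows, or under Temp, is suspicious).
    below_root = parts[len(root_parts):-1]
    return not below_root or below_root[0] not in LEGITIMATE_DIRS


def find_suspicious(paths: Iterable[str], windows_root: str = r"C:\Windows") -> List[str]:
    """Filter a list of file paths down to the suspicious svchost.exe copies."""
    return [p for p in paths if is_suspicious_svchost(p, windows_root)]


def scan_tree(top: str, windows_root: str = r"C:\Windows") -> List[str]:
    """Walk a directory tree (run on the Windows machine itself) and apply the check."""
    hits = []
    for dirpath, _dirs, files in os.walk(top):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_suspicious_svchost(full, windows_root):
                hits.append(full)
    return hits


if __name__ == "__main__":
    # Constructed sample listing; only the first and last two are out of place.
    sample = [
        r"C:\Windows\svchost.exe",
        r"C:\Windows\System32\svchost.exe",
        r"C:\Windows\SysWOW64\svchost.exe",
        r"C:\Windows\WinSxS\x86_microsoft-windows-services-svchost_1.0\svchost.exe",
        r"C:\Windows\Temp\SVCHOST.EXE",
        r"C:\Documents and Settings\user\svchost.exe",
    ]
    for hit in find_suspicious(sample):
        print("suspicious:", hit)
```

On a live machine, `scan_tree(r"C:\")` does the walk the post describes with a Find utility; the path comparison is case-insensitive because Windows file names are.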



## fjnmusic (Oct 29, 2006)

Thanks, Evan. This information will be very helpful to my Windoze brethren (I've already passed it on).  :clap:


----------



## RC51Pilot (Mar 26, 2004)

EvanPitts said:


> Unlike Windoze, there are no other OSes that automatically run arbitrary code - so a degree of social engineering would be required to trick the user into running it, or for a user to do anything as Admin and using weak (or no) passwords at all.


Well the spread through Vista should hopefully be minimized with the use of Windows Defender. It generally asks if you want to "Cancel or Allow" similar to OS X. Of course, this can be disabled.

I'm actually looking forward to booting my Macs into Vista tomorrow morning just to see what the fuss is all about


----------



## EvanPitts (Mar 9, 2007)

fjnmusic said:


> Thanks, Evan. This information will be very helpful to my Windoze brethren (I've already passed it on).  :clap:


It's really something that Mac users do not have to worry about so much - since OSX by default does not allow for the arbitrary execution of codes, nor does the system automatically run files whenever it pleases. Of course, the configuration can be changed, and as such, becomes a real vulnerability for a subset of OSX users, especially if they are agreeable to install any "driver" some Tajikistan web site tells them they need to watch some "hot video".

It is good to make Windoze users aware of such things, and even though I detest Windoze (it is the worst OS I have ever had to use), there are some people that are really stuck with it. Scanning is important, especially with keychains (which are the main vector for Conficker). Attacks of this sort can easily be "ported" to the Mac world, since it is a socially engineered attack rather than an actual virus - so it is a good idea for Mac users to be aware that having things automatically open or run is just a bad idea.


----------



## EvanPitts (Mar 9, 2007)

RC51Pilot said:


> Well the spread through Vista should hopefully be minimized with the use of Windows Defender. It generally asks if you want to "Cancel or Allow" similar to OS X. Of course, this can be disabled.
> 
> I'm actually looking forward to booting my Macs into Vista tomorrow morning just to see what the fuss is all about


The problem with Vista is the Cancel or Allow is so annoying, most people shut it off.

Plus, a web site, cunningly designed, can con a user into actually hitting fake "Cancel or Allow" buttons, but with the "Cancel" actually being the download and run function. Of course, if Vista's Cancel or Allow is on, the fake web site will reveal itself, because it will get stuck in a loop of trying to install something that can't be installed. But since 90% of Vista machines have Cancel or Allow shut off - and that most Windoze machines are not Vista anyways - well, it is a veritable plague of what amounts to be the dumbest possible way of collecting email addresses for spam purposes imaginable.

Not only does this thing require virtually no actual security settings, it also requires the target machine to have a user that has some of the weakest passwords known - since Conficker only tries about 100 weak passwords - but if it strikes the lotto - then the games begin, especially when it tries to send five e-mails per second, and sucks all of the life out of the CPU and Internet like no tomorrow. (And that is another advantage of OSX, since such a request would bring up Mail, and wait for you to approve and send the messages - while Windoze will do it automagically)...


----------



## lily18 (Oct 5, 2008)

Atroz said:


> Sorry, but this is NOT a good sign. If your machine won't auto patch, it may be because of malware preventing it. Conficker does this. It may not be Conficker, but may still be a sign that your patches are not being properly applied and you may be vulnerable to other malware.
> 
> Is the machine behind a firewall?
> 
> There are ways of checking. Check with the Antivirus company websites, many of them have provided free checking tools for this malware.


I checked and SP 3 was installed, although I'm not sure when. But still, the automatic updates are not going through. The machine uses Windows firewall; is a 3rd party one better?


----------



## bgw (Jan 8, 2008)

lily18 said:


> I checked and SP 3 was installed, although I'm not sure when. But still, the automatic updates are not going through. The machine uses Windows firewall; is a 3rd party one better?


Third party firewalls give you more control. ZoneAlarm will, annoyingly, announce every program trying to use your internet connection (both in and out). Through it you can set rules for each program, eventually reducing the annoyance factor. On a couple of occasions in the past on my Win 95 machine (yes I've had one!) a strange program would start calling out to the web. ZoneAlarm told me which program or process it was and where it was trying to connect to. With the name of the process I could root the sucker out and erase it. I could also then go into the registry and delete all related references to the malicious code. In essence I could remove the trojan/virus/malware manually.

Later I got really sophisticated about these Windows related problems and reduced my machine maintenance to near zero; I started buying and using Macs.


----------



## Gerbill (Jul 1, 2003)

EvanPitts said:


> Completely WRONG!
> 
> Windoze NT *IS* OS/2. IBM and Microsoft co-developed OS/2 as the successor to older systems like MS DOS / PC DOS, and OS/2 was intended to be released at the same time as the IBM PS/2 computers. However, OS/2 development was plagued by the kitchen sink mentality, and the system was released in parts while memory prices were steep (upward of $800 per MB). An OS that needed 16 MB of memory wasn't going to find buyers - especially with the late release of the 386DX, and later, the often delayed release of the 486DX. OS/2 was not originally a GUI driven OS - that was to be part of the OS/2 Presentation Manager.
> 
> ...


Maybe not quite "completely" wrong. Here's what Wikipedia has to say about NT development:



> Microsoft decided to create a portable operating system, compatible with OS/2 and POSIX support and with multiprocessing in October 1988.[1] When development started in November 1989, Windows NT was to be known as OS/2 3.0,[2] the third version of the operating system developed jointly by Microsoft and IBM. In addition to working on three versions of OS/2, Microsoft continued parallel development of the DOS-based and less resource-demanding Windows environment. When Windows 3.0 was released in May 1990, it was eventually so successful that Microsoft decided to change the primary application programming interface for the still unreleased NT OS/2 (as it was then known) from an extended OS/2 API to an extended Windows API. This decision caused tension between Microsoft and IBM and the collaboration ultimately fell apart. IBM continued OS/2 development alone while Microsoft continued work on the newly renamed Windows NT. Though neither operating system would immediately be as popular as Microsoft's MS-DOS or Windows products, Windows NT would eventually be far more successful than OS/2.
> Microsoft hired a group of developers from Digital Equipment Corporation led by Dave Cutler to build Windows NT, and many elements of the design reflect earlier DEC experience with Cutler's VMS and RSX-11. The operating system was designed to run on multiple instruction set architectures and multiple hardware platforms within each architecture. The platform dependencies are largely hidden from the rest of the system by a kernel mode module called the HAL (Hardware Abstraction Layer).
> Windows NT's kernel mode code further distinguishes between the "kernel", whose primary purpose is to implement processor and architecture dependent functions, and the "executive". This was designed as a modified microkernel, as the Windows NT kernel does not meet all of the criteria of a pure microkernel. Both the kernel and the executive are linked together into the single loaded module ntoskrnl.exe; from outside this module there is little distinction between the kernel and the executive. Routines from each are directly accessible, as for example from kernel-mode device drivers.
> API sets in the Windows NT family are implemented as subsystems atop the publicly undocumented "native" API; it was this that allowed the late adoption of the Windows API (into the Win32 subsystem). Windows NT was one of the earliest operating systems to use Unicode internally.


----------



## fjnmusic (Oct 29, 2006)

I notice Facebook seems to be making users jump through hoops today.


----------



## bgw (Jan 8, 2008)

fjnmusic said:


> I notice Facebook seems to be making users jump through hoops today.


Is there any reason or rhyme to it? I'm not a Facebook user.


----------



## fjnmusic (Oct 29, 2006)

I suspect they're just being extra cautious and make you log in again every time you refresh your page.


----------



## bgw (Jan 8, 2008)

fjnmusic said:


> I suspect they're just being extra cautious and make you log in again every time you refresh your page.


That, I doubt, will prevent Conficker!


----------



## csonni (Feb 8, 2001)

It's April 1 on our end of Canada with nothing to report.


----------



## Adrian. (Nov 28, 2007)

csonni said:


> It's April 1 on our end of Canada with nothing to report.


Ditto.


----------



## Adrian. (Nov 28, 2007)

> BOSTON (Reuters) - A malicious software program that has infected millions of computers could enter a more menacing phase on Wednesday, from an outright attack to a quiet mutation that would further its spread.
> Computer security experts who have analyzed the Conficker worm's code say it is designed to begin a new phase on April 1, and while it's unclear whether it will unleash havoc or remain dormant, its stubborn presence is rattling businesses with multimillion-dollar budgets to fight cyber crime.
> Conficker, believed to reside on 2 million to 12 million computers worldwide, is designed to turn an infected PC into a slave that responds to commands sent from a remote server that controls an army of slave computers known as a botnet.
> "It can be used to attack as well as to spy. It can destroy files, it can connect to addresses on the Internet and it can forward your e-mail," said Gadi Evron, an expert on botnets who helps governments protect against cyber crime.
> ...


----------



## eMacMan (Nov 27, 2006)

The fact that nothing happened yesterday in Australia & New Zealand shoulda been a clue.


----------



## EvanPitts (Mar 9, 2007)

^^^
Wikipedia is wrong, Windoze NT borrowed nothing from VMS - and if there was any borrowing, they didn't borrow any of the strengths or main features of VMS. If NT had, in fact, had any of the features of VMS, it wouldn't have sucked. Most of what the Evil Empire did was "borrow" things from UNIX, since Gates was part owner of SCO - and then implemented them in the most asinine way imaginable.

If NT had "borrowed" from VMS, it would have had such features as multi-user/multi-tasking (that doesn't need Citrix WinFrame to fake it out), a comprehensive Quota and Accounts system with full Username/Password logins (just like in Unix/Linux/OSX etc.), would have had proper virtualized memory (not just poorly constructed and resource wasteful FCB locked files borrowed from CP/M), and it would have had the strongest VMS feature of all, the best file system ever created.

It looks to me that someone has been trying to sanitize and rewrite what was in fact a very public war that erupted between IBM and M$, and perhaps the only "feature" that NT had over OS/2 was the fact that they coupled the Presentation Manager so closely to the OS that everyone was stuck with the PM, that and perhaps the fact that the Evil Empire built in the BIOS support that in IBM's world was going to be included in the ABIOS and CBIOS on the PS/2's that never really saw the light of day. All this warfare and attempts to create proprietary, resource eating systems just made these systems dinosaurs that had no real advantage - and opened the door for the porting of more modern concepts to computing, notably LINUX and the horde of other UNIXes.

The Evil Empire sucked a lot of people out of a lot of companies - but none of those acquisitions ever led to any improvements in the wares that the Empire sold, and it's been entirely downhill for M$ ever since their botched release of DOS 4.0...


----------



## krs (Mar 18, 2005)

eMacMan said:


> The fact that nothing happened yesterday in Australia & New Zealand shoulda been a clue.


There seems to be an indirect effect - many of my "Windows" friends decided not to turn on their PC today assuming their computer won't be compromised if it's not running on April 1st.


----------



## fjnmusic (Oct 29, 2006)

krs said:


> There seems to be an indirect effect - many of my "Windows" friends decided not to turn on their PC today assuming their computer won't be compromised if it's not running on April 1st.


That's funny. As though the trojan hasn't already been sitting idle for several months. Just because nothing happens on April 1 does not mean that a problem does not exist. And Evan spelled out the solution quite simply too, methought.

Simple test: if you can connect to MicroSoft.com, your computer is probably not affected.


----------



## bgw (Jan 8, 2008)

It could be that this malware put the date of April 1 in as a deception. This trojan is sophisticated, such that the experts are having a hard time fully working out what is going on with it. Just because the first has passed doesn't mean the danger has passed. It maybe that the trojan is relatively benign and is designed stealthily to make money through spam or information hijacking and it will never overwhelm your machine or the internet. It may collect information off your hard drive and forward it to some quiet but sinister organization that will make a single purchase on your credit card or do a single bank transfer _not_ on your behalf.


----------



## krs (Mar 18, 2005)

fjnmusic said:


> That's funny. As though the trojan hasn't already been sitting idle for several months. Just because nothing happens on April 1 does not mean that a problem does not exist. And Evan spelled out the solution quite simply too, methought.
> 
> Simple test: if you can connect to MicroSoft.com, your computer is probably not affected.


"That's funny"..................I agree, but it shows you how many people think!

On the other hand - this is a problem:

"your computer is *probably* not affected"

There is a lack of definitive and specific information about this worm.

Why did you include the word 'probably'?
Is that simple test not a definite indication that your PC is not infected with this worm?


----------



## fjnmusic (Oct 29, 2006)

krs said:


> "That's funny"..................I agree, but it shows you how many people think!
> 
> On the other hand - this is a problem:
> 
> ...


I use the word "probably" because I am no expert, but it is a simple test I've read about for PC users to find out whether they have the latest Service Pack upgrade or whatever they call them in the Windows world.


----------



## bgw (Jan 8, 2008)

The post conficker media reports are surfacing. Take this one in Computer World.



> The malware makers who crafted Conficker must be extremely disappointed, a security expert said today, and not because the Internet didn't come crashing down as some of the wildest speculation had predicted.
> 
> "All of their work has gone for naught," said Alfred Huger, vice president of development for Symantec Corp.'s security response team, referring to the hackers who created the Conficker worm.
> 
> ...


I, for some reason, a gut feeling maybe, suspect that the real action is just beginning. However the action will be quiet and financially painful.


----------



## EvanPitts (Mar 9, 2007)

^^^
The one machine we left running with it did spend the day attempting to phone home, but it kept crashing out when the Conficker trojan attempted to download 500 web pages at the same time. It didn't appear to be a very good trojan at all, it struggled with even the easiest of passwords, and was quite confused because it couldn't find the DLL files it depends on because they were over on D: - and Conficker doesn't do D:.

Even if it wasn't up to much, it would be irritating just because Exploder is not even a champion when it comes to rendering a single web page, let alone 500 of them. They ended up with problems at my girlfriend's workplace, but not because of Conficker, but because their "techie" attempted to install a number of different virus scanners on their server. Once they all attempted to run automagically at midnight - the server went down in a massive crash during the night, so that they couldn't do anything in the morning. So if Conficker was designed to freak people out, con them into doing stupid things like running McAfee's at the same time as AVG, Sophos and Norton - then it did its job.

But as far as a trojan goes - bah, humbug. It was more exciting to take over someone's prompt in the old days, go debug and have the system reboot forever. In fact, it was more fun hacking a Xerox DocuCenter than watching Conficker prove that Windoze is not up to the task of loading multiple pages at the same time - but none of that is as fun as watching traffic webcams in Korea or Japan - man, that's just nuts...


----------



## broken_g3 (Jun 27, 2008)

bgw said:


> For a free PC firewall get ZoneAlarm. It might tell you if any malware is trying to phone home.


My IT people tell me ZoneAlarm is useless. According to them, the free version is just as good as the Windows Firewall, won't really do much more. We have a heavy-duty corporate firewall at our office, and that is what I am using on my ThinkPad right now.


----------



## gordguide (Jan 13, 2001)

This came from Slashdot, but points to a different site that is dedicated to stopping the worm. It's a Conficker Worm "Eye Chart" that links to URLs blocked by the worm. If you can see all of the page and you are not behind a proxy, chances are the worm is not installed. Details are on the same page in case there is any confusion as to what to look for.


----------
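The "eye chart" above, and fjnmusic's simpler "can you reach microsoft.com" test a few posts earlier, both rest on the same idea: the worm blocks access to security-vendor and Microsoft sites, so compare a control site that should always be reachable against a set of sites the worm is known to block. The script below is an added example, not code from the eye chart site or from anyone in the thread. The domain list is constructed from the vendors named in this thread (Microsoft, Symantec, McAfee, AVG, Sophos, Norton) and the control domain is an assumption; the name-resolution step is injectable so the classification logic can be exercised offline with a fake resolver.

```python
"""Reachability 'eye chart': control domain vs. domains the worm is known to block."""
import socket
from typing import Callable, Dict, Optional, Tuple

# Constructed sample lists (assumption: vendor sites named in the thread).
SECURITY_DOMAINS = (
    "www.microsoft.com",
    "www.symantec.com",
    "www.mcafee.com",
    "www.avg.com",
    "www.sophos.com",
    "www.norton.com",
)
CONTROL_DOMAINS = ("www.example.com",)  # assumption: a site the worm has no reason to block

Resolver = Callable[[str], Optional[str]]


def resolve_with_socket(host: str) -> Optional[str]:
    """Real resolver: the address for `host`, or None when resolution fails."""
    try:
        return socket.gethostbyname(host)
    except (socket.gaierror, OSError):
        return None


def classify(results: Dict[str, Optional[str]]) -> str:
    """Turn per-domain resolution results into one of four verdicts.

    no-connectivity : even the control domain fails, so the test says nothing
    clean           : control and every security domain resolve
    likely-blocked  : control resolves but no security domain does (the eye-chart pattern)
    partial         : some security domains fail; worth a closer look, not a verdict
    """
    control_ok = any(results.get(d) for d in CONTROL_DOMAINS)
    security_ok = [d for d in SECURITY_DOMAINS if results.get(d)]
    if not control_ok:
        return "no-connectivity"
    if len(security_ok) == len(SECURITY_DOMAINS):
        return "clean"
    if not security_ok:
        return "likely-blocked"
    return "partial"


def run_eye_chart(resolver: Resolver = resolve_with_socket) -> Tuple[str, Dict[str, Optional[str]]]:
    """Resolve every domain with `resolver` and return (verdict, raw results)."""
    results = {d: resolver(d) for d in CONTROL_DOMAINS + SECURITY_DOMAINS}
    return classify(results), results


if __name__ == "__main__":
    verdict, raw = run_eye_chart()
    for domain, addr in raw.items():
        print(f"{domain:20s} {addr or 'FAILED'}")
    print("verdict:", verdict)
```

As gordguide notes, the test is only meaningful when the machine is not behind a proxy: a proxy resolves names on the client's behalf, so the worm's hook on the local resolver never comes into play and a "clean" result proves nothing.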



## chas_m (Dec 2, 2007)

Man I'm glad I have never let Windows pollute any computer I've ever owned.


----------



## broken_g3 (Jun 27, 2008)

chas_m said:


> Man I'm glad I have never let Windows pollute any computer I've ever owned.


Usually, Windows is not that bad, all you have to do is not be stupid with it and you'll easily avoid like 98% of all viruses out there, with the majority of the remaining 2% being caught by anti-virus software. It starts with the user, and people who are irresponsible with their computers should probably not be using Windows. 

But this one is different. It is a new breed. You can be a very savvy user who does something as benign as plug in a USB drive, and before you can even scan it you are already infected. Microsoft patched up this one (the new infections come from, you guessed it, lazy and irresponsible users who failed to patch their computer), but the whole AutoRun thing just opens the door to more attacks in the future. I've had the feature disabled on my ThinkPad since I first heard about this.


----------

