Conficker worm aka skynet


seemingly random

Diamond Member
Oct 10, 2007
Originally posted by: Joemonkey
Originally posted by: Demon-Xanth
Originally posted by: seemingly random
Since it's april 1 somewhere in the world right now, it seems that the question can now be answered.

March has 31 days.

OK, so what about now?
We're not looking at this correctly. Common sense doesn't fit into the news cycle...
 

sygyzy

Lifer
Oct 21, 2000
Originally posted by: Modelworks
Originally posted by: Gunbuster
So why can't they monitor what it's checking for timesync and then forge the responses to set off the thing and find out where it will pull new instructions from? Then just DDOS that site.


It uses some 50,000 sites and creates hundreds more randomly on a daily basis. Time is pulled from websites like Google, Yahoo, Facebook via the normal browsing experience. Blocking major sites like that would be impractical. That is why the creator(s) probably chose that method.

It is also using RSA encryption to protect its code and SSL to protect the data it sends/receives.

Are you sure about your statements? From the whitepaper:

Unlike the domain generation algorithm, which retrieves a GMT value from remote hosts, this new check is performed against the host's clock. Computers that have their clock set to a future time will already try to download updates.
 

nobody554

Senior member
Jan 21, 2006
Originally posted by: sygyzy
Originally posted by: Modelworks
Originally posted by: Gunbuster
So why can't they monitor what it's checking for timesync and then forge the responses to set off the thing and find out where it will pull new instructions from? Then just DDOS that site.


It uses some 50,000 sites and creates hundreds more randomly on a daily basis. Time is pulled from websites like Google, Yahoo, Facebook via the normal browsing experience. Blocking major sites like that would be impractical. That is why the creator(s) probably chose that method.

It is also using RSA encryption to protect its code and SSL to protect the data it sends/receives.

Are you sure about your statements? From the whitepaper:

Unlike the domain generation algorithm, which retrieves a GMT value from remote hosts, this new check is performed against the host's clock. Computers that have their clock set to a future time will already try to download updates.

Also from the whitepaper (page 11)

In a first step, a public web-site is queried in order to get a response that includes the current time based on GMT. Conficker.A and .B randomly contact one of the following web-sites:
- baidu.com
- google.com
- yahoo.com
- msn.com
- ask.com
- w3.org
Conficker.C uses three more web-sites in addition to those above:
- facebook.com
- imageshack.us
- rapidshare.com
Selecting such high profile websites as these for time synchronization makes it almost impossible for system defenders to simultaneously disable all target time sources in a co-ordinated effort.
 

Modelworks

Lifer
Feb 22, 2007
Originally posted by: sygyzy
Originally posted by: Modelworks
Originally posted by: Gunbuster
So why can't they monitor what it's checking for timesync and then forge the responses to set off the thing and find out where it will pull new instructions from? Then just DDOS that site.


It uses some 50,000 sites and creates hundreds more randomly on a daily basis. Time is pulled from websites like Google, Yahoo, Facebook via the normal browsing experience. Blocking major sites like that would be impractical. That is why the creator(s) probably chose that method.

It is also using RSA encryption to protect its code and SSL to protect the data it sends/receives.

Are you sure about your statements? From the whitepaper:

Unlike the domain generation algorithm, which retrieves a GMT value from remote hosts, this new check is performed against the host's clock. Computers that have their clock set to a future time will already try to download updates.


Two checks. The first is for generating domains, taken off the HTTP header. The second check, for updates to the program, is taken off the host clock. There is also a CMP instruction that takes place; nobody is sure of the result until tomorrow.

With most malware you know what its aim is and what it is going to do: steal passwords, delete files, redirect you to a site. This one really has not done anything yet except infect and create dummy sites. It just seems to quietly sit in the background spreading itself.
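The whitepaper excerpt and Modelworks' "two checks" post both turn on one detail: the date that drives domain generation is GMT taken from a web server's HTTP Date header, while the update check reads the host's own clock. The following is an added example (not code from this thread, the whitepaper, or Conficker itself) that parses such a header, shows why Sydney and New York reach the trigger date at the same instant, and includes a defender-side skew check for hosts whose clock runs ahead of the server's time; the header value is a constructed sample.

```python
# Added example: GMT date from an HTTP Date header vs. the host's local date,
# plus a defender-side clock-skew check. SAMPLE_HEADER is constructed data.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime


def _server_time(date_header: str) -> datetime:
    """Parse an RFC 1123 Date header into an aware UTC datetime."""
    dt = parsedate_to_datetime(date_header)
    if dt.tzinfo is None:  # "-0000" parses as naive; treat as UTC
        dt = dt.replace(tzinfo=timezone.utc)
    return dt.astimezone(timezone.utc)


def gmt_date_from_header(date_header: str):
    """Calendar date (UTC) carried by the header; this is what a
    header-driven domain generator keys on, regardless of host time zone."""
    return _server_time(date_header).date()


def local_date(host_clock_utc: datetime, utc_offset_hours: int):
    """Calendar date the host itself displays in the given time zone."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    return host_clock_utc.astimezone(tz).date()


def clock_skew_seconds(host_clock_utc: datetime, date_header: str) -> float:
    """Seconds the host clock is ahead of the web server's reported time.
    A large positive value flags a host that would act on a future date."""
    return (host_clock_utc - _server_time(date_header)).total_seconds()


SAMPLE_HEADER = "Tue, 31 Mar 2009 23:30:00 GMT"  # constructed sample header


def demo():
    true_now = _server_time(SAMPLE_HEADER)
    return {
        "gmt_date": gmt_date_from_header(SAMPLE_HEADER),
        "sydney_date": local_date(true_now, +11),   # AEDT: already 1 April
        "new_york_date": local_date(true_now, -4),  # EDT: still 31 March
        # host clock deliberately set two days ahead
        "skew_future_host": clock_skew_seconds(true_now + timedelta(days=2),
                                               SAMPLE_HEADER),
    }
```

Both Sydney and New York hosts see the same GMT date from the header, so a header-driven trigger fires everywhere at once rather than "Australia first"; only the host-clock check differs per machine.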


 

spidey07

No Lifer
Aug 4, 2000
Originally posted by: Modelworks


Two checks. The first is for generating domains, taken off the HTTP header. The second check, for updates to the program, is taken off the host clock. There is also a CMP instruction that takes place; nobody is sure of the result until tomorrow.

With most malware you know what its aim is and what it is going to do: steal passwords, delete files, redirect you to a site. This one really has not done anything yet except infect and create dummy sites. It just seems to quietly sit in the background spreading itself.

And I've said all along that when we get a worm that works over SSL for its payload/instructions we're screwed. This is one nasty little ah heck.
 

will889

Golden Member
Sep 15, 2003
Originally posted by: seemingly random
Originally posted by: will889
Here's an updated McAfee Stinger tool for Conficker.

Just ran this on a PC with Vista. It crashed while scanning an .iso file. Also, the drive had many files - 100k+.

Interesting - I used it along with some F-Secure apps -- with one Vista install and 3 XP installs today (clients) and no issues. I hope you had a backup?
 

Triumph

Lifer
Oct 9, 1999
Originally posted by: nobody554
From here.

Your first step should be the tools you already have: Windows Update, to make sure your computer is fully patched, and your current antivirus software, to make sure anything that slips through the cracks is caught.

But if Conficker's already on your machine, it may bypass certain subsystems and updating Windows and your antivirus at this point may not work. If you are worried about anything being amiss -- try booting into Safe Mode, which Conficker prevents, to check -- you should run a specialized tool to get rid of Conficker.

So all I have to do to check and see if I have it, is to try and boot in safe mode? That's easy enough, no more work for me! I haven't been on Windows Update in about 6 years.
 

Modelworks

Lifer
Feb 22, 2007
Originally posted by: Triumph


So all I have to do to check and see if I have it, is to try and boot in safe mode? That's easy enough, no more work for me! I haven't been on Windows Update in about 6 years.


I hope the PC you are using is not on a network. Not patching any OS for long periods of time, like years, is really asking for trouble.
 

Triumph

Lifer
Oct 9, 1999
Originally posted by: Modelworks
Originally posted by: Triumph


So all I have to do to check and see if I have it, is to try and boot in safe mode? That's easy enough, no more work for me! I haven't been on Windows Update in about 6 years.


I hope the PC you are using is not on a network. Not patching any OS for long periods of time, like years, is really asking for trouble.

So is that a yes to the safe mode thing?
 

seemingly random

Diamond Member
Oct 10, 2007
Originally posted by: will889
Originally posted by: seemingly random
Originally posted by: will889
Here's an updated McAfee Stinger tool for Conficker.

Just ran this on a PC with Vista. It crashed while scanning an .iso file. Also, the drive had many files - 100k+.

Interesting - I used it along with some F-Secure apps -- with one Vista install and 3 XP installs today (clients) and no issues. I hope you had a backup?
Sorry, that was grammatically vague. The stinger app crashed - no data loss.
 

archcommus

Diamond Member
Sep 14, 2003
Is there anything in particular normal users should do to prepare for this nasty little ah heck tomorrow?
 

JackBurton

Lifer
Jul 18, 2000
We'll see how tomorrow goes. We're up to date on all our Windows patches (we've been patched for this particular security hole for a long time), AV up to date, and everyone is running with limited user rights.
 

GTaudiophile

Lifer
Oct 24, 2000
Well, all seems to be well in Australia, Japan, etc.

I'm sure they would start to see the effects of Conficker first.
 

Acanthus

Lifer
Aug 28, 2001
ostif.org
Originally posted by: GTaudiophile
Well, all seems to be well in Australia, Japan, etc.

I'm sure they would start to see the effects of Conficker first.

It could be going by GMT or a certain time zone.