
Conficker worm aka skynet


seemingly random

Originally posted by: Demon-Xanth
Originally posted by: seemingly random
Since it's April 1 somewhere in the world right now, it seems that the question can now be answered.

March has 31 days.
My mistake. For some reason I thought today was the end of march.

So when can we expect to know results on the East Coast of the U.S.?
 

Crono

Originally posted by: seemingly random
Originally posted by: Demon-Xanth
Originally posted by: seemingly random
Since it's April 1 somewhere in the world right now, it seems that the question can now be answered.

March has 31 days.
My mistake. For some reason I thought today was the end of march.

So when can we expect to know results on the East Coast of the U.S.?

12:01 AM EDT April 1st.
 

Joemonkey

Our security team is going crazy over this thing... be interesting to see what happens
 

seemingly random

Originally posted by: Crono
Originally posted by: seemingly random
Originally posted by: Demon-Xanth
Originally posted by: seemingly random
Since it's April 1 somewhere in the world right now, it seems that the question can now be answered.

March has 31 days.
My mistake. For some reason I thought today was the end of march.

So when can we expect to know results on the East Coast of the U.S.?

12:01 AM EDT April 1st.
Almost clever.

We'll have results from pc's located closer to the international dateline much sooner.
 

Joemonkey

Has anyone moved their date ahead to April 1st on an affected computer to see what happens? Or do the websites not go live until then as well?
 

seemingly random

Originally posted by: Joemonkey
Has anyone moved their date ahead to April 1st on an affected computer to see what happens? Or do the websites not go live until then as well?
Hopefully there are others willing to play guinea pig. I was wondering about setting mine back a few days until the dust settles, but MS Windows doesn't like this a bit.

I hope antivir successfully detects it since that's what I'm using.
 

Modular

So should we all shut our computers down tonight? And never turn them back on again!?
 

Jeff7

Originally posted by: GTaudiophile
We're all going to get a BSOD that says, "Help! I am stuck in Chinese fortune cookie factory!"
Lucky numbers: STOP 0x38E974B2

 

Modelworks

Originally posted by: destrekor
On April 1st, all infected PCs will display a flashing text window stating "APRIL FOOLS!!!!111oneone"

and then the world will enter into panic, awaiting what comes next. And then nothing. For years. If ever.

That would be a hilarious virus. :D

It is going to re-direct everyones browser to "You have won a free iPod ,"
 

Duddy

It's going to upgrade everyone to Windows 7 instantly and everything will turn out better than expected.
 

FelixDeCat

Cornflickers?

Cabals?

I've never heard of this crap until today! :|

Next thing you know we will be at war with the Sulabon Cabal. :moon:
 

zinfamous

Originally posted by: James Bond
Originally posted by: ElFenix
so what does this all mean?

There are hundreds of thousands of PCs around the world infected. At this moment, they are all standing by.

On April 1, they begin querying botnet websites for further instructions.

Anyone's guess, at that point. Could be bad.

maybe it will just be one giant Rickroll?
 

zinfamous

Originally posted by: seemingly random
Since it's April 1 somewhere in the world right now, it seems that the question can now be answered.

someone played an early April fool's prank on you, didn't they? :p
 

seemingly random

Originally posted by: zinfamous
Originally posted by: seemingly random
Since it's April 1 somewhere in the world right now, it seems that the question can now be answered.

someone played an early April fool's prank on you, didn't they? :p
Uhhh yeah, that's it...
 

Kadarin

Originally posted by: Joemonkey
Has anyone moved their date ahead to April 1st on an affected computer to see what happens? Or do the websites not go live until then as well?

From what I've been reading about conficker, it's smarter than that. It checks well-known sites online to check current time/date, rather than relying on the system clock.
 

spikespiegal

Question:

Can this bug infect a machine where the user doesn't have local admin rights and the box is patched?

If the above answer is "no", then why should I care when all the corporate networks I work on disable local admin shares and don't allow local admin rights under penalty of death?
 

octopus41092

Sept. Chinese hackers begin selling a $37 malware kit designed to tap a newly-discovered security hole in a component of Windows, called RPC-DCOM, which enables file and print sharing. RPC-DCOM is built into all PCs of Windows XP vintage and earlier, some 800 million machines worldwide.

:D
 

vi edit

Originally posted by: spikespiegal
Question:

Can this bug infect a machine where the user doesn't have local admin rights and the box is patched?

If the above answer is "no", then why should I care when all the corporate networks I work on disable local admin shares and don't allow local admin rights under penalty of death?

We got screwed when a vulnerable machine got infected and somebody signed into it with admin rights at the domain level not knowing it was infected. Once the admin rights authenticated it executed the virus and then replicated out to any machine accessible by that domain account. For us that was 250 machines at a time since we had vendor supplied universal support accounts that were compromised.

We found that if one machine was compromised, then any machine able to be logged in by that account was vulnerable regardless of patches and antivirus. We patched all servers back in October when this thing hit the streets. We didn't get infected until the end of February when one machine in our application environment went down with it.

This bug creates so much domain traffic that it was pegging domain controllers at 100% and bringing domain services down. It also captures account logins and tries randomly signing into the domain accounts. Since it doesn't know the password it just keeps trying resulting in locked out accounts over and over again. And you are totally screwed if it grabs a domain level service account and locks that out.
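The lockout storm vi edit describes leaves a usable trail: when one host fails too many logons against many accounts, the PDC emulator logs a lockout event per account (4740 on Server 2008, 644 on Server 2003) that names the "Caller Computer Name" the attempts came from, so grouping those events by caller points at the infected box. The Python below is an added example of that detection, not vi edit's code and not anything from the worm. The log lines are constructed and simplified to one line per event rather than the real event XML, the 10-minute window and threshold of 3 are assumed starting values, and the `svc_` naming convention for service accounts is an assumption to adjust for your own domain.

```python
"""Added example (not vi edit's code, not the worm's): find the host behind
a burst of domain account lockouts.

One lockout event per locked account is logged on the PDC emulator
(4740 on Server 2008, 644 on Server 2003) naming the caller computer.
Many distinct accounts locked from one caller inside a short window is the
signature of password guessing from that machine. The log lines below are
constructed and simplified to one line per event; a real export needs a
parser for the event XML/CSV instead of this regex."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample: timestamp, event ID, locked account, caller computer.
LOG = """\
2009-03-31T08:00:02 4740 TargetUserName=jsmith CallerComputerName=WKS-0412
2009-03-31T08:00:05 4740 TargetUserName=svc_backup CallerComputerName=WKS-0412
2009-03-31T08:00:09 4740 TargetUserName=mlee CallerComputerName=WKS-0412
2009-03-31T08:00:11 4740 TargetUserName=vendor_support CallerComputerName=WKS-0412
2009-03-31T08:05:40 4740 TargetUserName=pgray CallerComputerName=LAPTOP-17
2009-03-31T09:30:00 4740 TargetUserName=jsmith CallerComputerName=WKS-0412
"""

LOCKOUT_EVENT_IDS = {"4740", "644"}
SERVICE_ACCOUNT_PREFIXES = ("svc_",)   # assumed naming convention, adjust per domain

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>\d+) TargetUserName=(?P<user>\S+) "
    r"CallerComputerName=(?P<caller>\S+)$")


def parse_lockouts(text):
    """Return [(timestamp, account, caller)] for lockout events in the sample format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("event") not in LOCKOUT_EVENT_IDS:
            continue
        events.append((datetime.fromisoformat(m.group("ts")), m.group("user"), m.group("caller")))
    return events


def lockout_sources(events, window=timedelta(minutes=10), threshold=3):
    """Return {caller: {"accounts": [...], "service_accounts": [...]}} for each
    caller that locked out >= `threshold` distinct accounts inside any sliding
    `window`. A single user re-locking themselves never trips the threshold;
    many different accounts from one caller in minutes does."""
    by_caller = defaultdict(list)
    for ts, account, caller in events:
        by_caller[caller].append((ts, account))

    flagged = {}
    for caller, items in by_caller.items():
        items.sort()                                   # chronological per caller
        for i, (start, _) in enumerate(items):
            in_window = {acct for ts, acct in items[i:] if ts - start <= window}
            if len(in_window) >= threshold:
                accounts = sorted({acct for _, acct in items})
                flagged[caller] = {
                    "accounts": accounts,
                    # Locked service accounts are the outage risk the post warns about.
                    "service_accounts": [a for a in accounts
                                         if a.startswith(SERVICE_ACCOUNT_PREFIXES)],
                }
                break
    return flagged


if __name__ == "__main__":
    for caller, info in lockout_sources(parse_lockouts(LOG)).items():
        print(f"{caller}: locked {len(info['accounts'])} accounts "
              f"(service accounts: {info['service_accounts'] or 'none'})")
```

Run against the sample, WKS-0412 is flagged for four distinct accounts in nine seconds (one of them a service account) while LAPTOP-17, with a single lockout, is not; in practice you would isolate the flagged caller first and only then start unlocking accounts, or the worm just relocks them.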
 

ultimatebob

Originally posted by: Crono
Originally posted by: ElFenix
so what does this all mean?

It sounds like war. Good guys versus bad guys.
http://lastwatchdog.com/debate...oning-hom-april-fools/

The Microsoft-led group of defenders, known as the "Conficker Cabal", has been locking down many of these domains so the bad guys cannot use them to send instructions to infected PCs. Though Microsoft did not invite SecureWorks to be part of the Cabal, Stewart says that the Cabal ought not be underestimated.

I hope the magicks of Microsoft's wizards will be enough to defend us.
All praise the Cabal.

When will virus producers learn... if you give the IT guys a few weeks to prepare for an attack, they'll be ready for you!

That's why Melissa, Code Red, and SQL Slammer were so effective... most people didn't see those coming!
 

ViRGE

Originally posted by: Joemonkey
Our security team is going crazy over this thing... be interesting to see what happens
Why? There have been plenty of botnet worms before that do the exact same thing. Why is everyone in such a tizzy over this one?
 

Modelworks

Originally posted by: ViRGE
Originally posted by: Joemonkey
Our security team is going crazy over this thing... be interesting to see what happens
Why? There have been plenty of botnet worms before that do the exact same thing. Why is everyone in such a tizzy over this one?

Really because of how smart this one is. There really has never been anything like it.
I was laughing about it earlier comparing it to Skynet, but I have been reading some tech papers on it. The thing is very well done. I would love to meet the programmer.
This was not written by some script kiddie. Whoever did this has some serious skills.

They released a tech paper that goes into detail on how it works.
http://www.honeynet.org/files/KYE-Conficker.pdf


Some examples:

Spreads via usb memory sticks.

People know about the date check of April 1st. You would think you could just set your clock forward and trigger it. No. It gets the date from the net. And not from a time server. But instead from sites like facebook, yahoo, google, MSN. It uses the time in the HTTP header.

It also runs inside other processes so it is hard to find. All the user sees is svchost. It checks to see if it is running inside a virtual machine so that people have to use a full OS install to debug it. Uses SSL to encrypt communication and signs itself with RSA.

Tomorrow is going to be interesting.
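Kadarin's post and Modelworks' list both mention the same trick: the worm takes the date from the Date: header of an HTTP response from a big site, so the local clock is irrelevant. The Python below is an added example of that check, not code from the honeynet paper and not the worm's own; it also shows the flip side that answers Joemonkey's question about winding the clock forward: if the sample cannot be fooled by the system clock, an intercepting proxy in an isolated lab can lie to it on the wire by rewriting the Date header. The responses are constructed, nothing connects to the network, and the trigger date is the April 1st the thread is about.

```python
"""Added example: deciding 'is it April 1st yet?' from an HTTP Date header
rather than the system clock, and rewriting that header the way a lab proxy
would to fire the check early. All responses are constructed samples."""
from datetime import date, datetime, timezone
from email.utils import format_datetime, parsedate_to_datetime
from typing import Optional

TRIGGER_DATE = date(2009, 4, 1)   # activation date discussed in the thread

# Constructed responses, not captures from the sites named above.
SAMPLE_BEFORE = (b"HTTP/1.1 200 OK\r\n"
                 b"Date: Tue, 31 Mar 2009 23:59:00 GMT\r\n"
                 b"Content-Length: 0\r\n\r\n")
SAMPLE_AFTER = (b"HTTP/1.1 200 OK\r\n"
                b"date: Wed, 01 Apr 2009 04:01:00 GMT\r\n"   # header names are case-insensitive
                b"Content-Length: 0\r\n\r\n")
SAMPLE_NO_DATE = b"HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n"


def http_date_from_response(raw: bytes) -> Optional[datetime]:
    """Return the server's Date header as an aware UTC datetime, or None.

    Only the header block (up to the first blank line) is read; the body is
    ignored. A missing or unparseable header yields None rather than falling
    back to the local clock, which is the whole point of the technique."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:          # [0] is the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"date":
            try:
                dt = parsedate_to_datetime(value.decode("ascii", "replace").strip())
            except (TypeError, ValueError):       # garbage value: treat as absent
                return None
            if dt.tzinfo is None:                 # e.g. "-0000" parses as naive
                dt = dt.replace(tzinfo=timezone.utc)
            return dt.astimezone(timezone.utc)
    return None


def activation_due(raw: bytes, trigger: date = TRIGGER_DATE) -> Optional[bool]:
    """True once the server's date reaches `trigger`, False before it, None when
    there is no usable Date header. The system clock is never consulted."""
    remote = http_date_from_response(raw)
    if remote is None:
        return None
    return remote.date() >= trigger


def rewrite_date_header(raw: bytes, when: datetime) -> bytes:
    """Replace (or add) the Date header so the response claims `when`.

    This is what an intercepting proxy in an isolated lab does to trigger a
    network-time check early, since changing the guest's clock does nothing."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    stamp = format_datetime(when.astimezone(timezone.utc), usegmt=True)
    kept = [l for l in lines[1:] if not l.lower().startswith(b"date:")]
    return b"\r\n".join([lines[0], b"Date: " + stamp.encode("ascii")] + kept) + sep + body


if __name__ == "__main__":
    for label, sample in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER),
                          ("no Date", SAMPLE_NO_DATE)):
        print(f"{label:8s} remote={http_date_from_response(sample)} due={activation_due(sample)}")
    forged = rewrite_date_header(SAMPLE_BEFORE, http_date_from_response(SAMPLE_AFTER))
    print(f"forged   due={activation_due(forged)}")
```

The March 31 response gives False and the April 1 response True regardless of what the machine running this believes the date is; a response with no Date header gives None, so a real check would just try the next site. Forging the header on the pre-trigger response flips it to True, which is why sandboxes that want to see the post-trigger behaviour intercept HTTP rather than touch the clock.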