One word…Linux.

Posted at 5:52 pm on Mar 30th, 2009 by tony

@tony

+1

Posted at 6:06 pm on Mar 30th, 2009 by happypinguin

Yeah, we scanned our fifty some odd hosts and found the one machine that was running Windows.

Posted at 6:22 pm on Mar 30th, 2009 by Eliot Phillips

it’s amazing that there are people able to figure this stuff out! i don’t understand!

but oh no, not another april fools computer problem to worry about.

Posted at 6:29 pm on Mar 30th, 2009 by planoaddlct

If rustock.c was propagated via a shellcode dropper engine we’d all be ‘ficked’. This is just a DLL that uses encrypted connections to lists of remote servers. It uses random file names and av locker stuff too, but it still loads off the native windows service tables.

I think vista and 7 DRM will eventually be cracked to load unsigned drivers allowing kernel mode rootkits to keep on trucking. Even if not userland stuff can still be just as dangerous, 64bit users aren’t protected either, you can get pass driver signing on SP2C x64 XP even from the shell, and you can still DDK a 64bit driver that hooks and moves around low level abstractions from device interrupts up to kernel tables.

The perfect malware would be kernel or user mode, either one+ a good threaded mutating packer+ a shellcode dropper using multiple++ vulnerabilities in native services such as tcip.sys server table checks(would allow infection even on dead ports SYN or whatever), and a lot low level file system and kernel table hooking.

The fast spreaders all use SMTP or shellcode droppers. Some of the email ones use browser vulnerabilities in the body, but that’s rare.

Posted at 6:44 pm on Mar 30th, 2009 by TJHooker

i can never understand the people that just mindlessly say ‘use linux’ to any sort of computer problem. depending on the user(s), doing a switch from windows to linux may solve security issues at the expense of user aggravation. i’ve been trying linux as a server OS and more recently as a workstation OS for ~4 years and i still get aggravated because of linux (used as a blanket statement to cover many things).

the root problem here is not conficker infected computers, it’s irresponsible/dumb/lazy/whatever people that don’t know anything about computer security, like antivirus software, patching, and common sense (like attachments, extensions, and so on). i’ve seen it so many time that people propose linux (or some other open source thing) to a problem while not ever evaluating the problem or seeing if linux is truly the best solution out there.

Posted at 6:55 pm on Mar 30th, 2009 by cornelius

Someone in the Slashdot comments mentioned an even simpler method than this one, just write a script to have each of your computers try to ping clamav or one of the other blacklisted av’s, of course you need enough access to be able to run the check, but for most admins I doubt that would be a problem.

Posted at 7:11 pm on Mar 30th, 2009 by Wolf

@cornelius

They don’t mindlessly say it. Some of the best computer users prefer linux systems because they are simply ‘better’ for most advanced users than windows; this is the same as people who think manual transmissions are ‘better’ than automatics.

if the users are too stupid (read: aggravated) to switch platforms, they shouldn’t be angry with the people who are smart enough to operate both.

It disgusts me that it takes a virus (wasting the person’s talent) to show that windows is not secure, no matter what you think.

Posted at 7:28 pm on Mar 30th, 2009 by Spork

Linux and its popular components of course are constantly patched to close vulnerabilities too, nothing is perfect.

Posted at 8:41 pm on Mar 30th, 2009 by Wwhat

This is what I hate about the stupid “online media” who seems to want to bash windows without checking sources.

THE PATCH FOR THE BUG THAT CONFICKER ATTACKS WAS RELEASED BEFORE CONFICKER CAME OUT.

Linux has had security holes before, and certainly some were exploitable–but most people using linux had them patched, and those who didn’t get them patched got lucky because virus authors don’t bother actually trying to hack linux for anything past proof-of-concept.

IT IS THE USER’S RESPONSIBILITY TO PATCH THEIR SYSTEM.

I don’t know how linux somehow inherently is more capable of getting a user to keep their system updated.

I don’t see how this report is anything new. After hearing about the conficker nonsense a while ago, I did a bit of research and apparently the “patch” conficker does is deliberately broken to allow conficker to reinfect the computer. It should have been fairly easy given the data in that report to make a program that did this.

Honestly, I’m really damn disappointed at hackaday and all the other online sources which seem to be going crazy over this little tiny virus that exists basically purely because of the fact that PEOPLE ARE STUPID.

Posted at 8:46 pm on Mar 30th, 2009 by threepointone

^ by the way, a couple of those phrases were meant to be in caps and screaming.

Posted at 8:46 pm on Mar 30th, 2009 by threepointone

how do you know if you have been infected…

Posted at 8:55 pm on Mar 30th, 2009 by Girrrrrrr2

@threepointone

“I don’t know how linux somehow inherently is more capable of getting a user to keep their system updated.”

Because generally linux users are not idiots (i’m not trying to be offensive here, let me explain).

Windows and many of it’s applications are made so that you can point the mouse and click the button that says something to make you happy and it does what ever the button said. Then when finished, most users don’t even turn the computer off.

Linux generally requires some knowledge to install (windows comes preinstalled) and configure, even if through some GUI type menu. Everything is not handed to you on a silver plate in linux, which means you are more likely to try and protect it. Also linux kernel updates are usually tested much more thoroughly than windows, because microsoft just needs to cover their own asses for legal purposes.

@girrrrrr2
Just click the link to the executable above then open a command prompt and type scanner (your computer name or IP or i think 127.0.0.1 will work)

Posted at 10:17 pm on Mar 30th, 2009 by Spork

Spork, you’re a terrible Linux troll. I mean that in the most pejorative way possible, and I frankly hope this helps you get your head out of your ass.

Some of the best users? Is that from your personal bank of made up on the spot statistics? I can show you a bunch of Linux professionals who know nothing to Windows and vice versa. OS choice is a preference OR need, not a direct correlation of your IQ. I’ve used both Linux and Windows system, enjoyed both. Linux has it’s use and so does Windows. Would I qualify myself more brilliant than you for using one OS or the other? No. I’d qualify myself more brilliant than you for knowing there’s purpose to both and that both can be very extensible, secure and complicated at their times.

An OS choice is nothing like a transmission type too. That’s a terrible analogy, as if you knew anything to different type of cars and car races, you’d know there’s a lot of automatic transmissions (the majority) that are more efficient than manual transmissions. A car computer is much more apt at switching gears than your slow and unreliable body.

Finally, you obviously and clearly know nothing of how Windows works under the pretty GUI, regarding your kernel comment.

And even then, I stay open-minded and always modest, as I know there’s always users who will know more on a topic than I.

Posted at 11:57 pm on Mar 30th, 2009 by thatuser

@threepointone

Despite I like to bash Microsoft everytime
possible just to piss off monkeys.
The real truth is that people make viruses
for the following reasons:

1) They want to prove that target system is
insecure.
2) They want to show off him-selves to a
restricted hacker group.
3) They don’t like the target system or
vendor, they only want to damage.
4) They really want to exploit systems
to make some $$.

So, given that, lets look to GNU/Linux:
1) and 2) The best way to do it on GNU/Linux
is to send a patch to bugzilla and post
it on the mailing list.
3) There are zilion variants of a
traditional GNU/Linux system making it
hard to infect them all using the same
method.
4) Here 3) also holds true. I can also
add that most of consumers running Linux
have higher level of expertise that average
billy joe running windows. To make this even
less unprofitable, there are not enough
consumer Linux boxens out there to justify
this claim.

So yes, we are perfectly secure running a
Linux box. But lets not all remember to
start using Linux at the same time or maybe
I’ll have to start closing ports and
taking paranoid precautions on my computers
in near future.

@cornelius

<>

If you guys don’t believe it, just google
for selinux and try to explain me what
would be the equivalent on a windows server.

Posted at 1:51 am on Mar 31st, 2009 by happypinguin

Situation and Question for the average user:

You are trying not to make some one pregnant or become pregnant yourself. At your disposal are condoms and birth control pills.

Do you:

a) Put on a condom once and never change it?

b) Take birth control one day and never again?

c) Both renew the condom and renew the birth control when sexual intercourse is engaged?

Compare that model to computers, replacing the penis with a virus, the uterus with a computer and the condoms/birth control with system patches and scanning tools.

Similarity?
Makes sense?
Yeah.. I think there is an educational gap in computer security for the average user.

Posted at 2:17 am on Mar 31st, 2009 by Louis II

if the windows users with unpatched machines that get infected all switched over to linux, they still wouldn’t patch their machines.

Posted at 2:48 am on Mar 31st, 2009 by dan

ahh, the age old battle of linux versus windows…

i prefer linux for most applications, particularly servers facing the cloud, but the truth is it is a predominantly windows world from a workstation point of view. why? mainly because most users simply want to use their computers and not spend their life administrating them.

that being said, louis ii’s analogy above is pretty dead on. the core issue is user education but unfortunately I can tell you from personal experience that the large majority of users either do not want to learn how to secure their systems or cannot be bothered to regularly run antimalware tools, even free ones.

why is this? perhaps there has not been a threat of sufficient magnitude to make them care. perhaps it is because the popular media and our educational system have manipulated people’s perceptions of those that are computer proficient to such a degree that it is uncool to be a ‘geek’ or a ‘nerd’.

as long as people think it is uncool to know what is going on under the hood of their systems, malware such as conficker will continue to propagate. unfortunately, microsoft is fueling this philosophy by further abstracting end users from the inner workings of their computers with successive releases of windows.

Posted at 3:21 am on Mar 31st, 2009 by numa

Additional question for the average user:

You are at an orgy where no one is required to have sex and nobody is required to have tests for STD’s to get in. You personally know 3 of the people there each have the STD’s “HIV”, “Herpes” and “gonorrhea”. You do not have any know STD’s. You don’t want to get any STD’s.

Given this bizarre situation do you:

a) jump right in?

b) jump right in with a condom (m/f types)?

c) watch with out exposing yourself?

A weird example, yes, but I think the point is clear:
Your body is like a computer and the orgy is like the internet.
If you want to be at tho orgy, but don’t want to get all the problems, it’s safer to not physically contact the participants.

If you run a computer on the internet and don’t want to get the virus problems out there, it’s safer to avoid using things you don’t need (like random exe files and claims of sexy pictures in your e-mail.)

Anyway… uhh.. *vanish*

Posted at 4:37 am on Mar 31st, 2009 by Louis II

but then I realized this virus is limited only to windows.

BAM UBUNTUNOOB HERE

:)

-james

Posted at 5:08 am on Mar 31st, 2009 by Man I WAS REALLY PARANOID

Hi,

Good article. Sophos’ Conficker removal tool can detect and remove all variants of the worm/virus.

As long as people run these tools it should stop any serious outbreak.

James

Posted at 5:37 am on Mar 31st, 2009 by James

I think that in concept conficker could be used for good instead of infecting millions of computers for some doomsday April 1 scenario but still the person or people who made it must be incredibly intelligent

Posted at 5:43 am on Mar 31st, 2009 by Jon Micheals

couln’t I just leave my computer off and unplugged april 1st if I have this worm?

Posted at 6:13 am on Mar 31st, 2009 by human

thank you guys who are actually talking about the /virus/ (read: topic)

i wish there was a better way to test for virus infections than downloading and running an exe from the internet

i guess if i’m hesitant enough about the test exec, i’m probably safe enough with my computer to not need it :]

Posted at 6:24 am on Mar 31st, 2009 by tr0nk

@human:

yes, that is all you need to do. Congratulations!

lazy bastard ;)

Posted at 6:26 am on Mar 31st, 2009 by andBeans

I’ve always thought that one of the most effective things a virus could do (if someone wanted to do something meaningful rather than just steal data) would be to pop up a message explaining that their computer is infected, here is how to remove it, oh and you may want to contact Microsoft about focusing more on security or possibly consider an alternative operating system.

Posted at 8:13 am on Mar 31st, 2009 by Robo

@robo:
I think there was a worm that did more than that, it actually fixed the security hole.

Posted at 10:25 am on Mar 31st, 2009 by jjrh

i did some reading and the dorky avg free and kasperskey and a few other anti virus programs allready have conficker in their database so if you kept your anti virus updated your safe!! but seriously if you cant take care of your computer and update it or even take care of it properley, some one should take it away from you, similar to cps. “knock knock, hello sir your too stupid to use the Internets were here to take your computer away.”

Posted at 12:08 pm on Mar 31st, 2009 by nick

@thatuser

I made the comparison to transmissions because manuals offer more control to the user. Automatics can be more efficient if tuned to the exact purpose of the car (like racing or stop and go traffic), and autos can be better all around because the “user” can shift according to the driving conditions at any given time.

I didn’t say that a users IQ was determined by their OS of choice, I said that people who solely use windows because it came installed and understand nothing about it are “stupid” and I meant that to be specific to computers, not in general. Many gardeners know a ton more about botany/gardening than I ever care to understand and I consider them smart, just not when it comes to computer use.

If you understood my comment from my point of view or at least not so egotistical to think that you know more than I just from a simple post, you would probably agree.

Posted at 1:29 pm on Mar 31st, 2009 by Spork

Conficker.A and Conficker.B can both be removed using free software like F-Secure’s Downadup removal software as well as bdtools which was made just for this. However Conficker.C has to be removed manually still. In just another day a fix will be made for it. You can view the Microsoft site for more information on how to remove this manually.

Posted at 2:09 pm on Mar 31st, 2009 by Conficker.C

Linux has user policies that effect processing and file system access out of the box. It also has stack protection.

On windows it’s called group policies and data execution prevention(or dep.) The two things the masses don’t use because of the inconvenience, and ms doesn’t enable by default because it restricts file access and messes up a lot of programs that use memory tricks(same thing happens on linux for the record.)

Linux uses mostly the same abstractions as windows does, it just gets fast patches because of source repositories and mailing lists(open source,) and as stated before has policies enabled out of the box.

The stack protection in windows is way better compared to propolice(openbsd) and what’s in fedora 10. None of them protect again non-stack memory corruption like heap overflows etc.

The silly little toys who say reformat or switch to [your distro here] are mindless consumers who don’t know the first thing about software engineering, debugging, or even the simple concept of thinking in abstract.

Next time you see a ‘brand new geek’ ask them how to compile a boot loader and 2.6 kernel to run on 16MB RAM..with high level user land packages for a desktop environment.

Geek culture is a marketing demographic symbolized by thick frame glasses and themed social order. The people actually writing what all the social bull shit is floating on top of are total rejects.. never mind the cheesy satire.

Let them drink starbucks..

Posted at 3:19 pm on Mar 31st, 2009 by TJHooker

tjhooker, wonderful post.

Not sure how much you’ve read about stack protection on non-windows systems, but ProPolice is -ONLY- the compiler based protection included with linux systems. Just like Microsoft’s “/GS” switch when compiling.

Other things like ‘libsafe’ help to protect against this (libsafe was ported to windows to protect against the same stack problems) as well as the implementation of non-executable address space in both windows and linux systems.

I’m not arguing that linux or windows is better, just saying that they both implement several different mechanisms to stop problems regarding the stack.

Just like to say that I scanned over 1200 windows clients on my domain today. All clean of this virus.

Posted at 3:59 pm on Mar 31st, 2009 by Spork

I crashed my Bicycle, I should have been using LinuX…

I gonna Punch those ConF*ckers right in the Nuttz…

Posted at 8:58 pm on Mar 31st, 2009 by Charlie

@spork: Yeah I didn’t think about propolice being a compiler extension. I know there is some level of protection on f10 and openbsd, but I forget what they are. I know the dep protection on windows does more advanced stuff with pointers and canaries than the ones on linux and bsd including compiler extensions like propolice for gcc. It’s in a lot of lengthy articles.

None of them protect against heap overflows though, and there are more algorithmic stack overflows and memory corruption variants they don’t protect against without using paging security from the CPU which is impractical with systems that implement 3rd party solutions not tailored to the architecture.

Malware that does shellcode droppers are a minority though. The most complex engines are using smtp engines I guess for rapid propagation. People still run attachments. I think I seen a few that did browser vulnerabilities from html bodys.

All the mutating packer code, kernel level hooking, and array of api hooking that went into rustock.c was wasted because they spread it via smtp.

Posted at 9:55 pm on Mar 31st, 2009 by TJHooker

TJhooker = Computer Genius !

Posted at 11:20 pm on Mar 31st, 2009 by Charlie

@TJHooker

you are wrong.
fedora 10 comes with selinux which (if used
properly) applies aggressive MAC policies.
even if you could get an heap overflow,
you could not make it executable due to
selinux policies.

there is also grsecurity’s pax that prevents
stack and heap memory corruption using memory flagging. it also does heap and stack
randomization.
(latest vanillas also do stack randomization
for free).

please read more about it before starting
misleading people.

Posted at 4:54 am on Apr 1st, 2009 by happypinguin

@happypinguing: I don’t recall giving specifics, so under what logic am I wrong? You actually regurgitated what I stated in your first paragraph.

I know about randomization and such, I read a credited article on shellcode attacks based on abstraction a long time ago, and it compared windows dep to stack defender, pro police, and selinux(platform irrelevant) etc..

dep does better randomization and predictions along with pointer tracking.

My overall point is that windows has equal or better security than linux, it’s just not enabled out of the box. You configure group policies and and enable dep a remote exploit has the same effect on windows as it does on openbsd 4.4 and fedora 10 default policies.

I agree microsoft is a big scary corporation with greedy licenses and anti-trust issues, but we live in a materialistic dog eat dog world, and they’re just doing better at screwing other people over than everyone else through ease of implementation and practicality.

Linux is nice and all, but try implementing it as a work station solution in a small-medium sized company and see how much it costs to manage and train around it. Most companies use it on backbones for this reason.

Posted at 5:19 am on Apr 1st, 2009 by TJHooker

@TJHooker

OK, I’m sorry. This paragraph from you
made me understand that you made no idea
what you were talking about (linux):

“The stack protection in windows is way better compared to propolice(openbsd) and what’s in fedora 10. None of them protect again non-stack memory corruption like heap overflows etc.”

Since propolice is “only” a compiler flag
and rather rudimentary mechanism (it
only prevents a limited set of
memory corruption attacks),
I tried to explain what more is available
to linux systems. :)

So, my “you are wrong” statement was regarding
the fact that Linux has indeed (with
specific, non-vanilla patches) stack and heap
memory corruption protection that is
contradictory to your quoted claim.

I really don’t know much about microsoft dep,
but I can tell for sure that linux pax
can take advantage of the NX bit and emulate
it in case it is not present in the
hardware, which seems pretty much what
dep do.

“dep does better randomization and predictions along with pointer tracking.”
It is not my interest or either I have the
means to verify this claim, so I’ll believe
it for now.

“My overall point is that windows has equal or better security than linux, it’s just not enabled out of the box”
What is it useful for then, if it is
disabled? :P
That’s the main problem. Sysadmins *CANNOT*
be uninstructed people. IMHO Microsoft is
guilty on this one for their OS for dummies.

Believe it or not, the same is happening on
the opensource community. With the
introduction of ubuntu (which was not bad
at all), I’ve started to see the SNR level of project’s mailing lists decreasing a lot.

“I agree microsoft is a big scary corporation with greedy licenses and anti-trust issues, but we live in a materialistic dog eat dog world, and they’re just doing better at screwing other people over than everyone else through ease of implementation and practicality.”

I’m not with you on this one. While our
economy is capitalism driven, most of us
don’t care.
While money is good for living I belive we
should not live for money.
I do computer sciences research for a living
and I *hate* microsoft for what it is been
doing for all this years. it killed a lot
of good projects (either by buying them or
by lawsuit flood).
I entirely believe that we would be way
ahead in research and technology if microsoft
wasn’t here.
Considering the company size, it was expected
that they produce more innovation, instead
of copying/cloning everything that moves.

“Linux is nice and all, but try implementing it as a work station solution in a small-medium sized company and see how much it costs to manage and train around it. Most companies use it on backbones for this reason.”
Indeed.
I don’t think “linux is for everyone” (TM)
either.
I love linux because it oversimplifies
(as in methodology) software research.
I could tell you a lot of jokes about
colleagues of mine spending a lot of time
doing things on windows that would be done
in a matter of seconds using a few bash lines
on linux, like copy pasting unformatted data
to excel one-by-one at hand : \

It was nice to talk with you all,
thanks for your time.

Posted at 6:05 am on Apr 1st, 2009 by happypinguin

i use free pirated windows xp sp2 fresh install without any update since 24 December 2006, no antivirus installed just some security & performance tweak using various softwares. why im not infected? why i never get virus infection? i tried online scan few days ago,yet no virus detected…can someone tell whats wrong with my windows?

Posted at 8:38 am on Apr 1st, 2009 by kulup

@kulup

surf

more

porn

Posted at 11:17 am on Apr 1st, 2009 by andBeans

@happypinguin: Both windows and linux use custom allocators and/or nx bit on all the above mentioned solutions. SELinux has it enabled out of the box, and NT SP2+ systems have it through optional dep.

What selinux calls heap protection is a allocator algorithm. Basically a sort algorithm that works with frames. Simple shellcode payloads are defeated by it, but allocators have been around since the nineties and continue to be defeated through trampoline techniques and such. there have been a lot of xor allocators defeated through trampolining of native processes and tables both on linux and windows.

I guess technically it is protection, but I didn’t give that credit to windows either, windows just has better randomization and obscurity.

The software emulation of nx bit on both platforms are also allocators that just flag frames.

You might know something I don’t. I don’t monitor the innovations that much. I just know it’s not effecting my work and I have 9x and nt installs over and almost a decade old now. reformatting is like buying a new car when a battery needs replaced.

I’ve been a fan of openbsd for a long time and use it exclusively on servers and some laptops. I have about the same level of security on my nt machines as I do my thinkpad with an anally retentive configured openbsd 4.4 install on it. If people don’t have restrictions on processing and file systems the system is going to get hit hard even on top of perfect code and hardware.

Posted at 2:55 pm on Apr 1st, 2009 by TJHooker

I Stand by TJhooker and what he says makes since..

Pinguin… Your wrong and thats why you got fired from your last job…

Posted at 6:57 pm on Apr 1st, 2009 by Charlie

Yea Happy “feet” Pinguin. What is your problem dude? your totally in the wrong about that..
Jeez,You got fired Man?

Posted at 12:44 am on Apr 2nd, 2009 by jimslipper

This is crazy ! why is this happening!

Posted at 12:48 am on Apr 2nd, 2009 by spacebob

@Charlie @jimslipper

I didn’t even enter the job market yet.
Like I said, I do research at the
University and I’m very well paid.

Maybe you both quited from University? : \

PS: I don’t usually reply to morons,
specially when I’m under a fake alias and
have nothing to defend about myself.
But, you both need to see that nothing is
what it looks like.

Posted at 7:57 am on Apr 2nd, 2009 by happypinguin

@ “happy”pinguin

lol dude take your midol

Posted at 10:13 pm on Apr 3rd, 2009 by nick

@TJHooker

http://blog.trendmicro.com/flaw-in-windows-vista-aslr-implementation/

Posted at 11:29 am on Apr 15th, 2009 by happypinguin

Hi there, I found you via Google searching for general herpes info and your site came up, thanks.

Posted at 5:06 pm on Jul 12th, 2009 by Lindy Maynard

Actually NMAP have a feature to detect conficker infected PC

Posted at 8:05 am on Jul 19th, 2009 by Vinoth