Jump to content

Talk:Conficker/Archive 2

Page contents not supported in other languages.
From Wikipedia, the free encyclopedia
Archive 1Archive 2

April 1st activation

http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html Seems like it would be of major importance.--205.202.243.5 (talk) 13:27, 24 March 2009 (UTC) (Jakezing)

April Fool's Day? That would be interesting to watch because sometimes I get a feeling that the payload threat may be a planned joke. Whatever happens, keep up the citation search when the whatever developments surface [sic]. --Marianian (talk) 07:55, 31 March 2009 (UTC)
This information seems to have spread like the proverbial wildfire. Even with many major news organizations and the like reporting on this, I still cannot help but think there is something fishy about this date.
Ignoring the fact that April 1st bears the unfortunate and annoying tradition of April Fool's Day, it seems as though a lot of users have seen the effects of a so-called payload from this little bug.
There is also no mention of the date in the article itself, which would appear suspicious when you think of this information as such widespread "fact". - Evil oatmeal (talk) 20:02, 31 March 2009 (UTC)
April Fool's Day is mentioned right in the very first sentence. And the 6th paragraph. And the next one. And the second to last. ~ 68.36.101.128 (talk) 06:50, 1 April 2009 (UTC)
There is only one mention of the date in the article as far as I can tell. I still say this reminds me of the panic before Y2K, which had nowhere near the gruesome effects people "speculated" into existence ("My computer is going to explode!" "Toasters will try to kill you!" and so on). Now I'm not saying this thing is harmless, I'm just thinking that it might be wise to wait and see instead of making crazy assumptions about a payload that hasn't even been delivered yet. —Preceding unsigned comment added by Evil oatmeal (talkcontribs) 10:53, 1 April 2009 (UTC)
Conficker activated today and is awaiting instructions, so it did activate on April 1st, the only question now is what will it do Kilshin (talk) —Preceding undated comment added 17:01, 1 April 2009 (UTC).
How.. how can you contest that it only mentions the date once? I just pointed out four places. Is if really that hard to do a search for "April" to see where it is? :[ ~ 68.36.101.128 (talk) 21:43, 1 April 2009 (UTC)
A search for "April" within the text only yields two (previously one) results, one is "April 1st" and the other is "April 2nd" somewhere towards the end. But I was really just perplexed by the way the date was referencing news articles. The notes have been changed now to point to something else. - Evil oatmeal (talk) 13:37, 6 April 2009 (UTC)

Why can't it be disabled everywhere just by doing this?

The thing phones home on April 1. That IP address MUST be in the code somewhere. Even if it's encrypted, the decrypt code can be extracted and executed. If we know the IP, the FBI or INTERPOL or someone can go to that physical location and shut it down--maybe even catch the information cockroach who wrote it. You can find the physical location by (at very least) following the elecrtrical signal to the destination. If the IP is not yet active, then the backbone net could be instrumented to disable it when it becomes active, compute the physical location, and alert the cops.

In fact, why don't they just put a packet sniffer and datascope on the network cable in back of the machine amd set the PC's realtime clock to April 1?

What obvious factor am I missing here? All I can figure is that somehow the ee-ville Darkside asshole figured out a way for the program to generate the correct IP, but not allow a step-through debug to function. And I don;t see how that's possible in an FSM. TechnoFaye Kane 07:37, 28 March 2009 (UTC)

There is no IP address in the code. It'll generate random domain names, perform DNS lookups on them, and try to connect. The author only has to register one of 500,000 domain names at some date after April 1st, and the worm will find it. It also doesn't use the PC's clock to get the time - it uses the Date header of HTTP responses. Corsix (talk) 17:06, 28 March 2009 (UTC)

My understanding is that it has a list of 50,000 domains, many of which are already registered to legitimate companies. I believe strong encryption is used to encrypt this list as well as seeds to the algorithm that will pick out which ones to attempt to contact on April 1, 2009. So, it's not as simple as you suggest. And it will attempt to contact all from that list. —Preceding unsigned comment added by 67.188.222.12 (talk) 17:16, 28 March 2009 (UTC)

There is no static list at all. The pool of 50000 names is generated with a PRNG using the current date as a seed. This ensures that every copy of the worm generates the same names. The worm then uses the system random number generator to pick which 500 of those to try for that day.
The domain-generation algorithm has been reverse-engineered. Anti-malware groups regularly register some of these domain names and set up webservers on them to monitor the spread of the worm. That is where they get their population estimates from.
Encryption is used mainly to protect the payloads, which are signed with the authors' 4096-bit RSA private key. The worm carries a copy of the public key and will discard payloads which don't verify. This means that the worm cannot be hijacked by having one of those domains serve a self-destruct payload.
78.46.104.168 (talk) 05:10, 30 March 2009 (UTC)

Corsix is right. It's a huge list--I believe ICANN has already started working on ensuring that none of those possible domain names will be allowed to be registered. It is not even close to as easy as getting IP addresses these days--if you haven't noticed yet, hackers/virus writers these days are ridiculously sophisticated and organized at these things. The guy(s) who wrote this almost certainly already have control over a botnet, or knows people who have control over a botnet. Chances are, they'll send a command over the botnet (chances are, the command hops over a couple of computers, maybe delayed, so that there's no feasible way to track where it originated from), which will tell a remote computer to register a domain name under a credit card # / ID that they stole from somewhere else and to set it up. Then, of course, the web server is hosted under another computer in the botnet. I'm fairly certain that it's not really possible to track them down without maybe reinfecting every computer that's part of a botnet and putting some reverse tracking code that spies on where commands come from. 131.215.166.97 (talk) 12:43, 29 March 2009 (UTC)

Wow, all of these IP users with knowledge. you all should create an account :p Sephiroth storm (talk) 12:00, 31 March 2009 (UTC)
Why are we even talking about this here? I thought talk pages are not forums. MuZemike 21:43, 31 March 2009 (UTC)
That seems kinda ironic-conficker is basically a giant botnet in and of itself now! I'm nervous to see what it's used for...and I actually hope to get a copy of it! I use linux, so my friend (who got infected) can give it to me safely. Maybe if people analyzed it more and learned in more detail what it does and how to prevent it, we wouldn't have as big a scare! Demosthenes2k8 (talk) 00:17, 2 April 2009 (UTC)

I guess the reason for the confusion is the fact the article almost omits the use of PRNG to generate pseudo-random domain names. If I'm not mistaken this information was present on older versions of this page, should we re-add it?124.170.132.2 (talk) —Preceding undated comment added 02:05, 24 April 2009 (UTC).

will the Conficker virus be an computer killer type of virus

if i was an computer virus expert, i would keep an big close eye on this virus to see if it will destory the computer's programming/motherboard/cpu/memory from the inside like the older generations of computer virus---Boutitbenza 69 9 (talk) 22:50, 31 March 2009 (UTC)

So far, Conficker appears, to me, the AIDS of computer viruses... Regardless, is this leading to discussions on improvement of the article? If not, just remember that this isn't a discussion of Conficker itself. Just the article--Unionhawk (talk) 23:15, 31 March 2009 (UTC)
There is no virus that magically destroys your hardware. That's impossible. The design of the hardware in itself prevents that.74.251.42.193 (talk) 06:42, 1 April 2009 (UTC)
What they may be referring to is CIH? That wiped a part of BIOS, so to most users that would be effectively a destruction of the machine, although an actual physical one (like halt and catch fire, or poke of death), I don't know of any of those for modern x86 architecture Jinniuop (talk) —Preceding undated comment added 23:01, 2 April 2009 (UTC).
Well i heard it can over load the circuits —Preceding unsigned comment added by 67.52.248.218 (talk) 14:27, 3 April 2009 (UTC)

Theoreticly it makes sense, if something literally overloaded a computer to the point that it generated too much heat and caused a proble, but most computers have safety mechanism's to prevent damage to components in the case of heat issues. Sephiroth storm (talk) 14:40, 3 April 2009 (UTC)

Conficker April 1st Joke

Many lead to believe that Conficker is April 1st joke. By the way ficker in german means F****er. Livecrunch (talk) 04:31, 1 April 2009 (UTC)

Neither of my computers have been infected (at least not yet) and no one has been franticly screaming in the street (at least not yet), I am starting to think that this is a joke.--Duffy2032 (talk) 04:37, 1 April 2009 (UTC)
Well, people have most definitely been infected with Conficker. Whether it does anything... Honestly, I'm just waiting for 1000 pop up windows with Rick Rolls and "April Fools" in yellow font and flashing magenta background to pop up. -- 204.112.157.26 (talk) 06:43, 1 April 2009 (UTC)
"flashing magenta background" That gonna cause seizures. I wounder if u changed the date on your computer to April 2nd would it still activate? Kirbyroth(to lazy to sign in xD) 67.52.248.218 (talk) 14:29, 1 April 2009 (UTC)

Right now it may seem that all it is is some april 1st joke but all the effort the author of this virus put into it to make it hard to remove and how it updates I don't think that all its going to do is make a bunch of pop ups. Its possible that it is a joke but the effort that had to be put in to make the virus makes me think that it is for something it is possible that the virus is having trouble finding the update it needs to download. Another possibility is that this is a deliberate tactic if the author of the virus were to wait to update the virus until next week when no one cares and just think that it is a joke it would be a perfect way to catch people off guard. Codeman177 (talk) 14:17, 1 April 2009 (UTC)

Well, it's so far just making computers vunerable to other viruses... That's sometihng.--Unionhawk (talk) 16:01, 1 April 2009 (UTC)
Um, yah...according to MSNBC, the virus is real, but ET has not phoned home...yet...Also, changing the date will NOT work. Montgomery' 39 (talk) 19:58, 1 April 2009 (UTC)
yeah, I think it's safe to say this was all a joke. At least, the April 1 launch part...--Unionhawk (talk) 15:06, 3 April 2009 (UTC)
I don't think that its a joke it did update to make itself harder to remove and it also mad it harder to find the author although it didn't cause mayhem on the internet it is still out there waiting for an instruction from its author and that could be days, weeks, or even months until we see that. Yes it could be a joke and as it seems right now it is just a joke however if I had gone to the trouble of writing a virus that can disble all security features on a systems, block websites that could aid the user in removing the virus, and wrote a domain name generator that can generate 50,000 domains per day, I would not make it one big joke. I think that the author of this virus is just waiting until everyone has either forgot about the virus or moved on to a more concerning problem, like possibly the hole in powerpoint that they found today. Codeman177 (talk) 19:47, 3 April 2009 (UTC)
I just added that to the article. It may need a better source, but, you guys can handle that, right?--Unionhawk (talk) 20:03, 3 April 2009 (UTC)

conficker versus conflicker

Can someone tell me what is the right spelling? All sorts of outlets call it "conflicker" while some will go back and forth in the same article from conficker to conflicker 69.205.97.220 (talk) 18:22, 1 April 2009 (UTC)

I would assume (in part intentional?) misspelling since "ficker" means "f***er" in English.--The Magnificent Clean-keeper (talk) 18:29, 1 April 2009 (UTC)

And it's not "configure" + "ficken", it's "con" + "f*cker", the German thing is just part of the joke. This is a dumb April Fools' joke. The worst is that some major websites bought it... and a few of them are playing along. Ridiculous.

Well obviously not, considering that it had a nasty scare last year, and it's been talked about on hacking sites for a while now. This is a very real and dangerous threat. Demosthenes2k8 (talk) 00:22, 2 April 2009 (UTC)
If it is a joke, it's a highly sophisticated one.. encrypted payloads to protect against hijacking? inbuilt P2P like system? PRNG generated update mechanism? I was pretty amazed when I read about this virus, and I've read about a number before. It seems way too much effort for the end payload to just be some prank. Jinniuop (talk) —Preceding undated comment added 23:05, 2 April 2009 (UTC).

But... what on earth does it /do/?

The article tells me that this worm is an ace at propagating/protecting itself, but what the heck is its mission? The article seems to say nothing about the actual damage it does (other than the incidental [to propagate/protect itself] opening of security holes etc). Does it trash data? Or send spam? Or ddos? Or spy? Or phish-host? Or clickbot? Or what?
Also, the article says it downloads binaries ("payloads" eh?), but doesn't say anything about what it does with those. Someone fix it please. -- Fullstop (talk) 21:38, 1 April 2009 (UTC)

So far it simply seems to be a dangerous annoyance; it disables/prevents anti-spyware/virus programs and/or Windows components. Yes, it does seem extremely sophisticated in how it protects & spreads itself. No one knows what its true purpose is, but I presume it's going to be impressive when the real payload hits. - insidious420 —Preceding unsigned comment added by 208.207.43.2 (talk) 21:59, 1 April 2009 (UTC)
My understanding (which is rudimentary at best) from reading this article, it's references, and other various sources is that the worm is an attempt to "move" or "create" domain names. Meaning, that if you had a domain called IamBill.com, it could move that domain to something like 157A83.com. It appears that not much happened over the April 1 date, but apparently many techs are still concerned over the future abilities of this virus/worm. Mainstream media are reporting a summary which mirrors this, but often they lack the technical knowledge to define a situation like this in accurate detail. I hope that helps — Ched :  Yes?   : ©  08:19, 2 April 2009 (UTC) (worries about WP:NOTFORUM for this thread.)
I think your understanding of it is wrong. It does change some domains resolution as part of it's host blocking, but that doesn't effect the real domain, it's just an effect on your machine to stop you being able to fix it. No-one knows what it will actually do yet, but if past viruses are anything to go by, it could be somethings like... a) setting up servers on your machine to host content for criminal gangs b) sending spam from your machine c) attacking a foreign governments infrastructure (although we don't even know who is 'foreign' at this stage d) making pop-ups or such to try and sell you fake software e) all of the above. That's really just speculation based on past ones I know, but with one this complex it is likely to be used for some criminal commerical gain, or some political aim. I agree that this is becoming a little forum like, but I do think it's an important question that should be addressed, I think we should try and find some reliable source making such speculations, and then in the article say "It has been speculated by X based on prior experience that the virus could be used for Y", so that people have an idea of what kind of things these programs do. Jinniuop (talk)

in case you guys are interested - there's a complete analysis of the A and B variants of the worm Here: http://mtc.sri.com/Conficker/ and variant C here: http://mtc.sri.com/Conficker/addendumC/ basically it does nothing except update itself at the moment - although it has the potential to do quite a bit, it is not currently doing anything very malicious at all. Whitehatnetizen (talk) 15:09, 3 April 2009 (UTC)

First thanks to both Whitehatnetizen and Jinniuop. Those resources can definitely help improve the article. I guess if we/they catch him/her/them before it gets updated with something really nasty, it'll just be a footnote in virus history. The "Security Product Terminator Thread" is probably the one that concerns me the most. I also agree that my understanding of the domains was wrong, and Jinniuop is much more accurate with the DNS redirect points. Hopefully these two sri.com resources can help improve the article. Thanks to all. — Ched :  Yes?   : ©  15:30, 3 April 2009 (UTC)
Sephiroth also mentioned the C-variant link here http://en.wikipedia.org/wiki/Talk:Conficker#Analysis_of_Conficker I didn't see that before posting the previous paragraph Whitehatnetizen (talk) 15:41, 3 April 2009 (UTC)

Originally, the worm was scheduled to download a payload from trafficconverter.biz after 1 December 2008. That site was run by a Ukranian outfit called Baka Software, and was used to organize a lucrative pay-per-install affiliate program for Antivirus XP, a scareware product.[1] The payload URL looked like an executable installer for this product, and the millions of infected computers would have been a huge bonanza for them.[2] But, as it were, the site was shut down in late November[3] and the worm missed its rendezvous. —Nailbiter (talk) 18:19, 3 April 2009 (UTC)

As I was reading through everyone's comments, what struck me was how intelligently made this program was, which made me think of scareware like Micro Antivirus(AV) 2009/Privacy Protector/Error Cleaner/Vista AV Security Package, Antivirus 2009, PC Antispyware, Spyware Remover,MS Antivirus, PC HealthCenter, Virus Remover 2008, Kvm Secure, and others. Groups like these put in enough time and effort to fool lots of people into allowing their software onto their computers. Some people even downloaded these programs from rogue websites, and paid for it! The graphics are designed to look professional and resemble Microsoft products; the spread via social engineering shows cunning and an understanding of psychology; the viruses, worms and trojans involved in it are sophisticated (enough to thwart an armchair security analyst like me) and require software designed to neutralize (like Malwarebytes' Anti-malware); the worm can disable programs that might kill it (such as Anti-malware, utility kits and antivirus programs) or work around them; etc. I've read briefs and articles about the worm, including from Microsoft, McAfee, Symantec, newspapers and other sources, yet none of them state the ultimate effect, aside from being blocked from antivirus websites, protection via Windows Defender, updates from Microsoft, etc. These are relatively minor effects, albeit irritating.
So, what's the end goal of the group/author? Anarchy? A well-planned shot at the poorly written Microsoft Windows series? Creating a super-network of computers for illegal data collection? The fulfillment of some sort of political/religious agenda? Specific targets (governmental/military/educational/etc.) being acquired during the random spread of this virus so their servers could be ransacked/hijacked? Something else? Perhaps this is just a stage in a series of developments that will be mutated when the virus is considered ready (because of how many computers are infected, or which computers are infected?) by the author(s). It may be that this is the gateway to another stage that will also frustrate security analysts because it will be delivered via the current platform, be encrypted, and equally difficult - but have a much worse effect that end-users will notice (much like scareware that forces users to seek the paid version). I am inclined to think this is more than just a casual project with no real agenda behind it - or else someone is REALLY bored!
This is exactly what I'm looking for: "No one knows what the worm was really created to do because it's encrypted. Thus far, the effects to end-users seems negligible" Why isn't this stated in the article?ReveurGAM (talk) 11:18, 6 April 2009 (UTC)
You're getting several terms mixed up here. The worm is only encrypted and signed when in transit as a payload. It has to be decrypted and unpacked into machine code for execution. You might mean that the worm's code is heavily obfuscated. But that is a separate issue to whether the purpose of the worm is clear or not. In any case, obfuscation has not stopped researchers from patiently picking apart the worm code path by code path and coming up with some thorough analyses.
The clearest (but by no means certain) indication so far of the worm's purpose was variant A's attempt to download an executable from the site distributing the Antivirus XP scareware product. That particular scareware scheme is already very lucrative: it was revealed that one of the affiliates on that site had made $140000 USD in a single month as commission on registrations of just 2700 users.[4] If the worm had made its rendezvous, that would have been just pocket change.
Nailbiter (talk) 16:18, 6 April 2009 (UTC)

Find a source for it. Sephiroth storm (talk) 11:25, 6 April 2009 (UTC)

ReveurGam - it's not the fact that "it's encrypted" that no one knows what its end-goal is. it's the fact that currently it does nothing except update itself. everytime it updates itself the "good-guys" reverse engineer it again to see what it does now. as soon as it updates to actually do something else, we'll know about it. Whitehatnetizen (talk) 12:15, 6 April 2009 (UTC)
Well, clearly then my understanding of the impact of the encryption on the research is flawed. I did also read that the coding is very elaborate to make it obfuscated. Anyways, I heard that bit about what Conficker does to download the scareware, and I saw here the mention of the spambot. Just another high quality attempt to get more money from victims. And it works, judging from what Nailbiter mentioned!ReveurGAM (talk) 05:14, 13 April 2009 (UTC)

Neeris

I don't know if this should be mentioned in the article but a new version of the Neeris worm was found to exploit the same hole in windows and uses a similar method of infecting computers through the auto run function. The first version of the virus was found in 2005 but the new version was found april 1st the same day as conficker's "activation" though that is believed to be coincidence. Some believe that the two virus authors may be working together as conficker copies parts of neeris and the new version of neeris copies the parts of conficker. If anyone thinks that this sould be added into the article I can get the sources Codeman177 (talk) 21:06, 6 April 2009 (UTC)

Include, Provided Sources - Absolutely. If you can get a good source that says this, then go ahead and include it. Provided a good source, of course.--Unionhawk (talk) 21:14, 6 April 2009 (UTC)
I found article in the microsoft malware protection center blog which i would consider a good source also should it be added into its own section on the article. Codeman177 (talk) 22:04, 6 April 2009 (UTC)
Neither the MS08-067 or AutoRun vectors are unique to Conficker. In fact, there's often a surge in malware targeting a particular vulnerability after it is revealed[5], with many different malware authors racing to code up a working exploit before the vulnerability is patched. For those in a hurry, a Chinese kit for MS08-067 was also available in November last year for just $37.80 USD.[6] So, it's not a good idea to hypothesize common authorship of the two worms based on use of similar vulnerabilities. It's also not a good idea to say that one worm "copies" the other, because that implies that they share actual machine code.
Nailbiter (talk) 12:44, 7 April 2009 (UTC)

Vandalism

Just putting out there, someone has been changing the technical name to : how to fuck a girl ha hahaha etc. I don't know what the technial name is, but i deleted the vandalism, If someone could re-add the info, It would be appreciated. 72.45.118.204 (talk) 01:29, 7 April 2009 (UTC)

There never was a Technical name for it in the article, and I don't know what it could be, so, I think you're good.--Unionhawk Talk Review 12:03, 7 April 2009 (UTC)

Activity?

Is there any info on the purpose of this worm, e.g. what actions (spamming, D.O.S. etc., but *not* the update routine) it has been / is used for? 91.11.224.146 (talk) 22:31, 9 April 2009 (UTC)

seems like it is turning out to be just a standard spam-bot/keylogger, dissapointing really: http://blogs.zdnet.com/BTL/?p=16082&tag=nl.e589 Whitehatnetizen (talk) 11:51, 10 April 2009 (UTC)
There's also news that it installs fake anti-virus software: http://news.cnet.com/8301-1009_3-10217386-83.html 91.11.224.127 (talk) 16:25, 11 April 2009 (UTC)

Information Conflict

Under section Initial infection, there is information that conflicts with the chart preceding it. The chart states (with sources) that variants B and C run a dictionary attack on ADMIN$ shares, while the Initial infection section claims that Conficker B/C runs a brute force attack. These two methods of testing possible passwords are similar in nature but have drastically different effects on overall computer performance, effectiveness, and time-to-completion. Seeing as Conficker's creators seem to have put emphasis on stealth, my best guess is that a dictionary attack is used. In addition, only the dictionary attack method is cited. I cannot yet edit the page, as I am not auto-confirmed, but if someone could sort out the discrepancy at their leisure, I would really appreciate it.

Thanks,
Zenexer (talk) 23:17, 10 April 2009 (UTC)

Task manager

Being fairly sure that the Home PC was infected by this, is the disabling of task manager also a symptom? MMetro (talk) 20:25, 12 April 2009 (UTC)

Not sure. (forum-like btw... but...) try pressing Ctrl+Shift+Esc in Vista, and task manager will be opened. it may be just blocking out the Ctrl+Alt+Del combo, but, this question should really be directed to the Computing Reference Desk.--Unionhawk Talk 13:38, 21 April 2009 (UTC)

Wikipedia is not censored

I don't like to dig up old arguments, but the whole "origin of the name comes from 'ficken'" content is now in the lead paragraph. The lead paragraph, which is supposed to summarize the most important topics explained by the article. I don't see the etymology for Downadup or Kido elevated to this position. And no, it's not that the word "fucker" burns my eyes. It just detracts from the article, without helping explain anything. This is not like the situation where you need to show a breast in order to explain breast cancer detection. It looks more like an excuse by adolescents to get a bad word written prominently. And then we get to say proudly "Wikipedia is not censored". Can anyone defend this? I move to put the name origin into a sub-section and change it to simply "comes from the German word ficker". If you object, please do so by explaining how the change would inhibit the reader's full understanding of this computer worm. Spiel496 (talk) 14:02, 22 April 2009 (UTC)

Sounds reasonable to change the sentence and move it down, although I would wait with rewording as some might object. We don't want a (potential) edit war on this minor thingy.--The Magnificent Clean-keeper (talk) 15:15, 22 April 2009 (UTC)
I'm of the opinion that the move out of the summary would be good - I also don't mind the word in there, but surely a wikilink to ficken would be sufficient in anycase as most of the time in wikipedia we don't explain the meaning of words everytime something needs to be wikilinked, we let the link do the explanation. Whitehatnetizen (talk) 15:23, 22 April 2009 (UTC)
Nobody came to its defense, so I made the change. Spiel496 (talk) 04:57, 24 April 2009 (UTC)
It was suggested that you not remove the definition of the word ficker. Everyone doesn't know German, and there has been discussion that a user should not have to click on the link in order to find out the meaning of the word. IMO, the only reason the etomology of the word is in this article is because of its meaning. It needs to be stated in the article, what it means. Sephiroth storm (talk) 13:00, 24 April 2009 (UTC)
Sorry, I misread the first comment and overstepped; I'm ok with leaving it for now. But I'm still waiting for "how the change would inhibit the reader's full understanding of this computer worm". The reason given by Sephiroth storm is too weak. The word "configure" is not a defining characteristic of the worm -- it doesn't even appear elsewhere in the article. Consider also that the editors of the the German Conficker article don't seem so sure that the name stems from "ficken". The explanation from Microsoft's site seems much more plausible. Spiel496 (talk) 15:13, 24 April 2009 (UTC)
Perhaps so, but it is not our job to decide, what we can do is present all the viewpoints. Again, the name is not really important, but the community seems to want it here. FYI, for the user who corrected the spelling, the wiki article on "Ficker" states the meaning as to "fuck", not "fucker". Sephiroth storm (talk) 17:18, 24 April 2009 (UTC)
I had to change it again. Please see my edit summary for explanation.--The Magnificent Clean-keeper (talk) 18:50, 24 April 2009 (UTC)
I disagree that we need to "present all the viewpoints". Articles would get ridiculously cluttered. Perhaps I was being too diplomatic with my "much more plausible" language. Some viewpoints are bogus. I'm still looking for someone to state how removing the profanity would inhibit the reader's full understanding of this computer worm. Spiel496 (talk) 23:50, 25 April 2009 (UTC)

Introduction

Per WP:LEAD, this is meant to be summary of the article, not to present new information. Citations are are usually not used in this section, unless the information presented is controversial. Socrates2008 (Talk) 21:52, 22 April 2009 (UTC)

AVG on-demand does not remove this worm

Resolved
 – Not in the article anymore--Unionhawk Talk E-mail 01:24, 24 May 2009 (UTC)

This is just a personal anecdote, but AVG's on-demand scan did not remove this worm from my computer (as the article states it does). Its passive shield, however, was able to detect it. A minor point, and maybe just user error, but still, can someone in the know double-check this? I am skeptical. --210.248.139.35 (talk) 06:26, 13 April 2009 (UTC)

This is not a forum. You should only discuss something relevant to the article here. Relevant being like suggested changes, additions, corrections, and such. General discussion like this is not meant here. JeremyWJ (talk) 06:30, 13 April 2009 (UTC)
JeremyWJ, you didn't even read what 210.248.139.35 posted. He noted a possible mistake in the article, and is requesting assistance in checking wether it should be corrected, and if yes, finding what the line should say.--86.87.28.191 (talk) 18:46, 22 May 2009 (UTC)
Except AVG is mentioned nowhere in the article...--Unionhawk Talk E-mail 20:09, 22 May 2009 (UTC)
Except it was, at the time of JeremyWJ's post: [7]. Spiel496 (talk) 22:03, 22 May 2009 (UTC)

Easy prevention?

"The Conficker worm spreads itself primarily through a buffer overflow vulnerability in the Server Service on Windows computers." It's my understanding that home users who don't have a home network (not a wireless network, which is a different animal, but a home network allowing the sharing of files, etc. among multiple machines) don't need the Server service. I disabled mine a long time ago. (Start > Run services.msc > enter > right-click Server and set to manual or disabled.) Can anyone more knowledgeable confirm whether this would prevent the Conficker from installing, even without the many other precautions being used? Thanks, Unimaginative Username (talk) 10:34, 1 March 2009 (UTC)

How about installing the patch that plugs the security hole that the virus exploits? I imagine that that would be the "easy fix".74.251.42.193 (talk) 06:34, 1 April 2009 (UTC)
Did that as soon as it was offered. It was an academic question: if it spreads through Server service, and millions of machines run this service unnecessarily, would that stop it as well? The "Big Picture" point being that every unnecessary service running is another potential vector for infection. Still waiting for that knowledgeable person to answer the question. Thanks for stopping by. Unimaginative Username (talk) 10:43, 2 April 2009 (UTC)
It would seem to me that, indeed, turning off the server service would block that hole. This assumes that the server service cannot be "called" by another routine or remotely turned back on. Considering that the worm can turn off, for example, Windows Update, it seems likely that it can turn on the Server Service. Therefore, to truly avoid this problem (without using the patch), we would have to delete the service (if that's even a viable option) from the system. This assumes that the author has yet to figure out another way to propagate the worm through another of Windows' numerous security holes. :) ReveurGAM (talk) 10:46, 6 April 2009 (UTC)
  • Thanks, but that's slightly recursive. If it enters through Server service, and Server is disabled, then it can't enter and so can't turn Server back on to let itself enter... AFAIK, if Server is set to "disabled" rather than "manual", nothing else legitimately in the system could turn it back on, although of course I could be mistaken. Certainly other means of infection are possible. Since the article claimed that this was the primary vulnerability, it seemed a reasonable question. Thanks for your time and reply. Unimaginative Username (talk) 08:10, 10 April 2009 (UTC)
Actually, it's only recursive if you take the statement in question in isolation (out of context). I have already pointed out that another attack vector (eg: removable media) would allow what I have suggested to be done. Therefore, it's not necessary to go in via the service to reactivate the service. In addition, there are so many holes in Windows, that another vector could be taken advantage of.
However, if the service were used as the vector, then subsequently patched, that would not mean the worm was gone - merely that the entry point was gone. Further, I have read that the worm is capable of modifying the service patch so that the hole is reopened. If you check out the websites that offer removal tools, they point out that the patch must be applied and then the worm eliminated. If not, then the worm is still active and doing it's naughtiness.ReveurGAM (talk) 05:09, 13 April 2009 (UTC)
"... there are so many holes in Windows, that another vector could be taken advantage of." goes without saying. You're right, I was taking it out of context, perhaps making the bigger point (not really pertinent to this article) that every unnecessary service running is a potential attack vector, so the more unnecessary services that are disabled, the fewer such vectors. But the article (in the version questioned) stated that the worm spreads "primarily through the Server service". I didn't think that statement would be meaningful or belong in the article if there were so many other common means of infection. Perhaps, "... often (or "in the majority of cases known to date") spreads through the Server service, although numerous other vectors have been used." -- would have made this question less significant, though perhaps still a valid point on security (which this article isn't, and WP is not ... a security manual). Thanks for clarifying. ... btw, "the patch must be applied and then the worm eliminated. If not, then the worm is still active and doing it's naughtiness." -- wouldn't you have to patch, remove the worm, and then re-patch in case the worm undid the patch before you removed it? I smell another endless loop here. Obvious (I think) answer: Isolate the machine from the Net and from all external devices, apply the patch whose installer you've already downloaded, remove the worm with the tool you've already downloaded, then re-install the patch, just in case. Are we then ready to go back online with confidence? And presumably, use the removal tools on any writable external medium, e. g. Flash drives, etc. Yes? No? Thanks again. (I don't have the problem. Just pondering.) Regards, Unimaginative Username (talk) 06:05, 21 April 2009 (UTC)
This is not supposed to be a general discussion forum, however a few points along the way have touched on changes to this article, so here goes. Yes, it's good security practice to disable all unused services, particularly those that open listening ports that can be exploited remotely, as this reduces the attack surface considerably. The server service may or may not be a candidate here, depending on circumstances; ditto for other services such as UPnP, peer-to-peer file sharing apps, webservers etc. The server service is the primary infection vector as author found it before most people had a chance to patch it, giving him a clear run for a while against more unpatched machines, and with less competition from other virus writers. Other operating systems have security issues too, however Windows is the biggest target with the most enemies, so I don't see the point in flogging it. Some common sense helps too - like having a firewall, using file sytem security, not running as admin, not opening dodgy file attachments or plugging your USB stick into an untrusted computer at an Internet cafe. Socrates2008 (Talk) 09:31, 21 April 2009 (UTC)
User:Socrates2008 [[User:Unimaginative Username] I must say that I disagree on one point that you both made differently. It can not be said too many times that Windows is the biggest target with the most flaws and presumably will be for the foreseeable future. The fact that we three know how flaw-ridden Windows is doesn't mean that all users know it, too. The truth is that a preponderance of users are mostly ignorant of the security flaws in Windows and, further don't know anything about alternative OSes. Thus, even though it's been said elsewhere, it can be pertinent to mention it again, or at least reference that information in the appropriate (Windows?) article. IMHO, of course!
UU, sorry, I've been busy. I apologize that I wasn't detail-oriented enough. Socrates2008 seems to have answered your questions well enough. In terms of vectors, I was looking at the bigger picture, while you were looking at the smaller one. Another vector was/is removable media, thus I felt it pertinent to mention that other vectors could be exploited. I was trying to respond to your question, but I wasn't specifically considering the framework of the article, as I thought you needed information that you would then add to the article.
Yes, of course, the machine would have to be isolated. I took that as a given, sorry. Removable media isn't safe...unless it's read-only. Thus, a flashdisk with the Write lock on, a CD-ROM, a DVD-ROM, etc. would be ok, while anything that can be written to (USB HDD, most flashdisks, CD-R/W, DVD-R/W) would not be a safe choice for holding the conficker-fighting files. We can go online after that, with the same confidence as before Conficker - that we will eventually be infected by another virus.ReveurGAM (talk) 08:43, 26 May 2009 (UTC)

New Section

Someone may want to consider adding some information from this article. [8] At Black Hat USA 2009, Investigators asked an individual who was scheduled to speak about Conficker, to scale back his talk to protect the investigation. It also includes information concerning the possible location of the creators. Very interesting article. Sephiroth storm (talk) 14:23, 1 August 2009 (UTC)

jwgkvsq.vmx

Is not Conflicker also referred to as "jwgkvsq.vmx"?WB2 (talk) 01:40, 28 September 2009 (UTC)

new source

The Atlantic just ran a story on Conficker that could be a good source. http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098 —Preceding unsigned comment added by Intheblowinwind (talkcontribs) 23:37, 14 May 2010 (UTC)

new source

The Atlantic just ran a story on Conficker that could be a good source. http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098 —Preceding unsigned comment added by Intheblowinwind (talkcontribs) 23:37, 14 May 2010 (UTC)

Untitled

Right, so it has infected yada yada yada, and uses the yada yada yada process to infect and then...

what?

there is no section on what this actually does, or has done.

Nuclear Lunch Detected  Hungry? 03:28, 8 December 2009 (UTC)


-Well, it infiltrated various military and government systems using the same path Storm and Waledac did and opened many people to having their info harvested. It also crashed at least one hospital that it was trying to use to spam out with; the hospital network wasn't powerful enough to handle the output generated by the spam routine.

These were up earlier, but difinitive text sources couldn't be located (ones to wiki's standard of proof). I'm sure they can go back up once proper sources are located and properly listed. You can see Impact in Europe section on Conficker main page for more infor about "what it did"

And I just noticed that a wiki search for Waledac directs to Conficker though I couldn't find any mention of Waledac on the page...anyone know what's up with that? (if anything Waledac should point to Storm based on http://www.securitypronews.com/insiderreports/insider/spn-49-20081231StormWormReincarnatesAsWaledac.html, but I'd rather see it have it's own page -- which I think it DOES, but I can't find) VulpineLady (talk) 16:21, 14 January 2010 (UTC)

Apparently, the people behind Conficker just haven't put it into use after infecting all these computer systems. Nobody (except them, of course) knows why. 75.76.213.106 (talk) 07:01, 21 April 2010 (UTC)

I am not fluent in German, but I know enough to realize that "Ficker" is a noun. Therefore, it cannot be translated as a verb, as it was previously. That is the reason for the change. 74.170.46.35 (talk) 14:27, 13 May 2010 (UTC)

conficker.b worm

overview of conficker.b worm —Preceding unsigned comment added by 99.254.64.192 (talk) 16:37, 11 October 2010 (UTC)

Mistake in Intro

"business and home computers in over 200 countries" There are just about 198 countries in the world today... Printf. — Preceding unsigned comment added by 87.69.73.105 (talk) 13:02, 27 October 2011 (UTC)

Reuters Conficker conspiracy article, sounds like a war crimes case filing!

According to a new Reuters article, Conficker was NOT a for-profit cybercriminal malware, in fact it was the early delivery vehicle for Struxnet military attack tool to Iran, and the the 9 to 11 million infected computers worldwide were just masking smoke and "collateral victims":

http://www.reuters.com/article/2011/12/02/us-cybersecurity-iran-idUSTRE7B10AP20111202 or http://www.reuters.com/assets/print?aid=USTRE7B10AP20111202

It is mind-boggling that anyone would "collaterally" carpet e-bomb circa 10 million Windows PCs all around the world just to wage cyberwar. If true, it sounds like a clear-cut IWCC criminal case for The Hague, although USA and Israel are apparently untouchables, so the "Unit 8200" personnel are safe. 82.131.210.163 (talk) 10:21, 5 December 2011 (UTC)

Text of the article, in case it gets "accidentally" dis-appearated by the powers that be:

http://www.reuters.com/assets/print?aid=USTRE7B10AP20111202

Insight: Did Conficker help sabotage Iran program Friday, 02 Dec 2011 by Jim Finkle, Reuters

A cyber warfare expert claims he has linked the Stuxnet computer virus that attacked Iran's nuclear program in 2010 to Conficker, a mysterious "worm" that surfaced in late 2008 and infected millions of PCs.

Conficker was used to open back doors into computers in Iran, then infect them with Stuxnet, according to research from John Bumgarner, a retired U.S. Army special-operations veteran and former intelligence officer.

"Conficker was a door kicker," said Bumgarner, chief technology officer for the U.S. Cyber Consequences Unit, a non-profit group that studies the impact of cyber threats. "It built out an elaborate smoke screen around the whole world to mask the real operation, which was to deliver Stuxnet."

While it is widely believed that the United States and Israel were behind Stuxnet, Bumgarner wouldn't comment on whether he believes the Americans and Israelis also unleashed Conficker, one of the most virulent pieces of so-called malware ever detected. He wouldn't name the attackers he believes were behind the two programs, saying the matter was too sensitive to discuss.

The White House and the FBI declined to comment.

Prime Minister Benjamin Netanyahu's office, which oversees Israel's intelligence agencies, also declined comment.

If Bumgarner's findings, which couldn't be independently confirmed, are correct then it shows that the United States and Israel may have a far more sophisticated cyber-warfare program than previously thought. It could also be a warning to countries other than Iran that they might be vulnerable to attacks.

His account leaves unresolved several mysteries. These include the severity of the damage that the program inflicted on Iran's uranium enrichment facility, whether other facilities in Iran were targeted and the possibility that there were other as yet unidentified pieces of malware used in the same program.

Bumgarner - who wrote a highly praised analysis of Russia's 2008 cyber assault on Republic of Georgia - says he identified Conficker's link to Stuxnet only after spending more than a year researching the attack on Iran and dissecting hundreds of samples of malicious code.

He is well regarded by some in the security community. "He is a smart man," said Tom Kellermann, an advisor to the Obama Administration on cyber security policy and the chief technology officer of a company called AirPatrol.

His analysis challenges a common belief that Conficker was built by an Eastern European criminal gang to engage in financial fraud.

The worm's latent state had been a mystery for some time. It appears never to have been activated in the computers it infected, and security experts have speculated that the program was abandoned by those who created it because they feared getting caught after Conficker was subjected to intense media scrutiny.

Bumgarner's work could deepen understanding of how Stuxnet's commanders ran the cyber operation that last year sabotaged an underground facility at Natanz, where Iranian scientists are enriching uranium using thousands of gas centrifuges.

He provided Reuters with his timeline of the attack, which indicates it began earlier than previously thought. He said that it was planned using data stolen with early versions of Duqu, a data stealing tool that experts recently discovered and are still trying to understand. The operation ended earlier-than-planned after the attackers got caught because they were moving too quickly and sloppiness led to errors.

WHO DID IT?

The view that Stuxnet was built by the United States and Israel was laid out in a January 2011 New York Times report that said it came from a joint program begun around 2004 to undermine Iran's efforts to build a bomb. That article said the program was originally authorized by U.S. President George W. Bush, and then accelerated by his successor, Barack Obama.

The first reports that the United States and Israel were behind Stuxnet were greeted skeptically. There are still a handful of prominent cyber security experts, including Jeffrey Carr, the author of the book "Inside Cyber Warfare: Mapping the Cyber Underworld," who dispute the U.S.-Israel idea. He says that circumstantial evidence paints a convincing case that China was behind Stuxnet.

Some also question Bumgarner's findings.

"He is making assertions that have no basis in fact. Anything is possible, but the empirical evidence doesn't show any linkage between the two," said Paul "Fergie" Ferguson, senior threat researcher with security software maker Trend Micro.

He was among a group of researchers from dozens of companies who teamed up in 2009 and spent months studying Conficker. That group concluded it was impossible to determine who was behind the worm.

Ferguson said on Friday he believed Conficker was likely the work of criminals in eastern Europe, based on similarities in the coding of Conficker and previously discovered types of malware.

According to Bumgarner's account, Stuxnet's operators started doing reconnaissance in 2007, using Duqu, which spied on makers of components used in Iran's nuclear and critical infrastructure facilities.

In November 2008, Conficker was let loose and it quickly spread, attacking millions of PCs around the world. Its initial task was to infect a machine and "phone home" with its location. If it was at a strategic facility in Iran, the attackers tagged that PC as a target. The release left millions of untagged machines infected with Conficker around the world, but no damage was done to them.

In March 2009, Bumgarner says, the attackers released a new, more powerful version of Conficker that started the next phase of the attack on April 1 by downloading Stuxnet onto the targeted PCs. After it completed that task, Conficker's mission on those machines was complete.

CRACKING THE CASE

It took Bumgarner months to conclude that Conficker was created by the authors of Stuxnet.

First, he noticed that the two pieces of malware were both written with unprecedented sophistication, which caused him to suspect they were related. He also found that infection rates for both were far higher in Iran than the United States and that both spread by exploiting the same vulnerability in Windows.

He did more digging, comparing date and time stamps on different versions of Conficker and Stuxnet, and found a correlation -- key dates related to their development and deployment overlapped. That helped him identify April Fool's Day, April 1, 2009, as the launch date for the attack.

Bumgarner believes the attackers picked that date to send a message to Iran's leaders. It marked the 30th anniversary of the declaration of an Islamic republic by Ayatollah Khomeini after a national referendum.

He also identified two other signals hidden in the Stuxnet code, based on the dates when key modules were compiled, or translated from programming text into a piece of software that could run on a computer.

One coincided with a day when Iranian President Mahmoud Ahmadinejad said his nation would pursue its nuclear program despite international objections, and another with the day that he made a highly controversial appearance at Columbia University in New York.

FUTBOL FANS

The operators communicated with Stuxnet-infected computers over the Internet through servers using fake soccer websites that they built as a front for their operation: www.mypremierfutbol.com and www.todaysfutbol.com.

If Iranian authorities noticed that traffic, they would be deceived into assuming it was from soccer fans, rather than suspect that something was awry, Bumgarner said.

Once Conficker had pulled Stuxnet into computers in Iran there was still one big hurdle, he said. Those infected computers weren't yet in the target - the underground uranium enrichment facility at Natanz.

Getting the virus in there was one of the trickiest parts of the operation.

Computers controlling the rapidly rotating gas centrifuges were cut off from the Internet. The best way to attack was to put the malware on a device like a USB thumb drive, and then get somebody to connect that drive to the system controlling the centrifuges.

Stuxnet was programmed to automatically jump from an infected PC to a USB drive as soon as it was put into a computer. That was the easy part. Getting somebody to be a human "mule" by bringing that USB drive to Natanz and plugging it into the right machine was a logistical nightmare.

It was impossible to predict when somebody with an infected USB drive would visit the plant. It could take a week or it might be six months.

"It's a painstakingly slow game of chess," said Bumgarner. "They had to keep making moves and countermoves until they reached the centrifuges. Then it was checkmate."

That was probably delivered by somebody who regularly visited the facility and had reason to share information electronically - an academic affiliated with an engineering program at one of Iran's universities or a worker at a company that provided technology to the facility, according to Bumgarner. He or she was almost certainly unaware of what was happening, he said.

Bumgarner is not sure when Stuxnet first hit Natanz, but suspects that early versions only did limited damage. He believes the attackers grew impatient with the pace at which it was damaging the facility and as a result they performed the cyber equivalent of injecting steroids into Stuxnet, adding modules to make it spread faster and inflict more damage. They deployed an enhanced version in January 2010, and two months later an even more powerful one.

Bumgarner believes the juiced-up malware was effective in damaging the centrifuges. But just as steroids have side effects on humans, so the additional modules had a negative impact on the malware: They started causing infected machines to act abnormally.

A then-obscure security firm known as VirusBlokAda in Belarus reported that it discovered Stuxnet after a piece of the souped-up virus made a computer in Iran behave erratically. International investigations followed, which eventually uncovered the attacks on Natanz.

"It blew their operation wide open," says Bumgarner.

Yet its creators may still have other irons in the fire, thanks to Conficker, which lies dormant in millions of PCs around the globe in strategic locations such as Iran, China, Russia, India and Pakistan.

"Conficker represents the largest cyber army in the world," Bumgarner said. "These soldiers are just waiting for their next mission."

(Additional reporting by Andrea Shalal-Esa and Caren Bohan in Washington and Crispian Balmer in Jerusalem. Editing by Martin Howell)

Another variant?

In 2011, my college was wholly infected by a Conficker version that created none of the symptoms found here. It's one recognized by virus scanners as Kido net.worm that propagates itself mainly via USB sticks and external drives that students were plugging and unplugging in and out of college computers at a two-digit rate per day.

Its symptoms consisted of renaming all files and directories on a given disk or stick into .lnk Windows icon files all appearing as 1kB each in Windows explorer or any other program's file opening dialogue, that when clicked prompt the error message that the link was leading to a missing resource. Additionally, it creates new directories also of the .lnk type with names such as "passwords" on the root level.

Using the tried, tested, and recommended Conficker removal tools and patches, the worm could be stopped from propagation, killed and removed from the individual system or disk, but that doesn't change anything about all files and directories still being re-named into .lnk files and not available.

By experimenting, I found out that the virus had not deleted the original files and directories, but replaced them with invisible .zip files, invisible as such that not even enabling the "show invisible files and directories" option in Windows made them appear. However, when using Winzip, everything looked and worked like the normal, uninfected state would have in Windows explorer.

That way, files could be "unzipped" to a clean disk protected by updated virus scanners with proactive protection recognizing and blocking Kido net.worm. But only files, not directories (as that curiously resulted in only a fraction of the files inside were transferred), which is why a disk's complete directory system had to be manually re-created by hand.

Are there any available, authoritative sources on this behavior of a Conficker variant? I'm asking because none of its behavior itself could point one to the fact that it's really Conficker when you're looking this article up. And because I'm really looking for a simpler way to reclaim TBs of data in thousands of directories and sub-directories. --87.174.199.94 (talk) 18:09, 26 January 2013 (UTC)

Redundant Ending in the Intro

I feel that the line "It's been involved in the activities like terrorism activities.It is considered a security risk and should be removed from the network with the help of Microsoft Certified Technician." which appears at the end of the intro is unnecessary. the fact that the worm is listed as attacking and infecting large numbers of computers makes it clear that the worm poses a security threat. Additionally the advise to employ the services of a Microsoft certified technician seems unnecessary given that removal can be now accomplished using standard tools making a Microsoft certified technician no more useful then any power user.Furthermore by suggesting the a Microsoft technician is necessary this sentence acts as an advertisement for Microsoft as it would indicate that their certificated technicians in some way possess a unique skill that any normal I.T. worker does not have. This would make a being a Microsoft technician a desirable quality which would mean Microsoft could potential make additional profits thought its certification program. 2001:470:1D:1DF:F933:358B:42FF:3660 (talk) 09:12, 3 September 2015 (UTC)

conficker

its a dangerous kin of worm.— — Preceding unsigned comment added by 59.162.178.234 (talk) 09:18, 19 October 2015 (UTC)