The dry, technical language of Microsoft's October update did not indicate anything particularly untoward.
June 15, 2009 2:40 PM

Its reach is impossible to measure precisely, but more than 3 million vulnerable machines may ultimately have been infected. : The inside story on the Conficker Worm at New Scientist.
posted by The Whelk (84 comments total) 7 users marked this as a favorite

1. Get a decent antivirus, there are several good free ones.
2. Use Firefox + NoScript.
3. Download a HOSTS file or write your own.
4. Update your MS Windows.
5. Get a decent anti-spyware/malware, there are good free ones.

None of the above are particularly difficult to do, maybe no. 3 is a little beyond the typical user.
posted by Xoebe at 2:53 PM on June 15, 2009


The worm told me to tell you that this is unnecessary.
posted by Balisong at 2:58 PM on June 15, 2009 [5 favorites]


from article: Conficker also had an ingenious way of communicating with its creators. Every day, the worm came up with 250 meaningless strings of letters…

…and then automatically published those 250 meaningless words as a New Scientist article.
posted by koeselitz at 3:01 PM on June 15, 2009 [17 favorites]


And, because of this brilliant tactic, no one ever suspected anything.
posted by koeselitz at 3:03 PM on June 15, 2009


koeselitz, you are my new hero. If only the articles were 250 words long.
posted by benzenedream at 3:05 PM on June 15, 2009


Six days after the 1 April deadline, Conficker's authors let loose a new version of the worm via P2P. With no central release point to target, security experts had no means of stopping it spreading through the worm's network. The URL scam seems to have been little more than a wonderful way to waste the anti-hackers' time and resources. "They said: you'll have to look at 50,000 domains. But they never intended to use them," says Joe Stewart of SecureWorks in Atlanta, Georgia. "They used peer-to-peer instead. They misdirected us."

This is pretty cool you got to admit.
posted by Potomac Avenue at 3:08 PM on June 15, 2009 [4 favorites]


Xoebe: I'd put 4 at number 1. Nearly all worms exploit known yet unpatched flaws, and a number of website infection methods too. While a firewall (software or hardware) is also essential, it wouldn't have protected against conficker attacking from the internal network. AV also didn't catch it when it was first propagating. Nor did any user have to do anything wrong (click this link!) to catch it.

While there was little any normal user could have done about the autorun USB infection route, AV will catch it now, and keeping on top of the patches would have protected you from direct attack.

In a way, it's frustrating; many people don't update because they're afraid microsoft will catch their dodgy copy, or a DRM update through the same network will deactivate them, with some cause. Yet it's the people who are running legit copies in office networks who get kicked in the nuts the hardest because corporate patching is a much more complex affair, and they're vulnerable to this vast pool of deliberately unpatched machines.
posted by ArkhanJG at 3:12 PM on June 15, 2009 [1 favorite]


There are several other large networks of machines infected with malicious software. Conficker has simply joined the list.

I really had no idea about a lot of this stuff.
What happens if they try to fight each-other?
Should there be a voodoo computer bot army UN?
posted by Potomac Avenue at 3:12 PM on June 15, 2009 [1 favorite]


Now we just need to tell Conficker's creators that [insert worm name here]'s creators called them noobs, and quietly walk away.
posted by Salvor Hardin at 3:25 PM on June 15, 2009 [2 favorites]


Sounds like an inside job.
posted by chillmost at 3:30 PM on June 15, 2009


Aye, ArkhanJG, I was going to put a disclaimer in there about "no particular order". I kinda figure if you skip any of those steps, you are taking unnecessary risks, however small.
posted by Xoebe at 3:38 PM on June 15, 2009


many people don't update... with some cause

I call shenanigans. I've heard that logic before.

"I don't install any Microsoft updates. I saw Steve Jobs on Oprah talking about how Micro$oft updates cause bot-ism. Why should I put my faith in the Computer $cience uberlords? I'm the one who best knows how to protect my own computer. Enough other people install their updates that I'm protected from these viruses. If these so-called 'scientists' had computers, they'd understand."

I know you were just describing reality, ArkhanJG, not defending those positions. But "with some cause" is more benefit of the doubt than I can muster for people who, for selfish or willfully ignorant reasons, endanger the rest of us by intentionally remaining a potential vector for viruses. That's true for both the biological and electronic meanings of the term.
posted by Riki tiki at 3:43 PM on June 15, 2009 [4 favorites]


It is not an unprecedented situation. There are several other large networks of machines infected with malicious software. Conficker has simply joined the list.

That's the chilling part. Some of these botnets have been operating now for over a year, and no one has the means to eradicate them. The bad guys are winning.
posted by Nelson at 3:46 PM on June 15, 2009


Well for the last few years, Microsoft has refused to allow updates to install on the large swath of XP machines that they can identify as pirated.

The fact that the updates refuse to run is a pretty sound reason not to install them.

This would be fine if the policy only harmed the pirates - security problems in a large number of machines harms everyone.
posted by aubilenon at 3:54 PM on June 15, 2009


Nelson: "Some of these botnets have been operating now for over a year, and no one has the means to eradicate them."

Sure we do. It's just that certain corporations have a vested interest in maintaining monoculture in the operating systems ecosystem. You'd get the same rampant infections IRL if 95% of all babies born were cloned from a single person and weren't immunized consistently.
posted by mullingitover at 3:59 PM on June 15, 2009 [3 favorites]


Continuing Xoebe's list:

6. Also don't use Outlook or Outlook Express
7. Run your Windows machine as an unprivileged (non-admin) user
posted by dammitjim at 3:59 PM on June 15, 2009 [3 favorites]


Microsoft has refused to allow updates to install on the large swath of XP machines that they can identify as pirated.

This I did not know. I agree that this somewhat mitigates the blame on the part of pirates. However, while it would certainly be nice if Microsoft bit the bullet and allowed patches to install on pirated copies, I think you'd agree that they have no obligation to do so (no more than drug companies are obligated to provide free vaccinations to people who can't or won't pay). Maybe there's an opportunity for the government to step in here and subsidize updates for the public good, like I gather they do for vaccines?

At the very least, that fact undermines the oft-quoted argument that "piracy doesn't hurt anybody."
posted by Riki tiki at 4:01 PM on June 15, 2009


For those of you that liked this, check out the researchers who took over the Torpig botnet for a while. Their paper is a fascinating read even for non-techies. (Torpig has been around since 2006 and their 10-day hijack found 70gb of data and 10k credit cards numbers.)
posted by bhance at 4:02 PM on June 15, 2009 [5 favorites]


Continuing Xoebe's list:

8. Run Windows in a VM.
posted by mullingitover at 4:02 PM on June 15, 2009


My ISP (who are evil in most things) are actually pretty on the ball about worm infections. My wife got her box infected and after I thought it was clean I left her machine be, later that day my Internet connection went down and a helpful phone person told me that my machines were infected with a worm. Looking at her machine again, sure enough it had come back.

I wiped her machine, they turned my access back on and all was well.

Bravo Evil ISP for doing something totally useful and sane on a network level and revealing how deep your deep packet inspection really is.
posted by NiteMayr at 4:02 PM on June 15, 2009


Conficker also had an ingenious way of communicating with its creators. Every day, the worm came up with 250 meaningless strings of letters and attached a top-level domain name - a .com, .net, .org, .info or .biz - to the end of each to create a series of internet addresses, or URLs. Then the worm contacted these URLs. The worm's creators knew what each day's URLs would be, so they could register any one of them as a website at any time and leave new instructions for the worm there.

It was a smart trick. The worm hunters would only ever spot the illicit address when the infected computers were making contact and the update was being downloaded - too late to do anything. For the next day's set of instructions, the creators would have a different list of 250 to work with. The security community had no way of keeping up.

What? This can't possibly be right.

Just infect a PC, connect it to a "dummy" internet instead of the real internet, set its clock forward 24 hours, and see what URLs it tries to access.
posted by Flunkie at 4:05 PM on June 15, 2009


Microsoft has refused to allow updates to install on the large swath of XP machines that they can identify as pirated.

That's not completely true. MS do allow critical security updates for machines that don't pass the WGA test. They just won't get 'feature' updates such as new versions of media player and such.
posted by punilux at 4:10 PM on June 15, 2009 [3 favorites]


8. Run Windows in a VM.

Computers aren't as useful these days, if they're not hooked up to a network or otherwise have an umbilical cord to the outside world.
posted by Blazecock Pileon at 4:10 PM on June 15, 2009


This I did not know. I agree that this somewhat mitigates the blame on the part of pirates. However, while it would certainly be nice if Microsoft bit the bullet and allowed patches to install on pirated copies, I think you'd agree that they have no obligation to do so (no more than drug companies are obligated to provide free vaccinations to people who can't or won't pay). Maybe there's an opportunity for the government to step in here and subsidize updates for the public good, like I gather they do for vaccines?

Well it's a little different in that the direct cost to Microsoft of allowing pirates system patches is almost certainly less than the cost of actually figuring out who is a pirate and writing the code to deny them updates - it costs pharma companies a lot more to produce a vaccine than it does for MS to pay for a couple gigs of data transfer.

I personally think the blame for these machines is shared between the pirates and MS.
posted by aubilenon at 4:17 PM on June 15, 2009


punilux: Some security holes will be patched without a WGA check, but I believe that some cannot be patched without that new version of the media player or the new version of IE (if you're using IE anyway).
posted by aubilenon at 4:19 PM on June 15, 2009


Conficker is extremely active and widespread. I made the mistake of hopping on coffee shop wireless with an unpatched, unsecured laptop and it only took seconds before I caught Conficker from someone else in the shop and I was getting nearly note-perfect Windows XP themed popups for SpyProtect2009, the fake antivirus software they embedded in it.

I don't normally do that - I mean, run unpatched without anti virus and a firewall and everything else. I just did a reinstall the night before and forgot to finish installing stuff. On the home network this isn't nearly as risky as I keep everything pretty well locked down, but I just had a brainfart and forgot about it by the time I was out and about and surfing from the unsecured public coffee house network. I even had the proper software tools in my pocket on a thumb drive. Thankfully I have a hidden recovery partition on the notebook, so I just nuked the whole OS right there, pulled the copy of NOD32 I keep on my thumb drive and was back online in a few (dozen) minutes.


These stolen resources are nothing to sneeze at. We're now finally in an age where organized crime (or bored kids and hackers of all sorts, and whenever and wherever the two meet) actually can do some pretty crazy sci-fi shit like shut down power grids, knock vital online resources offline - and maybe in the not so distant future even heavily influence or damage things like the operation of governments, elections, financial markets, corporations, hospitals and more.
posted by loquacious at 4:28 PM on June 15, 2009


Crap, I just used "hacker" as a negative description and not in the traditional, historic positive vernacular. I am now officially a tool. Please shoot me.
posted by loquacious at 4:34 PM on June 15, 2009 [2 favorites]


Getting infected is still better than running most AV programs. And like ArkhanJG said, AV wouldn't even have helped. I was not infected because my XP is patched and I use a software "firewall".
posted by Authorized User at 4:34 PM on June 15, 2009 [1 favorite]


Just infect a PC, connect it to a "dummy" internet instead of the real internet, set its clock forward 24 hours, and see what URLs it tries to access.

They're probably not relying on the system bios clock. See Network Time Protocol.
posted by loquacious at 4:37 PM on June 15, 2009 [1 favorite]


Flunkie: if I remember correctly, on any given day, any given instance of Conficker used to randomly pick only a few out of the 250 to contact. You could do the experiment a whole bunch of times, for every day, to get all the domains, which is possible-but-hard. Also: without knowing how many domains it might contact, you have to do some statistical guesswork to get them all.

Assume a couple plausible details that I don't actually know (Conficker refuses to run or runs differently in a VM, and it randomizes the time of day it makes contact), and you need hundreds of dedicated machines to get the list.

Or you could just reverse-engineer the worm and find out that way, which is something you need to do anyway.

loquacious: if you're going through the trouble of faking (enough of) the internet, you could set up a fake NTP server, on whatever IP/domain, without too much trouble.
posted by reventlov at 4:54 PM on June 15, 2009


Riki tiki: I know you were just describing reality, ArkhanJG, not defending those positions. But "with some cause" is more benefit of the doubt than I can muster for people who, for selfish or willfully ignorant reasons, endanger the rest of us by intentionally remaining a potential vector for viruses. That's true for both the biological and electronic meanings of the term.

Biological and electronic viruses are as different as biological and electronic worms.

However, while it would certainly be nice if Microsoft bit the bullet and allowed patches to install on pirated copies, I think you'd agree that they have no obligation to do so (no more than drug companies are obligated to provide free vaccinations to people who can't or won't pay). Maybe there's an opportunity for the government to step in here and subsidize updates for the public good, like I gather they do for vaccines?

A question: have you ever actually run a Microsoft Update? They are neither as clear nor as universally necessary as you are implying.

Microsoft is a business, yes, but their principal problem is that they run every single aspect of Windows in the most lucrative way they can, often to the detriment of things like quality and security. A good chunk of those updates have been DRM copyright-protection updates, for example; in fact, Microsoft seems to take perverse pleasure in making it impossible to distinguish the “we want to make sure you aren't a pirate and don't do anything illegal” updates from the “this is for the virus that could kill your computer” updates.

The simple fact is that it'd be trivial to separate the two; moreover, it'd be the ethical thing to do. And it would just make sense: Microsoft has every right to patrol the computers that are on its update list and to require checkins to prevent piracy, but if they did virus updates separately and more clearly, this would not have been a problem. The policy as it is amounts to refusing to inoculate illegal immigrants because they aren't paying taxes; if you do that, sooner or later everybody gets infected.

This is not to mention the fact that updates are too complex and too badly-phrased to really catch anyone's attention. I think some of this blame does belong to Microsoft.
posted by koeselitz at 4:57 PM on June 15, 2009 [1 favorite]


Getting infected is still better than running most AV programs.

I believe an updated install of NOD32 will catch it inbound from LAN, NetBIOS shares, removable media or web, and it won't totally fuck up your computer. The threat-sensing algorithms they use are damn near black magic to me. It catches nearly everything, even actively inspecting incoming code in the download bitstream looking for malicious algorithms, not just relying on signatures. It doesn't just detect patterns, it's aware of vectors and methods.

Except for the fact that it seems to be impossible to completely remove from Windows. To re-install a demo version as far as I've seen requires an OS wipe, but it's the one and only general AV and anti-malware product I've ever recommended paying for and maintaining a yearly subscription. They push out patches and engine updates daily, sometimes hourly, based on data pulled from their own threat-sensing network of NOD32 clients in the field.

I don't normally shill products. Hell, I should hate the program. It puts me out of work. Whenever I do upgrades for small home office support clients I usually recommend at least trying the NOD32 demo and getting rid of Norton, switching to Firefox and using a host file and/or AdblockPlus - and then I have to hope they break a printer or fry a motherboard or something because suddenly most of their Windows OS woes are gone.
posted by loquacious at 4:57 PM on June 15, 2009


Continuing Xoebe's list:

8. Run Windows in a VM.

9. Unplug your computer from the wall.
10. Smash your computer with a large mallet.
11. Hide under a pile of coats in the fetal position and hope it all works out for the best.
posted by drjimmy11 at 4:58 PM on June 15, 2009 [7 favorites]


mullingitover: It's just that certain corporations have a vested interest in maintaining monoculture in the operating systems ecosystem. You'd get the same rampant infections IRL if 95% of all babies born were cloned from a single person and weren't immunized consistently.

Huh? What are you proposing? That we have 100 million different operating systems, each one genetically unique? Cuz having one or two more OSes isn't going to help you; it's not significantly more work to infect Linux or Apple systems, it's just not worth the trouble. If 33% of the world ran one of each OS, you bet you'd see worms on all three.
posted by Nelson at 4:58 PM on June 15, 2009


loquacious: if you're going through the trouble of faking (enough of) the internet, you could set up a fake NTP server, on whatever IP/domain, without too much trouble.

Right. I was just pointing out that a network-aware virus or worm isn't going to rely on just the BIOS clock if it needs to do important timed updates or communications, not saying that the time couldn't be spoofed.
posted by loquacious at 5:00 PM on June 15, 2009


loquacious: Crap, I just used "hacker" as a negative description and not in the traditional, historic positive vernacular. I am now officially a tool. Please shoot me.

I do this inadvertently all the time, but I think it's understandable, since there's unfortunately no word for a malicious computer criminal who exploits software to harm. When I say “malicious hacker,” people just think I'm being redundant, and the point is lost.

And sometimes, following on the distinction between “hacking” and “cracking,” I refer to these people as “crackers” before I realize how silly it sounds. That usually confuses more people than it's worth.
posted by koeselitz at 5:03 PM on June 15, 2009


It seems unlikely, but does anyone have any statistics or figures on the location/disposition of machines in these botnets? My guess is that the 'Microsoft doesn't allow updates of pirated copies' argument is largely irrelevant, in the face of millions of machines with legitimate copies of Windows installed, yet still hopelessly compromised due to the operators' inability to effectively manage them.

Honestly, that's the real problem. Botnets will never be eradicated, simply based on the enormous number of machines connected to the internet at any given time, that aren't properly administered, and thus vulnerable to complete remote takeover.

At any rate, thanks for the post. I'm always fascinated to read about black-hat innovations in this area, and the white-hat counter-strikes.
posted by Brak at 5:12 PM on June 15, 2009


Flunkie: What? This can't possibly be right. Just infect a PC, connect it to a "dummy" internet instead of the real internet, set its clock forward 24 hours, and see what URLs it tries to access.

It looks like they did manage to crack the algorithm (see here which describes the algorithm). Though I think they dis-assembled it rather than the method you describe. Then, if the good guys registered all 250 domains for any particular day, they could prevent the authors from registering them. (Conficker checked all 250 domains regularly all day to look for updates). But registering 250 new domains every day just to try and prevent updates is no mean feat. Then the updated Conficker upped the number to 50,000 domains every day.
posted by memebake at 5:15 PM on June 15, 2009
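The scheme memebake and the article describe, in runnable form: a date-seeded generator means that anyone who has reverse-engineered it (the worm's authors or the defenders) can compute any day's list in advance and register, sinkhole or watch for those names. This is an added example, not code from the article or the thread; the generator below is a constructed toy and not Conficker's actual algorithm, and the DNS log lines and IP addresses are made up.

```python
import hashlib
from datetime import date, timedelta

# Toy daily domain generator, constructed for this example. The shape is what
# the article describes (N pseudo-random labels per day, each given one of a
# few TLDs); the function itself is NOT Conficker's algorithm.
TLDS = (".com", ".net", ".org", ".info", ".biz")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"
SAMPLE_DAY = date(2009, 4, 1)   # the article's "1 April deadline"


def generate_domains(day, count=250, tlds=TLDS):
    """Return the deterministic list of `count` domains for `day`.

    The only seed is the date, so whoever knows the function can compute
    tomorrow's list today; that is what made registering the whole list
    ahead of the authors possible (and, at 250 a day, expensive).
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 5                      # 8..12 letters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(label + tlds[digest[-1] % len(tlds)])
    return domains


def domains_for_window(day, skew_days=1):
    """Union of the lists for day-skew .. day+skew.

    A defender watching or blocking the list should cover neighbouring days:
    the infected host's clock (or the NTP answer it received) need not agree
    with the defender's, as the thread discusses.
    """
    window = set()
    for offset in range(-skew_days, skew_days + 1):
        window.update(generate_domains(day + timedelta(days=offset)))
    return window


def flag_dga_lookups(log_lines, day, skew_days=1):
    """Return (client, qname) pairs whose qname is on the generated list.

    Log format (constructed for this example): "<timestamp> <client-ip> <qname>".
    """
    watch = domains_for_window(day, skew_days)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue                # skip malformed lines rather than crash
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in watch:
            hits.append((client, qname))
    return hits


def build_sample_log(day=SAMPLE_DAY):
    """Constructed DNS query log: benign names plus two generated ones."""
    today = generate_domains(day)
    tomorrow = generate_domains(day + timedelta(days=1))
    return [
        f"{day}T09:00:01 10.0.0.5 www.example.com",
        f"{day}T09:00:02 10.0.0.5 {today[3]}",
        f"{day}T09:00:03 10.0.0.9 time.example.net",
        f"{day}T09:00:04 10.0.0.9 {tomorrow[17]}",    # host with a skewed clock
        f"{day}T09:00:05 10.0.0.12 metafilter.com",
    ]


if __name__ == "__main__":
    for hit in flag_dga_lookups(build_sample_log(), SAMPLE_DAY):
        print("suspect lookup:", hit)
```

With `skew_days=0` the second host is missed, which is the point Flunkie and loquacious argue over: the defender's list is only as good as its guess about the infected machine's idea of the date.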


They're probably not relying on the system bios clock. See Network Time Protocol.

That's not really a relevant distinction. As I said, hook it up to a fake internet, not the real one. Set up an NTP server that it will ask for the time.
posted by Flunkie at 5:19 PM on June 15, 2009


Continuing Xoebe's list:

6. Also don't use Outlook or Outlook Express
7. Run your Windows machine as an unprivileged (non-admin) user


#7 should be #1. If you do this, you will be immune from attacks that target the operating system (as opposed to data files that users create) and require user initiation. This is actually fairly simple, and will block the vast majority of attacks, especially for the individual non-corporate user with the basic Windows Firewall functionality enabled (no SMB/CIFS listeners, etc).

Running Windows XP as admin is like going bareback at a poz party. Relying on antivirus software to prevent compromise is one step better - an untested, potentially leaky condom.

Vista, much as everyone seems to hate it, is much better in this regard - while users are administrators by default, UAC prevents the immediate execution of code against the user's wishes. But you still shouldn't run as administrator in Vista, either.

Oh, and if you do all that, there's nothing wrong with Outlook or Outlook Express. Even if you don't do that, you can easily configure Outlook Express not to download images or execute code by using Restricted Zone settings. I believe that's the default setting in Outlook 2007.
posted by me & my monkey at 5:46 PM on June 15, 2009 [1 favorite]


I'd put 4 at number 1. Nearly all worms exploit known yet unpatched flaws

Yeah, well MeFi got infected recently, and strangely the very next day I noticed my first virus infection in a windows box ever, despite being all patched, running antivirus and running without admin privileges. Was it MeFi? Who knows, it could have been my son trying to gift me a new screensaver. I can't remember the name of the virus, but it was an older known one (vundo?) and thus there were good ways to eliminate it. Whatever it was made it nearly impossible to get into Safe Mode and then use a mouse or the track point and thus it was difficult to run a good scan from there. I think it was Microsoft's malicious software removal tool which saved the day. Anyway, any virus that was expunged in several hours work over several days is a pain, but not too taxing. I have since installed no-script but it basically makes so many sites essentially unusable until you allow scripts and then you are back where you started. Anyway, running without admin privileges is no cure all.
posted by caddis at 6:02 PM on June 15, 2009


If we're not careful with these increasingly powerful botnets, we're gonna wind up accidentally creating a distributed intelligence that probably won't like us and then we'll be really ficked.
posted by jamstigator at 6:05 PM on June 15, 2009


Metafilter: hook it up to a fake internet
posted by yoHighness at 6:07 PM on June 15, 2009


The solution for my laptop: A switch to Ubuntu. I still need Windows for a couple of pieces of software, and journal articles and such that must be saved in Word format (yes, it happens, and the use of software that saves in Word format is no substitute), but most of my desktop's hard drive will be a Ubuntu Linux partition soon.
posted by raysmj at 6:24 PM on June 15, 2009


Microsoft has refused to allow updates to install on the large swath of XP machines that they can identify as pirated.

This is 100% bullshit. Any XP computer can get automatic updates via the automatic updates client (not the website) and get all the security patches. The problem is all the morons with heads full of conspiracy theories afraid to turn it on.

This place is getting worse than slashdot with all the FUD.
posted by damn dirty ape at 7:00 PM on June 15, 2009


4. Update your MS Windows.

That's all you need to do. You don't need to pray to the FSM or download someone's host files. The exploit that conficker uses was patched in October. Conficker spread in January. People are not patching. That is the real problem here.
posted by damn dirty ape at 7:01 PM on June 15, 2009 [3 favorites]


I think some of this blame does belong to Microsoft.

Whether you'd agree with it or not, Microsoft would probably argue that the "cost" of unconditional updates goes beyond just the bandwidth to provide them. They'd probably say that by supporting pirated copies, they give those pirates little reason to purchase a legitimate copy (even if not all of the pirates would have done so).

You may say that they should put the public good over such concerns, and I don't disagree, but I do think it's not up to us to make that judgement. They're a corporation and can't and shouldn't be expected to behave selflessly or ethically when it's not in their obvious financial interest. That's not an apologia, it's just reality. I think the onus should be on us as consumers, or (failing that) the government as appointed defender of our public good, to protect ourselves from these threats or make it be in the corporations' interests to do so.
posted by Riki tiki at 7:38 PM on June 15, 2009


Continuing Xoebe's list:

9. Unplug your computer from the wall.
10. Smash your computer with a large mallet.
11. Hide under a pile of coats in the fetal position and hope it all works out for the best.


12. Turn off your computer and make sure it powers down
13. Drop it in a 43-foot hole in the ground
14. Bury it completely, rocks and boulders should be fine
15. Then burn all the clothes you may have worn any time you were online
(from Weird Al's Virus Alert, greatest guide to computer security evah!)
posted by wendell at 7:47 PM on June 15, 2009


People are not patching. That is the real problem here.

All PC's at my company (A Big One) get automatic updates and patches and yet we still had/have a problem with this thing. Why? Because the patch to block it isn't the first one your machine gets, even on a home setup with Windows Update. And it only takes minutes for Conficker to get on there, often between the time you can get online and get the patch. So if you have to do a reinstall or you take a PC out of the box with the base image, you're going to be vulnerable if you don't patch offline before you ever get connected to anything even if you're doing everything you're supposed to do.

Patching offline is professional-level precaution and we're doing it, but the speed of the thing makes it hard not to have a compromised machine somewhere until the patch is part of the OS. And I know plenty of people who can do a Windows reinstall, but would never think to patch their machine before connecting to Windows Update to let it do it for them.

(Or, kinda what loquacious said.)
posted by Cyrano at 7:50 PM on June 15, 2009 [1 favorite]


16. Slaughter all the pigs.
posted by kanewai at 7:52 PM on June 15, 2009


I kinda figure if you skip any of those steps, you are taking unnecessary risks, however small. posted by Xoebe at 3:38 PM on June 15

Step 4 was Update your MS Windows.

I'd have to be rid of FreeBSD and downgrade to MS Windows. And pay Bill Gates money for broken software. Now why would I do that?

And don't you need MS Windows to have Conficker work?

For the Conficker threat - it seems that even needing to do step 4 is part of the problem.
posted by rough ashlar at 8:37 PM on June 15, 2009


Excellent stuff. This issue was previously previously sent up in the "Boss Level" of internet worms thread (why no conficker tag here?) and I will recommend the analysis from SRI again, who are referenced in the article- it is great that New Scientist appear to mostly get it. Although SRI wins: they have diagrams (overview of conficker guts).
Quote:
That said, as scan and infect worms go, we have not seen such a dominating infection outbreak since Sasser in 2004. Nor have we seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants since the Storm outbreak of 2007. Very impressive little bug.

I would like to note that one of the MS-sponsored efforts to address the issue is called the Conficker Cabal, which shows a sense of humor. Trench humor perhaps.
posted by zenon at 9:36 PM on June 15, 2009


koeselitz: Biological and electronic viruses are as different as biological and electronic worms.

* There hasn't been a true virus in the wild probably since CIH/Chernobyl. "Virus" is a term used today by modern witchdoctors to mean anything you can't explain. Support techs that can't fix problems routinely state "you must have a virus, you'll need to contact [insert vendor]".

* True viruses are exactly like their biological counterparts in that they cannot exist without a legitimate file to reside in.

You can resume your mythology now.
posted by felch at 10:08 PM on June 15, 2009


The problem is all the morons with heads full of conspiracy theories afraid to turn it own.

It doesn't really seem surprising to me that people who pirate windows would turn windows update off. Especially with Microsoft constantly rolling out new anti-piracy systems. Maybe you'll only get critical updates like mentioned before... or maybe Microsoft will shut your computer down. That would also stop you from getting infected, eh?
posted by smackfu at 10:32 PM on June 15, 2009


felch: There hasn't been a true virus in the wild probably since CIH/Chernobyl. "Virus" is a term used today by modern witchdoctors to mean anything you can't explain. Support techs that can't fix problems routinely state "you must have a virus, you'll need to contact [insert vendor]".

Yes. I know. That was part of my point. Perhaps I was unclear. That's why I mentioned worms… worms are the real danger here.

* True viruses are exactly like their biological counterparts in that they cannot exist without a legitimate file to reside in.

Yes, they are exactly like their biological counterparts in that sense. But they are different in other senses; people who don't trust Microsoft and have been (rationally or irrationally) unhappy with having to run Windows Update (which still isn't really necessary so long as you're running good security/antimalware programs) are nothing like people who refuse against the better judgement of science to vaccinate themselves or their children; sorry, but it's true. For one thing, the maker of the human body doesn't issue security updates; and for another thing, science is on a hell of a lot better footing than Microsoft.

So: since I was responding to Riki Tiki (who, I might point out, was the one who was using the word “virus” to describe Conficker, and who was saying that people who don't use Windows Update are like people who don't vaccinate) does it make sense that I said what I said? Which, remember, wasn't that biological and electronic viruses/worms are different in every way, but only that they're different in certain ways, ways that sort of render null his argument.

You can resume your mythology now.

I have no idea what you're talking about, but whatever.
posted by koeselitz at 2:12 AM on June 16, 2009


Patching offline is professional-level precaution and we're doing it, but the speed of the thing makes it hard not to have a compromised machine somewhere until the patch is part of the OS. And I know plenty of people who can do a Windows reinstall, but would never think to patch their machine before connecting to Windows Update to let it do it for them.

If your corporation is of any appreciable size, you should have a WSUS box on your LAN to patch all your local machines. Also, your workstations should all be behind a firewall to block incoming connections, thus preventing them from getting hit by worms before the updates get rolled out. It sounds like an odd setup you have at your place of work if people are getting worm infections the way you describe; none of those machines should be exposed to incoming connections!
posted by Thoth at 3:18 AM on June 16, 2009


4. Update your Windows.
posted by flabdablet at 3:37 AM on June 16, 2009


Epidemics are caused by monocultures. The way to stop epidemics is to promote diversity. Stop using Windows.
posted by DU at 5:14 AM on June 16, 2009 [1 favorite]


I wiped her machine, they turned my access back on and all was well.

And 10 minutes later she had installed a cute little kitty that walks around her screen and meows, a Super E-Commerce Dealfinder Search Assistant, and an Awesome Angels screensaver and all was not well again.
posted by Hovercraft Eel at 5:45 AM on June 16, 2009 [4 favorites]


Why? Because the patch to block it isn't the first one your machine gets, even on a home setup with Windows Update. And it only takes minutes for Conficker to get on there, often between the time you can get online and get the patch.

Again, pay attention: this patch was released in October. I patched all our machines here back then. Conficker didn't exist in October. There's no dramatic Hollywood-style "the Conficker is on the network, quickly get the update working... 10... 9... 8... 7..." In other words, your IT dept is incompetent if they waited 2 months to patch an uber-critical vulnerability like this.
posted by damn dirty ape at 6:41 AM on June 16, 2009


Conficker Eye Chart
posted by Pope Guilty at 8:20 AM on June 16, 2009


Computers aren't as useful these days, if they're not hooked up to a network or otherwise have an umbilical cord to the outside world.

I'm running XP Pro in VirtualBox on Ubuntu. Internet works great.

Why does Windows have such a crappy update mechanism? If a fix was found in October the patch should have been applied in days; instead it failed to be installed by a large portion of the users months later. Sure you can blame the users, but this is unproductive. This seems like a huge failure on Microsoft's part. For contrast, Ubuntu generally has a list of updates that pops up every couple of days. I'm sure if an exploit like this existed and had been patched it would appear there. Most users just get in the habit of applying these updates without even looking too closely at them. I mean it's really as simple as that.
posted by no_moniker at 8:49 AM on June 16, 2009


Sure you can blame the users, but this is unproductive.

You know, it's not like Synaptic runs itself.
posted by Pope Guilty at 8:51 AM on June 16, 2009


I'm running XP Pro in VirtualBox on Ubuntu. Internet works great.

Virtualization doesn't protect you meaningfully from worms; your virtual XP install is just as vulnerable to worms as a real one. If you do get infected it's easier to reset to a clean state, but then you'll lose all the changes you made in your XP environment.

Why does windows have such a crappy update mechanism?

Actually Windows has a very good update mechanism. They provide security patches swiftly, they are distributed automatically, and they can be installed automatically. The updater is quite unobtrusive. I've never once had a problem with any Microsoft-distributed update. (By contrast, Adobe and Apple's updaters on Windows are both terrible).

The main reason people don't patch Windows is they've disabled the updater. Typically because they fear the update might break their machine or in a mistaken belief that the updater somehow won't work with their stolen copy of Windows. Neither concern is very valid, particularly if you consider just installing the high priority security updates. But short of forcing users to install the update, removing their choice, I don't know what else Microsoft can do.

Microsoft and Windows used to have horrible security, ignoring flaws and distributing patches slowly. That stopped several years ago, they now have a very good team of people handling exploits and a very effective security update mechanism. Part of what's scary about Conficker is that despite all that, it's not good enough. I fear it wouldn't be any better if Ubuntu or MacOS had a large enough installed base to be targeted by an organized criminal enterprise the way Windows is.
posted by Nelson at 9:11 AM on June 16, 2009


Typically because they fear the update might break their machine or in a mistaken belief that the updater somehow won't work with their stolen copy of Windows.

A routine security update for a Microsoft Windows component installed on tens of millions of computers has quietly installed an extra add-on for an untold number of users surfing the Web with Mozilla's Firefox Web browser.

...

Big deal, you say? I can just uninstall the add-on via Firefox's handy Add-ons interface, right? Not so fast. The trouble is, Microsoft has disabled the "uninstall" button on the extension. What's more, Microsoft tells us that the only way to get rid of this thing is to modify the Windows registry, an exercise that -- if done imprecisely -- can cause Windows systems to fail to boot up.
posted by Pope Guilty at 9:24 AM on June 16, 2009 [1 favorite]


Yeah, Pope, that was a fuckup. Here's a fix Microsoft released.
posted by Nelson at 9:32 AM on June 16, 2009


To repeat myself: less than 40% of administrators patched their *nix machines in the lead up to the Slapper Worm, another 30% once the worm was in the wild, leaving a full 30% of systems unpatched in the period studied. Most admins simply don't update until they need to - and even then some don't.

Note: researchers expected mod_SSL users to be better than average about installing security fixes for a number of reasons, including: "UNIX users are widely believed to be more experienced in server administration than Windows users" and the seriousness of the problem, i.e. "the flaw allowed an attacker to take over the entire Webserver".

Seconding Nelson: Windows is the only OS that I know of that has a regular update schedule; everybody else has random updates here and there, some more frequent than others. It may be that Windows needs to have that update schedule, but the problem here seems to be the operators, and patching generally. And Pope Guilty is correct: stuff like that is the main reason Windows is the OS I avoid when I can.
posted by zenon at 10:07 AM on June 16, 2009 [1 favorite]


You know, it's not like Synaptic runs itself.

Have you used Ubuntu? Every couple of days automatically a suggested update window pops up without the user doing anything. After that you install by hitting ok (and typing in your password).

But it looks like in the case of windows a lot of users shut off updates for some reason. Tough to fault Microsoft for that I suppose.

I also agree that there is some self selection on the *nix systems and far less work put in by hackers to exploit them. If they had the majority market share I think they would have a good deal more problems, but their design is superior in some ways, specifically file permissions.
posted by no_moniker at 10:16 AM on June 16, 2009


Yep, that's the elephant in the room. The one the Linux kiddies are afraid to address: most webserver infections are some type of unix which target windows exploits. If these webmasters would keep the exploits off their machines we'd be a lot better off. You can't just sit there and repeat the Slashdot talking points and FUD about Windows. Security needs to be holistic. That means cleaning up all the exploits in the world's badly written PHP apps and patching the Windows client-side exploits. We're all in this together.
posted by damn dirty ape at 11:26 AM on June 16, 2009


Sure you can blame the users, but this is unproductive.

I guess personal responsibility is out of style here at MetaFilter. Hopefully, it's alive and well in the real world.
posted by damn dirty ape at 11:31 AM on June 16, 2009


Brak: Botnets will never be eradicated, simply based on the enormous number of machines connected to the internet at any given time, that aren't properly administered, and thus vulnerable to complete remote takeover.

No one ever suspects that the worst will happen, or takes precautions against it, until it does. As everyone should know from watching Battlestar Galactica:

Laura Roslin: I don't get it. We're talking about a visitor's guide.

William Adama: The answer's no.

Doral: (I'm sure there's a way to work this out...)

Roslin: It tells people things like where the restroom is. Or what's the lunch special in the cafeteria. Or how do I buy a Galactica t-shirt.

Adama: I don't care what it does. It's an integrated computer network and I won't have it on this ship.

Roslin: You're one of those people? You're actually afraid of computers?

Adama: I'm not afraid of computers. There are computers on this ship right now, but none of them are networked together.

Roslin: I don't think you understand. The computer network will make it faster and easier for teachers to teach their students about this ship and—

Adama: Madame Secretary, I don't think you understand. Good men and women died on this ship because someone wanted a faster computer to make life easier. So I'm sorry if I'm inconveniencing you and your teachers, but I'll be damned if I'm going to let you or anyone else put a computer network on this ship while I'm in command. Now, is that clear?

posted by koeselitz at 12:03 PM on June 16, 2009 [1 favorite]


Yes, hard to imagine why you'd turn off updates, when it does things like, oh, completely turn off your sound card. Once, I was even unable to use Word. I long for the day when no one ever makes me use Word for anything again, and so many companies stop catering to Microsoft users only. (As I noted earlier, it's best just to do Word or Power Point files in MS Office, rather than Google docs or some substitute, if you're sending the docs to someone else for professional purposes). Vista is appalling.
posted by raysmj at 12:05 PM on June 16, 2009 [1 favorite]


I don't want to point the finger entirely at users (perhaps mostly); it's both OS & users. As well, I don't know how positively MS forcing some system of updates would be received by the general population, especially if they are getting "fixes" for Mozilla products or other shenanigans.

It is a situation that is not going to improve in the near future, because it remains unreasonable to expect high computer literacy - most folks get burned before they wise up on what they should be doing with their machine, and it is impossible to place all of the responsibility on the OS - if they were able to get it right we wouldn't be having this discussion.
posted by zenon at 12:09 PM on June 16, 2009


damn dirty ape: That's a damned arrogant statement, considering that Microsoft can't even get its updates to work with its showcase Office software, in the "real world" that I inhabit.
posted by raysmj at 12:11 PM on June 16, 2009


Have you used Ubuntu? Every couple of days automatically a suggested update window pops up without the user doing anything. After that you install by hitting ok (and typing in your password).

If you don't turn off Automatic Updates, Windows does everything for you in the background without the user doing anything at all. It's not about ease of use.
posted by Pope Guilty at 3:23 PM on June 16, 2009 [1 favorite]


That Torpig paper posted by bhance, fucking amazing

From the conclusion:

the victims of botnets are users with poorly maintained machines that choose easily guessable passwords to protect access to sensitive sites. This is evidence that the malware problem is fundamentally a cultural problem.
posted by yoHighness at 5:26 PM on June 16, 2009


Yeah, the torpig paper should be a FPP - excellent link bhance.
posted by benzenedream at 5:35 PM on June 16, 2009


It is most definitely about ease of use. The updates have a tendency to screw even basic Microsoft programs up.
posted by raysmj at 6:53 PM on June 16, 2009


I read the torpig paper and now I'm scared to go on the internet. It just got worse and worse: MBR rootkit that can't be caught by virus scanners, code injection into network drivers to get around firewalls, and perfect https site spoofing. Shudder.
posted by smackfu at 8:28 PM on June 16, 2009


MBR rootkits are easily detected by using a scanner that doesn't boot from the hard disk. Malware would need a BIOS-flashing rootkit to get around that, and since BIOSes are not a monoculture, this is unlikely to turn into a real-world problem.
posted by flabdablet at 10:52 PM on June 16, 2009
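What flabdablet describes above (a scanner booted from clean media, reading the first sector directly and comparing it with a known-good state) can be sketched in code. The following is an added Python example for this thread, not code from the New Scientist article or from any commenter. It assumes a baseline was captured while the machine was known to be clean, and it goes slightly beyond the comment by checking the partition table as well as the bootstrap code; every MBR byte below is constructed for the demo, and no real disk is touched unless you call `read_first_sector` with a device path yourself.

```python
"""Offline MBR integrity check (added example; constructed sample data only).

Models what a rescue-media scanner can do with the first sector of a disk:
compare the bootstrap code and the partition table against a baseline that
was recorded while the machine was known to be clean.
"""

import hashlib
import struct

SECTOR_SIZE = 512
BOOT_CODE_LEN = 446          # bytes 0..445 hold the bootstrap code
PARTITION_TABLE_OFF = 446    # four 16-byte partition entries follow
SIGNATURE_OFF = 510          # the last two bytes must be 0x55 0xAA
ENTRY_FMT = "<B3sB3sII"      # status, CHS start, type, CHS end, LBA start, sector count


def parse_mbr(sector: bytes) -> dict:
    """Split a raw 512-byte MBR into a boot-code hash, partition entries and signature flag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    boot_code = sector[:BOOT_CODE_LEN]
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFF + 16 * i
        status, _chs_start, ptype, _chs_end, lba_start, count = struct.unpack(
            ENTRY_FMT, sector[off:off + 16])
        partitions.append({"bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": count})
    return {
        "boot_code_sha256": hashlib.sha256(boot_code).hexdigest(),
        "partitions": partitions,
        "valid_signature": sector[SIGNATURE_OFF:SIGNATURE_OFF + 2] == b"\x55\xaa",
    }


def check_mbr(sector: bytes, baseline: dict) -> list:
    """Compare a live MBR with the clean baseline; an empty list means no findings."""
    current = parse_mbr(sector)
    findings = []
    if not current["valid_signature"]:
        findings.append("boot signature 0x55AA missing")
    if current["boot_code_sha256"] != baseline["boot_code_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if current["partitions"] != baseline["partitions"]:
        findings.append("partition table differs from baseline")
    return findings


def make_mbr(boot_code: bytes, partitions: list) -> bytes:
    """Build a constructed 512-byte MBR (demo input only, not a real disk image)."""
    table = b"".join(
        struct.pack(ENTRY_FMT, 0x80 if p["bootable"] else 0x00, b"\x00" * 3,
                    p["type"], b"\x00" * 3, p["lba_start"], p["sectors"])
        for p in partitions)
    return (boot_code.ljust(BOOT_CODE_LEN, b"\x00")
            + table.ljust(64, b"\x00")
            + b"\x55\xaa")


def read_first_sector(path: str) -> bytes:
    """Read the MBR from a block device or image file (e.g. /dev/sda from a rescue boot)."""
    with open(path, "rb") as disk:
        return disk.read(SECTOR_SIZE)


# --- constructed sample data ------------------------------------------------
# Stand-in for an ordinary bootstrap stub; the bytes only look like code and
# are not a working boot loader.
CLEAN_BOOT_CODE = b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb" + b"\x90" * 32
SYSTEM_PARTITION = {"bootable": True, "type": 0x07, "lba_start": 63, "sectors": 1_000_000}

CLEAN_MBR = make_mbr(CLEAN_BOOT_CODE, [SYSTEM_PARTITION])
BASELINE = parse_mbr(CLEAN_MBR)   # what the scanner stored while the box was clean

# Same partition table, different bootstrap bytes: the trace a boot-sector
# modification leaves, which a hash comparison catches regardless of what the
# new bytes do.
TAMPERED_BOOT_MBR = make_mbr(b"\xeb\x20" + b"\x00" * 40, [SYSTEM_PARTITION])

# Unchanged bootstrap code, but an extra entry appended to the partition table
# (0x17 is the hidden-NTFS type code).
HIDDEN_PARTITION = {"bootable": False, "type": 0x17, "lba_start": 1_000_063, "sectors": 2048}
TAMPERED_TABLE_MBR = make_mbr(CLEAN_BOOT_CODE, [SYSTEM_PARTITION, HIDDEN_PARTITION])


if __name__ == "__main__":
    for name, image in [("clean", CLEAN_MBR),
                        ("boot code swapped", TAMPERED_BOOT_MBR),
                        ("partition added", TAMPERED_TABLE_MBR)]:
        print(f"{name}: {check_mbr(image, BASELINE) or 'OK'}")
```

The point of running this from separate boot media, as the comment says, is that the check reads the sector through a clean kernel and driver stack; a rootkit that hooks disk reads on the infected OS could otherwise hand the scanner the original bytes.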


Yes, hard to imagine why you'd turn off updates, when it does things like, oh, completely turn off your sound card. Once, I was even unable to use Word.

To be fair, I've occasionally had customer Ubuntu boxes temporarily broken by kernel updates.

But kernel updates are so far the only ones I've ever seen break anything, and because kernel updates add a new default kernel but don't remove the old one, it's really easy to boot the machine with the older kernel and be up and running again while waiting for the breakage to be resolved. This is something I have explained how to do to two of my least clueful customers, in less than five minutes of phone time each, and each of them not only understood what to do but understood why and was left understanding how to deal with similar occurrences should they happen again.

By contrast, I have often seen Windows automatic updates break things, and it's not, in general, easy to predict which update needs to be rolled back to fix them. As a part-time school network administrator, I cannot simply allow all my Winboxen to update themselves whenever they feel like it. Instead, I have them do it only on Monday nights, because Tuesday is one of my work days and I'll be at the school to fix the occasional show-stopping server or workstation breakage*.

For the non-technical home computer user, there is much more incentive to turn off Windows automatic updates than to disable the Ubuntu update manager.

Epidemics are caused by monocultures. The way to stop epidemics is to promote diversity. Stop using Windows.

Quoted for truth.

I'm also fairly convinced that if we ever do see a day where Windows is reduced to one of many desktop OS players, we will also see that it is in fact more vulnerable to exploits than *nix based competitors, for one simple reason: it will still be running with full admin privileges on most boxes most of the time, because Windows apps that misbehave unless you grant them admin rights will still be common enough to make most people not bother with limited user accounts.

Conficker and other worms that rely on modifying the master boot record would get nowhere without admin privileges. In fact, without those privileges most malware would end up far easier to detect and far easier to remove. *nix-family systems have always separated user and admin activities, and they simply don't have Windows' cultural heritage of apps that gratuitously require admin access.

And yes, I do know that Vista and W7 have the User Annoyed Constantly feature, which was allegedly designed to enforce running with LUA most of the time. In fact, since the LUA violations characteristic of Windows environments are an app problem rather than a system problem, all UAC actually does is teach users to swear and click Allow without thinking about what they're doing.

*In the most recent of these, something in Automatic Updates caused the school's admin server to switch the drive letters for its main hard drive and an external USB backup drive. It had automatically restarted with %SystemRoot% set to H:\WINDOWS instead of C:\WINDOWS and lots of things failed, including the ability to log on at the admin console - even in Safe Mode. That was fun to fix.
posted by flabdablet at 11:56 PM on June 16, 2009 [1 favorite]


I can't believe nobody has mentioned this one yet, but continuing Xoebe's list:

18. Delete the system32 folder. (In addition to enhancing security, this also yields a huge performance boost. I've been consistently getting 85fps in Crysis on my EEE netbook since I did this).

Disclaimer: if you follow this advice, you are an idiot.
posted by mullingitover at 10:17 AM on June 17, 2009


>In the most recent of these, something in Automatic Updates caused the school's admin server to switch the drive letters

You're crazy if you have servers doing AU. You should be testing all patches on a spare box and then manually installing them or approving them via WSUS. There will always be bugs; you should be responsible to your client to watch out for them. Blaming MS here is only part of the problem; the other part of the problem here is you and your practices.
posted by damn dirty ape at 8:58 PM on June 17, 2009 [1 favorite]


It's a small school, small amounts of IT downtime don't stop the school from functioning as a school, we don't yet have a spare server box, I'm always onsite the morning after the updates get applied, and a little over an hour before they do get applied the server has completed a full backup including system state.

Also, Microsoft doesn't pay me to do its quality control. The school employs me part-time to keep its IT resources functioning reliably. If I were to spend more time doing Microsoft's job, I'd need to spend less time working on other issues inside the school.

So I don't think I'm crazy - I think that the system administration choices I've made strike a reasonable balance between all the requirements that apply at my workplace.

And I would certainly rather risk a bit of broken-update-induced downtime than risk outbreaks of god knows what due to unduly tardy patch application, because update breakage isn't deliberately hard to fix.
posted by flabdablet at 12:42 AM on June 18, 2009

