Author Topic: Conficker - The Facts  (Read 21146 times)
f0dder
« Reply #25 on: April 01, 2009, 12:41:30 AM »

Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.
« Last Edit: April 01, 2009, 02:12:09 AM by f0dder »

- carpe noctem
app103
« Reply #26 on: April 01, 2009, 12:54:31 AM »

> Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.

Wait, I connect to hidemyass.com and type in the URL of my antivirus company and click the button. The proxy is using my DNS to find where that URL is and not theirs? That just sounds weird, since the point of the proxy is to not connect to the URL at all and let the proxy do it for you and forward the data to you.

Unless conficker is blocking your access to that particular proxy service, I don't see how or why it would fail to work.

Try it. Block access to download.eset.com in your hosts file, firewall or any other way you choose. Then put this url in the box at hidemyass.com and see if you get the file, paying close attention to where it says it is coming from: http://download.eset.com/...ial/EConfickerRemover.exe

Ehtyar
« Reply #27 on: April 01, 2009, 01:05:12 AM »

Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts file, but that file is probably used by DnsQuery() and thus the method is going to fail because of Conficker's patching.
Most of the big sites should work as they're on dedicated/load balanced boxes. For the smaller ones, you can use one of a number of methods to send a fake Host header.

> Even with a proxy, you'd still be doing the DNS lookup locally - it's only the HTTP connection to the server that's going through the proxy.
F0d Man, were you thinking of a proper proxy? App Lady is talking about a web proxy.

Ehtyar.
f0dder
« Reply #28 on: April 01, 2009, 01:40:53 AM »

Sorry guys, I hadn't had enough morning coffee when I typed that post - I was thinking of a transparent proxy rather than one of those manual proxies.
J-Mac
« Reply #29 on: April 01, 2009, 01:54:59 AM »

> Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts file, but that file is probably used by DnsQuery() and thus the method is going to fail because of Conficker's patching.

That is very true, but using a proxy like hidemyass.com would probably work, without the need of even trying the IP and using the actual URL that conficker is blocking. And yes, you can download removal tools through that proxy. I tested it.

That's a great tip, app. Thank you!

Jim

"I am getting so tired of slitting the throats of people who say that I am a violent psychopath."
iphigenie
« Reply #30 on: April 01, 2009, 04:15:15 AM »

But did I get this right - anyone with a legal copy of Windows (and that includes people with a legal copy of Windows which they installed on several machines, or multiple times on one machine for testing/development purposes) who runs regular updates is protected by free software, so the only people not protected are the people with pirate copies who don't also have a paid/pirated/free copy of a virus scanner.

Those people really deserve what they get, no?
f0dder
« Reply #31 on: April 01, 2009, 04:42:26 AM »

The people pirating Windows generally use a WGA hack, so they get updates just fine.

How long was the infection window open before a patch was released?
Ehtyar
« Reply #32 on: April 01, 2009, 05:26:12 AM »

> But did I get this right - anyone with a legal copy of Windows (and that includes people with a legal copy of Windows which they installed on several machines, or multiple times on one machine for testing/development purposes) who runs regular updates is protected by free software, so the only people not protected are the people with pirate copies who don't also have a paid/pirated/free copy of a virus scanner.
Incorrect. You can still be infected if using an easily guessed password or through using an infected USB memory stick. The update only protects you from infection over the internet.

Ehtyar.
nite_monkey
« Reply #33 on: April 01, 2009, 08:30:59 AM »

Luckily for me, my computer hates autorun anyway. I believe it only worked for the first week I had Windows installed, and then it just randomly stopped working. Now I need to go home and put a password on my computer's accounts, because I am stupid and don't use passwords on the admin account or my user account because I am stupid... and lazy.

[Insert really cool signature here]
Stoic Joker
« Reply #34 on: April 01, 2009, 09:26:48 AM »

This is a classic example of why the 80/20 Rule of Information Security works. ...And throwing (away) mountains of cash on system-resource-hogging "Baby-Sitter" security applications doesn't.

I have never had to do a major cleanup on a network where A. (80/20) was enforced and B. (Baby-Sitter) was ignored. Now, I'm not advocating that folks run without AV, I'm just pointing to an all too commonly repeating pattern where most (if not all) of this could have been avoided if people just took a few minutes outa their day to do something that's completely free.
Edvard
« Reply #35 on: April 01, 2009, 10:21:19 AM »

So, it's April 1st...

Anything happening? (no reports in the news yet)


All children left unattended will be given a mocha and a puppy.
mwb1100
« Reply #36 on: April 01, 2009, 11:13:21 AM »

> So, it's April 1st...
>
> Anything happening? (no reports in the news yet)

I heard an ABC News radio report that they put an unprotected machine on Internet, and it got probed and compromised within a few minutes.  To be honest, I'm not sure how different that might be from any other day on the Internet.

I'm sure that having a NAT router between you and the 'net would go a long way toward preventing the problem (though does having UPnP enabled on the router change that? - It came enabled by default on my most recent router.)


Lashiec
« Reply #38 on: April 01, 2009, 12:36:06 PM »

> So, it's April 1st...
>
> Anything happening? (no reports in the news yet)

Yeah, but at some point you can't tell if it's another joke or the real thing. What a date to choose to activate the worm... So far, everything seems all right, did not see any report other than Conficker becoming "self-aware".

What bothers me is that browsing the Internet today is a major pain in the ass, because everything is loading much slower than normal. What's more, I've been trying to download a podcast for the last two hours, achieving some staggering download rates (2 KB per second), and the cable modem took like 5 minutes to connect to the ISP this morning. I assume the Net is crumbling under the Conficker hammering, or perhaps it's just a particular problem with my provider.
Edvard
« Reply #39 on: April 01, 2009, 12:43:10 PM »

I haven't experienced any noticeable delays, so it must be your ISP.
Ehtyar
« Reply #40 on: April 01, 2009, 02:28:39 PM »

> I'm sure that having a NAT router between you and the 'net would go a long way toward preventing the problem (though does having UPnP enabled on the router change that? - It came enabled by default on my most recent router.)
Disabling UPNP is to prevent Conficker from spreading from your network only.

I'm surprised at the number of people who expected the skies to fall and the seas boil today. Wasn't my original post about that not happening? Anyway, just be sure to keep your current protections in place and be prepared for the update to occur sometime soon. If you ask me, an awful lot of work has gone into Conficker for its authors to forget about it now.

Ehtyar.
Edvard
« Reply #41 on: April 01, 2009, 02:44:46 PM »

While I certainly was not expecting doomsday, I was wondering if something was happening.

So far, it's done nothing but wake up and start resolving DNS's just like they said it would.

I'm with you Ehtyar, it's put together too well to turn out to be nothing. But what it will do, I am very interested in.
Ehtyar
« Reply #42 on: April 01, 2009, 02:59:21 PM »

Indeed!! I spent far too much time yesterday watching news updates in case there was news. I'd very much like to know what Conficker will morph into when its authors decide to get their act together, though I'm not surprised nothing happened yet, far too much media attention at the moment.

Ehtyar.
40hz
« Reply #43 on: April 01, 2009, 06:20:42 PM »

> The people pirating Windows generally use a WGA hack, so they get updates just fine.

That, or they just use any one of a number of freebie offline-WSUS apps you can find on the web. With these, they just grab all the updates off Microsoft's website and burn them to a DVD for use on multiple machines.

I'm 110% legal with everything (MS Partners don't dare screw around with that) but I still do all my MS updating via offline utilities.

Don't you see? It's turtles all the way down!
app103
« Reply #44 on: April 02, 2009, 03:30:12 PM »

Found this amusing little "eye chart" on friendfeed, for detecting if you are infected with Conficker:

http://www.confickerworki...tion_test/cfeyechart.html

While it's not 100% foolproof detection, it would work in a lot of cases, providing you aren't using certain types of proxies.
Ehtyar
« Reply #45 on: April 02, 2009, 06:53:24 PM »

Why is it not foolproof? IMO that's a much easier way for users to detect Conficker than attempting to download a tool from a site that Conficker blocks.

I nearly hit the roof at work this morning when we got an email from the higher-ups about Conficker, suggesting that if you believe you're infected you download a cleaning utility from Microsoft or Symantec, both of which are blocked by Conficker. Would common sense not tell you to have users check for infection by attempting to access, say, microsoft.com and then, if they have issues, provide a URL that Conficker doesn't block from which to download your removal tool? What the hell is wrong with these people?

Ehtyar.

[edit]
Now that my ranting impulse has been satisfied, thanks for the link App.
[/edit]
« Last Edit: April 02, 2009, 06:55:35 PM by Ehtyar »
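Added example, not from the thread or from the eye chart's authors: an offline model of the check app103 linked and Ehtyar describes above, comparing resolution of security-vendor names against neutral control names and reporting the pattern. The host lists and the fake resolver are constructed for the demonstration, and the verdicts encode the caveats raised in the thread: a web proxy that resolves names remotely hides the block, a hosts-file block looks identical, and a general outage proves nothing.

```python
import socket
from typing import Callable, Dict

# Constructed lists for the demonstration: names the thread says a DNS-blocking
# worm refuses to resolve, and neutral controls that should always resolve.
VENDOR_HOSTS = ["www.microsoft.com", "www.symantec.com", "download.eset.com"]
CONTROL_HOSTS = ["example.com", "example.org"]

Resolver = Callable[[str], str]


def resolves(host: str, resolver: Resolver = socket.gethostbyname) -> bool:
    """True if the resolver returns an address for host, False on any lookup error."""
    try:
        resolver(host)
        return True
    except OSError:  # socket.gaierror / socket.herror are OSError subclasses
        return False


def eye_chart(resolver: Resolver = socket.gethostbyname,
              vendor_hosts=VENDOR_HOSTS,
              control_hosts=CONTROL_HOSTS) -> Dict[str, object]:
    """Classify the way the eye chart does: controls up, vendors down => suspect."""
    vendor = {h: resolves(h, resolver) for h in vendor_hosts}
    control = {h: resolves(h, resolver) for h in control_hosts}
    if not any(control.values()):
        verdict = "no_connectivity"    # everything fails: outage, not evidence of the worm
    elif all(vendor.values()):
        verdict = "clean_or_proxied"   # also what a remotely resolving web proxy shows
    elif not any(vendor.values()):
        verdict = "suspect_blocking"   # the eye chart pattern (or a hosts-file block)
    else:
        verdict = "inconclusive"       # partial failures: retry before concluding
    return {"verdict": verdict, "vendor": vendor, "control": control}


def make_fake_resolver(blocked: frozenset) -> Resolver:
    """Constructed stand-in for DNS so the check can be exercised offline."""
    def fake(host: str) -> str:
        if host in blocked:
            raise socket.gaierror("simulated: name not resolved")
        return "192.0.2.1"  # TEST-NET-1 documentation address, never real
    return fake


if __name__ == "__main__":
    simulated = make_fake_resolver(frozenset(VENDOR_HOSTS))
    print(eye_chart(simulated)["verdict"])  # suspect_blocking
    print(eye_chart()["verdict"])           # live check against the real resolver
```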
Stoic Joker
« Reply #46 on: April 03, 2009, 07:25:29 AM »

> Why is it not foolproof? IMO that's a much easier way for users to detect Conficker than attempting to download a tool from a site that Conficker blocks.
>
> I nearly hit the roof at work this morning when we got an email from the higher-ups about Conficker, suggesting that if you believe you're infected you download a cleaning utility from Microsoft or Symantec, both of which are blocked by Conficker. Would common sense not tell you to have users check for infection by attempting to access, say, microsoft.com and then, if they have issues, provide a URL that Conficker doesn't block from which to download your removal tool? What the hell is wrong with these people?
>
> Ehtyar.

You think that's bad...? ...Symantec had a big banner on their main page yesterday morning that said "Not sure if you're infected with the April 1st bug? For more information click here".

What more information?!? ... (I'm guessing lame sales pitch/I never checked) ... How about just saying "If you can read this you are ok."? It would make more sense, now wouldn't it?
Ehtyar
« Reply #47 on: April 03, 2009, 03:00:39 PM »

Yeah, so true. My boss was on McAfee for whatever reason yesterday, and they were doing exactly the same thing. It's always such a disappointment when companies take advantage of consumers' ignorance like that.

Ehtyar.
Ehtyar
« Reply #48 on: April 05, 2009, 07:02:42 AM »

I found this just now and thought it might be useful. It is a scanner, written by Team White Hat (Dan Kaminsky's crew) in python that should detect Conficker-infected machines.

The scanner can be downloaded as an independent package that can be run without python:
http://iv.cs.uni-bonn.de/uploads/media/scs_exe.zip
Simply extract the package and run 'scs <start-ip> <end-ip>' to scan an entire IP range, or 'scs <ip-list-file>' to scan a text file containing a list of IPs to scan. You can also run 'scanner <ip>' to scan a single IP address.
If you're handy with python you can download the source script (it requires the Impacket lib):
http://iv.cs.uni-bonn.de/uploads/media/scs.zip
More info is available at:
http://iv.cs.uni-bonn.de/...ons/containing-conficker/

Hope these help out in some way.

Ehtyar.
Shook
« Reply #49 on: April 05, 2009, 05:17:45 PM »

I just can't help wondering if anything actually happened at the time/date when people were all "OH SNAP WE'RE GOING TO BE BLASTED BY CONFICKER"? I mean, in my everyday life, I've literally seen nothing regarding this Conficker, and the Danish news is usually eager to pounce on any major (bad) news outside Denmark, especially one like this of such potential magnitude. (Say that 10 times fast >.>)
The most I've seen of it is sporadic threads on forums here and there, but nothing about whether anything actually happened. People do say that bad things will happen, but so far, I've seen... Well, nothing. Personally, I'm starting to doubt the existence of this virus. Am I totally alone in this?
DonationCoder.com Forum | Powered by SMF