The C Variant

By John Conway | March 25, 2009 5:28 pm

Not to be a harbinger of doom, but this one sounds bad. There are some 6-15 million computers out there running Windows which are infected with a computer virus, dubbed Conficker C. The recent report by SRI makes for some chilling reading. On April 1 (that is, next Wednesday!) the virus is set to…well…do something. It’s not clear what, but so many millions of computers will do it. The report concludes:

We present an analysis of Conficker Variant C, which emerged on the Internet at roughly 6 p.m. (PST) on 4 March 2009. This variant incorporates significant new functionality, including a new domain generation algorithm and a new peer-to-peer file sharing service. Absent from our discussion has been any reference to the well-known attack propagation vectors (RPC buffer overflow, USB, and NetBios Scans) that have allowed C’s predecessors to saturate so much of the Internet. Although not present in C, these attack propagation services are but one peer upload away from any C infected host, and may appear at any time. C is, in fact, a robust and secure distribution utility for distributing malicious content and binaries to millions of computers across the Internet. This utility incorporates a potent arsenal of methods to defend itself from security products, updates, and diagnosis tools. It further demonstrates the rapid development pace at which Conficker’s authors are maintaining their current foothold on a large number of Internet-connected hosts. Further, if organized into a coordinated offensive weapon, this multimillion-node botnet poses a serious and dire threat to the Internet.

Yikes! Whoever wrote this thing is not a very nice person…or persons. The C variant apparently managed to upgrade itself over the network, and disables security and anti-virus software. If I were you (and I am apparently not because I use only OS X and Unix) I would update my antivirus software every day and scan my machine. And leave it off next Wednesday if possible.

Pass the word…

  • Moshe

    i-switched very recently, so I could use this as an opportunity to snicker, but in all honesty this sounds like yet another doomsday scenario. I have a feeling next Wednesday there will be a new one.

  • Don

    Those who don’t use/own a Windows PC shouldn’t feel too smug. It’s your Internet too.

  • John

    I certainly don’t feel smug…I’d hate to see this thing unleash a really malicious attack.

    The SRI report sounds dire, but there is a variation of opinion out there as to how big a threat this is. See for example



    It all depends on the intent of the authors, I guess, as to how bad it will be.

  • Dileep
  • Gary Roberts

    Well, after using Windows 7 for a week, I realized why I bought a Mac in the first place. My HP laptop is definitely turning back to Ubuntu.

  • Fil

    OS X ⊂ Unix.

  • ts

    I thought people are buying from MS since they actually want to deal with the excitement. Viruses are important features of Windows. They create new business opportunities for computer security companies, so all is great for US economy.

  • Maugrim

    I use Windows purely because I play PC games. Those of us who game are pretty much locked-in until developers worldwide see the light and provide robust alternatives.

  • trond

    Here’s a week old comment from a real hacker:

    “I was surprised. For IE 8, I’d give him a 9 out of 10. For Safari, maybe a 2. It’s just too easy to pop Safari. For Firefox on Windows, I give him a 10. That was the most impressive of the three. It’s really hard to exploit Firefox on Windows.”

  • Daithí

    1st April? How convenient….

  • Oliver

    doomsday. puuuulkllleeeeeezzzeee!!

    This is nothing but another Y2K scenario. In the famous words of Sir W. S.

    “Much ado about nothing”

  • Spiv

    Yeah, having 90% of the market kinda makes it the target for everything. As mentioned above, macs are not actually much more secure, but there’s almost no one writing viruses for macs (inqtana.a, leap.a, stuff like that come to mind).

    PC’s basically lack herd immunity- the number of viruses that are ‘unwashed’ is too high for the sheer number of users it can be propagated through. You only need a small percentage that haven’t updated their security, or to willingly install a virus from an email attachment, or whatever, to come up with a pretty grand problem.

    <–I have both windows and unix machines. Neither has had a virus in years and years. Guess I just don't open too many email attachments with bad grammer?

  • Spiv

    Oh, and don’t let me give you the wrong idea. Macs are a heck of a lot more secure than a windows machine, at least as far as the typical exploits are concerned. But to think anything as complex as an OS can lack any means of exploit whatsoever?

  • Egaeus

    Spiv, it doesn’t take opening questionable email. All it takes is an exploit and a compromised website. I recently got a variant of Vundo. I don’t look at porn, download cracks, or go to other questionable websites. I use Opera, not IE, Firefox, Chrome or Safari, so my browser is too obscure to be an effective vector. I use Gmail webmail, not Outlook.

    However, somehow (probably through JavaScript), I ended up with an infection that AVG couldn’t detect, even after several days of update-and-scan cycles. It disabled Windows Update, Folder Options (after disabling viewing hidden files and hiding itself), and regedit. Then it proceeded to drop more and more virus and trojans on my machine (which AVG did detect).

    I had to get the AVGRTK_remover VB script to fix the registry keys that were thwarting my attempts at removing the virus manually, and ended up using my work laptop to scan my HD over the network with Symantec to identify all of the viral files. It took the better part of a week to completely remove all traces.

    So I was embarrassed to have been infected, since I’m someone who “knows better,” but there was nothing that I did that was high-risk. Sometimes it just happens.

  • The Chemist

    I’m covered by viture of the fact that both my fairly new laptop and my backup laptop are out of commission. Hooray?

  • The Chemist

    *Above should be “virtue”.

  • Spiv

    Egaeus: vundo/virtualmundo is a very interesting one, I messed with that on someone else’s machine not long ago. Apparently chrome is the only thing immune to it. Anything else it is able to exploit javascript somehow, and from there it’s a pain to remove (though if you are still stuck on it I can explain the manual removal process).

    Even if you think your spyscanner or virusscanner got rid of it, it’s very wise to manually check. Pop into the system tools-> system information, click software environment->startup programs and look for things that are a fairly random string of ~7 letters. If you can’t find an actual process related, you’re still infected with it, despite whatever your anti-junk tools tell you.

    This little nicker is really, really obnoxious, because you don’t have to do anything wrong to get it (unlike almost all others), and it’s basically immune to every protection, and no one seems to have an answer to actually gaining immunity to it.

    I’m used to the type people write by exploiting security issues that are openly outlined in MS’s security bulletins and work by assuming enough people are too lazy to keep their patches up to date. Vundo is different. Very different.

  • chemicalscum

    Hell why don’t you guys give up and run Ubuntu. Then you can stop worrying and enjoy life. Still I always keep my system fully patched and up to date just to be safe anyway.

  • Ezryder

    …and all the villagers of Troy welcomed the magnificently crafted gift that had been rolled up to their impregnable gate….

    “Perhaps we should send a thank you note to the Spartans who sent us this magnificent horse…”

    There are seriously bad people out there, and whether or not this particular virus is cybergeddon is beyond the point…This is the blueprint for how a cyberwar will be carried out someday.

    Also, this worm has infected the British Royal Navy and Parliament, the French Air Force, the Houston, Texas courts and police, and many others.

    Clearly there is not that much incompetence in IT security around the world.
    This beasty deserves watching

  • Low Math, Meekly Interacting

    Fusion is off, and will stay off until the coast is clear.

  • eddie

    The particular vulnerability that this work exploits should have been patched a month ago. Only vulnerable systems is where the admins have not maintained the patches diligently. See KB 958644 for details.

    If you’r XP PC is not patched, ans has this KB entry in your updates history, go to the windows update site now.

  • eddie

    speling FAIL

  • Sili

    I’m actually a bit surprised that Macs haven’t reached critical mass yet. They seem to be pretty popular so I’d have thought they’d be able to sustain viruses of their own. Not least since Macheads like to hang out with Macheads.

    Or are all malicious vira in reality made by Macowners? The hatred sounds so strong online that Windowsusers ought to have found some way to sabotage Macs by now.

  • Ditch

    Next Wednesday, huh?

  • Low Math, Meekly Interacting

    I am also surprised we’re not the victims of malware more often. Given the irrational hatred that flows from both sides, it seems natural that some Windows partisans would take the endless litany of “Macs R Safe, pee-cees R teh sux” as a challenge. We know from all the vulnerability patches we get that MacOS is not invincible. It’s arguably harder to take over the entire system on a MacOS machine, but it’s not impossible to do serious damage, and reportedly no more difficult. Yet there’s not a single serious malware threat that I’m aware of that targets Mac users. Why?

  • Larry

    We already disinfected it off our corporate network. I am a little bit concerned about DDOS attacks disrupting some internet service somewhere, but I expect that by Thursday it will be like nothing happened. Widespread minor annoyance, mainly from you all worrying too much about it. You all do have a backup strategy, right? You need to test it, but not for this. Not having a backup strategy that works is much riskier.

  • John R Ramsden

    Sometimes it almost seems as if Microsoft wants to encourage viruses.

    For a start, each time one plugs in a USB storage device Windows immediately starts rummaging through it searching for a program to run, which on an infected device could easily be a virus, and there seems no permanent way of stopping this irritating feature.

    Then there’s the insane default of suppressing file name suffixes in file explorer, so that a moderately crafty hacker could easily infiltrate a program called say funny_image.jpg.exe which an unsuspecting user would naturally double-click.

    Also ActiveX and even Javascript seem to be riddled with bugs and vulnerabilities.

    That’s three examples, and doubtless many more could be cited. I’m sure Microsoft are more than comfortable for viruses to be around up to a point and infecting PCs, because clearing a virus infestation is often a motive to do a clean install, and that is likely to involve a Windows upgrade at the same time.

  • thewill

    That used to be the standard scare virus advice: turn your computer off on such and such day.

    I think it’s silly fear mongering, and not that great a line of defense: turn computer off. As opposed to real security solutions like hardened O.S. models. I know you can’t advocate advanced approaches but seriously, “turn computer off” really takes the cake.

    Let me know when you figure out how I can use a computer that’s turned off, since that would be step 2 in your solution.



Cosmic Variance

Random samplings from a universe of ideas.
