Back to previous post: Scenes From the Lives of the Great Economists

Go to Making Light's front page.

Forward to next post: The 600 Series Had Rubber Skin

Subscribe (via RSS) to this post's comment thread. (What does this mean? Here's a quick introduction.)

March 25, 2009

Conficker: Yet Another Virus Warning
Posted by Jim Macdonald at 12:44 PM * 64 comments

The warnings are circulating again: Botnet 2.0 is on the way, scheduled to go live on April First.

Already we’re seeing some skepticism: The Conficker Worm: April Fool’s Joke or Unthinkable Disaster?

Still, take reasonable precautions. Update Windows. Update your anti-virus and do a scan. (If you don’t have an anti-virus, get one now.)

See also: Social Disease

[UPDATE] This tool will find and remove Conficker.

[UPDATE] The Conficker Eye Chart. (Fast, easy, no-installation check to see if you’re infected. Thanks Kathryn from Sunnyvale.)

Comments on Conficker: Yet Another Virus Warning:
#1 ::: Pedantka ::: (view all by) ::: March 25, 2009, 01:39 PM:

This reminds me: my version of Sophos came with my computer, purchased through the university. I don't believe it has ever successfully updated--it keeps saying it couldn't find the server. Granted, my brain has been very much elsewhere (end stages of PhD misery), but the glances I've taken through the online documentation haven't yielded a clue about which server it should be connecting to--whether it's a university thing (do I need to make sure it's attached to the campus network? Do I need to get someone in IT to do voodoo to make it work? Do I need to buy an update subscription of my own?) or something else. Does anyone understand this?

#2 ::: David Dyer-Bennet ::: (view all by) ::: March 25, 2009, 01:56 PM:

I continue to think that running your computer behind NAT (or a good firewall), not running Outlook Express, not running Internet Explorer, and being a bit careful what links you click on are much, much more important than running an anti-virus. While I've run anti-virus most of the last decade (mostly the free version of AVG), it has never once blocked anything. I think the no-script add-on for Firefox is more important.

I've had two work computers infected by viruses while following the full advice of the IT department, however, I think because they were running Outlook (required by the IT department), and despite being behind a corporate firewall, a system firewall, and running a commercial anti-virus program.

#3 ::: Andrew Plotkin ::: (view all by) ::: March 25, 2009, 01:57 PM:

Yeah, well. My Windows box went into a state of being absolutely virus-proof last week.

Still not sure if it's the power supply or the motherboard.

#4 ::: dcb ::: (view all by) ::: March 25, 2009, 02:08 PM:

Andrew Plotkin @ 3

Sympathies. Last time it happened to me, it turned out to be both, effectively. That is, some defect in the power supply was killing the motherboard (as the engineers worked out when the new motherboard fried after a couple of days). I'm just glad it was under extended warranty.

Remember BACKUP, BACKUP, BACKUP. Preferably onto more than one external storage device alternately, and if you can make periodic DVD backups of everything and leave at another location, even better (guards against fire and theft).

#5 ::: Caroline ::: (view all by) ::: March 25, 2009, 02:32 PM:

dcb @ 4, thanks for the reminder. I'm backing up to my portable HD here right now, since you said that. (One backup kept at home, one locked up here at my desk.)

(I have a Mac, so this particular worm isn't an issue. But hardware failure could always happen. Andrew, I hope your machine gets fixed quickly and doesn't cause too much inconvenience.)

#6 ::: Keith ::: (view all by) ::: March 25, 2009, 02:47 PM:

Pedantka @1:

It wouldn't hurt to give your University IT department a call or email. They should be on top of this and have a simple answer for you.

I just called mine, since I'm admin on every computer in our university's library. Figured I might need to know if I'm going to spend the rest of the week updating antiviral software or not.

[grumble] This would have to be during spring break, when my workstudy is off... [/grumble]

#7 ::: Dave Bell ::: (view all by) ::: March 25, 2009, 02:48 PM:

Don't forget Linux options. There are CD-bootable rescue toolkits, for instance.

#8 ::: Andrew Plotkin ::: (view all by) ::: March 25, 2009, 03:03 PM:

Thanks for your wishes. The Windows machine in question has nothing important on it. (All I ever do with it is install games, play them, and delete them. And occasionally test (my own) web sites with IE.)

Back up your data, or decide to delete it. There is no third option.

#9 ::: dcb ::: (view all by) ::: March 25, 2009, 04:13 PM:

Caroline @ 5

You're welcome. A couple of no-warning hard drive failures made me fairly paranoid. A friend having their Phd Thesis trashed due to a major failure during timed backup to university mainframe encouraged the "to alternate devices". Neighbours getting burgled recently reinforced the "backups in different locations" meme. I also figure that thieves will grab the external hard drives, if they see them, but are unlikely to bother taking used CDROMs/DVDs. And when you find a page of your website is corrupted, having a weekly backup CD or DVD means you can go back through until you find a version of the page which is not corrupted.

#10 ::: DannyK ::: (view all by) ::: March 25, 2009, 04:46 PM:

I'm re-reading "A Fire Upon the Deep", so I can't help thinking of Conficker as our version of the Straumli blight: singularity-via-spam.

#11 ::: Liza ::: (view all by) ::: March 25, 2009, 05:34 PM:

All: I see infected computers fairly regularly in my job (I do computer support) and it's gotten to the point where I run three separate programs' scans, because they each catch things the others miss.

1. the antivirus software of my employer's choice
2. Spybot Search & Destroy - free! http://www.safer-networking.org/en/home/index.html
3. Malwarebytes' Anti-Malware - free! http://www.malwarebytes.org/mbam.php

Between the three of them they've been able to clean most of the infected computers I've seen recently. Good luck!

#12 ::: Earl Cooley III ::: (view all by) ::: March 25, 2009, 06:26 PM:

Caroline #5: I have a Mac, so this particular worm isn't an issue

Just remember, there are Mac, Linux and router targeting nasties out in the wild; the days of platform-based complacency are over.

#13 ::: Mike Kabongo ::: (view all by) ::: March 25, 2009, 09:09 PM:

Heyla...

I recommend Avast strongly. That said i use both it and AVG, but if i were gonna drop one it would be AVG. And I'd never but Mcafee or Norton in a computer unless i had zero choice.

http://avast.com

#14 ::: AndrDrew ::: (view all by) ::: March 25, 2009, 09:44 PM:

Aiee, what a time to regain internet access.

As for backing up data... I started my 'puter use with an Apple IIe. The maxim "save everything, and save often" sort of gets drilled home when there is no hard drive, and the thing dies of it's own heat periodically.

#15 ::: j h woodyatt ::: (view all by) ::: March 25, 2009, 09:55 PM:

Caroline @5 writes: "...I have a Mac, so this particular worm isn't an issue..."

More accurately, it won't be an issue until after April 1, and there isn't much you can do in the interim except hope those friends and business partners of yours with whom you've shared your valuable personal information find the time to sheep-dip their Windows machines in time.

#16 ::: Randolph ::: (view all by) ::: March 25, 2009, 10:21 PM:

By the way, there are now Adobe Acrobat/Adobe Reader exploits out there. The bugs go back as far as version 7 and are contained in all but the most recent patches Good time to update that, too, on all platforms.

http://www.adobe.com/support/security/bulletins/apsb09-04.html

#17 ::: antukin ::: (view all by) ::: March 26, 2009, 05:38 AM:

thanks for the heads up, especially the link to Anti-Malware. I've been looking for an anti-malware program that scans thumb drives.

#18 ::: Pendrift ::: (view all by) ::: March 26, 2009, 06:08 AM:

antukin@17: Just noticed your handle. I take it you're a sleepyhead?

#19 ::: James D. Macdonald ::: (view all by) ::: March 26, 2009, 08:15 AM:

This tool removes all versions of Conficker.

#20 ::: Dave Bell ::: (view all by) ::: March 26, 2009, 09:12 AM:

I've heard that the .pdf exploits are not limited to Adobe products, which doesn't sound good for Postscript.

Trouble is, that would make it a cross-platform virus, which is heading for mega-ouch territory.

The advantage of a Linux-based recovery or back-up tool is that it is different. And if you can use Open Office for your work, you aren't tied to one OS.

There are some people in the Linux 'verse who are, frankly, assholes. "RTFmanpage" is not very helpful to the newbie.

Back last October, I bought a Linux-based netbook. It's not horribly complicated to use. But any OS needs stuff to be learned before you can use it well.

I'm not rushing to change, but I can see myself switching. There are things I have to check on, but the idea feels comfortable now.

#21 ::: Caroline ::: (view all by) ::: March 26, 2009, 11:02 AM:

j h woodyatt, good point there.

Earl Cooley @ 12, oh yes, I know. That's why I specified "this particular worm." Standard advice applies everywhere: use a firewall, download things only from trusted sources, don't open unexpected email attachments, pay attention to what things are before you run them, don't click on dodgy-looking links, etc.

The latest Mac trojan I heard about was hiding in a torrent of iWork '09 -- which is why I don't torrent stuff.

#22 ::: Joel Polowin ::: (view all by) ::: March 26, 2009, 01:22 PM:

Mike Kabongo @ 13: I tried Avast a bit over a year ago and found it quite unusable. Your mileage varies, obviously.

#23 ::: Joel Polowin ::: (view all by) ::: March 26, 2009, 01:35 PM:

It is worth noting that one of Conficker's transmission modes is to copy itself as an 'autorun' file onto USB flash drives and the like -- that's how I crossed paths with it after it got loose in my workplace. When the drive is plugged into a vulnerable machine, the autorun is executed.

The normal Windows settings for disabling autorun for devices do not necessarily disable it. For Your Convenience, Windows remembers devices that have been previously used -- a particular USB drive, for example -- and if it recognises that such a device has been connected again, it'll go ahead and do the autorun, even if that's supposedly been turned off.

This helpful behaviour can be turned off, but you have to modify a registry entry to do it. On the plus side, this is as simple as copying a bit of text to a registry-update file, then running the file. Instructions are here.

#24 ::: Dave Bell ::: (view all by) ::: March 26, 2009, 02:13 PM:

The last major upgrade of AVG was a mess, in my experience. I decided I couldn't trust it.

If there's a virus signature in a file containing several emails, I would prefer not to have all my new email deleted without any warning, thank-you.

There were other problems reported, and it may be related to the unusual software I was using, but that was the last straw for me.

#25 ::: Paula Lieberman ::: (view all by) ::: March 26, 2009, 02:29 PM:

Obligatory rant...

1) The Internet was NEVER conceived of as a system... it's an escaped evolved lab experiment that makes kudzu looks like a dead rock.

2) TCP and IP were never designed to be commercial protocols, they are organic protocols in the Escaped Lab Experiment.

3) Commercialization of the Internet was/is an exploitive, haphazard, in large part extremely malicious and self-aggrandizing and self-enriching fraught-with-scam endeavor.

4) My opinion is that the US Postal Service's charter to provide national mail service and to keep out of the mail unless there are warrants involve with judges/court hearings for impounding and opening and screening mail, is what I felt and feel really should have been the model for electronic national civil content communications...

5) "Secure" or "trusts" systems for delivery of email and files and such, not only IS possible, it's been done... the problems with the Internet all stem from a) escaped not-even-prototype which NEVER had security as one of the experiment's design criteria and consideration, b) protocols which never considered security, c) scientists running non-security experiments for scientists do NOT consider "malice" "cluelessness" "greed" and other such factors, when designing lab experiments.... bottom line is that security was never organic to the ARPAnet, the idea that people would be deliberately or by happenstance causing malicous/greedy/destructive/STUPID activities, simple wasn't part of the mindspace involved in the data communications EXPERIMENT...

Someting designed for real world commercial use, such as the original telephone system, included "resistance to thieves, idiots, malice, self-aggrandizers, trolls, etc."

#26 ::: Wyman Cooke ::: (view all by) ::: March 26, 2009, 03:04 PM:

Joel @ 22 I agree with OMike about Avast and AVG. I have both on my system. They form a layered shield in my opinion.

#27 ::: albatross ::: (view all by) ::: March 26, 2009, 03:08 PM:

Paula #25:

Someting designed for real world commercial use, such as the original telephone system, included "resistance to thieves, idiots, malice, self-aggrandizers, trolls, etc."

That explains the utter lack of known exploits on the phone system, back in the day. And the utter lack of spam on my phone to this day....

Less snarkily: I broadly agree with your diagnosis, but not your solution. It's true that neither most of the protocols nor most of the networked applications were designed with security in mind. But there were efforts to design all kinds of large-scale communications schemes from the top down, and they mostly didn't work out. The speed of innovation in this area makes that kind of top-down planning unlikely to work. And the worst vulnerabilities seem to me to come from emergent properties of these systems. For example, we had a long history of people worrying about networked applications, and spending some effort locking those down, before anyone noticed that in a world where everyone has attachment-supporting-email and most everyone's email client opens known file types on request, every application that is associated with a known file type is essentially on the network.

To me, the creepiest thing about the malware industry is that it's a f--king industry, complete with folks maintaining the botnets and attack tools who read the latest academic papers in computer security and cryptography. This is a pool of thousands of skilled people, who are using this as a way to make a living. It's going to be amazingly hard to get rid of them, because whatever we do to close off one weakness will likely drive them into the next. People who have spent the last 10 years making a living writing malware or some such thing have a tremendous incentive to find alternative ways to make the same kind of living, nearly all of which will also be criminal.

Of course, the other fun concern here is terrorism, both state-sponsored and otherwise. The existence of a large pool of experienced, professional attackers makes it much more likely that bad people could recruit a few of them for some bad thing. And our defenses are 99% retrospective--try to talk someone into adding a performance-decreasing defense to a product, and you will hear them trot out the old "show me where this attack has happened before" routine. (If you're lucky, showing them examples will convince them. If not, they'll back into demands for more and more specific examples, till they find a way to avoid slowing down their application, shipping a month later, or getting rid of any features.) To the extent that almost all the serious attackers so far are commercially motivated, the first serious, well-funded ideological attacker may do immense damage, because the folks trying to close the relevant vulnerabilities couldn't show where such attacks had been done before.

#28 ::: GHN ::: (view all by) ::: March 26, 2009, 04:25 PM:

I am slightly paranoid when it comes to security on my PCs. I haven’t yet installed all the necessary security on my newest, but that is only because I bought it a couple of days ago. It will get fully updated during the weekend, believe me!

I have used Spybot Search and Destroy and Ad-aware for several years now, and have been happy with them (in addition to a suitable antivirus program, of course), but I must say that I am not entirely certain about the Ad-aware Anniversary Edition. Do anybody have any comments on this, should I switch to something else, and if so, what would you recommend?

#29 ::: Paula Lieberman ::: (view all by) ::: March 26, 2009, 05:31 PM:

#27 Albatross

The first person to crack the security on the Bell system, was an MIT type whom Bell immediately hired.... the fellow was an Original Definition-type MIT Hacker-- someone who played around with things to see what made them tick and for the joy of researcg and knowledge, and NOT for malicious/greediness/etc. purposes.


Considering that the phone system at heart is Victorian era technology (second half of the 19th century) it's stood up astonishingly well. But then, it was "good enough" and "better" is something that doesn't really apply to it. The improvements have all been in ways that are mostly transparent to users, except for the additional features of things such as call waiting, voice forwarding, automated conference calling... but the basics of transducing speech to electromagnetic signals traveling to a remote terminal and transducing back into comprehensible speech, are still really the same. Trannsmission of computer data over phone lines, is a feature added much later, but irrelevant to the purpose of conversing with person(s) located beyond direct earshot.

Issues with computer security include from the get-go "purchase authorities" with not only a complete lack of interest in security, but with actual animosity towards the idea of safe computing and data and content integrity... Microsoft Windows 3.5 or 4.0 had C level security--discretionary access control-- on it. Microsoft dropped it because its direct customers squawked about it being inconvenient for them and something they wanted -gone-.

The same thing applied to various versions of Internet Explorer--clueless wonder idiots moron end users who felt imposed upon and the Purchase Authorities who were even stupider and bigger morons, that they had to go to the effort to click once or twice to open up an email instead of having it automatically run and show the stupid animations and other usually crap infesting HTML email, instead of having software which did sane things such as CHECK what attachments were going to try to do....

That's what gets me so torqued about the situation, that all of this is stuff that not only HAD known solutions, there were known solutions RUNNING, and that asshole cofounder of Apple, and Bill Gates the opportunist who followed the money trail and the asshole jackass journalists and the jackass idiot Purchase Authorities who fawned on Mr Jobs and every stupid moronic user interface for paraliterates Jobs foisted on the universe, stole not the GOOD STUFF from Xerox, but the crap, and deliberately LEFT OUT all the things that provided checking and allowed the end user to SEE what the attachments were going to try to do...

That is, I used an Amiga. The Amiga IGNORED the filename extension and looked IN THE FILE for what the file type ACTUALLY was, and let the user know that. So, if there was a file claiming to be a graphic image that was ACTUALLY a nasty virus, the Amiga would let the user known the that file type was EXECUTABLE and the user could see that that file if opened was going to try to overwrite the user's hard drive...

Offensive full-of-himself Jobs however promulgated memes for computing which didn't even let the user see the file extension type when opening a file from within a Macintosh program, much less give the user access into finding out that the file type extension and the file actual type didn't match... sort of like being blindfolded and given a keyhole view of the inside of a house....


#30 ::: Mike Kabongo ::: (view all by) ::: March 26, 2009, 09:46 PM:

Joel,

Sorry it didn't work for you. The only time i had a computer it didn't work right on was when there wasn't enough free ram. That said I keep a recent version on a thumb drive of both Avast & AVG and will install and run them on any computer I need to use that doesn't have something adequate.
I also use Spybot S&D and occasionally others...

#31 ::: antukin ::: (view all by) ::: March 27, 2009, 03:44 AM:

Pendrift@18: yes, actually, especially now in the middle of Friday afternoon at the office...

#32 ::: Alex ::: (view all by) ::: March 27, 2009, 09:14 AM:

F-Secure Labs has a nice FAQ on Conficker/Downadup and April 1st and its significance or otherwise.

#33 ::: albatross ::: (view all by) ::: March 27, 2009, 09:29 AM:

More generally, the F-secure blog is a nice source of ongoing news coverage on various internet threats.

#34 ::: Randolph ::: (view all by) ::: March 28, 2009, 02:46 PM:

Paula, #25, #29: and, let's hear it for the magic of the market, which keeps companies working on new features, rather than fixing low-profit issues like security holes.

#35 ::: Spam Deleted ::: (view all by) ::: March 30, 2009, 05:16 AM:

Spam from 213.31.172.5

#36 ::: Wyman Cooke ::: (view all by) ::: March 30, 2009, 11:38 PM:

One way to detect if your system is infected by Conflicker is to see if you can update your anti-virus software. Conflicker blocks updates, according to Homeland Security's computer guys.

#38 ::: Linkmeister ::: (view all by) ::: March 31, 2009, 02:25 AM:

On the principle that if 60 Minutes mentions it it's pervasive, I went to the site that's linked in the [Update] and downloaded the scan tool. It loads a 306kb file and runs a scan. It offers you a report to a .txt file as well as a screen diagnosis; amusingly, it warns me that McAfee is running.

Once downloaded, though, it stays resident in memory. You can't right-click to exit; it just runs the scan again when you try.

#39 ::: Linkmeister ::: (view all by) ::: March 31, 2009, 02:28 AM:

Also, clicking the link for "Update Windows" in the main post takes you to http://www.windowsupdate.com, which demands that you be running IE 5 or higher; it won't accept Firefox. If you want to update Windows without IE, do it through your Control Panel.

#40 ::: Earl Cooley III ::: (view all by) ::: March 31, 2009, 04:16 AM:

Linkmeister, are you talking about accessing Windows Update through the Help and Support Center (WinXP)? That still uses the IE engine to work, so you're not actually avoiding any downsides by doing it that way.

I just made Windows Update my IE home page, because that's about the only time I care to sully my fingers with IE. Some online games use IE for their launch programs, which is a shame. I run CCleaner every time I'm forced to use IE or its dark brethren.

If Microsoft wants to make me feel better about IE, then they should open source it.

#41 ::: Linkmeister ::: (view all by) ::: March 31, 2009, 02:48 PM:

Earl @ #40, sorry, shoulda said. I'm using Vista. Clicking the Start Button offers a range of options; Control Panel is the one which gives you the Security sub-menu including Windows Updates. I've forgotten (already! It's been just six months!) what XP's options are.

#42 ::: Daniel Klein ::: (view all by) ::: April 01, 2009, 12:47 PM:

Armageddon somewhat anticlimactic so far: Conficker War Room!

Still, it's an amusing name for a virus if you're German. I can't help but wonder who Con is.

#43 ::: albatross ::: (view all by) ::: April 01, 2009, 01:25 PM:

Daniel #42:

Yeah. Though I do wonder about those isolated agrav failures in the floating docks....

#44 ::: Mary Dell sees spam OR VIRUS LINK!! ::: (view all by) ::: April 01, 2009, 02:24 PM:

The link in #35 looks legit, but I'm not personally familiar with the site, and James is a first-time commenter. Also a google search for the words in his post turns up a zillion instances on different sites. (If this link doesn't work for you select everything in his post between "Good article" and "outbreak" and drop it into google.)

So it's possible that it's actually a link to a virus distribution package, and if it's not, it's spam.

#45 ::: KeithS ::: (view all by) ::: April 01, 2009, 02:40 PM:

Mary Dell @ 44:

Sophos is one of the big-name anti-virus/malware players. They tend to pitch their products to businesses rather than home users, which is why you may be unfamiliar with the name. That is their website and not an imposter.

#46 ::: Clifton Royston ::: (view all by) ::: April 01, 2009, 02:40 PM:

Unless someone's hijacked the webservers at Sophos, a fairly respected AV firm, the package linked by "James Coulter" is presumably legit. However, it's Not Nice for them to link-spam their software.

On the mitigating side, I can at least imagine how someone might think it was a good idea for reasons other than marketing; after all, to prevent SkyNet from activating and causing Armageddon, any kind of incidental damage is acceptable! No, wait, that was the other thread.

#47 ::: albatross ::: (view all by) ::: April 01, 2009, 02:48 PM:

From: Sophos (a known military intelligence company of the high beyond; if this is an imposter, someone is living dangerously)

Subject: New archive opening up in high beyond!

[sapient network packets deleted by firewall]

I love living in a science fiction movie.

#48 ::: KeithS ::: (view all by) ::: April 01, 2009, 02:56 PM:

Clifton Royston @ 46:

I know there are lots of people out there doing astroturf for big companies, but I'm willing to give James the benefit of the doubt on this. There are still public-spirited people unconnected to big companies out there. (Maybe, oh, three of them.)

#49 ::: abi ::: (view all by) ::: April 01, 2009, 02:59 PM:

Mary Dell @44:
Sophos (Wikipedia link) is a well-regarded anti-virus vendor.

I suspect that this is either a helpful lurker or a very relevant commercial post. The link isn't dangerous.

You're right to be careful, though; we have had spammers linking to exploit sites of late, even on reputable domains (a couple of university ones). Don't click on links from spam comments, exercise good care, and make sure your browser is checking for malware. It's a big bad internet out there.

#50 ::: Mary Dell ::: (view all by) ::: April 01, 2009, 03:25 PM:

Thanks, all, for the reassurances. My company (& my house) use other providers and since AV isn't my bailiwick, I'm not up on the other players.

Abi @#49: James is a very helpful lurker indeed, to the tune of 90 google hits for the identical post (sample). Definitely a commercial entity but probably not, it appears, a harmful one.

#51 ::: Raphael ::: (view all by) ::: April 02, 2009, 09:59 AM:

Daniel Klein @42, I can't help but wonder who Con is.

What if we assume that that part is an English loan?

#52 ::: Kathryn from Sunnyvale ::: (view all by) ::: April 02, 2009, 06:34 PM:

The conficker working group has built a simple visual diagnosis tool for conficker infection.

The page should show six images linked to security websites (for the test) and operating system websites (control group). If you only see 3 of the six, you may have a problem.(1)

"Conficker Eye Chart"

To first learn about the conficker working group and the above url, here are Google news articles about them, and here is PCWorld on how they got started, with links to the cwg home url.

----------------
(1)"Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites. If you are blocked from loading the remote images in the first row (AV/security sites) but not blocked from the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).

If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination...

#53 ::: Earl Cooley III ::: (view all by) ::: April 02, 2009, 07:59 PM:

That Conficker Eye Chart is clever. (Now I'm trying to figure out which Webby Award category that would fit into.)

#54 ::: David Dyer-Bennet ::: (view all by) ::: April 03, 2009, 09:56 AM:

Ooh, the eye chart is brilliant! Nice exploitation of the known behavior.

And my work computer is in fact clean, as I had thought from other evidence.

#55 ::: Erik Nelson ::: (view all by) ::: April 04, 2009, 01:00 PM:

The conficker eye chart page:

I do a "view source" on it and I just see generic HTML with generic image inclusion tagss; I don't see any diagnostics being carried out. What actually triggers the diagnostic?

Is it being sniffed remotely by the sites being referred to? If so, what gave them that access privelege?

How does it work?

#56 ::: Erik Nelson ::: (view all by) ::: April 04, 2009, 01:05 PM:

Never mind, I have read the explanation at the bottom of the page and I get it now.

#57 ::: Pendrift ::: (view all by) ::: April 09, 2009, 03:35 PM:

Conficker is on the move, although they still don't know what it's up to exactly.

#58 ::: Lenny Bailes ::: (view all by) ::: April 10, 2009, 11:26 AM:

More Conficker news, including links to some new removal tools.

#59 ::: Wyman Cooke ::: (view all by) ::: April 24, 2009, 06:41 PM:

Reuters has some Conflicker news:

http://www.reuters.com/article/technologyNews/idUSTRE53N5I820090424?feedType=RSS&feedName=technologyNews

#60 ::: James ::: (view all by) ::: June 18, 2009, 04:51 PM:

@50

Hi,

I work in the marketing department at Sophos and i help increase the visibility of our free tools by promoting them in relevant blogs.

I wouldn't classify what i do as spam (since what I'm promoting is relevant to the discussions) although in essence for me to achieve my goal i do need to promote the tool on a lot of websites. Which could make what i do seem like spam.

I purely want to help users protect themselves from the Conficker threat by making them aware of Sophos' free removal tool.


Kind regards,
James Coulter, Sophos

#61 ::: Lee sees something the moderators should evaluate ::: (view all by) ::: June 18, 2009, 06:35 PM:

@ 60

#62 ::: Jim Macdonald ::: (view all by) ::: June 18, 2009, 10:54 PM:

#60 James: I wouldn't classify what i do as spam

I would.

#63 ::: Jon Meltzer sees spam ::: (view all by) ::: November 11, 2009, 03:43 PM:

And, if this links to a scam spyware-remover, potentially dangerous.

#64 ::: mcz sees spam ::: (view all by) ::: November 11, 2009, 03:44 PM:

at the soon-to-be-deleted #63.

Welcome to Making Light's comment section. The moderators are Avram Grumer, Jim Macdonald, Teresa & Patrick Nielsen Hayden, and Abi Sutherland. Abi is the moderator most frequently onsite. She's also the kindest. Teresa is the theoretician. Are you feeling lucky?

If you are a spammer, your fate is in the hands of Jim Macdonald, and your foot shall slide in due time.

Comments containing more than seven URLs will be held for approval. If you want to comment on a thread that's been closed, please post to the most recent "Open Thread" discussion.

You can subscribe (via RSS) to this particular comment thread. (If this option is baffling, here's a quick introduction.)

Post a comment.
(Real e-mail addresses and URLs only, please.)

HTML Tags:
<strong>Strong</strong> = Strong
<em>Emphasized</em> = Emphasized
<a href="http://www.url.com">Linked text</a> = Linked text

Spelling reference:
Tolkien. Minuscule. Gandhi. Millennium. Delany. Embarrassment. Publishers Weekly. Occurrence. Asimov. Weird. Connoisseur. Accommodate. Hierarchy. Deity. Etiquette. Pharaoh. Teresa. Its. Macdonald. Nielsen Hayden. It's. Fluorosphere. Barack. More here.















(You must preview before posting.)

Dire legal notice
Making Light copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010, 2011, 2012, 2013, 2014 by Patrick & Teresa Nielsen Hayden. All rights reserved.