Yet Another Microsoft Worm [Conficker] Runs Amok
According to the BBC today,
Infections of a worm that spreads through low security networks, memory sticks, and PCs without the latest security updates is “skyrocketing”.
The malicious program, known as Conficker, Downadup, or Kido was first discovered in October 2008.
Anti-virus firm F-Secure estimates there are now 8.9m machines infected.
This is yet another major outbreak. At least the coverage of this one is pretty clear that it is just Windows PCs that are affected, but jeez, how come people are still putting up with this crap:
“Microsoft did a good job of updating people’s home computers, but the virus continues to infect business who have ignored the patch update.
“A shortage of IT staff during the holiday break didn’t help and rolling out a patch over a large number of computers isn’t easy.
“What’s more, if your users are using weak passwords – 12345, QWERTY, etc – then the virus can crack them in short order,” he added.
“But as the virus can be spread with USB memory sticks, even having the Windows patch won’t keep you safe. You need anti-virus software for that.”
Sorry. What? Microsoft did a good job patching another hole. People just don’t get it do they? It’s a bit like trying to plug the holes in a sieve using a knitting needle. You might block one, but hey, there are hundreds more holes just next door.
I love the bit about having the Windows patch is not enough. So that only protects you from network born infections? And not from other sources? Or so it would seem. Be afraid. Be very afraid…
According to Microsoft, the worm works by searching for a Windows executable file called “services.exe” and then becomes part of that code.
It then copies itself into the Windows system folder as a random file of a type known as a “dll”. It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.
I know that for most of the readers of this blog this is teaching your granny to suck eggs but please:
just try doing something like this on a proper operating system.
But of course the malware-that-masquerades-as-an-operating-systemTM isn’t so robust.
If you find it hard to convince the great unwashed why it is that “proper operating systems” don’t really get viruses, this article is quite a good, and not too technical, explanation of the main reasons.
For a Linux binary virus to infect executables, those executables must be writeable by the user activating the virus. That is not likely to be the case. Chances are, the programs are owned by root and the user is running from a non-privileged account. Further, the less experienced the user, the lower the likelihood that he actually owns any executable programs. Therefore, the users who are the least savvy about such hazards are also the ones with the least fertile home directories for viruses…
… A computer virus, like a biological virus, must have a reproduction rate that exceeds its death (eradication) rate in order to spread. Each of the above obstacles significantly reduces the reproduction rate of the Linux virus. If the reproduction rate falls below the threshold necessary to replace the existing population, the virus is doomed from the beginning — even before news reports start to raise the awareness level of potential victims.
The reason that we have not seen a real Linux virus epidemic in the wild is simply that none of the existing Linux viruses can thrive in the hostile environment that Linux provides. The Linux viruses that exist today are nothing more than technical curiosities; the reality is that there is no viable Linux virus.
Now please go and upgrade someone you love from Windows to a proper operating system.
While I think your argument is well-intentioned, and agree with you about switching to a more sensible operating system, I think you’re wrong.
First, all OS’s have security holes. I don’t think a week goes by without a security patch for some part of my Ubuntu system, and some of those holes would be critical if exploited. Having security holes *and patching them as promptly as possible* is a good thing, even if it’s Microsoft that’s doing it.
Secondly, you *could* do something like this with a Unix-style permissions system: it just requires tricking the user into giving permission (ie by giving out the admin/root password). That’s actually exactly the same as you have to do with this worm using a properly-patched copy of Windows Vista, even if you have Autorun on (and it’s *not* on by default in Vista).
In summary: Windows XP sucks donkey balls for security, but that’s not exactly news. Vista is better, but like all OSs you should keep up with your patches and not give random programmes permission to run when they ask for it. A Unix-style system gives you greater protection (and generally faster patching), but still isn’t immune to teh st00pid.
Or, to put it another way: It’s always worth rememering that there is no perfectly secure OS, because there is always a perfectly insecure user sitting in front of the machine.
As an aside, MS is doing some really interesting work in terms of working out development methodologies which reduce the possibility of creating security holes exactly like this one. And, better yet, they’re sharing the knowledge about it – have a look at their Secure Development Lifecycle blog (http://blogs.msdn.com/sdl/) for more details. Open source developers would benefit from reading and learning.
Hi Ian, thanks for dropping by and commenting.
I never said that Linux is perfect and does not have holes. Security patches are par for the course for any OS and I am grateful that the FOSS community keep on top of them when they are identified. Did I say you shouldn’t patch your system? That’s what it sounds like you are inferring in your first paragraph.
You are correct that by providing the root password you open up any system. But with modern unix style distributions, having the root password on it’s own is not enough. If you (the user) are not in the sudoers file (i.e. with admin privileges) then knowing the root password will not allow you to gain root access. This is one of the biggest advantages of using sudo and not enabling the root user. The default user account on my computers does not have admin privileges.
I’d like to see some stats about how/why Vista is better in terms of security. From the news items I have seen around the ‘net since it’s introduction, it seems to be more vulnerable than an up-to-date and patched version of XP. But that is purely anecdotal so please – if you have anything to corroborate your comment – it would be good to see it.
Many thanks for the link. I’m sure some people will find it useful.
It’s a pleasure to be here 🙂
For Windows Vista security, the Wikipedia article is a good overview (http://en.wikipedia.org/wiki/Security_and_safety_features_new_to_Windows_Vista). Even though it includes DRM as a “security feature”, which of course is nonsense.
Some of the features are trivial: having a Firewall that’s actually worthy of the name, for example. But others are a bigger deal: Data Execution Prevention, for example, effectively blocks off most zero-day exploits, although it comes at the price of breaking some older applications. Memory randomization is nice. Windows Service Hardening makes it harder to write an exploit which can hijack key system elements. And Mandatory Integrity Control *should* make it harder for compromised applications to do Bad Things.
Rich Mogull, whose opinion I respect a lot, rates Vista as more secure than OS X overall (good short analysis at http://securosis.com/2006/11/20/mac-vs-windows-security-its-a-whole-new-game-and-doesnt-matter/). Given that OS X’s security model is fairly standard Unix, that’s an intersting conclusion. And Vista’s record, so far, is pretty good – in its first year, it had fewer vulnerabilities than other OS’s in their first years (http://www.darkreading.com/security/management/showArticle.jhtml?articleID=208803818).
(As an aside, it’s worth reading some of the Microsoft security/malware blogs for some unintended gems, such as the map at http://www.microsoft.com/security/portal/sir.aspx which conclusively proves that Canadians are more secure than Americans 🙂 )
check out some of the pictures of this virus that wants you to run it
http://www.f-secure.com/weblog/archives/00001586.html
so you can see why things on memory sticks can spread if the operating system is defective.
[…] http://www.theopensourcerer.com/2009/0… […]
Dear Ian,
You should not let the best be the enemy of the good.
I suffered for years whilst using Windows, not malware as I always didinfected, but that was a pain as I had to do it every day, actively and if I ever had to re-install Windows then download yet another from AVG.
But I don’t have to actively intervene in keeping my machine safe with Ubuntu.
Less maintenance time means I can do more work on my mcahine.
Why not try it out using a dual-boot?
That’s a clever piece of social engineering, Alan – but how do you code to stop it? If you include the ability to autorun a piece of software on insertion of media (which is generally a convenience for users) AND you use the name and icon of the application to show what it is that wants to run, then this trick will always work.
There will always be ways of using any feature which adds convenience to attack the user. No doubt the “scaled back” UAC in Windows 7 will be less secure than the (over-the-top) version in Vista – at which point, people will claim that it’s less secure. Which, in one sense, it is. The only really secure system is one where the user has no choice about what is installed on his machine – and that would be rather a dull PC 🙂
Charles – Ubuntu is my main OS. Although I still have a small Windows partition, it barely gets booted – there’s one application I use which has no FOSS equivalent and won’t work in WINE, so sadly I have to boot Windows once a week or so. But other than that, I don’t use Windows (and haven’t for years).
[…] believe is inherently more secure, and more robust too. Just recall on the last couple of months of Microsoft security […]
[…] the last few scant months, there have been several major and very serious security flaws and attack […]
Pertaining to the posts about windows versus other operating systems…
I have been a very devoted windows user for all of my life up until about 2 months ago. I started with 3.1 right up through Windows 7 build 7000. I love Windows, but I switched to Linux because I wanted to broaden my scope of operating systems. I really enjoy Linux, the look and feel of Xubuntu 8.10, and the general experience. I feel that each operating system out there has a place in society, for different types of people. I do support the idea that if put under more pressure that Linux and MAC would become more vulnerable to attacks. I love the support from the open source community and I am very impressed and pleased with the products they have created. But we all have to remember, if windows machines become infected with a virus such as the conficker it doesn’t just affect windows machines. Just because Linux and MAC may not be susceptible to infection no node is immune to DoS attacks like excessive network traffic. Even if MAC and Linux were to be “coded better” than Windows, for me to draw that conclusion would be implying that I am willing to throw away good security practices on the chances that something bad won’t happen. But this is all beside the big picture, if you can trick the user, or gain physical access to a system it doesn’t matter what operating system you are using. Like Schiener says, “Security is a process, not a product.”
@thevirus,
thanks for dropping by and commenting. Your argument is well written and made. In fact, you might care to read a subsequent post on the discussion of the nature of a possible Linux virus. It is actually a gnome/kde/ desktop type virus, but clearly shows how one needs to be on guard constantly. Here’s the link: http://www.theopensourcerer.com/2009/02/11/free-linux-virus-writing-course/
Thanks again.
Sure, I must admit that EVERYONE, including Linux & Mac users, are suceptible to worm or virus attacks if one isn’t vigilant enough. But, the risks, in my opinion, of that happening in either a Linux or Mac system are nowhere near as great as they are in a Windows system. Case in Point – In jobs I have had in the past where I have had to use computers that used the Windows operating system, regardless of the version, I, being logged in as only a guest, could go right to the core of Windows(C:\\Windows\ and C:\\Windows\system32) and begin deleting and/or modifying files at my sole discretion, no password required. One must think that if I, being a lowly guest user on a Windows system, could do all that, just think how easily a worm or a virus could wreak havoc on a system without needing any sort of password.
There have been viruses for UNIX, but the environment gets more and more hostile.
I didn’t like Ubuntu alot. I like Linux mint more, and Debian for more experienced users.