-=PCTechTalk=- Re: The final word on Confickr/Downadup/Kido including removal instructions
- From: "Lilian" <lilcruz.2@xxxxxxxxx>
- To: <pctechtalk@xxxxxxxxxxxxx>
- Date: Wed, 1 Apr 2009 18:32:37 -0300
Hi all!
Have just arrived online. Any news yet on the bug? Or is it early days
yet...
Lil
----- Original Message -----
From: "Gman" <gman.pctt@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Tuesday, March 31, 2009 5:52 PM
Subject: -=PCTechTalk=- Re: The final word on Confickr/Downadup/Kido
including removal instructions
Hi Lil,
The bug includes a timer that's set to go off sometime tomorrow (I would
guess at midnight tonight). The design is for the bug to 'call home' for
further instructions. With millions of them currently infecting machines
around the world (most infections are in China, Russia and other far eastern
countries), this botnet could be told to start doing almost anything. There
are over 50,000 locations it can use to reach 'home' and there's no way for
the security experts to identify & close them all. The experts' best guess
is that they will definitely receive instructions to update the security
sites they block to include the ones that were created since the last time
the bug updated. They could also receive directions to start spamming the
world, launch Denial of Service attacks against major online sites, new
methods to infect more systems, etc. Right now, they are only focusing on
infecting more systems, but the security folks have closed up most of the
holes they've been using (which includes the patch I've been pushing here
lately). If the worm writers have come up with new ways to get it into new
systems, we'll be battling that soon, too.
Since every infected system that remains online tomorrow will try to
update itself (the entire botnet will likely take several days for all of
them to get through to the controlling servers and get their instructions),
it doesn't matter if a clean system stays offline. The online bugs will
update their instruction set and try to carry out their new duties
regardless. When you bring your system back online, those changes will
already have been started.
So, I'll be online just as much as I've always been, but I'll be
spending much of my time at several security sites trying to keep up with
reports on what this botnet seems to be doing with its new instructions. I
have the patch in place, all of my security software is completely up to
date, I know how to surf safely and I won't be randomly surfing around until
I get a clear picture of what the botnet has been told to do. This isn't a
time to hide our heads in the sand and stay offline, but treat the internet
like a minefield for a few days until we know what the botnet is up to.
Every security related company in existence will be working together to
pounce on anything new that can be plugged and share that info with the
other companies. Hopefully, whatever happens will be (relatively) contained
within a reasonable period of time.
I also predict that most of our trusted security apps will be getting
major updates soon to battle whatever new attacks come out of all of this.
We certainly do live in interesting times. lol
Peace,
Gman
http://www.bornagainamerican.org
"The only dumb questions are the ones we fail to ask"
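The rendezvous scheme Gman describes above (tens of thousands of candidate 'home' locations, far too many to identify and blocklist one by one) has a defender-side counterpart: a worm that has to guess its way to a live controller leaves a trail of lookups for names that do not exist. The Python below is an added example for this thread, not code posted by anyone on the list or taken from any security product. The resolver log format, client addresses and hostnames are constructed for the example, and the window and thresholds are illustrative assumptions that a real deployment would tune against its own baseline.

```python
"""Flag hosts whose DNS activity looks like a worm hunting for rendezvous domains.

Added example, not from the mailing-list thread. Rather than chasing the
domains themselves, watch the resolver logs: a host that races through many
never-registered, random-looking names in a short window stands out no
matter which names it tries. The log format below is constructed for this
example and is not any real resolver's format.
"""
import math
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <client> <query name> <response code>".
# 10.0.0.5 is an ordinary workstation (one typo lookup); 10.0.0.9 is the
# hypothetical infected host burning through candidate domains.
SAMPLE_LOG = """\
2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:02 10.0.0.5 mail.example.com NOERROR
2009-04-01T00:00:03 10.0.0.9 qzkwpbv.com NXDOMAIN
2009-04-01T00:00:03 10.0.0.9 xjrtmqopl.net NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 hwdnzvkq.org NXDOMAIN
2009-04-01T00:00:04 10.0.0.9 plmvbrsud.info NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 tqgkxzf.biz NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 rfyjwcnpa.com NXDOMAIN
2009-04-01T00:00:06 10.0.0.9 update.example.org NOERROR
2009-04-01T00:00:07 10.0.0.5 typo-of-exampel.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
VOWELS = set("aeiou")


def parse_log(text: str) -> list:
    """Turn the constructed log text into a list of records (dicts)."""
    records = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # skip blank or malformed lines instead of crashing
        when, client, name, rcode = match.groups()
        records.append({
            "time": datetime.fromisoformat(when),
            "client": client,
            "name": name.lower().rstrip("."),
            "rcode": rcode,
        })
    return records


def second_level_label(name: str) -> str:
    """Return the label left of the TLD, e.g. 'example' for 'www.example.com'."""
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else name


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character of a domain label."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(name: str, min_len: int = 6,
                    min_entropy: float = 2.5, max_vowel_ratio: float = 0.2) -> bool:
    """Heuristic for machine-generated labels: long, high-entropy, vowel-poor.

    Thresholds are illustrative assumptions, not values from the thread.
    """
    label = second_level_label(name)
    if len(label) < min_len or shannon_entropy(label) < min_entropy:
        return False
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return vowel_ratio <= max_vowel_ratio


def find_suspect_hosts(records: list, window: timedelta = timedelta(seconds=60),
                       threshold: int = 5) -> dict:
    """Map each client to its peak count of generated-looking NXDOMAINs
    inside any sliding window, keeping only clients at or above threshold."""
    per_client = defaultdict(list)
    for rec in records:
        if rec["rcode"] == "NXDOMAIN" and looks_generated(rec["name"]):
            per_client[rec["client"]].append(rec["time"])

    suspects = {}
    for client, times in per_client.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):           # two-pointer sliding window
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            suspects[client] = peak
    return suspects


if __name__ == "__main__":
    for host, count in find_suspect_hosts(parse_log(SAMPLE_LOG)).items():
        print(f"{host}: {count} generated-looking NXDOMAIN lookups in one window")
```

The point of looking at the client rather than the domain list is the one Gman makes: the defenders cannot enumerate every 'home' location, but an infected machine cannot reach any of them without asking the local resolver first, and that traffic is visible to whoever runs the resolver.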
----- Original Message -----
From: "Lilian" <lilcruz.2@xxxxxxxxx>
To: <pctechtalk@xxxxxxxxxxxxx>
Sent: Tuesday, March 31, 2009 4:10 PM
Subject: -=PCTechTalk=- Re: The final word on Confickr/Downadup/Kido
including removal instructions
> Gman,
> I've had that patch since Oct 2008 (KB958644) so I guess it's ok. But, I am
> curious as to how these nerds do their damage. They infect you with a bug
> which is programmed to go off on a certain date? Or is it programmed to
> launch from a certain day onwards? The reason I ask is if we take the day
> off tomorrow (those who can of course...) and only switch back on on 02
> April, would the virus still be active? If they give it a leeway of several
> days to activate, then we are stuck...
>
> Lil
---------------------------------------------------------------
Please remember to trim your replies (including this sentence and everything
below it) and adjust the subject line as necessary.
To subscribe, unsubscribe or modify your email settings:
http://www.freelists.org/webpage/pctechtalk
To access our Archives:
http://groups.yahoo.com/group/PCTechTalk/messages/
http://www.freelists.org/archives/pctechtalk/
To contact only the PCTT Mod Squad, write to:
pctechtalk-moderators@xxxxxxxxxxxxx
To join the PCTableTalk off-topic group, send a blank email to:
pctabletalk+subscribe@xxxxxxxxxxxxxxxx
---------------------------------------------------------------