Diagnose Conficker With Web-Based Eye Chart 180
thomsomc writes "Joe Stewart from the Conficker Working Group has created an eye chart that allows for online identification of Conficker B and C infections. Using basic knowledge of the blacklisting that Conficker employs to avoid attempting to infect IPs that belong to popular Anti-Virus and security firms (including Microsoft), the group whipped up this very simple test to see if you can load content from the various pages. If you can see all of the images, you're more than likely Conficker-free. According to Honeynet, 'This detection method should be more reliable than network scanning based tests. Happy scanning!'" Related: Tech Fragments notes in passing that nothing much seems to have come of Conficker's dreaded April 1 deadline.
Jon Stewart? (Score:5, Funny)
Am I the only one that read it as Jon Stewart and then spent a few minutes trying to figure out the joke on the page?
Re: (Score:3, Funny)
Haha, me too. Give this a !jonstewart tag.
Re: (Score:3, Insightful)
the question is: how many other topics can we find that are !jonstewart?
answer: 99% of them wooooooooooooo
Re: (Score:2)
No; the real question is, how many other tags do we need to add about what this is not? Clearly there should be a !stephencolbert tag as well as a !billmurray and !torquemada. Better add !natalieportman too, and of course !dmca. What else isn't this story about?
Re: (Score:1)
That's what I was trying to communicate, but apparently I'm flamebait :(
That hurts, slashdot...:( I was expecting someone else to dig up old articles with the name Jon or Stewart in them and say "Silly noob, these articles are more than 1% of /."
Maybe y'all are still venting after the internet sucking yesterday, but it's no reason to take it out on me!
*cries and runs away*
Re: (Score:2)
Re:Jon Stewart? (Score:4, Informative)
How can the first post be modded Redundant when he says something that is not a meme or a common sentiment?
Re:Jon Stewart? (Score:4, Informative)
How can the first post be modded Redundant when he says something that is not a meme or a common sentiment?
Because someone with mod points is either trolling or doesn't understand the meaning of the word. Just another flaw in the system.
Re:Jon Stewart? (Score:5, Funny)
Just another flaw in the system.
Come and see the flaws inherent in the system! Help! Help! I'm being modded down!
Re: (Score:1, Redundant)
In the general case, if the comment is so obvious it wasn't worth making in the first place (or, especially, just repeats something in the summary / article), then it's redundant.
In this case, I agree, the moderation is silly. Hopefully it will be corrected in metamod.
Re: (Score:1, Insightful)
Re: (Score:1)
Which this particular one doesn't do, so please mod me irrelevant.
Hah! You CAN'T!
Re:Jon Stewart? (Score:5, Funny)
This perfectly illustrates one of the unspoken rules of Slashdot culture:
*If the sole point of your post is to either complain, call a moderation unfair, or ask for an explanation about a moderation, be prepared for your post to be modded in exactly the same way.*
It's really a wonderful cultural practice, and is preparing interworldnettubez denizens everywhere for what they can expect when asking similar questions of real world "moderators" like cops and politicians.
Let's all keep up the good work!
Pick your punchline (Score:5, Funny)
Pick your "Daily Show"-style punchline for this story:
Re: (Score:2, Funny)
I say this with love... keep your day job.
Re: (Score:2)
Ah yes, as hilarious as the first hundred times I've seen that joke posted about me. Maybe I _should_ just change my name to !jonstewart...
-Joe
Re: (Score:1)
Re:Jon Stewart? (Score:4, Funny)
sweet (Score:5, Insightful)
a nice, easy, reliable way to detect a conficker infection.
great!
Re:sweet (Score:5, Funny)
As long as it doesn't get slashdotted... that might cause a new panic
Re:sweet (Score:5, Funny)
I panicked for a sec. I'm on Linux, but thanks to Virgin Media the bottom two images didn't load. Thankfully the chart said: any other combo = shite internet!
Re:sweet (Score:5, Funny)
Just be glad you aren't using Sunni internet.
Re: (Score:3, Funny)
*shudder*
That's totally out of control. Page after page of shameless hussies lifting their burkas to flash their ankles!
hask
Re:sweet (Score:4, Funny)
Re: (Score:1)
Since the images are only 3 to 10 KiB each, I doubt it.
Re: (Score:2)
Re: (Score:2)
Indeed. I really didn't expect it to be something this nice and easy. I'm definitely going to pass this one around.
Re:sweet (Score:5, Funny)
The chart or the virus?
Re: (Score:2)
Hopefully just the chart. ;)
Re: (Score:2)
It seems that Conficker's authors could get round the tests without any trouble too; just roll out an update that blocks everything from F-secure et al. except the nice logos.
Re:sweet (Score:5, Informative)
Re: (Score:2, Informative)
The site is slow, but I found a copy here. [joestewart.org]
I'm going to make my own page based on this idea because there was no reason to put the stupid Linux and BSD logos on the page. That's just being a douche bag.
Re:sweet (Score:5, Informative)
The reason there are logos there is to test that your browser can actually display images before you start panicking that you don't see the logos from the anti-virus. They are also good to compare download times in case that your Internet connection is just slow at that time.
I copied the source code into an Apache server here, changed the logos on the lower row to point to images on the respective sites (instead of local images) and downloaded the "description" images. Works like a charm; we already found an infected laptop.
Re: (Score:2)
I'm more upset he didn't reference the Logos at the bottom of the page. He did all the proprietary ones.
Re: (Score:2)
I'm going to make my own page based on this idea because there was no reason to put the stupid Linux and BSD logos on the page. That's just being a douche bag.
with blackjack and hookers? in fact, forget the page...
Re: (Score:2)
According to the chart, my Fedora/Seamonkey (with JavaScript disabled and no Flash installed) is possibly infected with Conficker C?
That's pretty neat (Score:2)
I'm glad the computer I'm using is not affected. I think it's funny how every few years the media picks up and runs with the new malware of the day. Remember that one that flashes the computer's BIOS? The one named after some famous artist?
I see a dog. (Score:5, Funny)
Re:I see a dog. (Score:5, Funny)
Funny, I see a penguin, a blowfish, the devil, and some boring corporate logos. No dogs. You must have the Conficker R variant (Rorschach variant).
Re: (Score:2)
Re:I see a dog. (Score:4, Funny)
I was going to explain it, but I got caught up looking at the pretty butterfly.
Re:I see a dog. (Score:4, Funny)
Well, there are only two kinds of people in the world. Those with ADD and ......
Re: (Score:2)
Linux and OpenBSD too ?! (Score:1)
oh gosh, I am infected (Score:1)
Re: (Score:1)
$ sudo aptitude install w3m-img
Infection cured?
Re: (Score:2)
Mine can. w3m displays images just fine in both xterm and rxvt if it's built to.
Lynx support? (Score:5, Funny)
Come on, it doesn't work in Lynx? I want my money back.
Re:Lynx support? (Score:5, Funny)
Works here.
You must be infected.
Re: (Score:1)
If Conficker was designed by a security guru... (Score:5, Interesting)
Because there is so much money to be made by botnets these days, it has moved from a "look what I can do" feat to a real business in its own right (legality aside). It is widely assumed that Conficker is among the first of a new breed of very carefully produced viruses and worms, written by professional developers who are paid quite well for their computer security and anti-anti-virus skills.
This class of developer knows exactly how the anti-virus companies work. It should have been expected by the Conficker designers that their virus would be examined in isolated networks. The designers would therefore be able to take advantage of that (it's easy enough to detect -- no word from the master servers, no ability to further infect, etc), and that's what we saw yesterday. Planned panic for no reason. At this point, most people think Conficker is either no serious threat, or an April Fools' Day prank. These people could be very wrong.
With the pressure off, infected machines are now able to go about their intended business, which could be sending spam, using distributed computing, farming user data, coordinated attacks of one type or another, or merely a conspiracy to protect computers from infections (a virally spreading anti-virus utility that you can't detect, stop, or remove? ingenious!).
The merits of a secret anti-virus product are more down-to-earth than you might think; most high-end zombie masters write their viruses so that they can't be detected by users and so that they are the sole "pwners" of the system -- competition is bad in this field. What you end up with is zombie masters who are suddenly interested in maintaining your computer for you - virus-free (save their virus), clean, efficient. If this zombie master is your federal government, merely reserving the right to use ("draft") your system as a "minute man" for emergencies where your computing power or attacking capabilities are needed, that might be a fair "tax."
Re:If Conficker was designed by a security guru... (Score:5, Informative)
No, they didn't plan on misleading the public about April 1st. Even the real (not PR-driven) security researchers didn't think anything bad would happen. The public and news sites were just using it as an excuse to make a fuss again.
Conficker has already had a few of these dates, April 1st is just the date it starts actively looking for any future updates to the worm. As long as everything is going well so far, they won't update it.
Re: (Score:2)
With the pressure off, infected machines are now able to go about their intended business
bot-net performance anxiety is a new concept to me. what you're saying sounds reasonable, but the obvious question is why wait?
there's no limitation that says that Conficker cannot be in operation while it continues to spread. It's clear that the majority of infected computers will never be cleaned (because their owners don't know/care). So why be coy?
Even if we knew what it did, it wouldn't change the fact that the oblivious people running infected machines will remain oblivious.
Re: (Score:2)
Because there is so much money to be made by botnets these days, it has moved from a "look what I can do" feat to a real business in its own right (legality aside). It is widely assumed that Conficker is among the first of a new breed of very carefully produced viruses and worms, written by professional developers who are paid quite well for their computer security and anti-anti-virus skills.
This class of developer knows exactly how the anti-virus companies work. It should have been expected by the Conficker designers that their virus would be examined in isolated networks. The designers would therefore be able to take advantage of that (it's easy enough to detect -- no word from the master servers, no ability to further infect, etc), and that's what we saw yesterday. Planned panic for no reason. At this point, most people think Conficker is either no serious threat, or an April Fools' Day prank. These people could be very wrong.
With the pressure off, infected machines are now able to go about their intended business, which could be sending spam, using distributed computing, farming user data, coordinated attacks of one type or another, or merely a conspiracy to protect computers from infections (a virally spreading anti-virus utility that you can't detect, stop, or remove? ingenious!).
The merits of a secret anti-virus product are more down-to-earth than you might think; most high-end zombie masters write their viruses so that they can't be detected by users and so that they are the sole "pwners" of the system -- competition is bad in this field. What you end up with is zombie masters who are suddenly interested in maintaining your computer for you - virus-free (save their virus), clean, efficient. If this zombie master is your federal government, merely reserving the right to use ("draft") your system as a "minute man" for emergencies where your computing power or attacking capabilities are needed, that might be a fair "tax."
Except there's nothing particularly new, innovative, or resistant to AV in Conficker. Conficker came to exist long after the vulnerability it exploits was publicly fixed. It is trivially detectable with a wide array of different techniques, and easily curable. The only thing making it effective is public ignorance about the need to update, and exploitation of that flaw is very common.
Re: (Score:2)
Except there's nothing particularly new, innovative, or resistant to AV in conficker. Conficker came to exist long after the vulnerability it exploits was publicly fixed. It is trivially detectable ...
I don't disagree with your assessments, but that's not what I was talking about, either. The point is that we have no idea of what it can do. We know exactly how it got there.
As to how this relates to a virus acting as an anti-virus: When I said not detectable, I meant from the perspective of the everyday [l]user, not a security expert or security software. A zombie master wants his/her zombies to be otherwise clean and operable with minimal intrusion upon the system, as this minimizes detection and m
Re: (Score:2)
Yeah, you need to be a real expert to run AVG, or go to this website:
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html [confickerw...ggroup.org]
Conficker can be removed, and should be.
As someone who has had a PC for pretty much the entire history of the PC, I have never had a virus on an IBM Compatible.
So I wonder how bad it really is.
Slashdotted scare (Score:5, Informative)
Clicked on the link, page unavailable. A reload did work.
Should be in the summary: If the page doesn't load at all, that doesn't mean you're infected, that means "Poor Internet connection?" If the page loads but some of the images don't, THAT is a positive.
Re: (Score:3, Informative)
Same here. Reloading did work. Thankfully, I'm clean!
Re: (Score:2)
Can't believe you guys. Clicking on an unverified link about a virus. Duh!
No more dangerous than clicking an unverified link about anything else...
Thank god (Score:5, Funny)
Whew, I haven't had that much relief since I accidentally ate that whole jar of exlax....
Re: (Score:2, Funny)
Slashdotted (Score:5, Funny)
Mirror (Score:5, Funny)
Conficker Eye Chart
[f-secure.com]
[secureworks.com]
[trendmicro.com]
[openbsd.org]
[linux.org]
[freebsd.org]
How to interpret:
If you see this above:    It probably means this:
= Normal/Not Infected by Conficker (or using proxy)
= Possibly Infected by Conficker (C variant or greater)
= Possibly Infected by Conficker A/B variant
= Image loading turned off in browser?
Any other combination= Poor Internet connection?
Explanation:
Conficker (aka Downadup, Kido) is known to block access to over 100 anti-virus and security websites.
If you are blocked from loading the remote images in the first row of the top table above (AV/security sites) but not blocked from loading the remote images in the second row (websites of alternative operating systems) then your Windows PC may be infected by Conficker (or some other malicious software).
If you can see all six images in both rows of the top table, you are either not infected by Conficker, or you may be using a proxy server, in which case you will not be able to use this test to make an accurate determination, since Conficker will be unable to block you from viewing the AV/security sites.
F-Secure and the F-Secure Logo are trademarks of F-Secure Corporation.
SecureWorks and the SecureWorks Logo are registered trademarks of SecureWorks Inc.
Trend Micro and the T-Ball logo are trademarks or registered trademarks of Trend Micro Inc.
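The mechanics behind the chart, as an added example (not the Working Group's page code): the browser tries to load one image from each of the three security sites and each of the three control sites, and the pattern of what arrived is read the way the table above reads it. Only the six hostnames come from the chart; the image paths are placeholders, and the verdict codes, the timeout handling and the decision to treat a fast load failure (what a failed name lookup produces) differently from a timeout (what an overloaded site produces) are my own assumptions, not part of the original chart.

```javascript
// Added example, not code from the Conficker Working Group's eye chart page.
// Image paths are PLACEHOLDERS; only the hostnames are taken from the chart.

const SECURITY_SITES = [            // row 1: sites Conficker is reported to block
  "https://www.f-secure.com/PLACEHOLDER-logo.png",
  "https://www.secureworks.com/PLACEHOLDER-logo.png",
  "https://www.trendmicro.com/PLACEHOLDER-logo.png",
];
const CONTROL_SITES = [             // row 2: unrelated sites, used as a control
  "https://www.openbsd.org/PLACEHOLDER-logo.png",
  "https://www.linux.org/PLACEHOLDER-logo.png",
  "https://www.freebsd.org/PLACEHOLDER-logo.png",
];

// Load one image and report "ok", "error" or "timeout". Browser only: the
// onload/onerror events fire for cross-origin images, so no CORS setup is needed.
function probeImage(url, timeoutMs) {
  return new Promise((resolve) => {
    const img = new Image();
    const timer = setTimeout(() => resolve("timeout"), timeoutMs);
    img.onload = () => { clearTimeout(timer); resolve("ok"); };
    img.onerror = () => { clearTimeout(timer); resolve("error"); };
    // cache-buster, so a logo cached from an earlier visit cannot mask a block
    img.src = url + (url.includes("?") ? "&" : "?") + "nocache=" + Date.now();
  });
}

// Interpret the two rows following the chart's table. Assumption (mine): a blocked
// lookup fails fast ("error"), whereas a Slashdotted site merely times out, so a
// row of timeouts is reported as inconclusive rather than as an infection.
function classify(securityResults, controlResults) {
  const allOk = (rs) => rs.every((r) => r === "ok");
  const noneOk = (rs) => rs.every((r) => r !== "ok");
  const allError = (rs) => rs.every((r) => r === "error");
  if (allOk(securityResults) && allOk(controlResults)) {
    return { verdict: "clean",
             detail: "all six images loaded: not blocked (or a proxy fetched them for you)" };
  }
  if (noneOk(securityResults) && noneOk(controlResults)) {
    return { verdict: "no-images",
             detail: "nothing loaded: image loading off, or no connectivity at all" };
  }
  if (allError(securityResults) && allOk(controlResults)) {
    return { verdict: "possibly-infected",
             detail: "security sites fail fast while control sites load; check the machine" };
  }
  return { verdict: "inconclusive",
           detail: "mixed results or timeouts: slow connection, or one of the sites is down" };
}

// Run the whole chart in a browser; resolves to null outside one (e.g. under Node)
// so this file can still be loaded for testing the classifier.
async function runEyeChart(timeoutMs = 10000) {
  if (typeof Image === "undefined") return null;
  const [sec, ctl] = await Promise.all([
    Promise.all(SECURITY_SITES.map((u) => probeImage(u, timeoutMs))),
    Promise.all(CONTROL_SITES.map((u) => probeImage(u, timeoutMs))),
  ]);
  return classify(sec, ctl);
}

if (typeof window !== "undefined") {
  runEyeChart().then((r) => console.log(r.verdict + ": " + r.detail));
}
```

Two caveats from the thread are built into the classifier: a page that does not load at all is reported as "no-images", not as an infection, and a security-site row that only times out (the sites were being Slashdotted at the time) is "inconclusive". Anyone behind a web proxy gets "clean" regardless, because the proxy, not the infected host, performs the lookups.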
Re:Mirror (Score:5, Insightful)
Ha.
Anyway, the page is a clever idea.
Here's another interpretation to add to the list: Some of the sites that the page pulls images from are Slashdotted.
This is gonna cause mass hysteria.. (Score:2, Insightful)
Re: (Score:1)
Re: (Score:2, Insightful)
I think it's already there... I got it to actually load 1 out of 6 tries.
Well that's why it's slashdotted... people are loading it six times!
Re: (Score:2)
Defective thinking. (Score:2)
They should have posted a list of 26 links and told people to click on the link corresponding to the first letter of their name. Or something like that. Or gotten Google to host the page.
Useful in China? (Score:2, Interesting)
My C= is infected!!!! (Score:2)
I tried the VIC-20, 64, 128 and Plus-4
None of them show the pictures....
Nothing? (Score:3, Interesting)
Someone set us up the spambot.
Spam was way down most of this year, until yesterday. Then it shot back up to where it was last year.
Clearly someone tagged 4/1 as the day to start the spambots back up. Whether this is directly related to the conficker thing I couldn't tell.
Re:Nothing? (Score:4, Interesting)
I can't take credit for saying this as I'm only parroting it from another source, Fark I believe, but someone said it was well-known in the security industry that April 1st is by far the most common date for new malware to go live, and is also a common date for existing malware to update.
Probably to maximize confusion.
Oh shit (Score:5, Funny)
Re: (Score:1)
It's not slashdotted, it's the end of the world! (Score:2)
How long before... (Score:2, Interesting)
...Conficker is patched to allow access to these specific images from these domains?
Re:How long before... (Score:5, Insightful)
Then we (it's open source after all!) modify the test to use iframes (ewwww... but useful in these situations) to actually load the full pages. Once Conficker gets updated so it allows the pages, we move to actually downloading the patches with a message like "if the file doesn't download, you're probably infected". By the time Conficker gets good enough to actually allow the patches but modify them on the fly so they are not useful (just random noise with the same size and filename), then we're screwed.
Maybe I shouldn't give them ideas. I bet the author of Conficker reads Slashdot.
Re: (Score:3, Funny)
Maybe I shouldn't give them ideas. I bet the author of Conficker reads Slashdot.
Considering that s/he actually gets shit done I highly doubt it.
Re: (Score:2)
Conficker messes with DNS, not HTTP. Assuming they did not want to DDoS themselves, they would now have to build in an HTTP proxy (to pass three requests on and 404 the rest) and a firewall to not let anything out to those IPs other than TCP port 80. Good luck with that.
How long before they ruin this test (Score:5, Interesting)
Re:How long before they ruin this test (Score:4, Insightful)
Not if they're blacklisting. Only if they're redirecting. And if they were redirecting they'd presumably already have fake site mirrors set up, including these images, so the test would have never worked.
Oops (Score:5, Funny)
Another option for the eye chart (Score:5, Funny)
And if you can see the top row and not the bottom one it means you work at Microsoft.
Irony? Just a bit? (Score:2)
It's got to be irony when, the day after April Fools' Day, the day the virus in question was supposed to "detonate" for lack of a better word, the easiest method of detection is THIS.
Very cool.
Re: (Score:2)
Only the newsies supposed that it was going to "detonate".
Interesting idea, but ... (Score:1, Insightful)
What happens when those six sites see that they are getting leeched, and pull those images? Chaos ensues as man + dog believes themselves to be infected.
Ingenious! (Score:2)
While technologically simple (or because of it), this is a truly amazing idea! One of these once-in-a-lifetime ideas, in fact.
Re:Very nice & interesting technique (Score:5, Funny)
Sucks when / is blocked, now, isn't it? :)
Re: (Score:2)
I didn't mean when /. is blocked, I meant when / is blocked [blogspot.com].
Re: (Score:2)
If / is blocked by StopBadware, all sites with a / anywhere in the URL get blocked.
Now realize that all sites HAVE a / anywhere in the URL.
And that that actually happened once, at least on Google's copy of the StopBadware database. ;)
Re: (Score:1)
(or, conversely, "hardcode" IP-to-URL equations for sites I like to speed up access to they, &
You may want to rethink that part. For one, unless you have pathetic DNS servers, I doubt you'd ever notice doing the lookups. And if just once, that IP happens to be down, or has moved, the time it would take you to figure out the problem, you'd have lost all the time you "saved".
math pedantic (Score:2)
30 ms is 30 times faster than 0 ms?
wow.
Re: (Score:2)
literally, 30x as fast!
:::PEDANT ALERT:::
Actually, 1ms would be 30x as fast as 30ms, or 29x faster.
0ms can't be represented as "so many times as fast as" any number, but since 0ms is actually anything less than 0.5ms (assuming that you only have the one sig-fig) then we CAN say that 0ms is at least 60x as fast as 30ms, or at least 59x faster.
Re: (Score:1)
Ummm, yeah. First off, pinging the site tells you nothing except round trip time. Try something like 'time dig +short slashdot.org' Mine takes about 6 milliseconds of real time. Sure, the DNS server likely has it cached (which would be true of the OpenDNS servers).
I don't know about you, but I wouldn't notice a reduction of 6 milliseconds. Even 30 milliseconds I wouldn't notice. Depending on your setup, your local machine probably caches the results as well, so you're likely only doing that lookup
Re:Jon Stewart (Score:4, Informative)
Try the em tag.
Re: (Score:3, Insightful)
Re: (Score:2)
Disco.
If I could transfer my mod points to you I would.
Re: (Score:2)
Re: (Score:2)
Yeah, you're right. But compiling a linux kernel is easier than some of the things that I see her attempting to do with Windows. ;-)