Researchers Ponder Conficker's April Fool's Activation Date

The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"

You have the date. What's the next instruction?

[BadAnalogyGuy]

If you know when the code is going to start running, why don't you know what it will do after that? It's not like programs (and that's all a virus/worm is) are written in special, unreadable code. It's all machine language.

What is the big mystery?

Re:You have the date. What's the next instruction?

[DamienRBlack]

The mystery is that the original programmers obfuscated the design in order to make it a mystery. Security through obfuscation doesn't work in the long term, but it'll throw researchers off the scent for a while.

On top of that, the worn can get additional code via online updates, which can't be predicted.

On top of that, ever if we know what it can do, we don't know what purpose the authors will put it towards.

Re:You have the date. What's the next instruction?

From TFA:

For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.

Re:You have the date. What's the next instruction?

[Behrooz]

That is when the worm will generate 50,000 domain names and systematically try to communicate with each one.

RTFA. 50k potential addresses, some of which are quite possibly already in use for legitimate sites? Or simply registered under false pretenses? Any one of which could potentially have been r00ted already? Until zero-hour, there's no way to know... so we've got 50k potential command and control servers that need to be either intercepted, blocked, or checked for infection if we're actually planning some form of action 'beforehand'. This is a non-trivial enterprise.

As for finding the people behind this afterward? All they need to do is establish an effectively un-traceable communications channel with the main C&C network. If I were planning it, I'd have several modified conficker variants triggering early to compromise a couple thousand machines, then use that to obfuscate the primary C&C channels.

How many hops through infected machines do you need to create complete deniability when all you need to do is set up a very low-bandwidth communications channel to update the main bot network? 10? 100?

Think infinitely nested russian dolls, all of which point to somewhere else as the true source, or even a dozen somewhere elses.

Re:You have the date. What's the next instruction?

[0xygen]

Except that any botnet author with half a brain in the last few years has stopped you from stealing their botnet by only accepting digitally signed commands and updates.

It is a bit of a catch 22 - if you had their botnet, you might be able to crack the private key in a reasonable amount of time.

Re:You have the date. What's the next instruction?

[indi0144]

I have an alternative solution.

Migrate to Linux. Or Mac. Or, Solaris. Or Win3.11.

Seriously - everyone knows that 99.999999% of viruses and other infestations are targeted at Windows operating systems. Why stay with Windows?

People with A: an IQ larger than their shoe size B: a budget smaller than the federal government and C: are literate should have migrated long ago.

My shoe size is 136 and I have two Linux boxes but why using Windows should be symptom of low IQ or low budget?

Since Linux is Free as in beer and runs SO happily on older systems you would talk about Linux being targeted cheapskates.

Since there is such a quantity of software and hardware that run only on Windows, the fact that you can't run every program (with the performance) you need inside a virtual machine, and that it's installed on 90% of the worldwide toasters are things you just can make go away even if you're on the 999 society or the world most wealthier man (pun). People on real world need to make stuff on a PC and if theres no option you HAVE to use Windows because, probably, you need the work for money to buy food and stuff, you know, things that happen outside a basement.

You just can't be so naive and claim that Linux is the only option just because theres a kick ass worm about to go mad, fucking off the beige boxes owned by random world citizens that don't give a heck about what they clicks or what they allow to run. Linux is the option because it's free and libre and once stablished it's will boost the development of IT worldwide because it relies on the fact that information should be free and a competitive environment will take over.

People will get owned and they deserves it and the rest of the clean PC's owners deserve it too because we are just sitting in our ass looking at a chronicle of a tragedy Foretold

This is way more than a bunch of "Russians doing it for the lul$" FOX news succeeded in conditioning YOU to atomagically dismiss conspiracy theories just because yes. Most of darkest episodes of human history worked out in the form of conspiracies, back in the time when "theorist" were just stabbed in alleys by furry prostitutes. Nowadays you just get laughed by pointing a conspiracy, still you fear that.

Re:You have the date. What's the next instruction?

[StarkRG]

Why is it that worms and viruses have better security than legitimate programs?

John Markoff again?

[Seth+Kriticos]

Oh come on people, John Markoff did never ever shine with much clue about computers, much on the contrary. Why are we reading sorries from this dude on computers?

As for the article on conficker: it's speculation. That's not news. It's a guessing game.

I personally which, that the conficker virus should do as much damage as possible and render the whole interwebs useless for a few days, so that our security geniuses get a hint on how sane it is to set up the majority of computer systems with the same OS, especially such a vulnerable one. But that probably won't happen.

Re:System Clock

[Garridan]

A reliable network source? Surely that couldn't be faked on an isolated network!

Criminal activity == free market values

[iminplaya]

There's no other way to explain the enormous profits. People ask me, *Why do people write these viruses?* It's because the market demands it.

Re:System Clock

[Rip+Dick]

Maybe... if you know the 4096-bit key.

More of what's really going on

[Animats]

First, the "April 1" date isn't when some attack starts. The worm's authors can do that at any time, since this thing does downloads over its private P2P network. It's just when the scheme for connecting to control hosts is upgraded.

Second, the complexity of the thing, the breadth of technologies employed, and the rate of updates indicates that it's the product of an organization, not an individual. Someone behind this has money.

Third, there's a $250,000 reward, and no claimants, so the people behind this have the sense to shut up. They're not going to be found boasting on some IRC channel.

Fourth, as usual, most of the vulnerabilities are related to Windows' propensity for "autorunning" anything that looks executable.

Re:More of what's really going on

[jandrese]

Or it's the same old groups of hackers improving their work collaboratively over the years in a constant evolution of malware. The assumption that just because something is more complex than usual and therefore must be the work of some criminal mastermind doesn't necessarily hold true IMHO.

Re:Great idea!

[rritterson]

This logic always irks me. Do you really believe the speculative pundits they interview for these articles are more likely to come up with a new idea than the talented and probably extremely intelligent programmers who wrote up the Conficker worm in the first place?

Yes, perhaps some less-than-average person has now read this article and has seen the new idea for the first time, but that's no one to worry about. Usually if you are smart enough to implement some genius idea, you think of it first.

I'm sure you were kidding...

[symbolset]

But the botnet folks have been all over cloud computing for so long I think the major market proponents trying to sell that stuff are actually taking their cues from the botnets, not the other way around.

If Conficker goes live it will be the most powerful supercomputer on the planet. It will have more than 100 times the RAM, processors and storage of RoadRunner, the official record holder. The official record doesn't include prior worms like Storm. It will have more bandwidth than Google. It could store the Internet Archive a thousand times over, redundantly. It will have access to the personal documents of at least 10 million people. The operator clearly has the understanding necessary to harness all of that power or Conficker would not exist. Statistically at least a few of those PCs must have access to databases that know the medical history, credit application and other intimate details of the rest of us. You would have to be living off the grid since birth to escape the awareness of this thing.

And the guy running it won't be paying anything at all for it. They could if they wanted to make all those millions of computers do protein folding and help find cures for cancer overnight. The aggregate extra CPU load would probably bring several regional power grids down. They probably won't do that. Whatever it is they do it's probably not going to be good.

You know, I wish the people responsible for large enterprises would look at this and say - "Hey! There's an opportunity here. We could leverage our existing assets to do some interesting distributed architecture stuff between Greg the typist's keystrokes. After hours we could probably have some incredible data mining going on! Lunchtime our desktops could be doing something more interesting than driving that aquarium screensaver! You know, there's a lot of storage on these desktops that's could be put to good use..." I would really like that. I've been crying in my coffee for twenty years that I can't find somebody brilliant enough to do let me do that.

Maybe that's this guy's problem too. He got tired of waiting for permission from people with no understanding and took the initiative because he could.