Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Ponder Conficker's April Fool's Activation Date

Posted by Soulskill on from the rick-astley's-plans-come-to-fruition dept.

The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"

5 of 214 comments (clear)

  1. Re:You have the date. What's the next instruction? by Anonymous Coward · · Score: 5, Insightful

    From TFA:

    For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.

  2. Re:You have the date. What's the next instruction? by Behrooz · · Score: 4, Insightful

    That is when the worm will generate 50,000 domain names and systematically try to communicate with each one.

    RTFA. 50k potential addresses, some of which are quite possibly already in use for legitimate sites? Or simply registered under false pretenses? Any one of which could potentially have been r00ted already? Until zero-hour, there's no way to know... so we've got 50k potential command and control servers that need to be either intercepted, blocked, or checked for infection if we're actually planning some form of action 'beforehand'. This is a non-trivial enterprise.

    As for finding the people behind this afterward? All they need to do is establish an effectively un-traceable communications channel with the main C&C network. If I were planning it, I'd have several modified conficker variants triggering early to compromise a couple thousand machines, then use that to obfuscate the primary C&C channels.

    How many hops through infected machines do you need to create complete deniability when all you need to do is set up a very low-bandwidth communications channel to update the main bot network? 10? 100?

    Think infinitely nested russian dolls, all of which point to somewhere else as the true source, or even a dozen somewhere elses.

    --
    "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
  3. More of what's really going on by Animats · · Score: 4, Insightful

    First, the "April 1" date isn't when some attack starts. The worm's authors can do that at any time, since this thing does downloads over its private P2P network. It's just when the scheme for connecting to control hosts is upgraded.

    Second, the complexity of the thing, the breadth of technologies employed, and the rate of updates indicates that it's the product of an organization, not an individual. Someone behind this has money.

    Third, there's a $250,000 reward, and no claimants, so the people behind this have the sense to shut up. They're not going to be found boasting on some IRC channel.

    Fourth, as usual, most of the vulnerabilities are related to Windows' propensity for "autorunning" anything that looks executable.

    1. Re:More of what's really going on by jandrese · · Score: 4, Insightful

      Or it's the same old groups of hackers improving their work collaboratively over the years in a constant evolution of malware. The assumption that just because something is more complex than usual and therefore must be the work of some criminal mastermind doesn't necessarily hold true IMHO.

      --

      I read the internet for the articles.
  4. I'm sure you were kidding... by symbolset · · Score: 4, Insightful

    But the botnet folks have been all over cloud computing for so long I think the major market proponents trying to sell that stuff are actually taking their cues from the botnets, not the other way around.

    If Conficker goes live it will be the most powerful supercomputer on the planet. It will have more than 100 times the RAM, processors and storage of RoadRunner, the official record holder. The official record doesn't include prior worms like Storm. It will have more bandwidth than Google. It could store the Internet Archive a thousand times over, redundantly. It will have access to the personal documents of at least 10 million people. The operator clearly has the understanding necessary to harness all of that power or Conficker would not exist. Statistically at least a few of those PCs must have access to databases that know the medical history, credit application and other intimate details of the rest of us. You would have to be living off the grid since birth to escape the awareness of this thing.

    And the guy running it won't be paying anything at all for it. They could if they wanted to make all those millions of computers do protein folding and help find cures for cancer overnight. The aggregate extra CPU load would probably bring several regional power grids down. They probably won't do that. Whatever it is they do it's probably not going to be good.

    You know, I wish the people responsible for large enterprises would look at this and say - "Hey! There's an opportunity here. We could leverage our existing assets to do some interesting distributed architecture stuff between Greg the typist's keystrokes. After hours we could probably have some incredible data mining going on! Lunchtime our desktops could be doing something more interesting than driving that aquarium screensaver! You know, there's a lot of storage on these desktops that's could be put to good use..." I would really like that. I've been crying in my coffee for twenty years that I can't find somebody brilliant enough to do let me do that.

    Maybe that's this guy's problem too. He got tired of waiting for permission from people with no understanding and took the initiative because he could.

    --
    Help stamp out iliturcy.