Researchers Ponder Conficker's April Fool's Activation Date
The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"
Are those servers somehow hidden? If it has an IP address, it can be tracked down.
Assuming that it would need to interact with those servers at some time in the future, those addresses would need to be known somehow beforehand (even if it was simply a lookup to a table which contained the actual server IP address). So what's to stop investigators from finding the people behind this?
That's a great question. We know exactly what domains will be used. I don't see why ICANN wouldn't be able to make these domains unregisterable or disable them at the root nameservers.
I was going to say, they usually register a domain name based on an algorithm for a specific date where the bots will connect to. They'll only register it the closer to the date they get.
has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet -- and a genuine horror story.'"
In some dark room, a couple of virus writers are thinking... "Damn, what a great idea... why didn't we think of that! That's so much better than playing APRIL FOOLSs at max volume on everyone's computers."
Nothing like people giving out ideas... much like when security specialists say, "Well at least they didn't try to take out the planes stuffing baseballs in the airplane's toilets."
Well, which one has a goatee?
You mean a merkin: "Counterfeit hair for women's privy parts" (Dr. Johnson). It always puzzles me why one would want to wear one of these on one's face.
Either shave or don't shave.
As someone who often tries to remove infestations with Autoruns and Process Explorer; don't bother with this one as it won't work. The days of easy malware and virus removal are over.
My solution for infected computers? Backup user data and nuke it from orbit! It's the only way to be 100% sure (format/reinstall). It's cheaper and quicker for the client. It also teaches them a lesson to not click on every god-damn window without reading it first.
Life is not for the lazy.
The 'server' you are referring to is a computer that is also compromised by the worm. It would be owned by an innocent 3rd party who is unaware of the infection. Every day, each computer in the botnet runs an algorithm to identify 50,000 hostnames. It then performs a DNS lookup on each of those 50,000 hostnames. When it finds something that resolves to an IP address, it contacts that computer for instructions, downloading a binary executable, etc. The worm owners only have to register one of the 50,000 unique hostnames a couple days in advance using a stolen credit card. Then they upload instructions, payload, etc. to the computer with the IP address they want to use to instruct the other bots. The only traceable point would be the domain registration, but as mentioned, a stolen credit card will remove any trace of fingerprints on that.
As the GP mentioned, it's impossible to pre-register all the possible domains, but the damage could be mitigated by watching for any of the 50,000 daily unique hostnames to be registered, then altering DNS to invalidate the IP for that hostname.
Seth
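The rendezvous-and-sinkhole mechanics the comment above describes, as an added illustration that is not part of the thread and not Conficker's real code: the generator below is a constructed date-seeded stand-in for a domain generation algorithm (the seed, hashing, label lengths and TLD set are all assumptions), used only to show why both the bots and the defenders can derive the same daily list, and how a registrar feed can be matched against it to redirect any registered hit to a sinkhole.

```python
import hashlib
from typing import Callable, Iterable, Optional

# Constructed stand-in for a date-seeded domain generation algorithm (DGA).
# This is NOT Conficker's algorithm; it only reproduces the property the
# comment describes: every bot derives the same daily list from the date,
# so defenders watching registrations can derive it too.
TLDS = ("com", "net", "org")  # assumed TLD set for the demo

def daily_candidates(day: str, count: int = 50000, seed: bytes = b"demo-seed") -> list[str]:
    """Return the `count` hostnames every bot would try on ISO date `day`."""
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + day.encode() + i.to_bytes(4, "big")).digest()
        label = "".join(chr(97 + b % 26) for b in h[: 8 + h[8] % 4])  # 8-11 letters
        names.append(f"{label}.{TLDS[h[12] % len(TLDS)]}")
    return names

def bot_rendezvous(day: str, resolve: Callable[[str], Optional[str]], count: int = 50000):
    """Bot side as described in the comment: walk the day's list and return
    (hostname, ip) for the first name that resolves, or None if none do."""
    for name in daily_candidates(day, count):
        ip = resolve(name)
        if ip:
            return name, ip
    return None

def sinkhole_table(day: str, new_registrations: Iterable[str], sinkhole_ip: str,
                   count: int = 50000) -> dict[str, str]:
    """Defender side: match a feed of newly registered names against the
    day's candidate list and map every hit to a sinkhole address, i.e. the
    'alter DNS to invalidate the IP for that hostname' step."""
    candidates = set(daily_candidates(day, count))
    hits = (n.lower().rstrip(".") for n in new_registrations)
    return {n: sinkhole_ip for n in hits if n in candidates}

if __name__ == "__main__":
    day = "2009-04-01"
    todays = daily_candidates(day, 100)  # small constructed list for the demo
    # Constructed registration feed: one candidate hidden among unrelated names.
    feed = ["example.com", todays[42].upper() + ".", "innocent.org"]
    table = sinkhole_table(day, feed, "192.0.2.1", count=100)  # TEST-NET address
    print(table)
    print(bot_rendezvous(day, table.get, count=100))  # bot lands on the sinkhole
```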
$5 / month hosted VPS on linux = awesome!
I have worked on viruses also, since the first boot sector virus. This looks like a distributed secure shell account into a cloud. I personally have not analyzed the code, but what happens with these things is that once you have the virus and understand it, you can mod it for your own purposes. In this way it becomes open source. I would say that it has a continuous stream of authors and has no one single origin.
It is obviously crafted by a talented person and seems to be maintained as an asset. I have run into things like this many times, debugging system level problems for corporations. Some of the bugs seem to develop a life of their own. I would not be surprised in the least if this was originally an experiment (gone awry) by some bright individual who thought he could make a distributed OS.
It does have some very interesting aspects, and much like the fact that if you have physical access to a machine it can be compromised, I assume that having the code for the worm would allow me to rootkit the worm.
The link was interesting and almost like a design document for conficker C++.
My personal opinion is, that whoever is working with this ( and it could be many ), have taken the approach that if people don't take the effort to avoid being used, then they are asking to be used. You see this all the time in advertising, it is mental manipulation, and in that case, they are kitting minds. I am sure that MIC has its hand in these things too, obviously.
The thing that keeps me from looking into it more is the fact that it uses so many Windows specific exploits, and though exploiting Windows security is easy, it is also irritating to me personally, because it is such an incoherent kluge of different concepts.
No. Just because it communicates using IP does not mean it knows where it's instructions are coming from.
One of the key ways in which these worms/viruses/etc. get stopped is by taking the distribution/update servers down. Hard-coding the update server, or even having a means to update the source, is not terribly useful in the long run. Not when you're trying to be stealthy and avoid detection.
Fortunately for the IT industry (and really, the world as a whole) most trojan worms to this date have been fairly amateur in terms of avoidance techniques. They latch on to one or several vulnerabilities and use fairly predictable intelligence for infection and self-preservation.
Conficker appears to be the first serious "engineered" worm we've faced yet: worms created by genuine professionals with a deep and broad knowledge of technology and security. This is going to be problematic.
A while back, a friend and I made up a non-functional 'ultimate worm' rough prototype. Our design had many of the features which Conficker seems to demonstrate: decentralized P2P type updating, stealthy system presence, encrypted communication, and the like. One key functionality was that the botnet controller could, at any time, update the botnet through any infected host and have it propagate throughout the botnet cluster, unattended. There would be absolutely no way to trace the origin of the update.
We had some additional functionality (what I'd call generational peering vectors) which hasn't manifested in Conficker yet, thank god, but otherwise Conficker and our design are freakishly alike.
My guess? I suspect Conficker is either a massive foreign commercial project (compared to previous botnet attempts) staffed with sought-after professionals, or it's a (pick one) government-run experiment/espionage attempt. From a national-security perspective, I think the best thing that could be done is to create a counter-espionage bot to seek out and destroy infections of Conficker. But maybe I'm off on this.
~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
I once had a project many years ago for $AGENCY, about encryption. They wanted to make a perfect encryption and so they would make keys, and I would break them. They gave up. I can't say that is still true, as the key systems seem reasonably secure, except for where MiTM, social engineering, and people are involved.
The problem here is that the process of maintaining the botnet is profitable and the process of defeating it is not. Much like drug trafficking, those who seek to stop it are less motivated and if they succeed in their task will be unemployed, so even less motivation.
I can imagine many things about this situation by jootsing (Hofstadter expression). I would worry about it if it affected my Linux systems, but since it doesn't, let those who designed the host (Ms) solve the problem themselves.
Why is it that worms and viruses have better security than legitimate programs?
On the average they don't. Much like legitimate programs, there are many thousands of applications in this group, and the ones that persist tend to be ones that stand out in some field. Since the operating challenge for these applications includes active, aggressive and professional detection and eradication efforts, the survivors are the ones which excel in the ease of installation, network security and transparent user interface categories.
Think of it as advanced beta testing.
Help stamp out iliturcy.