Researchers Ponder Conficker's April Fool's Activation Date

The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"

Re:You have the date. What's the next instruction?

[CAIMLAS]

No. Just because it communicates using IP does not mean it knows where it's instructions are coming from.

One of the key ways in which these worms/viruses/etc. get stopped is by taking the distribution/update servers down. Hard-coding the update server, or even having a means to update the source, is not terribly useful in the long run. Not when you're trying to be stealthy and avoid detection.

Fortunately for the IT industry (and really, the world as a whole) most trojan worms to this date have been fairly amateur in terms of avoidance techniques. They latch on to one or several vulnerabilities and use fairly predictable intelligence for infection and self-preservation.

Conflicker appears to be the first serious "engineered" worm we've faced yet: worms created by genuine professionals with a deep and broad knowledge of technology and security. This is going to be problematic.

A while back, a friend and and I made up a non-functional 'ultimate worm' rough prototype. Our design had many of the features which Conflicker seems to demonstrate: decentralized P2P type updating, stealthy system presence, encrypted communication, and the like. One key functionality was that the botnet controller could, at any time, update the botnet through any infected host and have it propagate throughout the botnet cluster, unattended. There would be absolutely no way to trace the origin of the update.

We had some additional functionality (what I'd call generational peering vectors) which hasn't manifested in Conflicker yet, thank god, but otherwise Conflicker and our design are freakishly alike.

My guess? I suspect Conflicker is either a massive foreign commercial project (compared to previous botnet attempts) staffed with sought-after professionals, or it's a (pick one) government-run experiment/espionage attempt. From a national-security perspective, I think the best thing that could be done is to create a counter-espionage bot to seek out and destroy infections of Conflicker. But maybe I'm off on this.