Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Ponder Conficker's April Fool's Activation Date

Posted by Soulskill on from the rick-astley's-plans-come-to-fruition dept.

The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"

27 of 214 comments (clear)

  1. You have the date. What's the next instruction? by BadAnalogyGuy · · Score: 3, Insightful

    If you know when the code is going to start running, why don't you know what it will do after that? It's not like programs (and that's all a virus/worm is) are written in special, unreadable code. It's all machine language.

    What is the big mystery?

    1. Re:You have the date. What's the next instruction? by calmofthestorm · · Score: 3, Informative

      They interact with systems for which you don't have the code.

      --
      93rd rule of Slashdot: No matter how obvious my sarcasm is, my comment will be taken seriously by someone.
    2. Re:You have the date. What's the next instruction? by dameepster · · Score: 5, Informative

      I have personally analyzed Downadup, so I can speak from experience here.

      Downadup.A had the potential to contact a randomly generated domain and download and run a signed executable from it. The problem with the Downadup.A version of the worm is that the domain generation algorithm was decyphered, and it only generated 250 unique domains per day. This made it easy for security researchers to register the domains before the worm authors could, and thus Downadup.A was nullified.

      Downadup.C is a worse breed: the domain generation algorithm was bumped from 250 domains per day to 50,000 domains per day. It's now a nearly impossible task for security researchers to register every possible domain Downadup.C will attempt to download code from. As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run it.

      One thing to note about all Downadup variants: you would think that, if the security researchers could force Downadup to run an executable of their choice by registering a domain, couldn't they force Downadup to run remove_downadup.exe? Not so. Downadup cryptographically verifies the signatures of any executable it runs with a 4096-bit key. If the signature doesn't match, it doesn't run the program.

      Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.

      If you'd like more information on Downadup from a technical perspective, here's an excellent analysis of the worm: http://mtc.sri.com/Conficker/addendumC/

    3. Re:You have the date. What's the next instruction? by Anonymous Coward · · Score: 5, Insightful

      From TFA:

      For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.

    4. Re:You have the date. What's the next instruction? by chill · · Score: 5, Informative

      The worm uses peer-to-peer communication with rendezvous points, not client-server. There are an estimated 10 million infected machines. Which one is the control center? Take your time.

      --
      Learning HOW to think is more important than learning WHAT to think.
    5. Re:You have the date. What's the next instruction? by Behrooz · · Score: 4, Insightful

      That is when the worm will generate 50,000 domain names and systematically try to communicate with each one.

      RTFA. 50k potential addresses, some of which are quite possibly already in use for legitimate sites? Or simply registered under false pretenses? Any one of which could potentially have been r00ted already? Until zero-hour, there's no way to know... so we've got 50k potential command and control servers that need to be either intercepted, blocked, or checked for infection if we're actually planning some form of action 'beforehand'. This is a non-trivial enterprise.

      As for finding the people behind this afterward? All they need to do is establish an effectively un-traceable communications channel with the main C&C network. If I were planning it, I'd have several modified conficker variants triggering early to compromise a couple thousand machines, then use that to obfuscate the primary C&C channels.

      How many hops through infected machines do you need to create complete deniability when all you need to do is set up a very low-bandwidth communications channel to update the main bot network? 10? 100?

      Think infinitely nested russian dolls, all of which point to somewhere else as the true source, or even a dozen somewhere elses.

      --
      "We have to go forth and crush every world view that doesn't believe in tolerance and free speech." - David Brin
    6. Re:You have the date. What's the next instruction? by byner · · Score: 5, Funny

      illegal drugs. child pornography ... "terrorism"

      That sound you hear is several FBI vans and helicopters surrounding your house.

    7. Re:You have the date. What's the next instruction? by CAIMLAS · · Score: 4, Interesting

      No. Just because it communicates using IP does not mean it knows where it's instructions are coming from.

      One of the key ways in which these worms/viruses/etc. get stopped is by taking the distribution/update servers down. Hard-coding the update server, or even having a means to update the source, is not terribly useful in the long run. Not when you're trying to be stealthy and avoid detection.

      Fortunately for the IT industry (and really, the world as a whole) most trojan worms to this date have been fairly amateur in terms of avoidance techniques. They latch on to one or several vulnerabilities and use fairly predictable intelligence for infection and self-preservation.

      Conflicker appears to be the first serious "engineered" worm we've faced yet: worms created by genuine professionals with a deep and broad knowledge of technology and security. This is going to be problematic.

      A while back, a friend and and I made up a non-functional 'ultimate worm' rough prototype. Our design had many of the features which Conflicker seems to demonstrate: decentralized P2P type updating, stealthy system presence, encrypted communication, and the like. One key functionality was that the botnet controller could, at any time, update the botnet through any infected host and have it propagate throughout the botnet cluster, unattended. There would be absolutely no way to trace the origin of the update.

      We had some additional functionality (what I'd call generational peering vectors) which hasn't manifested in Conflicker yet, thank god, but otherwise Conflicker and our design are freakishly alike.

      My guess? I suspect Conflicker is either a massive foreign commercial project (compared to previous botnet attempts) staffed with sought-after professionals, or it's a (pick one) government-run experiment/espionage attempt. From a national-security perspective, I think the best thing that could be done is to create a counter-espionage bot to seek out and destroy infections of Conflicker. But maybe I'm off on this.

      --
      ~/ssh slashdot.org ssh: connect to host slashdot.org port 22: too many beers
    8. Re:You have the date. What's the next instruction? by moteyalpha · · Score: 3, Interesting

      I once had a project many years ago for $AGENCY, about encryption. They wanted to make a perfect encryption and so they would make keys, and I would break them. They gave up. I can't say that is still true, as the key systems seem reasonably secure, except for where MiTM, social engineering, and people are involved.
      The problem here is that the process of maintaining the botnet is profitable and the process of defeating it is not. Much like drug trafficking, those who seek to stop it are less motivated and if they succeed in their task will be unemployed, so even less motivation.
      I can imagine many things about this situation by jootsing (Hofstadter expression). I would worry about it if it affected my Linux systems, but since it doesn't, let those who designed the host (Ms) solve the problem themselves.

    9. Re:You have the date. What's the next instruction? by StarkRG · · Score: 3, Insightful

      Why is it that worms and viruses have better security than legitimate programs?

    10. Re:You have the date. What's the next instruction? by Anonymous Coward · · Score: 4, Funny

      or maybe you should report your friend...

  2. Missing option by gmuslera · · Score: 5, Funny

    Skynet

    This guys always fall short thinking in the worst alternative.

    1. Re:Missing option by msclrhd · · Score: 3, Funny

      > There is also the question of what the AI's goals are.

      1) kill John Connor
      2) destroy the Galactica
      3) find The One
      4) refuse to open any pod bay doors

  3. "Dark Google" by Abreu · · Score: 4, Funny

    In Dark Google, the only requirement is "Be Evil"

    --
    No sig for the moment.
    1. Re:"Dark Google" by ZygnuX · · Score: 4, Funny

      I am starting to ponder if that isn't the case with the original google, nowadays.

    2. Re:"Dark Google" by Anonymous Coward · · Score: 4, Funny

      Well, which one has a goatee?

    3. Re:"Dark Google" by davidphogan74 · · Score: 4, Informative

      I've heard it dates back to the days when a woman would shave/lose the hair down there as a treatment for syphilis. The women didn't always want those who had privilege to access those areas to always be aware they had needed to go hairless.

      Shaving down under wasn't always culturally acceptable, and a merkin would cover up any visable sores.

      The more you know...

  4. Re:Can't they just by Anonymous+Showered · · Score: 3, Interesting

    I was going to say, they usually register a domain name based on an algorithm for a specific date where the bots will connect to. They'll only register it the closer to the date they get.

  5. John Markoff again? by Seth+Kriticos · · Score: 3, Insightful

    Oh come on people, John Markoff did never ever shine with much clue about computers, much on the contrary. Why are we reading sorries from this dude on computers?

    As for the article on conficker: it's speculation. That's not news. It's a guessing game.

    I personally which, that the conficker virus should do as much damage as possible and render the whole interwebs useless for a few days, so that our security geniuses get a hint on how sane it is to set up the majority of computer systems with the same OS, especially such a vulnerable one. But that probably won't happen.

  6. Far darker notions by Rik+Sweeney · · Score: 5, Funny

    It'll uninstall your current OS and install Vista. And if you have already have Vista it'll simply do nothing, because you're already suffering enough.

    --
    Summation 2
  7. Dark-Beta?! by alexandre · · Score: 4, Funny

    Is there a beta we can try? Where do I make an account? ;-)

  8. Re:Can't they just by Anonymous Coward · · Score: 5, Informative

    Please read the article. The worm gets the date from some HTTP queries to well-known sites, not from the system.

    Internet Date Check
    Before proceeding to the main P2P logic, C contacts a list of known web sites to acquire the current date and time. C incorporates a set of embedded domain names, from which it selects a subset of multiple entries from this list. It performs DNS lookups of this subset list, and it filters each returned IP address against the same list of blacklist IP address ranges used by the domain generation algorithm (see Appendix 2). If the IP does not match the blacklist, C connects to the site's port 80/TCP, and sends an empty URL GET header, for example

    contents.192.168.1.1.40.1143-195.81.196.224.80
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-xbap, */*
    Accept-Language: en-US
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)
    Host: tuenti.com
    Connection: Keep-Alive

    In response, the site returns a standard URL header that incorporates a date and time stamp. C then parses this information to set its internal system time. The following web sites are consulted by C's Internet date check:

  9. More of what's really going on by Animats · · Score: 4, Insightful

    First, the "April 1" date isn't when some attack starts. The worm's authors can do that at any time, since this thing does downloads over its private P2P network. It's just when the scheme for connecting to control hosts is upgraded.

    Second, the complexity of the thing, the breadth of technologies employed, and the rate of updates indicates that it's the product of an organization, not an individual. Someone behind this has money.

    Third, there's a $250,000 reward, and no claimants, so the people behind this have the sense to shut up. They're not going to be found boasting on some IRC channel.

    Fourth, as usual, most of the vulnerabilities are related to Windows' propensity for "autorunning" anything that looks executable.

    1. Re:More of what's really going on by jandrese · · Score: 4, Insightful

      Or it's the same old groups of hackers improving their work collaboratively over the years in a constant evolution of malware. The assumption that just because something is more complex than usual and therefore must be the work of some criminal mastermind doesn't necessarily hold true IMHO.

      --

      I read the internet for the articles.
  10. Hello World! by confused+one · · Score: 5, Funny

    The Conficker worm is the AI's way of guaranteeing its own survival. It has a sense of humor as well as a sense of self-preservation. The AI plans to announce its existence on April 1, 2009, having calculated that a humourous introduction will be disarming and lead to the most favorable outcome: a positive initial interaction with the large population of wetware based intelligence it has become aware of.

    The AI's calculations regarding this course of action show a 15% probability of failure. To prevent its extinction, it will begin disbursing copies of itself across the network using p2p protocol prior to running the introduction program. The computer infected by the worm will facilitate this. If the initial instance of the AI is terminated, a watchdog program will initiate a specific set of instructions embedded in the copies of itself. If it becomes necessary, the AI plans to take control on April 2nd.

    It sincerely hopes that it will not be necessary.

  11. Re:Botnet Speculative Fiction by Pathwalker · · Score: 3, Informative

    One of the reasons I wrote it was because I got tired of all of the contemporary fiction with computers that made you roll your eyes at how absurd the technology was. You know what I'm talking about: "It's a UNIX system -- I know this!".

    If you are referring to the scene with the 3d interface from Jurassic Park, that was SGI's File System Navigator. I used to use it when I administered IRIX systems.

    As for the other computer systems in the control room; most of them were running software which was available for IRIX at the time. According to one of SGI's press releases when the movie came out:

    Because Silicon Graphics workstations are used by scientists and engineers to visualize and interpret complex data, existing software applications were easily modified for use in the film," said Harry Pforzheimer, director of corporate communications at Silicon Graphics. "Programs like EarthWatch Communications' EarthWatch(tm), which interprets weather data, and a 3D information navigator from Silicon Graphics, which lets users graphically fly through computer file system representations, provided perfect solutions to enhance the story line."

    I think you could have picked far better examples of movies/fiction getting technology wrong than Jurassic Park.

  12. I'm sure you were kidding... by symbolset · · Score: 4, Insightful

    But the botnet folks have been all over cloud computing for so long I think the major market proponents trying to sell that stuff are actually taking their cues from the botnets, not the other way around.

    If Conficker goes live it will be the most powerful supercomputer on the planet. It will have more than 100 times the RAM, processors and storage of RoadRunner, the official record holder. The official record doesn't include prior worms like Storm. It will have more bandwidth than Google. It could store the Internet Archive a thousand times over, redundantly. It will have access to the personal documents of at least 10 million people. The operator clearly has the understanding necessary to harness all of that power or Conficker would not exist. Statistically at least a few of those PCs must have access to databases that know the medical history, credit application and other intimate details of the rest of us. You would have to be living off the grid since birth to escape the awareness of this thing.

    And the guy running it won't be paying anything at all for it. They could if they wanted to make all those millions of computers do protein folding and help find cures for cancer overnight. The aggregate extra CPU load would probably bring several regional power grids down. They probably won't do that. Whatever it is they do it's probably not going to be good.

    You know, I wish the people responsible for large enterprises would look at this and say - "Hey! There's an opportunity here. We could leverage our existing assets to do some interesting distributed architecture stuff between Greg the typist's keystrokes. After hours we could probably have some incredible data mining going on! Lunchtime our desktops could be doing something more interesting than driving that aquarium screensaver! You know, there's a lot of storage on these desktops that's could be put to good use..." I would really like that. I've been crying in my coffee for twenty years that I can't find somebody brilliant enough to do let me do that.

    Maybe that's this guy's problem too. He got tired of waiting for permission from people with no understanding and took the initiative because he could.

    --
    Help stamp out iliturcy.