Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researchers Ponder Conficker's April Fool's Activation Date

Posted by Soulskill on from the rick-astley's-plans-come-to-fruition dept.

The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"

8 of 214 comments (clear)

  1. Missing option by gmuslera · · Score: 5, Funny

    Skynet

    This guys always fall short thinking in the worst alternative.

  2. Re:You have the date. What's the next instruction? by dameepster · · Score: 5, Informative

    I have personally analyzed Downadup, so I can speak from experience here.

    Downadup.A had the potential to contact a randomly generated domain and download and run a signed executable from it. The problem with the Downadup.A version of the worm is that the domain generation algorithm was decyphered, and it only generated 250 unique domains per day. This made it easy for security researchers to register the domains before the worm authors could, and thus Downadup.A was nullified.

    Downadup.C is a worse breed: the domain generation algorithm was bumped from 250 domains per day to 50,000 domains per day. It's now a nearly impossible task for security researchers to register every possible domain Downadup.C will attempt to download code from. As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run it.

    One thing to note about all Downadup variants: you would think that, if the security researchers could force Downadup to run an executable of their choice by registering a domain, couldn't they force Downadup to run remove_downadup.exe? Not so. Downadup cryptographically verifies the signatures of any executable it runs with a 4096-bit key. If the signature doesn't match, it doesn't run the program.

    Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.

    If you'd like more information on Downadup from a technical perspective, here's an excellent analysis of the worm: http://mtc.sri.com/Conficker/addendumC/

  3. Far darker notions by Rik+Sweeney · · Score: 5, Funny

    It'll uninstall your current OS and install Vista. And if you have already have Vista it'll simply do nothing, because you're already suffering enough.

    --
    Summation 2
  4. Re:You have the date. What's the next instruction? by Anonymous Coward · · Score: 5, Insightful

    From TFA:

    For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.

  5. Re:You have the date. What's the next instruction? by chill · · Score: 5, Informative

    The worm uses peer-to-peer communication with rendezvous points, not client-server. There are an estimated 10 million infected machines. Which one is the control center? Take your time.

    --
    Learning HOW to think is more important than learning WHAT to think.
  6. Re:Can't they just by Anonymous Coward · · Score: 5, Informative

    Please read the article. The worm gets the date from some HTTP queries to well-known sites, not from the system.

    Internet Date Check
    Before proceeding to the main P2P logic, C contacts a list of known web sites to acquire the current date and time. C incorporates a set of embedded domain names, from which it selects a subset of multiple entries from this list. It performs DNS lookups of this subset list, and it filters each returned IP address against the same list of blacklist IP address ranges used by the domain generation algorithm (see Appendix 2). If the IP does not match the blacklist, C connects to the site's port 80/TCP, and sends an empty URL GET header, for example

    contents.192.168.1.1.40.1143-195.81.196.224.80
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-xbap, */*
    Accept-Language: en-US
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)
    Host: tuenti.com
    Connection: Keep-Alive

    In response, the site returns a standard URL header that incorporates a date and time stamp. C then parses this information to set its internal system time. The following web sites are consulted by C's Internet date check:

  7. Re:You have the date. What's the next instruction? by byner · · Score: 5, Funny

    illegal drugs. child pornography ... "terrorism"

    That sound you hear is several FBI vans and helicopters surrounding your house.

  8. Hello World! by confused+one · · Score: 5, Funny

    The Conficker worm is the AI's way of guaranteeing its own survival. It has a sense of humor as well as a sense of self-preservation. The AI plans to announce its existence on April 1, 2009, having calculated that a humourous introduction will be disarming and lead to the most favorable outcome: a positive initial interaction with the large population of wetware based intelligence it has become aware of.

    The AI's calculations regarding this course of action show a 15% probability of failure. To prevent its extinction, it will begin disbursing copies of itself across the network using p2p protocol prior to running the introduction program. The computer infected by the worm will facilitate this. If the initial instance of the AI is terminated, a watchdog program will initiate a specific set of instructions embedded in the copies of itself. If it becomes necessary, the AI plans to take control on April 2nd.

    It sincerely hopes that it will not be necessary.