.CA Registrar Trying To Preempt Conficker

clover kicker writes "The CBC reports that the group managing Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day. 'This is the first virus that's really focused on domain names as part of propagating the virus itself,' said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain. CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group. That would make those names unavailable for anyone to register in order to set up a website to host the worm's 'command and control' file. A list of the names has been predicted by security experts based on the worm's code. In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will 'take appropriate action if suspicious activity is detected.'"

Tactics?

[nubsac]

It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.

It's like telling your enemy "Hey, I know where and when your going to strike"

We know it's capable to updating itself, this just gives the author an 8 day head start on writing a new pseudo random URL generator.

Re:Tactics?

People misusing ceases irritates me almost as much as people saying "I could care less". That's all well and good, if you care a great deal about something, but what people mean when they say it (and Americans are the guiltiest of all when it comes to this) is "I couldn't care less".

Source code

[ManuelH]

Anyone knows where can I take the Confiker source code? Must be enlighting!

Re:ugh

[Plutonite]

Look, we don't hate you for what you write - it may well be true. It just has nothing to do with this story, OK? It really is offtopic. In fact I agree with a lot of what you wrote (and disagree with some twisted facts too) but I think the moderators are right modding you down to hell, and maybe banning your IP range. You are annoying people. Annoyed people don't listen. Find a forum to discuss this in a sane way and people might listen.

Re:ugh

[cez]

lmao, you had me at:

If you wanted the trolling to stop, let a troll per week post a front page story or something.

now I'd subscribe again for that. It would have to be lottery style or something mad random... way too many trolls out there with too much time on their hands.

Seems like a futile attempt

[billcopc]

It's cute that they're trying to preempt the worm, but to be effective they pretty much have to disable ALL potential domains. Miss one, and the worm will find it.

What I don't get is how people can still be surprised/impressed/scared by these things. Today's viruses have little in common with their elegant, obfuscated ancestors. Any twit can assemble a "virus" by tapping into the OS' libraries. Today's worms are essentially package managers, so anything you can do with legitimate software like emailing, flashing your BIOS or opening ports on your firewall, a virus can do the same things. It simply has to talk to its software repository, pull down the pieces it needs and proceed with its dirty deeds.

Hell, a tiny perl script could turn standard tools like Yum and Emerge into virus delivery agents. They already possess all the required functionality...

Re:GREAT!

[cez]

The people who analyzed it know what algorithms lay dormant and could be changed with the flick of a bit.

I know I shouldn't feed the trolls, but if these people who "analyzed" it only know what they've been able to observer or provoke it to do. I must have missed where they completely reverse engineered it and created a fix.

They figured out 1 of a myriad of its activities and service mediums let alone been able to crack one of its control channels. I'm all for fighting the good fight, but saying we understand this or have analyzed it thoroughly is naive.

The root cause IMO

[Onyma]

Isn't one of the root causes of all this the fact that the exploit was released into the wild? I am highly against it every time I see one of the security "researchers" releasing these holes into the public knowledge base. Had this exploit been kept quiet with Microsoft rolling out an important update that quietly patched it I believe we wouldn't be in this situation.

It's like someone announcing on a street corner that the bricks on the south wall of a bank were found to be very thin, but don't worry... we'll get to adding a little more mortar soon enough. Don't any body make use of this information though as that wouldn't be nice of you.

I understand the concept of motivating the software manufacturers to move on fixing bugs but is this really a worthwhile outcome to achieve this goal? I tend to believe if some "researchers" hadn't just kept their mouths shut and found alternate means to have this dealt with April 1 would still only be "Fool's Day".

I also suspect that some of these "information releases" are often done for ulterior motives as well. Possibly to say "look at what I found" and quite possibly to just watch the target OS/product go down vs. your alternate favourite OS/product.

I am not an expert on Conficker's exact history nor this specific exploit, but I do feel my comments above are generally accurate to many announced exploits in general.

Re:The root cause IMO

[shentino]

The flaw in your argument is trusting MS to be timely about its updates.

I'd say tell the vendors, and give them about a month.

If they haven't fixed it by then, there's a chance that someone else has found it, and publishing it won't hurt anything else, and may actually help by putting pressure on the vendor for a fix.

Keeping an exploit under wraps only works if the vendor is responsive enough so that they don't get beat by a different "researcher" looking to use the hole for his own gain.

Re:The root cause IMO

[Yvanhoe]

First, some exploits are made through reverse engineering of MS patches and then targets unpatched machines. This procedure has even been automatized, meaning that a virus could be created in the very first minutes a patch is rolled out of Redmond.

Second, the general ethics about flaws disclosure is to inform the manufacturer first, but to keep in mind that even if you are a talented security researcher, there are numerous malicious talented security researcher and that if the manufacturer doesn't react, there is a moral duty to inform users that some software in some configuration might be at risk. If you are a small guy with little reputation, you have to release details in order to be taken seriously.

And it works. Most of the time.

Re:The root cause IMO

[cffrost]

Isn't one of the root causes of all this the fact that the exploit was released into the wild?

No. Microsoft was (made) aware of the vulnerability and had a patch available on 2008-10-18. According to Symantec's malware database, W32/Conficker.A was first seen on 2008-11-24. If all vulnerable machines had been patched in a timely fashion, Conficker would not have spread.

Full-disclosure motivates vendors to patch their vulnerable software, and allows administrators and users to take precautions (independent of the vendor's action or inaction). For more information on why full-disclosure is preferable to security-through-obscurity, consult writings by Bruce Schneier. One interesting example that Schneier points out is that NSA releases many publicly-available security guides and tools; NSA is aware that these releases can be utilized by friends and foes alike.

Re:The root cause IMO

It's like someone announcing on a street corner that the bricks on the south wall of a bank were found to be very thin, but don't worry... we'll get to adding a little more mortar soon enough. Don't any body make use of this information though as that wouldn't be nice of you.

Except banks have insurance, so even if someone breaks in, their customers don't need to worry.

Not so with Microsoft. If you get hit with Conficker, don't expect to see a single cent from Microsoft, to cover any loss you may suffer.

If banks had no insurance, and someone breaking in meant that all their customers lost their money, I can guarantee you that those customers would want to know which bank is easy to break in to. Because their only safety would be to not put their money in that bank.

As a Microsoft customer, your only defence is to know exactly where the hole is, and set up your own defence. If a security researcher doesn't inform you, you have no defence at all.

Re:ugh

[Mystra_x64]

Maybe ACs should be disabled until at least 30 comments are written or something...

Re:Hrm

This is because there's just no way to do it without destroying what makes the internet such a good thing in the first place.

Full Disclosure

> Isn't one of the root causes of all this the fact that the exploit was released into the wild?

Yes and no.

In the bad old days before full disclosure, vendors would threaten security researchers. That lead to the bad guys knowing everything and being able to hack with impunity, the security researchers being considered the "bad guys" even though they weren't doing anything bad with the holes they found, and the general public being totally ignorant of all the security problems out there.

In other words, back when no one called out the vendors putting out shoddy products, all we had were shoddy products.

So the practice of not disclosing security vulnerabilities actually hurts the good guys far more than it hurts the bad guys, even if it sometimes leads to cases like this one.