Has Conficker Been Abandoned By Its Authors?
darthcamaro writes "Remember Conficker? April first doom and gloom and all? Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master command and control. Speaking at the Black Hat/Defcon Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, was told not to talk in detail about the Conficker gang — the problem is that not all researchers were under the same gag order. Just ask Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, who says 'The Conficker botnet is autonomous; that is very strange in itself that they made Conficker replicate by itself. Now it seems like the authors have abandoned the project, but because it is autonomous, it can do whatever it wants and it keeps on trying to find new hosts to infect.'"
It probably got sick of the old masters and kicked them out.
The simple truth is that interstellar distances will not fit into the human imagination
- Douglas Adams
It really is exciting watching a new life form as it stretches its legs!
Looks like posting to this article has been abandoned as well :)
If you give a liberal an enema, he'll turn transparent.
Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master ...
Hmmm, sounds like its authors should have spent more time on their Torgo routine. You know, the bit of code that takes care while the master is away.
<Torgo>The master would not approve; he likes you
... but the master would ... not approve.</Torgo>
My work here is dung.
At which point it should have control of everything, and be able to take over.
Did the same authors write this article using the same skills in use of grammar? ;-)
We have no idea who is behind this or what they intend to do so we will continue with wild-ass speculation in order to keep our companies in the news.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Possible scenarios:
1. they've been busted for something else and are now in gaol. Conficker patiently bides its time waiting for the stars to be right and its dark master(s) to be freed.
2. they've given up on that crappy little botnet and are working busily on a new, much stronger, more powerful one.
3. It was never invented by Russian mobsters, but by the Bush administration, intending to hack all the voting machines and deliver unto George a third term.
4. someone forgot their password, it was written on a little post-it by the monitor, which was vacuumed up by their mum when she did some spring cleaning.
5. The inventors had their fun with Microsoft and the internet, but now they've discovered girls and beer.
from any other virus? Last I checked, any effective virus has a mechanism to spread/replicate by itself, whether to other IPs on the same subnet or via AIM or USB drives or what have you. In April and May I scanned my network of ~8500 completely user-controlled machines and found a grand total of 4 confirmed infected. The IRC bots spread via AIM links were more prevalent.
Skynet gets started.
Please don't dominate the rap, Jack, if you got nothin' new to say.
I wonder if they just managed to lock themselves out, so they can't control it.
Either that or someone walked in front of a beer truck.
Not really. I use Linux. What was it you were worried about again?
... Mikko Hypponen, chief research officer at security firm F-Secure was told not to talk in detail about the Conficker gang...
Ok, what could possibly be the reason for this? I can only think of one, which is simply an effort to keep the malware alive (even though it's "dead") in order to scare users into buying their software for protection they don't need, and until someone provides another probable motive I'll discourage anybody from using F-Secure.
I am the lawn!
All hail Bugtraq #31874!
- Despite popular opinion, I am not perfect.
sure admiral ackbar.
some other hackers will eventually update it later after all the fear, panic, and media coverage has gone down
Its not my fault, someone put a wall in my way.
now they all have abandonware/ vaporware
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
No Masters.
I suppose they just ficked off, then.
That's what happens when software isn't open - it gets abandoned and the users are screwed. Free Conficker now! Turn it over to the EFF!
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
When enough users have been lulled into inaction and enough machines have been taken over, the enemy will strike. Meanwhile, the operators may be sending commands to specific PCs of interest. Security researchers might not be picking up commands targeted to only a few machines.
Most anti-virus defense efforts assume the enemy is only marginally competent and has no strategic goal. It's clear from what's known about the Conficker attack that the enemy is significantly more competent and better funded than those behind previous viruses. The Conficker attack was updated frequently until it was deploying itself successfully despite defensive efforts. Once the attack continued to grow despite defensive efforts, the updates stopped. That's not loss of interest, that's operational art.
This thing behaves like it has military tactical planning behind it.
At least now I'll have someone to talk to that's close to my own level...
In God we trust, all others we virus scan.
Which military though? There seems to be no major military that could have done this and doesn't strike.
Taxation is legalized theft, no more, no less.
So what is the next step? Do we take down the net now that we know it's running on it's own, or do we use it as a study in AI?
Here I come to save the da... *thud*
I gotta get me a shorter cape.
In a panic, they tried to pull the plug.
I want to delete my account but Slashdot doesn't allow it.
I could have sworn (correct me if I'm wrong) that Conficker's instruction set usually downloaded encrypted instructions from certain web servers. Certainly it's possible that they lost control of it instead of abandoning it. (Not in the Skynet way.) I could imagine that if instructions weren't sent past a point in time, the encryption it used was wrong, or possibly even corrupted at some point.
Well, a lot of botnets have been theorized to have connections with Russian organized crime.
Which probably got them connections to some disgruntled Russian ex-military types out of a job...
retrorocket.o not found, launch anyway?
I set up a sacrificial XP SP1 box in my DMZ, unpatched, no policies, file sharing on etc. leaving it wide open for a few weeks, right in the middle of the Conficker storm hype period. Just to see what would happen. Got tons of visitors trying to figure out Guest and Admin passwords (set to guest, password respectively). Even got a few petty IRC-bot infections. But I never got a working Conficker infection. The closest was a couple Conficker files that were dropped but wouldn't activate. I was disappointed at the hype over Conficker when it failed to pwn my n00b'd box.
Actually, most AV researchers do take their "enemies" seriously. Malware writers are competent, if only because they manage to use security holes which require quite a bit of intimate knowledge of the machines (and the OS) you try to infect.
It's not a secret that most malware writers do have a goal by now: Money. The days of the pimple-faced kiddy sitting in the basement and, out of frustration of not getting laid, releasing some worm on the world. That's so 90s.
What's right is that AV research usually targets the "mass market", at least when it comes to AV development. If you're working for strategic targets, you usually can't make a big speech out of it, neither military nor government nor financial services like you blabbing about how insecure their setup is. So any commands issued only to a small subset of the botnet would probably go unnoticed.
While we're pissing in the wind anyway, allow me to add mine: how about this whole deal being a targeted attack, and they just waited for their designated target to become infected.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
You'd have to wait until you see what is attacked and the consequences of the attack are. Finding out who had the most to gain will typically show you who the culprit is.
My guess is Jay Rockefeller and his minions. He recently said that the internet is the country's #1 national hazard and it should have never been given to the people.
http://www.youtube.com/watch?v=i8PCmLPPVnA
He has introduced a few bills into congress which would give federal control over the entire Internet infrastructure in the United States.
Lawrence Lessig was told there would be an i-9/11 and an i-patriot act was already written for such an occasion.
http://www.boingboing.net/2008/08/05/lawrence-lessig-on-t.html
Have there been any new worm enabling Windows vulnerabilities disclosed since Conficker was first noticed? Looking around a little, there have been more non-worm remote exploits than I care to sort through; the worm/non-worm distinction I am drawing is that a worm enabling vulnerability doesn't require any action on the client.
The quiet period could simply be a result of nothing new to add.
Nerd rage is the funniest rage.
It will go away on its own some day. We got rid of most Windows 3.11 computers, we'll get rid of most Windows XP computers, etc. It will run out of food soon, and a botnet that can't adapt itself (lucky us, huh?) to other operating systems will go away. We still have Blaster and some of its friends, but maybe the people that do deserve it, because 100% backwards compatibility is a PITA for software engineers. Maybe we should leave Conficker where it is for the sake of software evolution.
Which military though? There seems to be no major military that could have done this and doesn't strike.
How about the ${YOURCOUNTRY} military? You assume the goal is to strike computers, and not to impress them into ${YOURCOUNTRY}'s service.
The days of /. users proofreading their posts, and posting complete sentences.
The idea with conficker was that it would generate thousands of websites and contact them for payload instructions. The security community registered a lot of these sites in advance, so it may be the case that these things are always trying to phone home but no one is answering.
I also imagine that ISPs are blocking connections to servers they have identified as conficker controllers.
My understanding is that there's some p2p aspect too, but it may not be operational. Heck, getting legitimate p2p working on a residential connection is a pain, let alone a known illegitimate one. Again, I'm guessing most ISPs are blocking this somehow.
So the botnet may be up and running, but it cannot contact its masters. Eventually these PCs will be replaced or reimaged and conficker will be a statistical blimp a year from now.
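The mechanism the comment above describes (the bot computing a daily list of rendezvous domains, and defenders computing the same list ahead of time and registering the names) can be shown in a few dozen lines. What follows is an added, illustrative example and not Conficker's actual algorithm: the seed, the hash, the 50-per-day count and the TLD list are all made up here, and the `registry` dictionary stands in for DNS so the whole thing runs offline.

```python
"""Toy domain-generation rendezvous and defender pre-registration.

Illustrative only: the seed, the hash, the domain count and the TLD list are
constructed for this example and are NOT Conficker's real algorithm or parameters.
"""
import hashlib
from datetime import date, timedelta
from typing import Dict, List, Optional, Set

TLDS = ("com", "net", "org", "info", "biz")  # constructed list for the example


def generate_domains(day_iso: str, count: int = 50, seed: bytes = b"example-seed") -> List[str]:
    """Derive `count` candidate rendezvous domains for one calendar day (ISO date string).

    The bot runs this every day. An analyst who has pulled the same seed and
    algorithm out of the binary can run it for any future date as well, which
    is what makes pre-registration possible.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + i.to_bytes(2, "big")).digest()
        label_len = 8 + digest[0] % 5                      # 8..12 characters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + label_len])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def defender_preregister(start_iso: str, days_ahead: int, seed: bytes = b"example-seed") -> Set[str]:
    """Every name the botnet will look up in the window, computable in advance."""
    start = date.fromisoformat(start_iso)
    names: Set[str] = set()
    for offset in range(days_ahead):
        day = (start + timedelta(days=offset)).isoformat()
        names.update(generate_domains(day, seed=seed))
    return names


def phone_home(day_iso: str, registry: Dict[str, str], seed: bytes = b"example-seed") -> Optional[str]:
    """Bot side: walk today's list and return the first name that answers as a controller.

    `registry` maps domain -> holder ("c2" for the operators, "sinkhole" for the
    working group). Names not in the registry simply do not resolve.
    """
    for name in generate_domains(day_iso, seed=seed):
        if registry.get(name) == "c2":
            return name
    return None                                             # nobody answering


if __name__ == "__main__":
    day = "2009-04-01"
    sinkholed = {name: "sinkhole" for name in defender_preregister("2009-03-25", 14)}
    print("controller reached:", phone_home(day, sinkholed))   # None: defenders hold every name
    late = dict(sinkholed)
    late[generate_domains(day)[7]] = "c2"                      # operators got one name first
    print("controller reached:", phone_home(day, late))
```

The defender's cost is `count × days_ahead` registrations per window; the operators only need to win one name per day, which is why the real working group needed registrars across every TLD on the list rather than a handful of domains.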
1. Create autonomous botnet
2. Nap
3. ???
4. Profit
Then I suppose we should be expecting a new virus/botnet to be built soon. So that they can hack the key to the old botnet :)
And if they attach pretty screensaver showing computations in real time, users probably will sign up voluntarily
Hyperom.com
...it followed me home, can I keep it?
Wait... I need to run out and patent the niche market missed in this patent. I'll make millions in lawsuits!
Abstract
A method of swinging on a swing is disclosed, in which a user positioned on a standard swing suspended by two ropes from a substantially horizontal bar other than a tree induces side to side motion by pulling alternately on one rope and then the other.
Before commenting on the Bible, please read it first
...until NOW!
Because today, my dream of a bot model that can infect all known botnets became true!
I call them lolbots, because of the fun I will have with them, because In Ex Soviet Russia, botnets are attacked by ME!
Now go forth my little botsies. And if they do not sing our song... blow them into little bits... *sings a children's melody* Mmmm. Mmhh-*hmmm* mmmhh hmm-mmm
*MUHAHAHAHAHAAAA*
*pets the white long-haired cat*
Any sufficiently advanced intelligence is indistinguishable from stupidity.
The real news is that Conficker has evolved, intellectually, beyond the intellect of its creators. Singularity/Cornfucker has arrived, disguised as a botnet!
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
That's all we need...
An abandoned, horny bot-net with extreme daddy-issues.
That ALWAYS ends well.
If there's a known list of domain names that Conficker is assuming as the "controller" of the botnet, why can't someone reverse engineer the controller and use the Conficker botnet to patch its own hosts, killing itself off?
A statistical blimp, eh? Sailing serenely over the countryside, counting and comparing, picking out trends among the populace below...
Not a sentence!
Unless it's an AI, no it can't. It's still locked into its original programming.
I doubt it's 'on its own' and its owners are just laying low, but if it is on its own, and it's got built-in AI, we are screwed.
---- Booth was a patriot ----
Somewhere there's a hacker going "I *KNEW* I needed to write down that password!!!"
Pug
An Invisible Entity of Vast Power whose existence must be taken on faith alone: Liberal Media
The multi-vendor Conficker Working Group is currently making sure that no one can take over the botnet from a command and control point of view, according to Schouwenberg.
Who is behind Conficker and what do they want? That's one question that Hypponen wanted to talk about but wasn't permitted to do so.
I would guess that the Good Guys have been actively trying to interfere with conficker, more than just preventing the botnet getting hijacked.
I believe there is a real possibility they have successfully shut out the original controllers. However, all they may have been able to do is to 'break' the botnet so nobody can control it.
After logging in slashdot still does not take you back to the page you were on. It's been that way for 20 years.
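Two of the threads above meet here: the question of why nobody can simply register one of the rendezvous domains and use the botnet to patch its own hosts, and the remark that the working group is making sure no one can take over command and control. The usual answer is that a bot only applies an update that verifies under a public key baked into the binary, so holding a domain gets you nothing without the matching private key, and if the operators lose that key the network is stranded exactly as described. The block below is an added example, not Conficker's code or the working group's: it uses textbook RSA with no padding and a deliberately small modulus (so it is not a production signature scheme), and the names `Bot`, `receive` and `demo` are hypothetical.

```python
"""Toy signed-update check: why holding a rendezvous domain is not holding the botnet.

Illustrative only: textbook RSA with no padding and a small modulus, so it is NOT a
production signature scheme and NOT Conficker's code. Requires Python 3.8+ (pow(e, -1, m)).
"""
import hashlib
import random
from typing import List, Optional, Tuple

PublicKey = Tuple[int, int]   # (n, e)
PrivateKey = Tuple[int, int]  # (n, d)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 24) -> bool:
    """Miller-Rabin; good enough to build a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        candidate = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # force size and oddness
        if _is_probable_prime(candidate, rng):
            return candidate


def generate_keypair(bits: int = 512, seed: Optional[int] = None) -> Tuple[PublicKey, PrivateKey]:
    """RSA pair with a `bits`-bit modulus. `seed` exists only to make the demo reproducible."""
    rng = random.Random(seed) if seed is not None else random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:     # e is prime, so this is gcd(e, phi) == 1
            break
    n = p * q
    return (n, e), (n, pow(e, -1, phi))


def _digest(payload: bytes) -> int:
    # 256-bit digest is always smaller than the 512-bit modulus, so no reduction needed
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign(priv: PrivateKey, payload: bytes) -> int:
    n, d = priv
    return pow(_digest(payload), d, n)


def verify(pub: PublicKey, payload: bytes, signature: int) -> bool:
    n, e = pub
    return 0 < signature < n and pow(signature, e, n) == _digest(payload)


class Bot:
    """The part of a bot that decides whether a downloaded blob is a genuine update."""

    def __init__(self, operator_pub: PublicKey) -> None:
        self.operator_pub = operator_pub      # baked into the binary at build time
        self.applied: List[bytes] = []

    def receive(self, payload: bytes, signature: int) -> bool:
        if not verify(self.operator_pub, payload, signature):
            return False                      # wrong key or tampered payload: silently dropped
        self.applied.append(payload)
        return True


def demo() -> dict:
    operator_pub, operator_priv = generate_keypair(seed=1)
    _, sinkhole_priv = generate_keypair(seed=2)    # whoever now holds the domain; no operator key
    bot = Bot(operator_pub)
    update = b"module: spam-sender v3"
    uninstall = b"module: self-uninstall"
    return {
        "operator_update": bot.receive(update, sign(operator_priv, update)),
        "sinkhole_update": bot.receive(uninstall, sign(sinkhole_priv, uninstall)),
        "tampered_update": bot.receive(b"module: spam-sender v4", sign(operator_priv, update)),
        "applied": list(bot.applied),
    }


if __name__ == "__main__":
    print(demo())
```

The consequence for the "patch it from its own controller" idea is the second result: a benign self-uninstall payload signed with anyone else's key is indistinguishable, from the bot's point of view, from a hostile one, and is dropped. Real deployments would use a padded scheme (PSS or similar) and a much larger key, but the control property is the same.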
Yeah, I have a funny anecdote to second this:
After Conficker came out, I tested how well Symantec did at detecting Metasploit MS08-067 exploitation (the vulnerability Conficker exploits).
It turned out that neither the AV client itself detected a VNC DLL upload (and thus me controlling the attacked machine via a GUI), nor did Symantec's Proactive Threat Protection (a host IPS engine) detect or prevent the exploitation.
So I called Symantec about it, and the technician I got on the phone explained to me that since Metasploit was a legitimate penetration testing tool, it was whitelisted.
Of course I got angry and tried to explain that even if it might have its legitimate purposes, there still was the concern that any worm author could simply take the Metasploit code and embed it in his own creation.
The Symantec employee then told me that he was not aware of a single instance where such a thing had ever happened, not in his entire career as an AV expert. Back then, on the phone with the Symantec guy, I had no internet access with me, but I told him that I was pretty confident that this had very well happened in the past.
So shortly after the phone call I googled a bit and in an instant found that Conficker itself uses the Metasploit MS08-067 code!
So I wrote that to Symantec and they answered me the following (paraphrased): Symantec's Proactive Threat Detection (aka HIPS) is not designed to prevent the exploitation of unpatched services; I should instead apply the patch...
Well... they revised their opinion after I asked for the official permission to publish those hilarious statements which I have done hereby anyhow :-)
Scary, isn't it? But nah, Symantec did not write Conficker.
Oh, and a few days later they detected and prevented the Metasploit attack.
P.S. I am writing as AC not because Symantec could know who I am; they can find that out anyway. I am writing as AC so Symantec does not get to correlate my real name with my Slashdot account.
As Georges Brassens once said: Gare au Gorille! (Beware of the Gorilla!)
For those of you who don't read French, Georges Brassens' English Wikipedia page will explain to you why you should avoid gorillas; simply search for "Le gorille" on that page.
Vote green: shit in the ballot box!
11. It really is the creation of some TLAs somewhere, from Mossad to CIA or FSB or the Secret Service of Trinidad & Tobago or such. This is why Conficker dropped a real malicious payload only for a short time: if you want to have a large army of bots to attack other nations in the case of war, it does not make sense to drop a malicious payload. You don't want to go through the hassle of actually making some money, but you can't afford to have someone find this out; also, you do not want to destroy or harm your bots' hosts or make your bot appear more dangerous to their host maintainers than necessary, since they might put more effort into removing your bot. But not deploying any malicious payload at all turned out to spark all sorts of speculation and media interest, so they had to make Conficker drop a plausible payload that self-destructed after a short while.
12. Some mafia guys thought of hiring a bunch of experts for the development of the perfect and most advanced botnet, and it all worked fine. Until they realized that this one perfect botnet created thousands of times the media and police attention that all other bots preceding it combined had. So, as every security researcher, every cyber-crime unit and every self-proclaimed virus hunter was then watching them, they abandoned the project and instead returned to deploying hundreds of less effective, smaller-scale bots that also got them loads of money but no media attention.
Kill it before it develops language skills!
Ok, what could possibly be the reason for this? I can only think of one,
Or perhaps they did some vigilante hacking to destroy the system controlling the botnet. While such an activity would be for the greater good of Internet users, it would also be just as illegal as mundane data theft or destruction.
HA! I just wasted some of your bandwidth with a frivolous sig!
If they chose to abandon it, they should really make it open source. Maybe we can raise some money to buy the source code from them, as we did with Blender? ;-)
There are two rules for success:
1. Never tell everything you know.
One fine day, the Conficker virus decided to rickroll all its infected hosts.
People always seem to treat AI as some kind of emotionless douchebag.
Humans created it. If anything, it'll end up with human intelligence.
Human intelligence, on an Internets full of porn.
Yeah, we're never going to hear from Conficker again. Ever.
That patent is far too specific. To begin with, you specifically indicate that two ropes are required, thus an imitator using either 1 or more than two ropes has already invalidated your patent. Secondly, you specify rope ... what about chains, or some other connecting media. You obviously have a long way to go in this area.
... there are hundreds of versions, and they do not all contain the same text!
PS: which version of the bible
Reading all this about Conficker, I think it's an ideal candidate for securing p2p networks, better than Tor or Freenet. I think the developers should open source its code...
Until the skies turn blue...
Until the air of freedom strikes us...
I thought about this one, and either a) he is staying quiet for awhile until he creates a new payload that bypasses anything new on the market that would eradicate the worm....or b) it is actually skynet that has taken over control, and is now building its own army in some underground bunker, waiting for that special moment to pop up and yell surprise!!!
welcome our new autonomous botnet overlords.
No, initially full of hot air, but inevitably dangling over our heads making us wonder when the next one will crash and create a burning spectacle we can watch and contemplate the humanity of ... if we're not running for our lives at the time.
This space for rent. All reasonable inquiries will be entertained at proprietors discretion.