Slashdot Mirror
Has Conficker Been Abandoned By Its Authors?
darthcamaro writes "Remember Conficker? April first doom and gloom and all? Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master command and control. Speaking at the Black Hat/Defcon Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, was told not to talk in detail about the Conficker gang — the problem is that not all researchers were under the same gag order. Just ask Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, who says 'The Conficker botnet is autonomous; that is very strange in itself that they made Conficker replicate by itself. Now it seems like the authors have abandoned the project, but because it is autonomous, it can do whatever it wants and it keeps on trying to find new hosts to infect.'"
It really is exciting watching a new life form as it stretches its legs!
Strength is irrelevant. Resistance is futile. We wish to improve ourselves. We will add your biological and technological distinctiveness to our own. Your culture will adapt to service ours.
"Beauty is the ultimate defense against complexity." - David Gelernter
Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master ...
Hmmm, sounds like its authors should have spent more time on their Torgo routine. You know, the bit of code that takes care while the master is away.
... but the master would ... not approve.</Torgo>
<Torgo>The master would not approve; he likes you
My work here is dung.
We have no idea who is behind this or what they intend to do so we will continue with wild-ass speculation in order to keep our companies in the news.
"I'd rather be a lightning rod than a seismometer." -Ken Kesey
Possible scenarios:
1. they've been busted for something else and are now in gaol. Conficker patiently bides its time waiting for the stars to be right and its dark master(s) to be freed.
2. they've given up on that crappy little botnet and are working busily on a new, much stronger, more powerful one.
3. It was never invented by Russian mobsters, but by the Bush administration, intending to hack all the voting machines and deliver unto George a third term.
4. someone forgot their password, it was written on a little post-it by the monitor, which was vacuumed up by their mum when she did some spring cleaning.
5. The inventors had their fun with Microsoft and the internet, but now they've discovered girls and beer.
from any other virus? Last I checked, any effective virus has a mechanism to spread/replicate by itself, whether to other IPs on the same subnet or via AIM or USB drives or what have you. In April and may I scanned my network of ~8500 completely user-controlled machines and found a grand total of 4 confirmed infected. The IRC bots spread via AIM links were more prevalent.
I wonder if they just managed to lock themselves out, so they can't control it.
Either that or someone walked in front of a beer truck.
Not really. I use Linux. What was it you were worried about again?
That's what happens when software isn't open - it gets abandoned and the users are screwed. Free Conficker now! Turn it over to the EFF!
Lars T.
To the guy who modded me down from perfect to terrible Karma - Apple haters still suck
When enough users have been lulled into inaction and enough machines have been taken over, the enemy will strike. Meanwhile, the operators may be sending commands to specific PCs of interest. Security researchers might not be picking up commands targeted to only a few machines.
Most anti-virus defense efforts assume the enemy is only marginally competent and has no strategic goal. It's clear from what's known about the Conflicker attack that the enemy is significantly more competent and better funded than those behind previous viruses. The Conflicker attack was updated frequently until it was deploying itself successfully despite defensive efforts. Once the attack continued to grow despite defensive efforts, the updates stopped. That's not loss of interest, that's operational art.
This thing behaves like it has military tactical planning behind it.
It sounds like the order came not from F-Secure corporate, but from a Three Letter Agency of some sort (Probably the FBI, but perhaps one of the FBI's counterparts in another country.)
It may not be that he was strictly ORDERED to keep quiet, but requested to do so and is honoring that request out of courtesy for the investigators.
retrorocket.o not found, launch anyway?
Next time, please do us all a favor, and resist.
Actually, most AV researchers do take their "enemies" serious. Malware writers are competent. If only because they manage to use security holes which require quite a bit of intimate knowledge of the machines (and the OS) you try to infect.
It's not a secret that most malware writers do have a goal by now: Money. The days of the pimple-faced kiddy sitting in the basement and, out of frustration of not getting laid, releasing some worm on the world. That's so 90s.
What's right is that AV research usually targets the "mass market", at least when it comes to AV development. If you're working for strategic targets, you usually can't make a big speech out of it, neither military nor government nor financial services like you blabbing about how insecure their setup is. So any commands issued only to a small subset of the botnet would probably go unnoticed.
While we're pissing in the wind anyway, allow me to add mine: How about this whole deal being a targeted attack, and they just waited for their designated target becoming infected.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Next time, please do us all a favor, and resist.
but wouldn't that be futile?
rewriting history since 2109
The idea with conficker was that it would generate thousands of websites and contact them for payload instructions. The security community registered a lot of these sites in advance, so it may be the case that these things are always trying to phone home but no one is answering.
I also imagine that ISPs are blocking connections to servers they have identified as conficker controllers.
My understanding is that theres some p2p aspect too, but it may not be operational. Heck, getting legitimate p2p working on a residential connection is a pain, let alone a known illegitimate one. Again, Im guessing most ISPs are blocking this somehow.
So the botnet may be up and running, but it cannot contact its masters. Eventually these PCs will be replaced or reimaged and conficker will be a statistical blimp a year from now.
We don't discriminate. If it writes decent code its contributions will be welcome.
Warning: this article may contain humor, sarcasm, parody, and perhaps even irony. Read at your own risk.
...it followed me home, can I keep it?
Watch the series again. S.A.C. has nothing to do with a virus becoming self aware. It's actually a collective of individuals who believe to be acting autonomously but, in reality, are all following a pattern mimicking individual intent by a single entity.
The Laughing Man was originally a single hacker, but once he stopped his activities, a group of others took it from there and their actions collectively created another Laughing Man.
It's basically digital gestalt-ism combined with neural networking where each human is a node in the larger network without being aware of the whole.
Sort of like 4chan, but much less horrible ;)
Maybe Alan Cox can step in as maintainer, now that he has a little free time off his TTY maintainer position?
Actually, the article was submitted by the Conficker bot. It has evolved a rudimentary PR function...
that actually makes a hell of a lot more sense than someone just saying "I'm bored, let's do something else" and giving a 5 million computer botnet up. I mean come on, what are they, insane?! That's like the computer criminal version of buying a buying an italian sports car and then driving it into a lake on purpose. You just don't do that once you finally have one. This article is just stupid beyond words! There is no way in hell it was just "given up." The person behind it either died or is feeling some serious heat from people trying to catch them.
This shows an immense failure of imagination. Just off the top of my head, maybe the developed something better. Maybe they've found something more profitable to do. If you spend more than two seconds, I'm sure you too can think of other alternatives. And you're apparently calling it "insane" and/or "immensely stupid" to not fall for the sunk costs fallacy. It doesn't matter how much time or effort they sunk into it making it. If the continued costs of running that car are too much, if you aren't a victim of the sunk costs fallacy, you abandon it, regardless of how much you went through to get it to begin with. Here the analogy breaks down, since you can probably sell the car for at least some payback with little risk, whereas selling your botnet is a very risky activity, even if it's potentially quite lucrative. If that Italian sports car was stolen and you probably can't sell it without getting caught, then yeah, driving it into the lake may be the best thing you can do when you no longer have a need or desire for it. (This is also a bad analogy in that what the botnet creator is alleged to have done here isn't drive it into a lake, but merely to walk away. The equivalent of driving it into the lake would be to dismantle the botnet, rather than just leave it out there...)
"Convictions are more dangerous enemies of truth than lies."
Yeah, I have a funny anecdote to second this:
After Conficker came out, I tested how well Symantec did with detecting a Metasploit MS08-067 exploitation. (The vulnerability Conficker exploits)
It turned out that neither the AV client itself detected a VNC dll upload and thus me contolling the attacked machine via a GUI nor did Symantecs Proactive Threat Protection (a Host IPS engine) detect or prevent the exploitation.
So I called Symantec about it and the technician I got on the phone explained me that since Metasploit was a legitimate penetration testing tool, it was whitelisted.
Of course I got angry and tried to explain that even if it might have its legitimate purposes, there still was the concern that any worm author could simply take the Metasploit code and embed it in his own creation.
The Symantec employee then told me that he was not aware of a single instance where such a thing would ever have happened, not in his entire career as an AV expert. Back then on the phone with the Symantec guy I had no internet access with me but told him that I was pretty confident that this has very well happened in the past.
So shortly after the phone call I googled a bit and in an instant found that Conficker itself uses the Metasploit MS08-067 code!
So I wrote that to Symantec and they did answer me the following(paraphrased): Symantecs Proactive Threat Detection (aka HIPS) is not designed to prevent the exploitation of unpatched services, I should instead apply the patch...
Well... they revised their opinion after I asked for the official permission to publish those hilarious statements which I have done hereby anyhow :-)
Scary, isn't it? But nah, Symantec did not write Conficker.
Oh, and a few days later they detected and prevented the Metasploit attack.
p.s. I am writing as AC not because Symantec could know who I am, they can find that out anyways. I am writing as AC so Symantec does not get to correlate my real name with my SlashDot account.