.CA Registrar Trying To Preempt Conficker
Posted by
timothy
on Tue Mar 24, 2009 09:13 PM
from the circling-the-wagons dept.
clover kicker writes "The CBC reports that the group managing Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day. 'This is the first virus that's really focused on domain names as part of propagating the virus itself,' said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain. CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group. That would make those names unavailable for anyone to register in order to set up a website to host the worm's 'command and control' file. A list of the names has been predicted by security experts based on the worm's code. In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will 'take appropriate action if suspicious activity is detected.'"
Related Stories
Researchers Ponder Conficker's April Fool's Activation Date 214 comments
The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose range from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"
Hrm (Score:5, Interesting)
Re:Hrm (Score:4, Funny)
We can only hope for some explosions to make it interesting.
Re:Hrm (Score:5, Interesting)
Re: (Score:2)
For me... well yes and no. I'm really wondering what it is going to do in the first place.
Yes: because it could be a wake-up call to computer security. But then I have been thinking that since the i-love-you virus or what was it, the first one to propagate by e-mailing itself to everyone in the outlook address book. Many people know or at least should know about viruses and worms by now, but many/most still don't care.
No: because in case of a truly malicious attack the results could be quite horrible for
Re:Hrm (Score:4, Funny)
Re: (Score:3, Funny)
Am I the only one hoping like hell that someone will release this virus for the Mac and Linux platforms? :)
Tactics? (Score:4, Insightful)
It's like telling your enemy "Hey, I know where and when you're going to strike"
We know it's capable of updating itself, this just gives the author an 8 day head start on writing a new pseudo random URL generator.
Re: (Score:3, Informative)
Yes, it should have been done quietly. Perhaps it is a PR thing "our .ca domains are not vulnerable"? Who knows.
As I pointed out [slashdot.org] in another comment, the author(s) scan all the info about Conficker and then modify it to protect itself against the defenses. They did that by releasing the C variant to select domains out of a random number of 50,000 total, after the initial 250 got outed in B.
I bet that there will be a D variant shortly before April 1st, and it will have more defenses and convolutions.
Inter
Re:Tactics? (Score:5, Informative)
It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.
Assuming English isn't your first language: "It never ceases to amaze me" is what you meant, i.e. "I'm always surprised."
Re:Tactics? (Score:4, Interesting)
It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.
It's like telling your enemy "Hey, I know where and when you're going to strike"
We know it's capable of updating itself, this just gives the author an 8 day head start on writing a new pseudo random URL generator.
Others have already answered to the effect that publicly coordinating actions doesn't significantly raise the exposure in this particular case.
But going beyond that, are you sure that they're not manoeuvring in the face of the enemy, trying to elicit a response? Once you've got a subject under observation, sometimes the best way to learn its true nature is to poke it and see what it does.
Re: (Score:2, Funny)
"grammer" nazi?
Re: (Score:3, Funny)
Re: (Score:2)
Unless they mean "I could care less [... if I really, really tried hard]".
Source code (Score:2, Insightful)
Re: (Score:2)
I'd pay even for just the comments, assuming the developer had the sense to make his code maintainable.
April Fools!!! (Score:5, Funny)
Helps, but not much ... (Score:5, Informative)
I saw the article today on CBC (Canada's equivalent of the BBC).
This effort may help, but given that the worm has so many other TLDs to choose from, it may not help much. Making the 110 TLDs only 109 (or even 75 if other TLD authorities do the same) will not help that much.
Moreover, there is another mechanism which is not very clear, whereby the infected nodes will contact each other via a peer-to-peer protocol. See Peer to Peer protocol [sri.com]. So, once the botnet gets going, the need for the domain name (so called "Internet Rendezvous points") may diminish.
Also, the article contains some inaccuracies:
Actually, the worm author(s) are aware that the user may change the clock of the PC to keep the worm from triggering. So they query several well known sites and check the date/time on the HTTP headers to make this defense point moot. See Internet Date Checking [sri.com]
It will query only 500 out of 50,000 generated domain names. See the domain generation algorithm [sri.com].
I bet there will be a revision D shortly before April 1st, and the author(s) will address many of the potential defenses in revision C.
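The "Internet date check" mentioned in the comment above, as an added illustration (this is not Conficker's code and not from the SRI paper): rather than trust the local clock, take the Date: header from several well-known HTTP servers and use their median. The server names, the raw responses and the April 1 trigger date are constructed for the example; the point is that turning the PC's clock back changes nothing once the decision is driven by the network consensus, and that one server with a bad clock does not move the median.

```python
"""
Added example: date consensus from HTTP Date: headers.

Not Conficker's code. The hosts, responses and TRIGGER below are
assumptions constructed for illustration.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from statistics import median

# Assumed activation date (from the thread), in UTC.
TRIGGER = datetime(2009, 4, 1, tzinfo=timezone.utc)

# A local clock that a user wound back to dodge the trigger (assumed value).
LOCAL_CLOCK_SET_BACK = datetime(2009, 3, 20, tzinfo=timezone.utc)

# Constructed raw HTTP response heads (status line plus headers).
SAMPLE_RESPONSES = {
    "www.example-a.test": "HTTP/1.1 200 OK\r\nDate: Wed, 01 Apr 2009 00:03:12 GMT\r\nServer: x\r\n\r\n",
    "www.example-b.test": "HTTP/1.1 302 Found\r\nDate: Wed, 01 Apr 2009 00:02:58 GMT\r\nLocation: /\r\n\r\n",
    "www.example-c.test": "HTTP/1.1 200 OK\r\nDate: Tue, 31 Mar 2009 23:59:40 GMT\r\n\r\n",
    # One server with a badly skewed clock: an outlier the median ignores.
    "www.example-d.test": "HTTP/1.1 200 OK\r\nDate: Sat, 01 Jan 2000 00:00:00 GMT\r\n\r\n",
}


def extract_date(raw: str):
    """Return the Date: header of one response as an aware UTC datetime, or None."""
    for line in raw.split("\r\n")[1:]:      # skip the status line
        if not line:                          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        if name.strip().lower() != "date":
            continue
        try:
            dt = parsedate_to_datetime(value.strip())
        except (TypeError, ValueError):       # unparsable header: treat as absent
            return None
        if dt.tzinfo is None:                 # "-0000" yields a naive value; assume UTC
            dt = dt.replace(tzinfo=timezone.utc)
        return dt.astimezone(timezone.utc)
    return None


def consensus_time(responses):
    """Median of the server-reported times; robust to a minority of bad clocks."""
    times = [t for t in (extract_date(r) for r in responses.values()) if t is not None]
    if not times:
        return None
    epochs = sorted(t.timestamp() for t in times)
    return datetime.fromtimestamp(median(epochs), tz=timezone.utc)


def trigger_reached(responses, local_now, trigger=TRIGGER):
    """True when the network consensus, not the local clock, is past the trigger.

    The local clock is consulted only if no server answered at all.
    """
    net = consensus_time(responses)
    if net is None:
        return local_now >= trigger
    return net >= trigger


if __name__ == "__main__":
    print("consensus:", consensus_time(SAMPLE_RESPONSES).isoformat())
    print("local clock says", LOCAL_CLOCK_SET_BACK.date(), "but trigger reached:",
          trigger_reached(SAMPLE_RESPONSES, LOCAL_CLOCK_SET_BACK))
```

The defensive consequence is the one the comment draws: winding the clock back is not a mitigation. For an analyst the same function is handy in reverse, run over captured responses to see which date a sample would have believed on a given day.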
Re:Helps, but not much ... (Score:5, Funny)
Well, that would certainly explain the "C," wouldn't it?
Re: (Score:2)
It will query only 500 out of 50,000 generated domain names.
This part I still don't get. It means that either the authors plan to register a huge number of domains (very unlikely as in it makes it way too obvious who is behind this worm), or only about 1% of the infected hosts will succeed in connecting to the correct host to receive instructions. Still a large number of course, but how about the other 99% of infected hosts? Are they just going to sit idle? Or if using that p2p functionality to propagate instructions: how are they going to find each other?
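The 500-of-50,000 question asked above, and the earlier points about pre-registering names in one TLD, as an added worked model (this is not Conficker's algorithm and not CIRA's list): a date-seeded generator that anyone holding the seed can run ahead of time, a per-bot random subset of names to query, and the exact odds that a bot's subset contains at least one name the operator registered. The hash, seed, label format and TLD list are assumptions chosen for the example; only the per-day counts (50,000 generated, 500 queried) come from the thread.

```python
"""
Added example: a toy date-seeded DGA and the rendezvous arithmetic behind it.

Not Conficker's code. SEED, TLDS and the label scheme are assumptions.
"""
import hashlib
import random

# Assumed TLD list; the real worm reportedly drew from about 110 TLDs.
TLDS = ["com", "net", "org", "ca", "de", "fr", "uk", "jp", "ru", "br", "cn"]
SEED = b"illustrative-seed"     # assumed; a real DGA hard-codes its own


def generate_domains(iso_day: str, count: int, tlds=TLDS, seed=SEED):
    """Deterministically derive `count` candidate names for the day `iso_day`
    (e.g. "2009-04-01"). Defenders who know seed and algorithm get the same
    list for any future day, which is what makes pre-registration possible."""
    names = []
    for i in range(count):
        h = hashlib.sha256(seed + iso_day.encode() + i.to_bytes(4, "big")).digest()
        n = int.from_bytes(h[:8], "big")
        label = ""
        for _ in range(8):                  # 8 lowercase letters from the hash
            label += chr(ord("a") + n % 26)
            n //= 26
        names.append(f"{label}.{tlds[h[8] % len(tlds)]}")
    return names


def choose_queries(domains, k, rng_seed=None):
    """The k names one bot actually looks up: a different random subset per bot."""
    return random.Random(rng_seed).sample(domains, k)


def share_in_tld(domains, tld):
    """Fraction of the day's candidates that a single registry controls."""
    return sum(d.endswith("." + tld) for d in domains) / len(domains)


def rendezvous_probability(total, queried, registered):
    """Exact chance that a bot querying `queried` of `total` names hits at least
    one of the `registered` names the operator controls (hypergeometric:
    1 - C(total-registered, queried) / C(total, queried), computed as a product)."""
    p_miss = 1.0
    for i in range(queried):
        p_miss *= (total - registered - i) / (total - i)
    return 1.0 - p_miss


if __name__ == "__main__":
    names = generate_domains("2009-04-01", 50000)
    print("first candidates:", names[:3])
    print("one bot queries", len(choose_queries(names, 500, rng_seed=1)), "of them")
    print("share under .ca that one registry could preempt:", round(share_in_tld(names, "ca"), 4))
    for m in (1, 10, 100, 500):
        print(f"operator registers {m:>3} names -> a given bot connects with p ="
              f" {rendezvous_probability(50000, 500, m):.3f}")
```

Two numbers answer the comment. With one registered name, a bot's 500 lookups hit it with probability 500/50,000 = 1%, so about 1% of bots check in that day; registering 100 names already lifts that above 60%, which is why the operator does not need to register anything close to all 50,000, and why a sinkhole that covers only one TLD removes roughly one TLD's share of the namespace rather than the rendezvous itself. The bots that miss on one day simply try again with the next day's list.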
What's in a name? (Score:4, Funny)
I think I've heard every lexically significant variation on the name of this damn worm by now. I have no idea what "Conficker" actually means or to what it refers, but so far on this thread people have called it "Conflicker," "Cornflicker," and best of all "Cornfucker."
I think another name for it is "Downadup," which I always read as either "Downandup" or "Download a Duplicate."
Who gets to name the worms? We know that this one employs neat tricks like code signing peer-to-peer driven software updates and that it might be used for a sort of "evil Google" that people can use to data mine financial stuff and so on. Couldn't we lobby for a more rational taxonomy, so we could call this one "Cryptographically Labyrinthine Internet-Traveling ORganized Information Stumbler?"
Re: (Score:2, Funny)
Seems like a futile attempt (Score:5, Insightful)
It's cute that they're trying to preempt the worm, but to be effective they pretty much have to disable ALL potential domains. Miss one, and the worm will find it.
What I don't get is how people can still be surprised/impressed/scared by these things. Today's viruses have little in common with their elegant, obfuscated ancestors. Any twit can assemble a "virus" by tapping into the OS' libraries. Today's worms are essentially package managers, so anything you can do with legitimate software like emailing, flashing your BIOS or opening ports on your firewall, a virus can do the same things. It simply has to talk to its software repository, pull down the pieces it needs and proceed with its dirty deeds.
Hell, a tiny perl script could turn standard tools like Yum and Emerge into virus delivery agents. They already possess all the required functionality...
Re: (Score:3, Informative)
On the contrary, conficker looks very much like something that harkens back to the bad old days. True it doesn't have the hard memory constraints of a boot sector virus but it's not bloated nor is it just a primitive script.
It uses strong crypto to protect its updates, it uses peer to peer to distribute its updates and code obfuscation that puts the best of the old school to shame. The obfuscation is so good in fact that it's proving to be a serious barrier to pulling apart the new peer to peer code; i
The root cause IMO (Score:2, Insightful)
It's like someone announcing on a street corner that the bricks on the south wall of a bank were found to be very thin, but don't worry..
Re: (Score:3, Insightful)
The flaw in your argument is trusting MS to be timely about its updates.
I'd say tell the vendors, and give them about a month.
If they haven't fixed it by then, there's a chance that someone else has found it, and publishing it won't hurt anything else, and may actually help by putting pressure on the vendor for a fix.
Keeping an exploit under wraps only works if the vendor is responsive enough so that they don't get beat by a different "researcher" looking to use the hole for his own gain.
Re: (Score:3, Insightful)
Second, the general ethics about flaws disclosure is to inform the manufacturer first, but to keep in mind that even if you are a talented security researcher, there are numerous malicious talented security researchers and that if the manufacturer doesn't react,
Re: (Score:2)
Except nobody is in the driver seat at the moment.
This is a way of trying to keep anyone from stepping in.
Re: (Score:2)
Incorrect... someone is most certainly in the driver seat. Botnets aren't autonomous systems that spawn out of control. They are replicated and controlled spawned instances, nodes or bots in a net, mind you, doing whatever whomever is pulling the strings would like.
Re: (Score:2)
Re: (Score:3, Insightful)
I know I shouldn't feed the trolls, but these people who "analyzed" it only know what they've been able to observe or provoke it to do. I must have missed where they completely reverse engineered it and created a fix.
They figured out 1 of a myriad of its activities and service mediums let alone been able to crack one of its control channels. I'm all for fighting the good fight, but saying we unders
Re: (Score:2, Funny)
Re: (Score:2)
This has to be the most comprehensive spamming I've seen on this site for a while.
Re: (Score:2)
You are just *SO* cute? Would you like to tell me about DRM and Open Office, too?
I feel left out... (Score:5, Funny)
My wife runs MacOS and I have my Linux... I really wish I could get involved in the party. Will Cornfucker run under Wine?
Re: (Score:2, Funny)
Re:I feel left out... (Score:5, Funny)
Oh, your elitist, mob-rule attitude is not helpful. Some of us aren't fortunate enough to be able to afford Microsoft software. The wife's Mac OS X came with her machine and my computer did come with Windows installed on it but I didn't create the restore media before my machine was trashed with malware. So instead of buying software, I got free software. It works just fine though. Well enough to post here, view all sorts of porn that would have trashed my computers again if I were running Windows, and aside from playing games and DRM media, I can do anything I ever wanted to do.
It is only during events like those created by cornfucker that I really begin to feel left out of the party.
Re:I feel left out... (Score:4, Funny)
Oh the irony: "Some of us aren't fortunate enough to be able to afford Microsoft software. The wife's Mac OS X..."
Re:I feel left out... (Score:4, Funny)
nono.. that's why he can't afford Windows... he had to sell the car and remortgage the house to buy the Mac.
Re: (Score:3, Funny)
No. It uses a vulnerability in the Windows File and Printer sharing daemon to inject a DLL file into svchost.exe.
I suggest filing a bug with SAMBA and Wine, respectively.
Re: (Score:3, Funny)
I recall a test of viruses under Wine, a while ago... apparently, only a few of the tested viruses would even run, but none were able to do anything dangerous.
Some have used this as an argument that Wine is not nearly compatible enough.
Re: (Score:2)
Yes, so the solution is to keep peddling the environment that makes this easy? I'm bewildered by what people put themselves through to be able to run excel macros.
Re: (Score:3, Informative)
Re: (Score:2)
IIRC the authors were smart enough to use digital signatures to protect against that.
Re: (Score:2)
... which makes me worry about what else might be in store.
They are already way past the script-kiddie stage.
Re: (Score:2)
Also it's set to go off on April 1, so when the internet is down and nukes are flying people are just going to laugh thinking it's a hoax.
Re: (Score:2, Insightful)
Maybe ACs should be disabled until at least 30 comments are written or something...
Re:ugh (Score:5, Insightful)
Look, we don't hate you for what you write - it may well be true. It just has nothing to do with this story, OK? It really is offtopic. In fact I agree with a lot of what you wrote (and disagree with some twisted facts too) but I think the moderators are right modding you down to hell, and maybe banning your IP range. You are annoying people. Annoyed people don't listen. Find a forum to discuss this in a sane way and people might listen.
Parent
Re: (Score:3, Insightful)
now I'd subscribe again for that. It would have to be lottery style or something mad random... way too many trolls out there with too much time on their hands.
The obvious question (Score:2)
Re: (Score:2)
And slammer is still very active after 6 years...