Researchers Ponder Conficker's April Fool's Activation Date

The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose range from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"
  • by calmofthestorm ( 1344385 ) on Saturday March 21, 2009 @12:27PM (#27279511)

    They interact with systems for which you don't have the code.

  • by dameepster ( 594651 ) * on Saturday March 21, 2009 @12:41PM (#27279643) Homepage

    I have personally analyzed Downadup, so I can speak from experience here.

    Downadup.A had the potential to contact a randomly generated domain and download and run a signed executable from it. The problem with the Downadup.A version of the worm is that the domain generation algorithm was deciphered, and it only generated 250 unique domains per day. This made it easy for security researchers to register the domains before the worm authors could, and thus Downadup.A was nullified.

    Downadup.C is a worse breed: the domain generation algorithm was bumped from 250 domains per day to 50,000 domains per day. It's now a nearly impossible task for security researchers to register every possible domain Downadup.C will attempt to download code from. As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run them.

    One thing to note about all Downadup variants: you would think that, if the security researchers could force Downadup to run an executable of their choice by registering a domain, couldn't they force Downadup to run remove_downadup.exe? Not so. Downadup cryptographically verifies the signatures of any executable it runs with a 4096-bit key. If the signature doesn't match, it doesn't run the program.

    Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.

    If you'd like more information on Downadup from a technical perspective, here's an excellent analysis of the worm: http://mtc.sri.com/Conficker/addendumC/ [sri.com]
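
An added detection-side example (not code from this thread, from the SRI report, or from the worm): the comment above explains that a DGA emits a fixed quota of pseudo-random domains per day, and that registering them ahead of the authors stops being feasible at 50,000 per day. A host running such a DGA still has to resolve those names, and almost all of them are unregistered, so the number of distinct NXDOMAIN answers a single client collects in a short window is a signal that does not depend on having deciphered the algorithm and survives the jump in rate. The resolver log format, the window length, the threshold and every domain name in the sample are constructed for this example.

```python
"""NXDOMAIN fan-out detector for DNS resolver logs (added example).

A DGA-driven host asks for many pseudo-random names that nobody registered,
so its NXDOMAIN answers pile up in a short window. Counting distinct
NXDOMAIN names per client over a sliding window flags that behaviour
without knowing the generation algorithm. The log format, window length,
threshold and all sample names below are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed resolver log: "<ISO timestamp> <client IP> <query name> <rcode>"
SAMPLE_LOG = """\
2009-03-21T12:00:01 10.0.0.5 www.example.com NOERROR
2009-03-21T12:00:02 10.0.0.5 qtrkxlv.ws NXDOMAIN
2009-03-21T12:00:03 10.0.0.5 mbzpa.cn NXDOMAIN
2009-03-21T12:00:05 10.0.0.5 xwqpdk.biz NXDOMAIN
2009-03-21T12:00:06 10.0.0.5 rjanuvb.info NXDOMAIN
2009-03-21T12:00:08 10.0.0.5 ptlcvz.org NXDOMAIN
2009-03-21T12:00:09 10.0.0.5 yhwmaq.net NXDOMAIN
2009-03-21T12:00:10 10.0.0.7 wwww.example.com NXDOMAIN
2009-03-21T12:00:11 10.0.0.7 exmaple.org NXDOMAIN
2009-03-21T12:00:12 10.0.0.7 www.example.com NOERROR
2009-03-21T12:00:00 10.0.0.9 slowone1.ws NXDOMAIN
2009-03-21T12:02:00 10.0.0.9 slowone2.ws NXDOMAIN
2009-03-21T12:04:00 10.0.0.9 slowone3.ws NXDOMAIN
2009-03-21T12:06:00 10.0.0.9 slowone4.ws NXDOMAIN
2009-03-21T12:08:00 10.0.0.9 slowone5.ws NXDOMAIN
2009-03-21T12:10:00 10.0.0.9 slowone6.ws NXDOMAIN
this line is malformed and is skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    ts, client, qname, rcode = m.groups()
    return datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def nxdomain_fanout(lines, window_seconds=60, threshold=5):
    """Map client -> peak number of distinct NXDOMAIN names inside any
    window_seconds-long window, keeping only clients at or above threshold."""
    per_client = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is not None and rec[3] == "NXDOMAIN":
            per_client[rec[1]].append((rec[0], rec[2]))

    window = timedelta(seconds=window_seconds)
    flagged = {}
    for client, events in per_client.items():
        events.sort()  # oldest first; log order is not guaranteed
        peak, start = 0, 0
        for end in range(len(events)):
            # Advance the window start until the span fits in window_seconds
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, len({name for _, name in events[start:end + 1]}))
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in nxdomain_fanout(SAMPLE_LOG.splitlines()).items():
        print(f"{client}: {peak} distinct NXDOMAIN names within 60 s")
```

The two-typo client (10.0.0.7) and the client that misses one name every two minutes (10.0.0.9) stay below the threshold with the default 60-second window; widening the window to fifteen minutes is what it takes to catch the slow case, which is the tuning knob a resolver operator would adjust against their own baseline.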

  • by chill ( 34294 ) on Saturday March 21, 2009 @12:48PM (#27279691) Journal

    The worm uses peer-to-peer communication [sri.com] with rendezvous points, not client-server. There are an estimated 10 million infected machines. Which one is the control center? Take your time.

  • Re:Can't they just (Score:5, Informative)

    by Anonymous Coward on Saturday March 21, 2009 @01:06PM (#27279819)

    Please read the article. The worm gets the date from some HTTP queries to well-known sites, not from the system.

    Internet Date Check
    Before proceeding to the main P2P logic, C contacts a list of known web sites to acquire the current date and time. C incorporates a set of embedded domain names, from which it selects a subset of multiple entries from this list. It performs DNS lookups of this subset list, and it filters each returned IP address against the same list of blacklist IP address ranges used by the domain generation algorithm (see Appendix 2). If the IP does not match the blacklist, C connects to the site's port 80/TCP, and sends an empty URL GET header, for example

    contents.192.168.1.1.40.1143-195.81.196.224.80
    GET / HTTP/1.1
    Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-xbap, */*
    Accept-Language: en-US
    UA-CPU: x86
    Accept-Encoding: gzip, deflate
    User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)
    Host: tuenti.com
    Connection: Keep-Alive

    In response, the site returns a standard URL header that incorporates a date and time stamp. C then parses this information to set its internal system time. The following web sites are consulted by C's Internet date check:
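
An added example from the detection side (not code from this thread, from the SRI addendum, or from the worm): the SRI excerpt quoted above shows the date check as a bare "GET /" carrying a fixed User-Agent, "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)", sent to a list of well-known sites. Two properties of that traffic are visible at a web proxy. First, the User-Agent pairs Internet Explorer 5.5 with Windows NT 6.0, that is Vista, which shipped with IE7; treating that pairing as implausible for a real browser is an assumption used here as a heuristic. Second, one client fetching only the root document of several unrelated popular sites in quick succession is unusual for a person. The proxy log format below is constructed; tuenti.com comes from the quoted request, and the example.* names are reserved placeholders.

```python
"""Flag Conficker-C-style Internet date checks in web-proxy logs (added example).

Detects (a) a User-Agent whose browser/OS tokens cannot come from a real
browser and (b) a client that issues bare "GET /" requests with that
User-Agent to many distinct sites. The log format and thresholds are
assumptions made for this example.
"""
from collections import defaultdict
import re
from urllib.parse import urlsplit

# User-Agent shown in the SRI excerpt for the worm's date-check request
DATE_CHECK_UA = "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)"

# Constructed proxy access log: <time> <client> <method> <url> <status> "<user-agent>"
SAMPLE_LOG = """\
12:00:01 10.0.0.5 GET http://tuenti.com/ 200 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)"
12:00:02 10.0.0.5 GET http://example.org/ 200 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)"
12:00:02 10.0.0.5 GET http://example.net/ 301 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)"
12:00:03 10.0.0.5 GET http://example.com/ 200 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)"
12:00:04 10.0.0.8 GET http://example.com/news/today.html 200 "Mozilla/5.0 (Windows NT 6.0; rv:1.9) Gecko Firefox/3.0"
12:00:05 10.0.0.8 GET http://example.com/ 200 "Mozilla/5.0 (Windows NT 6.0; rv:1.9) Gecko Firefox/3.0"
12:00:06 10.0.0.9 GET http://tuenti.com/ 200 "Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')


def parse_proxy_line(line):
    """Return a dict for one access-log line, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    time, client, method, url, status, ua = m.groups()
    return {"time": time, "client": client, "method": method,
            "url": url, "status": int(status), "ua": ua}


def implausible_browser_ua(ua):
    """Heuristic (assumption): MSIE 5.5 never shipped on Windows NT 6.0
    (Vista came with IE7), so a UA claiming both is not a real browser."""
    return "MSIE 5.5" in ua and "Windows NT 6.0" in ua


def is_date_check_request(rec):
    """Root-document GET carrying the exact date-check User-Agent."""
    path = urlsplit(rec["url"]).path or "/"
    return rec["method"] == "GET" and path == "/" and rec["ua"] == DATE_CHECK_UA


def date_check_hosts(lines, min_sites=3):
    """Map client -> sorted distinct sites it probed with date-check-style
    requests, keeping only clients that touched at least min_sites sites."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is not None and is_date_check_request(rec):
            seen[rec["client"]].add(urlsplit(rec["url"]).hostname)
    return {c: sorted(hosts) for c, hosts in seen.items() if len(hosts) >= min_sites}


if __name__ == "__main__":
    for client, sites in date_check_hosts(SAMPLE_LOG.splitlines()).items():
        print(f"{client} probed {len(sites)} sites with the date-check UA: {', '.join(sites)}")
```

The single root fetch from 10.0.0.9 is not reported on its own because one such request is weak evidence; the fan-out across several sites is what separates the worm's probing from an ordinary visit, and the User-Agent check gives an independent, per-request reason to look at the host.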

  • Re:System Clock (Score:3, Informative)

    by pwizard2 ( 920421 ) on Saturday March 21, 2009 @01:19PM (#27279897)
    That would only work if the worm doesn't get its time checks from an external source. (there are plenty of time servers on the internet)
  • by myxiplx ( 906307 ) on Saturday March 21, 2009 @02:36PM (#27280629)

    I wouldn't trust any manual clean these days, not after finding a virus a year ago that still ran in safe mode. Sure, you might clean up one or two, but can you guarantee they haven't installed any others, that you might not have found?

    I've been manually removing viruses for years. Wouldn't even attempt it now.

  • Re:System Clock (Score:2, Informative)

    by mutroniii ( 1354491 ) on Saturday March 21, 2009 @03:03PM (#27280915)
    Looking at http://mtc.sri.com/Conficker/addendumC/ [sri.com], it appears that it gets the time from an HTTP response coming from a few dozen major websites. The responding IP is checked against a blacklist of IPs. Additionally, if the returned IP is a duplicate of one returned from a previous request, that IP is blocked as well. So the network time could be spoofed, but you'd need to set up multiple HTTP servers, each with unique IPs that aren't on the blacklist.
  • Re:System Clock (Score:3, Informative)

    by SleepingWaterBear ( 1152169 ) on Saturday March 21, 2009 @03:24PM (#27281169)

    The options to check time are limited...
    * Local machine time
    * NTP server time
    * Specialized time server set up by creators

    Or there's a fourth option (which according to TFA is what it actually does), which is to get time from HTTP headers by contacting a bunch of websites. Which is a lot like your 2nd option, though slightly harder to fool.

    More importantly, there's not much to be gained by tricking the worm, we know what it does - it tries to get instructions from the internet. For that matter, even if we didn't know, it would be simple enough to push an update to change the behavior of the worm at the last minute.

  • Re:"Dark Google" (Score:5, Informative)

    by davidphogan74 ( 623610 ) on Saturday March 21, 2009 @03:24PM (#27281171) Homepage

    I've heard it dates back to the days when a woman would shave/lose the hair down there as a treatment for syphilis. The women didn't always want those who had privilege to access those areas to always be aware they had needed to go hairless.

    Shaving down under wasn't always culturally acceptable, and a merkin would cover up any visible sores.

    The more you know...

  • by Pathwalker ( 103 ) * <hotgrits@yourpants.net> on Saturday March 21, 2009 @03:47PM (#27281383) Homepage Journal

    One of the reasons I wrote it was because I got tired of all of the contemporary fiction with computers that made you roll your eyes at how absurd the technology was. You know what I'm talking about: "It's a UNIX system -- I know this!".

    If you are referring to the scene with the 3d interface from Jurassic Park, that was SGI's File System Navigator. I used to use it when I administered IRIX systems.

    As for the other computer systems in the control room; most of them were running software which was available for IRIX at the time. According to one of SGI's press releases when the movie came out:

    "Because Silicon Graphics workstations are used by scientists and engineers to visualize and interpret complex data, existing software applications were easily modified for use in the film," said Harry Pforzheimer, director of corporate communications at Silicon Graphics. "Programs like EarthWatch Communications' EarthWatch(tm), which interprets weather data, and a 3D information navigator from Silicon Graphics, which lets users graphically fly through computer file system representations, provided perfect solutions to enhance the story line."

    I think you could have picked far better examples of movies/fiction getting technology wrong than Jurassic Park.
