Researchers Ponder Conficker's April Fool's Activation Date 214
The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"
Re:You have the date. What's the next instruction? (Score:4, Informative)
They interact with systems for which you don't have the code.
Re:You have the date. What's the next instruction? (Score:5, Informative)
I have personally analyzed Downadup, so I can speak from experience here.
Downadup.A had the potential to contact a randomly generated domain and download and run a signed executable from it. The problem with the Downadup.A version of the worm is that the domain generation algorithm was decyphered, and it only generated 250 unique domains per day. This made it easy for security researchers to register the domains before the worm authors could, and thus Downadup.A was nullified.
Downadup.C is a worse breed: the domain generation algorithm was bumped from 250 domains per day to 50,000 domains per day. It's now a nearly impossible task for security researchers to register every possible domain Downadup.C will attempt to download code from. As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run it.
One thing to note about all Downadup variants: you would think that, if the security researchers could force Downadup to run an executable of their choice by registering a domain, couldn't they force Downadup to run remove_downadup.exe? Not so. Downadup cryptographically verifies the signatures of any executable it runs with a 4096-bit key. If the signature doesn't match, it doesn't run the program.
Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.
If you'd like more information on Downadup from a technical perspective, here's an excellent analysis of the worm: http://mtc.sri.com/Conficker/addendumC/ [sri.com]
Re:You have the date. What's the next instruction? (Score:5, Informative)
The worm uses peer-to-peer communication [sri.com] with rendezvous points, not client-server. There are an estimated 10 million infected machines. Which one is the control center? Take your time.
Re:Can't they just (Score:5, Informative)
Please read the article. The worm gets the date from some HTTP queries to well-known sites, not from the system.
Internet Date Check
Before proceeding to the main P2P logic, C contacts a list of known web sites to acquire the current date and time. C incorporates a set of embedded domain names, from which it selects a subset of multiple entries from this list. It performs DNS lookups of this subset list, and it filters each returned IP address against the same list of blacklist IP address ranges used by the domain generation algorithm (see Appendix 2). If the IP does not match the blacklist, C connects to the site's port 80/TCP, and sends an empty URL GET header, for example
contents.192.168.1.1.40.1143-195.81.196.224.80
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)
Host: tuenti.com
Connection: Keep-Alive
In response, the site returns a standard URL header that incorporates a date and time stamp. C then parses this information to set its internal system time. The following web sites are consulted by C's Internet date check:
Re:System Clock (Score:3, Informative)
Re:You have the date. What's the next instruction? (Score:3, Informative)
I wouldn't trust any manual clean these days, not after finding a virus a year ago that still ran in safe mode. Sure, you might clean up one or two, but can you guarantee they haven't installed any others, that you might not have found?
I've been manually removing viruses for years. Wouldn't even attempt it now.
Re:System Clock (Score:2, Informative)
Re:System Clock (Score:3, Informative)
The options to check time are limited... * Local machine time * NTP server time * Specialized time server set up by creators
Or there's a fourth option. (which according to TFA is what it actually does) which is to get time from http headers by contacting a bunch of websites. Which is a lot like your 2nd option, though slightly harder to fool.
More importantly, there's not much to be gained by tricking the worm, we know what it does - it tries to get instructions from the internet. For that matter, even if we didn't know, it would be simple enough to push an update to change the behavior of the worm at the last minute
Re:"Dark Google" (Score:5, Informative)
I've heard it dates back to the days when a woman would shave/lose the hair down there as a treatment for syphilis. The women didn't always want those who had privilege to access those areas to always be aware they had needed to go hairless.
Shaving down under wasn't always culturally acceptable, and a merkin would cover up any visable sores.
The more you know...
Re:Botnet Speculative Fiction (Score:4, Informative)
If you are referring to the scene with the 3d interface from Jurassic Park, that was SGI's File System Navigator. I used to use it when I administered IRIX systems.
As for the other computer systems in the control room; most of them were running software which was available for IRIX at the time. According to one of SGI's press releases when the movie came out:
I think you could have picked far better examples of movies/fiction getting technology wrong than Jurassic Park.