
.CA Registrar Trying To Preempt Conficker 227

Posted by timothy
from the circling-the-wagons dept.
clover kicker writes "The CBC reports that the group managing Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day. 'This is the first virus that's really focused on domain names as part of propagating the virus itself,' said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain. CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate, said a news release issued by the group. That would make those names unavailable for anyone to register in order to set up a website to host the worm's 'command and control' file. A list of the names has been predicted by security experts based on the worm's code. In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will 'take appropriate action if suspicious activity is detected.'"
  • Hrm (Score:5, Interesting)

    by Niris (1443675) on Tuesday March 24, 2009 @10:31PM (#27323945)
    Am I the only one hoping this thing turns out HUGE? It'd be interesting to see what happens.
    • Yeah, it will be good for the future of computers as well. All the idiots who click on 'allow' when the background dims without reading are going to get fucked up.
    • Re: (Score:1, Funny)

      by Anonymous Coward

      Anti-virus software becomes live CDs that require a reboot to use. When you run it, it either replies "Your computer is fine" or "You must reinstall Windows".

    • Re:Hrm (Score:4, Funny)

      by tuxgeek (872962) on Tuesday March 24, 2009 @11:04PM (#27324273)
      I'm sure there are a variety of *nix users out there anxiously waiting on the sidelines with popcorn and a soda ready for the show to begin.
      We can only hope for some explosions to make it interesting.
      • Re:Hrm (Score:5, Interesting)

        by toonces33 (841696) on Tuesday March 24, 2009 @11:17PM (#27324391)
        Yeah, until we get the phone call from someone who needs help disinfecting a Windows machine. Then it isn't quite as entertaining. I am of the opinion that the internet is dying, precisely because of stuff like this. It just gets worse and worse every year, bandwidth requirements for spam and other garbage keep climbing, and nobody has a plan for how to shut these things down once and for all.
        • 'no.' Let the show begin.
        • Re: (Score:2, Insightful)

          by Anonymous Coward

          This is because there's just no way to do it without destroying what makes the internet such a good thing in the first place.

        • Re: (Score:2, Funny)

          by troll8901 (1397145)

          bandwidth requirements for spam and other garbage keep climbing

          What? BitTorrent isn't number one traffic anymore? This is not acceptable!

          *ducks*

          • by cp.tar (871488)

            Well, Conficker has P2P functionality...

            I think it would be really really fun if it turned out to share everyone's music and video. Especially if MAFIAA computers got infected in the process.

            Popcorn time indeed.

        • Yeah, until we get the phone call from someone who needs help disinfecting a Windows machine. Then it isn't quite as entertaining.

          Unless it's your job (as in something you'd claim on taxes) just say, "no." It worked for me. After a few times of, "I need to download a file," or, "I think I have a virus...what's a backup," and the venerable, "I need to install [insert piece of crap software], can you help me," being denied they stopped calling me. Are family relations any better? No, but they're not any worse, and the simple fact is that I *don't* do that kinda thing anymore: at work, at home, or anywhere else. Even if I *wanted* t

    • by wvmarle (1070040)

      For me... well yes and no. I'm really wondering what it is going to do in the first place.

      Yes: because it could be a wake-up call to computer security. But then I have been thinking that since the i-love-you virus or what was it, the first one to propagate by e-mailing itself to everyone in the outlook address book. Many people know or at least should know about viruses and worms by now, but many/most still don't care.

      No: because in case of a truly malicious attack the results could be quite horrible for

      • Re: (Score:2, Informative)

        by troll8901 (1397145)

        in case of a truly malicious attack the results could be quite horrible for the infected users, the Internet or even the world as a whole.

        For us desktop and server technicians - Ka Ching !!

    • Re:Hrm (Score:4, Funny)

      by Yvanhoe (564877) on Wednesday March 25, 2009 @03:46AM (#27325983) Journal
      Hell yeah ! Carry on little skynet !
    • Re: (Score:3, Funny)

      by nmg196 (184961)

      Am I the only one hoping like hell that someone will release this virus for the Mac and Linux platforms? :)

    • by kbahey (102895)

      No.

      I don't use Windows, so I will not be directly affected.

      But it may have an impact on the internet itself. Think about wasted bandwidth, web sites putting measures against it, domain registrars requiring more Draconian measures for registering domains (imagine having to send paperwork, while you don't have to now), ...etc.

  • Tactics? (Score:4, Insightful)

    by nubsac (1329063) on Tuesday March 24, 2009 @10:39PM (#27324029)
    It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.

    It's like telling your enemy "Hey, I know where and when you're going to strike"

    We know it's capable of updating itself, this just gives the author an 8 day head start on writing a new pseudo random URL generator.

    • It's been public knowledge since they first discovered the "C" variant. This is just an update on what's being done about it.
    • Hey, I in ur baze iz an im taken ur domainz...

    • Re: (Score:3, Informative)

      by kbahey (102895)

      Yes, it should have been done quietly. Perhaps it is a PR thing "our .ca domains are not vulnerable"? Who knows.

      As I pointed out [slashdot.org] in another comment, the author(s) scan all the info about Conficker and then modify it to protect itself against the defenses. They did that by releasing the C variant to select domains out of a random number of 50,000 total, after the initial 250 got outed in B.

      I bet that there will be a D variant shortly before April 1st, and it will have more defenses and convolutions.

      Inter

    • Re:Tactics? (Score:5, Informative)

      by qengho (54305) on Tuesday March 24, 2009 @11:54PM (#27324673)

      It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.

      Assuming English isn't your first language: "It never ceases to amaze me" is what you meant, i.e. "I'm always surprised."

    • Re:Tactics? (Score:4, Interesting)

      by grcumb (781340) on Wednesday March 25, 2009 @12:47AM (#27325063) Homepage Journal

      It seizes to amaze me as to why they would make this public, 8 days before conficker is "supposed" to become active.

      It's like telling your enemy "Hey, I know where and when you're going to strike"

      We know it's capable of updating itself, this just gives the author an 8 day head start on writing a new pseudo random URL generator.

      Others have already answered to the effect that publicly coordinating actions doesn't significantly raise the exposure in this particular case.

      But going beyond that, are you sure that they're not manoeuvring in the face of the enemy, trying to elicit a response? Once you've got a subject under observation, sometimes the best way to learn its true nature is to poke it and see what it does.

    • by Yvanhoe (564877)
      "they", "we" are a public effort of a great scale only because they openly share information. Being public is the only way of having enough momentum to fight back.
    • by ukyoCE (106879)

      Isn't the auto-generated domain the only way it can update itself? Where do you think all of these compromised computers are going to get the new URL generator from?

      And why do they need the URL generator, if they can contact the compromised machines without it?

    • by KillerBob (217953)

      If they were smart, they'd have kept that little tidbit secret... quietly shuffle the domains off into never-land to help protect the world at large, and still allow them to be registered.

      Have they never heard of a honey pot? Registering a domain in Canada requires you sign several contracts, become a member in CIRA, give them rights to your first born, etc.. Anonymous domain registration is not allowed in Canada, and until quite recently, registering a .CA domain name was restricted to Canadian citizens. I

  • Source code (Score:2, Insightful)

    by ManuelH (1303433)
    Does anyone know where I can get the Confiker source code? Must be enlightening!
    • I'd pay even for just the comments, assuming the developer had the sense to make his code maintainable.

  • by gsgriffin (1195771) on Tuesday March 24, 2009 @10:50PM (#27324139)
    is all the worm pops on the screen and does. Now how much money did you spend trying to ward off this script? That will be the real joke.
    • by cp.tar (871488)

      And then, relieved, people forget to remove it. And on April 2nd, when it is no longer a joke, the real fun begins.

  • Can't somebody just upload their own code to one of said targeted sites? From what I've heard, the virus checks all sites on its list. So anyone could just upload some code to disable the virus, assuming it contacts their site first. Other than the fact that it's probably illegal to do that, even to disable the virus, why hasn't anyone tried this? Like in another country where it wouldn't be illegal? I'd imagine that no one would push for a criminal case against someone who stopped the worm...
    • Re: (Score:3, Informative)

      by Sir_Lewk (967686)
      No. Conflicker will only download/run cryptographically signed code.
    • IIRC the authors were smart enough to use digital signatures to protect against that.

      • by X0563511 (793323)

        ... which makes me worry about what else might be in store.

        They are already way past the script-kiddie stage.

        • by Splab (574204)

          Also it's set to go off on April 1, so when the internet is down and nukes are flying people are just going to laugh thinking it's a hoax.

  • by kbahey (102895) on Tuesday March 24, 2009 @11:14PM (#27324379) Homepage

    I saw the article today on CBC (Canada's equivalent of the BBC).

    This effort may help, but given that the worm has so many other TLDs to choose from, it may not help much. Making the 110 TLDs only 109 (or even 75 if other TLD authorities do the same) will not help that much.

    Moreover, there is another mechanism which is not very clear, whereby the infected nodes will contact each other via a peer-to-peer protocol. See Peer to Peer protocol [sri.com]. So, once the botnet gets going, the need for the domain name (so called "Internet Rendezvous points") may diminish.

    Also, the article contains some inaccuracies:

    "... expected to launch its attack once the system date on an infected machine is on or after April 1, 2009".

    Actually, the worm author(s) are aware that the user may change the clock of the PC to prevent the worm from triggering. So they query several well known sites and check the date/time on the HTTP headers to make this defense point moot. See Internet Date Checking [sri.com]

    "... will try to generate and connect to 50,000 web URLs a day ..."

    It will query only 500 out of 50,000 generated domain names. See the domain generation algorithm [sri.com].

    I bet there will be a revision D shortly before April 1st, and the author(s) will address many of the potential defenses in revision C.

    • by Dr. Cody (554864) on Tuesday March 24, 2009 @11:42PM (#27324577)

      I saw the article today on CBC (Canada's equivalent of the BBC).

      Well, that would certainly explain the "C," wouldn't it?

    • by wvmarle (1070040)

      "... will try to generate and connect to 50,000 web URLs a day ..."

      It will query only 500 out of 50,000 generated domain names.

      This part I still don't get. It means that either the authors plan to register a huge number of domains (very unlikely as in it makes it way too obvious who is behind this worm), or only about 1% of the infected hosts will succeed in connecting to the correct host to receive instructions. Still a large number of course, but how about the other 99% of infected hosts? Are they just going to sit idle? Or if using that p2p functionality to propagate instructions: how are they going to find each other?

      • by shird (566377)

        They use a huge amount to make it impossible for people to put a watch-list on every domain. 50,000 per day, over months is a number too large to watch every domain. People are anxious about the April 1st, but that's unlikely to be when an update occurs. That's just when the worm starts looking for updates. An update is more likely to come much later, or whenever they require pushing out a spambot etc.

        You only need a subset to connect to the rendez-vous domain. The worm keeps a list of the last 100 or so IP

      • by kbahey (102895)

        Here is my educated guess:

        It is based on probability.

        The author(s) of the worm would register just 500 (or so) of the 50,000 domains. That is 1% as you said.

        The worm then generates the 50,000 random names, and tries to contact a sample of 500 of these.

        It has to just succeed in contacting one of them, and downloading a payload.

        There is also the peer to peer protocol, which is not fully understood (the SRI researchers say that studying it is an "ongoing concern"), but will allow nodes to act as client and/or s

  • by schmidt349 (690948) on Tuesday March 24, 2009 @11:34PM (#27324509)

    I think I've heard every lexically significant variation on the name of this damn worm by now. I have no idea what "Conficker" actually means or to what it refers, but so far on this thread people have called it "Conflicker," "Cornflicker," and best of all "Cornfucker."

    I think another name for it is "Downadup," which I always read as either "Downandup" or "Download a Duplicate."

    Who gets to name the worms? We know that this one employs neat tricks like code signing peer-to-peer driven software updates and that it might be used for a sort of "evil Google" that people can use to data mine financial stuff and so on. Couldn't we lobby for a more rational taxonomy, so we could call this one "Cryptographically Labyrinthine Internet-Traveling ORganized Information Stumbler?"

    • I have no idea what "Conficker" actually means or to what it refers

      It sounds like the English word, "configure." Also, "ficken" is German for "to fuck", so one would imagine that, like any good piece of malware, it fucks with your configuration.

      I forget where I read that, so [citation needed]. Sorry. I swear, I saw it on Wikipedia, but it's not there now....

    • by mail2345 (1201389)
      Conficker means
      Configuration(conf) F*cker(ficker).

      And yes, the fs are overlapping.
    • Re: (Score:2, Funny)

      by cez (539085)
      Bad idea, the CLITORIS can not be found by man... certainly not a slashdotter.
      • by cp.tar (871488)

        Bad idea, the CLITORIS can not be found by man... certainly not a slashdotter.

        Ever since there has been a bright red clitoris on every ThinkPad, this hasn't been true.

  • Sounds like this worm has some significant financial backing. What's even more crazy is a patch has been sent out for the worm already by Microsoft and people are still having issues.
  • by Anonymous Coward
    i shit out an obama, stimulus plan and all!

    plop!
  • by billcopc (196330) <vrillco@yahoo.com> on Wednesday March 25, 2009 @12:30AM (#27324943) Homepage

    It's cute that they're trying to preempt the worm, but to be effective they pretty much have to disable ALL potential domains. Miss one, and the worm will find it.

    What I don't get is how people can still be surprised/impressed/scared by these things. Today's viruses have little in common with their elegant, obfuscated ancestors. Any twit can assemble a "virus" by tapping into the OS' libraries. Today's worms are essentially package managers, so anything you can do with legitimate software like emailing, flashing your BIOS or opening ports on your firewall, a virus can do the same things. It simply has to talk to its software repository, pull down the pieces it needs and proceed with its dirty deeds.

    Hell, a tiny perl script could turn standard tools like Yum and Emerge into virus delivery agents. They already possess all the required functionality...

    • Re: (Score:3, Informative)

      by rdebath (884132)

      On the contrary, conficker looks very much like something that harkens back to the bad old days. True it doesn't have the hard memory constraints of a boot sector virus but it's not bloated nor is it just a primitive script.

      It uses strong crypto to protect its updates, it uses peer to peer to distribute its updates and code obfuscation that puts the best of the old school to shame. The obfuscation is so good in fact that it's proving to be a serious barrier to pulling apart the new peer to peer code; i

    • Today's viruses have little in common with their elegant, obfuscated ancestors.

      So have you found a way to keep inelegant viruses from being dangerous?

  • The root cause IMO (Score:2, Insightful)

    by Onyma (1018104)
    Isn't one of the root causes of all this the fact that the exploit was released into the wild? I am highly against it every time I see one of the security "researchers" releasing these holes into the public knowledge base. Had this exploit been kept quiet with Microsoft rolling out an important update that quietly patched it I believe we wouldn't be in this situation.

    It's like someone announcing on a street corner that the bricks on the south wall of a bank were found to be very thin, but don't worry..
    • Re: (Score:3, Insightful)

      by shentino (1139071)

      The flaw in your argument is trusting MS to be timely about its updates.

      I'd say tell the vendors, and give them about a month.

      If they haven't fixed it by then, there's a chance that someone else has found it, and publishing it won't hurt anything else, and may actually help by putting pressure on the vendor for a fix.

      Keeping an exploit under wraps only works if the vendor is responsive enough so that they don't get beat by a different "researcher" looking to use the hole for his own gain.

    • Re: (Score:3, Insightful)

      by Yvanhoe (564877)
      First, some exploits are made through reverse engineering of MS patches and then target unpatched machines. This procedure has even been automated, meaning that a virus could be created in the very first minutes a patch is rolled out of Redmond.

      Second, the general ethics about flaw disclosure is to inform the manufacturer first, but to keep in mind that even if you are a talented security researcher, there are numerous malicious talented security researchers and that if the manufacturer doesn't react,
    • Full Disclosure (Score:2, Insightful)

      by Anonymous Coward

      > Isn't one of the root causes of all this the fact that the exploit was released into the wild?

      Yes and no.

      In the bad old days before full disclosure, vendors would threaten security researchers. That led to the bad guys knowing everything and being able to hack with impunity, the security researchers being considered the "bad guys" even though they weren't doing anything bad with the holes they found, and the general public being totally ignorant of all the security problems out there.

      In other words,

    • Re: (Score:2, Insightful)

      by cffrost (885375)

      Isn't one of the root causes of all this the fact that the exploit was released into the wild?

      No. Microsoft was (made) aware of the vulnerability and had a patch available on 2008-10-18. According to Symantec's malware database, W32/Conficker.A was first seen on 2008-11-24. If all vulnerable machines had been patched in a timely fashion, Conficker would not have spread.

      Full-disclosure motivates vendors to patch their vulnerable software, and allows administrators and users to take precautions (independent of the vendor's action or inaction). For more information on why full-disclosure is preferabl

  • CIRA is the registrY [wikipedia.org] for the .ca ccTLD, and is the manager for the entire domain name space, selling domains "wholesale" to registrARs [wikipedia.org], which sell them "retail" to the public. Come on, the CBC got it right, can't /.?
    • D'oh, I screwed up the submission. Blame me.

      • by telso (924323)
        But it's so much more fun to blame editors (I know, being one myself). And to be fair, it's not like the names aren't slightly confusing to us registrANTs!
