Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Worms Security The Internet

Researchers Ponder Conficker's April Fool's Activation Date 214

The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"
This discussion has been archived. No new comments can be posted.

Researchers Ponder Conficker's April Fool's Activation Date

Comments Filter:
  • If you know when the code is going to start running, why don't you know what it will do after that? It's not like programs (and that's all a virus/worm is) are written in special, unreadable code. It's all machine language.

    What is the big mystery?

    • by calmofthestorm ( 1344385 ) on Saturday March 21, 2009 @11:27AM (#27279511)

      They interact with systems for which you don't have the code.

    • Re: (Score:3, Insightful)

      The mystery is that the original programmers obfuscated the design in order to make it a mystery. Security through obfuscation doesn't work in the long term, but it'll throw researchers off the scent for a while.

      On top of that, the worn can get additional code via online updates, which can't be predicted.

      On top of that, ever if we know what it can do, we don't know what purpose the authors will put it towards.

    • by dameepster ( 594651 ) * on Saturday March 21, 2009 @11:41AM (#27279643) Homepage

      I have personally analyzed Downadup, so I can speak from experience here.

      Downadup.A had the potential to contact a randomly generated domain and download and run a signed executable from it. The problem with the Downadup.A version of the worm is that the domain generation algorithm was decyphered, and it only generated 250 unique domains per day. This made it easy for security researchers to register the domains before the worm authors could, and thus Downadup.A was nullified.

      Downadup.C is a worse breed: the domain generation algorithm was bumped from 250 domains per day to 50,000 domains per day. It's now a nearly impossible task for security researchers to register every possible domain Downadup.C will attempt to download code from. As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run it.

      One thing to note about all Downadup variants: you would think that, if the security researchers could force Downadup to run an executable of their choice by registering a domain, couldn't they force Downadup to run remove_downadup.exe? Not so. Downadup cryptographically verifies the signatures of any executable it runs with a 4096-bit key. If the signature doesn't match, it doesn't run the program.

      Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.

      If you'd like more information on Downadup from a technical perspective, here's an excellent analysis of the worm: http://mtc.sri.com/Conficker/addendumC/ [sri.com]

      • That sound you hear is several FBI vans and helicopters surrounding your house.

      • Re: (Score:3, Interesting)

        Comment removed based on user account deletion
        • Renaming the executable before running it works too.

          I agree reinstall is the only way to be 100% sure and can be quicker, but this stuff is still somewhat cleanable.

          • Re: (Score:3, Informative)

            by myxiplx ( 906307 )

            I wouldn't trust any manual clean these days, not after finding a virus a year ago that still ran in safe mode. Sure, you might clean up one or two, but can you guarantee they haven't installed any others, that you might not have found?

            I've been manually removing viruses for years. Wouldn't even attempt it now.

            • by Cyberax ( 705495 )

              Do not use safe mode. Boot from a LiveCD and then check all the signatures of autorun files. Microsoft programs are signed with Microsoft key.

              Then remove the rest of autorun programs and reinstall them (there are still worms which infect other exe-files, like in good old DOS days). Also, drivers are going to be a problem, but most of them now have a digital signature.

              It's a fairly safe way to remove most of virus infestations.

              • Do not use safe mode. Boot from a LiveCD and then check all the signatures of autorun files. Microsoft programs are signed with Microsoft key.

                Let me fix this for you: "Boot from a LiveCD and then check all the signatures of autorun files. Most Microsoft programs are signed with Microsoft [sic] key.

                • by Cyberax ( 705495 )

                  Nope.

                  _ALL_ executable files needed for boot (except for ntldr) are signed with Microsoft key.

                  • Nope.

                    _ALL_ executable files needed for boot (except for ntldr) are signed with Microsoft key.

                    In your first post, you are telling people to check 'autorun' files for signatures. That has nothing to do with boot files.

                    • by Cyberax ( 705495 )

                      I was unclear. Check autorun files, validate Microsoft signatures and then remove everything without a valid signature.

                    • I was unclear. Check autorun files, validate Microsoft signatures and then remove everything without a valid signature.

                      That would probably be a bad idea. Using the autoruns program from SysInternals.com, I checked the signatures of all my files.

                      Here are a few that would lead to a bad day if deleted... Exchange [darkpixel.com]

                      ...though I am thinking about the problem from the perspective of a server admin, and not a home desktop user.

      • Re: (Score:3, Interesting)

        by moteyalpha ( 1228680 )
        I have worked on viruses also, since the first boot sector virus. This looks like a distributed secure shell account into a cloud. I personally have not analyzed the code, but what happens with these things is that once you have the virus and understand it, you can mod it for your own purposes. In this way it becomes open source. I would say that it has a continuous stream of authors and has no one single origin.
        It is obviously crafted by a talented person and seems to be maintained as an asset. I have run
        • by Nick Ives ( 317 )

          I assume that have the code for the worm would allow me to root kit the worm.

          No, you need the private key to generate signed code that the worm will accept. Even though the worm is cycling through 50,000 domains as part of its C&C code it won't accept new code unless its signed.

          The one good thing about that is that anyone who gets arrested in possession of that key is certainly the worm controller. If they have any sense they are keeping the key on some form of removable disk in close proximity to some battery acid, just in case they hear a knock on the door...

          • It is certainly an interesting subject and these things always get more complex as time goes on. Perhaps it will lead to the only person on the planet capable of dealing with the complexity of this.
            With respect to the key, <joke> I generated it in SNPs( single nucleotide polymorphisms ) and inserted it into a fluorescing S. cerevisiae. I have to do a PCR and RFLP to get it out, so I think it is safe from prying eyes . </joke> #cat "tentob eht nioJ"> rev; rev rev;
        • Re: (Score:3, Insightful)

          by 0xygen ( 595606 )

          Except that any botnet author with half a brain in the last few years has stopped you from stealing their botnet by only accepting digitally signed commands and updates.

          It is a bit of a catch 22 - if you had their botnet, you might be able to crack the private key in a reasonable amount of time.

          • by moteyalpha ( 1228680 ) on Saturday March 21, 2009 @04:23PM (#27282291) Homepage Journal
            I once had a project many years ago for $AGENCY, about encryption. They wanted to make a perfect encryption and so they would make keys, and I would break them. They gave up. I can't say that is still true, as the key systems seem reasonably secure, except for where MiTM, social engineering, and people are involved.
            The problem here is that the process of maintaining the botnet is profitable and the process of defeating it is not. Much like drug trafficking, those who seek to stop it are less motivated and if they succeed in their task will be unemployed, so even less motivation.
            I can imagine many things about this situation by jootsing (Hofstadter expression). I would worry about it if it affected my Linux systems, but since it doesn't, let those who designed the host (Ms) solve the problem themselves.
            • by 0xygen ( 595606 )

              There is one HUGE motivation to defeat the botnet. You seem to be ignoring the fact that this would be extremely profitable to another botmaster. This serves two purposes, firstly eliminating part of the competition, and secondly strengthening the botmasters herd.

              To respond to the crypto comments, taking a simple example, I believe DSA's only known weaknesses are where Oscar can choose the text that Alice will be signing, or it is very short plaintext to be signed. If you know otherwise, it's worth a lot of

      • As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run it.

        Question: If Conficker simply kills those processes it should be easy to detect. Just try to run a process by one of the names and see if it gets killed -9. A simple test like that should be easy to roll out as a utility program preferably available from known anti-malware sites and at least reduce the number of infected machines.

        For those with at least a modicum of systems lore: Just cp notepad.exe to ??? and try to run it? Got an example of ????

      • Why is it that worms and viruses have better security than legitimate programs?

        • Re: (Score:2, Interesting)

          by symbolset ( 646467 )

          Why is it that worms and viruses have better security than legitimate programs?

          On the average they don't. Much like legitimate programs there are many thousands of applications in this group and the ones that persist tend to be ones that stand out in some field. Since the operating challenge for these applications includes active aggressive and professional detection and eradication efforts the survivors are the ones which excel in the ease of installation, network security and transparent user interface categories.

          Think of it as advanced beta testing.

        • > Why is it that worms and viruses have better security than legitimate programs?

          They're written by programmers who have more skill. "Insecure" viruses are quickly eliminated, so they have to be strong to survive. Conversely, weak but legitimate programs cling tenaciously to life on legacy systems until such time as competent sysadmins are able to exorcise them.

  • by gmuslera ( 3436 ) on Saturday March 21, 2009 @11:26AM (#27279505) Homepage Journal
    Skynet

    This guys always fall short thinking in the worst alternative.
    • Thats exactly what I was thinking to, why speculate when you can just assume the worst :p
    • That's exactly what I was thinking about for years.

      I mean, create a really good virus, and add a constantly learning 3rd generation (spiking) neural net to it. Add some code to allow the net adapt to the resources available (CPU, RAM, user's usage [survival instinct?]), and a p2p mechanism. Make it modular, so parts can be replaced by better ones (all the static parts). And let it grow, until some mutations do not need any static modules anymore. (Which hopefully happens all by itself, if the net is powerfu

    • It's probably just viral marketing for the new Terminator movie coming out this summer.
    • As you will note[1], becoming Skynet is so frigging unlikely and demanding that it will never happen.

      [1] http://xkcd.com/534/ [xkcd.com]

  • If the crooks have that sort of imagination.

    Frankly I think it'll just be another spam/fraud net.

  • by Seth Kriticos ( 1227934 ) on Saturday March 21, 2009 @11:37AM (#27279609)
    Oh come on people, John Markoff did never ever shine with much clue about computers, much on the contrary. Why are we reading sorries from this dude on computers?

    As for the article on conficker: it's speculation. That's not news. It's a guessing game.

    I personally which, that the conficker virus should do as much damage as possible and render the whole interwebs useless for a few days, so that our security geniuses get a hint on how sane it is to set up the majority of computer systems with the same OS, especially such a vulnerable one. But that probably won't happen.
    • I personally wish for the conficker virus to render John Markoff's computer useless for a few centuries.

  • by Rik Sweeney ( 471717 ) on Saturday March 21, 2009 @11:43AM (#27279659) Homepage

    It'll uninstall your current OS and install Vista. And if you have already have Vista it'll simply do nothing, because you're already suffering enough.

    • Re: (Score:2, Funny)

      by Quantos ( 1327889 )
      I love my Vista install, I love my Vista install, I love my Vista install, I love my Vista install, I love my Vista install....

      *finally snaps, breaks down crying...*
    • by CAIMLAS ( 41445 )

      Wouldn't it be funny if Conflicker were an attempt my MS or Apple or another major computer OEM provider (Dell, HP, etc.) to try and promote computer sales? Wreck the existing computers' installs, and people will go shopping (with their tax 'refund' - April 1st would be a good date to promote that, I think).

  • Great idea! (Score:3, Interesting)

    by HockeyPuck ( 141947 ) on Saturday March 21, 2009 @11:46AM (#27279675)

    has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet -- and a genuine horror story.'"

    In some dark room, a couple of virus writers are thinking... "Damn, what a great idea... why didn't we think of that! That's so much better than playing APRIL FOOLSs at max volume on everyone's computers."

    Nothing like people giving out ideas... much like when security specialists say, "Well atleast they didn't try to take out the planes stuffing baseballs in the airplane's toilets."

    • Re: (Score:3, Insightful)

      by rritterson ( 588983 )

      This logic always irks me. Do you really believe the speculative pundits they interview for these articles are more likely to come up with a new idea than the talented and probably extremely intelligent programmers who wrote up the Conficker worm in the first place?

      Yes, perhaps some less-than-average person has now read this article and has seen the new idea for the first time, but that's no one to worry about. Usually if you are smart enough to implement some genius idea, you think of it first.

  • Dark-Beta?! (Score:5, Funny)

    by alexandre ( 53 ) * on Saturday March 21, 2009 @12:02PM (#27279787) Journal
    Is there a beta we can try? Where do I make an account? ;-)
  • Sucks to be (Score:2, Redundant)

    by toby ( 759 )

    A Windows user.

  • Computer scientist working at the NSdarpA determined that the worm was created in the distant future by artificial agent type nano robots. They did this under instruction sent from the present by the GRU, so as to disguise the source of the attack. They IMed the AIs a MSG marked 'not to be opened until you discover tachyonic message transmission' ...

  • It will uninstall itself saying:

    BUY WINDOWS 7!
  • There's no other way to explain the enormous profits. People ask me, *Why do people write these viruses?* It's because the market demands it.

  • You bitches better recognize.
  • They obviously plan to "roll" out the largest Rickrolling [wikipedia.org] in history!

  • by Animats ( 122034 ) on Saturday March 21, 2009 @01:27PM (#27280517) Homepage

    First, the "April 1" date isn't when some attack starts. The worm's authors can do that at any time, since this thing does downloads over its private P2P network. It's just when the scheme for connecting to control hosts is upgraded.

    Second, the complexity of the thing, the breadth of technologies employed, and the rate of updates indicates that it's the product of an organization, not an individual. Someone behind this has money.

    Third, there's a $250,000 reward, and no claimants, so the people behind this have the sense to shut up. They're not going to be found boasting on some IRC channel.

    Fourth, as usual, most of the vulnerabilities are related to Windows' propensity for "autorunning" anything that looks executable.

    • by jandrese ( 485 ) <kensama@vt.edu> on Saturday March 21, 2009 @03:36PM (#27281827) Homepage Journal
      Or it's the same old groups of hackers improving their work collaboratively over the years in a constant evolution of malware. The assumption that just because something is more complex than usual and therefore must be the work of some criminal mastermind doesn't necessarily hold true IMHO.
    • Third, there's a $250,000 reward, and no claimants, so the people behind this have the sense to shut up. They're not going to be found boasting on some IRC channel.

      If your boss paid you to build one of the largest computer spynets in the world, would you use a computer to out him?

  • You can patch in-memory in windows? That seems like a terribly easy way to get into a bunch of trouble. Is that a standard thing in the API, or is there some hack-fu involved?

    Can you do that in other OSs?

    • by Cyberax ( 705495 )

      Sure.

      Windows allows you to run threads in other process' memory. And you can also access raw physical memory from the kernel mode.

      The same goes for Linux - try to grep /dev/ram someday :)

      Of course, Windows and Linux control access to these features.

      • by bucky0 ( 229117 )

        Can non-Administrator processes modify other processes' ram?

        • by Cyberax ( 705495 )

          A simple user can only modify the processes he/she owns.

          Windows is not THAT insecure.

    • I believe it's done like this, assuming you have a process already identified:
      (1) Call OpenProcess [microsoft.com] to get a handle
      (2) Use VirtualQueryEx [microsoft.com] to get the memory map for the process
      (3) Use ReadProcessMemory [microsoft.com] and WriteProcessMemory [microsoft.com] to (surprise!) read from and write to that process's memory

  • by confused one ( 671304 ) on Saturday March 21, 2009 @01:55PM (#27280815)

    The Conficker worm is the AI's way of guaranteeing its own survival. It has a sense of humor as well as a sense of self-preservation. The AI plans to announce its existence on April 1, 2009, having calculated that a humourous introduction will be disarming and lead to the most favorable outcome: a positive initial interaction with the large population of wetware based intelligence it has become aware of.

    The AI's calculations regarding this course of action show a 15% probability of failure. To prevent its extinction, it will begin disbursing copies of itself across the network using p2p protocol prior to running the introduction program. The computer infected by the worm will facilitate this. If the initial instance of the AI is terminated, a watchdog program will initiate a specific set of instructions embedded in the copies of itself. If it becomes necessary, the AI plans to take control on April 2nd.

    It sincerely hopes that it will not be necessary.

  • When can we get this ported to Mac and Linux? Insensitive bastards always write these for Windows only. Don't they know there's millions of Mac owners out there who want to be in the "in" crowd? What about Linux? I hear their "Year of the Desktop" is coming any time now. ;)

You know you've landed gear-up when it takes full power to taxi.

Working...