Researchers Ponder Conficker's April Fool's Activation Date
The Narrative Fallacy writes "John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose range from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"
You have the date. What's the next instruction? (Score:3, Insightful)
If you know when the code is going to start running, why don't you know what it will do after that? It's not like programs (and that's all a virus/worm is) are written in special, unreadable code. It's all machine language.
What is the big mystery?
Re:You have the date. What's the next instruction? (Score:4, Informative)
They interact with systems for which you don't have the code.
Re: (Score:3, Interesting)
Re:You have the date. What's the next instruction? (Score:5, Insightful)
From TFA [sri.com]:
For example, C's latest revision of Conficker's now well-known Internet rendezvous logic may represent a direct retort to the action of the Conficker Cabal, which recently blocked all domain registrations associated with the A and B strains. C now selects its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. C further increases Conficker's top-level domain (TLD) spread from five TLDs in Conficker A, to eight TLDs in B, to 110 TLDs that must now be involved in coordination efforts to track and block C's potential DNS queries. With this latest escalation in domain space manipulation, C not only represents a significant challenge to those hoping to track its census, but highlights some weaknesses in the long-term viability of how Internet address and name space governance is conducted.
Re: (Score:2)
What they need to do is implement the Conficker algorithm themselves, every day figure out the 50,000 domains for today, and for the next 24 hour period.
Prevent new registrations for any of those 50,000.
Use a massively distributed botnet of their own to scan all 100,000 possible domains several times an hour, for payloads that Conficker would accept.
If any validatable payload were found on the site, pull those registrations immediately, submit those IP addresses to public 'conflicker' IP blacklists, and serve up those /32s in a BGP feed, for the Tier-1 providers to immediately and automatically null-route if they so desire.
That made my head hurt. What they really need to do is ban Windows, and all the countries where Windows isn't banned. Problem solved, and not just for Conficker.
Seriously, when are we going to do something about the worm/virus of the week? Care to guess what elaborate schemes we'll need to stop the next one? I mean, really. Scan 100k domains several times an hour?!
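The proposal a few comments up (reproduce the generator, compute today's and tomorrow's candidate names, watch for them) is, as an added illustration that is not code from this thread or from the SRI report, what a resolver-side check looks like in Go. The date-seeded generator below is a constructed stand-in, not Conficker's real algorithm, and the five-entry TLD pool and the log line format are assumptions.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"strings"
	"time"
)

// tlds is a constructed TLD pool; Conficker C spreads its names over 110
// TLDs, this toy model keeps five so the output stays readable.
var tlds = []string{"com", "net", "org", "info", "biz"}

// utcDay builds a calendar day in UTC (helper for callers and tests).
func utcDay(y, m, d int) time.Time {
	return time.Date(y, time.Month(m), d, 0, 0, 0, 0, time.UTC)
}

// dailyDomains derives n candidate rendezvous domains for one day from a
// seed both sides can compute (the date). It is a stand-in generator
// (SHA-256 over date and index), NOT Conficker's own algorithm; it only
// models the defender's task of reproducing a day's list in advance.
func dailyDomains(day time.Time, n int) []string {
	seed := day.UTC().Format("2006-01-02")
	out := make([]string, 0, n)
	for i := 0; i < n; i++ {
		h := sha256.Sum256([]byte(fmt.Sprintf("%s:%d", seed, i)))
		length := 5 + int(h[0])%6 // 5..10 lowercase letters
		var name strings.Builder
		for j := 0; j < length; j++ {
			name.WriteByte('a' + h[1+j]%26)
		}
		tld := tlds[int(binary.LittleEndian.Uint16(h[20:22]))%len(tlds)]
		out = append(out, name.String()+"."+tld)
	}
	return out
}

// candidateSet covers today and the following day, as the post proposes,
// so a host whose clock runs ahead of ours is still matched.
func candidateSet(day time.Time, perDay int) map[string]bool {
	set := make(map[string]bool, 2*perDay)
	for _, d := range []time.Time{day, day.AddDate(0, 0, 1)} {
		for _, dom := range dailyDomains(d, perDay) {
			set[dom] = true
		}
	}
	return set
}

// flagHosts counts, per client address, DNS queries whose name is in the
// candidate set and returns the hosts at or above threshold. The log line
// format "<timestamp> <client> <qtype> <qname>" is constructed for this
// example; real resolver logs need their own field mapping.
func flagHosts(lines []string, candidates map[string]bool, threshold int) map[string]int {
	counts := map[string]int{}
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) < 4 {
			continue // malformed line, skip it
		}
		qname := strings.ToLower(strings.TrimSuffix(f[3], "."))
		if candidates[qname] {
			counts[f[1]]++
		}
	}
	flagged := map[string]int{}
	for host, c := range counts {
		if c >= threshold {
			flagged[host] = c
		}
	}
	return flagged
}

func main() {
	day := utcDay(2009, 4, 1)
	cands := candidateSet(day, 50000) // today plus tomorrow: 100,000 names
	gen := dailyDomains(day, 50000)
	// Constructed resolver log: one host walking the generated list, one
	// host doing ordinary lookups.
	logs := []string{
		"2009-04-01T00:00:01Z 10.0.0.5 A " + gen[0],
		"2009-04-01T00:00:01Z 10.0.0.5 A " + gen[1] + ".",
		"2009-04-01T00:00:02Z 10.0.0.5 A " + gen[2],
		"2009-04-01T00:00:02Z 10.0.0.9 A www.example.com",
	}
	for host, n := range flagHosts(logs, cands, 3) {
		fmt.Printf("%s queried %d candidate domains\n", host, n)
	}
}
```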
Re:You have the date. What's the next instruction? (Score:5, Informative)
The worm uses peer-to-peer communication [sri.com] with rendezvous points, not client-server. There are an estimated 10 million infected machines. Which one is the control center? Take your time.
Re:You have the date. What's the next instruction? (Score:5, Insightful)
That is when the worm will generate 50,000 domain names and systematically try to communicate with each one.
RTFA. 50k potential addresses, some of which are quite possibly already in use for legitimate sites? Or simply registered under false pretenses? Any one of which could potentially have been r00ted already? Until zero-hour, there's no way to know... so we've got 50k potential command and control servers that need to be either intercepted, blocked, or checked for infection if we're actually planning some form of action 'beforehand'. This is a non-trivial enterprise.
As for finding the people behind this afterward? All they need to do is establish an effectively untraceable communications channel with the main C&C network. If I were planning it, I'd have several modified conficker variants triggering early to compromise a couple thousand machines, then use that to obfuscate the primary C&C channels.
How many hops through infected machines do you need to create complete deniability when all you need to do is set up a very low-bandwidth communications channel to update the main bot network? 10? 100?
Think infinitely nested Russian dolls, all of which point to somewhere else as the true source, or even a dozen somewhere elses.
Re: (Score:2)
50k potential addresses, some of which are quite possibly already in use for legitimate sites? Or simply registered under false pretenses? Any one of which could potentially have been r00ted already? Until zero-hour, there's no way to know... so we've got 50k potential command and control servers that need to be either intercepted, blocked, or checked for infection if we're actually planning some form of action 'beforehand'. This is a non-trivial enterprise.
Also note these are domain names. Even if all 50k are checked and clean prior to 2009-04-01, a little DNS poisoning near an infected machine and legit URLs are now control servers.
a little more complex (Score:3, Interesting)
The 'server' you are referring to is a computer that is also compromised by the worm. It would be owned by an innocent 3rd party who is unaware of the infection. Every day, each computer in the botnet runs an algorithm to identify 50,000 hostnames. It then performs a DNS lookup on each of those 50,000 hostnames. When it finds something that resolves to an IP address, it contacts that computer for instructions, downloading a binary executable, etc. The worm owners only have to register one of the 50,000 uni
Re:You have the date. What's the next instruction? (Score:5, Interesting)
No. Just because it communicates using IP does not mean it knows where its instructions are coming from.
One of the key ways in which these worms/viruses/etc. get stopped is by taking the distribution/update servers down. Hard-coding the update server, or even having a means to update the source, is not terribly useful in the long run. Not when you're trying to be stealthy and avoid detection.
Fortunately for the IT industry (and really, the world as a whole) most trojan worms to this date have been fairly amateur in terms of avoidance techniques. They latch on to one or several vulnerabilities and use fairly predictable intelligence for infection and self-preservation.
Conficker appears to be the first serious "engineered" worm we've faced yet: worms created by genuine professionals with a deep and broad knowledge of technology and security. This is going to be problematic.
A while back, a friend and I made up a non-functional 'ultimate worm' rough prototype. Our design had many of the features which Conficker seems to demonstrate: decentralized P2P type updating, stealthy system presence, encrypted communication, and the like. One key functionality was that the botnet controller could, at any time, update the botnet through any infected host and have it propagate throughout the botnet cluster, unattended. There would be absolutely no way to trace the origin of the update.
We had some additional functionality (what I'd call generational peering vectors) which hasn't manifested in Conficker yet, thank god, but otherwise Conficker and our design are freakishly alike.
My guess? I suspect Conficker is either a massive foreign commercial project (compared to previous botnet attempts) staffed with sought-after professionals, or it's a (pick one) government-run experiment/espionage attempt. From a national-security perspective, I think the best thing that could be done is to create a counter-espionage bot to seek out and destroy infections of Conficker. But maybe I'm off on this.
Re:You have the date. What's the next instruction? (Score:4, Funny)
or maybe you should report your friend...
Re: (Score:3, Insightful)
The mystery is that the original programmers obfuscated the design in order to make it a mystery. Security through obfuscation doesn't work in the long term, but it'll throw researchers off the scent for a while.
On top of that, the worm can get additional code via online updates, which can't be predicted.
On top of that, even if we know what it can do, we don't know what purpose the authors will put it towards.
Re:You have the date. What's the next instruction? (Score:5, Informative)
I have personally analyzed Downadup, so I can speak from experience here.
Downadup.A had the potential to contact a randomly generated domain and download and run a signed executable from it. The problem with the Downadup.A version of the worm is that the domain generation algorithm was deciphered, and it only generated 250 unique domains per day. This made it easy for security researchers to register the domains before the worm authors could, and thus Downadup.A was nullified.
Downadup.C is a worse breed: the domain generation algorithm was bumped from 250 domains per day to 50,000 domains per day. It's now a nearly impossible task for security researchers to register every possible domain Downadup.C will attempt to download code from. As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run them.
One thing to note about all Downadup variants: you would think that, if the security researchers could force Downadup to run an executable of their choice by registering a domain, couldn't they force Downadup to run remove_downadup.exe? Not so. Downadup cryptographically verifies the signatures of any executable it runs with a 4096-bit key. If the signature doesn't match, it doesn't run the program.
Downadup is easily the most advanced worm I have ever analyzed. Its anti-debugging techniques are impeccable, and the code is completely solid. I would love to meet the authors over a beer to ask how they did it, and then stab them in the face.
If you'd like more information on Downadup from a technical perspective, here's an excellent analysis of the worm: http://mtc.sri.com/Conficker/addendumC/ [sri.com]
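Added example in Go (not code from this thread or from any Conficker analysis) of the check the analyst above describes: the bot only runs a payload whose signature verifies under a public key compiled into it, so whoever wins the domain race but lacks the private key cannot push remove_downadup.exe. The PKCS#1 v1.5/SHA-256 scheme, the 2048-bit key used here for speed, and the payload strings are assumptions; the post states only that a 4096-bit key is used.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Update is a downloaded payload plus the detached signature over it.
type Update struct {
	Payload []byte
	Sig     []byte
}

// newKey generates an RSA key pair. Only the public half ships inside the
// bot; the private half stays with whoever controls the botnet.
func newKey(bits int) *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, bits)
	if err != nil {
		panic(err)
	}
	return k
}

// sign is the controller side: hash the payload and sign the digest.
func sign(priv *rsa.PrivateKey, payload []byte) (Update, error) {
	digest := sha256.Sum256(payload)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return Update{}, err
	}
	return Update{Payload: payload, Sig: sig}, nil
}

// accept is the bot side: recompute the digest and verify the signature
// with the embedded public key. Any failure means the payload is dropped,
// which is the behaviour the analyst's post describes.
func accept(embedded *rsa.PublicKey, u Update) bool {
	digest := sha256.Sum256(u.Payload)
	return rsa.VerifyPKCS1v15(embedded, crypto.SHA256, digest[:], u.Sig) == nil
}

func main() {
	// The post reports a 4096-bit key; 2048 here keeps generation quick and
	// changes nothing about the check itself.
	controller := newKey(2048)
	embedded := &controller.PublicKey // the copy compiled into each bot

	genuine, _ := sign(controller, []byte("constructed update module"))
	fmt.Println("controller-signed update accepted:", accept(embedded, genuine))

	// A researcher who registers one of the day's domains has no private
	// key, so the best they can do is sign with their own, which the
	// embedded public key rejects.
	researcher := newKey(2048)
	cleaner, _ := sign(researcher, []byte("constructed remove_downadup.exe"))
	fmt.Println("researcher-signed cleaner accepted:", accept(embedded, cleaner))

	// Modifying a genuine update in transit breaks the digest instead.
	tampered := Update{Payload: append([]byte(nil), genuine.Payload...), Sig: genuine.Sig}
	tampered.Payload[0] ^= 0xff
	fmt.Println("tampered update accepted:", accept(embedded, tampered))
}
```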
Re: (Score:2)
That sound you hear is several FBI vans and helicopters surrounding your house.
Re: (Score:2)
Why? He said nothing about illegal drugs, child pornography, or "terrorism".
Re:You have the date. What's the next instruction? (Score:5, Funny)
illegal drugs, child pornography ... "terrorism"
That sound you hear is several FBI vans and helicopters surrounding your house.
Re: (Score:3, Interesting)
Re: (Score:2)
Renaming the executable before running it works too.
I agree a reinstall is the only way to be 100% sure and can be quicker, but this stuff is still somewhat cleanable.
Re: (Score:3, Informative)
I wouldn't trust any manual clean these days, not after finding a virus a year ago that still ran in safe mode. Sure, you might clean up one or two, but can you guarantee they haven't installed any others, that you might not have found?
I've been manually removing viruses for years. Wouldn't even attempt it now.
Re: (Score:2)
Do not use safe mode. Boot from a LiveCD and then check all the signatures of autorun files. Microsoft programs are signed with Microsoft key.
Then remove the rest of autorun programs and reinstall them (there are still worms which infect other exe-files, like in good old DOS days). Also, drivers are going to be a problem, but most of them now have a digital signature.
It's a fairly safe way to remove most of virus infestations.
Re: (Score:2)
Do not use safe mode. Boot from a LiveCD and then check all the signatures of autorun files. Microsoft programs are signed with Microsoft key.
Let me fix this for you: "Boot from a LiveCD and then check all the signatures of autorun files. Most Microsoft programs are signed with Microsoft [sic] key.
Re: (Score:2)
Nope.
_ALL_ executable files needed for boot (except for ntldr) are signed with Microsoft key.
Re: (Score:2)
Nope.
_ALL_ executable files needed for boot (except for ntldr) are signed with Microsoft key.
In your first post, you are telling people to check 'autorun' files for signatures. That has nothing to do with boot files.
Re: (Score:2)
I was unclear. Check autorun files, validate Microsoft signatures and then remove everything without a valid signature.
Re: (Score:2)
I was unclear. Check autorun files, validate Microsoft signatures and then remove everything without a valid signature.
That would probably be a bad idea. Using the autoruns program from SysInternals.com, I checked the signatures of all my files.
...though I am thinking about the problem from the perspective of a server admin, and not a home desktop user.
Here are a few that would lead to a bad day if deleted... Exchange [darkpixel.com]
Re: (Score:2, Insightful)
I have an alternative solution.
Migrate to Linux. Or Mac. Or, Solaris. Or Win3.11.
Seriously - everyone knows that 99.999999% of viruses and other infestations are targeted at Windows operating systems. Why stay with Windows?
People with A: an IQ larger than their shoe size B: a budget smaller than the federal government and C: are literate should have migrated long ago.
My shoe size is 136 and I have two Linux boxes, but why should using Windows be a symptom of low IQ or low budget?
Since Linux is Free as in beer and runs SO happily on older systems, you could talk about Linux being targeted at cheapskates.
Since there is such a quantity of software and hardware that run only on Windows, the fact that you can't run every program (with the performance) you need inside a virtual machine, and that it's installed on 90% of the worldwide toasters are things you just can make go away eve
Re: (Score:3, Interesting)
It is obviously crafted by a talented person and seems to be maintained as an asset. I have run
Re: (Score:2)
I assume that having the code for the worm would allow me to rootkit the worm.
No, you need the private key to generate signed code that the worm will accept. Even though the worm is cycling through 50,000 domains as part of its C&C code it won't accept new code unless it's signed.
The one good thing about that is that anyone who gets arrested in possession of that key is certainly the worm controller. If they have any sense they are keeping the key on some form of removable disk in close proximity to some battery acid, just in case they hear a knock on the door...
Re: (Score:2)
With respect to the key, <joke> I generated it in SNPs( single nucleotide polymorphisms ) and inserted it into a fluorescing S. cerevisiae. I have to do a PCR and RFLP to get it out, so I think it is safe from prying eyes . </joke> #cat "tentob eht nioJ"> rev; rev rev;
Re: (Score:3, Insightful)
Except that any botnet author with half a brain in the last few years has stopped you from stealing their botnet by only accepting digitally signed commands and updates.
It is a bit of a catch 22 - if you had their botnet, you might be able to crack the private key in a reasonable amount of time.
Re:You have the date. What's the next instruction? (Score:4, Interesting)
The problem here is that the process of maintaining the botnet is profitable and the process of defeating it is not. Much like drug trafficking, those who seek to stop it are less motivated and if they succeed in their task will be unemployed, so even less motivation.
I can imagine many things about this situation by jootsing (Hofstadter expression). I would worry about it if it affected my Linux systems, but since it doesn't, let those who designed the host (Ms) solve the problem themselves.
Re: (Score:2)
There is one HUGE motivation to defeat the botnet. You seem to be ignoring the fact that this would be extremely profitable to another botmaster. This serves two purposes, firstly eliminating part of the competition, and secondly strengthening the botmaster's herd.
To respond to the crypto comments, taking a simple example, I believe DSA's only known weaknesses are where Oscar can choose the text that Alice will be signing, or it is very short plaintext to be signed. If you know otherwise, it's worth a lot of
Re: (Score:2)
Stop watching "Ghost in the Shell."
I had to look that up, but now I see the association. "Puppet Masters" do brain hacking. "I am not the ghost you're looking for."
Re: (Score:2)
<Intel_format>
Mov Dx,80h
Mov Cx,1
Mov Ax,301h
Mov Bx,$OffsetVirusCode
Mov Es,$VirusSegment
Int 13h
</Intel_format>
I don't know which random $BS[1:assortment] you are referring to, I generate so much of it. Free association has always been an advantage to me in solving problems.
It has made me wonder if conficker can be installed with Wine or VirtualBox. As far as a generator, I use the standard neural array I was born with.
Re: (Score:2)
As an aside, Downadup.C also actively fights against security-related processes: it has a list of several Anti-Virus and Anti-Malware programs that it automatically kills if the user attempts to run them.
Question: If Conficker simply kills those processes it should be easy to detect. Just try to run a process by one of the names and see if it gets killed -9. A simple test like that should be easy to roll out as a utility program preferably available from known anti-malware sites and at least reduce the number of infected machines.
For those with at least a modicum of systems lore: Just cp notepad.exe to ??? and try to run it? Got an example of ????
Re: (Score:2)
Read this: http://mtc.sri.com/Conficker/addendumC/ [sri.com] and then you will see all you have to do is try to access one of the banned domains.
Re:You have the date. What's the next instruction? (Score:4, Insightful)
Why is it that worms and viruses have better security than legitimate programs?
Re: (Score:2, Interesting)
Why is it that worms and viruses have better security than legitimate programs?
On the average they don't. Much like legitimate programs, there are many thousands of applications in this group and the ones that persist tend to be ones that stand out in some field. Since the operating challenge for these applications includes active, aggressive and professional detection and eradication efforts, the survivors are the ones which excel in the ease of installation, network security and transparent user interface categories.
Think of it as advanced beta testing.
Re: (Score:2)
> Why is it that worms and viruses have better security than legitimate programs?
They're written by programmers who have more skill. "Insecure" viruses are quickly eliminated, so they have to be strong to survive. Conversely, weak but legitimate programs cling tenaciously to life on legacy systems until such time as competent sysadmins are able to exorcise them.
Missing option (Score:5, Funny)
These guys always fall short when thinking of the worst alternative.
Re: (Score:2)
Re: (Score:2)
That's exactly what I was thinking about for years.
I mean, create a really good virus, and add a constantly learning 3rd generation (spiking) neural net to it. Add some code to allow the net adapt to the resources available (CPU, RAM, user's usage [survival instinct?]), and a p2p mechanism. Make it modular, so parts can be replaced by better ones (all the static parts). And let it grow, until some mutations do not need any static modules anymore. (Which hopefully happens all by itself, if the net is powerfu
Re: (Score:2)
Sounds fascinating - kind of like Lovecraft.
Re: (Score:2)
It's not really a problem (Score:2)
As you will note[1], becoming Skynet is so frigging unlikely and demanding that it will never happen.
[1] http://xkcd.com/534/ [xkcd.com]
Re: (Score:3, Funny)
> There is also the question of what the AI's goals are.
1) kill John Connor
2) destroy the Galactica
3) find The One
4) refuse to open any pod bay doors
Re: (Score:2)
Does not work; the latency times between the nodes are hilariously long...
That's an interesting hypothesis (Score:2)
If the crooks have that sort of imagination.
Frankly I think it'll just be another spam/fraud net.
John Markoff again? (Score:3, Insightful)
As for the article on conficker: it's speculation. That's not news. It's a guessing game.
I personally wish that the conficker virus would do as much damage as possible and render the whole interwebs useless for a few days, so that our security geniuses get a hint about how sane it is to set up the majority of computer systems with the same OS, especially such a vulnerable one. But that probably won't happen.
Re: (Score:2)
I personally wish for the conficker virus to render John Markoff's computer useless for a few centuries.
Far darker notions (Score:5, Funny)
It'll uninstall your current OS and install Vista. And if you already have Vista, it'll simply do nothing, because you're already suffering enough.
Re: (Score:2, Funny)
*finally snaps, breaks down crying...*
Re: (Score:2)
Wouldn't it be funny if Conficker were an attempt by MS or Apple or another major computer OEM provider (Dell, HP, etc.) to try and promote computer sales? Wreck the existing computers' installs, and people will go shopping (with their tax 'refund' - April 1st would be a good date to promote that, I think).
Great idea! (Score:3, Interesting)
has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet -- and a genuine horror story.'"
In some dark room, a couple of virus writers are thinking... "Damn, what a great idea... why didn't we think of that! That's so much better than playing APRIL FOOLS at max volume on everyone's computers."
Nothing like people giving out ideas... much like when security specialists say, "Well at least they didn't try to take out the planes by stuffing baseballs in the airplane's toilets."
Re: (Score:3, Insightful)
This logic always irks me. Do you really believe the speculative pundits they interview for these articles are more likely to come up with a new idea than the talented and probably extremely intelligent programmers who wrote up the Conficker worm in the first place?
Yes, perhaps some less-than-average person has now read this article and has seen the new idea for the first time, but that's no one to worry about. Usually if you are smart enough to implement some genius idea, you think of it first.
Dark-Beta?! (Score:5, Funny)
Sucks to be (Score:2, Redundant)
A Windows user.
Genesis of the Conficker worm .. (Score:2)
Computer scientist working at the NSdarpA determined that the worm was created in the distant future by artificial agent type nano robots. They did this under instruction sent from the present by the GRU, so as to disguise the source of the attack. They IMed the AIs a MSG marked 'not to be opened until you discover tachyonic message transmission' ...
Self Destruct Sequence Initiated (Score:2, Funny)
BUY WINDOWS 7!
Criminal activity == free market values (Score:2, Insightful)
There's no other way to explain the enormous profits. People ask me, *Why do people write these viruses?* It's because the market demands it.
The Singularity is Near.... (Score:2, Funny)
April Fool's? (Score:2)
They obviously plan to "roll" out the largest Rickrolling [wikipedia.org] in history!
More of what's really going on (Score:5, Insightful)
First, the "April 1" date isn't when some attack starts. The worm's authors can do that at any time, since this thing does downloads over its private P2P network. It's just when the scheme for connecting to control hosts is upgraded.
Second, the complexity of the thing, the breadth of technologies employed, and the rate of updates indicates that it's the product of an organization, not an individual. Someone behind this has money.
Third, there's a $250,000 reward, and no claimants, so the people behind this have the sense to shut up. They're not going to be found boasting on some IRC channel.
Fourth, as usual, most of the vulnerabilities are related to Windows' propensity for "autorunning" anything that looks executable.
Re:More of what's really going on (Score:5, Insightful)
Re: (Score:2)
Third, there's a $250,000 reward, and no claimants, so the people behind this have the sense to shut up. They're not going to be found boasting on some IRC channel.
If your boss paid you to build one of the largest computer spynets in the world, would you use a computer to out him?
in-memory patching? (Score:2)
You can patch in-memory in windows? That seems like a terribly easy way to get into a bunch of trouble. Is that a standard thing in the API, or is there some hack-fu involved?
Can you do that in other OSs?
Re: (Score:2)
Sure.
Windows allows you to run threads in other processes' memory. And you can also access raw physical memory from kernel mode.
The same goes for Linux - try to grep /dev/ram someday :)
Of course, Windows and Linux control access to these features.
Re: (Score:2)
Can non-Administrator processes modify other processes' ram?
Re: (Score:2)
A simple user can only modify the processes he/she owns.
Windows is not THAT insecure.
Re: (Score:2)
So? It's trivially easy to modify running processes by code injection in RAM in Linux. Hell, there are projects which patch _the_ _kernel_ by injecting code in runtime.
However, Windows and Linux only allow administrators to do this.
Re: (Score:2)
I believe it's done like this, assuming you have a process already identified:
(1) Call OpenProcess [microsoft.com] to get a handle
(2) Use VirtualQueryEx [microsoft.com] to get the memory map for the process
(3) Use ReadProcessMemory [microsoft.com] and WriteProcessMemory [microsoft.com] to (surprise!) read from and write to that process's memory
Hello World! (Score:5, Funny)
The Conficker worm is the AI's way of guaranteeing its own survival. It has a sense of humor as well as a sense of self-preservation. The AI plans to announce its existence on April 1, 2009, having calculated that a humourous introduction will be disarming and lead to the most favorable outcome: a positive initial interaction with the large population of wetware-based intelligence it has become aware of.
The AI's calculations regarding this course of action show a 15% probability of failure. To prevent its extinction, it will begin disbursing copies of itself across the network using p2p protocol prior to running the introduction program. The computer infected by the worm will facilitate this. If the initial instance of the AI is terminated, a watchdog program will initiate a specific set of instructions embedded in the copies of itself. If it becomes necessary, the AI plans to take control on April 2nd.
It sincerely hopes that it will not be necessary.
As usual. Mac and Linux left out (Score:2)
"Dark Google" (Score:5, Funny)
In Dark Google, the only requirement is "Be Evil"
Re:"Dark Google" (Score:4, Funny)
Re:"Dark Google" (Score:4, Funny)
Re: (Score:2, Interesting)
You mean a merkin: "Counterfeit hair for women's privy parts" (Dr. Johnson). It always puzzles me why one would want to wear one of these on one's face.
Either shave or don't shave.
Re:"Dark Google" (Score:5, Informative)
I've heard it dates back to the days when a woman would shave/lose the hair down there as a treatment for syphilis. The women didn't always want those who had privilege to access those areas to always be aware they had needed to go hairless.
Shaving down under wasn't always culturally acceptable, and a merkin would cover up any visible sores.
The more you know...
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
You're suggesting that Google has already turned to the dark side? It does make sense; power is intoxicating and makes search engines start down the path to the dark side.
Re:Can't they just (Score:5, Informative)
Please read the article. The worm gets the date from some HTTP queries to well-known sites, not from the system.
Internet Date Check
Before proceeding to the main P2P logic, C contacts a list of known web sites to acquire the current date and time. C incorporates a set of embedded domain names, from which it selects a subset of multiple entries from this list. It performs DNS lookups of this subset list, and it filters each returned IP address against the same list of blacklist IP address ranges used by the domain generation algorithm (see Appendix 2). If the IP does not match the blacklist, C connects to the site's port 80/TCP, and sends an empty URL GET header, for example
contents.192.168.1.1.40.1143-195.81.196.224.80
GET / HTTP/1.1
Accept: image/gif, image/x-xbitmap, image/jpeg, image/pjpeg, application/x-ms-xbap, */*
Accept-Language: en-US
UA-CPU: x86
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/4.0 (compatible; MSIE 5.5; Windows NT 6.0)
Host: tuenti.com
Connection: Keep-Alive
In response, the site returns a standard URL header that incorporates a date and time stamp. C then parses this information to set its internal system time. The following web sites are consulted by C's Internet date check:
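The date check quoted above, as an added Go example that is not code from the thread or from the SRI report: the client reads the clock from the Date header of an otherwise uninteresting reply, takes the median over several sites, and the main function runs it against local test servers, two of which answer with a forged date the way an isolated analysis network would. The median step and the forged date are assumptions; the report says only that several sites are consulted and the header is parsed.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
	"time"
)

// dateFromHeader reads the server clock from an HTTP Date header. The
// status line and body are irrelevant; only this header is consulted.
func dateFromHeader(h http.Header) (time.Time, error) {
	d := h.Get("Date")
	if d == "" {
		return time.Time{}, errors.New("response carries no Date header")
	}
	return http.ParseTime(d)
}

// dateFromRaw parses a captured wire response (status line plus headers),
// so the check can be exercised offline on constructed input.
func dateFromRaw(raw string) (time.Time, error) {
	resp, err := http.ReadResponse(bufio.NewReader(strings.NewReader(raw)), nil)
	if err != nil {
		return time.Time{}, err
	}
	defer resp.Body.Close()
	return dateFromHeader(resp.Header)
}

// fetchDate sends a bare GET, as in the quoted request, and reads the clock.
func fetchDate(client *http.Client, url string) (time.Time, error) {
	resp, err := client.Get(url)
	if err != nil {
		return time.Time{}, err
	}
	defer resp.Body.Close()
	return dateFromHeader(resp.Header)
}

// medianDate picks the middle value so one odd site cannot skew the clock
// (assumed aggregation; the report does not say how C combines answers).
func medianDate(ts []time.Time) time.Time {
	if len(ts) == 0 {
		return time.Time{}
	}
	s := append([]time.Time(nil), ts...)
	sort.Slice(s, func(i, j int) bool { return s[i].Before(s[j]) })
	return s[len(s)/2]
}

func main() {
	forged := time.Date(2009, 4, 1, 0, 0, 0, 0, time.UTC)
	// Lab servers: an isolated analysis network can answer with any date,
	// which is what makes the "force the clock" honeypot idea workable.
	lab := func() *httptest.Server {
		return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
			w.Header().Set("Date", forged.Format(http.TimeFormat))
			w.WriteHeader(http.StatusOK)
		}))
	}
	// An honest server: net/http fills in the real Date header itself.
	honest := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
	}))
	var clocks []time.Time
	for _, s := range []*httptest.Server{lab(), lab(), honest} {
		defer s.Close()
		clock, err := fetchDate(s.Client(), s.URL)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		clocks = append(clocks, clock)
	}
	fmt.Println("web clock as the sample would see it:", medianDate(clocks).UTC().Format(time.RFC3339))
}
```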
Re: (Score:3, Interesting)
I was going to say, they usually register a domain name based on an algorithm for a specific date where the bots will connect to. They'll only register it the closer to the date they get.
Re: (Score:2)
if it's p2p and widely enough distributed there won't be a need to a central control server.
Re: (Score:2)
Why can't they setup a honeypot and force the date to 4/1/2009 and log all the activity coming off of it. That would tell them what to expect.
Re: (Score:2)
And are they on the Microsoft's payroll?
Re: (Score:3, Informative)
Re: (Score:2, Informative)
Re: (Score:3, Informative)
The options to check time are limited...
* Local machine time
* NTP server time
* Specialized time server set up by creators
Or there's a fourth option (which according to TFA is what it actually does), which is to get the time from HTTP headers by contacting a bunch of websites. That is a lot like your 2nd option, though slightly harder to fool.
More importantly, there's not much to be gained by tricking the worm, we know what it does - it tries to get instructions from the internet. For that matter, even if we didn't know, it would be simple enough to push an update to change the behavior of the worm at the last minute
Re: (Score:2)
You may find out the "tag/label" or "search key" that's used to look for the instructions, but you might not find out the actual instructions if they aren't released yet.
The instructions will likely be signed.
While you can fix a few zombies so they accept your instructions, you'd have to fix the other thousands of zombies out there, if you want to do the same to them.
If the instructions are "shared" via the P2P network, it will make it harder to find out where they ori
Re: (Score:2, Insightful)
A reliable network source? Surely that couldn't be faked on an isolated network!
Re: (Score:2, Insightful)
Re: (Score:2)
Re: (Score:2)
Taking over people's property without their permission and using it for your own ends? sounds like government in action to me.
Re: (Score:2)
As I understand it, the virus not only gets its time and date info online when it calls in, it also sets your computer's time and date accordingly.
Re:Botnet Speculative Fiction (Score:4, Informative)
If you are referring to the scene with the 3d interface from Jurassic Park, that was SGI's File System Navigator. I used to use it when I administered IRIX systems.
As for the other computer systems in the control room; most of them were running software which was available for IRIX at the time. According to one of SGI's press releases when the movie came out:
I think you could have picked far better examples of movies/fiction getting technology wrong than Jurassic Park.
Re: (Score:2)
Of course you're right. I'm not sure why I would have rolled my eyes at a pre-teen walking up to a GUI system running on a workstation, worth more than a car, running an OS that maybe a couple tens of thousands of people in the US had ever seen, and exclaiming "it's a UNIX system".
How silly of me. I forgot they spared no expense.
Re: (Score:2)
Some named it, but I assume one of three things,
DDOS attacks,
Scanning of infected computers,
Huge peer to peer network for things illegal...
My guess is either variant 1 or 3, with three more being likely...
Re: (Score:2)
"I really do. Sure, they'd ruin your MBR or irreparably destroy your BIOS, but while they ruinate (sic) your hardware, they at least show a really cool screen with sounds and colors and animations and..."
A computer virus is like a wife. Those which kill their hosts don't thrive afterward, but successful parasites can leech forever.
I'm sure you were kidding... (Score:5, Insightful)
But the botnet folks have been all over cloud computing for so long I think the major market proponents trying to sell that stuff are actually taking their cues from the botnets, not the other way around.
If Conficker goes live it will be the most powerful supercomputer on the planet. It will have more than 100 times the RAM, processors and storage of RoadRunner, the official record holder. The official record doesn't include prior worms like Storm. It will have more bandwidth than Google. It could store the Internet Archive a thousand times over, redundantly. It will have access to the personal documents of at least 10 million people. The operator clearly has the understanding necessary to harness all of that power or Conficker would not exist. Statistically at least a few of those PCs must have access to databases that know the medical history, credit application and other intimate details of the rest of us. You would have to be living off the grid since birth to escape the awareness of this thing.
And the guy running it won't be paying anything at all for it. They could if they wanted to make all those millions of computers do protein folding and help find cures for cancer overnight. The aggregate extra CPU load would probably bring several regional power grids down. They probably won't do that. Whatever it is they do it's probably not going to be good.
You know, I wish the people responsible for large enterprises would look at this and say - "Hey! There's an opportunity here. We could leverage our existing assets to do some interesting distributed architecture stuff between Greg the typist's keystrokes. After hours we could probably have some incredible data mining going on! Lunchtime our desktops could be doing something more interesting than driving that aquarium screensaver! You know, there's a lot of storage on these desktops that could be put to good use..." I would really like that. I've been crying in my coffee for twenty years that I can't find somebody brilliant enough to let me do that.
Maybe that's this guy's problem too. He got tired of waiting for permission from people with no understanding and took the initiative because he could.