Conficker – The Enemy Within

The Atlantic has a fantastic article written by Mark Bowden regarding the history of the Conficker worm. It really is a fascinating article, and if you never read any of my offsite links and you haven’t yet read it elsewhere, you definitely want to take the time to read this one. It illustrates the complexity of the Conficker worm, the efforts to stop it, and why it is so difficult to defeat.

I just can’t resist posting a few excerpts:

Imagine your computer to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it

Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses. Ensconced securely inside, he silently sets himself up as the ship’s alternate commander.

The [Conficker] worm itself was exquisite. It consisted of only a few hundred lines of code, no more than 35 kilobytes—slightly smaller than a 2,000-word document. In comparison, the average home computer today has anywhere from 40 to 200 gigabytes of storage. Unless you were looking for it, unless you knew how to look for it, you would never see it. Conficker drifts in like a mote.

Here’s where things get

Analysts with Conficker B isolated in their sandboxes could watch it regularly call home and receive a return message. The exchange was encrypted… Rivest’s proposal for the new [encryption] standard, MD-6 (Message Digest–6), was submitted in the fall of 2008, about a month before Conficker first appeared, and began undergoing rigorous peer review—the very small community of high-level cryptographers worldwide began testing it for flaws.

Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”

So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest’s proposal for SHA-3, the cabal’s collective mind was blown.

The plot thickened—it turned out that Rivest’s proposal, MD-6, had a flaw. Cryptologists in the competition had duly gone to work trying to crack the code, and one had succeeded. In early 2009, Rivest quietly withdrew his proposal, corrected it, and resubmitted it. This gave the cabal an opening. If the original Rivest proposal was flawed, then so was the encryption method for Conficker B. If they were able to eavesdrop on communications between Conficker and its mysterious controller, they might be able to figure out who he was, or who they were. How likely was it that the creator of Conficker would know about the flaw discovered in MD-6?

Once again, the good guys had the bad guys in check.

About six weeks later, another new version of the worm appeared.

It employed Rivest’s revised MD-6 proposal.

The entire article is a great read, and I learned a few things about Conficker. I hadn’t realized just how sophisticated it was. I came away with a couple of

  • Whoever is behind Conficker is a professional or group of professionals.

    You can’t write code that is this sophisticated on your own. Like the article says, you and a bunch of buddies playing Xbox cannot get together over the weekend and crank out a worm that is this silent without having some major initiative behind it. It requires co-ordination and you need to have some serious programming skillz to know the ins and outs of major operating systems and how computer protocols work.

  • Whoever is behind Conficker is watching to see what anti-malware efforts are being done.

    It is no coincidence that when Microsoft published a previously undisclosed security update to close a security vulnerability, Conficker started to abuse it only a month later. And when a new version of the worm came out, it used the most recent submission of a new encryption standard. And then it used the revised standard just a short time later!

    Like I said, it is not a weekend coding project to do this. You would have to actively keep up on the security space in order to implement this, and have the expertise to do it in such a short period of time. This leads me to believe that the developers have had several years’ background in the security space and know about anti-malware efforts, and also keep close tabs on the public sites and forums that are dedicated to combating it. This suggests to me that there is a team of people behind it. The job of monitoring is a lot of work (I can barely handle it), and there would similarly need to be people in sales and marketing to handle the distribution of

    Yet the team could not be that large. Microsoft has a bounty of $250,000 for anyone who comes forward with information leading to the arrest of people responsible for creating the worm. The larger the team behind it, the greater the odds of discovery. To me, this suggests that either a criminal organization is behind it or perhaps it is state sponsored and they are actively protected. Whatever the case, security by obscurity is one of the key layers of defense.

  • My guess is that the Ukraine has something to do with it.

    If you get through the article, about 1/3 of the way through they mention that earlier versions of the worm did not infect computers with IP addresses located in the Ukraine. Why is this? Why is the Ukraine so special?

    I have a couple of theories. The first is that this is a professional courtesy. The original developers of it were located in the Ukraine and did not want their home country to be prone to it. It’s kind of like rooting for the home team; infect everyone else’s but yours.

    Another theory is a spin-off of the first. Perhaps it was also driven more by pragmatism than nationalism. If the originators of the worm were located in the Ukraine, then it might make sense to have everyone else’s computer systems infected but not yours. That way, if you ever lose control of the botnet, your home country is clean but everyone else is still infected. In other words, your own country’s computers would be immune to the botnet. This is quite handy and is a redundant backup in case you ever have to hand over the reins of the botnet to someone else.

    This makes it interesting to me. We know historically that the Russian Business Network is centered in St. Petersburg, Russia. But we also know that there were some really bad spammers located in the Ukraine who were involved with CarderPlanet and Shadowcrew. Some of the people involved in that are now involved in Ukrainian politics. Is there a connection? Possibly. Perhaps the Ukrainian government (or more likely, people in the Ukrainian government acting on their own behalf) commissioned the creation of the botnet using contacts they had in the cyber criminal underworld.

    This is just guess-work and I have no evidence to support it. All I have is knowledge that Ukraine was excluded… but I don’t know why.

This is, of course, speculation. And it illustrates just how sophisticated the problem of Conficker really is.