NetAtlantic has a
written by Mark Bowden regarding the history of the Conficker worm. It
really is a fascinating article and if you never read any of my offsite links
and you haven’t yet read it elsewhere, you definitely want to take the time
to read this one. It illustrates the complexity of the Conficker worm,
efforts to stop it and why it is so difficult to defeat.
I just can’t resist
posting a few excerpts:
Imagine your computer to
be a big spaceship, like the starship Enterprise on Star Trek.
The ship is so complex and sophisticated that even an experienced commander
like Captain James T. Kirk has only a general sense of how every facet of it
Now imagine a clever
invader, an enemy infiltrator, who does understand the inner workings
of the ship. He knows it well enough to find a portal with a broken lock
overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in
Microsoft’s operating platform. So no one notices when he slips in. He trips
no alarm, and then, to prevent another clever invader from exploiting the
same weakness, he repairs the broken lock and seals the portal shut behind
him. He improves the ship’s defenses. Ensconced securely inside, he
silently sets himself up as the ship’s alternate commander.
The [Conficker] worm
itself was exquisite. It consisted of only a few hundred lines of code, no
more than 35 kilobytes—slightly smaller than a 2,000-word document. In
comparison, the average home computer today has anywhere from 40 to 200 gigabytes
of storage. Unless you were looking for it, unless you knew how to
look for it, you would never see it. Conficker drifts in like a mote.
Here’s where things get
Analysts with Conficker B
isolated in their sandboxes could watch it regularly call home and receive a
return message. The exchange was encrypted… Rivest’s proposal for the new
[encryption] standard, MD-6 (Message Digest–6), was submitted in the fall of
2008, about a month before Conficker first appeared, and began undergoing
rigorous peer review—the very small community of high-level cryptographers
worldwide began testing it for flaws.
Needless to say, this is
a very arcane game. The entries are comprehensible to very few people.
According to Rodney Joffe, “Unless you’re a subject-matter expert actively
involved in crypto-algorithms, you didn’t even know that MD-6 existed. It
wasn’t like it was put in The New York Times.”
So when the new version
of Conficker appeared, and its new method of encrypting its communication
employed MD-6, Rivest’s proposal for SHA-3, the cabal’s collective
mind was blown.
The plot thickened—it
turned out that Rivest’s proposal, MD-6, had a flaw. Cryptologists in the
competition had duly gone to work trying to crack the code, and one had
succeeded. In early 2009, Rivest quietly withdrew his proposal, corrected it,
and resubmitted it. This gave the cabal an opening. If the original Rivest
proposal was flawed, then so was the encryption method for Conficker B. If
they were able to eavesdrop on communications between Conficker and its
mysterious controller, they might be able to figure out who he was, or who
they were. How likely was it that the creator of Conficker would know about
the flaw discovered in MD-6?
Once again, the good guys
had the bad guys in check.
About six weeks later,
another new version of the worm appeared.
It employed Rivest’s revised
The entire article is a
great read, and I learned a few things about Conficker. I hadn’t
realized just how sophisticated it was. I came away with a couple of
is behind Conficker is a professional or group of professionals.
You can’t write code that is this sophisticated on
your own. Like the article says, you and a bunch of buddies
playing Xbox cannot get together over the weekend and crank out a worm
that is this silent without having some major initiative behind
it. It requires co-ordination and you need to have some serious
programming skillz to know the ins and outs of major operating systems
and how computer protocols work.
is behind Conficker is watching to see what anti-malware efforts are
It is no co-incidence that when Microsoft published a previously
undisclosed security update to close a security vulnerability, Conficker
started to abuse it only a month later. And when a new version of
the worm came out, it used the most recent submission of a new
encryption standard. And then it used the revised standard
just a short time later!
Like I said, it is not a weekend coding project to do this. You
would have to actively keep up on the security space in order to
implement this, and have the expertise to do it in such a short period
of time. This leads me to believe that the developers have had
several years background in the security space and know about
anti-malware efforts, and also keep close tabs on the public sites and
forums that are dedicated to combating it. This suggests to me
that there is a team of people behind it. The job of monitoring is
a lot of work (I can barely handle it), and there would similarly need
to be people in sales and marketing to handle the distribution of
Yet the team could not be that large. Microsoft has a bounty of
$250,000 for anyone who comes forward with information leading to the
arrest of people responsible for creating the worm. The larger the
team behind it, the greater the odds of discovery. To me, this
suggests that either a criminal organization is behind it or perhaps it
is state sponsored and they are actively protected. Whatever the
case, security by obscurity is one of the key layers of defense.
guess is that the Ukraine has something to do with it.
If you get through the article, about 1/3 of the way
through they mention that earlier versions of the worm did not infect
computers with IP addresses located in the Ukraine. Why is
this? Why is the Ukraine so special?
I have a couple of theories. The first is that this is a
professional courtesy. The original developers of it were located
in the Ukraine and did not want their home country to be prone to
it. It’s kind of like rooting for the home team; infect everyone
else’s but yours.
Another theory is a spin-off of the first. Perhaps it was also
driven more by pragmatism than nationalism. If the originators of the
worm were located in the Ukraine, then it might make sense to have
everyone else’s computer systems infected but not yours. That way,
if you ever lose control of the botnet, your home country is clean but
everyone else is still infected. In other words, your own
country’s computers would be immune to the botnet. This is quite
handy and is a redundant backup in case you ever have to hand over the
reins of the botnet to someone else.
This makes it interesting to me. We know historically that the
Russian Business Network is centered in St. Petersburg, Russia.
But we also know that there were some really bad spammers located in the
Ukraine who were involved with CarderPlanet and Shadowcrew. Some
of the people involved in that are now involved in Ukrainian
politics. Is there a connection? Possibly. Perhaps the
Ukrainian government (or more likely, people in the Ukrainian government
acting on their own behalf) commissioned the creation of the botnet using
contacts they had in the cyber criminal underworld.
This is just guess-work and I have no evidence to support it. All
I have is knowledge that Ukraine was excluded… but I don’t know why.
This is, of course,
speculation. And it illustrates just how sophisticated the problem of
Conficker really is.