Countdown to Conficker’s April Fools Day Climax

March 25th, 2009


Two schools of thought exist about what the Conficker worm will do come the wee hours of April 1, 2009, GMT.

Some experts, like WinPatrol creator Bill Pytlovany, are sensing that the worm’s controllers will run circles around the Microsoft-led “cabal” of security groups trying to block some 3 million to 12 million Conficker-infected PCs from phoning home on April Fools Day.

CLICK HERE for consumer tips on combating Conficker.

“After a lot of research and debate I have been convinced that April 1st is not going to be a good day for the Internet,” says Pytlovany. “How Conficker will mutate is anyone’s guess. It could be anything from turning a machine into a spam-bot or launching a widespread cyberterror attack. My guess is it will be something designed to make money.”

Others, like SecureWorks senior researcher Joe Stewart, note that Conficker’s controllers have come very far along in organizing millions of infected PCs into powerful, flexible peer-to-peer (P2P) networks, so they can already convey orders to the infected PCs — right now.

“These PCs already are sending out P2P requests to find each other,” Stewart told LastWatchdog. “This allows them to get further instructions from their peers prior to and after April 1.”

Intrinsic threat

In reporting on this story, published today (Mar. 25) in 2.3 million print edition copies of USA TODAY, I ran into some conflicting evidence and a troubling lack of transparency on the part of the good guys.

Still, I was able to compile a timeline, which I believe to be a fairly good representation of how Conficker evolved. Timelines are an investigative reporter’s best friend. In this case, my timeline shows how the bad guys stayed several steps ahead of the good guys.

CLICK HERE to see timeline showing the evolution of Conficker.

Since last November, Conficker’s creators have infected at least 3 million Windows PCs — the estimate Microsoft gave me — and perhaps as many as 12 million. This profound, intrinsic threat accelerated in early January, causing a handful of tech companies and organizations — led by Microsoft — to form an alliance, dubbed the Conficker Cabal, to take on the mission of quelling Conficker.

That happened in mid-February. Then earlier this month, the criminals found a way to circumvent the Cabal’s primary damper. A major update was successfully delivered to most infected PCs, according to a widely cited research paper by SRI International, a non-profit research firm.

Conficker C update

The update stopped Conficker from spreading and, instead, set all infected PCs to work connecting themselves in a vast P2P network, says SRI program director Phillip Porras. P2P networks are powerful, flexible and can efficiently handle diverse tasks, since each computer is capable of functioning as a central server.

The update did one other thing: it instructed each infected PC, commonly referred to as a bot, to begin reporting for further instructions using a technique Porras and other security experts say the Cabal will find very difficult to block.

The date the infected Conficker bots are to report for duty: April 1.

CLICK HERE to see F-Secure’s comprehensive Conficker FAQ.

What could a network of several million bots be used for? Spreading spam. Stealing data. Conducting denial-of-service attacks that overwhelm commercial sites in order to extort cash payments. The Storm email bot network that plagued the Internet in 2007 and 2008 actually pioneered the use of P2P technology for spreading spam.

Storm, which infected an estimated 1 million PCs at its peak, spread by tricking people to click on viral weblinks spammed out in email messages with enticing subject lines.

Old school worm

By contrast, Conficker is an old-school, self-replicating worm that takes advantage of a zero-day security hole discovered by Chinese hackers last fall.

Microsoft took notice, and considered the threat serious enough to push out a rare emergency patch last October. Microsoft typically issues security patches on Patch Tuesday, the second Tuesday of the month.

As many security researchers feared, the worm’s creators were just getting started. Early precursors of Conficker began circulating in November and December, spreading on a limited basis, mostly in Asia.

Most home PC users in North America got patched quickly, via Windows Auto update. But many corporate and government users were more methodical about patching. In China and other nations where pirated copies of Windows are widely used, patches simply weren’t available for tens of millions of PCs.

Then in early January a full-featured version of Conficker began to spread at an accelerated rate. Each newly infected PC scanned the Internet, searching out unpatched PCs. Once an infection reached a corporate PC sitting behind a firewall, other sophisticated features of the worm activated.

Conficker slithered onto any shared hard drives; it searched out nearby servers and directed hundreds of combinations of user IDs and passwords to try to break in; it copied itself onto any device plugged into a USB port, such as any thumb drives, music players, or digital cameras. When that infected device later got inserted into another workstation, that machine became infected.

“Conficker has some very ‘human’ and clever twists that make propagation more successful,” says Paul Royal, principal research scientist at Purewire. “For example, the fact that the attackers are banking on people not having their Windows machines patched/updated. They banked right. Also, people should make sure the auto-run feature is turned off. While the conveniences of such features are great, malware writers have taken note and are using it to further propagate the malware.”

MIT encryption comes in handy

Each infected machine continually scanned the Internet for other unpatched PCs to infect.

The worm also took extraordinary measures to prevent each precious new bot from being cleaned up by Microsoft or any antivirus programs — or usurped by rival botnet controllers. SRI found, for instance, that Conficker’s creators used the freshly-written MIT MD6 algorithm published by MIT’s Dr. Ron Rivest last October.

“It certainly shows the folks that developed this have a variety of skill,” Porras, the SRI program manager told LastWatchdog.

Conficker infected the German military, along with networks in the British and French Air Forces and England’s Sheffield Teaching Hospitals. In mid August, Microsoft put up a $250,000 award for information leading to the capture of its creators and formed the Conficker Cabal.

The Cabal focused on disrupting what was perhaps Conficker’s most unnerving feature. Once a day each bot tried to connect sequentially with a list of 250 web domains for further instructions. Each day this list of 250 rendezvous points changed.

Early on, several security companies figured out the algorithm that derived the daily list and began registering some of the domains scheduled to turn up on future lists. They did this mainly to get bots to connect to a domain they owned, so they could see what the infected machine did next.

The Cabal stepped up the registering of domains scheduled to turn up on the daily lists as a way to prevent the bad guys from trying to use any of those addresses to send instructions. Microsoft began “working with partners to identify and register any previously unregistered domains and thus pre-empt registration of those domains for potential criminal use,” says Christopher Budd, of Microsoft’s security response team.

Cabal defense fails to stop update

Yet, on March 6 and again on March 17, the bad guys managed to somehow slip a major software update through to millions of PCs reporting to one of the rendezvous addresses, according to the SRI report. LastWatchdog asked Microsoft’s Budd how the update got through. Budd gave a quizzical non-answer. Here’s the exchange:

LW: Can Microsoft please explain how Conficker C, on March 5, was able to get through the Conficker Cabal’s pre-registration defense?

Budd: Microsoft identified Conficker.D (also known in the industry as Downadup.C) on March 6, 2009 and included a portal entry on the MMPC site. We’ll continue to detect these variants and provide updates to our AV products.

At least 60% — and perhaps as many as 80% — of the infected PCs received the early March updates, says SRI’s Porras. Using Microsoft’s estimate of 3 million infections to that point, that translates into at least 900,000 PCs carrying the latest variant of Conficker.

The update turned off the Internet-wide scan for other unpatched PCs and organized the infected PCs into P2P networks.

The update also sent down instructions for each bot, on April 1, to begin selecting 500 rendezvous addresses from a pool of 50,000 possible web domains and to check each rendezvous point for fresh instructions.
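To put the article’s numbers side by side, here is an added example (not code from the article, from SRI or from the Cabal) that works out how likely a bot’s daily rendezvous checks are to land entirely on defender-registered domains, for the 250-domains-a-day scheme and for the 500-of-50,000 scheme. It assumes the bot draws its daily domains uniformly at random, without replacement, from the pool; that is a modelling assumption for the cost estimate, not Conficker’s actual selection algorithm.

```python
# Added example: how the Conficker C rendezvous change affects the Cabal's
# pre-registration defense. Modelling assumption (not the real Conficker
# algorithm): each bot samples `picks` domains uniformly at random, without
# replacement, from a daily pool of `pool` candidates, and defenders have
# pre-registered `registered` of those candidates.
from math import comb


def p_fully_blocked(pool: int, picks: int, registered: int) -> float:
    """Probability that every domain a bot checks that day is one the
    defenders already own, so the bot cannot reach any attacker domain.
    Hypergeometric: C(registered, picks) / C(pool, picks)."""
    if picks > pool or not 0 <= registered <= pool:
        raise ValueError("inconsistent parameters")
    if registered < picks:
        return 0.0  # at least one pick is guaranteed to be unregistered
    return comb(registered, picks) / comb(pool, picks)


def domains_needed(pool: int, picks: int, target: float) -> int:
    """Smallest number of pre-registered domains that keeps a bot away from
    every attacker domain for the whole day with probability >= target."""
    lo, hi = picks, pool
    while lo < hi:  # binary search; p_fully_blocked is monotone in registered
        mid = (lo + hi) // 2
        if p_fully_blocked(pool, picks, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    # Conficker A/B as the article describes it: 250 domains a day, each bot
    # tries all 250, so registering all 250 blocks every bot with certainty.
    print("A/B, all 250 registered:", p_fully_blocked(250, 250, 250))
    # Conficker C as the article describes it: 500 picks from 50,000 domains.
    print("C, 250 registered:     ", p_fully_blocked(50_000, 500, 250))
    print("C, 49,500 registered:  ", p_fully_blocked(50_000, 500, 49_500))
    print("C, domains needed for a 50% daily block:",
          domains_needed(50_000, 500, 0.5))
```

Even with 99% of the pool registered, a bot still finds an unregistered domain on most days, which is why the article’s sources expect the Cabal to find the new scheme very difficult to block.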

“This is an attempt at trying to gain control of the botnet,” says Roel Schouwenberg, senior researcher at Kaspersky Lab. “Obviously this criminal group has spent a lot of time and money into developing the botnet and they must be very unhappy with losing it like that.”

Yet the unprecedented scale of Conficker infections leads some to wonder whether the bad guys could direct a massive botnet attack to achieve terrorists’ objectives, say knocking out a nation’s power grid or financial systems.

“In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself,” says Porras.

Richard Wang, U.S. Manager at SophosLabs, told LastWatchdog he believes it is “extremely unlikely” that Conficker is a prelude to cyberwar. “Any attempt to issue commands to Conficker now would be swiftly noticed and aggressively investigated,” says Wang. “To build a successful botnet, hackers need to spread their software but do so quietly. Drawing attention in the way that Conficker has done is ultimately counterproductive to their purpose.”

Neither SRI nor Sophos was invited to join the Cabal, whose membership you can see here.

Several security researchers told LastWatchdog they believe Conficker’s controllers may have the more mundane goal of cornering the market on botnets for hire. “This is free inventory for them,” says Josu Franco, Panda Security’s director of business development.

Cabal relies on vigilance, secrecy

Microsoft’s Budd argues that Conficker’s high visibility — with the Cabal and law enforcement watching the worm’s every move — “will be a deterrent” to a second stage of attacks.

“At the end of the day, we can’t speculate on the intentions of criminals,” says Budd. “The reality is we don’t really know for sure but Microsoft and others are working to limit the impact of any second phase.”

Giving the Cabal the benefit of the doubt, there certainly is a chance Microsoft is weaving together secret measures to keep Conficker in check over the long haul — measures it deems wise not to disclose publicly, even in general terms, as per this exchange:

LW: How many URLs has the Cabal pre-registered; how far into the future?

Budd: By revealing these numbers, the criminals’ attack could be aided.

LW: Can you estimate, for instance, how many URLs may already have been pre-registered, by someone other than Microsoft and your partners?

Budd: Again, by revealing these numbers, the criminals’ attack could be aided.

It would appear that no one outside of the Cabal members is privy to even innocuous details of the Cabal’s progress. How much this abject lack of transparency hinders the collaboration process is hard to know. One has to wonder how long Microsoft can keep a secretive Cabal pulling together to keep Conficker at bay.

The question beyond that: Will a Cabal defense be viable when the next iteration of Conficker slithers forth?

–Byron Acohido