Debate over significance of Conficker phoning home on April Fools Day

Many security experts are downplaying the significance of millions of Conficker-infected PCs initiating an elaborate calling-home sequence on April 1.

Still, concerns are growing about the much firmer grip on the corrupted PCs that the bad guys are on the cusp of securing, whether or not they choose to do anything with them on April Fools Day.

SecureWorks senior researcher Joe Stewart, who gave up playing bass guitar in a rock band to become an elite virus hunter, is the latest good-guy coder to downplay the significance of instructions embedded in Conficker-infected PCs to phone home April 1. On Wednesday, each PC will begin generating a list of 50,000 web addresses, drawn from 110 Top Level Domains, then begin trying to contact 500 of them each day.

Currently, infected PCs attempt to contact 250 randomly generated domains, drawn from the six most common TLDs: .com, .net, .org, etc. The Microsoft-led group of defenders, known as the “Conficker Cabal,” has been locking down many of these domains so the bad guys cannot use them to send instructions to infected PCs.

Though Microsoft did not invite SecureWorks to be part of the Cabal, Stewart says that the Cabal ought not be underestimated. “These are the security industry’s heavy-hitters,” says Stewart. “And you can be sure they are working diligently to mitigate the domain issue.”

“Even though there are 50,000 domains to look at, they are being closely monitored, and if any malicious servers do appear, they will likely be taken down or null-routed very quickly,” says Stewart. “If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn’t do it on the one day everyone is watching for it.”

Roel Schouwenberg, senior researcher at Kaspersky Lab Americas, also does not see much of an overarching threat.

“Even if the media attention were to die down,” says Schouwenberg, “the attention from the antivirus community would not. We will keep a close watch on Conficker and try to take the right countermeasures if need be.”

Vincent Weafer, vice president, Symantec Security Response, notes that “most malware these days is designed to be used for some type of criminal monetary gain, and conducting such criminal acts typically requires stealth measures to be successful. As such, this makes the odds that a major event will take place on April 1 even less likely since there is so much attention being paid to that day.”

Seeing the forest through the trees

But LastWatchdog wonders if some of the good guys might be staring too intently at the bark of the tree directly in front of them.

Remove the media from the discussion. Consider what these bad guys are on the cusp of achieving. If a large percentage of infected PCs successfully dial home on April 1, they will have established:

  • A proven way to get Conficker-infected PCs to randomly check in at a possible 1.5 million rendezvous points a month (50,000 domains × 30 days).
  • A proven way to incorporate 110 top-level domains into that mix. Not just .com, .net, .biz and .org, but also .ru (Russia), .cn (China), .ro (Romania), .ua (Ukraine), .ng (Nigeria) and dozens of other nations unlikely to co-operate with the Cabal in shutting down Conficker rendezvous points.
  • A robust, automated technique to use the Internet to push out instructions to millions of Conficker-infected PCs.
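Seen from a defender's DNS resolver, the rendezvous scheme described above has a recognisable shape: a single host asking for hundreds of never-before-seen names spread across many TLDs, most of which do not resolve because nobody has registered them. The following is an added example (written for this page, not code from the article or from any of the researchers quoted) that turns that observation into a simple per-client heuristic over resolver logs. The log format, the sample lines, the client addresses and the flagging thresholds are all constructed assumptions; the "last two labels" domain extraction is a deliberate simplification that a production version would replace with a public-suffix list.

```python
import re
from collections import defaultdict

# Constructed sample of resolver log lines (NOT real Conficker traffic).
# Assumed format: "<time> <client_ip> <query_name> <rcode>"
# 10.0.0.5 behaves like an ordinary workstation; 10.0.0.9 shows the
# many-random-domains / many-TLDs / mostly-NXDOMAIN pattern.
SAMPLE_LOG = """\
09:00:01 10.0.0.5 www.example.com NOERROR
09:00:02 10.0.0.5 mail.example.com NOERROR
09:00:05 10.0.0.5 cdn.example.net NOERROR
09:00:01 10.0.0.9 qpzvlwkt.com NXDOMAIN
09:00:02 10.0.0.9 hnjkdzue.ru NXDOMAIN
09:00:03 10.0.0.9 ztqvbmwe.cn NXDOMAIN
09:00:04 10.0.0.9 kjwxplra.org NXDOMAIN
09:00:05 10.0.0.9 rtyvnmqz.ro NXDOMAIN
09:00:06 10.0.0.9 wqmnrpdx.ua NXDOMAIN
09:00:07 10.0.0.9 lkjhgfds.ng NXDOMAIN
09:00:08 10.0.0.9 bvcxzmnh.net NXDOMAIN
09:00:09 10.0.0.9 update.example.com NOERROR
"""

LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<rcode>\S+)$"
)


def parse_log(text):
    """Yield (client, qname, rcode) for each well-formed line; skip the rest."""
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            yield (m.group("client"),
                   m.group("qname").lower().rstrip("."),
                   m.group("rcode").upper())


def registered_domain(qname):
    """Naive registrable-domain guess: the last two labels (assumption,
    no public-suffix handling, so 'foo.co.uk' would be mis-split)."""
    labels = qname.split(".")
    return ".".join(labels[-2:])


def profile_clients(records):
    """Aggregate per-client query statistics relevant to rendezvous-style
    lookups: distinct registrable domains, distinct TLDs, NXDOMAIN ratio."""
    raw = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                               "domains": set(), "tlds": set()})
    for client, qname, rcode in records:
        s = raw[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["domains"].add(registered_domain(qname))
        s["tlds"].add(qname.rsplit(".", 1)[-1])
    profiles = {}
    for client, s in raw.items():
        profiles[client] = {
            "queries": s["queries"],
            "distinct_domains": len(s["domains"]),
            "distinct_tlds": len(s["tlds"]),
            "nxdomain_ratio": s["nxdomain"] / s["queries"],
        }
    return profiles


def flag_dga_suspects(profiles, min_domains=5, min_tlds=3, min_nx_ratio=0.5):
    """Return clients whose profile matches the heuristic. Thresholds are
    assumptions chosen for this toy sample; tune them against a real baseline."""
    return sorted(
        client for client, p in profiles.items()
        if p["distinct_domains"] >= min_domains
        and p["distinct_tlds"] >= min_tlds
        and p["nxdomain_ratio"] >= min_nx_ratio
    )


if __name__ == "__main__":
    profiles = profile_clients(parse_log(SAMPLE_LOG))
    for client in flag_dga_suspects(profiles):
        print(client, profiles[client])
```

The point of the heuristic is that it does not depend on knowing or pre-registering any of the 50,000 candidate names: it keys on the behaviour a blocked-by-default rendezvous scheme forces onto the infected host, which is exactly the part the Cabal's domain lockdown cannot make disappear. On a real resolver the same counters would be computed per client per day, with the thresholds set from the site's own baseline rather than the constants used here.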

“It’s a hedge,” says Sophos researcher Chet Wisniewski. “They’re betting we’re not going to be able to register all those domains and block their access to them.”

Rick Howard, director of security intelligence at iDefense, observes that establishing a communications mode via a Web domain is just one of two communication modes available to the bad guys. It’s a simple thing for the controllers to insert a fresh PC — one they control — into their custom-built P2P network. From that new machine they can initiate node-to-node communications throughout Conficker’s proprietary P2P network.

“Conficker.C contains a new peer-to-peer update functionality that allows already-infected nodes to scan the Internet for their brethren and send them the latest update,” says Howard. “The combination of these two update mechanisms will help solidify the attacker’s control over the Conficker network, which the cabal has partially wrestled away.”

Paul Royal, principal research scientist at Purewire, likewise is concerned about Conficker’s ability to receive updates without connecting to any domain. “Conficker-compromised systems with variant C can already scan the Internet to bootstrap themselves into the worm’s P2P overlay network, without the need of a supernode, and with no central point to take down,” Royal says. “Therefore, new malicious software pushed out to one of the systems via the P2P mechanism could propagate like a brushfire across all Conficker C-compromised machines.”

Even if the Cabal can come up with some way to figure out and disrupt a material number of the 50,000 domains, “no such luxury exists in foretelling the P2P-based point of origin that might begin offering new malware.”

In other words, all the bad guys have to do is load the P2P client on a machine they control and add that machine to Conficker’s proprietary P2P network. Any updates initiated from that machine would quickly disperse across the network, leaving little trace of the origination point. That’s the beauty of P2P nets.

Stay tuned.

–Byron Acohido