The Last Watchdog

on Internet security by Byron Acohido

Debate over significance of Conficker phoning home on April Fools Day

Posted on March 28, 2009 | 6 comments

Many security experts are downplaying the significance of millions of Conficker-infected PCs initiating an elaborate calling-home sequence on April 1.

Still, concerns are growing about the much firmer grip the bad guys are on the cusp of securing on the corrupted PCs, whether or not they choose to do anything with them on April Fools Day.

SecureWorks senior researcher Joe Stewart, who gave up playing bass guitar in a rock band to become an elite virus hunter, is the latest good-guy coder to downplay the significance of instructions embedded in Conficker-infected PCs to phone home April 1. On Wednesday, each PC will begin generating a list of 50,000 web addresses, drawn from 110 Top Level Domains, then begin trying to contact 500 of them each day.

Currently, infected PCs attempt to contact 250 randomly generated domains, from the six most common TLDs: .com, .net, .org etc. The Microsoft-led group of defenders, known as the “Conficker Cabal”, has been locking down many of these domains so the bad guys cannot use them to send instructions to infected PCs.

Though Microsoft did not invite SecureWorks to be part of the Cabal, Stewart says that the Cabal ought not be underestimated. “These are the security industry’s heavy-hitters,” says Stewart. “And you can be sure they are working diligently to mitigate the domain issue.”

“Even though there are 50,000 domains to look at, they are being closely monitored, and if any malicious servers do appear, they will likely be taken down or null-routed very quickly,” says Stewart. “If the author(s) of Conficker planned some massive update of malicious code, they certainly wouldn’t do it on the one day everyone is watching for it.”

Roel Schouwenberg, senior researcher at Kaspersky Lab Americas, also does not see much of an overarching threat.

“Even if the media attention were to die down,” says Schouwenberg. “The attention from the antivirus community would not. We will keep a close watch on Conficker and try to take the right countermeasures if need be.”

Vincent Weafer, vice president, Symantec Security Response, notes that “most malware these days is designed to be used for some type of criminal monetary gain, and conducting such criminal acts typically requires stealth measures to be successful. As such, this makes the odds that a major event will take place on April 1 even less likely since there is so much attention being paid to that day.”

Seeing the forest through the trees

But LastWatchdog wonders if some of the good guys might be staring too intently at the bark of the tree directly in front of them.

Remove the media from the discussion. Consider what these bad guys are on the cusp of achieving. If a large percentage of infected PCs successfully dial home on April 1, they will have established:

  • A proven way to get Conficker-infected PCs to randomly check in at a possible 1.5 million rendezvous points a month (50,000 domains X 30 days).
  • A proven way to incorporate 110 top-level domains into that mix. Not just .com, .net, .biz and .org. But also .ru (Russia), .cn (China), .ro (Romania), .ua (Ukraine), .ng (Nigeria) and dozens of other nations unlikely to co-operate with the Cabal in shutting down Conficker rendezvous points.
  • A robust, automated technique to use the Internet to push out instructions to millions of Conficker-infected PCs.
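What that check-in pattern looks like from the defender's side: a bot walking a daily list of mostly unregistered names across many TLDs produces a burst of NXDOMAIN answers that an ordinary host never does. The heuristic below is an added example, not code from the article or from any vendor named in it; the resolver log format, the sample lines and the thresholds are all assumptions.

```python
import re
from collections import defaultdict

# Constructed resolver log lines for the example (not from the article).
# Assumed format: "<timestamp> <client_ip> <queried_name> <rcode>"
SAMPLE_LOG = """\
2009-04-01T00:01:02 10.0.0.5 www.example.com NOERROR
2009-04-01T00:01:09 10.0.0.5 mail.example.com NOERROR
2009-04-01T00:02:11 10.0.0.9 qzvmxr.cn NXDOMAIN
2009-04-01T00:02:12 10.0.0.9 pldwqa.ru NXDOMAIN
2009-04-01T00:02:14 10.0.0.9 xkwzrt.ro NXDOMAIN
2009-04-01T00:02:15 10.0.0.9 mnbvxq.ua NXDOMAIN
2009-04-01T00:02:17 10.0.0.9 trzqwp.ng NXDOMAIN
2009-04-01T00:02:19 10.0.0.9 vvkqpl.biz NXDOMAIN
2009-04-01T00:02:20 10.0.0.9 bqzxwm.org NOERROR
2009-04-01T00:03:30 10.0.0.5 typo-of-example.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")

def parse(log_text):
    """Yield (client, qname, rcode) for each well-formed line; skip the rest."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _, client, qname, rcode = m.groups()
            yield client, qname.lower().rstrip("."), rcode

def per_client_stats(log_text):
    """Per client: total queries, NXDOMAIN count, and the TLDs of the failed names."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "nx_tlds": set()})
    for client, qname, rcode in parse(log_text):
        s = stats[client]
        s["total"] += 1
        if rcode == "NXDOMAIN":
            s["nx"] += 1
            s["nx_tlds"].add(qname.rsplit(".", 1)[-1])
    return stats

def flag_rendezvous_walkers(log_text, min_nx=5, min_tlds=4, min_ratio=0.5):
    """Flag clients whose failed lookups are numerous, spread over many TLDs,
    and dominate their traffic. A normal host's NXDOMAINs are a few typos in
    one or two TLDs; a bot probing hundreds of unregistered names a day across
    dozens of TLDs looks very different on all three counts."""
    flagged = []
    for client, s in per_client_stats(log_text).items():
        ratio = s["nx"] / s["total"]
        if s["nx"] >= min_nx and len(s["nx_tlds"]) >= min_tlds and ratio >= min_ratio:
            flagged.append(client)
    return sorted(flagged)
```

Treat a hit as a triage signal rather than proof: search-suffix expansion and misconfigured hosts also generate NXDOMAIN bursts, so the flagged client's actual query names still need a look.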

“It’s a hedge,” says Sophos researcher Chet Wisniewski. “They’re betting we’re not going to be able to register all those domains and block their access to them.”

Rick Howard, director of security intelligence at iDefense, observes that establishing a communications mode via a Web domain is just one of two communications modes available to the bad guys. It’s a simple thing for the controllers to insert a fresh PC — one they control — into their custom-built P2P network. From that new machine they can initiate node-to-node communications throughout Conficker’s proprietary P2P network.

“Conficker.C contains a new peer-to-peer update functionality that allows already-infected nodes to scan the Internet for their brethren and send them the latest update,” says Howard. “The combination of these two update mechanisms will help solidify the attacker’s control over the Conficker network, which the cabal has partially wrestled away.”

Paul Royal, principal research scientist at Purewire, likewise is concerned about Conficker’s ability to receive updates without connecting to any domain. “Conficker-compromised systems with variant C can already scan the Internet to bootstrap themselves into the worm’s P2P overlay network, without the need of a supernode, and with no central point to take down,” Royal says. “Therefore, new malicious software pushed out to one of the systems via the P2P mechanism could propagate like a brushfire across all Conficker C-compromised machines.”

Even if the Cabal can come up with some way to figure out and disrupt a material number of the 50,000 domains, “no such luxury exists in foretelling the P2P-based point of origin that might begin offering new malware.”

In other words, all the bad guys have to do is load the P2P client on a machine they control and add that machine to Conficker’s proprietary P2P network. Any updates initiated from that machine would quickly disperse across the network, leaving little trace of the origination point. That’s the beauty of P2P nets.

Stay tuned.

–Byron Acohido


Comments


  1. Although there is a lot of interest and publicity surrounding this piece of malware, if you have been practicing safe computing practices, you are at minimal risk. Both businesses and individual users need to manage all the updates security vendors provide including network infrastructure devices and applications as well as end-user security solutions. By now those computers that can be infected with the Conficker / Downadup / Kido most likely already are.

    Rest assured: the vulnerability in the Microsoft operating system has been patched since October 2008. Additionally, the major anti-malware vendors have been working since the original discovery of this worm back in November 2008 to provide detection in their products. Business users and consumers can rely on organizations such as ICSA Labs, which perform periodic tests (anti-malware tests are performed monthly) to validate that vendors are performing their due diligence and keeping their products and solutions up-to-date.

    Andy Hayter
    Anti-Malcode Program Manager
    ICSA Labs

  2. Slowing or stopping the advance of the Conficker worm is a tremendous patch management and configuration management challenge. The problem is that organizations have a hard time knowing what patches are really installed and how systems are actually configured. Small organizations or individuals may be able to retain control, but most organizations are in a constant state of flux: new physical computers join the network, configuration settings change, and new software applications are added. The problem has gotten even worse with the increased emphasis on virtualization. Tools made by companies like Microsoft and Symantec require agents (software for managing patches and configuration settings) to be installed on the systems they are trying to protect. If companies can’t get an agent installed on a machine, they can’t find it, and therefore can’t fix it! The only realistic approach is to have patch management and configuration management software that can work without the need to install agents and has the ability to assess and fix both physical and virtual machines. The Conficker.C variant is particularly nasty in that it targets security software in an effort to disable or render it ineffective. The worm actually blocks the Microsoft patch management agent. At Shavlik we focus on making technology that is simple and does not require software (agents) on the target computer. We have always done this, and at a time like this, our product is uniquely qualified to combat the threat of Conficker.C!

    We can talk about our free assessment for the missing patch and misconfigurations.

    More details at:

    http://www.shavlik.com/landingpage/20090326-conficker.aspx

    Mark Shavlik
    CEO
    Shavlik Technologies

  3. As a Geek Squad Agent, it’s hard to make it through a day without someone asking about the Conficker threat and whether they should be worried that the Internet will implode on April 1st.

    I do agree that there’s plenty to debate over just how significant the threat of this individual worm is, though I also believe that it depends entirely on who you are.

    If you’re an individual looking to protect your family’s home computer, then you should probably be only as concerned as you would be about any malicious software threat. If you take the precautions you should be taking anyway, such as keeping your system up to date, making sure your antivirus and antispyware protection is current, avoiding P2P networks and practicing safe Internet habits, then you can probably take a deep breath and go on with the rest of your life.

    If you’re one of the big security and software companies that’s part of the “Conficker Cabal” coming together to fight the threat, I’m willing to allow a lot more concern and effort. Mainly, because I’m glad to see how much closer many of these companies are learning to work together to combat this threat, and how that may help build those relationships to better fight future malware. I also like how much further the Cabal has been able to get governments to work with them in terms of domain registrations, something that hasn’t really happened as easily in terms of previous global malware threats.

    I’m glad that both individuals and large companies are starting to take action to protect themselves and others against Conficker, because it also helps protect them from other, possibly worse, threats.

    Agent Derek Meister
    Geek Squad

  5. While all the media attention about the Conficker threat is useful in elevating the general population’s level of education about the growing botnet threat, I find it rather disconcerting that the focus is upon a threat that has largely been solved (at least from an enterprise perspective).

    I commented on this earlier today over at: http://blog.damballa.com/?p=144

    I think the bigger concern is that this particular updating mechanism using dynamic/near-random domains will inevitably be adopted in future malware variants (beyond Conficker), so security vendors are going to have to figure out a more permanent solution to this updating technique.

  6. As the previous comments indicate, the average home user who practices safe web surfing habits will most likely be ok. Corporations who have not patched their business machines or home users who have dangerous online behaviors (downloading random attachments, using P2P file sharing tools, clicking fake popup ads) should be cautioned to put up a defense, however.

    A little proactivity never hurt anyone. Make sure your system has automatic updates on, an antivirus tool installed, and a firewall enabled and you should be good to go. Of course nobody can foretell the future 100%. We will have to wait and see what actually happens on that magic April Fools Day.

    As mentioned previously, corporations are starting to work together to combat a common problem and have formed the “Conficker Cabal.” The “Conficker Cabal” is a turning point in the way we address large-scale issues such as Conficker.C. Trying to take the rug out from under Conficker’s operators is quite the undertaking. Kudos to the Cabal for pulling out all the stops and cracking down on this threat!

    In a day and age where the internet touches almost every aspect of our lives, personally and professionally, it is imperative that we put up defenses on all fronts, from all threats. This is true especially with the growing trend of business and personal time intermingling and even resulting in the sharing of technology between the two, such as bringing the company laptop home and adding it to your network, or bringing your personal flash drive to work to upload some information.

    I do think it is important to tell the public when such a threat is surfacing. This time around I don’t think the internet is going to suddenly catch fire, however. The hype sort of reminds me of December 31st, 1999, 11:59PM. Y2K wasn’t the end of computing as we know it, and neither is Conficker. Keep your computers updated, protected, and use a safe web-surfing mentality and you should be all set.

    Double Agent Chris Plath
    Geek Squad
