IBM ISS cracks open Conficker’s secret communications code

March 31st, 2009

An IBM Internet Security Systems researcher, Mark Yason, has cracked open Conficker's secret communications protocol: the means by which infected PCs use Conficker's customized peer-to-peer (P2P) network to stay in touch with each other.

This is a major breakthrough. Yason worked straight through a couple of sleepless nights to reverse engineer the encoding designed to cloak the ongoing "random chatter" between PCs in Conficker's custom-built P2P network, says Holly Stewart, IBM ISS threat response manager.

Last Thursday, Big Blue began adjusting the intrusion-detection appliances it has in place inside 3,800 corporations in 170 countries, the subscribers to its Managed Security Services. IBM began to scan for Conficker P2P chatter and found only a minuscule number of infected PCs inside its customers' networks.

But it was a different story when IBM turned these same appliances outward to scan the entire Internet. Over the weekend, IBM compiled the clearest picture yet of PCs chattering across Conficker's custom-built P2P network. These machines are no longer scanning for unpatched hosts through which to spread the infection, so they are invisible to most traditional traffic-monitoring tools. But as they lie in wait for further instructions, they keep in touch with other peers via cloaked P2P chatter.

You can bet top researchers at all the big security firms have been working overtime to crack this. So IBM's Yason, who is reportedly an unassuming personality, has earned some bragging rights.

IBM is weighing LastWatchdog's request to disclose the total number of infected Conficker PCs it can see chattering across the worm's secret P2P network. What it did disclose this morning is the global dispersion of these chattering machines on a percentage basis. Asia has 45% of the chattering Conficker machines IBM can see out on the Internet; Europe 31%; South America 14%; North America 6%; the Middle East 3%.


Debate over full public disclosure

IBM held meetings Thursday and Friday to engage in a classic debate about whether to fully disclose, or keep proprietary, Yason's code-cracking work. The question of whether to divulge everything about a vulnerability or attack as soon as possible, so everyone can work to defend against it, has long been a red-hot, divisive issue in the security community.

Big Blue decided, as one might expect, against full public disclosure. "We don't want the wrong people to use it against our customers," says Stewart. "If the Conficker writers know exactly what we've done to detect their communications, they'll change it. Our customers are first and foremost in our mind."

IBM's logic makes sound business sense, of course. Only those who subscribe to IBM's managed security services get the benefit of scanning for Conficker chatter; IBM gets to leave its rivals in the dust, scrambling to match Yason's work. But its decision also underscores a fundamental reason why cybercrime continues to mushroom while the good guys fall farther behind: the bad guys share information much more freely in underground markets than hyper-competitive security vendors are willing to do in legitimate markets.

LastWatchdog challenged Stewart to defend IBM's decision not to give more weight to the greater good. She eventually acknowledged that Big Blue isn't quite as hard-edged as its carefully crafted public pronouncements suggest. She said IBM has initiated talks with certain unnamed tech vendors, including competitors, to discuss conditions under which IBM might be willing to share at least some of Yason's findings.

"We're in the process of reaching out to industry partners to talk about what they can do that is similar to what we did," says Stewart. "We're willing to explain to them how to see what we're seeing."

by Byron Acohido

Photos of Mark Yason, Holly Stewart