IBM ISS cracks open Conficker’s secret communications code
Posted on | March 31, 2009 | 9 comments
An IBM Internet Security Systems researcher, named Mark Yason, has cracked open Conficker’s secret communications protocol — the means by which infected PCs are using Conficker’s customized peer-to-peer, or P2P, network to stay in touch with each other.
This is a major breakthrough. Yason worked straight through a couple of sleepless nights to reverse engineer the coding designed to cloak the ongoing “random chatter” between PCs in Conficker’s custom-built P2P network, says Holly Stewart, IBM ISS threat response manager.
Last Thursday, Big Blue began adjusting intrusion-detection appliances it has in place inside 3,800 corporations in 170 countries. These are subscribers to its Managed Security Services. IBM began to scan for Conficker P2P chatter, and found only a minuscule number of infected PCs inside its customers’ networks.
But it was a different story when IBM turned these same appliances outward to scan the entire Internet. Over the weekend, IBM was able to compile the clearest picture yet of PCs chattering across Conficker’s custom-built P2P network. These machines are no longer scanning for unpatched IP addresses through which to spread infections, so they are invisible to most traditional traffic monitoring tools. But as they lie in wait for further instructions, they are keeping in touch with other peers via cloaked P2P chatter.
You can bet top researchers at all the big security firms have been working overtime to crack this. So IBM’s Yason, who is reportedly an unassuming personality, has earned some bragging rights.
IBM is weighing LastWatchdog’s request to disclose the total number of infected Conficker PCs it can see chattering across the worm’s secret P2P network. What it did disclose this morning is the global dispersion of these chattering machines on a percentage basis. Asia has 45% of the chattering Conficker machines IBM can see out on the Internet; Europe 31%; South America 14%; North America 6%; the Middle East 3%.

Debate over full public disclosure
IBM held meetings Thursday and Friday to engage in a classic debate about whether to fully disclose — or keep proprietary — Yason’s code cracking work. The notion of whether to divulge everything about a vulnerability or attack as soon as possible, so everyone can work to defend against it, has long been a red-hot, divisive issue in the security community.
Big Blue decided, as one might expect, against full public disclosure. “We don’t want the wrong people to use it against our customers,” says Stewart. “If the Conficker writers know exactly what we’ve done to detect their communications, they’ll change it. Our customers are first and foremost in our mind.”
IBM’s logic makes sound business sense, of course. Only those who subscribe to IBM’s managed security services get the benefit of scanning for Conficker chatter; IBM gets to leave its rivals in the dust, scrambling to match Yason’s work. But its decision also underscores a fundamental reason why cybercrime continues to mushroom — and the good guys fall farther behind: the bad guys share information much more freely in underground markets than hyper-competitive security vendors are willing to do in legitimate markets.
LastWatchdog challenged Stewart to defend IBM’s decision not to give greater weight to the greater good. She eventually acknowledged that Big Blue isn’t quite as hard-edged as its carefully crafted public pronouncements suggest. She said IBM has initiated talks with certain unnamed tech vendors, including competitors, to discuss conditions under which IBM might be willing to share at least some of Yason’s findings.
“We’re in the process of reaching out to industry partners to talk about what they can do that is similar to what we did,” says Stewart. “We’re willing to explain to them how to see what we’re seeing.”
by Byron Acohido
Comments
Hats off to Mark Yason for cracking Conficker’s protocol–but what a shame that he needed to do so. We already have the tools to prevent worms like Conficker from infecting us.
Instead of detecting it after it installs, let’s starve the beast. Hackers and crackers can’t profit from malware if we don’t let them install.
Default-deny prevention keeps malware out. Default-allow prevention ensures that even as we kill the Conficker, another malware will rise up to take its place.
Comment by Melih Abdulhayoglu — 4/1/2009 @ 2:04 pm
Kudos to Yason and a raspberry to IBM. Withholding information in order to gain advantage over competitors may be sensible business but it leaves innocent users in the lurch. When there is a threat to all users it should be fought for the sake of all not for the profit of just one organization. The name “Quisling” comes to mind here.
Comment by Marley Wylie — 4/2/2009 @ 9:57 am
Kudos to IBM! Unlike Marley, I think that most people understand proprietary ownership of the research is essential to security as well as capitalism. Why would IBM share what their researchers discovered? If they share that with us then they share that with everyone including the bad guys. Congrats to IBM on the breakthrough. I look forward to “not” knowing how Yason did it.
Comment by C. Manson — 4/2/2009 @ 1:10 pm
Nice work XFORCE! Giddyup!
Comment by David Nagel — 4/6/2009 @ 8:28 am
If you’ve ever seen the exploits on the heels of a patch announcement, I think you’ll understand why *all* security researchers are cautious about full disclosure. I don’t expect that any other security company would react differently. I think Stewart’s statement made perfect sense:
“Big Blue decided, as one might expect, against full public disclosure. “We don’t want the wrong people to use it against our customers,” says Stewart. “If the Conficker writers know exactly what we’ve done to detect their communications, they’ll change it. Our customers are first and foremost in our mind.””
Comment by Mumbo — 4/6/2009 @ 10:51 pm
If IBM knows the secret chat channel for Conficker, why don’t they just send a command along that channel to have all of the bots uninstall and erase Conficker from themselves?
Comment by Jimny Cricket — 4/12/2009 @ 8:02 pm
The problem is “cracking the p2p network” could mean a lot of things.
Yason might have complete mastery of the protocol, or might have just identified enough to build a basic IDS signature for one of the packets.
Without peer review, nobody knows.
Comment by HillDozer — 4/14/2009 @ 9:15 am
Today’s presentation “A Look at Conficker and Other Recent Internet Malware” was a nice complementary review to Yason’s research. Most fascinating was Conficker’s design to use bleeding edge encryption to ensure accurate replication in other machines. Colleague Phil Porras from SRI’s Computer Science Laboratory was commended for providing a comprehensive brief to the audience.
Comment by RSA attendee — 4/24/2009 @ 8:07 pm
As a security analyst at Sophos, I can understand IBM’s position on this issue. Conficker’s authors have reacted faster and more aggressively to defend their command and control than any other recent malware writers. The anti-virus, anti-spam, and other security related industries have established methods for communicating sensitive information and samples in place, and although I have no specific insight to this particular topic, I hope and expect IBM to “do the right thing”.
Chet
Comment by Chester Wisniewski — 4/26/2009 @ 5:49 pm