Comments on: IBM ISS cracks open Conficker’s secret communications code

By: Chester Wisniewski

Chester Wisniewski — Sun, 26 Apr 2009 23:49:46 +0000

As a security analyst at Sophos, I can understand IBM’s position on this issue. Conficker’s authors have reacted faster and more aggressively to defend their command and control than any other recent malware writers. The anti-virus, anti-spam, and other security related industries have established methods for communicating sensitive information and samples in place, and although I have no specific insight to this particular topic, I hope and expect IBM to “do the right thing”.

Chet

By: RSA attendee

RSA attendee — Sat, 25 Apr 2009 02:07:54 +0000

Today’s presentation “A Look at Conficker and Other Recent Internet Malware” was a nice complimentary review to Yason’s research. Most fascinating was Conficker’s design to use bleeding edge encryption to ensure accurate replication in other machines. Colleague Phil Porras from SRI’s Computer Science Laboratory was commended for providing a comprehensive brief to audience.

By: HillDozer

HillDozer — Tue, 14 Apr 2009 15:15:20 +0000

The problem is “cracking the p2p network” could mean a lot of things.

Yason might have complete mastery of the protocol, or might have just identified enough to build a basic IDS signature for one of the packets.

Without peer review, nobody knows.

By: Jimny Cricket

Jimny Cricket — Mon, 13 Apr 2009 02:02:50 +0000

If IBM knows the secret chat channel for Conficker, why don’t they just send a command along that channel to have all of the bots uninstall and erase Conficker from themselves?

By: Mumbo

Mumbo — Tue, 07 Apr 2009 04:51:26 +0000

If you’ve every seen the exploits on the heels of a patch announcement, I think you’ll understand why *all* security researchers are cautious about full disclosure. I don’t expect that any other security company would react differently. I think Stewart’s statement made perfect sense:

“Big Blue decided, as one might expect, against full public disclosure. “We don’t want the wrong people to use it against our customers,” says Stewart. “If the Conficker writers know exactly what we’ve done to detect their communications, they’ll change it. Our customers are first and foremost in our mind.””

By: David Nagel

David Nagel — Mon, 06 Apr 2009 14:28:47 +0000

Nice work XFORCE! Giddyup!

By: C. Manson

C. Manson — Thu, 02 Apr 2009 19:10:41 +0000

Kudos to IBM! Unlike Marley, I think that most people understand propietary ownership of the research is essential to security as well as capiltalism. Why would IBM share what their researchers discovered? If they share that with us then they share that with everyone including the bad guys. Congrats to IBM on the break through. I look forward to “not” knowing how Yason did it.

By: Marley Wylie

Marley Wylie — Thu, 02 Apr 2009 15:57:51 +0000

Kudos to Yason and a rasberry to IBM. Witholding information in order to gain advantage over competitors may be sensible business but it leaves innocent users in the lurch. When there is a threat to all users it should be fought for the sake of all not for the profit of just one organization. The name “Quisling” comes to mind here.

By: Melih Abdulhayoglu

Melih Abdulhayoglu — Wed, 01 Apr 2009 20:04:13 +0000

Hats off to Mark Yason for cracking Conficker’s protocol–but what a shame that he needed to do so. We already have the tools to prevent worms like Conficker from infecting us.

Instead of detecting it after it installs, let’s starve the beast. Hackers and crackers can’t profit from malware if we don’t let them install.

Default-deny prevention keeps malware out. Default-allow prevention ensures that even as we kill the Conficker, another malware will rise up to take its place.