Conficker: open war between the industry and malware writers
Conficker (also known as Downup, Downadup or Kido) is the first worm since the Sasser outbreak of 2004 to spread by exploiting a flaw in a remotely reachable Windows service, and that unusual ability has in turn made the malware the target of a large part of the IT industry which, led by Microsoft, is now trying to defuse the time bomb of an enormous botnet whose practical purpose is still unknown.
The war against Conficker is being fought on several fronts. One of the first defensive lines was built by Kaspersky and OpenDNS, who joined forces to choke off the worm's channel back to its authors. As previously explained, Conficker generates a fresh set of 250 pseudo-random domain names every day and polls them, waiting for the malware writers to register one and use it as a host from which to deliver a newer version of the worm, an additional component of the infection, or any other binary. The asymmetry is what makes the channel hard to defend: the attackers only need one of the 250 names to resolve, while a defender has to block all of them, every day.
Kaspersky, like other security firms, reverse-engineered the domain-generation algorithm and can therefore compute in advance the names the Conficker authors might register. OpenDNS used that knowledge to build its Botnet Protection service, which refuses to resolve those domains and alerts network administrators when a host on their LAN asks for them. The OpenDNS shield therefore works proactively, but only to stop the infection from getting worse or the botnet from being put to use: cutting the update channel does nothing against hosts already compromised, and it does not stop the worm from spreading laterally through the Server service flaw and the other vectors it already carries.
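The following is an added illustration of the "reverse the generator, block the list" approach described above; it is not Conficker's algorithm nor code from Kaspersky or OpenDNS. The generator is a hypothetical stand-in (SHA-256 driven, seeded with the date and an assumed constant) that only reproduces the shape the article gives, 250 names per day, and the filter is a toy resolver front-end that sinkholes those names and flags clients that keep asking for them. The query log at the bottom is constructed.

```python
"""Reversed-DGA blocklist: an added example, not the worm's real generator."""
import hashlib
from collections import Counter
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # hypothetical TLD set
DOMAINS_PER_DAY = 250                          # the daily count the article gives
SEED = b"hypothetical-seed"                    # assumed constant; any reverser would recover it


def generate_domains(day_iso: str) -> list:
    """Candidate domains for one day (ISO date string, e.g. '2009-02-13').

    Deterministic by design: the worm and a defender who has reversed the
    algorithm compute the identical list, which is what makes pre-blocking work.
    """
    day_key = hashlib.sha256(SEED + day_iso.encode()).digest()
    domains = []
    for i in range(DOMAINS_PER_DAY):
        h = hashlib.sha256(day_key + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 8                                  # 8..15 char label
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return domains


class DGAFilter:
    """Resolver-side shield in the style the article attributes to OpenDNS:
    precompute the generator's output for a window of days, sinkhole queries
    that match, and raise an alert when one client keeps asking for them."""

    def __init__(self, today_iso: str, window_days: int = 3, alert_threshold: int = 5):
        today = date.fromisoformat(today_iso)
        self.blocked = set()
        # Cover yesterday, today and tomorrow: clock skew and time zones would
        # otherwise open a gap around midnight that a single-day list misses.
        for offset in range(-1, window_days - 1):
            self.blocked.update(generate_domains((today + timedelta(days=offset)).isoformat()))
        self.hits = Counter()
        self.alert_threshold = alert_threshold

    def resolve(self, client_ip: str, qname: str) -> str:
        """Return 'sinkhole' for a generated domain (counting the client), else 'pass'."""
        name = qname.rstrip(".").lower()          # normalise trailing dot and case
        if name in self.blocked:
            self.hits[client_ip] += 1
            return "sinkhole"
        return "pass"

    def infected_clients(self) -> list:
        """Clients whose sinkholed-query count reached the alert threshold."""
        return sorted(ip for ip, n in self.hits.items() if n >= self.alert_threshold)


def demo() -> list:
    """Constructed query log: one host walking the day's list, one clean host."""
    shield = DGAFilter("2009-02-13")
    for qname in generate_domains("2009-02-13")[:6]:
        shield.resolve("10.0.0.7", qname)
    shield.resolve("10.0.0.9", "example.com")
    return shield.infected_clients()             # ['10.0.0.7']


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is the window: a real deployment would precompute several days ahead and also log, not just drop, the sinkholed queries, since the list of querying hosts is the admin's inventory of infected machines.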
Microsoft, by contrast, has chosen to engage the threat more directly: it has not only joined forces with other IT giants and security companies but has put up its own money to breathe down the cyber-criminals' necks. Thanks to Microsoft there is now a $250,000 reward on their heads, a sum Redmond will pay to anyone, in any country and subject to local law, who provides information leading to the arrest and conviction of those responsible for creating and spreading the worm.
Microsoft is evidently aware that it bears no small share of responsibility for the outbreak, given that the Windows Server service flaw (the vulnerability fixed by security bulletin MS08-067) was the opening through which the malware first got in and infected millions of PCs. Besides Microsoft, the anti-Conficker team includes ICANN (Internet Corporation for Assigned Names and Numbers), AOL, VeriSign, Arbor Networks, F-Secure, Public Interest Registry and others: in short, a coalition with enormous potential, and a good measure of how seriously the danger posed by the worm is taken.
The coalition also includes Symantec, which has been writing extensively about Conficker/Downadup, with in-depth articles on the worm's more interesting features (including its spread through network shares and the cryptographic protection of the files exchanged on the botnet), and which stresses that the international team's main task will be to cut off the same domain-name-based update mechanism already targeted by Kaspersky and OpenDNS.
Symantec states: "The millions of systems infected by W32.Downadup pose a risk to Internet users as well as to the infrastructure of the Internet. Under the control of attackers, the millions of infected systems could be used to launch distributed denial-of-service (DDoS) attacks against specific users or organizations, crippling their ability to function on the Internet. Additionally, the infected systems could be used to deploy further threats, such as seeding a new worm that targets a more recent or undisclosed vulnerability."
Symantec has also questioned recent reports of what was described as a new variant of the worm, in circulation for an unknown length of time and carrying payloads beyond those already known. According to Symantec, this new variant, "discovered" by SRI International and dubbed Conficker B++ or Conficker.C, is nothing more than a sample of the two already known versions of the malware (Downadup.A and Downadup.B in the firm's nomenclature) in which SRI found the P2P-based distribution mechanism, a system far harder to take down than the domain-name-based one the industry is targeting, since there is no single list of names to block.
Whatever the truth, Conficker remains something of a mystery because of its apparent inactivity: a botnet that, by the latest estimates, numbers more than 10 million PCs yet whose purpose is still unknown. The worm sits at the heart of a malicious network that could be used for massive DDoS attacks, as Symantec suggests, to further multiply the already frightening volume of e-mail spam, or as the forerunner of an even more sophisticated and dangerous infection; for now, though, it stays silent and idle.
Quiet as it is, Conficker's botnet has already damaged critical infrastructure, as in the case of the French Navy, which suddenly found its fighter jets unable to take off because they could not "download their flight plans" after some systems at the Villacoublay air base became infected.