Klaatu, barada, nikto, Conficker!

More than a week after the 1st of April, the day when, according to the press, the Internet was supposed to stand still because the Conficker/Downup/Downadup/Kido worm could have destroyed the net, the infrastructures, civilized mankind and the entire planet, things are going on more or less as usual: the Internet remains a dangerous place, but it hasn't exploded like a supernova, and bits keep flowing quickly from one part of the planet to another. The real novelty is that the botnet built by one of the most complex pieces of malware ever seen is finally showing what its true purpose is.

At least until last night, Conficker's malicious network had remained silent, almost mocking those who had predicted the nth unprecedented digital apocalypse that, as usual, didn't happen: the speculation about an unthinkable disaster spread by the New York Times and the presumed "Dark Google", a powerful search tool for sensitive data on the infected systems, have not held up against reality, evaporating as hype generally does a minute after the fictitious deadline.

The Internet hasn't exploded, but the mass hysteria spread by baseless reports has caused a true information epidemic among security companies too, which in theory should provide software useful to protect computing devices and which instead lent themselves to the wretched game of hunting the bad worm, further spreading the pointless chatter. The whirlpool of information overload captured almost everyone, Symantec, F-Secure, Trend Micro and obviously Microsoft, each busy repeating once again what Conficker was, what would have happened on April 1st, how to detect and remove the worm and so on.

While the information deluge proceeded, the worm kept infecting sensitive networks undisturbed, such as the one of the UK Parliament, which after the French navy network should be one of the highest-profile incidents caused by the malware. The press, however, barely noticed it, busy as it was handing out advice, spreading alarms and reducing the complex galaxy of evils affecting the worldwide network to a single agent. Conficker made such a clamour that someone thought to profit from its popularity to push, through the search engines, the distribution of rogue software disguised as fake antivirus and security tools.

The ground was well prepared for the coming of the new digital Antichrist, and when midnight struck on April 1st hearts stopped and routers winced: Conficker had begun to activate its nasty routines to spread the sores of a computer apocalypse across the interconnected world. As usually happens on these occasions, however, the awaited apocalypse didn't show up, and the only excitement came from the laughter of those who read the April Fools' Day post written by Brian Krebs on the Washington Post.

On April 1st something actually did happen, because, as expected, the last variant of the worm known until then, Conficker.C/W32.Downadup.C, initialized for the first time its new payload for remote communication with the authors, drawing a subset of 500 domain names from the list of 50,000 addresses generated daily and trying to contact them to check whether an upgrade to the malicious code was available.
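One way a network defender can spot this kind of rendezvous traffic, as an added example that is not part of the original article nor of any vendor's tooling: a host that resolves hundreds of distinct names in a day, most of which do not exist, stands out sharply against ordinary clients. The log format, the client addresses, the pseudo-random names and the thresholds below are all constructed assumptions; the name generator is a stand-in for illustration, not the worm's own algorithm.

```python
"""Heuristic detection of domain-generation beaconing in DNS query logs.

Added example, not code from the article. A client that resolves many distinct
names in a short window, most answered NXDOMAIN, behaves very differently from
an ordinary workstation. Log format, addresses, names and thresholds are all
constructed assumptions for illustration.
"""
import random
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <client_ip> <query_name> <rcode>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def parse_line(line):
    """Return (timestamp, client, qname, rcode) or None for unparseable lines."""
    match = LINE_RE.match(line.strip())
    return match.groups() if match else None


def _constructed_random_names(count, seed=1):
    """Deterministic pseudo-random names standing in for algorithmically
    generated domains. This is a stand-in, NOT the worm's generator."""
    rng = random.Random(seed)
    tlds = ["com", "net", "org", "info", "biz"]
    names = []
    for _ in range(count):
        length = rng.randint(6, 11)
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(length))
        names.append(f"{label}.{rng.choice(tlds)}")
    return names


def build_sample_log():
    """Constructed sample: one ordinary client (10.0.0.5) and one beaconing client (10.0.0.9)."""
    lines = []
    for qname in ["www.example.com", "mail.example.com", "www.example.com", "cdn.example.net"]:
        lines.append(f"2009-04-01T00:01:00 10.0.0.5 {qname} NOERROR")
    lines.append("2009-04-01T00:02:00 10.0.0.5 typo.exmaple.com NXDOMAIN")
    for i, qname in enumerate(_constructed_random_names(40)):
        # A few of the generated names happen to resolve; most do not.
        rcode = "NOERROR" if i % 10 == 0 else "NXDOMAIN"
        lines.append(f"2009-04-01T00:03:{i:02d} 10.0.0.9 {qname} {rcode}")
    return lines


def summarize(lines):
    """Per-client counters: distinct names, total queries, NXDOMAIN answers."""
    stats = defaultdict(lambda: {"distinct": set(), "total": 0, "nxdomain": 0})
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of failing the whole run
        _, client, qname, rcode = parsed
        entry = stats[client]
        entry["distinct"].add(qname.lower().rstrip("."))
        entry["total"] += 1
        if rcode == "NXDOMAIN":
            entry["nxdomain"] += 1
    return stats


def flag_suspects(lines, min_distinct=20, min_nx_ratio=0.5):
    """Clients whose distinct-name count and NXDOMAIN ratio both reach the
    (assumed) thresholds, worst offenders first."""
    suspects = []
    for client, entry in summarize(lines).items():
        distinct = len(entry["distinct"])
        nx_ratio = entry["nxdomain"] / entry["total"] if entry["total"] else 0.0
        if distinct >= min_distinct and nx_ratio >= min_nx_ratio:
            suspects.append({"client": client, "distinct": distinct,
                             "nx_ratio": round(nx_ratio, 2)})
    suspects.sort(key=lambda s: (s["distinct"], s["nx_ratio"]), reverse=True)
    return suspects


if __name__ == "__main__":
    for suspect in flag_suspects(build_sample_log()):
        print(f"{suspect['client']}: {suspect['distinct']} distinct names, "
              f"NXDOMAIN ratio {suspect['nx_ratio']}")
```

The two thresholds are combined on purpose: the NXDOMAIN ratio alone would also flag a user who mistypes a few hostnames, while the distinct-name count alone would flag busy proxies and mail servers. Both have to be tuned per network, and a flagged client is a lead for the incident responder, not a verdict.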

Beyond the pathetic effects of mass hysteria, the traits of Conficker/Downadup.C clearly highlight the evolution of the infection over time. Symantec made a summary table in which Conficker turns from a network worm with very aggressive distribution routines into a backdoor/botnet that later removed such routines entirely, meanwhile refining the upgrade mechanism through domain names and the decentralized P2P protocol already present in the previous version.

Conficker - evolution

With Conficker.C the plague-spreaders have strengthened the malicious network, providing it with protections against security software and interfering with the prevention work done by the companies involved in the "Conficker Cabal". The P2P communication system had moreover started working well before April 1st, but the lack of remarkable events due to this fact hasn't been enough to lessen the unmotivated alarms; if anything, they have somehow increased.

With the hysteria of the last few days gone, what remains is the fight against the real threat posed by Conficker and its creators: according to the information provided by Symantec, behind the hottest worm of the moment there would be the dealers of the aforementioned rogue software, tools like the infamous XP AntiVirus that the first Conficker variant had already tried, without luck, to install on the infected machines. Thanks to the work of researchers like Dan Kaminsky, the very same person involved in the discovery and cure of the DNS system bug, it has been found that the malware leaves an easily detectable fingerprint on any infected system.

The payload activation on April 1st has furthermore allowed an exact measurement of the number of bots actually involved in the network, which drops from the previously estimated tens of millions to the 3.5 million of these days. The initial figures included all the IP addresses on which the worm was found active, while the latest ones would represent how much of the botnet has remained up after disinfections and other events the cyber-criminal gang could not foresee.

Researchers are now able to draw detailed maps of the areas of the world most affected by the infection, and even to provide immediately effective web-based diagnosis methods. The excess of alarmism of these weeks, however, hasn't gone away without consequences: Trend Micro reports that a new worm, called Neeris, multiplied the number of infected PCs at the same time the Conficker.C payload activated, even exploiting the same propagation method based on the infamous MS08-067 flaw, still open six months after the release of the fix.

Conficker - European infections map

While the entire world kept its eyes wide open on Conficker, a new piece of malware was able to make its own way online by slipping through the same door abused by the first. Whether this is an infection capable of leaving the same mark as Conficker is still too early to say; what is sure is that the grotesque simplifications of these days, on a subject as sensitive as computer security, do not help to face and solve increasingly complex problems.

The latest development in the Conficker story has been reported in these hours, when the botnet delivered the much-feared upgrade through the decentralized P2P network built with the previous version. The new Conficker variant, classified by Kaspersky as Net-Worm.Win32.Kido.js, shows substantial differences compared with Conficker.C, and the analyses highlight a kind of regression of the malware which, from a bot with no infectious capabilities, once again turns into a worm able to spread through the MS08-067 flaw.

Another noteworthy difference is the implementation of a timer set to fire on the coming 3rd of May, the day when the worm will stop its propagation routine. But the most important novelty is that this time Conficker is doing much more than updating itself and starting to infect systems again: it downloads two executable files which, on closer inspection, turn out to be a piece of rogue software, Spyware Protect 2009, and a new worm known as Waledac or Iksmas.

“When it first appeared in January 2009 – Kaspersky analyst Aleks writes – a lot of IT experts noted the similarity between Kido and Iksmas. The Kido epidemic was mirrored by an email epidemic caused by Iksmas which was on just as large a scale. But up until now, there wasn’t any firm evidence of a link between the two worms”.

Spyware Protect 2009

That evidence appeared last night, Aleks says, and now the two worms are part of the same “gigantic botnet” designed to conduct e-mail spam campaigns. At this point Conficker could even attack the organizations working hard to fight the threat, such as the Conficker Working Group. In the past hours the CWG website has been temporarily down, but according to the SANS Institute's Internet Storm Center the cause isn't a worm attack but a network infrastructure problem.
