
Infamous botnet evolves

Controllers of the infamous Conficker worm recently released another update, shifting its update strategy in a completely different direction. It no longer needs to check a web page to receive updates, as it can now receive them directly from other infected computers.

Additions to a lengthy, in-depth analysis of the worm by research institute SRI’s Malware Threat Center indicate that a new variant of Conficker was spotted on February 16, which it dubbed “Conficker B++” pending a further review of its capabilities.

Previously, computers infected with Conficker A and B – also known under the names Downadup or Kido – frequently checked for updates from a randomly generated list of 250 internet domains, a list that is synchronized and updated regularly across the entire Conficker botnet. Efforts by the Microsoft-led Conficker Cabal appear to have foiled this technique: the randomization algorithm was successfully reverse-engineered, prompting Microsoft and the Cabal to secure every domain the group expects the botnet to hit.
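The defensive point in the paragraph above is that a deterministic, date-seeded domain list is a two-edged sword: once the generator is recovered, defenders can compute the same list ahead of time and register, sinkhole or block it. The following added example (not code from the article or from SRI) uses a constructed stand-in generator, not Conficker's real algorithm, to show that workflow: precompute a week of rendezvous domains, then match them against constructed DNS query log lines.

```python
import hashlib
from datetime import date, timedelta

# Constructed stand-in for a date-seeded domain generator. It is NOT
# Conficker's real algorithm; it only reproduces the property that matters:
# every host that knows today's date derives the same candidate list.
TLDS = ("com", "net", "org", "info", "biz")

def rendezvous_domains(day, count=250):
    seed = day.isoformat().encode()
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + i.to_bytes(2, "big")).digest()
        length = 8 + h[8] % 5                      # 8..12 letters
        label = "".join(chr(97 + b % 26) for b in h[:length])
        domains.append(f"{label}.{TLDS[h[9] % len(TLDS)]}")
    return domains

def precompute_blocklist(start, days=7):
    """Defender side: with the generator recovered, compute every domain the
    botnet will try over the next `days` days so they can be registered,
    sinkholed or blocked before the bots ask for them."""
    blocklist = set()
    for offset in range(days):
        blocklist.update(rendezvous_domains(start + timedelta(days=offset)))
    return blocklist

def flag_queries(log_lines, blocklist):
    """Return (client, domain) for each DNS query line that hits the list.
    Line format is constructed: '<timestamp> <client-ip> query: <name>'."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query:":
            continue
        name = parts[3].rstrip(".").lower()
        if name in blocklist:
            hits.append((parts[1], name))
    return hits

DAY = date(2009, 2, 16)
BLOCKLIST = precompute_blocklist(DAY)
# Constructed DNS log: two hosts asking for generated names, one clean lookup.
SAMPLE_LOG = [
    f"2009-02-16T10:01:02 10.0.0.5 query: {rendezvous_domains(DAY)[0]}",
    "2009-02-16T10:01:05 10.0.0.7 query: www.microsoft.com",
    f"2009-02-17T03:14:00 10.0.0.9 query: {rendezvous_domains(DAY + timedelta(days=1))[42]}.",
]

if __name__ == "__main__":
    for client, name in flag_queries(SAMPLE_LOG, BLOCKLIST):
        print(f"{client} asked for generated domain {name}")
```

Because the list depends only on the date, the same precomputation that a botnet relies on for rendezvous is exactly what lets defenders pre-register the domains, which is the approach the Cabal took.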

In response, Conficker B++ completely removes the need to check for updates, moving instead towards a structure that resembles a peer-to-peer filesharing network. A URL pointing to updated Conficker code – or a patched version of the Conficker binary – can be sent directly to infected machines through a pair of new backdoors that B++ opens.

SRI notes that while older versions of Conficker could also accept updates in this fashion, the feature was implemented in a way that made the process trivial for anti-malware software to recognize.

Conficker’s controllers, in an effort to prevent competing hackers from delivering patches of their own, digitally sign the entire update process.

Compared to the upgrade from Conficker A to Conficker B, writes SRI, the changes that Conficker B++ introduces appear relatively “minor”. In-house metrics indicate that Conficker B++ has an “86.4% similarity” to Conficker B, with the update modifying only three of the original version’s 297 subroutines and adding a further 39.

Conficker has become such a problem for businesses that Microsoft recently placed a $250,000 bounty on its creators, offering a share of the reward to anyone who can help track them down. In January, the worm spread so fast it infected 8 million business computers within a week.



Comments

What a waste
By djc208 on 2/23/2009 7:00:38 PM , Rating: 4
I'm always amazed at the time and energy people will put into things that only hurt society. If they spent half that energy doing something constructive they'd not only help people but probably make a fortune as well. In the end it's just sad to see the opportunity lost.




RE: What a waste
By Ordr on 2/23/2009 7:15:39 PM , Rating: 2
Hopefully the creator(s) will be imprisoned for a very, very long time and forced to pay for all the damage caused.


RE: What a waste
By xsilver on 2/23/2009 7:58:44 PM , Rating: 4
um, the Nazis thought that the mass killings were doing the "right" thing too...

such is the nature of the human race.

oh and plus it's also easier to destroy than to create.


RE: What a waste
By omnicronx on 2/23/2009 8:40:56 PM , Rating: 5
quote:
oh and plus it's also easier to destroy than to create.
Except in this case he had to create to destroy.


RE: What a waste
By ViroMan on 2/23/2009 9:48:16 PM , Rating: 1
well yes, but creating a program to screw up other people's lives is like raising a son who goes off to kill the enemy commie bastards and returns a war hero. (or so I imagine from their perspective.)


RE: What a waste
By mmntech on 2/23/2009 8:45:40 PM , Rating: 2
quote:
oh and plus it's also easier to destroy than to create.


There lies the rub. Don't make the mistake that these people are geniuses because they're not. The only real work is creating the worm itself. Once the botnet is established, it does all the work of skimming off credit card numbers and sending spam. The developers just sit back and let the cash roll in. You don't have to buy anything, you don't have to hire staff, you don't need office space, you don't have to market or store products. It's the perfect business and easy money.


RE: What a waste
By GeorgeH on 2/23/2009 9:58:09 PM , Rating: 2
We don't live in a soporific world of sunshine, rainbows, and happy thoughts. As such, I'm glad there are people out there trying their hardest to screw with my PC - in fact, the more there are, the better. Why? Because their active presence forces more legitimate entities to produce better and more secure products.

If your immune system wasn't under constant attack by all sorts of devious little nasties, then the first time you encountered a cute, fuzzy little bug you'd end up fighting for your life instead of just shrugging it off.


RE: What a waste
By djc208 on 2/23/2009 10:41:38 PM , Rating: 2
True, but there are enough bad things out there to deal with without us adding to the load.

Besides, there are victims of both the devious little nasties and the people trying to screw with your PC. We as a people may be stronger for their loss, but someone still had to lose.


RE: What a waste
By Yojimbo on 2/24/2009 2:35:54 AM , Rating: 2
Oh, that sounds very simple-minded. Anyway, I'd be scared of a society where people put all their efforts into things that helped the society... simply because it obviously isn't natural. It's natural for ants, but not for humans. If it ever comes to that it's through either doping, genetic modification, oppression, or a mixture of the three. Besides, on a more practical and less philosophical note, I'll take inefficiencies in the system over complacency any day. Of course, if you try to spin that in the light of what is good or bad, or rather right or wrong, you're gonna run into difficulties. Bottom line is, you can go after people who wreak some havoc without asking "why do people do this?" as a precursor to saying "people shouldn't do this... we should stop people from doing this"... because the effects of the success of such wishes would be a lack of robustness and/or oppression. Think of it in terms of a dynamical system. These are the truly enlightened concepts that need to be addressed, and not the "oh, we don't need religion" that seems to be flying around.


Digitally signing viruses
By joey2264 on 2/23/2009 7:31:24 PM , Rating: 2
Never thought I would see the day that a virus uses signing technology to protect the "integrity" of its "software". It seems like the malware authors will always be a step ahead of white hats.




RE: Digitally signing viruses
By InternetGeek on 2/23/2009 10:44:42 PM , Rating: 2
From the outside it's easy to say that it's because Windows' security model is not quite that strong. However, even though I'm a developer, security of this kind is beyond my knowledge. Most of us secure our programs with the usual stuff: Signing code, SSL certs, user authentication modules and follow best practices and common sense.

Not sure if there's much you could do under a different model though. But it sounds to me not much beyond mitigating the damage something like this virus could do. I.e., from what I remember in my Unix/Linux lessons at uni, a worm is the worst you could get under those OSs. And that could still be quite dangerous.


RE: Digitally signing viruses
By nixoofta on 2/24/2009 1:31:59 AM , Rating: 2
Does anyone know if they've come out with the "Conficker Genuine Authenticator" yet... and can auto updates be turned off? I'd much rather get my updates manually. :P


Interesting
By mindless1 on 2/23/2009 7:18:13 PM , Rating: 2
That this is being so actively updated even after it became public and there was a bounty. Is it a game of keep-ahead by the author or is there another motive to maintain it? Hopefully only the former.




RE: Interesting
By Jacerie on 2/24/2009 8:32:45 AM , Rating: 2
Conficker became self-aware at 2:14am...


Why not sue / arrest their supporters?
By Belard on 2/24/2009 10:26:20 AM , Rating: 2
Many of the malware programs - which advertise or prompt you to pay for their "services", such as with their fake anti-virus software - have a business name and a credit card / bank account. Some of these pests are advertising a product/service to buy.

Sue those companies/people who have their payloads added to these worms/malware/whatever programs.

Some of these jerks are really stupid. Like how we all have pop-up stoppers built into our browsers now. But those tools had to be improved as these jerks would find ways around them. Gee... guess what, if I have a POP-UP stopper, what makes YOU think I'm going to buy something from you because you circumvent my program that is supposed to keep you out of my face?

So rather than trying to locate these ad groups, the govts and citizens should file suit against companies that support them.




By mindless1 on 2/24/2009 5:57:39 PM , Rating: 2
I'd imagine the money gets transferred around a lot, plus with the international borders and numbered accounts you might find the criminals aren't so easily brought to court nor funds seized.

