
Infamous botnet evolves

Controllers of the infamous Conficker worm recently released another update, and with it a change of direction in how the worm is updated: it no longer has to poll a list of rendezvous web domains, because it can now receive updates directly from other infected computers.

Additions to SRI International's lengthy, in-depth analysis of the worm indicate that a new variant was spotted on February 16, which the institute's Malware Threat Center dubbed "Conficker B++" pending a fuller review of its capabilities.

Previously, computers infected with Conficker A and B (also known as Downadup or Kido) checked for updates by contacting a list of 250 internet domains generated fresh each day from the current date. Because the generation is deterministic, every infected machine computes the same list with no coordination traffic at all. Efforts from the Microsoft-led Conficker Cabal appear to have foiled this technique: the domain-generation algorithm was reverse-engineered, allowing Microsoft and the Cabal to register, in advance, every domain the group expects the botnet to contact.
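The mechanism and the countermeasure in the paragraph above, as an added example that is not part of the original article and is not Conficker's actual algorithm: a toy date-seeded domain generator, the defender's pre-computation of the list once the generator is known, and a check that flags a DNS query against it. The seed string, SHA-256 hash chain, 8-11 letter labels and the TLD list are assumptions made for the example; the 250-per-day count is the article's.

```python
"""Illustrative date-seeded domain generation algorithm (DGA) and the defender's
pre-registration response. Not Conficker's real algorithm: the seed, hash, label
lengths and TLD list are assumptions made for this example."""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD list for the example
DOMAINS_PER_DAY = 250                         # per-day count reported for Conficker A/B


def _as_date(day):
    """Accept a datetime.date or an ISO string such as '2009-02-16'."""
    return day if isinstance(day, datetime.date) else datetime.date.fromisoformat(day)


def daily_domains(day, count=DOMAINS_PER_DAY):
    """Rendezvous list for one calendar day. The only input is the date, so every
    bot computes the identical list offline with no coordination traffic."""
    state = hashlib.sha256(b"example-dga-v1:" + _as_date(day).isoformat().encode()).digest()
    domains = []
    while len(domains) < count:
        state = hashlib.sha256(state).digest()        # hash chain drives the names
        length = 8 + state[0] % 4                     # 8..11 letters (assumed)
        label = "".join(chr(97 + b % 26) for b in state[1:1 + length])
        domains.append(f"{label}.{TLDS[state[-1] % len(TLDS)]}")
    return domains


def precompute_sinkhole_list(start, days):
    """Defender side: once the algorithm is reverse-engineered, the same code yields
    every domain the botnet will try over the coming `days`, early enough to
    register or sinkhole them first. Maps domain -> first day it is used."""
    start = _as_date(start)
    table = {}
    for offset in range(days):
        day = start + datetime.timedelta(days=offset)
        for domain in daily_domains(day):
            table.setdefault(domain, day)
    return table


def classify_dns_query(qname, sinkhole):
    """Detection side: a resolver log entry for a precomputed domain is a strong
    indicator of an infected host on the network."""
    return "conficker-rendezvous" if qname.lower().rstrip(".") in sinkhole else "unknown"


if __name__ == "__main__":
    table = precompute_sinkhole_list("2009-02-16", 30)
    print(len(table), "domains to register or sinkhole for the next 30 days")
    print("first three for 2009-02-16:", daily_domains("2009-02-16")[:3])
    print(classify_dns_query(daily_domains("2009-02-20")[0], table))
```

The point of the example is the asymmetry the article describes: the bots gain synchronization for free because the list depends only on the date, but that same property hands defenders the whole future schedule once the algorithm is recovered, at the price of registering 250 domains per day across every TLD the generator can emit.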

In response, Conficker B++ drops the dependence on the rendezvous domains altogether, moving instead towards a structure that resembles a peer-to-peer file-sharing network. A URL pointing to updated Conficker code, or a patched version of the Conficker binary, can be pushed directly to an infected machine through a pair of new backdoors that B++ opens.

SRI notes that while older versions of Conficker could also accept updates this way, their implementation was conspicuous enough that anti-malware software could recognize the process trivially.

Conficker's controllers, in an effort to prevent competing hackers from delivering patches of their own, digitally sign every update. An infected machine verifies the signature against a public key embedded in the worm before running new code, so anyone who does not hold the controllers' private key cannot push a payload of their own, no matter which backdoor they reach it through.
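The trust model in the paragraph above, as an added example that is not part of the original article and not Conficker's code: the controller signs an update payload, each bot carries only the controller's public key, and updates signed by a rival crew, replayed onto a different payload, or tampered with are rejected. The block builds textbook RSA from the standard library so it runs offline; key sizes, the hash-then-sign construction and the payload strings are assumptions for the example, and a real implementation would use a padded signature scheme such as RSASSA-PSS.

```python
"""Toy model of signed update delivery: the controller holds the private key,
each infected node carries only the public key, and a rival's payload is rejected.
Textbook RSA from the standard library, for illustration only (no padding scheme)."""
import hashlib
import math
import random


def _is_probable_prime(n, rounds=32):
    """Trial division followed by Miller-Rabin."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1   # force top bit and oddness
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=512):
    """Returns ((n, e), (n, d)). 512 bits keeps the demo fast; real keys are far larger.
    The modulus must exceed the 256-bit digest we sign, hence the lower bound."""
    if bits < 320:
        raise ValueError("modulus too small for a SHA-256 digest")
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(payload):
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign(priv, payload):
    n, d = priv
    return pow(_digest(payload), d, n)           # hash-then-sign, textbook RSA


def verify(pub, payload, sig):
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest(payload)


class InfectedNode:
    """Models a bot that ships with the controller's public key baked in and no private key."""

    def __init__(self, controller_pub):
        self.controller_pub = controller_pub
        self.installed = None

    def receive_update(self, payload, sig):
        """Push path from a peer or backdoor: accept only if the controller's signature checks out."""
        if not verify(self.controller_pub, payload, sig):
            return False
        self.installed = payload
        return True


def demo():
    random.seed(2009)                 # reproducible toy keys; never seed a real key generator this way
    ctrl_pub, ctrl_priv = generate_keypair()
    rival_pub, rival_priv = generate_keypair()   # a competing crew with its own key pair
    node = InfectedNode(ctrl_pub)
    genuine = b"URL:http://update.example.invalid/b++.bin"       # constructed payload
    hijack = b"URL:http://rival.example.invalid/takeover.bin"    # constructed payload
    good_sig = sign(ctrl_priv, genuine)
    return {
        "genuine_accepted": node.receive_update(genuine, good_sig),
        "rival_key_rejected": node.receive_update(hijack, sign(rival_priv, hijack)),
        "replayed_sig_rejected": node.receive_update(hijack, good_sig),
        "tampered_rejected": node.receive_update(genuine + b"x", good_sig),
        "installed": node.installed,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The rival in `demo` has everything a peer could have, including the ability to reach the node's update path and a valid key pair of its own, and still cannot get code installed: the node checks against one hard-coded public key, so possession of the matching private key is the only credential that matters. The same property is what makes such a botnet hard to hijack for takedown purposes once the domains are gone.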

Compared to the upgrade from Conficker A to Conficker B, writes SRI, the changes that Conficker B++ introduces appear relatively "minor". In-house metrics indicate that Conficker B++ has an "86.4% similarity" to Conficker B, with the update modifying only three of the original version's 297 subroutines and adding 39 new ones.

Conficker has become such a problem for businesses that Microsoft recently placed a $250,000 bounty on its creators, offering a share of the reward to anyone who can help track them down. In January, the worm spread so fast it infected 8 million business computers within a week.



Comments

Digitally signing viruses
By joey2264 on 2/23/2009 7:31:24 PM , Rating: 2
Never thought I would see the day that a virus uses signing technology to protect the "integrity" of its "software". It seems like the malware authors will always be a step ahead of white hats.




RE: Digitally signing viruses
By InternetGeek on 2/23/2009 10:44:42 PM , Rating: 2
From the outside it's easy to say that it's because Windows' security model is not quite that strong. However, even though I'm a developer, security of this kind is beyond my knowledge. Most of us secure our programs with the usual stuff: Signing code, SSL certs, user authentication modules and follow best practices and common sense.

Not sure if there's much you could do under a different model though. But it sounds to me not much beyond mitigating the damage something like this virus could do. i.e., from what I remember in my Unix/Linux lessons in Uni a worm is the worst you could get under those OSs. And that could still be quite dangerous.


RE: Digitally signing viruses
By nixoofta on 2/24/2009 1:31:59 AM , Rating: 2
Does anyone know if they've come out with the "Conficker Genuine Authenticator" yet,...and can auto updates be turned off? I'd much rather get my updates manually. :P



Copyright 2014 DailyTech LLC.