[AfrICANN-discuss] PC security forces face April 1 showdown with Conficker worm

Anne-Rachel Inné annerachel at gmail.com
Wed Mar 25 15:58:41 SAST 2009

PC security forces face April 1 showdown with Conficker worm
By Byron Acohido, USA TODAY
SEATTLE — In the brief, tumultuous history of cybercrime, there has never
been anything quite like the Conficker worm.

In the past few months, Conficker's creators have infected at least 3
million Windows PCs worldwide with malicious software, and perhaps as many
as 12 million. At this moment, the bad guys are locked in a high-stakes
showdown with a posse of security groups led by Microsoft.

Conficker's controllers have set a date for what amounts to a cyber-shootout
at the OK Corral. Next Wednesday — April Fools' Day — millions of infected
PCs, called bots, will begin reporting for further instructions, presumably
to begin spreading spam, stealing data or carrying out online scams. And
there appears to be little the good guys can do to cut off such

"We have not yet begun to feel the real impact of Conficker," says Paul
Henry, researcher at security firm Lumension. "We may soon be at the whim of
those in control of what has emerged as a formidable army of infected

*Vintage worm*

Conficker requires no action on the part of the PC user to spread. It's a
throwback to self-replicating worms that scanned the Internet for PCs
displaying known — and unpatched — Windows security holes.

Such worms largely disappeared after 2004, as Microsoft
its process for identifying new holes and quickly issuing patches.
But last September, Chinese hackers began selling a $37.80 program for
tapping into a newly discovered Windows hole on some 800 million machines
worldwide, according to SRI International, a non-profit research firm.

Microsoft took notice, and on Oct. 23, issued a rare emergency patch. Most
home PC users in North America got patched quickly, via Windows Auto Update.
But many corporate and government users were lackadaisical about patching.
In China and other nations where pirated copies of Windows are widely used,
patches simply weren't available. "Once the patch was out, no one paid
attention," says Don Jackson, senior researcher at SecureWorks. "They
underestimated the risk."

Precursors of Conficker began spreading on a limited basis, mostly in Asia.
In early January, a full-featured version began seeking out unpatched PCs
across the globe. The worm slithered onto any shared hard drives; it
searched out nearby servers and issued hundreds of combinations of user IDs
and passwords to break in; it copied itself onto any device plugged into a
USB port, such as thumb drives, music players or digital cameras. When that
infected device later got inserted into another workstation, that machine
became infected.

Conficker also took extraordinary measures to prevent each new bot from
being disinfected by Microsoft or antivirus programs, or usurped by a rival
botnet group. SRI found, for instance, that Conficker's encryption algorithm
came from MIT's Ron Rivest, copied from a recently published research paper.

On Feb. 12, Microsoft put up a $250,000 bounty for information leading to
the capture of Conficker's creators. The software giant also formed an
alliance of security groups, dubbed the Conficker Cabal, to battle the worm.

The Cabal focused on disrupting what was perhaps Conficker's most unnerving
feature. Eight times a day, each bot tried to connect with a list of 250
randomly generated Web addresses — each a potential rendezvous point to
receive further instructions. Each day, this list of 250 rendezvous points

To cut this off, the Cabal identified the Web addresses scheduled to turn up
on the daily lists, and began registering any that weren't already
registered by someone else. The goal: to "pre-empt registration of those
domains for potential criminal use," says Christopher Budd, of Microsoft's
security response team.

*Upgrade slips through*

Yet, on March 6 and on March 17, the bad guys somehow slipped a malicious
software upgrade to millions of infected PCs. The upgrade began organizing
the bots into a vast peer-to-peer, or P2P, network, says SRI program manager
Phillip Porras. P2P networks are powerful and flexible, because each PC can
function as a command server. They're commonly used to share videos and
music and play complex online games.

The upgrade also included instructions for each bot to begin a daily routine
on April 1 of checking in at 500 rendezvous points, randomly selected from a
pool of 50,000 domain names. This trick will make it more difficult for the
Cabal to preregister addresses, says Porras.

Joe Stewart, a senior researcher at SecureWorks, notes that the infected PCs
are already capable of receiving directives from the controllers via the P2P
network, "so the 50,000 domains aren't really needed. They could even be a
practical joke on the part of the authors."

Botnets have emerged as the cybercrime world's tool of choice to carry out
scams. Josu Franco, Panda Security's director of business development,
surmises that Conficker's controllers may be moving methodically to corner
the market on botnets for hire. "This is free inventory for them," says

The good guys' defense boils down to vigilance. While the Cabal may not be
able to stop the controllers from issuing directives, it remains poised to
disrupt any criminal activity attempted by Conficker bots.

"There may be a second phase of the threat at some point in time,"
acknowledges Microsoft's Budd. "However, we believe, given the tremendous
amount of attention this worm has received, industry and law enforcement
efforts will be a deterrent to a large second wave of attacks."

Find this article at:

2009/3/25 media tic <media.tic01 at gmail.com>

> Merci
> 2009/3/25 Anne-Rachel Inné <annerachel at gmail.com>:
> > For your information
> > ar
> >
> > _______________________________________________
> > AfrICANN mailing list
> > AfrICANN at afrinic.net
> > https://lists.afrinic.net/mailman/listinfo.cgi/africann
> >
> >
> _______________________________________________
> AfrICANN mailing list
> AfrICANN at afrinic.net
> https://lists.afrinic.net/mailman/listinfo.cgi/africann

Anne-Rachel Inne
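The rendezvous mechanism the article describes (each bot derives a daily list of candidate domains, and defenders who know the derivation can compute the same list ahead of time and register it) is a domain-generation algorithm. The following is an added toy illustration written for this page; it is not Conficker's algorithm, not code from the article, and not from any of the groups named in it. The seed format, SHA-256, the TLD list and the day counts are assumptions chosen to mirror the numbers the article reports (250 per day, later 500 drawn from a pool of 50,000):

```python
"""Toy date-seeded DGA and the defender's pre-computation of the same list.

Added example for illustration only.  Assumptions (not from the article):
the seed is the ISO date, the hash is SHA-256, labels are 8-12 lowercase
letters, and the TLD set below is fixed.  Conficker's real algorithm differs.
"""
import datetime
import hashlib

TLDS = ("com", "net", "org")  # assumption: small fixed TLD list


def _name(seed: bytes) -> str:
    """Map a seed deterministically to one domain name."""
    h = hashlib.sha256(seed).digest()
    length = 8 + h[0] % 5  # 8..12 letters
    label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
    return f"{label}.{TLDS[h[31] % len(TLDS)]}"


def fixed_pool(size: int) -> list:
    """A static pool of `size` names that every variant-B-style bot shares."""
    return [_name(b"pool:%d" % i) for i in range(size)]


def daily_domains(day: datetime.date, count: int, pool=None) -> list:
    """Domains a bot tries on `day`.

    Without `pool`: `count` fresh names derived from the date (the
    250-per-day scheme).  With `pool`: `count` distinct names selected by
    date from a fixed pool of `pool` names (the 500-of-50,000 scheme).
    Either way the output depends only on the date, so a defender who
    knows the algorithm can reproduce it in advance.
    """
    stamp = day.isoformat().encode()
    if pool is None:
        return [_name(stamp + b":%d" % i) for i in range(count)]
    names = fixed_pool(pool)
    chosen, seen, i = [], set(), 0
    while len(chosen) < count:
        digest = hashlib.sha256(stamp + b":%d" % i).digest()
        idx = int.from_bytes(digest[:4], "big") % pool
        i += 1
        if idx not in seen:  # skip repeats so the day's list has `count` distinct names
            seen.add(idx)
            chosen.append(names[idx])
    return chosen


def registration_plan(start: datetime.date, days: int, count: int, pool=None) -> set:
    """Every domain a defender must hold to cover `days` consecutive days."""
    plan = set()
    for offset in range(days):
        plan.update(daily_domains(start + datetime.timedelta(days=offset), count, pool))
    return plan


def uncovered(day: datetime.date, held: set, count: int, pool=None) -> list:
    """Domains on `day`'s list that the defender does NOT hold: any one of
    these left unregistered is a live rendezvous point for the controller."""
    return [d for d in daily_domains(day, count, pool) if d not in held]


if __name__ == "__main__":
    april1 = datetime.date(2009, 4, 1)
    week_a = registration_plan(april1, 7, 250)
    week_b = registration_plan(april1, 7, 500, pool=50_000)
    print("250/day, one week:", len(week_a), "domains to hold")
    print("500 of 50,000/day, one week:", len(week_b), "domains to hold")
    # Missing even a few registrations leaves rendezvous points open.
    partial = set(list(week_a)[:-3])
    print("left open on Apr 1 with 3 misses:", len(uncovered(april1, partial, 250)))
```

The point the article's sources make is visible in `registration_plan`: the defender's daily cost scales with `count` and the number of TLDs, and moving to a large pool spread across many registries raises the number of registrations needed to block a week, while `uncovered` shows that a single missed domain is enough for the controller to get a directive through.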
