SCF Advanced Search

  • Total Posts: 40150
  • Total Topics: 14260
  • Online Today: 697
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)

Author Topic: Is Conficker worm waiting to strike again? (Kido, Downadup, Conficker Cabal)  (Read 2278 times)

0 Members and 1 Guest are viewing this topic.


  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • - Samker's Computer Forum

Team of experts has beaten it down but not defeated it.

It is still out there.

Like a ghost ship, a rogue software program that glided onto the Internet in November has confounded the efforts of top security experts to eradicate it and trace its origins and purpose, exposing serious weaknesses in the world's digital infrastructure.

The program, known as Conficker, uses flaws in Microsoft Corp.'s Windows software to co-opt machines and link them into a virtual computer that can be commanded remotely by its authors. With more than 5 million of these zombies now under its control — government, business and home computers in more than 200 countries — this shadow machine may boast power that dwarfs that of the world's largest data centers.

Alarmed by the program's rapid spread after its debut in November, computer security experts from industry, academia and government joined forces in an unusual collaboration, decoding the program and developing anti-virus software that erased it from millions of computers. But Conficker's persistence and sophistication has squelched the belief of many experts that such global computer infections are a thing of the past.

Conficker is "using the best current practices and state of the art to communicate and to protect itself," said Rodney Joffe, director of the Conficker Working Group. "We have not found the trick to take control back from the malware in any way."

Everywhere and nowhere

Researchers speculate that the Conficker network could be employed to generate vast amounts of spam, steal information such as passwords and logins by capturing keystrokes on infected computers, or deliver fake anti-virus warnings to trick users into thinking their computers are infected — and paying by credit card to have the infection removed.

There is also a different possibility that concerns the researchers: that the program was not designed by a criminal gang — but rather by an intelligence agency or the military of some country to monitor or disable an enemy's computers.

Networks of infected computers, or botnets, were widely used as weapons in conflicts in Estonia in 2007 and in Georgia last year, and in more recent attacks against South Korean and U.S. government agencies. Recent attacks that temporarily crippled Twitter and Facebook are thought to have had political overtones.

Yet for the most part, Conficker has done little more than to extend its reach to more and more computers. Although there had been speculation that the computer might be activated to do something malicious on April 1, the date passed without incident, and some security experts wonder whether the program has been abandoned.

The experts have only tiny clues about the location of the program's authors. The first version included software that stopped the program if it infected a machine with a Ukrainian language keyboard. There may have been two initial infections — in Buenos Aires, Argentina, and in Kiev, Ukraine.

Wherever the authors are, experts say, they are clearly professionals using the most advanced technology available. The program is protected by internal defense mechanisms that make it hard to erase, and even kills or hides from programs designed to look for botnets.

A member of the security team said that the FBI had suspects but was moving slowly because it needed to build a relationship with "noncorrupt" law enforcement agencies in the countries where the suspects are located.

An FBI spokesman in Washington declined to comment, saying that the Conficker investigation was an ongoing case.

A sleeping giant?

The first infections, on Nov. 20, set off an intense battle between the hidden authors and the volunteer group that formed to counter them. The group, which first called itself the "Conficker Cabal," changed its name when Microsoft, Symantec and several other companies objected to the unprofessional connotation.

Eventually, university researchers and law enforcement officials joined forces with computer experts at more than two dozen Internet, software and computer security firms.

The group won some battles but lost others. The Conficker authors kept distributing new, more intricate versions of the program, at one point using code that had been devised in academia only months before.

At another point, a single technical slip-up by the working group allowed the program's authors to convert a huge number of the infected machines to an advanced peer-to-peer communications scheme that the industry group has not been able to defeat. Where before all the infected computers would have to phone home to a single source for instructions, the authors could now use any infected computer to instruct all the others.

In April, Patrick Peterson, a research fellow at Cisco Systems in San Jose, Calif., gained some intelligence about the authors' interests. He studies nasty computer programs by keeping a set of quarantined computers that capture them — his "digital zoo."

He discovered that the Conficker authors had begun distributing software that tricks Internet users into buying fake anti-virus software with their credit cards.

"We turned off the lights in the zoo one day and came back the next day," Peterson said, noting that in the "cage" reserved for Conficker, the infection had been joined by a program distributing an anti-virus software scam.

It was the most recent sign of life from the program, and its silence has set off a debate among computer security experts.

Some researchers say Conficker might only be an empty shell or that its authors were scared away in the spring. Others suspect that they are simply biding their time.

If the Conficker computer were to be activated, it would not have the problem-solving ability of supercomputers used to design nuclear weapons or simulate climate change. But because it has commandeered so many machines, it could draw on computing resources greater than that of any single computing facility run by governments or companies.

The industry group continues to try to find ways to kill Conficker, meeting as recently as last week. Joffe said he, for one, was not prepared to declare victory. But he said that the group's work proved that government and private industry could cooperate to counter cyberthreats.

"Even if we lose against Conficker," he said, "there are things we've learned that will benefit us in the future."


Samker's Computer Forum -


With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters)

Enter your email address to receive daily email with ' - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising