Conficker worm – The Return?
p2pnet news view | Security: The Conficker worm will be active again on April 1st, according to an analysis of its most recent variant, Conficker.C, by the net security firm CA.
This malicious piece of software, also known as Downup, Downadup and Kido, spreads among computers running most variants of the Windows operating system and turns them into nodes on a multi-million member ‘botnet’ of zombie computers that can be controlled remotely by the worm’s as yet unidentified authors.
Since it first appeared last October it has apparently infected over fifteen million computers around the internet, though even that number is no more than an educated guess because the worm works very hard to disguise its presence on a PC.
Conficker spreads through a security vulnerability in the Windows Server Service that allows a carefully written program to persuade the attacked computer to run malicious code instead of the Microsoft-written software.
Once installed, it turns off Windows Automatic Update and stops you using the Windows Security Centre. It disables a range of internal services that could be used by anti-malware programs, blocks access to a number of anti-virus websites and even resets and deletes system restore points so you can’t go back to an uninfected installation of your operating system.
And at some point it connects to a remote site to download additional malware and register itself as part of the botnet. The analysis of the latest version indicates that this will next happen on April 1st, and the day may be a bad one because the way it does this has changed in the latest version of the worm, making it significantly harder to stop.
Previous Conficker infections were controlled to some extent because security researchers were able to determine which servers the worm was going to try to contact and block access to them before it did so. But the C variant has a much larger pool of potential domains to choose from, as it selects five hundred target servers from a pool of fifty thousand while previous versions chose thirty-two from two hundred and fifty.
As a result the ad hoc group of security researchers who have been working to limit the botnet’s use, the Conficker Cabal, will have a much harder time ensuring that infected systems do not make the connection to the remote service that may allow them to be used to send spam email, log user keystrokes or launch denial of service attacks on other computers.
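The arithmetic behind that shift, as an added example that is not part of the article: using only the two pairs of numbers given above (32 of 250 versus 500 of 50,000), the script below computes how likely the worm is to reach at least one unblocked domain when defenders have pre-registered or blocked part of a day's pool, and how many domains must be covered each day to keep that chance under a chosen limit. The variant parameters and the 5% target are assumptions for illustration.

```python
# Daily domain-generation parameters as described in the article:
# (domains contacted per day, size of the daily candidate pool).
OLD_VARIANT = (32, 250)        # earlier Conficker: 32 chosen from 250
C_VARIANT = (500, 50_000)      # Conficker.C: 500 chosen from 50,000


def p_all_contacts_blocked(k: int, pool: int, blocked: int) -> float:
    """Probability that all k domains the worm draws at random (without
    replacement) from the pool lie inside the `blocked` set, i.e.
    C(blocked, k) / C(pool, k), computed as a running product so no
    huge integers are needed."""
    if blocked < k:
        return 0.0
    p = 1.0
    for i in range(k):
        p *= (blocked - i) / (pool - i)
    return p


def p_worm_gets_through(k: int, pool: int, blocked: int) -> float:
    """Probability that at least one drawn domain is unblocked, so the worm
    could reach a server its authors registered there."""
    return 1.0 - p_all_contacts_blocked(k, pool, blocked)


def p_through_at_coverage(k: int, pool: int, coverage: float) -> float:
    """Same, when defenders have blocked a given fraction of the pool."""
    return p_worm_gets_through(k, pool, round(coverage * pool))


def domains_needed(k: int, pool: int, max_p_through: float) -> int:
    """Smallest number of pool domains that must be blocked so that the
    chance the worm gets through on a given day is at most `max_p_through`.
    Binary search works because the probability is monotone in `blocked`."""
    lo, hi = k, pool
    while lo < hi:
        mid = (lo + hi) // 2
        if p_worm_gets_through(k, pool, mid) <= max_p_through:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for name, (k, pool) in (("old", OLD_VARIANT), ("C", C_VARIANT)):
        print(f"{name}: 99% coverage -> worm gets through with "
              f"p={p_through_at_coverage(k, pool, 0.99):.3f}; "
              f"need {domains_needed(k, pool, 0.05)}/{pool} blocked per day "
              f"to keep that below 5%")
```

Even 99% coverage of the larger pool leaves the C variant almost certain to get through on a given day, and holding its daily success chance under 5% means covering nearly all 50,000 names, against 250 for the earlier variants.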
We will have to wait until April to see how effective efforts at controlling Conficker are, but the analysis that has been done to date shows that it is a particularly well-designed program, one that will be hard to beat.
The overall sophistication of the current generation of malicious software is rather impressive, and I occasionally find myself admiring the skill of its developers in the same way that I can appreciate the technical skill and imagination that goes into fighter planes, tanks and modern armaments. I may not approve of the use to which the ingenuity is being put, but I can’t deny that Conficker’s developers are ingenious in the way they have developed and distributed their code.
Whatever happens with this particular worm, we have to hope that the security features in Windows 7 will reduce the impact of all types of malicious software in the Microsoft ecosystem, although there will probably be enough unpatched systems around for some years to sustain Conficker and other worms, especially if the growth of netbooks means that Windows XP is still being used.
But while it’s easy to blame Microsoft for making their systems vulnerable we should also acknowledge that our own demands have contributed a great deal to the current situation and may make a complete solution unachievable.
We have demanded complex, sophisticated computers that are easy to use, simple to interact with and able to connect to the internet as full peers. We want what Jonathan Zittrain calls ‘generative’ systems that can run new software to take advantage of new services and connect us to new people. And we do not want to spend hours configuring firewalls, locking down features or scanning for potential malware.
Perhaps we should not be surprised that attempts to make these systems secure have failed.
I see a parallel between our attempts to have security and reliability in the complex computer systems we are building today and the attempts by philosophers at the turn of the twentieth century to reduce all of mathematics to formal logic.
The work of Frege, Russell and Whitehead was undermined by the Austrian mathematician Kurt Gödel when he published his Incompleteness Theorem in 1931. He showed that in any sufficiently complex mathematical system there will be statements that cannot be proved either true or false, and that this is not because of errors or mistakes but is a fundamental property of the system.
His work made it clear that attempts to explain all of mathematics in terms of formal logic were doomed to failure, and there are clear similarities between our attempts to free our computers and the network from malware and the world described by Gödel. There will always be flaws and security holes in the rich, complex computing environment, and as a result there will always be space for malicious software to propagate.
That doesn’t mean our attempts to limit its spread and control the potential damage are futile, but it does mean they will be never-ending.
Bill Thompson – AndFinally
[Thompson is a UK-based writer and broadcaster. He has a weekly column on the BBC WebWise site, and contributes both on and off-line to The Guardian, The Register and The New Statesman, among others. His "inappropriately-titled 'billblog'" appears weekly on BBC News Online in the technology news section.]
March, 2009
March 23rd, 2009 at 4:21 pm
How come the record industry etc can get IP addresses and chase loads of people to insanity but we can’t do the same with the servers/hosts what have you for these botnets?
It seems we can or did block them before, therefore we knew the servers IP addy and therefore could trace them to a physical place and owner, it seems very odd to me!
March 23rd, 2009 at 5:13 pm
greenpete: Generally, the servers and DNS entries for these servers are set up in countries that couldn’t give a damn, for example (and I apologize for reinforcing a stereotype), but Russia for example can host many malware-industry ‘companies’ because it’s so incredibly difficult to get those servers taken down.
March 24th, 2009 at 7:20 am
It is not so much that security is impractical in a “generative” environment as it is that the security issue just has not been addressed sufficiently.
When the IBM/PC and AT were initially marketed they were regarded as nuisance systems. Tee hee. See _The PC that ate Armonk_. I have been active in IT and software during that entire time. The little nuisance PC has become the mainstay of computing all around the world.
The PC was a totally open system when it was created, and this “generative” (if I may) aspect of that system was the direct cause of its explosive growth and adoption.
The first viruses were boot sector viruses that were passed around on diskettes. And these were just a harbinger of things to come. But, enamored with the glitter and dazzled by the possibilities in these new available computers we have charged ahead making terrific progress — but exposing vulnerabilities at the same time.
Today, the security issue is drawing considerable attention. Microsoft launched a massive initiative to address the problem, resulting in the deployment of firewalls in XP (at SP2 if I remember right). This effort continues in Vista and in W7 with the UAC which will continue to be refined.
The central issue remains clear however, that being that we must establish the practice of distributing and operating software in such a manner that un-authorized modifications are not made. This is possible and can be done by simply using digital signatures to authenticate distributed software.
Remember always that computer security is like a balloon: a pin-prick and pop! It’s gone. The system owner must win by a shut-out. The new vulnerability in intel chips / poison cache for example must be activated from a program running in ring0 on the x86. There should not be any un-authorized code running in ring0.