An investigation into the Conficker worm published last week by security researchers at SRI International highlighted the technical ability of the worm's coders and the danger posed when the program starts checking a greatly expanded list of Internet drop sites come April 1.
In their Conficker C Analysis, three researchers at SRI International found that the latest update to the Conficker worm, which started appearing on compromised systems on March 5, changed more than 80 percent of the B-version of the worm's code. Computer systems infected with the new version dubbed Conficker.C and Downadup.C by different security firms will begin generating a list of 50,000 psuedo-random domain names every day starting April 1 and attempt to download new commands from 500 of those domains.
In addition, the worm program blocks security software, distributes code by creating a peer-to-peer network, and attempts to prevent anyone but the authors from updating its code by authenticating updates using a hash algorithm known as MD6 that is only a few months old. The collection of those capabilities worried the researchers.
"In the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft," wrote Phillip Porras, Hassen Saidi and Vinod Yegneswaran, all of SRI International. "In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt, not just countries, but the Internet itself."
The Conficker worm started spreading last November, using a just-patched flaw in Microsoft's Windows operating system. In December, a new variant, Conficker.B, started spreading, outpacing its earlier cousin. The worm checked for updates from 500 randomly generated domains every day. The update mechanism referred to as Internet drop, or rendezvous, points forces defenders to block all the randomly generated domains ahead of time, or risk that the worm will get updated with attack code. A group of security firms, Internet service providers and response groups banded together, calling themselves the Conficker Cabal, to do just that.
However, the creators of Conficker managed to dodge the Cabal's defenses. On March 5, about 20 percent of Conficker-infected machines updated themselves from the B variant to the C variant, the SRI report stated. Two weeks later, about half the remaining machines successfully updated, the researchers wrote.
On April 1, systems infected with the latest variant of the Conficker worm will start scanning more than 50,000 random domains daily, looking for updates, making the update mechanism numerically much more difficult to stop.
"It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level," the SRI researchers wrote. "In Conficker C, they have now responded with many of their own countermeasures to thwart those latest defenses."
Microsoft, a member of the Conficker Cabal, has offered $250,000 for information leading to the arrest and conviction of those responsible for the worm.
If you have tips or insights on this topic, please contact SecurityFocus.
Posted by: Robert Lemos