I guest-lectured the computer security class here today, and with it being the day Conficker.C starts looking for a payload, I figured it would be an excellent opportunity to deviate from the normal lesson plan. With the well-written Honeynet Project and SRI papers out there that describe the technical details of Conficker.C, it’s a great time to expose the students to malware analysis. There are some really interesting and clever things that this worm/botnet does, and discussion of it filled an hour’s lecture nicely.
As I promised to the class and to several people on Twitter, I’ve made the slides available here:
…although I fear it won’t be as useful without having been there. It’s more visual aid and points for discussion than a standalone set of slides you can just read. Either way, enjoy!
One thing I’d like to talk about in addition to this: the speculation about what Conficker.C will actually do. The pendulum has been swinging between two extremes of media speculation (“will destroy the internet”-like garbage) and equally ridiculous complete dismissal (“nothing has happened and nothing will”). Many security professionals, including those that are blogging and posting to Twitter, are swinging a little bit too far toward the latter, I think. It seems just as dangerous to completely dismiss it as it is to give it too much hype.
Here are a few things one needs to keep in mind when speculating about Conficker.C and its effects:
- April 1st isn’t the only important day. It attempts to find a payload every midnight (local time). April 1st is just the first day that it does this; it’s not necessarily the day the operator/originator will register domain(s) and deploy a payload. He/she/they can do this, at their leisure, from now until enough of the infected machines are fixed or go offline to make it not worth it (which could take some time).
- There’s no reason for the operator to walk away from it. There’s tons of computers infected, and a really solidly-written means of getting potential payloads spread around. A lot has been invested in this, and there’s some significant power and revenue to be claimed by whoever can sign a payload for it.
- Chances are, it’s not going to be loud. There’s no money in melting the Internet or indiscriminately destroying Windows installations. This isn’t the Slammer worm choking large parts of the internet with UDP packets spreading itself. Nowadays folks want to make money with malware, and that means routing spam, harvesting information, and things like that. The longer an infected computer acts normally, the longer the malware can stay there, run, and generate revenue.
So there you have it. It’s not likely to destroy the Internet, but I would also be very surprised if we don’t see a payload distributed (widely) through it at some point.

Still a decent read regardless (the slides). You make some good points as well. This person or group has a lot of time invested in this project and more than likely will not just let it go. Just because it hasn’t hit yet doesn’t mean it should simply be overlooked. I think it still has a lot of potential whether patches and such have been announced or not. Patches and fixes are released for viruses all the time, yet they still make their way onto people’s machines all the time. Also, the publisher may be waiting until a later date now that the date is so publicly being announced. People are expecting it now. Maybe they are waiting for another day so that they can catch people off guard.
I’m in an oracle training class so I don’t have time to really read the slides, but they look like some good info. I agree that the stance to take is somewhere between the two extremes:
It’s not going to melt the internet. Its impact likely won’t be the armageddon.
But at the same time, it’s out there for a reason, and it’s not just going to be forgotten about by those that control the botnet. It’ll do something, sometime… be ready….
I don’t know the dirty details of what is known about it, and I’m not by any means a professional in computer security, but I often wonder if the patches that are out are truly fixing the problem. What if the coders were really witty and what we know as Conficker.C is actually just a cover for something more serious exploiting a zero-day exploit very subtly in the background. Conficker.C is good at spreading, but are we 100% sure that something else wasn’t piggybacked along with it? What if one of the infected domains sends Conficker its payload, but it also passes along something else that’s a whole separate baddy.
I could just be a paranoid, conspiracy nut on this, but I always have doubt. There’s never any way to know with 100% certainty that we have fixed a problem entirely.
Let’s all put our foil hats on and see what happens (probably not any time too soon IMO).
Thanks for the comment Tom!
The payload *will be* a “whole separate baddy”, and won’t need to exploit anything to do whatever it is it needs to do. It’ll already be running with system privileges on however-many hosts just like conficker.c is now. No zero-day required.
While the true end-goal/purpose is currently unknown, it’s only because it hasn’t been made available. If you check out the papers linked from the presentation slides (especially the SRI paper), you can see that malware analysts have a very good handle on what Conficker.C’s code does. The same would also apply to any payload that’s deployed, soon after a sample is obtained. If it were to start exploiting other systems with zero-day at that point, it’d be pretty obvious in a sniffer pretty quickly.
Seems like a waste of good zero-day, when zero-day isn’t cheap and you already have millions of compromised systems.
[...] see too many news articles regarding the blasted thing. Some people seem to think that this is exactly how it should be, though (and I agree). However, you can’t deny that the Internet is still wholly intact. [...]