I guest-lectured the computer security class here today, and with it being the day Conficker.C starts looking for a payload, I figured it would be an excellent opportunity to deviate from the normal lesson plan. With the well-written Honeynet Project and SRI papers out there that describe the technical details of Conficker.C, it’s a great time to expose the students to malware analysis. There are some really interesting and clever things that this worm/botnet does, and discussion of it filled an hour’s lecture nicely.
As I promised to the class and to several people on Twitter, I’ve made the slides available here:
…although I fear it won’t be as useful without having been there. It’s more visual aid and points for discussion than a standalone set of slides you can just read. Either way, enjoy!
One thing I’d like to talk about in addition to this: the speculation about what Conficker.C will actually do. The pendulum has been swinging between two extremes of media speculation (“will destroy the internet”-like garbage) and equally ridiculous complete dismissal (“nothing has happened and nothing will”). Many security professionals, including those that are blogging and posting to Twitter, are swinging a little bit too far to the latter, I think. It seems just as dangerous to completely dismiss it as it is to give it too much hype.
Here are a few things one needs to keep in mind when speculating about Conficker.C and its effects:
- April 1st isn’t the only important day. The worm attempts to find a payload every midnight (local time). April 1st is just the first day that it does this; it’s not necessarily the day the operator/originator will register domain(s) and deploy a payload. He/she/they can do this, at their leisure, from now until enough of the infected machines are fixed or go offline to make it not worth it (which could take some time).
- There’s no reason for the operator to walk away from it. There are tons of computers infected, and a really solidly-written means of getting potential payloads spread around. A lot has been invested in this, and there’s some significant power and revenue to be claimed by whoever can sign a payload for it.
- Chances are, it’s not going to be loud. There’s no money in melting the Internet or indiscriminately destroying Windows installations. This isn’t the Slammer worm choking large parts of the Internet with the UDP packets it used to spread itself. Nowadays folks want to make money with malware, and that means routing spam, harvesting information, and things like that. The longer an infected computer acts normally, the longer the malware can stay there, run, and generate revenue.
So there you have it. It’s not likely to destroy the Internet, but I would also be very surprised if we don’t see a payload distributed (widely) through it at some point.