Conficker C

  • Conficker C

    http://mtc.sri.com/Conficker/addendumC/index.html

    ...some of the craziest malware I've heard about in a while.
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
    [ redacted ]

  • #2
    Re: Conficker C

    I'd like to spend some quality alone time with the fucker that wrote this one.

    • #3
      Re: Conficker C

      Yeah for sure. I used to dream of writing a "superworm" (although I never actually would've gone through with it, of course!) and this goes well beyond anything I had in mind. Reading about the P2P rendezvous protocol was pretty absurd.

      Some additional background info:

      http://arstechnica.com/security/news...activation.ars
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
      45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
      [ redacted ]

      • #4
        Re: Conficker C

        I wonder what the end-market intent of this is...
        Is it even a remote possibility to track this kind of thing, or is any kind of accountability just fantasy?

        Kinda weird - you'd think it would be harder to maintain this kind of thing (from the attacker side, since there are a great many teams devoted to defeating it) such that the longer it goes on... just makes you wonder if the attacker intends to do *anything* at all.

        Anyone with more experience in this kind of thing know what the end-market goals of this kind of worm might be?

        • #5
          Re: Conficker C

          The problem with this worm is that it is very tenacious. Once it latches onto a machine without the proper patching, it'll crawl to everything else using network shares, without exploiting anything else, just using normal Windows functionality. That is part of the reason it spreads so fast. I've had to deal with it myself (check out my blog, shameless plug etc.) at work. It has not been a fun thing to screw around with.

          Originally posted by hinges View Post
          I wonder what the end-market intent of this is...
          Is it even a remote possibility to track this kind of thing, or is any kind of accountability just fantasy?

          Kinda weird - you'd think it would be harder to maintain this kind of thing (from the attacker side, since there are a great many teams devoted to defeating it) such that the longer it goes on... just makes you wonder if the attacker intends to do *anything* at all.

          Anyone with more experience in this kind of thing know what the end-market goals of this kind of worm might be?
          Well, it's a botnet. So once the worm has solidified its hold on PCs, they can use it for whatever they want to use it for: spam, DDoS, a very ambitious folding@home project, etc. And you are right, he could just be doing it for the lulz; there is no way to tell unless he is caught, but we know for sure he has long-term goals set in mind, as the C variant now pings 500 out of 50,000 (possible) addresses a day for updates versus the 250 (possible) a day that the B variant did. As far as high upkeep, it really isn't that big of a deal ('cept domain name registration), because each client acts as a server in a giant P2P net. Out of all the botfarms, this is probably one of the easiest to manage.
          Last edited by g3k_; March 23, 2009, 09:33. Reason: I keep thinking of things
          "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."

          • #6
            Re: Conficker C

            Originally posted by g3k_ View Post
            ...a very ambitious folding@home project
            Please disambiguate. I do not understand.

            Originally posted by g3k_ View Post
            but we know for sure he has long-term goals set in mind, as the C variant now pings 500 out of 50,000 (possible) addresses a day for updates versus the 250 (possible) a day that the B variant did.
            I had reasoned that the driving force behind that change was the Conficker Cabal's combatting it by registering all the domains, but I like your angle a bit better.


            Originally posted by g3k_ View Post
            As far as high upkeep, it really isn't that big of a deal ('cept domain name registration), because each client acts as a server in a giant P2P net. Out of all the botfarms, this is probably one of the easiest to manage.
            I just meant in terms of keeping ahead of the white hats, but that's interesting. I don't know the first thing about bot farms, or combatting worms for that matter, although I am familiar with the attacks you mentioned (DDoS, spam, etc.).

            This is the... third? biggest worm (not talking % wise, because Morris was ~1/6th of all connected devices) that has been released, and if the author(s) of this worm have thought 'outside the box' so far (HTTP rendezvous have not been used this way before, right?) I wonder what they'd do...

            It'd be kinda...funny...if the author(s)'s(') (<---it makes sense I swear) intent was to use distributed computing and just start cranking out solutions to np problems or something...

            hinges

            PS: I wouldn't know how to *begin* calculating the combined processing power of say ~30mil PCs of various design and hardware, but I wonder if it would compare to the power of a supercomputer like IBM's Roadrunner in Los Alamos.

            • #7
              Re: Conficker C

              Originally posted by hinges View Post
              I wonder what the end-market intent of this is...
              Generally: selling access to spammers
              45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
              45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
              [ redacted ]

              • #8
                Re: Conficker C

                Originally posted by hinges View Post
                Please disambiguate. I do not understand.
                It was a joke :3 http://folding.stanford.edu/

                Originally posted by hinges View Post
                I had reasoned that the driving force behind that change was the Conficker Cabal's combatting it by registering all the domains, but I like your angle a bit better.
                This is true. What I was saying is that this is his response to the consortium of people either blocking domains or scooping them up before the Conficker author can register them. By now scanning a possible 500 domains a day, how can defenders keep up against that?

                Originally posted by hinges View Post
                I just meant in terms of keeping ahead of the white hats, but that's interesting. I don't know the first thing about bot farms, or combatting worms for that matter, although I am familiar with the attacks you mentioned(ddos, spam etc).
                Most botnets typically use a controller computer; for instance, when McColo was taken down (http://en.wikipedia.org/wiki/McColo) a lot of controller computers for various botnets were taken down, which led to a slight decline in botnet activity for a few months. Conficker, however, uses a P2P type system: while it still phones home to try and update the client, one can imagine that if even one Conficker.B zombie updates to Conficker.C, it is very likely that it could send the update to any of the other Conficker.B zombies out there in the wild. (Conficker.B, the newest variant; the older variant didn't have this functionality.)
                Originally posted by hinges View Post
                This is the... third? biggest worm (not talking % wise, because Morris was ~1/6th of all connected devices) that has been released, and if the author(s) of this worm have thought 'outside the box' so far (HTTP rendezvous have not been used this way before, right?) I wonder what they'd do...
                :shrug: according to Wikipedia it's the largest attack since SQL Slammer. I know for one it's one of the fastest growing botnets ever. I remember reading an article that said on a Wednesday in February 2 million PCs got infected, and then on that Thursday another 3 million :3 This is a nasty sonofabitch.

                I would also like to point out that I'm no pro at this; I've basically had the crash course in this over the last few weeks. I've been keeping up to date on worms and I've always had an interest in botnets, but I'm only starting to learn all this stuff for realz. So tldr, disclaimer, some things I say may be inaccurate.
                Last edited by g3k_; March 23, 2009, 12:06.
                "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."
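g3k_ asks above how defenders can keep up with a worm that checks 500 of 50,000 candidate domains a day. The calculation below is an added example written for this thread, not code from the thread or from any Conficker analysis. The 500/50,000 (variant C) and 250 (variant B) figures are the ones quoted in the posts; everything else is an assumption: that each infected host draws its daily domains uniformly and independently from the pool, that hosts are independent of each other, and the population sizes used in the calls. The point it makes is a defensive one: blocking or pre-registering domains only works if the pool is covered completely, because with millions of hosts even a single unblocked domain is reached by a large number of them.

```python
import random

# Figures quoted in the thread (per day). Everything else below is an assumption.
C_POOL = 50_000      # candidate rendezvous domains generated per day, variant C
C_QUERIED = 500      # domains each infected host queries per day, variant C
B_QUERIED = 250      # domains per day quoted for variant B (pool size not given)


def reach_probability(n_pool: int, k_per_bot: int) -> float:
    """Chance that one host's daily sample of k domains includes one specific domain.
    Assumes the k domains are drawn uniformly from the pool of n candidates."""
    if not 0 <= k_per_bot <= n_pool:
        raise ValueError("k must be between 0 and the pool size")
    return k_per_bot / n_pool


def prob_population_misses(n_pool: int, k_per_bot: int, bots: int) -> float:
    """Probability that *none* of `bots` hosts queries a given unblocked domain
    on that day, treating hosts as independent samplers."""
    return (1.0 - reach_probability(n_pool, k_per_bot)) ** bots


def expected_bots_reaching(n_pool: int, k_per_bot: int, bots: int) -> float:
    """Expected number of hosts, out of `bots`, whose sample contains one given domain."""
    return bots * reach_probability(n_pool, k_per_bot)


def simulate_day(n_pool: int, k_per_bot: int, bots: int, attacker_domains, seed: int = 0) -> int:
    """Monte-Carlo check of the closed form: every simulated host draws its own
    k domains (indices 0..n_pool-1); count hosts that hit at least one domain
    in `attacker_domains`, i.e. a domain defenders failed to block or register."""
    rng = random.Random(seed)
    unblocked = set(attacker_domains)
    reached = 0
    for _ in range(bots):
        sample = rng.sample(range(n_pool), k_per_bot)
        if any(d in unblocked for d in sample):
            reached += 1
    return reached


if __name__ == "__main__":
    bots = 2_000_000  # assumed population; the thread mentions 2 million infections in one day
    print(f"P(one host queries a given domain)      = {reach_probability(C_POOL, C_QUERIED):.4f}")
    print(f"E[hosts reaching one unblocked domain]  = {expected_bots_reaching(C_POOL, C_QUERIED, bots):,.0f}")
    print(f"P(all {bots:,} hosts miss it)            = {prob_population_misses(C_POOL, C_QUERIED, bots):.3g}")
    # Small simulated population with exactly one unblocked domain in the pool.
    print(f"simulated hosts reaching it (2,000 bots) = {simulate_day(C_POOL, C_QUERIED, 2_000, [12_345], seed=1)}")
```

With the thread's numbers a single host has a 1% chance of querying any particular domain, so an unblocked domain is expected to be reached by about 20,000 of 2 million hosts and the probability that the whole population misses it is effectively zero. That is why the defenders' response described in the thread has to cover every candidate domain for the day rather than most of them.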

                • #9
                  Re: Conficker C

                  Originally posted by barry99705 View Post
                  I'd like to spend some quality alone time with the fucker that wrote this one.
                  That and the guy who invented slotted screws.

                  xor
                  Just because you can doesn't mean you should. This applies to making babies, hacking, and youtube videos.

                  • #10
                    Re: Conficker C

                    Originally posted by g3k_ View Post
                    :shrug: according to Wikipedia it's the largest attack since SQL Slammer. I know for one it's one of the fastest growing botnets ever. I remember reading an article that said on a Wednesday in February 2 million PCs got infected, and then on that Thursday another 3 million :3 This is a nasty sonofabitch.
                    The Storm Worm was estimated to infect anywhere from 1 million to 10 million machines

                    --

                    On April 1st, Conficker C's DNS-based rendezvous system will go live. Anyone care to speculate what happens then?
                    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B0
                    45 5F E1 04 22 CA 29 C4 93 3F 95 05 2B 79 2A B1
                    [ redacted ]

                    • #11
                      Re: Conficker C

                      Originally posted by xor View Post
                      That and the guy who invented slotted screws.

                      xor
                      Hahahahahaahahahaha!! I think that all the time too..... If any of you went to see that piece of crap they called Watchmen, this dude would look like Rorschach at the end when I'm done with him. I've already had to deal with the A and B variants.

                      • #12
                        Re: Conficker C

                        Originally posted by bascule View Post
                        The Storm Worm was estimated to infect anywhere from 1 million to 10 million machines

                        --

                        On April 1st, Conficker C's DNS-based rendezvous system will go live. Anyone care to speculate what happens then?
                        Well for one, Southwest Air's website (wnsux.com is owned by SWA, and it redirects to the main site) and a few others are going to be DDoS'd by accident due to the algorithm choosing legitimate site names as all the zombies try to phone home. Checking that URL I just wrote in, it doesn't seem to redirect. The knee-jerk reaction problem is that things like OpenDNS are working to block some of these URLs. According to this guy (http://infosecurity.us/?p=6681) there are only 42 of the possible 7750 domain names that resolve. Among those 42, 14 are owned by people who snatched them up in an attempt to keep them from being owned by the author.

                        So basically I have no idea what's gonna happen April 1st. It should be interesting; I'm curious how much traffic is going to be generated from these millions of clients phoning home. This is like the Battle of Helms Deep, I believe, the last ditch effort to stop this thing from spreading further.
                        "As Arthur C Clarke puts it, "Any sufficiently advanced technology is indistinguishable from magic". Here is my corollary: "Any sufficiently technical expert is indistinguishable from a witch"."

                        • #13
                          Re: Conficker C

                          Originally posted by g3k_ View Post
                          This is like the Battle of Helms Deep, I believe, the last ditch effort to stop this thing from spreading further.
                          I know I'm gonna be looking to the east at dawn on the third day, or I'll just not bother to get on the inturwebs that day.
                          A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.

                          • #14
                            Re: Conficker C

                            Originally posted by streaker69 View Post
                            I know I'm gonna be looking to the east at dawn on the third day, or I'll just not bother to get on the inturwebs that day.
                            I wonder if even Gandalf can unclog the tubes.
                            "\x74\x68\x65\x70\x72\x65\x7a\x39\x38";

                            • #15
                              Re: Conficker C

                              So what are my fellow BOFHs going to be doing before April 1st to prepare for this?

                              Should we warn our users ahead of time that internet access may be limited during that time frame?

                              Someone posted this on another forum:

                              http://www.bothunter.net/

                              I haven't had a chance to use it yet, but it seems like it might be a good way to track down if you have any machines that are currently infected.
                              A third party security audit is the IT equivalent of a colonoscopy. It's long, intrusive, very uncomfortable, and when it's done, you'll have seen things you really didn't want to see, and you'll never forget that you've had one.
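streaker69 asks above how to find machines that are already infected before the rendezvous goes live. The script below is an added example, not code from the thread or from BotHunter. It applies the observation made earlier in the thread (only 42 of 7750 candidate domains resolved, so a host working through its daily list gets NXDOMAIN for almost everything) to a resolver query log: a client that asks for many distinct names and gets NXDOMAIN for most of them stands out from normal workstations. The four-column log format, the client addresses, the domain names and the thresholds are all constructed for the example; real resolver logs need their own parser, and the thresholds are a starting point to tune, not a published signature.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample log in a simple "timestamp client qname rcode" format.
# None of these hosts or names are real; 10.0.0.23 is the planted suspect,
# 10.0.0.41 shows a benign host repeating one misspelled name.
SAMPLE_LOG = """\
2009-03-23T09:00:01 10.0.0.5 www.example.com NOERROR
2009-03-23T09:00:04 10.0.0.5 mail.example.com NOERROR
2009-03-23T09:00:09 10.0.0.5 updates.example.org NOERROR
2009-03-23T09:00:15 10.0.0.5 cdn.example.net NOERROR
2009-03-23T09:00:20 10.0.0.5 typo.exmaple.com NXDOMAIN
2009-03-23T09:01:00 10.0.0.23 www.example.com NOERROR
2009-03-23T09:01:02 10.0.0.23 qpxwvmk.info NXDOMAIN
2009-03-23T09:01:03 10.0.0.23 lzxhgtr.biz NXDOMAIN
2009-03-23T09:01:04 10.0.0.23 ybmdnq.org NXDOMAIN
2009-03-23T09:01:05 10.0.0.23 kwpsvfa.net NXDOMAIN
2009-03-23T09:01:06 10.0.0.23 tdhrlxe.info NXDOMAIN
2009-03-23T09:01:07 10.0.0.23 vmqcbyu.com NXDOMAIN
2009-03-23T09:01:08 10.0.0.23 ozfjwkp.biz NXDOMAIN
2009-03-23T09:01:09 10.0.0.23 hgnxqtr.org NXDOMAIN
2009-03-23T09:01:10 10.0.0.23 pclvzma.net NXDOMAIN
2009-03-23T09:01:11 10.0.0.23 xwdbfqe.info NXDOMAIN
2009-03-23T09:02:00 10.0.0.41 fileserver.example.com NXDOMAIN
2009-03-23T09:02:05 10.0.0.41 fileserver.example.com NXDOMAIN
2009-03-23T09:02:10 10.0.0.41 fileserver.example.com NXDOMAIN
2009-03-23T09:02:15 10.0.0.41 intranet.example.com NOERROR
"""


@dataclass(frozen=True)
class DnsRecord:
    ts: str
    client: str
    qname: str
    rcode: str


def parse_dns_log(text: str) -> list:
    """Parse the constructed four-column format; blank or malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, client, qname, rcode = parts
        records.append(DnsRecord(ts, client, qname.lower().rstrip("."), rcode.upper()))
    return records


def per_client_stats(records) -> dict:
    """Per client: query count, distinct names, distinct NXDOMAIN names and their ratio.
    Distinct names are counted so a host retrying one bad name is not inflated."""
    queries = defaultdict(int)
    names = defaultdict(set)
    nxdomain = defaultdict(set)
    for r in records:
        queries[r.client] += 1
        names[r.client].add(r.qname)
        if r.rcode == "NXDOMAIN":
            nxdomain[r.client].add(r.qname)
    return {
        c: {
            "queries": queries[c],
            "distinct": len(names[c]),
            "nxdomain": len(nxdomain[c]),
            "nx_ratio": len(nxdomain[c]) / len(names[c]),
        }
        for c in queries
    }


def flag_rendezvous_candidates(records, min_nxdomain: int = 8, min_ratio: float = 0.75) -> list:
    """Clients whose distinct-NXDOMAIN count and ratio both exceed the (assumed) thresholds.
    A true rendezvous client on the thread's numbers would sit far above both."""
    stats = per_client_stats(records)
    return sorted(
        c for c, s in stats.items()
        if s["nxdomain"] >= min_nxdomain and s["nx_ratio"] >= min_ratio
    )


if __name__ == "__main__":
    recs = parse_dns_log(SAMPLE_LOG)
    for client, s in sorted(per_client_stats(recs).items()):
        print(f"{client:<10} queries={s['queries']:<3} distinct={s['distinct']:<3} "
              f"nxdomain={s['nxdomain']:<3} ratio={s['nx_ratio']:.2f}")
    print("flagged:", flag_rendezvous_candidates(recs))
```

The ratio matters as much as the count: a host with a broken search suffix or a misspelled server name produces NXDOMAIN answers too, but for one or two names repeated many times, which the distinct-name counting keeps from tripping the rule. Flagged hosts are candidates for a closer look (for example with the BotHunter tool linked above), not confirmed infections.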
