A HOTEL bar in Arlington, Virginia, 23 October 2008. A group of computer security experts has spent the day holed up with law enforcement agencies. It is an annual event that attracts the best in the business, but one the participants like to keep low-key – and under the radar of the cybercriminals they are discussing.
That evening, conversation over drinks turned to a security update Microsoft had just released. Its timing was suspicious: updates usually came once a month, and the next was not due for two weeks. “I remember thinking I should take a look at this,” recalls Paul Ferguson, a researcher at Trend Micro, a web security company in Cupertino, California.
He did. So did the rest of the computer security industry. In fact, they talked, puzzled and worried about little else for months after. The update heralded the birth of the Conficker worm – one of the most sophisticated pieces of malignant software ever seen.
Despite an unprecedented collaboration against them, Conficker’s accomplished creators have been able to bluff and dodge to gain control of machines inside homes, universities, government offices and the armed forces of at least three nations, establishing a powerful and lucrative network of “zombie” computers. New Scientist has pieced together the sobering details of that cat-and-mouse fight.
The dry, technical language of Microsoft’s October update did not indicate anything particularly untoward. A security flaw in a port that Windows-based PCs use to send and receive network signals, it said, might be used to create a “wormable exploit”. Worms are pieces of software that spread unseen between machines, mainly – but not exclusively – via the internet (see “Cell spam”). Once they have installed themselves, they do the bidding of whoever created them.
If every Windows user had downloaded the security patch Microsoft supplied, all would have been well. Not all home users regularly do so, however, and large companies often take weeks to install a patch. That provides windows of opportunity for criminals.
No one knows the identity of Conficker’s “patient zero” computer, or precisely when it was infected. It was probably a machine that the hackers already controlled. Once installed, the software set to work, surreptitiously scanning the internet for other vulnerable machines to send itself to.
The new worm soon ran into a listening device, a “network telescope”, housed by the San Diego Supercomputing Center at the University of California. The telescope is a collection of millions of dummy internet addresses, all of which route to a single computer. It is a useful monitor of the online underground: because legitimate users have no reason to reach out to these addresses, it is mostly suspicious software that gets in touch.
The telescope’s logs show the worm spreading in a flash flood. For most of 20 November, about 3000 infected computers attempted to infiltrate the telescope’s vulnerable ports every hour – only slightly above the background noise generated by older malicious code still at large. At 6 pm, the number began to rise. By 9 am the following day, it was 115,000 an hour. Conficker was already out of control.
That same day, the worm also appeared in “honeypots” – collections of computers connected to the internet and deliberately unprotected to attract criminal software for analysis. It was soon clear that this was an extremely sophisticated worm. After installing itself, for example, it placed its own patch over the vulnerable port so that other malicious code could not use it to sneak in. As Brandon Enright, a network security analyst at the University of California, San Diego, puts it, smart burglars close the window they enter by.
Conficker also had an ingenious way of communicating with its creators. Every day, the worm came up with 250 meaningless strings of letters and attached a top-level domain name – a .com, .net, .org, .info or .biz – to the end of each to create a series of internet addresses, or URLs. Then the worm contacted these URLs. The worm’s creators knew what each day’s URLs would be, so they could register any one of them as a website at any time and leave new instructions for the worm there.
It was a smart trick. The worm hunters would only ever spot the illicit address when the infected computers were making contact and the update was being downloaded – too late to do anything. For the next day’s set of instructions, the creators would have a different list of 250 to work with. The security community had no way of keeping up.
No way, that is, until Phil Porras got involved. He and his computer security team at SRI International in Menlo Park, California, began to tease apart the Conficker code. It was slow going: the worm was hidden within two shells of encryption that defeated the tools that Porras usually applied. By about a week before Christmas, however, his team and others – including the Russian security firm Kaspersky Labs, based in Moscow – had exposed the worm’s inner workings, and had found a list of all the URLs it would contact.
Those addresses had to be blocked right away. “The thing could use domains like oxygen,” says Rick Wesson of Support Intelligence, a network security company in San Francisco. “If you take them over, the fire should go out.” Wesson has years of experience with the organisations that handle domain registration, and within days of getting Porras’s list he had set up a system to remove the tainted URLs, using his own money to buy them up.
It seemed like a major win, but the hackers were quick to bounce back: on 29 December, they started again from scratch by releasing an upgraded version of the worm that exploited the same security loophole.
This new worm had an impressive array of new tricks. Some were simple. As well as propagating via the internet, the worm hopped on to USB drives plugged into an infected computer. When those drives were later connected to a different machine, it hopped off again. The worm also blocked access to some security websites: when an infected user tried to go online and download the Microsoft patch against it, they got a “site not found” message.
Other innovations revealed the sophistication of Conficker’s creators. If the encryption used for the previous strain was tough, that of the new version seemed virtually bullet-proof. It was based on code little known outside academia that had been released just three months earlier by researchers at the Massachusetts Institute of Technology.
The new worm strain spread rapidly. Its reach is impossible to measure precisely, but more than 3 million vulnerable machines may ultimately have been infected. These reportedly included computers in branches of the British, French and German militaries, in the British parliament and in hospitals and universities in the US. On 12 February, Microsoft offered a $250,000 award to anyone who could identify Conficker’s authors.
Why the bother, though? For all its ingenious features, the worm had yet to do anything damaging. The answer was – and still is – that there is plenty it could do. The worm’s owners might use its army of zombie PCs to attack the routers that govern internet traffic flow or cripple organisations within which they had managed to infect a large number of machines. “That much resource could be used to do devastating things,” says Ferguson. “It could take down the infrastructure of half the planet.”
Indeed, worse was to come. On 15 March, Conficker presented the security experts with a new problem. It reached out to a URL called rmpezrx.org. It was on the list that Porras had produced, but – those involved decline to say why – it had not been blocked. One site was all that the hackers needed. A new version was waiting there to be downloaded by all the already infected computers, complete with another new box of tricks.
Now the cat-and-mouse game became clear. Conficker’s authors had discerned Porras and Wesson’s strategy. From 1 April, the code of the new worm soon revealed, it would be able to start scanning for updates on 500 URLs selected at random from a list of 50,000 that were encoded in it. The range of suffixes would increase to 116 and include many country codes, such as .kz for Kazakhstan and .ie for Ireland. Each country-level suffix belongs to a different national authority, each of which sets its own registration procedures. Blocking the previous set of domains had been exhausting. It would soon become nigh-on impossible – even if the new version of the worm could be fully decrypted.
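The rendezvous scheme described here and in the earlier 250-domains-a-day account, worked through as an added example that is not from the article or from any published Conficker analysis: a constructed date-keyed generator stands in for the list the SRI team extracted, a defender's blocklist is built from it, and the arithmetic shows why sampling 500 of 50,000 domains makes blocking nigh-on impossible. The generator, the example date and all function names are assumptions; only the counts and suffixes come from the text.

```python
import hashlib
from datetime import date, timedelta
from math import ceil, comb, log

# Constructed stand-in for a daily rendezvous-domain generator: a date-keyed
# hash expanded into letter-only labels, each given one of the suffixes in
# turn. This is NOT Conficker's real algorithm; it only plays the role of the
# list a reverse engineer extracts from the worm so that defenders can act on it.
def rendezvous_domains(day, count, tlds, label_len=8):
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:label_len])
        domains.append(f"{label}.{tlds[i % len(tlds)]}")
    return domains

# Defender's side of the first strain: with 250 domains a day and five
# suffixes, every candidate over a period can be enumerated and bought up.
def blocklist(start, days, per_day, tlds):
    found = set()
    for n in range(days):
        found.update(rendezvous_domains(start + timedelta(days=n), per_day, tlds))
    return sorted(found)

# Later strain: each bot contacts `sample` domains drawn at random from a
# `pool` of candidates. If the operators hold `registered` domains in that
# pool that nobody managed to block, the share of bots that hit at least one
# of them on a given day is 1 minus the chance that a draw misses all of them.
def fraction_reaching(pool, sample, registered):
    if registered <= 0:
        return 0.0
    return 1.0 - comb(pool - registered, sample) / comb(pool, sample)

# Days of fresh daily draws before a `target` share of bots has reached the
# operators' domain at least once (each day's draw is independent).
def days_to_reach(fraction_per_day, target):
    return ceil(log(1.0 - target) / log(1.0 - fraction_per_day))

TLDS_V1 = ["com", "net", "org", "info", "biz"]  # suffixes named in the article
FIRST_DAY = date(2008, 11, 21)                   # constructed example date

if __name__ == "__main__":
    print(len(blocklist(FIRST_DAY, 7, 250, TLDS_V1)), "domains to block for one week")
    f = fraction_reaching(50000, 500, 1)          # a single surviving domain
    print(f"{f:.2%} of bots per day; {days_to_reach(f, 0.5)} days to reach half of them")
```

Blocking all 50,000 candidates is the only way to deny the channel outright; even one unblocked registration is reached by about 1 per cent of bots each day, and half of them within about ten weeks.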
Luckily, Porras quickly repeated his feat and extracted the crucial list of URLs. Immediately, Wesson and others contacted the Internet Corporation for Assigned Names and Numbers (ICANN), an umbrella body that coordinates country suffixes. Wesson did not sleep much. Given the differences in national practices, there was little chance of defusing every time-bomb URL in time for the 1 April deadline, but at least he could ensure that all the country-level operators had been warned.
In the meantime, frenzied headlines were proclaiming the impending meltdown of the internet. But 1 April passed without event. This was not a total surprise. After all, it was just the first date on which the worm’s URL strategy could change – it was still up to its creators to flick the virtual switch. To the outside, it looked like a gigantic April Fool.
And indeed it may have been. In fact, the whole URL business was probably a red herring: using a centralised URL to release a worm upgrade – even one as painstakingly concealed as Conficker’s – is not a particularly sensible approach. It gives the authorities a specific target to counter-attack. From the second version onwards, Conficker had come with a much more efficient option: peer-to-peer (P2P) communication. This technology, widely used to trade pirated copies of software and films, allows software to reach out and exchange signals with copies of itself.
Conficker Worm’s Progress
Six days after the 1 April deadline, Conficker’s authors let loose a new version of the worm via P2P. With no central release point to target, security experts had no means of stopping it spreading through the worm’s network. The URL scam seems to have been little more than a wonderful way to waste the anti-hackers’ time and resources. “They said: you’ll have to look at 50,000 domains. But they never intended to use them,” says Joe Stewart of SecureWorks in Atlanta, Georgia. “They used peer-to-peer instead. They misdirected us.”
The latest worm release had a few tweaks, such as blocking the action of software designed to scan for its presence. But piggybacking on it was something more significant: the worm’s first moneymaking schemes. These were a spam program called Waledac and a fake antivirus package named Spyware Protect 2009. This software was probably not the work of Conficker’s creators. Confident of the strength of the network of machines they had built up, they were now renting out access to other criminals.
Such schemes can be hugely profitable. Just a tiny fraction of people targeted need to click on spam for the advertised business to make money. Storm, a previously widespread spam sender, generated millions of dollars a year in revenue. The same goes for fake software: when the accounts of a Russian company behind an antivirus scam became public last year, it appeared that one criminal had earned more than $145,000 from it in just 10 days.
Since that flurry of activity in early April, all has been uneasily quiet on the Conficker front. In some senses, that marks a victory for the criminals. The zombie network is now established and being used for its intended purpose: to make money. Through its peer-to-peer capabilities, the worm can be updated on the infected network at any time.
It is not an unprecedented situation. There are several other large networks of machines infected with malicious software. Conficker has simply joined the list. The security community will continue to fight them, but as long as the worm remains embedded in any computer there can be no quick fixes.
It’s a depressing message, yet all the experts who spoke to New Scientist said that good things have come out of Conficker and the publicity surrounding it. As the scare grew, academics, industry experts and domain registries came together in an unprecedented collaboration to fight the worm. By sharing information, they were able to warn users and produce scanners to check for it – at least until the next version appeared – and so curb its spread. After this experience, all agree, such collaboration will be much easier. The US Department of Homeland Security is funding a report on what can be learned from it.
That makes the effort worthwhile, says Wesson – despite the financial costs. He put up $30,000 of his own money to secure the URLs that Porras identified, and is still not sure whether he’ll see any return on his investment. He would do it again, though. “We learned an enormous amount,” he says. “Would I pay $30,000 to have the world change the way it looks at malware? Sure.”