Inside Cyber Warfare - Jeffrey Carr [11]

infiltration of multiple millions of infected drones. Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.

--Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, “An Analysis of Conficker’s Logic and Rendezvous Points,” SRI International report, updated March 18, 2009

There are at least two sustained mysteries surrounding the Conficker worm: who is behind it, and what do they plan to do with it?

Regarding the former, researchers who have studied the code contained in the worm and its A, B, and C variants can say with some certainty that the authors are skilled programmers with knowledge of the latest developments in cryptography and an in-depth knowledge of Windows internals and security. They are also adept at code obfuscation and code packing, and they are closely monitoring and adapting to attempts to thwart Conficker’s operation.

Perhaps more importantly, the Conficker authors have shown that they are innovative, agile, and quick to implement improvements in their worm. Quoting from the SRI report:

They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities around the world. Perhaps an even greater threat than what they have done so far is what they have learned and what they will build next.

There has been an unprecedented amount of collaboration in the software community to overcome the threat posed by Conficker. Microsoft has offered a $250,000 reward for information leading to the arrest and conviction of Conficker’s authors. Although the idea of a bounty is interesting, the amount offered is ridiculously low. There are carders (cyber criminals who engage in illegal credit card transactions) who earn that much in one month.

The software giant has also established a “Conficker Cabal” in the hope that collaboration will yield more results than one company’s efforts alone. Members of the cabal include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks, and Support Intelligence.

As of this writing, no progress has been made on discovery or mitigation of this threat, and the Conficker worm continues to propagate.

Africa: The Future Home of the World’s Largest Botnet?

African IT experts estimate an 80% infection rate on all PCs continent-wide, including government computers. It is the cyber equivalent of a pandemic. Few can afford to pay for anti-virus software, and for those who can, the download time on a dial-up connection makes the update out of date by the time the download is complete.

Now, with the arrival of broadband service delivered via undersea cables by initiatives like SEACOM (July 23, 2009), Teams cable (September 2009), and the East African Submarine Cable System (mid-year 2010), there will be a massive, target-rich environment of almost 100 million computers available for botnet herders to add infected hosts to their computer armies (Figure 1-2).

Figure 1-2. Evolution of cyber attacks

One botnet of one million hosts could conservatively generate enough traffic to take most Fortune 500 companies collectively offline. A botnet of 10 million hosts (like Conficker) could paralyze the network infrastructure of a major Western nation.

As of today, there is no unified front to combat botnets of this size. However, since these botnets are Windows-based, a switch
