科技回声

The Enemy Within: What is Conficker's Botnet For?

55 points by theoneill about 15 years ago

5 comments

tptacek about 15 years ago
I yield to no man in the gravity and intensity of my fanboyish appreciation for Mark Bowden's writing, but this article is *so*. *bad*. Not just in the details, which, come on, it's a lay piece in The Atlantic, but in its warped conclusions.

*If the right order were given, and all these computers worked together in one concerted effort, a botnet with that much computing power could crack many codes, break into and plunder just about any protected database in the world [...]*

"Just about any protected database". Ow, my brain!

*It pits the cleverest attackers in the world, the bad guys, against the cleverest defenders in the world, the good guys (who have been dubbed the “Conficker Cabal”).*

The best in the world! On *both sides*! My precious brain!

*It exploited a specific hole, Port 445, in the Microsoft operating systems, a vulnerability that the manufacturer had tried to repair just weeks earlier. Ports are designated “listening” points in a system, designed to transmit and receive particular kinds of data. There are many of them, more than 65,000, because an operating system consists of layer upon layer of functions.*

So that's how it got in! There are too many ports!

*If everyone applied the new patches promptly, Windows would be nigh impregnable.*

%y b$&tifu111 br4in ow it burns.

*Conficker had an answer for that. Instead of using the infected computer’s clock, the worm set its schedule by the time on popular corporate home pages, like Yahoo, Google, or Microsoft’s own msn.com.*

*“That was interesting,” Ligh said. “There was no way we could turn the clock forward on Google’s home page.*

MAKE IT STOP.

*"All of this was impressive—but something else stopped researchers cold..."*

No, Mark. Please. Don't go here...

*So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest’s* proposal *for SHA-3, the cabal’s collective mind was blown.*

*Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”*

WHY, MARK, WHY! I BUY ALL YOUR BOOKS. MY BUGS! My Bugs! My bugs! my bugs! my b&gz! m&4nc bugs...

The only thing that is good about this piece is the clear-eyed description of how worms infect computers and how hard it is to detect and clean them out. Unfortunately, Bowden wrote those grafs using a Star Trek metaphor, which in a technology piece is the stylistic equivalent of serving mashed potatoes topped with risotto.

The rest is horrible. What's special about Conficker? Probably not that it's especially clever; no, what seems to have thrown everyone for a loop is the fact that while it spreads aggressively, it does little afterwards to piss people off and provoke an immediate response. That's its contribution to the state of the art.

MD-6 is so important that it deserves a subhed? What? The first piece of crypto *every hacker comes into contact with* is MD5. The trials and tribulations of MD5 are legendary. The MD6 sample code was right there on the Internet. Just like the people who used "reverse-engineered" RC4 in their sniffers in 1995, this is nothing but a vanity feather in the worm author's cap.

What could you do with crypto to impress an analyst skilled in the art?

* You could have taken a well-known strong algorithm and jumbled the constants slightly to create an unpredictable but strong variant.

* You could have implemented an algorithm that was published only in papers and only in diagrams and equations.

* You could invent your own algorithm and have it at least come close to holding its own against the state of the art.

The notion that Conficker is one of the most important things happening in security is very likely not going to stand up to hindsight years from now. The "best and brightest" are *not* killing themselves figuring out the Conficker problem. That may be a mistake, but the conventional wisdom as I perceive it is that Conficker will eventually blow up to be someone else's very painful operations problem that we read about in The Register and promptly forget about.
Comment #1351507 not loaded
Comment #1351347 not loaded
Comment #1352605 not loaded
Comment #1351012 not loaded
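The article passage quoted above (the worm taking its schedule from the Date header of popular home pages rather than from the infected machine's clock, so that researchers "could not turn the clock forward on Google's home page") has a concrete consequence for anyone analysing time-dependent malware in a lab: fast-forwarding the sandbox clock does nothing if the sample's notion of "now" comes off the wire. The following is an added example, not code from the thread, the Atlantic article, or any Conficker analysis; it shows how a client reads time from an HTTP Date header (RFC 7231 IMF-fixdate format, parsed with the standard library's `parsedate_to_datetime`) and how an analyst can measure the skew between that web-sourced time and the local clock. The raw response and the tolerance value are constructed for the example.

```python
"""
Added example (constructed, not from the thread or the article): extract a
"web time" from an HTTP response's Date header, the way a client that distrusts
the local clock would, and compare it with the local clock so an analysis
environment can tell whether its fast-forwarded clock is actually what a
sample would observe.
"""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Optional

# Constructed raw HTTP response, as a client would read it off the socket.
# The Date value is an arbitrary sample, not a real capture.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Mon, 12 Apr 2010 14:03:55 GMT\r\n"
    b"Content-Type: text/html\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Assumed tolerance for "local clock agrees with the web"; pick what your
# environment needs (NTP-synced hosts are usually within seconds).
DEFAULT_TOLERANCE = timedelta(minutes=5)


def remote_time_from_response(raw: bytes) -> Optional[datetime]:
    """Return the server's clock from the Date header as an aware UTC datetime.

    Returns None when the header is absent or does not parse. Header names are
    case-insensitive per RFC 7230, so compare after lowercasing.
    """
    head, _, _body = raw.partition(b"\r\n\r\n")
    header_lines = head.split(b"\r\n")[1:]  # [0] is the status line
    for line in header_lines:
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"date":
            continue
        try:
            parsed = parsedate_to_datetime(value.strip().decode("ascii"))
        except (ValueError, TypeError, UnicodeDecodeError):
            # Older Pythons raise TypeError on garbage, newer ones ValueError.
            return None
        if parsed.tzinfo is None:
            # A "-0000" zone yields a naive datetime; the header is UTC by spec.
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def clock_skew(local_now: datetime, remote: datetime) -> timedelta:
    """Local minus remote: positive means the local clock runs ahead."""
    return local_now - remote


def local_clock_is_trusted(local_now: datetime, remote: datetime,
                           tolerance: timedelta = DEFAULT_TOLERANCE) -> bool:
    """True when a web-time-sourced client would see the same 'now' as the host."""
    return abs(clock_skew(local_now, remote)) <= tolerance


if __name__ == "__main__":
    web_now = remote_time_from_response(SAMPLE_RESPONSE)
    assert web_now is not None
    # An analyst has wound the sandbox clock forward 30 days to trigger
    # date-keyed behaviour; a client reading Date headers is unaffected.
    sandbox_now = web_now + timedelta(days=30)
    print("web time      :", web_now.isoformat())
    print("sandbox clock :", sandbox_now.isoformat())
    print("skew          :", clock_skew(sandbox_now, web_now))
    print("sample sees the sandbox date?",
          local_clock_is_trusted(sandbox_now, web_now))
```

The practical takeaway for a lab is that the network-side time source has to be under the analyst's control (the Date header the sample receives), not just the guest's clock; `local_clock_is_trusted` is the check that tells you when the two have diverged.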
Zak about 15 years ago
*It uses an encryption code so sophisticated that only a very few people could have deployed it.*

I have a hard time believing that. Sophisticated and effective encryption techniques are well-documented. There are thousands of bored teenagers who could write malware that uses sophisticated encryption. Successfully spreading over the whole Internet while being unobtrusive enough to not be noticed by most victims is, perhaps, more impressive.
Comment #1350585 not loaded
FluidDjango about 15 years ago
It sure is hard to keep the general public's attention when there are no dramatic, overt symptoms yet.

Who knows *what* sort of pain they're going to inflict (or cost they'll exact) once they choose to monetize?
Comment #1350757 not loaded
jackfoxy about 15 years ago
Long entertaining article (which I intend to finish), but as usual short on actionable information.

Here's what I would like to have access to:

Input-

1) OS
2) patch level (for simplicity I should be able to input "current")
3) the AV software(s) on my box

Output-

1) known vulnerabilities for this system configuration
2) what could be lurking on the system that hasn't been detected
3) methods of detection for items under (2)
4) remedies (including rebuild your box, in the worst case)
nealb about 15 years ago
If you're curious and want a technical read not filled with BS about how amazingly foreign and magical MD6 must be, just read this or the equivalent from McAfee or whoever you prefer - http://tools.cisco.com/security/center/viewAlert.x?alertId=17121