B
Bluuuue Rajah
Computer Experts Unite to Hunt Worm
March 18, 2009
nytimes.com/2009/03/19/technology/19worm.html
An extraordinary behind-the-scenes struggle is taking place between
computer security groups around the world and the brazen author of a
malicious software program called Conficker.
The program grabbed global attention when it began spreading late last
year and quickly infected millions of computers with software code that
is intended to lash together the infected machines it controls into a
powerful computer known as a botnet.
Since then, the program’s author has repeatedly updated its software in
a cat-and-mouse game being fought with an informal international
alliance of computer security firms and a network governance group known
as the Internet Corporation for Assigned Names and Numbers. Members
refer to the alliance as the Conficker Cabal.
The existence of the botnet has brought together some of the world’s
best computer security experts to prevent potential damage. The spread
of the malicious software is on a scale that matches the worst of past
viruses and worms, like the I Love You virus. Last month, Microsoft
announced a $250,000 reward for information leading to the capture of
the Conficker author.
Botnets are used to send the vast majority of e-mail spam messages. Spam
in turn is the basis for shady commercial promotions including schemes
that frequently involve directing unwary users to Web sites that can
plant malicious software, or malware, on computers.
Botnets can also be used to distribute other kinds of malware and
generate attacks that can take commercial or government Web sites off-
line.
One of the largest botnets tracked last year consisted of 1.5 million
infected computers that were being used to automate the breaking of
“captchas,” the squiggly letter tests that are used to force applicants
for Web services to prove they are human.
The inability of the world’s best computer security technologists to
gain the upper hand against anonymous but determined cybercriminals is
viewed by a growing number of those involved in the fight as evidence of
a fundamental security weakness in the global network.
“I walked up to a three-star general on Wednesday and asked him if he
could help me deal with a million-node botnet,” said Rick Wesson, a
computer security researcher involved in combating Conficker. “I didn’t
get an answer.”
An examination of the program reveals that the zombie computers are
programmed to try to contact a control system for instructions on April
1. There has been a range of speculation about the nature of the threat
posed by the botnet, from a wake-up call to a devastating attack.
Researchers who have been painstakingly disassembling the Conficker code
have not been able to determine where the author, or authors, is
located, or whether the program is being maintained by one person or a
group of hackers. The growing suspicion is that Conficker will
ultimately be a computing-for-hire scheme. Researchers expect it will
imitate the hottest fad in the computer industry, called cloud
computing, in which companies like Amazon, Microsoft and Sun
Microsystems sell computing as a service over the Internet.
Earlier botnets were devised so they could be split up and rented via
black market schemes that are common in the Internet underground,
according to security researchers.
The Conficker program is built so that after it takes up residence on
infected computers, it can be programmed remotely by software to serve
as a vast system for distributing spam or other malware.
Several people who have analyzed various versions of the program said
Conficker’s authors were obviously monitoring the efforts to restrict
the malicious program and had repeatedly demonstrated that their skills
were at the leading edge of computer technology.
For example, the Conficker worm already had been through several
versions when the alliance of computer security experts seized control
of 250 Internet domain names the system was planning to use to forward
instructions to millions of infected computers.
Shortly thereafter, in the first week of March, the fourth known version
of the program, Conficker C, expanded the number of the sites it could
use to 50,000. That step made it virtually impossible to stop the
Conficker authors from communicating with their botnet.
“It’s worth noting that these are folks who are taking this seriously
and not making many mistakes,” said Jose Nazario, a member of the
international security group and a researcher at Arbor Networks, a
company in Lexington, Mass., that provides tools for monitoring the
performance of networks. “They’re going for broke.”
Several members of the Conficker Cabal said that law enforcement
officials had been slow to respond to the group’s efforts, but that a
number of law enforcement agencies were now in “listen” mode.
“We’re aware of it,” said Paul Bresson, an F.B.I. spokesman, “and we’re
working with security companies to address the problem.”
A report scheduled to be released Thursday by SRI International, a
nonprofit research institute in Menlo Park, Calif., says that Conficker
C constitutes a major rewrite of the software. Not only does it make it
far more difficult to block communication with the program, but it gives
the program added powers to disable many commercial antivirus programs
as well as Microsoft’s security update features.
“Perhaps the most obvious frightening aspect of Conficker C is its clear
potential to do harm,” said Phillip Porras, a research director at SRI
International and one of the authors of the report. “Perhaps in the best
case, Conficker may be used as a sustained and profitable platform for
massive Internet fraud and theft.”
“In the worst case,” Mr. Porras said, “Conficker could be turned into a
powerful offensive weapon for performing concerted information warfare
attacks that could disrupt not just countries, but the Internet itself.”
The researchers, noting that the Conficker authors were using the most
advanced computer security techniques, said the original version of the
program contained a recent security feature developed by an M.I.T.
computer scientist, Ron Rivest, that had been made public only weeks
before. And when a revision was issued by Dr. Rivest’s group to correct
a flaw, the Conficker authors revised their program to add the
correction.
Although there have been clues that the Conficker authors may be located
in Eastern Europe, evidence has not been conclusive. Security
researchers, however, said this week that they were impressed by the
authors’ productivity.
“If you suspect this person lives in Kiev,” Mr. Nazario said, “I would
look for someone who has recently reported repetitive stress injury
symptoms.”
March 18, 2009
nytimes.com/2009/03/19/technology/19worm.html
An extraordinary behind-the-scenes struggle is taking place between
computer security groups around the world and the brazen author of a
malicious software program called Conficker.
The program grabbed global attention when it began spreading late last
year and quickly infected millions of computers with software code that
is intended to lash together the infected machines it controls into a
powerful computer known as a botnet.
Since then, the program’s author has repeatedly updated its software in
a cat-and-mouse game being fought with an informal international
alliance of computer security firms and a network governance group known
as the Internet Corporation for Assigned Names and Numbers. Members
refer to the alliance as the Conficker Cabal.
The existence of the botnet has brought together some of the world’s
best computer security experts to prevent potential damage. The spread
of the malicious software is on a scale that matches the worst of past
viruses and worms, like the I Love You virus. Last month, Microsoft
announced a $250,000 reward for information leading to the capture of
the Conficker author.
Botnets are used to send the vast majority of e-mail spam messages. Spam
in turn is the basis for shady commercial promotions including schemes
that frequently involve directing unwary users to Web sites that can
plant malicious software, or malware, on computers.
Botnets can also be used to distribute other kinds of malware and
generate attacks that can take commercial or government Web sites off-
line.
One of the largest botnets tracked last year consisted of 1.5 million
infected computers that were being used to automate the breaking of
“captchas,” the squiggly letter tests that are used to force applicants
for Web services to prove they are human.
The inability of the world’s best computer security technologists to
gain the upper hand against anonymous but determined cybercriminals is
viewed by a growing number of those involved in the fight as evidence of
a fundamental security weakness in the global network.
“I walked up to a three-star general on Wednesday and asked him if he
could help me deal with a million-node botnet,” said Rick Wesson, a
computer security researcher involved in combating Conficker. “I didn’t
get an answer.”
An examination of the program reveals that the zombie computers are
programmed to try to contact a control system for instructions on April
1. There has been a range of speculation about the nature of the threat
posed by the botnet, from a wake-up call to a devastating attack.
Researchers who have been painstakingly disassembling the Conficker code
have not been able to determine where the author, or authors, is
located, or whether the program is being maintained by one person or a
group of hackers. The growing suspicion is that Conficker will
ultimately be a computing-for-hire scheme. Researchers expect it will
imitate the hottest fad in the computer industry, called cloud
computing, in which companies like Amazon, Microsoft and Sun
Microsystems sell computing as a service over the Internet.
Earlier botnets were devised so they could be split up and rented via
black market schemes that are common in the Internet underground,
according to security researchers.
The Conficker program is built so that after it takes up residence on
infected computers, it can be programmed remotely by software to serve
as a vast system for distributing spam or other malware.
Several people who have analyzed various versions of the program said
Conficker’s authors were obviously monitoring the efforts to restrict
the malicious program and had repeatedly demonstrated that their skills
were at the leading edge of computer technology.
For example, the Conficker worm already had been through several
versions when the alliance of computer security experts seized control
of 250 Internet domain names the system was planning to use to forward
instructions to millions of infected computers.
Shortly thereafter, in the first week of March, the fourth known version
of the program, Conficker C, expanded the number of the sites it could
use to 50,000. That step made it virtually impossible to stop the
Conficker authors from communicating with their botnet.
“It’s worth noting that these are folks who are taking this seriously
and not making many mistakes,” said Jose Nazario, a member of the
international security group and a researcher at Arbor Networks, a
company in Lexington, Mass., that provides tools for monitoring the
performance of networks. “They’re going for broke.”
Several members of the Conficker Cabal said that law enforcement
officials had been slow to respond to the group’s efforts, but that a
number of law enforcement agencies were now in “listen” mode.
“We’re aware of it,” said Paul Bresson, an F.B.I. spokesman, “and we’re
working with security companies to address the problem.”
A report scheduled to be released Thursday by SRI International, a
nonprofit research institute in Menlo Park, Calif., says that Conficker
C constitutes a major rewrite of the software. Not only does it make it
far more difficult to block communication with the program, but it gives
the program added powers to disable many commercial antivirus programs
as well as Microsoft’s security update features.
“Perhaps the most obvious frightening aspect of Conficker C is its clear
potential to do harm,” said Phillip Porras, a research director at SRI
International and one of the authors of the report. “Perhaps in the best
case, Conficker may be used as a sustained and profitable platform for
massive Internet fraud and theft.”
“In the worst case,” Mr. Porras said, “Conficker could be turned into a
powerful offensive weapon for performing concerted information warfare
attacks that could disrupt not just countries, but the Internet itself.”
The researchers, noting that the Conficker authors were using the most
advanced computer security techniques, said the original version of the
program contained a recent security feature developed by an M.I.T.
computer scientist, Ron Rivest, that had been made public only weeks
before. And when a revision was issued by Dr. Rivest’s group to correct
a flaw, the Conficker authors revised their program to add the
correction.
Although there have been clues that the Conficker authors may be located
in Eastern Europe, evidence has not been conclusive. Security
researchers, however, said this week that they were impressed by the
authors’ productivity.
“If you suspect this person lives in Kiev,” Mr. Nazario said, “I would
look for someone who has recently reported repetitive stress injury
symptoms.”