All talk of the Conficker Worm was sanitised at the Black Hat conference to protect the current investigation.
The criminal ring is very savvy and might have infiltrated the group hunting it down, one investigator says.
The international security team tracking down Conficker thought that the masterminds behind it would have been apprehended by now, according to one of the leaders of the effort to stamp out the resilient worm but that’s not the way it has worked out.
Investigators cautious
A meeting and presentation talk at Black Hat yesterday had to be scaled back because it contained information about Conficker that might tip the investigators’ hand and send the perpetrators further underground, says Mikko Hypponen, chief research officer at F-Secure and a member of the Conficker Working Group.
A Forensic Look
When Hypponen submitted the abstract for his Black Hat briefing more than six months ago, he thought he’d be presenting a forensic look at a dead worm and that the team who had written and managed it would be out of action. “I had hoped that by the end of July we would be in a totally different situation, the case would be closed and the group would be in jail,” Hypponen said in an interview after his talk.
Critical Information
His official line was that he was asked last week not to reveal critical information that might help prolong Conficker’s reign over millions of computers and inhibit the ongoing criminal investigation. “So I will end my presentation here,” Hypponen said at the conclusion of his Black Hat session. “Thank you very much. I will not be taking any questions.”
Holding Back
Hypponen said afterwards that he wasn’t forced to curtail his remarks (Black Hat has been the site of numerous speech-blockings and speech-blocking attempts, including that of a researcher Cisco sued because he was to reveal a flaw in the company's IOS code). Rather, Hypponen had already realised that it made sense to hold back some of what the working group has found out. “It’s better to keep them in the dark about what is known,” he says.
Agility and Precision
Given the agility and precision with which Conficker alters its tactics, Hypponen doesn’t rule out that the Conficker Working Group itself might have been infiltrated by Conficker operatives.
He wouldn’t say how close he thinks authorities are to bringing down the group, but did say there is an indication that it is based in the Ukraine. Some techniques used in Conficker match those used in an earlier worm, which might mean the same people were behind both.
Ukrainian Police
That earlier worm avoided propagating to machines in the Ukraine, which might mean that the group is based there and was trying to avoid committing a local crime to keep Ukrainian police off their backs, Hypponen says.
Technical Sophistication
During his talk Hypponen outlined some of Confickter’s technical sophistication. In one version change – the worm has gone through five major revisions – the worm adopted the MD-6 cryptographic hash algorithm. Investigators estimate that MD-6 was only a month or so old when it was incorporated in Conficker, making the worm one of the earliest implementations of MD-6, he says.
Buffer Overflow
The next major revision of Conficker patched an MD-6 buffer-overflow vulnerability that was publicly announced about six weeks earlier, which means the criminals keep themselves in the loop with the latest advances, he says. (The patch they used was identical to the one issued by MD-6 creators.)
Disables Infected Machines
The worm avoids sending itself to domains owned by members of the Conficker Working Group, and it disables infected machines so they can’t reach sites where they might seek help.
F-Secure Help Site
Hypponen’s company set up a help site with a different domain name from its regular business site that included the term F-secure, and the next version of Conficker blocked it. The company changed the term to Fsecure with no hyphen, and the next revision blocked that, too, he says.
The worm had been propagating to eight top level Internet domains and the working group mustered enough cooperation to shut it down in all those domains, Hypponen says. The next version propagated to 116 domains, he says.
Strategy Weak
“These guys are very good in cryptography and code development,” he says, but maybe not so good about strategy, given the attention they drew to themselves. “They didn’t know better than to infect 10 million computers in a couple of days.” The goal of any botnet ought to be to remain hidden, not draw attention to itself, he says.
“They might have experience in another crime business but hadn’t run a botnet before. If they were more experienced, they’d know better.”
The Malady Lingers on
It would make sense, Hypponen says, for the Conficker gang to abandon its current botnet and build a new one that doesn’t get too big too fast and doesn’t draw a team of experts to fight it. “Maybe they already have,” he says.
The criminal ring is very savvy and might have infiltrated the group hunting it down, one investigator says.
The international security team tracking down Conficker thought that the masterminds behind it would have been apprehended by now, according to one of the leaders of the effort to stamp out the resilient worm but that’s not the way it has worked out.
Investigators cautious
A meeting and presentation talk at Black Hat yesterday had to be scaled back because it contained information about Conficker that might tip the investigators’ hand and send the perpetrators further underground, says Mikko Hypponen, chief research officer at F-Secure and a member of the Conficker Working Group.
A Forensic Look
When Hypponen submitted the abstract for his Black Hat briefing more than six months ago, he thought he’d be presenting a forensic look at a dead worm and that the team who had written and managed it would be out of action. “I had hoped that by the end of July we would be in a totally different situation, the case would be closed and the group would be in jail,” Hypponen said in an interview after his talk.
Critical Information
His official line was that he was asked last week not to reveal critical information that might help prolong Conficker’s reign over millions of computers and inhibit the ongoing criminal investigation. “So I will end my presentation here,” Hypponen said at the conclusion of his Black Hat session. “Thank you very much. I will not be taking any questions.”
Holding Back
Hypponen said afterwards that he wasn’t forced to curtail his remarks (Black Hat has been the site of numerous speech-blockings and speech-blocking attempts, including that of a researcher Cisco sued because he was to reveal a flaw in the company's IOS code). Rather, Hypponen had already realised that it made sense to hold back some of what the working group has found out. “It’s better to keep them in the dark about what is known,” he says.
Agility and Precision
Given the agility and precision with which Conficker alters its tactics, Hypponen doesn’t rule out that the Conficker Working Group itself might have been infiltrated by Conficker operatives.
He wouldn’t say how close he thinks authorities are to bringing down the group, but did say there is an indication that it is based in the Ukraine. Some techniques used in Conficker match those used in an earlier worm, which might mean the same people were behind both.
Ukrainian Police
That earlier worm avoided propagating to machines in the Ukraine, which might mean that the group is based there and was trying to avoid committing a local crime to keep Ukrainian police off their backs, Hypponen says.
Technical Sophistication
During his talk Hypponen outlined some of Confickter’s technical sophistication. In one version change – the worm has gone through five major revisions – the worm adopted the MD-6 cryptographic hash algorithm. Investigators estimate that MD-6 was only a month or so old when it was incorporated in Conficker, making the worm one of the earliest implementations of MD-6, he says.
Buffer Overflow
The next major revision of Conficker patched an MD-6 buffer-overflow vulnerability that was publicly announced about six weeks earlier, which means the criminals keep themselves in the loop with the latest advances, he says. (The patch they used was identical to the one issued by MD-6 creators.)
Disables Infected Machines
The worm avoids sending itself to domains owned by members of the Conficker Working Group, and it disables infected machines so they can’t reach sites where they might seek help.
F-Secure Help Site
Hypponen’s company set up a help site with a different domain name from its regular business site that included the term F-secure, and the next version of Conficker blocked it. The company changed the term to Fsecure with no hyphen, and the next revision blocked that, too, he says.
The worm had been propagating to eight top level Internet domains and the working group mustered enough cooperation to shut it down in all those domains, Hypponen says. The next version propagated to 116 domains, he says.
Strategy Weak
“These guys are very good in cryptography and code development,” he says, but maybe not so good about strategy, given the attention they drew to themselves. “They didn’t know better than to infect 10 million computers in a couple of days.” The goal of any botnet ought to be to remain hidden, not draw attention to itself, he says.
“They might have experience in another crime business but hadn’t run a botnet before. If they were more experienced, they’d know better.”
The Malady Lingers on
It would make sense, Hypponen says, for the Conficker gang to abandon its current botnet and build a new one that doesn’t get too big too fast and doesn’t draw a team of experts to fight it. “Maybe they already have,” he says.
No comments:
Post a Comment