Security Worms

Has Conficker Been Abandoned By Its Authors?

darthcamaro writes "Remember Conficker? April first doom and gloom and all? Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master command and control. Speaking at the Black Hat/Defcon Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, was told not to talk in detail about the Conficker gang — the problem is that not all researchers were under the same gag order. Just ask Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, who says 'The Conficker botnet is autonomous; that is very strange in itself that they made Conficker replicate by itself. Now it seems like the authors have abandoned the project, but because it is autonomous, it can do whatever it wants and it keeps on trying to find new hosts to infect.'"
  • Skynet... (Score:5, Interesting)

    by Matheus ( 586080 ) on Monday August 03, 2009 @11:15AM (#28927793) Homepage

    It really is exciting watching a new life form as it stretches its legs!

  • Re:Skynet... (Score:2, Interesting)

    by Anonymous Coward on Monday August 03, 2009 @12:25PM (#28928993)

    Here is the real skynet [wikipedia.org]

  • No! It's a trap (Score:2, Interesting)

    by mcfatboy93 ( 1363705 ) on Monday August 03, 2009 @12:33PM (#28929145) Homepage

    Sure, Admiral Ackbar.

    Some other hackers will eventually update it later, after all the fear, panic, and media coverage has gone down.

  • by Delwin ( 599872 ) * on Monday August 03, 2009 @12:37PM (#28929197)

    There's a difference between a botnet and a virus. Botnet is the payload, virus is the delivery system.

    Also a headless botnet could be taken over by a new master if they can figure out how.

  • by Wrath0fb0b ( 302444 ) on Monday August 03, 2009 @12:52PM (#28929445)

    Also a headless botnet could be taken over by a new master if they can figure out how.

    I hope to god that the master control uses some form of public/private key. In that case, I'm going to wager that if the key were lost, the botnet is basically on autopilot forever.
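
What Wrath0fb0b describes (and the "new master" question Delwin raises) is the same mechanism as code signing in a software updater: the nodes ship with only a public key, so a command is accepted only if it verifies under that key. The following is an added example, not code from this thread or from any Conficker analysis; it uses Ed25519 from Go's standard library, generates throwaway keys on the fly, and the sequence-number replay check is an extra practitioner caveat that the comment does not mention. The payloads and the `Controller`/`Node` names are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// SignedCommand is a command body with a detached Ed25519 signature.
// Body layout: 8-byte big-endian sequence number, then the payload.
type SignedCommand struct {
	Body []byte
	Sig  []byte
}

// Controller is the only party holding the private key.
type Controller struct {
	priv ed25519.PrivateKey
	seq  uint64
}

// Issue signs a payload under the next sequence number.
func (c *Controller) Issue(payload []byte) SignedCommand {
	c.seq++
	body := make([]byte, 8+len(payload))
	binary.BigEndian.PutUint64(body, c.seq)
	copy(body[8:], payload)
	return SignedCommand{Body: body, Sig: ed25519.Sign(c.priv, body)}
}

// Node holds only the public key, baked in at build time; it cannot sign.
type Node struct {
	pub     ed25519.PublicKey
	lastSeq uint64
}

var (
	ErrBadSignature = errors.New("rejected: signature does not verify under the baked-in public key")
	ErrReplay       = errors.New("rejected: sequence number not newer than last accepted")
	ErrMalformed    = errors.New("rejected: body too short")
)

// Accept verifies the signature first, then the sequence number, and
// only then hands the payload back to the caller.
func (n *Node) Accept(cmd SignedCommand) ([]byte, error) {
	if len(cmd.Body) < 8 {
		return nil, ErrMalformed
	}
	if !ed25519.Verify(n.pub, cmd.Body, cmd.Sig) {
		return nil, ErrBadSignature
	}
	seq := binary.BigEndian.Uint64(cmd.Body[:8])
	if seq <= n.lastSeq {
		return nil, ErrReplay
	}
	n.lastSeq = seq
	return cmd.Body[8:], nil
}

// NewPair generates a fresh key pair (constructed for the example): the
// controller gets the private half, the node gets only the public half.
func NewPair() (*Controller, *Node, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Controller{priv: priv}, &Node{pub: pub}, nil
}

// Scenario runs the cases the comments above are about and reports the
// node's verdict for each one (nil means accepted).
func Scenario() (map[string]error, error) {
	ctrl, node, err := NewPair()
	if err != nil {
		return nil, err
	}
	results := map[string]error{}

	// 1. Genuine command from the key holder: accepted.
	genuine := ctrl.Issue([]byte("update"))
	_, results["genuine"] = node.Accept(genuine)

	// 2. The same command presented again: valid signature, but a replay.
	_, results["replay"] = node.Accept(genuine)

	// 3. Body altered in transit: the signature no longer verifies.
	tampered := ctrl.Issue([]byte("update"))
	tampered.Body[len(tampered.Body)-1] ^= 0x01
	_, results["tampered"] = node.Accept(tampered)

	// 4. A would-be new master with its own key pair: rejected, because
	//    the node trusts only the original public key.
	other, _, err := NewPair()
	if err != nil {
		return nil, err
	}
	_, results["other_key"] = node.Accept(other.Issue([]byte("update")))

	// 5. Once the private key is gone (zeroed here), the original
	//    controller can no longer produce anything the node accepts.
	for i := range ctrl.priv {
		ctrl.priv[i] = 0
	}
	_, results["key_lost"] = node.Accept(ctrl.Issue([]byte("update")))

	return results, nil
}

func main() {
	results, err := Scenario()
	if err != nil {
		panic(err)
	}
	for name, verdict := range results {
		fmt.Printf("%-10s -> %v\n", name, verdict)
	}
}
```

Cases 4 and 5 are the two sides of the comment: whoever holds the public key alone, researchers and rival operators alike, gets `ErrBadSignature`, and once the private key is lost so does the original author. The replay check (case 2) matters in the defensive version of this design too: a signed update captured once must not stay valid forever.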

  • Re:What? (Score:2, Interesting)

    by ILuvRamen ( 1026668 ) on Monday August 03, 2009 @12:53PM (#28929463)
    That actually makes a hell of a lot more sense than someone just saying "I'm bored, let's do something else" and giving a 5 million computer botnet up. I mean come on, what are they, insane?! That's like the computer criminal version of buying an Italian sports car and then driving it into a lake on purpose. You just don't do that once you finally have one. This article is just stupid beyond words! There is no way in hell it was just "given up." The person behind it either died or is feeling some serious heat from people trying to catch them.
  • by Thantik ( 1207112 ) on Monday August 03, 2009 @12:57PM (#28929507)
    I could have sworn (correct me if I'm wrong) that Conficker's instruction set usually downloaded encrypted instructions from certain web servers. Certainly it's possible that they lost control of it instead of abandoned it. (Not in the Skynet way.) I could imagine that if instructions weren't sent past a point in time, that the encryption it used was wrong, or possibly even corrupted at some point.
  • by MindStalker ( 22827 ) on Monday August 03, 2009 @12:58PM (#28929525) Journal

    7) Feds are monitoring connections to the bot net and attempts to master connect to it will be traced.
    Also, even if the Feds didn't create it, I'm sure they have figured it out to the point that it certainly can be controlled by our government.

  • by John Hasler ( 414242 ) on Monday August 03, 2009 @01:35PM (#28930117) Homepage

    Or, more likely yet, a typical security bug that can be exploited to bypass the authentication.

  • Re:What? (Score:3, Interesting)

    by Vu1turEMaN ( 1270774 ) on Monday August 03, 2009 @02:45PM (#28931273)

    You misunderstood my intent of the statement.

    The virus was the original, and it was quite badass according to the world. But before it could accomplish whatever goals its creators had in mind, copycats came up and used it for other purposes (research, DDOS, etc).

    In reality the creator hasn't been utilizing it, because the rest of the world has been hijacking it for their own purposes, and the original intent of the virus will most likely never be known to the public.

    It's very similar. 'Cept Section 9 took care of this one earlier.

  • by Magic5Ball ( 188725 ) on Monday August 03, 2009 @03:17PM (#28931677)

    Of course, you knew that some malware will patch their host to retain exclusive access by preventing infection by other malware, right? Depending on what the "few petty IRC-bot infections" consisted of, you may have had a reasonably well inoculated machine protected by someone with an active interest in preventing further infections, especially against well-publicized vectors as were contained in Conficker.

  • by Anonymous Coward on Monday August 03, 2009 @07:02PM (#28934321)

    Yeah, I have a funny anecdote to second this:

    After Conficker came out, I tested how well Symantec did with detecting a Metasploit MS08-067 exploitation. (The vulnerability Conficker exploits)

    It turned out that neither the AV client itself detected a VNC dll upload (and thus me controlling the attacked machine via a GUI), nor did Symantec's Proactive Threat Protection (a Host IPS engine) detect or prevent the exploitation.

    So I called Symantec about it, and the technician I got on the phone explained to me that since Metasploit was a legitimate penetration testing tool, it was whitelisted.

    Of course I got angry and tried to explain that even if it might have its legitimate purposes, there still was the concern that any worm author could simply take the Metasploit code and embed it in his own creation.

    The Symantec employee then told me that he was not aware of a single instance where such a thing would ever have happened, not in his entire career as an AV expert. Back then on the phone with the Symantec guy I had no internet access with me but told him that I was pretty confident that this has very well happened in the past.

    So shortly after the phone call I googled a bit and in an instant found that Conficker itself uses the Metasploit MS08-067 code!

    So I wrote that to Symantec and they did answer me the following (paraphrased): Symantec's Proactive Threat Detection (aka HIPS) is not designed to prevent the exploitation of unpatched services; I should instead apply the patch...

    Well... they revised their opinion after I asked for the official permission to publish those hilarious statements which I have done hereby anyhow :-)

    Scary, isn't it? But nah, Symantec did not write Conficker.

    Oh, and a few days later they detected and prevented the Metasploit attack.

    P.S. I am writing as AC not because Symantec could know who I am; they can find that out anyway. I am writing as AC so Symantec does not get to correlate my real name with my Slashdot account.
