Forgot your password?
typodupeerror
Security Worms

Has Conficker Been Abandoned By Its Authors? 174

Posted by CmdrTaco
from the don't-leave-me-daddy dept.
darthcamaro writes "Remember Conficker? April first doom and gloom and all? Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master command and control. Speaking at the Black Hat/Defcon Hat security conference in Las Vegas, Mikko Hypponen, chief research officer at security firm F-Secure, was told not to talk in detail about the Conficker gang — the problem is that not all researchers were under the same gag order. Just ask Roel Schouwenberg, senior anti-virus researcher at security firm Kaspersky, who says 'The Conficker botnet is autonomous; that is very strange in itself that they made Conficker replicate by itself. Now it seems like the authors have abandoned the project, but because it is autonomous, it can do whatever it wants and it keeps on trying to find new hosts to infect.'"
This discussion has been archived. No new comments can be posted.

Has Conficker Been Abandoned By Its Authors?

Comments Filter:
  • It probably got sick of the old masters and kicked them out.
    • Re:What? (Score:4, Funny)

      by rascanban (732991) on Monday August 03, 2009 @11:16AM (#28927811) Homepage Journal
      Strength is irrelevant. Resistance is futile. We wish to improve ourselves. We will add your biological and technological distinctiveness to our own. Your culture will adapt to service ours.
      • you mean it's self aware?
      • So it's a Stand Alone Complex?

        Shit....

        • Re:What? (Score:5, Insightful)

          by sabernet (751826) on Monday August 03, 2009 @02:16PM (#28930835) Homepage

          Watch the series again. S.A.C. has nothing to do with a virus becoming self aware. It's actually a collective of individuals who believe to be acting autonomously but, in reality, are all following a pattern mimicking individual intent by a single entity.

          The Laughing Man was originally a single hacker, but once he stopped his activities, a group of others took it from there and their actions collectively created another Laughing Man.

          It's basically digital gestalt-ism combined with neural networking where each human is a node in the larger network without being aware of the whole.

          Sort of like 4chan, but much less horrible ;)

          • by tnk1 (899206)

            Hey, could someone lend me their copy of the Conficker Manifesto? I lost mine somewhere.

          • Re: (Score:3, Interesting)

            by Vu1turEMaN (1270774)

            You misunderstood my intent of the statement.

            The virus was the original, and it was quite badass according to the world. But before it could accomplish whatever goals its creators had in mind, copycats came up and used it for other purposes (research, DDOS, etc).

            In reality the creator hasn't been utilizing it, because the rest of the world has been hijacking it for their own purposes, and the original intent of the virus will most likely never be known to the public.

            Its very similar. Cept Section 9 took car

          • Sort of like 4chan, but much less horrible ;)

            Hey, they harass the xenufreaks when they aren't harassing 14 year old webcam chicks - they can't be all bad.

      • Re:What? (Score:5, Funny)

        by Seumas (6865) on Monday August 03, 2009 @02:59PM (#28931453)

        Maybe Alan Cox can step in as maintainer, now that he has a little free time off his TTY maintainer position?

    • Translated: (Score:5, Insightful)

      by winkydink (650484) * <sv.dude@gmail.com> on Monday August 03, 2009 @12:23PM (#28928949) Homepage Journal

      We have no idea who is behind this or what they intend to do so we will continue with wild-ass speculation in order to keep our companies in the news.

      • Re:Translated: (Score:5, Insightful)

        by Austerity Empowers (669817) on Monday August 03, 2009 @01:07PM (#28929639)

        We have no idea who is behind this or what they intend to do so we will continue with wild-ass speculation in order to keep our companies in the news.

        Which may be exactly what the virus was designed to do: infect as many people as possible in detectable ways, and keep the industry going!

        • Re:Translated: (Score:4, Insightful)

          by sanosuke001 (640243) on Monday August 03, 2009 @01:33PM (#28930089)
          Conficker: Brought to you by Symantec
          • by d3m0nCr4t (869332) on Monday August 03, 2009 @01:46PM (#28930373)
            Nah, it works to good to be written by Symantec... ;)
            • by Anonymous Coward on Monday August 03, 2009 @07:02PM (#28934321)

              Yeah, I have a funny anecdote to second this:

              After Conficker came out, I tested how well Symantec did with detecting a Metasploit MS08-067 exploitation. (The vulnerability Conficker exploits)

              It turned out that neither the AV client itself detected a VNC dll upload and thus me contolling the attacked machine via a GUI nor did Symantecs Proactive Threat Protection (a Host IPS engine) detect or prevent the exploitation.

              So I called Symantec about it and the technician I got on the phone explained me that since Metasploit was a legitimate penetration testing tool, it was whitelisted.

              Of course I got angry and tried to explain that even if it might have its legitimate purposes, there still was the concern that any worm author could simply take the Metasploit code and embed it in his own creation.

              The Symantec employee then told me that he was not aware of a single instance where such a thing would ever have happened, not in his entire career as an AV expert. Back then on the phone with the Symantec guy I had no internet access with me but told him that I was pretty confident that this has very well happened in the past.

              So shortly after the phone call I googled a bit and in an instant found that Conficker itself uses the Metasploit MS08-067 code!

              So I wrote that to Symantec and they did answer me the following(paraphrased): Symantecs Proactive Threat Detection (aka HIPS) is not designed to prevent the exploitation of unpatched services, I should instead apply the patch...

              Well... they revised their opinion after I asked for the official permission to publish those hilarious statements which I have done hereby anyhow :-)

              Scary, isn't it? But nah, Symantec did not write Conficker.

              Oh, and a few days later they detected and prevented the Metasploit attack.

              p.s. I am writing as AC not because Symantec could know who I am, they can find that out anyways. I am writing as AC so Symantec does not get to correlate my real name with my SlashDot account.

            • Re: (Score:3, Funny)

              by drinkypoo (153816)

              Nah, it works to good to be written by Symantec... ;)

              I was thinking that the surest sign it is not from Symantec is that it is too easy to remove.

    • Re: (Score:3, Insightful)

      by Opportunist (166417)

      Not as impossible and funny as it might appear. Imagine a HD crash and no backup of the keys to issue new commands. :)

      But it could just as well be kept dormant 'til it's out of the news... if Sasser taught us anything, it's that self replicating aggressive worms WILL survive and continue to pose a threat, even years after the last version has been found by every AV tool.

      • Re: (Score:2, Funny)

        by maxwell demon (590494)

        Not as impossible and funny as it might appear. Imagine a HD crash and no backup of the keys to issue new commands. :)

        I didn't know that a HD crash can also take out the keyboard. Also I didn't know that you are supposed to make backups of your keys. I always thought just buying a new keyboard would work. :-)

        [Note: Yes, I did understand that cryptographic keys were meant. I just couldn't resist the opportunity of the joke.]

        • Re: (Score:3, Funny)

          by Anonymous Coward
          Next time, please do us all a favor, and resist.
        • Buying a new keyboard is moot if your keys are gone. Besides, I do fine without one, I just put my key on my underwear and that's how I find it again, and NOBODY else would willingly dig through that so they're safe too!

          Keyboards... fffft showoff, what's next, table napkins?

        • Wait... I need to run out and patent the niche market missed in this patent. I'll make millions in lawsuits!

          Abstract

          A method of swing on a swing is disclosed, in which a user positioned on a standard swing suspended by two ropes from a substantially horizontal bar other than a tree induces side to side motion by pulling alternately on one rope and then the other.
    • Re: (Score:2, Interesting)

      by ILuvRamen (1026668)
      that actually makes a hell of a lot more sense than someone just saying "I'm bored, let's do something else" and giving a 5 million computer botnet up. I mean come on, what are they, insane?! That's like the computer criminal version of buying a buying an italian sports car and then driving it into a lake on purpose. You just don't do that once you finally have one. This article is just stupid beyond words! There is no way in hell it was just "given up." The person behind it either died or is feeling
      • Re: (Score:3, Insightful)

        by osu-neko (2604)

        that actually makes a hell of a lot more sense than someone just saying "I'm bored, let's do something else" and giving a 5 million computer botnet up. I mean come on, what are they, insane?! That's like the computer criminal version of buying a buying an italian sports car and then driving it into a lake on purpose. You just don't do that once you finally have one. This article is just stupid beyond words! There is no way in hell it was just "given up." The person behind it either died or is feeling some serious heat from people trying to catch them.

        This shows an immense failure of imagination. Just off the top of my head, maybe the developed something better. Maybe they've found something more profitable to do. If you spend more than two seconds, I'm sure you too can think of other alternatives. And you're apparently calling it "insane" and/or "immensely stupid" to not fall for the sunk costs fallacy. It doesn't matter how much time or effort they sunk into it making it. If the continued costs of running that car are too much, if you aren't a vi

        • In Soviet Union, you are being walked away....
          All this assumes the authors voluntarily left the network alone, it's also quite feasible that one of the 5 million "pwned" took decisive action, or that they just got pulled over with 2 pounds of weed and are taking an extended state sponsored vacation.
    • Yeah.... I'm pretty sure I've seen this on X-Files.
  • Skynet... (Score:5, Interesting)

    by Matheus (586080) on Monday August 03, 2009 @11:15AM (#28927793) Homepage

    It really is exciting watching a new life form as it stretches its legs!

  • by eldavojohn (898314) * <eldavojohn@gmFREEBSDail.com minus bsd> on Monday August 03, 2009 @12:20PM (#28928909) Journal

    Well apparently after infecting over five million IP addresses, it's now an autonomous botnet working on its own without any master ...

    Hmmm, sounds like its authors should have spent more time on their Torgo routine [wikia.com]. You know, the bit of code that takes care while the master is away.

    <Torgo>The master would not approve; he likes you ... but the master would ... not approve.</Torgo>

  • At which point it should have control of everything, and be able to take over.

  • by gbjbaanb (229885) on Monday August 03, 2009 @12:27PM (#28929033)

    Possible scenarios:

    1. they've been busted for something else and are now in gaol. Conficker patiently bides its time waiting for the stars to be right and its dark master(s) to be freed.

    2. they've given up on that crappy little botnet and are working busily on a new, much stronger, more powerful one.

    3. It was never invented by Russian mobsters, but by the Bush administration, intending to hack all the voting machines and deliver unto George a third term.

    4. someone forgot their password, it was written on a little post-it by the monitor, which was vacuumed up by their mum when she did some spring cleaning.

    5. The inventors had their fun with Microsoft and the internet, but now they've discovered girls and beer.

    • Re: (Score:3, Interesting)

      by MindStalker (22827)

      7) Feds are monitoring connections to the bot net and attempts to master connect to it will be traced.
      Also even if the Feds didn't create it, I'm sure we they have figured it out to the point that it certainly can be controlled by our government.

      • by gbjbaanb (229885)

        I guess 6 was something to do with the NSA and their mind control rays, but they had it censored before you had even typed your post. :)

    • by db32 (862117)
      I can't decide between 3 and 5 for the least likely explanation.
      • by Culture20 (968837)

        I can't decide between 3 and 5 for the least likely explanation.

        3. "And in the contest between Y and Z, the winner is... The current office holder, X, by a landslide write-in vote!" I think people would notice that. Which makes me wonder, does Bart Simpson still get a good write-in following?

        • by db32 (862117)
          Yes, but the question is, are the bot owners really more likely to have hooked up with women than Bush trying to steal an election?
    • by TheRaven64 (641858) on Monday August 03, 2009 @01:03PM (#28929587) Journal
      4 sounds the most likely. As I recall from reading about the worm, it uses several layers of protection to identify the controller. A hard drive crash might cause the author to lose the private key, at which point no one can control the botnet without first breaking AES.
    • by rednip (186217)
      How about 8) Conficker got too big, and commercial uses as a group became too risky; Instead it's a recruitment tool for a smaller botnets.
    • Re: (Score:3, Funny)

      by Narnie (1349029)
      9. Little David Lightman realized his HelloWorld script was a bit out of control and turned off his computer. Should have stayed with WarGames. [imdb.com]
    • by daniel23 (605413)

      6. The confikkr botnet shows more or less the same behaviour taht the US, russian etc nuclear armadas display: growing constantly, but besides that not much action.
      This is not a coincidence. The botnet exists for the very same reason - to counterbalance some other governments cyber warfare structures.

  • by PrimaryConsult (1546585) on Monday August 03, 2009 @12:28PM (#28929041)
    from any other virus? Last I checked, any effective virus has a mechanism to spread/replicate by itself, whether to other IPs on the same subnet or via AIM or USB drives or what have you. In April and may I scanned my network of ~8500 completely user-controlled machines and found a grand total of 4 confirmed infected. The IRC bots spread via AIM links were more prevalent.
    • by Delwin (599872) * on Monday August 03, 2009 @12:37PM (#28929197)
      There's a difference between a botnet and a virus. Botnet is the payload, virus is the delivery system.

      Also a headless botnet could be taken over by a new master if they can figure out how.
      • by FudRucker (866063)
        would that make conficker a hybrid? a viral botnet?
        • by Delwin (599872) *
          Would you call a missile a hybrid? It has a delivery system (thruster, guidance system, etc) and a payload (explodie part). You can replace that explodie part with a nuclear, biological, or chemical warhead... or with a satellite that you use that ICBM launch system to put into low earth orbit.

          Conflicker is the payload, not the delivery system.
      • Re: (Score:3, Interesting)

        by Wrath0fb0b (302444)

        Also a headless botnet could be taken over by a new master if they can figure out how.

        I hope to god that the master control uses some form of public/private key. In that case, I'm going to wager that if the key were lost, the botnet is basically on autopilot forever.

        • Unless someone else finds a weakness in the encryption algorithm or, more likely, the key generation algorithm.
          • Re: (Score:3, Interesting)

            by John Hasler (414242)

            Or, more likely yet, a typical security bug that can be exploited to bypass the authentication.

        • by cgenman (325138)

          I'd wager dollars to doughnuts that thousands of people have tried to take this beast over in the past few years. If it hasn't happened yet, I can't see the floodgates suddenly opening.

          • Re: (Score:2, Insightful)

            by Magic5Ball (188725)

            > thousands of people have tried to take this beast over in the past few years

            Which groups of timelines are you from? For most of us, Conficker is not even one Earth year old.

    • by nurb432 (527695)

      Shhhh stop making sense, it hurts ratings.

  • Locked out? (Score:5, Funny)

    by dickens (31040) on Monday August 03, 2009 @12:29PM (#28929095) Homepage

    I wonder if they just managed to lock themselves out, so they can't control it.

    Either that or someone walked in front of a beer truck.

    • They just thought that having to type your password twice to verify when you change it was stupid and redundant. They left that feature out of their code. then they fat-fingered the keys.

    • Have there been any relevant arrests recently? Maybe the controllers are behind bars or otherwise caught up in real-life problems. Maybe they decided the worm got a little too well known and thought better of trying to do anything with it for fear of getting caught.
  • Whaticker? (Score:3, Funny)

    by CarpetShark (865376) on Monday August 03, 2009 @12:31PM (#28929119)

    Remember Conficker? April first doom and gloom and all?

    Not really. I use Linux. What was it you were worried about again?

    • Call them "virile overlords". Perhaps they will show us mercy . . .
      • Re: (Score:3, Funny)

        by gurps_npc (621217)
        I for one would far prefer an overload that needs Viagra over one that is virile. Cut's down on the pain, significantly.
  • No! its a trap (Score:2, Interesting)

    by mcfatboy93 (1363705)

    sure admiral ackbar.

    some other hackers will eventually update it later after all the fear, panic, and media coverage has gone down

  • now they all have abandonware/ vaporware

    • now they all have abandonware/ vaporware

      The Virus world has had vaporware for years.... I've yet to see that promised virus that would cause my computer to burst into flames...

  • by Lars T. (470328) <[moc.liamelgoog] [ta] [regearT.sraL]> on Monday August 03, 2009 @12:41PM (#28929271) Journal
    That's what happens when software isn't open - it gets abandoned and the users are screwed. Free Conficker now! Turn it over to the EFF!
    • by _Sprocket_ (42527)

      Do we really need GnuFicker?

      • Re: (Score:3, Funny)

        "Really, I'm not out to destroy Microsoft. Ha! Just kidding." -- Linus Torvalds, original author of Conficker

        "Conficker. An elegant weapon, for a more civilized age." -- RMS [xkcd.com]

        "...I've had enough. If you think that problem is easy to fix you fix it. Have fun." -- author unknown, found on the Conficker Developer's Mailing List

  • by Animats (122034) on Monday August 03, 2009 @12:42PM (#28929297) Homepage

    When enough users have been lulled into inaction and enough machines have been taken over, the enemy will strike. Meanwhile, the operators may be sending commands to specific PCs of interest. Security researchers might not be picking up commands targeted to only a few machines.

    Most anti-virus defense efforts assume the enemy is only marginally competent and has no strategic goal. It's clear from what's known about the Conflicker attack that the enemy is significantly more competent and better funded than those behind previous viruses. The Conflicker attack was updated frequently until it was deploying itself successfully despite defensive efforts. Once the attack continued to grow despite defensive efforts, the updates stopped. That's not loss of interest, that's operational art.

    This thing behaves like it has military tactical planning behind it.

    • Which military though? There seems to be no major military that could have done this and doesn't strike.
      • by Culture20 (968837)

        Which military though? There seems to be no major military that could have done this and doesn't strike.

        How about the ${YOURCOUNTRY} military? You assume the goal is to strike computers, and not to impress them into ${YOURCOUNTRY}'s service.

    • by Andy Dodd (701)

      Well, a lot of botnets have been theorized to have connections with Russian organized crime.

      Which probably got them connections to some disgruntled Russian ex-military types out of a job...

    • by Opportunist (166417) on Monday August 03, 2009 @01:06PM (#28929631)

      Actually, most AV researchers do take their "enemies" serious. Malware writers are competent. If only because they manage to use security holes which require quite a bit of intimate knowledge of the machines (and the OS) you try to infect.

      It's not a secret that most malware writers do have a goal by now: Money. The days of the pimple-faced kiddy sitting in the basement and, out of frustration of not getting laid, releasing some worm on the world. That's so 90s.

      What's right is that AV research usually targets the "mass market", at least when it comes to AV development. If you're working for strategic targets, you usually can't make a big speech out of it, neither military nor government nor financial services like you blabbing about how insecure their setup is. So any commands issued only to a small subset of the botnet would probably go unnoticed.

      While we're pissing in the wind anyway, allow me to add mine: How about this whole deal being a targeted attack, and they just waited for their designated target becoming infected.

    • Re: (Score:2, Insightful)

      by maxume (22995)

      Have there been any new worm enabling Windows vulnerabilities disclosed since Conficker was first noticed? Looking around a little, there have been more non-worm remote exploits than I care to sort through; the worm/non-worm distinction I am drawing is that a worm enabling vulnerability doesn't require any action on the client.

      The quiet period could simply be a result of nothing new to add.

  • In a panic, they tried to pull the plug.

  • I could of swore (correct me if I'm wrong) that conficker's instruction set usually downloaded encrypted instructions from certain web servers. Certainly it's possible that they lost control of it instead of abandoned it. (Not in the skynet way) I could imagine that if instructions weren't sent past a point in time, that the encryption it used was wrong, or possibly even corrupted at some point.
    • by gad_zuki! (70830) on Monday August 03, 2009 @01:34PM (#28930093)

      The idea with conficker was that it would generate thousands of websites and contact them for payload instructions. The security community registered a lot of these sites in advance, so it may be the case that these things are always trying to phone home but no one is answering.

      I also imagine that ISPs are blocking connections to servers they have identified as conficker controllers.

      My understanding is that theres some p2p aspect too, but it may not be operational. Heck, getting legitimate p2p working on a residential connection is a pain, let alone a known illegitimate one. Again, Im guessing most ISPs are blocking this somehow.

      So the botnet may be up and running, but it cannot contact its masters. Eventually these PCs will be replaced or reimaged and conficker will be a statistical blimp a year from now.

      • Re: (Score:3, Funny)

        by DMUTPeregrine (612791)
        A statistical blimp, eh? Sailing serenely over the countryside, counting and comparing, picking out trends among the populace below...
  • It will go away on its own some day. We got rid of most Windows 3.11 computers, we'll get rid of most Windows XP computers, etc. It will run out of food soon and a bot-net that can't adapt its self (lucky us, huh?) to other operating systems will go away. We still have Blaster and some of its friends, but maybe the people that do deserve it, because 100% backwards compatibility is a PITA for software engineers. Maybe we should leave Conflicker where it is for the sake of software evolution.

  • 1. Create autonomous botnet
    2. Nap
    3. ???
    4. Profit
  • Then I suppose we should be expecting a new virus/botnet to be built soon. So that they can hack the key to the old botnet :)
    And if they attach pretty screensaver showing computations in real time, users probably will sign up voluntarily

  • Please... (Score:4, Funny)

    by Keyper7 (1160079) on Monday August 03, 2009 @02:01PM (#28930609)
  • ...until NOW!

    Because today, my dream of a bot model that can infect all known botnets became true!
    I call them lolbots, because of the fun I will have with them, because In Ex Soviet Russia, botnets are attacked by ME!

    Now go forth my little botsies. And if they do not sing our song... blow them into little bits... *sings a children's melody* Mmmm. Mmhh-*hmmm* mmmhh hmm-mmm

    *MUHAHAHAHAHAAAA*
    *pets the white long-haired cat*

  • by Runaway1956 (1322357) on Monday August 03, 2009 @02:27PM (#28931011) Homepage Journal

    The real news is that Conficker has evolved, intellectually, beyond the intellect of it's creators. Singularity/Cornfucker has arrived, disguised as a botnet!

  • Oh great!!! (Score:2, Funny)

    by Theodore (13524)

    That's all we need...
    An abandoned, horny bot-net with extreme daddy-issues.
    That ALWAYS ends well.

  • Unless its an AI, no it cant. Its still locked into its original programming.

    I doubt its 'on its own' and its owners are just laying low, but if it is on its own, and its got built in AI, we are screwed.

  • Somewhere there's a hackers going "I *KNEW* I needed to write down that password!!!"

    Pug

  • FTFA:

    The multi-vendor Conficker Working Group is currently making sure that no one can take over the botnet from a command and control point of view, according to Schouwenberg.

    Who is behind Conficker and what do they want? That's one question that Hypponen wanted to talk about but wasn't permitted to do so.

    I would guess that the Good Guys have been actively trying to interfere with conficker, more than just preventing the botnet getting hijacked.

    I believe there is a real possibility they have sucessfully shut out the original controllers. However all they may have been able to do is to 'break' the botnet so nobody control it.

Never trust an operating system.

Working...