NetAtlantic has a
written by Mark Bowden regarding the history of the Conficker worm. It really is a fascinating article, and if you never read any of my offsite links and you haven’t yet read it elsewhere, you definitely want to take the time to read this one. It illustrates the complexity of the Conficker worm, the efforts to stop it, and why it is so difficult to defeat.
I just can’t resist posting a few excerpts:
Imagine your computer to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it
Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses. Ensconced securely inside, he silently sets himself up as the ship’s alternate commander.
The [Conficker] worm itself was exquisite. It consisted of only a few hundred lines of code, no more than 35 kilobytes—slightly smaller than a 2,000-word document. In comparison, the average home computer today has anywhere from 40 to 200 gigabytes of storage. Unless you were looking for it, unless you knew how to look for it, you would never see it. Conficker drifts in like a mote.
Here’s where things get
Analysts with Conficker B isolated in their sandboxes could watch it regularly call home and receive a return message. The exchange was encrypted… Rivest’s proposal for the new [encryption] standard, MD-6 (Message Digest–6), was submitted in the fall of 2008, about a month before Conficker first appeared, and began undergoing rigorous peer review—the very small community of high-level cryptographers worldwide began testing it for flaws.
Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”
So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest’s proposal for SHA-3, the cabal’s collective mind was blown.
The plot thickened—it turned out that Rivest’s proposal, MD-6, had a flaw. Cryptologists in the competition had duly gone to work trying to crack the code, and one had succeeded. In early 2009, Rivest quietly withdrew his proposal, corrected it, and resubmitted it. This gave the cabal an opening. If the original Rivest proposal was flawed, then so was the encryption method for Conficker B. If they were able to eavesdrop on communications between Conficker and its mysterious controller, they might be able to figure out who he was, or who they were. How likely was it that the creator of Conficker would know about the flaw discovered in MD-6?
Once again, the good guys had the bad guys in check.
About six weeks later, another new version of the worm appeared.
It employed Rivest’s revised
The entire article is a great read, and I learned a few things about Conficker. I hadn’t realized just how sophisticated it was. I came away with a couple of
This is, of course, speculation. And it illustrates just how sophisticated the problem of Conficker really is.