The Atlantic has a fantastic article written by Mark Bowden regarding the history of the Conficker worm.  It really is a fascinating article, and if you never read any of my offsite links and you haven’t yet read it elsewhere, you definitely want to take the time to read this one.  It illustrates the complexity of the Conficker worm, the efforts to stop it, and why it is so difficult to defeat.

I just can’t resist posting a few excerpts:

Imagine your computer to be a big spaceship, like the starship Enterprise on Star Trek. The ship is so complex and sophisticated that even an experienced commander like Captain James T. Kirk has only a general sense of how every facet of it works.

Now imagine a clever invader, an enemy infiltrator, who does understand the inner workings of the ship. He knows it well enough to find a portal with a broken lock overlooked by the ship’s otherwise vigilant defenses—like, say, a flaw in Microsoft’s operating platform. So no one notices when he slips in. He trips no alarm, and then, to prevent another clever invader from exploiting the same weakness, he repairs the broken lock and seals the portal shut behind him. He improves the ship’s defenses. Ensconced securely inside, he silently sets himself up as the ship’s alternate commander.

The [Conficker] worm itself was exquisite. It consisted of only a few hundred lines of code, no more than 35 kilobytes—slightly smaller than a 2,000-word document. In comparison, the average home computer today has anywhere from 40 to 200 gigabytes of storage. Unless you were looking for it, unless you knew how to look for it, you would never see it. Conficker drifts in like a mote.

Here’s where things get interesting:

Analysts with Conficker B isolated in their sandboxes could watch it regularly call home and receive a return message. The exchange was encrypted… Rivest’s proposal for the new [encryption] standard, MD-6 (Message Digest–6), was submitted in the fall of 2008, about a month before Conficker first appeared, and began undergoing rigorous peer review—the very small community of high-level cryptographers worldwide began testing it for flaws.

Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”

So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest’s proposal for SHA-3, the cabal’s collective mind was blown.

The plot thickened—it turned out that Rivest’s proposal, MD-6, had a flaw. Cryptologists in the competition had duly gone to work trying to crack the code, and one had succeeded. In early 2009, Rivest quietly withdrew his proposal, corrected it, and resubmitted it. This gave the cabal an opening. If the original Rivest proposal was flawed, then so was the encryption method for Conficker B. If they were able to eavesdrop on communications between Conficker and its mysterious controller, they might be able to figure out who he was, or who they were. How likely was it that the creator of Conficker would know about the flaw discovered in MD-6?

Once again, the good guys had the bad guys in check.

About six weeks later, another new version of the worm appeared.

It employed Rivest’s revised MD-6 proposal.

The entire article is a great read, and I learned a few things about Conficker.  I hadn’t realized just how sophisticated it was.  I came away with a few points:

  • Whoever is behind Conficker is a professional or group of professionals.

    You can’t write code this sophisticated on your own.  Like the article says, you and a bunch of buddies playing Xbox cannot get together over the weekend and crank out a worm that is this silent without some major initiative behind it.  It requires coordination, and you need serious programming skills to know the ins and outs of major operating systems and how network protocols work.
  • Whoever is behind Conficker is watching to see what anti-malware efforts are being done.

    It is no coincidence that when Microsoft published a security update for a previously undisclosed vulnerability, Conficker was exploiting that vulnerability only about a month later.  And when a new version of the worm came out, it used the most recent submission to a new hash-function standard (MD6 was Rivest’s candidate in the SHA-3 competition; it is a hash function rather than an encryption cipher, whatever the article’s wording).  And then it used the revised submission just a short time later!

    Like I said, this is not a weekend coding project.  You would have to actively keep up with the security space to implement this, and have the expertise to do it in such a short period of time.  This leads me to believe that the developers have had several years of background in the security space, know about anti-malware efforts, and keep close tabs on the public sites and forums dedicated to combating it.  This suggests to me that there is a team of people behind it.  The job of monitoring alone is a lot of work (I can barely handle it), and there would similarly need to be people in “sales and marketing” to handle the distribution of the payload.

    Yet the team could not be that large.  Microsoft has offered a bounty of $250,000 for information leading to the arrest of the people responsible for creating the worm.  The larger the team behind it, the greater the odds of discovery.  To me, this suggests that either a criminal organization is behind it or perhaps it is state sponsored and the authors are actively protected.  Whatever the case, staying obscure is one of the operators’ key layers of defense.
  • My guess is that Ukraine has something to do with it.

    If you get through the article, about a third of the way in they mention that earlier versions of the worm did not infect computers whose IP addresses were located in Ukraine.  Why is this?  Why is Ukraine so special?

    I have a couple of theories.  The first is that this is a professional courtesy: the original developers were located in Ukraine and did not want their home country to be exposed to it.  It’s kind of like rooting for the home team; infect everyone else’s computers but your own.

    Another theory is a spin-off of the first.  Perhaps it was driven more by pragmatism than by nationalism.  If the originators of the worm were located in Ukraine, it would make sense to have everyone else’s computer systems infected but not your own.  That way, if you ever lose control of the botnet, your home country is clean while everyone else is still infected; your own country’s computers are effectively immune to it.  That is quite handy, and it serves as a fallback in case you ever have to hand over the reins of the botnet to someone else.

    This is what makes it interesting to me.  We know historically that the Russian Business Network is centered in St. Petersburg, Russia.  But we also know that some really bad spammers located in Ukraine were involved with CarderPlanet and Shadowcrew, and some of the people involved in those are now involved in Ukrainian politics.  Is there a connection?  Possibly.  Perhaps the Ukrainian government (or, more likely, people in the Ukrainian government acting on their own behalf) commissioned the creation of the botnet using contacts they had in the cyber-criminal underworld.

    This is just guess-work and I have no evidence to support it.  All I have is knowledge that Ukraine was excluded… but I don’t know why.

This is, of course, speculation.  But it illustrates just how sophisticated the Conficker problem really is.