

Conficker in control
May 15, 2010 7:10 AM

A botnet with 6 to 12 million computers, employing the world's most sophisticated encryption and peer to peer communication lies waiting, but for what? When the Conficker computer “worm” was unleashed on the world in November 2008, cyber-security experts didn’t know what to make of it. It infiltrated millions of computers around the globe. It constantly checks in with its unknown creators. It uses an encryption code so sophisticated that only a very few people could have deployed it. For the first time ever, the cyber-security elites of the world have joined forces in a high-tech game of cops and robbers, trying to find Conficker’s creators and defeat them. The cops are failing. And now the worm lies there, waiting … [via Postroad's rich linkdump: Goodsh*t (nsfw)]

The basis for the highest-level modern ciphers is a public-key encryption method invented in 1977 by three researchers at MIT: Ron Rivest (the primary author), Adi Shamir, and Leonard Adleman. In the more than 30 years since it was devised, the method has been improved several times. The National Institute of Standards and Technology sets the Federal Information Processing Standard, which defines the cryptography algorithms that government agencies must use to protect communications. Because it is the most sophisticated oversight effort of its kind, the standard is determined by an international competition among the world’s top cryptologists, with the winning entry becoming by default the worldwide standard. The current highest-level standard is labeled SHA-2 (Secure Hash Algorithm–2). Both this and the first SHA standard are versions of Rivest’s method. The international competition to upgrade SHA-2 has been under way for several years and is tentatively scheduled to conclude in 2013, at which point the new standard will become SHA-3.

Rivest’s proposal for the new standard, MD-6 (Message Digest–6), was submitted in the fall of 2008, about a month before Conficker first appeared, and began undergoing rigorous peer review—the very small community of high-level cryptographers worldwide began testing it for flaws.

Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”

So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest’s proposal for SHA-3, the cabal’s collective mind was blown.

“It was clear that these guys were not your average high-school kids or hackers or predominantly lazy,” Joffe told me. “They were making use of some very, very sophisticated techniques.

“Not only are we not dealing with amateurs, we are possibly dealing with people who are superior to all of our skills in crypto,” he said. “If there’s a surgeon out there who’s the world’s foremost expert on treating retinitis pigmentosa, he doesn’t do bunions. The guy who is the world expert on bunions—and, let’s say, bunions on the third digit of Anglo-American males between the ages of 35 and 40, that are different than anything else—he doesn’t do surgery for retinitis pigmentosa. The knowledge it took to employ Rivest’s proposal for SHA-3 demonstrated a similarly high level of specialization. We found an equivalent of three or four of those in the code—different parts of it.

“Take Windows,” he explained. “The understanding of Windows’ operating system, and how it worked in the kernel, needed that kind of a domain expert, and they had that kind of ability there. And we realized as a community that we were not dealing with something normal. We’re dealing with one of two things: either we’re dealing with incredibly sophisticated cyber criminals, or we’re dealing with a group that was funded by a nation-state. Because this wasn’t the kind of team that you could just assemble by getting your five buddies who play Xbox 360 and saying, ‘Let’s all work together and see what we can do.’”
posted by caddis (69 comments total) 34 users marked this as a favorite

 
lies waiting, but for what?

Damn it, I knew I should have written down the crypto key for the control net!
posted by eriko at 7:12 AM on May 15, 2010 [5 favorites]


Probably to spread cat videos.
posted by Harry at 7:17 AM on May 15, 2010 [10 favorites]


I think it's the guys investigating the botnet that created it. The best way to make sure that you aren't caught is to be the investigator in charge of catching yourself.
posted by oddman at 7:18 AM on May 15, 2010 [2 favorites]


I think it's the guys investigating the botnet that created it.

That's reasonable. I also think they are probably aliens.
posted by odinsdream at 7:25 AM on May 15, 2010 [5 favorites]


I think it's the guys investigating the botnet that created it. The best way to make sure that you aren't caught is to be the investigator in charge of catching yourself.

CHUNG CHUNG
posted by availablelight at 7:27 AM on May 15, 2010 [24 favorites]


I think the people who are investigating the botnet are constructs of the botnet, which spread back in time to create itself. Fortunately, it cannot survive before the early 90s. To escape its fiendish nono-mind clutch, we must travel back to the 80s. That's right! It's Xanadu and Tron for everyone!
posted by GenjiandProust at 7:32 AM on May 15, 2010


This is an interesting article. Thanks caddis.
posted by mazola at 7:35 AM on May 15, 2010 [1 favorite]


The best way to make sure that you aren't caught is to be the investigator in charge of catching yourself.

And to have a Death Note notebook, to kill off anyone who gets too close.
posted by yeloson at 7:37 AM on May 15, 2010 [1 favorite]


A couple years back, I mentioned to some friends that I should put together a "Nice Guy" virus that would replicate itself around the internet, removing other worms from compromised machines, turning on Automatic Updates, maybe even checkdisking and defragging hard drives for its "victims", etc.

We were getting pretty gung ho about the idea until one of them pointed out that this would likely still be considered illegal and I'd probably wind up locked up for cyber-terrorism or something.
posted by JaredSeth at 7:44 AM on May 15, 2010 [7 favorites]


Slightly glad I have a Mac.
posted by ZeusHumms at 7:48 AM on May 15, 2010 [1 favorite]


At a single, precise moment, the bot will awaken and, in one fell swoop, Google will have indexed everything, everywhere.

Everything.

Everywhere.


Except for the Macs, of course.
posted by Thorzdad at 7:50 AM on May 15, 2010 [6 favorites]


The best way to make sure that you aren't caught is to be the investigator in charge of catching yourself.

YEAAAAAAAAAAAAAA
posted by neustile at 7:51 AM on May 15, 2010 [4 favorites]


One Protocol to rule them all, One Search Engine to find them,
One Internet to bring them all and in the darkness distract them with Farmville
posted by Brandon Blatcher at 8:09 AM on May 15, 2010 [11 favorites]


Slightly glad I have a Mac.

Oh, shit. Here we go.
posted by el_lupino at 8:12 AM on May 15, 2010 [2 favorites]


Not that I'm knocking you. Just that it'll bring a storm of HURF DURF MACS ARE VULNERABLE followed by counternotarguments followed by blah blah blah. I'm on a Mac, too.
posted by el_lupino at 8:14 AM on May 15, 2010


They're just waiting for when the Zombie Bot Army awakens.
posted by The Whelk at 8:19 AM on May 15, 2010


You don't need a nation state.

It would be possible to build such a thing within a large corporation without many of the people working on it realizing what they were working on, thinking they were making things to strengthen, say, an operating system. The project could be coordinated by a small number of people in the know.

As a matter of fact, there is one company which already works this way.

I guess the iPad really is the future of computing.
posted by jimfl at 8:28 AM on May 15, 2010 [8 favorites]


It's gotta be from China right?
posted by Bonzai at 8:28 AM on May 15, 2010


Slightly glad I have a Mac.

This might be a good time to mention my other virus idea, the "De-Smug-Look-ifier" Mac virus. It wouldn't even have to do any harm...it would just pop up a picture of Nelson from the Simpsons pointing at you every once in a while. No sound. The "HA HA!" would just be implied.

That one might be worth a short prison stint.
posted by JaredSeth at 8:33 AM on May 15, 2010 [8 favorites]


If you read the article, you'll find that it's likely not from China.
posted by Nelson at 8:33 AM on May 15, 2010


Time stamp for the Ultimate in Eponystericality: May 15, 2010, 8:33AM PDT
posted by oneswellfoop at 8:38 AM on May 15, 2010 [3 favorites]


HA HA!
posted by JaredSeth at 8:52 AM on May 15, 2010


A couple years back, I mentioned to some friends that I should put together a "Nice Guy" virus...

Sorry, it's already been done. See: Welchia.
posted by gemmy at 8:59 AM on May 15, 2010 [3 favorites]


While the inclusion of cutting-edge cryptography is interesting, quotes like "It uses an encryption code so sophisticated that only a very few people could have deployed it" are pure hyperbole.

Anyone with a subscription to Bruce Schneier's RSS feed (In order to learn that MD-6 existed) and basic knowledge of C (In order to integrate the reference implementation published by Rivest) could have put MD-6 in their program a short time after it was created.

They didn't even write their own MD-6 code, there was a bug in Rivest's reference code, which also existed in Conficker. This also shows why the people that made the worm are not good cryptographers - you don't use recently discovered algorithms because they are untested and might possibly contain security breaking flaws. Case in point, Rivest has withdrawn MD-6 from the SHA-3 because he felt he couldn't prove the algorithm was secure enough.
posted by ymgve at 9:05 AM on May 15, 2010 [33 favorites]


Anyone with a subscription to Bruce Schneier's RSS feed (In order to learn that MD-6 existed) and basic knowledge of C (In order to integrate the reference implementation published by Rivest) could have put MD-6 in their program a short time after it was created.

This. They're technically sophisticated, but not crypto researchers on a par with Rivest and others in that community. The author mistakes the size of the second tier of crypto-geeks, the camp followers of the top-tier researchers, who are smart enough to understand what's going on but not able to (or are disinclined to) compete.

My other nitpick with the author (who's generally pretty good about actually understanding what the security guys are telling him) is talking about MD-6 as an encryption method, implying that it's how Conficker communicates in an encrypted fashion. MD and SHA are hash algorithms. You don't use them to encrypt communications that are decrypted on the other end. Hash algorithms play a role in various encryption schemes as a cryptographic primitive (e.g., as part of a message you'd take a hash of the encrypted message and include that hash, encrypted with another algorithm, so that the receiver can verify that the message itself wasn't altered). Perhaps the author glossed over this, since the evolution of the use of MD-6 was the key point, but I'd like to know what, if any, encryption scheme conficker uses.
posted by fatbird at 9:20 AM on May 15, 2010 [3 favorites]


As a journalist friend recently said, news authors are necessarily dilettantes because they can't always write about a certain topic.

But, please, someone, somewhere, hire someone who knows computers to review articles like this, if not write them.
posted by tmcw at 9:30 AM on May 15, 2010


I'd like to know what, if any, encryption scheme conficker uses.

You are only saying that because you really wrote the thing in the first place and want to see how much THEY know about your creation.
posted by hippybear at 9:35 AM on May 15, 2010


Ah

To prevent payloads from being hijacked, variant A payloads are first SHA1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key. The payload is unpacked and executed only if its signature verifies with a public key embedded in the worm. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits.

This is reasonably sophisticated, but nothing cutting edge. RC4 as an encryption algorithm is decades old and generally considered insecure (though it's comparatively lightweight in performance terms, so might have been used for that reason). It was superseded by RC5 in the 90s, and RC6 was one of the finalists in the AES competition. Likewise, using a hash function for a digital signature with RSA as the asymmetric encryption algorithm is a decades-old scheme. None of this is bad cryptography, but we're well within the realm of standard practices here.

Though I suppose that, to the security researchers, this is an unparalleled height of execution in comparison to the Visual Basic 6 worms that made my life as an IT manager a living hell when the VP of Sales' assistant opened every goddamned email attachment she received, and some she borrowed from coworkers.
posted by fatbird at 9:36 AM on May 15, 2010
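
The hash-then-sign check quoted in the comment above (hash the payload, RC4-encrypt it under the hash, RSA-sign the hash, accept only what the embedded public key verifies), as an added example that is not part of the thread and is not the worm's code. Assumptions: the function names are hypothetical, the RSA keys are toy keys built from known Mersenne primes, the signature is textbook RSA without padding, and the key is SHA-1's 20-byte digest.

```python
import hashlib

def make_key(p, q, e=65537):
    """Toy RSA key (n, e, d) from two primes. Constructed for illustration only."""
    return p * q, e, pow(e, -1, (p - 1) * (q - 1))

# Constructed keys from Mersenne primes: the signer's key and an unrelated key.
PUBLISHER = make_key(2**127 - 1, 2**521 - 1)
OUTSIDER = make_key(2**89 - 1, 2**607 - 1)

def rc4(key, data):
    """Plain RC4: key scheduling, then XOR with the keystream."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) % 256
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) % 256
        j = (j + s[i]) % 256
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) % 256])
    return bytes(out)

def publish(payload, key):
    """Signer side: hash, encrypt under the hash, sign the hash with d."""
    n, _, d = key
    digest = hashlib.sha1(payload).digest()
    signature = pow(int.from_bytes(digest, "big"), d, n)
    return rc4(digest, payload), signature

def verify_and_unpack(ciphertext, signature, n, e):
    """Receiver side: holds only (n, e). Returns the payload or None."""
    recovered = pow(signature, e, n)
    if recovered >> 160:              # not a 160-bit value: wrong key or forged
        return None
    digest = recovered.to_bytes(20, "big")
    payload = rc4(digest, ciphertext)  # the signed hash doubles as the RC4 key
    if hashlib.sha1(payload).digest() != digest:
        return None                    # payload altered after signing
    return payload

def demo():
    n, e, _ = PUBLISHER
    msg = b"constructed sample payload"
    ct, sig = publish(msg, PUBLISHER)
    tampered = bytes([ct[0] ^ 0x01]) + ct[1:]
    ct2, sig2 = publish(msg, OUTSIDER)  # signed with a key the receiver does not trust
    return (verify_and_unpack(ct, sig, n, e),
            verify_and_unpack(tampered, sig, n, e),
            verify_and_unpack(ct2, sig2, n, e))
```

The hash only binds the payload to the signature; the confidentiality comes from RC4 and the authenticity from RSA, which is why the strength of the hash function matters to anyone trying to forge a payload.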


Chuck Norris can sight-read MD-6.
posted by Artful Codger at 9:38 AM on May 15, 2010 [4 favorites]


The interesting thing about the use of RSA and MD6 to digitally sign the payloads is that, if they catch the guy, this is pretty much irrefutable proof that he's the guy. One of the key features of public key encryption is non-repudiation, meaning that the digital signer is proving, cryptographically, that he's the signer. Possession and use of the private key to sign the payloads isn't just circumstantial proof, it's, like, mathematical proof, man.
posted by fatbird at 9:42 AM on May 15, 2010 [5 favorites]


Maybe it's the first AI in the wild. (Looks left, looks right, ducks.)
posted by 517 at 9:46 AM on May 15, 2010 [1 favorite]


Whoever it is, I'll bet pretty soon they will summon all the leaders of the world to the United Nations and demand ONE MEEEELYUN DOLLARS!!!

Quick, somebody contact Agent 007!
posted by briank at 9:54 AM on May 15, 2010


Needless to say, this is a very arcane game. The entries are comprehensible to very few people. According to Rodney Joffe, “Unless you’re a subject-matter expert actively involved in crypto-algorithms, you didn’t even know that MD-6 existed. It wasn’t like it was put in The New York Times.”

That's a little disingenuous. It was put in Slashdot, so it was definitely on the radar of people who care about IT, even casually.
posted by mr_roboto at 9:54 AM on May 15, 2010


> Chuck Norris can sight-read MD-6.

You must be thinking of someone else.
posted by neckro23 at 10:33 AM on May 15, 2010 [1 favorite]


So -- probably a dumb question -- is there a way for Windows users to tell whether they've got Conficker, and to remove it if they do?
posted by msalt at 10:50 AM on May 15, 2010


is there a way for Windows users to tell whether they've got Conficker, and to remove it

Any good virus removal program should take care of your box, the point is the millions of systems that will never have minimal maintenance.
posted by sammyo at 11:27 AM on May 15, 2010


msalt: Microsoft provides this, which will do it for you if you don't have another anti-virus program installed.
posted by tylermoody at 11:35 AM on May 15, 2010


My newish computer has been up to some cryptic bullshit, lately, and I had never before been so convinced that it had been compromised and was working against my interests. Then I realized it was just Vista.

I'm not joking.
posted by Durn Bronzefist at 11:38 AM on May 15, 2010 [1 favorite]


"It would be possible to build such a thing within a large corporation without many of the people working on it realizing what they were working on, thinking they were making things to strengthen, say, an operating system."

While this is true it would be pretty hard to keep it a secret once the bot net was deployed; people are going to recognize their own work.
posted by Mitheral at 11:59 AM on May 15, 2010


Phase 1: Create worldwide botnet
Phase 2: ?
Phase 3: Profit
posted by klarck at 12:05 PM on May 15, 2010


lies waiting, but for what?

sending spam.
posted by krautland at 12:26 PM on May 15, 2010 [1 favorite]


Even if the existence of MD6 was restricted to the evaluating peer review group, all you'd have to do is target & hijack a top-level cryptographer's computer then wait a while to reap the rewards. How difficult can that be?
posted by scalefree at 12:29 PM on May 15, 2010


I have a friend who has a Mac and is Ukrainian. I have been kissing up to her on the off chance that she emerges from the chaos as one of the elite.
posted by texorama at 12:30 PM on May 15, 2010 [1 favorite]


It uses an encryption code so sophisticated that only a very few people could have deployed it.

What?

So when the new version of Conficker appeared, and its new method of encrypting its communication employed MD-6, Rivest’s proposal for SHA-3, the cabal’s collective mind was blown.

All of that stuff is out in the open. In fact, using it would have been stupid because the reason it's a proposed standard is because it hasn't been fully evaluated and could contain holes. In fact, holes and weaknesses are sometimes found in proposed crypto standards and fixed before the proposals are finalized.
posted by delmoi at 12:32 PM on May 15, 2010


I think what happened here is that some crypto researcher guy just thinks that his skills are pretty spectacular and rare, and that therefore if these Virus writer guys were capable of doing what he was capable of, why they must be pretty damn awesome too!

It's a little ridiculous. I could design a similar crypto system, and I've actually written code to communicate using RSA public key crypto, and symmetric key crypto using DES (that was work, I didn't get to pick the algorithm). It's not that hard to use crypto. It's sometimes hard to make sure you don't make any errors that make analysis possible -- even using libraries.

But these guys did make a mistake, in particular by using an untested hash function. Probably not the biggest loss ever, but it means in theory someone else might have been able to sign a payload and take over the network.
posted by delmoi at 12:44 PM on May 15, 2010


Previously...
posted by e.e. coli at 1:36 PM on May 15, 2010


Any good virus removal program should take care of your bo... Microsoft provides this

OK, thanks. I update and patch religiously and maintain good antivirus software. But my desktop is 5 years old, I have two preteen daughters and I'm sure some lapses have occurred somewhere along the line. Wasn't sure if it could be embedded underneath all that.
posted by msalt at 1:47 PM on May 15, 2010


I'm putting my money on NSA or CIA origins.
posted by TwelveTwo at 2:00 PM on May 15, 2010


I'm putting my money on NSA or CIA origins.

Would the CIA or NSA use a buggy prototype hash function? Probably not.
posted by delmoi at 2:39 PM on May 15, 2010


Working in instructing new computer users it's a little surreal when we get to the part where we talk about computer security.

"Don't download stuff you don't trust. Don't believe anything that seems too good to be true (there's no free lunch). Try to stay off fishy sites - those free movie and music sites are a good example. Keep both your computer and anti-virus updated."

This is the stuff that I tell them, but it feels like I'm pissing into the wind. How do I tell them to deal with zero-day flash attacks? A woman I work with who had a system that was missing a single flash update (while having current anti-virus, windows mandatory, and other necessary shit) got a virus from fucking Yahoo mail. Yahoo Mail. Like the email site that we recommend to new users (not my choice)!

What do I say to someone who doesn't know how to use a mouse, and has a system running win98 at their house that they've never updated once, and that they routinely search "free porn" on?

Until I got my most recent job as a computer janitor I thought I was 'good with computers' and didn't bother updating my antivirus or running routine checks. I know at least a few of my friends are like me, blinded by being a millennial and being constantly told by our boomer parents how good with computers we are.

I read another article about how botnets have started infiltrating networking equipment, like routers.

I really dislike the iPad, but who can blame people for wanting something that "just works". They get something that works like a toaster and does what it does at the press of a button. Something they've been told will never get a virus, and that they don't have to (and in fact cannot) work on themselves. It just seems like the next frontier to me.

You have these people who don't really want the power of a computer at their fingertips, because there's a lot of responsibility that lies behind that power. You put so much of yourself onto a computer and never even know it - the intangible stream of data that you enter into forms, and store in your temp files. Computers are both dangerous and powerful... sort of like a faustian agreement for many users.

The average user just wants to check their facebook, and maybe their email, and play farmville, and check their bank statements once a month.

On one end, of the legitimate internet, they're being used like docile advertisement reading cattle, not really customers anymore so much as products that their social networking / search engine / email provider cultivates so that they can sell targeted advertising to them.

On the dark end of the internet they're products too - being sold to ID theft rings from computer infections that they may never know about and will likely never understand.

I think we need a concentrated effort to really educate people on how to actually use their computers. You need a computer to operate in mainstream society, and having a majority of users operating insecure systems seems like a recipe for disaster. As does retreating into the walled gardens of Apple and Facebook and the like.
posted by codacorolla at 2:54 PM on May 15, 2010 [15 favorites]


So what is this particular botnet waiting for? Or is that just journalist hysteria?
posted by LarryC at 4:17 PM on May 15, 2010


I think we need a concentrated effort to really educate people on how to actually use their computers. You need a computer to operate in mainstream society, and having a majority of users operating insecure systems seems like a recipe for disaster.

... or maybe not rely on an OS where security was an afterthought, not a design goal.

(Mac - better but not exactly the Grail, unless Steve Jobs actually is Christ risen)

Facebook - a walled garden? Excuse me?
posted by Artful Codger at 4:30 PM on May 15, 2010


Wintermute is coming soon.
posted by atchafalaya at 4:41 PM on May 15, 2010 [2 favorites]


CHUNG CHUNG

If that was supposed to be the Law & Order sound, I'll have you know that I decided that it's properly written DONK DONK. Please conform to this standard in the future.
posted by DecemberBoy at 4:45 PM on May 15, 2010


DONK DONK is hot ass, only you pronounce it ba-donk-a-donk.

Glarkware has spoken.
posted by jeoc at 5:37 PM on May 15, 2010 [1 favorite]


I've been sorta following this (but I did like the article, and the technical errors really weren't that bad).

The reason for using MD-6 was just this - to show the white hats that the black hats are reading exactly the same journals they are. It's only a suboptimal move if you're thinking like a pure geek - if you're wanting to cast fear into the hearts of your opponents, it's an excellent move with almost no downside (because if there is a flaw, you can certainly roll out an update or even a replacement to your encryption in your next update before the white hats can possibly take advantage of it against you).

It's just like finding out that the murder suspect has been hanging out in your bar, chatting to your girlfriend - it's surprising and disconcerting.

Really, well done to these guys. I predicted a long time ago that this would happen, and I was exactly right.

If I were them, here's what'd happen next - nothing. I'm sitting there with ten million machines that I can do anything I like to - so now I and my friends go away and write a new version. I use the same peer-to-peer as before, but completely different signatures and all my best tricks.

The big new feature would be billing and accounting. With this, I could rent blocks of machines in the tens of thousands to be used by organized crime directly, without any direct communication between me and the machines, while still keeping control over them for my own use.

Meanwhile, I'm keeping stats on my bot army and throwing out machines that I think might be honeypots - I keep them going but they won't be used for the next step. It might be very easy to update each machine with a little program that analyzed the network traffic of a machine to see if it was a likely honeypot and report home with that fact.

Finally, I then use the old worm to write my new worm onto most of the bots that I'm entirely sure aren't honeypots (and it's OK if a few honeypots get infected if I'm careful) and then bit at a time remove the original worm from them (always keeping quite a few going so Conficker always appears to exist).

Voila, I now have millions of machines under my control, no one else knows, I rent them to the Mafia.
posted by lupus_yonderboy at 5:43 PM on May 15, 2010 [6 favorites]


"Would the CIA or NSA use a buggy prototype hash function? Probably not."

The perfect cover.
posted by Mitheral at 6:26 PM on May 15, 2010


A couple years back, I mentioned to some friends that I should put together a "Nice Guy" virus that would replicate itself around the internet, removing other worms from compromised machines, turning on Automatic Updates, maybe even checkdisking and defragging hard drives for its "victims", etc.

We were getting pretty gung ho about the idea until one of them pointed out that this would likely still be considered illegal and I'd probably wind up locked up for cyber-terrorism or something.


JaredSeth, if you write a virus that turns on Automatic Updates on my computer, I'll kill you myself with my bare hands.

Don't worry about "the authorities" and their "lockups".
posted by IAmBroom at 9:39 PM on May 15, 2010 [1 favorite]


Love a bit of Mark Bowden.
posted by flippant at 11:59 PM on May 15, 2010


Somethingsomethingskynetsomethingsomething.
posted by cthuljew at 12:16 AM on May 16, 2010


I think we need a concentrated effort to really educate people on how to actually use their computers.

No, that is backwards and will never work, because people have been saying that for nearly two decades (more, if you count the time before these types of concerns). Believe me - some people are not capable of getting it, or they will not make the effort. You can't force them, and still they will buy computers and use them. We need computers that are secure and don't require education.

And I'm also in the business (though I am trying desperately to get out). I used to think like you did. Now I have come around entirely, and I think we need more than one model and device to suit what people need. A lot of people just need something that works that's not too complicated, something that's secure enough and designed well enough where they don't have to take classes to learn how to maintain it, and there's nothing wrong with that.

Yes, Apple is it right now, but I have a feeling they're just on the edge of this, and we're going to be seeing a lot more devices that don't intimidate and constantly confuse people. Well, I hope so anyway. But we'll still have open platforms for those of us who like more control and power. Even so, I'd rather not spend much time being a tech just to maintain my own stuff. I just want it to work, too.
posted by krinklyfig at 3:53 AM on May 16, 2010 [1 favorite]


The big new feature would be billing and accounting. With this, I could rent blocks of machines in the tens of thousands to be used by organized crime directly, without any direct communication between me and the machines, while still keeping control over them for my own use.

This has been happening for some time, as far as I can tell. The people who create the botnets are not typically the ones who want to use them, so the creators are usually contracting out their services and/or their networks under their control.

There are a lot of highly educated, sophisticated programmers in Russia and the former Soviet bloc countries, some of whom work for companies which are, for all intents and purposes, fully legitimate and operating above board, whose sole purpose is to create new infections, malware and adware to sell, and they are not really trying to hide it. I read an article a couple years back about what's considered to be one of the best tech companies to work for in Moscow, essentially a malware shop. Then there are the independent agents who aren't in the industry and farm out their services to the highest bidder. But this isn't really new. It's just that it's become a much bigger business, and almost no infections are created without any financial incentive anymore, just to satiate the creator's curiosity as happened in the '90s and early '00s. Although Melissa was a nasty worm, I do miss those days.
posted by krinklyfig at 4:07 AM on May 16, 2010


it's obviously Chinese military grade ICE.
posted by geekhorde at 5:30 AM on May 16, 2010 [1 favorite]


Bowden's not an idiot, obviously, but this article reads like a half-successful writing exercise of the 'Tell an "exciting" story on a topic you're not already known for writing about.' Alternately pedantic, hoary, grotesquely overwritten, and somewhat embarrassingly credulous. At this point in our (d)evolution, any article about digital security that treats its subject as an Inscrutable Geek Mystery is an act of social irresponsibility, not to mention journalistic laziness. All Bowden's Journo-101-level twattery about Captain Kirk(!!) needlessly obscures the uncomplicated but complex legal/ethical/criminal/technological matters underlying this story.

I learned more from the original MeFi thread than from this article.

(No thanks to our local Mac/PC dickwavers of course.)
posted by waxbanks at 7:02 AM on May 16, 2010


"At the same time that Conficker was spewing into honeypots, it was quietly slipping into personal computers worldwide"

Gigity gigity.
posted by Iron Rat at 7:59 AM on May 16, 2010


What do I say to someone who doesn't know how to use a mouse, and has a system running win98 at their house that they've never updated once, and that they routinely search "free porn" on?

I think for many people something akin to the live cd model might work, meaning their system is either non-writable except for user and config files. People keep talking about the cloud, and all I can think of is all the talk about thin clients some years back. If you design it to be indestructible or at least instantly renewable, and if you get enough people using it ... well, it would make my job a lot easier, anyway.
posted by krinklyfig at 7:05 PM on May 16, 2010


God, that's a badly written and ill-informed article. The analogies were so awful that reading it was like swinging a wombat on a 1000 mile piece of elastic while gargling jelly. Or it was like a car.
posted by w0mbat at 9:42 PM on May 16, 2010 [2 favorites]


I think we can be pretty sure that Bruce Schneier is behind all of this.
posted by clvrmnky at 8:17 AM on May 17, 2010


And now the worm lies there, waiting

*crosses fingers*

Come on, be a super-villain, please be a super-villain. I'm not asking for much, just please, please, please let it be some guy in a hollowed out volcano who demands a billion dollars to not activate the worm and shut down world-wide communications.

And please let him want that billion to build a death-ray for the express purpose of destroying the moon.

Seriously, just think about how interesting it would be to live in that world.
posted by quin at 1:13 PM on May 17, 2010 [2 favorites]




This thread has been archived and is closed to new comments