indexphinger

Lets kick Conficker's ass!

60 posts in this topic

"As of 13 February 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker."

I say we should find out who these 14-year-olds are and get their asses sent to jail....

Whoever helps gets a portion of the $250,000 and the rest goes to stank, to keep the site alive.

:) I have waves of boxen to throw at this worm, so I can decipher where it comes from and who it phones home to.

Who's with me?

Edited by IndexPhinger

I would love to help...

I just don't know what to do to help.....

EDIT.. I can search and do some other things, but yeah, I'm mostly a hardware hacker...

I stay away from computer hackorzing because I'm afraid of the GOVERNMENT...

Don't want to go to jail EEEEk

Edited by Treewizard420

Can't really help any, but I can give a suggestion I guess: you could try and use a router distro and packet filter everything that goes through the router/box, because Conficker may be able to stop ARP if you ARP poison and packet filter, but if the router was actually filtering the traffic you'll get everything.


Well, we can at least try!

1. We information gather. We lump all the information everyone has collected together. Learn as much as we can.

2. Image a hard drive and isolate the virus.

3. Decode the virus and pick it apart. Apparently it connected to a server for its instructions.

Add to the mission plan. Anything can be done with a series of little steps.


Edit: I want 250,000 dollars, I'll start looking around.

Edited by R4p1d

Um... not to crap all over your enthusiasm or anything, but this worm even has Ph.D.s stumped: http://mtc.sri.com/Conficker/

Top security researchers from around the world are spending every waking moment analyzing this thing in honeynets, and they have only scratched the surface as far as what it *does*, let alone who is behind it.

But hey... go for it if you're motivated. :)

(Also, I severely doubt it is 14 year-olds. This has the smell of organization all over it.)


Why not just upload a virus into their mother ship?

> Why not just upload a virus into their mother ship?

1. I'm not black.

2. I don't know any Jewish dudes.

> Why not just upload a virus into their mother ship?
>
> 1. I'm not black.
>
> 2. I don't know any Jewish dudes.

Your life sucks hard dude. I'm not black either... but how do you not know any Jews? How do you get your taxes done?


I'd think the best way to start would be to research Conficker/Downadup and collect as much technical information as we can about it. After we are up to speed on the current wisdom pertaining to this worm, we'd need to set up a honey pot network to trap it. After isolating it from any other programs and malware on the system, we could capture and analyze the network traffic as it "phones home," and identify, enumerate and reverse-engineer its component parts.

There are 4 variants of Conficker/Downadup: A, B, C and D. Each successive one is apparently a modified or upgraded version.

Here's a decent technical article that describes Conficker in great detail: http://mtc.sri.com/Conficker/

I'm in the mood for a good hunt. Maybe we could start a thread in the "Group Projects" section?

Edited by Colonel Panic

I actually quite like the idea of this. I know there is already research being done on Conficker, but maybe the number of us working together might actually make a difference.

BTW, did this idea make anyone else think of the Da Vinci virus disassembly montage in Hackers?

> "As of 13 February 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker."
>
> I say we should find out who these 14-year-olds are and get their asses sent to jail....
>
> Whoever helps gets a portion of the $250,000 and the rest goes to stank, to keep the site alive.
>
> :) I have waves of boxen to throw at this worm, so I can decipher where it comes from and who it phones home to.
>
> Who's with me?

http://www.securitytube.net/Dissecting-the...Worm-video.aspx

F-Secure seems a little bit further in the race. ^_^


This video presents some of the same information that was given in the report I linked, except the report goes into far greater detail.

The report must be a little older though, because it doesn't mention the Conficker D variant.

You have to admire the cleverness of the extensive precautions implemented by the creators to avoid detection. The malware reportedly encrypts or camouflages most of the files and libraries associated with its functionality, then decrypts them on-the-fly as it runs.

Edited by Colonel Panic

Making accusations as to who originally released, let alone wrote, code is futile unless someone steps up and claims ownership. With a bounty, I doubt that will ever happen. Nothing guarantees that forensic analysis is going to report anything with the least bit of integrity.

Edited by crackhead

The way this thing works, probably not.

It'll probably require the resources of several major governments to track down the perpetrator of this one, if it ever happens.

Still, it might be fun to tinker with it. Not every day that you get to examine the inner workings of a state-of-the-art criminal enterprise.

Edited by Colonel Panic
> This video presents some of the same information that was given in the report I linked, except the report goes into far greater detail.
>
> The report must be a little older though, because it doesn't mention the Conficker D variant.
>
> You have to admire the cleverness of the extensive precautions implemented by the creators to avoid detection. The malware reportedly encrypts or camouflages most of the files and libraries associated with its functionality, then decrypts them on-the-fly as it runs.

So you're essentially saying it's packed? Well then, it's very easy to unpack it. Run it, find the real OEP, then dump it and rebuild the import address table, and voilà.

Well.... easier said than done xD But I would be up for it. Does anyone know a site where they offer Conficker? :D

But I highly doubt we can do anything that huge virus research organizations can't.

Edited by thepcdude

I don't have anything to offer this quest other than emotional support, but I can say one thing. If anyone can figure out the inner workings of this thing, the great minds of BinRev can. Free-thinking minds can accomplish a lot more, a lot faster, when not wrapped up in red tape/business bullshit.

> Does anyone know a site where they offer Conficker? :D

Just set up a honeypot running an unpatched Windows, and sooner or later it will find you.

> But I highly doubt we can do anything that huge virus research organizations can't.

Maybe not, but like I said, it might be fun to mess with this thing.

> The way this thing works, probably not.
>
> It'll probably require the resources of several major governments to track down the perpetrator of this one, if it ever happens.
>
> Still, it might be fun to tinker with it. Not every day that you get to examine the inner workings of a state-of-the-art criminal enterprise.

Yeah, nobody here's going to catch Conficker, but we might learn something from it. I'd be interested in copying some of its techniques or even code. The way it gets commands may be exploited for sharing info through firewalls in pen tests. Likewise, it has a nice P2P system which allows collaboration while being lightweight and pretty efficient. Finally, a decent implementation of MD6... lol


Regardless of the intent of the original creators, imagine if some person or group figured out how to commandeer the Conficker client's command and software downloading system. They would have the world's largest botnet in history completely at their disposal. Imagine owning nearly ten million machines with a single hack!

According to the report I posted, several groups have already reverse-engineered Conficker's domain-generation algorithm. I like F-Secure's approach: register a number of the randomly-generated "rendezvous" domains, then plant honeypots on those domains. The honeypots could be then used to spoof its command structure and issue commands, provide code for execution, etc. (you could even instruct the entire botnet to disinfect all hosts of the worm). The tricky part would be figuring out how the Conficker client communicates with the remote hosts, through analysis of its outgoing traffic and/or reverse-engineering the executables. No small task, which would no doubt involve breaking its encryption.

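The rendezvous-domain idea in the post above (reverse the generator, precompute the day's names, register or sinkhole them, then watch which hosts on your network come calling), as an added example written for this thread rather than code from the post or from any Conficker analysis. The generator here is a constructed date-seeded stand-in, not Conficker's real algorithm; the seed, label length, TLD list and the resolver log format are all assumptions for illustration.

```python
import hashlib

# Constructed stand-in for a reverse-engineered, date-seeded rendezvous-domain
# generator. SEED, the 10-letter labels and TLDS are assumptions for this
# example; they are NOT Conficker's algorithm.
SEED = b"example-seed"
TLDS = ("com", "net", "org")


def rendezvous_domains(day: str, count: int = 5, seed: bytes = SEED) -> list:
    """Candidate domains a client seeded with `seed` would try on `day` (YYYY-MM-DD).

    Deterministic by design: anyone holding the seed, defenders included, can
    precompute the list ahead of time and register or sinkhole the names.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return names


def match_dns_log(lines, candidates) -> list:
    """Return (client_ip, qname) for every resolver log line that queried a candidate.

    Assumed (constructed) line format: '<timestamp> <client_ip> <qname> <rcode>'.
    Malformed lines are skipped instead of aborting the scan.
    """
    wanted = {c.lower() for c in candidates}
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client_ip, qname = parts[1], parts[2].rstrip(".").lower()
        if qname in wanted:
            hits.append((client_ip, qname))
    return hits


def build_sample_log(day: str) -> list:
    """Constructed resolver log: two clients walking the candidate list, plus noise."""
    cands = rendezvous_domains(day)
    return [
        f"{day}T03:00:01 10.0.0.12 {cands[0]}. NXDOMAIN",
        f"{day}T03:00:02 10.0.0.12 {cands[1]}. NXDOMAIN",
        f"{day}T03:00:05 10.0.0.40 www.example.com. NOERROR",
        f"{day}T03:00:09 10.0.0.77 {cands[3]}. NOERROR",
        "garbage line",
    ]


def infected_clients(day: str) -> dict:
    """Count candidate-domain lookups per client for `day` over the sample log."""
    counts = {}
    for client_ip, _ in match_dns_log(build_sample_log(day), rendezvous_domains(day)):
        counts[client_ip] = counts.get(client_ip, 0) + 1
    return counts


if __name__ == "__main__":
    day = "2009-02-13"
    print("candidates for", day, ":", rendezvous_domains(day))
    print("clients querying them:", infected_clients(day))
```

On a real network the useful signal is the per-client count rather than any single hit: an infected host walks through the whole day's list and most answers come back NXDOMAIN, because only a few of the names are ever registered. Answering those names from a sinkhole tells you who is infected; it does not by itself let you command the client, which is the point the later posts make about the worm checking what it downloads.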

And breaking its encryption is almost impossible?

Edited by Treewizard420
> ...then plant honeypots on those domains. The honeypots could be then used to spoof its command structure and issue commands, provide code for execution, etc...

Please correct me if I'm wrong, but if I remember correctly, Conficker does a hash check on everything it receives. I think breaking its hash check with brute force is out of the question. It is far from a simple string.


Like I said:

> The tricky part would be figuring out how the Conficker client communicates with the remote hosts, through analysis of its outgoing traffic and/or reverse-engineering the executables. No small task, which would no doubt involve breaking its encryption.