indexphinger

Lets kick Conficker's ass!

60 posts in this topic

BTW, did this idea make anyone else think of the Da Vinci virus disassembly montage in Hackers?

Row, row, row your boat...

I came for the reference, I'm leaving satisfied :)

0

Like I said:
The tricky part would be figuring out how the Conficker client communicates with the remote hosts, through analysis of its outgoing traffic and/or reverse-engineering the executables. No small task, which would no doubt involve breaking its encryption.

AH! Missed that part :)

0

According to the report I posted, several groups have already reverse-engineered Conficker's domain-generation algorithm. I like F-Secure's approach: register a number of the randomly-generated "rendezvous" domains, then plant honeypots on those domains.

Problem there is that the new variant selects from a pool of 50,000 possible domain names. They have determined the formula that it uses to generate the domains, but that's still a tall order.

The tricky part would be figuring out how the Conficker client communicates with the remote hosts, through analysis of its outgoing traffic and/or reverse-engineering the executables. No small task, which would no doubt involve breaking its encryption.

They know how it communicates, at least how it talks to the domains -- it uses HTTP. Early variants used a search query (which would show up in log files and could be easily identified), but the latest variant makes an empty GET or POST request (I forget which). I believe they have also done some analysis on the P2P protocol it uses. But yes, since it does check the digital signature of any payload, it would be a Herculean task to try to forge something. It also checks a timestamp, so that even a valid package more than X days old (4 I think) will be rejected. (This is a nice way to make sure it only takes current updates.)

0
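
The signed-and-dated update check described in the post above, written out as an added example (this is not Conficker's code, nor any published analysis of it): an Ed25519-signed package whose issue timestamp sits inside the signed bytes, with the four-day window the post half-remembers taken as an assumed value. It shows why a sinkholed rendezvous domain can observe clients but cannot feed them a payload, and why an old but genuine package cannot simply be re-dated without the publisher's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// Freshness window for an update package. The post recalls "4 I think";
// 4 days is an assumed value for this example, not a figure from any analysis.
const maxAge = 4 * 24 * time.Hour

// clockSkew is an assumed tolerance for client clocks that run slightly behind.
const clockSkew = time.Hour

// UpdatePackage is a constructed, simplified stand-in for a signed update:
// the payload, the Unix time it was issued, and a signature covering both.
type UpdatePackage struct {
	Payload  []byte
	IssuedAt int64
	Sig      []byte
}

var (
	ErrBadSignature = errors.New("signature does not verify under the pinned public key")
	ErrStale        = errors.New("package is older than the freshness window")
	ErrFuture       = errors.New("package timestamp lies in the future")
)

// signedBytes is the exact message the signature covers. The timestamp must be
// part of it; otherwise an old, validly signed package could simply be re-dated.
func signedBytes(payload []byte, issuedAt int64) []byte {
	buf := make([]byte, 8, 8+len(payload))
	binary.BigEndian.PutUint64(buf, uint64(issuedAt))
	return append(buf, payload...)
}

// Sign produces a package with the publisher's private key.
func Sign(priv ed25519.PrivateKey, payload []byte, issuedAt time.Time) UpdatePackage {
	ts := issuedAt.Unix()
	return UpdatePackage{
		Payload:  payload,
		IssuedAt: ts,
		Sig:      ed25519.Sign(priv, signedBytes(payload, ts)),
	}
}

// Verify performs the client-side checks in the order a client should:
// signature under the pinned key first, then the freshness window.
func Verify(pub ed25519.PublicKey, pkg UpdatePackage, now time.Time) error {
	if !ed25519.Verify(pub, signedBytes(pkg.Payload, pkg.IssuedAt), pkg.Sig) {
		return ErrBadSignature
	}
	issued := time.Unix(pkg.IssuedAt, 0)
	if issued.After(now.Add(clockSkew)) {
		return ErrFuture
	}
	if now.Sub(issued) > maxAge {
		return ErrStale
	}
	return nil
}

func main() {
	// Publisher key pair; a real client would only carry the pinned public key.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Whoever registers a rendezvous domain has their own key, not the publisher's.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)

	now := time.Now()
	payload := []byte("constructed update payload")

	fmt.Println("fresh, genuine:     ", Verify(pub, Sign(priv, payload, now.Add(-time.Hour)), now))
	fmt.Println("genuine, 5 days old:", Verify(pub, Sign(priv, payload, now.Add(-5*24*time.Hour)), now))
	fmt.Println("signed by other key:", Verify(pub, Sign(otherPriv, payload, now), now))

	// Re-dating a stale package without the private key invalidates the signature.
	redated := Sign(priv, payload, now.Add(-5*24*time.Hour))
	redated.IssuedAt = now.Unix()
	fmt.Println("re-dated stale pkg: ", Verify(pub, redated, now))
}
```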


Sending to somebody is no joke and with the author's reputation, there's a good chance he wouldn't get what most people would consider a 'fair trial'. After that he's going to go to jail and go through some serious psychological trauma caused by guards constantly berating him and his getting raped. Viruses are fucked up but prison is even more fucked up so consider what you're going to do to the author and their family before you go all gung-ho and try and land somebody a spot in handcuffs.

0

Sending to somebody is no joke and with the author's reputation, there's a good chance he wouldn't get what most people would consider a 'fair trial'. After that he's going to go to jail and go through some serious psychological trauma caused by guards constantly berating him and his getting raped. Viruses are fucked up but prison is even more fucked up so consider what you're going to do to the author and their family before you go all gung-ho and try and land somebody a spot in handcuffs.

True, but it's what, 1.5m counts of computer intrusion? And whatever else they are doing. Life and no bail is pretty fair; I mean, if some guy breaks into 1.5m houses and breaks up some stuff, he would go to jail for life too.

0


Life in prison for hacking? It's not like he hacked into a hospital and pulled the plug on terminally ill patients or anything ; )

0

Sending to somebody is no joke and with the author's reputation, there's a good chance he wouldn't get what most people would consider a 'fair trial'. After that he's going to go to jail and go through some serious psychological trauma caused by guards constantly berating him and his getting raped. Viruses are fucked up but prison is even more fucked up so consider what you're going to do to the author and their family before you go all gung-ho and try and land somebody a spot in handcuffs.

OMG I worked it out! blackbloc is the Conficker author!

Actually, I was reading about the new update to Conficker and I was thinking to myself, what have these people actually done wrong? If they are caught they would get some serious jail time, but for what? Sure, if they started DDoS/sending spam and all that nasty stuff then OK (and some people do think the authors of Conficker are the same people who wrote the Storm worm), but personally I'd lay the blame on M$ for allowing such gaping holes in their OS. Doing what they have done isn't very nice but I don't think it should warrant any punishment they receive (until they start using the botnet for something).

0

Sending to somebody is no joke and with the author's reputation, there's a good chance he wouldn't get what most people would consider a 'fair trial'. After that he's going to go to jail and go through some serious psychological trauma caused by guards constantly berating him and his getting raped. Viruses are fucked up but prison is even more fucked up so consider what you're going to do to the author and their family before you go all gung-ho and try and land somebody a spot in handcuffs.

OMG I worked it out! blackbloc is the Conficker author!

Actually, I was reading about the new update to Conficker and I was thinking to myself, what have these people actually done wrong? If they are caught they would get some serious jail time, but for what? Sure, if they started DDoS/sending spam and all that nasty stuff then OK (and some people do think the authors of Conficker are the same people who wrote the Storm worm), but personally I'd lay the blame on M$ for allowing such gaping holes in their OS. Doing what they have done isn't very nice but I don't think it should warrant any punishment they receive (until they start using the botnet for something).

Of course, because breaching a system of any kind is not illegal, unless you do something with/to it.

</sarcasm>

0


Update on Conficker for all you guys fighting the hopeless battle against it: it's now active. Additionally, they are using the P2P network instead of the HTTP thing. I found that interesting, as I thought they'd rely on HTTP to avoid detection. Nonetheless, I still think the authors of Storm and Conficker are pretty much writing the book on botnet design. They are exceedingly clever, so I'm hesitant to criticize them. (not to mention that retribution probably = DDOS attack on BinRev.com)

http://www.cnn.com/2009/TECH/04/09/confick...ated/index.html

0

Sending to somebody is no joke and with the author's reputation, there's a good chance he wouldn't get what most people would consider a 'fair trial'. After that he's going to go to jail and go through some serious psychological trauma caused by guards constantly berating him and his getting raped. Viruses are fucked up but prison is even more fucked up so consider what you're going to do to the author and their family before you go all gung-ho and try and land somebody a spot in handcuffs.

OMG I worked it out! blackbloc is the Conficker author!

Actually, I was reading about the new update to Conficker and I was thinking to myself, what have these people actually done wrong? If they are caught they would get some serious jail time, but for what? Sure, if they started DDoS/sending spam and all that nasty stuff then OK (and some people do think the authors of Conficker are the same people who wrote the Storm worm), but personally I'd lay the blame on M$ for allowing such gaping holes in their OS. Doing what they have done isn't very nice but I don't think it should warrant any punishment they receive (until they start using the botnet for something).

Of course, because breaching a system of any kind is not illegal, unless you do something with/to it.

</sarcasm>

Lol. Yeah, we in the United States don't mind letting others borrow or break our personal property without prior notice. As long as they treat their ill-gotten gains properly, implicating the owner in a minimum amount of crimes, then I don't see a problem.

</more-sarcasm>

0

Actually, I was reading about the new update to Conficker and I was thinking to myself, what have these people actually done wrong? If they are caught they would get some serious jail time, but for what? Sure, if they started DDoS/sending spam and all that nasty stuff then OK (and some people do think the authors of Conficker are the same people who wrote the Storm worm), but personally I'd lay the blame on M$ for allowing such gaping holes in their OS. Doing what they have done isn't very nice but I don't think it should warrant any punishment they receive (until they start using the botnet for something).

Of course, because breaching a system of any kind is not illegal, unless you do something with/to it.

</sarcasm>

Yeah, for those of you who don't know: here in the USA, Federal law (the CFAA) dictates that gaining unauthorized access to any system is illegal: http://www.panix.com/~eck/computer-fraud-act.html

Doesn't the UK have similar laws?

Edited by Colonel Panic
0

Doesn't the UK have similar laws?

Not sure about the UK, but as far as I remember, in a topic about some woman being arrested for destroying some guy's account on MapleStory for breaking up with her, she was arrested in Amsterdam? Apparently whatever country saw virtual property to be the same as real property. But probably every country that has mass amounts of computers.

0

Doesn't the UK have similar laws?

Not sure about the UK, but as far as I remember, in a topic about some woman being arrested for destroying some guy's account on MapleStory for breaking up with her, she was arrested in Amsterdam? Apparently whatever country saw virtual property to be the same as real property. But probably every country that has mass amounts of computers.

I personally hope these guys are smart enough to NOT get caught. Obviously the guy/guys spent a tremendous amount of time engineering this beautiful piece of work and even if this creates a lot of destruction, I hope they don't talk too much within their closed group and get busted. +1 from me.

0

Actually, I was reading about the new update to Conficker and I was thinking to myself, what have these people actually done wrong? If they are caught they would get some serious jail time, but for what? Sure, if they started DDoS/sending spam and all that nasty stuff then OK (and some people do think the authors of Conficker are the same people who wrote the Storm worm), but personally I'd lay the blame on M$ for allowing such gaping holes in their OS. Doing what they have done isn't very nice but I don't think it should warrant any punishment they receive (until they start using the botnet for something).

Of course, because breaching a system of any kind is not illegal, unless you do something with/to it.

</sarcasm>

Yeah, for those of you who don't know: here in the USA, Federal law (the CFAA) dictates that gaining unauthorized access to any system is illegal: http://www.panix.com/~eck/computer-fraud-act.html

Doesn't the UK have similar laws?

I don't know the UK law well enough to quote it, but I assume we have a similar law; however, just because it IS a law doesn't mean it should BE a law. If, instead of putting bounties on the heads of virus writers, M$ encouraged people to try and break their software, I bet their code would be better audited and safer and more stable.

IMO it should be what you do with the system once you're in that dictates the severity of the punishment. Not just the act of getting in. Besides, the authors of Conficker haven't actually broken into any systems. The software is automated and self-replicating. I just don't see how anyone could get into trouble for writing software unless, as I said before, they actually do something malicious with it, and I can't see stealing a few clock cycles being especially malicious (I know Conficker does a few other things like blocking AV and stuff, but let's ignore that for now).

Edited by phr34kc0der
0


I understand you fancy yourself a hacker and all, but let's be realistic about this philosophy of yours.

IMO it should be what you do with the system once you're in that dictates the severity of the punishment. Not just the act of getting in.

What if it was legal for me to sneak into your home and mess around without your knowledge or permission, as long as I didn't remove or damage anything or hurt anyone?

Besides, the authors of Conficker haven't actually broken into any systems. The software is automated and self-replicating.

They engineered a mechanism to allow them to take control of your computer at any time. That's the IT equivalent of surreptitiously copying all your door keys for my own personal use whenever I feel like it.

Say I work at a coat-check at a local restaurant. I take people's coats and while they're eating dinner, I copy their keys and replace them in their pockets. Then, as they leave, I watch out the window and take down their license plate numbers. I have a contact inside the police department from whom I can get their addresses. Pretty clever, eh? My little scam works so well that I now possess keys to homes, cars and garages all over town.

Is this alright in your opinion? Should this be legal?

just don't see how anyone could get into trouble for writing software unless, as I said before, they actually do something malicious with it and I can't see stealing a few clock cycles being especially malicious

So, using somebody else's machine for my own purposes without their permission is okay? It's OK to sneak into my neighbor's shed and take his lawn mower without permission, to trim the little strip of grass along my hedges, as long as I return it undamaged? I'm not harming his mower, just using it a little for my own purpose. What's wrong with that?

What if it was OK for me to use my copies of your keys to enter your garage at any time and steal your car to use for whatever purpose I choose, as long as I bring it back and don't get into an accident or otherwise harm it in any way? I can just sneak in, take your car, use it to pick up hookers or purchase crystal meth or whatever, as long as I get it back to you within a few hours. Would you be OK with a law like that? Oh yeah, and I don't have to reimburse you for any maintenance costs or gas, or wear-and-tear, or anything like that either.

(I know Conficker does a few other things like blocking AV and stuff, but let's ignore that for now).

Why should we ignore that? It's part of the functionality of the worm. The developers put it there for a reason, just like the other functionality. You're advocating for just leaving these criminals alone to do whatever they want because they've devised such a cunning scam, let's see where this philosophy takes us.

I can enter your house any time I want without your permission or knowledge and make myself at home, raid the fridge, play your Xbox, use the toilet, read your mail, masturbate in your bed while ogling photos of your wife, etc. as long as I don't break or steal anything. I can go into your garage and take your car out for a joyride whenever I please, just as long as I bring it back undamaged. I can even disable your home and auto alarm systems so you won't know I've even been there.

All these activities are 100% cool and legal because I'm just so awesome for having figured out some really clever ways to invade people's homes and use their stuff without them knowing. I've broken into homes and joyridden in vehicles all over town without being caught because I'm such a brilliant crook, so I deserve to be able to continue doing it with impunity, right?

Would you feel good about having laws like that?

Such an environment would lead to rapid advances in lock technology, that's for sure. Sales of armored window shutters would skyrocket. Razor wire manufacturers would make a killing. The unfortunate trade-off would be far less security for those who cannot afford to drive around in an M1A1 Abrams and live in a house resembling Fort Knox.

My computer is my computer, and you have no business snooping around in my stuff and/or using its resources without my express permission. That's the law, and I wouldn't want it any other way.

Edited by Colonel Panic
0


The problem is any infection costs the victim money.... The other day I got a variant from a codec installer downloaded directly from Windows Media Player (ya, ya, I got owned).... Spent the entire afternoon reinstalling Windows and changing all my passwords... That was just one computer too. A company gets 100 of them infected and that is at the least hundreds of dollars of labor and probably several hours of downtime to make sure the systems are in pristine condition again..

0


I totally understand the reasoning of Colonel Panic, but I don't think the real world can map so easily onto the digital world.

I understand you fancy yourself a hacker and all

Actually, I just consider myself a computer geek with an interest in security.

Say I work at a coat-check at a local restaurant. I take people's coats and while they're eating dinner, I copy their keys and replace them in their pockets. Then, as they leave, I watch out the window and take down their license plate numbers. I have a contact inside the police department from whom I can get their addresses. Pretty clever, eh? My little scam works so well that I now possess keys to homes, cars and garages all over town.

Is this alright in your opinion? Should this be legal?

Well, should it be a $250,000 bounty? What if you were just copying the keys for a completely legit reason like doing research on the most common type of lock? It might not be a very ethical thing to do but no, I don't think it should be illegal, at least to the extent virus writing is. Actually using the keys and playing with your stuff should be. I would love someone to write a virus with a beneficial payload, but atm the only people who can release viruses are the bad guys.

(I know Conficker does a few other things like blocking AV and stuff, but let's ignore that for now).

Why should we ignore that? It's part of the functionality of the worm. The developers put it there for a reason, just like the other functionality. You're advocating for just leaving these criminals alone to do whatever they want because they've devised such a cunning scam, let's see where this philosophy takes us.

All I meant was that I was talking in general and not specifically about Conficker.

My computer is my computer, and you have no business snooping around in my stuff and/or using its resources without my express permission

I agree, and I'm gonna make sure that no one has the chance to access my machine, and that includes using an OS with regular updates and good access control.

0


I'm on board. Everyone makes such a big deal out of this worm like it is something new. We have seen things relatively similar to this before. I am by no means saying this will be an easy task, but people have caught these worm-writing a-holes before and hopefully it will happen again. :D

0

Well, should it be a $250,000 bounty? What if you were just copying the keys for a completely legit reason like doing research on the most common type of lock? It might not be a very ethical thing to do but no, I don't think it should be illegal, at least to the extent virus writing is. Actually using the keys and playing with your stuff should be. I would love someone to write a virus with a beneficial payload, but atm the only people who can release viruses are the bad guys.

(I know Conficker does a few other things like blocking AV and stuff, but let's ignore that for now).

Why should we ignore that? It's part of the functionality of the worm. The developers put it there for a reason, just like the other functionality. You're advocating for just leaving these criminals alone to do whatever they want because they've devised such a cunning scam, let's see where this philosophy takes us.

All I meant was that I was talking in general and not specifically about Conficker.

Alright. Here's why writing >and using< exploits, botnets, etc. should remain illegal:

1. Invasion of Privacy and Violation of Personal Property (i.e. constitutional rights)

2. Malware isn't nearly as stable as industry-standard patching or remote desktop software. When infecting a system randomly via the Web, it can have unpredictable side effects. This is why a "good" worm is a bad idea. Google Bruce Schneier's articles on that for more info.

3. Malware uses system resources the author didn't pay for or have any right to. Additionally, the worm's propagation features probably waste a lot of network resources. Illegal access attempts will generate alerts that some well-paid IT worker has to manually check. All in all, it's a big drain on resources at every level and nobody agreed to it.

4. While this last one isn't as concrete, I'd say this path is also unethical. If I see that someone accidentally left their door open in a dangerous neighborhood, I'm going to remind them to lock it. I'm not going to break in, move things around a bit, and then leave. That would be wrong (and criminal). Mostly harmless, but wrong. Likewise, if someone smart enough to write a worm sees a bunch of unpatched PCs, then they are smart enough to get a warning (and clear instructions to fix it) out to all of them:

"Hey, your system's wide open. I'm currently able to gain total access and use it for hosting kiddie pron, etc. Here's a link with instructions you can follow to fix this. Here's another link with guidelines to prevent it in the future."

Of course, some people here might just write a worm to hack them all as quick as possible.... Choosing this over protecting people, we definitely know what the color of those hackers' hats are...

0

Well, should it be a $250,000 bounty? What if you were just copying the keys for a completely legit reason like doing research on the most common type of lock? It might not be a very ethical thing to do but no, I don't think it should be illegal, at least to the extent virus writing is. Actually using the keys and playing with your stuff should be. I would love someone to write a virus with a beneficial payload, but atm the only people who can release viruses are the bad guys.

(I know Conficker does a few other things like blocking AV and stuff, but let's ignore that for now).

Why should we ignore that? It's part of the functionality of the worm. The developers put it there for a reason, just like the other functionality. You're advocating for just leaving these criminals alone to do whatever they want because they've devised such a cunning scam, let's see where this philosophy takes us.

All I meant was that I was talking in general and not specifically about Conficker.

Alright. Here's why writing >and using< exploits, botnets, etc. should remain illegal:

1. Invasion of Privacy and Violation of Personal Property (i.e. constitutional rights)

2. Malware isn't nearly as stable as industry-standard patching or remote desktop software. When infecting a system randomly via the Web, it can have unpredictable side effects. This is why a "good" worm is a bad idea. Google Bruce Schneier's articles on that for more info.

3. Malware uses system resources the author didn't pay for or have any right to. Additionally, the worm's propagation features probably waste a lot of network resources. Illegal access attempts will generate alerts that some well-paid IT worker has to manually check. All in all, it's a big drain on resources at every level and nobody agreed to it.

4. While this last one isn't as concrete, I'd say this path is also unethical. If I see that someone accidentally left their door open in a dangerous neighborhood, I'm going to remind them to lock it. I'm not going to break in, move things around a bit, and then leave. That would be wrong (and criminal). Mostly harmless, but wrong. Likewise, if someone smart enough to write a worm sees a bunch of unpatched PCs, then they are smart enough to get a warning (and clear instructions to fix it) out to all of them:

"Hey, your system's wide open. I'm currently able to gain total access and use it for hosting kiddie pron, etc. Here's a link with instructions you can follow to fix this. Here's another link with guidelines to prevent it in the future."

Of course, some people here might just write a worm to hack them all as quick as possible.... Choosing this over protecting people, we definitely know what the color of those hackers' hats are...

The only problem is who decides what malware and an exploit is? MS would try to pull some sh.... like it competes with remote desktop, Trojan! IMO.. the best out-of-the-box backdoors to use maliciously are command line utilities included in MS Resource Kits..

0


My main point is that whether the attackers manually type into a CLI to exploit vulnerabilities on the remote host, or they engineer a program to automate the work, they're still acquiring access to machines that are legally owned by other people. The attackers did not buy the hardware or license the software on that machine, they aren't paying for the bandwidth they're using, they're not legally privy to the information contained on that system, and they don't have the owners' permission to use those machines' resources.

Furthermore, by spreading this malware all around the world and linking the hosts together to form a huge botnet, they're creating a massive drain on worldwide resources and creating a significant security threat which is costing consumers and governments (read: taxpayers) billions of dollars to address.

In regard to the reward offer of $250,000, Microsoft has agreed to pay that amount. If they place that value on catching the criminals responsible for this extremely virulent and pervasive worm, that's their business. I don't understand why somebody would deem that to be excessive or unfair. Why is it wrong to place significant value on eliminating this threat?

Being a person interested in computer security myself, I can appreciate the robust design and attention to detail that went into developing this piece of malware. It is truly a significant accomplishment. But despite that sentiment, I don't understand why anyone would be in favor of some unknown party illegally invading so many machines and leveraging so much power over the Internet. What if they were to use this worm to do something extremely destructive or harmful? What benefit will result from refusing to address this serious security risk? This botnet is an illegal criminal enterprise. What good can come of it, and is it worth the risk to ignore it?

Edited by Colonel Panic
0

My main point is that whether the attackers manually type into a CLI to exploit vulnerabilities on the remote host, or they engineer a program to automate the work, they're still acquiring access to machines that are legally owned by other people. The attackers did not buy the hardware or license the software on that machine, they aren't paying for the bandwidth they're using, they're not legally privy to the information contained on that system, and they don't have the owners' permission to use those machines' resources.

True dat... What if someone programmed a robot to rob a bank or commit even worse crimes? They personally should still be held responsible... The software is obviously told by its author to perform actions that are defined as illegal..

0

The only problem is who decides what malware and an exploit is? MS would try to pull some sh.... like it competes with remote desktop, Trojan! IMO.. the best out-of-the-box backdoors to use maliciously are command line utilities included in MS Resource Kits..

Fair enough point there. I agree about MS Resource Kits being useful to attackers. PsTools, esp. PsExec, come to mind. {evil grin} As for who decides, we start with the users: they should decide what goes on their machines. Remember that all of these tools are designed to sneak or force their way into a system. Very few legitimate uses for that anyway. As for who decides, the courts will probably decide. Like in all criminal investigations, they will be looking for "intent." So, if someone writes a sneaky worm that exploits any available machine on the Net, the courts may say they probably had "malicious" intent. Could the courts be wrong about these things? Easily. Will this matter in most cases, where nothing good comes of the malware? Probably not.

0


Well, if one were to look at it from a moral aspect then I guess we're all a bit guilty of "borrowing" resources from others. One can say that ultimately the "InterWebs" does belong to the U.S. Federal Government when it comes to dealing with DNS and all that hooplah. As for virus writers and their intentions, I don't believe they should automatically be labeled Nazis because of the code they might have produced. I believe it's almost like saying since you have a nuclear bomb, you're a threat nonetheless, such as the US and North Korea. But obviously they will be tried on their intentions for writing said virus and also what they planned on using it for. Also, we all know the internet is very dynamic and that anyone could potentially scan and target infected Conficker worm victims and also infect such victims with their own code. A lot of this happened when MS Blaster hit the scene. Such a circumstance could allow group B to pose as group A and fly under the radar. I guess it is all based on the intention of doing something in the end, but the media really needs to cut the bullshit when they say the worm caused billions of dollars in damage. I mean, what if someone coded a worm that patched the threat? Ultimately would that be illegal even though it was coded in good faith because said code accessed a system unannounced?

0


In my opinion, there is really no gray area. I'm sure anybody who has ever been infected and has had to go through some massive data recovery or data loss can agree with me. These "coders" spend their time finding out how to get into your computer, and hijack it to do their dirty work. That's kind of like if someone was stealing your power from your house to power theirs.

Those who do code viruses, although generally very smart, have fuc*ed the game up. Who wants a damn virus? This is one of those things that serves no purpose but to fuck people's things up. Excuse my language everyone, but I remember when I used to use Windows, it was horrible.

Does anyone seriously disagree?

0

