Conficker Cabal fights threat to security, Internet

ICANN is leading the white hats in an "extraordinary behind-the-scenes struggle" against the forces behind the Conficker malware, John Markoff reports in the Times. Dancho Danchev noted recently that:
Among the key innovations of the Conficker worm (W32.Downadup) was the pseudo-random domain generation algorithm used for the generation of dynamic command and control locations in order to make it nearly impossible for researchers and the industry to take them down.

The impressive botnet has coalesced global security experts into the so-called Conficker Cabal.
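The passage above turns on one property of a domain generation algorithm: the rendezvous names are computable in advance by anyone who holds the seed, which is what lets a defender group pre-register or sinkhole them, and why raising the daily count makes that race expensive. The following is an added example written for this page, not code from the article, the Times report or the Conficker analysts. It implements a toy date-seeded DGA (not Conficker's algorithm), the defender-side precomputation of a day's name list, and a cheap entropy heuristic run over constructed DNS query log lines. The seed, TLD list, thresholds and log lines are all constructed for the example.

```python
import collections
import hashlib
import math
from datetime import date, timedelta

# Constructed toy parameters; they are NOT Conficker's real seed, algorithm or TLD set.
TOY_SEED = b"toy-dga-seed"
TOY_TLDS = ("com", "net", "org", "info", "biz")
DEMO_DAY = date(2009, 4, 1)


def candidate_domains(day, count, seed=TOY_SEED, tlds=TOY_TLDS):
    """Return the `count` rendezvous domains the toy date-seeded DGA yields for `day`.

    The output depends only on (seed, day, index), so anyone holding the seed,
    defenders included, can compute the same list ahead of time.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 8 + digest[0] % 5                      # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        tld = tlds[digest[-1] % len(tlds)]
        domains.append(f"{label}.{tld}")
    return domains


def blocklist_for_range(start, days, per_day, seed=TOY_SEED, tlds=TOY_TLDS):
    """Precompute every domain the toy DGA can use over `days` days (sinkhole/block list)."""
    names = set()
    for d in range(days):
        names.update(candidate_domains(start + timedelta(days=d), per_day, seed, tlds))
    return names


def shannon_entropy(text):
    """Bits per character of `text`; random-letter labels score higher than real words."""
    n = len(text)
    if n == 0:
        return 0.0
    counts = collections.Counter(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def looks_generated(label, min_entropy=3.0, max_vowel_ratio=0.3):
    """Cheap DGA heuristic for a single DNS label: long, high-entropy, vowel-poor.

    Thresholds are constructed for this example; tune them against real traffic.
    """
    if len(label) < 8:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and vowel_ratio <= max_vowel_ratio


def flag_queries(log_lines, known=frozenset()):
    """Flag DNS query log lines whose name is on the precomputed list or looks generated.

    Each constructed line ends with the queried name, e.g. '... query A example.com'.
    """
    flagged = set()
    for line in log_lines:
        qname = line.rsplit(" ", 1)[-1].rstrip(".").lower()
        if qname in known or looks_generated(qname.split(".")[0]):
            flagged.add(qname)
    return sorted(flagged)


# Constructed sample log: two benign names, one constructed random-looking name,
# and one name the toy DGA actually produces for DEMO_DAY.
SAMPLE_LOG = [
    "2009-04-01T10:00:01Z host1 query A google.com",
    "2009-04-01T10:00:02Z host1 query A microsoft.com",
    "2009-04-01T10:00:03Z host2 query A xkqzvbtrwplm.biz",
    f"2009-04-01T10:00:04Z host2 query A {candidate_domains(DEMO_DAY, 5)[0]}",
]


if __name__ == "__main__":
    # Why a larger daily count hurts: the list defenders must pre-register grows linearly.
    for per_day in (250, 50_000):
        weekly = blocklist_for_range(DEMO_DAY, 7, per_day)
        print(f"{per_day:>6} domains/day -> {len(weekly):>7} names to sinkhole per week")
    print(flag_queries(SAMPLE_LOG, known=frozenset(candidate_domains(DEMO_DAY, 5))))
```

The precomputed list is exact but only works while the seed and algorithm are known; the entropy heuristic needs neither, but it is probabilistic, so in practice the two are layered, with the heuristic surfacing new families and the exact list catching a known one.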

“I walked up to a three-star general on Wednesday and asked him if he could help me deal with a million-node botnet,” said Rick Wesson, a computer security researcher involved in combating Conficker. “I didn’t get an answer.”
Think of Conficker as a botcloud.
The Conficker program is built so that after it takes up residence on infected computers, it can be programmed remotely by software to serve as a vast system for distributing spam or other malware.

In the first week of March, the fourth known version of the program, Conficker C, expanded the number of the sites it could use to 50,000. That step made it virtually impossible to stop the Conficker authors from communicating with their botnet.

“It’s worth noting that these are folks who are taking this seriously and not making many mistakes,” said Jose Nazario, a member of the international security group and a researcher at Arbor Networks, a company in Lexington, Mass., that provides tools for monitoring the performance of networks. “They’re going for broke.”

It is not just a botcloud but one with very real national security implications, Phillip Porras, a research director at SRI International and one of the authors of a report on the virus, told the Times.
Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm. Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft. In the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself.


Talkback

16 comments
  • Video Tutorial on How to Remove Malware

    For those curious on how to remove Malware, Viruses and Trojans here is a detailed walkthrough:

    http://pcwizkidstechtalk.com/index.php/malware-removal.html

    Cheers
    PCWizKid
    • Yeah, like we are going to click on an unknown URL

      Nice try buddy - try posting some verifiable bona fides first.
      Confused by religion
        • Too quick to judge.

        I simply put the site on Yahoo! Search, as I do for any site that is suspicious and it's legit. In fact, this guy does really good reports, but that's my opinion.
        megamanx
  • RE: Conficker Cabal fights threat to security, Internet

    With all the buzz about countries editing the internet or confining their citizens to an intranet, has anyone considered that there is a government behind this particular malware? After all, in the article it is stated that this particular malware could take down the entire internet. What better way to limit people's access to the internet than to destroy it?
    LeslieMcQuade
    • Possible, but not probable

      I doubt that any country in the world would want to take down the entire internet. Maybe a site here and there that they didn't like or were opposed to, but not the entire internet since every country in the world, even North Korea, uses it.
      Lerianis
  • When are we going to stop playing softball ...

    ... with these malware writers and spammers? It's time that one or more teams of armed "00" agents be sent against the perpetrators to take them out for good.
    Tony R.
    • Time the government got serious.

      I'm being honest here. It is time that somebody got serious and some laws/regulations showed up that meant the service providers started to seriously look for and shut these guys down.

      I also don't understand why the national governments haven't gone after people paying to send spam. That could put spammers out of business in a hurry. They aren't doing it for fun. They do it because advertisers pay them to do it.


      deowll
      • Yeah, inaction on spam makes no sense.

        When you think about it, spam email is an affront to both liberal and conservative principles. You'd think it would be one of a very few things that Congress could agree upon and take real action to stop.
        masonwheeler
      • I agree.

        So, these guys happen to get paid to do viruses, spyware, etc. But for what? To give the anti-virus companies more work and a challenge? It's pretty rough when the anti-virus programs can't detect them, or if they happen to detect them and can't remove them; how are we supposed to take that while sitting down? Heck, why not add the part of how much information the malware took up before it was found (if it was found) and removed (if it could be removed).
        megamanx
    • Never going to happen

      That is murder and the public does not like murder happening against someone, especially since there is the possibility that they will get the wrong person.

      No, the public likes TRIALS, and most of the countries in the world that these spammers and malware writers are hiding in would go to war with any country that sent teams into their countries to kill anyone, civilian or not.
      Lerianis
  • Conficker can be completely eradicated.

    It doesn't affect me, or any of the tens of machines that I care for.

    We can beat it by Microsofting it - cut off its air supply - use Linux everywhere.

    The governments everywhere should get EXTREMELY hard on Microsoft for allowing this to go on. Microsoft should be banned wherever productivity and progress are the goals.
    Amelioration
    • Microsoft is not allowing this to go on

      They just have made an operating system that is easier to use than Linux (where everything is command-line only).

      Stop blaming Microsoft for this, it is NOT their fault. They have improved security in Vista and Windows 7, and if some people haven't moved to those things to stop malware such as this.... they are stupid!
      Lerianis
      • Wrong century

        "They just have made an operating system that is easier to use than Linux (where everything is command-line only)."

        Have not actually tried any Windows alternatives, I guess.
        TranMan
      • It is ALL Microsoft's fault

        "They just have made an operating system that is easier to use than Linux (where everything is command-line only).

        Stop blaming Microsoft for this, it is NOT their fault. They have improved security in Vista and Windows 7, and if some people haven't moved to those things to stop malware such as this.... they are stupid!"

        I don't know what decade you came from but you are obviously ignorant. I run 10+ Linux machines as both a system admin and a user and I can't remember the last time I EVER had to use the command line interface. Everything is easier than Windows and uses a flashy GUI now.

        It is DEFINITELY ALL MICROSOFT'S FAULT! Three words: "Windows Genuine Advantage". How do you explain it to a person in a third world country that saves up for a year to buy a computer for less than $200US that came with Windows XP preinstalled? They go to Microsoft's Windows Update site to update security patches but can't because Microsoft "thinks" their copy of XP isn't legitimate. After months of not being able to update their computer, it's now a zombie on some botnet. All this can be solved if Microsoft would remove WGA checks on Windows Update. I am not even going to mention Vista or 7 since most computers can't run either.
        Skyhawk_z
      • LOL!

        The 2 previous posts before this are right. I have tried Ubuntu (not sure of the version), but I didn't see a Command Prompt anywhere. It might just happen that I was too lazy to try and look, but everything was a UI, and it ran just like XP and all other versions of Windows. Heck, tweaks apply immediately, compared to Microsoft's restart for the changes to apply, at least on the changes I made that make me restart when using Windows.
        megamanx
  • RE: Conficker Cabal fights threat to security, Internet

    OK, this is ridiculous. I started on cnn.com with a search for "worm" and it led me to a team called the Conficker Cabal group, which may be able to help me and help themselves. I feel that unless I talk to them directly, I won't get a response. How do I contact them? I'm not after any reward or trying to get attention, but I feel it's my duty to report what I know and have learned. I feel that I have information and resources and proof leading to the person responsible for the worm, which I know but no one else knows: that those worms that came out may have been just a decoy, and the worm that I have been fighting for over 7 months, waiting for them to make a mistake, and unfortunately they made the mistake the same day that all my friends called me and they had a worm that sounds like the same one I have, on the news. I did my best not to spread it, but my mother has it now.

    I guess for proof I can explain here, just from what I have learned, its intent.

    He uses every resource available. As smart as I am with computers, I gained a whole lot of new knowledge on Windows. One example is certain features that I've seen him use. Cookies, for example. I know that in Internet Explorer, you have the option to block, allow and view.
    What you don't know is that the info already came through the pipe/stream/TCP/IP. So no matter what option you choose, his bot intercepts the cookies and there are codes that tell the worm what to do. I am not sure why he uses NetBIOS and meta tags, but for some reason he sends info that way. He may be using NetBIOS to help the worm spread, but that part is only theory.

    This worm and hacker has a system. First, it creates FAT12 and FAT16 in the first boot sector of the two, giving it full access to your computer before Windows. It needs any 2 drives on any system on the network to keep itself alive, which I just realized means that it monitors itself for any tampering. When I tried to low-level format, for example, it always cut out of the program formatting and would never finish, but when I chose only 1, it works and wipes the drives. This hacker portrays himself as being an IT tech. He uses a program on my computer to create any root certificate for any website as he needs them.
    He seems to stay in a virtual computer in my memory using address 3e7, and 0409 sticks out a lot. I think on different systems the bot changes slightly.

    Before the worm hit, I found a new script in my root directory to attach to unfinished burned CDs and DVDs. Later on, by using a DOS program to scan the hidden FAT12 and FAT16, I found info that he was studying info on a Nachi worm. He alters a lot of Windows programs, attaching certificates saying all his stuff is from Microsoft. He programs using Visual C++ in Visual Studio, most likely the 2005 version. Later on, I learned that he takes all your drivers and changes the info slightly so it's hidden to the naked eye, and a window pops up to install a new driver. This allows him to add keyloggers and attach to any USB drive. I realized that what he is doing is taking the best qualities of the worst viruses and making them one system.
    I found 4 intents of this worm.

    First, he makes it so his tracks are covered, and the worm is hidden and unnoticeable, because when this version hits, there are things noticeable at first, and the other worms may be a distraction in the meanwhile. I could be wrong on that theory.
    Second, it appears to be very knowledgeable about any electronic device. I bought 2 hubs and 2 routers, and through all my tests, they are affected and have glitches which I'm trying to find a way to reverse. He used telnet.

    Third, it has a direct connection with the hacker. They communicate through info using SMTP and use dollar signs before and after words to let the user and bot know it's from the bot.
    The 2 I observed while watching him were $chicago$, which I found in a lot of sound driver files, and $daniele$, which led me to a phone number which validates the hacker and eliminated the possibility of them being a victim, which I hope I have the opportunity to explain.
    This is where they made their mistake, which I will explain below. I have so much info that it's overwhelming and I could lose someone's interest.

    Fourth, this is the one that makes me know it's my responsibility to do what I can to stop it. So far no one has listened, and for the first time I got an email from Microsoft support to help me get rid of it. This program appears to be able to break through any security. I tried all combinations of antiviruses and firewalls for the validation that the programs themselves are too good for their own use.
    From a clean format, my computer came with Norton and McAfee antiviruses, and I installed right away the newest, at the time, firewall from ZoneAlarm. I downloaded a lot of programs from sysinternals.net and got a packet sniffer from Colasoft, and found a program called Resource Hacker.
    Using the program from Sysinternals called Process Monitor, and hunting down the logs that the bot makes, I watched him break through all 3 in less than an hour. When he's in my computer, he switches his info to my info, so it thinks it's a local user. I put the firewall on the highest security settings so it is not supposed to even trust me, or certificate-certified, and watched it still break through, with at first a million "access denied". It used both sides of the connection to break through.

    What I learned from the hacker himself is that he has a big god-like ego, and that he doesn't work well under pressure. I'm hoping to get something started so this can be fully investigated. This worm and hacker doesn't limit itself to computers. He also alters the phone system.

    Now it's time to explain its intent. I watched it not only breaking through any security, such as encryption and access keys, but I watched it search for a lot of things for purposes of spying. It searched for microphones, webcams, Bluetooth, smartphones, and he watches the monitor. I was fighting him one day, and I clicked on something wrong, which gave me the option of "send to", which had 2 displays when I only had 1. I interlaced and saw his desktop. He used a program at the time from Nvidia called Desktop Manager that allowed multiple displays, including remote. After that one time, he must have fixed it, and I never got to do it again.

    I can write a list of ways to tell if you have this version of the worm, because no antivirus or any program detects it. The closest I got was some root virus detectors noticed some suspicions in the registry as NULL.

    How I can tell if you've got the worm:
    1. If you format and wipe everything, when Windows is back up, it will be slower for days, not faster, because it uses a lot of resources to copy the operating system to the end of the hard drive and add registry keys used to hide all his stuff.
    2. The biggest way to tell is to do a full scan of your hard drive using DOS programs such as deleters and to do an extended search. If you get cluster $mfb and the boot sectors don't match, then that's it.

    3. One annoying thing is that even though you can gain full access right away each time, it appears that your mouse has a mind of its own. You could be moving right, and then it will appear 4 inches away to the left. I believe it does this because it is using API mouse commands to focus on text boxes before it changes info.

    When I formatted my 8 gig USB drive, I noticed it ended up having 4 gigs instead. I had to low-level format it as well.

    You will get a lot of errors and windows claiming to be part of the operating system, tricking the user to help it along. When these errors come through, it is most likely the hacker on a remote anonymous connection making changes to log keystrokes, for example.

    Make note that the worm may act differently on different machines 100 miles away. After my mom complained, after I used my USB drive with similar symptoms, after it was done, it seems fast, but it's still there.

    I believe that I know where the worm I got originated. But I'm hoping to hear from this Conficker Cabal group so I can give them this info. I don't want to take a chance of going overboard and displaying discriminating details which may become a lawsuit later.

    I will say that it did originate from my HTC smartphone from a 2 gig chip transfer, which I didn't know at the time, but a chain of events happened.

    I will keep trying to find a link to the Conficker Cabal group, such as an email address or a website. But can you direct me there? Thanks for listening, and this is no joke.

    My email is helpwithvb@yahoo.com,
    and if someone wants to contact me directly, I can give my phone and address if needed.
    helpwithvb