March 22, 2009

Experts Team Up To Battle Conficker Botnet

Some of the world's top computer security experts are fighting a spectacular cat-and-mouse battle with the brazen creator of a malicious software program known as Conficker, according to a New York Times report.

The program received global attention late last year when it began infecting millions of machines with malicious code, which ties together the infected computers into something known as a botnet.

Botnets are used to send the vast majority of e-mail spam messages, which are often the basis for questionable commercial promotions that frequently direct unsuspecting users to Web sites that can plant malicious software, or malware, on their computers. Botnets can also be used to distribute other types of malware or to generate attacks that can shut down commercial or government Web sites.

Conficker has been consistently updated since last year, and an informal global alliance of computer security firms and a network governance group known as the Internet Corporation for Assigned Names and Numbers (ICANN) are now working hard to address the problem.  Members of the alliance refer to themselves as the "Conficker Cabal."  Meanwhile, the botnet has brought together some of the world's top computer security experts to avert potential damage.

The spread of Conficker is on a scale that rivals some of the worst viruses and worms of the past, such as the I Love You virus.  Last month, Microsoft announced a $250,000 reward for any information leading to the capture of the Conficker author. 

Last year, one of the biggest botnets involved 1.5 million infected computers that were used to automate the breaking of "captchas," the squiggly letter tests that applicants for Web services use to prove they are human.

The inability of computer security experts to get ahead of the anonymous but resolute cybercriminals is viewed by some as evidence of a basic weakness in the global network.

"I walked up to a three-star general on Wednesday and asked him if he could help me deal with a million-node botnet," Rick Wesson, a computer security researcher involved in fighting Conficker, told the New York Times.

"I didn't get an answer."

Those involved in battling the malicious code say the zombie computers are programmed to contact a control system on April 1 for instructions. Speculation about the nature of the threat ranges from a simple wake-up call to a destructive attack.

Researchers disassembling the Conficker code have been unable to determine the location of the author, or authors, or whether one person or a group of hackers is maintaining the program.

There is increasing suspicion that Conficker will ultimately turn out to be a computing-for-hire scheme, imitating the hottest trend in the industry, known as cloud computing, in which companies such as Microsoft and Amazon sell computing as a service over the Internet.

Security researchers say prior botnets were designed to be split up and rented via black market schemes common in the Internet underground.

The Conficker program is created so that once it infects a computer, it can be programmed remotely by software to serve as a system for distributing spam or other malware.

Many who have analyzed various versions of the program said Conficker's authors were obviously tracking efforts to restrict the program, and had consistently shown that their skills were at the leading edge of computer technology.

For instance, Conficker had already gone through several versions when the alliance seized control of 250 Internet domain names the system was planning to use to send instructions to millions of infected computers.

A short time later during the first week of March, Conficker C, the fourth known version of the code, extended the number of the sites it could use to 50,000. The move made it virtually impossible to stop Conficker's creator from communicating with their botnet.

"It's worth noting that these are folks who are taking this seriously and not making many mistakes," said Jose Nazario, a member of the international security group and a researcher at Lexington, Mass.-based Arbor Networks, which provides tools for monitoring network performance.

"They're going for broke," he told the New York Times.

Several members of the Conficker Cabal lamented that law enforcement officials had been initially slow in responding to the group's efforts, but that a number of agencies were now in "listen" mode.

"We're aware of it," FBI spokesman Paul Bresson told the New York Times.

"We're working with security companies to address the problem."

A new report due to be released Thursday by the nonprofit research group SRI International finds that Conficker C constitutes a major rewrite of the original code.  In addition to making it far more difficult to block communication with the program, it has additional capability to disable many commercial antivirus programs and Microsoft's security update features.

"Perhaps the most obvious frightening aspect of Conficker C is its clear potential to do harm," wrote the report's author Phillip Porras, a research director at SRI International.

"Perhaps in the best case, Conficker may be used as a sustained and profitable platform for massive Internet fraud and theft," the New York Times quoted him as saying.

"In the worst case ... Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself."

Researchers said the program's original version contained a recent security feature developed by M.I.T. computer scientist Ron Rivest, which had been made public only weeks before.  And when Dr. Rivest's group issued a revision to correct a flaw, the Conficker authors updated their program to add the correction.

While some suspect the Conficker authors may be located in Eastern Europe, the evidence so far is inconclusive.  However, security researchers said this week that they were impressed by the authors' productivity.

"If you suspect this person lives in Kiev," said Mr. Nazario, "I would look for someone who has recently reported repetitive stress injury symptoms."
