Thursday, April 9th, 2009 09:51 am

PC Magazine, ITWeb and The Register are all reporting that Conficker is actively downloading updates via P2P. The Register, at least, is calling the new variant Conficker-E. According to Trend Micro and Kaspersky Labs, the new version is also talking to servers known to be associated with Waledac malware and the Storm botnet, possibly downloading further code or content from them. There’s still no evidence that the botnet is actually doing anything except update itself, though there is “circumstantial evidence” that it may be distributing the W32.Waledac trojan, which “steals sensitive information, turns computers into spam zombies, and establishes a back door remote access”, but is already well known to most antivirus software.

The really interesting development, according to Trend Micro, is that the current version of the worm apparently includes new code to clean itself up and delete itself from infected hosts on May 3.

I previously speculated that Conficker’s expanded host polling that began April 1 was a red herring, misdirection to distract attention from what it was really doing. It appears possible that was the case — or possibly the Conficker authors simply laid low and cancelled that planned update route to avoid exposing themselves. Now, seeing the reports of scheduled self-removal after allowing adequate time for the removal code to propagate to the entire botnet, I find myself wondering: What if the whole purpose of the current Conficker infection is simply a proof-of-concept — a “dry run”, as it were?

Thursday, April 9th, 2009 02:21 pm (UTC)
And what if it was the NSA or China or some other agency? Or ALIENS? Not just organized crime? Mmm.

Thursday, April 9th, 2009 02:41 pm (UTC)
Heh.

Maybe it was designed by white-hats to get people to update their damned computers. ;)
Thursday, April 9th, 2009 04:46 pm (UTC)
My dears, aren't we forgetting something? Perhaps the Internet is in the throes of waking up...

I have had a number of odd occurrences with google lately which have me thinking more along these lines than I certainly ever expected to...
Thursday, April 9th, 2009 06:24 pm (UTC)
Something is going on. The people behind Conficker are very well educated in computer science, and they are very patient. Immediate profit is obviously not the goal. A test suite against the white hats to see how well they can respond to a threat? A government program to test penetration into foreign networks? It is looking less and less like it is organized crime; they have a much different risk/reward outlook, and a shorter ROI timeframe.

Whatever it is, kudos to those who are working hard to figure it out! In industry, we write code for clarity, so it can be easily understood. Here, we are taking obfuscation to new levels of what the processors are capable of. Different process than what many Computer Science programs follow. It is sometimes harder to think backwards and sideways, all at the same time.
Thursday, April 9th, 2009 06:41 pm (UTC)
Yeah, that's my thinking too. There's more going on here than meets the eye. It's a question of figuring out what as much as who.