Tuesday, March 31, 2009

More thoughts on Conficker worm

How much damage can someone with "remote control" of somewhere between 2 million and 15 million computers (the estimated range of Conficker-infected computers worldwide) actually do?

Think about that. Whoever is "running" this worm has the ability to update it, generally within a few days' time, effectively issuing new operating instructions to this vast arsenal of internet-connected systems.

So what kind of attack can be launched? How much and/or what specific critical areas of world economy or infrastructure can be attacked?

Is it conceivable that a vast amount of the world economy can be brought to its knees?

I honestly don't know. And so far, I can't find anyone who's saying, aside from vague comments such as "in the worst case, Conficker could be turned into a powerful offensive weapon for performing concerted information warfare attacks that could disrupt not just countries, but the Internet itself."

What is not addressed in this kind of comment is the degree of impact on the world economy if attacks could in fact "disrupt the Internet itself". To the degree such a general statement is true... I'd say the world economy could be pretty much brought to a standstill, don't you agree? The world economy is extraordinarily dependent upon the internet, in a way that we haven't really grokked... but we need to, and quickly.

Are we potentially facing one of those comic book moments where Dr. Doom truly causes mass disruption of the world economy, then announces to the world that he'll only re-enable operations if he's sent $100B? Or named world dictator? Or both.

I know it's fantastical...but if there aren't people RIGHT NOW sitting in Pentagon think tanks analyzing the potential level of disruption, I'd be awfully shocked. Unless of course the level of potential disruption is well understood already, in which case they are probably analyzing just what can be done about it.

I've spent some time reading through the detailed descriptions of this nasty little worm, and it's a son of a gun. The problem is that unless the people owning/managing the infected computers wipe it out themselves, by retaking control of their own machines and running appropriate "disinfectant" software, there's just no darn way to recover control of these 2-15 million computer systems. However, most such people have no clue their machine is infected.

A few key notes if you aren't aware of them:

- this all only started last fall: the hole the worm exploits (MS08-067) was patched by Microsoft in October, and the first variant appeared in November. In that time the worm has gone through three updates (A => B => B++ => C). Not every older copy has successfully evolved to the newest version, so what's out there now is a mix of variants. These updates have included active counter-counter-measures against the blocks and disinfection tools that security researchers have been deploying.
- the developers use absolutely state-of-the-art technology, literally within days of its publication. The clearest case is MD6: they built Rivest's brand-new hash into the B variant only weeks after it was submitted to the SHA-3 competition, defects (a buffer overflow in the reference code) included, and then the C variant in early '09 picked up the corrected MD6 shortly after the fix was published.
- the worm has several ways to fetch updates to itself, including a peer-to-peer channel, but the most powerful is a "rendezvous" scheme: each infected machine computes a list of domain names from the current date and polls them for code its master may have posted, so no address has to be hard-coded into the binary. On April 1, 2009 the C variant switches to a new, much larger version of this scheme (50,000 candidate domains per day spread across more than 100 top-level domains, of which each machine contacts a few hundred), specifically to defeat the domain pre-registration that researchers used against the earlier variants. Whether April 1 will also be the day a new version of the worm is downloaded to the infected machines is independent of this "mode switch" date: the switch changes where the worm looks, not what it finds there.
- most perniciously, the worm checks a public-key signature over the hash of any new version before it will run it. The binary carries only the public key; the private key is known only to the creators, and at 4096 bits (RSA-4096, bits not bytes) recovering it from the public key would mean factoring a 4096-bit modulus, which is hopelessly beyond any brute-force or factoring effort. Without that private key, neither researchers nor rival criminals can feed the infected machines a substitute payload, no matter how many rendezvous domains they register.

The "easy" way to turn this thing off is to build a "good worm", if you will (some benign code that terminates the infection and then stops operating once it has replaced the old version on an infected system), sign this "good worm" with the private key, and put it where all the infected systems will find it and download it. Then all the "bad Conficker worms" replace themselves with the new benign version over time, and voilà, threat over. (Remind you of Data sending the "go to sleep" command into the Borg collective in Star Trek TNG? It should...) One caveat a practitioner would raise even with the key in hand: pushing code onto millions of other people's machines without their consent is unauthorized access almost everywhere, and "good worms" have a history of not behaving as benignly as planned, so that step would need legal cover and very careful testing.

Easy, right? The core issue is WHAT IS THE PRIVATE KEY? How do we make sure the Borg accept the sleep message as a valid one? Without that key, they will simply discard it as noise.
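To make the two mechanisms above concrete, here is an added example (my own illustration, not Conficker's code or anyone's analysis of it) of a date-seeded rendezvous domain generator together with signed-update verification, showing why the private key is the whole game. Everything in it is a simplifying assumption: SHA-256 stands in for MD6, textbook RSA without padding and with a 1024-bit key stands in for the worm's RSA-4096, the domain generator is an illustrative scheme rather than the real algorithm, and the payload strings and TLD list are constructed. It needs Python 3.8+ for the modular inverse via pow().

```python
# Added example, not Conficker's code. Assumptions: SHA-256 instead of MD6,
# textbook RSA (no padding, 1024-bit) instead of RSA-4096, and an illustrative
# date-seeded domain generator rather than the worm's real algorithm.
import hashlib
import random

TLDS = ["com", "net", "org", "info", "biz"]  # constructed TLD list


def generate_domains(day_iso: str, count: int = 50, tlds=TLDS) -> list:
    """Derive a deterministic candidate-domain list from a date string such
    as "2009-04-01". Worm and operator both compute it, so nothing is
    hard-coded; a defender who knows the scheme can compute it too."""
    seed = int.from_bytes(hashlib.sha256(day_iso.encode()).digest(), "big")
    rng = random.Random(seed)
    domains = []
    for _ in range(count):
        label = "".join(chr(ord("a") + rng.randrange(26))
                        for _ in range(rng.randint(8, 11)))
        domains.append(label + "." + rng.choice(tlds))
    return domains


def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin primality test (enough for an example key)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 1024):
    """Return ((e, n), (d, n)). The worm binary would embed only (e, n)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            break
    return (e, p * q), (pow(e, -1, phi), p * q)


def _digest_int(payload: bytes) -> int:
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign_update(private_key, payload: bytes) -> int:
    """Operator side: sign the hash of the update with the private key."""
    d, n = private_key
    return pow(_digest_int(payload), d, n)


def verify_update(public_key, payload: bytes, signature: int) -> bool:
    """Worm side: run the update only if the signature opens to its hash."""
    e, n = public_key
    return pow(signature, e, n) == _digest_int(payload)


def demo():
    """The three cases from the text: legitimate "sleep" update, a forged
    signature from someone without the key, and a tampered payload.
    Returns (accepted, forged_accepted, tampered_accepted)."""
    public_key, private_key = generate_keypair(1024)  # authors' key
    benign = b"sleep: terminate, remove persistence, stop scanning"  # constructed
    sig = sign_update(private_key, benign)
    accepted = verify_update(public_key, benign, sig)
    forged_accepted = verify_update(public_key, benign,
                                    random.randrange(1, public_key[1]))
    tampered_accepted = verify_update(public_key, benign + b"; also run mine", sig)
    return accepted, forged_accepted, tampered_accepted


if __name__ == "__main__":
    print(generate_domains("2009-04-01")[:5])
    print(demo())  # (True, False, False)
```

The point the demo makes is the one in the bullet above: controlling the rendezvous domains (which anyone who knows the generator can pre-register) gets you a channel to the infected machines, but anything you post there is discarded unless it carries a signature only the private key can produce.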

The way to get the private key is "easy", and it's called the rubber hose method. You simply find the criminals responsible for Conficker and put them under the rubber hose (if you will) until they share the private key. So the problem becomes one of tracking down the SOBs responsible, which is unfortunately not easy at all. There are some indications that the criminal group behind Baka Software (who distributed fake "anti-virus software for Windows" that was itself malware, sneaky crooks) MIGHT be responsible. Baka is apparently in Kiev, Ukraine. However, the vague signs pointing their way could also be intentional misdirection by the real developers.

We can only hope to hear news reports soon of the raid by a multi-national SWAT team that executes the rubber hose method of private key extraction. I for one will be cheering on the sidelines. I don't want to have to wake up every morning and recite a Pledge of Allegiance to Dr. Doom...