Conficker Mystery to Continue at Black Hat Conference
For all that has been written and said about the notorious Conficker worm, much remains unknown to the public. Who was behind it? What was their motive? Unfortunately, those mysteries will not be unraveled this week at the Black Hat security conference, when F-Secure Chief Research Officer Mikko Hypponen gives his presentation on the worm. "The original plan of what I was supposed to be talking about on Thursday I will not be able to talk about," he said. "I got requested to not go into detail because of ongoing investigations relating to the real topic of my talk, which was the motives of the Conficker gang ... which really is the main Conficker mystery." Still, the malware helped build one of the biggest botnets in years—at one point reaching around several million, according to some estimates. In May, even after months of publicity and work by vendors and researchers, the worm was still attempting to infect some 50,000 new PCs daily. There are still more than a million infected nodes out there, many of them in places like India, Vietnam and Brazil, Hypponen said. "The good news is that it is dormant," he said. "My understanding of the people behind it is that these guys were experts in things like encryption and coding ... but they probably were not experienced botnet owners." If they were, he explained, they would not have violated a cardinal rule of cyber-crime—avoid publicity. It was, after all, the notoriety of Conficker that galvanized the security community into coming together and creating cooperatives such as the Conficker Working Group. "[Experienced crooks] control the infection rates [and] keep them low on purpose," he said. "Conficker was running loose and my understanding, or my guess, on why that was happening was that it was the first botnet these guys were operating and they didn't realize that that's a bad idea." The minds behind the worm may have been newbies to cyber-crime, but their use of the MD6 hash algorithm and their self-defense mechanisms that kept victims from logging on to the Websites of security vendors to clean their systems underscore the level of sophistication involved in the attack. In fact, Conficker.B is believed to be the first production use of the MD6 algorithm. "I have never seen MD6 used anywhere, much less any malware, except Conficker," he said. "I hope so, but in practice, probably not." |
Comments (2)
The conficker discussion is one of several interesting areas that didn't materialize this BH. In that regard, conference didn't have the sizzle it has in the past. I was slightly depressed at the number of "easy" attacks that were highlighted (e.g. Jeremiah Grossman's gig), which further emphasize that the mundane things can still bite us in the tail.
Posted by John Dickson | July 30, 2009 8:35 PM
I would be interested in seeing a cloud like breakdown of where this worm, on a global scale. A sort of heat map for the virus.I agree that this was glaringly absent from BH, but you have to think that was for a reason (waiting to have something to say instead of just talking to talk).
Posted by Malware | November 4, 2009 10:59 AM