2010 za con_barry_irwin

Upload: johan-klerk

Post on 16-Aug-2015

TRANSCRIPT

Page 1: 2010 za con_barry_irwin

Barry Irwin [email protected] @barryirwin Darknetproject.org

CONFICKER: ~687 DAYS LATER

Page 2

INTRO

Page 3

WHAT IS IN A NAME?

•  Conficker - also known as Downup, Downadup and Kido
•  The origin of the name Conficker is thought to be a blend of the English term "configure" and the German word "Ficker"
•  Alternative interpretation of the name: a rearrangement of portions of the domain name trafficconverter.biz
•  Five variants
  •  Conficker A, B, C, D and E
  •  Discovered 21/11/2008, 29/12/2008, 20/2/2009, 4/3/2009 and 7/4/2009
•  Microsoft naming is the more popular one used
•  The Conficker Working Group (CWG) uses A, B, B++, C and E for the same variants respectively
  •  i.e. CWG B++ = Microsoft C, and CWG C = Microsoft D

Page 4 (no transcribed text)

Page 5

RPC/DCOM - NOT PRETTY

Page 6

MS08-067 - OWCH

Page 7

HISTORY

Page 8 (no transcribed text)

Page 9

OUTBREAK

•  Aug. 20: Gimmiv Trojan, first spotted running on a server in South Korea
•  ~Mid Sept.: Chinese malware brokers are spotted selling a $37 tool
•  Sept. 29: Gimmiv seen in the wild (Vietnam). Mistakes limit its ability to spread
•  Oct. 15: Dr. Ronald Rivest publishes the "MIT MD6 hashing algorithm"
•  Oct. 23: Microsoft issues emergency patch MS08-067 for the RPC-DCOM vuln
•  Oct. 26: Chinese toolkit is given away for free. Bloom of related malware
•  Oct. - early Nov.: Gimmiv attacks unfold against unpatched PCs in Asia. Security experts begin to worry that someone will get the bright idea to create a self-replicating worm to seek out unpatched PCs - Blaster redone?

Page 10

OUTBREAK

•  Nov. 20: Conficker A, a self-replicating worm, begins to spread
•  Nov. 22: Microsoft issues a security alert recommending immediate patching
•  Nov. 26: Conficker A's "domain generation algorithm" activates. Infected PCs begin trying to contact a different set of 250 web domains daily for further instructions
•  late Nov.: Conficker A census: 500,000 infected machines
•  Dec. 1: Infected machines check for downloads at trafficconverter.biz
  •  Trafficconverter is a site well known for fake security products. It becomes the basis for naming the worm Conficker. Prior to this the worm had been referred to as Downadup
•  Dec. 24 - Dec. 27: Conficker A census: 1.5 million infected machines
•  late Dec.: Conficker B begins spreading. Incorporates the MIT MD6 hashing algorithm (with RSA signatures) to lock down its update channel

Page 11

OUTBREAK

•  Jan. 1: Conficker B initiates its own domain generation logic: 250 rendezvous points/day
•  Jan. 11: Microsoft updates its cleanup tool so that it can scan for and clean up early variants of Conficker
•  Jan. 15: MIT discloses a security hole (a buffer overflow) in the MD6 reference implementation
•  mid Jan. to early Feb.: Conficker A and Conficker B population of machines explodes: estimates range from 3 million to 12 million infected
•  Feb. 12: Microsoft forms the Conficker Cabal; offers a $250,000 bounty (still unclaimed)
•  Feb. 16: Conficker.B++ (Microsoft's C) is spotted. Adds an update channel that no longer depends on the rendezvous domains
•  mid Feb. - Mar.: The Cabal works to stop the daily RV points by registering the domains generated by the A and B variants

Page 12

OUTBREAK

•  Mar. 5: Conficker C begins updating B and B++
  •  Halts the Internet-wide scanning
  •  Organizes the infected PCs into P2P networks
  •  Instructions on April 1 to begin checking a random group of 500 rendezvous points selected from 50,000 domains
  •  Finally, Conficker C also patches the hole in its MIT MD6 code
•  Mar. 31: IBM reverses Conficker's P2P client
  •  Asia has 45%; Europe 32%; South America 14%; North America 6%
•  Apr. 1: Infected systems begin checking 500/50K RV points
  •  Impossible to defeat using previous methods (the defenders would have to register all 50,000 domains every day, because each bot draws its own 500)
•  Apr. 8: An update begins spreading via P2P to Conficker C machines
  •  The update begins propagation anew
  •  Improved stealth
  •  Installs the Waledac spam bot and fake-antivirus pitches
  •  SPAM components
•  Current: ~8-10 million infected

Page 13

RESPONSE

Page 14

THE EYE CHART

http://www.joestewart.org/cfeyechart.html

Page 15

THE EYE CHART

Page 16

MALWARE ACTION

Page 17

MALWARE'S DEFENSE

http://en.wikipedia.org/wiki/Conficker

Page 18

SPREAD

Page 19

Spread

http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution

Page 20

Spread

http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution

Page 21 (no transcribed text)

Page 22

THROUGH THE TELESCOPE

Page 23

TELE-WHAT?

Pages 24-31 (no transcribed text)

Page 32

REFLECTION

Page 33

WHAT WE HAVE LEARNED

•  Highly sophisticated
•  Well planned/executed
•  Nation state/corporate/underground support is highly likely
•  People still don't patch
  •  SQL Slammer proved this too!
•  Researchers still uncertain as to purpose
•  It was the next big thing.... until the advent of STUXNET

Page 34

QUESTIONS....

Twitter: @barryirwin Web: darknetproject.org Email: [email protected]

Pages 35-38 (no transcribed text)

Page 39

OUTBREAK

Aug. 20: The Gimmiv Trojan, which exploited the vulnerability Conficker capitalises on, is first spotted running in a virtual machine on a server in South Korea. Experts speculate this was a test run prior to it being released in the wild. (Source: BBC)

Sept.: Chinese malware brokers are spotted selling a $37 toolkit that allows anyone to exploit this newly discovered security hole in a component of Windows, called RPC-DCOM, which enables file and print sharing. (Strictly, the flawed component is the Windows Server service, which handles file and print sharing over RPC; the slides use the older RPC-DCOM label.) It is built into all PCs of Windows XP vintage and earlier, some 800 million machines worldwide.

Sept. 29: Gimmiv is first seen in the wild infecting a PC in Hanoi, Vietnam. Over the next few weeks it manages to infect 200 more machines in 23 nations, most of them in Malaysia. Mistakes in the way it is coded limit its ability to spread. (Source: BBC)

Oct. 15: MIT's Dr. Ronald Rivest publishes a cutting-edge security technique, called the "MIT MD6 hashing algorithm."

Oct. 23: Microsoft issues a rare emergency patch (MS08-067) for the RPC-DCOM vulnerability disclosed, and exploited, by the $37 malware kit.

Oct. 26: Word spreads about the $37 Chinese toolkit; its sellers are forced to give it away. The release of the exploit code prompts many to craft malware that can seek out machines with the bug. (Source: BBC)

Oct. - early Nov.: Isolated Gimmiv attacks unfold against unpatched PCs in Asia. Sunbelt Software reverse engineers one of the early attacks in the wild. Sunbelt researcher Eric Sites discovers that Gimmiv installs a new Dynamic Link Library, or DLL, so that the next time the owner restarts his or her PC, a malicious Trojan takes root and continually runs in the background. Every 10 minutes it copies all registry information, all logons stored by the web browser and a bunch of other information and sends it back to the attacker. Security experts begin to worry that someone will get the bright idea to create a self-replicating worm to seek out unpatched PCs.

"If other bad people find out how to use this, we're in big trouble," Sites predicts. "A Blaster-type worm could be created very easily, and wreak havoc."

Page 40

OUTBREAK

Nov. 20: Conficker A, a self-replicating worm that scans Internet-wide for other unpatched PCs to infect, begins to spread.

Nov. 22: Microsoft issues a security alert recommending immediate patching.

Nov. 26: Conficker A's "domain generation algorithm" activates. Infected PCs begin trying to contact a different set of 250 web domains daily for further instructions.

late Nov.: Security firm Damballa issues a Conficker A census: 500,000 infected machines.

Dec. 1: Conficker A-infected machines check in at trafficconverter.biz, following instructions hard-coded into Conficker. "This was not part of the domain generation algorithm," says F-Secure's Patrik Runald. "It attempted to do a download but the file wasn't there." Trafficconverter is a site well known for fake security products. It becomes the basis for naming the worm Conficker. Prior to this the worm had been referred to as Downadup.

Dec. 24 - Dec. 27: Research firm SRI issues a Conficker A census: 1.5 million infected machines.

late Dec.: Conficker B begins spreading. It incorporates the MIT MD6 hashing algorithm, combined with RSA signatures, to protect the updates moving between the rendezvous points and infected PCs: only code signed by the authors is accepted. This is done to prevent rival botnet groups from taking control; it also prevents security firms from inserting instructions to disinfect PCs.

Page 41

OUTBREAK

Jan. 1: Conficker B initiates its own domain generation logic; infected PCs begin checking in at different sets of 250 rendezvous points.

Jan. 6: The UK's Ministry of Defence suffers its first infections. It takes the department two weeks to clear up the damage. (Source: BBC)

Jan. 11: Microsoft updates its cleanup tool so that it can scan for and clean up early variants of Conficker.

Jan. 15: MIT discloses a security hole (a buffer overflow) in the reference implementation of its cutting-edge MD6 hashing algorithm and also delivers the patch. This means the MD6 code carried by Conficker B, unless patched, is itself vulnerable to attack.

mid Jan. to early Feb.: The Conficker A and Conficker B population of machines explodes, grabbing news headlines. Estimates range from 3 million to 12 million machines infected.

Feb. 12: Microsoft forms the Conficker Cabal; offers a $250,000 bounty for information leading to the arrest of Conficker's creators.

Feb. 16: Conficker.B++ is spotted for the first time. Its protocol seems to be a direct response to the Cabal's efforts to disable Conficker's communications strategy. It no longer needs to contact Internet rendezvous points for updates; instead these can be pushed to it from any Internet address. (Source: BBC)

mid Feb. - Mar.: The Cabal works to stop PCs from connecting to the daily list of 250 rendezvous points. This is accomplished by registering the known set of Conficker A and Conficker B domains, at least those that aren't already registered.

Page 42

OUTBREAK

Mar. 5: Conficker C begins updating all PCs infected with Conficker B and B++. Conficker C halts the Internet-wide scanning; it organizes the infected PCs into P2P networks; and it also embeds instructions for each infected PC to begin, on April 1, checking a random group of 500 rendezvous points selected from 50,000 domains. Finally, Conficker C also patches the hole in its MIT MD6 code.

early March: While working on this 60 Minutes feature story, CBS News gets hit by Conficker, causing major disruption.

Mar. 31: IBM announces that it has cracked Conficker's customized P2P client and can see Conficker P2P signatures across the globe. Asia has 45% of infections; Europe 32%; South America 14%; North America 6%.

Apr. 1: All PCs updated with Conficker C begin checking 500 rendezvous points randomly selected from 50,000 web addresses for further instructions. Pre-registering the domains no longer scales: because each bot draws its own 500, the defenders would have to hold all 50,000 every day, and a single missed domain is enough for the botmaster.

Apr. 8: An update begins spreading via P2P to Conficker C machines. The update begins propagation anew, covers its tracks better, and installs the Waledac spam bot and fake-antivirus pitches.

Researched by LastWatchdog. Gratitude extended to Microsoft, SRI International, SecureWorks, F-Secure, Sunbelt Software, Kaspersky Lab, Fortify Software, Arbor Networks, Lumension, Damballa, Sophos, IBM ISS, Trend Micro.
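The arithmetic behind the registration defence (the Cabal's Feb.-Mar. work against the A/B domain lists on page 41, and why the 500-of-50,000 scheme on this page defeated it), as an added example that is not part of the original deck, of Conficker, or of any Conficker Working Group tooling. The generator is a stand-in with the same shape as a date-seeded DGA (same date plus same algorithm gives the same list on every bot), not Conficker's real algorithm; the seed and TLD list are assumptions for the demo.

```python
"""Toy model of a date-seeded rendezvous-domain generator and of the
"register the domains first" defence.

Added illustration, NOT Conficker's code or the Working Group's tooling.
SEED, TLDS and the hashing scheme are assumptions chosen for the demo.
"""
import datetime as dt
import hashlib
import math
import random
import string

TLDS = ["com", "net", "org", "info", "biz"]   # assumed stand-in TLD list
SEED = b"toy-dga"                              # assumed; a real DGA hides its seed
APRIL_1_2009 = dt.date(2009, 4, 1)             # the day variant C switched over


def daily_domains(day, count, seed=SEED):
    """Deterministic list of `count` domains for `day`.

    Every party that knows the algorithm and `seed` (each bot, but also a
    defender who reverse-engineered a sample) derives the same list. That is
    what made registering the A/B domains ahead of time possible.
    """
    out = []
    for i in range(count):
        h = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 8 + h[0] % 4                                 # 8..11 letter label
        label = "".join(string.ascii_lowercase[b % 26] for b in h[1:1 + length])
        out.append(f"{label}.{TLDS[h[-1] % len(TLDS)]}")
    return out


def bot_contacts(pool, sample_size, bot_id):
    """Variant-C behaviour: each bot checks its own random subset of the pool.

    The subset is chosen by the bot, not by the date, so a defender cannot
    predict which 500 of the 50,000 a given machine will try.
    """
    rng = random.Random(bot_id)   # per-bot randomness; seeded only for reproducibility
    return rng.sample(pool, sample_size)


def p_bot_reaches_c2(pool_size, registered, sample_size):
    """Exact probability that at least one of a bot's `sample_size` draws
    (without replacement) from `pool_size` domains is one the defenders did
    NOT register. The attacker needs only one such domain per bot.
    """
    p_all_blocked = math.comb(registered, sample_size) / math.comb(pool_size, sample_size)
    return 1.0 - p_all_blocked


def simulate(day, pool_size, registered, sample_size, bots):
    """Fraction of `bots` bots that still reach an unregistered domain when the
    defenders hold the first `registered` domains of the day's pool."""
    pool = daily_domains(day, pool_size)
    held = set(pool[:registered])
    reached = sum(
        any(d not in held for d in bot_contacts(pool, sample_size, b)) for b in range(bots)
    )
    return reached / bots


if __name__ == "__main__":
    # Variants A/B: 250 fixed domains per day, every bot tries all of them.
    print("A/B, all 250 registered  :", p_bot_reaches_c2(250, 250, 250))   # 0.0
    print("A/B, one domain missed   :", p_bot_reaches_c2(250, 249, 250))   # 1.0
    # Variant C: 500 random of 50,000. Even 99% coverage is not enough.
    print("C, 49,500 of 50,000 held :", round(p_bot_reaches_c2(50_000, 49_500, 500), 4))
    print("C, simulated, 200 bots   :", simulate(APRIL_1_2009, 50_000, 49_500, 500, 200))
```

The point the numbers make: against A/B the defender can be complete (250 known names a day, and full coverage blocks every bot), but against C missing just 1% of the 50,000-name pool leaves each bot a better than 99% chance of finding a live rendezvous point, which is why the only workable answer became blocking or sinkholing at the scale of the whole pool rather than the bots' samples.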