[LINK] Internet meltdown threat: Conficker worm refuses to turn

Bernard Robertson-Dunn brd at iimetro.com.au
Tue Sep 22 17:23:17 AEST 2009

Internet meltdown threat: Conficker worm refuses to turn
Asher Modes
September 22, 2009 - 12:08PM

The brightest minds in technology and government are finding it "almost 
impossible" to defeat the Conficker worm, which has infected more than 5 
million computers and, experts say, could be used to knock down the 
internet in entire countries.

The worm, first detected in November last year, spreads rapidly to 
computers through a flaw in the Windows operating system.

Infected machines are co-opted into a "botnet" army, which can be 
controlled and used by the hackers to launch unprecedented cyber attacks.

"The general agreement in the security world is that Conficker is the 
largest threat facing us from a cyber crime point of view ... it has 
proven to be extremely resilient. It's almost impossible to remove," 
said Rodney Joffe, a director of the Conficker Working Group formed to 
defeat the worm.

"The best minds in the world have not managed to crack the code behind 
this yet."

The scale of the threat has forced the world's largest computer security 
companies to join together with government around the world in an 
unusual alliance to pool their resources and solve the problem.

Microsoft has offered a $US250,000 ($290,000) reward for information 
leading to the identification of the individuals - or rogue governments 
- behind Conficker.

Those behind the worm can do anything they want with the infected 
machines including stealing users' banking details or flooding 
government servers to knock them offline.

"This could be used to launch the mother of all DDoS [distributed denial 
of service] attacks, it could be used as the basis of major financial 
fraud, it could be used for major spam runs," Joffe said.

"Even a small portion of the infected machines from Conficker have the 
ability to actually take away the usability of the internet in an entire 
country like Australia."

So far the international effort to find a solution has yielded few 
results, and the number of infected machines has remained fairly stable 
at 5 million. They include home, business and Government computers.

Joffe, who is also a senior technologist at US communications company 
Neustar, explained that the remarkable resilience was because Conficker 
had built-in mechanisms to prevent people from scanning their computers 
with anti-virus software. Even for those who wipe their computers clean 
and start fresh, if they back up any important data on a portable hard 
drive, the clean machine is reinfected when the drive is connected to 
the computer.

The worm also spreads automatically between computers on a network and 
infects machines without the user having to do anything other than 
switch their computers on.

"If you've been able to disinfect 99 machines out of 100 and one is 
still infected, it will begin to try to reinfect the others," Joffe said.

Most other botnets can be destroyed by disabling the server used to 
issue commands to infected machines, but with Conficker the location of 
this server changes every day and state-of-the-art cryptography means 
it's almost impossible to crack.

Every time the security gurus feel they are on to a solution, the 
hackers send a new version of Conficker to the infected machines that 
stops them in their tracks.

"Conficker has proven to be the gold standard for botnets. It's rock 
solid, it's steady and it has mechanisms built in that have made it 
impossible for us to actually crack," Joffe said.

"As of today we have not been able to crack the cryptography behind it 
in order to disrupt it by authenticating ourselves as the command and 

So far the "botnet masters" have been biding their time as the media 
buzz around Conficker dies down, but they have already sent malicious 
code to infected machines that co-opts them to send spam emails. Users 
of infected computers have also been conned with offers to buy fake 
anti-virus software.

In July, Manchester City Council in Britain was prevented from issuing 
hundreds of fines after Conficker knocked out parts of its IT system. 
The infection cost the council £1.5 million in total.

In January, the French Navy had to quarantine its computer network after 
it was infected with Conficker, forcing aircraft at several air bases to 
be grounded.

Joffe said that people who are not yet infected and have installed the 
latest Windows patches and anti-virus software should be safe, as long 
as yet another version of Conficker is not released.

But he said it was rare for people to have all the relevant patches 
installed on their computers, and anti-virus software would be of little 
use to those already infected.

"We're some ways away from being able to take any action, which is what 
is really concerning us," Joffe said.


Bernard Robertson-Dunn
Canberra Australia
brd at iimetro.com.au
