Conficker talk sanitized at Black Hat to protect investigation

The criminal ring is very savvy and might have infiltrated the group hunting it down, one investigator says

A talk at Black Hat had to be scaled back because it contained information about Conficker that might tip investigators’ hand and send the perpetrators further underground, says F-Secure's chief research officer.

LAS VEGAS -- The international security team tracking down Conficker thought the masterminds behind it would have been apprehended by now, according to one of the leaders of the effort to stamp out the resilient worm.

Take our quiz on Black Hat's most notorious incidents

But that’s not the way it has worked out, and a talk at Black Hat yesterday had to be scaled back because it contained information about Conficker that might tip investigators’ hand and send the perpetrators further underground, says Mikko Hypponen, chief research officer at F-Secure and a member of the Conficker Working Group

When Hypponen submitted the abstract for his Black Hat briefing more than six months ago, he thought he’d be presenting a forensic look at a dead worm and that the team who had written and managed it would be out of action. “I had hoped that by the end of July we would be in a totally different situation, the case would be closed and the group would be in jail,” Hypponen said in an interview after his talk.

His official line was that he was asked last week not to reveal critical information that might help prolong Conficker’s reign over millions of computers and inhibit the ongoing criminal investigation. “So I will end my presentation here,” Hypponen said at the conclusion of his Black Hat session. “Thank you very much. I will not be taking any questions.”

Hypponen said afterwards that he wasn’t forced to curtail his remarks (Black Hat has been the site of numerous speech-blockings and speech-blocking attempts, including that of a researcher Cisco sued because he was to reveal a flaw in the company's IOS code). Rather, Hypponen had already realized that it made sense to hold back some of what the working group has found out. “It’s better to keep them in the dark about what is known,” he says.

Given the agility and precision with which Conficker alters its tactics, Hypponen doesn’t rule out that the Conficker Working Group itself might have been infiltrated by Conficker operatives.

He wouldn’t say how close he thinks authorities are to bringing down the group, but did say there is an indication that it is based in the Ukraine. Some techniques used in Conficker match those used in an earlier worm, which might mean the same people were behind both.

That earlier worm avoided propagating to machines in the Ukraine, which might mean that the group is based there and was trying to avoid committing a local crime to keep Ukranian police off their backs, Hypponen says.

During his talk Hypponen outlined some of Confickter’s technical sophistication. In one version change – the worm has gone through five major revisions – the worm adopted the MD-6 cryptographic hash algorithm. Investigators estimate that MD-6 was only a month or so old when it was incorporated in Conficker, making the worm one of the earliest implementations of MD-6, he says.

The next major revision of Conficker patched an MD-6 buffer-overflow vulnerability that was publicly announced about six weeks earlier, which means the criminals keep themselves in the loop with the latest advances, he says. (The patch they used was identical to the one issued by MD-6 creators.)

The worm avoids sending itself to domains owned by members of the Conficker Working Group, and it disables infected machines so they can’t reach sites where they might seek help. Hypponen’s company set up a help site with a different domain name from its regular business site that included the term F-secure, and the next version of Conficker blocked it. The company changed the term to Fsecure with no hyphen, and the next revision blocked that, too, he says.

The worm had been propagating to eight top level Internet domains and the working group mustered enough cooperation to shut it down in all those domains, Hypponen says. The next version propagated to 116 domains, he says.

“These guys are very good in cryptography and code development,” he says, but maybe not so good about strategy, given the attention they drew to themselves. “They didn’t know better than to infect 10 million computers in a couple of days.” The goal of any botnet ought to be to remain hidden, not draw attention to itself, he says.

“They might have experience in another crime business but hadn’t run a botnet before. If they were more experienced, they’d know better.”

It would make sense, Hypponen says, for the Conficker gang to abandon its current botnet and build a new one that doesn’t get too big too fast and doesn’t draw a team of experts to fight it. “Maybe they already have,” he says.

Learn more about this topic

Conficker: Forgotten but not gone

IBM sees Conficker hitting 4% of PCs

Conficker still infecting 50,000 PCs per day
Insider Shootout: Best security tools for small business
Join the discussion
Be the first to comment on this article. Our Commenting Policies