I recently read an article where two experts expressed different ideas of what Conficker represented. One expert argued that Conficker was clearly not a botnet, as it lacked some of the basic abilities typically found in botnets. While the other expert said Conficker indeed was a botnet, In the end they both agreed Conficker represented a significant threat. So what is Conficker? Well in the case of our two experts, they were both right...
and wrong. In my opinion, Conficker appears as a package or a mesh of several different threats, each one with its own purpose.
For example, the attacker has to find a way to deliver Conficker to its target. Delivery is performed via phishing emails, email attachments, spam and enticing websites. This represents the first component in the complete package. The second component is the delivery device; for Conficker it is in the form of a worm (W32.Downadup). Once executed, it delivers its payload and then begins to look for new hosts to infect. The third component is the exploitation of a weakness in Microsoft's Windows code intended to assist in taking over the infected target. Taking advantage of the weakness gives the attacker greater ability and access to the host. Then finally the fourth component, the botnet, is then delivered providing the attacker with control over the exploited target.
So now that we have a basic understanding of the "how," we still need to answer what is Conficker? Understanding Conficker's actions will help define what it is and provides us with some idea of what the end goal may be.
So to define Conficker as a botnet we only need to answer two questions:
- Can the installed threat on a client take action on its own without the attacker having to log into the client?
- Can many infected clients act in a unified manner to accomplish a common goal?
In this case Conficker has clearly demonstrated it can meet both of these requirements and therefore is a botnet. Since its inception, Conficker evolved by altering its own code to defeat detection attempts and preventing antivirus from performing its task. It was also believed that on April 1, 2009 version (C) with increased command and control abilities and a new set of anti-detection measures would turn itself on to call home for instructions. While April 1 turned out to be uneventful, to say that nothing happened would be a mistake. Eight days later on April 8, version (E) appeared again, demonstrating that it was still in contact with its command and control.
Botnets and Conficker:
VIDEO: Jose Nazario on botnets, cyberwarfare: Botnets are being used to silence political dissenters, explains Jose Nazario of Arbor Networks. DDoS attacks are a growing part of cyberwarfare.
Conficker updates with no problems reported: Despite hyped reports of a trail of destruction, the latest Conficker worm upped the ante April 1, but security researchers are successfully blocking it from receiving orders.
Conficker leaves security industry looking clueless: The true Conficker story may well turn into an introspective of the security industry. It should start with hard questions of security vendors and service providers.
Now the big question yet to be answered, is the why? In the past, a botnet's intent or its "why" could be traced to the motivation to make money. Their creators did not go to great lengths to hide this detail. However, in the case of Conficker, I believe the why may be a bit more complex. Since its arrival it has remained relatively quiet, but this in no way means it is harmless. In fact, I believe the lack of action on the part of Conficker is a telling indication of its true intent.
My theory on Conficker is that it's a dry run, an intelligence gathering exercise intended to test a response to a threat. To support my theory, we look at Conficker's actions and its lack of actions. Version (A) simply established that the worm could gain access and deliver its payload. In addition, the version demonstrated that the payload worked by taking advantage of a weakness in Windows, giving the attacker control of the host. Between November and February 2009, Conficker continued to spread; taking advantage of unpatched Windows based computers. During this time it did not take on typical roles and stayed mostly inactive. I believe that during this time it was gathering information that would be used to develop the next two versions.
Between mid-February and early March Version (B) and (C) arrived, and with information collected from the earlier version, Conficker then adapted to defend itself. It disabled Windows services, antivirus and blocked access to antivirus vendor websites. Conficker also developed a way to hide its command and control servers. This was performed by having it randomly select 500 domain names each day from a list of 50,000. It then attempted to contact these 500 random domains to receive its next command. This made it difficult to trace the domain where new commands would originate.
In addition, it is highly possible that there is more than one command and control server. It is also likely that commands are fragmented between several servers. Only after it makes contact with enough servers and receives all of the fragmented pieces does it then execute the next command. This would make it very hard to pinpoint the command and control servers. These fragmented commands might even be missed or discarded as useless information. This may be why it appeared that nothing happened on April 1, as it took eight days for each infected host to receive a complete set of commands.
As we have seen, Conficker will use the information collected to evolve and defend itself. It has also demonstrated that it will take extreme measures to protect its command and control servers. A significant point to make is that unlike other well-known botnets, there has been no obvious attempt by Conficker to generate income. All this together implies it is still learning and evolving.
So what did Conficker learn from the April 1 deadline? This deadline was a social engineering exercise on the part of Conficker. Let's think of it as the boy who cried wolf; Conficker implied that on April 1 some major event would take place. Media reports on Conficker helped fuel the hype of some impending event that we were unable to prevent. Then when April 1 arrived, and the anticipated disastrous event failed to appear, people were disappointed and began to discount further reports.
This helps Conficker, because as humans, once we are drawn into the hype of an event and then disappointed when it doesn't occur, we tend to discredit it in the future. The proof of this leading up to April 1 was the national media's reporting on the impending event. However, once this date passed and nothing happened the reporting stopped. Even on April 8 when version (E) was discovered it was not widely reported. By crying wolf, it became easier for Conficker to evolve and spread as most will discount future warnings as unfounded hype.
Conficker became active and evolved to version (E) by installing an enhanced spam bot with phony antivirus software on infected host computers. These two new components would restore the worm's ability to begin spreading to a new host. This was also the first time Conficker took on the normal role of a botnet with the ability to begin generating income for its owners. Part of Conficker's new design is the bot called Waledac, and it's believed that Waledac is the successor to the Storm bot. Conficker is now demonstrating it can take on many different roles. With the addition of Waledac, it can now be used to generate spam or scareware, but most notably it has returned to propagating again.
If my theory is correct, and this is a dry run intended to collect information and evolve, it would indicate that it's much larger than any one individual. It is likely that Conficker is backed by a well funded group or government and that the development lifecycle of Conficker will lead to a much larger threat. This threat would likely come in a form that would exploit multiple known and unknown weaknesses in our operating systems. It will install quietly, leave little evidence of its presence and avoid detection. Once on a computer it will remain dormant until activated and run almost transparent to the users. It is not out of the realm of possibility that a well funded and backed entity could develop such a threat, but the development process would require live test or dry runs, I believe based on behavior that Conficker may be part of such a development cycle.
Brian C. Sears is director of information systems at Benson & McLaughlin. He wrote this column as part of a research paper for the Information System Security course at the University of Washington.