Internet Anthropologist Think Tank: “Conficker Cabal”

    Thursday, March 19, 2009

    “Conficker Cabal”

    The Conficker connection

    ( posted in its Entirety as a PSA; Analysis at the END. G )

     March 18th, 2009 Dave

    In October 2008 a new and nasty bit of malware raised its head in the information technology world. Called Conficker but also known as Downup, it and Kido are probably the most advanced malware that the world has seen to date. By January the worm had already infected over 15 million computers worldwide, making it one of the most prolific infections of our time.

    The worm exploits a known vulnerability in Windows Server service which makes basically every unpatched version of Microsoft Windows from Windows XP through to Windows 7 vulnerable. What makes this malware more dangerous than others currently out in the wild is its complexity. It seems to use a lot of the concepts discussed at the Blackhat Briefings Europe 2007, which include P2P and PRNG for communication and a digitally signed payload.

    It seems like this little guy got almost everywhere and upset almost everyone. It got into the UK military, the French navy, it infected the German federal defence force (Bundeswehr) and could be found in government and municipal computer networks worldwide. Its rate of infection was so quick and so vast that experts are claiming that this is the worst infection since the SQL Slammer worm and has resulted in one of the world's largest botnets.

    For those of you that don’t know what a botnet is, it is a group of controlled “zombie” computers that are all infected with the virus. All the infected machines communicate with each other to form swarms, and the swarms connect to each other to form botnets, which in turn are controlled by the bot herder (the person in control of the botnet). Bot herders use their botnets for various reasons. The most common of these reasons is to use the zombies to pass on spam, to commit identity theft and fraud, and to launch distributed denial of service attacks (DDoS) at corporate and government networks (normally in the form of corporate blackmail).

    This infection was so bad and worried so many industry players that some of the biggest names in the industry got together to try and work out a solution to combat it. Nicknamed the “Conficker Cabal”, the organisations involved in this effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, Georgia Tech, The Shadowserver Foundation, Arbor Networks and Support Intelligence. 

    Microsoft have also offered a US$250 000 reward to anyone who can provide the right information to find those responsible for the worm.

    Currently this massive botnet seems to have been used for very few attacks, which does have some experts in the industry confused. On 13 March 2009 the worm attacked SouthWest Airlines. On 18 March it attacked the Women’s Net in Qinghai Province, China, and on 18 March it attacked From my perspective all very strange targets.

    So what’s the next step for this worm? Well experts are still trying to figure out the bot herder’s next step. 

    According to Symantec the Conficker botnet recently updated itself with a new set of instructions. The new version of this worm has been labeled W32.Downadup.C. The update has made it much more aggressive by targeting processes of security and analysis software and removing them from memory if found on the infected machine. It seems the purpose of this update is not really to infect new machines, but rather to consolidate and protect control of all its current zombies.

    There is a lot of speculation about the origin of this malware. The worm seems to kill itself if there is a Ukrainian keyboard present. While some might see that as evidence of a Ukrainian origin… it seems strange that the worm writer would have left such an obvious clue in the code as to its origins. It’s likely that that code was included as a red herring to confuse investigators as to its real origin.

    Due to the complexity of Conficker I have decided not to go into detailed information about how it works. For those of you who want a detailed breakdown of this malware I suggest that you read the comprehensive analysis done by SRI International at



    By Gerald Internet Anthropologist Think Tank


      Ridentem dicere verum quid vetat....

    Worst case Paradigm Intel suggest a WMD.
    15 million bots and counting,
    how many bots does it take to take down all
    the 13 Internet Nodes? DOS attack.
    The new modification to take out PC
    security may be a self preservation measure.

    RBN has the technology to develop this worm,
    But I don’t see a motive for them to take out the Internet.

    On the other hand some of the Terrorist groups would
    have the motivation to take out the Internet, but not the technology. ( Except maybe India )

    This could be the vector between those groups,
    But it would be very expensive and dangerous.

    There are 3 ways to stop this, which I won’t discuss

    The Military and NSA should be in the “Conficker Cabal”
    Because of the worst case potential.


    We have been warning about this possibility




