Conficker
Transcript

  • 1. Conficker   April Fools btw do you guys know the derivation of April Fools?
  • 2. Remote Procedure Call
    • Computer A asks Computer B to calculate something.
    • Computer B calculates, computer A waits.
    • Computer B answers.
    • Computers A and B go their separate ways.
    • This is just like a call to a function in your program, only the function resides on another computer.
  • 3. RPC
    • What if A asks B to do something nefarious?
    •      Install some code, say.
    • You hope your operating system could keep you safe.
    •      What if your OS had a bug in its RPC code?
  • 4. Malware
    • What if malware could get into your computer via RPC?
    • How else?
    •      From an infected network you connected to:
    •              work: do you know any mistake-prone people? They get jobs too.
    •              Starbucks
    •              airports
    •              RCC: the people next to you
    •      From an infected thumb drive:
    •              AutoPlay options
  • 5. Malware
    • What kind of bad things?
    •      Commandeer your computer.
    •      Erase your stuff.
    •      Steal your credit card (CC) info.
    •      Steal your Social Security (SS) info.
    •      Mount a DoS (Denial of Service) attack on you or others.
    •      Use your computer to spam others.
    •      Link your machine to others to solve some large problem, such as password cracking.
  • 6. Spreading Malware
    • Once it's on your machine it may look for other machines to infect:
    •          on the web via RPC
    •          on your network via weak passwords
    •          onto shared files on your network
    •          onto your thumb drive
  • 7. Thumbdrive
    • Conficker specifically installs itself onto USB devices.
    • It changes the autorun for that device.
    • It adds an option to the AutoPlay option list.
    • That extra option installs Conficker elsewhere when clicked.
  • 8. Peer to Peer
    • The latest version of Conficker (called either C or D) has peer-to-peer abilities:
    •          It can talk to other Conficker machines via the web without an intermediary server.
  • 9. Safe Passwords
    • Conficker exploits weak passwords on network devices.
    • General rules for strong passwords:
    •      8 characters or more (harder to brute-force), including:
    •          upper case
    •          lower case
    •          numbers
    •          symbols
    •      Changed frequently:
    •          A password is like bubble gum, it's best when it's fresh.
    •      Used only in one place
    •      Used only by one person
  • 10. Safe Passwords
    • Avoid using your passwords in places where there might be a keystroke capture device:
    •      internet cafes
    •      computers at airports
    • Passwords get sold.
  • 11. Conficker phones home
    • The three or four versions of Conficker connected to hundreds of web sites looking for updates to themselves.
    • The updates would be the code that tells the bot computer what to do.
    • The worm itself is just infrastructure.
  • 12. Conficker Day in the Life
    • 1) It gets to your machine.
    • 2) It seeks out other machines to infect.
    • 3) It seeks out websites to connect to, for updates.
    • 4) If it is the D variant, it seeks out peers to pass on updates to.
    • 5) If it has its instructions, it carries them out.
    • What instructions? Dunno.
  • 13. When Conficker is on Your Machine
    • It turns off automatic backups.
    • It deletes previous restore points, so you can't restore.
    • It disables security services.
    • It blocks access to security service web sites.
    • It looks for servers on the web for instructions.
    • It looks for peers on the web to pass on instructions.
  • 14. Bot Nets
    • Bot refers to robot.
    •          btw robot is a Czech word for forced labor,
    •          related to the Russian word for work: работа
    • Bot nets refers to armies of commandeered PCs being put to nefarious purposes.
    • Maybe mine, maybe yours. The best bots are stealthy, so that they won't be discovered.
    • The people who remotely control them are bot herders.
    • Spam happens this way.
  • 15. Bot Herders and their Opponents
    • The bot needs to call home to get its instructions.
    • This is the rendezvous point.
    • Maybe it's an IP address.
    • If a bot is captured in the wild, then it can be reverse-engineered.
    • The IP is discovered.
    • Whoever owns the IP owns the bot net, either the herder or their opponents.
  • 16. IP Blacklisting
    • Once a bot herding IP is discovered, the internet community can blacklist it.
    • Now the bots can't get to that IP address.
    • So the bots need to be rewritten. Instead of a fixed IP, how about a fixed domain name with an ever-changing IP address?
    • This solution is called fast flux.
    • The bot net will search for a domain name and not a blacklisted IP address.
  • 17. Domain Name Blacklisting
    • If a bot is caught in the wild with a domain name, then the internet community can blacklist that domain name.
    • What if there are pseudo-random domain names?
    • What's that?
    • Something like this:
    •      ElenaAAA.com
    •      ElenaAAB.com
    •      ...
    •      Elenazzz.com
  • 18. Pseudo-random Domain Names    
    • I'll attach some random string composed of three characters in the range A-Z, a-z and 0-9 to some fixed domain name.
    • There are 26+26+10 possible characters, for 72 characters.
    • There are three random spots.
    • There are 72*72*72 possible domain names beginning with "Elena" and ending with three other characters in the range.
    • There are 373248 such domain names. The internet community won't black list all of these.
  • 19. 50,000 Pseudo-Random Domains
    • Conficker limits itself to 50,000 possible domain names in order to find its rendezvous point.
    • Up until those domain names are registered, they are up for grabs.
    • The good guys (or neutral people) may grab some.
    • What if Conficker just gets one?
    • With a little patience (all computers are patient) it can take over the web.
  • 20. Daily Polling
    • In its daily chores, Conficker will randomly generate 500 domain names from among its pool of 50,000 possible names.
    • It will try to connect to all of those 500.
    • If it fails, it will try again tomorrow.
    • If it connects, it will download files to run.
  • 21. Can the Good Guys get the Domain?
    • What if some organization such as Microsoft or some anti-virus company gets some or lots of those domains and posts fake downloads?
    • The "good guys" could force the bots to take some neutralizing code, and render the bot net ineffective.
    • Conficker saw this coming.
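As an added example (not part of the deck), here is a small Python model of what slides 18 through 21 describe: a fixed pool of 50,000 "Elena" names drawn from the character set the slide lists (26+26+10 = 62 characters), a daily pick of 500 names keyed on the date, and the defender's side, which, once the generator has been recovered by reverse-engineering a captured bot, computes the same daily lists ahead of time so those names can be registered first. The pool seed and the date-keyed selection are assumptions made for this toy, not Conficker's actual generator.

```python
import random
import string
from datetime import date, timedelta
from itertools import product

PREFIX = "Elena"                                   # fixed part of the name, as on the slide
ALPHABET = string.ascii_letters + string.digits    # A-Z, a-z, 0-9: 26+26+10 = 62 characters
POOL_SIZE = 50_000                                 # size of Conficker's pool, from the slide
DAILY_PICK = 500                                   # names tried per day, from the slide
POOL_SEED = 2009                                   # hypothetical seed baked into the bot


def build_pool(seed=POOL_SEED):
    """Choose the fixed pool of POOL_SIZE names out of every PREFIX + 3-character name.

    There are 62**3 = 238,328 candidates; the bot only ever uses POOL_SIZE of them.
    """
    universe = [PREFIX + "".join(t) + ".com" for t in product(ALPHABET, repeat=3)]
    rng = random.Random(seed)                      # deterministic: same pool on every machine
    return sorted(rng.sample(universe, POOL_SIZE))


def daily_names(pool, day):
    """The DAILY_PICK names a bot would try on the given calendar day.

    Seeding on the date (an assumption for this toy) is what makes the list predictable.
    """
    rng = random.Random(day.toordinal())
    return rng.sample(pool, DAILY_PICK)


def plan_registrations(pool, start, days):
    """Defender's side: every name any bot will try from `start` for `days` days.

    Knowing the generator, the defender can compute these lists in advance and
    register (sinkhole) the names before the herder does.
    """
    planned = set()
    for offset in range(days):
        planned.update(daily_names(pool, start + timedelta(days=offset)))
    return planned


if __name__ == "__main__":
    pool = build_pool()
    today = date(2009, 4, 1)
    ahead = plan_registrations(pool, today, 7)
    print(f"pool={len(pool)} today={len(daily_names(pool, today))} "
          f"to register for the week={len(ahead)}")
```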
  • 22. Cryptography
    • Conficker has very sophisticated cryptography.
    • A Conficker bot won't accept updates from any source other than a Conficker-encrypted file.
    • MD5 and MD6 cryptography.
  • 23. What's with the Name?
    • Conficker has other aliases too, but this name comes from its original rendezvous website.
    • Conficker A (way back in November) tried to connect to a website owned by a company doing business as (DBA) Traffic Converter.
    • Have you seen some of Traffic Converter's work?
  • 24. Traffic Converter
    • You go to some dubious web site by mistake (or not).
    •      hint:
    •              pron, music, and other downloads
    • You download, or get downloaded to you, some code that pretends to scan your computer for malware, spyware and adware.
    • It pretends to find some, and flashes alerts non-stop about your computer's grave risk.
    • It asks for $50 to clear your risk.
    • It pretends to disable the malware (it installed) and shuts up.
  • 25. Webmaster Day in the Life
    • You are a webmaster at some dubious site.
    • hint: same as before
    • If you do business with Traffic Converter, you send visitors to your site to Traffic Converter sites.
    • For every sale they make with your id stamped on the incoming HTTP request, you get $XX bucks.
    • Maybe Traffic Converter wants to install screaming extortion machines onto computers directly and bypass the middle man.
    • Maybe not.