
  • 1. Conficker
    • April Fools, btw: do you guys know the derivation of April Fools?
  • 2. Remote Procedure Call
    • Computer A asks Computer B to calculate something.
    • Computer B calculates; Computer A waits.
    • Computer B answers.
    • Computers A and B go their separate ways.
    • This is just like a call to a function in your program, only the function resides on another computer.
  • 3. RPC
    • What if A asks B to do something nefarious?
        • Install some code, say.
    • You hope your operating system could keep you safe.
        • What if your OS had a bug in its RPC code?
  • 4. Malware
    • What if malware could get into your computer via RPC?
    • How else?
        • From an infected network you connected to.
            • Work: do you know any mistake-prone people? They get jobs too.
            • Starbucks
            • Airports
            • RCC: the people next to you
        • From an infected thumb drive.
            • Autoplay options
  • 5. Malware
    • What kind of bad things?
        • Commandeer your computer.
        • Erase your stuff.
        • Steal your CC (credit card) info.
        • Steal your SS (social security) info.
        • Mount a DoS (Denial of Service) attack on you or others.
        • Use your computer to spam others.
        • Link your machine to others to solve some large problem, such as password cracking.
  • 6. Spreading Malware
    • Once it's on your machine it may look for other machines to infect:
        • on the web via RPC
        • on your network via weak passwords
        • onto shared files on your network
        • onto your thumb drive
  • 7. Thumbdrive
    • Conficker specifically installs itself onto USB devices.
    • It changes the autorun for that device and adds an option to the option list.
    • That extra option installs Conficker elsewhere when clicked.
  • 8. Peer to Peer
    • The latest version of Conficker (called either C or D) has peer-to-peer abilities:
        • It can talk to other Conficker machines via the web without an intermediary server.
  • 9. Safe Passwords
    • Conficker exploits weak passwords on network devices.
    • General rules for strong passwords:
        • 8 characters or more (harder to brute-force crack), including
            • upper case
            • lower case
            • numbers
            • symbols
        • Changed frequently: a password is like bubble gum, it's best when it's fresh.
        • Used only in one place.
        • Used only by one person.
  • 10. Safe Passwords
    • Avoid using your passwords in places where there might be a keystroke capture device:
        • internet cafes
        • computers at airports
    • Passwords get sold.
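The rules on slides 9 and 10 as a checker, together with the brute-force keyspace that the "8 characters or more" rule is really about. This is an added example, not part of the deck: the 1e10 guesses-per-second rate is an assumption standing in for an offline cracking rig, and `used_elsewhere` stands in for whatever reuse check a real system would consult.

```python
"""Password-rule checker and brute-force cost estimate for the rules on slide 9.
Added example, not part of the original deck; the guess rate is an assumption."""
import string

MIN_LENGTH = 8
CHARACTER_CLASSES = {
    "upper": set(string.ascii_uppercase),   # 26 characters
    "lower": set(string.ascii_lowercase),   # 26
    "digit": set(string.digits),            # 10
    "symbol": set(string.punctuation),      # 32
}


def classes_present(password: str) -> set:
    """Names of the character classes the password actually uses."""
    return {name for name, chars in CHARACTER_CLASSES.items()
            if any(ch in chars for ch in password)}


def check_password(password: str, used_elsewhere=frozenset()) -> list:
    """Return the slide-9 rules the password breaks (empty list means it passes).
    `used_elsewhere` is a hypothetical set of passwords already used on other
    sites or by other people; a real system would consult a vault for this."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = set(CHARACTER_CLASSES) - classes_present(password)
    if missing:
        problems.append("missing character classes: " + ", ".join(sorted(missing)))
    if password in used_elsewhere:
        problems.append("already used in another place or by another person")
    return problems


def brute_force_keyspace(password: str) -> int:
    """Guesses an attacker must cover if they know which character classes were
    used: (size of the union of those classes) ** length."""
    alphabet = sum(len(CHARACTER_CLASSES[name]) for name in classes_present(password))
    return alphabet ** len(password)


def years_to_exhaust(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at an assumed offline guess rate."""
    return brute_force_keyspace(password) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for pw in ["password", "Correct7!", "Xk4$vQ9#pL2m"]:
        print(pw, check_password(pw) or "ok", f"{years_to_exhaust(pw):.3g} years")
```

Eight lowercase letters give 26^8 candidates, which an offline rig at the assumed rate exhausts in seconds; eight characters drawn from all four classes give 94^8, about 29,000 times more, which is the whole point of the "including upper case, lower case, numbers, symbols" line.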
  • 11. Conficker phones home
    • The three or four versions of Conficker connected to hundreds of web sites looking for updates to themselves.
    • The updates would be the code that tells the bot computer what to do.
    • The worm itself is just infrastructure.
  • 12. Conficker Day in the Life
    • 1) It gets to your machine.
    • 2) It seeks out other machines to infect.
    • 3) It seeks out websites to connect to, for updates.
    • 4) If it is the D variant, it seeks out peers to pass on updates to.
    • 5) If it has its instructions, it carries them out.
    • What instructions? Dunno.
  • 13. When Conficker is on Your Machine
    • It turns off automatic backups.
    • It deletes previous restores, so you can't restore.
    • It disables security services.
    • It blocks access to security service web sites.
    • It looks for servers on the web for instructions.
    • It looks for peers on the web to pass on instructions.
  • 14. Bot Nets
    • Bot refers to robot.
        • btw, robot is a Czech word for forced labor
        • related to the Russian word for work: работа
    • Bot nets refers to armies of commandeered PCs being put to nefarious purposes.
    • Maybe mine, maybe yours. The best bots are stealthy, so that they won't be discovered.
    • The people who remotely control them are bot herders.
    • Spam happens this way.
  • 15. Bot Herders and their Opponents
    • The bot needs to call home to get its instructions. This is the rendezvous point.
    • Maybe it's an IP address.
    • If a bot is captured in the wild, then it can be reverse-engineered and the IP is discovered.
    • Whoever owns the IP owns the bot net, either the herder or their opponents.
  • 16. IP Blacklisting
    • Once a bot-herding IP is discovered, the internet community can blacklist it.
    • Now the bots can't get to that IP address.
    • So the bots need to be re-written. Instead of a fixed IP, how about a fixed domain name with an ever-changing IP address?
    • This solution is called fast flux.
    • The bot net will search for a domain name and not a blacklisted IP address.
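Fast flux, as slide 16 describes it, shows up in passive DNS as one name cycling through many addresses with short TTLs. The following added example (not from the deck) flags that pattern over constructed records; the 24-hour window, the five-IP threshold and the 600-second TTL ceiling are assumed tuning values, and the names and addresses are made up from reserved documentation ranges.

```python
"""Flag fast-flux-like names in passive-DNS data: one name resolving to many
different IPs within a short window, typically with short TTLs. Added example;
the records are constructed and the thresholds are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed records in the form "timestamp name ip ttl". The addresses come
# from the documentation ranges 192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24.
PASSIVE_DNS = """\
2009-04-01T00:00:00 cc.flux-example.test 203.0.113.10 300
2009-04-01T00:10:00 cc.flux-example.test 198.51.100.22 300
2009-04-01T00:20:00 cc.flux-example.test 192.0.2.77 300
2009-04-01T00:30:00 cc.flux-example.test 203.0.113.44 300
2009-04-01T00:40:00 cc.flux-example.test 198.51.100.9 300
2009-04-01T00:50:00 cc.flux-example.test 192.0.2.130 300
2009-04-01T00:00:00 www.static-example.test 192.0.2.5 86400
2009-04-01T12:00:00 www.static-example.test 192.0.2.5 86400
2009-04-02T00:00:00 www.static-example.test 192.0.2.6 86400
2009-04-01T00:00:00 cdn.big-example.test 203.0.113.1 60
2009-04-01T00:00:05 cdn.big-example.test 203.0.113.2 60
2009-04-01T00:00:10 cdn.big-example.test 203.0.113.3 60
"""


def parse_records(text: str):
    """Yield (timestamp, name, ip, ttl) tuples from the text form above."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, ip, ttl = line.split()
        yield datetime.fromisoformat(ts), name.lower(), ip, int(ttl)


def find_fast_flux(records, window=timedelta(hours=24), min_ips=5, max_ttl=600):
    """Return {name: {"distinct_ips": n, "max_ttl": t}} for names that resolved
    to at least `min_ips` different addresses inside one `window`, every record
    carrying a TTL <= `max_ttl`. A CDN also rotates addresses with low TTLs,
    which is why the IP-count threshold matters; the constructed cdn.* records
    stay under it."""
    by_name = defaultdict(list)
    for ts, name, ip, ttl in records:
        by_name[name].append((ts, ip, ttl))
    suspects = {}
    for name, rows in by_name.items():
        rows.sort()
        for i, (ts, _, _) in enumerate(rows):
            in_window = [r for r in rows[i:] if r[0] - ts <= window]
            ips = {ip for _, ip, _ in in_window}
            worst_ttl = max(ttl for _, _, ttl in in_window)
            if len(ips) >= min_ips and worst_ttl <= max_ttl:
                suspects[name] = {"distinct_ips": len(ips), "max_ttl": worst_ttl}
                break
    return suspects


if __name__ == "__main__":
    for name, info in find_fast_flux(parse_records(PASSIVE_DNS)).items():
        print(name, info)
```

On real passive-DNS feeds the thresholds need tuning against known CDNs and load balancers, which is what the allow-listed cdn.* records stand in for here.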
  • 17. Domain Name Blacklisting
    • If a bot is caught in the wild with a domain name, then the internet community can blacklist that domain name.
    • What if there are pseudo-random domain names?
    • What's that?
    • Something like this:
        • ...
  • 18. Pseudo-random Domain Names
    • I'll attach some random string composed of three characters in the range A-Z, a-z and 0-9 to some fixed domain name.
    • There are 26+26+10 possible characters, for 72 characters.
    • There are three random spots.
    • There are 72*72*72 possible domain names beginning with "Elena" and ending with three other characters in the range.
    • There are 373248 such domain names. The internet community won't blacklist all of these.
  • 19. 50,000 Pseudo-Random Domains
    • Conficker limits itself to 50,000 possible domain names in order to find its rendezvous point.
    • Up until those domain names are registered, they are up for grabs.
    • The good guys (or neutral people) may grab some.
    • What if Conficker just gets one?
    • With a little patience (all computers are patient), it can take over the web.
  • 20. Daily Polling
    • In its daily chores, Conficker will randomly generate 500 domain names from among its pool of 50,000 possible names.
    • It will try to connect to all of those 500.
    • If it fails, it will try again tomorrow.
    • If it connects, it will download files to run.
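Slides 18 to 20 together describe a generator a defender can re-implement: a fixed stem, three characters from A-Z, a-z, 0-9, a fixed pool of 50,000 names, and 500 of them polled each day. The added example below (not Conficker's code) models that and then runs a constructed resolver log against the day's 500 names, which is how a defender knows which names to pre-register or blocklist before the bots ask for them. The stem "Elena" is the slide's; the .test TLD, both seeds and the date-based seeding are assumptions. Note that 26+26+10 comes to 62 characters, so the code reports both 62^3 and the slide's 72^3.

```python
"""Toy model of the scheme on slides 18-20: a fixed stem plus three characters
from A-Z, a-z, 0-9; a fixed pool of 50,000 such names; 500 of them polled per
day. Added example, not Conficker's real generator: the TLD and seeds are
constructed, and seeding by date is an assumption about how every bot arrives
at the same 500 names."""
import hashlib
import itertools
import random
import string
from datetime import date, timedelta

ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits  # 62 characters
STEM = "Elena"            # fixed part, as on slide 18
TLD = ".test"             # reserved TLD, so nothing here resolves on the real internet
POOL_SIZE = 50_000        # slide 19
DAILY_COUNT = 500         # slide 20
POOL_SEED = 20090401      # constructed stand-in for a constant baked into the worm


def keyspace_size(alphabet_len: int, positions: int) -> int:
    """Distinct suffixes available: alphabet_len ** positions."""
    return alphabet_len ** positions


def build_pool(seed: int = POOL_SEED) -> list:
    """The fixed pool of 50,000 names, drawn once from the full keyspace.
    A defender who recovers the seed from a captured sample rebuilds it exactly."""
    suffixes = ["".join(chars) for chars in itertools.product(ALPHABET, repeat=3)]
    return [f"{STEM}{s}{TLD}" for s in random.Random(seed).sample(suffixes, POOL_SIZE)]


def daily_candidates(pool, day: date, count: int = DAILY_COUNT) -> set:
    """The names polled on `day`: seeded from the date so every bot (and every
    defender running this code) gets the same 500."""
    day_seed = int.from_bytes(hashlib.sha256(day.isoformat().encode()).digest()[:8], "big")
    return set(random.Random(day_seed).sample(pool, count))


def flag_queries(dns_log, candidates) -> list:
    """Return (timestamp, client, name) for log lines whose name is a candidate."""
    wanted = {c.lower() for c in candidates}
    hits = []
    for line in dns_log:
        ts, client, qname = line.split()
        if qname.rstrip(".").lower() in wanted:
            hits.append((ts, client, qname))
    return hits


def demo(day: date = date(2009, 4, 1)) -> dict:
    """Build the pool, derive today's and tomorrow's lists, and run a constructed
    resolver log against today's list."""
    pool = build_pool()
    today = daily_candidates(pool, day)
    tomorrow = daily_candidates(pool, day + timedelta(days=1))
    a, b = sorted(today)[:2]
    resolver_log = [                       # constructed: "timestamp client qname"
        f"{day}T03:00:01 10.0.0.7 {a}",
        f"{day}T03:00:02 10.0.0.7 www.static-example.test",
        f"{day}T03:00:03 10.0.0.9 {b}.",   # trailing dot, as resolvers often log it
    ]
    return {
        "keyspace_62": keyspace_size(len(ALPHABET), 3),
        "keyspace_72": keyspace_size(72, 3),
        "pool": len(pool),
        "today": len(today),
        "overlap_with_tomorrow": len(today & tomorrow),
        "hits": flag_queries(resolver_log, today),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The overlap figure is the operational lesson of slide 20: blocking today's 500 names buys almost nothing for tomorrow, so the defender either reproduces the generator and registers ahead of it, or watches resolver logs for hosts that query many names from the pool.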
  • 21. Can the Good Guys Get the Domain?
    • What if some organization such as Microsoft or some anti-virus company gets some or lots of those domains and posts fake downloads?
    • The "good guys" could force the bots to take some neutralizing code, and render the bot net ineffective.
    • Conficker saw this coming.
  • 22. Cryptography
    • Conficker has very sophisticated cryptography.
    • A Conficker bot won't accept updates from any other source besides a Conficker-encrypted file.
    • MD5 and MD6 cryptography.
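Slide 22's point is that a bot only runs downloads that check out under a key baked into the bot, which is why grabbing the rendezvous domains (slide 21) is not enough to push neutralizing code. The added example below (not Conficker's scheme) shows that with textbook RSA over a constructed toy key pair: the genuine update verifies, a tampered copy fails, and an update signed by whoever holds a sinkholed domain fails too. It uses MD5 only because the slide names it; MD5 is collision-broken and the key sizes here are far too small for real use.

```python
"""Why a sinkholed domain cannot push code to a bot that checks signatures,
as on slide 22. Added example using textbook RSA with small fixed primes; not
Conficker's real scheme and not safe for real use."""
import hashlib

# Constructed toy key pair: two Mersenne primes (far too small for real use).
P, Q = 2**31 - 1, 2**61 - 1
E = 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))           # modular inverse; needs Python 3.8+
BOT_PUBLIC_KEY = (E, N)                     # the part baked into every bot
HERDER_PRIVATE_KEY = (D, N)                 # the part only the author holds


def digest_int(payload: bytes, n: int) -> int:
    """Hash the update and reduce it into the RSA modulus. The slide names MD5;
    MD5 is collision-broken and is used here only to mirror the slide."""
    return int.from_bytes(hashlib.md5(payload).digest(), "big") % n


def sign_update(payload: bytes, private_key) -> int:
    """Textbook RSA signature: digest ** d mod n."""
    d, n = private_key
    return pow(digest_int(payload, n), d, n)


def bot_accepts(payload: bytes, signature: int, public_key=BOT_PUBLIC_KEY) -> bool:
    """The bot's check before running a download: verify under its built-in key."""
    e, n = public_key
    return pow(signature, e, n) == digest_int(payload, n)


def sinkhole_attempt(payload: bytes) -> bool:
    """A third party who registered one of the rendezvous domains signs with a
    key of their own; the bot's built-in public key does not match it."""
    p2, q2 = 2**89 - 1, 2**107 - 1          # another constructed Mersenne pair
    n2 = p2 * q2
    d2 = pow(E, -1, (p2 - 1) * (q2 - 1))
    return bot_accepts(payload, sign_update(payload, (d2, n2)))


if __name__ == "__main__":
    update = b"constructed update payload"
    sig = sign_update(update, HERDER_PRIVATE_KEY)
    print("genuine update accepted:", bot_accepts(update, sig))
    print("tampered update accepted:", bot_accepts(update + b"x", sig))
    print("sinkhole update accepted:", sinkhole_attempt(update))
```

The defender's takeaway is the inverse of the bot's: without the private key, the response to a captured bot is containment (blocking the rendezvous names, cleaning hosts) rather than hijacking the update channel.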
  • 23. What's with the Name?
    • Conficker has other aliases too, but this name comes from its original rendezvous website.
    • Conficker A (way back in November) tried to connect to a website owned by a company DBA (doing business as) Traffic Converter.
    • Have you seen some of Traffic Converter's work?
  • 24. Traffic Converter
    • You go to some dubious web site by mistake (or not).
        • hint: pron, music, and other downloads
    • You download, or get downloaded to you, some code that pretends to scan your computer for malware, spyware and adware.
    • It pretends to find some, and flashes alerts non-stop about your computer's grave risk.
    • It asks for $50 to clear your risk.
    • It pretends to disable the malware (which it installed) and shuts up.
  • 25. Webmaster Day in the Life
    • You are a webmaster at some dubious site.
        • hint: same as before
    • If you do business with Traffic Converter, you send visitors to your site on to Traffic Converter sites.
    • For every sale they make with your id stamped on the incoming HTTP request, you get $XX bucks.
    • Maybe Traffic Converter wants to install screaming extortion machines onto computers directly and bypass the middle man.
    • Maybe not.