  1. Conficker   April Fools, btw: do you guys know the derivation of April Fools?
  2. Remote Procedure Call <ul><li>Computer A asks Computer B to calculate something.</li><li>Computer B calculates; computer A waits.</li><li>Computer B answers.</li><li>Computers A and B go their separate ways.</li><li>This is just like a call to a function in your program, only the function resides on another computer.</li></ul>
  3. RPC <ul><li>What if A asks B to do something nefarious? Install some code, say.</li><li>You hope your operating system can keep you safe: it is supposed to check the request before acting on it.</li><li>What if your OS had a bug in its RPC code, so a malformed request makes it run whatever the caller sent? (Conficker got in through exactly such a bug in the Windows Server service's RPC interface, patched by Microsoft as MS08-067.)</li></ul>
  4. Malware <ul><li>What if malware could get into your computer via RPC?</li><li>How else?<ul><li>From an infected network you connected to:<ul><li>work: do you know any mistake-prone people? They get jobs too.</li><li>Starbucks</li><li>Airports</li><li>RCC: the people next to you</li></ul></li><li>From an infected thumb drive (autoplay options).</li></ul></li></ul>
  5. Malware <ul><li>What kind of bad things?<ul><li>Commandeer your computer.</li><li>Erase your stuff.</li><li>Steal your credit card info.</li><li>Steal your Social Security info.</li><li>Mount a Denial of Service (DoS) attack on you or others.</li><li>Use your computer to spam others.</li><li>Link your machine to others to solve some large problem, such as password cracking.</li></ul></li></ul>
  6. Spreading Malware <ul><li>Once it's on your machine it may look for other machines to infect:<ul><li>over the network, through the same RPC bug</li><li>onto machines on your network by guessing weak passwords</li><li>onto shared folders on your network</li><li>onto your thumb drive</li></ul></li></ul>
  7. Thumbdrive <ul><li>Conficker specifically copies itself onto USB devices.</li><li>It writes an autorun.inf on the device, which is what Windows reads to build the AutoPlay menu.</li><li>That file adds an extra option to the option list, dressed up to look like the normal "open folder" choice.</li><li>Clicking that extra option runs Conficker on the new machine instead of opening the folder.</li></ul>
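A way to check what a stick's AutoPlay entries would really do, added here as an example; it is not code from the talk, and the autorun.inf samples are constructed for the demo (the payload path and entry points are made up). The parser decodes leniently and skips lines outside the [autorun] section, so junk padding in the file does not hide entries from it; the report then names every entry that launches an executable and flags labels that mimic a built-in Windows option.

```python
import re

# Constructed sample, NOT any real worm's file: the AutoPlay menu gains an
# "Open folder to view files" entry whose command actually runs code off the stick.
SAMPLE_AUTORUN_INF = (
    b"\x00\x00\x7fjunk padding\x00\r\n"
    b"[autorun]\r\n"
    b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"action=Open folder to view files\r\n"
    b"shellexecute=.\\RECYCLER\\payload.exe\r\n"
    b"shell\\open=Open folder to view files\r\n"
    b"shell\\open\\command=rundll32.exe .\\RECYCLER\\payload.dll,launch\r\n"
)
# Constructed benign sample: icon and volume label only.
BENIGN_AUTORUN_INF = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Vendor Driver Disc\r\n"

EXEC_PATTERN = re.compile(r"\.(exe|dll|com|scr|bat|cmd|vbs|js)\b|rundll32", re.I)
SYSTEM_LABELS = {"open folder to view files"}   # text Windows itself uses for its own entry


def parse_autorun(data):
    """Return the key/value pairs of the [autorun] section with lower-cased keys.

    Decodes as latin-1 and strips NULs so binary padding cannot break parsing;
    anything outside [autorun] is ignored.
    """
    entries = {}
    in_section = False
    for raw in data.decode("latin-1").splitlines():
        line = raw.strip("\x00 \t\r")
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def autoplay_findings(entries):
    """List what each AutoPlay choice would run; flag labels that impersonate Windows."""
    findings = []
    for key, value in entries.items():
        if key in ("open", "shellexecute") and EXEC_PATTERN.search(value):
            findings.append(f"{key}= would run: {value}")
        m = re.fullmatch(r"shell\\([^\\]+)\\command", key)
        if m:
            verb = m.group(1)
            label = entries.get(f"shell\\{verb}", verb)   # shell\<verb>= is the shown text
            note = f'menu entry "{label}" runs: {value}'
            if label.lower() in SYSTEM_LABELS:
                note += "  <-- impersonates a built-in option"
            findings.append(note)
    action = entries.get("action", "")
    launches = entries.get("open", "") + " " + entries.get("shellexecute", "")
    if action.lower() in SYSTEM_LABELS and EXEC_PATTERN.search(launches):
        findings.append(f'action="{action}" mislabels an entry that launches:{launches.rstrip()}')
    return findings


if __name__ == "__main__":
    for name, blob in (("suspicious", SAMPLE_AUTORUN_INF), ("benign", BENIGN_AUTORUN_INF)):
        print(name + ":")
        for line in autoplay_findings(parse_autorun(blob)) or ["nothing launches"]:
            print("  " + line)
```

Running it against the suspicious sample reports three launch points, two of them under the "Open folder to view files" label; the benign sample reports nothing. On a real stick, feed it the bytes of `autorun.inf` from the root of the volume.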
  8. Peer to Peer <ul><li>The latest version of Conficker (called either C or D) has peer to peer abilities:</li><li>It can talk to other Conficker machines over the internet without an intermediary server.</li></ul>
  9. Safe Passwords <ul><li>Conficker carries a short list of common passwords and tries them against the administrative shares of other machines on your network; a weak password lets it in.</li><li>General rules for strong passwords:<ul><li>8 characters or more (longer is harder to brute force), mixing upper case, lower case, numbers and symbols.</li><li>Changed frequently: a password is like bubble gum, it's best when it's fresh.</li><li>Used in only one place.</li><li>Used by only one person.</li></ul></li></ul>
  10. Safe Passwords <ul><li>Avoid typing your passwords in places where there might be a keystroke capture device:<ul><li>internet cafes</li><li>computers at airports</li></ul></li><li>Passwords get sold.</li></ul>
  11. Conficker phones home <ul><li>Each of the three or four versions of Conficker connects to hundreds of generated web addresses a day, looking for updates to itself.</li><li>The updates are the code that tells the bot computer what to do.</li><li>The worm itself is just infrastructure.</li></ul>
  12. Conficker Day in the Life <ul><li>1) It gets to your machine.</li><li>2) It seeks out other machines to infect.</li><li>3) It seeks out websites to connect to, for updates.</li><li>4) If it is the D variant, it seeks out peers to pass updates on to.</li><li>5) If it has its instructions, it carries them out.</li><li>What instructions? Dunno.</li></ul>
  13. When Conficker is on Your Machine <ul><li>It turns off Windows Automatic Updates, so the hole it came in through never gets patched.</li><li>It deletes your System Restore points, so you can't roll back.</li><li>It disables security services (Security Center, Defender, Error Reporting).</li><li>It blocks access to security vendors' web sites, so you can't fetch a scanner or a fix.</li><li>It looks for servers on the web for instructions.</li><li>It looks for peers on the web to pass instructions on to.</li></ul>
  14. Bot Nets <ul><li>Bot refers to robot.<ul><li>btw, robot is from the Czech word for forced labor,</li><li>related to the Russian word for work: работа</li></ul></li><li>Bot net refers to an army of commandeered PCs being put to nefarious purposes.</li><li>Maybe mine, maybe yours. The best bots are stealthy, so that they won't be discovered.</li><li>The people who remotely control them are bot herders.</li><li>Spam happens this way.</li></ul>
  15. Bot Herders and their Opponents <ul><li>The bot needs to call home to get its instructions. That address is the rendezvous point.</li><li>Maybe it's an IP address.</li><li>If a bot is captured in the wild, it can be reverse-engineered, and the IP is discovered.</li><li>Whoever controls that IP controls the bot net: either the herder or their opponents.</li></ul>
  16. IP Blacklisting <ul><li>Once a bot herding IP is discovered, the internet community can blacklist it.</li><li>Now the bots can't get to that IP address.</li><li>So the bots need to be re-written. Instead of a fixed IP, how about a fixed domain name whose IP address keeps changing (the DNS record is re-pointed at a different compromised host every few minutes)?</li><li>This trick is called fast flux.</li><li>The bot net looks up a domain name, not a blacklisted IP address.</li></ul>
  17. Domain Name blacklisting <ul><li>If a bot is caught in the wild with a domain name, then the internet community can blacklist that domain name.</li><li>What if the bot uses pseudo-random domain names?</li><li>What's that?</li><li>Something like this:</li><li>...</li></ul>
  18. Pseudo-random Domain Names <ul><li>I'll attach some random string composed of three characters in the range A-Z, a-z and 0-9 to some fixed domain name.</li><li>There are 26+26+10 = 62 possible characters.</li><li>There are three random spots.</li><li>There are 62*62*62 possible domain names beginning with "Elena" and ending with three characters from that range.</li><li>That is 238,328 such domain names. The internet community won't blacklist all of these.</li></ul>
  19. 50,000 Pseudo Random Domains <ul><li>Conficker (the C variant) generates 50,000 candidate domain names a day in order to find its rendezvous point; the list is derived from the date, so tomorrow's names differ from today's.</li><li>Until those domain names are registered, they are up for grabs.</li><li>The good guys (or neutral people) may grab some.</li><li>What if Conficker just gets one?</li><li>With a little patience (all computers are patient) it can take over the web.</li></ul>
  20. Daily Polling <ul><li>In its daily chores, Conficker randomly picks 500 domain names from the day's pool of 50,000 candidates.</li><li>It tries to connect to all 500.</li><li>If every one fails, it tries again tomorrow with a fresh pool.</li><li>If one connects, it downloads files to run.</li></ul>
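The mechanism of slides 17 through 20, as an added example: a date-seeded domain generation algorithm (DGA) that yields a prefix plus three pseudo-random characters, a fresh pool per day, and a small random sample of the pool polled. This is not Conficker's own algorithm or code; the prefix "Elena" comes from the slide, while the `.com` suffix, the hash construction and the `SEED` value are assumptions for the demo. The defender-side function at the end shows the arithmetic the slides gesture at: how likely a bot is to miss the few names the good guys managed to register.

```python
import hashlib
import random

ALPHABET = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"  # 62 symbols
PREFIX = "Elena"                      # the slide's example prefix
TLD = ".com"                          # assumed
SUFFIX_LEN = 3
SEED = b"illustrative-dga-seed"       # assumed; a real worm hard-codes this in its binary


def namespace_size(alphabet_len=len(ALPHABET), suffix_len=SUFFIX_LEN):
    """Distinct names of the form PREFIX + <suffix_len symbols>: 62**3 == 238328."""
    return alphabet_len ** suffix_len


def daily_pool(day, pool_size):
    """The pool_size candidate rendezvous names for an ISO date string ('2009-04-01').

    Anyone who knows SEED and this construction (the herder, or an analyst who
    pulled it out of a captured bot) gets the same list for any future date,
    which is what lets defenders pre-register names.
    """
    if pool_size > namespace_size():
        raise ValueError("pool larger than the name space")
    names, seen, counter = [], set(), 0
    while len(names) < pool_size:
        material = SEED + day.encode() + counter.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        suffix = "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:SUFFIX_LEN])
        name = PREFIX + suffix + TLD
        if name not in seen:            # collisions are skipped, so the pool has no repeats
            seen.add(name)
            names.append(name)
        counter += 1
    return names


def daily_poll(day, pool_size, tries, rng_seed=None):
    """The bot's daily chore: pick `tries` names at random from today's pool."""
    return random.Random(rng_seed).sample(daily_pool(day, pool_size), tries)


def rendezvous(day, pool_size, tries, registered, rng_seed=None):
    """First polled name that somebody actually registered, or None.

    The bot needs only one hit per day; a blacklist would have to cover the
    whole pool, every day, to starve it.
    """
    for name in daily_poll(day, pool_size, tries, rng_seed):
        if name in registered:
            return name
    return None


def miss_probability(pool_size, registered, tries):
    """Chance that a bot sampling `tries` of `pool_size` names (without
    replacement) sees none of the `registered` ones."""
    p = 1.0
    for i in range(tries):
        p *= (pool_size - registered - i) / (pool_size - i)
    return p


if __name__ == "__main__":
    day = "2009-04-01"
    pool = daily_pool(day, 50_000)
    print(namespace_size(), "possible names;", len(pool), "in today's pool, e.g.", pool[:3])
    herder = {pool[123]}                          # herder registers a single name
    print("today's hit:", rendezvous(day, 50_000, 500, herder, rng_seed=7))
    print("chance one registered name is missed today: %.3f" % miss_probability(50_000, 1, 500))
    print("chance 5,000 registered names are all missed: %.2e" % miss_probability(50_000, 5_000, 500))
```

With one registered name in a pool of 50,000 and 500 tries, a given bot misses it 99% of the time on any one day, which is why the herder is patient; with 5,000 names registered the same bot almost never misses, which is why the good guys registering names in bulk matters.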
  21. Can the Good Guys get the Domain? <ul><li>What if some organization such as Microsoft or some anti-virus company got some (or lots) of those domains and posted fake downloads?</li><li>The "good guys" could feed the bots some neutralizing code and render the bot net ineffective.</li><li>Conficker saw this coming.</li></ul>
  22. Cryptography <ul><li>Conficker has very sophisticated cryptography.</li><li>A Conficker bot won't accept updates from any other source: an update must be encrypted and carry a valid digital signature, and the bot checks that signature against the authors' public key baked into its own binary.</li><li>The signature scheme is RSA over a hash of the update; the later variants use MD6, adopted within weeks of that hash function being published.</li><li>So grabbing a rendezvous domain lets the good guys count and sinkhole bots, but not push code to them: they don't have the private key.</li></ul>
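Why owning the domain is not enough, as an added example: the bot verifies each update against a public key it carries, and only the herder's private key produces a signature that passes. This is textbook RSA over fixed, publicly known Mersenne primes with SHA-256 standing in for the hash; it is not Conficker's code, key material or hash choice, the payloads are constructed for the demo, and fixed small primes are never acceptable outside a demo.

```python
import hashlib

E = 65537   # public exponent


def make_keypair(p, q):
    """Return ((n, e), (n, d)) for primes p, q.  Callers here pass known primes."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))
    return (n, E), (n, d)


# Toy keys: 2**89-1, 2**107-1, 2**61-1 and 2**127-1 are all Mersenne primes.
HERDER_PUB, HERDER_PRIV = make_keypair(2**89 - 1, 2**107 - 1)
SINKHOLE_PUB, SINKHOLE_PRIV = make_keypair(2**61 - 1, 2**127 - 1)  # the "good guys'" own key

BOT_TRUSTED_KEY = HERDER_PUB   # baked into the bot; the private half never leaves the herder


def _digest(payload, n):
    # Hash the payload and reduce it into the RSA group.
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def sign_update(payload, private_key):
    """Herder side: signature = H(payload)^d mod n."""
    n, d = private_key
    return pow(_digest(payload, n), d, n)


def verify_update(payload, signature, public_key):
    """Bot side: accept iff signature^e mod n == H(payload)."""
    n, e = public_key
    return pow(signature, e, n) == _digest(payload, n)


def bot_receives(payload, signature, trusted_key=BOT_TRUSTED_KEY):
    """What the bot does with whatever the rendezvous domain served it."""
    return "run" if verify_update(payload, signature, trusted_key) else "discard"


# Constructed payloads for the demo.
REAL_UPDATE = b"module: spam-relay v3"
NEUTRALIZER = b"module: remove worm, restore security services"

if __name__ == "__main__":
    sig = sign_update(REAL_UPDATE, HERDER_PRIV)
    print("herder's update:", bot_receives(REAL_UPDATE, sig))                   # run
    print("tampered copy:  ", bot_receives(REAL_UPDATE + b" (edited)", sig))    # discard
    fake = sign_update(NEUTRALIZER, SINKHOLE_PRIV)
    print("sinkhole's cure:", bot_receives(NEUTRALIZER, fake))                  # discard
    print("...though it verifies under the sinkhole's own key:",
          verify_update(NEUTRALIZER, fake, SINKHOLE_PUB))                        # True
```

The sinkhole operator can sign whatever they like with their own key, and a bot that trusted that key would run it; the bots in the field trust only `HERDER_PUB`, so the neutralizer is discarded along with any edited copy of a genuine update.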
  23. What's with the Name? <ul><li>Conficker has other aliases too, but this name comes from its original rendezvous website.</li><li>Conficker A (way back in November 2008) tried to connect to trafficconverter.biz, a site run by a company doing business as Traffic Converter.</li><li>Have you seen some of Traffic Converter's work?</li></ul>
  24. Traffic Converter <ul><li>You go to some dubious web site by mistake (or not).<ul><li>hint: porn, music, and other downloads</li></ul></li><li>You download, or get downloaded to you, some code that pretends to scan your computer for malware, spyware and adware.</li><li>It pretends to find some, and flashes alerts non-stop about your computer's grave risk.</li><li>It asks for $50 to clear your risk.</li><li>Once paid, it pretends to disable the malware (which it installed) and shuts up.</li></ul>
  25. Webmaster Day in the Life <ul><li>You are a webmaster at some dubious site (hint: same as before).</li><li>If you do business with Traffic Converter, you send your site's visitors on to Traffic Converter's sites.</li><li>For every sale they make with your affiliate id stamped on the incoming HTTP request, you get $XX bucks.</li><li>Maybe Traffic Converter wants to install its screaming extortion machines onto computers directly and bypass the middle man.</li><li>Maybe not.</li></ul>