Cyber Armageddon was supposed to emerge on 1st of April 2009. Rumors around the globe announced an inevitable Doomsday and hostile takeover of millions of machines. The New York Times mentioned an unthinkable disaster. The Guardian called it a deadly threat. CBS network predicted disruption to the internet as a whole. The finest security experts from around the globe joined forces and went on a month’s long battle to seize control.
The situation looked extraordinary.
Especially that no one had a clue who is the enemy.
DOES ANYONE KNOW ANYTHING?
Well… at least the basics. The threat was quickly classified as a net-worm. Net-worm which exploits MS08-067 vulnerability allowing remote code execution with a specially crafted Remote Procedure Call (RPC). Security hole inviting adversaries to attack through a good old stack overflow technique. The worm spreads via internet, local area network and removable media. When multiplying over a network it uses three different methods: exploitation of the vulnerability, file sharing or exploitation of the Windows Autorun.
Moreover, it makes number of changes to the Windows Registry and hides its actions through numerous stealth techniques. It opens a HTTP server and waits quietly for instructions. It goes with the name of Conficker. Or Downadup. Or Kido. And it started spreading on 20th of November 2008.
That was the easy part. Apart from the technicalities, no one has the slightest idea who is behind creation of Conficker (the most popular of the names). Months of investigation brought nothing reliable. No one can imply what is the goal of Conficker. Was it supposed to create a massive botnet of zombie computers? Or was it about infecting users with scareware and extort money? Or was it a state-funded field test before the famous Stuxnet?
$250 000 reward for any useful information from Microsoft has never been collected. Number of infections ranges from 9 to 15 million of machines worldwide. All the notable infections, such as French Navy, UK’s Ministry of Defense or Bundeswehr, faded away without consequences. Instructions were never sent. All the infections went for nothing. What the hell?
DID WHITE HATS STEAL THE SHOW?
Extraordinary situation requires extraordinary activities.
Never before had there been such an endeavor. Non-profit, public sector and business parties joined their forces to fend off Conficker activity. Basically, every single significant party was there. Just name it. Microsoft, Facebook, Cisco, Trend Micro, IBM, F-Secure or AOL. Everyone was there.
Conficker Working Group operated through 3 streams. The first one focused on analysis and research. Delivering samples, coordination of the information flow, exploring emerging variants. The second stream was about communication. Remember, the whole world is watching, right? Press releases, joint messaging.
Finally, the third stream was about to set up the biggest domain blocking project in history. The challenge was quite compelling – to shut down over
1 million domains across 110 countries.
Why to block insane number of domains? To thwart Conficker mode of operation.
Conficker worm tried to call its headquarters once a day. Intending to get instructions. It did it by trying to connect to various web addresses. If the worm found an active web server, it would download and execute a payload. This basically meant bad guys could do whatever they wanted with infected machines.
Web addresses were generated through a complicated algorithm. At the beginning providing 250 pseudorandom domains. Later, trying to download orders from 500 out of 50 000 pseudorandom domains. Predicting, registering and shutting down all those domains would do the trick. Would prevent infected machines from getting any commands. And this was the challenge.
This unprecedented effort was actually successful. The Conficker Working Group managed to almost completely stem the botnet. Without the connection to headquarters it was simply useless. That means full success, correct?
You never know with Conficker…
OR WAS THE WORM TOO SUCCESSFUL TO BE USED?
This is probably the theory most experts incline to. Exploited vulnerability was commonly known as of 23rd of October 2008. This was the date when a security update was published. The very first variant of Conficker did not infect systems with Ukrainian IPs or Ukrainian keyboard layout. This could point out its origin.
As Ukraine is not publicly known for any state-funded cyber attacks, it leads to a conclusion that it were some hoodies trying to infect and then monetize the potential botnet. However, as it went far beyond their expectations and brought immense portion of publicity, their impunity was severely threatened. So, they stepped back. Conficker left in the wild, living on its own. Seems logic, right?
Something cracks here though. If they were scared enough to leave a potential profit aside, what was with the months-long cat-and-mouse game with the cyber industry? Conficker Working Group mentioned 5 main variants of the worm.
Rewrite in the .B variant introduced a backdoor with auto-update functionality.
The .C variant selected its rendezvous points from a pool of over 50,000 randomly generated domain name candidates each day. It increased defenses and added peer-to-peer capabilities.
The .E variant went even further – piggybacking on Conficker.C attempted to install ‘Waldec’, scareware imitating an anti-virus software.
If you are scared and trying to hide, usually you do not come back to the crime scene. Unless you are not really scared.
PERHAPS IT WAS JUST A FOREPLAY BEFORE MATURE CYBERESPIONAGE ERA?
That is obviously just a speculation. However, educated one.
Some security experts are of the opinion that Conficker was simply a smoke screen to hide a real objective of the operation. While eyes of the world were focused on the mysterious worm, important doors were opened. The doors to the Iranian nuclear program.
Could it has been about executing one of the most successful cyberespionage operation in history? Delivering Stuxnet to the underground facility at Natanz?
The speculation goes as follows. Firstly, both Conficker and Stuxnet were written with extraordinary sophistication. Secondly, infection rates for both malware were far higher in Iran than in the United States. Thirdly, there is a date correlation in development and deployment of their different variants.
Finally, both Stuxnet and Conficker used the very same Windows vulnerability and had similar way of spreading and infecting new machines. How do you feel? Is it enough to consider this theory legit?
Both the White House and Israeli’s Prime Minister refused to comment.
TO BE CONTINUED?
Conficker Working Group concluded it is impossible to indicate who initiated Conficker spreading. Months long investigation of the greatest minds of cyber security industry came to no conclusion.
Although the botnet itself got crippled, majority of the infections remained untouched. If it really was a field test of a state-funded hacking group, it was pretty damn successful.
Whereas if it was supposed to be a profit-oriented botnet launched by Ukrainian hoodies, then it really went south.
To be continued? In February 2021 – based on F-Secure Enpoint Clients data – Conficker was the 4th most often detected malware…
When creating this article I used threat descriptions from F-Secure Threat Description, Virus Encyclopedia and Wikipedia. I also used What we’ve learned from 10 years of the Conficker mystery from blog.f-secure.com, Conficker Working Group: Efforts To Fight Botnet A Mixed Bag from threatpost.com, Conficker Working Group says worm is stopped, but not gone from csoonline.com. On top of that I used my own research and interviews.