
CONFICKER STILL ACTIVE....ZOMBIE COMPUTERS ARE STILL OUT THERE!
admin
Posted: Wednesday, September 02, 2009 3:11:55 PM
Rank: Sysop
Groups: Administration

Joined: 4/3/2009
Posts: 35
Points: 11
Location: Cape Town, South Africa
http://www.nytimes.com/2009/08/27/technology/27compute.html?ref=science&pagewanted=print

CYBERWAR: DEFYING COMPUTER EXPERTS, THE ROGUE COMPUTER CODE KNOWN AS
"CONFICKER" STILL LURKS IN THE DEPTHS OF CYBERSPACE! / The CONFICKER
VIRUS PRESENTLY HAS 5,000,000+ "ZOMBIE COMPUTERS" WHICH IT HAS CO-OPTED
and HAS UNDER ITS FIRM CONTROL DUE TO FLAWS IN THE MICROSOFT WINDOWS
OPERATING SYSTEM ... WHEN WILL THEY ATTACK EN MASSE?! –
By John Markoff, The New York Times, Sunday, August 30, 2009

It is still out there.

Like a ghost ship, a rogue software program that glided onto the
Internet last November has confounded the efforts of top security
experts to eradicate the program and trace its origins and purpose,
exposing serious weaknesses in the world's digital infrastructure.

The program, known as CONFICKER, uses flaws in Windows software to
co-opt machines and link them into a virtual computer that can be
commanded remotely by its authors. With more than 5,000,000 of these
zombies now under its control — government, business and home
computers in more than 200 countries — this shadowy computer has power
that dwarfs that of the world's largest data centers.

Alarmed by the program's quick spread after its debut in November,
computer security experts from industry, academia and government joined
forces in a highly unusual collaboration. They decoded the program and
developed antivirus software that erased it from millions of the
computers. But Conficker's persistence and sophistication have squelched
the belief of many experts that such global computer infections are a
thing of the past.

"It's using the best current practices and state of the art to
communicate and to protect itself," Rodney Joffe, director of the
Conficker Working Group, said of the malicious program. "We have not
found the trick to take control back from the malware in any way."

Researchers speculate that the computer could be employed to generate
vast amounts of spam; it could steal information like passwords and
logins by capturing keystrokes on infected computers; it could deliver
fake antivirus warnings to trick naïve users into believing their
computers are infected and persuading them to pay by credit card to have
the infection removed.

There is also a different possibility that concerns the researchers:
That the program was not designed by a criminal gang, but instead by an
intelligence agency or the military of some country to monitor or
disable an enemy's computers. Networks of infected computers, or
botnets, were used widely as weapons in conflicts in Estonia in 2007 and
in Georgia last year, and in more recent attacks against South Korean
and United States government agencies. Recent attacks that temporarily
crippled Twitter and Facebook were believed to have had political
overtones.

Yet for the most part Conficker has done little more than to extend its
reach to more and more computers. Though there had been speculation that
the computer might be activated to do something malicious on April 1,
the date passed without incident, and some security experts wonder if
the program has been abandoned.

The experts have only tiny clues about the location of the program's
authors. The first version included software that stopped the program if
it infected a machine with a Ukrainian language keyboard. There may have
been two initial infections — in Buenos Aires and in Kiev. Wherever
the authors are, the experts say, they are clearly professionals using
the most advanced technology available.

The program is protected by internal defense mechanisms that make it
hard to erase, and even kills or hides from programs designed to look
for botnets. A member of the security team said that the Federal Bureau
of Investigation had suspects, but was moving slowly because it needed
to build a relationship with "noncorrupt" law enforcement agencies in
the countries where the suspects are located.

An F.B.I. spokesman in Washington declined to comment, saying that the
Conficker investigation was an open case.

The first infections, last Nov. 20, set off an intense battle between
the hidden authors and the volunteer group that formed to counter them.
The group, which first called itself the "Conficker Cabal," changed its
name when Microsoft, Symantec and several other companies objected to
the unprofessional connotation.

Eventually, university researchers and law enforcement officials joined
forces with computer experts at more than two dozen Internet, software
and computer security firms.

The group won some battles, but lost others. The Conficker authors kept
distributing new, more intricate versions of the program, at one point
using code that had been devised in academia only months before. At
another point, a single technical slip by the working group allowed the
program's authors to convert a huge number of the infected machines to
an advanced peer-to-peer communications scheme that the industry group
has not been able to defeat.

Where before all the infected computers would have to phone home to a
single source for instructions, the authors could now use any infected
computer to instruct all the others. In early April, Patrick Peterson,
a research fellow at Cisco Systems in San Jose, Calif., gained some
intelligence about the authors' interests. He studies nasty computer
programs by keeping a set of quarantined computers that capture and
observe them — his "digital zoo."

He discovered that the Conficker authors had begun distributing software
that tricks Internet users into buying fake antivirus software with
their credit cards. "We turned off the lights in the zoo one day and
came back the next day," Mr. Peterson said, noting that in the "cage"
reserved for Conficker, the infection had been joined by a program
distributing an antivirus software scam.

It was the most recent sign of life from the program, and its silence
has set off a debate among computer security experts. Some researchers
think Conficker is an empty shell, or that the authors of the program
were scared away in the spring. Others argue that they are simply biding
their time.

If the misbegotten computer were reactivated, it would not have the
problem-solving ability of supercomputers used to design nuclear weapons
or simulate climate change. But because it has commandeered so many
machines, it could draw on an amount of computing power greater than
that from any single computing facility run by governments or Google. It
is a dark reflection of the "cloud computing" sweeping the commercial
Internet, in which data is stored on the Internet rather than on a
personal computer.

The industry group continues to try to find ways to kill Conficker,
meeting as recently as Tuesday. Mr. Joffe said he, for one, was not
prepared to declare victory. But he said that the group's work proved
that government and private industry could cooperate to counter
cyberthreats.

"Even if we lose against Conficker," he said, "there are things we've
learned that will benefit us in the future."

Copyright © 2009 The New York Times Company