May 21, 2009 12:12 PM PDT

Kaspersky impressed by botnet slickness

by Liam Tung

Cybercrime fighter Eugene Kaspersky can't help but be impressed by the slick operations behind the Conficker botnet, and says that it could have been worse had the botnet been after more than just money.

"They are high-end engineers who write code in a good way," Kaspersky told ZDNet.com.au Wednesday. "They use cryptographic systems in the right way, they don't make mistakes--they are really professional."

Kaspersky says he's "60 percent certain" that Conficker is being controlled from the Ukraine, but can't be certain. And while the threat posed by Conficker seems serious enough, Kaspersky says, "It could be worse. We are lucky they are just cybercriminals looking to make money and not worse than that."

The unknown threat posed by Conficker, which hit 10 million Windows machines prior to the suspected D-Day of April 1, prompted a coordinated response. Kaspersky, Symantec, Microsoft, the Internet Corporation for Assigned Names and Numbers (ICANN), and the Federal Bureau of Investigation's Cyber Division, among others, began a campaign to frustrate Conficker's attempt to download a software update.

One reason for ICANN's involvement, according to its CEO and president Paul Twomey, was that Conficker was targeting the Internet's Domain Name System (DNS) layer, which is equivalent to the address book of the Internet.

During a keynote delivered at the AusCERT 2009 conference held on the Gold Coast this week, Twomey noted the change in tack by botnet operators. "The application layer has typically been used as the attack vector, but we are beginning to see the DNS resolution used as the command and control," said Twomey.

Conficker is the current darling of the Internet's dark side, preceded by others such as Storm, and spam-machine McColo. But all botnets maintain an edge over their various opponents: they are centrally controlled, "located" potentially anywhere, generally don't rely on third parties, and are free of regulations.

Botnet operators in Russia, however, have started to cooperate with each other, according to Dmitry Levashev and Ruslan Stoyanov, network security experts from Russian ISP RTComm.ru. At the AusCERT 2009 conference, via a translator, the two gave a sobering account of what lies ahead for Australia in the next three years.

"The different botnets work in cooperation. One would say, 'I'm just a bot herder, I don't care about money laundering.' Or 'I do fraud, we just do our own task.' So, one is doing spam, like advertising services, and another is doing money laundering. It's like a manufacturing business," they said.

Such cooperation appears to have occurred when Conficker adopted the Waledac virus, previously used by the Storm botnet as a mechanism to self-propagate.

Meanwhile, the group working to frustrate Conficker's attempt to complete a software upgrade on April Fools' Day fought to coordinate themselves. While ICANN was responsible for coordinating Top Level Domains, Microsoft pushed out patches to non-pirated versions of Windows.

Kaspersky says his company's contribution was discovering that Conficker used an algorithm to generate a daily list of seemingly random URLs, which it would then contact in order to download updates to its malware.

"The worm used an algorithm which generated a list of domains. Every day it produced a new list. It looked for these URLs, and if they were online, the worm was designed to download upgrades from the URL. The initial version of the 10 million machine botnet would just wait and download. That's why we were really scared on April Fools' Day. We didn't know what was going to happen."

Because the list came from an algorithm, the group was able to run it themselves, predict the URLs the worm would contact, and block requests to those URLs. But, says Kaspersky, the effort was only partially successful.

"We blocked all the URL names which the worm was going to generate. It's an algorithm, so we generated all these URLs and registered these domain names, except ones which were already owned by someone. And because of that--the domain names not owned by those in this process--the Conficker authors managed to take control of one of these domains and upgraded the worm. That was scary," he said.
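The race Kaspersky describes, reduced to code as an added illustration that is not from the article, from Kaspersky Lab, or from Conficker itself: a toy date-seeded generator stands in for the real algorithm, the defender reproduces the day's list and pre-registers what it can, and whatever was already registered to a third party is the gap that let the authors upgrade the worm. The generator, its seed constant, the TLD set and the sample "already taken" name are all constructed assumptions.

```python
"""Toy model of the domain-generation race described above.

Constructed illustration, not Conficker's real algorithm and not Kaspersky
Lab's code: a deterministic generator seeded by the calendar date produces
the day's candidate domains, the defender reproduces the same list and
pre-registers every name not already owned by someone else, and the
leftover names are the gap Kaspersky describes.
"""
import hashlib

TLDS = ("com", "net", "org")   # assumed TLD set for the toy generator
SEED = b"toy-dga-seed"         # assumed constant baked into the generator


def daily_domains(day, count=8):
    """Candidate list for an ISO date string such as "2009-04-01".

    Anyone holding the algorithm, worm or defender, gets exactly the
    same names for the same day; that is what made pre-registration
    possible in the first place.
    """
    domains = []
    counter = 0
    while len(domains) < count:
        material = SEED + day.encode() + counter.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        counter += 1
        # eight lowercase letters from the digest, then a TLD from the next byte
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domain = f"{label}.{TLDS[digest[8] % len(TLDS)]}"
        if domain not in domains:
            domains.append(domain)
    return domains


def plan_blocking(candidates, already_registered):
    """Split a day's list into names the defenders can pre-register and
    names they cannot because someone else already owns them.

    The second list is the residual risk: if the worm's authors control
    any of those names, the update channel stays open for that day.
    """
    owned = set(already_registered)
    to_register = [d for d in candidates if d not in owned]
    gap = [d for d in candidates if d in owned]
    return to_register, gap


def coverage(candidates, already_registered):
    """Fraction of the day's candidates the defenders can take off the table."""
    to_register, _ = plan_blocking(candidates, already_registered)
    return len(to_register) / len(candidates)


if __name__ == "__main__":
    day = "2009-04-01"
    todays = daily_domains(day)
    # constructed: pretend the second candidate was registered long ago by a third party
    taken = {todays[1]}
    to_register, gap = plan_blocking(todays, taken)
    print(f"{day}: {len(to_register)} names to register, {len(gap)} cannot be blocked: {gap}")
    print(f"coverage: {coverage(todays, taken):.0%}")
```

The point the toy makes is that determinism cuts both ways: the same property that lets defenders enumerate tomorrow's names also means a single name they cannot register is enough, which is exactly the failure Kaspersky reports.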

ICANN's Twomey insisted the group's efforts against Conficker proved that key Internet players, such as Top Level Domain registrants, are capable of coordinating a response to such threats. Still, the Conficker response was the exception and not the rule.

It wasn't the first time a botnet operator had attempted to compromise DNS servers to magnify its capacity to grow its army.

At an ICANN conference held in Mexico in March this year, Rod Rasmussen, chief technology officer of phishing take-down firm Internet Identity, showed evidence of a recent nine-hour attack on CheckFree, an online bill payment provider to 22 U.S. financial institutions, which resulted in a two-day shut-down of affected online services and an estimated 10,000 infections over 48 hours.

"Somebody came in and took over CheckFree's domain name portfolio at their registrar. They changed the DNS servers for those domains and pointed...basically every host name that would resolve under their domain names to a malware server that was in the Ukraine. Anybody who tried to go to CheckFree.com or any of their other domain names was redirected, instead, to a malware server and was exposed to getting malware downloaded on their computer," Rasmussen said.

In a similar vein to the attack on CheckFree, hackers targeted MelbourneIT's New Zealand subsidiary, Domainz. The hackers, who appeared to be politically motivated, compromised Domainz's infrastructure and injected name server records for the domains in question, defacing the Web sites of Coca-Cola, Microsoft, Xerox, and F-Secure. It didn't knock out critical national infrastructure, but it was able to take down several large companies' Web sites for a few days.

Kaspersky says, "It's a major example of their Internet weapon, because the bad guys can use a botnet this size, not just for commercial interests, but other interest also."

He insists, "I don't admire them," yet there is an undeniable sense of respect in the way he describes them.

Originally published at ZDNet Australia.

9 Comments
by idbabe May 22, 2009 6:09 AM PDT
A little off topic, but the country is Ukraine, not "the Ukraine". We don't say "the Russia" or "the China".
by Seaspray0 May 22, 2009 12:52 PM PDT
Whatever you say... from a person in "the USA".
by ScorpioKing1990 May 22, 2009 8:17 PM PDT
@ Seaspray0

"The USA" makes sense though because it refers to a collective. Try saying a sentence like "God bless the United States of America" out loud. Then say "God bless the Israel" or "God bless the China" and tell me if it sounds right. It shouldn't, because while "the USA" is plural, "China" and "Israel" are not. The same thing goes for Ukraine. So idbabe was right. Ukraine does SOUND plural though, so it's an easy mistake to make if you aren't careful.
by willdryden June 22, 2009 8:05 AM PDT
Once upon a time, the Ukraine was part of the USSR. The usage carries on.
by aintnorainbowdorothy May 22, 2009 10:11 AM PDT
Good one idbabe, I was going to make the same comment but you beat me to the punch. Maybe I'll beat you
next time. After all, writers should at least know the names of countries. I know there are 212 of them, but a simple look at a map, or a check of the Nat Geo site is all it takes to make sure. When there was a Soviet Union, not just Russia and the Iron Curtain countries, then Ukraine was part of the USSR. Now it's an independent country. As are several of the other parts of that conglomerate. I don't understand why people, especially writers, can't get spelling, geographical locations or multiple other things right.
by WriteRight May 22, 2009 11:59 AM PDT
Excuse me but I beg to differ on that. My dad was Ukrainian and he always referred to his home country as "The Ukraine". Of course one could argue that English was not his mother tongue, he did have a rather strong accent, but his grammar was impeccable and I would even go so far as to say was somewhat better than what one usually hears in Britain or the US that's supposed to pass for English. I have noticed though that the use of the definite article in the name has changed in the past twenty years. Up until the collapse of the Soviet Union the then Ukrainian Soviet Republic was often referred to as "The Ukraine" - usually in literature about WWII. After that and in particular during the Ukrainian orange revolution I noticed that the mass media started dropping the definite article until many people now seem to think that only the term "Ukraine" without the definite article is correct. In my view though whoever wants to can still refer to the country as "The Ukraine" without anyone telling them otherwise.
by samaycsa May 25, 2009 2:09 PM PDT
This is a great article, I am sure an eye opener for some. We have been used to the "traditional" malware and virus fighting methods for so long that the spammers and virus programmers have gotten used to the fact.

Just the fact that virus updates are released every day and unless you connect online and download updates, your PC might not be catching all the malware and threats. Think about a new PC buyer, who might not have an internet connection configured right away, or has his virus program set to a default to check for new definitions every alternate day.

This is changing, "cloud" based anti-virus solutions are coming forward, which essentially means that there is a very thin and lightweight client on your machine, all the processing happens in the cloud, which means you are always up to date and the cloud based service is always aware of new threats and its intelligent "learning" makes it aware of "potential" new threats found. I recently did an article on this, if you are interested, you can view it at: http://indiawebsearch.com/content/the-first-ever-cloud-computing-based-anti-virus-solution
by antihacker101 November 24, 2009 4:42 PM PST
for 15 months, not 1 response from anyone. found out i was blocked. been fighting this worm and hacker since aug of 2008 and details show possibly earlier. i can tell ya the birth of the worm and all the decoys. how it's structured, details on hackers, and know there's a shutdown code. the worm was built in my machines. at first a shaky engine. if my new info is correct, it leads to other situations years prior affecting the graphics card aka hardware. the worm uses 2 connections to build itself. besides being in layers with each layer keeping its other layers alive, the global layer which is first priority is above boot. it uses a frequency to enter the kernel and going through the graphics card. the hacker uses a wifi smartphone with skyfire browser using a computer AND a phone tower. it collects info from kernel, sends back to hacker, then he routes through computer with IP through browser's PORT or any other open. it starts off with adobe exploit which i'm sure y'all experienced, and once in, he goes directly to the graphics card. between the 2 connections, he alters the drivers allowing him access from the kernel then he don't need the other connection anymore..

recently the worm changed and is using port 445 and 139 (i think) to alter programming which seemed to come from my graphics card due to driver uninstall/install a couple times prior. the hackers love decoys. so they waited for a patch so everyone will blame the reboot loop on the patch.
the password files were also a decoy so the fbi and such direct away from the hacker. you can visualize the rest. still no responses. and all this could have been avoided. if you search my emails since april first and up of responder@deepandcrazy.com and helpwithvb@yahoo.com, you'll see that i warned at each level of the worm what it was going to do. and you can see that this is no joke. i fought hackers in the past and know what to look for. and this is why i been a target. now i don't know if the IPs are real or not or who the good guys are anymore, but besides an ip leading to hundreds of root certificates including banks, also ips from DNS joint forces and MSFT which may be emergency response team according to my patterns i noticed.. here is proof and i have tons of source from the worm accumulated from deleted files.

[INFO] Sat Jan 31 13:05:22 2004 Allowed configuration authentication by IP address 192.168.0.199
[INFO] Sat Jan 31 13:04:01 2004 UPnP deleted entry 255.255.255.255 <-> 96.15.156.218:54581 UDP
[INFO] Sat Jan 31 13:03:28 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
[INFO] Sat Jan 31 12:59:20 2004 Above message repeated 11 times
[INFO] Sat Jan 31 12:59:11 2004 Blocked incoming TCP connection request from 96.15.9.152:61924 to 96.15.156.218:445
[INFO] Sat Jan 31 12:41:37 2004 Above message repeated 1 times
[INFO] Sat Jan 31 12:41:21 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
[INFO] Sat Jan 31 12:40:46 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
[INFO] Sat Jan 31 12:38:10 2004 Above message repeated 4 times
[INFO] Sat Jan 31 12:37:54 2004 Blocked incoming UDP packet from 60.190.49.244:53723 to 96.15.156.218:1434
[INFO] Sat Jan 31 12:37:27 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
[INFO] Sat Jan 31 12:36:02 2004 Above message repeated 2 times
[INFO] Sat Jan 31 12:35:51 2004 Blocked incoming TCP connection request from 96.15.9.152:47690 to 96.15.156.218:445
[INFO] Sat Jan 31 12:35:49 2004 Above message repeated 1 times
[INFO] Sat Jan 31 12:35:19 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
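A small parser for the router log lines quoted in the comment above, added here as an example and not part of the commenter's post or of any product mentioned: it tallies the blocked inbound attempts, folds in the "Above message repeated N times" lines (assuming, as the timestamps suggest, that the log is listed newest first and each such line refers to the message that preceded it in time), and flags sources that repeatedly hit the SMB ports 445 and 139 the comment names. The port watch list and the alert threshold are assumptions.

```python
"""Tally and flag the blocked inbound connections in the router log lines
quoted in the comment above. Added example, not the commenter's code."""
import re
from collections import Counter

# The log lines quoted in the comment (router firewall output, listed newest first).
LOG = """\
[INFO] Sat Jan 31 13:05:22 2004 Allowed configuration authentication by IP address 192.168.0.199
[INFO] Sat Jan 31 13:04:01 2004 UPnP deleted entry 255.255.255.255 <-> 96.15.156.218:54581 UDP
[INFO] Sat Jan 31 13:03:28 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
[INFO] Sat Jan 31 12:59:20 2004 Above message repeated 11 times
[INFO] Sat Jan 31 12:59:11 2004 Blocked incoming TCP connection request from 96.15.9.152:61924 to 96.15.156.218:445
[INFO] Sat Jan 31 12:41:37 2004 Above message repeated 1 times
[INFO] Sat Jan 31 12:41:21 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
[INFO] Sat Jan 31 12:40:46 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
[INFO] Sat Jan 31 12:38:10 2004 Above message repeated 4 times
[INFO] Sat Jan 31 12:37:54 2004 Blocked incoming UDP packet from 60.190.49.244:53723 to 96.15.156.218:1434
[INFO] Sat Jan 31 12:37:27 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
[INFO] Sat Jan 31 12:36:02 2004 Above message repeated 2 times
[INFO] Sat Jan 31 12:35:51 2004 Blocked incoming TCP connection request from 96.15.9.152:47690 to 96.15.156.218:445
[INFO] Sat Jan 31 12:35:49 2004 Above message repeated 1 times
[INFO] Sat Jan 31 12:35:19 2004 UPnP renew entry 255.255.255.255 <-> 96.15.156.218:54581 <-> 192.168.0.199:54581 UDP timeout:-1 'Teredo'
"""

SMB_PORTS = {139, 445}  # the ports the comment names; assumed watch list

BLOCKED_RE = re.compile(
    r"Blocked incoming (TCP connection request|UDP packet) "
    r"from (\d+\.\d+\.\d+\.\d+):\d+ to \d+\.\d+\.\d+\.\d+:(\d+)"
)
REPEAT_RE = re.compile(r"Above message repeated (\d+) times")


def parse_blocked(log_text):
    """Return Counter {(proto, source_ip, dest_port): attempts}.

    Assumption: the log is listed newest first, and an 'Above message
    repeated N times' line refers to the message that preceded it in
    time, i.e. the next line in the listed order. Lines are therefore
    walked in reverse so each repeat count is added to the right event.
    """
    lines = [ln for ln in log_text.splitlines() if ln.strip()]
    counts = Counter()
    last_key = None  # the blocked event a following repeat line would refer to
    for line in reversed(lines):
        m = BLOCKED_RE.search(line)
        if m:
            proto = "TCP" if m.group(1).startswith("TCP") else "UDP"
            last_key = (proto, m.group(2), int(m.group(3)))
            counts[last_key] += 1
            continue
        r = REPEAT_RE.search(line)
        if r:
            if last_key is not None:
                counts[last_key] += int(r.group(1))
            continue
        last_key = None  # any other message; a repeat after it is not a block
    return counts


def smb_scan_sources(counts, threshold=3):
    """Source IPs whose blocked TCP attempts at the SMB ports reach the
    threshold: the footprint a worm spreading over 445/139 leaves on a
    perimeter that drops such connections."""
    per_source = Counter()
    for (proto, src, port), n in counts.items():
        if proto == "TCP" and port in SMB_PORTS:
            per_source[src] += n
    return {src: n for src, n in per_source.items() if n >= threshold}


if __name__ == "__main__":
    tally = parse_blocked(LOG)
    for key, n in sorted(tally.items(), key=lambda kv: -kv[1]):
        print(f"{key[0]} from {key[1]} to port {key[2]}: {n} blocked")
    print("repeated SMB hits from:", smb_scan_sources(tally))
```

Run against the quoted lines, the tally attributes 15 blocked TCP attempts at port 445 to one source and 5 blocked UDP packets at port 1434 to another; only the first crosses the SMB threshold. What the lines show is a perimeter doing its job, which is the useful reading of such logs: repeated drops at 445 from the same outside address are worth a ticket, not a sign that the router itself has been breached.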
by antihacker101 November 24, 2009 4:51 PM PST
forgot to mention to Kaspersky that it was your new 2010 trial version that was the first sign to detect any part of the worm on my machines. your worm detected over 60 keyloggers resulting in my audio driver being able to update for the first time in a long time. but shortly after, they added it to the database stored above boot to search using loopback to intercept so now it always shows nothing. but a new antivirus detected over 17 trojans including 2 new ones nov 17 which came from a site at "eset.eu" one of these days someone will contact me and view the info i have which may stop these hackings and bot...