Bedno.com Andrew  Do  See
Code Masters
Technical analysis of the "Conficker" worm program
I just read a newly published technical analysis of the "Conficker" worm program and am here to summarize. Speaking as a pro, it is MUCH more sophisticated than I expected. This program could allow it's unknown masters to command several MILLION computers at will. Though most assume it will be / has been used for spam and identity theft, it could be argued that it now represents as potentially dangerous a force as any rogue nation's military. I kid you not. A variant was recently found to be IN USE by China spying on sensitive documents on thousands of computers worldwide.

Exciting political ramifications aside, I jot here for the tech savy as summary and as reminder about quality of craft:
The Conficker worm is modern and maintained, and even auto-updates itself after infection. No hack job with luck, this is the structured efficient work of software pros. It is carefully designed to persist, defend, spread, and be loyal. Every typical detection and removal approach has been addressed, including multiple autonomous self-defense threads, anti-tracing logic, dynamic file names with NT delete protection, obfuscation of registry and file changes, automatic removal of rollback points and more! It even self-patches the very buffer overrun flaws which allow it to infect at first. Networking has dramatically improved over prior worms, adding massive domain skipping and P2P transfers! It also disables firewalls and redirects DNS through its own filters. When an infected computer is online, there's not much that can be done even at ISP and router levels to stop it from reaching other drones. It spreads aggressively directly through networks (no user actions such as opening attachments required), exploiting both buffer overrun AND weak password vulnerabilities. It may also piggybacking on removable media, and be directly communicated through links to toxic websites or by poisoned files. Finally, its command channel uses state of the art encryption, so that only its masters will command it.

Wasn't this the last Die Hard movie? Muggles, just make sure you have CURRENT top quality virus protection running full-time.

 OFFSITE 
2009.03.28