University of Michigan researchers are attempting to find Conficker’s Patient Zero.
Researchers are trying to track down the very first victim of Conficker to find out where the worm came from. The University of Michigan is looking to find the so-called "patient zero" of an outbreak that has infected more than 10 million computers to date.
The university uses so-called darknet sensors that were set up about six years ago in order to keep track of malicious activity. With funding from the US Department of Homeland Security, computer scientists have banded together to place sensors around the world and share the data they collect.
"The goal is to get close enough so you can actually start mapping out how the spread started," said Jon Oberheide, a graduate student with the University of Michigan who is working on the project.
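The kind of analysis a darknet sensor makes possible, as an added example that is not code from the University of Michigan project: packets arriving at unused address space come only from scanners or infected hosts, so ordering sources by the time each was first seen is the starting point for mapping how a spread began. The log format, the sample lines and the `SAMPLE_LOG` name are all constructed for this example.

```python
"""
Added example, not code from the University of Michigan project: a minimal
darknet-sensor analysis. A darknet sensor listens on unused address space,
where no legitimate traffic should arrive, so every source that sends packets
there is scanning. Ordering sources by the time each was first seen gives the
first rough map of how a spread started. The log format and the sample lines
are constructed for this example.
"""
from collections import Counter
from datetime import datetime, timezone

# Constructed sample log: "<UTC timestamp> <src_ip> <dst_ip> <dst_port>".
# 198.51.100.0/24 plays the unused (dark) address block the sensor watches.
SAMPLE_LOG = """\
2008-11-21T03:12:07Z 203.0.113.17 198.51.100.4 445
2008-11-21T03:12:09Z 203.0.113.17 198.51.100.9 445
2008-11-21T03:14:40Z 192.0.2.88 198.51.100.2 445
2008-11-21T03:15:02Z 203.0.113.17 198.51.100.77 445
2008-11-21T03:15:31Z 192.0.2.88 198.51.100.130 445
2008-11-21T03:16:05Z 198.18.0.5 198.51.100.6 445
2008-11-21T03:16:06Z 198.18.0.5 198.51.100.6 80
this line is malformed and must be skipped
2008-11-21T03:21:12Z 192.0.2.201 198.51.100.250 445
"""


def parse_sensor_log(text, port=445):
    """Return (timestamp, src) for every well-formed packet sent to `port`."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue                      # truncated or corrupt sensor line
        ts_text, src, _dst, dport = parts
        try:
            ts = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
            ts = ts.replace(tzinfo=timezone.utc)
            if int(dport) != port:
                continue                  # not the service the worm spreads over
        except ValueError:
            continue
        records.append((ts, src))
    return records


def first_seen(records):
    """Earliest sighting of each source address."""
    seen = {}
    for ts, src in records:
        if src not in seen or ts < seen[src]:
            seen[src] = ts
    return seen


def infection_order(records):
    """Sources in order of first appearance; the earliest is the best
    patient-zero candidate this one sensor can offer."""
    seen = first_seen(records)
    return sorted(seen, key=seen.get)


def probes_per_source(records):
    """How many dark-space probes each source sent (scan intensity)."""
    return Counter(src for _ts, src in records)


def onset_gaps_seconds(records):
    """Seconds between successive new sources: the spread's early growth curve."""
    times = sorted(first_seen(records).values())
    return [(b - a).total_seconds() for a, b in zip(times, times[1:])]


if __name__ == "__main__":
    recs = parse_sensor_log(SAMPLE_LOG)
    seen = first_seen(recs)
    for rank, src in enumerate(infection_order(recs), 1):
        print(f"{rank}. {src} first seen {seen[src].isoformat()}")
    print("probes per source:", dict(probes_per_source(recs)))
    print("seconds between new sources:", onset_gaps_seconds(recs))
```

One sensor only sees the hosts whose random targets happened to fall in its dark block, which is why the project pools data from many sensors: the earliest source in one sensor's log is a candidate, not a proof.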
The 'Conficker' worm, also known as Downadup or Kido, has reportedly infected up to 12 million PCs over 110 countries. It has the capability of turning those computers into an army of slaves to attack or spy across the internet.
Conficker, believed to reside on 2 million to 12 million computers worldwide, is designed to turn an infected PC into a slave that responds to commands sent from a remote server that controls an army of slave computers known as a botnet.
"It can be used to attack as well as to spy. It can destroy files, it can connect to addresses on the Internet and it can forward your e-mail," said Gadi Evron, an expert on botnets who helps governments protect against cyber crime.
While 'Conficker' has remained dormant, Canadian researchers recently uncovered another botnet, termed 'Ghostnet', that was used to spy internationally. Due to its sophistication, it's suspected that the cyberespionage network was created by a government intelligence agency, with China being the primary suspect.
A cyberespionage network, known as GhostNet, possibly operating out of China, is making use of malicious websites and phishing emails to take control of hundreds of sensitive government machines across 103 countries, researchers revealed this weekend. A pair of Canadian researchers at the Munk Center for International Studies at the University of Toronto said GhostNet struck "high-value targets," such as foreign embassies and ministries, and even a NATO network.
"Some of the things they did indicate that they were very sophisticated," Phil Neray, vice president of security strategy for Guardium, told SCMagazineUS.com on Monday. "The machines were told to send the data stolen using a Tor network in an encrypted form. Also, the way the trojans communicated with the command servers made use of a complex control program that enabled them to completely control users' PCs."
"The potential political fallout is enormous," they wrote. "But ultimately, the question of who is behind the GhostNet may matter less than the strategic significance of the collection of affected targets...GhostNet represents a network of compromised computers resident in high-value political, economic and media locations spread across numerous countries worldwide."
The Chinese have denied involvement with 'Ghostnet'.
Xinhua is running denials that the discovery of a huge Internet snooping ring has anything to do with anyone in the People's Republic. "This is purely another political issue that the West is trying to exaggerate," military analyst Song Xiaojun told the agency, according to CNN.
Two universities reported finding evidence of what they are calling a cyber-espionage network, dubbed GhostNet by the University of Toronto. Targets of the snoops include embassies, governmental foreign ministries and the Dalai Lama's PC. "GhostNet is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras," the report says.
The researchers found the network involved over 1,295 compromised computers from the ministries of foreign affairs of Iran, Bangladesh, Latvia, Indonesia, Philippines, Brunei, Barbados and Bhutan. They also discovered hacked systems in the embassies of India, South Korea, Indonesia, Romania, Cyprus, Malta, Thailand, Taiwan, Portugal, Germany and Pakistan.
Other potential suspects mentioned by the Canadian researchers are Russian and American intelligence.
"This could well be the C.I.A. or the Russians. It’s a murky realm that we’re lifting the lid on."
As demonstrated by 'Ghostnet', the capability of a network of 1,300 slave computers is potent. The size of the botnet created through 'Conficker' has been estimated at up to 10,000x that of 'Ghostnet'. Additionally, once embedded, 'Conficker' protects itself with military-grade encryption.
In the case of Conficker, we have another one of these super worms, following in the success of the Storm Worm, that is able to infect millions of Windows machines and act on the bidding of its mysterious owners. As the latest and greatest, Conficker employs a sophisticated P2P command and control system that uses military-grade encryption to cover its tracks.
An analysis of Conficker.C performed at SRI International has found that it uses the latest encryption hash algorithm produced to date.
In evaluating this mechanism, we find that the Conficker authors have devised a sophisticated encryption protocol that is generally robust to direct attack. All three crypto-systems employed by Conficker's authors (RC4, RSA, and MD-6) also have one underlying commonality. They were all produced by Dr. Ron Rivest of MIT. Furthermore, the use of MD-6 is a particularly unusual algorithm selection, as it represents the latest encryption hash algorithm produced to date. The discovery of MD-6 in Conficker B is indeed highly unusual given Conficker's own development time line. We date the creation of Conficker A to have occurred in October 2008, roughly the same time frame that MD-6 had been publicly released by Dr. Rivest (see http://groups.csail.mit.edu/... While A employed SHA-1, we can now confirm that MD-6 had been integrated into Conficker B by late December 2008 (i.e., the authors chose to incorporate a hash algorithm that had literally been made publicly available only a few weeks earlier).
This million-PC botnet using military-grade encryption has raised concern across the IT spectrum. Advocates for civil liberties may also be concerned about the potential for such a tool to be misused by intelligence agencies. Earlier this year, an NSA whistleblower revealed that spying by his former agency had gone well beyond its previously stated limits.
Russell Tice, a longtime insider at the National Security Agency, is now a whistleblower the agency would like to keep quiet. For 20 years, Tice worked in the shadows as he helped the United States spy on other people's conversations around the world.
"I specialized in what's called special access programs," Tice said of his job. "We called them 'black world' programs and operations."
But now, Tice tells ABC News that some of those secret "black world" operations run by the NSA were operated in ways that he believes violated the law. He is prepared to tell Congress all he knows about the alleged wrongdoing in these programs run by the Defense Department and the NSA in the post-9/11 efforts to go after terrorists.
A previous investigation of a notable worm from 2004 called the 'Witty Worm' traced it back to a computer using a European ISP. The worm, which contaminated 12,000 servers, was kick-started through the servers of a U.S. military base.
The Witty worm, which infected more than 12,000 servers, came from a single computer in Europe and used a US military base's vulnerable systems to kick-start the epidemic, according to an analysis released by three researchers this week.
"Worms typically follow the public posting of exploit code, but Witty didn't follow that model," said Craig Schmugar, virus research manager with security firm McAfee. Further analysis also succeeded in determining the specific initial numbers used by nearly 800 of the worms to start their sequences of pseudo-random numbers. Since the numbers are fairly random and generated from the system clock, discovering their actual values essentially identified the systems and also gave insight into the systems' uptime.
In fact, a group of more than 100 systems belonged to the same class B network and appeared right at the beginning of the Witty worm incident. That class B network belongs to a military base, said the researchers, though they declined to name the facility.
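The idea behind the Witty analysis above, as an added example that is not the researchers' code or their actual reconstruction: a worm that picks targets with a linear congruential generator leaks its generator state in every packet, so a sensor that has recovered the state from one packet can run the generator forward, locate the same host's later packets in the sequence, and learn how many packets it sent in between (hence its sending rate), or establish that two packets could not have come from one generator. The LCG constants (the Windows CRT `rand()` recurrence, used here as a stand-in), the fully exposed state, the `MAX_GAP` horizon and the `Sighting` record are assumptions made for this example; pinning the seed to a clock value, which gave the uptime estimate the page mentions, needs the worm's reseed structure and is not modelled here.

```python
"""
Added example, not the Witty researchers' code or their actual analysis.
A worm that picks targets with a linear congruential generator (LCG) exposes
its generator state in every packet. Once a sensor has recovered the state
from one packet, running the generator forward and locating the host's later
packets in the sequence reveals how many packets it sent between sightings,
hence its sending rate, and shows whether two packets came from one generator
at all. The LCG constants (the Windows CRT rand() recurrence, used here as a
stand-in), the fully exposed state and the search horizon are assumptions
made for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

MOD = 1 << 32
A, C = 214013, 2531011        # assumption: stand-in LCG constants
A_INV = pow(A, -1, MOD)       # modular inverse: lets the chain run backwards
MAX_GAP = 50_000              # assumption: packets searched before giving up


def lcg_next(state: int) -> int:
    return (A * state + C) % MOD


def lcg_prev(state: int) -> int:
    """Inverse step: recovers the state that preceded a sighting."""
    return ((state - C) * A_INV) % MOD


def worm_states(seed: int, n: int) -> List[int]:
    """Constructed worm model: each packet carries the next generator state."""
    out, s = [], seed
    for _ in range(n):
        s = lcg_next(s)
        out.append(s)
    return out


@dataclass
class Sighting:
    t_seconds: float   # sensor clock at arrival
    state: int         # generator state recovered from the packet


def packets_between(first: int, second: int, max_gap: int = MAX_GAP) -> Optional[int]:
    """Generator steps from `first` to `second`, or None if `second` is not
    reachable within max_gap (a different host, or the worm reseeded)."""
    s = first
    for k in range(1, max_gap + 1):
        s = lcg_next(s)
        if s == second:
            return k
    return None


def analyze_host(sightings: List[Sighting]) -> List[Optional[Tuple[int, float]]]:
    """For consecutive sightings attributed to one source address, report the
    packets sent in between and the implied packets per second; None marks a
    sighting that cannot be linked to the previous one."""
    results = []
    for a, b in zip(sightings, sightings[1:]):
        gap = packets_between(a.state, b.state)
        if gap is None or b.t_seconds <= a.t_seconds:
            results.append(None)
        else:
            results.append((gap, gap / (b.t_seconds - a.t_seconds)))
    return results


if __name__ == "__main__":
    states = worm_states(seed=4_123_456, n=6000)   # constructed infected host
    seen = [Sighting(0.0, states[10]), Sighting(5.0, states[2510]),
            Sighting(10.0, states[5010]), Sighting(12.0, 0xDEADBEEF)]
    print(analyze_host(seen))   # [(2500, 500.0), (2500, 500.0), None]
```

The last sighting is deliberately off the chain: on a real sensor that pattern means either a second host behind the same address or a reseed, which is exactly the kind of discontinuity the researchers had to account for before grouping packets by host.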
For its part, Homeland Security is keeping tabs on ‘Conficker’ and has released a detection tool for it.
As computer security firms play down the risk posed by the Conficker/Downadup worm, the Department of Homeland Security on Monday released a DHS-developed detection tool to help organizations scan for computers infected by the worm.
The DHS US-CERT team created worm-scanning software for federal and state government agencies, commercial vendors, and critical infrastructure owners. It's being made available through the Government Forum of Incident Response and Security Teams Portal and to private-sector partners through various Information Sharing and Analysis Centers. DHS expects to continue its outreach efforts in the days to come.
US-CERT director Mischel Kwon said in a statement that while other worm-mitigation tools are available, this is the only free tool available for enterprises like government agencies. "Our experts at US-CERT are working around the clock to increase our capabilities to address the cyber risk to our nation's critical networks and systems, both from this threat and all others," he said.
Update: As commented by Scipio, 'Ghostnet' is not related to 'Conficker'.