Pretty soon, swine flu (SF) will fall out of the hyper-media and be forgotten; just like Conficker (CF). With CF, there was a lot of hype about what it might do on April 1st and then ... just like Y2K .... nothing. Right? Wrong! It's still there. And just as SF will continue to evolve during the so-called "non-flu season" (aka summer--in the northern hemisphere), so will CF (with a little help from its friends). It was the return of H1N1 in 1918 that was catastrophic.
In the meantime, irony of ironies, like separate M-Brane universes intersecting in space-time, CF has now turned up in medical equipment such as might be used to diagnose SF.
So here's my ill-posed question to security experts. Prior to 4/1/09, it was apparently unclear what CF would do precisely. It was all a bit like Y2K; we just waited. And we're still waiting. This seems lame for a 21st Century defense technology. This led me to wonder why CF couldn't just be quarantined and studied in isolation, like the approach taken with H1N1. As with any unknown code, why not just put it in a 'debugger' and step it through its paces? Clearly, worms are more complex because they are distributed, etc., but that just means a more clever harness and tools are needed. In other words, why can't CF be put in a controlled/monitored network harness/environment where the NTP clock is advanced artificially to expose what CF will do?
Perhaps something like that has been done. This SRI analysis from March 2009 gives some idea why debugging it in a test harness may not be easy, but I still don't have a feel for the degree of difficulty. Is this just a matter of getting a big enough chunk of network to make a diagnostic sub-net or is it more like putting a man on the moon?
The list of features shared by both H1N1 and CF.x (where x = A--E) is noteworthy:
- Their respective origins are not known with certainty.
- Both are aggregations of codes that have been seen before.
- The forms are not cutting edge, but the new composition is very sophisticated.
- They continue to mutate.
- At the moment, they are mostly just hanging out in various hosts.
- The ultimate impact is still unknown and unclear.
"...make certain that your system is being infected by the real Conficker virus, not some hackneyed copy."

That's right. Accept no substitutes! :-)

Finally, a footnote to Creationists: If H1N1 isn't proof of Darwinian evolution, then it's proof of a malicious Designer. Pick one!

Update (Thu May 21 2009): "Hold that funeral!" 50,000 new Windows systems hit every day.

Update (Thu May 28 2009): As Flu Retreats, Scientists Brace for Its Return (WSJ)

Update (Thu, Jun 11 2009): Swine flu origins determined (Nature)

Update (Fri, Jun 12 2009): The inside story of the Conficker worm (New Scientist)

Update (Tue Apr 27 2010): Conficker one year on. Locked and loaded.
The security guys had quarantined CF and fully decomposed it (identified its DNA). That's how the 'go date' was known.
The big BUT was that it downloaded code and even controlling websites.
CF & worms like it are programmable, including the ability to update themselves.
What code was going to be downloaded, and to what ends the botnet would be applied was unknowable. That's what had the sec-squints scared... "what's a coming?"
Just added an update on the Conficker worm, one year later. It's still there, locked and loaded.
Wonder how that compares to H1N1? I guess we can look to the upcoming Aussie flu season to get a heads-up. :)