Tuesday, May 5, 2009

Swine Flu and Conficker: Parallel Worlds Collide

Sick of hearing about "swine flu"? Good, then read this blog instead. It strikes me that there are more than the usual uncanny parallels between these tiny molecular machines, aka viruses, and the tiny digital machines, aka viruses or worms; not the least of which is people's reaction to them, viz., out of sight, out of mind.

Pretty soon, swine flu (SF) will fall out of the hyper-media and be forgotten; just like Conficker (CF). With CF, there was a lot of hype about what it might do on April 1st and then ... just like Y2K .... nothing. Right? Wrong! It's still there. And just as SF will continue to evolve during the so-called "non-flu season" (aka summer--in the northern hemisphere), so will CF (with a little help from its friends). It was the return of H1N1 in 1918 that was catastrophic.

In the meantime, irony of ironies, like separate M-Brane universes intersecting in space-time, CF has now turned up in medical equipment such as might be used to diagnose SF.


So here's my ill-posed question to security experts. Prior to 4/1/09, it was apparently unclear what CF would do precisely. It was all a bit like Y2K; we just waited. And we're still waiting. This seems lame for a 21st Century defense technology. This led me to wonder why CF couldn't just be quarantined and studied in isolation, like the approach taken with H1N1. As with any unknown code, why not just put it in a 'debugger' and step it through it's paces? Clearly, worms are more complex because they are distributed, etc., but that just means a more clever harness and tools are needed. In other words, why can't CF be put in a controlled/monitored network harness/environment where the NTP clock is advanced artificially to expose what CF will do?

Perhaps something like that has been done. This SRI analysis from March 2009 gives some idea why debugging it in a test harness may not be easy, but I still don't have a feel for the degree of difficulty. Is this just a matter of getting a big enough chunk of network to make a diagnostic sub-net or is it more like putting a man on the moon?

The list of features shared by both H1N1 and CF.x (where x = A--E) is noteworthy:
  • Their respective origins are not known with certainty.
  • Both are aggregations of codes that have been seen before.
  • The forms are not cutting edge, but the new composition is very sophisticated.
  • They continue to mutate.
  • At the moment, they are mostly just hanging out in various hosts.
  • The ultimate impact is still unknown and unclear.
Clearly, CF is impressive in the same way the Great Train Robbery was impressive for its planning and execution. But being impressed doesn't imply that you should dash off and start robbing trains. The new range of thousands of IP addresses that get scanned (at a stealthy few pkts/sec) and the increasingly heavy encryption that is being applied by the authors of CF (e.g., MD6) pretty much eliminates any altruistic defense about simply showing up security weakness in the Internet by creating large-scale P2P botnets. For those with licensed versions of Windows, who are busy protecting them, I love this bit of unintended humor from an AV purveyor:
"...make certain that your system is being infected by the real Conficker virus, not some hackneyed copy."
That's right. Accept no substitutes! :-) Finally, a footnote to Creationists:
If H1N1 isn't proof of Darwinian evolution, then it's proof of a malicious Designer. Pick one!
Update (Thu May 21 2009): "Hold that funeral!" 50,000 new Windows systems hit every day. Update (Thu May 28 2009): As Flu Retreats, Scientists Brace for Its Return (WSJ) Update (Thu, Jun 11 2009): Swine flu origins determined (Nature) Update (Fri, Jun 12 2009): The inside story of the Conficker worm (New Scientist) Update (Tue Apr 27 2010): Conficker one year on. Locked and loaded.


steve jenkin said...

The security guys had quarantined CF and fully decomposed it (identified its DNA). That's how the 'go date' was known.

The big BUT was that it downloaded code and even controlling websites.

CF & worms like it are programmable, including the ability to update themselves.

What code was going to be downloaded, and to what ends the botnet would be applied was unknowable. That's what had the sec-squints scared... "what's a coming?"

Neil Gunther said...

Just added an update on the Conficker worm, one year later. It's still there, locked and loaded.

Wonder how that compares to H1N1? I guess we can look to the upcoming Aussie flu season to get a heads-up. :)