…the wanderings

Conficker and the Curious Yellow

I was not planning on writing another post so soon, but Utopiah here has referred a very nice article in his comments to my previous post. If you have not already read Brandon Wiley’s Curious Yellow: The First Coordinated Worm Design, I urge you to read it through.

It hits right on spot about fast distribution through a peer-to-peer network. I used the concept to hypothesize a patch propagation (described as an anti-worm by him).

The paper describes a scenario comparable to a powerful chess game turning the yellow worm to blue and backwards. Probably in recognition of this idea, Conficker uses latest encryption , very likely making a first field implementation of the MD6 algo and its fixes too!. It appears that the Conficker writer is very well versed with this paper and current technology 🙂

Besides the points made by Wiley on that page, there is one more ‘common goal’ such a network can target, and I am sure its already stated somewhere: These compromised systems can be pooled to brute force encryption security.

April 21, 2009 Posted by | security | , , , | Leave a comment

The White Botnet

This is a work of fiction. Any resemblance to reality is entirely unexpected. All similarities (like pigs can fly) are coincidental. Of course, all trademark names used here (starting right from the next line) are property of their owners.

As the first quarter of 2009 ended people had mixed feelings about the Conficker worm (aka Downadup, Kido). It was simultaneously not a joke or an immediate disaster. But, very few knew that this was a beta run of what would eventually be a White Hat vulnerability-patching network. It was clear that the botnet could only hit systems that were not patched for a long known vulnerability. The infection smartly started protecting the systems it conquered and made them safe from further malware. It moved on to become a server of protection that located other weak hosts and propagated towards them in a race against other malware.

The Microsoft Windows machines that are not patched against known attack vectors are usually because of pirated software or Overworked IT Administrators. Is that a good enough reason for malware to propagate towards unprepared legal users? That is where the Open Group came together to build a distributed protection system. This system had to work as a secondary solution in tandem with the existing anti-virus and anti-spyware securities. It had to be disconnected and, by that reason, at crossroads with these solutions.

The solution is to propagate a neutralizing white-botnet across the Internet. It is maintained by a group that partly consists of people from the AV/AS, OS vendors and search engine companies; though most of these vendors are themselves not yet directly associated with it. Google has tweaked its search algorithms to locate and assimilate zero-day vulnerability information quickly. These public postings are verified (coz, they might be poisoned) and associated patches are pushed through the white botnet to manage the ‘compromised’ machines. The window of attack reduces again to the time a patch is found for a zero-day exploit. All hosts will be patched one-way or the other.

…and pigs will fly!

April 20, 2009 Posted by | writing | , , | 2 Comments