
The Enemy Within: What is Conficker's Botnet For? - theoneill
http://www.theatlantic.com/magazine/archive/2010/06/the-enemy-within/8098/
======
tptacek
I yield to no man in the gravity and intensity of my fanboyish appreciation
for Mark Bowden's writing, but this article is _so_. _bad_. Not just in the
details, which, come on, it's a lay piece in The Atlantic, but in its warped
conclusions.

 _If the right order were given, and all these computers worked together in
one concerted effort, a botnet with that much computing power could crack many
codes, break into and plunder just about any protected database in the world
[...]_

"Just about any protected database". Ow, my brain!

 _It pits the cleverest attackers in the world, the bad guys, against the
cleverest defenders in the world, the good guys (who have been dubbed the
“Conficker Cabal”)._

The best in the world! On _both sides_! My precious brain!

 _It exploited a specific hole, Port 445, in the Microsoft operating systems,
a vulnerability that the manufacturer had tried to repair just weeks earlier.
Ports are designated “listening” points in a system, designed to transmit and
receive particular kinds of data. There are many of them, more than 65,000,
because an operating system consists of layer upon layer of functions._

So that's how it got in! There are too many ports!

 _If everyone applied the new patches promptly, Windows would be nigh
impregnable._

%y b$&tifu111 br4in ow it burns.

 _Conficker had an answer for that. Instead of using the infected computer’s
clock, the worm set its schedule by the time on popular corporate home pages,
like Yahoo, Google, or Microsoft’s own msn.com._

 _“That was interesting,” Ligh said. “There was no way we could turn the clock
forward on Google’s home page._

MAKE IT STOP.

 _"All of this was impressive—but something else stopped researchers cold..."_

No, Mark. Please. Don't go here...

 _So when the new version of Conficker appeared, and its new method of
encrypting its communication employed MD-6, Rivest's proposal for SHA-3, the
cabal's collective mind was blown._

 _Needless to say, this is a very arcane game. The entries are comprehensible
to very few people. According to Rodney Joffe, “Unless you’re a subject-matter
expert actively involved in crypto-algorithms, you didn’t even know that MD-6
existed. It wasn’t like it was put in The New York Times.”_

WHY, MARK, WHY! I BUY ALL YOUR BOOKS. MY BUGS! My Bugs! My bugs! my bugs! my
b&gz! m&4nc bugs...

The only thing that is good about this piece is the clear-eyed description of
how worms infect computers and how hard it is to detect and clean them out.
Unfortunately, Bowden wrote those grafs using a Star Trek metaphor, which in a
technology piece is the stylistic equivalent of serving mashed potatoes topped
with risotto.

The rest is horrible. What's special about Conficker? Probably not that it's
especially clever; no, what seems to have thrown everyone for a loop is the
fact that while it spreads aggressively, it does little afterwards to piss
people off and provoke an immediate response. That's its contribution to the
state of the art.

MD-6 is so important that it deserves a subhed? What? The first piece of
crypto _every hacker comes into contact with_ is MD5. The trials and
tribulations of MD5 are legendary. The MD6 sample code was right there on the
Internet. Just like the people who used "reverse-engineered" RC4 in their
sniffers in 1995, this is nothing but a vanity feather in the worm author's
cap.

What could you do with crypto to impress an analyst skilled in the art?

* You could have taken a well-known strong algorithm and jumbled the constants slightly to create an unpredictable but strong variant.

* You could have implemented an algorithm that was published only in papers and only in diagrams and equations.

* You could invent your own algorithm and have it at least come close to holding its own against the state of the art.

The notion that Conficker is one of the most important things happening in
security is very likely not going to stand up to hindsight years from now. The
"best and brightest" are _not_ killing themselves figuring out the Conficker
problem. That may be a mistake, but the conventional wisdom as I perceive it
is that Conficker will eventually blow up to be someone else's very painful
operations problem that we read about in The Register and promptly forget
about.
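
As an added example (not part of the thread or any commenter's post), this is the kind of constant-scan an analyst runs to tell which well-known algorithms a binary embeds, and it shows why the first item in the list above defeats it: the signature table and the sample buffers are constructed here, RC4 is absent because it has no fixed constants to match, and MD6 is left out because its constants are not quoted on this page.

```python
import struct
from typing import List, Set, Tuple

# Constructed signature table: well-known constants as they appear in a
# little-endian x86 image. MD5 and SHA-1 share the first four state words.
SIGNATURES = {
    "md_iv_ABCD": struct.pack("<4I", 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476),
    "sha1_iv_E": struct.pack("<I", 0xC3D2E1F0),
    "sha256_K01": struct.pack("<2I", 0x428A2F98, 0x71374491),
    "aes_sbox_head": bytes.fromhex("637c777bf26b6fc5"),
}
# RC4 builds its state from the key and has no fixed table, so a constant scan
# cannot find it; that needs code-pattern or behavioural analysis instead.


def scan_for_crypto(blob: bytes) -> List[Tuple[str, int]]:
    """Return (signature name, offset) for every known constant found in blob."""
    hits = []
    for name, pattern in SIGNATURES.items():
        start = 0
        while (idx := blob.find(pattern, start)) != -1:
            hits.append((name, idx))
            start = idx + 1
    return sorted(hits, key=lambda h: h[1])


def algorithms_found(blob: bytes) -> Set[str]:
    """Map raw constant hits to algorithm names (SHA-1 needs the fifth word)."""
    names = {n for n, _ in scan_for_crypto(blob)}
    algos = set()
    if "md_iv_ABCD" in names:
        algos.add("SHA-1" if "sha1_iv_E" in names else "MD5")
    if "sha256_K01" in names:
        algos.add("SHA-256")
    if "aes_sbox_head" in names:
        algos.add("AES")
    return algos


# Constructed stand-in for a binary that embeds SHA-1 state and an AES S-box.
SAMPLE = (b"\x90" * 16 + SIGNATURES["md_iv_ABCD"] + SIGNATURES["sha1_iv_E"]
          + b"\xcc" * 8 + SIGNATURES["aes_sbox_head"] + b"\x00" * 8)
# Same buffer with one state word changed by a single bit: the "jumbled
# constants" variant is invisible to the scan although the code is unchanged.
JUMBLED = SAMPLE.replace(struct.pack("<I", 0x67452301), struct.pack("<I", 0x67452300))

if __name__ == "__main__":
    print(algorithms_found(SAMPLE))   # {'SHA-1', 'AES'}
    print(algorithms_found(JUMBLED))  # {'AES'}
```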

~~~
MikeCapone
It's really too bad the technical stuff is weak, because I _love_ these longer
pieces about computer security/crypto.

Can anyone suggest similar reads that get the tech right?

------
Zak
_It uses an encryption code so sophisticated that only a very few people could
have deployed it._

I have a hard time believing that. Sophisticated and effective encryption
techniques are well-documented. There are thousands of bored teenagers who
could write malware that uses sophisticated encryption. Successfully spreading
over the whole Internet while being unobtrusive enough to not be noticed by
most victims is, perhaps, more impressive.

~~~
Locke1689
It's layman writing. The worm uses RSA and RC4. SHA1 or MD6 as a hash.
Designing these would obviously take a very skilled cryptographer (actually
many, many cryptographers). Implementing it just requires a smart programmer
who knows a decent amount about cryptography.

~~~
edmccaffrey
And deploying it only requires someone who can import a library and follow
instructions.

~~~
Locke1689
Eh, not really. If you were talking about a fully defined cryptographic
protocol like SSL I would say you were right, but if you're talking about
actual cryptographic implementation I would say that it requires a little more
knowledge.

See tptacek's post about "Typing the letters A-E-S" into your code and
cperciva's many posts about improper use of secure cryptography.

------
FluidDjango
It sure is hard to keep the general public's attention when there are no
dramatic, overt symptoms yet.

Who knows _what_ sort of pain they're going to inflict (or cost they'll exact)
once they choose to monetize?

~~~
raganwald
Should we assume this is a question of venality? What if it is being
controlled by a foreign superpower with no qualms about conducting cyber-
intelligence gathering or disruption?

~~~
DeusExMachina
If we want to think very badly of the bad guys, it scares me to think of the
Joker in "The Dark Knight" and a quote from Alfred: _some people just want to
see the whole world burn_.

It's quite extreme and it is questionable that people so smart are looking for
something like this, but it often surprises and scares me to what extent humans
are able to go.

I surely hope that ultimate disruption is not the plan behind Conficker.

------
jackfoxy
Long entertaining article (which I intend to finish), but as usual short on
actionable information.

Here's what I would like to have access to:

Input-

1) OS

2) patch level (for simplicity I should be able to input "current")

3) the AV software(s) on my box

Output-

1) known vulnerabilities for this system configuration

2) what could be lurking on the system that hasn't been detected

3) methods of detection for items under (2)

4) remedies (including rebuild your box, in the worst case)

------
nealb
If you're curious and want a technical read not filled with BS about how
amazingly foreign and magical MD6 must be, just read this or the equivalent
from McAfee or whoever you prefer -
[http://tools.cisco.com/security/center/viewAlert.x?alertId=1...](http://tools.cisco.com/security/center/viewAlert.x?alertId=17121)

