Wednesday, February 11, 2009
Raison d'être of the "downadup" or "conficker" worm
- Agent Smith, The Matrix Reloaded
The downadup worm has been the subject of much discussion. Someone spent real resources developing this thing; Symantec calls it "the most prolific worm that we have seen for some time". At the SANS ISC an incident handler wrote, "we can definitely say that the Conficker authors were not amateurs – this looks like professionally written code". The fact that the purpose of the worm is unknown is a little bit spooky; unlike most crimeware, it reportedly does nothing post-infection except connect to a control channel and await instructions. So, we have a sophisticated worm with extensive antiforensics capabilities placing some 10% of the world's computers under the control of unknown actors for unknown purposes.
Why would someone fund the development and deployment of a worm with no apparent purpose? If it were simply more crimeware, it seems likely that its authors would want a rapid return on investment by immediately engaging in financial fraud and/or data theft. Why would a worm like this do nothing post-infection? There are several possibilities:
- the worm's developers no longer have a paying customer, because the client who commissioned the worm ceased operations (in this event, with a botnet in the realm of 10 million, one would think they could find new clients)
- the worm's developers are unable to access the command and control channel after losing the encryption keys to accident, data loss or system failure
- the worm's control channel has been seized by a government or law enforcement organization
- the worm was developed by a not-for-profit group who have no desire for monetization
- some other undetermined explanation
What other reasons can we imagine for releasing a worm that takes no action? As a thought experiment, imagine for a moment we were asked to develop a first strike weapon for information warfare. In the kinetic world we have the stealth bomber and the missile boat - first strike weapons designed to resist detection and deliver a massive payload with little or no warning (and if your delivery time is shorter than the defender's response time - or even their decision loop - little warning can be the practical equivalent of no warning).
The basic requirements for a first strike cyber-weapon would similarly be stealth, availability and reliability. It would need to infiltrate large numbers of hosts and networks in advance and resist detection and removal to the maximum extent possible, so that it is operational and capable of delivering an attack payload when the time comes. Another requirement would be a reliable command and control channel that is resistant to detection and interference. Like the missile boat, it would be deployed well in advance of any actual conflict so that it is ready when needed. Generalized large-scale distribution, rather than targeted distribution, would probably be more successful in infiltrating the target, since any deployment aimed at a specific country or network would raise that target's alert status - ramping up its response and cleanup efforts and reducing the worm's effectiveness in penetrating its target(s) and/or growing a large bot population. Even if the program failed to infiltrate its target network(s) in large numbers, it could still be used to launch denial of service floods against strategic targets such as internet service providers, communications networks, financial networks and government networks that are exposed to Internet-based attack. A denial of service attack on major ISPs might accomplish much of this in one blow. Obviously a flood of this size would require a massive number of bots; the estimated 10 million hosts infected by downadup might be enough even if only a portion of them were able to reach their targets.
Perhaps the downadup worm essentially fits the description of a first strike cyber-weapon. There is no particular basis for believing it is a weapon; this is but one explanation that fits the available facts. Perhaps it is simply an R&D project for evaluating the effectiveness of various delivery systems, propagation methods and control channels that might be used by an actual weaponized bot in an actual cyberwar. It carries no obvious payload so far as we know but its payload could be easily delivered through its command and control channel. A simple destructive attack like destroying file systems or launching denial of service floods would be relatively simple to implement - probably in a matter of seconds - by sending a few commands down the C&C channel to the listening bots. Even relatively complex attack programs could probably be delivered over the control channel in a matter of minutes. It would probably make sense to hold back any attack payload until the decision had been made to use it as any detection of attack code by malware analysts would result in heightened cleanup operations that would reduce its numbers.
Posted by Craig Chamberlain