
        Lately there has been a lot of "breaking news" about a new "superworm" called Downadup or Conficker. According to the security company F-Secure, this worm has infected more than 9 million computers, and this is only the beginning. They found out that the worm attempts to "call home": it uses an algorithm to generate different domain names and tries to connect to them. Of course, the domain names can be predicted, and lists of possible domains are available on the F-Secure blog for anyone to register. They could have registered all of them for themselves before sharing the lists, to show the world how they successfully prevented the infected machines from being exploited, but they didn't. They say they could attempt to control the botnet to disinfect the infected computers, but they also say that would not be ethical.

Look but don't touch


"But we can play this game as well.
So we've determined the possible domains and have registered some of them for ourselves.
Which means the infected machines will also connect to us.
We could attempt to manipulate the infected machines. But of course we won't. In fact, we won't be doing anything at all to them - not even disinfect them - as that could be seen as "unauthorized use". That is illegal, at least in many jurisdictions. (Doing something without being asked is also a very large ethical question.) Look but don't touch is the golden rule."
(F-Secure blog, Tuesday, January 13, 2009)

"Our F-Downadup Removal Tool was updated on the 19th." (F-Secure blog, Tuesday, January 20, 2009).

"F-Downadup Note: Computers infected by Downadup are blocked from reaching f-secure.com websites." (F-Secure blog, Tuesday, January 20, 2009).

"Not being able to disinfect all variants of this particular worm does not negate the fact that we are still legally prohibited from doing so in other cases." (F-Secure blog, Wednesday, January 28, 2009 @ 15:50).

Lists of potential domains

        Sharing lists of unregistered domains that could be used to control the botnet shows only one thing: they cannot do anything about it themselves. The bots require a key, and it is a key they don't have.

"Based on analysis, you are correct, the current most common variant of this worm cannot be hijacked due to the encryption." (F-Secure blog, Wednesday, January 28, 2009 @ 15:50)

There is no "worm-master"


"There is nothing on the remote URL _yet_. No one has yet observed any of the domains in hostile hands. Most likely they will push through something sooner or later, but I don't think they dare to do it yet when they know the whole world is watching. It would be very stupid of them, since this malware has hit several governmental sites around the world and the police are very keen to go after them." (F-Secure blog, Sunday, January 18, 2009 @ 13:14).

"It is currently under no one's control. It controls itself. That's how worms work. There is no "worm-master"." (F-Secure blog, Wednesday, January 28, 2009 @ 14:08).

        Someone has spent too much time in "the cloud" lately. Anyone who watched the IP changes for the domains in the list they share could observe that, almost all the time, some registered domains point to blacklisted IPs, while others form a fast-flux cloud: one constant IP among other IPs that keep changing, for several consecutive days.
        For the domain list shared by F-Secure for 2009-01-17 - 2009-01-31, a log of IP changes from the 17th to the 29th can be downloaded from here. The program used to save the log, including its source code, can be downloaded from here (to start logging, paste the domain list and click "Start").

Download


File name                               Size (bytes)  Last update        Description
downadup_domain_blocklist_17_31.txt     51797         2009-01-29, 22:26  [2009-01-29] The list with Downadup domains for 2009-01-17 - 2009-01-31 from F-Secure
Downadup_Domain_Blocklist_February.txt  96493         2009-01-30, 21:10  [2009-01-30] The list with Downadup domains for 2009-02-01 - 2009-02-28 from F-Secure
17-29.zip                               185345        2009-01-29, 22:26  [2009-01-29] Log with IP changes for all Downadup domains from 2009-01-17 to 2009-01-29
17.01-01.02.zip                         399517        2009-02-01, 21:30  [2009-02-01] Log with IP changes for all Downadup domains from 2009-01-17 to 2009-02-01
DNScheck.zip                            8232          2009-01-29, 22:26  [2009-01-29] A simple logger for DNS changes including source code (Creative Commons, Attribution-NonCommercial-ShareAlike 3.0 license)

There are 5 files and 0 directories, for a total of 741384 bytes.

        Sample from the log (each entry shows the previous IPs in parentheses, then the new IPs with their reverse-DNS names where one resolved):

[21:18] The address gnyluuxneo.com ( 24.68.136.198 / 24.36.173.159 / 64.201.192.246 / 64.228.95.93 / 68.56.191.52 / 70.142.56.176 / 70.240.135.23 / 70.243.234.59 / 71.80.11.32 / 71.136.242.74 / 74.129.255.164 / 76.120.154.98 / 99.239.141.71 / 146.57.249.100 / 216.144.105.172 ) was changed to:
        64.228.95.93 = bas2-windsor12-1088708445.dsl.bell.ca
        24.222.246.2 = blk-222-246-2.eastlink.ca
        24.219.191.250 = ip2-250.post-addison.dfw.ygnition.net
        24.68.136.198 = S0106000bdbbb52d2.gv.shawcable.net
        65.102.56.213 =
        68.56.191.52 = c-68-56-191-52.hsd1.fl.comcast.net
        70.154.82.100 = adsl-070-154-082-100.sip.flo.bellsouth.net
        70.226.112.152 = ppp-70-226-112-152.dsl.toldoh.ameritech.net
        70.243.234.59 = ppp-70-243-234-59.dsl.hrlntx.swbell.net
        71.235.251.99 = c-71-235-251-99.hsd1.ma.comcast.net
        72.48.182.24 =
        75.11.10.101 =
        76.124.170.244 = c-76-124-170-244.hsd1.pa.comcast.net
        82.42.189.145 = 82-42-189-145.cable.ubr07.live.blueyonder.co.uk
        99.228.3.150 = CPE0013d34d9009-CM001bd7ac6e3a.cpe.net.cable.rogers.com
[21:20] The address hitsutgat.com ( 74.208.64.191 ) was changed to:
        74.208.64.145 =
[21:20] The address hjvuqkdqown.info ( 74.208.64.145 ) was changed to:
        74.208.64.191 =
[21:28] The address jihujausoun.info ( 74.208.64.191 ) was changed to:
        74.208.64.145 =
[21:30] The address judjmwkt.net ( 74.208.64.191 ) was changed to:
        74.208.64.145 =
[21:34] The address kpocuho.org ( 74.208.64.145 ) was changed to:
        74.208.64.191 =
        74.208.64.145 =
        87.106.34.1 =
        87.106.86.28 = s15243224.rootmaster.info
[21:34] The address kuniptikiky.info ( 87.106.86.28 ) was changed to:
        74.208.64.145 =
        74.208.64.191 =
        87.106.34.1 =
        87.106.86.28 = s15243224.rootmaster.info
[21:36] The address lbbhzmxn.info ( 74.208.64.191 ) was changed to:
        74.208.64.191 =
        74.208.64.145 =
        87.106.34.1 =
        87.106.86.28 = s15243224.rootmaster.info
[21:38] The address ltysmhqfxcr.org ( 74.208.64.191 ) was changed to:
        74.208.64.145 =
        74.208.64.191 =
        87.106.34.1 =
        87.106.86.28 = s15243224.rootmaster.info
[21:41] The address mmxmslmapk.com ( 74.208.64.145 ) was changed to:
        74.208.64.145 =
        74.208.64.191 =
        87.106.34.1 =
        87.106.86.28 = s15243224.rootmaster.info
[21:41] The address mnnvcc.net ( 74.208.64.191 ) was changed to:
        74.208.64.145 =
        74.208.64.191 =
        87.106.34.1 =
        87.106.86.28 = s15243224.rootmaster.info
[21:41] The address mnyiero.info ( 74.208.64.145 ) was changed to:
        87.106.34.1 =
        74.208.64.191 =
        74.208.64.145 =
        87.106.86.28 = s15243224.rootmaster.info
[21:44] The address njfsqcar.info ( 68.178.232.100 ) was changed to:
        64.95.58.5 =
[21:44] The address npukyiia.org ( 74.208.64.145 ) was changed to:
        74.208.64.191 =
        74.208.64.145 =
        87.106.34.1 =
        87.106.86.28 = s15243224.rootmaster.info
[21:46] The address nxipfrpw.net ( 74.208.64.191 ) was changed to:
        74.208.64.145 =
        87.106.34.1 =
        74.208.64.191 =
        87.106.86.28 = s15243224.rootmaster.info
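The analysis described above (one constant IP among churning ones, and the same hosting IPs shared by many registered domains) can be pulled out of a log in this format automatically. The following is an added example, not the DNScheck source from the page; the log text, domain names and documentation-range IPs are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the DNScheck log format shown above (made-up names, documentation-range IPs).
SAMPLE_LOG = """\
[21:18] The address aaaa.example ( 192.0.2.10 / 198.51.100.5 ) was changed to:
        192.0.2.10 = static-host.example
        203.0.113.7 = dyn-7.isp.example
[21:20] The address bbbb.example ( 192.0.2.10 / 203.0.113.7 ) was changed to:
        192.0.2.10 = static-host.example
        203.0.113.22 =
[21:25] The address cccc.example ( 198.51.100.40 ) was changed to:
        198.51.100.41 =
[21:30] The address dddd.example ( 198.51.100.41 ) was changed to:
        198.51.100.40 =
"""

HEADER = re.compile(r"^\[(\d\d:\d\d)\] The address (\S+) \( (.*?) \) was changed to:$")
ENTRY = re.compile(r"^\s+(\d{1,3}(?:\.\d{1,3}){3}) =\s*(\S*)$")

def parse_log(text):
    """Return (time, domain, old_ips, new_ips) records from a DNScheck-style log."""
    records = []
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            old = frozenset(p.strip() for p in m.group(3).split("/") if p.strip())
            records.append([m.group(1), m.group(2), old, set()])
            continue
        m = ENTRY.match(line)
        if m and records:            # the reverse-DNS name (group 2) is not needed here
            records[-1][3].add(m.group(1))
    return [(t, d, o, frozenset(n)) for t, d, o, n in records]

def flux_anchors(records):
    """Per domain, the IPs present in every resolution set seen (old and new).
    A lone anchor inside a churning set is the fast-flux pattern; empty means nothing stayed."""
    seen = defaultdict(list)
    for _, dom, old, new in records:
        seen[dom] += [old, new]
    return {dom: frozenset.intersection(*sets) for dom, sets in seen.items()}

def shared_ips(records):
    """IPs that more than one domain resolved to, i.e. common hosting behind many names."""
    idx = defaultdict(set)
    for _, dom, old, new in records:
        for ip in old | new:
            idx[ip].add(dom)
    return {ip: frozenset(doms) for ip, doms in idx.items() if len(doms) > 1}
```

Feeding the real 17-29 log through `parse_log` would let you check which registered domains keep an anchor IP across days and which IPs are shared by dozens of names.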

Corporate Internet Police


"Do you want an organization with international legal authority to act against Internet threats?" (F-Secure blog, Tuesday, January 27, 2009)

A corporation that has the authority to act against everything it considers a threat? No, thanks.

"You do? Then perhaps it's time for some kind of Internetpol." (F-Secure blog, Tuesday, January 27, 2009)

Of course, any corporation dreams of being part of Internetpol. The reasons are not hard to guess.

"We protect our intellectual property rights to the full extent of the law." (Privacy policy)
"F-Secure may also use personal account information and data collected through to generate statistics and aggregate reports for internal use and for sharing with affiliates, subsidiaries, licensees, successors and advertisers." (Privacy policy)
"However, we might share your personally identifiable information with F-Secure business partners who are acting on our behalf." (Privacy policy)

        Some people say "sharing is caring". Would you like an international law enforcement authority to share your personal information with affiliates, subsidiaries, licensees, successors, advertisers and its business partners?


