Kaspersky impressed by botnet slickness

Cybercrime fighter Eugene Kaspersky can't help but be impressed by the slick operations behind the Conficker botnet, and says that it could have been worse had the botnet been after more than just money.

"They are high-end engineers who write code in a good way," Kaspersky told ZDNet.com.au Wednesday. "They use cryptographic systems in the right way, they don't make mistakes--they are really professional."

Kaspersky says he's "60 percent certain" that Conficker is being controlled from the Ukraine, but can't be certain. And while the threat posed by Conficker seems serious enough, Kaspersky says, "It could be worse. We are lucky they are just cybercriminals looking to make money and not worse than that."

The unknown threat posed by Conficker, which hit 10 million Windows machines prior to the suspected D-Day of April 1, prompted a coordinated response. Kaspersky, Symantec, Microsoft, the Internet Corporation for Assigned Names and Numbers (ICANN), and the Federal Bureau of Investigations' Cyber Division, among others, began a campaign to frustrate Conficker's attempt to download a software update.

One reason for ICANN's involvement, according to its CEO and president Paul Twomey, was that Conficker was targeting the Internet's Domain Name Service layer, which is equivalent to the address book of the Internet.

During a keynote delivered at the AusCERT 2009 conference held on the Gold Coast this week, Twomey noted the change in tack by botnet operators. "The application layer has typically been used as the attack vector, but we are beginning to see the DNS resolution used as the command and control," said Twomey.

Conficker is the current darling of the Internet's dark side, preceded by others such as Storm, and spam-machine McColo. But all botnets maintain an edge over their various opponents: they are centrally controlled, "located" potentially anywhere, generally don't rely on third-parties, and are free of regulations.

Botnet operators in Russia, however, have started to cooperate with each other, according to Dmitry Levashev and Ruslan Stoyanov, network security experts from Russian ISP RTComm.ru. At the AusCERT 2009 conference, via a translator, the two gave a sobering account of what lies ahead for Australia in the next three years.

"The different botnets work in cooperation. One would say, 'I'm just a bot herder, I don't care about money laundering.' Or 'I do fraud, we just do our own task.' So, one is doing spam, like advertising services, and another is doing money laundering. It's like a manufacturing business," they said.

Indeed it appears to have occurred when Conficker adopted the Waldec virus, previously used by the Storm botnet as a mechanism to self-propagate.

Meanwhile, the group working to frustrate Conficker's attempt to complete a software upgrade on April Fools' Day fought to coordinate themselves. While ICANN was responsible for coordinating Top Level Domains, Microsoft pushed out patches to non-pirated versions of Windows.

Kaspersky says of his company's role that they had found Conficker was using an algorithm to generate random URLs that it would target in order to download updates to its malware.

"The worm used an algorithm which generated a list of domains. Every day it produced a new list. It looked for these URLs, and if they were online, the worm was designed to download upgrades form the URL. The initial version of the 10 million machine botnet would just wait and download. That's why we were really scared on April Fools' Day. We didn't know what was going to happen."

The group was able to exploit that algorithm and second guess the URLs that would be targeted, and block requests to those URLs. But, says Kaspersky, it was only partially successful.

"We blocked all the URL names which the worm was going to generate. It's an algorithm, so we generated all these URLs and registered these domain names, except ones which were already owned by someone. And because of that--the domain names not owned by those in this process--the Conficker authors managed to take control of one of these domains and upgraded the worm. That was scary," he said.

ICANN's Twomey insisted the group's efforts against Conficker proved that key Internet players, such as Top Level Domain registrants, are capable of coordinating a response to such threats. Still, the Conficker response was the exception and not the rule.

It wasn't the first time a botnet operator has attempted to compromise DNS servers to magnify its capacity to add to its army.

At an ICANN conference held in Mexico in March this year, Rod Rasmussen, chief technology officer of phishing take-down firm Internet Identity, showed evidence of a recent nine-hour attack on CheckFree, an online bill payment provider to 22 U.S. financial institutions, which resulted in a two-day shut-down of affected online services and an estimated 10,000 infections over 48 hours.

"Somebody came in and took over the CheckFree's domain name portfolio at their registrar. They changed the DNS servers for those domains and pointed...basically every host name that would resolve under their domain names to a malware server that was in the Ukraine. Anybody who tried to go to CheckFree.com or any of their other domain names were redirected, instead, to a malware server and were exposed to getting malware download on their computer," Rasmussen said.

In a similar vein to the attack on CheckFree, hackers targeted MelbourneIT's New Zealand subsidiary, Domainz. The hackers, who appeared to be politically motivated, defaced Coca-Cola, Microsoft, Xerox, and F-Secure's Web sites by injecting name server records for the domains in question by compromising Domainz' infrastructure. It didn't knock out critical national infrastructure, but it was able to take down several large companies' websites for a few days.

Kaspersky says, "It's a major example of their Internet weapon, because the bad guys can use a botnet this size, not just for commercial interests, but other interest also."

He insists, "I don't admire them" yet there is an undeniable sense of respect he conveys.

Originally published at ZDNet Australia.