Conficker confidential

The security industry is brimming with reports on the Conficker worm right now. Some of them tell us what it does, some tell us what it could do, but most them tell us what it’s not doing: anything of note. This is a bit of an oddity. Usually, when a new botnet comes online it starts pumping out the pill adverts right away.

SophosLabs never likes to be kept in the dark playing catch-up with the malware authors, so we had our top Protectioneers™ jack into cyberspace to see what they could find. After battling head-on with some of the people responsible with the Conficker worm, they returned to Earth bearing the spoils of cybervictory: a fragment of the bug tracking database used by the worm’s creators. We knew that Conficker was professionally developed compared to other malware but we really weren’t prepared for what we found. The fragment is presented here without further comment.

A SophosLabs Protectioneer engaged in a duel with a hacker.
A SophosLabs Protectioneer™ engaged in a duel with a hacker. The yellow and purple triangles represent megabytes.

++++FRAGMENT BEGINS++++++++++++

Defect #2776 (Accepted)

From: JLaren (Test)

Expected behavior: When user connects to worm should record all account details and transmit them to C&C server

Observed behavior: When user connects to worm continuously orders David Hasselhoff memorabilia for as long as funds allow.

Assigned to: Development

Doables to be actioned: Minor bug. Scheduled for fix Q3 2009. Likely the result of a prank by one of our student interns.

Suggestion #2890 (Accepted)

From: MSharpe (Marketing)

Suggested feature: If Conficker’s geo-IP lookup determines the user to be in either the United Kingdom, Canada, Australia or New Zealand the worm should play God Save the Queen in the background to allay any suspicion or negative reaction from the user. Initial work with test audiences in these territories indicates that users are 30% less likely to remove the worm when it is playing the British national anthem.

Assigned to: Marketing, Development

Doables to be actioned: Marketing to source a sufficiently patriotic recording of the jingle in mp3 format. Development to integrate the needful mp3 playback in the worm service DLL.

Defect #2975 (Accepted)

From MSharpe (Marketing)

Description: Worm isn’t badass enough.

Assigned to: Development

Doables to be actioned: Worm should be more badass. Assigned to development so we can get this in the next release as a priority.

Defect #2977 (Pending approval)

From: JLaren (Test)

Expected behavior: Worm should connect to deterministically-generated domain name and receive further instructions from C&C servers on those domains.

Observed behavior: Nothing is being downloaded from these domains; worm takes no action aside from infecting further PCs.

Assigned to: Development

Comments: No outstanding work items relating to any such functionality. Deferring to prod. man. to see if they have anything in the pipeline re: this.

Assigned to: Product Management

Comments: This was covered by Suggestion #752 (Accepted) that the product should be able to connect to the Command and Control server and “do other stuff” depending on what we want on a go-forward basis. Assigned to Project Management so that we can touch base with them on Project Excelsior, for which this suggestion was a deliverable.

Assigned to: Project Management

Comments: Development reported this complete and shipped Dec 2008. Handing this to the engineer that worked on Excelsior for clarification of the functionality as implemented.

Assigned to: Development

Comments: Implemented this by allowing download and execution of an encrypted executable from the C&C server. It was the only functionality broad enough to cover the requirement to “do other stuff”. Assumed contents of the downloaded executable fell outside the scope of Project Excelsior.

Assigned to: Project Management

Comments: Seems like it was outside the scope of this project.

Assigned to: Product Management

Comments: Looks like this is one piece of functionality that slipped through the cracks. We will need to look at this as a new feature and in light of our new user base and current mind share owned by Conficker as a result of recent media coverage I think we can all agree that we will need an initial blue-skies planning phase synergising the inventivity assets of both Product Management and Marketing before levera++++++++++++FRAGMENT ENDS++++