Conficker, RSA and RC4

I was reading the excellent paper An Analysis of Conficker’s Logic and Rendezvous Points from SRI and was surprised to learn that Conficker botnet updates are distributed at its rendezvous points as encrypted and signed binaries using RC4 and RSA (the “R” in both cases here stands for Ron Rivest). Both the A and B variants of Conficker use these checks to ensure that the updates have been created by the Conficker authors – just like any other software vendor issuing updates and patches. The paper depicts the update process as follows

[figure: the paper's diagram of the Conficker update process]
So each Conficker client carries an RSA public key E for signature verification. A Windows binary file F is encrypted and signed as follows:
  • Hash F to produce a 512-bit hash M
  • Encrypt F with RC4 using M as the key
  • Sign M using the private key D
A Conficker client authenticates the encrypted binary as follows:
  • Using the embedded public key E, perform the signature verification to recover M
  • Decrypt the encrypted binary using RC4 with M as the key
  • Verify that the hash of the decrypted F is in fact M
The RSA key is 1024 bits for Conficker A and 2048 bits for Conficker B; both keys are listed in the paper. That’s a large public key for Conficker B, but it is dwarfed by the 512-bit symmetric key used in RC4. Yes, RC4 can support such huge key sizes, and I will explain in a future post how this is possible.
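To make the update flow above concrete, here is an added example in pure Python of the sign-then-encrypt scheme as the post describes it. This is illustrative code written for this post, not code from the SRI paper or from the botnet. It assumes SHA-512 as the 512-bit hash, textbook RSA with no padding, and a seeded, constructed demo key pair; the function names (rc4, package_update, verify_update) are my own. Note that the RC4 key-scheduling loop indexes the key as key[i % len(key)], which is exactly why a 64-byte (512-bit) key is legal: RC4 accepts anything from 1 to 256 key bytes.

```python
# Added example: Conficker-style signed-and-RC4-encrypted update, pure Python.
# Assumptions: SHA-512 as the 512-bit hash M, textbook RSA without padding,
# seeded demo key pair. Illustration only, not production cryptography.
import hashlib
import random

HASH_BYTES = 64  # 512-bit hash M, used directly as the RC4 key


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher. The KSA accepts any key of 1..256 bytes and cycles
    the key bytes over the 256-entry state, so a 64-byte key is perfectly
    legal. Encryption and decryption are the same XOR operation."""
    if not 1 <= len(key) <= 256:
        raise ValueError("RC4 key must be 1..256 bytes")
    S = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:                             # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 16) -> bool:
    """Miller-Rabin primality test (demo quality)."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full size, odd
        if _is_probable_prime(cand, rng):
            return cand


def generate_rsa_keypair(bits: int = 1024, seed: int = 7):
    """Constructed demo key pair (seeded RNG so runs are reproducible).
    1024 bits matches the size the post cites for Conficker A.
    Returns ((E, N), (D, N))."""
    rng = random.Random(seed)
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (e, p * q), (pow(e, -1, phi), p * q)


def package_update(binary: bytes, priv) -> tuple:
    """Author side: M = H(F), C = RC4_M(F), sig = M^D mod N."""
    d, n = priv
    m = hashlib.sha512(binary).digest()
    return rc4(m, binary), pow(int.from_bytes(m, "big"), d, n)


def verify_update(ciphertext: bytes, signature: int, pub):
    """Client side: recover M with E, RC4-decrypt under M, and accept only if
    the plaintext hashes back to M. Returns F on success, else None, so a bad
    signature and a flipped ciphertext byte both come out as None."""
    e, n = pub
    if not 0 < signature < n:
        return None
    m_int = pow(signature, e, n)
    if m_int.bit_length() > 8 * HASH_BYTES:      # cannot be a 512-bit hash
        return None
    m = m_int.to_bytes(HASH_BYTES, "big")
    binary = rc4(m, ciphertext)
    return binary if hashlib.sha512(binary).digest() == m else None


if __name__ == "__main__":
    pub, priv = generate_rsa_keypair()
    fake_binary = b"MZ" + bytes(range(256)) * 8   # constructed stand-in for F
    c, sig = package_update(fake_binary, priv)
    print("genuine update accepted:", verify_update(c, sig, pub) == fake_binary)
    tampered = bytes([c[0] ^ 1]) + c[1:]
    print("tampered update rejected:", verify_update(tampered, sig, pub) is None)
```

The last hash check is the part that matters for integrity: RC4 is a stream cipher, so flipping a ciphertext bit flips the same plaintext bit, and a client that skipped the final comparison of H(F) against the signed M would run a modified binary. The signature alone only authenticates M; the hash comparison is what binds the decrypted file to it.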

Conficker and your health


A USB stick inserted into a terminal in one of its car parks is being blamed for a massive Conficker infection of Waikato hospital in New Zealand that broke out last December. Over a 3 day period this incident infected 3,000 computers on the hospital network, impacting around 5,000 hospital staff. A full report on the incident is still forthcoming, but a USB-borne strain of Conficker is expected to be named as the culprit. A similar incident occurred on the servers of the NHS in Leeds earlier in the year.

What is the LINPACK rating of Conficker?

Rodney Joffe, senior vice president and senior technologist at the infrastructure services firm Neustar, gave a keynote presentation on Cloud Computing for Criminals at the recent Cloud Connect conference. Joffe presents some figures which show that the computational size of the Conficker botnet dwarfs the current commercial offerings, based on measuring the number of systems, the number of CPUs and available bandwidth. For Conficker these values are given (estimated?) as

  • 6,400,000 systems
  • 18,000,000+ CPUs
  • 28 Terabits of bandwidth

The corresponding measures for Google are 500,000 systems, 1,500,000 CPUs and 1,500 Gbps of bandwidth, with Amazon and Rackspace providing significantly fewer resources. So Conficker is a massive ad hoc computational structure. But is Conficker really like a cloud service? Joffe says yes, because

  • It’s available for rent
  • Choose your geographies
  • Choose your networks
  • Choose your bandwidth
  • Choose your OS Version
  • Choose your specialty (DDoS, Spam, Data Exfiltration)

and further the vendor has good qualifications

  • Much more experience (1998)
  • Larger footprint (Millions of systems)
  • Unlimited new resources (New malware)
  • No costs
  • No moral, ethical, or legal constraints

This all reminds me of a mailing-list post by Peter Gutmann from 2007 called World’s most powerful supercomputer goes online, referring to the Storm botnet:

This doesn’t seem to have received much attention, but the world’s most powerful supercomputer entered operation recently. Comprising between 1 and 10 million CPUs (depending on whose estimates you believe), the Storm botnet easily outperforms the currently top-ranked system, BlueGene/L, with a mere 128K CPU cores. Using the figures from Valve’s online survey

http://www.steampowered.com/status/survey.html

for which the typical machine has a 2.3 – 3.3 GHz single core CPU with about 1GB of RAM, the Storm cluster has the equivalent of 1-10M (approximately) 2.8 GHz P4s with 1-10 petabytes of RAM (BlueGene/L has a paltry 32 terabytes). In fact this composite system has better hardware resources than what’s listed at http://www.top500.org.

This may be the first time that a top 10 supercomputer has been controlled not by a government or megacorporation but by criminals. The question remains, now that they have the world’s most powerful supercomputer system at their disposal, what are they going to do with it?

And I wonder what the LINPACK rating for Storm is?

And I wonder what the LINPACK rating is for Conficker?


Downadup’s Password Cracking List

This week it was reported that the Downadup worm (also known as Conficker) has infected 3.5 million Windows machines, according to data gathered by security company F-Secure. One of the ways the worm tries to propagate is by guessing account passwords on the victim machine.

F-Secure has a write-up on the worm which includes the list of passwords that it checks (reproduced below). The list of just over 180 password candidates contains the usual suspects – the username for the account, repeated digits, qwerty, admin, password and pass1, pass12, pass123. Given that the worm has successfully infected such a large number of machines, this password guessing strategy must be quite effective. So weak passwords are still letting us down.

(Added April 2nd, 2009: you can see a nice graphic of this password list at Graham Cluley’s blog).

  • [username]
  • [username][username]
  • [reverse_of_username]
  • 00000
  • 0000000
  • 00000000
  • 0987654321
  • 11111
  • 111111
  • 1111111
  • 11111111
  • 123123
  • 12321
  • 123321
  • 12345
  • 123456
  • 1234567
  • 12345678
  • 123456789
  • 1234567890
  • 1234abcd
  • 1234qwer
  • 123abc
  • 123asd
  • 123qwe
  • 1q2w3e
  • 22222
  • 222222
  • 2222222
  • 22222222
  • 33333
  • 333333
  • 3333333
  • 33333333
  • 44444
  • 444444
  • 4444444
  • 44444444
  • 54321
  • 55555
  • 555555
  • 5555555
  • 55555555
  • 654321
  • 66666
  • 666666
  • 6666666
  • 66666666
  • 7654321
  • 77777
  • 777777
  • 7777777
  • 77777777
  • 87654321
  • 88888
  • 888888
  • 8888888
  • 88888888
  • 987654321
  • 99999
  • 999999
  • 9999999
  • 99999999
  • a1b2c3
  • aaaaa
  • abc123
  • academia
  • access
  • account
  • Admin
  • admin
  • admin1
  • admin12
  • admin123
  • adminadmin
  • administrator
  • anything
  • asddsa
  • asdfgh
  • asdsa
  • asdzxc
  • backup
  • boss123
  • business
  • campus
  • changeme
  • cluster
  • codename
  • codeword
  • coffee
  • computer
  • controller
  • cookie
  • customer
  • database
  • default
  • desktop
  • domain
  • example
  • exchange
  • explorer
  • files
  • foobar
  • foofoo
  • forever
  • freedom
  • games
  • home123
  • ihavenopass
  • Internet
  • internet
  • intranet
  • killer
  • letitbe
  • letmein
  • Login
  • login
  • lotus
  • love123
  • manager
  • market
  • money
  • monitor
  • mypass
  • mypassword
  • mypc123
  • nimda
  • nobody
  • nopass
  • nopassword
  • nothing
  • office
  • oracle
  • owner
  • pass1
  • pass12
  • pass123
  • passwd
  • Password
  • password
  • password1
  • password12
  • password123
  • private
  • public
  • pw123
  • q1w2e3
  • qazwsx
  • qazwsxedc
  • qqqqq
  • qwe123
  • qweasd
  • qweasdzxc
  • qweewq
  • qwerty
  • qwewq
  • root123
  • rootroot
  • sample
  • secret
  • secure
  • security
  • server
  • shadow
  • share
  • student
  • super
  • superuser
  • supervisor
  • system
  • temp123
  • temporary
  • temptemp
  • test123
  • testtest
  • unknown
  • windows
  • work123
  • xxxxx
  • zxccxz
  • zxcvb
  • zxcvbn
  • zxcxz
  • zzzzz
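A natural defensive use of this list is to audit an organisation's own accounts against it. The added example below (my code, not from F-Secure's write-up) does that from stored password hashes rather than plaintexts, expanding the three bracketed username-derived entries per account. WORD_SUBSET is a constructed subset of the list above, and REPEATED_DIGITS regenerates the single-digit runs programmatically for 5 to 8 repeats of every digit (a slight superset of the runs printed above). The salted SHA-256 storage scheme is an assumption for the demo; a real audit would use whatever hash the directory actually stores.

```python
# Added example: audit stored password hashes against the Downadup guessing
# list, without ever handling plaintext passwords. WORD_SUBSET is a constructed
# subset of the published list; the salted-SHA-256 store is assumed for the demo.
import hashlib

WORD_SUBSET = {
    "0987654321", "123456", "1234qwer", "1q2w3e", "54321", "654321",
    "abc123", "admin", "Admin", "adminadmin", "changeme", "ihavenopass",
    "letmein", "nopass", "pass1", "pass12", "pass123", "Password",
    "password", "password123", "qazwsx", "qwerty", "secret", "zxcvbn",
}

# Single-digit runs of length 5..8, generated rather than listed.
REPEATED_DIGITS = {str(d) * n for d in range(10) for n in range(5, 9)}


def conficker_candidates(username: str) -> set:
    """Candidate set for one account: the fixed words plus the three
    username-derived templates ([username], [username][username],
    [reverse_of_username]). Matching is case-sensitive, since the list
    carries e.g. both 'Admin' and 'admin' as separate entries."""
    return WORD_SUBSET | REPEATED_DIGITS | {username, username * 2, username[::-1]}


def hash_password(password: str, salt: bytes) -> str:
    """Constructed storage scheme for the demo: salted SHA-256."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def make_record(username: str, password: str, salt: bytes) -> dict:
    """Build a stored account record as the directory would hold it."""
    return {"user": username, "salt": salt, "hash": hash_password(password, salt)}


def audit_records(records) -> dict:
    """Return {username: matching_candidate} for every account whose stored
    hash is reproduced by some Downadup candidate. Only hashes are compared,
    so the audit never needs to collect plaintext passwords."""
    weak = {}
    for rec in records:
        for cand in sorted(conficker_candidates(rec["user"])):
            if hash_password(cand, rec["salt"]) == rec["hash"]:
                weak[rec["user"]] = cand
                break
    return weak


# Constructed sample accounts; three of them would fall to the worm's list.
SAMPLE_RECORDS = [
    make_record("alice", "password123", b"salt-a"),
    make_record("bob", "bobbob", b"salt-b"),            # [username][username]
    make_record("carol", "77777777", b"salt-c"),        # repeated digit run
    make_record("dave", "correct-horse-battery", b"salt-d"),
]

if __name__ == "__main__":
    for user, cand in audit_records(SAMPLE_RECORDS).items():
        print(f"{user}: guessable as {cand!r}")
```

Running the audit over SAMPLE_RECORDS flags alice, bob and carol and leaves dave alone; the per-account template expansion is what catches bob, whose password is nowhere in the fixed list.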