OT: NY Times ('via' acm TechNews): PC worm -- known as Conflicker or Downadup

Charles Jones charles.jones at ciscolearning.org
Fri Jan 23 17:58:54 MST 2009


Mike Schwartz wrote:
> *
> quotes:  ("The worm [...] [exploits] a MS Windows vulnerability [...]");  
>     http://www.nytimes.com/2009/01/23/technology/internet/23worm.html?hp
> /New York Times (01/23/09) Markoff, John/ 
> the above news item was summarized (and, linked to) from:
>   http://technews.acm.org/archives.cfm?fo=2009-01-jan/jan-23-2009.html#396185
> in an item titled 
> Worm Infects Millions of Computers Worldwide *
> ("forwarded" to PLUG-Discuss by:)
I was thinking about this today...
"Each day it generates a new list of 250 domain names. Instructions from 
any one of these domain names would be obeyed. To control the botnet, an 
attacker would need only to register a single domain to send 
instructions to the botnet globally"

So what is keeping *anyone* (besides the author/botherder) from 
disassembling the worm to find out what DNS names it's looking for (or 
heck, even just run wireshark on your machine to see), and then 
registering the domain themselves and using it to take control of the 
entire botnet? The only hurdle would be figuring out the protocol, which 
could probably be easily gleaned from looking at the disassembled code, 
or sniffing the connection of a compromised machine once the botherder 
does finally take control of it.

I guess the answer to my question is "nothing". Actually probably the 
fact that the authorities are now looking for the botherder, so they 
probably have a honeypot and/or compromised machines and are waiting to 
catch the guy, so anyone else taking advantage would be mistaken for the 
real author...oops.

Interesting that they chose not to infect computers with Ukrainian 
keyboards...I'd guess the author didn't want to screw over his home 
country :P
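An added example (mine, not from the post or the Times article) of the observation side of this: a host walking through a day's list of mostly unregistered rendezvous domains produces a burst of NXDOMAIN answers for random-looking names, which a defender can pick out of resolver logs. The log format, the thresholds and the sample lines below are constructed assumptions, not real Conficker domains or real traffic.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<client_ip> <qname> <rcode>" per line (assumed format).
# 10.0.0.7 is made to look like a host probing a rendezvous list; the others are normal.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.7 qwvzkpxbna.com NXDOMAIN
10.0.0.7 lsdjfoiwhr.net NXDOMAIN
10.0.0.7 tgbnhyujmk.org NXDOMAIN
10.0.0.7 pqowieurty.biz NXDOMAIN
10.0.0.7 zmxncbvals.info NXDOMAIN
10.0.0.7 www.example.com NOERROR
10.0.0.9 www.example.com NOERROR
10.0.0.9 updates.example.net NXDOMAIN
"""

def shannon_entropy(label):
    """Bits per character of a label; generated names score higher than words."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(qname):
    """'www.example.com' -> 'example'; the registrable part is what a DGA varies."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def parse_log(text):
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 3:
            yield fields[0], fields[1], fields[2]

def flag_dga_hosts(text, min_nx=5, min_entropy=3.0):
    """Return {client: (nxdomain_count, mean_entropy)} for clients with many
    NXDOMAIN answers whose labels look random. Both thresholds are assumptions;
    the count filter keeps ordinary typos from tripping the entropy test."""
    nx_entropies = defaultdict(list)
    for client, qname, rcode in parse_log(text):
        if rcode == "NXDOMAIN":
            nx_entropies[client].append(shannon_entropy(second_level_label(qname)))
    flagged = {}
    for client, ents in nx_entropies.items():
        mean = sum(ents) / len(ents)
        if len(ents) >= min_nx and mean >= min_entropy:
            flagged[client] = (len(ents), round(mean, 2))
    return flagged

if __name__ == "__main__":
    print(flag_dga_hosts(SAMPLE_LOG))  # {'10.0.0.7': (5, 3.32)}
```

Against a real resolver the same logic runs per time window, since a single day's list is what the worm cycles through.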