29 internautes sur 36 ont trouvé ce commentaire utile
Loyd E. Eskildson
- Publié sur Amazon.com
Author Bowden does a great job of summarizing malware in general, and the Conficker worm in particular. He begins by explaining that there are three types of malware - Trojans, viruses, and worms. A Trojan is a piece of software that masquerades as one thing to get inside a computer, then attacking. A virus attacks its host computer after entering its operating system - it depends on the operator opening an e-mail attachment or clicking on a lilnk. A worm works like a virus, but doesn't attack once it enters - it's primarily designed to spread, then wait for instructions delivered later.
Some computer malware is intended to damage or destroy one's computer, and victims quickly realize the problem. A computer worm, by contrast, is a packet of computer code designed to infiltrate a computer without attracting attention and then scans for others to invade, spreading exponentially. The Conficker computer worm emerged in November, 2008 and infiltrated 1.5 million of the world's computers in the first month. By January, 2009 it had spread to at least 8 million computers, exploiting flaws in Microsoft Windows that it closed after entering. They constantly check with its unknown creaters at their unknown location for directions. Frustrated cyber-security experts at Microsoft, Symantec, SRI International, etc. have merged forces to try and defeat it - so far they've been unsuccessful. Bowden's 'Worm' tells how hackers, entrepreneurs, and computer security experts are trying to defend the Internet from Conficker - what the author calls 'the first digital world war.'
In the 'good old days,' infected computers slowed down because user commands had to compete with viral invaders for processing power. Computers would slow down, and programs would freeze. Worm-linked computers ('botnets') can be used to steal information, assist fraudulent schemes, or launch denial-of-service attacks. So far, Conficker (35 kilobytes of code - less than a 2,000-word document) has done none of those things, and been activated only once to perform a short, simple spamming operation that sold a fake anti-spyware program for two weeks, then stopped.
The Microsoft operating system has over 65,000 ports designed to transmit and receive certain kinds of data. Conficker exploited Port 445, which Microsoft had tried to repair 10/23/2008. Firewalls are security programs that guard these ports, but Port 445 was vulnerable even when protected by a firewall if both print-sharing and file-sharing were enabled. However, many fail to apply new patches promptly, and others run pirated Windows systems which Microsoft doesn't update. Thus, reverse-engineering patches allows attackers to create targeted worms.
Experts trying to disable Conficker have learned that it tries to prevent communication with security providers, it avoided Ukrainian IP addresses, and disabled system restore points that allowed users to reset infected machines to a date prior to infection. To prevent IT-defenders from predicting how the infected computer would try to communicate home by setting the computer's clock ahead and then watching what happened (it generates 250 random-codes/day for each of 8 domains - eg. .com, .edu, .uk, etc.). Conficker-infected computers use system clocks (eg. Google, Yahoo) that can't be set ahead. The 'bad guys' only have to pay $10 to register one address, and wait for botnetted computers to make contact. Unfortunately for computer defenders, that communication used coding techniques employed in the latest standard, MD-6, revised.
Defenders, however, were flooded by 50,000 domain names/day needing investigation. Each requires checking to ensure it belongs to a good guy, and their spread out all over the world. Worse yet, a newer version introduced peer-to-peer communication, meaning that all infected computers no longer needed to call home for instructions, and defenders no longer have any way of telling how many computers are infected.
Another insidious Conficker attribute is that it could also be spread by USB drives - thus, systems not connected to the Internet were also vulnerable.
Most of the world's 'best' malware comes from Eastern Europe, drawing on high levels of technical expertise and organized criminal gangs. That's a very big area within which to search.