Conficker FUD?

Conficker, aka Downadup, is gaining popularity among the non-techy news sites. Today I ran across this article on Rawstory.com. In it, David Perry of Trend Micro is quoted as saying “Downadup uses brute force from the infected network of botnets to break the password of the machine being attacked”.

To my knowledge that isn’t how the worm works, but please correct me if I’m wrong. According to everything I’ve read, a single instance of the worm will indeed try to “brute force” passwords, but it isn’t a distributed effort spread across portions of the botnet. In none of the following evaluations of Conficker is ‘distributed brute forcing’ mentioned:

Trend Micro (fails to even mention the password-guessing aspect)
Symantec
Sophos
F-Secure
McAfee
Panda (added to my list 1/23/09)

Not to mention the fact that the total number of passwords hardwired into the worm is 184, which is minuscule when compared to Cotse’s “all-words” list of 53,082. The smaller number of passwords was certainly intentional, to keep the code lean and mean, and doesn’t lend itself to distributed brute force.

The author of the story also states that “A troubling aspect of Conficker is that it harnesses computing power of a botnet to crack passwords.” That, according to everything I’ve read, is false. Conficker does not crack passwords; it guesses them from a small list of “weak” passwords. Something like L0phtcrack built into a worm would indeed be new and certainly nasty, but what Conficker is doing isn’t anywhere near what L0phtcrack does…
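As an added illustration, not part of the original post, here is a defender-side check that separates the two patterns being argued about: one host walking a short password list against a target (what the vendor write-ups describe) versus many hosts pooling their attempts against one target (what the article’s claim would imply). It assumes a constructed, simplified failed-logon log format and a hypothetical threshold; nothing in it is real Windows event text or the worm’s own code.

```python
import re
from collections import defaultdict

# Constructed sample in a simplified, hypothetical log format (not real
# Windows event text). 10.0.0.5 alone walks several accounts on FILESRV01,
# as one worm instance trying its list of 184 weak passwords would look;
# FILESRV02 gets one failure each from five hosts; WS07 sees a lone typo.
SAMPLE_LOG = """\
2009-01-23 10:00:01 FAILED_LOGON src=10.0.0.5 target=FILESRV01 user=Administrator
2009-01-23 10:00:01 FAILED_LOGON src=10.0.0.5 target=FILESRV01 user=Administrator
2009-01-23 10:00:02 FAILED_LOGON src=10.0.0.5 target=FILESRV01 user=backup
2009-01-23 10:00:02 FAILED_LOGON src=10.0.0.5 target=FILESRV01 user=backup
2009-01-23 10:00:03 FAILED_LOGON src=10.0.0.5 target=FILESRV01 user=jsmith
2009-01-23 10:00:03 FAILED_LOGON src=10.0.0.5 target=FILESRV01 user=jsmith
2009-01-23 10:00:04 FAILED_LOGON src=10.0.0.7 target=FILESRV02 user=Administrator
2009-01-23 10:00:05 FAILED_LOGON src=10.0.0.8 target=FILESRV02 user=Administrator
2009-01-23 10:00:06 FAILED_LOGON src=10.0.0.9 target=FILESRV02 user=Administrator
2009-01-23 10:00:07 FAILED_LOGON src=10.0.0.10 target=FILESRV02 user=Administrator
2009-01-23 10:00:08 FAILED_LOGON src=10.0.0.11 target=FILESRV02 user=Administrator
2009-01-23 10:00:30 FAILED_LOGON src=10.0.0.20 target=WS07 user=jsmith
"""

LINE_RE = re.compile(r"FAILED_LOGON src=(\S+) target=(\S+) user=(\S+)$")

def parse_failed_logons(text):
    """Return one (src, target, user) tuple per FAILED_LOGON line."""
    return [m.groups() for m in map(LINE_RE.search, text.splitlines()) if m]

def classify_targets(records, threshold=5):
    """Label each target host's failure pattern. 'single-host-guessing':
    one source alone reaches the threshold (the single-instance dictionary
    walk the vendor write-ups describe). 'distributed-guessing': the
    threshold is reached only by pooling several sources (the pattern the
    disputed claim would imply). 'normal': below threshold either way."""
    per_target = defaultdict(lambda: defaultdict(int))
    for src, target, _user in records:
        per_target[target][src] += 1
    verdicts = {}
    for target, by_src in per_target.items():
        if max(by_src.values()) >= threshold:
            verdicts[target] = "single-host-guessing"
        elif sum(by_src.values()) >= threshold:
            verdicts[target] = "distributed-guessing"
        else:
            verdicts[target] = "normal"
    return verdicts

if __name__ == "__main__":
    print(classify_targets(parse_failed_logons(SAMPLE_LOG)))
```

The threshold is deliberately low for the constructed sample; on a real network it would be tuned to the share-access failure rate you normally see.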

Can anyone validate Mr. Perry’s statement?


I think you’re correct on calling BS to that author.

I now keep all my passwords on my desk on a piece of paper (my work domain admin passwords) because Perry said so in that last paragraph. I R See Cure!

You are correct. The worm does not use brute force methods to spread. It uses a dictionary brute force to change user account security policies.

The statement about “harnessing the power botnets to crack passwords” is something I have not seen as a functionality of this worm either.

The detailed breakdown of what is inside Conficker.C can be found at the Panda Security Security Info Page: http://bit.ly/4gi4O3

Thank you for the link, Sean-Paul. I’ve added it to the post. So far, Panda and F-Secure seem to have the best technical data on the bug.

And LV, I’m with you. I have my passwords on a sticky note hidden under my keyboard.