Wednesday 24 March 2010

The Conficker Business Model

Dark Cloud

When the Cloud Connect Convention, "the only event which brings together the entire cloud computing ecosystem", was held at California's Santa Clara Centre on March 15-18, exhibitor Neustar's Senior VP & Technologist Rodney Joffe caused a stir by claiming that the cloud is "mostly dark", which is to say, largely controlled by criminals.

The example he used to establish this was the Conficker worm network, comprising worldwide some 6.4 million zombified computers with 18 million CPUs, and a total bandwidth of 28TB/sec. This vast dark net, he claimed in his presentation Cloud Computing for Criminals, satisfies any useful working definition of a cloud service provider, offering a choice of operating system, bandwidth, etc., and providing services such as mass distribution of unsolicited emails, denial-of-service attacks, and data snooping (exfiltration via covert channels), available for rent anywhere in the world. On this last point, Joffe clarifies, it has infected 230 out of the total 260 existing top level domains.

Compared to the relative "startup" offerings from the likes of Amazon, Google, and new kid Microsoft Azure, the larger footprint Conficker net has been running much longer (since 1998), continually commanding unlimited new resources, spreading its worm far and wide, illegally taking over more and more computers. "And there are no costs. And there are no moral, ethical or legal constraints", said Joffe.

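| Provider  | # PCs     | # CPUs     | Gbps   |
|-----------|-----------|------------|--------|
| Conficker | 6,400,000 | 18,000,000 | 28,000 |
| Google    | 500,000   | 1,000,000  | 1,500  |
| Amazon    | 160,000   | 320,000    | 400    |
| Rackspace | 65,000    | 130,000    | 300    |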

Obviously that's because the villains steal their computing and communication capacity, as well as their data, from others! So Joffe wasn't advocating this as a business strategy for companies considering how to run their own IT systems, or considering signing up for, or even providing, cloud services. But his presentation did make some good security points. Botnets such as Conficker will repay diligent study. You must assume that some day, you will become a target for them - "they're great learners" says Joffe - and protect your own infrastructure, and your applications, appropriately. And when you do subscribe to a cloud computing service, remember that your provider can be a security resource, monitoring your general patterns of behaviour, and watching for anything abnormal that could indicate you've been compromised, what they call a "black cloud".

Conficker has been comparatively quiet recently, partly perhaps because of the $250,000 reward offered by Microsoft in February 2009, for any information leading to the arrest and conviction of those particular malware goons. However their most recent really big attack, when Conficker was rented by the Waledac worm perps for spamming duties, actually postdated that, in April 2009. And then there was the Greater Manchester Police shutdown event just last month (update: end of January, actually). Conficker is still alive, still an active threat. And of course, there are many others using the same business model.
