Conficker talk sanitized at Black Hat to protect investigation

Network World - LAS VEGAS -- The international security team tracking down Conficker thought the masterminds behind it would have been apprehended by now, according to one of the leaders of the effort to stamp out the resilient worm.

Take our quiz on Black Hat's most notorious incidents

But that’s not the way it has worked out, and a talk at Black Hat yesterday had to be scaled back because it contained information about Conficker that might tip investigators’ hand and send the perpetrators further underground, says Mikko Hypponen, chief research officer at F-Secure and a member of the Conficker Working Group. 

When Hypponen submitted the abstract for his Black Hat briefing more than six months ago, he thought he’d be presenting a forensic look at a dead worm and that the team who had written and managed it would be out of action.

“I had hoped that by the end of July we would be in a totally different situation, the case would be closed and the group would be in jail,” Hypponen said in an interview after his talk.

His official line was that he was asked last week not to reveal critical information that might help prolong Conficker’s reign over millions of computers and inhibit the ongoing criminal investigation. “So I will end my presentation here,” Hypponen said at the conclusion of his Black Hat session. “Thank you very much. I will not be taking any questions.”

Hypponen said afterward that he wasn’t forced to curtail his remarks (Black Hat has been the site of numerous speech-blockings and speech-blocking attempts, including that of a researcher Cisco Systems Inc. sued because he was to reveal a flaw in the company's IOS code). Rather, Hypponen had already realized that it made sense to hold back some of what the working group has found out.

“It’s better to keep them in the dark about what is known,” he says.

Given the agility and precision with which Conficker alters its tactics, Hypponen doesn’t rule out that the Conficker Working Group itself might have been infiltrated by Conficker operatives.

He wouldn’t say how close he thinks authorities are to bringing down the group, but did say there is an indication that it is based in the Ukraine. Some techniques used in Conficker match those used in an earlier worm, which might mean the same people were behind both.

That earlier worm avoided propagating to machines in the Ukraine, which might mean that the group is based there and was trying to avoid committing a local crime to keep Ukranian police off their backs, Hypponen says.

During his talk Hypponen outlined some of Confickter’s technical sophistication. In one version change – the worm has gone through five major revisions – the worm adopted the MD-6 cryptographic hash algorithm. Investigators estimate that MD-6 was only a month or so old when it was incorporated in Conficker, making the worm one of the earliest implementations of MD-6, he says.