· Date: March 31, 2009
· Author: Michael Kassner
· Category: Security
· Tags: Symantec Corp., P2P, Expert, Malware, Domain Name, Computer, Conficker.C, Conficker, AV Application, Domain Names

TechRepublic.com — Conficker’s creators may make the first day of April a painful day for IT types if the experts who reverse engineered the new Conficker code are right. Is there anything we can do?

You may be saying, not another article about Conficker/Downadup! Still, any news about a piece of malware code that’s capable of infecting millions of computers is significant. Especially since Conficker might be finally waking up.

Why do I say that? Apparently a new and more sinister version of Conficker has just been spotted. At least I think so. There are so many different names being used to describe Conficker it’s almost impossible to tell if it’s a new variation or just another AV company deciding to get into the game by calling it something different.

Why so many different names?

I’m not sure why, every AV or anti-malware vendor seems to want to use a different name. For example, let’s look at all the different names being given to the first variation of Conficker. Microsoft calls their version Win32/Conficker.A, and was considerate enough to point out all the other known aliases:

TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Win32/Conficker.worm.62976 (AhnLab)
Trojan.Downloader.JLIW (BitDefender)
Win32/Conficker.A (CA)
Win32/Conficker.A (ESET)
Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
W32/Conficker.worm (McAfee)
W32/Conficker.E (Norman)
W32/Confick-A (Sophos)
W32.Downadup (Symantec)
Trojan.Disken.B (VirusBuster)

That’s the first version of Conficker too. I just don’t understand why naming something has to be so complicated, especially when doing so adds complexity to the problem. To keep things simple, I’ll use Conficker to mean all previous versions and Conficker.C to represent the latest variation.

Back to Conficker

This all started with a zero-day exploit for systems using Microsoft operating systems. Microsoft released an out-of band update with their security bulletin MS08-067 way back on 23 Oct 2008, but millions of people aren’t installing the patch. Needless to say, not patching has led to many of those computers becoming infected with Conficker.

To me those numbers are akin to sticker shock. Think about it, millions of computers infected in less than a six-month period. Other malware has used the same approach, so why does Conficker have such a high success rate?

It’s simple actually; Conficker’s developers have morphed the malware into new and increasingly more difficult to detect versions every time the existing variation is compromised. Investigators weren’t too worried though, because all known versions were using methods to contact command and control servers that the good guys knew about and could defeat.

How these first variants of Conficker phone home is really interesting, so I’d like to explain how it works. Each and every day, Conficker uses an algorithm to create a list of 250 seemingly random domain names. Then, via the infected computer’s Internet access, Conficker tries to contact servers advertising the domain names for that specific day to get further instructions.

A dormant Conficker

So far there’s been very little if any communications with command and control servers, hence no real activity on the part of the infected computers, other than to continue spreading. In fact, experts are engaged in an ongoing debate as to whether the infected computers should be considered an organized botnet or not.

Many feel that this inactivity is due in large part to the coordinated defensive response by the Conficker Cabal, an ad hoc partnership that includes several major players:

“Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.”

I don’t have enough information to make an assessment if that’s the case or not. Ironically, others believe the unusually successful infestation rate of Conficker malware has so overwhelmed the developers, they are still trying to figure out what to do. I’ll let you decide who’s right.

Conficker.C: New and improved

If I may offer my opinion, I think the coalition is getting to Conficker’s owners. Either that or Conficker’s keepers are making a preemptive strike by releasing a new variant that really ups the ante. Remember the 250 new domain names created each day; well that number increased to 50,000 per day in the new version.

That ramp up makes it virtually impossible for the Conficker Cabal to sit on every one of the domain names. Dr. Jose Nazario (an expert I often reference) from Arbor Networks (Conficker Cabal member) was quoted by the New York Times John Markoff as saying:

“It’s worth noting that these are folks who are taking this seriously and not making many mistakes. They’re going for broke.”

Added peer to peer networking

One reason Dr. Nazario feels this way is based on a new capability employed by Conficker.C, which is the ability to create peer to peer networks. That means it’s only going to take one infected PC and one command and control server with an unblocked domain name to pick up new commands. After that, according to Symantec, the command files can be shared using the P2P mechanism:

“During the process shown above, Downadup not only patches the RPC vulnerability in memory, but uses this patch to recognize incoming exploit attempts from other Downadup infected machines. The worm is able to analyze the incoming shellcode and checks if it matches its own exploit shellcode.

If the shellcode matches, information is extracted from the shellcode that allows the worm to connect back to the other infected machine. This “back connect” uses the HTTP protocol, but on a randomly selected port. The other infected machine then responds with a packet of data consisting of the payload files.”

In an ominous tone, Symantec sums it up:

“So, while we know Downadup’s method of operation, we still await its motive.”

Other improvements

Conficker.C doesn’t stop there. It initially was just considered a trojan, but experts are now also calling it a worm as well. Their reasoning is based on Conficker.C’s being able to identify antivirus software and/or malware scanners running on the infected PC along with the ability to disable the identified applications.

Some serious malware

I’m one to give credit when credit is due and the tenacity and drive of Conficker’s developers is something that should be bottled and sold. I’d better explain that comment before I get too hot from all the flaming. Hopefully the following example will point out how sophisticated this malware package is.

During September of 2008, MIT’s Dr. Ronald Rivest published a paper describing a cutting-edge encryption algorithm called MIT MD6 algorithm. Guess what? That’s right; Conficker.C is using MIT MD6 to obscure all P2P and command and control traffic. This prevents rival botmasters from taking control as well as preventing security firms from deciphering command and control traffic. Now I ask you, what encryption algorithms are your latest and greatest programs using?

What to do

As Conficker gets more sophisticated, the workable solutions to remove it start to get limited in scope. Initially, just applying the MS08-067 patch would have been sufficient. I’m afraid it’s not that simple now.

AV applications are trying their best to keep up and provide solutions that will remove the malware. That worked initially, but Conficker.C is shutting those applications down as well as Microsoft’s Windows Update. So that avenue is eliminated. I’ve not heard if MBAM and other TPV scanners were getting the same treatment, so they might be worth a try.

Officially, the only real resolution is to reformat and reload, especially since Conficker.C still resides at the application level. If the developers decide to bury the malware in the BIOS or SMM, it could get ugly.

April Fools or not

371F2FB7-03F3-42FD-A84A-2C3F628F14E7.jpgOkay, that’s Conficker.C in a nutshell. Now I’d better get to explaining what April Fool’s day has to do with this. Apparently, several experts in the Conficker cabal have reversed engineered Conficker.C’s code and determined that April 1st is when computers infected with Conficker.C are supposed to wake up and begin searching for command and control servers. Hopefully the Conficker Cabal has a plan.

It appears that the experts do not want to cry wolf just yet. Kelly Jackson Higgins of InformationWeek’s Dark Reading in the article Notorious Conficker Worm Still Alive and Infecting Unpatched PCs clearly points out that experts have varying opinions as to what’s supposed to happen on the first of April:

“It’s unlikely anything will happen on the first [of April], says Patrik Runald, chief security advisor for F-Secure, which has been following Conficker for months. Considering all the attention going on about April 1st, why would they do something that day? The group behind it could as easily do something on April 4th or April 10th.”

Kelly then presents another expert’s opinion:

“Randy Abrams, director of technical education for ESET, says there’s no way to know for sure at this point what will happen that day. It could be that it does nothing, and April 1 was a joke, diversion, or aborted plan. Or it could be the launch of a massive spam run, DDoS, or infrastructure attack. We really can’t say,”

Final thoughts

If the experts are all over the map about this, where does that leave the rest of us? My humble opinion is that the exact date doesn’t matter. What matters is if the millions of infected computers do get organized. Rock-solid encryption, P2P traffic-routing, and the fact that Conficker.C is still deploying could lead to some very frustrating times.

Michael KassnerMichael Kassner has been involved with with IT for over 30 years. Currently a systems administrator for an international corporation and security consultant with MKassner Net. Twitter at MPKassner.

A chip developed by European scientists simulates the learning capabilities of the human brain.

A smart chip: Scientists in Europe are using techniques to create circuits that mimic the structure and function of the human brain. This early prototype has just 384 neurons and 100,000 synapses, but the latest version contains 200,000 neurons and 50 million synapses.
Credit: Karlheinz Meier

MIT Technology Review, March 27, 2009, by Duncan Graham Rowe — An international team of scientists in Europe has created a silicon chip designed to function like a human brain. With 200,000 neurons linked up by 50 million synaptic connections, the chip is able to mimic the brain’s ability to learn more closely than any other machine.

Although the chip has a fraction of the number of neurons or connections found in a brain, its design allows it to be scaled up, says Karlheinz Meier, a physicist at Heidelberg University, in Germany, who has coordinated the Fast Analog Computing with Emergent Transient States project, or FACETS.

The hope is that recreating the structure of the brain in computer form may help to further our understanding of how to develop massively parallel, powerful new computers, says Meier.

This is not the first time someone has tried to recreate the workings of the brain. One effort called the Blue Brain project, run by Henry Markram at the Ecole Polytechnique Fédérale de Lausanne, in Switzerland, has been using vast databases of biological data recorded by neurologists to create a hugely complex and realistic simulation of the brain on an IBM supercomputer.

FACETS has been tapping into the same databases. “But rather than simulating neurons,” says Karlheinz, “we are building them.” Using a standard eight-inch silicon wafer, the researchers recreate the neurons and synapses as circuits of transistors and capacitors, designed to produce the same sort of electrical activity as their biological counterparts.

A neuron circuit typically consists of about 100 components, while a synapse requires only about 20. However, because there are so much more of them, the synapses take up most of the space on the wafer, says Karlheinz.

The advantage of this hardwired approach, as opposed to a simulation, Karlheinz continues, is that it allows researchers to recreate the brain-like structure in a way that is truly parallel. Getting simulations to run in real time requires huge amounts of computing power. Plus, physical models are able to run much faster and are more scalable. In fact, the current prototype can operate about 100,000 times faster than a real human brain. “We can simulate a day in a second,” says Karlheinz.

While it may sound implausible, neurons are actually very slow, at least compared to computers, says Thomas Serre, a computational neuroscience researcher at MIT. “The reason why computers seem much slower is that they are serial machines, while our brains run in parallel,” he says.

FACETS is not the only group taking this approach. Researchers at Stanford University have also been creating neuronal circuits and the Defense Advanced Research Projects Agency recently started funding a similar project.

“Where FACETS is ahead of anybody else is that they use these complex synapses,” says Markram. While the neurons are quite simple, he says, the synapses are designed to use a very powerful distributed algorithm–developed by Markram–called spike-timing dependent plasticity, that allows the device to learn and adapt to new situations.

Building such complex circuits has required close collaboration with neurobiologists, says Markram. In fact, the project, whose current budget is €10.5 million (US$14.1 million), relies upon the contributions of 15 scientific groups from seven different countries. Among the challenges they face is recreating the three-dimensional structure of the brain in a 2-D piece of silicon, he says.

Despite efforts to make the chips as biologically plausible as possible, Markram admits they are still crude compared to what can be achieved in simulation. “It’s not a brain. It’s a more of a computer processor that has some of the accelerated parallel computing that the brain has,” he says.

Because of this, Markram doubts that the hardware approach will offer much insight into how the brain works. For example, unlike Blue Brain, researchers won’t be able to perform “in silico” drug testing, simulating the effects of drugs on the brain. “It’s more a platform for artificial intelligence than understanding biology,” he says.

The FACETS group now plans to further scale up their chips, connecting a number of wafers to create a superchip with a total of a billion neurons and 1013 synapses.

A new Web service jogs a user’s memory at the right time and place.

In the moment: ReQall jogs users’ memory with the location information gathered by an iPhone or Blackberry.
Credit: ReQall

MIT Technology Review, March 30, 2009, By Erica Naone — Tie a string around your finger. Write a message on a Post-it note. Leave yourself a voice mail. For centuries, people have come up with ingenious ways to aid their memories. But it’s still all too easy to forget. A startup called ReQall, based in Moffett Field, CA, today launches a service designed to jog users’ memories depending on what they’re doing at any given moment.

ReQall already offers a free service that can be accessed using a phone. By calling a toll-free number, users can record a memo, reminder, or appointment, and voice-recognition software will analyze each message, turning it into the appropriate kind of note. The service issues timely reminders via IM or e-mail and a daily summary of appointments. Users can also access and modify their memos online.

A new version of the software called ReQall Pro, which launches today, focuses on issuing reminders in the right place at the right time. ReQall Pro works with iPhones and Blackberrys, using the location information collected by these devices, as well as information gleaned from the contents of each memo, to work out when (and where) to jog a user’s memory. “We believe that computers can help with everyday memory problems and help with organizing,” says Sunil Vemuri, cofounder of ReQall.

ReQall Pro’s “memory jogger” software determines how to issue reminders to users. It performs keyword analysis on memos that a user enters in an effort to link together relevant information. For example, if a meeting with John Doe is approaching, ReQall will present the user with other stored items related to John Doe. A user will also automatically receive reminders when he arrives at certain locations, for example, receiving a grocery list when he reaches the grocery store. Vemuri explains that the system also tries to avoid overloading the user by paying attention to how many notes a user has stored and optimizing the number of reminders issued. It will also adjust to a user’s behavior, issuing a limited number of reminders at locations that a user visits frequently.

Vemuri got the idea for ReQall after doing research for his PhD, which involved recording everything about his life for several years. “I would not advise doing that anymore,” he jokes. “There’s too much bathwater and too few babies in there.” Since then, he has focused instead on helping users store important information more easily, and figuring out how best to filter it.

Michael King, a research director at Gartner specializing in wireless technology, says that he’s impressed by ReQall’s focus on context. “There’s nothing that I’ve really seen out there that takes a bunch of these different aspects of context and melds it into a single application,” King says. He adds that, while ReQall’s service is impressive, assistants of this type will be most useful when they can go even further. For example, instead of reminding a user to purchase tickets, the application might handle the purchase itself.

In addition to the memory jogger technology, ReQall Pro includes integration with Outlook and Google Calendar. The Pro service costs $2.99 a month, or $24.99 a year. Existing users will be able to purchase the service at a discounted rate. ReQall Standard will continue as a free service, but may include advertising in the future.

Aggressive glucose control in critical illness seems to increase mortality, according to a New England Journal of Medicine study released online.

Investigators in the NICE-SUGAR trial attempted to define the best glucose target range by randomizing 6100 medical-surgical ICU patients either to intensive control (81 to 108 mg/dL) or to conventional control (180 mg/dL or less) with use of intravenous insulin. Death by 90 days (the primary outcome) occurred more often with intensive control than with conventional therapy. Intensive control also led to more episodes of severe hypoglycemia (blood glucose, 40 mg/dL or less).

The authors estimate a number needed to harm of 38.

Editorialists point out that the NICE-SUGAR results “contrast starkly” with earlier trials. Their take on the study’s lessons is that “there is no additional benefit from the lowering of blood glucose levels below the range of approximately 140 to 180.”

NEJM article (Free)

NEJM editorial (Free)

Physician’s First Watch coverage of intensive insulin therapy in the pediatric ICU (Free)

Published in Physician’s First Watch March 24, 2009

U.S. Department of Health and Human Services

(NICHD) http://www.nichd.nih.gov/

For Immediate Release: Monday, March 30, 2009

From Immunity to Thyroid Hormones, Pineal Gland Exerts Effects on 600 Genes

The pineal gland — integral to setting the body’s sleep and wake cycles — may be involved in a broad range of bodily functions, according to a study by researchers at the National Institutes of Health and other institutions.

Using a technology that scans for the activity of thousands of genes at a time, the researchers found that the activity of more than 600 genes in the pineal gland are synchronized in some way with the 24-hour sleep and wake cycle. The genes influence such diverse functions as inflammation and immunity.

Researchers have traditionally studied the gland in hopes of gaining insight into the health problems of shift workers and people who frequently travel between time zones. The pineal gland produces the hormone melatonin, which regulates the cycle of sleep and waking.

“The results of this study indicate that the pineal gland may be involved in a far greater range of physiological functions than we thought,” said Duane Alexander, M.D., director of NIH’s Eunice Kennedy Shriver National Institute of Child Health and Human Development (NICHD), where much of the research took place. “An understanding of how the pineal gland interacts with the genes that the researchers identified could provide insight into a broad range of disorders and conditions.”

The study appears in the March 20, 2009 issue of The Journal of Biological Chemistry. The study’s first author was Michael J. Bailey, of the NICHD Section on Neuroendocrinology. Other authors of the paper were from the NIH Center for Information Technology, NIH’s National Institute of Mental Health, Cardiff University, Wales, the University of Copenhagen, Denmark, King’s College of London, England, and The Genomics Institute of the Novartis Research Foundation, San Diego, Calif.

The pineal gland is located within the brain, explained the study’s senior author, David Klein, Ph.D., Chief of the Section on Neuroendocrinology. To conduct the study, Dr. Klein and his colleagues analyzed rodent pineal glands with a gene chip, a device that can analyze the activity of thousands of genes at a time. The researchers found that the activity of 604 genes changed on a 24-hour schedule, more than has been reported to occur in any other tissue.

The researchers discovered that these genes increase their activity from 2- to 100-fold during a 24-hour cycle. About 70 percent of the genes were found to increase activity at night, the remaining 30 percent during the day. The genes are involved in a variety of functions, and govern such processes as:

— inflammation (swelling)

— the immune response

— cell adhesion (how cells bind, or join together)

— the cell cycle (the reproduction and death of cells)

— the cytoskeleton (the inner structural material of cells)

— calcium metabolism

— cholesterol production

— endothelial tissue (the tissue that lines many of the — body’s organs and structures)

— transcription (the process by which DNA sequences are — eventually converted through RNA into proteins)

— effects of the thyroid gland on the pineal gland

— cell signaling (the process through which hormones and — other factors control cells)

— copper and zinc biology

“We were really surprised by what we found,” Dr. Klein said. “We did not expect to find 24-hour rhythms in the functioning of so many genes.”

Dr. Klein said that, as he and his coworkers expected, many of the genes active in the pineal gland are also active in the retina of the eye. The study authors cited this finding as highly compelling evidence that the pineal gland and the retina evolved from the same primitive light detecting structure. An earlier study on this possible evolutionary relationship is available at: .

The pineal gland is controlled by a brain structure known as the suprachiasmic nucleus, located at the base of the brain, Dr. Klein said. The suprachiasmatic nucleus is known as The Mind’s Clock, because it coordinates body rhythms in response to changes in lighting that are detected by the eyes. The suprachiasmatic nucleus is connected to the pineal gland by nerve cells. At night, a brain chemical called norepinephrine, which transmits information through nerve cell networks, is released in the pineal gland. Norepinephrine, in turn, stimulates the production of another compound within the cells of the pineal gland, known as cyclic adenosine monophosphate (cyclic AMP). Cyclic AMP causes the pineal gland to produce melatonin.

The researchers noted that the daily changes in gene activity observed in the study were controlled by the release of norepinephrine and the increase of cyclic AMP.

“This is surprising, because we did not anticipate that the release of one molecule — norepinephrine — would be found to control the activity of hundreds of genes,” Dr. Klein said. “It appears that this one signal triggers a highly complex response that is necessary for normal rhythmic function of the pineal gland.”

Dr. Klein added that he and his colleagues are planning future studies to discern both how the cells of the pineal gland are controlled and how they influence the genes controlling other cellular functions.

“We have a long way to go before we can fully understand the role of the pineal gland and what makes it tick,” Dr. Klein said. “I suspect that the pineal gland plays a much broader role in human health than anyone has ever imagined.”

This research was funded by the Intramural Research Program of the NICHD; the Center for Information Technology; The Wellcome Trust; the Biological Sciences Research Council; the Lundbeck Foundation; the Danish Medical Research Council; the Novo Nordisk Foundation; the Carlsberg Foundation; the Fonden til Lægevidenskabens Fremme; the Simon Fougner Hartmanns Familiefond; and Pennsylvania Commonwealth Health Research Formula Funds.

The NICHD sponsors research on development, before and after birth; maternal, child, and family health; reproductive biology and population issues; and medical rehabilitation. For more information, visit the Institute’s Web site at .

The National Institutes of Health (NIH) — The Nation’s Medical Research Agency — includes 27 Institutes and Centers and is a component of the U.S. Department of Health and Human Services. It is the primary federal agency for conducting and supporting basic, clinical and translational medical research, and it investigates the causes, treatments, and cures for both common and rare diseases. For more information about NIH and its programs, visit .

Tesla Model S Pics Officially Gorgeous

March 30, 2009 |: Tesla Motors


Tesla has always said that they wanted to bring the beauty, power, styling and environmental footprint of the Tesla Roadster to sub-100k sedan. They’ve been planning the Tesla Model-S for ages, and while we were supposed to have to wait for a few more hours to see the first pictures of this beauty, they’ve officially been leaked.

The Model S will (if Tesla is able to get it’s finances together and make them) be an all-electric vehicle with a more than 100-mile range. While Tesla’s Roadster is meant to be impractical (just like all two-seater sports cars) the Model-S reaches out to the luxury segment. The car will have to be comfortable, practical and beautiful to make it with luxury buyers.

We can, at least, announce that it has that last category wrapped up. I imagine most will agree that this car is freaking beautiful.

LOS ANGELES — Photos of Tesla Motors’ much-anticipated Model S sedan have leaked just hours before company CEO Elon Musk was to reveal the car at an invitation-only event in Los Angeles.

The Model S is a landmark for both Tesla and EVs. Tesla’s two-seat Roadster sports car has shown electric cars can be sexy, but it has enjoyed limited appeal. A sedan could prove the Silicon Valley firm is more than a niche player, help push EVs into the mainstream and give Tesla a strong position in the emerging electric car market.

“In the EV community, Tesla is tops,” said Paul Scott, a founder and board member of Plug In America. “But it’s seen as a company making toys for the rich. Now they’re going into the market where Lexus and Infiniti play. This will spread the word about electric vehicles to a much wider audience.”

Photo: Flickr / KevinRose