Josh: 00:00

Back in college, I was part of a hacking club. We practiced throughout the school year and then

00:05

traveled to a nearby state to compete in a hacking competition against other universities.

00:11

I learned more here than I did in class, so if you're in college and listening to this,

00:16

try to join one at your school or one in the local area if it exists. At this

00:20

event, we faced off against other schools and industry blockhats who volunteered to try and

00:25

breach each school's mock network. Each team had a separate room they would work from for the

00:31

duration of the competition, and inside that room was five servers and two workstations. Those five

00:37

servers ran seven different services, like web, email, and Active Directory, that your team was

00:43

responsible for managing and making sure they were always up and running. The premise was that your

00:49

team had been hired to take over the company's network after the previous IT team had quit.

00:54

There was no documentation and no one to ask for help. Throughout the competition, you would receive

01:00

various requests from the CEO, many of which were far from ideal from a security standpoint. For example,

01:07

you might get a request like, hey, I was talking to a friend at another company, and they suggested we

01:12

expose our database to the internet. Please make that happen. While they weren't always that absurd,

01:18

they were close. The goal was to mimic real-world corporate scenarios. If you've ever worked at a

01:24

medium-to-large-sized company, or any company for that matter, you've probably experienced the fact

01:29

that security is often not a top priority. Crazy requests that seem obviously dangerous are

01:36

surprisingly common. While this was all happening, your services were being monitored. For every minute

01:42

they stayed operational, your team earned points. If your services went down, you stopped earning points,

01:48

and other teams could take the lead. What made it even more intense was the red team, composed of

01:55

black hats whose mission was to breach your network. Their goal was to break in, steal data, take your

02:01

services down, and generally make your life as difficult as possible. Facing off against real hackers

02:07

in a simulated digital environment was thrilling. It was one hell of an experience, and we looked

02:12

forward to it every year. It's where I first learned about the immutable attribute in Linux,

02:17

chatter plus I, when I couldn't delete a malicious file on one of the systems. Check it out.

02:23

To prepare for the competition, we would meet every week to practice. We set up services, attacked each

02:29

other's systems, and did everything we could to recreate the competition environment as closely as possible.

02:36

Out of all the preparation we did, one thing stands out in my memory.

02:40

MS-08-067, also known as CVE-2008-4250.

02:48

This exploit allowed remote attackers to gain system-level access to a Windows computer.

02:53

Using Metasploit, it took just three commands to exploit a system and gain full control.

02:58

Our networking teacher, who also happened to be the advisor for the hacking club,

03:02

would set up a cluster of Windows machines for different classes to use for practice or

03:06

various projects. My friend and I would often go to the lab in the evenings to practice and to try

03:13

and break things. I'll never forget how reliably MS-08-067 worked. We'd run the exploit, gain access to all

03:21

hosts in the cluster, wipe them, and then laugh the next morning when our teacher was scratching his head

03:26

in class, wondering why he had to keep restoring the virtual machines from snapshots. Good times.

03:33

While we were just having fun, something far more malicious was happening in the wild.

03:38

The same exploit we were just playing with was being used by Conficker. This malware wreaked havoc on the

03:45

world. From exploiting our PC to leveraging a pool of 50,000 domains to download updates on this episode

03:52

of In the Shell.

03:59

...without the operator's knowledge...

04:01

...and if it sounds malicious, it's because it is.

04:03

...40 attacks just this year on educational organizations...

04:06

...and now to the massive cyber attack targeting hotels and casinos in Las Vegas...

04:09

...to a possible cyber attack at one of the nation's busiest airports...

04:12

...a cyber security firm, CrowdStrike, has caused this outage...

04:15

...that it takes you longer to do something by putting it into a computer and calling it up again than

04:20

...if you just kept simple records yourself.

04:22

from the house.

04:25

Conficker had a few other names it was known by. Down Up, Down A.D. Up, and Kaido. There's also a

04:33

couple theories about where the name came from. It's thought to be a combination of the English

04:37

term configure and the German pejorative ficker, which translates to the English word f***er.

04:44

Pretty creative if you ask me. The first variant of Conficker was discovered in early November

04:49

2008. It propagated through the internet by exploiting a vulnerability in a network service

04:55

on Windows 2000, XP, Vista, Server 2003, Server 2008, and Server 2008 R2 Beta. That vulnerability

05:06

it exploited, which I mentioned in the intro, was MS08-067. Like I said, it exploited a vulnerability

05:14

in a place where you can see myождically.

05:14

khi

05:14

a network service on Windows, and that service was RPC. RPC, which is short for Remote Procedure

05:22

Call, is a foundational technology that enables communication between programs,

05:27

not just on the same computer, but across a network. At its core, RPC allows one program

05:33

to execute a function or procedure on another system as if it were a local operation. Think

05:40

of it as a remote control for code, letting one computer tell another, hey, run this function

05:45

for me. So here's how it works. Imagine your program needs to perform a task that resides

05:51

in another machine. With RPC, it sends a request to the remote machine, which processes the request,

05:58

executes the task, and sends back the results. The magic lies in abstraction. All the complexities

06:05

of network communication.

06:07

like creating requests and parsing responses, are handled automatically, making the process seamless for developers.

06:15

RPC operates in a client-server model.

06:18

The client, your program, initiates the request, while the server, the remote machine or service,

06:25

executes the requested action and returns the results.

06:28

It's protocol agnostic, meaning RPC can work over different transport protocols depending on the implementation.

06:35

For example, Microsoft RPC, ms-rpc, often uses the DCE, Distributed Computing Environment, standard,

06:45

which supports communication over TCP IP.

06:49

For example, it powers network file sharing and printer access.

06:53

It supports key services like Active Directory, Windows Management Instrumentation, WMS.

06:59

and the distributed component object model, DCOM. In short, if you've ever accessed a shared folder

07:07

or used a networked printer on Windows, RPC was silently working in the background to make that

07:12

happen. Now here's where things get tricky. Because RPC allows remote systems to execute tasks,

07:19

it's a prime target for attackers if it's not secured. Vulnerabilities like MS08-067,

07:25

which I'm going to refer to now as MS08, exploited weaknesses in the RPC implementation,

07:31

giving attackers a way to run malicious code with system-level privileges. This is why keeping

07:38

RPC services patched and properly configured is so important. Despite its age, RPC is still widely

07:45

used in modern networks, especially within Windows environments. However, newer technologies and

07:51

psychologists get there. Let's do that. Let's see.

07:52

Let's go back to the next slide.

07:52

security measures have improved its resilience. So RPC, that's what Configure exploited to gain

07:58

access to a system. From there, it needed to spread, and it did that using NetBIOS services

08:04

and SMB. NetBIOS, short for Network Basic Input slash Output System, is a fundamental part of

08:12

older networking systems that you've probably encountered if you've worked with local networks

08:17

or older Windows computers. NetBIOS isn't a protocol per se, it's more like a translator that

08:24

helps applications on different devices communicate over a network. Think of it as a middleman for name

08:31

resolution, session management, and data sharing in local networks. So for name resolution, let's say

08:38

your computer wants to find another computer named Office PC on the network. Instead of having to know

08:43

an IP address,

08:44

NetBiOS steps in to map that simple name to the device.

08:48

For session management, once two devices know about each other, they need to set up a session,

08:53

a kind of virtual handshake, to keep communication running smoothly.

08:58

And lastly, it facilitates data sharing, like transferring files or printing a document over

09:04

the network. While MS08 was Configure's entry point, NetBiOS played a critical role in its

09:10

rapid spread. NetBiOS allowed the worm to enumerate systems and shares on the network,

09:15

and then propagate itself by exploiting weak credentials or default passwords on shared

09:20

resources. Here's an example on how that worked. Configure first used NetBiOS to discover computers

09:27

and shared folders on a network. It targeted the admin share visible over NetBiOS. If that share

09:33

was password protected, Configure launched a dictionary attack.

09:37

Tempting to guess the password using a list of common or default credentials, these attacks generated large amounts of network traffic, sometimes triggering account lockouts.

09:46

Once access was gained, Conficker copied itself to shared drives and folders, ensuring it could infect additional systems.

09:54

NetBIOS wasn't the vulnerability, but a tool Conficker leveraged to spread laterally across networks.

10:00

Combined with SMB and other mechanisms, this made Conficker especially effective at propagation.

10:07

But Conficker didn't stop there.

10:10

Variants like Conficker B and C used removable media like USB drives to spread.

10:16

They placed a copy of the virus in Recycle.bin, which meant it would be hidden from someone just casually browsing the drive, and manipulated the autorun.inf file to execute the malware when the drive was plugged into a new machine.

10:30

Configure also added registry keys to ensure it launched itself on system boot.

10:36

Configure wasn't just another piece of malware.

10:39

It was a meticulously designed, modular worm that incorporated several techniques to infect, adapt, and persist.

10:46

Configure had multiple ways to deliver and update its payloads.

10:50

These updates allowed it to evolve into newer, more advanced variants.

10:55

Variant A generated 250 domain names daily across five top-level domains, TLDs, using a pseudo-random number generator, PRNG.

11:05

Infected machines would then try to connect to these domains to pull updates.

11:10

The PRNG ensured all copies of the worm generated the same domain names each day, creating a decentralized update mechanism.

11:18

Variant B increased to eight TLDs and generated domain names.

11:21

disjoint from Variant A, further diversifying its control structure.

11:27

Variant D took this to another level, generating 50,000 domain names daily across 110 TLDs,

11:34

randomly selecting 500 to contact. This made detection nearly impossible and added resilience

11:40

to its update mechanisms. And if that wasn't bad enough, Conficker started to use peer-to-peer

11:46

networking. Variant's D&E created a decentralized peer-to-peer network. This allowed infected

11:52

hosts to exchange payloads directly, bypassing traditional command and control servers.

11:57

Large-scale UDP scanning built up a list of peers, while TCP connections transferred encrypted and

12:03

signed payloads. And of course, like any good malware, to prevent tampering, Conficker used

12:09

encryption. Variant A payloads were hashed with SHA-1, encrypted with RC-4,

12:14

and then RSA signed with a 1024-bit private key. They put more effort into their security than

12:20

most modern-day companies. Later variants switched to MD6 and expanded RSA keys to 4096-bits

12:27

to stay ahead of potential weaknesses in the cryptographic algorithms. These measures ensured

12:32

that only payloads signed by the Worms creators could be executed. It also had some creative

12:39

self-defense mechanisms built in. Configure changed the ownership of its DLL file to a special user

12:45

account called System. Now what's so special about System? In Windows, System is the most powerful

12:51

account. It's the account the operating system itself uses to perform tasks. Even if you are an

12:57

administrator on the computer, you don't have the same level of access as System does. This means

13:02

that once Configure assigned its files to System, even Administrator,

13:06

people who are supposed to have complete control, couldn't delete or modify those files without some

13:12

serious effort. But Conficker didn't stop there. It also made a backup copy of its DLL file,

13:19

cleverly disguising itself as a JPG image hiding in the Internet Explorer cache,

13:24

so even if someone managed to delete the original file, Conficker could restore itself from the

13:29

backup, staying active and ready. If I'm being honest, Conficker has a better backup and restore

13:35

process than I do. It also disabled key system services, such as Windows Automatic Update,

13:41

Security Center, Defender, and error reporting. Nice. Conficker even terminated processes related

13:49

to antivirus software and diagnostic tools. And like Malware I mentioned in previous episodes,

13:54

it blocked access to antivirus websites in the Windows Update service by patching the system

13:59

some Resolver DLL, to prevent DNS lickups for those hosts.

14:04

Despite a patch for MS08 being available when the worm emerged,

14:07

millions of systems remained vulnerable.

14:10

It's both funny and sad that with each episode I make about some global worm or malware,

14:15

I keep saying the same thing over and over.

14:18

There's an exploit, a patch is available, and people don't patch.

14:22

So take this as your reminder to make sure you update all your devices

14:26

and don't use any end-of-life devices.

14:28

Now with that out of the way, back to the episode.

14:32

Conficker is estimated to have infected 7 million systems,

14:35

including government networks, hospitals, and critical infrastructure.

14:40

Its peer-to-peer network remains active to this day in some networks,

14:44

a small reminder of how difficult it is to eradicate such threats.

14:48

The chilling part of Conficker's story is that it never unleashed its full...

14:51

potential. Its creators demonstrated restraint, perhaps unwilling to trigger a global retaliation,

14:58

but the groundwork was there. Configure could have been used to launch massive DDoS attacks,

15:03

steal sensitive data or install ransomware. Its decentralized architecture, robust encryption,

15:09

and ability to adapt inspired later worms that did cause devastating damage.

15:15

Configure wasn't just a one-time crisis, it was a test. And in many ways, we failed.

15:21

By 2017, NotPetya exploited similar negligence in patching systems, showing that the lessons of

15:28

Configure weren't fully absorbed. Configure demonstrated how the combination of human

15:34

negligence, outdated systems, and sophisticated malware could cripple networks. The fact that

15:40

Configure remains in the wild today, dormant but undefeated,

15:44

as a reminder of how much work remains to secure the digital world.

15:52

In the Shell is written, researched, and recorded by me, the Podficker.

15:59

Please share this episode with someone you think would enjoy it.

16:02

Maybe copy it to a few network shares.

16:05

It's what Conficker would want you to do.

16:09

That's it. Take care, and I'll see you next time.