March 10, 2009

We told you so… AGAIN?! (x 2!)

We realized it, we submitted it and we presented it; still, the antivirus vendor market proved once again why it is so often seen lagging behind the creativity of malware authors. Conficker seems to be the first botnet engineered around the PRNG idea we (Barros, Fucs & Pereira) presented at Black Hat Europe 2007. That isn't all: at the bottom of the Symantec Security Response Blog post, they explain:

"As we have said previously, the authors of Downadup are not beginners and they may have the feeling that someone—sooner or later—would break their domain prediction algorithm. So, to avoid losing their botnet, they put a secondary (strong) protection into the threat, which makes it impossible for anyone (other than the original authors) to upload new malicious components onto compromised machines."

Symantec has still not released details, but I guess that Conficker also introduced the use of digital signatures to ensure the integrity of, and why not, authenticate, the content downloaded by the bot.

The idea did not come out of the blue and I hate to sound smug but it was also presented by us… :-)

Botnets (and P2P networks, if that matters) lacked the security features needed to ensure their longevity. We presented four main concepts that would emerge as solutions to existing issues in botnet design:

  • Modularity, including the use of XML based commands;
  • Peer 2 Peer communications;
  • Public key encryption, including support for digitally signed command messages;
  • One time tokens used to identify command pages scattered over the network.
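The third point above, together with the Symantec quote and the update at the end of this post about signed binaries, boils down to one mechanism: a client that will only run what verifies under a public key baked into it. What follows is an added example written for this page; it is not code from the original post, from the Barros, Fucs & Pereira presentation, or from Conficker, and it stands in for any update or command channel. It uses Go's standard `crypto/ed25519`; the `Payload` layout, the version counter and the rollback check are assumptions of the example, not something the post describes.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Payload is a constructed stand-in for a fetched component or command:
// the bytes themselves, a version counter, and a signature over both.
// (Assumed layout for this example, not a format taken from the page.)
type Payload struct {
	Version uint32
	Body    []byte
	Sig     []byte
}

// Errors the client distinguishes; a defender reviewing client behaviour
// would want both outcomes logged separately.
var (
	ErrBadSignature = errors.New("signature does not verify under the pinned public key")
	ErrRollback     = errors.New("payload version is not newer than the installed one")
)

// GenerateKeys creates a publisher key pair. Only the public half is ever
// shipped inside the client; the private half never leaves the publisher.
func GenerateKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err) // crypto/rand failing is not recoverable here
	}
	return pub, priv
}

// digest binds the version and the body into one hash, so a genuinely
// signed body cannot be re-paired with a different version, or vice versa.
func digest(version uint32, body []byte) []byte {
	h := sha256.New()
	var v [4]byte
	binary.BigEndian.PutUint32(v[:], version)
	h.Write(v[:])
	h.Write(body)
	return h.Sum(nil)
}

// Sign is the publisher side: only the holder of priv can issue payloads.
func Sign(priv ed25519.PrivateKey, version uint32, body []byte) Payload {
	return Payload{Version: version, Body: body, Sig: ed25519.Sign(priv, digest(version, body))}
}

// Verify is the client side, run before anything fetched is executed.
// pub is the pinned key and installed is the version currently running.
func Verify(pub ed25519.PublicKey, installed uint32, p Payload) error {
	if !ed25519.Verify(pub, digest(p.Version, p.Body), p.Sig) {
		return ErrBadSignature
	}
	if p.Version <= installed { // assumed anti-rollback rule
		return ErrRollback
	}
	return nil
}

func main() {
	pub, priv := GenerateKeys()
	installed := uint32(1)

	// Genuine update from the key holder: accepted (prints <nil>).
	genuine := Sign(priv, 2, []byte("component v2 (constructed sample)"))
	fmt.Println("genuine: ", Verify(pub, installed, genuine))

	// The same bytes altered in transit: the signature no longer matches.
	tampered := genuine
	tampered.Body = []byte("component v2, altered")
	fmt.Println("tampered:", Verify(pub, installed, tampered))

	// A third party who predicted the rendezvous point but holds a different
	// key: rejected. This is the takeover resistance the Symantec quote describes.
	_, otherPriv := GenerateKeys()
	forged := Sign(otherPriv, 3, []byte("payload signed with the wrong key"))
	fmt.Println("forged:  ", Verify(pub, installed, forged))

	// Correctly signed but older than what is installed: rejected by version.
	old := Sign(priv, 1, []byte("component v1 (constructed sample)"))
	fmt.Println("rollback:", Verify(pub, installed, old))
}
```

The point for defenders is the one the post makes: once the client pins a public key, breaking the domain prediction only lets you reach the client, not control it, so detection and containment have to happen at the DNS or network layer rather than by hijacking the update channel.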

Still, despite our alert, the antivirus emergency teams were quite surprised by the emergence of the new generation of the Conficker malware.

It may sound obvious, but I have reasons to believe that the use of pseudo-random C&C tends to replace the now highly ineffective IRC channel control; however, unlike the Conficker approach of using domain names, the C&C centre will rely on some other form of reasonably unrestricted traffic channel.

It is hard to guess with precision, but I would not be surprised by an attempt to use Google Apps, SSL or another DNS attempt using alternative DNS root servers in the near future. Each of these approaches has its own limitations, and I'm sure the botnet designers will soon get to the point where only a hybrid multigenerational P2P botnet[*] will be able to circumvent these limitations.

One possibility that flashes in my mind is that the Conficker designers preferred DNS domains for three main reasons: the first is that DNS traffic is largely unrestricted; the second was an expectation that ICANN would not be able to react quickly to the issue; and the third is the simple flexibility of the DNS protocol.

The fact is that we all know where botnet design is moving, but a question remains: are the antivirus development teams already working on it?

Only God knows…


[*] What a hell of a long name for a P2P botnet that still lightly relies on seeding SPoF to wake up, but is able to continue talking with previous generations of botnet on a P2P basis... exactly like... Conficker! :)

Update I: A post from SRI confirms the use of Signed Binaries by the Conficker bot to check downloaded executables. (10 Mar 2009 @ 9:36 GMT)

1 Comment:

At 31/3/09 02:23, Blogger Augusto said...

Fucs,

Symantec gave some more info on that last week:

"The Downadup (Conficker) authors knew this was possible, and prepared against this weakness by using asymmetric cryptographic authentication on the client. With the asymmetric cryptographic authentication, the botnet cannot be overtaken unless you have the correct private key."

Just like we said, again. Too bad we can do that for lottery numbers, eh?
