Conficker
Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. At its peak, Conficker had infected an estimated seven million government, business and home computers in over 200 countries, making it the largest known computer worm infection since the 2003 SQL Slammer.
… Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.
… 250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.
By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective.
… that Ukraine is the probable origin of the virus, but declined to reveal further technical discoveries about the virus' internals to avoid tipping off its authors. An initial variant of Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts. The payload of Conficker.E was downloaded from a host in Ukraine.
… to remove the virus, then applying the patch to prevent re-infection.
… McAfee, Panda Security, BitDefender, ESET, F-Secure, Symantec, Sophos, Kaspersky Lab, Trend Micro and Sunbelt Software have released detection updates to their products and claim to be able to remove the worm.
It is usually possible to gain temporary access to the websites by opening Command Prompt, typing in the command "net stop dnscache" and then pressing Enter.
Signature updates for a number of network scanning applications are now available, including NMap and Nessus. In addition, several commercial vendors have released dedicated scanners, namely eEye and McAfee.
It can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests.
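As an added example, not from the article, of the passive ARP-based detection just described: the Go program below runs over constructed ARP request records (the log layout and the addresses are made up for this example) and flags any sender whose broadcast who-has requests cover many distinct addresses within a short window, the pattern a host probing its subnet produces.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// ArpRequest is one ARP "who-has" broadcast observed on the segment.
type ArpRequest struct {
	At     time.Time
	Sender string // MAC address of the host asking
	Target string // IPv4 address it wants to resolve
}

// Alert is raised for a sender whose request pattern looks like a subnet sweep.
type Alert struct {
	Sender        string
	DistinctHosts int // distinct targets asked for inside one window
}

// ParseArpLog reads constructed lines of the form "HH:MM:SS sender-mac target-ip"
// (a made-up layout for this example, not tcpdump's); lines that do not fit are skipped.
func ParseArpLog(log string) []ArpRequest {
	var out []ArpRequest
	for _, line := range strings.Split(strings.TrimSpace(log), "\n") {
		f := strings.Fields(line)
		if len(f) != 3 {
			continue
		}
		t, err := time.Parse("15:04:05", f[0])
		if err != nil {
			continue
		}
		out = append(out, ArpRequest{At: t, Sender: f[1], Target: f[2]})
	}
	return out
}

// DetectArpSweeps flags every sender that asks for at least minDistinct different
// targets within some window of length win. A host doing ordinary work resolves
// the few neighbours it actually talks to; a host probing the subnet for reachable
// RPC or ADMIN$ endpoints walks through consecutive addresses, and the broadcast
// "who-has" requests that produces are visible even on a switched LAN.
func DetectArpSweeps(reqs []ArpRequest, win time.Duration, minDistinct int) []Alert {
	bySender := map[string][]ArpRequest{}
	for _, r := range reqs {
		bySender[r.Sender] = append(bySender[r.Sender], r)
	}
	var alerts []Alert
	for sender, rs := range bySender {
		sort.Slice(rs, func(i, j int) bool { return rs[i].At.Before(rs[j].At) })
		inWindow := map[string]int{} // target -> requests inside the current window
		peak, start := 0, 0
		for end := range rs {
			inWindow[rs[end].Target]++
			// Evict requests older than win relative to the newest one.
			for rs[end].At.Sub(rs[start].At) > win {
				inWindow[rs[start].Target]--
				if inWindow[rs[start].Target] == 0 {
					delete(inWindow, rs[start].Target)
				}
				start++
			}
			if len(inWindow) > peak {
				peak = len(inWindow)
			}
		}
		if peak >= minDistinct {
			alerts = append(alerts, Alert{Sender: sender, DistinctHosts: peak})
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].Sender < alerts[j].Sender })
	return alerts
}

// SampleLog is constructed: one host re-resolving its gateway and a file server,
// and one host walking 192.168.1.1-20 at two addresses per second.
func SampleLog() string {
	var b strings.Builder
	b.WriteString("10:15:00 aa:aa:aa:aa:aa:01 192.168.1.1\n")
	b.WriteString("10:15:03 aa:aa:aa:aa:aa:01 192.168.1.50\n")
	b.WriteString("10:15:40 aa:aa:aa:aa:aa:01 192.168.1.1\n")
	for i := 1; i <= 20; i++ {
		fmt.Fprintf(&b, "10:15:%02d bb:bb:bb:bb:bb:02 192.168.1.%d\n", 10+i/2, i)
	}
	return b.String()
}

func main() {
	alerts := DetectArpSweeps(ParseArpLog(SampleLog()), 30*time.Second, 10)
	for _, a := range alerts {
		fmt.Printf("possible ARP sweep from %s: %d distinct targets within 30s\n", a.Sender, a.DistinctHosts)
	}
}
```

The window length and threshold are tuning knobs; on a real segment they should be set from a baseline of how many neighbours a normal host resolves per minute.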
The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media. Prior to the release of Microsoft knowledgebase article KB967715, US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively. US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.
Prevalence
Recent estimates of the number of infected computers have been notably difficult because the virus has changed its propagation and update strategy from version to version. In January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker. More recently, Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011.
Name
The origin of the name Conficker is thought to be a portmanteau of the English term "configure" and the German word Ficker. Microsoft analyst Joshua Phillips gives an alternate interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz (despite the absence of the letter k in the domain name) which was used by early versions of Conficker to download updates.
Discovery
The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that these were decisive factors in allowing the virus to propagate quickly.
Impact in Europe
Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.
The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.
On 2 February 2009, the Bundeswehr, the unified armed forces of the Federal Republic of Germany, reported that about one hundred of their computers were infected.
An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. USB flash drives have since been banned, as this was believed to be the vector for the initial infection.
A memo from the British Director of Parliamentary IT informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorized equipment to the network.
In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people.
Operation
Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus' combined use of so many has made it unusually difficult to eradicate. The virus' unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the virus' own vulnerabilities.
Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. The Conficker Working Group uses the names A, B, B++, C, and E for the same variants respectively. This means that (CWG) B++ is equivalent to (MSFT) C and (CWG) C is equivalent to (MSFT) D.
Variant | Detection date | Infection vectors | Update propagation | Self-defense | End action |
---|---|---|---|---|---|
Conficker A | 2008-11-21 | | | None | |
Conficker B | 2008-12-29 | | | | |
Conficker C | 2009-02-20 | | | | |
Conficker D | 2009-03-04 | None | | Safe Mode | |
Conficker E | 2009-04-07 | | | | |
Initial infection
- Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer. On the source computer, the virus runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the virus in DLL form, which it then attaches to svchost.exe. Variants B and later may attach instead to a running services.exe or Windows Explorer process.
- Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.
- Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.
To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.
Payload propagation
The virus has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the virus to update itself to newer variants, and to install additional malware.
- Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator (PRNG) seeded with the current date to ensure that every copy of the virus generates the same names each day. The virus then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
- Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.
- To counter the virus' use of pseudorandom domain names, the Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began in February 2009 a coordinated barring of transfers and registrations for these domains. Variant D counters this by generating daily a pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until April 1) is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the virus' peer-to-peer network. The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial-of-service attack (DDoS) on sites serving those domains.
- Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
- Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.
- Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the virus is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.
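An added example, not code from the article or from the worm, modelling the defender's side of the domain-generation scheme above: a placeholder date-seeded generator (its construction, the five assumed TLD names and the synthetic 110-TLD set are this example's own) shows why a list derived from the date can be computed and registered in advance, and a small simulation of variant D's 500-of-50000 sampling reproduces the stated 1% per-day reach of a single registered name.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
)

// dateSeed turns a calendar date into a deterministic seed, so every copy of
// the generator (on an infected host or at a sinkhole) derives the same list.
// Placeholder construction: not the worm's own seeding.
func dateSeed(date string) int64 {
	h := sha256.Sum256([]byte(date))
	return int64(binary.LittleEndian.Uint64(h[:8]) >> 1)
}

// DailyPool returns n distinct names for the date, with second-level labels of
// minLen..maxLen letters spread over the given TLDs. Illustrative only.
func DailyPool(date string, n, minLen, maxLen int, tlds []string) []string {
	r := rand.New(rand.NewSource(dateSeed(date)))
	seen := make(map[string]bool, n)
	out := make([]string, 0, n)
	for len(out) < n {
		label := make([]byte, minLen+r.Intn(maxLen-minLen+1))
		for i := range label {
			label[i] = byte('a' + r.Intn(26))
		}
		name := string(label) + "." + tlds[r.Intn(len(tlds))]
		if !seen[name] {
			seen[name] = true
			out = append(out, name)
		}
	}
	return out
}

// Unblocked lists the day's names a defender has not yet registered or barred:
// for a 250-name list the set can be emptied every day (what happened to
// variant A); for a 50000-name pool the same approach needs 200 times the effort.
func Unblocked(pool []string, registered map[string]bool) []string {
	var left []string
	for _, d := range pool {
		if !registered[d] {
			left = append(left, d)
		}
	}
	return left
}

// HostsReachingName models variant D's sampling: each of `hosts` infected
// machines independently tries `sample` names out of a pool of poolSize, and the
// operator has registered just one name. Returned is how many hosts try it; the
// expectation is hosts*sample/poolSize, i.e. 1% for 500 of 50000.
func HostsReachingName(poolSize, sample, hosts int, seed int64) int {
	r := rand.New(rand.NewSource(seed))
	registered := r.Intn(poolSize)
	reached := 0
	for h := 0; h < hosts; h++ {
		picked := make(map[int]bool, sample)
		for len(picked) < sample {
			picked[r.Intn(poolSize)] = true
		}
		if picked[registered] {
			reached++
		}
	}
	return reached
}

// syntheticTLDs builds stand-ins for the 110 real TLDs (constructed names).
func syntheticTLDs(n int) []string {
	tlds := make([]string, n)
	for i := range tlds {
		tlds[i] = fmt.Sprintf("tld%03d", i)
	}
	return tlds
}

func main() {
	five := []string{"com", "net", "org", "info", "biz"} // assumed TLD set for the A-style list
	dayA := DailyPool("2009-01-15", 250, 8, 11, five)
	all := map[string]bool{}
	for _, d := range dayA {
		all[d] = true
	}
	fmt.Printf("A-style list: %d names, first %s, %d unblocked once all are registered\n",
		len(dayA), dayA[0], len(Unblocked(dayA, all)))
	dayD := DailyPool("2009-04-01", 50000, 4, 9, syntheticTLDs(110))
	hosts := 5000
	hit := HostsReachingName(len(dayD), 500, hosts, 1)
	fmt.Printf("D-style pool: %d names; %d of %d hosts (%.2f%%) reach one registered name\n",
		len(dayD), hit, hosts, 100*float64(hit)/float64(hosts))
}
```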
Armoring
To prevent payloads from being hijacked, variant A payloads are first SHA-1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key. The payload is unpacked and executed only if its signature verifies with a public key embedded in the virus. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits. Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6.
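The variant A scheme described above, worked as an added example rather than code from the article: SHA-1, RC4 and a 1024-bit RSA key from Go's standard library, with the hash carried alongside the signature (this example's choice; the text does not say how the worm conveyed it) and PKCS#1 v1.5 signatures assumed. The receiving side shows why a sinkhole could not push a cleaning payload: without the authors' private key, neither a swapped ciphertext nor a re-signed package passes.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Package is what an update server or peer hands to an infected host: the
// RC4-encrypted payload, the hash that served as the RC4 key (carried in the
// clear here, this example's choice), and the RSA signature over that hash.
type Package struct {
	Ciphertext []byte
	Digest     []byte
	Signature  []byte
}

// Armor hashes the plaintext, RC4-encrypts it under the hash, then signs the
// hash with the private key that only the worm's authors hold.
func Armor(priv *rsa.PrivateKey, plaintext []byte) (Package, error) {
	digest := sha1.Sum(plaintext)
	c, err := rc4.NewCipher(digest[:])
	if err != nil {
		return Package{}, err
	}
	ct := make([]byte, len(plaintext))
	c.XORKeyStream(ct, plaintext)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return Package{}, err
	}
	return Package{Ciphertext: ct, Digest: digest[:], Signature: sig}, nil
}

// Unarmor is the receiving side. Nothing is decrypted, let alone run, until the
// signature verifies against the embedded public key, and the decrypted bytes are
// re-hashed so a swapped ciphertext fails even though the signed hash is genuine.
func Unarmor(pub *rsa.PublicKey, p Package) ([]byte, error) {
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, p.Digest, p.Signature); err != nil {
		return nil, fmt.Errorf("signature rejected: %w", err)
	}
	c, err := rc4.NewCipher(p.Digest)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(p.Ciphertext))
	c.XORKeyStream(pt, p.Ciphertext)
	if got := sha1.Sum(pt); !bytes.Equal(got[:], p.Digest) {
		return nil, errors.New("decrypted payload does not match signed hash")
	}
	return pt, nil
}

// RoundTrip uses fresh 1024-bit keys and reports whether the genuine package is
// accepted, an altered ciphertext is rejected, and a package signed with another
// key (all a sinkhole operator without the authors' key could make) is rejected.
func RoundTrip() (genuineOK, tamperRejected, wrongKeyRejected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return
	}
	other, err := rsa.GenerateKey(rand.Reader, 1024)
	if err != nil {
		return
	}
	plaintext := []byte("constructed sample payload; not a real update")
	pkg, err := Armor(priv, plaintext)
	if err != nil {
		return
	}
	got, err := Unarmor(&priv.PublicKey, pkg)
	genuineOK = err == nil && bytes.Equal(got, plaintext)
	// Flip one ciphertext byte: the signed hash still verifies, the payload does not.
	bad := pkg
	bad.Ciphertext = append([]byte(nil), pkg.Ciphertext...)
	bad.Ciphertext[0] ^= 0x01
	_, err = Unarmor(&priv.PublicKey, bad)
	tamperRejected = err != nil
	// Re-sign a replacement with a key the worm does not trust.
	forged, err := Armor(other, []byte("replacement the worm must not accept"))
	if err != nil {
		return
	}
	_, err = Unarmor(&priv.PublicKey, forged)
	wrongKeyRejected = err != nil
	return genuineOK, tamperRejected, wrongKeyRejected, nil
}

func main() {
	g, tr, wk, err := RoundTrip()
	fmt.Println("genuine accepted:", g, "tampered rejected:", tr, "wrong key rejected:", wk, "error:", err)
}
```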
Self-defense
Variant C of the virus resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated. An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.
End action
Variant E of the virus was the first to use its base of infected computers for an ulterior purpose. It downloads and installs, from a web server hosted in Ukraine, two additional payloads:
- Waledac, a spambot otherwise known to propagate through e-mail attachments. Waledac operates similarly to the 2007 Storm worm and is believed to be written by the same authors.
- SpyProtect 2009, a scareware anti-virus product.
Symptoms
- Account lockout policies being reset automatically.
- Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
- Domain controllers responding slowly to client requests.
- Congestion on local area networks (ARP flood as a consequence of the network scan).
- Web sites related to antivirus software or the Windows Update service becoming inaccessible.
- User accounts locked out.
Response
On 12 February 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.
From Microsoft
As of 13 February 2009, Microsoft is offering a US$250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.
From registries
ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus' domain generator. Those which have taken action include:
- On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names supplied by the Conficker Working Group and reviewed a hundred already registered from the worm list.
- On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by the virus over the next 12 months.
- On 27 March 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names supplied by the Conficker Working Group.
- On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."
- On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the virus over the following five weeks. NASK also warned that worm traffic may unintentionally inflict a DDoS attack on legitimate domains which happen to be in the generated set.
- On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the virus.
By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective.
Origin
The precise origin of Conficker remains unknown. Working group members stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the virus, but declined to reveal further technical discoveries about the virus' internals to avoid tipping off its authors. An initial variant of Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts. The payload of Conficker.E was downloaded from a host in Ukraine.
Removal and detection
Microsoft has released a removal guide for the virus, and recommends using the current release of its Windows Malicious Software Removal Tool to remove the virus, then applying the patch to prevent re-infection.
Third-party software
Third-party anti-virus software vendors AVG Technologies, McAfee, Panda Security, BitDefender, ESET, F-Secure, Symantec, Sophos, Kaspersky Lab, Trend Micro and Sunbelt Software have released detection updates to their products and claim to be able to remove the worm.
It is usually possible to regain temporary access to those websites by opening a Command Prompt and running the command "net stop dnscache". This only works around the blocked lookups for long enough to fetch tools or updates; it does not remove the worm.
Automated remote detection
On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely. The peer-to-peer command protocol used by variants D and E of the virus has since been partially reverse-engineered, allowing researchers to imitate the virus network's command packets and positively identify infected computers en masse. Signature updates for a number of network scanning applications are now available, including Nmap (first in the smb-check-vulns script, later as the dedicated smb-vuln-conficker and p2p-conficker scripts) and Nessus. In addition, several commercial vendors have released dedicated scanners, namely eEye and McAfee.
It can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests.
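An added example of the passive check just described (not from the page, the Honeynet Project or any vendor scanner): a host sweeping its subnet for MS08-067 targets has to ARP for every address first, so its who-has requests over many distinct targets stand out against ordinary hosts, which re-ARP only a handful of peers. The records are constructed inline; in practice they would come from a sniffer on the broadcast domain. The window length and threshold are assumptions to be tuned per network, and the code goes a little beyond the page by reporting the peak distinct-target count per sender rather than a bare yes/no.

```python
from collections import defaultdict, deque


def arp_scanners(requests, window_s=10.0, max_targets=50):
    """Flag senders that asked who-has for more than max_targets distinct IPs
    within any window_s-second span.
    requests: iterable of (timestamp_seconds, sender_ip, target_ip).
    Returns {sender_ip: peak distinct targets seen inside one window}."""
    recent = defaultdict(deque)                      # sender -> (ts, target), time-ordered
    live = defaultdict(lambda: defaultdict(int))     # sender -> target -> count in window
    peak = {}
    for ts, sender, target in sorted(requests):
        recent[sender].append((ts, target))
        live[sender][target] += 1
        # Expire requests that have slid out of the window.
        while ts - recent[sender][0][0] > window_s:
            old_ts, old_target = recent[sender].popleft()
            live[sender][old_target] -= 1
            if live[sender][old_target] == 0:
                del live[sender][old_target]
        distinct = len(live[sender])
        if distinct > max_targets:
            peak[sender] = max(peak.get(sender, 0), distinct)
    return peak


def constructed_sample():
    """Constructed ARP who-has records: one normal host, one host sweeping its /24."""
    reqs = []
    for i in range(30):                              # normal: re-ARPs gateway and file server
        reqs.append((i * 2.0, "10.0.0.15", "10.0.0.1"))
        reqs.append((i * 2.0 + 0.5, "10.0.0.15", "10.0.0.20"))
    for host in range(1, 255):                       # sweep: every address, 20 ms apart
        reqs.append((5.0 + host * 0.02, "10.0.0.99", "10.0.0.%d" % host))
    return reqs


if __name__ == "__main__":
    for sender, n in arp_scanners(constructed_sample()).items():
        print("%s asked who-has for %d distinct hosts inside one window" % (sender, n))
```

Keying on the sender MAC rather than the sender IP is the better choice on a real network, since an infected host may change address. Legitimate sweepers (network monitors, DHCP conflict detection, vulnerability scanners) will also trip this, so treat a hit as a lead to confirm with the active Nmap or Nessus checks above rather than as proof of infection.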
US CERT
The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media. Prior to the release of Microsoft knowledgebase article KB967715, US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively. US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.
See also
- Timeline of notable computer viruses and worms
- Bot herder
- Network Access Protection
External links
- Conficker Working Group
- Conficker Working Group -- Lessons Learned
- Conficker Eye Chart
- Worm: The First Digital World War by Mark Bowden (2011; ISBN 0-80211-983-2); "The 'Worm' That Could Bring Down The Internet", author interview (audio and transcript), Fresh Air on NPR, September 27, 2011; preliminarily covered by Bowden in the Atlantic magazine article "The Enemy Within" (June 2010).