
Conficker

From Wikipedia, the free encyclopedia

This is an old revision of this page, as edited by 116.240.211.77 (talk) at 01:54, 1 April 2009. The present address (URL) is a permanent link to this revision, which may differ significantly from the current revision.

Conficker
Alias: Downup, Downadup, Kido
Type: Computer worm
Subtype: Computer virus
Classification: Unknown

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system.[1] The worm exploits a previously patched vulnerability in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta.[2] The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.[3][4]

Although the origin of the name "conficker" is not known with certainty, Internet specialists and others have speculated that it is a German portmanteau fusing the term "configure" with "ficken", the German word for "fuck."[5] Microsoft analyst Joshua Phillips describes "conficker" as a rearrangement of portions of the domain name 'trafficconverter.biz'.[6]

Operation

Four main variants of the Conficker worm are known and have been dubbed Conficker A, B, C and D.[4] They were discovered 21 November 2008, 29 December 2008, 20 February 2009, and 4 March 2009, respectively.[7]

Initial infection

  • Variants A and B exploit the MS08-067 vulnerability (CVE-2008-4250) in the Server service on Windows computers: an already-infected source computer sends a specially crafted remote procedure call request that triggers a buffer overflow and executes shellcode on the target.[8] The source computer runs an HTTP server on a port between 1024 and 10000; the target's shellcode connects back to that server, downloads a copy of the worm in DLL form, and runs it as a service hosted by svchost.exe.[4]
  • Variant B can also copy itself to the ADMIN$ share of computers visible over NetBIOS and execute the copy remotely. If the share is password-protected, it attempts a dictionary attack using a built-in list of common passwords, which can generate large amounts of network traffic and, where lockout policies are enforced, lock out the accounts it guesses against.[9]
  • Variant C places a copy of itself on any attached removable media (such as USB flash drives) together with an autorun.inf, so that the Windows AutoRun mechanism launches it when the media is inserted into another host.[4]
  • Variant D is downloaded and installed by variant B or C as an "update" and does not itself contain the spreading functionality of the earlier versions. It infects the local computer, terminates services, blocks access to numerous security-related web sites and downloads arbitrary code, and can relay command instructions to other Conficker.D hosts via built-in peer-to-peer (P2P) communication.[10]
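The two noisy behaviours in the list above, a source hammering TCP/445 across many neighbours and a burst of failed logons against one target's share, are easy to spot in connection or authentication logs. The following detector is an added example, not code from the page or from any vendor: it parses a constructed, generic log line format (src/dst/dport/result/user, not a real Windows or firewall format), and the threshold values are assumptions to be tuned per network.

```python
"""Detection sketch for the lateral-movement behaviour described above: one
host sweeping TCP/445 across many neighbours (exploitation attempts against
the Server service) and hammering a single target's ADMIN$ share with
password guesses. Added example, not from the page or from any vendor: the
log format is a constructed 'src= dst= dport= result= user=' line rather
than a real Windows or firewall format, and the thresholds are assumptions
to be tuned per network."""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
    r" result=(?P<result>\w+)(?: user=(?P<user>\S+))?$"
)
SWEEP_DISTINCT_HOSTS = 20  # distinct SMB targets from one source (assumed)
GUESS_FAILURES = 10        # failed SMB logons from one source to one target (assumed)


def parse_events(lines):
    """Yield dicts for well-formed lines; silently skip anything else."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def flag_sources(lines) -> dict:
    """Return {source_ip: [reasons]} for sources showing either behaviour."""
    smb_targets = defaultdict(set)   # src -> distinct dst contacted on 445
    failures = defaultdict(int)      # (src, dst) -> failed logons on 445
    for ev in parse_events(lines):
        if ev["dport"] != "445":
            continue
        smb_targets[ev["src"]].add(ev["dst"])
        if ev["result"] == "FAIL":
            failures[(ev["src"], ev["dst"])] += 1
    flagged = defaultdict(list)
    for src, dsts in smb_targets.items():
        if len(dsts) >= SWEEP_DISTINCT_HOSTS:
            flagged[src].append(f"smb-sweep:{len(dsts)}-hosts")
    for (src, dst), n in failures.items():
        if n >= GUESS_FAILURES:
            flagged[src].append(f"password-guessing:{dst}:{n}-failures")
    return dict(flagged)


# Constructed sample: 10.0.0.7 sweeps 25 hosts, then tries 12 passwords
# against 10.0.0.21; 10.0.0.9 is an ordinary client with one typo.
SAMPLE_LOG = (
    [f"2009-01-15T10:00:{i:02d} src=10.0.0.7 dst=10.0.0.{100 + i} dport=445 result=OK"
     for i in range(25)]
    + [f"2009-01-15T10:01:{i:02d} src=10.0.0.7 dst=10.0.0.21 dport=445 result=FAIL user=Administrator"
       for i in range(12)]
    + ["2009-01-15T10:02:00 src=10.0.0.9 dst=10.0.0.21 dport=445 result=FAIL user=alice",
       "2009-01-15T10:02:05 src=10.0.0.9 dst=10.0.0.21 dport=445 result=OK user=alice",
       "garbage line that the parser should ignore"]
)

if __name__ == "__main__":
    for src, reasons in flag_sources(SAMPLE_LOG).items():
        print(src, reasons)
```

Both signals are per-source counts, so a single infected workstation stands out against ordinary file-server traffic, where each client talks to one or two servers and fails a logon only occasionally; the sweep count is the stronger indicator because it does not depend on the password list the worm carries.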

Payload propagation

The worm has several mechanisms for pushing or pulling executable payloads over the network. To prevent payloads from being hijacked, variant A payloads are RC4-encrypted with a 512-bit key and RSA-signed with a 1024-bit key; a receiving host unpacks and executes a payload only if the signature verifies under a public key embedded in the worm, so a third party who takes control of a rendezvous domain can serve bytes to infected hosts but cannot get them executed. Variant B increases the RSA key size to 4096 bits. So far, this channel has been used only to propagate newer versions of the worm.
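The check that makes hijacking fail is that execution is gated on signature verification under a key the attacker cannot change. The following is an added example of an encrypt-then-sign update channel of the same shape, not Conficker's code: the page gives the primitives (RC4 with a 512-bit key, an RSA signature verified against an embedded public key) but not the blob layout, digest or key derivation, so the ciphertext-then-signature layout, SHA-256 as the signed digest, the constructed RC4 key and the tiny seeded textbook RSA key are all assumptions made for illustration.

```python
"""Illustrative encrypt-then-sign update channel of the kind described above.
Added example, not Conficker's code: the page names the primitives (RC4 with
a 512-bit key, an RSA signature checked against an embedded public key) but
not the blob layout, digest or key derivation, so 'ciphertext || signature',
SHA-256 as the signed digest and the constructed RC4 key are assumptions.
The RSA key is a seeded 512-bit textbook toy so the example runs instantly;
it must not be reused for real signing."""
import hashlib
import math
import random


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encrypting and decrypting are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def _is_probable_prime(n: int, rng: random.Random, rounds: int = 32) -> bool:
    """Miller-Rabin, adequate for a toy key only."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # exact size, odd
        if _is_probable_prime(cand, rng):
            return cand


def rsa_keygen(bits: int = 512, seed: int = 2009):
    """Return ((n, e), (n, d)); the seeded RNG makes the toy key reproducible."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def _digest_int(blob: bytes) -> int:
    return int.from_bytes(hashlib.sha256(blob).digest(), "big")  # < n for n of 512 bits


def rsa_sign(priv, blob: bytes) -> bytes:
    n, d = priv
    return pow(_digest_int(blob), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def rsa_verify(pub, blob: bytes, sig: bytes) -> bool:
    n, e = pub
    s = int.from_bytes(sig, "big")
    return s < n and pow(s, e, n) == _digest_int(blob)


# Constructed 512-bit RC4 key standing in for the one the worm carries.
DEMO_RC4_KEY = hashlib.sha512(b"constructed demo key material").digest()


def package_update(priv, rc4_key: bytes, update: bytes) -> bytes:
    """Operator side: encrypt the new binary, then sign the ciphertext."""
    ct = rc4(rc4_key, update)
    return ct + rsa_sign(priv, ct)


def accept_update(pub, rc4_key: bytes, blob: bytes):
    """Infected-host side: return the decrypted update only if the signature
    verifies under the embedded public key; None for a tampered blob or one
    signed by anyone other than the holder of the private key."""
    sig_len = (pub[0].bit_length() + 7) // 8
    if len(blob) <= sig_len:
        return None
    ct, sig = blob[:-sig_len], blob[-sig_len:]
    return rc4(rc4_key, ct) if rsa_verify(pub, ct, sig) else None
```

Flipping any byte of the ciphertext or the signature, or signing with a different private key, makes accept_update return None, which is the whole point: the receiver verifies before it decrypts, so a blob under the wrong key is rejected without the cipher ever being run, and whoever sinkholes a rendezvous domain gains a view of the botnet but not control of it.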

  • Variant A generates a list of 250 domain names every day across five top-level domains (TLDs) and attempts an HTTP connection to each in turn, expecting a signed payload from any of them. Variant B increases the number of TLDs to eight.[4] As a countermeasure, ICANN and several TLD registrars began in February 2009 to coordinate the barring of transfers and registrations for these domains.
    • Variant C contains code to sidestep this countermeasure by generating an expanded daily list of 50,000 domains across 110 TLDs. This new pull mechanism, however, is disabled until 1 April 2009.[3][7][11]
  • Variant B creates a named pipe over which it can push URLs for downloadable payloads to other infected hosts on a local area network.[11]
  • Variant C creates an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This part of the code is heavily obfuscated and not fully understood, but it has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for the subsequent transfers of signed payloads. To make analysis harder, the port numbers used for these connections are derived by hashing each peer's IP address.[11]
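The domain-generation scheme above and the registrar countermeasures in the Response section rest on the same property: the name list is a deterministic function of the date, so anyone who has reversed the algorithm can compute it in advance. The block below is an added example of a date-seeded generator of that shape together with the defender-side precomputation; it is not Conficker's algorithm, whose constants, name lengths and TLD lists are not on this page, so the SHA-256 construction, the salt, the 8 to 11 letter labels and the five TLD names are assumptions.

```python
"""Illustrative date-seeded domain generation algorithm (DGA) with the
registrar-side countermeasure and the collision caveat described on this
page. Added example, not Conficker's generator: the real algorithm, its
constants and its TLD lists are not given here, so the SHA-256
construction, the 8 to 11 letter label length, the salt and the TLD
names below are assumptions chosen for illustration."""
import datetime as dt
import hashlib
import string

# Five constructed TLDs, matching the count the text gives for variant A.
TLDS_5 = ("com", "net", "org", "info", "biz")
SALT = b"example-dga-salt"  # constructed; a real DGA hides its constants in code


def generate_domains(day: str, count: int = 250, tlds=TLDS_5) -> list:
    """Names for one ISO calendar date ("YYYY-MM-DD").

    Every infected host derives the same list from the date alone, so the
    operator has to register only one of the names to reach the whole
    botnet, and anyone who has reversed the algorithm can compute future
    lists in advance.
    """
    date = dt.date.fromisoformat(day)  # also validates the input
    names = []
    for i in range(count):
        digest = hashlib.sha256(SALT + date.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 8 + digest[0] % 4  # 8..11 letters (assumed, not the worm's rule)
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[1:1 + length])
        names.append(f"{label}.{tlds[digest[-1] % len(tlds)]}")
    return names


def precompute_blocklist(start: str, days: int, count: int = 250, tlds=TLDS_5) -> set:
    """Registrar-style countermeasure: enumerate every name the DGA will
    produce over a window so they can be locked before anyone registers them."""
    first = dt.date.fromisoformat(start)
    block = set()
    for offset in range(days):
        day = (first + dt.timedelta(days=offset)).isoformat()
        block.update(generate_domains(day, count, tlds))
    return block


def find_collisions(blocklist: set, already_registered: set) -> set:
    """Caveat from the text: names that are already legitimately registered
    cannot be locked and will absorb the worm's daily connection attempts."""
    return blocklist & already_registered


def rendezvous(day: str, operator_domains: set, count: int = 250, tlds=TLDS_5):
    """Client side: try the day's names in order and stop at the first one
    the operator controls (stand-in for 'an HTTP connection to each in turn')."""
    for name in generate_domains(day, count, tlds):
        if name in operator_domains:
            return name
    return None
```

precompute_blocklist is what a registrar such as CIRA or NASK does for its own TLD for the coming weeks; find_collisions shows the caveat NASK raised, since a legitimately registered name that happens to fall in the set cannot be locked and will absorb the worm's daily connection attempts. Raising count to 50,000 and the TLD tuple to 110 entries gives the variant C situation, where precomputation is still cheap but blanket registration of every name is not.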

Effect

Upon infection, the worm saves a copy of its DLL form under a random filename in the Windows system folder, then arranges to be loaded at every boot as a system service with a randomly generated name. The 1 April 2009 date widely reported in connection with the worm is when variant C's expanded domain-generation mechanism becomes active (see Payload propagation above).

The worm then resets System Restore points and disables a number of system services, including Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[12] It also watches for processes whose names match a predefined list of antivirus, diagnostic and patching tools and terminates them.[13]

Symptoms

Automated detection

The worm applies in-memory patches to the vulnerable Server-service code in netapi32.dll so that other copies of the worm (and other attackers) cannot re-exploit the host, while leaving a backdoor through which it can re-infect itself.[4] On 27 March 2009 Dan Kaminsky, Tillmann Werner and Felix Leder discovered that the patched code answers a crafted request differently from both a vulnerable and a correctly patched system, which gives infected hosts a signature that can be detected by a remote scan.[15] Signature updates are now available for a number of network scanners, including Nmap (the smb-check-vulns script),[16] Nessus[17] and QualysGuard.[18]

Impact

Experts have called it the worst infection since 2003's SQL Slammer.[19] Estimates of the number of infected computers range from almost 9 million[20][21] to 15 million.[22] The worm's initial rapid spread has been attributed to the share of Windows computers, estimated at 30%, that had not yet applied the Microsoft MS08-067 patch.[23]

Antivirus vendor Panda Security reported that of the 2 million computers analyzed through its ActiveScan service, around 115,000 (6%) were infected with the worm.[24]

Intramar, the French Navy's computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.[25]

The U.K. Ministry of Defence reported that some of its major systems and desktops were infected; the worm spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines.[26] Hospitals across the city of Sheffield reported infection of over 800 computers.[27]

On 13 February 2009, the Bundeswehr reported that about one hundred of their computers were infected.[28]

A memo from the British Director of Parliamentary ICT informed the users of the House of Commons on 24 March 2009 that the parliamentary network had been infected with the worm. The memo, which was subsequently leaked, urged users not to connect any unauthorized equipment to the network.[29]

Response

On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.

From Microsoft

As of 13 February 2009, Microsoft is offering a US$250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.[30][31][32][33][34][35]

From registrars

ICANN has sought preemptive barring of domain transfers and registrations from all TLD registrars affected by the Conficker C domain generator. Those which have taken action include:

  • On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously unregistered .ca domain names expected to be generated by Conficker C over the next 12 months.[36]
  • On 31 March 2009, NASK, the Polish national registrar, locked over 150,000 .pl domains expected to be generated by Conficker C over the coming five weeks. NASK also warned that worm traffic may unintentionally inflict a DDoS attack on legitimate domains that happen to fall within the generated set.[37]

Removal

On 23 October 2008, Microsoft released an emergency out-of-band patch, MS08-067, for the Server service vulnerability the worm exploits to spread;[38] the patch predates the first Conficker variant by about a month. Patches were issued for Windows 2000 SP4, Windows XP SP2 and SP3, and Windows Vista, but not for Windows XP SP1 or earlier service packs, whose support period had expired, so those systems remain exploitable unless upgraded.

Removal tools are available from Microsoft,[39] BitDefender,[40] Enigma Software,[41] ESET,[42] F-Secure,[43] Symantec,[44] Sophos,[45] and Kaspersky Lab,[46] while McAfee and AVG can remove the worm with an on-demand scan.[47][48] Microsoft has also published a removal guide on its website.[52]

Since the worm can spread via USB drives that trigger AutoRun, disabling AutoRun for external media (through a Windows Registry change) is recommended.[49] The United States Computer Emergency Readiness Team (US-CERT) has, however, described Microsoft's guidelines on disabling AutoRun as "not fully effective" and provides its own guidance,[50] whose workaround maps Autorun.inf files to a nonexistent registry key so that Windows never acts on their contents. US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.[51]

References

  1. ^ "Three million hit by Windows worm". BBC News Online. BBC. 2009-01-16. Retrieved 2009-01-16.
  2. ^ Leffall. "Jabulani".
  3. ^ a b Markoff, John (2009-03-19), Computer Experts Unite to Hunt Worm, New York Times, retrieved 2009-03-29
  4. ^ a b c d e f Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (2009-03-19), An Analysis of Conficker, SRI International, retrieved 2009-03-29
  5. ^ Richard Grigonis, Microsoft's $5,000,000 Reward for the Conficker Worm Creators, IP Communications, February 13, 2009
  6. ^ Microsoft page on the Conficker worm
  7. ^ a b Tiu, Vincent (2009-03-27), Microsoft Malware Protection Center: Information about Worm:Win32/Conficker.D, Microsoft Technet, retrieved 2009-03-30
  8. ^ CVE-2008-4250, Common Vulnerabilities and Exposures, Department of Homeland Security, 2008-06-04, retrieved 2009-03-29
  9. ^ "Passwords used by the Conficker worm". Sophos. Retrieved 2009-01-16.
  10. ^ "Malware Protection Center: Win32/Conficker". Microsoft. Retrieved 2009-03-31.
  11. ^ a b c Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (2009-03-19), An Analysis of Conficker C (draft), SRI International, retrieved 2009-03-29
  12. ^ Win32/Conficker.C, CA, 2009-03-11, retrieved 2009-03-29
  13. ^ Malware Protection Center - Entry: Worm:Win32/Conficker.D, Microsoft, retrieved 2009-03-30
  14. ^ "Virus alert about the Win32/Conficker.B worm". Microsoft. 2009-01-15. Retrieved 2009-01-22.
  15. ^ "Busted! Conficker's tell-tale heart uncovered". theregister.co.uk. March 30, 2009. Retrieved 2009-03-31.
  16. ^ "Scanning for Conficker with Nmap". skullsecurity.org. March 30, 2009. Retrieved 2009-03-31.
  17. ^ "Detecting Conficker with Nessus". blog.tenablesecurity.com. March 30, 2009. Retrieved 2009-03-31.
  18. ^ "Qualys scans for Conficker". http://www.foxbusiness.com. March 31, 2009. Retrieved 2009-03-31.
  19. ^ Markoff, John (2009-01-22). "Worm Infects Millions of Computers Worldwide". New York Times.
  20. ^ Sean (2009-01-16). "Preemptive Blocklist and More Downadup Numbers". F-Secure. Retrieved 2009-01-16.
  21. ^ Neild, Barry (16 January 2009). "Downadup virus exposes millions of PCs to hijack". CNN. Retrieved 2009-01-18.
  22. ^ "Virus strikes 15 million PCs". UPI.com. 2009-01-26. Retrieved 2009-03-25.
  23. ^ Leyden, John (19 January 2009), Three in 10 Windows PCs still vulnerable to Conficker exploit, The Register, retrieved 2009-01-20
  24. ^ "Six percent of computers scanned by Panda Security are infected by the Conficker worm". Panda Security. 2009-01-21. Retrieved 2009-01-21.
  25. ^ Willsher, Kim (2009-02-07), French fighter planes grounded by computer virus, The Telegraph, retrieved 2009-04-01
  26. ^ Williams, Chris (2009-01-20), MoD networks still malware-plagued after two weeks, The Register, retrieved 2009-01-20
  27. ^ Williams, Chris (2009-01-20), Conficker seizes city's hospital network, The Register, retrieved 2009-01-20
  28. ^ Conficker-Wurm infiziert hunderte Bundeswehr-Rechner (in German), PC Professionell, 2009-02-16, retrieved 2009-04-01
  29. ^ Leyden, John (2009-03-27), Leaked memo says Conficker pwns Parliament, The Register, retrieved 2009-03-29
  30. ^ Neild, Barry (2009-02-13). "$250K Microsoft bounty to catch worm creator". CNN. Retrieved 2009-03-29.
  31. ^ Microsoft announces industry alliance, $250k reward to combat Conficker. Zero Day. February 12, 2009.
  32. ^ Microsoft offers $250,000 reward for Conficker arrest. CNET News. February 12, 2009.
  33. ^ Microsoft announces $250,000 Conficker worm bounty. Network World. February 12, 2009
  34. ^ Microsoft offers $250,000 bounty for capture of Conficker worm creator. Guardian.co.uk. February 13, 2009
  35. ^ "Microsoft bounty for worm creator". BBC. 2009-02-13. Retrieved 2009-02-13.
  36. ^ CIRA working with international partners to counter Conficker C, CIRA, 2009-03-24, retrieved 2009-03-31
  37. ^ Bartosiewicz, Andrzej (2009-03-31), Jak działa Conficker?, Webhosting.pl, retrieved 2009-03-31
  38. ^ Microsoft Security Bulletin MS08-067, Microsoft, 2008-10-23, retrieved 2009-01-19
  39. ^ "Malicious Software Removal Tool". Microsoft.com. 2005-01-11. Retrieved 2009-03-29.
  40. ^ "Win32.Worm.Downadup.Gen". BitDefender. http://www.bitdefender.com/VIRUS-1000462-en--Win32.Worm.Downadup.Gen.html
  41. ^ "Information about Conficker Removal Tool". Enigma Software. Retrieved 2009-03-30.
  42. ^ "Eset - Win32/Conficker.AA". Eset.eu. Retrieved 2009-03-29.
  43. ^ "Worm:W32/Downadup.AL". F-Secure. Retrieved 2009-03-30.
  44. ^ "W32.Downadup Removal - Removing Help". Symantec. Retrieved 2009-03-29.
  45. ^ "Conficker Clean-up Tool - Free Conficker detection and removal". Sophos.com. 2009-01-16. Retrieved 2009-03-29.
  46. ^ "How to fight network worm Net-Worm.Win32.Kido". Support.kaspersky.com. 2009-03-20. Retrieved 2009-03-29.
  47. ^ "W32/Conficker.worm". Vil.nai.com. Retrieved 2009-03-29.
  48. ^ "Net-Worm.Win32.Kido". Viruslist.com. Retrieved 2009-03-29.
  49. ^ "MS08-067 Worm, Downadup/Conficker". Retrieved 2009-01-08.
  50. ^ "Microsoft Windows Does Not Disable AutoRun Properly". US-CERT. January 29, 2009. Retrieved 2009-02-16.
  51. ^ DHS Releases Conficker/Downadup Computer Worm Detection Tool, Department of Homeland Security, 2009-03-30, retrieved 2009-04-01
  52. ^ "Protect yourself from the Conficker computer worm". microsoft.com. March 27, 2009. Retrieved 2009-03-30.