From Wikipedia, the free encyclopedia
 | |
| Common name | Conficker |
|---|---|
| Aliases |
|
| Classification | Unknown |
| Type | Computer worm |
| Subtype | Computer virus |
Conficker, also known as Downup, Downadup and Kido, is a computer wormMicrosoft Windows operating system that was first detected in November 2008.[1] The worm uses a combination of advanced malware techniques which has made it difficult to counter, and has since spread rapidly into what is now believed to be the largest computer worm infection since the 2003 SQL Slammer.[2] targeting the
Contents[hide] |
[edit] History
Name
The origin of the name Conficker is thought to be a portmanteau of the term "configure" with German word Ficker, which means "fucker."[3][4] On the other hand, Microsoft analyst Joshua Phillips described the name as a rearrangement of portions of the domain name trafficconverter.biz,[5] which was used by early versions to download updates.
Discovery
The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta.[6]. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch[7] a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009.[8] A second variant of the worm, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares.[9] Researchers believe that these were decisive factors in allowing the worm to propagate quickly: by January 2009, the estimated number of infected computers ranged from almost 9 million[10][11][12] to 15 million.[13] Antivirus software vendor Panda Security[14] on October 23, 2008 to close the vulnerability, reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker.
Recent estimates of the number of infected computers have been more notably difficult because of changes in the propagation and update strategy of recent variants of the worm.[15]
Impact in Europe
Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.[16]
The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The worm has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.[17][18]
On 2 February 2009, the Bundeswehr, the unified armed forces of the Federal Republic of Germany reported that about one hundred of their computers were infected.[19]
A memo from the British Director of Parliamentary ICT informed the users of the House of Commons on 24 March 2009 that it had been infected with the worm. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorized equipment to the network.[20]
On 29 May 2009, the University of Southampton's central Windows servers were affected by an outbreak of the virus, causing campus-wide disruption including software license control, corporate applications, student workstations, Internet access, and central notification of fire alarms. The computing department's systems had been patched, and thus not directly affected.
Operation
Although almost all of the advanced malware techniques used by Conficker have seen past use or are well-known to researchers, the worm's combined use of so many has made it unusually difficult to eradicate.[21] The worm's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the worm's own vulnerabilities.[22][23]
Five variants of the Conficker worm are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively.[24][25]
| Variant | Detection date | Infection vectors | Update propagation | Self-defense | End action |
|---|---|---|---|---|---|
| Conficker A | 2008-11-21 |
|
| None |
|
| Conficker B | 2008-12-29 |
|
| ||
| Conficker C | 2009-02-20 |
|
| ||
| Conficker D | 2009-03-04 | None |
| ||
| Conficker E | 2009-04-07 |
|
|
|
Initial infection
- Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer.[38] On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLLsvchost.exe.[30] Variants B and later may attach instead to a running services.exe or Windows Explorer process.[23] form, which it then attaches to
- Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.[39]
- Variants B and C place a copy of their DLL form on any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism.[9]
To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.[23]
Payload propagation
The worm has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the worm to update itself to newer variants, and to install additional malware.
- Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator[23] seeded with the current date to ensure that every copy of the worm generates the same names each day. The worm then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
- Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.[23]
- To counter the worm's use of pseudorandom domain names, Internet Corporation for Assigned Names and Numbers (ICANN) and several TLDregistries began in February 2009 a coordinated barring of transfers and registrations for these domains.[40] Variant D counters this by generating daily a pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until April 1)[24][33] is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the worm's peer-to-peer network.[26] The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial of service attack (DDoS) on sites serving those domains.[41]
- Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.[33]
- Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker are allowed through, effectively turning the vulnerability into a propagation backdoor.[29]
- Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the worm is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.[31][33]
Armoring
To prevent payloads from being hijacked, variant A payloads are first SHA1-hashed and RC4-encrypted with the 512-bit hash as a key. The hash is then RSA-signed with a 1024-bit private key.[30] The payload is unpacked and executed only if its signature verifies with a public key embedded in the worm. Variants B and later use MD6 as their hash function and increase the size of the RSA key to 4096 bits.[33]
Self-defense
Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[42] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[43] An in-memory patch is also applied to the system resolver[33] DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.
End action
Variant E of the worm was the first to use its base of infected computers for an ulterior purpose.[36] It downloads and installs, from a web server hosted in Ukraine, two additional payloads:[44]
- Waledac, a spambot otherwise known to propagate through e-mail attachments.[45] Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.[46][47]
- SpyProtect 2009, a scareware anti-virus product.[48]
Symptoms
- Account lockout policies being reset automatically.
- Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled.
- Domain controllers responding slowly to client requests.
- Congestion on local area networks.
- Web sites related to antivirus software or the Windows Update service becoming inaccessible.[49]
- User accounts locked out.[50]
Response
On 12 February 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, Inc., M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.[22][51]
From Microsoft
As of 13 February 2009, Microsoft is offering a $USD250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.[52][53][54][55][56]
From registries
ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator. Those which have taken action include:
- On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names informed by the Conficker Working Group and reviewed a hundred already registered from the worm list.[57]
- On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by the worm over the next 12 months.[58]
- On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."[59]
- On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .plDDoS attack to legitimate domains which happen to be in the generated set.[60] domains expected to be generated by the worm over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a
- On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg.je names were in the set of names generated by the worm. or
Removal and detection
Microsoft has released a removal guide for the worm, and recommends using the current release of its Malicious Software Removal Tool[61] to remove the worm, then applying the patch to prevent re-infection.[62]
Third parties
Third-party anti-virus software vendors BitDefender,[63] Enigma Software,[64]ESET,[65] F-Secure,[66] Symantec,[67] Sophos,[68], Kaspersky Lab[69] and Trend Micro[70] have released detection updates to their products and are able to remove the worm.
Automated remote detection
On 27 March 2009, Felix Leder and Tillmann Werner from the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely.[30] The peer-to-peer command protocol used by variants D and E of the worm has since been partially reverse-engineered, allowing researchers to imitate the worm network's command packets and positively identify infected computers en-masse.[71][72]
Signature updates for a number of network scanning applications are now available including NMap[73] and Nessus.[74]
US federal agencies
The United States Computer Emergency Readiness Team (CERT) recommends disabling AutoRun to prevent Variant B of the worm from spreading through removable media. Prior to the
