Conficker


Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in November 2008. It uses flaws in Windows OS software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. The Conficker worm infected millions of computers including government, business and home computers in over 190 countries, making it the largest known computer worm infection since the 2003 SQL Slammer worm.
Despite its wide propagation, the worm did not do much damage, perhaps because its authors – believed to have been Ukrainian citizens – did not dare use it because of the attention it drew. Four men were arrested, and one pled guilty and was sentenced to four years in prison.

Prevalence

Estimates of the number of infected computers were difficult because the virus changed its propagation and update strategy from version to version. In January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011. By mid-2015, the total number of infections had dropped to about 400,000, and it was estimated to be 500,000 in 2019.

History

Name

The origin of the name Conficker is thought to be a combination of the English term "configure" and the German expletive . Microsoft analyst Joshua Phillips gives an alternative interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz which was used by early versions of Conficker to download updates.

Discovery

The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008, to close the vulnerability, a large number of Windows PCs remained unpatched as late as January 2009. A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that these were decisive factors in allowing the virus to propagate quickly.

Impact in Europe

Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.
The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus had spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.
On 2 February 2009, the Bundeswehr, the unified armed forces of Germany, reported that about one hundred of its computers were infected.
An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. The use of USB flash drives was banned, as this was believed to be the vector for the initial infection.
A memo from the Director of the UK Parliamentary ICT service informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorised equipment to the network.
In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people.

Operation

Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus's combined use of so many has made it unusually difficult to eradicate. The virus's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the virus's own vulnerabilities.
Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. The Conficker Working Group uses namings of A, B, B++, C, and E for the same variants respectively. This means that B++ is equivalent to C and C is equivalent to D.
VariantDetection dateInfection vectorsUpdate propagationSelf-defenseEnd action
Conficker A2008-11-21
  • NetBIOS
  • * Exploits MS08-067 vulnerability in Server service
  • HTTP pull
  • * Downloads from
  • * Downloads daily from any of 250 pseudorandom domains over 5 TLDs
    		• None
    • Updates self to Conficker B, C or D
    Conficker B2008-12-29
  • NetBIOS
  • * Exploits MS08-067 vulnerability in Server service
  • * Dictionary attack on shares
  • Removable media
  • * Creates DLL-based AutoRun trojan on attached removable drives
  • HTTP pull
  • * Downloads daily from any of 250 pseudorandom domains over 8 TLDs
  • NetBIOS push
  • * Patches MS08-067 to open reinfection backdoor in Server service
  • Blocks certain DNS lookups
  • Disables AutoUpdate
  • Updates self to Conficker C or D
    • Conficker C2009-02-20
  • NetBIOS
  • * Exploits MS08-067 vulnerability in Server service
  • * Dictionary attack on shares
  • Removable media
  • * Creates DLL-based AutoRun trojan on attached removable drives
  • HTTP pull
  • * Downloads daily from 500 of 50,000 pseudorandom domains over 8 TLDs per day
  • NetBIOS push
  • * Patches MS08-067 to open reinfection backdoor in Server service
  • * Creates named pipe to receive URL from remote host, then downloads from URL
  • Blocks certain DNS lookups
  • Disables AutoUpdate
  • Updates self to Conficker D
    • Conficker D2009-03-04-
  • HTTP pull
  • * Downloads daily from any 500 of 50,000 pseudorandom domains over 110 TLDs
  • P2P push/pull
  • * Uses custom protocol to scan for infected peers via UDP, then transfer via TCP
  • Blocks certain DNS lookups
  • * Does an in-memory patch of to block lookups of anti-malware related web sites
  • Disables Safe Mode
  • Disables AutoUpdate
  • Kills anti-malware
  • * Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
  • Downloads and installs Conficker E
    • Conficker E2009-04-07
  • NetBIOS
  • * Exploits MS08-067 vulnerability in Server service
  • NetBIOS push
  • * Patches MS08-067 to open reinfection backdoor in Server service
  • P2P push/pull
  • * Uses custom protocol to scan for infected peers via UDP, then transfer via TCP
  • Blocks certain DNS lookups
  • Disables AutoUpdate
  • Kills anti-malware
  • * Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals
  • Updates local copy of Conficker C to Conficker D
  • Downloads and installs malware payload:
  • * Waledac spambot
  • * SpyProtect 2009 scareware
  • Removes self on 3 May 2009

    • Initial infection

  • Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer. On the source computer, the virus runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the virus in DLL form, which it then attaches to svchost.exe. Variants B and later may attach instead to a running services.exe or Windows Explorer process. Attaching to those processes might be detected by the application trust feature of an installed firewall.
  • Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.
  • Variants B and C place a copy of their DLL form in the recycle.bin of any attached removable media, from which they can then infect new hosts through the Windows AutoRun mechanism using a manipulated autorun.inf.
    • To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system or system32 folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.

    Payload propagation

    The virus has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the virus to update itself to newer variants, and to install additional malware.
    • Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator seeded with the current date to ensure that every copy of the virus generates the same names each day. The virus then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
    • Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.
    • * To counter the virus's use of pseudorandom domain names, Internet Corporation for Assigned Names and Numbers and several TLD registries began in February 2009 a coordinated barring of transfers and registrations for these domains. Variant D counters this by generating daily a pool of 50,000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8–11 to 4–9 characters to make them more difficult to detect with heuristics. This new pull mechanism is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the virus's peer-to-peer network. The shorter generated names, however, are expected to collide with 150–200 existing domains per day, potentially causing a distributed denial-of-service attack on sites serving those domains. However the large number of generated domains and the fact that not every domain will be contacted for a given day will probably prevent DDoS situations.
    • Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
    • Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker are allowed through, effectively turning the vulnerability into a propagation backdoor.
    • Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the virus is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.