HKCert
Security Blog

Global Conficker worm outbreak: millions of computers have fallen victim

Release Date: 02 / 02 / 2009
Last Update: 01 / 08 / 2012

Introduction

In early 2009, a worm called Conficker (also known as Downadup or Kido) swept the globe within a short period of time. According to estimates by an antivirus software company, over a million computers worldwide have been infected [Note: 1]. It is the largest computer infection incident in recent years; the last outbreak of comparable scale was the Sasser worm in 2004 [Note: 2]. HKCERT has received only one incident report so far and is closely monitoring the development.

Conficker.A worm

The first variant of the Conficker worm (Conficker.A) was found in late November 2008 [Note: 3]. It spreads mainly by exploiting computers that have not applied the Microsoft Windows security patch MS08-067 [Note: 4]. This vulnerability affects Windows 2000, XP, 2003, Vista and 2008. Malware analysts found that the worm tries to verify the location of the infected computer: if it is in Ukraine, the spreading process does not continue. This behaviour hints that the author of the worm might be in Ukraine. According to information from an antivirus software company, the number of infected computers was estimated at about 500,000 [Note: 5].

Conficker.B worm

At the end of December 2008, a new variant of the Conficker worm (Conficker.B) was found. In addition to attacking the Microsoft Windows vulnerability, this variant added the following spreading methods:

  1. The worm searches for the network share folder ADMIN$ and attempts to connect to it using the Administrator account and its own list of passwords. If the account has no password, or a relatively simple one, the worm can copy itself to that computer automatically.
  2. When the worm detects an external storage device, such as a USB flash drive, memory card or external hard drive, connected to the infected computer, it copies itself to the device automatically. When the infected device is connected to another computer, the Windows autorun feature causes the worm to infect that computer immediately.

With these two spreading methods, the threat to corporate networks has increased tremendously. Generally, the external interface of a corporate network is guarded by a firewall, so an attack from outside on the Windows RPC vulnerability of internal computers is not possible. However, once an infected computer or external storage device is connected to the internal network, and if the antivirus software cannot detect the new variant immediately, the worm is able to spread to the entire network.

The impact of the worm

When a computer is infected with the Conficker.B worm, the system is affected as follows [Note: 6,7]:

  1. Disables viewing of hidden files and folders;
  2. Modifies the system TCP/IP connection limit parameters;
  3. Terminates a number of Windows system services, including:
     • Windows Security Center Service
     • Background Intelligent Transfer Service
     • Windows Defender
     • Error Reporting Service
     • Windows Error Reporting Service
  4. Attempts to terminate security-related processes and blocks access to security websites. The purpose may be to prevent the computer from updating its security software database and from obtaining security-related information;
  5. Resets system restore points;
  6. Starting on January 1, 2009, connects to randomly generated websites to download files. The purpose may be to update the worm or to receive commands;
  7. Runs an HTTP server on a randomly selected port and uses a "call back" technique to receive responses from successfully exploited computers, then sends the worm file to them;
  8. Creates a remote scheduled job to activate the worm file on the computer;
  9. Creates a hidden folder named Recycler on the infected drive to store the worm file;
  10. Disables the Windows Vista TCP/IP auto-tuning feature;
  11. Patches the MS08-067 vulnerability within the affected API function; the purpose may be to prevent other malware from using the same exploit.

How to calculate the number of infected computers

The Conficker worm randomly generates 250 new domain names every day and attempts to connect to URLs under these domain names. A Finnish antivirus software company, F-Secure, analysed the algorithm that generates the domain names. Having worked out the algorithm, they pre-registered part of the domain names and set up a sinkhole system to receive the network connections made by the worm. By monitoring these connections and recording the source IP addresses, they can estimate the number of infected computers.

At present, most news media use the infection statistics provided by F-Secure. As of January 16, 2009, the number of infections was estimated at more than 8,900,000 [Note: 8,9]. However, this counting method still has shortcomings, such as counting re-infected computers more than once.
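
The source-IP counting method above and its re-infection shortcoming, as an added Python example that is not part of the original advisory and not F-Secure's own sinkhole system; the log format, domain names and IP addresses are constructed for illustration:

```python
"""Added example (not HKCERT's or F-Secure's code): models the sinkhole
counting method described above. Each infected host requests every
generated domain the sinkhole owns, and a cleaned-and-re-infected host
comes back, so raw requests over-count; distinct source IPs do not."""
import re
from collections import defaultdict

# Constructed sample log: "<date> <source IP> <requested sinkhole domain>".
# 203.0.113.10 hits two owned domains on day one and returns on day two,
# so a naive request count sees it four times.
SINKHOLE_LOG = """\
2009-01-16 203.0.113.10 abcdx.example
2009-01-16 203.0.113.10 qwert.example
2009-01-16 198.51.100.7 abcdx.example
2009-01-16 203.0.113.10 abcdx.example
2009-01-17 203.0.113.10 zzzyx.example
2009-01-17 198.51.100.7 zzzyx.example
2009-01-17 192.0.2.44 zzzyx.example
not a log line
"""
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{1,3}(?:\.\d{1,3}){3}) (\S+)$")

def parse_log(text):
    """Yield (date, source_ip, domain) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groups()

def raw_requests_per_day(text):
    """Naive estimate: every sinkhole request counted as an infection."""
    counts = defaultdict(int)
    for date, _ip, _domain in parse_log(text):
        counts[date] += 1
    return dict(counts)

def unique_sources_per_day(text):
    """Distinct source IPs per day: one host is counted once per day."""
    seen = defaultdict(set)
    for date, ip, _domain in parse_log(text):
        seen[date].add(ip)
    return {date: len(ips) for date, ips in seen.items()}

def unique_sources_overall(text):
    """Distinct source IPs over the whole period: a host seen on several
    days, e.g. after re-infection, is counted once. Caveat: an IP is not a
    host (NAT hides many hosts behind one address; DHCP can give one host
    several addresses), so even this is only an estimate."""
    return len({ip for _date, ip, _domain in parse_log(text)})
```

Summing the per-day unique counts over the two days gives 5, while the period-wide count is 3; the difference is exactly the re-counting of hosts that come back, which the advisory names as the method's shortcoming.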

The threat of the botnet

Although the Conficker worm has not caused any serious damage so far, security experts are very concerned about the threat posed by the huge botnet formed by the infected computers [Note: 10]. The worm generates a large number of new domain names every day and connects to URLs under them. If someone registers those domain names and sets up a system to control the botnet, it could be used for sending spam, launching denial-of-service attacks and so on. So far the infected computers have not received any instructions; only some rogue antivirus software has been found using the randomly generated domain names. The intention of the worm author is still unknown.

Conficker worm removal procedure

If your computer is infected with the Conficker worm, please follow the steps below to remove it:

  1. Isolate the computer from the network;
  2. Microsoft's Malicious Software Removal Tool (MSRT) is able to remove the Conficker worm. For usage details, please refer to: http://www.microsoft.com/taiwan/security/articles/msrt0114.mspx

Prevention of Conficker worm infection

To prevent infection by the Conficker worm, please follow the steps below:

  1. Install the MS08-067 security patch on all computers in the network immediately;
  2. Set strong passwords for all user accounts and network share folders;
  3. Unless it is necessary, disable the autorun feature in Windows. For details, please refer to the Microsoft guideline [Note: 11];
  4. Check that your anti-virus software is functioning properly and can update its virus database.

Conclusion

The production of malware is becoming professional and is driven by monetary incentives. Attackers use a variety of channels to infect computers, and an infected computer may behave as usual and be difficult to detect. The large-scale outbreak of the Conficker worm is due to three factors: failure to install security patches, poor password settings, and poor management of external storage devices. According to research data from Qualys [Note: 12], about 30% of computers have not installed the MS08-067 patch. Several of the countries with the highest infection rates, including China, Russia and India, are said to have serious problems with pirated software; on pirated copies of Windows, the security patch cannot be applied automatically to fix the vulnerability. Infection by autorun viruses via external storage has been a popular infection channel in recent years. We have to regulate the use of external storage devices and pay attention to the Windows autorun setting.

Reference

  1. http://www.theregister.co.uk/2009/01/26/conficker_botnet/
  2. http://www.hkcert.org/chinese/valert/virus/2004/w32.sasser.worm.html
  3. http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
  4. http://www.microsoft.com/taiwan/technet/security/bulletin/MS08-067.mspx
  5. https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/230
  6. http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B
  7. http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=76852
  8. http://www.f-secure.com/weblog/archives/00001584.html
  9. http://www.f-secure.com/weblog/archives/00001589.html
  10. http://www.theregister.co.uk/2009/01/16/9m_downadup_infections/page2.html
  11. http://support.microsoft.com/kb/953252
  12. http://www.theregister.co.uk/2009/01/19/conficker_worm_feed/