HKCert
Security Blog

Information security impact arising from Conficker.C worm

Release Date: 25 / 03 / 2009
Last Update: 01 / 08 / 2012

Introduction

 

Conficker (also known as Downadup or Kido) is a computer worm that targets the Microsoft Windows operating system. It has kept evolving since its first appearance in November 2008: variants A, B and B++ were reported from November 2008 to February 2009. HKCERT published an incident analysis in the February 2009 issue of its Newsletter to introduce the Conficker worm. In the past week, news reports (1) have revolved around the development of the new Conficker.C variant, which appeared at the beginning of March. The new variant is set to activate its domain generation algorithm on April 1, 2009 and may generate new security threats. The Conficker.C worm has caused HKCERT to elevate the alert level and issue an advisory.

 

Major enhancement of Conficker.C

 

According to the SRI Addendum "An Analysis of Conficker C", Conficker.C is a significant restructuring of the previous version. New features are built for bulletproof defense, to increase the longevity of Conficker on infected machines. Its major enhancements are:

  1. New Domain Generation Algorithm
    Starting from 1 April 2009, Conficker.C generates a daily list of 50,000 domains spread across 116 top-level domains (TLDs), but queries only 500 of them, once per day, for updates. This new mechanism is designed to evade the efforts of global security teams to pre-empt domain registration by the Conficker authors.
  2. P2P update
    Uses a P2P protocol to distribute digitally signed files for update. Each infected machine can act as server or client.
  3. Security features to prevent third-party hijacking
    Employs the latest crypto-system, MD-6, to authenticate the author of an uploaded file, so as to prevent other groups from uploading arbitrary binaries to the infected drone population.
  4. Better defense to combat security services
    Increases the ability to detect and terminate security services, so as to combat anti-malware. It has a domain lookup prevention feature that blocks lookups of security vendors' domains. It terminates the firewall, Windows Defender and a list of security services.
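A worked calculation added here (not from the HKCERT advisory) using the figures above, 50,000 candidate domains per day of which each bot queries 500: it shows how often a bot reaches a domain the authors actually registered, and why pre-emptive registration by defenders does not scale. The uniform-random selection of the 500 domains is an assumption made for the calculation, not something the advisory states.

```python
# Added worked calculation (not from the HKCERT advisory): with the
# advisory's figures (50,000 candidate domains per day, 500 queried per
# bot per day), how often does a bot reach a domain the authors actually
# registered, and why pre-emptive registration by defenders does not scale.
from math import ceil, comb, log

DOMAINS_PER_DAY = 50_000
QUERIES_PER_BOT = 500
TLDS = 116

def p_bot_reaches_author(registered):
    """Chance that one bot's 500 daily queries include at least one of the
    `registered` domains the authors control that day. Assumes the 500 are
    drawn uniformly without replacement (hypergeometric); this assumption
    is made here and is not stated in the advisory."""
    if registered >= DOMAINS_PER_DAY:
        return 1.0
    miss_all = (comb(DOMAINS_PER_DAY - registered, QUERIES_PER_BOT)
                / comb(DOMAINS_PER_DAY, QUERIES_PER_BOT))
    return 1.0 - miss_all

def days_until_fraction_reached(fraction, registered=1):
    """Days (each with a fresh daily list) until at least `fraction` of the
    infected population has contacted an author-controlled domain."""
    p = p_bot_reaches_author(registered)
    return ceil(log(1.0 - fraction) / log(1.0 - p))

def defender_registrations(days):
    """Domains defenders would have to pre-register, across all TLDS, to
    deny the authors every candidate for `days` days."""
    return DOMAINS_PER_DAY * days

if __name__ == "__main__":
    print(f"authors register 1 domain: {p_bot_reaches_author(1):.2%} "
          f"of bots reach it on a given day")
    print(f"half the botnet reached after "
          f"{days_until_fraction_reached(0.5)} days")
    print(f"defenders must register {defender_registrations(30):,} "
          f"domains (over {TLDS} TLDs) to cover one month")
```

The asymmetry is the point: one registration a day gives the authors a slow but certain update channel, while blocking it outright means registering every candidate across 116 TLDs every day.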

Impact

 

The Conficker.C worm does *NOT* attack Internet users on its own. However, the mechanism by which it connects to update servers creates the following security impacts (3):

  1. Impact on machines previously infected by Conficker A & B
    Machines which are infected by Conficker.A or Conficker.B but have not yet been cleaned up will attempt to upgrade to Conficker.C via HTTP. The Conficker.C worm has better defense features and is much harder to remove.
  2. Traffic impact arising from Conficker.C worm
    There is a side effect of the new domain generation mechanism. The pseudo-random domain generation may cover some legitimate domains. From 1-Apr-2009 onwards, Conficker.C worms will try to connect to the generated domains, causing a DDoS attack on the web servers of those legitimate domains. The flood of traffic will affect the website owner as well as the related ISP network.

    List of legitimate domains randomly generated by Conficker.C worm:
    http://iv.cs.uni-bonn.de/uploads/media/collisions_april.zip
  3. Potential hack attack by Conficker.C authors
    Conficker.C authors may also try to exploit servers of legitimate domains which are on the list produced by the domain generation algorithm, to prepare these servers as rendezvous points.

Solution

 

 Prevention
  1. Patch Windows PCs with MS08-067, which was issued on October 24, 2008.
  2. Install antivirus software and keep the virus signature file updated.
  3. Install and enable a firewall. Users directly connected to the Internet, e.g. mobile Internet users and users who do not have a firewall router, should have firewall software enabled.
  4. Use strong passwords for user accounts and file shares.
  5. Disable the AutoRun and AutoPlay features for removable devices, if possible.
  6. For corporations with a web proxy server (e.g. Squid), IDS, or content filtering software, monitor for the following HTTP GET strings in incoming and outgoing traffic (2):
    - http://{domainname}/search?q=n&aq=7 (for Conficker A)
    - http://{domainname}/search?q=n (for Conficker B)
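An added example (not from the HKCERT advisory) of the proxy-log check in the last prevention item: it classifies the two GET strings above and reports which internal clients issued them, using Squid native access.log lines constructed for the example. It assumes the "n" in the advisory's notation is a decimal number, so ordinary searches with a non-numeric q are not flagged.

```python
# Added example (not from the HKCERT advisory): flag the Conficker A/B
# update requests listed above in Squid-style proxy log lines.
# Assumption: "n" in the advisory's GET strings is a decimal number.
import re
from urllib.parse import parse_qs, urlsplit

# Conficker A: /search?q=<n>&aq=7      Conficker B: /search?q=<n>
def classify_request(url):
    """Return 'Conficker.A', 'Conficker.B' or None for one request URL."""
    parts = urlsplit(url)
    if parts.path != "/search":
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    q = params.get("q")
    if not q or len(q) != 1 or not q[0].isdigit():
        return None  # ordinary searches carry a non-numeric q
    if set(params) == {"q", "aq"} and params["aq"] == ["7"]:
        return "Conficker.A"
    if set(params) == {"q"}:
        return "Conficker.B"
    return None

# Squid native access.log: time elapsed client code/status bytes method URL ...
SQUID_RE = re.compile(
    r"^\S+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+GET\s+(?P<url>\S+)")

def scan_log(lines):
    """Map each internal client address to the variants it appears to run."""
    hits = {}
    for line in lines:
        m = SQUID_RE.match(line)
        if not m:
            continue
        variant = classify_request(m.group("url"))
        if variant:
            hits.setdefault(m.group("client"), set()).add(variant)
    return hits

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "1238544001.123 120 10.0.0.5 TCP_MISS/200 512 GET http://example.test/search?q=12345&aq=7 - DIRECT/203.0.113.9 text/html",
    "1238544002.456 80 10.0.0.7 TCP_MISS/200 498 GET http://example.test/search?q=8812 - DIRECT/203.0.113.9 text/html",
    "1238544003.789 300 10.0.0.9 TCP_MISS/200 9000 GET http://example.test/search?q=conficker+removal - DIRECT/203.0.113.9 text/html",
]

if __name__ == "__main__":
    for client, variants in sorted(scan_log(SAMPLE_LOG).items()):
        print(client, sorted(variants))
```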
 Detection (4)
  1. Check machines which fail to connect to security vendor sites or to download security updates. These may be infected machines.

    The websites below offer a simple test to identify this condition:
    Online Conficker Infection Test for Conficker A to C
    http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
    Online Conficker Infection Test for Conficker B to D
    http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
  2. For corporations using Active Directory, check whether a number of AD accounts are locked out every day. This may be a sign of malware attempting password brute-force attacks, and the network may have infected machines.
  3. For corporate networks, use network scanning tools to search for infected machines on the network.
    Note: Before installing/executing the tools, please read the usage instructions provided by the software vendor.
    1. Conficker Remote Scanner - scs2.exe (for Conficker A to D)
      http://four.cs.uni-bonn.de/uploads/media/scs2.zip
    2. Nmap 4.85beta7 or above (for Conficker A and B)
      http://nmap.org/download.html
    3. Conficker Active P2P Scanner (for Conficker C)
      http://mtc.sri.com/Conficker/contrib/scanner.html
  4. For corporations with a Snort IDS, deploy the specific IDS signature to detect Conficker exploitation attempts or identify infected machines on the network.
    Note: Before installing/executing the tools, please read the usage instructions provided by the software vendor.
    1. Snort IDS signature (for Conficker A and B)
      http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
 Response
  1. For machines infected by Conficker, download the Conficker worm removal tools below to clean up the machines.
    Note: Before installing/executing the tools, please read the usage instructions provided by the software vendor.

    http://www.bdtools.net/how-to-remove-downadup.php
  2. For website owners: if the website encounters a DDoS attack during this period, please contact your ISP and HKCERT for assistance.

 

Related Link

 

(1) Conficker worm information and news
http://isc.sans.org/diary.html?storyid=6211
http://isc.sans.org/diary.html?storyid=5860
http://www.confickerworkinggroup.org/wiki/pmwiki.php?n=Main.HomePage
http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130228&intsrc=news_ts_head
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129239&intsrc=news_ts_head
http://bits.blogs.nytimes.com/2009/03/19/the-conficker-worm-april-fools-joke-or-unthinkable-disaster/
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331#A253

 

(2) Conficker worm analysis papers
http://mtc.sri.com/Conficker
http://mtc.sri.com/Conficker/addendumC/
https://www.honeynet.org/files/KYE-Conficker.pdf

 

(3) Questions and Answers of Conficker worm
http://www.f-secure.com/weblog/archives/00001647.html
http://www.f-secure.com/weblog/archives/00001636.html

 

(4) Detecting Conficker Worm
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
http://mtc.sri.com/Conficker/contrib/scanner.html