Conficker Variant Activates April 1st

Posted on March 31st, 2009 by Benjamin Harbin

GSA Reference Number: AD090330-01

Simply Put: A small media frenzy has been created as many security professionals and groups have released research indicating that the Conficker worm will change the way it works on April 1st, 2009. On April 1st, Conficker will reconfigure its updating functionality, making it easier for infected machines to receive updates. While the code update is important news, researchers have found no indication of an attack beginning on April 1st; these updates will occur on machines that are already infected. However, the risk of a new Conficker infection is always present. April 1st will certainly be an important date to monitor network traffic, but the Conficker worm will be just as dangerous before and after April 1st, as many of Conficker's attack and propagation techniques have been very effective to date.

Vulnerability Details: The Conficker worm has a few ways of initially infecting machines. It first attempts to exploit a vulnerability in Microsoft's Server Service. This vulnerability allows the worm to execute shellcode on the machine, thus infecting the device. The infected device then connects to web servers whose addresses are coded into the worm and downloads .dll copies of the worm, which it uses to propagate. A second variant of the worm adds ways in which the worm can spread itself throughout a network: Conficker.B adds the ability to execute itself by brute-forcing weak or nonexistent passwords on ADMIN$ network shares. Another clever addition to the B variant allows the worm to copy itself to any removable media attached to the infected device, including USB drives and removable hard drives. Once copied to removable media, Conficker can then infect new machines through Windows AutoRun when the media is inserted into a new PC.
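As an added illustration of the removable-media vector just described (this is example code written for this page, not code from the original advisory), the following Python script parses a constructed autorun.inf and reports what Windows AutoRun would launch from it, so a suspect drive can be triaged on a clean machine before it is opened. The file contents, the `RECYCLER\placeholder.exe` path and the function names are assumptions for this example.

```python
"""Triage an autorun.inf found on removable media.

Added example for this advisory, not code from the original post.  The file
contents below are constructed and the program names are placeholders.  The
parser reports the commands that Windows AutoRun/AutoPlay would run from the
[autorun] section, skipping comment and junk lines so padding cannot hide the
keys that matter.
"""
import re
from typing import Dict, List

# [autorun] keys that make Windows run a program when the media is inserted.
EXEC_KEYS = ("open", "shellexecute")

# Constructed sample autorun.inf; "placeholder.exe" is not a real artefact.
SAMPLE_AUTORUN_INF = """\
; constructed sample for this example
[autorun]
icon=%SystemRoot%\\system32\\shell32.dll,4
action=Open folder to view files
open=RECYCLER\\placeholder.exe
shell\\open\\command=RECYCLER\\placeholder.exe
label=USB Drive
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Return key/value pairs from the [autorun] section with lower-cased keys.

    Windows reads the file case-insensitively.  Lines that are not of the form
    key=value (comments, blank lines, binary padding) are ignored.
    """
    entries: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if not in_section or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        # Keys are plain words or shell\<verb>\command paths; anything else is junk.
        if re.fullmatch(r"[a-z0-9_\\]+", key):
            entries[key] = value.strip()
    return entries


def launch_commands(entries: Dict[str, str]) -> List[str]:
    """List every command the parsed section could cause Windows to execute.

    'open' and 'shellexecute' run on insertion while AutoRun is enabled;
    'shell\\<verb>\\command' entries define verbs the file adds to the drive's
    Explorer menu, so they are reported as well.
    """
    commands: List[str] = []
    for key, value in entries.items():
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            commands.append(value)
    return commands


def triage(text: str) -> dict:
    """Summarise an autorun.inf for an analyst: what it runs and how it is labelled."""
    entries = parse_autorun(text)
    commands = launch_commands(entries)
    return {
        "launches_code": bool(commands),
        "commands": commands,
        # The action/label text is what AutoPlay shows the user, so a benign-
        # looking caption next to an executable is worth reporting.
        "displayed_action": entries.get("action", ""),
        "label": entries.get("label", ""),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUN_INF))
```

Run it against the contents of an autorun.inf copied from a drive (with the drive mounted on a system where AutoRun is off); any non-empty `commands` list means inserting that media on an AutoRun-enabled PC would execute a program from it.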

Once infected, machines then try to download the "payload" (malicious files or executables) by generating a new list of 250 domains every day and sequentially connecting to each one. The payloads are also encrypted and signed with RSA keys, and the key size increases with each variant. The biggest change occurring on April 1st involves Conficker's payload delivery process. The new Conficker.C variant changes the domain lookup functionality, increasing the number of domains it looks up and attempts to connect to each day to 500, drawn from a pool of 50,000 generated daily. Conficker.C also creates a peer-to-peer network over which it can push and pull malicious payloads.

There are some symptoms that may indicate a device is infected with Conficker. The attempts to brute-force passwords on network shares may create large numbers of failed logins or locked accounts. This volume of network traffic may also cause noticeable congestion on the Active Directory server or even the internal network. Users of infected PCs will notice that access to multiple security sites has been blocked, as Conficker black-holes connection attempts to these sites. Local security will also be disabled on the system, as Conficker disables Windows Update, Windows Defender, and even Windows Security Center.
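Two of the behaviours described on this page leave a countable trace in logs: the failed-logon bursts from share brute-forcing (this paragraph) and the daily run of lookups for hundreds of generated domains (the payload paragraph above). The following Python is an added example, not code from the original advisory, that runs both checks over constructed log lines. The log line format, the thresholds and the sample hosts are assumptions for this example; the event IDs used in the sample data are the Windows Security log IDs 4625 (failed logon) and 4740 (account locked out).

```python
"""Flag hosts showing the Conficker symptoms described in the advisory.

Added example, not code from the original post.  Two detectors run over
constructed log lines (the line format and thresholds are assumptions, not a
vendor's format): one counts the failed logons and lockouts a source host
causes while brute-forcing share passwords, the other counts the distinct
names a client fails to resolve in one day, the trace left by a host working
through a daily list of generated domains.
"""
from collections import defaultdict
from typing import Dict, List, Tuple

# Thresholds are assumptions for this example; tune them to the environment.
FAILED_LOGON_THRESHOLD = 20        # failed logons from one source host
DISTINCT_NXDOMAIN_THRESHOLD = 100  # distinct names one client failed to resolve per day

# Constructed sample, "timestamp,event_id,source_ip,account".
# 10.0.0.23 sprays 25 failures across five accounts and triggers a lockout;
# 10.0.0.9 is a user who mistyped a password twice.
SAMPLE_AUTH_LOG: List[str] = [
    f"2009-03-31T08:00:{i:02d},4625,10.0.0.23,user{i % 5}" for i in range(25)
] + [
    "2009-03-31T08:00:30,4740,10.0.0.23,user3",
    "2009-03-31T09:15:00,4625,10.0.0.9,alice",
    "2009-03-31T09:15:07,4625,10.0.0.9,alice",
]

# Constructed sample, "timestamp,client_ip,qname,rcode".
# 10.0.0.23 resolves 120 distinct generated-looking names that do not exist;
# 10.0.0.9 makes one normal lookup and one typo.
SAMPLE_DNS_LOG: List[str] = [
    f"2009-04-01T00:{i // 60:02d}:{i % 60:02d},10.0.0.23,gen{i:04d}abc.test,NXDOMAIN"
    for i in range(120)
] + [
    "2009-04-01T07:00:00,10.0.0.9,www.example.test,NOERROR",
    "2009-04-01T07:00:01,10.0.0.9,wwww.example.test,NXDOMAIN",
]


def brute_force_sources(lines: List[str], threshold: int = FAILED_LOGON_THRESHOLD) -> Dict[str, dict]:
    """Return source hosts whose failed-logon count reaches the threshold.

    Each entry reports the failure count, how many distinct accounts were
    tried (password guessing spreads across accounts) and lockouts caused.
    """
    stats: Dict[str, dict] = defaultdict(lambda: {"failed": 0, "accounts": set(), "lockouts": 0})
    for line in lines:
        _ts, event_id, source, account = line.split(",")
        if event_id == "4625":
            stats[source]["failed"] += 1
            stats[source]["accounts"].add(account)
        elif event_id == "4740":
            stats[source]["lockouts"] += 1
    return {
        src: {"failed": s["failed"], "accounts": len(s["accounts"]), "lockouts": s["lockouts"]}
        for src, s in stats.items()
        if s["failed"] >= threshold
    }


def domain_generation_clients(lines: List[str],
                              threshold: int = DISTINCT_NXDOMAIN_THRESHOLD) -> Dict[Tuple[str, str], int]:
    """Return (client, day) pairs that failed to resolve at least `threshold` distinct names.

    Only NXDOMAIN answers count: a host walking a daily list of generated
    domains mostly hits names nobody has registered, while a busy but healthy
    client accumulates NOERROR answers instead.
    """
    per_day: Dict[Tuple[str, str], set] = defaultdict(set)
    for line in lines:
        ts, client, qname, rcode = line.split(",")
        if rcode == "NXDOMAIN":
            per_day[(client, ts[:10])].add(qname.lower())
    return {key: len(names) for key, names in per_day.items() if len(names) >= threshold}


if __name__ == "__main__":
    print("share brute-force sources:", brute_force_sources(SAMPLE_AUTH_LOG))
    print("domain-list walkers:", domain_generation_clients(SAMPLE_DNS_LOG))
```

Both detectors key on the source host rather than on any particular domain or account name, which is what makes them useful here: the page notes that the domain list changes every day, so matching on the names themselves would need constant updating, whereas "one host, hundreds of distinct non-existent names in a day" and "one host, dozens of failed logons across many accounts" describe the behaviour regardless of the day's list.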

Countermeasures: The best way to protect a network against Conficker at this point is to patch all Windows installations to their latest patch levels. The vulnerability that Conficker first exploited was actually patched before the worm was released, in Microsoft's MS08-067 security bulletin. Also, Microsoft has recently reconfigured the AutoRun functionality to make it easier for users to disable, and it is recommended to disable AutoRun in secure environments. Limiting the use of removable drives is also important, as these are not usually scanned on a regular basis for malicious programs. Lastly, make sure that all anti-virus programs and related signature databases are updated regularly. Many anti-virus applications have the option to update automatically on a scheduled basis.

For devices that may already be infected, many software vendors, including Microsoft, have released Conficker removal tools. The infected device will most likely not be able to connect to security sites, so the removal files will need to be transferred to it. Creating a removal CD (compact disc) with the tools included is the safest route, as CDs, once finalized, cannot have data written to them by infected devices.
