I recently was given the opportunity to do some research on Conficker, the new worm that has been causing widespread panic in the Windows user community (poor things).
Having already infected around 2 million computers since November 2008, Conficker is proving to be one of the most threatening strains of computer virus to date. Targeting most major releases of the Microsoft operating system, Conficker has evolved into several variants attacking Windows 2000, XP, Vista and Server. To date, it has reportedly infected institutions such as the French Navy, the United Kingdom Ministry of Defense, and the Federal Republic of Germany. This virus has instilled so much fear in the Windows user base that Microsoft and other anti-virus companies are offering a $250,000 reward for information that leads to the arrest of the entity responsible for creating Conficker.
The word Conficker is said to have two possible origins: it is either a mash-up of the word “configure” and “ficker”, the German word for “fucker”, or it is derived from the domain name trafficconverter.biz, a domain that the virus attempts to contact in order to download additional binaries. The virus, more specifically a worm, exploits a Microsoft security hole originally discovered by Chinese hackers, now addressed by Microsoft as MS08-067, in which an HTTP server is started and remote procedure calls are allowed to run without authentication; reports of Conficker infections began in September 2008. The worm uses this RPC exploit to download a shell script, which downloads a DLL file that runs as a network service and in turn downloads further malicious binaries. While Microsoft patched the hole in October 2008, the majority of Microsoft operating systems remain vulnerable because users elect to opt out of security updates, whether through ignorance or, in the case of users with pirated operating systems, through fear.
Conficker is classified as a “botnet”, meaning a virus that allows its creator to take control of the infected computer, usually to use it for malicious activity such as sending spam e-mail. Two main pillars make Conficker so lethal. The first is the level of intelligence put into a number of the stages of the virus’ life cycle: it uses a very critical exploit of the operating system, it embeds itself deep within root-level areas of the system, it has a powerful algorithm not only for generating a list of Internet domains from which to locate updates released by the Conficker developers but also for the public/private key handshake that authenticates newly downloaded binaries, and later generations of the virus added different exploit techniques and widened the scope of its destruction. The second is that Conficker “evolves”, moving into different classifications based on noted characteristics of its behavior and tactics. Even more startling is the analytical infrastructure built into the virus: the aforementioned domains expose an API through which an infected host reports not about itself but about how many other computers it has infected.
When people speak of the Conficker virus, they may be referring to any of several strains. Each strain is defined by the use of a different exploit, a new self-defense tactic, or, most importantly, a different end result.
Conficker.A was first officially noted around November 21, 2008 and is the original incarnation of the virus. This was the most basic breed of Conficker: it used the MS08-067 exploit and downloaded from trafficconverter.biz. It also installs a shell script that generates a list of 250 Internet domains, which it periodically polls to check whether the virus’ creators have released any updates to the software.
The next evolution was Conficker.B, which appeared around December 29, 2008. To date, this is considered the most threatening of all variants because of its proactive as well as retroactive additions. This variant added two notable differences from its predecessor. First, it attempted to gain access to computers on the network via the Microsoft NetBIOS API, using dictionary attacks to gain access to the administrative shares. Secondly, and possibly more importantly, this strain of Conficker implemented a scheme to attach itself to removable media, such as a USB drive, which would then install the virus on any computer the drive was connected to via the Windows AutoRun utility.
This variant also added preventive measures, such as attempts to block Microsoft automatic updates, in the hope of discouraging any attempt by Microsoft to squelch the exploits.
The Conficker.C strain was the first to implement regular polling of its generated domain list. In the earlier half of March, it was noted that a small group of computers infected with Conficker.B had actually started receiving binary updates from some of these domains. These updates upgraded the existing virus to Conficker.C. This version increased the domain lookup list to up to 50,000 entries, and reverse-engineering attempts hinted at a possible use of all the gathered Conficker botnets together with the queried domains. In April, Conficker.C began a wave of botnet attacks in which it lured victims to fake anti-virus sites, getting users to spend $50 on anti-virus software which is actually the Conficker virus, and storing all of their credit card information. The big scare of Conficker.C is the evidence of a peer-to-peer network that the entire Conficker campaign had developed and begun to employ.
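As an added illustration (not code from the original report, and not Conficker's actual algorithm), the Python below shows the defensive side of the domain-polling behaviour described above: a toy date-seeded generator stands in for the worm's daily list, and DNS query logs are matched against that day's candidate set to flag hosts that keep polling it. The generator, its seed, the log format and the IP addresses are all constructed assumptions.

```python
import hashlib
from collections import Counter
from datetime import date

# Toy date-seeded generator, constructed for this example. It is NOT
# Conficker's algorithm; it only has the same shape: every copy of the worm
# derives the same daily candidate list, so a defender who knows the
# algorithm can derive it too and watch DNS logs for hosts that poll it.
TLDS = ("com", "net", "org", "info", "biz")

def candidate_domains(day: date, count: int = 250, seed: bytes = b"toy-seed") -> set:
    """Return the `count` candidate domains a host would poll on `day`."""
    names = set()
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        h = hashlib.sha256(material).hexdigest()
        label = "".join(chr(ord("a") + int(h[j:j + 2], 16) % 26) for j in range(0, 16, 2))
        names.add(f"{label}.{TLDS[int(h[-2:], 16) % len(TLDS)]}")
    return names

def find_polling_hosts(log_lines, day: date, threshold: int = 3) -> dict:
    """Count per-client DNS queries that hit the day's candidate list.

    Assumed (constructed) log format: '<timestamp> <client-ip> <queried-name>'.
    Returns {client_ip: hits} for clients at or above `threshold`: one hit can
    be coincidence, repeated hits look like the worm's update polling.
    """
    wanted = candidate_domains(day)
    hits = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        if qname.lower().rstrip(".") in wanted:
            hits[client] += 1
    return {ip: n for ip, n in hits.items() if n >= threshold}

# Constructed sample log: 10.0.0.5 behaves like an infected host, 10.0.0.9 does not.
DAY = date(2009, 4, 1)
_doms = sorted(candidate_domains(DAY))
SAMPLE_LOG = [f"2009-04-01T00:0{i}:00 10.0.0.5 {_doms[i]}" for i in range(4)] + [
    "2009-04-01T00:05:00 10.0.0.9 update.microsoft.com",
    f"2009-04-01T00:06:00 10.0.0.9 {_doms[0]}",  # one stray hit, below threshold
    "2009-04-01T00:07:00 10.0.0.9 www.example.com",
]

if __name__ == "__main__":
    print(find_polling_hosts(SAMPLE_LOG, DAY))  # {'10.0.0.5': 4}
```

The same candidate set can be handed to a DNS blocklist or sinkhole, so the host's polling is both flagged and starved of updates.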
While noted as an individual type, the D strain is not acknowledged with the same merit as the others. It is noted as a major deviation from Conficker.C because it implemented a prevention mechanism that disallows DNS lookups of known anti-malware websites.
Version E is the current version of Conficker, which the world is watching in anticipation. It also has deep connections with the C variant, with ties to fake anti-spyware sites. More impressive is its ability to recognize the B variant and, after confirmation, update it to variant C over the aforementioned peer-to-peer network. The world is currently waiting in anticipation of Wednesday, May 5, when reverse-engineers at major anti-virus corporations have confirmed their belief that Conficker.E is set to self-destruct.
Symptoms & damage
The Conficker virus is not very difficult to detect on a computer. In its first stages, the virus implants multiple virus-based binary files in different areas of the computer. The third stage of the virus shuts down many protection functions of the operating system and any anti-virus software. It begins by disabling the Windows Update system, which includes the MS08-067 update that protects against the specific exploit the virus takes advantage of. Additionally, it blocks access to the websites that known anti-virus companies use for their software updates.
Perhaps one of the most dangerous aspects of the Conficker virus is its ability to be easily modified and updated remotely. As previously mentioned, there are four main mutations of the Conficker virus, each steadily more harmful and dangerous. Any system with a less than up-to-date version of the virus can be updated through a P2P-like protocol programmed into the virus itself. By this method, Conficker version A or B can be updated to Conficker C or E. Conficker C and E will download malicious executables and phony anti-spyware software onto your computer which prompt you that you have a virus and ask for your credit card to buy anti-virus software. This supposed software is actually the virus, and your credit card information is stored.
The process the virus follows is rather ingenious in fooling both the operating system’s built-in security and any anti-virus software that might be installed. The Conficker virus begins by checking the host computer for a firewall. If the infected computer has a firewall, the virus opens a random logical port by sending a Universal Plug-and-Play (UPnP) request to the firewall. Through this open port it is able to download the rest of the virus as a binary stream. The virus carries a public key which allows it to receive encrypted files from a self-updating random list of hosts that might possibly host the download of a malicious executable.
Prevention and protection
The best first step to protecting your computer is to update Windows with Microsoft’s latest operating system updates. The Conficker virus uses a well-known exploit in Microsoft Windows which Microsoft has acknowledged and labeled MS08-067, and for which it released a patch in October 2008 that directly addresses and fixes the vulnerability. The exploit itself allows malicious code to be installed and executed remotely by sending it through the RPC (remote procedure call) server. This server is intended to run programs remotely, but it is supposed to be a secure protocol in which you must provide validation to prove you aren’t an attacker. Installing the patch corrects the methods used for handling RPCs, effectively putting up a solid first line of defense against the virus breaking into your system. In addition to installing the latest Microsoft system updates, keeping a subscription to anti-virus software installed and fully updated is important to prevent and/or treat the Conficker virus. While these methods seem rather basic, the Conficker virus relies on the people who, for whatever reason, haven’t updated their systems completely. If you have a fully updated operating system and anti-virus software, you will almost certainly detect and/or prevent a Conficker infection almost every time.
The virus propagates through the Internet and through local area networks (LANs). Even when a computer has all of the necessary updates, the virus creators implemented a clever workaround for the case where some computers on a LAN had prevented the exploit from being used. Conficker can put up a firewall facade, which makes the end user believe they are protected. The pseudo-firewall, however, recognizes other strains of the virus that are trying to update the infected computer’s current version, and allows their updates to pass through.
The virus can also spread through removable media such as flash memory drives, floppy disks or CDs you burn from an infected computer. When any of these devices is put into a non-infected computer, the Windows AutoRun function automatically runs the .DLL file that the virus places on the removable device. In order to prevent the Conficker worm from gaining system access via removable devices, the Windows AutoRun function should be turned off.
The virus also implements a social engineering attack by adding an option which leads the user to believe they are opening a folder to view files, and which even has the same icon as the normal Windows option of the same name; when selected, however, this nefarious option executes and copies the virus to the hard drive.
Built into the virus is also a list of commonly used network passwords. Negligence on the part of an administrator or user in choosing a password allows the bug to easily bypass password prompts by entering a password from its long list of extremely weak common passwords. Known as a “dictionary attack”, the passwords included in this list are things like strings of the same character, consecutive letters or numbers, and very common phrases such as “PASSWORD”. Setting any password to something this simple and easy to guess is a problem in general, but the Conficker virus uses simple passwords to its advantage. By choosing a password that is a random string of characters, numbers and letters, you effectively stop the Conficker virus from accessing your computer over a network and prevent it from using your administrator password to infect your files.
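The password categories just described can be checked mechanically before a password is set on an administrative share. This added Python example (not part of the original report; the phrase list is an illustrative stand-in, not Conficker's built-in list) rejects repeated characters, consecutive runs and common phrases, then generates a random replacement of the kind the paragraph recommends.

```python
import re
import secrets
import string
from typing import Optional

# Illustrative common phrases of the kind the report mentions; constructed
# for this example, NOT the worm's actual password list.
COMMON_PHRASES = ("password", "admin", "letmein", "welcome", "qwerty")

def _is_repeated_char(pw: str) -> bool:
    """'aaaaaaaa' style: only one distinct character in the whole string."""
    return len(set(pw)) == 1

def _is_sequence(pw: str) -> bool:
    """'abcdef', '123456' or '654321' style: every step is +1 or -1 in ASCII."""
    if len(pw) < 2:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}

def weak_password_reason(pw: str) -> Optional[str]:
    """Return why `pw` would fall to the dictionary attack described, or None if it passes.

    The report's three categories are tested first, then length and character mix.
    """
    if not pw:
        return "empty"
    lowered = pw.lower()
    if any(phrase in lowered for phrase in COMMON_PHRASES):
        return "common phrase"
    if _is_repeated_char(pw):
        return "single repeated character"
    if _is_sequence(lowered):
        return "consecutive letters or digits"
    if len(pw) < 12:
        return "shorter than 12 characters"
    classes = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")
    if sum(1 for c in classes if re.search(c, pw)) < 3:
        return "fewer than three character classes"
    return None

def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG with at least one character of each class."""
    pools = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)
    chars = [secrets.choice(pool) for pool in pools]  # guarantee every class once
    chars += [secrets.choice("".join(pools)) for _ in range(length - len(pools))]
    secrets.SystemRandom().shuffle(chars)  # so the forced characters are not always first
    return "".join(chars)

if __name__ == "__main__":
    for candidate in ("PASSWORD", "aaaaaaaa", "12345678", "correcthorsebattery", generate_password()):
        print(f"{candidate!r}: {weak_password_reason(candidate) or 'ok'}")
```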
If the virus is already infecting your system, prevention is no longer an option, and removal is much more difficult than prevention before infection. The Conficker virus attaches binary files to many system .dll files, including patching svchost.dll, an important Windows runtime library. Additionally, it prevents you from accessing the online databases required to update any software that would be able to stall the virus. While there does not seem to be a good way to repair all of the affected files, Microsoft advertises that its web-based anti-virus scan and removal tool is able to isolate and repair affected systems, which allows the owner of the system to regain access to the Microsoft Update site and update Windows with the necessary patches. According to Microsoft’s press releases about the virus and the patch, after installing and running the anti-virus tool and installing the update, Conficker is essentially neutralized and no longer poses any threat.
While the world sits and waits in anticipation of what future variations of the virus will do, it is also worried about May 5th, when the E strain of the virus is set to expire. The same expectation arose in early April, which only led to more strains. One thing is certain, however: Windows users are more aware of the virus, they are more educated, and they are taking more proactive measures not only to treat but to prevent this virus. While the end of the virus’ life cycle is still unclear, it is plain to see that Conficker has made its impact as prevalent as the Melissa virus and the I Love You virus, and will continue to be the main focus of anti-virus corporations and software engineers until the end of its reign.
Thanks to Michael Skeffington for his contributions to the report.