Conficker Working Group – Archive of Materials

Conficker Still Survives!

While public attention to Conficker has faded since the widely publicized April 1st, 2009 “attack date”, the fact is that a huge number of computer systems remain infected with Conficker. As recently as late October 2009, the number of systems infected with the A+B+C variants topped seven million. The Conficker Working Group Core Team still maintains the list of domains, sinkholes those domains, and keeps tabs on the Conficker infections in the world. For the Latest on Conficker – Go to the Shadowserver Wiki. It has the latest monitoring of Conficker infections.

As a founding member of the Conficker Working Group, Shadowserver has studied and reported on the widespread infection and propagation of Conficker. These pages are intended to illustrate the level and extent of Conficker infections around the world. We list the top 500 ASNs in which Conficker-infected IPs were identified; more than 12,000 ASNs have Conficker IPs in their network space on any given day. The data displays are limited to ASNs with ten or more infected IPs. The remaining ASNs and the related charts can be found in the individual country breakdowns.

WARNING! If you find Conficker infections in your network, it is a sign that really old, unpatched systems are still live and functional. Locations with a Conficker infection consistently show more miscreant activity of other kinds as well: Conficker is the “tip of the iceberg.”

Conficker Documents

There are several documents and one book on Conficker. We list them here; they are also referenced in other sections.

Conficker Working Group – Lessons Learned June 2010 (Published January 2011) – whitepaper_76813745321 – The Conficker Working Group was a change in how the industry organized to build a response to malware systems. At the end of the work, we sought funding to document the lessons we learned so that others can gain insight (and not repeat mistakes).

Worm: The First Digital World War by Mark Bowden. It was a surprise to get a call from Mark Bowden about Conficker. It was a bigger surprise to find out he wanted to write a book about the total experience. Barry Greene (one of the Core Team members) volunteered to call people throughout all the Conficker Working Group communities. The agreement worked out with Mark was that each person would get to say whether they wanted attribution. Some did (and were named in the book). Others were “inferred” in the book. This is one of the first “interview the insiders” accounts of a Security Trust Group.

Conficker Summary and Review by Dave Piscitello, ICANN Senior Security Technologist. Dave was one of the core Conficker Working Group participants. This report provides a chronology of events related to the containment of the Conficker worm. It provides an introduction and brief description of the worm and its evolution, but its primary focus is to piece together the post-discovery and analysis events, describe the containment measures chronologically, and describe the collaborative effort to contain the spread of the worm. The author captures lessons learned during a containment period spanning nearly a year and describes recent activities that attempt to apply the lessons learned so that the security and DNS communities can be better prepared for future attacks that exploit the global DNS.

This report represents the work of the author, on behalf of the ICANN Security Team. The author is responsible for errors or omissions. While members of the Conficker Working Group, ICANN SSAC, individual security researchers, and certain ICANN registries were invited to comment on or review the report, none of these organizations were asked to formally endorse this work product.

Conficker Details

Conficker Introduction

Conficker, also known as Downup, Downadup, Conflicker, and Kido, is a computer worm that surfaced on November 21st, 2008 as Conficker.A and targets the Microsoft Windows operating system. The worm exploits a known vulnerability (MS08-067) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and the Windows 7 Beta. The latest variant at the time of writing, Conficker.C, switches to a new domain generation algorithm and begins checking it for a payload to download on April 1st, 2009 (the “attack date” referred to above). Conficker.A and Conficker.B continue to check for payloads, each with its own distinct domain generation algorithm.

Operation

The Conficker worm spreads primarily through a buffer overflow vulnerability in the Server service on Windows computers: a specially crafted RPC request executes code on the target computer. Once running, Conficker disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender, and Windows Error Reporting. It receives further instructions by connecting to a server or peer and downloading a binary update; those instructions may include propagating, gathering personal information, and downloading and installing additional malware onto the victim’s computer. The worm also attaches itself to certain Windows processes such as svchost.exe, explorer.exe, and services.exe. It appears to implement some of the ideas presented by Fucs, Paes de Barros and Pereira at the Black Hat Briefings Europe 2007, specifically digitally signed additional payloads, use of a PRNG for communication, and P2P communication.

Payload

The “A” and “B” variants of Conficker will create an HTTP server and open a random port between 1024 and 10000. If the remote machine is exploited successfully, the victim will connect back to the HTTP server and download a worm copy. It will also reset System Restore points, and download files to the target computer.

Symptoms of infection

  • Account lockout policies being triggered or reset automatically.
  • Certain Microsoft Windows services such as Automatic Updates, BITS, Windows Defender, and Error Reporting are disabled automatically.
  • Domain controllers respond slowly to client requests.
  • The local network becomes unusually congested. This can be checked with the network traffic chart in Windows Task Manager.
  • Websites of antivirus vendors and Windows Update cannot be reached from the infected machine.
  • A brute-force attack against administrator passwords, used to spread through ADMIN$ shares, which makes the choice of sensible passwords advisable.
  • TCP/445 scanning (variants A and B).
  • Multicast UPnP requests.
  • High-port TCP and UDP P2P activity.
  • Abnormal DNS lookup activity.
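The symptoms above, together with the port-445 exploitation and the high-port download of the worm copy described under Operation and Payload, are the kind of signals a network operator can score from flow and DNS logs. The following is an added example, not code from the Conficker Working Group, Shadowserver, or this page: the log format, the sample records and the thresholds are constructed for it, and the domain-shape test is a rough heuristic, not the worm’s own domain generation algorithm.

```python
"""Heuristic detector for three Conficker symptoms: TCP/445 scan fan-out,
freshly exploited victims connecting back to a high port to fetch the worm
copy, and bursts of NXDOMAIN lookups for DGA-shaped names.  Added example;
the log format below is constructed for it and is not a real sensor's."""
import re
from collections import defaultdict

# Constructed record formats (assumed for this example):
#   <timestamp> <src-ip> conn <dst-ip>:<dst-port>
#   <timestamp> <src-ip> dns <qname> <rcode>
CONN_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) conn (?P<dst>[\d.]+):(?P<port>\d+)$")
DNS_RE = re.compile(r"^(?P<ts>\S+) (?P<src>[\d.]+) dns (?P<qname>\S+) (?P<rcode>\S+)$")

# Constructed sample: 10.0.0.7 is infected, 10.0.0.9 is a normal workstation.
SAMPLE_LINES = [
    "2009-04-01T00:00:01 10.0.0.7 dns qkvwzpdl.com NXDOMAIN",
    "2009-04-01T00:00:01 10.0.0.7 dns xbmgrtfnpze.net NXDOMAIN",
    "2009-04-01T00:00:02 10.0.0.7 dns hwzqlkvtyb.org NXDOMAIN",
    "2009-04-01T00:00:02 10.0.0.7 dns pqdrmzlcg.biz NXDOMAIN",
    "2009-04-01T00:00:03 10.0.0.7 dns ztlkbnwfxm.info NXDOMAIN",
    "2009-04-01T00:00:03 10.0.0.7 dns gvmxrtplqk.com NXDOMAIN",
    "2009-04-01T00:00:04 10.0.0.7 dns nbfcgtwmqr.net NXDOMAIN",
    "2009-04-01T00:00:04 10.0.0.7 dns sklpvzrtbd.org NXDOMAIN",
    "2009-04-01T00:00:05 10.0.0.7 dns wqtzmbakrfl.biz NXDOMAIN",
    "2009-04-01T00:00:05 10.0.0.7 dns rmkvzptgjw.info NXDOMAIN",
    "2009-04-01T00:00:06 10.0.0.9 dns www.microsoft.com NOERROR",
    "2009-04-01T00:00:07 10.0.0.9 dns intranet.local NXDOMAIN",
    "2009-04-01T00:00:08 10.0.0.9 conn 10.0.0.50:445",
]
# The infected host sweeps part of the /24 on tcp/445 ...
SAMPLE_LINES += [f"2009-04-01T00:01:{i:02d} 10.0.0.7 conn 10.0.0.{i}:445" for i in range(20, 45)]
# ... and one freshly exploited victim connects back to its random high port.
SAMPLE_LINES.append("2009-04-01T00:02:00 10.0.0.21 conn 10.0.0.7:4821")


def is_dga_shaped(qname):
    """Crude shape test: a single label of 8-11 lowercase ASCII letters with
    few vowels, directly under a TLD.  Public analyses describe the A/B names
    as short runs of random lowercase letters; the length window and vowel
    ratio here are this example's own thresholds, not the worm's algorithm."""
    labels = qname.rstrip(".").split(".")
    if len(labels) != 2:
        return False
    sld = labels[0]
    if not (8 <= len(sld) <= 11 and sld.isascii() and sld.isalpha() and sld.islower()):
        return False
    vowels = sum(c in "aeiou" for c in sld)
    return vowels / len(sld) < 0.35


def detect(lines, scan_threshold=10, dga_threshold=10):
    """Return {host: [finding, ...]} for hosts showing any of the three symptoms."""
    hits_445 = set()                # (scanner, target) pairs seen on tcp/445
    targets_445 = defaultdict(set)  # scanner -> distinct targets on tcp/445
    dga_nx = defaultdict(set)       # host -> distinct NXDOMAIN DGA-shaped names
    callbacks = []                  # (victim, attacker, port)
    for line in lines:
        m = CONN_RE.match(line)
        if m:
            src, dst, port = m["src"], m["dst"], int(m["port"])
            if port == 445:
                hits_445.add((src, dst))
                targets_445[src].add(dst)
            elif 1024 <= port <= 10000 and (dst, src) in hits_445:
                # An earlier 445 target now connects back to the scanner's
                # random high port: the worm-copy download described under Payload.
                callbacks.append((src, dst, port))
            continue
        m = DNS_RE.match(line)
        if m and m["rcode"] == "NXDOMAIN" and is_dga_shaped(m["qname"]):
            dga_nx[m["src"]].add(m["qname"])

    findings = defaultdict(list)
    for host, targets in targets_445.items():
        if len(targets) >= scan_threshold:
            findings[host].append(f"tcp/445 fan-out to {len(targets)} hosts")
    for host, names in dga_nx.items():
        if len(names) >= dga_threshold:
            findings[host].append(f"{len(names)} NXDOMAIN lookups for DGA-shaped names")
    for victim, attacker, port in callbacks:
        findings[attacker].append(f"{victim} connected back on tcp/{port} after a 445 hit (worm-copy download?)")
        findings[victim].append(f"connected back to {attacker}:{port} after being hit on 445 (likely newly infected)")
    return dict(findings)


if __name__ == "__main__":
    for host, notes in sorted(detect(SAMPLE_LINES).items()):
        print(host)
        for note in notes:
            print("   ", note)
```

On the constructed sample the infected host is flagged for all three signals and the callback victim is flagged as a probable new infection, while the workstation’s single file-server connection and its one mistyped intranet name (too vowel-heavy to look generated) produce nothing. In production the thresholds need tuning per network, and the domain-shape test is only a triage aid: the authoritative check is whether the queried names are on the Working Group’s sinkholed domain list.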

Impact

Experts say it is the worst infection since SQL Slammer. Estimates of the number of infected computers range from almost 9 million to 15 million; a conservative minimum estimate is more like 3 million, which is still more than enough to cause great harm. Anti-virus vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware. The potential scale of infection is large because 30 percent of Windows computers do not have the Microsoft patch released in October 2008 that closes this vulnerability. The U.K. Ministry of Defence reported that some of its major systems and desktops were infected, with the worm spreading across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines. Hospitals across the city of Sheffield reported infection of over 800 computers.

  • On February 1, 2009, schools in the town of Rochdale, England were infected. The worm spread to 13 schools and is estimated to have infected 7,500 computers.
  • On February 13, the Bundeswehr reported that several hundred of its computers were infected.
  • On March 27, 2009, the British Director of Parliamentary ICT released a (leaked) memo stating that the House of Commons computer network had been infected with the worm, and called on everyone with access to the network to use caution and not connect any unauthorized equipment to it.

Response

On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence. As of February 13, 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the criminals behind the creation and/or distribution of Conficker.

Patching and Removal

On 15 October 2008 Microsoft released a patch (MS08-067) to fix the vulnerability. Removal tools are available from Microsoft, BitDefender, ESET, Symantec, Sophos, and Kaspersky Lab, while McAfee and AVG can remove it with an on-demand scan. While Microsoft has released patches for the later Windows XP Service Packs 2 and 3 and Windows 2000 SP4 and Vista, it has not released any patch for Windows XP Service Pack 1 or earlier versions (excluding Windows 2000 SP4), as the support period for these service packs has expired. Since the virus can spread via USB drives that trigger AutoRun, disabling the AutoRun feature for external media (through modifying the Windows Registry) is recommended. However the United States Computer Emergency Readiness Team describes Microsoft’s guidelines on disabling Autorun as being “not fully effective,” and they provide their own guides. Microsoft has released a removal guide for the worm via the Microsoft website.

Also, on March 16, 2009, BitDefender released an updated tool to remove the Downadup/Conficker worm, hosted at a new domain, bdtools.net, that the worm does not block. It also comes as a separate installer dedicated to network administrators, so that the scanner can be dispatched throughout a network to remotely scan and disinfect workstations.

Refer to Wikipedia for reference URLs http://en.wikipedia.org/wiki/Conficker Text adapted from Wikipedia: All text on this page is available under the terms of the GNU Free Documentation License

The Conficker Working Group Lessons Learned Document

Starting in late 2008, and continuing through June of 2010, a coalition of security researchers worked to resist an Internet borne attack carried out by malicious software known as Conficker. This coalition became known as “The Conficker Working Group”, and seemed to be successful in a number of ways, not the least of which was unprecedented cooperation between organizations and individuals around the world, in both the public and private sectors.

In 2009, The Department of Homeland Security funded a project to develop and produce a “Lessons Learned” document that could serve as a permanent record of the events surrounding the creation and operation of the working group so that it could be used as an exemplar upon which similar groups in the future could build. This is the document.

The Rendon Group conducted the research independently, and although a number of members of the Conficker Working Group were interviewed, and provided information to the authors, the report is the sole work product of the Rendon Group. The views and conclusions are not necessarily those of the Conficker Working Group or any of its official or unofficial members. Nonetheless, the Core Committee of the Conficker Working Group believes the report has substantial value and is pleased to provide access to the Rendon document via the Conficker Working Group Website.

An additional thank you to Rick Wesson of Support Intelligence, and David Dagon from Georgia Tech for their efforts in getting the Lessons Learned project funded.

The document can also be downloaded here: Conficker Working Group – Lessons Learned June 2010 (Published January 2011) – whitepaper_7681374532

Rodney Joffe

Chair

Conficker Working Group


Follow up questions can be directed to the Rendon Group at the address below, as well as the following members of the Conficker Working Group Core Committee:

  • The Rendon Group
  • Phone: +1 202-745-4900
  • trginfo@rendon.com

Conficker Working Group Core Committee

The ShadowServer Foundation

  • Andre’ DiMino
  • Co-Founder and Director
  • Phone: +1 914-410-6480
  • Email: adimino@shadowserver.org

Neustar, Inc

  • Rodney Joffe
  • Senior Vice President
  • Phone: +1 202-533-2900
  • Email: rodney.joffe@neustar.biz

Verisign, Inc.

  • Ramses Martinez
  • Director of Information Security
  • Phone: +1 571-723-1874
  • Email: ramartinez@verisign.com

Arbor Networks PR Contact

  • Kevin Whalen
  • kwhalen@arbor.net
  • Phone: +1 978-852-8432

Microsoft PR contact

  • Christine McKeown, Waggener Edstrom
  • (425)638-7465
  • cmckeown@waggeneredstrom.com

SRI International

Internet Systems Consortium

  • Barry Greene
  • President
  • Phone: +1 650-423-1311
  • Email: bgreene@isc.org