From Wikipedia, the free encyclopedia

Common name: Conficker
Classification: Unknown
Type: Computer worm
Subtype: Computer virus

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008.[1] An early variant of the worm propagated through the Internet by exploiting a vulnerability in the network stack of Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta that was discovered earlier that month.[2] The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.[3][4]

Although the origin of the name "conficker" is not known with certainty, Internet specialists and others have speculated that it is a German portmanteau fusing the term "configure" with "ficken", the German word for "to fuck".[5] Microsoft analyst Joshua Phillips describes "conficker" as a rearrangement of portions of the domain name "".[6]

Impact

Conficker is believed to be the most widespread computer worm infection since SQL Slammer in 2003.[7] The initial rapid spread of the worm has been attributed to the number of Windows PCs (estimated at 30%) which have yet to apply the Microsoft patch for the MS08-067 vulnerability.[8]

By January 2009, the estimated number of infected computers ranged from almost 9 million[9][10] to 15 million.[11] Antivirus software vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with Conficker.[12]

Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.[13]

The UK Ministry of Defence reported that some of its major systems and desktops were infected. The worm spread across administrative offices and NavyStar/N* desktops aboard various Royal Navy warships and submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.[14][15]

On 2 February 2009, the Bundeswehr, the unified armed forces of the Federal Republic of Germany, reported that about one hundred of their computers were infected.[16]

A memo from the British Director of Parliamentary ICT informed the users of the House of Commons on 24 March 2009 that it had been infected with the worm. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorized equipment to the network.[17]

Operation

Four main variants of the Conficker worm are known and have been dubbed Conficker A, B, C and D. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, and 4 March 2009, respectively.[18]

Variant name / Detection date / Infection vectors / Update propagation / Self-defense

Conficker A (detected 2008-11-21)
  Infection vectors:
  • NetBIOS
    • Exploits MS08-067 vulnerability in Server service[4]
  Update propagation:
  • HTTP pull
    • Downloads from
    • Downloads daily from any of 250 pseudorandom domains over 5 TLDs[19]
  Self-defense: (none listed)

Conficker B (detected 2008-12-29)
  Infection vectors:
  • NetBIOS
    • Exploits MS08-067 vulnerability in Server service[4]
    • Dictionary attack on ADMIN$ shares[20]
  • Removable media
    • Creates DLL-based AutoRun trojan on attached removable drives[21]
  Update propagation:
  • HTTP pull
    • Downloads daily from any of 250 pseudorandom domains over 8 TLDs[19]
  • NetBIOS push
    • Patches MS08-067 to open reinfection backdoor in Server service[22]
  Self-defense:
  • Blocks DNS lookups
  • Disables AutoUpdate

Conficker C (detected 2009-02-20)
  Infection vectors:
  • NetBIOS
    • Exploits MS08-067 vulnerability in Server service[4]
    • Dictionary attack on ADMIN$ shares[20]
  • Removable media
    • Creates DLL-based AutoRun trojan on attached removable drives[21]
  Update propagation:
  • HTTP pull
    • Downloads daily from any of 250 pseudorandom domains over 8 TLDs[19]
  • NetBIOS push
    • Patches MS08-067 to open reinfection backdoor in Server service[22]
    • Creates named pipe to receive URL from remote host, then downloads from URL
  Self-defense:
  • Blocks DNS lookups
  • Disables AutoUpdate

Conficker D (detected 2009-03-04)
  Infection vectors: None
  Update propagation:
  • HTTP pull
    • Downloads daily from any 500 of 50000 pseudorandom domains over 110 TLDs[19]
  • P2P push/pull
    • Uses custom protocol to scan for peers via UDP, then transfer via TCP[23]
  Self-defense:
  • Blocks DNS lookups
    • Does an in-memory patch of DNSAPI.DLL to block lookups of anti-malware related web sites
  • Disables AutoUpdate
  • Kills anti-malware
    • Scans for and terminates processes with names of anti-malware, patch or diagnostic utilities at one-second intervals

Initial infection

  • Variants A and B exploit a vulnerability in the Server service on Windows computers: an already-infected source computer sends a specially crafted remote procedure call request to force a buffer overflow and execute shellcode on the target computer.[24] On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe. Variants B and later may attach instead to a running services.exe or Windows Explorer process.[4]
  • Variant B can remotely execute copies of itself through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, it will attempt a brute force attack, potentially generating large amounts of network traffic and tripping user account lockout policies.[25]
  • Variant B places a copy of itself on any attached removable media (such as USB flash drives), from which it can then infect new hosts through the Windows AutoRun mechanism.[21]

To start itself at system boot, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds keys to the registry to have svchost.exe invoke that DLL as an invisible network service.[4]

Payload propagation

The worm has several mechanisms for pushing or pulling executable payloads over the network. These payloads have, so far, been used by variants A, B and C to replace themselves with variant D, which does not infect new hosts over NetBIOS or through removable media.

  • Variant A generates a list of 250 domain names every day across five top-level domains (TLDs). The domain names are generated from a pseudorandom number generator seeded with the current date, so that every copy of the worm generates the same names each day. The worm then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.[4]
    • Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.[4]
    • To counter the worm's use of pseudorandom domain names, ICANN and several TLD registries began a coordinated barring of transfers and registrations for these domains in February 2009.[26] Variant D counters this by generating a daily pool of 50000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names have also been shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until 1 April 2009)[18][27] is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the worm's peer-to-peer network.[19] The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a DDoS on sites serving those domains.[28]
  • Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.[27]
  • Variants B and C perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.[22]
  • Variant D creates an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the worm is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.[27][23]

Armoring

To prevent payloads from being hijacked, variant A payloads are MD6-hashed, RC4-encrypted with the 512-bit hash as the key, and the hash is then signed with a 1024-bit RSA key. The payload is unpacked and executed only if it verifies with a public key embedded in the worm. Variants B and later increase the size of the RSA key to 4096 bits.[27]
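The hash-encrypt-sign scheme above is the same design as a signed software-update channel: a recipient holding only the public key can recover the hash, decrypt, and check integrity, while anyone without the private key cannot produce an accepted payload. The following is an added illustration, not code from the page or from any analysis of the worm; it assumes SHA-512 in place of MD6 and a toy RSA key built from two Mersenne primes (constructed so the 512-bit digest fits below the modulus, not a real or secure key).

```python
import hashlib
from typing import Optional, Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def digest(data: bytes) -> bytes:
    """SHA-512 stands in for the 512-bit MD6 described for the worm (hashlib has no MD6)."""
    return hashlib.sha512(data).digest()

# Toy RSA key from two Mersenne primes (2^521-1 and 2^607-1), chosen only so that a
# 512-bit digest is smaller than n. Constructed for illustration; not a real key.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: held only by the payload author

def package(payload: bytes, d: int, n: int) -> Tuple[bytes, int]:
    """Author side: hash, RC4-encrypt with the hash as key, RSA-sign the hash."""
    h = digest(payload)
    ciphertext = rc4(h, payload)
    signature = pow(int.from_bytes(h, "big"), d, n)
    return ciphertext, signature

def verify_and_unpack(ciphertext: bytes, signature: int, e: int, n: int) -> Optional[bytes]:
    """Recipient side, knowing only the public key (e, n).

    The RSA public operation recovers the hash from the signature, and that hash is
    the RC4 key. A signature not made with the matching private key yields a wrong
    key, so the decrypted bytes do not hash to it and the payload is rejected.
    """
    recovered = pow(signature, e, n)
    if recovered.bit_length() > 512:
        return None  # cannot be a 512-bit digest
    h = recovered.to_bytes(64, "big")
    plaintext = rc4(h, ciphertext)
    return plaintext if digest(plaintext) == h else None
```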

Self-defense

Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[29] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[30] An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.[27]

Symptoms

Automated detection

On 27 March 2009, security researcher Dan Kaminsky discovered that Conficker-infected hosts have a detectable signature when scanned remotely.[32] Signature updates for a number of network scanning applications are now available, including Nmap[33] and Nessus.[34]

Response

On 12 February 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.[35][3]

From Microsoft

As of 13 February 2009, Microsoft is offering a US$250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.[36][37][38][39][40]

From registries

ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the worm's domain generator. Those which have taken action include:

  • On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by the worm over the next 12 months.[41]
  • On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."[42]
  • On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the worm over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack to legitimate domains which happen to be in the generated set.[43]
  • On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the worm.
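Both the date-seeded generator described under "Payload propagation" and the registry locking above rest on one property: because every copy derives the day's names from the date alone, a defender can run the same generator forward and lock or sinkhole the names before the worm looks them up. The block below is an added illustration, not the page's or the worm's code; the generator is a hypothetical stand-in (SHA-256-seeded PRNG, 250 names of 8-11 characters over five assumed TLDs) and not Conficker's actual algorithm, and the registered-domain list is constructed.

```python
import hashlib
import random
from datetime import date, timedelta

# Hypothetical stand-in generator, NOT Conficker's real algorithm: a PRNG seeded
# from the calendar date, so every copy run on the same day derives the same list.
TLDS = ["com", "net", "org", "info", "biz"]  # five assumed TLDs, as for variant A
LETTERS = "abcdefghijklmnopqrstuvwxyz"

def domains_for_date(day_iso, count=250, tlds=TLDS, min_len=8, max_len=11):
    """The day's candidate rendezvous domains for a date given as 'YYYY-MM-DD'."""
    seed = int.from_bytes(hashlib.sha256(day_iso.encode()).digest()[:8], "big")
    rng = random.Random(seed)
    names = []
    for _ in range(count):
        label = "".join(rng.choice(LETTERS) for _ in range(rng.randint(min_len, max_len)))
        names.append(f"{label}.{rng.choice(tlds)}")
    return names

def lock_list(start_iso, days, tld):
    """Registry view: every name under `tld` the generator will produce from
    `start_iso` for `days` days, i.e. what preemptive locking has to cover."""
    start = date.fromisoformat(start_iso)
    locked = set()
    for offset in range(days):
        day = (start + timedelta(days=offset)).isoformat()
        locked.update(n for n in domains_for_date(day) if n.endswith("." + tld))
    return locked

def collisions(generated, registered):
    """Generated names that already belong to someone: hosts that will receive the
    worm's daily lookup traffic and that locking cannot protect."""
    return set(generated) & set(registered)
```

Running `lock_list("2009-03-24", 365, "ca")` reproduces the kind of 12-month set CIRA locked, and `collisions` over the same output against a registry's zone is the check NASK's DDoS warning calls for.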

Removal

On 15 October 2008, Microsoft released an emergency out-of-band patch for vulnerability MS08-067, which the worm exploits to spread. The patch applies only to Windows XP SP 2, Windows XP SP 3, Windows 2000 SP4 and Windows Vista; Windows XP SP 1 and earlier are no longer supported.[44]

Microsoft has since released a removal guide for the worm, and recommends using the current release of its Malicious Software Removal Tool[45] to remove the worm, then applying the patch to prevent re-infection.[46]

Third parties

Third-party anti-virus software vendors BitDefender,[47] Enigma Software,[48] ESET,[49] F-Secure,[50] Symantec,[51] Sophos,[52] and Kaspersky Lab[53] have released detection updates to their products and are able to remove the worm. McAfee and AVG are able to remove it with an on-demand scan.[54][55]

US federal agencies

The United States Computer Emergency Readiness Team (CERT) recommends disabling AutoRun to prevent Variant B of the worm from spreading through removable media, but describes Microsoft's guidelines on disabling AutoRun as being "not fully effective". CERT has instead provided its own guide for disabling AutoRun.[56] CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.[57]

External links

Conficker Working Group

Notes

  1. "Three million hit by Windows worm". BBC News Online (BBC). 2009-01-16. Retrieved on 2009-01-16.
  2. Leffall, Jabulani (2009-01-15). "Conficker worm still wreaking havoc on Windows systems". Government Computer News. Retrieved on 2009-03-29.
  3. Markoff, John (2009-03-19). "Computer Experts Unite to Hunt Worm". New York Times. Retrieved on 2009-03-29.
  4. Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (2009-03-19). "An Analysis of Conficker". SRI International. Retrieved on 2009-03-29.
  5. Grigonis, Richard (2009-02-13). "Microsoft's $5,000,000 Reward for the Conficker Worm Creators". IP Communications. Retrieved on 2009-04-01.
  6. Phillips, Joshua. "Malware Protection Center - Entry: Worm:Win32/Conficker.A". Microsoft. Retrieved on 2009-04-01.
  7. Markoff, John (2009-01-22). "Worm Infects Millions of Computers Worldwide". New York Times.
  8. Leyden, John (2009-01-19). "Three in 10 Windows PCs still vulnerable to Conficker exploit". The Register. Retrieved on 2009-01-20.
  9. Sullivan, Sean (2009-01-16). "Preemptive Blocklist and More Downadup Numbers". F-Secure. Retrieved on 2009-01-16.
  10. Neild, Barry (2009-01-16). "Downadup virus exposes millions of PCs to hijack". CNN. Retrieved on 2009-01-18.
  11. "Virus strikes 15 million PCs". 2009-01-26. Retrieved on 2009-03-25.
  12. "Six percent of computers scanned by Panda Security are infected by the Conficker worm". Panda Security. 2009-01-21. Retrieved on 2009-01-21.
  13. Willsher, Kim (2009-02-07). "French fighter planes grounded by computer virus". The Telegraph. Retrieved on 2009-04-01.
  14. Williams, Chris (2009-01-20). "MoD networks still malware-plagued after two weeks". The Register. Retrieved on 2009-01-20.
  15. Williams, Chris (2009-01-20). "Conficker seizes city's hospital network". The Register. Retrieved on 2009-01-20.
  16. "Conficker-Wurm infiziert hunderte Bundeswehr-Rechner" (in German). PC Professionell. 2009-02-16. Retrieved on 2009-04-01.
  17. Leyden, John (2009-03-27). "Leaked memo says Conficker pwns Parliament". The Register. Retrieved on 2009-03-29.
  18. Tiu, Vincent (2009-03-27). "Microsoft Malware Protection Center: Information about Worm:Win32/Conficker.D". Microsoft. Retrieved on 2009-03-30.
  19. Park, John (2009-03-27). "W32.Downadup.C Pseudo-Random Domain Name Generation". Symantec. Retrieved on 2009-04-01.
  20. Chien, Eric (2009-02-18). "Downadup: Locking Itself Out". Symantec. Retrieved on 2009-04-03.
  21. Nahorney, Ben; Park, John (2009-03-13). "Propagation by AutoPlay". The Downadup Codex. Symantec. p. 32. Retrieved on 2009-04-01.
  22. Chien, Eric (2009-01-19). "Downadup: Peer-to-Peer Payload Distribution". Symantec. Retrieved on 2009-04-01.
  23. "W32.Downadup.C Bolsters P2P". Symantec. 2009-03-20. Retrieved on 2009-04-01.
  24. "CVE-2008-4250". Common Vulnerabilities and Exposures. Department of Homeland Security. 2008-06-04. Retrieved on 2009-03-29.
  25. "Passwords used by the Conficker worm". Sophos. Retrieved on 2009-01-16.
  26. Robertson, Andrew (2009-02-12). "Microsoft Collaborates With Industry to Disrupt Conficker Worm". ICANN. Retrieved on 2009-04-01.
  27. Porras, Phillip; Saidi, Hassen; Yegneswaran, Vinod (2009-03-19). "An Analysis of Conficker C (draft)". SRI International. Retrieved on 2009-03-29.
  28. Leder, Felix; Werner, Tillmann (2009-04-02). "Containing Conficker". Institute of Computer Science, University of Bonn. Retrieved on 2009-04-03.
  29. "Win32/Conficker.C". CA. 2009-03-11. Retrieved on 2009-03-29.
  30. "Malware Protection Center - Entry: Worm:Win32/Conficker.D". Microsoft. Retrieved on 2009-03-30.
  31. "Virus alert about the Win32/Conficker.B worm". Microsoft. 2009-01-15. Retrieved on 2009-01-22.
  32. Goodin, Dan (2009-03-30). "Busted! Conficker's tell-tale heart uncovered". The Register. Retrieved on 2009-03-31.
  33. Bowes, Ronald (2009-03-30). "Scanning for Conficker with Nmap". SkullSecurity. Retrieved on 2009-03-31.
  34. Asadoorian, Paul (2009-04-01). "Updated Conficker Detection Plugin Released". Tenable Security. Retrieved on 2009-04-02.
  35. O'Donnell, Adam (2009-02-12). "Microsoft announces industry alliance, $250k reward to combat Conficker". ZDNet. Retrieved on 2009-04-01.
  36. Neild, Barry (2009-02-13). "$250K Microsoft bounty to catch worm creator". CNN. Retrieved on 2009-03-29.
  37. Mills, Elinor (2009-02-12). "Microsoft offers $250,000 reward for Conficker arrest". CNET. Retrieved on 2009-04-02.
  38. Messmer, Ellen (2009-02-12). "Microsoft announces $250,000 Conficker worm bounty". Network World. Retrieved on 2009-04-02.
  39. Arthur, Charles (2009-02-13). "Microsoft puts $250,000 bounty on Conficker worm author's head". Guardian. Retrieved on 2009-04-02.
  40. "Microsoft bounty for worm creator". BBC. 2009-02-13. Retrieved on 2009-02-13.
  41. "CIRA working with international partners to counter Conficker C". CIRA. 2009-03-24. Retrieved on 2009-03-31.
  42. D'Alessandro, Macro (2009-03-30). "SWITCH taking action to protect against the Conficker computer worm". SWITCH. Retrieved on 2009-04-01.
  43. Bartosiewicz, Andrzej (2009-03-31). "Jak działa Conficker?" (in Polish). Retrieved on 2009-03-31.
  44. "Microsoft Security Bulletin MS08-067". Microsoft. 2008-10-23. Retrieved on 2009-01-19.
  45. "Malicious Software Removal Tool". Microsoft. 2005-01-11. Retrieved on 2009-03-29.
  46. "Protect yourself from the Conficker computer worm". Microsoft. 2009-03-27. Retrieved on 2009-03-30.
  47. Radu, Daniel; Cimpoesu, Mihai. "Win32.Worm.Downadup.Gen". BitDefender. Retrieved on 2009-04-01.
  48. "Information about Conficker Removal Tool". Enigma Software. Retrieved on 2009-03-30.
  49. ui42. "Eset - Win32/Conficker.AA". Retrieved on 2009-03-29.
  50. "Worm:W32/Downadup.AL". F-Secure. Retrieved on 2009-03-30.
  51. "W32.Downadup Removal - Removing Help". Symantec. Retrieved on 2009-03-29.
  52. "Conficker Clean-up Tool - Free Conficker detection and removal". 2009-01-16. Retrieved on 2009-03-29.
  53. "How to fight network worm Net-Worm.Win32.Kido". 2009-03-20. Retrieved on 2009-03-29.
  54. "W32/Conficker.worm". Retrieved on 2009-03-29.
  55. "Net-Worm.Win32.Kido". Retrieved on 2009-03-29.
  56. "Technical Cyber Security Alert TA09-020A: Microsoft Windows Does Not Disable AutoRun Properly". CERT. 2009-01-29. Retrieved on 2009-02-16.
  57. "DHS Releases Conficker/Downadup Computer Worm Detection Tool". Department of Homeland Security. 2009-03-30. Retrieved on 2009-04-01.