What is Conficker?
April 13th, 2009 | by admin

Conficker, also known as Downup, Downadup and Kido, is a computer worm that surfaced in October 2008 and targets the Microsoft Windows operating system. The worm exploits a previously patched vulnerability (MS08-067, CVE-2008-4250) in the Windows Server service used by Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.
Although the origin of the name “conficker” is not known with certainty, Internet specialists and others have speculated that it is a German portmanteau fusing the term “configure” with “ficken”, the German word for “fuck”. Microsoft analyst Joshua Phillips describes “conficker” as a rearrangement of portions of the domain name “trafficconverter.biz”.
Operation
Four main variants of the Conficker worm are known and have been dubbed Conficker A, B, C and D. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, and 4 March 2009, respectively.
Initial infection
- Variants A and B exploit a vulnerability in the Server service on Windows computers: an already-infected source computer sends a specially crafted remote procedure call to the service's path-canonicalization routine (the MS08-067 bug in netapi32.dll) to force a buffer overflow and execute shellcode on the target computer. On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the target's shellcode connects back to this HTTP server to download a copy of the worm in DLL form, which it then runs as a service via svchost.exe.
- Variant B can remotely execute copies of itself through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, it runs a dictionary attack using a built-in list of common passwords, potentially generating large amounts of network traffic and tripping account lockout policies on the targeted domain.
- Variant B places a copy of itself on any attached removable media (such as USB flash drives), from which it can then infect new hosts through the Windows AutoRun mechanism.
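The ADMIN$ password guessing described above is visible in the Security log of every target as a burst of failed network logons (event 4625, logon type 3) from one source against several accounts. The following is an added detection example, not code from the original article or from any vendor: it runs over a constructed, simplified rendering of such records (fields "timestamp|event_id|target_account|logon_type|source_ip", which is an assumption for illustration, not the real EVTX layout) and flags sources that exceed a failure threshold across multiple accounts within a sliding window, then reports which flagged sources also obtained a successful network logon (4624), i.e. which guesses worked.

```python
"""Flag Conficker-style ADMIN$ password guessing in Windows failed-logon records.

Added example, not part of the original article. SAMPLE_LOG is constructed test
data in a simplified "ts|event_id|account|logon_type|source_ip" form; a real
deployment would feed parsed Security-log events (4625/4624) into the same logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a worm at 10.1.1.23 cycling a small password list over
# four accounts in a few seconds, then succeeding; an ordinary user at
# 10.1.1.50 mistyping a password twice at the console (logon type 2) and once
# against a share (type 3).
SAMPLE_LOG = """\
2009-01-15T08:00:01|4625|administrator|3|10.1.1.23
2009-01-15T08:00:01|4625|administrator|3|10.1.1.23
2009-01-15T08:00:02|4625|administrator|3|10.1.1.23
2009-01-15T08:00:02|4625|admin|3|10.1.1.23
2009-01-15T08:00:03|4625|admin|3|10.1.1.23
2009-01-15T08:00:03|4625|backup|3|10.1.1.23
2009-01-15T08:00:04|4625|backup|3|10.1.1.23
2009-01-15T08:00:04|4625|guest|3|10.1.1.23
2009-01-15T08:00:05|4625|guest|3|10.1.1.23
2009-01-15T08:00:05|4625|guest|3|10.1.1.23
2009-01-15T08:00:06|4624|administrator|3|10.1.1.23
2009-01-15T09:12:10|4625|jsmith|2|10.1.1.50
2009-01-15T09:12:25|4625|jsmith|2|10.1.1.50
2009-01-15T09:12:40|4624|jsmith|2|10.1.1.50
2009-01-15T10:30:00|4625|jsmith|3|10.1.1.50
"""


def parse(log_text):
    """Yield (timestamp, event_id, account, logon_type, source_ip) tuples."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, ltype, src = line.split("|")
        yield datetime.fromisoformat(ts), int(eid), account.lower(), int(ltype), src


def find_password_guessing(log_text, min_failures=8, min_accounts=2,
                           window=timedelta(minutes=5)):
    """Return {source_ip: (failures, [accounts])} for sources whose failed
    network logons (4625, type 3) reach min_failures against at least
    min_accounts distinct accounts inside any sliding time window.
    The reported tuple is the densest window seen for that source."""
    by_src = defaultdict(list)
    for ts, eid, account, ltype, src in parse(log_text):
        if eid == 4625 and ltype == 3:        # network logon failures only
            by_src[src].append((ts, account))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        start, best = 0, None
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                    # slide the window forward
            span = events[start:end + 1]
            accounts = {a for _, a in span}
            if len(span) >= min_failures and len(accounts) >= min_accounts:
                if best is None or len(span) > best[0]:
                    best = (len(span), sorted(accounts))
        if best:
            hits[src] = best
    return hits


def compromised_sources(log_text, hits):
    """Flagged sources that also achieved a successful network logon (4624,
    type 3): a guessed password worked and the host should be isolated."""
    return {src for _, eid, _, ltype, src in parse(log_text)
            if eid == 4624 and ltype == 3 and src in hits}


if __name__ == "__main__":
    found = find_password_guessing(SAMPLE_LOG)
    for src, (count, accounts) in found.items():
        print(f"{src}: {count} failed network logons against {accounts}")
    print("successful after guessing:", compromised_sources(SAMPLE_LOG, found))
```

The thresholds are deliberately low so the constructed sample trips them; tune min_failures and the window to the lockout policy in force, since the worm's burst is far denser than a human's typos but a single mistyped share password (10.1.1.50 above) must not page anyone.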
Payload propagation
The worm has several mechanisms for pushing or pulling executable payloads over the network. These payloads have, so far, been used by variants A, B and C to replace themselves with variant D, which does not infect new hosts over NetBIOS or through removable media.
To prevent payloads from being hijacked, variant A payloads are RC4-encrypted with a 512-bit key and RSA signed with a 1024-bit key; the payload is unpacked and executed only if the signature verifies with a public key embedded in the worm. Variant B increases the size of the RSA key to 4096 bits.
- Variant A generates a list of 250 domain names every day across five Top-level domains (TLD). The domain names are generated from a pseudo-random number generator seeded with the current date to ensure that every copy of the worm generates the same names each day. The worm then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload. Variant B increases the number of TLDs to eight.
- To counter the worm’s use of pseudorandom domain names, ICANN and several TLD registries and registrars began in February 2009 a coordinated barring of transfers and registrations for these domains. Variant D contains code to sidestep these countermeasures: it generates a daily pool of 50,000 domains across 110 TLDs, from which each infected host randomly chooses 500 to attempt that day. Because any single registered domain is therefore contacted by only about 1% of the population, this new pull mechanism (inactive until 1 April 2009) is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the worm’s peer-to-peer network.
- Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
Effect
Upon infection, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then arranges to load itself thereafter at boot as a system service with a randomly generated name.
Variant C of the worm resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. Processes matching a predefined list of antivirus, diagnostic or system patching tools are watched for and terminated. An in-memory patch is also applied to the system resolver DLL (dnsapi.dll) to block lookups of hostnames related to antivirus software vendors and the Windows Update service.
Symptoms
- User accounts being locked out, as the worm’s password guessing trips lockout thresholds.
- Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
- Domain controllers responding slowly to client requests.
- Congestion on local area networks.
- Web sites related to antivirus software or the Windows Update service becoming inaccessible.
Automated detection
The worm makes several in-memory patches to the NetBIOS-related DLL it exploited (netapi32.dll) so that other malware cannot re-exploit the same hole while the worm keeps its own way back in. On 27 March 2009, security researcher Dan Kaminsky, working with Tillmann Werner and Felix Leder of the Honeynet Project, found that the patched function answers a crafted request differently from a clean or Microsoft-patched system, which gives infected hosts a detectable signature when scanned remotely over SMB. Signature updates for a number of network scanning applications are now available, including Nmap (the smb-check-vulns script from 4.85BETA5) and Nessus.
Impact
Conficker is believed to be the worst computer worm infection since SQL Slammer in 2003. Estimates of the number of computers infected range from almost 9 million PCs to 15 million computers. The initial rapid spread of the worm has been attributed to the number of Windows computers—estimated at 30%—which have yet to apply the Microsoft MS08-067 patch.
Antivirus vendor Panda Security reported that of the 2 million computers analyzed through ActiveScan, around 115,000 (6%) were infected with this malware.
Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.
The UK Ministry of Defence reported that some of its major systems and desktops were infected. The worm has spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers.
On 2 February 2009, the Bundeswehr reported that about one hundred of their computers were infected.
A memo from the British Director of Parliamentary ICT informed the users of the House of Commons on 24 March 2009 that it had been infected with the worm. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorized equipment to the network.
Response
On February 12, 2009, Microsoft announced the formation of a technology industry collaboration to combat the effects of Conficker. Organizations involved in this collaborative effort include Microsoft, Afilias, ICANN, Neustar, Verisign, CNNIC, Public Internet Registry, Global Domains International, Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.
From Microsoft
As of 13 February 2009, Microsoft is offering a $250,000 USD reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.
From registrars
ICANN has sought preemptive barring of domain transfers and registrations from all TLD registrars affected by the Conficker C domain generator. Those which have taken action include:
- On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously-unregistered .ca domain names expected to be generated by Conficker C over the next 12 months.
- On 31 March 2009, NASK, the Polish ccTLD registry, locked over 150,000 .pl domains expected to be generated by Conficker C over the coming 5 weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack on legitimate domains which happen to be in the generated set.
Removal
On 23 October 2008, Microsoft released an emergency out-of-band patch, MS08-067 (KB958644), for the Server service vulnerability the worm exploits to spread. Updates were issued for Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003, Windows Vista and Windows Server 2008; Windows XP SP1 and earlier are no longer supported and received no fix.
Microsoft has since released a removal guide for the worm, and recommends using the current release of its Malicious Software Removal Tool to remove the worm, then applying the patch to prevent re-infection.
Third parties
Third-party anti-virus software vendors BitDefender, Enigma Software, ESET, F-Secure, Symantec, Sophos, and Kaspersky Lab have released detection updates to their products and are able to remove the worm. McAfee and AVG are able to remove it with an on-demand scan.
US federal agencies
The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the worm from spreading through removable media, but describes Microsoft’s guidelines on disabling AutoRun as being “not fully effective”. US-CERT has instead provided its own guide for disabling AutoRun. US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.
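The two settings behind that disagreement, shown side by side as an added illustration rather than text from the original article: the first is the policy value Microsoft’s guidance of the time relied on, which US-CERT judged insufficient because on unpatched systems Autorun.inf could still be processed in some paths (for example through the AutoPlay dialog); the second is the IniFileMapping redirection from US-CERT’s own alert (TA09-020A), which makes Windows look for the Autorun.inf contents in a registry key that does not exist, so the file is never acted on.

```reg
Windows Registry Editor Version 5.00

; Setting 1 (Microsoft guidance): disable AutoRun for all drive types.
; US-CERT found this alone "not fully effective" on systems of the period.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoDriveTypeAutoRun"=dword:000000ff

; Setting 2 (US-CERT TA09-020A): map Autorun.inf handling to a non-existent
; registry location, so Windows never reads the file's commands at all.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
```

Apply both rather than choosing; the second does not depend on any Explorer policy being honoured, and neither prevents a user from launching an infected executable by hand.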
The above article is originally created on Wikipedia.org (http://en.wikipedia.org/wiki/Conficker)
28 Responses to “What is Conficker?”
By Bodyc on Apr 20, 2009 | Reply
Greetings, super post, need to mark it on Digg
Thank you
Bodyc
By admin on May 3, 2009 | Reply
I will add the digg option soon as possible and inform you when done. Thanks.
By admin on May 3, 2009 | Reply
You got it! I have just added digg option and if you have any issue please let me know. By the way how did you find my blog?
Thanks for digg’n it ;-).
By Eremeeff on Jul 24, 2009 | Reply
Hi there,
Thank you! I would now go on this blog every day!
By SergeyNikolaev on Jul 30, 2009 | Reply
Ack, my comment didn’t come out the way I’d liked it to.
By Jinny on Aug 24, 2009 | Reply
Super post, Need to mark it on Digg
Jinny
By doctorbiml on Sep 24, 2009 | Reply
Wait…which one is Britney?
By blondinkaya on Sep 26, 2009 | Reply
Great tips and reminders as show-goers adapt to budgets and schedules in this economically challenged period.
By yapapanyatt on Sep 27, 2009 | Reply
Thanks for post. Nice to see such good ideas.
By loputreyu on Sep 29, 2009 | Reply
Thanks for the article!
By velmoccam on Sep 30, 2009 | Reply
Excellent site. It was pleasant to me.
By velmoccam on Sep 30, 2009 | Reply
I’ve had a swift look at your plat, it looks truly interesting. Possibly you’d like to send a synopsis through against us to report on you? Please get it as bona fide as possible and embrace a short bio of yourself and a element to your install at the end.
By golYterW on Oct 3, 2009 | Reply
A topical subject. Of course, I’d like to see more additions. I’ll be waiting…
By Kolyewe on Oct 4, 2009 | Reply
Haha, damn, it’s already morning and I still can’t tear myself away from the internet, and your site in particular; that’s what holidays mean, when you don’t have to hurry anywhere at all. Let me go, you tormentors, stop making such cool sites ))))) down with internet addiction )))
By jwyter on Oct 10, 2009 | Reply
Wonderfully written. I’m very glad that we know how to write and publish interesting and useful information.
By antitasak on Oct 15, 2009 | Reply
Hello, it really interesting, thanks
By hjeryew on Oct 15, 2009 | Reply
And here is the long-awaited topic from the author; thanks, top-notch as always!