Websense Security Alert about Conficker
March 2009 by Websense
Conficker is a large botnet with a lot of potential to do harm. It hasn’t done so just yet, and like most security vendors we don’t expect the harm to start necessarily on April 1. However, the bot gives its operators a lot of power, and at some point, we believe, Conficker will do something "bad" on infected machines: stealing data, sending spam, launching DDoS attacks, and more. The worm may already be doing some harm simply by trying to contact a subset of the 50,000 domains it generates each day, effectively DDoS’ing whichever legitimate sites its domain generation algorithm (DGA) happens to produce. Reverse-engineering the DGA, and therefore knowing in advance every domain the worm will try to contact, lets us be proactive. Bear in mind, though, that the DGA and the way the worm operates can be updated by its authors at any time.
April’s approach has created a lot of chatter about Conficker, a worm largely considered to be one of the most widespread infections in recent years. Some estimates put peak infection at over 10,000,000 hosts.
A large effort has been made by the white-hat community and the Conficker Cabal Group to mitigate Conficker infections, and with success. The current estimate indicates that the number of infected hosts has fallen to 1 to 2 million, which is still a very large number when factored against recent bot counts.
There is a good deal of speculation about what’s going to happen on April 1, a special date that is hard coded into the latest variant of the worm’s binary file. The wider Internet community is fortunate in that some very good research has been conducted into the different variants of the worm: A, B, B++ & C.
In this blog entry we’re going to focus on and recap the major changes in the C variant, including some ideas on how to deal with it. In addition, we’ll draw some conclusions and make a few predictions.
A brief note to Websense customers before we dig more deeply into Conficker:
Websense customers are protected.
We have the domain name generation algorithm (more on this in a separate update) and we are proactively classifying those URLs. Machines already infected with Conficker will be prevented from phoning home for updates.
Websense is actively classifying the malicious binary executables and Web sites. Websense accomplishes this through generic and specific detection, and through ThreatSeeker Network Web Reputation.
First things first: Protect yourself
The Conficker worm propagates in three ways: exploitation of the MS08-067 vulnerability, NetBIOS (ADMIN$) shares, and removable media drives (USB, FireWire, etc.).
The first step in protection is to make sure you are patched against MS08-067: open Windows Add/Remove Programs (a shortcut is Start > Run, then type appwiz.cpl) and verify that update KB958644 is installed. If you are a system administrator, verify that the patch has been applied to all of your systems, not just the ones you happen to be looking at.
NetBIOS propagation is done by brute-forcing administrative shares (ADMIN$). The worm works through a predefined list of commonly used passwords and, if it succeeds against a machine, copies itself there and creates a scheduled task to run itself. So make sure you use strong passwords and that a strong password policy is enforced. A side effect worth knowing about: on networks with an account lockout policy, the worm’s password guessing causes waves of account lockouts, which is itself a useful indicator that an infected host is on the network.
The last propagation technique, and one of the most frustrating, is removable media. The worm copies itself, together with an autorun.inf, to any removable drive attached to an infected host. When that drive is plugged into a computer with AutoRun and AutoPlay enabled, the AutoPlay dialog shows what looks like the usual "Open folder to view files" choice, but choosing it actually runs the worm. This is best addressed by disabling both AutoPlay and AutoRun, which are not the same thing: AutoRun is the automatic processing of autorun.inf when a drive is inserted, while AutoPlay is the dialog that offers the user actions for the drive.
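The three protective steps above can be audited in one pass. The following PowerShell (2.0 or later, run from an elevated prompt on the host being checked) is an added example for this page, not a Websense tool and not anything from the worm itself. The function name Test-ConfickerExposure, the floor of eight characters for password length, the treatment of "Never" as a missing lockout threshold, and the decision to only report rather than change settings are assumptions of this example; English Windows output from `net accounts` is also assumed.

```powershell
# Added example (not Websense's or the worm's code): audit one Windows host
# for the three Conficker entry points. Thresholds below are this example's
# own assumptions. Run elevated, PowerShell 2.0 or later.

function Test-ConfickerExposure {
    $findings = @()

    # 1. MS08-067. The fix ships as KB958644. Win32_QuickFixEngineering lists
    #    installed hotfixes, so an empty result means the hole is still open.
    #    The same query accepts -ComputerName for checking a fleet.
    $kb = Get-WmiObject -Class Win32_QuickFixEngineering |
          Where-Object { $_.HotFixID -eq 'KB958644' }
    if (-not $kb) { $findings += 'KB958644 (MS08-067) is not installed' }

    # 2. ADMIN$ brute force. The worm's password list only works against weak
    #    passwords, and a lockout threshold at least makes the guessing visible.
    #    'net accounts' prints the effective local account policy (English
    #    Windows assumed for the string matches).
    $policy = net accounts
    $line   = [string]($policy | Select-String 'Minimum password length' | Select-Object -First 1)
    $minLen = $line -replace '\D', ''
    if (-not $minLen -or [int]$minLen -lt 8) {
        $findings += "Minimum password length is '$minLen' (assumed floor for this check: 8)"
    }
    if ($policy | Select-String 'Lockout threshold:\s+Never') {
        $findings += 'No account lockout threshold; ADMIN$ password guessing is not throttled'
    }

    # 3. Removable media. NoDriveTypeAutoRun is a bitmask of drive types for
    #    which autorun.inf is ignored; 0xFF (255) covers every drive type.
    #    A policy value under HKLM overrides HKCU, so both are inspected.
    foreach ($hive in 'HKLM', 'HKCU') {
        $path  = "$($hive):\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $value = (Get-ItemProperty -Path $path -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        if ($value -ne 255) {
            $findings += "$hive NoDriveTypeAutoRun is '$value'; set it to 0xFF to disable AutoRun on all drive types"
        }
    }

    return $findings
}

# Usage: print every finding as a warning, or say the host looks clean.
$issues = Test-ConfickerExposure
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } } else { Write-Host 'No findings on this host' }
```

The script deliberately reports rather than remediates: the registry change and the password policy are things an administrator should push through Group Policy, and the missing hotfix should come from the normal patch channel rather than an ad hoc script.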
If you suspect you’re infected you can check for symptoms. (Recovery steps and further preemptive measures are covered separately.)
Conficker blocks access to URLs and sites whose names contain specific strings, to stop the user from downloading detection or removal tools, so a good way to verify a suspected infection is to attempt to reach a few of the sites it blocks, for example microsoft.com or virusscan.jotti.org. Before testing a blocked site, confirm that you have Internet access to an unrelated site; otherwise an ordinary connectivity problem looks exactly like an infection. Be cautious about jumping to quick, and possibly incorrect, conclusions.
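The check just described, including the "confirm you have Internet access first" step, can be scripted so that a plain outage is not mistaken for an infection. This PowerShell (2.0 or later) is an added example written for this page, not a Websense tool. The function names Test-ConfickerBlocking and Test-Reach, the choice of example.com as the control site, and the ten-second timeout are assumptions of this example; the two blocked names come from the text above and should be extended from the full list of strings the worm blocks.

```powershell
# Added example (not Websense's tooling): test whether sites the worm blocks
# are unreachable while an unrelated control site works. Control site and
# timeout are this example's assumptions.

function Test-ConfickerBlocking {
    param(
        # Names the text above says the worm blocks; extend from the full list.
        [string[]]$Blocked   = @('microsoft.com', 'virusscan.jotti.org'),
        # A control site whose name contains none of the blocked strings.
        [string]$Control     = 'example.com',
        [int]$TimeoutMs      = 10000
    )

    function Test-Reach([string]$Name) {
        # The worm interferes with name resolution for blocked names, so a
        # DNS failure is the symptom to look for first; HTTP is checked second.
        try { [void][System.Net.Dns]::GetHostAddresses($Name) }
        catch { return 'dns-failed' }
        try {
            $req = [System.Net.WebRequest]::Create("http://$Name/")
            $req.Timeout = $TimeoutMs
            $req.GetResponse().Close()
            return 'ok'
        } catch {
            # PowerShell wraps .NET exceptions; unwrap to reach the WebException.
            $ex = $_.Exception
            if ($ex.InnerException) { $ex = $ex.InnerException }
            # Any HTTP response at all (even 4xx/5xx) proves the name resolved
            # and the connection worked, which is all this check needs.
            if ($ex -is [System.Net.WebException] -and $ex.Response) { return 'ok' }
            return 'http-failed'
        }
    }

    # Rule out a plain connectivity problem before drawing any conclusion.
    if ((Test-Reach $Control) -ne 'ok') {
        return "Control site $Control is unreachable; no conclusion possible"
    }

    $failed = @()
    foreach ($site in $Blocked) {
        $result = Test-Reach $site
        if ($result -ne 'ok') { $failed += "$site ($result)" }
    }
    if ($failed.Count -eq 0) {
        return 'All test sites reachable; no sign of Conficker blocking'
    }
    return "Suspicious: control site reachable but blocked: $($failed -join ', '). Confirm with a scanner before acting."
}

# Usage
Test-ConfickerBlocking
```

A "Suspicious" result is a reason to run a proper scanner, not proof of infection: a proxy or Web filter that happens to block one of the test names produces the same pattern.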
Preserve the investment
Curiously, the Conficker C variant has no propagation methods at all. The update from the earlier variants to C, which began around March 4, does not include the propagation functionality described above. So the latest variant just sits there, you ask? In a way, yes: it waits on infected machines for orders to come through. Bear in mind that most of the infected hosts haven’t yet been updated to the C variant, and A, B, and B++ of course still propagate.
And there are more changes. The authors made significant updates in the C variant, adding further protection mechanisms and peer-to-peer (P2P) functionality; it’s estimated that only about 15% of the earlier variants’ code was preserved. This makes sense if the worm’s first purpose was to infect as many machines as possible, while the new variant is aimed at preserving and protecting that investment, keeping the number of infected hosts as large as possible. The new functionality in the C variant consists essentially of countermeasures to the security community’s efforts against the worm, the Conficker Cabal’s in particular. In short, the latest variant has shifted from a propagation mode to a preservation mode, for now: not having propagation functionality doesn’t mean the authors can’t update the worm, at will, to have it again.
Domain Generation Algorithm (DGA): What’s going to happen April 1?
What’s going to happen on April 1? This date is hard coded into the Conficker.C variant, which is why so much attention is focused on it. On that date Conficker.C switches its domain generation algorithm to produce 50,000 domains per day, of which it tries to contact 500, once a day. This is one of the countermeasures the worm’s authors introduced in response to the Cabal group’s successful effort to pre-empt the registration of the 250 domains that the older variants (A, B, and B++) try to access each day. The change, starting April 1, 2009, only affects machines that are already infected and running the C variant: those machines will generate the 50,000-domain list every day and actually try 500 of them.

Only the people behind Conficker know which of those domains they are going to register and activate. They could register just one domain a day (or fewer, or more); but when they do, if the Cabal group doesn’t pre-empt them again, the infected machines that happen to try that domain will reach it and can download an update telling them to do something. It doesn’t necessarily follow that the worm will do something bad on that day, since that depends on an update actually being available for download. Besides, the latest variants are equipped with a P2P mechanism, so orders may already have been relayed to the bots without any domain being involved.
When the people behind Conficker decide it’s time to do something that will earn them money, like stealing data, launching DDoS attacks, or sending spam, they will be able to do so at will. It doesn’t have to be on April 1. Our assumption is that they are waiting for some time after that date so that the C update reaches as many bots as possible. Time equals money, and it’s logical to assume that something is going to happen soon enough. It also seems that those behind the worm are examining their options carefully and may even be exploring "business" relationships to decide which path will be safest and most profitable.
Reverse-engineering the Domain Generation Algorithm
At Websense Security Labs we reverse-engineered the different Conficker variants to discover the domains the worm will try to contact each day. As mentioned, the C variant generates a list of 50,000 domains a day, of which the worm tries to access 500.
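To make the mechanics behind the numbers in this section and in the April 1 discussion above concrete, here is a toy date-seeded DGA in PowerShell (2.0 or later). It is an added example for this page: it is not Conficker’s algorithm, and it is not the reverse-engineered code, which this page does not reproduce. What it does show is why the defensive position described here works: every bot derives the same seed from the date alone, so a defender who knows the algorithm can compute tomorrow’s entire list today and push it to a URL filter or DNS blocklist, while pre-registering 50,000 names a day (the approach that worked against 250 a day) is no longer practical. The function names New-DgaDomains and Select-DgaContactSet, the seed derived from yyyyMMdd, the 4 to 9 character name lengths, the five-TLD list, and the second seed used to pick the 500 are all assumptions of this example.

```powershell
# Added example: a TOY date-seeded domain generation algorithm, written to
# illustrate the mechanics the text describes. It is NOT Conficker's DGA and
# not Websense's reverse-engineered code. Seed derivation, name lengths, TLD
# list and the contact-set seed are this example's assumptions.

function New-DgaDomains {
    param(
        [DateTime]$Date  = (Get-Date).ToUniversalTime(),
        [int]$Count      = 50000,       # Conficker.C figure per the text
        [string[]]$Tlds  = @('com', 'net', 'org', 'info', 'biz')
    )
    # The seed comes from the date alone, so every bot (and the defender)
    # produces an identical list without exchanging a single packet.
    $seed = [int]($Date.ToString('yyyyMMdd'))
    $rng  = New-Object System.Random($seed)
    $list = New-Object System.Collections.Generic.List[string]
    for ($i = 0; $i -lt $Count; $i++) {
        $len  = $rng.Next(4, 10)                       # 4..9 lowercase letters
        $name = ''
        for ($j = 0; $j -lt $len; $j++) { $name += [char](97 + $rng.Next(26)) }
        $list.Add($name + '.' + $Tlds[$rng.Next($Tlds.Length)])
    }
    return $list.ToArray()
}

function Select-DgaContactSet {
    # A bot does not try all 50,000 names; it picks a few hundred of them.
    # The pick is also deterministic per date here so that the example is
    # reproducible; the real worm's selection is not described on this page.
    param(
        [string[]]$Domains,
        [int]$Pick       = 500,         # Conficker.C figure per the text
        [DateTime]$Date  = (Get-Date).ToUniversalTime()
    )
    $rng    = New-Object System.Random(([int]($Date.ToString('yyyyMMdd'))) -bxor 0x5a5a)
    $chosen = @{}
    while ($chosen.Count -lt $Pick) {
        $chosen[$Domains[$rng.Next($Domains.Length)]] = $true
    }
    return @($chosen.Keys)
}

# Defender side: compute tomorrow's full candidate list today and write it out
# as a blocklist. Blocking 50,000 names in a filter is cheap; registering
# them all (the countermeasure that beat the 250/day variants) is not.
$tomorrow = (Get-Date).ToUniversalTime().AddDays(1)
$all      = New-DgaDomains -Date $tomorrow
$file     = "dga-blocklist-$($tomorrow.ToString('yyyy-MM-dd')).txt"
$all | Set-Content -Path $file

# Bot side: the subset an infected host would actually try on that date.
$botTries = Select-DgaContactSet -Domains $all -Date $tomorrow
"Generated $($all.Length) candidates for $($tomorrow.ToString('yyyy-MM-dd')); a bot would contact $($botTries.Length) of them; blocklist written to $file"
```

Two practical points follow from the example. First, the DGA output is only useful to defenders for as long as the algorithm stays the same; as noted at the top of this alert, the authors can change it with any update, so a blocklist feed has to be regenerated from a current sample rather than computed once. Second, generating real-looking names means some of them collide with legitimate registered domains, which is the accidental-DDoS effect mentioned earlier; a blocklist built this way should be reviewed against a whitelist before it is enforced.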
Given the industry effort to mitigate this problem, one obvious prediction is that the worm’s authors will try to preserve the number of infected bots as much as possible. One option open to them is to update the worm so that it downloads instructions from compromised Web sites. That would disrupt the Cabal group’s efforts, since it is much easier to pre-empt the registration of new domains than to take down compromised domains with good reputations. We also predict that Conficker will resume propagation, this time through a spam-based mechanism. We don’t believe the authors will rely solely on the P2P mechanism for updates; they will also keep the HTTP-based update path, so that infected hosts behind firewalls and Network Address Translation (NAT), which disrupt P2P traffic, remain reachable for updates. The group behind Conficker appears to be considering its moves carefully. If it is indeed a China-based group, it will need some Western-based connections to commit cybercrime more effectively, and establishing those connections is what we suspect it has been doing in the meantime.