Home | Blog | Software | Reviews and Features | Forum | Help | Donate | About us
topbanner_forum
  *

avatar image

Welcome, Guest. Please login or register.
Did you miss your activation email?

Login with username, password and session length
  • December 08, 2016, 03:55:21 AM
  • Proudly celebrating 10 years online.
  • Donate now to become a lifetime supporting member of the site and get a non-expiring license key for all of our programs.
  • donate

Last post Author Topic: Conficker - The Facts  (Read 29120 times)

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Conficker - The Facts
« on: March 30, 2009, 05:27:36 AM »
Hi all.

Firstly, let me apologize for being so retarded as to have called this thing 'Conflicker' for the past month. I didn't find out I was wrong up until about two hours ago. I've only read about 50 news stories about it... Anyway...

Earlier today I finished watching Lesley Stahl's "freak out" on 60 Minutes and it struck me just how many times I'd read the same crap over the past month. I've decided that, to remedy the situation, at least amongst DonationCoder regulars, I will post this purely factual summary of the virus/trojan/worm/whatever Conficker. I am most certainly no Conficker expert, but I believe I can do a better job laying out the facts than much of the mass media, and I'll try to keep the tech talk down.

A huuuge thank you to SRI International for publishing their superb analysis of Conficker which has provided me with a couple of hours of very interesting reading. I highly recommend the more interested parties read it, it makes for a very enlightening read.

In September 2008, a vulnerability was disclosed in the Windows operating system that could allow an attacker to execute code on an unpatched machine with system level privileges. This vulnerability was soon plugged by Microsoft, and heavy press coverage meant that most people paying attention responded swiftly and updated their machines. Unfortunately, Microsoft does not permit pirated copies of Windows to be updated, leaving a large segment of the worlds population perpetually vulnerable.

In November 2008, a virus making use of this vulnerability to infect unpatched machines began sweeping across the globe. This virus is known as Conficker, and is estimated to have infected anywhere between 10-15 million computers worldwide. Since November, Conficker has seen 2 significant upgrades made to its initial form, known as Conficker.B and Conficker.C respectively. This summary will focus on the capabilities of variant C as one can expect this form to be the most prevalent.

It is worth mentioning that Microsoft along with several other corporations have banded together to form what they're a "cabal" in unity against Conficker. They worked to thwart variants A and B and would have succeeded were it not for the C variant.

Conficker infects its potential host by issuing a specially crafted Remote Procedure Call over port 445/TCP, causing the host to execute code embedded in the call which leads to the infection of the machine with Conficker. It is also capable of spreading via USB mass storage devices.

Interestingly, Conficker ignores Ukranian IP addresses thanks to an embedded database of IP address ranges and their geological locations. This is believed to be either a ploy to draw misguided attention to the Ukraine as the home of the virus writers, or a way of ensuring an apathetic response from the Ukrianian Government where Conficker is concerned.

When Conficker first infects a system, it follows the following process:
-Conficker first opens a random high-range port on any local firewall/router via UPNP. This port is used later on in the propogation process. It also retrived the external IP address of its host from a variety of websites which is also used in propogation.
-Conficker patches the vulnerability in Windows that allowed it to infects via an in-memory modification of the vulnerable service. The patch is made in such a manner that it will prevent viruses exploiting the same vulnerability from successfully infecting the host, but will permit newer Conficker variants to update the existing infection.
-Conficker makes further in-memory patches which are designed to prevent products which may threaten Conficker from retriving updates from the internet by preventing specific domains from resolving. Conficker also attempts to disable any patches or anti-virus software it is aware of currently running on the host.
-Conficker will then proceed to make regular attempts to propagate across the internet or the local area network via the method described above.

In its current form, Conficker is not an especially great threat. The only particularly malicious behavior exhibited by Conficker is its attempt to terminate and block anti-virus like software. The part of Conficker that has everyone so concerned is its built-in update mechanism.

Conficker was designed to be easily modified by its authors. On April 1, Conficker C will make its first attempt to retrieve new instructions from its author. Conficker C searches for new instructions from its masters in the following fashion:
-Conficker C will generate a list of 50,000 domain names, comprised of random strings, based on certain factors common to all Conficker infections,to which one of a possible 116 TLDs will be appended. 500 of these will then be selected by Conficker to check for new instructions.
-Each domain will be contacted by Conficker. If it finds a Windows binary is available from one of the domains, it will download, validate, and execute the update package.
-This process will be repeated every 24 hours.

Confickers update mechanism is extremely robust and well protected. It would seem its authors designed it speciifically to be invulnerable to attempts by those other than themselves to make available an update that, say, shut Conficker down. I won't go into the specifics here, but you can read them from the third paragraph of "Implications of Variant C" here.

It is a simple fact that there is indeed no telling what may become of Conficker thanks to this update mechanism, but I find it difficult to imagine an update bringing about the apocalypse as is predicted by many in the media. That said, I do advise everyone to keep their eyes peeled for any signs of Conficker on machines they maintain. I intend to keep this thread updated with news of any updates, should they be released, and I look forward to discussion.

Finally, please see this page at the Internet Storm Center for a listing of removal tools and instructions.

Ehtyar.
« Last Edit: March 30, 2009, 06:32:18 AM by Ehtyar »

mwb1100

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 1,522
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #1 on: March 30, 2009, 09:19:28 AM »
Thanks for this nice write up.  WinPatrol's Bill Pytlovany has some blog articles that talk about Conficker and what might happen on March 31/April  1.  His latest article indicates that it's something people should take precautions against (though they are precautions that should be taken normally anyway) but that there probably won't be an Internet meltdown - though that seems a bit toned down from his previous couple of articles.

I've got UPnP turned off on my router and have made sure Win Update has been run along with the Malicious Software Removal tool.

Gothi[c]

  • DC Server Admin
  • Charter Honorary Member
  • Joined in 2006
  • ***
  • Posts: 858
    • View Profile
    • linkerror
    • Donate to Member
Re: Conficker - The Facts
« Reply #2 on: March 30, 2009, 05:29:37 PM »

mouser

  • First Author
  • Administrator
  • Joined in 2005
  • *****
  • Posts: 36,412
    • View Profile
    • Mouser's Software Zone on DonationCoder.com
    • Read more about this member.
    • Donate to Member
Re: Conficker - The Facts
« Reply #3 on: March 30, 2009, 06:01:57 PM »
Also wanted to add my thanks for the thoughtful post Ehtyar.  :up:
From one of your links i came across this article which looks like fun technical reading: http://mtc.sri.com/Conficker/

Deozaan

  • Charter Member
  • Joined in 2006
  • ***
  • Points: 1
  • Posts: 7,716
    • View Profile
    • The Blog of Deozaan
    • Read more about this member.
    • Donate to Member
Re: Conficker - The Facts
« Reply #4 on: March 30, 2009, 06:37:58 PM »
I see removal instructions etc., but how would you even know if you've got the Conficker virus anyway?


cyberdiva

  • Supporting Member
  • Joined in 2006
  • **
  • Posts: 982
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #5 on: March 30, 2009, 06:56:02 PM »
I see removal instructions etc., but how would you even know if you've got the Conficker virus anyway?
I've now read several blogs and an article in USA Today that say you should try to log on to the Microsoft, Symantec, and McAfee websites.  If you can do that, you probably don't have Conficker.  The article goes on to explain:  "That’s because Conficker blocks you from reaching any web address that includes Microsoft, Symantec, McAfee, AVG, Kaspersky, Trend Micro, F-Secure, Panda, Sophos, SecureWorks or Sunbelt in the URL. It also blocks URLs that contain 103 other names and phrases that relate to security. You can see the full list by clicking to SRI International's report here and scrolling down to the table listed under 'domain lookup prevention.'"

I'm hoping that info is right  :)

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #6 on: March 30, 2009, 07:06:08 PM »
http://www.eweek.com...-Enterprises-718842/
Well I'm glad someone is reporting some sense, though that article was apparently written before Variant C was released, and thus does not take into account the new p2p update distribution mechanism.
[edit]
After further reading it seems the article was published very recently, but completely ignored both the enhanced domain generation algorithm and p2p update mechanism of Variant C in their conclusion. I'm a fan of their lack of sensationalism, but their lack of accuracy makes for a misguided conclusion.
[/edit]

Also wanted to add my thanks for the thoughtful post Ehtyar.  :up:
From one of your links i came across this article which looks like fun technical reading: http://mtc.sri.com/Conficker/
That article is directly linked in my summary (3rd link). It is where much of the information in the summary was sourced from.

I'm hoping that info is right  :)
It is.

Ehtyar
« Last Edit: March 30, 2009, 07:26:43 PM by Ehtyar »

lanux128

  • Global Moderator
  • Joined in 2005
  • *****
  • Posts: 6,258
    • View Profile
    • Coding Snacks by Lanux128
    • Read more about this member.
    • Donate to Member
Re: Conficker - The Facts
« Reply #7 on: March 30, 2009, 08:01:05 PM »
i have a log file named "KB958644.log" to show that i had seemed to apply the patch some time back, so do i have to be worried about getting infected by the 'C' variant?

PhilB66

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,522
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #8 on: March 30, 2009, 08:57:48 PM »
Conficker Working Group's detection and repair tool list


Windows Secrets Run a Conficker removal tool before April 1 article.


J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,913
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #9 on: March 30, 2009, 10:52:26 PM »
The Windows Secrets article that Phil lined to above mentions that most A-V sites and the MS Update site will not be reachable if a machine is infected with Conficker, but you can still get there via the IP addresses for htose same sites. So it would be a good idea to get ahold of those IP addresses sometime ahead of 4/1.

Jim

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #10 on: March 30, 2009, 11:14:03 PM »
Nice links Phil.

i have a log file named "KB958644.log" to show that i had seemed to apply the patch some time back, so do i have to be worried about getting infected by the 'C' variant?
The patch will prevent installation of Conficker from over the internet. However, if you use a weak password you're still at risk of Conficker guessing it from another machine on your LAN.

Ehtyar.

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #11 on: March 30, 2009, 11:18:03 PM »
The Windows Secrets article that Phil lined to above mentions that most A-V sites and the MS Update site will not be reachable if a machine is infected with Conficker, but you can still get there via the IP addresses for htose same sites. So it would be a good idea to get ahold of those IP addresses sometime ahead of 4/1.

Jim
I'm happy to resolve the entire and post it, but I can't find a complete list of what gets blocked. Anyone have one?

Ehtyar.

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,913
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #12 on: March 31, 2009, 12:50:23 AM »
The Windows Secrets article that Phil lined to above mentions that most A-V sites and the MS Update site will not be reachable if a machine is infected with Conficker, but you can still get there via the IP addresses for htose same sites. So it would be a good idea to get ahold of those IP addresses sometime ahead of 4/1.

Jim
I'm happy to resolve the entire and post it, but I can't find a complete list of what gets blocked. Anyone have one?

Ehtyar.

Actually it blocks access to any URLs containing certain strings. Here is the list of strings that it blocks:

Quote
In its attempt to prevent access to security-related sites for information, help or software updates, the worm attempts to block running applications from accessing URLs containing any of the following strings:

avg.
avp.
bit9.
ca.
cert.
gmer.
kav.
llnw.
llnwd.
msdn.
msft.
nai.
sans.
vet.
agnitum
ahnlab
anti-
antivir
arcabit
avast
avgate
avira
bothunter
castlecops
ccollomb
centralcommand
clamav
comodo
computerassociates
conficker
cpsecure
cyber-ta
db networkassociates
defender
drweb
dslreports
emsisoft
esafe
eset
etrust
ewido
f-prot
f-secure
fortinet
free-av
freeav
gdata
grisoft
hackerwatch
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
malware
mcafee
microsoft
mirage
mitre
msftncsi
msmvps
mtc.sri
nod32
norman
norton
onecare
panda
pctools
prevx
ptsecurity
quickheal
removal
rising
rootkit
safety.live
securecomputing
secureworks
sophos
spamhaus
spyware
sunbelt
symantec
technet
threat
threatexpert
trendmicro
trojan
virscan
virus
wilderssecurity
windowsupdate

The above list is from CA's page on Conficker, located here.

Hope this helps.

Jim

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #13 on: March 31, 2009, 01:25:13 AM »
C-R-A-P. Anyone have any suggestions on what to resolve? :S

As a universal solution what we want is a utility that will resolve domain names without using the Windows API. Dig and Host will both do it, but neither are particularly user-friendly.

Thanks J-Mac.

Ehtyar.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Conficker - The Facts
« Reply #14 on: March 31, 2009, 01:28:22 AM »
How does conficker block those URLs? Simply hooking the winsock DNS resolving functions, or setting the machine's DNS server?
- carpe noctem

nosh

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,426
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #15 on: March 31, 2009, 02:13:02 AM »
From the Windows Secrets article linked above by PhilB66

Quote
Admins of small and large LANs can use OpenDNS as a Domain Name System server.
The firm introduced on Feb. 9 a new, Conficker-specific feature. If an infected PC on a LAN somehow evaded detection, OpenDNS will prevent it from contacting Conficker's control servers. Best of all, admins can read a report showing which PC tried to connect to a Conficker server.

It's nice to have a proactive DNS provider! :)

Edit: Direct link to the standalone ESET Conficker Removal tool. Just 119 KB and it tells you immediately if Conficker is found in memory.
« Last Edit: March 31, 2009, 02:30:30 AM by nosh »

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #16 on: March 31, 2009, 05:50:34 AM »
How does conficker block those URLs? Simply hooking the winsock DNS resolving functions, or setting the machine's DNS server?
Conflicker patches DnsQuery() in memory.

From the Windows Secrets article linked above by PhilB66

Quote
Admins of small and large LANs can use OpenDNS as a Domain Name System server.
The firm introduced on Feb. 9 a new, Conficker-specific feature. If an infected PC on a LAN somehow evaded detection, OpenDNS will prevent it from contacting Conficker's control servers. Best of all, admins can read a report showing which PC tried to connect to a Conficker server.

It's nice to have a proactive DNS provider! :)
It will be interesting to see if that applies to the millions of domains potentially generated by Variant C. It also won't effect the p2p update mechanism...

Ehtyar.

gally

  • Supporting Member
  • Joined in 2007
  • **
  • default avatar
  • Posts: 19
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #17 on: March 31, 2009, 07:14:25 PM »
Here's a partial list assuming all are .com and not .net

windowsupdate.microsoft.com
The IP address for the domain is: 207.46.225.221
 wilderssecurity.com
The IP address for the domain is: 65.175.38.194
trendmicro.com
The IP address for the domain is: 66.35.255.33
symantec.com
The IP address for the domain is: 206.204.52.31
sunbelt.com
The IP address for the domain is: 69.4.229.56
spamhaus.com
The IP address for the domain is: 24.28.193.9
sophos.com
The IP address for the domain is: 213.31.172.77
secureworks.com
The IP address for the domain is: 67.107.53.168
securecomputing.com
The IP address for the domain is: 66.45.10.76
safety.live.com
The IP address for the domain is: 65.55.240.12
prevx.com
The IP address for the domain is: 62.189.194.222
pctools.com
The IP address for the domain is: 67.192.81.184
panda.com
The IP address for the domain is: 206.124.149.114
onecare.com
The IP address for the domain is: 207.46.197.32
 mcafee.com
The IP address for the domain is: 216.49.88.12
norton.com
The IP address for the domain is: 206.204.52.31
: nod32.com
The IP address for the domain is: 72.3.254.86
kaspersky.com
The IP address for the domain is: 195.27.181.34
 grisoft.com
The IP address for the domain is: 193.86.103.19
 emsisoft.com
The IP address for the domain is: 80.237.191.14
comodo.com
The IP address for the domain is: 91.199.212.132
: castlecops.com
The IP address for the domain is: 204.152.184.144
avast.com
The IP address for the domain is: 67.228.112.196
agnitum.com
The IP address for the domain is: 67.15.231.71
: avg.com
The IP address for the domain is: 193.86.103.19

J-Mac

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 2,913
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #18 on: March 31, 2009, 10:17:50 PM »
Wow! What a job, gally!

Thank you very much for that!

Jim

wreckedcarzz

  • Charter Member
  • Joined in 2005
  • ***
  • Posts: 1,623
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #19 on: March 31, 2009, 11:29:32 PM »
Can someone here assure me that the computers I have are safe (at least to an extent)? I've reformatted 2 computers within the last 3 months, I really don't want to do it again...

Basics:
All computers running Spyware Terminator w/ ClamAV
All computers running Windows Firewall
All patches from Microsoft/Windows Update applied
All computers behind firewalled router w/ OpenDNS nameservers
My primary computer has DMZ enabled, but Windows Firewall enabled as well

Passwords:
My two computers have a dictionary word (although long) password
Dad's computer has a non-dictionary combination word
Home file server requires no password to access via the LAN (can't remember if it has a logon password or not, it does an automatic logon at boot)

What are the chances of any of my computers being infected? What else should I do to lockdown my home network so I don't catch hell if we end up getting this crap?

EDIT: The file server computer had no password assigned to my account (Administrator rights), fixed that...
« Last Edit: March 31, 2009, 11:41:57 PM by wreckedcarzz »

Ehtyar

  • Supporting Member
  • Joined in 2007
  • **
  • Posts: 1,237
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #20 on: April 01, 2009, 12:03:18 AM »
The primary things you need to concern yourself with for infection prevention are:
-Update your Windows
-Use a strong administrative password
-Disable autorun

You might want to consider getting yourself a real-time virus scanner, ClamAV was originally designed for use on mail servers.

Not sure what you mean by having a computer with DMZ disabled. If you meant your router, then yes I would recommend not having a DMZ at all and using port forwarding where necessary.

Ehtyar.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Conficker - The Facts
« Reply #21 on: April 01, 2009, 12:21:59 AM »
DMZ = bad (come on, how bad is it to do manual port forwards?), dictionary password = bad.

- carpe noctem

gally

  • Supporting Member
  • Joined in 2007
  • **
  • default avatar
  • Posts: 19
    • View Profile
    • Donate to Member
Re: Conficker - The Facts
« Reply #22 on: April 01, 2009, 12:26:24 AM »
Your welcome Jim. ... I did find that some of those, even tho they are the sites ips, may not let you get there... some give an 'access denied' such as pctools and others automatically change to the written url, like norton, right after you use the ip to get there... working around in those sites will take alot of copying and pasting ... symantec/norton won't let you (or maybe just me) use the ip in place of 'www.symantec.com' then '/some/rest/of/an/official/link' to get around in there.

f0dder

  • Charter Honorary Member
  • Joined in 2005
  • ***
  • Posts: 9,029
  • [Well, THAT escalated quickly!]
    • View Profile
    • f0dder's place
    • Read more about this member.
    • Donate to Member
Re: Conficker - The Facts
« Reply #23 on: April 01, 2009, 12:32:25 AM »
Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts files, but that file is probably used by DnsQuery() and thus the method is going to fail because Conficker's patching.
- carpe noctem

app103

  • That scary taskbar girl
  • Global Moderator
  • Joined in 2006
  • *****
  • Posts: 5,666
    • View Profile
    • App's Apps
    • Read more about this member.
    • Donate to Member
Re: Conficker - The Facts
« Reply #24 on: April 01, 2009, 12:38:15 AM »
Going to HTTP://ip.number.here often won't work, since the site won't get the "Host: domain.name.com" HTTP header they expect. You'd have to put the IPs in your hosts files, but that file is probably used by DnsQuery() and thus the method is going to fail because Conficker's patching.

That is very true, but using a proxy like hidemyass.com would probably work, without the need of even trying the IP and using the actual URL that conficker is blocking. And yes, you can download removal tools through that proxy. I tested it.