Hi all.
Firstly, let me apologize for being so retarded as to have called this thing 'Conflicker' for the past month. I didn't find out I was wrong up until about two hours ago. I've only read about 50 news stories about it... Anyway...
Earlier today I finished watching Lesley Stahl's "freak out" on 60 Minutes and it struck me just how many times I'd read the same crap over the past month. I've decided that, to remedy the situation, at least amongst DonationCoder regulars, I will post this purely factual summary of the virus/trojan/worm/whatever Conficker. I am most certainly no Conficker expert, but I believe I can do a better job laying out the facts than much of the mass media, and I'll try to keep the tech talk down.
A huuuge thank you to SRI International for publishing their superb analysis of Conficker, which has provided me with a couple of hours of very interesting reading. I highly recommend the more interested parties read it; it makes for a very enlightening read.
In September 2008, a vulnerability was disclosed in the Windows operating system that could allow an attacker to execute code on an unpatched machine with system level privileges. This vulnerability was soon plugged by Microsoft, and heavy press coverage meant that most people paying attention responded swiftly and updated their machines. Unfortunately, Microsoft does not permit pirated copies of Windows to be updated, leaving a large segment of the world's population perpetually vulnerable.
In November 2008, a virus making use of this vulnerability to infect unpatched machines began sweeping across the globe. This virus is known as Conficker, and is estimated to have infected anywhere between 10 and 15 million computers worldwide. Since November, Conficker has seen two significant upgrades made to its initial form, known as Conficker.B and Conficker.C respectively. This summary will focus on the capabilities of variant C, as one can expect this form to be the most prevalent.
It is worth mentioning that Microsoft, along with several other corporations, has banded together to form what they're calling a "cabal" in unity against Conficker. They worked to thwart variants A and B and would have succeeded were it not for the C variant.
Conficker infects its potential host by issuing a specially crafted Remote Procedure Call over port 445/TCP, causing the host to execute code embedded in the call which leads to the infection of the machine with Conficker. It is also capable of spreading via USB mass storage devices.
Interestingly, Conficker ignores Ukrainian IP addresses thanks to an embedded database of IP address ranges and their geographical locations. This is believed to be either a ploy to draw misguided attention to the Ukraine as the home of the virus writers, or a way of ensuring an apathetic response from the Ukrainian government where Conficker is concerned.
When Conficker first infects a system, it follows the following process:
-Conficker first opens a random high-range port on any local firewall/router via UPnP. This port is used later on in the propagation process. It also retrieves the external IP address of its host from a variety of websites, which is also used in propagation.
-Conficker patches the vulnerability in Windows that allowed it to infect, via an in-memory modification of the vulnerable service. The patch is made in such a manner that it will prevent viruses exploiting the same vulnerability from successfully infecting the host, but will permit newer Conficker variants to update the existing infection.
-Conficker makes further in-memory patches which are designed to prevent products that may threaten Conficker from retrieving updates from the internet, by preventing specific domains from resolving. Conficker also attempts to disable any patches or anti-virus software it is aware of currently running on the host.
-Conficker will then proceed to make regular attempts to propagate across the internet or the local area network via the method described above.
In its current form, Conficker is not an especially great threat. The only particularly malicious behavior exhibited by Conficker is its attempt to terminate and block anti-virus like software. The part of Conficker that has everyone so concerned is its built-in update mechanism.
Conficker was designed to be easily modified by its authors. On April 1, Conficker C will make its first attempt to retrieve new instructions from its author. Conficker C searches for new instructions from its masters in the following fashion:
-Conficker C will generate a list of 50,000 domain names, comprised of random strings, based on certain factors common to all Conficker infections, to which one of a possible 116 TLDs will be appended. 500 of these will then be selected by Conficker to check for new instructions.
-Each domain will be contacted by Conficker. If it finds a Windows binary is available from one of the domains, it will download, validate, and execute the update package.
-This process will be repeated every 24 hours.
Conficker's update mechanism is extremely robust and well protected. It would seem its authors designed it specifically to be invulnerable to attempts by those other than themselves to make available an update that, say, shut Conficker down. I won't go into the specifics here, but you can read them from the third paragraph of "Implications of Variant C" here.
It is a simple fact that there is indeed no telling what may become of Conficker thanks to this update mechanism, but I find it difficult to imagine an update bringing about the apocalypse as is predicted by many in the media. That said, I do advise everyone to keep their eyes peeled for any signs of Conficker on machines they maintain. I intend to keep this thread updated with news of any updates, should they be released, and I look forward to discussion.
Finally, please see this page at the Internet Storm Center for a listing of removal tools and instructions.
Ehtyar.
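An added example, not part of Ehtyar's post and not Conficker's own code: a small domain-generation algorithm (DGA) with the shape the post describes for variant C's update check. Every infected host derives the same large candidate list from a value all infections share plus the current date, appends one of a fixed set of TLDs, queries only a subset, and repeats the next day. The seed, hashing, list sizes, TLD list and log format below are all made up for the demo (the real list is 50,000 names over 116 TLDs with 500 checked; these are scaled down). The point for defenders is the same either way: because the list is a deterministic function of the date, anyone who recovers the algorithm can precompute the day's domains and match DNS logs against them.

```python
"""Illustrative DGA in the style described in the thread.

Constructed example for this discussion; NOT Conficker's real algorithm.
SHARED_SEED, TLDS, list sizes and the log format are all assumptions.
"""
import datetime
import hashlib

SHARED_SEED = b"example-shared-seed"            # assumption: constant common to all infections
TLDS = ["com", "net", "org", "info", "biz"]     # assumption: stand-in for the 116 real TLDs
CANDIDATES = 2000                               # scaled down from 50,000
CHECKED = 20                                    # scaled down from 500
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def _daily_key(day):
    # Everything is derived from the date, so every host agrees on the list.
    return hashlib.sha256(SHARED_SEED + day.isoformat().encode()).digest()


def generate_candidates(day, n=CANDIDATES):
    """Deterministically produce n pseudo-random domain names for `day`."""
    key = _daily_key(day)
    domains = []
    for i in range(n):
        # Expand the daily key into one 32-byte digest per candidate.
        d = hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        length = 5 + d[0] % 8                             # 5..12 letters
        name = "".join(ALPHABET[b % 26] for b in d[1:1 + length])
        tld = TLDS[d[31] % len(TLDS)]
        domains.append(f"{name}.{tld}")
    return domains


def select_for_lookup(day, k=CHECKED):
    """The k domains a bot would actually query on `day` (a deterministic subset)."""
    key = _daily_key(day)
    candidates = generate_candidates(day)
    ranked = sorted(candidates, key=lambda dom: hashlib.sha256(key + dom.encode()).digest())
    return ranked[:k]


def flag_dga_lookups(dns_log_lines, day):
    """Defender side: precompute the day's full list and flag any query that hits it.

    Log format (constructed for this example): "<timestamp> <client-ip> query <domain>"
    Returns a list of (client_ip, domain) pairs.
    """
    todays_domains = set(generate_candidates(day))
    hits = []
    for line in dns_log_lines:
        parts = line.split()
        if len(parts) < 4 or parts[2] != "query":
            continue
        qname = parts[3].lower().rstrip(".")
        if qname in todays_domains:
            hits.append((parts[1], parts[3]))
    return hits


# Constructed sample input: an ordinary lookup plus one hit on the day's list.
SAMPLE_DAY = datetime.date(2009, 4, 1)
SAMPLE_LOG = [
    "2009-04-01T00:00:01 10.0.0.5 query www.example.com",
    f"2009-04-01T00:00:05 10.0.0.5 query {generate_candidates(SAMPLE_DAY)[7]}",
    "2009-04-01T00:00:09 10.0.0.9 query update.example.net.",
]

if __name__ == "__main__":
    print("first 5 candidates:", generate_candidates(SAMPLE_DAY)[:5])
    print("queried today:", len(select_for_lookup(SAMPLE_DAY)))
    print("flagged:", flag_dga_lookups(SAMPLE_LOG, SAMPLE_DAY))
```

Run against real resolver logs you would feed `flag_dga_lookups` the day's full candidate list, not just the subset the bot picks, since you cannot know in advance which 500 a given host will try; and because the list changes every 24 hours, the precomputation has to be redone daily.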