Conficker botnet update: A year on, and still a danger

Ron Condon, U.K. Bureau Chief

Remember all the fuss about Conficker earlier this year? The worm spread like crazy and everyone expected it to do something terrible on April Fools' Day.

Then when the day came, nothing happened. Life went on, the Internet didn't collapse, and most people decided it was just another one of those scare stories (remember the Millennium Bug).

But as we approach the first anniversary of the infection -- it was first detected by the Microsoft Malware Protection Center on November 21, 2008 -- the bad news is that a Conficker botnet is still very much alive. Between 6 million and 7 million machines around the world are currently infected, and infections are still creeping up.

So should we worry? Although the malware is very good at spreading and defending itself once installed, it doesn't destroy files or steal information -- yet.

In the early stages, Conficker certainly caused a lot of trouble, infecting hospital systems, the U.K. Parliament and the Navy. In one incident, a number of French military aircraft had to be grounded because they were unable to download flight plans due to Conficker. The cleanup costs across the world have been enormous.

Conficker has the ability to spread via USB sticks, as well as over a network. As recently as August, Whipps Cross University Hospital NHS Trust in east London admitted it had just managed to contain an infection of 30 machines, probably caused by an infected USB stick.

And even though Conficker does not destroy or steal information, it is far from harmless. In order to spread, it tries to guess the passwords of other machines on the network. If you have a limit of, say, three failed logins before closing down an account, then users will suddenly find themselves unable to work.

Also, from its second variant, the worm began to disable Windows Update and blocked access to the majority of antimalware websites. In the words of Alexandru Catalin Cosoi, a researcher with Bucharest-based BitDefender, "Conficker's mission until now has been to create a worldwide army of yet-dormant machines, able to communicate, update and receive orders, while also neutralising any defence system in place. Any infected machine can be exploited anytime from now on. It is like having a house with a door wide open all the time, even when you sleep or go to work or on vacation."

And that is the problem: Although the authors of the Conficker botnet have so far made little use of their brainchild, they have created a vast network of machines that could wreak havoc some time, destroying local files, stealing information or launching DDoS attacks.

The many forms of Conficker
On October 23, 2008, Microsoft released a critical security update, MS08-067, to resolve a vulnerability in the Server service of Windows. The vulnerability allowed an attacker to take full control of a vulnerable system through a network-based attack.

The following variants of Conficker were released, with each developing new ways of spreading and avoiding detection:

Conficker A - Nov. 21, 2008
Conficker B - Dec. 29, 2008
Conficker C - February 20, 2009
Conficker D - March 4, 2009
Conficker E - April 8, 2009

"There are 6m or more infected machines out there on the Internet that could act like Google on steroids," said Rodney Joffe, chief technologist at Sterling, Va.-based Neustar Inc. "It is quite possible to use it as a single system, 6 million machines connected to 6 million local disks and network shares. For instance, you could get it to go and search for any files containing certain information, and bring those back to the criminals controlling the botnet."

However, much has already been done to limit the effects of Conficker, and to track down the culprits. In an unprecedented move, when the scope of the threat was realised, the international security industry came together with law enforcement and formed the Conficker Working Group, which still operates and tracks the worm's progress.

According to Eric Sites, CTO of Sunbelt Software Inc. and a member of the Conficker Working Group, the threat of getting caught may have prevented the culprits from showing their hand too openly.

"It's taken an enormous amount of money to clean up after Conficker, so if the person does try to use the network and gets caught in the process, then he's going to go to jail for a long time," he said. "We have narrowed it down to a specific country, and we have a lot of sensors out on the network to try to pinpoint where the communication is coming from. Almost every AV company has a version of Conficker installed in a dirty network waiting for it to update itself to see what is happening and to track the guy down."

Nevertheless, the network has been used for criminal activity. The E variant of the worm, released on April 8, downloaded the Waledac spambot, and started pumping out scareware messages to get people to buy rogue AV software.

For Rodney Joffe, who is also a founder and director of the Conficker Working Group, the Waledac spambot was a significant turning point. "Up until April 8, there was every possibility that Conficker was an experiment that had gone horribly right for a researcher," he said. "At that point we knew we were dealing with people who would use it as a platform to download whatever malicious software they wanted."

He added that the new variant exposed a sophisticated business model. "It is interesting that they only downloaded Waledac if the date was before April 22. In effect, they rented the use of the Conficker botnet to the authors of Waledac for two weeks."

Each new version of Conficker has also demonstrated a level of technical sophistication that Joffe finds alarming. For instance, the code uses MD6, an extremely advanced encryption algorithm developed by Professor Ron Rivest (he's the R in RSA), which is a possible candidate for use by the U.S. government in the next decade.

As Joffe explained, after a buffer overflow vulnerability was discovered in the MD6 algorithm, Professor Rivest produced a patch last February. Within weeks, the patch had been incorporated into the Conficker code. "These guys are hooked into the crypto world enough to know and understand the issues; to recognise the buffer overflow and to have patched it within seven or eight weeks of Ron Rivest's submission," he said. "These are not amateurs. They have chosen an algorithm that is designed to be unbreakable, to defend the U.S. for the next 10 years."

He also noted that while early versions of Conficker used URLs to access command-and-control Web servers, Conficker E uses just peer-to-peer communications, making it much harder to track. "As far as we know, they are currently in touch with all the machines infected with the E variant. But because it is peer-to-peer, we don't know what machines are infected. Unless you have access to one machine on the node, and can see the flow data, you can't tell who else is infected."

How to control Conficker infection
While the security vendors and law enforcement sit poised to pounce on any future use of the Conficker network, individuals and companies just need to follow basic good security practice to avoid infection.

These include:

  • Patch management -- the MS08-067 security update, which Microsoft issued on October 23, 2008 ahead of the first Conficker outbreak, would have blocked all infections if it had been applied immediately. Any new victims are going to be either users of unlicensed software (see sidebar showing the locations of infections), or companies that have failed to apply the patch to every machine in their network.
  • Applying strong passwords -- Conficker spreads by trying to brute-force passwords on the network.
  • Disabling Autorun to avoid the malware being spread through USB sticks.
  • Ensuring disinfection is complete, as one bad machine can reinfect the rest.

Top 10 most infected countries between Q1 and Q3 2009

China: 12.96%
Romania: 8.02%
Vietnam: 7.75%
India: 7.48%
Thailand: 6.30%
Malaysia: 5.64%
Indonesia: 5.05%
Australia: 3.63%
Philippines: 2.91%
Mexico: 2.49%
Other countries: 37.76%
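The password guessing described above, and the account lockouts it triggers, leave a distinctive trail in failed-logon records. This is an added example, not code from the article or the Conficker Working Group: it runs over constructed failed-logon lines, the five-account threshold and five-minute window are assumed values, and the three-failure lockout is the policy the article mentions.

```python
# Added example, not from the article: flag the pattern a password-guessing
# worm leaves in failed-logon records, and the account lockouts it causes.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 3          # the "three failed logins" policy from the article
WINDOW = timedelta(minutes=5)  # assumed correlation window
MIN_ACCOUNTS = 5               # assumed: distinct accounts one host must fail against
# Constructed sample of failed logons: timestamp, source host, target account
SAMPLE_EVENTS = """\
2009-11-20T09:00:01 WS-17 alice
2009-11-20T09:00:01 WS-17 alice
2009-11-20T09:00:02 WS-17 alice
2009-11-20T09:00:02 WS-17 bob
2009-11-20T09:00:03 WS-17 carol
2009-11-20T09:00:03 WS-17 dave
2009-11-20T09:00:04 WS-17 erin
2009-11-20T09:12:40 WS-03 gina
"""

def parse(text):
    """Turn the sample text into (timestamp, source, account) tuples."""
    events = []
    for line in text.strip().splitlines():
        ts, src, acct = line.split()
        events.append((datetime.fromisoformat(ts), src, acct))
    return events

def suspicious_sources(events, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Hosts failing against >= min_accounts distinct accounts inside one window:
    a mistyped password hits one account, a worm walking the network hits many."""
    fails = defaultdict(list)
    for ts, src, acct in events:
        fails[src].append((ts, acct))
    flagged = {}
    for src, items in fails.items():
        items.sort()  # walk failures in time order
        for i, (start, _) in enumerate(items):
            accts = {a for t, a in items[i:] if t - start <= window}
            if len(accts) >= min_accounts:
                flagged[src] = sorted(accts)
                break
    return flagged

def accounts_locked(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts that reached the lockout threshold: users now unable to log in."""
    count = defaultdict(int)
    for _, _, acct in events:
        count[acct] += 1
    return sorted(a for a, n in count.items() if n >= threshold)
```

On the constructed sample, WS-17 is flagged for spraying five accounts in a few seconds and alice is already locked out, while the single mistyped logon from WS-03 is left alone.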

The fact that new infections are continuing to occur is a sign that organisations have become complacent, according to Orla Cox from the Symantec Response Centre in Dublin. "Some companies know they have infections, but they are prepared to live with it, because it's not causing them any real trouble. But it can cause a lot of noise on the network, and become a real nuisance. It's really not good practice to continue with infected machines."

Rodney Joffe agrees: "Organisations are not implementing the defences to stop infection and reinfection -- that's why we're not beating this," he said. "If an organisation gets infected, it's because IT folks are not taking it seriously, or they are not enforcing their rules. They are still allowing people to wander around promiscuously with USB drives and get infected. If companies are still getting infected, names should be taken and heads should roll."

So what can we learn from the Conficker botnet, and what does it tell us about future malware trends?

Most experts agree that the best thing to come out of the Conficker outbreak is the rapid response of the industry and the formation of the working group to monitor its development and help track down the culprits. "It was impressive that we could pull together a concerted response from 110 different countries in the course of a few days to focus on a single threat. That had never happened before," Joffe said. "That will form the basis for how we fight the next battle."

But Randy Abrams, director of technical education at antivirus company ESET LLC, had a more cynical view: "Conficker teaches us very little. Those who practice the most basic of security tenets have little problem with Conficker. Those who refuse to learn from history make the same security mistakes over and over again."