ESET Threat Blog

Archive for the 'MS08-067' Category

September’s Global Threat Report


Tuesday, October 6th, 2009

ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud.  You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site.  While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.

Conficker

While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections.  This was actually a slight upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, that is not unexpected, and it is still below the 12.58% seen in July.  The Win32/Conficker worm spreads using several vectors: unpatched operating systems, weakly protected network shares, and AutoRun on removable media such as USB flash drives.  ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF detection to every 4.8 detections of the worm’s executable.
 
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks out there where the worm is spreading.  While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
  • If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems.  It is also a good idea to install the MS08-068 and MS09-001 patches as well.
  • Disable AutoRun on removable media.  More about this below.
  • Use strong passwords.  The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.
ESET classifies Conficker into several variants, depending upon their behavior and technology.  For more information on each classification, see the following ESET Virus Encyclopedia entries: Conficker.A, Conficker.AA, Conficker.AE, Conficker.AQ, Conficker.AR and Conficker.X.

Worms continue to spread quick as a flash

The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware.  ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% of detections—and the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%.  Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
 
In order to block malware which spreads in this fashion, AutoRun on removable media needs to be disabled.  This has been discussed earlier in ESET’s Threat Blog here and here, and US-CERT, the federal agency responsible for securing the government’s computers, gives instructions here as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers, will ship with this change, and it has also been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008.  For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
 
As mentioned previously, anti-malware software is only part of the security equation.  Removing this unneeded functionality from your PC immediately immunizes it against a technique used by nearly a fifth of the malware we saw last month.  The tools and techniques used to disable AutoRun can be applied in under a minute on a single PC and are easily scriptable, so they can be deployed across a managed computer environment with minimal effort.  We strongly recommend doing this.

Conclusion

As you can see, malware relies on a number of ways to spread.  Some of them are closed by updating the operating system; others require changing default behaviour that was chosen for convenience in less hostile times to more modern, secure settings.
 
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
 
Regards,

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Confounding Conficker


Friday, January 23rd, 2009

[Update: Spiegel Online reports (in German!) that the total may be as high as 50 million infected machines: however, this figure seems to be extrapolated from the number of infections picked up by Panda’s online scanner. Statistically, I’m not sure it makes any sense at all to try to correlate this self-selecting sample to the total population of online machines, though. (Thanks, Andreas, for drawing my attention to this item!) By the way, our own online scanner is here.]

9.5 million and climbing. PCs infected by Conficker (Downadup), that is, at least according to some sources. Some doubts have been expressed about how accurate F-Secure’s calculation is or can be, but as the company have made quite clear, there are many factors that complicate the calculation. Nonetheless, it’s clear that there are very high volumes of infected machines out there (though there are signs that the number has started to level off), so it’s unsurprising that it has attracted so much media attention.

Since its appearance last autumn, our research teams around the globe have been paying close attention to this threat.  Before we share a little more information on some of the malware’s less widely publicized characteristics, though, let’s stop panicking about the sheer size of the numbers and get back to trying to reduce them. Conficker makes use of a wide range of attack vectors, so here are some approaches to closing some of the holes.

First of all, of course, use good antimalware programs (we can suggest a particularly good one!), but don’t expect them to give you absolute protection, no matter what you do.

Obviously, systems with up-to-date anti-malware are less likely to fall prey to a Conficker variant than systems that are inadequately protected. Like other companies, we have been detecting the many Conficker variants for some time, and have been updating our detections (signatures and heuristics) regularly as more information on new variants comes in. For us, the real Conficker work took place between its discovery in October and the beginning of this year, when we were developing more effective ways to detect this threat in memory and to clean it.  This is a sophisticated, complex threat, and it was necessary to create specific algorithms to address it fully, but so far detection has been pretty effective.

However, Conficker variants have gone way out of their way to hide from antimalware: for instance, by blocking domain names incorporating strings that suggest antimalware resources or companies. So it may be necessary to access updates or a Conficker-specific cleaning tool from a known clean machine.

One of the approaches Conficker takes to infection is to exploit the vulnerability described by Microsoft in their bulletin MS08-067, so patch vulnerable machines. (If they’re already infected, they’ll need to be cleaned first.) Another interesting characteristic is that it may patch infected systems that are vulnerable to the MS08-067 vulnerability.  (Since it uses multiple infection vectors, not all infected systems are unpatched.)

The MS08-067 vulnerability is present in the NetpwPathCanonicalize function in netapi32.dll.  An out-of-band patch was released by Microsoft on October 23rd last year to fix this problem, but a lot of organizations still haven’t applied it to their systems, either because system administrators did not apply the patch in good time, or because home users are afraid to update because they are using pirated versions of their operating system. Interestingly, Win32/Conficker patches vulnerable systems itself: it modifies the function containing the vulnerability by writing a jump at its beginning to memory that the worm has allocated, and into that memory area it has copied a patched version of the function. (We assume that this is to “spoil” the chances of other malware using the same exploit, rather than a gesture of goodwill by Conficker’s author.)  Since the vulnerable function is self-contained, meaning that it doesn’t need to access any data other than its parameters, this technique is both stable and easy to implement.  We recommend that you re-patch once the system is clean, rather than rely on the efficacy and persistence of the worm’s patching routine: an in-memory hook is not a substitute for the real patch.
Clearly, not enough people (especially corporate organizations, it appears) have been patching in a timely manner.  Where a machine is already infected, automatic updating is likely to be disabled (whether by the system owner/administrator or by the malware), so you need to (a) understand the problem and (b) take appropriate steps to remove the infection. You can’t fix an infected machine simply by patching it: you need to disinfect it first, and then patch. If you have machines that are uninfected but don’t have the patch, now would be the time to fix that. For some in-depth information on hot patching the MS08-067 vulnerability, please refer to the following web site: http://www.nynaeve.net/?p=226. You might want to apply MS08-068 and MS09-001 at the same time.

However, there are other factors, such as admin shares protected by weak passwords (see, for instance, http://news.bbc.co.uk/1/hi/technology/7832652.stm). The worm attempts to access local network shares using a dictionary attack that tries really basic passwords. In a corporate environment, it makes sense to close admin shares and network-mounted drives while disinfecting, so that cleaned machines aren’t immediately reinfected, and to ensure that strong passwords are in use before re-opening them.

Martin Overton made some useful suggestions on an AVIEN mailing list for restricting the spread of the infection over a network, including setting up SMBLure (see http://www.utdallas.edu/~pauls/smblure/ and http://momusings.com/papers/VB2003-Worm_Charming.pdf) to track machines broadcasting infected files to open shares, and using a Snort signature to block malcode with a known MD5 value. Martin is rather handy at using Snort signatures as an anti-malware tool, and has made available (along with other resources) one or two very nice papers on the topic at http://momusings.com.

Conficker also makes heavy use of the AutoRun facility in Windows. We’ve been pointing out for years that this is a facility that should be disabled by default (malware that exploits it is one of the most consistent problems flagged by our ThreatSense.Net tracking system). It’s certainly a good idea to disable it at least temporarily while cleaning systems, to cut down on the risk of reinfection. We are pleased to note that Microsoft has now revisited the process for disabling it: see http://support.microsoft.com/kb/953252. US-CERT also has an excellent technical note on the process at http://www.us-cert.gov/cas/techalerts/TA09-020A.html.  While The Register is scornful of its high geek content, we recommend the @SYS:DoesNotExist solution described in US-CERT’s bulletin rather than Microsoft’s. Martin also remarks that the HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2 key needs to be removed before rebooting the system: otherwise, USB devices used before the change will still autorun (this is also addressed in the US-CERT bulletin).
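As an added example (my own script, not code from the ESET posts, Microsoft or US-CERT), the following PowerShell applies the AutoRun mitigations recommended both in "September’s Global Threat Report" above and in this post: the @SYS:DoesNotExist mapping from the US-CERT note, the NoDriveTypeAutoRun policy from the Microsoft KB article, and removal of the MountPoints2 cache. The registry paths and values are the published ones; the function names are mine. It assumes an elevated prompt and that XP/2003 hosts have the update from KB 953252.

```powershell
# Added example, not code from the ESET posts, Microsoft or US-CERT.
# Run from an elevated PowerShell prompt and reboot afterwards.
$ErrorActionPreference = 'Stop'

$IniMapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$PolicyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$MountKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2'

function Disable-AutoRun {
    # 1. The US-CERT method: IniFileMapping makes the shell read Autorun.inf
    #    settings from the registry instead of the file. Pointing it at a key
    #    that never exists means every Autorun.inf is treated as empty.
    if (-not (Test-Path $IniMapKey)) { New-Item -Path $IniMapKey -Force | Out-Null }
    Set-ItemProperty -Path $IniMapKey -Name '(default)' -Value '@SYS:DoesNotExist'

    # 2. Microsoft's method as well: NoDriveTypeAutoRun is a bit mask of drive
    #    types, 0xFF = disable AutoRun on all of them. XP/2003 only honour this
    #    reliably after the update described in KB 953252.
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    Set-ItemProperty -Path $PolicyKey -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord

    # 3. Forget removable volumes this user has already mounted, so a stick
    #    plugged in before the change cannot still autorun from the cached
    #    entry. MountPoints2 is per user: repeat for each profile on shared PCs.
    if (Test-Path $MountKey) { Remove-Item -Path $MountKey -Recurse -Force }
}

function Test-AutoRunDisabled {
    # Returns $true only when both machine-wide settings are in place; handy
    # as a compliance check from a logon script or management agent.
    $mapped = (Test-Path $IniMapKey) -and
              ((Get-ItemProperty -Path $IniMapKey).'(default)' -eq '@SYS:DoesNotExist')
    $policy = (Test-Path $PolicyKey) -and
              (((Get-ItemProperty -Path $PolicyKey).NoDriveTypeAutoRun -band 0xFF) -eq 0xFF)
    return ($mapped -and $policy)
}

Disable-AutoRun
if (Test-AutoRunDisabled) { 'AutoRun disabled; reboot to apply.' }
else { throw 'AutoRun settings were not applied.' }
```

Test-AutoRunDisabled is what you would run from a logon script or push out with your management tooling to confirm that every machine in the estate has both settings; the MountPoints2 removal is deliberately left out of the check because that key is recreated as soon as a new volume is mounted.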


Pierre-Marc Bureau and David Harley
ESET Research Team
(Tip of the hat to Martin Overton for his input to this blog.)

Conficker: can’t stand up for falling downadup


Monday, January 19th, 2009

You might have noticed that Conficker (Downadup) is actually standing up rather well to all the attention it’s receiving at the moment.

Heise (a European publisher sending out a weekly security newsletter that’s often worth a closer look) reported that 2.5 million PCs were already infected. In The Register, Dan Goodin reports that the total has increased dramatically since Heise’s initial report, to nearly 9 million. (If anyone is interested in how these figures were arrived at, F-Secure have described the process here: it’s guesswork, but it looks like sound guesswork to me.)

(Incidentally, I looked back at our ThreatSense.Net® statistics for December, and notice that Conficker had already made number 5 in our top ten detections of known malware worldwide by the end of that month, so we’re not exactly talking about a brand-new fast-burner!)

If you’ve read Randy’s earlier blog, you’ll know that while we take the present epidemic very seriously, there’s an argument for concentrating less on the alarming figures (and on attributing them to the supernatural powers of what some have described as a Superworm), and paying more attention to the fact that a fairly prosaic malicious program has managed to cause so much damage simply because so many people and sites aren’t taking the elementary precautions that would have dramatically mitigated Conficker’s impact.

Randy has also participated in a podcast with Ira Victor that’s available now: I haven’t looked at it yet, but I’m sure it will be of interest and provide reassurance and sound advice to anyone feeling down about Downadup.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Malware Trying to Avoid Some Countries


Thursday, January 15th, 2009

There are different techniques that can be used by a program to identify in which country it has been installed.  It can check for time zone information, public IP addresses or even domain names.  Lately, we have seen two different malware families trying to discover their geographic location in an effort to avoid infecting PCs in specific countries.

We have found some variants of Win32/TrojanDownloader.Swizzor using the following code:

call    GetSystemDefaultLangID ; Indirect Call Near Procedure
[...]
mov     edi, eax
[...]
cmp     di, 419h
jz      end_function


This code calls the GetSystemDefaultLangID function and compares the result to the constant 0x419.  Browsing through the MSDN documentation reveals that this value is the language identifier for Russian (LANG_RUSSIAN with the default sublanguage).  It turns out that these variants of Win32/TrojanDownloader.Swizzor will exit before infecting a computer if they find that the default system language is Russian.

We have also identified the following code in the earliest variants of the Win32/Conficker malware:

push    edi             ; lpList
push    esi             ; nBuff
call    ebx ; GetKeyboardLayoutList
cmp     esi, eax       
jnz     short list_not_found 
dec     esi
cmp     word ptr [edi+esi*4], 422h
jz      short dont_install

Here, the malware retrieves the list of installed keyboard layouts and works through that list.  If a layout is found whose language identifier (the low word of the layout handle) is 0x422, the routine terminates and the malware is not installed.  This means that some variants of the Win32/Conficker family will not install on a computer that has a Ukrainian keyboard layout.  Please note that this behavior is only present in Win32/Conficker.A.  Later variants of this malware infect any PC they can access without checking the keyboard layout.
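As an added example (my own code, not from the ESET post), the following PowerShell reproduces both locale checks described above, so that an analyst can see what these samples would have seen on a given machine. The language identifiers (0x419 Russian, 0x422 Ukrainian) and the two Win32 functions are the ones named in the post; the function names, the P/Invoke wrapper and the constructed sample inputs at the bottom are mine.

```powershell
# Added example, not code from the ESET post: replicate the two locale checks
# (Swizzor: GetSystemDefaultLangID == 0x419; Conficker.A: any installed
# keyboard layout whose language identifier is 0x422).

Add-Type -Namespace Win32 -Name Locale -MemberDefinition @'
[DllImport("kernel32.dll")] public static extern ushort GetSystemDefaultLangID();
[DllImport("user32.dll")]   public static extern int GetKeyboardLayoutList(int nBuff, IntPtr[] lpList);
'@

$LANG_RUSSIAN   = 0x419   # LANG_RUSSIAN, SUBLANG_DEFAULT
$LANG_UKRAINIAN = 0x422   # LANG_UKRAINIAN, SUBLANG_DEFAULT

function Get-InstalledLayoutLangIds {
    # GetKeyboardLayoutList returns HKL handles: device handle in the high
    # word, language identifier in the low word. The Conficker.A code compares
    # only the low word ("cmp word ptr [...]"), so that is what we extract.
    $count = [Win32.Locale]::GetKeyboardLayoutList(0, $null)   # nBuff = 0 just returns the count
    $list  = New-Object IntPtr[] $count
    $null  = [Win32.Locale]::GetKeyboardLayoutList($count, $list)
    foreach ($hkl in $list) { [int]($hkl.ToInt64() -band 0xFFFF) }
}

function Test-LocaleAvoidance {
    param(
        [int]   $DefaultLangId = [int][Win32.Locale]::GetSystemDefaultLangID(),
        [int[]] $LayoutLangIds = @(Get-InstalledLayoutLangIds)
    )
    [pscustomobject]@{
        DefaultLangId       = '0x{0:X4}' -f $DefaultLangId
        LayoutLangIds       = @($LayoutLangIds | ForEach-Object { '0x{0:X4}' -f $_ })
        SwizzorWouldExit    = ($DefaultLangId -eq $LANG_RUSSIAN)
        ConfickerAWouldSkip = ($LayoutLangIds -contains $LANG_UKRAINIAN)
    }
}

# What the samples would see on this machine:
Test-LocaleAvoidance

# Constructed inputs (not captured from real systems): an English (US) system
# with a Ukrainian layout added is skipped by Conficker.A but not by Swizzor;
# a Russian-default system with only a Russian layout is skipped by Swizzor only.
Test-LocaleAvoidance -DefaultLangId 0x409 -LayoutLangIds @(0x409, 0x422)
Test-LocaleAvoidance -DefaultLangId 0x419 -LayoutLangIds @(0x419)
```

Note that adding a Ukrainian layout as a "vaccine" only affects Conficker.A; as the post says, later variants dropped the check, so it is no substitute for patching MS08-067 and disabling AutoRun.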


What we are seeing now is probably the beginning of a new trend.  Malware authors will try to avoid infecting PCs in specific countries to limit the risk of legal action being taken against them.  In most countries, there needs to be a victim or a complaint before law enforcement agencies take action against an offender in a malware case.  When an attacker only targets victims outside his own country, it is much harder for local law enforcement to act.

Special thanks to Sebastien Doucet and Volodymyr Pikhur for their help.

Pierre-Marc Bureau

Researcher

Ten Ways to Protect Yourself: Part 2


Wednesday, December 31st, 2008

Here’s the second instalment of the "ten ways to dodge cyberbullets" that I promised you.

Keep applications and operating system components up-to-date with automated updates and patches, and by regularly reviewing the vendors’ product update sections on their web sites.

This point is particularly relevant right now, given the escalating volumes of Conficker that we’re seeing currently. Win32/Conficker is a network worm that propagates by exploiting a recently discovered vulnerability in the Windows operating system (MS08-067). The vulnerability is present in the RPC subsystem and can be exploited remotely by an attacker without valid user credentials. As we mention in our Threat Report for November, Conficker tries to download additional malware likely to be connected with adware (typically the FakeAlert and Wigon families), and it avoids infecting Ukrainian PCs. In addition, it shuts down the Windows Firewall and starts an HTTP server on a random port.

Sometimes, it seems that the whole world assumes that the only vendor that suffers from vulnerabilities in its operating system and other software is Microsoft. To see how misleading claims like this can be, check out the weekly “Consensus Security Vulnerability Alert” published by SANS (see http://portal.sans.org), which summarizes some of the most important vulnerabilities and exploits identified in the preceding week. Even during a week that includes “Patch Tuesday”, you’ll typically find that problems are flagged with a frightening number of applications from other vendors. Certainly, any system administrator should consider making use of this resource.

While ESET has effective detection for Conficker, it’s important for end users to ensure that their systems are updated with the Microsoft patch, which has been available since the end of October, so as to avoid other threats using the same vulnerability. Information on the vulnerability itself is available here.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence