Conficker Worm fighting back - new variant disables security measures (Update)
by Steve Ragan - Mar 13 2009, 19:00
Security vendor CA pointed out an interesting bit of information this week. According to them, Conficker has a rather large joke to play next month, and it isn’t funny.
“This worm, detected as Win32/Conficker.C, is getting ready for April Fool’s Day on 1 April, although it definitely won’t be fooling around. On that day, Conficker.C will commence its attempt to generate 50,000 URLs daily and try to access (download or report back to) 500 of them. It is a clever strategy, but the security industry is certainly on the lookout.”
The warning from CA is important, but how will the companies that have teamed up to deal with Conficker handle 50,000 new domains every day? So far none of them have mentioned any solid plans.
Original article below:
In a previous article, The Tech Herald made a joking reference to Conficker variant C++. It would appear that Murphy’s Law applied, as Symantec is reporting that a new variant of Conficker, version C, is digging trenches and preparing for a long, cold, bitter war against the security researchers who are dedicated to fighting it.
Symantec says they have discovered a new update that is being pushed to some systems infected by the Conficker (Downadup) Worm. The update doesn’t add any new methods of propagation, but considering that new systems are still being infected daily, the authors of the Worm do not need to update that part of the code, at least not yet.
The main addition is that the new variant targets security researchers, security software, and even security-related applications. If the Worm finds a running process on an infected system whose name contains a string associated with security testing and analysis, or with anti-virus software, it kills that process. Wireshark, Unlocker, TCPview, filemon, ms08-06, kb958, kb890, confick, hotfix, and downad are among the strings that trigger the kill.
Another update in the new variant is the domain generation algorithm. Earlier variants generated 250 domains, which the infected system contacted to receive updates and instructions. Researchers cracked the domain generation algorithm and began registering and blocking the domains before they could be used, limiting the reach of this update channel. However, some of the domains Conficker generated turned out to be legitimate, which raised concern about an additional attack vector.
Now, Symantec says the 250-domain limit is gone, replaced by a 50,000-a-day generation algorithm that uses one of 116 possible domain suffixes, such as com, net, org, tv, info, and ws.
“These early findings may suggest that the Downadup authors are now aiming for increasing the longevity of the existing Downadup threat on infected machines. Instead of trying to infect further systems, they seem to be protecting currently infected Downadup machines from antivirus software and remediation. Also, currently we are not seeing an increase in customer infections for this threat but are keeping a close eye on it,” Symantec said.
Last month, SRI International reported on new code in the Conficker variant named B++ that foreshadowed the possibility that the Worm’s authors were looking for ways to fight the researchers.
“Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach,” the SRI research stated.
If the people behind Conficker are working to protect the systems they already have, why would they raise the number of generated domains? What no one has been able to ascertain is the intended use of the infected systems.
While the infection rate has slowed, that does not mean we won’t see a slight boost over the coming months. No matter how good the researchers are, 50,000 domains are hard to fight, and even harder to predict and block before the Worm can reach them. All the Worm needs is a few hundred domains and a quick download of new code to the infected systems. It is this new code, and the concern over what it will do, that most worries security experts.
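To put numbers on the blocking problem described above, here is an added Python model; it is not from the article or any vendor, and it is not Conficker's actual algorithm. It assumes the worm picks its 500 daily tries uniformly from that day's 50,000 candidates, that each day is an independent draw, and that defender pre-registration removes a uniform fraction of the attacker's registered domains.

```python
from fractions import Fraction
from math import comb


def p_bot_reaches_attacker(n_candidates, n_tried, n_live):
    """Probability that one bot, trying n_tried domains drawn uniformly from
    a day's n_candidates, hits at least one of n_live attacker-controlled
    (not yet blocked) domains. Hypergeometric: 1 - C(n-live, k) / C(n, k).
    Assumption (not from the article): the worm's picks are uniform."""
    if not 0 <= n_live <= n_candidates or not 0 <= n_tried <= n_candidates:
        raise ValueError("counts out of range")
    if n_live == 0:
        return 0.0
    miss_all = Fraction(comb(n_candidates - n_live, n_tried),
                        comb(n_candidates, n_tried))
    return float(1 - miss_all)


def scenario(n_candidates, n_tried, attacker_domains, blocked_fraction, days):
    """Chance that a bot receives an update within `days`, if the attacker
    registers `attacker_domains` per day and defenders block or pre-register a
    uniform `blocked_fraction` of them. Assumption: days are independent."""
    live = round(attacker_domains * (1 - blocked_fraction))
    p_day = p_bot_reaches_attacker(n_candidates, n_tried, live)
    return {"live_attacker_domains": live,
            "p_per_bot_per_day": p_day,
            "p_within_days": 1 - (1 - p_day) ** days}


if __name__ == "__main__":
    # Old scheme: 250 candidates, all 250 contacted. Blocking every one works,
    # but a single domain left live updates every bot the same day.
    print("old, fully blocked  :", scenario(250, 250, 5, 1.0, 30))
    print("old, 1 domain missed:", scenario(250, 250, 1, 0.0, 1))
    # New scheme from the article: 50,000 candidates, 500 tried per bot per
    # day. Defenders must cover the whole list daily, while a few hundred
    # attacker domains reach most bots within a day.
    print("new, 1 attacker dom :", scenario(50_000, 500, 1, 0.0, 30))
    print("new, 100 attacker   :", scenario(50_000, 500, 100, 0.0, 1))
    print("new, 100, 90% block :", scenario(50_000, 500, 100, 0.9, 7))
```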
The odds are stacked against the researchers, but like before, they will work something out. For now, the cat and mouse game keeps going.