Report: Facts and information on the Conficker Worm (UPDATE 2) by Steve Ragan - Feb 26 2009, 03:04
The Facts about the Conficker Worm
There is a new location for the most recent news and information regarding Conficker. You can view that information here.
For anyone who has issues disabling AutoRun, even after watching the video below or following the steps, you may need an update released by Microsoft this week. The update addresses issues where AutoRun still functions even after it is disabled.
Some users will not experience these issues. The Knowledge Base article released this week, KB967715, supersedes the original article KB953252. If you tried to disable AutoRun before February 24 and it did not take effect, note that Microsoft has since pushed this update to customers through Windows Update and Microsoft Update.
After you apply the update, via automatic updates or direct download, if there are still issues with AutoRun visit the new KB Article for more information and workarounds.
The update applies to Microsoft Windows 2000, Windows XP (SP2 and SP3), and Windows 2003 (SP1 and SP2).
First off, despite mounting rumors, there is no drive-by download or e-mail infection vector for Conficker. No one has been infected by opening an e-mail message, and no one has been infected by visiting a Web site.
There are three ways for the Conficker Worm to infect your system or network.
The first is an unpatched Windows system: the Worm exploits the Server service vulnerability that MS08-067 fixed. This is the major infection point, but it is only one of the known methods.
The Worm actually patches your system against the vulnerability addressed last October when Microsoft released MS08-067. How’s that for sick?
The second method of infection is removable storage. Conficker attempts to spread itself on removable media such as USB drives. It writes an autorun.inf file to the drive, and if Autoplay (AutoRun) is enabled on the next machine the drive is plugged into, that file launches the Worm.
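As an added example (not from the original article and not Conficker's own file), here is a small Python checker for the autorun.inf mechanism just described. It parses the file the way a defender scanning a USB drive would, tolerating the junk bytes that worm-dropped autorun.inf files commonly carry, and flags entries that launch a program or dress that launcher up in the AutoPlay dialog. The sample file, the RECYCLER\setup.exe path and the drive-root list are constructed for illustration.

```python
from pathlib import Path

# Constructed sample autorun.inf (not Conficker's): a decoy 'Action' text that mimics
# Windows' own "Open folder" entry, a launcher hidden under RECYCLER, and a line of
# junk bytes, which real worm-dropped files often include to trip up naive scanners.
SAMPLE_AUTORUN_INF = (
    "[autorun]\r\n"
    "Action=Open folder to view files\r\n"
    "Icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    "shellexecute=RECYCLER\\setup.exe\r\n"
    "\x00\x7f\x01garbage\xff\r\n"
    "UseAutoPlay=1\r\n"
)

EXEC_KEYS = {"open", "shellexecute"}          # run something when the drive is used
DISPLAY_KEYS = {"action", "label", "icon"}    # control what the AutoPlay dialog shows


def parse_autorun_inf(text):
    """Parse an autorun.inf body into {section: {key: value}} (keys lower-cased).

    Lines that are neither '[section]' nor 'key=value' are skipped rather than
    rejected, so padding or binary junk does not hide the entries that matter.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            sections[current][key.strip().lower()] = value.strip()
    return sections


def assess_autorun_inf(text):
    """Return findings (strings) for an autorun.inf; an empty list means nothing launches."""
    autorun = parse_autorun_inf(text).get("autorun", {})
    launchers = sorted(EXEC_KEYS & set(autorun))
    findings = [f"{key}= launches '{autorun[key]}' via AutoRun/AutoPlay" for key in launchers]
    if launchers:
        for key in sorted(DISPLAY_KEYS & set(autorun)):
            findings.append(f"{key}= '{autorun[key]}' disguises the launcher in the AutoPlay dialog")
    return findings


def scan_drive_roots(roots):
    r"""Look for autorun.inf at each drive root (e.g. ['E:\\', 'F:\\']) and assess it."""
    results = {}
    for root in roots:
        inf = Path(root) / "autorun.inf"
        if inf.is_file():
            results[str(inf)] = assess_autorun_inf(inf.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    for finding in assess_autorun_inf(SAMPLE_AUTORUN_INF):
        print(finding)
```

Run `scan_drive_roots(["E:\\"])` against a freshly inserted drive before opening it; a non-empty result means the drive would have executed something had AutoRun been on.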
The third known infection method deals with networked computers and mapped drives.
Using a dictionary attack against the passwords of accounts that can reach the ADMIN$ share, the Worm moves between systems on an infected network wherever passwords are weak. Any system reachable over the network that exposes ADMIN$ to remote users is a potential victim, and if that remote system also has USB storage attached, it becomes a second spreading point.
Note: the ADMIN$ administrative share exists by default on nearly all Windows systems.
Research performed by The Tech Herald on four known samples infected a small network in seconds. On one system, the fake AV software XP-AntiVirus was installed. On each system, access rights to all accounts were removed, leading to complete loss of control over the system. In a matter of minutes, four computers in the lab environment were rendered useless.
BitDefender told The Tech Herald the Worm calls certain APIs to defeat emulation. They are math functions from a library that ships with Windows and are rarely used by day-to-day programs, so an antivirus emulator may not implement them correctly; one example is a trigonometric function.
Conficker determines the infected host's IP address from sources such as http://checkip.dyndns.org. It then starts a small HTTP server on the infected host and attempts to infect other computers on the subnet, which download the Worm from that server rather than from a central location.
Conficker enumerates the systems on the network with NetServerEnum and then tries a rather impressive list of common passwords against each of them in an attempt to gain legitimate remote access, simply following the chain of mapped drives and local IP addresses.
If the active user account on the infected system does not have administrator rights on the remote system, the Worm uses NetUserEnum to obtain the list of accounts on that system and runs the same password list against each of them.
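The NetServerEnum/NetUserEnum password guessing described above leaves a trail of failed-logon events on every target it touches. As an added example (not part of the original article), the Python below runs detection logic over a few constructed Security-log records exported as CSV and flags a source that racks up many failures, or cycles through several different accounts, inside a one-minute window. The event IDs are real (529 failed and 528 successful logon on Windows 2000/XP/2003, 4625 failed logon on Vista and later); the records, hosts and thresholds are made up.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not real logs): Security-log records exported as
#   timestamp, event ID, target account, source address
# 529 = failed logon and 528 = successful logon on Windows 2000/XP/2003;
# 4625 is the failed-logon ID on Vista and later.
SAMPLE_EVENTS = """\
2009-02-25T10:00:01,529,Administrator,192.168.1.23
2009-02-25T10:00:02,529,Administrator,192.168.1.23
2009-02-25T10:00:03,529,Administrator,192.168.1.23
2009-02-25T10:00:04,529,Administrator,192.168.1.23
2009-02-25T10:00:05,529,admin,192.168.1.23
2009-02-25T10:00:06,529,admin,192.168.1.23
2009-02-25T10:00:07,529,backup,192.168.1.23
2009-02-25T10:00:08,529,backup,192.168.1.23
2009-02-25T10:00:09,529,jsmith,192.168.1.23
2009-02-25T10:00:10,529,jsmith,192.168.1.23
2009-02-25T10:05:00,529,jsmith,192.168.1.50
2009-02-25T10:05:15,528,jsmith,192.168.1.50
"""

FAILED_LOGON_IDS = {529, 4625}
WINDOW = timedelta(seconds=60)
MAX_FAILURES = 10   # failures from one source inside WINDOW (tune to your environment)
MAX_ACCOUNTS = 3    # distinct accounts tried from one source inside WINDOW


def parse_events(text):
    """Turn the CSV export into (timestamp, event_id, account, source) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split(",")
        events.append((datetime.fromisoformat(ts), int(event_id), account, source))
    return sorted(events, key=lambda e: e[0])


def detect_password_guessing(text, window=WINDOW, max_failures=MAX_FAILURES,
                             max_accounts=MAX_ACCOUNTS):
    """Sliding-window count of failed logons per source address.

    A source is reported once, with the window that first crossed a threshold:
    too many failures (one account hammered with a wordlist) or too many distinct
    accounts (the NetUserEnum-then-spray pattern).
    """
    recent = defaultdict(deque)   # source -> (timestamp, account) pairs inside the window
    alerts = {}
    for ts, event_id, account, source in parse_events(text):
        if event_id not in FAILED_LOGON_IDS or source in alerts:
            continue
        queue = recent[source]
        queue.append((ts, account))
        while ts - queue[0][0] > window:
            queue.popleft()
        accounts = {acct for _, acct in queue}
        if len(queue) >= max_failures or len(accounts) >= max_accounts:
            alerts[source] = {
                "first_failure": queue[0][0].isoformat(),
                "failures": len(queue),
                "accounts": sorted(accounts),
            }
    return alerts


if __name__ == "__main__":
    for source, info in detect_password_guessing(SAMPLE_EVENTS).items():
        print(f"{source}: {info['failures']} failures against {info['accounts']} "
              f"starting {info['first_failure']}")
```

The single user at 192.168.1.50 who mistypes a password once and then logs on is not reported; the distinct-accounts threshold is what catches a worm early, before it has burned through its whole wordlist on the first account.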
Completely self-contained, the Worm uses Google, Yahoo, Ask, and other search engines to check the date. Once it has the date, it generates a list of domains and uses them to download more Malware or to update itself.
"The Worm generates the domains it looks for updates based on the current date. It first connects to a site to learn the current date and generates domain names based on an algorithm that takes into account the current date," BitDefender explained.
For example, the following are domains created by Conficker:
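Conficker's real domains are not listed here. As an added illustration (not the Worm's own algorithm), the Python below shows the mechanism BitDefender describes: a date-seeded generator that every infected host can run to arrive at the same candidate domains for the day, and the defender's mirror image, precomputing those domains ahead of time so they can be blocked or sinkholed before the Worm asks for them. The seed, hash, name lengths and TLD list are arbitrary choices for this example.

```python
import hashlib
from datetime import date, timedelta

# Arbitrary parameters for this illustration; Conficker's real seed, hash,
# name lengths and TLD list are not reproduced here.
SEED = b"example-dga-seed"
TLDS = ["com", "net", "org", "info", "biz"]
DOMAINS_PER_DAY = 250


def _as_date(day):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return day if isinstance(day, date) else date.fromisoformat(day)


def dga(day, count=DOMAINS_PER_DAY, seed=SEED):
    """Derive `count` candidate rendezvous domains from a calendar date.

    Every copy of the malware that learns today's date computes the same list,
    so its operator only has to register one of them to reach all infections.
    """
    day = _as_date(day)
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        length = 5 + digest[0] % 6                                  # 5..10 letters
        name = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{name}.{TLDS[digest[11] % len(TLDS)]}")
    return domains


def precompute_blocklist(start, days):
    """Defender's view: with the algorithm in hand, enumerate every domain for a
    range of dates in advance so they can be blocked or sinkholed."""
    start = _as_date(start)
    return {(start + timedelta(days=n)).isoformat(): dga(start + timedelta(days=n))
            for n in range(days)}


def is_dga_domain(domain, day, slack_days=1):
    """Check a looked-up domain against the lists for `day` and its neighbours,
    allowing for clock skew between the infected host and the monitoring point."""
    day = _as_date(day)
    return any(domain in dga(day + timedelta(days=offset))
               for offset in range(-slack_days, slack_days + 1))


if __name__ == "__main__":
    print(dga("2009-02-26")[:5])
    print(len(precompute_blocklist("2009-02-26", 7)), "days precomputed")
```

Feeding DNS query logs through `is_dga_domain` is the detection side of the same idea: a host that resolves names from today's list is almost certainly infected, whether or not the lookup succeeds.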
Another aspect of the Worm is a built-in filtering process.
There is a whole list of terms such as CERT, SANS, Microsoft, AVG, Bit9, Windows Update and others; if one of them appears in the name of a running process or in an Internet domain, the Worm blocks the user's access to it.
Essentially, if an application or domain relates to Malware removal, security, or patching in any way, you will not be able to reach it.
Some tools have been designed to help remove the infection, but current success rates are mixed at best. Complete information and two removal tools can be found here.
Considering the methods of infection, there are a few tricks you can perform to prevent becoming one of the millions of users who have a system completely owned by the Conficker Worm.
The first is to protect your system with the official Microsoft patch before you are infected. Most of the trouble you are reading about in the media focuses on business networks.
Home-based users can run Windows Update and apply all patches that are missing. In the future, because this will not be the last we're likely to see of these types of Worms, make sure that Windows Update is set to automatically download and install whenever updates are issued.
Next, you need to disable AutoRun. There are two separate sets of steps to take depending on which operating system you're using.
Windows XP, 2000, 2003:
Click START then RUN
Type GPEDIT.MSC into the OPEN box and click OK
Under Computer Configuration, click Administrative Templates, and then System
Right click on Turn off Autoplay (Disable Autoplay on Win 2000) and select Properties
Click Enabled, and then in the dropdown select All Drives. Click OK and close the GP Editor
The comment below raises an important issue.
“I found no selection for 'System' and therefore could not progress with disabling AutoRun. Why? And how can I correct? Thank you for your help. Steve”
What do you do when System is missing?
The video explains the extra steps that are needed. In addition to covering what to do if System is missing, the video walks through the entire process for disabling AutoRun on Windows XP.
Windows Vista:
Click START, type GPEDIT.MSC in the search box and hit enter
Note: You might need to enter your administrator password at this point
Under Computer Configuration, expand both Administrative Templates and Windows Components, and then click Autoplay Policies
Double click Turn off Autoplay
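The Group Policy steps above end up writing a registry value. As an added example (not from the article or from Microsoft), this Python audit reads the two values that matter under HKLM and explains what they mean. The registry path, the NoDriveTypeAutoRun bitmask and the HonorAutoRunSetting marker come from the KB articles referred to in the update section (KB953252 and KB967715); the audit logic and its messages are mine. `read_policy_values_windows` needs Windows; `audit_autorun` is pure and can be exercised anywhere with a dictionary of values.

```python
# Registry path and value names as documented by Microsoft in KB953252/KB967715.
POLICY_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# Drive-type bits of NoDriveTypeAutoRun: a set bit disables AutoRun for that type.
DRIVE_BITS = {
    0x01: "unknown",
    0x04: "removable",
    0x08: "fixed",
    0x10: "network",
    0x20: "CD-ROM",
    0x40: "RAM disk",
    0x80: "unrecognised",
}
ALL_DRIVES = 0xFF   # the value the 'All Drives' Group Policy option writes


def read_policy_values_windows():
    """Read the two policy values from HKLM. Windows only (uses winreg)."""
    import winreg  # assumption: running on a Windows host
    values = {}
    for name in ("NoDriveTypeAutoRun", "HonorAutoRunSetting"):
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, POLICY_KEY) as key:
                values[name], _ = winreg.QueryValueEx(key, name)
        except OSError:
            values[name] = None      # key or value absent
    return values


def audit_autorun(values):
    """Interpret {'NoDriveTypeAutoRun': int|None, 'HonorAutoRunSetting': int|None}.

    Returns (fully_disabled, problems). AutoRun is only considered off when every
    drive-type bit is set AND the KB967715 marker is present, because before that
    update Windows could still act on autorun.inf despite the policy.
    """
    problems = []
    mask = values.get("NoDriveTypeAutoRun")
    if mask is None:
        problems.append("NoDriveTypeAutoRun is not set; AutoRun follows Windows defaults")
    else:
        still_on = [label for bit, label in DRIVE_BITS.items() if not mask & bit]
        if still_on:
            problems.append("AutoRun still enabled for drive types: " + ", ".join(still_on))
    if values.get("HonorAutoRunSetting") != 1:
        problems.append("HonorAutoRunSetting is missing; update KB967715 is not applied, "
                        "so the NoDriveTypeAutoRun policy may not be honoured")
    return (not problems, problems)


if __name__ == "__main__":
    ok, problems = audit_autorun(read_policy_values_windows())
    print("AutoRun fully disabled" if ok else "\n".join(problems))
```

A parallel NoDriveTypeAutoRun value can also exist under HKEY_CURRENT_USER; the audit above only looks at the machine-wide policy the Group Policy editor sets.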
Finally, the most important defence against Conficker's spread across a network is a strong password. A password that is easy to guess, appears in a dictionary of any language, or is shorter than eight characters is not recommended.
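The password advice above, together with the dictionary attack described under the third infection method, can be turned into a check. Added here as an example (not from the article, and using a small constructed wordlist rather than Conficker's actual list), this Python audit normalizes each password the way a guessing tool mutates its wordlist, stripping trailing digits and symbols and undoing common character substitutions, before comparing it with the list, so that 'P@ssw0rd123' is recognised as 'password'. The account list is constructed.

```python
import re

# Constructed stand-in for the common-password list the Worm carries;
# the real list is not reproduced here.
COMMON_PASSWORDS = {
    "password", "admin", "administrator", "letmein", "welcome", "qwerty",
    "secret", "test", "changeme", "backup", "server", "login",
}
# Undo the usual substitutions an attacker's wordlist mutator would try.
LEET = str.maketrans("@$0!31", "asoiel")
MIN_LENGTH = 8


def normalize(password):
    """Reduce a password to the dictionary word an attacker would derive it from:
    lower-case it, drop a trailing run of digits/symbols ('password123'), undo leet."""
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET)


def weak_password_reasons(password, wordlist=COMMON_PASSWORDS, min_length=MIN_LENGTH):
    """Return the reasons a password would fall to the guessing described above ([] if none)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    core = normalize(password)
    if core in wordlist:
        reasons.append(f"reduces to '{core}', which is on the common-password list")
    if core and core == core[0] * len(core):
        reasons.append("single repeated character")
    classes = sum(bool(re.search(pattern, password))
                  for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        reasons.append("fewer than three character classes")
    return reasons


def audit_accounts(accounts):
    """accounts: {username: password}. Returns {username: reasons} for the weak ones."""
    findings = {}
    for user, password in accounts.items():
        reasons = weak_password_reasons(password)
        if normalize(password) == user.lower():
            reasons.append("password is the username")
        if reasons:
            findings[user] = reasons
    return findings


if __name__ == "__main__":
    # Constructed sample accounts.
    sample = {"Administrator": "P@ssw0rd123", "backup": "backup", "jsmith": "Tr0ub4dor&3x!Qv"}
    for user, reasons in audit_accounts(sample).items():
        print(user, "->", "; ".join(reasons))
```

Run it against the local accounts that can reach ADMIN$ on each machine; an account that survives the normalization step is the one the Worm's list will not open.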
Adding to the steps above, business users have other layers of defense at their disposal. Under Server Service Vulnerability in the MS08-067 Security Bulletin, read up on the workarounds Microsoft has provided.
There is also a granular level of control for AutoRun, which is explained here.
There is another variant of Conficker as well. Called Conficker B++, you can learn more here.