Conficker.C: April Fools or maybe not

Conficker’s creators may make the first day of April a painful day for IT types if the experts who reverse engineered the new Conficker code are right. Is there anything we can do?

——————————————————————————————————————-
You may be saying, not another article about Conficker/Downadup! Still, any news about a piece of malware code that’s capable of infecting millions of computers is significant. Especially since Conficker might be finally waking up.

Why do I say that? Apparently a new and more sinister version of Conficker has just been spotted. At least I think so. There are so many different names being used to describe Conficker it’s almost impossible to tell if it’s a new variation or just another AV company deciding to get into the game by calling it something different.

Why so many different names?

I’m not sure why, every AV or anti-malware vendor seems to want to use a different name. For example, let’s look at all the different names being given to the first variation of Conficker. Microsoft calls their version Win32/Conficker.A, and was considerate enough to point out all the other known aliases:

TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Win32/Conficker.worm.62976 (AhnLab)
Trojan.Downloader.JLIW (BitDefender)
Win32/Conficker.A (CA)
Win32/Conficker.A (ESET)
Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
W32/Conficker.worm (McAfee)
W32/Conficker.E (Norman)
W32/Confick-A (Sophos)
W32.Downadup (Symantec)
Trojan.Disken.B (VirusBuster)

That’s the first version of Conficker too. I just don’t understand why naming something has to be so complicated, especially when doing so adds complexity to the problem. To keep things simple, I’ll use Conficker to mean all previous versions and Conficker.C to represent the latest variation.

Back to Conficker

This all started with a zero-day exploit for systems using Microsoft operating systems. Microsoft released an out-of band update with their security bulletin MS08-067 way back on 23 Oct 2008, but millions of people aren’t installing the patch. Needless to say, not patching has led to many of those computers becoming infected with Conficker.

To me those numbers are akin to sticker shock. Think about it, millions of computers infected in less than a six-month period. Other malware has used the same approach, so why does Conficker have such a high success rate?

It’s simple actually; Conficker’s developers have morphed the malware into new and increasingly more difficult to detect versions every time the existing variation is compromised. Investigators weren’t too worried though, because all known versions were using methods to contact command and control servers that the good guys knew about and could defeat.

How these first variants of Conficker phone home is really interesting, so I’d like to explain how it works. Each and every day, Conficker uses an algorithm to create a list of 250 seemingly random domain names. Then, via the infected computer’s Internet access, Conficker tries to contact servers advertising the domain names for that specific day to get further instructions.

A dormant Conficker

So far there’s been very little if any communications with command and control servers, hence no real activity on the part of the infected computers, other than to continue spreading. In fact, experts are engaged in an ongoing debate as to whether the infected computers should be considered an organized botnet or not.

Many feel that this inactivity is due in large part to the coordinated defensive response by the Conficker Cabal, an ad hoc partnership that includes several major players:

“Along with Microsoft, organizations involved in this collaborative effort include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.”

I don’t have enough information to make an assessment if that’s the case or not. Ironically, others believe the unusually successful infestation rate of Conficker malware has so overwhelmed the developers, they are still trying to figure out what to do. I’ll let you decide who’s right.

Conficker.C: New and improved

If I may offer my opinion, I think the coalition is getting to Conficker’s owners. Either that or Conficker’s keepers are making a preemptive strike by releasing a new variant that really ups the ante. Remember the 250 new domain names created each day; well that number increased to 50,000 per day in the new version.

That ramp up makes it virtually impossible for the Conficker Cabal to sit on every one of the domain names. Dr. Jose Nazario (an expert I often reference) from Arbor Networks (Conficker Cabal member) was quoted by the New York Times John Markoff as saying:

“It’s worth noting that these are folks who are taking this seriously and not making many mistakes. They’re going for broke.”

Added peer to peer networking

One reason Dr. Nazario feels this way is based on a new capability employed by Conficker.C, which is the ability to create peer to peer networks (P2P). That means it’s only going to take one infected PC and one command and control server with an unblocked domain name to pick up new commands. After that, according to Symantec, the command files can be shared using the P2P mechanism:

“During the process shown above, Downadup not only patches the RPC vulnerability in memory, but uses this patch to recognize incoming exploit attempts from other Downadup infected machines. The worm is able to analyze the incoming shellcode and checks if it matches its own exploit shellcode.

If the shellcode matches, information is extracted from the shellcode that allows the worm to connect back to the other infected machine. This “back connect” uses the HTTP protocol, but on a randomly selected port. The other infected machine then responds with a packet of data consisting of the payload files.”

In an ominous tone, Symantec sums it up:

“So, while we know Downadup’s method of operation, we still await its motive.”

Other improvements

Conficker.C doesn’t stop there. It initially was just considered a trojan, but experts are now also calling it a worm as well. Their reasoning is based on Conficker.C’s being able to identify antivirus software and/or malware scanners running on the infected PC along with the ability to disable the identified applications.

Some serious malware

I’m one to give credit when credit is due and the tenacity and drive of Conficker’s developers is something that should be bottled and sold. I’d better explain that comment before I get too hot from all the flaming. Hopefully the following example will point out how sophisticated this malware package is.

During September of 2008, MIT’s Dr. Ronald Rivest published a paper describing a cutting-edge encryption algorithm called MIT MD6 algorithm. Guess what? That’s right; Conficker.C is using MIT MD6 to obscure all P2P and command and control traffic. This prevents rival botmasters from taking control as well as preventing security firms from deciphering command and control traffic. Now I ask you, what encryption algorithms are your latest and greatest programs using?

What to do

As Conficker gets more sophisticated, the workable solutions to remove it start to get limited in scope. Initially, just applying the MS08-067 patch would have been sufficient. I’m afraid it’s not that simple now.

AV applications are trying their best to keep up and provide solutions that will remove the malware. That worked initially, but Conficker.C is shutting those applications down as well as Microsoft’s Windows Update. So that avenue is eliminated. I’ve not heard if MBAM and other TPV scanners were getting the same treatment, so they might be worth a try.

Officially, the only real resolution is to reformat and reload, especially since Conficker.C still resides at the application level. If the developers decide to bury the malware in the BIOS or SMM, it could get ugly.

April Fools or not

Okay, that’s Conficker.C in a nutshell. Now I’d better get to explaining what April Fool’s day has to do with this. Apparently, several experts in the Conficker cabal have reversed engineered Conficker.C’s code and determined that April 1st is when computers infected with Conficker.C are supposed to wake up and begin searching for command and control servers. Hopefully the Conficker Cabal has a plan.

It appears that the experts do not want to cry wolf just yet. Kelly Jackson Higgins of InformationWeek’s Dark Reading in the article Notorious Conficker Worm Still Alive and Infecting Unpatched PCs clearly points out that experts have varying opinions as to what’s supposed to happen on the first of April:

“It’s unlikely anything will happen on the first [of April], says Patrik Runald, chief security advisor for F-Secure, which has been following Conficker for months. Considering all the attention going on about April 1st, why would they do something that day? The group behind it could as easily do something on April 4th or April 10th.”

Kelly then presents another expert’s opinion:

“Randy Abrams, director of technical education for ESET, says there’s no way to know for sure at this point what will happen that day. It could be that it does nothing, and April 1 was a joke, diversion, or aborted plan. Or it could be the launch of a massive spam run, DDoS, or infrastructure attack. We really can’t say,”

Final thoughts

If the experts are all over the map about this, where does that leave the rest of us? My humble opinion is that the exact date doesn’t matter. What matters is if the millions of infected computers do get organized. Rock-solid encryption, P2P traffic-routing, and the fact that Conficker.C is still deploying could lead to some very frustrating times.

TechRepublic’s IT Security e-mail newsletter (delivered every Tuesday) is a great way to keep on top of security issues related to Information Technology. Please make sure to sign up.