Conficker
Conficker
Type Internet worm
Creator
Date Discovered 2008.11.20
Place of Origin Ukraine, China?
Source Language
Platform MS Windows
File Type(s) .dll
Infection Length
Reported Costs $9.1 billion

Conficker, also known as Downadup or Kido, is a worm that gained a great deal of media attention in early Spring of 2009. In late March of 2009, it was grossly hyped by the media, who said it would deliver some massively destructive payload. While that never happened, it is remarkable for the number of computers it is alleged to have infected.

Behavior

Conficker begins infecting a new system by sending code that exploits the MS08-067 vulnerability. The target computer will receive an RPC request containing exploit code that makes use of a buffer overflow vulnerability to download and execute the worm. It will be downloaded from an http server the worm created on the infecting machine as a .jpg file.

When the worm is executed, it checks if the system uses a Ukrainian keyboard, and will exit if it does not. If it finds a non-Ukrainian keyboard, it copies itself to the system folder as a randomly-named .dll file. The worm creates the service named netsvcs. It will then delete any user-created system restore points. The worm creates a registry key to which it adds its path as a value.

Conficker creates an http server on a random port of the machine. It connects to the following websites to check its own computer's IP address:

  • http://checkip.dyndns.org
  • http://getmyip.co.uk
  • http://www.getmyip.org

It will then send the IP address to a remote computer and use it to set up an HTTP server on a random port (between 1024 and 10000) of the infected computer. When the worm has successfully exploited another computer, the new target computer will download a copy from that server. Every time a new system is successfully infected, The worm increments a value stored in a registry key.
It contacts the following sites to get the current time, which it will use to choose a domain to access from a list contained in the worm:

  • http://www.w3.org
  • http://www.ask.com
  • http://www.msn.com
  • http://www.yahoo.com
  • http://www.google.com
  • http://www.baidu.com

Based on this number, it will attempt to access one or more of 250 domains to obtain updates of itself or download other files.
Conficker will patch the infected system in memory. This is done likely to make sure that another worm does not enter the system and disrupt Conficker's operations. It may block the user from visiting some antivirus websites. SecureWorks created an "eyechart" which uses images from security sites that will be blocked on an infected machine.

If the date is past 2008.12.19, it will download the file loadadv.exe from the site http;//trafficconverter.biz/4vir/antispyware/. This file was unavailable shortly after the release of the worm, but some antivirus researchers believe it may have been a rogue anti-spyware program.

Variants

The names of Conficker variants differ depending on which news source or antivirus product is being used. The first is generally agreed to be named Conficker.A, the second, Conficker.B, but the third is sometimes referred to as Conficker.B++ as well as Conficker.C. The fourth variant mat be Conficker.C or Conficker.D, as in the Wikipedia entry for the worm. Here, Conficker.C is used where it is known as Conficker.D in Wikipedia.

Conficker.B

Conficker.B and most if not all subsequent variants do not check for a Ukrainian keyboard. When it is downloaded from the HTTP server, the file may also be a .bmp, .gif or .png. It will drop a .dll file with a random name (all lowercase letters) in the folders of Internet Explorer and MovieMaker as well as the all users application data folder and temporary folder. It will also drop a .tmp file with a random name (lower and uppercase letters) in the temporary folder.
It may also spread through shared network folders. If a computer on the network is password protected, it will try to bruteforce the password. It will drop itself into the system folder of the machine as a file with 5 to 8 lower case characters and an extension that is anything other than dll. It executes this file by running rundll32.exe.

The worm can also spread through removable devices. On these devices, it will create a hidden RECYCLER folder where it will place a copy of itself and a file named autorun.inf. Some versions use a social engineering tactic that displays an Autoplay window with the option of opening the folder to view the files when the USB drive is inserted. The user will think that clicking the button will open the drive, but will actually execute the worm. The F-Secure blog reports that it was able to work on Windows 7, which was in beta testing at the time.

In addition to the sites used by the original to check the time, Conficker.B also uses these:

  • aol.com
  • cnn.com
  • ebay.com
  • myspace.com

This is the first worm to use the MD6 hash algorithm. The algorithm was later revised as an unrelated buffer overflow vulnerability was discovered. The creators likely used encryption to prevent a third party hijacker from taking control of the botnet.

Conficker.C

Conficker.C does not use the buffer overflow vulnerability to spread, instead spreading mostly as an update of the B variant. In addition to dropping the randomly named .dll file in the system folder, the worm also drops a file in the Internet Explorer, Movie Maker, Windows Media Player and Windows NT folders in the Program files folder. The files will be hidden and inaccessible to the user. It uses 50,000 domain names to update itself instead of 250, and will check 500 of these domains once per day.
A computer on the Botnet set up by the worm can act as both a client and server, able to pass code between different computers on the botnet.

This variant will disable some security processes. It will stop its own process when run under a debugger.

Conficker.E

Conficker.E communicates with servers associated with the Waledac spambot family. Waledac was suspected of having been created by the same creators of the Storm worm. The E variant is installed as an update to A, B and C. It does not infect machines that are not already infected with an earlier variant.

Effects

The worm is likely among the most hyped self-replicating programs in history. At first the media took little interest in it. Soon there came the wild reports of ridiculously high numbers of infected computers (up to 20 million reported by a few media outlets from a source who remains nameless). One of the most ridiculous figures came from the German magazine Spiegel, which claimed 50 million systems had been infected. The worm is said to have caused 9.1 billion in damage, mostly in Asia, South America and Europe.

The actual number of systems ever infected by the worm probably does not go much above 15 million. In mid January, F-Secure reported that there were 8.97 million infected systems. According to Cisco, 10 million computers were infected with 150 nations affected, including China with 3 million infections (13.7% of the Conficker population), Brazil with 1 million (10.4%), Russia with 800,000 (9.3%) and the United States with a half million (another report said the US had 35,000 infections or 2.6%). Shortly after the alleged doomsday April 1 payload (or lack of it) was released, the number of systems infected with the worm was around 3.5 million. A Vietnamese company, Bach Khoa Internetwork Security (BKIS) claimed there were 1,384,100 computers in Vietnam infected with Conficker.

In late February, Microsoft released a "non-security" patch to allow users to disable the Autorun feature. This feature was seen as a convenience, as a simple script could allow a program to run as soon as a CD, USB drive or other removable media is attached to the computer. However, the risks of such a feature are all too obvious, as it can allow many programs that the user never intended to run on his/her computer. CERT had chastised Microsoft for not providing effective instructions on disabling this feature. When Microsoft released the patch, they gave a nebulous explanation for it, but many security experts believed it was a result of the worm. Microsoft offered a US$250,000 reward for the capture of the Conficker creator as it did for Blaster, Sobig, Mydoom and Sasser.

Ironically, for all of the media hype it received, very few antivirus vendors seemed particularly interested in the worm. Few if any took notice in any way, such as raising the "threat levels" posted on their home pages.

While it may have simply been the fact that the media hyped these partucular incidents, the worm seemed to have a preference for hospital and military computers, some of them in critical areas.

As of July 2014, the worm was still active. Trend Labs reported that in the second quarter of 2014, the nearly six-year-old worm was generating 45% of the Internet's malware-related spam. It spam was also still coming from around a million unique IP addresses every day. By spring of 2016, it was still spreading, a situation which the director of UK's national Computer Emergency Response Team called "enourmously depressing". It was still accounting for one in six attacks for at least one month of that year. Conficker's longevity was compared to Sality and Zeroaccess, the former of which had been around since 2003.

The worm, which was 7 year old at the time was found on the Martel Frontline model of Police body cams that come with a GPS. It was discovered in November of 2015 during testing of the product by iPower, a network integration company, when their antivirus flagged and quarantined the offending files. Further analysis by Wireshark showed the files attempting to infect other computers and an upload to VirusTotal confirmed it to be the B variant of Conficker.

Europe and Britain

Systems belonging to Britain's House of Commons were infected by the worm. This caused the Parliamentary IT staff to ban the use of portable storage devices. Also in Britain, the worm managed to infect Defence Ministry computers as well as on some Royal Navy war ships. Hospitals in Sheffield reported that 800 computers were infected in February of 2009. Two hospitals in Scotland were also affected.

On February 12 on a Thursday, hundreds of computers of the German Bundeswehr (military) were infected. The infection occurred on Hundreds of computers in various departments of the Bundeswehr. Individual departments of the Bundeswehr had to be isolated to contain the infection. About a week later, a college in Güstrow, Mecklenburg-Vorpommern in northeastern Germany was infected with the worm.

The communications department of the French Navy was disrupted for several days on January 12. Communications were severely restricted, but it did not affect any of the navy's operations. As with countless other places affected by worms and viruses, the department briefly went back to using technology that existed before modern computers, in this case, phone and fax. According to the French Navy's Chief of Information and Public Relations, Jérôme Erulin, the worm infected the department's computers when a military employee brought in a USB drive from home. Erulin denied any negligence and said the systems had been properly patched. Since the incident, USB sticks are prohibited in the department until their contents are verified.

North America

In America, about 475 computers of Houston's judicial system were infected on February 6. Municipal courts shut down and police stopped making arrests for minor crimes such as drug posession. Arrests for violent crimes were not affected. Releasing of prisoners on bond and handling bond payments slowed. Hearings were postponed, but some offices for the paying of fines were kept open. The city paid US$25,000 to rid the offices of the worm. This was one of a few incidents in the United States, which went mostly unscathed while the worm was attacking.

Several hundred machines at many different hospitals in the US were infected with Conficker. These included devices that control heart monitors and MRI machines. They were not supposed to be connected to the Internet, but they were connected to an internal network that was connected to another network with access to the internet. Much of this equipment was provided as a part of the economic stimulus, which spent billions of dollars on modern equipment for hospitals. Regulations on the hospitals using this equipment prohibited them from modifying the equipment in any way for 90 days, which incuded removing the worm.

The Canadian government locked down the .ca domain from any unauthorised registrations. This would prevent the later variants of the worm that generate 50,000 domain names from using .ca.

Asia-Pacific

The Ministry of Health in New Zealand was infected with the worm in early January. Employees of the ministry were without internet access for a long period of time. A ministry spokesman described the worm as a "smart piece of software" and said that it was very difficult to remove.

Accidental Distribution

Conficker was accidentally distributed twice by vendors. In 2009.06.15, the Finnish ISP Elisa accidentally shipped Conficker in a Huawei Nettitikku E160 Router. In a second incident in 2011.07.29, over two years after the worm was discovered and after it was to release its devastating payload, the Germany-based retail chain Aldi accidentally sold Fission External 4-in-1 Hard Drives with the worm on them.

Name/Origin

The name of the worm is a play on the word "Configuration" and "Ficker", a German obscenity akin to the English word "Fucker". The name essentialy means "[thing that] screws around with configuration. It is just as commonly called "Downadup", but the press more commonly refers to it as Conficker.

Because the worm avoids infecting computers with a Ukrainian keyboard, it is commonly thought that this worm may come from Ukraine. In late March of 2009, a Vietnamese firm, BKIS, claimed to have found evidence that it actually originated in China. They also claimed to have found similarities between Conficker and the (at the time) nearly eight year old Nimda. The exploit that the original version of the worm uses to spread was discovered in China.

Other Facts

The vulnerability that allowed Conficker to spread had been patched for a little over a month before the worm appeared. Still, millions of computers were not updated. Well over a month after the worm came into existence, almost 1/3 of all systems had not been patched for the vulnerability that allowed the worm to spread.

Internet security researchers believe the Conficker worm has many dire implications. Aside from spam concerns, the botnet could be used for massive multi-million or -billion dollar fraud and it may even have military uses. Links to Stuxnet have been proposed, but cannot be proven. One security analyst noted that the knowledge of the creator or creators of the worm had to have remarkable knowledge in multiple areas of computing, including networking, cryptography and the Windows OS. Another at Cisco said the creators put "an insane amount of effort in engineering this".

One security writer noted that with the multiple infection vectors and how widespread the worm managed to become, it seemed the "bad old days" of epidemics like Blaster, Nimda and Sasser. An employee of patching company Shavlik Technologies said he had not seen such an advanced worm in years.

New variants of the four year old Neeris worm began to appear with modifications that were very similar to Conficker. Later variants of this worm began using Autorun to infect USB drives. There was some speculation that the Neeris creators may have been working with the Conficker creators, but this has never been confirmed.

Because of its alleged payload trigger date, Conficker was often the subject of April Fools jokes. One of those jokes involved the alleged capture of the creators of conficker in Belarus.

The original Conficker was 58,368 bytes long. The other variants were much larger, well over 100,000 bytes.

Sources

Phillip Porras, Hassen Saidi, Vinod Yegneswaran. SRI International Technical Report, An Analysis of Conficker. 2009.02.04-03.19

-. -, CONFICKER C ANALYSIS. 2009.03.08

Takayoshi Nakayama and Sean Kiernan. Symantec Security Response, W32.Downadup.

F-Secure Antivirus, Worm:W32/Downadup.A.

Fortiguard Center, W32/Conficker.B!worm.

Bojan Zdrnja. SANS Internet Storm Center, Conficker's autorun and social engineering. 2009.01.15

Computer Associates, Win32/Conficker.C. 2009.03.11-31

Microsoft Technet, Microsoft Security Bulletin MS08-067 – Critical. 2008.10.23

Elinor Mills. CNet, Internet worm exploits Windows vulnerability. 2008.11.26

John Leyden. The Register, Conficker zombie botnet drops to 3.5 million. 2009.04.03

-. -, Conficker botnet stirs to distribute update payload. 2009.04.09

-. -, Final countdown to Conficker 'activation' begins. 2009.03.26

-. -, Three in 10 Windows PCs still vulnerable to Conficker exploit. 2009.01.19

-. -, Leaked memo says Conficker pwns Parliament. 2009.03.27

-. -, Countdown to Conficker activation begins. 2009.03.23

-. -, Houston justice system laid low by Conficker worm. 2009.02.09

-. -, Scottish hospitals laid low by malware infection. 2009.03.09

-. -, Old worm learns new Conficker tricks. 2009.04.06

Dan Goodin. -, Superworm seizes 9m PCs, 'stunned' researchers say. 2009.01.16

-. -, Microsoft aims 'non-security' update at gaping security hole. 2009.02.25

Dizzy Thinks, EXCLUSIVE: UK Parliamentary network joins virus bot-net. 2009.03.26

Marco Dettweiler. Die Frankfurter Allegemeine Zeitung, Wer hat Angst vorm bösen Wurm?. 2009.03.18

Die Sueddeutsche Zeitung, "Conficker" greift Bundeswehr an. 2009.02.14

Le Figaro, Armée : un réseau informatique perturbé. 2009.02.09

Alexander Landsberg. Spiegel Online, Conficker legt deutsche Hochschule lahm. 2009.02.25

Jarrod Booker. The New Zealand Herald, Health computers take sick leave after virus hits. 2009.01.23

Neil J. Rubenking. PC Magazine, OpenDNS: 'Conficker' Barely Scratched U.S. 2009.04.02

Rob Rosenberger. Vmyths.com, Downadup.

Seth Rosenblatt. CNet, Eye chart can help diagnose Conficker 2009.04.03

Chris Keall. The National Business Review, Shock, horror: Chinese behind Conficker. 2009.03.31

Dong Ngo. CNet News, Conficker worm might originate in China. 2009.03.29

Joel Hruska. Ars Technica, Canadian .ca domain prepares united Conficker.C defense. 2009.03.25

Ellen Messmer. Network World, Conficker on April 1st: Eve of destruction or big joke?. 2009.03.31

Gregg Keizer. Techworld, Conficker.c controls 4% of all infected PCs, IBM says. 2009.04.06

Ronald L. Rivest. The MD6 hash function: A proposal to NIST for SHA-3. 2008.10.27 (PDF)

Richard Grigonis. Microsoft's $5,000,000 Reward for the Conficker Worm Creators. 2009.02.13

NPR, Talk of the Nation. 2009.03.31

Stephanie Condon. CNet News, Feds' red tape left medical devices infected with computer virus. 2009.05.02

Elinor Mills. CNet News, Conficker infected critical hospital equipment, expert says. 2009.04.23

Dancho Danchev, ZDNet, Conficker's estimated economic cost? $9.1 billion. 2009.04.23

Zack Whittaker. - , An eight-year-old virus is still infecting thousands of PCs. 17-MAY-2016

Cyber Secure Institute, Cyber Secure Institute on the Conficker Controversy. 2009.04.20

Jim Finkle. Reuters, Insight: Did Conficker help sabotage Iran program. 2011.12.02

Attrition.org, Certified Pre-0wned.

iPower Technologies, Hidden Virus Discovered in Martel Police Body Camera. 2015.11.12

Maria Manly, Maydalene Salvador. Trend Labs Blog, Jul1 DOWNAD Tops Malware Spam Source in Q2 2014. 2014.07.01

Conficker Working Group, Infection Tracking.

Unless otherwise stated, the content of this page is licensed under Creative Commons Attribution-NonCommercial-ShareAlike 3.0 License