Conficker, the perfect storm worm
The Conficker worm, also known as Downup, Downadup or Kido, is floating around since October 2008. Security firms know it pretty well, and in the past days the malware has become known as much well to users too having infected a significant amount of machines all over the world. We have returned to the “good” old times of Sasser, Blaster and Mydoom outbreaks, and the already worrisome proliferation of the worm threatens to get even worse because of some conditions that increasingly support its spreading.
As I have previously highlighted, Conficker first of all exploits a bug in the Windows Server service, probing LAN networks and casual targets on the Internet in search for unprotected machines. Once identified the next victim the worm makes use of the bug to execute code remotely, copying itself on the client and inevitably gaining control over the system. The Microsoft security bulletin containing the fix for the bug is available since October 23, 2008, but notwithstanding this the malware spreading hasn’t done anything but growing reaching the levels of a true outbreak less than three months after the flaw disclosure.
According to the last evaluations from F-Secure, rated as “conservative” by the Finnish security firm, in four days Conficker/Downup has succeeded, through its variants, to go from 2.4 millions to 8.9 millions infected machines. The situation is “getting worse” the F-Secure blog says, as the worm has learned new tricks like the one of exploiting the Autorun and Autoplay Windows features to spread through network and removable drives, an expedient that coupled with a bite of social engineering doesn’t leave untouched even the upcoming Windows 7, currently available in beta version.
The Conficker outbreak is what can be defined as a perfect storm, because aside from being able to exploit a manifold number of vectors the infection takes advantage of a series of situations, coincidences and steady habits that enormously increase its proliferation capability and, accordingly, its destructive potential. The third infection mechanism exploited by Conficker is to get the user accounts list of all the machines connected in a network, using a simple yet surprisingly effective brute-force attack based on a dictionary with a hundred words to “guess” the access password.
If the attack is successful, the worm deploys a copy of itself in the System32 folder of the involved account, simultaneously creating a scheduled job to make sure to execute the code on the targeted machine. In this case Conficker profits by the wicked, atavic habit of users and administrators to use mean passwords, very simple to recall (“root”, “123456”, “admin” and so on) yet as much simple to bypass for a malicious code.
So the poor security policies are one of the triggering elements of the perfect storm that feeds the Conficker outbreak, an element heavily blamed by the security enterprise Trend Micro that together with many others ha given and continues to give full coverage to the problem. And here we aren’t only talking about useless passwords but also about the guilty delay in deploying the MS08-067 fix released by Microsoft, despite the news about working exploits had started to spread almost immediately. Once gained control of a system, in that regard, the worm itself closes the hole to cut off the eventual competition from other malicious codes.
And if the inability to protect network accounts isn’t a chance, the update Microsoft released on October 20, 2008 for its anti-copy technology Windows Geniune Advantage (WGA) was surely less predictable, a new version designed to complicate the “pirates” life but that has incidentally brought many users of the most piracy-affected countries to disable the operating system automatic updates. At least this is the assumption made by Symantec, that in one of its articles devoted to investigate specific aspects of Conficker/Downadup compares the nations with the biggest piracy rates and those most affected by the infection discovering highly suspicious similarities.
In this case Microsoft’s business policy has rebounded on the company, further concurring to the worm proliferation with no practical results, what’s more, over those users accustomed to use copied software. In the Conficker vicissitude Microsoft seems to be guilty for more than once, and the US-CERT is right in underlining the release of improper information about disabling the AutoRun feature exploited by the malware. “Now we have learned that the information from the source is not complete“, stated Andrew Storms from nCircle Network Security.
The perfect storm isn’t in any case solely based on chances, carelessness and incompetence of the companies IT staff. At the heart of Conficker outbreak there’s much more, there is a worm professionally designed by people aware of what they were doing, that has eventually been able to improve correcting the early deficiencies and anticipating the moves of security firms analysts like so those of competitors in the huge business of cyber-crime.
Conficker creates a seemingly random daily set of 250 different domain names, waiting for the authors to register one of those to connect the local malware to fresh binary code remotely available with which to update the infection, and preventing the possibility for any other to exploit the feature by injecting elements of a different malware family.
One of the largest botnet ever is even capable of exhibiting a distribution mechanism based on a Peer-to-Peer principle with no mandatory need to have necessarily to pass through the above said web domains to update itself. The analysts know how Conficker works, the only thing that’s still unknown is the purpose, the real aim the worm has been created for. The perfect storm is waiting to fall on its victims.
- Conficker, it’s open war between the industry and malware writers
- W32.Changeup, the eMule-aided worm
- Conficker worm asks for instructions and gets an update
- The 5 all-time worst malware according to Trend Micro
- 22,000 new malware samples per day, a network worm breakout and the sandbox-enabled antivirus