Conficker worm asks for instructions and gets an update

March 16, 2009 · Filed Under News, Security 

Conficker/Downup/Downadup/Kido malware, Symantec writes in the first edition of The Downadup Codex, “is, to date, one of the most complex worms in the history of malicious code”. Initially spread through a flaw in the Windows Server service, the threat has grown immensely thanks to a combination of factors that facilitated its diffusion and drove the IT industry to unite in an attempt to block its further proliferation.

Even if the botnet remains silent, with no apparent malicious action ordered by the worm’s creators, network infrastructures are starting to suffer collateral damage from the infection: after the already reported episode of the French navy computers, at the beginning of March Sophos revealed that during this month some legitimate domains would suffer a sort of unintentional distributed denial of service (DDoS) attack caused by the worm’s remote communication feature.

Sophos found, within the daily lists of 250 pseudo-random domains generated by Conficker during the month of March, domain names owned by organizations or companies that have nothing to do with malware writing. Among these is the Texas airline Southwest Airlines, which besides the domain southwest.com also owns the “alternative” domain wnsux.com, pointing to the first address. Unfortunately for the company, that domain happens to match one of the remote servers that the millions of machines infected by Conficker are trying to contact these days, waiting for instructions or a possible code update.

The botnet hit the domain on March 13, and had the company not prepared the right countermeasures after being warned by Sophos, it would surely have faced serious problems with site access and functionality. Southwest Airlines appropriately stopped the affected domain from resolving to an IP address; the next scheduled dates for Conficker DDoS “attacks” are March 18 (qhflh.com, Women’s Net in Qinghai Province) and March 31 (praat.org, Praat: doing phonetics by computer).

Figure: Conficker Growth Over 3 Weeks

Besides the side effects of the domain name generation mechanism, according to data collected by Arbor Networks it seems that Conficker’s proliferation has reached its peak and the number of unique infected IP addresses has levelled off at about 3 million per day. The botnet is no longer growing, but this does not prevent its puppeteers from trying to manage the zombie PCs already under their control and, above all, from answering the “Conficker Cabal”, the alliance formed by Microsoft and its allies to stop the malware.

According to Symantec, unlike the earlier, alleged new variant Conficker B++, this time the authors have genuinely updated the worm, and the latest detected version, dubbed W32.Downadup.C, adds new features to the malware code and makes the threat even more dangerous and worrying than before.

The first analyses of Downadup.C show that the worm still relies on the usual mechanisms for its proliferation (namely the MS08-067 flaw, removable drives and network shares), but it has also become much more aggressive: it targets the processes of security and analysis software, removing them from memory if found on the infected machine. The answer to the Conficker Cabal has thus become concrete, with an improved algorithm for generating domain name lists that now produces around 50,000 different domains per day, spread across 116 different suffixes.
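The two defender-side tasks this post describes, a domain owner checking whether one of its names falls into a day's pseudo-random list (the wnsux.com case above) and a network operator spotting hosts that poll the daily list, can both be shown on a toy domain generation algorithm. The code below is an added example, not part of the original post and not Conficker's real algorithm: the hash-based generator, the five-suffix set, the `TOY_SEED` constant and the resolver log format are all constructed for illustration, and the sample log lines are constructed rather than captured.

```python
import hashlib
from datetime import date, timedelta

# Hypothetical suffix set (the variant described in the post draws from 116).
SUFFIXES = [".com", ".net", ".org", ".info", ".biz"]
TOY_SEED = b"toy-dga-example"   # constructed stand-in for whatever the real worm mixes in


def generate_domains(day: date, count: int) -> list[str]:
    """Toy date-seeded DGA: the same date always yields the same list.
    That determinism is what lets a defender compute tomorrow's names today."""
    names = []
    counter = 0
    while len(names) < count:
        material = TOY_SEED + day.isoformat().encode() + counter.to_bytes(4, "big")
        h = hashlib.sha256(material).digest()
        length = 5 + h[0] % 4                     # 5..8 letter labels
        label = "".join(chr(ord("a") + b % 26) for b in h[1:1 + length])
        names.append(label + SUFFIXES[h[9] % len(SUFFIXES)])
        counter += 1
    return names


def find_collisions(owned: set[str], start: date, days: int, per_day: int) -> dict[str, date]:
    """Domain-owner check: which of my names appear in the lists for a period,
    and on which day they are first hit (the kind of warning Sophos gave about wnsux.com)."""
    hits: dict[str, date] = {}
    for offset in range(days):
        day = start + timedelta(days=offset)
        for name in generate_domains(day, per_day):
            if name in owned and name not in hits:
                hits[name] = day
    return hits


def flag_polling_hosts(log_lines: list[str], day: date, per_day: int, threshold: int) -> dict[str, int]:
    """Resolver-log check: count, per client, queries for names on that day's list
    (NXDOMAIN or not) and return the clients at or above the threshold.
    Log format is a constructed one: '<timestamp> <client> <qname> <rcode>'."""
    daily = set(generate_domains(day, per_day))
    counts: dict[str, int] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue                                # skip malformed lines
        _ts, client, qname, _rcode = parts
        if qname.lower().rstrip(".") in daily:
            counts[client] = counts.get(client, 0) + 1
    return {client: n for client, n in counts.items() if n >= threshold}


def build_sample_log(day: date, per_day: int) -> list[str]:
    """Constructed resolver log: one infected host (10.0.0.7) polling five listed
    names, one clean host (10.0.0.5) that happens to resolve a single listed name."""
    daily = generate_domains(day, per_day)
    stamp = day.isoformat()
    lines = [f"{stamp}T10:00:00 10.0.0.5 www.example.com NOERROR"]
    for i, name in enumerate(daily[:5]):
        lines.append(f"{stamp}T10:00:0{i + 1} 10.0.0.7 {name} NXDOMAIN")
    lines.append(f"{stamp}T10:00:09 10.0.0.5 {daily[3]} NOERROR")
    return lines


if __name__ == "__main__":
    march13 = date(2009, 3, 13)
    # The second owned name is deliberately taken from the generated list so a collision shows up.
    owned = {"southwest.example", generate_domains(march13, 250)[42]}
    print("collisions in March:", find_collisions(owned, date(2009, 3, 1), 31, 250))
    print("hosts polling the list:", flag_polling_hosts(build_sample_log(march13, 250), march13, 250, threshold=3))
```

Raising `per_day` from 250 to 50,000 in `find_collisions` is what changes the picture for the defender: computing the list stays cheap, but pre-registering or sinkholing every name on it no longer scales, so resolver-side detection of hosts querying many listed names becomes the more practical control.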

What are the objectives of the new update? “Authors are now aiming for increasing the longevity of the existing Downadup threat on infected machines”, Symantec writes. “Instead of trying to infect further systems, they seem to be protecting currently infected Downadup machines from antivirus software and remediation”.

The number of infections does not seem to have grown further, but the appearance of Downadup.C is particularly important because, according to Symantec, it represents “the first real case” of successful communication between the malware writers and the worm, which in return receives the new binary code to update the infection. Given the rather small number of machines affected by the update, however, Symantec is currently unable to tell whether it is a limited test or the first phase of a broader strategy.


This post was featured on Slashdot on March 16, 2009, producing a daily peak of 4050 unique visitors and 5299 pageviews on the blog (source: LLOOGG).


Comments

13 Responses to “Conficker worm asks for instructions and gets an update”

  1. the one who blogs on March 16th, 2009 5:15 pm

    Maybe they should send a counter-worm to fight it. Or is it considered too dangerous? Someone could take over control of the counter-worm?

  2. Kevin on March 17th, 2009 3:40 am

    Maybe if Windows users didn’t use root all the time, this mess wouldn’t be a problem…

  3. Dustin on March 17th, 2009 4:28 am

    If only Microsoft were brave enough to create a default environment that didn’t have full administrative access, then lucrative botware markets would have a hard time surviving.

  4. Kirn Gill on March 17th, 2009 5:55 am

    Even if users ran as limited users, I am certain that the malware writers will just find a local privilege escalation exploit to get the access they need.

  5. coffee on March 17th, 2009 6:36 am

    Sometimes I wonder if it’s actually useful to publish vulnerabilities when more than half the computers that have been affected have NOT been patched yet.

  6. Angus on March 17th, 2009 6:56 am

    Theoretically malware could run without root; sending spam and DDoSes is something an ordinary user account can do.

  7. Sir Arthur, King of Ghouls'n Ghosts on March 17th, 2009 10:07 am

    Well, imho here the problem is simply the over-exposure of Microsoft OSes. Windows problems (root access from the start, plenty of ways to modify system settings, etc…) aren’t really problems, they are features.

    Hence the problem will never be solved for good. Just look at all the fuss about the modified UAC on Windows Seven….

  8. some lame guy on March 17th, 2009 12:04 pm

    If only software was not written in a lousy, lame, unsafe language that has “undefined behavior”, none of this would’ve happened! Yes, bugs would still exist, but they would be a completely different category - logical bugs. Much harder to abuse and much easier to fix! Yes, if only.

  9. Reto on March 17th, 2009 12:46 pm

    I think that such problems are rather caused by the poor basic design of the OS (lack of concept in the architecture), than by code written in a “lousy unsafe language”.

  10. Sir Arthur, King of Ghouls'n Ghosts on March 17th, 2009 12:53 pm

    I think that such problems are rather caused by the poor basic design of the OS (lack of concept in the architecture), than by code written in a “lousy unsafe language”.

    I don’t think so :-P I mean, XP has the same codebase of the NT architecture that got into Windows 2000, unanimously considered the best MS OS ever…

    The unsafe programming language, again, seems to me more of a feature than a problem (conceptually speaking): could it be possible, in 2009 or even in 2000, to force anyone to write code in ASM language? I doubt it….

  11. Jim Prendergast on March 17th, 2009 1:57 pm

    If you have a PC or terminal with secure files, mirror files to check file content against, back up only files, and wipe all applications periodically and reload new versions, wouldn’t that give some measure of security? Oh yes, clear the O.S. and install it new as well, of course. That is what I do.
    Who in their right mind would use M.S. anyway?

  12. Javier O. Augusto on March 17th, 2009 3:45 pm

    I wonder how many XP licences Microsoft sold after the Conficker worm issue…

    coincidence?

  13. caffeine head on April 1st, 2009 6:47 am

    It’s good at least that there was advance warning for the Conficker worm; I’m sure a lot of people were spared a lot of hardship because of this.

