Conficker, also known as Downup, Downadup and Kido, is a computer worm that targets the Microsoft Windows operating system and was first detected in November 2008. It uses flaws in Windows software and dictionary attacks on administrator passwords to propagate while forming a botnet, and has been unusually difficult to counter because of its combined use of many advanced malware techniques. Conficker infected millions of computers, including government, business and home computers, in over 190 countries, making it the largest known computer worm infection since Welchia in 2003.
Prevalence
Estimating the number of infected computers has been difficult because the virus changed its propagation and update strategy from version to version. As of January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Microsoft reported that the number of infected computers detected by its antimalware products remained steady at around 1.7 million from mid-2010 to mid-2011. By mid-2015, the total number of infections had dropped to about 400,000.
History
Name
The origin of the name Conficker is thought to be a combination of the English term "configure" and the German derogatory term Ficker (English: asshole). Microsoft analyst Joshua Phillips gives an alternative interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz (with the letter k, not found in the domain name, added as in "trafficker", to avoid a "soft" c sound), which was used by early versions of Conficker to download updates.
Discovery
The first variant of Conficker, discovered in early November 2008, propagated over the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008 to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as the end of January 2009. A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that this was the decisive factor in allowing the virus to spread rapidly.
Impact on Europe
Intramar, the French Navy's computer network, was infected by Conficker on January 15, 2009. The network was then quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded.
The United Kingdom's Ministry of Defence reported that some of its major systems and desktops were infected. The virus spread across administrative offices and desktops aboard various Royal Navy warships and submarines, and hospitals throughout the city of Sheffield reported more than 800 infected computers.
On February 2, 2009, the Bundeswehr, the unified German armed forces, reported that about a hundred of its computers were infected.
An infection of Manchester City Council's IT system caused an estimated 1.5 million pounds' worth of disruption in February 2009. The use of USB flash drives was banned, as this was believed to be the vector for the initial infection.
A memo from the Director of the British Parliament's ICT Service informed users of the House of Representatives on March 24, 2009 that they had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorised equipment to the network.
In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection from the Police National Computer for three days as a precaution; during that time, officers had to ask other forces to run routine checks on vehicles and people.
Operation
Although almost all of the advanced malware techniques used by Conficker have seen previous use or are well known to researchers, the virus's combined use of so many of them has made it unusually difficult to eradicate. The virus's unknown authors are also believed to be tracking anti-malware efforts by network operators and law enforcement, and have regularly released new variants to close the virus's own vulnerabilities.
Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered on November 21, 2008, December 29, 2008, February 20, 2009, March 4, 2009 and April 7, 2009, respectively. The Conficker Working Group uses the names A, B, B, C, and E for the same variants, respectively. This means that (CWG) B is equivalent to (MSFT) C and (CWG) C is equivalent to (MSFT) D.
Initial infection
- Variants A, B, C and E exploit a vulnerability in the Server service on Windows computers, in which an already-infected source computer uses a specially crafted RPC request to force a buffer overflow and execute shellcode on the target computer. On the source computer, the virus runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the virus in DLL form, which it then attaches to svchost.exe. Variants B and later may attach instead to a running services.exe or the Windows Explorer process. Attaching to a process may be detected by the application trust feature of an installed firewall.
- Variants B and C can remotely execute copies of themselves through the ADMIN$ share on computers visible over NetBIOS. If the share is password-protected, a dictionary attack is attempted, potentially generating large amounts of network traffic and tripping user account lockout policies.
- Variants B and C place a copy of their DLL form in the recycle.bin of any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism using a manipulated autorun.inf.
To start itself at system boot, the virus saves a copy of its DLL form to a random filename in the Windows system or system32 folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service.
Payload propagation
The virus has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the virus to update itself to newer variants and to install additional malware.
- Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator (PRNG) seeded with the current date, so that every copy of the virus generates the same names every day. The virus then attempts an HTTP connection to each domain name in turn, expecting a signed payload from any of them.
- Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.
- To counter the virus's use of pseudorandom domain names, the Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began, in February 2009, a coordinated barring of transfers and registrations for these domains. Variant D counters this by generating daily a pool of 50,000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them harder to detect with heuristics. This new pull mechanism (which was disabled until April 1, 2009) is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the virus's peer-to-peer network. The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial-of-service attack (DDoS) on the sites serving those domains. However, the large number of generated domains and the fact that not every domain will be contacted on a given day will probably prevent DDoS situations.
- Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
- Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.
- Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the virus is heavily obfuscated in code and not fully understood, but it has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.
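The property that made the registries' counter-measure (described under Response) possible is that a date-seeded generator produces the same list on every host, so a defender can precompute it. The model below is an added illustration, not Conficker's actual algorithm: the hashing of the date, the letter alphabet, the name lengths (8-11 characters, as for variant A) and the five-TLD list are all constructed assumptions.

```python
from __future__ import annotations
import hashlib
import random
from datetime import date

# Constructed parameters for an illustrative DGA model; NOT Conficker's real generator.
TLDS = ("com", "net", "org", "info", "biz")  # five TLDs, as variant A used
NAMES_PER_DAY = 250
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def daily_domains(day: date, count: int = NAMES_PER_DAY,
                  lengths: tuple[int, int] = (8, 11)) -> list[str]:
    """Deterministic domain list for `day`.

    The PRNG is seeded from the date alone, so every instance of the generator
    (an infected host, or a defender precomputing the list) yields the same names."""
    seed = int.from_bytes(hashlib.sha256(day.isoformat().encode()).digest()[:8], "big")
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(*lengths)))
        out.append(f"{label}.{rng.choice(TLDS)}")
    return out


def preregistration_list(start: date, days: int) -> set[str]:
    """Every name the generator will produce from `start` for `days` days:
    the set a registry could lock or register ahead of time."""
    names: set[str] = set()
    for offset in range(days):
        names.update(daily_domains(date.fromordinal(start.toordinal() + offset)))
    return names


def uncovered(day: date, blocked: set[str]) -> list[str]:
    """Names the worm would try on `day` that the block list does not cover."""
    return [d for d in daily_domains(day) if d not in blocked]
```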
Armoring
To prevent payloads from being hijacked, variant A payloads are first SHA-1-hashed and RC4-encrypted with the 512-bit hash as the key. The hash is then RSA-signed with a 1024-bit private key. The payload is unpacked and executed only if its signature verifies with a public key embedded in the virus. Variants B and later use MD6 as their hash function and increase the RSA key size to 4096 bits. Conficker B adopted MD6 mere months after it was first published; six weeks after a weakness was discovered in an early version of the algorithm and a new version was published, Conficker upgraded to the new MD6.
Self-defense
The DLL form of the virus protects itself against deletion by setting its ownership to "SYSTEM", which locks it from deletion even if the user has administrator privileges. The virus keeps a backup copy of this DLL disguised as a .jpg image in the Internet Explorer cache of the Network Service user.
Variant C of the virus resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated. An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service.
End action
Variant E of the virus was the first to use its base of infected computers for an ulterior purpose. It downloads and installs, from a web server hosted in Ukraine, two additional payloads:
- Waledac, a spambot otherwise known to propagate through e-mail attachments. Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors.
- SpyProtect 2009, a rogue antivirus product.
Symptoms
- Account lockout policies being reset automatically.
- Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting being disabled.
- Domain controllers responding slowly to client requests.
- Congestion on local area networks (ARP floods as a consequence of network scanning).
- Websites related to antivirus software or the Windows Update service becoming inaccessible.
- User accounts being locked out.
Response
On February 12, 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence.
From Microsoft
On February 13, 2009, Microsoft offered a US$250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker.
From registries
ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus's domain generator. Those that have taken action include:
- On March 13, 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names reported by the Conficker Working Group and reviewed a hundred already-registered names from the worm list.
- On March 24, 2009, CIRA, the Canadian Internet Registration Authority, locked all previously unregistered .ca domain names expected to be generated by the virus over the following 12 months.
- On March 27, 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names reported by the Conficker Working Group.
- As of March 30, 2009, SWITCH, the Swiss ccTLD registry, announced that it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm."
- As of March 31, 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the virus over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack on legitimate domains that happen to be in the generated set.
- On April 2, 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigation and liaison with IANA that no .gg or .je names were in the set of names generated by the virus.
By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective.
Origin
The origins of Conficker remain unknown. Members of the Working Group stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the virus, but declined to reveal further technical discoveries about the virus's internals to avoid tipping off its authors. An initial variant of Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts. The payload of Conficker.E was downloaded from a host in Ukraine.
Removal and detection
Because the virus locks its file against deletion while the system is running, manual or automated removal must be performed during the boot process or from an external system, with the infected installation mounted offline. Deleting the existing backup copy is a crucial step.
Microsoft has released a removal guide for the virus, and recommends using the current release of its Windows Malicious Software Removal Tool to remove the virus, then applying the patch to prevent re-infection.
Third-party software
Many third-party anti-virus software vendors have released detection updates for their products and claim to be able to remove the worm. The evolution of the malware shows some adaptation to common removal software, so it is likely that some tools may remove or at least disable some variants, while others remain active or, even worse, deliver a false positive to the removal software and become active again with the next reboot.
Automatic remote detection
On March 27, 2009, Felix Leder and Tillmann Werner of the Honeynet Project discovered that Conficker-infected hosts have a detectable signature when scanned remotely. The peer-to-peer command protocol used by variants D and E of the virus has since been partially reverse-engineered, allowing researchers to imitate the virus network's command packets and positively identify infected computers en masse.
Signature updates for a number of network scanning applications are now available, including NMap and Nessus. In addition, several commercial vendors have released dedicated scanners, namely eEye and McAfee.
It can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests.
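The passive ARP detection mentioned above, and the "ARP floods as a consequence of network scanning" symptom listed earlier, reduce to one check: a host that asks "who-has" for dozens of distinct addresses within a few seconds is sweeping the subnet. The code below is an added example, not from the original article or any named tool; the log line format and the sample traffic (a scanning host 10.0.0.7 plus two ordinary hosts) are constructed, and the thresholds are assumptions to tune per network.

```python
from __future__ import annotations
import re
from collections import defaultdict

# Constructed line format: "<seconds> arp who-has <target> tell <source>".
ARP_RE = re.compile(r"^(?P<ts>\d+\.\d+) arp who-has (?P<target>[\d.]+) tell (?P<src>[\d.]+)$")


def build_sample_log() -> str:
    """Constructed sample, not real capture data: 10.0.0.7 sweeps 10.0.0.1-60
    within two seconds, while 10.0.0.1 and 10.0.0.21 make a handful of requests."""
    lines = [f"{i * 0.03:.2f} arp who-has 10.0.0.{i} tell 10.0.0.7" for i in range(1, 61)]
    lines += ["0.50 arp who-has 10.0.0.1 tell 10.0.0.21",
              "0.90 arp who-has 10.0.0.21 tell 10.0.0.1",
              "1.40 arp who-has 10.0.0.1 tell 10.0.0.21",
              "1.70 arp who-has 10.0.0.33 tell 10.0.0.1"]
    return "\n".join(lines)


def arp_scanners(log: str, window: float = 5.0, min_targets: int = 20) -> dict[str, int]:
    """Return {source_ip: distinct_targets} for hosts that asked for at least
    `min_targets` distinct addresses inside some `window`-second span.
    A normal host resolves a few neighbours it actually talks to; a host
    sweeping the subnet asks for dozens of addresses in quick succession."""
    events: dict[str, list[tuple[float, str]]] = defaultdict(list)
    for line in log.splitlines():
        m = ARP_RE.match(line.strip())
        if not m:
            continue  # replies and unparseable lines are ignored
        events[m["src"]].append((float(m["ts"]), m["target"]))
    flagged: dict[str, int] = {}
    for src, reqs in events.items():
        reqs.sort()
        for i, (t0, _) in enumerate(reqs):  # slide the window over each start time
            targets = {tgt for ts, tgt in reqs[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged
```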
US CERT
The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media. Prior to the release of Microsoft knowledgebase article KB967715, US-CERT described Microsoft's guidelines on disabling Autorun as "not fully effective" and provided a workaround for disabling it more effectively. US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies.
See also
- Botnet
- Timeline of computer viruses and worms
- Bot herder
- Network Access Protection
- Zombie (computer science)
- Malware
External links
- Conficker Working Group
- Conficker Working Group - Lessons Learned
- Conficker's Eye Chart
- Worm: The First Digital World War by Mark Bowden (2011; ISBN 0-8021-1983-2); "The 'Worm' That Could Bring Down The Internet", author interview (audio and transcript), Fresh Air on NPR, September 27, 2011; preceded by Bowden's article "The Enemy Within" (June 2010) in The Atlantic magazine.
Source of the article: Wikipedia