Conficker

Estimates of the number of infected computers were difficult because the virus changed its propagation and update strategy from version to version. In January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011. By mid-2015, the total number of infections had dropped to about 400,000, and it was estimated to be 500,000 in 2019. == History ==

Name The origin of the name Conficker is thought to be a combination of the English term "configure" and the German expletive Ficker (engl. fucker). Microsoft analyst Joshua Phillips gives an alternative interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz (with the letter k, not found in the domain name, added as in "trafficker", to avoid a "soft" c sound) which was used by early versions of Conficker to download updates. Discovery The first variant of Conficker, discovered in early November 2008, propagated through the Internet by exploiting a vulnerability in a network service (MS08-067) on Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2 Beta. While Windows 7 may have been affected by this vulnerability, the Windows 7 Beta was not publicly available until January 2009. Although Microsoft released an emergency out-of-band patch on October 23, 2008, to close the vulnerability, a large number of Windows PCs (estimated at 30%) remained unpatched as late as January 2009. A second variant of the virus, discovered in December 2008, added the ability to propagate over LANs through removable media and network shares. Researchers believe that these were decisive factors in allowing the virus to propagate quickly. Impact in Europe Intramar, the French Navy computer network, was infected with Conficker on 15 January 2009. The network was subsequently quarantined, forcing aircraft at several airbases to be grounded because their flight plans could not be downloaded. The United Kingdom Ministry of Defence reported that some of its major systems and desktops were infected. The virus had spread across administrative offices, NavyStar/N* desktops aboard various Royal Navy warships and Royal Navy submarines, and hospitals across the city of Sheffield reported infection of over 800 computers. On 2 February 2009, the Bundeswehr, the unified armed forces of Germany, reported that about one hundred of its computers were infected. An infection of Manchester City Council's IT system caused an estimated £1.5m worth of disruption in February 2009. The use of USB flash drives was banned, as this was believed to be the vector for the initial infection. A memo from the Director of the UK Parliamentary ICT service informed the users of the House of Commons on 24 March 2009 that it had been infected with the virus. The memo, which was subsequently leaked, called for users to avoid connecting any unauthorised equipment to the network. In January 2010, the Greater Manchester Police computer network was infected, leading to its disconnection for three days from the Police National Computer as a precautionary measure; during that time, officers had to ask other forces to run routine checks on vehicles and people. == Operation ==

Although almost all of the advanced malware techniques used by Conficker have seen past use or are well known to researchers, the virus's combined use of so many has made it unusually difficult to eradicate. The virus's unknown authors are also believed to be tracking anti-malware efforts from network operators and law enforcement and have regularly released new variants to close the virus's own vulnerabilities. Five variants of the Conficker virus are known and have been dubbed Conficker A, B, C, D and E. They were discovered 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009, respectively. The Conficker Working Group uses namings of A, B, B++, C, and E for the same variants respectively. This means that (CWG) B++ is equivalent to (MSFT) C and (CWG) C is equivalent to (MSFT) D. Initial infection • Variants A, B, C and E exploit a vulnerability in the Server Service on Windows computers, in which an already-infected source computer uses a specially-crafted RPC request to force a buffer overflow and execute shellcode on the target computer. On the source computer, the virus runs an HTTP server on a port between 1024 and 10000; the target shellcode connects back to this HTTP server to download a copy of the virus in DLL form, which it then attaches to svchost.exe. • Variants B and C place a copy of their DLL form in the recycle.bin of any attached removable media (such as USB flash drives), from which they can then infect new hosts through the Windows AutoRun mechanism Variant D counters this by generating daily a pool of 50,000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8–11 to 4–9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until April 1, 2009) • Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network. Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated. An in-memory patch is also applied to the system resolver DLL to block lookups of hostnames related to antivirus software vendors and the Windows Update service. • Waledac, a spambot otherwise known to propagate through e-mail attachments. Waledac operates similarly to the 2008 Storm worm and is believed to be written by the same authors. • SpyProtect 2009, a scareware rogue antivirus product. == Symptoms ==

Symptoms of a Conficker infection include: • Account lockout policies being reset automatically. • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Windows Error Reporting disabled. • Domain controllers responding slowly to client requests. • Congestion on local area networks (ARP flood as consequence of network scan). • Web sites related to antivirus software or the Windows Update service becoming inaccessible. • User accounts locked out. == Response ==

On 12 February 2009, Microsoft announced the formation of an industry group to collaboratively counter Conficker. The group, which has since been informally dubbed the Conficker Cabal, includes Microsoft, Afilias, ICANN, Neustar, Verisign, China Internet Network Information Center, Public Internet Registry, Global Domains International, M1D Global, America Online, Symantec, F-Secure, ISC, researchers from Georgia Tech, The Shadowserver Foundation, Arbor Networks, and Support Intelligence. From Microsoft On 13 February 2009, Microsoft offered a $USD250,000 reward for information leading to the arrest and conviction of the individuals behind the creation and/or distribution of Conficker. From registries ICANN has sought preemptive barring of domain transfers and registrations from all TLD registries affected by the virus's domain generator. Those which have taken action include: • On 13 March 2009, NIC Chile, the .cl ccTLD registry, blocked all the domain names informed by the Conficker Working Group and reviewed a hundred already registered from the worm list. • On 24 March 2009, CIRA, the Canadian Internet Registration Authority, locked all previously unregistered .ca domain names expected to be generated by the virus over the next 12 months. • On 27 March 2009, NIC-Panama, the .pa ccTLD registry, blocked all the domain names informed by the Conficker Working Group. • On 30 March 2009, SWITCH, the Swiss ccTLD registry, announced it was "taking action to protect internet addresses with the endings .ch and .li from the Conficker computer worm." • On 31 March 2009, NASK, the Polish ccTLD registry, locked over 7,000 .pl domains expected to be generated by the virus over the following five weeks. NASK has also warned that worm traffic may unintentionally inflict a DDoS attack to legitimate domains which happen to be in the generated set. • On 2 April 2009, Island Networks, the ccTLD registry for Guernsey and Jersey, confirmed after investigations and liaison with the IANA that no .gg or .je names were in the set of names generated by the virus. By mid-April 2009 all domain names generated by Conficker A had been successfully locked or preemptively registered, rendering its update mechanism ineffective. ==Origin==

Working group members stated at the 2009 Black Hat Briefings that Ukraine is the probable origin of the virus, but declined to reveal further technical discoveries about the virus's internals to avoid tipping off its authors. An initial variant of Conficker did not infect systems with Ukrainian IP addresses or with Ukrainian keyboard layouts. In 2011, working with the FBI, Ukrainian police arrested three Ukrainians in relation to Conficker, but there are no records of them being prosecuted or convicted. A Swede, Mikael Sallnert, was sentenced to 48 months in prison in the U.S. after a guilty plea. == Removal and detection ==

Due to the lock of the virus files against deletion as long as the system is running, the manual or automatic removal itself has to be performed during boot process or with an external system installed. Deleting any existing backup copy is a crucial step. Microsoft released a removal guide for the virus, and recommended using the current release of its Windows Malicious Software Removal Tool to remove the virus, then applying the patch to prevent re-infection. Newer versions of Windows are immune to Conficker. Signature updates for a number of network scanning applications are now available. It can also be detected in passive mode by sniffing broadcast domains for repeating ARP requests. US CERT The United States Computer Emergency Readiness Team (US-CERT) recommends disabling AutoRun to prevent Variant B of the virus from spreading through removable media. Prior to the release of Microsoft knowledgebase article KB967715, US-CERT described Microsoft's guidelines on disabling Autorun as being "not fully effective" and provided a workaround for disabling it more effectively. US-CERT has also made a network-based tool for detecting Conficker-infected hosts available to federal and state agencies. == See also ==