FAQ

Introduction

This page lists questions and answers intended to help end users, and those working on remediation, gain better clarity into the problems being faced.

Q: What will happen on April 1, 2009? Based on our collective technical analysis, we’ve determined that systems infected with the latest version of Conficker will begin to use a new algorithm to determine what domains to contact. We have not identified any other actions scheduled to take place on April 1, 2009.

Q: Will an updated version of Conficker go out to already-infected systems on April 1? It is possible that systems with the latest version of Conficker will be updated with a newer version of Conficker on April 1 by contacting domains on the new domain list. However, these systems could be updated on any date before or after April 1 as well using the “peer-to-peer” updating channel in the latest version of Conficker.

Q: Should the general public be alarmed? Why or why not? No, the general public should not be alarmed. Most home users have been protected by Microsoft Security Update MS08-067 being applied automatically.

Q: What should people who are worried about April 1 and Conficker do? We recommend that home users who have not yet enabled automatic updates do so and ensure their security software is up to date with the latest signatures.

We recommend that enterprises continue to focus on the guidance from experts in industry, academia and governments worldwide and continue to deploy the security update MS08-067, ensure their security software has the latest signatures, clean any systems that are infected with any version of Conficker using the tools and guidance we’ve provided, and evaluate additional security best practices in accordance with their organization’s policies and procedures.

Latest version of Conficker (Conficker.D, Conficker.C or Downadup.C)

Q: How were infected systems upgraded to the latest version of Conficker (Conficker.D, Conficker.C or Downadup.C)? Unlike prior versions of Conficker (Conficker.A, Conficker.B, Conficker.C/Conficker.B++), systems infected with the latest version of Conficker (Conficker.D, Conficker.C or Downadup.C) are not infected by being attacked by other systems infected by Conficker. Systems with the latest version of Conficker (Conficker.D, Conficker.C or Downadup.C) were previously attacked and infected with Conficker.B. These already-compromised systems were then “upgraded” to the latest version of Conficker (Conficker.D, Conficker.C or Downadup.C).

Q: How were Conficker.B systems upgraded to the latest version of Conficker? Some systems infected with Conficker.B were able to access for a brief period of time a small number of domains that the Conficker Working Group was unable to bring under its control. The Conficker malware on these systems was “upgraded” to the latest version, Conficker.D (also known in the industry as Conficker.C or Downadup.C).

Q: How many Conficker.B systems have been upgraded to the latest version of Conficker (Conficker.D, Conficker.C or Downadup.C)? While we do not know conclusively, we believe only a minority of Conficker.B systems were upgraded to the latest version of Conficker (Conficker.D, Conficker.C or Downadup.C), based on the limited time window during which the small number of domains not under the Working Group’s control were available.

Q: If some of the Conficker.B systems were upgraded, doesn’t that mean that the Working Group’s effort has failed? No, the working group has been focused on finding ways to disrupt Conficker activity as much as possible. The fact that most systems infected with Conficker.B have not been upgraded to the latest version of Conficker (Conficker.D, Conficker.C or Downadup.C) shows that we have been successful in those goals.

Q: How is the domain generation algorithm in the latest version of Conficker different from that in earlier versions? The domain generation algorithm in the latest version of Conficker generates a much larger pool of candidate domains than earlier versions. Specifically, it generates 50,000 possible domains and will attempt to contact 500 of these within a 24-hour period.
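The following is an added example, not code from the Conficker Working Group or from Conficker itself: a defender-side model of the daily domain list using the figures above (50,000 candidates per day, 500 contacted) and the earlier scheme (250 candidates, all contacted). It estimates how many candidates must be sinkholed or pre-registered before an infected host is likely to touch a controlled domain. It assumes the 500 are chosen uniformly at random from the 50,000, which is a modelling assumption rather than a description of the worm's actual selection.

```python
"""Coverage model for a daily domain list (added example, not the FAQ's own).

hit_probability() gives the chance that a host contacting `sampled` domains,
drawn uniformly without replacement from `total` candidates, reaches at
least one of `controlled` domains (sinkholed or pre-registered by defenders).
The uniform-random draw is an assumption made for this model.
"""


def hit_probability(total, sampled, controlled):
    """P(at least one of the sampled domains is controlled).

    Computed as 1 - P(miss), where P(miss) is the hypergeometric chance that
    every draw lands outside the controlled set. A running product of ratios
    avoids the enormous binomial coefficients comb(50000, 500) would create.
    """
    if not 0 <= controlled <= total or not 0 <= sampled <= total:
        raise ValueError("arguments out of range")
    miss = 1.0
    for i in range(sampled):
        # Draw i: total - i candidates remain, total - controlled - i of them
        # uncontrolled. max() pins the factor at 0 once that pool is exhausted.
        miss *= max(total - controlled - i, 0) / (total - i)
    return 1.0 - miss


def controlled_needed(total, sampled, target):
    """Smallest number of controlled domains giving hit_probability >= target.

    hit_probability is monotonic in `controlled`, so a binary search suffices.
    """
    lo, hi = 0, total
    while lo < hi:
        mid = (lo + hi) // 2
        if hit_probability(total, sampled, mid) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


# Figures from the FAQ: earlier versions polled 250 domains a day (all of
# them); the latest version generates 50,000 a day and contacts 500.
OLD_SCHEME = (250, 250)
NEW_SCHEME = (50_000, 500)


def compare_schemes(target=0.99):
    """Map each scheme to the number of domains that must be controlled
    for a host to reach a controlled domain with probability >= target."""
    return {
        "250 generated / 250 contacted": controlled_needed(*OLD_SCHEME, target),
        "50,000 generated / 500 contacted": controlled_needed(*NEW_SCHEME, target),
    }


if __name__ == "__main__":
    for name, k in compare_schemes().items():
        print(f"{name}: control {k} domain(s) for a 99% chance of a sinkhole hit")
    # Observing infected hosts is cheap; denying the attacker is not. An update
    # succeeds if the host reaches even one attacker-registered domain, so
    # closing the channel outright means controlling all 50,000 candidates.
    print("P(hit) when 500 of the 50,000 are controlled:",
          round(hit_probability(*NEW_SCHEME, 500), 4))
```

The contrast is the point of the larger list: under the old scheme a single controlled domain guarantees contact, while under the new scheme several hundred must be controlled each day just to be likely to observe a host, and all 50,000 to block it.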

Q: What is the Conficker Working Group doing about this new algorithm? The Conficker working group has been working continuously to block access to domains that systems infected by Conficker attempt to contact. We are continuing this work and have expanded this effort to include those domains that will be contacted by the latest version of Conficker starting on April 1, 2009.

Q: Are there any other changes in the latest version of Conficker? The latest version of Conficker also introduces a new “peer-to-peer” updating capability. This capability could enable a system infected by the latest version of Conficker to receive a new version or new instructions by contacting another system infected by Conficker rather than by contacting a domain determined by the domain generation algorithm.

Q: When did the latest version of Conficker come out? It was first detected on March 4, 2009.

Impact of Conficker on Affected Systems

Q: What does the Conficker worm do to systems? A system that is successfully infected by the Conficker.A or Conficker.B worm will attempt to infect other systems. Additionally, a system infected with any version of the Conficker worm will attempt to contact websites using domain names generated by an algorithm within the Conficker malware. Versions of Conficker.B and later will also seek to disable several important programs related to security and update management on the system.

Q: We’ve seen some reports that this worm blocks people from receiving updates, including antivirus updates. Are you seeing this and what are you doing about it? Yes. Malware attacks often use a variety of tactics to remain on the system undetected. We continue to encourage people who feel they may be infected with the worm and are unable to access updates to visit safety.live.com and run the Windows Live OneCare safety scanner to check for and remove any malware.

Conficker Propagation

Q: How does Conficker spread? The Conficker worm family spreads in several ways. Conficker.A and Conficker.B seek to exploit a vulnerability that was addressed at the end of October 2008 with Microsoft Security Bulletin MS08-067. Conficker.B also seeks to spread by targeting weak password policies, unprotected file shares and USB devices.

The latest version of Conficker does not seek to spread itself to uninfected systems. Instead, some systems that were infected with Conficker.B were “upgraded” to the latest version of Conficker (Conficker.D, Conficker.C or Downadup.C) when they contacted a domain under the control of the malware author.

Q: Does Conficker spread through AutoRun? If so, what can I do to protect myself? Conficker.B and Conficker.C/Conficker.B++ do try to spread through the Autorun feature. No other version of Conficker seeks to use the Autorun feature.

Microsoft published guidance on how to mitigate infection attempts using Autorun, which has been a common vector manipulated by the Conficker (a.k.a. Downadup) worm. Information can be found here. Customers who have downloaded MS08-038 and have followed the guidance provided in Microsoft Knowledge Base (KB) article 953252 are protected from this vector of attack.

Q: We hear talk of an impending second phase of attacks from Conficker. What do you anticipate happening next? There may be a second phase of the threat at some point in time. However, given that situations like this have taken place many times in the past, the tremendous amount of attention this worm has received, and the monitoring by industry and law enforcement, we believe these efforts will be a deterrent to a large second wave of attacks. At the end of the day, we can’t speculate on the intentions of criminals, but what we can do is work to limit the impact of any second phase.

Q: Why does Conficker continue to spread even though Microsoft issued the update in October? There is always some percentage of customers who don’t apply an update at any given time, due to a variety of reasons. While most home users have been protected by the patch being applied automatically, once the worm gets a foothold inside an enterprise, it’s difficult to remove and this is where people are having problems.

Q: Why is Conficker using domain names? Is this a new trend? It is trying to download malware from these domains and it also uploads infection counts to these domains, but this is not a new trend.

Domain Technical Questions

Q: How will you disable domains targeted by Conficker? Microsoft is working with partners to identify and register any previously unregistered domains and thus pre-empt registration of those domains for potential criminal use. Secondly, a number of the domains are being redirected toward ‘sinkhole’ servers that are owned by trusted research partners around the world. ‘Sinkhole’ servers allow researchers to observe the worm’s activity.

Q: Are those domains that receive information from Conficker attacks, hosting malware... how is that defined? Microsoft is actively monitoring all the domains. Of the domains not registered through this collaborative effort, none are showing any malware.

Q: What is ICANN's role? Is ICANN telling registrars they have to cooperate? ICANN’s support and partnership has been enormously helpful throughout this collaboration. However, any inquiries about their specific actions and efforts within this group should be directed to ICANN, as we are not in a position to comment for them.

Q: How does this work for registrars that aren't part of this effort? Will they have their name server entries blocked? If an individual attempts to request a domain that has already been registered, they will be denied the ability to register that domain.

Q: When did Microsoft work with ICANN and security researchers to disable domains targeted by Conficker? How many were disabled? Is that an ongoing effort? Up to 500 domains a day are being disabled as part of this ongoing industry collaboration.

Q: Who is in charge of identifying the domains, contacting their owners and then the actual disabling? The overwhelming majority of these domains are not owned and thus only a small percentage need to be addressed. Microsoft is working together with its partners to address the remaining domains.

Q: What is the group doing with these domains? A large percentage of these domains are being blocked from being registered. Secondly, a number of the domains are being redirected toward ‘sinkhole’ servers that are owned by trusted research partners around the world. ‘Sinkhole’ servers allow researchers to observe the worm’s activity.

Q: Are only the “spammy” domains affected? The Conficker worm did not target one top-level domain in particular. Many common TLDs in use, including some commonly used ccTLDs, were among the domains affected. Most of the domains are just a semi-random group of characters, nothing meaningful.

Q: How can this algorithm determine if a domain is viable? All domain names are potentially valid.

Q: If registries are registering the domains listed in the worm, can’t Conficker just generate another list? A new variant of the worm would be required for this to happen.

Announcement of Working Group

Q: What did you announce? The Conficker Working Group announced on February 12, 2009 a collaborative effort with technology industry leaders and academia to implement a coordinated, global approach to combating the Conficker worm.

Q: Why are you announcing this now? Is there a new threat? As part of the normal threat mitigation process, Microsoft first gathered information about this threat, and then thoroughly analyzed the issue to determine the best course of action. After review, it was determined that Microsoft would reach out to industry partners to address this threat, effectively continuing a long standing trend of community-based defense against malware and online threats.

As many customers around the world are affected by the Conficker worm, Microsoft feels that it is imperative to protect customers by both leveraging internal expertise and partnering with industry allies to proactively prevent the use of DNS exploits in further attacks.

Q: What does this collective effort hope to accomplish? Through collaboration with ICANN and other industry members and academia, Microsoft has rallied the global security community to help keep customers protected from Conficker.

Q: What was Microsoft’s role in this process? As cyber threats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. To optimize the multiple initiatives being employed across the security industry and within academia, Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker.

Q: What other parties have been involved in this work? [To be filled in]

Q: Who led this effort? Microsoft has facilitated and led this industry collaboration, but it’s been the collective expertise and contributions that have really made this an unparalleled global security response.

Q: What is different about this collaboration? Why now? Cyber threats have rapidly evolved from disruptive worms and large scale malware to complex, stealthy attacks that can target specific classes of users. This is a unique instance where the broader security community has collectively come together to commit expertise and intelligence to defend beyond our boundaries and better help protect Internet users.

Q: How has government or law enforcement been involved in this effort? Microsoft works with law enforcement to combat cyber crime around the world, and this issue is no exception. Microsoft supports law enforcement by providing them with investigative and forensic assistance, in an effort to identify and target the cybercriminals who are preying on Internet users.

Q: How will the coordination of these parties influence action in the future? Cybercrime is a global issue that ignores boundaries and jurisdictions. It can’t be tackled by any one agency or industry working in isolation. The future requires broader public/private partnerships on a global scale with cooperation among governments, law enforcement and industry.

Q: Is this an ongoing partnership? As cyber threats have rapidly evolved, a greater level of industry coordination and new tactics for communication and threat mitigation are required. Microsoft helped unify these broad efforts to implement a community-based defense to disrupt the spread of Conficker, and is committed to working with the technology industry through collaborations and formal partnerships. Examples of these include Microsoft’s involvement with ICASI, as well as the collaborative dialogue Microsoft participated in during the DNS vulnerability in 2008.

Q: What is the goal of this Working Group? What’s the measure of success? The working group has been focused on finding and implementing ways to disrupt Conficker activity as much as possible. While eradicating Conficker through our work would be desirable, the realistic goal is to disrupt Conficker-related activity as much as possible to provide customers more time to deploy MS08-067 and clean systems infected by Conficker.

AV Reward

Q: What is the AV Reward? Microsoft has announced a US$250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker worm.

Q: Where should people go with information? Individuals with information about the Conficker worm are encouraged to contact their international law enforcement agencies. Additionally, Microsoft has implemented an Antivirus Reward Hotline, 1-425-706-1111, and an Antivirus Reward Mailbox, avreward@microsoft.com, where tips can be shared.

Q: When was the last time Microsoft announced the use of the reward program? The last time Microsoft announced a reward for information leading to an arrest and prosecution of malware was in 2004 as a result of Sasser.

Q: When was the last time Microsoft paid out a reward? How much has been paid out? Microsoft disclosed a payment of $250,000 in July 2005 in relation to Sasser.

Q: When did AV Reward start? The AV Reward program began in 2003.

F-Secure Questions and Answers

Thanks to F-Secure for the following. The original text can be found here.

Q: I heard something really bad is going to happen on the Internet on April 1st! Will it? No, not really.

Q: Seriously, the Conficker worm is going to do something bad on April 1st, right? The Conficker aka Downadup worm is going to change its operation a bit, but that's unlikely to cause anything visible on April 1st.

Q: So, what will it do on April 1st? So far, Conficker has been polling 250 different domain names every day to download and run an update program. On April 1st, the latest version of Conficker will start to poll 50,000 domains a day to do the same thing.

Q: The latest version? There are different versions out there? Yes, and the latest version is not the most common. Most of the infected machines are infected with the B variant, which became widespread in early January. With B variant, nothing happens on April 1st.

Q: I just checked, and my Windows machine is clean. Is something going to happen to me on April 1st? No.

Q: I'm running a Mac, is something going to happen to me? No.

Q: So… this means that the attackers could use this download channel to run any program on all the machines? On all the machines that are infected with the latest version of the worm, yes.

Q: But what's this peer-to-peer functionality I've heard about? The worm has some peer-to-peer functionality which means that infected computers can communicate with each other without the need for a server. This enables the worm to update itself without the need for any of the 250 or 50,000 domains.

Q: But doesn't that mean that if the bad guys wanted to run something on those machines, they don't need to wait for April 1st? Yes! Which is another reason why it's unlikely anything major will happen on April 1st.

Q: Is there going to be media hype? Oh yes. Like there always is when a widespread worm has a date trigger. Think cases like Michelangelo (1992), CIH (1999), Sobig (2003), Mydoom (2004) and Blackworm (2006).

Q: But in those cases nothing much happened even though everybody expected something to happen! Exactly.

Q: So, should I keep my PC shut down on April 1st? No. You should make sure it's clean before April 1st.

Q: Can I change the date on my machine to protect me? No. The worm does not use the system clock to check the date.

Q: I'm confused. How can you know beforehand that there will be a global virus attack on April 1st? There must be a conspiracy here! Yes, you're confused. There is not going to be a "global virus attack". The machines that are already infected might do something new on April 1st. We know this because we have reverse engineered the worm code and can see that this is what it has been programmed to do.

Q: Would the downloaded program execute with admin privileges? Yes, with local admin rights. Which is pretty bad.

Q: And they could download that program not just on April 1st but also on any day after that? Correct. So there's no reason why they wouldn't do it on, say, April 5th instead of April 1st.

Q: Ok, they could run any program. To do what? We don't know what they are planning to do, if anything. Of course, they could steal your data, send spam, do DDoS, et cetera. But we don't know.

Q: They? Who are they? Who's behind this worm? We don't know that either. But they seem to be pretty professional in what they do.

Q: Professional? Is it true that Conficker is using the MD6 hash algorithm? Yes. This was probably one of the first real-world cases where this new algorithm was used.

Q: Why can't you just infect a PC, set the clock to April 1st and see what happens? That's not the way it works. The worm connects to certain websites to get the time-of-day.

Q: Oh yeah? Then shut down the websites where it gets the time-of-day and the problem will go away! Can't. These are websites like google.com, yahoo.com and facebook.com.

Q: But surely you could spoof google.com in the lab to get a honeypot machine to connect to a download site today! Sure. And the download sites do not have anything to download, today. They might, on April 1st. Or they might not.

Q: Now I'm worried. How do I know if I'm infected? Try to surf to www.f-secure.com. If you can't reach our website you might be infected, as Downadup/Conficker blocks access to security vendors' websites. Don't tell anybody, but users who can't access f-secure.com because of this can surf to www.fsecure.com instead.

Q: Where does the name "Conficker" come from? Conficker is an anagram of sorts from trafficconverter – a website to which the first variant was connecting.

Q: Why does the worm have two names – Downadup and Conficker? It was found at about the same time by multiple security companies and therefore got multiple names. Today most companies use the name Conficker. There's further confusion about the variant letters among vendors. We're all sorry for that.

Q: How many computers are currently infected by Downadup/Conficker? About 1-2 million. How many of those are infected with the latest version? We don't have an exact count.

Q: How is the industry reacting to all this? We reacted by setting up the Conficker Working Group. Members include security vendors (including us), registrars, research units and so on.

Q: I want more technical details on the worm. Sure. Here's our description, and here's SRI's excellent writeup.

Q: When was the first variant of Downadup/Conficker discovered? It was found on November 20, 2008.

Q: More than four months ago? I want a time line on what happened when. Byron Acohido has one.

Q: Is F-Secure able to detect and block this malware? Yes.

Q: Do you have cleaning tool available? Yes, and it's free. F-Secure

Q: Are you going to follow this through? Yes. Stay tuned for updates.