Introduction

Common aliases: Conficker, Conflicker, Downadup, Kido.

Background and Details

What is Conficker and Why is This an Increased Threat?

Conficker is a family of malicious code that propagates by scanning for and exploiting hosts vulnerable to MS08-067. Conficker also spreads via infected USB keys using the standard Autorun feature. Later variants of Conficker can also spread and communicate via a custom peer-to-peer (P2P) network.

The Conficker family of malware contains functionality that prevents certain domain names from being resolved and that disables or terminates a variety of security-related products, including system administration programs and the Windows Update, Error Reporting and Defender services. Conficker can also manipulate System Restore points and adjust the Windows built-in firewall rule set.

What is the Conficker Working Group and Who is Involved?

The Conficker Working Group is a loose industry affiliation of organizations, including ICANN; Microsoft; registries such as CNNIC, NeuStar and Verisign; major AV firms such as Kaspersky, Symantec and F-Secure; ISPs such as AOL; security organizations such as Arbor Networks, Shadowserver, ISC, Support Intelligence and Team Cymru; and academic research organizations such as Georgia Tech, formed to coordinate an effective response to the Conficker worm. The group has worked to reverse engineer the malware, lock up as many rendezvous domain names as possible, and use HTTP sinkholes to identify infected endpoints. This data is being shared with Network Service Providers (NSPs) and Enterprises to help them contain the damage to their customers and the network. For more information see:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/02-12-2009/0004971471&EDATE=

Call to Action

The Conficker Working Group is asking all Enterprises to help remediate users whose computers have been infected by this malware. The working group has established a number of reputable feeds from which Enterprises can obtain a list of Conficker-infected computers.

We deem Conficker to be an evolutionary leap in capability, providing the malware with new criminal potential that increases the risk to organizations, their employees, customers and critical infrastructure. While these sorts of threats are not new, the evolution of technological capabilities in Conficker warrants increased Enterprise attention to proactively mitigating potential harm to their business.

Consequences of Not Acting

Enterprises that choose not to act will incur increased risk to their business and services. Malicious code has always had the capability to target an Enterprise’s infrastructure, but Conficker’s craft and architecture are radically new, increasing anxiety in the operational security community. This risk assessment is based on Conficker’s breadth of infected computers (tens of millions), the consistent evolution to keep the infections growing, and the aggressive changes in the botnet’s control over the infected computers. Not acting to remediate this threat would leave a network of compromised computers in a position to cause intentional damage, and unintentional collateral damage, to products and services within an infrastructure.

As it stands today, other than self-propagation, the Conficker family of malware has not delivered any payload to the compromised hosts within the botnet. This is not to say that its operators lack the capability to do so. As you may have already read, the people behind Conficker can push files down to every compromised host within the botnet; these files could add functionality such as DDoS or spam agents, data theft and exfiltration tools, and extortion-based programs that could encrypt certain files or wipe entire hard drives.

Highlighting the potential payloads available to the attackers is not a scare tactic by the Conficker Working Group to get your organization to take action. These are all very real possibilities that exist today and are used on a regular basis to generate illicit funds and to make political or terroristic statements.

How Information Will Be Distributed

Several trusted organizations in the Conficker Working Group will be able to provide your Enterprise with a list of IP addresses organized by BGP Autonomous System Number (ASN). These are timestamped to facilitate analysis: the timestamp lets you match the IP address of a NAT device or firewall to its logs and track dynamic address allocation (i.e. RADIUS/DHCP) to a specific customer. This approach has been used for over 5 years with a multitude of Service Providers and large networks as a means to match external observations to internal data on the customer.

The Conficker Working Group is also spearheading an effort to reach out to the ISP/NSP community to provide them with the data for the ASNs they are responsible for. This correspondence will be along the lines of matching AS Path information in BGP to the assertion that “Enterprise X is my customer.”

List of Infected Customers

Sinkhole feed formats are usually provider-specific but carry the same data. Sinkhole servers run by the Conficker Working Group are used to identify infected hosts and share the information with network operators. Each record usually contains a timestamp and a source IP; the destination IP address is usually available too. Source port information (to help with NAT or firewall logs) may be available in some feeds. The following are the Conficker data providers we are working with.

Arbor Networks, ATLAS SRF http://atlas.arbor.net/

  • Cost: Reports are free and available to authorized representatives.
  • Format: CSV, IODEF, or Atom delivered over HTTP.
  • Contact: atlas@arbor.net

Shadowserver Foundation Conficker Reports http://www.shadowserver.org

  • Cost: Reports are free and available to authorized representatives.
  • Format: CSV over email
  • Contact: admin@shadowserver.org

Team Cymru http://www.team-cymru.org/

  • Cost: Reports are free and available to authorized representatives.
  • Format: pipe-separated text delivered over HTTP with optional e-mail notifications
  • Contact: team-cymru@cymru.com

ISC Security Information Exchange (SIE) https://conficker.sie.isc.org

Support Intelligence, Inc. http://support-intelligence.com/

  • Cost: Reports are free and available to authorized representatives.
  • Format: CSV over email
  • Contact: info@support-intelligence.com
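To show how the timestamped feeds described above are turned into a list of internal machines to remediate, here is an added example; it is not code from the Conficker Working Group or from any of the providers listed. It parses two constructed feed records in the CSV and pipe-separated layouts mentioned above, matches each observation against a constructed NAT translation log by public IP, source port and timestamp, and resolves the internal address to the DHCP lease that was active at that moment. The column layouts, the NAT and DHCP line formats, the sample addresses and the five-second matching window are all assumptions made for illustration, not the format of any real provider feed.

```python
"""Attribute sinkhole reports to internal hosts by correlating them with NAT and DHCP logs."""
import csv
import io
from collections import namedtuple
from datetime import datetime, timedelta, timezone
from typing import List, Optional

# Constructed sample feed in a CSV layout. The column names are an assumption for this example;
# real provider feeds differ, so adapt the parser to the header of the feed you actually receive.
CSV_FEED = """timestamp,src_ip,src_port,dst_ip
2009-03-01T10:15:02Z,203.0.113.10,51234,198.51.100.5
2009-03-01T10:16:40Z,203.0.113.10,51300,198.51.100.5
"""

# Constructed sample feed in a pipe-separated layout (again an assumed column order).
PIPE_FEED = "2009-03-01 10:20:11|203.0.113.10|52000|198.51.100.7\n"

# Constructed NAT translation log from the perimeter firewall: inside ip:port -> public ip:port.
NAT_LOG = """2009-03-01T10:15:00Z 10.1.2.33:1033 -> 203.0.113.10:51234
2009-03-01T10:16:38Z 10.1.2.34:1025 -> 203.0.113.10:51300
2009-03-01T10:20:10Z 10.1.2.33:1040 -> 203.0.113.10:52000
"""

# Constructed DHCP lease records: (lease start, lease end, internal IP, MAC and hostname).
DHCP_LEASES = [
    ("2009-03-01T08:00:00Z", "2009-03-01T20:00:00Z", "10.1.2.33", "00:11:22:33:44:55 WKS-PAYROLL-07"),
    ("2009-03-01T09:30:00Z", "2009-03-01T21:30:00Z", "10.1.2.34", "66:77:88:99:aa:bb LAPTOP-SALES-02"),
]

# seen: when the sinkhole saw the connection; src_port is None for feeds that omit it.
Report = namedtuple("Report", "seen src_ip src_port dst_ip")
NatEntry = namedtuple("NatEntry", "when inside_ip inside_port outside_ip outside_port")


def parse_ts(text: str) -> datetime:
    """Accept 'YYYY-MM-DDTHH:MM:SSZ' or 'YYYY-MM-DD HH:MM:SS'; both are treated as UTC."""
    cleaned = text.strip().replace("T", " ").rstrip("Z")
    return datetime.strptime(cleaned, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_csv_feed(text: str) -> List[Report]:
    """Parse a header-led CSV feed; src_port and dst_ip are optional columns."""
    reports = []
    for row in csv.DictReader(io.StringIO(text)):
        port = int(row["src_port"]) if row.get("src_port") else None
        reports.append(Report(parse_ts(row["timestamp"]), row["src_ip"], port, row.get("dst_ip")))
    return reports

def parse_pipe_feed(text: str) -> List[Report]:
    """Parse a pipe-separated feed laid out as timestamp|src_ip|src_port|dst_ip."""
    reports = []
    for line in text.splitlines():
        if line.strip():
            ts, src, port, dst = line.split("|")
            reports.append(Report(parse_ts(ts), src, int(port), dst))
    return reports

def parse_nat_log(text: str) -> List[NatEntry]:
    """Parse lines of the form '<ts> <inside_ip>:<port> -> <outside_ip>:<port>'."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            ts, inside, _arrow, outside = line.split()
            in_ip, in_port = inside.rsplit(":", 1)
            out_ip, out_port = outside.rsplit(":", 1)
            entries.append(NatEntry(parse_ts(ts), in_ip, int(in_port), out_ip, int(out_port)))
    return entries

def find_inside_host(report: Report, nat: List[NatEntry],
                     window: timedelta = timedelta(seconds=5)) -> Optional[str]:
    """Match a sinkhole observation to the NAT translation with the same public IP (and source
    port, when the feed supplies one) within the time window; return the internal IP or None."""
    candidates = [e for e in nat
                  if e.outside_ip == report.src_ip
                  and (report.src_port is None or e.outside_port == report.src_port)
                  and abs(e.when - report.seen) <= window]
    if not candidates:
        return None
    # Without a port several translations may qualify; take the one closest in time.
    return min(candidates, key=lambda e: abs(e.when - report.seen)).inside_ip

def lease_owner(ip: Optional[str], when: datetime, leases) -> Optional[str]:
    """Resolve an internal IP to the DHCP lease that was active at that moment."""
    for start, end, lease_ip, owner in leases:
        if lease_ip == ip and parse_ts(start) <= when <= parse_ts(end):
            return owner
    return None

def correlate(reports: List[Report], nat: List[NatEntry], leases) -> list:
    """Return (sinkhole timestamp, internal IP, lease owner) per report, oldest first;
    unattributed reports keep None in those fields so they can be investigated by hand."""
    results = []
    for report in sorted(reports, key=lambda r: r.seen):
        inside = find_inside_host(report, nat)
        results.append((report.seen.isoformat(), inside, lease_owner(inside, report.seen, leases)))
    return results

if __name__ == "__main__":
    all_reports = parse_csv_feed(CSV_FEED) + parse_pipe_feed(PIPE_FEED)
    for row in correlate(all_reports, parse_nat_log(NAT_LOG), DHCP_LEASES):
        print(row)
```

The source port is what makes a match unambiguous. When a feed omits it, several internal hosts behind the same public address may qualify for the same timestamp, which is why the code falls back to the translation closest in time, and why a report with no matching translation at all is returned unattributed rather than guessed at.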

Additional Components for Conficker Identification

The Conficker family of malware is made up of a few variants, each performing some network activity that one may be able to leverage to assist in identifying compromised hosts. Below is a summary of such activity; a more comprehensive list can be found in the malware write-ups referenced above.

How Can My Organization Clean Up and Remediate Conficker?

A number of AV firms have made standalone remediation tools freely available for cleanup. Many of these tools’ licenses allow an organization to host the software on internal quarantine or remediation sites. A core characteristic of Conficker is its ability to block access to the official update and remediation sites, so one may need to host the tools internally or create standalone solutions that can be loaded directly onto infected computers.

Organizations also need to be aware that Conficker propagates via USB keys, so you will want to run the AV solution against any USB drives that may have come in contact with an infected computer.

The Internet Storm Center maintains a comprehensive list of Conficker remediation software:

http://www.dshield.org/diary.html?storyid=5860

A partial list is included here:

Additional Resources