Introduction

Leads: Jose Nazario (jose@arbor.net), Donald Smith (dsmith@isc.sans.org) & Barry Raveendran Greene (bgreene@juniper.net)

The proposed plan of action will be to start with NSP-SEC. We start with a E-mail update and move to a conference call if the need arises.

Some other "briefings" we're looking at:

  • ISAC briefings. Telcom ISAC Japan, IT ISAC, REN ISAC, Communications ISAC, etc.
  • Vendor Channels: Microsoft's GIAS, Cisco's ISP-SWAT, Juniper's JSOC, etc.

NSP-SEC Communications Plan

  1. E-mail to the community on Friday March 27, 2009. Jose Nazario (jose@arbor.net), Donald Smith (dsmith@isc.sans.org) & Barry Raveendran Greene (bgreene@juniper.net) will be the contacts for the community.
  2. Objective is to validate the ASN based list used for remediation. This technique is used by NSP-SEC for most of their malware remediation approaches.
  3. NSP Information Sheet is the latest PDF version of the information sheet.

Conficker Information Sheet for Network Providers (Version: 20090327-03)

Distribution: The initial audience for this document is the SP’s Operational Security Community (NSP-SEC) and the ISAC Community. You are encouraged to share document with your organizational teams and Autonomous System Peer Organizations. Be mindful that public disclosure of this document will provide the people driving Conficker and other hijacking malware with information on how your network can be put at risk.

Call to Action

The Conficker Working Group is asking all Service Providers, ISPs, and other custodians of Autonomous Systems Numbers (ASNs) to help remediate users and customers whose computer has been infected by this Hijacking Malware. The working group is providing list of Conficker infected computers.

We deem Conficker to be an evolutionary leap in capability – providing the hijacking malware with new criminal potential which increases the risk to users and critical infrastructure. While these sorts of threats are not new, the evolution of technological capabilities in Conficker warrant increased Service Provider attention proactively mitigating potential harm to their business.

Consequences of Not Acting

Service Providers who choose not to act will incur increased risk to their business and services. Hijacking Malware and BOTNETs are not new threats. There has always been the capability for a BOTNET to target the SP’s infrastructure. Conficker’s craft and architecture is radically new, increasing anxiety in the operational security community. This risk assessment is based on Conficker’s breath of infected computers (tens of millions), the consistent evolution to keep the infections growing, and the aggressive changes in the “BOTNET” control over the infected computers.1 Not acting to remediate this threat would allow a network of infected computers to be in a position to cause intentional and un-intentional (collateral damage to product and regulated SP services) damage.

How Information Will Be Distributed

Several organizations in the Conficker Working Group will be able to provide any SPs list of IP addresses organized by BGP Autonomous System Numbers (ANS). These are time stamped – to facilitated analysis to match the IP address of a NAT/Firewall to the logs and track dynamic address allocation (i.e. Radius/DHCP) to a specific customer. This approach has been used for over 5 years with a multitude of Services Providers and large networks as a means to match external observations to internal data on the customer.

These reports can be arranged to be E-mailed (pushed) or accessed via the web. Current details are listed below.

SPs that are Network Service Providers (NSPs) or have large Enterprise customers can correspond with the organizations to provide the data to get the ASN list for your directly connected customers. This correspondence will be along the lines of match AS Paths in BGP to the assertion that “Enterprise X is my customer.”

Background and Details

What is Conficker and Why is This an Increased Threat?

SRI has been providing comprehensive analysis of the Conficker hijacking malware. Current and archived analysis can be found at: http://mtc.sri.com/Conficker

The latest major variant released: “Conficker.C.2” This variant was first seen approximately March 6, 2009. Conficker has since been updated, with the miscreants behind the coding actively updating code. Some other references are listed here:

Microsoft’s Malware Protection Center Write up on Confickerhttp://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D
Computer Associate’s Write Uphttp://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976
Symantec’s Write Uphttp://www.symantec.com/en/th/enterprise/security_response/writeup.jsp?docid=2009-030614-5852-99
  • Links to analysis of older versions: http://www.dshield.org/diary.html?storyid=5860
  • Common aliases: Conficker, Conflicker, Downadup, Kido.
  • We have found millions of bots are in the wild, with nearly every ASN reporting at least some infections.

What is the Conficker Working Group and Who is Involved?

The Conficker Working Group is a loose industry affiliation between organizations such as ICANN, Microsoft, registries such as CNNIC, Neustar, and Verisign, major AV firms such as Kaspersky, Symantec, and F-Secure, ISPs such as AOL, security organizations such as Arbor Networks, Shadowserver, ISC, Support Intelligence, and academic research organizations such as Georgia Tech to coordinate an effective response to the Conficker worm. The group has worked to reverse engineer the malware, lock up as many rendezvous domain names as possible, and use HTTP sinkholes to identify infected endpoints. This data is being shared with network service providers to help them contain the damage to their customers and the network. For more information see:

http://news.prnewswire.com/DisplayReleaseContent.aspx?ACCT=104&STORY=/www/story/02-12-2009/0004971471&EDATE=

How do I get My List of Infected and Infected Customer?

Sinkhole feed formats are usually provider specific but provide the same data. Sinkhole servers run by the Conficker Working Group to identify infected hosts and share the information with network operators. Data usually contains a timestamp and a source IP. Destination IP address is usually available, too. Source port information (to help with NAT or firewall logs) may be available in some feeds. The following are Conficker data providers we are working with.

Arbor Networks, ATLAS SRF

  • http://atlas.arbor.net/
  • Cost: free, ATLAS accounts are free, Conficker feeds are free and available to authorized representatives. Format is in CSV, IODEF, or Atom delivered over HTTP. Questions about how this information can be accessed can be sent to: atlas@arbor.net

Shadowserver Foundation Conficker Reports

  • http://www.shadowserver.org
  • Cost: Reports are free and available to authorized representatives. Format is in CSV over email. Questions about how this information can be accessed can be sent to: admin@shadowserver.org

Team Cymru

  • http://www.team-cymru.org/
  • Cost: Free for NSP-SEC community members. Format is pipe-separated text delivered over HTTP with optional e-mail notifications. Questions about how this information can be accessed can be sent to: Contact team-cymru@cymru.com

ISC Security Information Exchange (SIE)

Support Intelligence, Inc.

Additional Components for Conficker Identification

The Conficker family of malware is made up of a few variants, each performing some network activity that one may be able to leverage to assist in identify compromised hosts. Below is a summary of such activity, a more comprehensive list can be located within the malware write-ups highlighted above.

  • Port 445/TCP scanning, specifically targeting MS08-067 (A/B variant)
  • DNS lookups or HTTP GET requests for trafficconvert.biz (A variant)
  • Up to 250 DNS lookups/HTTP GET request across 8 TLDs per day (A/B variant)
  • Up to 500 DNS lookups/HTTP GET request across 110 TLDs per day (C variant)
    • Domain names are between 4-9 lowercase alpha chars in length
  • Prevention of certain security related domain name lookups (A/B/C variant)
  • Disabling or terminating certain security products (A/B/C variant)
    • Many of the major Antivirus products
    • Windows built in security and update features
    • System Administration tools
  • Brute force attack against network shares (B variant)
  • Removal of all System Restore Points (C variant)
  • High-port TCP and UDP P2P activity (C variant)

How Can My Customers Clean Up and Remediate Conficker?

A number of AV firms have made standalone remediation tools available for cleanup. Many of these redemption tools’ licenses allow for an organization to host the software in internal quarantine or remediation sites. A core characteristic of Conficker is the ability of the highjacking malware to block access to official update and remediation sites.

The Internet Storm Center is maintaining the comprehensive list of Conficker remediation software: http://www.dshield.org/diary.html?storyid=5860

A partial list is included here:

Do you want to volunteer time to Fight Conficker?

Service Providers who would like to help fight Conficker are encouraged to join two efforts. First, we have NSP-SEC. NSP-SEC is a community of SPs who collaborate to maintain the stability and robustness of the Global Internet. Information to apply and join can be found here: https://puck.nether.net/mailman/listinfo/nsp-security

Special Conficker-SP Working Group. The Conficker Working group has created an alias to allow for SPs who are not part of NSP-SEC or SPs who would like to participate more aggressively to become part of the community’s collaboration. Please visit this page and apply: http://shadowserver.org/mailman/listinfo/conficker-public

ISACs

  • IT-ISAC has a briefing planned for Monday, March 30th. This is their latest documents briefing their membership: IT-ISAC Conficker Bulletin