Filed Under:
MALWARE HISTORY

Conficker – One Year After (Part One)

17 November 2009
Getting beyond the myth

EPISODE ONE

Conficker (a.k.a. Downadup or Kido) was by no means the cleverest e-threat ever, nor the most dangerous. It is, though, one of the most intriguing and well-written pieces of malware, with great damaging potential and an intricate, clever update mechanism.

Since its emergence in late October 2008, rumors and hard data have mingled into a cornucopia of "facts", while the mass media enjoyed feeding their readers terrifying figures and apocalyptic scenarios foretelling the death of the Internet as we know it on April Fool's Day.

What damage did Conficker do?

The truth is that the worm by itself does not cause any direct damage. As far as we know, none of the five existing variants corrupts files or steals data. Yet...

Conficker does more frightening things instead. They show that the malware creators behind it engineered it with a great deal of craft and succeeded in producing an illustrious heir to its precursors, namely Welchia, Blaster, Sobig, Sasser and Storm.

First and foremost, Conficker's purpose is to spread to and compromise as many machines as possible. It achieves this goal using a vulnerability in the Microsoft® Windows® Server service, reachable over RPC and described in Microsoft Security Bulletin MS08-067; the flaw lets an attacker execute code remotely on an unpatched machine. Early 2009 estimates confirmed Conficker's success in spreading: by the end of Q1, the total number of compromised machines around the globe almost equaled the population of Belgium or the Netherlands. Variants B and C also added two further spreading mechanisms: abuse of the Autorun function for removable drives and media (such as USB portable storage devices), and brute-force access to insufficiently protected network shares (namely those with weak passwords).

The second mission of Conficker is to set up, deploy and maintain a viable, stealthy communication system between the compromised machines for updating and command purposes. The communication mechanism underwent the most elaborate development from one variant to the next, and it is responsible for the allegations of an Internet Apocalypse. Conficker's first three versions connected to a limited number of domains, around 250 a day, in order to check for updates. The enhancements introduced in the last two variants account for the generation of 50,000 random domains a day, of which Conficker C and D select 500 at random and check them for updates. The practical effect of the larger list is that defenders who had been pre-registering every candidate domain, to deny the worm its updates, could no longer keep up.
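To make the domain-generation idea concrete, here is an added toy example (my own illustration, not Conficker's algorithm, its constants, or BitDefender's code): it derives a day's candidate domains from the date with a hash, lets a bot poll a random subset of them, and computes the odds that the operator's registered names are reached. The seed, the TLD list, the label length and the hash are all assumptions made for illustration.

```python
"""Toy date-seeded domain generation with a random subset check.

Hypothetical illustration only: NOT Conficker's real algorithm or constants.
"""
from __future__ import annotations

import datetime as dt
import hashlib
import random
from fractions import Fraction
from math import comb

TLDS = ("com", "net", "org")  # constructed list for the example, not the worm's


def generate_candidates(day: dt.date, count: int, secret: bytes = b"example-seed") -> list[str]:
    """Derive `count` domain names deterministically from the calendar day.

    Anyone who knows the derivation (the operator, or an analyst who pulled it
    out of the binary) regenerates the identical list for any date, past or
    future. `secret` is an assumed constant baked into the toy.
    """
    names = []
    for i in range(count):
        material = secret + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])  # 10 lowercase letters
        names.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return names


def pick_subset(candidates: list[str], k: int, rng: random.Random | None = None) -> list[str]:
    """Each bot polls only k of the day's candidates, chosen at random."""
    rng = rng or random.SystemRandom()
    return rng.sample(candidates, k)


def poll_for_update(subset: list[str], registered: set[str]) -> str | None:
    """Stand-in for the bot's update check: the first polled name the operator
    actually registered 'answers'; every other lookup would be NXDOMAIN."""
    for name in subset:
        if name in registered:
            return name
    return None


def hit_probability(n: int, k: int, r: int) -> float:
    """Exact (hypergeometric) chance that a bot polling k of n candidates lands
    on at least one of the r names the operator registered for that day."""
    if r >= n:
        return 1.0
    return float(1 - Fraction(comb(n - r, k), comb(n, k)))


if __name__ == "__main__":
    day = dt.date(2009, 4, 1)
    small = generate_candidates(day, 250)      # list size in the early variants
    large = generate_candidates(day, 50_000)   # list size in the later variants
    rng = random.Random(2009)                  # fixed seed so the demo is repeatable
    registered = {large[12345]}                # the operator registered a single name
    print("bot reached:", poll_for_update(pick_subset(large, 500, rng), registered))
    print("P(hit), 1 of 50000 registered, 500 polled:", round(hit_probability(50_000, 500, 1), 3))
    print("P(hit), 1 of 250 registered, all 250 polled:", round(hit_probability(250, 250, 1), 3))
    print("defender pre-registering the whole day:", len(small), "vs", len(large), "names")
```

The two numbers at the end show why the change in list size mattered. With 250 candidates a day, a defender can register every name and a bot that polls all of them finds nothing but sinkholes. With 50,000 candidates and 500 polled, a single registered name is reached by only about 1% of bots, but registering roughly a hundred names already gives the operator about a 63% chance per bot per day, while pre-registering all 50,000 each day is out of reach for the defender.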

The third purpose of Conficker is to paralyze defensive systems. From its second variant on, the worm disables Windows Update and blocks access to the majority of antimalware web sites. The consequence is a total failure to obtain automatic or manual updates for the installed security suites or products. Moreover, any attempt to connect to vendors' or third parties' web sites to get disinfection tools becomes futile, as the malware creators behind Conficker update the list of blocked URLs almost instantaneously. Because the block is applied inside the infected host itself, the same site stays reachable from a clean machine on the same network, which is the simplest way to tell this symptom from a genuine outage.

To summarize, Conficker's mission so far has been to create a worldwide army of still-dormant machines, able to communicate, update and receive orders, while also neutralizing any defenses in place.



