Conficker: Before the Flood (April Showers)

I don’t, of course, know for sure what’s going to happen on April 1st, when Conficker is timed, potentially, to go to its next stage of evolution. We do know, from inspecting code in the variants and subvariants that have come our way, that infected machines will be looking for instructions and updates on that date.

At the very least, as our colleagues in Slovakia have pointed out here, machines infected with the latest variants will have a lot more addresses to "call home" to. The number of domains generated on a daily basis for communication between Conficker-infected machines and the potential botnet’s Command and Control (C&C) servers has increased from 250 a day to 50,000, increasing the difficulty of tracking and the risk of "collisions" with legitimate domains.

While we can only guess at the total number of zombie machines (infected systems that can be used by the botnet), it’s likely to be over a million. Analysis of our ThreatSense.net threat monitoring system shows that a hair-raising 3.88% of PCs owned by our customers were attacked this week by Conficker, and would have been at direct risk of infection, had they not been protected.

This suggests that if and when Conficker starts to act like a real botnet, the chances are that even if it only does the things that botnets usually do (send spam and scams, carry out click fraud and Distributed Denial of Service (DDoS) attacks, and so on), it will have plenty of machines to make use of and no shortage of bandwidth for communicating between the attackers and the "work force". The updating mechanism is notably stealthy and resistant to interference from security researchers.

Many people are panicking about the possibility that these somewhat scary resources will be used to carry out devastating attacks on the infrastructure of the internet. Certainly such coordinated attacks have been carried out (or at least attempted) in the past, for instance against authoritative DNS servers (the top layer of a network of machines holding the addressing and routing information that allows internet-connected machines to find other connected systems).

However, attackers nowadays mostly prefer to misuse such services for their own financial advantage rather than to try to bring them down altogether. For instance, by misdirecting web searches towards malware-hosting URLs, adware sites, fake AV and so on.

In fact, the earliest Conficker variant also had an update mechanism: in that instance, it had the very specific purpose of downloading a file called loadav.exe. From its name, it’s likely that this was a fake security application, but no-one ever saw it because the server on which it was to be hosted never went online. And there are reports today of search engine optimization being used to misdirect people googling for Conficker-related information to web sites serving fake AV.

So what is ESET doing about Conficker?

• Well, in terms of detection, we have very decent generic detection for Conficker and all the latest variants have been detected generically without our needing to add specific signatures or further generic detection, though we did have to write a completely separate disinfection routine for Conficker, as this malware is extremely resistant to detection and removal.  (The cleaner is, you’ll remember from previous posts, available as a stand-alone utility: the latest version is here.
• We have a monitoring system in place which allows us to peek over the bot’s shoulder when the new searching algorithm is activated, giving us immediate visibility into what (if anything) happens.
• Juraj Malcho, the Head of ESET Virus Lab, tells us that the lab’s staff are being augmented as April 1st gets closer.
• And we’re working closely with security researchers in other organizations on Conficker-related issues.

What can you do? Well, we’ve covered that ground pretty well already in previous posts, but it does no harm to recap on the main points.

• As Randy suggests, disable Autorun
• Check  that you have firewall prevention and antivirus protection, and that they’re still active: Conficker has a nasty habit of disabling security software.
• If you don’t have AV right now, we have a free online scanner here. We don’t advocate that you rely on online scanners for malware protection, but using one now is a quick way of checking whether you might have malware infection at this moment. But whether or not you have an infection, I’d earnestly recommend that you install AV. Real AV, that is: if you don’t like ours, make sure you follow Randy’s suggestions for avoiding scareware (and worse) and fake security applications.
• As Juraj suggests, make sure you’ve applied the patches that fix the vulnerabilities used by Conficker. We talked about those in some detail here and here.
• If you find you do have a Conficker infection, try the removal tool linked above.

 Finally, here are some useful resources for finding out more about Conficker.

• If you check the blog archives box at the top right of this page, you’ll see a link to "other archives": the page that it links to includes ways of searching by month or by subject (category).
• There’s a very thorough analysis by SRI here.
• There are links to other resources at the Internet Storm Center.

David Harley & Pierre-Marc Bureau
Malware Intelligence Team