
The Conficker Botnet

Overview

On October 23, 2008, Microsoft published the out-of-band critical security bulletin MS08-067, "Vulnerability in Server Service Could Allow Remote Code Execution (958644)". The bulletin explained that a flaw in the Server service could allow remote code execution if an affected system received a specially crafted remote procedure call (RPC) request.

An unauthenticated attacker could exploit the vulnerability to run arbitrary code on Windows 2000 SP4, Windows XP SP2 and SP3, Windows Server 2003 SP1 and SP2, Windows Vista Gold and SP1, Windows Server 2008 and Windows 7 Pre-Beta systems. Microsoft also warned that the vulnerability could be used to craft a wormable exploit, and the first Conficker variant appeared within a month of the bulletin.

The Common Vulnerabilities and Exposures (CVE) list tracks this vulnerability as CVE-2008-4250.

The Common Vulnerability Scoring System (CVSS), an open framework for communicating the characteristics and impact of IT vulnerabilities, rated it 10.0, the most severe possible score: the vulnerability is both high impact (full remote code execution) and highly exploitable (no authentication or user interaction required).

Description

When installed, Conficker / Downadup copies itself into the %SystemRoot%\System32 folder as a DLL with a random name. If it cannot write to System32, it falls back to the %ProgramFiles%\Internet Explorer or %ProgramFiles%\Movie Maker folders.

It then registers a Windows service that loads this DLL through svchost.exe, a legitimate Windows host process, every time the computer starts. The infection then changes a number of Windows settings so that it can spread efficiently to other computers over the local network and the Internet.

Like much malware of its era, Conficker is a blended threat that combines several techniques. Once it infects a computer, it disables many security features and automatic update settings, deletes restore points and opens connections to receive instructions from remote systems. It then uses the first compromised machine as a foothold to attack the rest of the network.

Here is a partial list of what Conficker can do:

  • Disable important system services and security products, such as Windows Defender, Microsoft Security Essentials, or Windows Update.
  • Download arbitrary files.
  • Prevent you from visiting websites, including those that allow you to download security updates.

Impact

Estimating the number of infected computers has been notably difficult because the worm changed its propagation and update strategy from version to version. In January 2009, estimates of the number of infected computers ranged from almost 9 million to 15 million.

Microsoft has reported the total number of infected computers detected by its antimalware products has remained steady at around 1.7 million from mid-2010 to mid-2011.

How does the Conficker worm work?

The following image shows how the Conficker worm works.

In outline, the worm spreads in three ways and then contacts its operators for updates:

  • Network exploit: an infected host scans for TCP port 445 and sends the crafted RPC request from MS08-067 to every reachable Server service, gaining code execution without any credentials. The payload makes the victim download the worm's DLL over HTTP from the attacking host.
  • Removable media: from the .B variant onwards, the worm copies itself to every removable drive together with an autorun.inf that launches the copy when the drive is opened on another computer.
  • Network shares: the .B variant also tries a built-in list of weak passwords against the ADMIN$ share of neighbouring machines; a successful login lets it copy its DLL and schedule it to run, while the failed attempts trip account lockout policies.

Once running, the worm patches the MS08-067 hole in memory so that no rival malware can reinfect the host, and each day contacts a pseudo-randomly generated list of domain names (250 per day for .A and .B, 50,000 per day for .C) looking for updates. The .C variant added a peer-to-peer update channel as well.

Signs and Symptoms of Infection

Conficker variants perform some or all of the following on an infected system (not every variant performs every item; the service tampering and DNS blocking arrived with the .B variant):

  • Modification of system settings
  • Disabling of the Windows Vista TCP/IP receive-window auto-tuning (run via netsh, to speed up the worm's scanning)
  • Termination or disabling of the following Windows services:
      • Security Center (wscsvc)
      • Automatic Updates (wuauserv) and Background Intelligent Transfer Service (BITS)
      • Windows Defender (WinDefend)
      • Windows Error Reporting (ERSvc on XP/2003, WerSvc on Vista and later)
  • Termination or disabling of third-party security software (anti-virus, firewalls, etc.)
  • Deletion of system restore points
  • Deletion of backup files
  • Checking for Internet connectivity and downloading arbitrary files
  • Name resolution fails for security-related web sites whose host names contain specific keywords (for example "microsoft", "windowsupdate", "symantec"), so users cannot reach vendor or update sites
  • Increase in traffic on TCP port 445, typically one host connecting to many different addresses
  • Access to administrative shares (ADMIN$) is denied, and accounts get locked out by the worm's password guessing
  • Sluggish response due to the increase in network traffic
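The checks above can be scripted. The following read-only triage script is an added example; it is not CERT-RO's tool or any vendor's removal utility. It is meant to be run from an elevated PowerShell on Windows Vista or later. The function names are hypothetical; the service names, registry keys and fallback folders are the ones the worm actually touches, and the DNS test assumes the host normally has Internet access.

```powershell
# Added example (not from the CERT-RO page): read-only Conficker triage.
# Run elevated on Windows Vista or later. Function names are hypothetical.

# Services the worm disables, keyed by short service name.
$ConfickerServices = @{
    'wscsvc'    = 'Security Center'
    'wuauserv'  = 'Automatic Updates'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Error Reporting (XP/2003)'
    'WerSvc'    = 'Windows Error Reporting (Vista and later)'
}

function New-Finding($Check, $Item, $Detail) {
    [pscustomobject]@{ Check = $Check; Item = $Item; Detail = $Detail }
}

function Test-DisabledSecurityServices {
    foreach ($name in $ConfickerServices.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) { continue }                      # not present on this OS version
        $start = (Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name" -ErrorAction SilentlyContinue).Start
        if ($start -eq 4 -or $svc.Status -ne 'Running') {  # Start=4 means Disabled
            New-Finding 'Service' "$name ($($ConfickerServices[$name]))" "Status=$($svc.Status) Start=$start"
        }
    }
}

function Test-Ms08067Patch {
    # KB958644 is the MS08-067 hotfix. Windows 7 and later shipped with the fix,
    # so only older versions need the hotfix to appear in the installed list.
    if ([Environment]::OSVersion.Version -ge [Version]'6.1') { return }
    if (-not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
        New-Finding 'Patch' 'KB958644 (MS08-067)' 'Not installed: host is exploitable over TCP 445'
    }
}

function Test-NetsvcsDlls {
    # Conficker registers its random-named DLL as a service in the svchost "netsvcs"
    # group. Walk that group and flag DLLs that are unsigned or live in the worm's
    # fallback folders. Catalog-signed system DLLs may report NotSigned on older
    # Windows versions, so treat a hit as a lead to investigate, not a verdict.
    $group = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
    foreach ($name in $group.netsvcs) {
        $params = Get-ItemProperty "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters" -ErrorAction SilentlyContinue
        if (-not $params -or -not $params.ServiceDll) { continue }
        $dll = [Environment]::ExpandEnvironmentVariables($params.ServiceDll)
        if (-not (Test-Path $dll)) { continue }
        $suspiciousDir = $dll -match '\\Internet Explorer\\|\\Movie Maker\\'
        $sig = (Get-AuthenticodeSignature $dll).Status
        if ($suspiciousDir -or $sig -ne 'Valid') {
            New-Finding 'netsvcs DLL' $name "$dll signature=$sig"
        }
    }
}

function Test-TcpAutotuning {
    # Conficker.B runs "netsh interface tcp set global autotuning=disabled" on Vista.
    $out = netsh interface tcp show global 2>$null | Out-String
    if ($out -match 'Auto-Tuning Level\s*:\s*disabled') {
        New-Finding 'TCP/IP' 'Receive window auto-tuning' 'disabled (the worm sets this; administrators rarely do)'
    }
}

function Test-SecuritySiteDns {
    # The worm blocks name resolution for host names containing security-related
    # strings. A neutral name resolving while vendor names fail is the tell-tale sign.
    $resolve = { param($h) try { [void][System.Net.Dns]::GetHostAddresses($h); $true } catch { $false } }
    if (-not (& $resolve 'www.example.com')) { return }  # no network at all: inconclusive
    foreach ($h in 'www.microsoft.com', 'update.microsoft.com', 'www.symantec.com') {
        if (-not (& $resolve $h)) { New-Finding 'DNS' $h 'resolution fails while www.example.com resolves' }
    }
}

function Invoke-ConfickerTriage {
    $findings = @(Test-Ms08067Patch; Test-DisabledSecurityServices; Test-NetsvcsDlls;
                  Test-TcpAutotuning; Test-SecuritySiteDns)
    if ($findings.Count -eq 0) { 'No Conficker indicators found.' } else { $findings | Format-Table -AutoSize }
}

Invoke-ConfickerTriage
```

Any finding from the netsvcs or DNS checks on a machine that is also missing KB958644 should be treated as a probable infection: disconnect the host from the network before running a removal tool, because an unpatched machine is reinfected from its neighbours within minutes.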

Solution

Several Conficker removal tools are available for download. Most anti-virus vendors have developed removal tools and/or published instructions for removing Conficker, and Microsoft's Malicious Software Removal Tool (MSRT) has detected and removed the worm since its January 2009 release. Any list of such tools is a set of examples only and does not constitute an exhaustive list.

Whichever tool is used, install the MS08-067 update (KB958644) and disconnect the machine from the network first: a cleaned but unpatched host is reinfected by its neighbours within minutes, and the worm also re-spreads from any removable drive that still carries its autorun.inf.

Conficker Prevention

The Conficker worm is a strong reminder to practise defence in depth continually and consistently, providing multiple layers of defence for both consumer and business systems.

The spread of the Conficker worm shows that many PC users still do not keep their Windows installations up to date with the latest security patches. The infection has spread to computers all over the world, including home, business and government users. Methods of preventing this and other infections include the following:

  • Keep security patches up to date. This includes not only patches for the operating system, but for all applications and plug-ins as well. Remember that Downadup/Conficker spread so widely because so many computers simply did not have a single security patch applied, one that was released before the first variant appeared and months before the mass infections of early 2009.
  • Use a robust security software suite with multiple layers of protection, and make sure it is always on and up to date. Even patched systems continue to become infected with the .A and .B variants, in many cases because the worm is carried on infected removable media such as USB thumb drives. In most cases, up-to-date security software will detect the threat before it can jump from the removable device to the computer.
  • Enable a firewall (Windows or third-party) on your computer and follow industry best practice on what should and should not be allowed through it; in particular, do not expose SMB (TCP port 445) to the Internet.
  • Limit user privileges on the computer. Grant access only to those who need it (least privilege).
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Avoid downloading pirated software.
  • Protect yourself against social engineering attacks.
  • Use strong passwords. Conficker's share attack guesses from a short list of common passwords, so anything long and non-dictionary defeats it.
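The patching, firewall, removable-media and password items above can be applied with a short script. The following is an added example, not CERT-RO's or Microsoft's guidance verbatim; it assumes an elevated PowerShell on Windows Vista or later (Windows XP uses "netsh firewall" rather than "netsh advfirewall" and has no advfirewall profiles). The function names are hypothetical; the registry value for Autorun is the one Microsoft documents in KB967715, and the minimum password length of 12 is an assumed local policy choice.

```powershell
# Added example (not from the CERT-RO page): Conficker hardening steps.
# Run elevated on Windows Vista or later. Function names are hypothetical.

function Enable-AutomaticUpdates {
    # Conficker disables wuauserv/BITS; make sure both are enabled and running so
    # that MS08-067 (KB958644) and later patches actually arrive.
    foreach ($name in 'wuauserv', 'BITS') {
        Set-Service -Name $name -StartupType Automatic
        Start-Service -Name $name
    }
    if ([Environment]::OSVersion.Version -lt [Version]'6.1' -and
        -not (Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue)) {
        Write-Warning 'KB958644 (MS08-067) is not installed; install it before reconnecting to the network.'
    }
}

function Set-SmbFirewallRules([switch]$AllowLanFileSharing) {
    # Enable the firewall on every profile. Conficker.A reaches unpatched hosts over
    # TCP 445, so block inbound SMB on public networks, and everywhere unless this
    # machine really has to serve files. Block rules win over the built-in allow rules.
    $ruleName = 'Conficker hardening - block inbound SMB'
    $profiles = if ($AllowLanFileSharing) { 'public' } else { 'any' }
    netsh advfirewall set allprofiles state on | Out-Null
    netsh advfirewall firewall delete rule name=$ruleName 2>$null | Out-Null
    netsh advfirewall firewall add rule name=$ruleName dir=in action=block protocol=TCP localport=445 profile=$profiles | Out-Null
}

function Disable-Autorun {
    # KB967715: NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type, so an
    # autorun.inf on an infected USB stick is never honoured.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name 'NoDriveTypeAutoRun' -Value 0xFF -Type DWord
}

function Set-MinimumPasswordLength([int]$Length = 12) {
    # The worm's ADMIN$ attack tries a short list of trivial passwords; a local
    # minimum length keeps such passwords from being set on this machine. (Assumed value.)
    net accounts /minpwlen:$Length | Out-Null
}

Enable-AutomaticUpdates
Set-SmbFirewallRules            # add -AllowLanFileSharing on a file server
Disable-Autorun
Set-MinimumPasswordLength
```

Reboot after Disable-Autorun so that Explorer picks up the new policy, and re-run the triage checks from the previous section afterwards to confirm the services stay enabled; if they are disabled again on the next reboot, the machine is still infected.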

Basic rules

Regarding the security of your computer, please consider the following basic rules:

  1. Check your computer for infection.
  2. Install the current service packs and security updates for your system, and turn on automatic updates.
  3. Check your web browser and its plug-ins (e.g. Java, Flash, Shockwave, QuickTime) regularly for updates.
  4. Install a virus scanner and update it regularly.
  5. Use a firewall, e.g. the Windows built-in firewall or a router.


Copyright © 2014-2015 CERT-RO. All rights reserved.