The "No Network is 100% Secure" series
- Conficker Worm -
A White Paper

All rights reserved - may not be copied without permission
Easyrider LAN Pro, NOC Design Consultants


Warning!!!!!: Don't use "free" security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their "full" service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.

Worried about Conficker (or the gazillion other viruses, trojans, worms and so on that are out there)? Well, you should be! Even if you have a professional IT staff and even if you've already deployed firewalls, anti-virus software and so forth, you still may be vulnerable. If nothing else, our "No Network is 100% Secure" series of white papers has raised your awareness that constant vigilance is key. Consider for a moment what it would cost your company in lost revenue and lost productivity if the Conficker worm (or some other virus) has already infected your network. And what about protection for customer information, data, records, credit card numbers and so forth? We're somewhat biased, of course, but we believe that having your site audited by professional security Consultants such as Easyrider LAN Pro just plain makes good sense in these trying and dangerous times. An ounce of prevention is better than a pound of cure, right? So would you prefer to pay a little to have the security of an independent site security audit or would you rather have Consultants spend a week or two on your site trying to clean up the mess a hacker left behind?

What's the big deal about Conficker?: Think about the worst virus you've ever dealt with. Conficker is like that virus on steroids. At this time, no one (except the creators) knows what the true plan for this worm is. What is known is that millions of computers worldwide have already been infected and that once infected, this worm can be very difficult to get rid of. The worm has also morphed into many different strains, to the degree that even professional anti-virus software companies are having a very difficult time keeping up. As an example, Symantec has been updating their virus definitions every 5 minutes! AVG software is now recommending that its users update virus definitions every four hours, whereas just a year or two ago, updating once a day seemed like overkill.

What is the Conficker worm?: Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files.

Also Known As:
TA08-297A (other)
CVE-2008-4250 (other)
VU827267 (other)
Win32/Conficker.A (CA)
Mal/Conficker-A (Sophos)
Trojan.Win32.Agent.bccs (Kaspersky)
W32.Downadup.B (Symantec)
Trojan-Downloader.Win32.Agent.aqfw (Kaspersky)
W32/Conficker.worm (McAfee)
Trojan:Win32/Conficker!corrupt (Microsoft)
W32.Downadup (Symantec)
WORM_DOWNAD (Trend Micro)
Confickr (other)

Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately. Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. Visit Microsoft for more information.

Home users can apply a simple test for the presence of a Conficker/Downadup infection on their home computers. The presence of a Conficker/Downadup infection may be detected if a user is unable to surf to their security solution website or if they are unable to connect to the websites, by downloading detection/removal tools available free from those sites:


If a user is unable to reach any of these websites, it may indicate a Conficker/Downadup infection. The most recent variant of Conficker/Downadup interferes with queries for these sites, preventing a user from visiting them. If a Conficker/Downadup infection is suspected, the system or computer should be removed from the network or, in the case of home users, unplugged from the Internet.

Impact: A remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. Readers should note that much is not known about this worm, so the information in this white paper should NOT be considered 100% complete. It is believed that not all machines infected with Conficker will exhibit symptoms immediately. This worm has "call home" capabilities whereby the worm will check in (with the worm author, presumably) periodically for instructions. It is estimated that millions of computers worldwide have already been infected with this worm. Needless to say, this infection would create a substantial "botnet" that could be used to wreak havoc on the Internet.

What does the Conficker worm do?: The Conficker worm has created secure infrastructure for cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? The short answer is that no one (except the authors) knows. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware's creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?: The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Infection process: Conficker is delivered as a Dynamic Link Library (DLL), so it cannot run as a standalone program and must be loaded by another application. A vulnerable Windows system is generally infected with the Conficker worm via the MS08-067 vulnerability, using exploit shellcode that injects the DLL into the running Windows Server service. Other possible infection vectors are network shares or USB drives, where the malicious DLL is started via the rundll32.exe application. Once a system is infected, Conficker installs itself as a Windows service to survive reboots. It then computes domain names using a time-seeded random domain name generator and attempts to resolve these addresses. Each resolved address is contacted and an HTTP download is attempted. No successful HTTP download was witnessed until the middle of March 2009, at which point security experts observed nodes that downloaded encrypted binaries from some of the randomly generated domains. When thinking about ways to attack Conficker's infrastructure, this DNS-based update feature is an obvious potential target. However, Conficker uses RSA signatures to validate the downloads and rejects them if the check fails, and attacking RSA is not feasible.

Conficker version control: Conficker is definitely a sophisticated piece of malware with built-in version control! Each Conficker version installs a couple of named mutexes during startup, to make sure that older versions of the code are not run. This is achieved by registering all previous mutex names plus an additional mutex with a different name in each version. If mutex creation fails, this indicates that another Conficker version is already running which is at least as recent as the one currently being executed. However, there seems to be a flaw in Conficker's mutex generation mechanism. It is assumed that the Conficker authors made a mistake that effectively renders the concept of using mutual exclusion useless. Possibly fixed in the next release?

It is quite common in modern malware to patch a vulnerability after successful exploitation, to prevent other malware from also infecting the compromised system. Conficker is no exception here. Conficker.B contains a routine to update itself by scanning incoming exploitation attempts from other infected machines and downloading the new malware binaries from the attacker.

Conficker generates a series of domain names from which it tries to download updates. Conficker.A and .B create 250 domains per day. This puts high load on the contacted domains and can easily lead to a denial of service against them. Various organizations have made efforts to preregister these 2 x 250 daily domains in order to hinder Conficker from retrieving updates and to track infected hosts. Conficker.C tries to evade this defensive approach by creating 50,000 domains per day, making preregistration logistically challenging. Conficker.C randomly chooses 500 out of these domains, which are then contacted for updates. After an unsuccessful update attempt, Conficker.C sleeps for 24 hours. In the case of a successful update, Conficker waits 4 days before continuing to attempt to download new updates. Since the next domain to be contacted is chosen randomly, the load is equally distributed over many name servers, but this leads to the problem that there is no guaranteed set of domains that is contacted on a given day by every host, significantly increasing the effort involved in mitigation at the sinkhole or DNS registrar level.
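The Conficker.C figures above can be turned into a coverage estimate for anyone operating a sinkhole. This is an added example, not part of the original white paper; it assumes each host picks its 500 domains uniformly at random without replacement and draws a fresh, independent batch each day, and the function names are illustrative.

```python
# Added example: sinkhole coverage model for the Conficker.C figures in the text.
DAILY_POOL = 50_000  # domains generated per day (from the text)
PER_HOST = 500       # domains each host picks at random per day (from the text)


def p_miss(sinkholed, pool=DAILY_POOL, picks=PER_HOST):
    """Probability that none of a host's picks is a sinkholed domain.

    Assumption: picks are uniform and without replacement (hypergeometric).
    """
    if not 0 <= sinkholed <= pool:
        raise ValueError("sinkholed must be between 0 and pool")
    miss = 1.0
    for i in range(picks):
        remaining_clean = pool - sinkholed - i
        if remaining_clean <= 0:
            return 0.0  # the host cannot avoid a sinkholed domain
        miss *= remaining_clean / (pool - i)
    return miss


def p_seen(sinkholed, days=1, **kw):
    """Probability a host hits at least one sinkholed domain within `days`,
    assuming one independent batch of picks per day."""
    return 1.0 - p_miss(sinkholed, **kw) ** days


def domains_needed(target, days=1, pool=DAILY_POOL, **kw):
    """Smallest number of sinkholed domains per day giving p_seen >= target."""
    lo, hi = 0, pool
    while lo < hi:  # p_seen grows with the sinkholed count, so bisect
        mid = (lo + hi) // 2
        if p_seen(mid, days, pool=pool, **kw) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    for k in (1, 50, 250, 500):
        print(f"{k:>4} sinkholed/day -> {p_seen(k):.1%} of hosts seen per day")
    print("needed for 99% in one day:", domains_needed(0.99))
    print("needed for 99% in 7 days: ", domains_needed(0.99, days=7))
```

Comparing the one-day and seven-day results shows how much of the registration burden a defender can trade for a longer observation window.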

Conficker employs HTTP requests for updates, which hide update requests amongst the regular web traffic patterns found in most networks. To be even more stealthy, Conficker pre-resolves the domain names and uses only plain IP addresses in the HTTP Host header. Thus, the use of application-level gateways and host-based filtering of this traffic is not easily possible.
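Although hostname-based filtering does not see this traffic, the bare IP address in the Host header is itself something a proxy log can be searched for. The following is an added example, not from the original white paper: the log format, the sample lines, the internal address ranges and the threshold are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: "<time> <client> <method> <Host header> <path> <status>"
SAMPLE_LOG = """\
2009-03-20T10:00:01 10.0.0.21 GET www.example.com /index.html 200
2009-03-20T10:00:02 10.0.0.37 GET 203.0.113.10 / 404
2009-03-20T10:00:03 10.0.0.37 GET 198.51.100.7:80 / 404
2009-03-20T10:00:04 10.0.0.37 GET 192.0.2.99 / 200
2009-03-20T10:00:05 10.0.0.21 GET 10.0.0.5 /intranet/ 200
2009-03-20T10:00:06 10.0.0.44 GET 203.0.113.10 /status 200
2009-03-20T10:00:07 10.0.0.37 GET [2001:db8::1]:8080 / 503
malformed line
"""

# Assumption: internal apps are often addressed by IP, so these are ignored.
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def host_ip(host):
    """Return the address if the Host header is an IP literal, else None."""
    h = host.strip()
    if h.startswith("["):        # [IPv6] or [IPv6]:port
        h = h[1:].split("]", 1)[0]
    elif h.count(":") == 1:      # IPv4:port or name:port
        h = h.rsplit(":", 1)[0]
    try:
        return ipaddress.ip_address(h)
    except ValueError:
        return None              # an ordinary hostname


def suspicious_clients(log_text, min_distinct=3):
    """Map each client to the external IP-literal hosts it requested,
    keeping only clients that reached at least `min_distinct` of them."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue             # skip lines that do not match the format
        client, host = parts[1], parts[3]
        ip = host_ip(host)
        if ip is None or any(ip in net for net in INTERNAL_NETS):
            continue
        dests[client].add(ip)
    return {c: sorted(map(str, d))
            for c, d in dests.items() if len(d) >= min_distinct}


if __name__ == "__main__":
    print(suspicious_clients(SAMPLE_LOG))
```

A single request to an IP-literal host is common in normal traffic, which is why the check counts distinct destinations per client rather than alerting on each line.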

Conficker variants .B and .C contain blacklists of IP address ranges to prevent them from attacking and contacting hosts related to antivirus vendors (AV), some security companies, and Microsoft! The introduction of blacklists in .B can therefore be seen as an improvement for avoiding detection from AVs and Microsoft, and evidence of the worm's author's continuing response to developments in the whitehat community. As the corporate systems typically owned by this type of organization are more likely to be fully patched against the MS08-067 exploit, this behavior may also increase spreading performance by avoiding low-return netblocks.

Who is at risk?: Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up-to-date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk, since pirated systems usually cannot get Microsoft updates and patches.

Question: Am I safe if I don't go to questionable web sites?

Answer: No. The Conficker worm seeks out computers on the same network. You can be in a coffee shop, an airport or in the office and the worm will quietly try to attach to your computer and run itself.

Conficker removal: Not the easiest thing to do.... Conficker versions have introduced more and more security checks to avoid removal. Beyond blocking access to anti-virus web sites, one is the detection of removal tools. In order to apply disinfection or vaccination tools, Conficker has to be terminated first, which is hard without being able to apply a removal tool. A major barrier to easy termination is that Conficker runs inside another process. In most cases, this is a system process, such as svchost.exe. These processes cannot simply be terminated as this would obviously lead to system instability. When Conficker is wiped from running memory it should be noted that this disinfection is only temporary and Conficker will be reloaded after reboot unless further steps are taken.

Several organizations have reported that computers which have been cleaned of Conficker infections were immediately reinfected on restart. There are several possibilities for the cause of this behavior. One is that Conficker's autostart ability and on-disk binaries were not correctly removed. Another is that the computers were immediately reinfected by other compromised computers via the (local) network.


Last modified March 25, 2009
Copyright 1990-2009 Easyrider LAN Pro