Information security impact arising from Conficker.C worm
Introduction
Conficker (also known as Downadup, Kido) is a computer worm that targets the Microsoft Windows operating system. It keeps on evolving since its first appearance in November 2008. Variant A, B, B++ were reported in from November 2008 to February 2009. HKCERT had published an incident analysis on the February 2009 issue of Newsletter to introduce the Conficker worm. In the past week, news reports (1) revolved around the development of the new Conficker.C variant which appeared in the beginning of March. The new variant is set to activate the domain generation algorithm on April 1, 2009 and may generate certain new security threat. Conficker.C worm has caused HKCERT to elevate the alert level and issue an advisory.
Major enhancement of Conficker.C
According to the SRI Addendum "An Analysis of Conficker C", Conficker.C is a significant restructuring of previous version. New features are built for bulletproof defense, to increasing the longevity of the Conficker on infected machines. It has several major enhancements below:
- New Domain Generation Algorithm
Starting from 1 April 2009 Conficker.C generates 50,000 domains in the daily list in 116 top-level domains (TLDs). Conficker.C queries only 500, once per day for updates. This new mechanism is designed to evade the effort of global security teams to pre-empt domain registration by Conficker authors.
- P2P update
Uses P2P protocol to distribute digitally signed files for update. Each infected machine can act as server or client.
- Security features to prevent third-party hijacking
Employs the latest crypto-system MD-6 to authenticate author of uploaded file, so as to prevent other groups from uploading arbitrary binaries to their infected drone population.
- Better defense to combat security services
Increases the ability to detect and terminate security services, so as to combat anti-malware. It has domain lookup prevention feature to avoid lookup to domains of security vendors. It terminates firewall, Windows defender and a list of security services.
Impact
The Conficker.C worm does *NOT* attack Internet users on its own. However the mechanism it connect with update servers will create the following security impact (3):
- Impact to machines previsouly infected by Conficker A & B
Machines which are infected by Conficker.A or Conficker.B but has not yet been cleaned up, will attempts to upgrade to Conficker.C via HTTP. Conficker.C worm has better defense features and is much harder to remove.
- Traffic impact arising from Conficker.C worm
There is a side effect of the new domain generation mechanism. The pseudo-random domain generation mechanism may cover some legitimate domains. From 1-Apr-2009 onwards Conficker.C worms will try to connect the generated domains, causing a DDoS attack to the web server of the legitimate domains. The flooding of traffic will affect the website owner, as well the related ISP network.
List of legitimate domains random generated by Conficker.C worm:
http://iv.cs.uni-bonn.de/uploads/media/collisions_april.zip
- Potential hack attack by Conficker.C authors
Conficker.C authors may also try to exploit servers of legitimate domains which are on the list of domain generation algorithm, to prepare these servers as the rendezvous points.
Solution
Prevention |
|
| |
| |
| |
| |
| |
Detection (4) |
|
| |
| |
| |
Response |
|
|
Related Link
(1) Conficker worm information and news
http://isc.sans.org/diary.html?storyid=6211
http://isc.sans.org/diary.html?storyid=5860
http://www.confickerworkinggroup.org/wiki/pmwiki.php?n=Main.HomePage
http://blogs.technet.com/mmpc/archive/2009/01/22/centralized-information-about-the-conficker-worm.aspx
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130228&intsrc=news_ts_head
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9130228&intsrc=news_ts_head
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9129239&intsrc=news_ts_head
http://bits.blogs.nytimes.com/2009/03/19/the-conficker-worm-april-fools-joke-or-unthinkable-disaster/
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Bolsters-P2P/ba-p/393331#A253
(2) Conficker worm analysis papers
http://mtc.sri.com/Conficker
http://mtc.sri.com/Conficker/addendumC/
https://www.honeynet.org/files/KYE-Conficker.pdf
(3) Questions and Answers of Conficker worm
http://www.f-secure.com/weblog/archives/00001647.html
http://www.f-secure.com/weblog/archives/00001636.html
(4) Detecting Conficker Worm
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
http://mtc.sri.com/Conficker/contrib/scanner.html
Share with