Weighing in on Conficker

If you follow online security news, there’s little chance that you haven’t heard about Conficker – a new worm that has received extensive media coverage in the past weeks, due in part to Microsoft’s offer of a $250,000 bounty in return for information leading to the arrest of the malware’s perpetrators.

From our perspective here at Lavasoft Malware Labs, Conficker (also known as Downup, Downadup and Kido), has proven to be one of the more sophisticated pieces of malware. It attempts to avoid being reverse engineered by employing various obfuscation techniques. It displays classic malware behavior – once a machine is infected, Conficker scans for the presence of a firewall.  If a firewall exists, the malware asks the firewall to open a backdoor to download more malware. It also searches for vulnerable machines by probing randomly generating IP addresses (early variants avoided Ukrainian IP addresses and machines that had Ukrainian keyboard settings and simply aborted the infection process). Conficker also attempts to disable various anti-virus applications it finds on the machine and block access to security websites.

Also interesting to note is that Conficker generates a list of domain names, based on a randomizing function, which are then contacted to download, validate and execute further files. Infected machines become part of a botnet. At this time, there are several million machines that are part of this botnet.

There are reports that on April 1, 2009, the Conficker botnet will activate some kind of 'armageddon-like' payload. In reality, the threat posed is subjective. We simply do not know for certain what will happen. Here’s what we do know: the malware checks for updates, and so it is possible that April 1 is part of a scheduled update; we know that infected machines are part of a botnet which, theoretically, can be used for anything from propagating spam to denial of service attacks to pushing rogue anti-malware applications. While some reports claim that millions of machines will be damaged on April 1, for the time being, it’s worth remembering – without understating the seriousness of the Conficker epidemic – that this is speculation.

To learn more about Conficker, keep reading, below, for our quick guide to help you understand how the malware spreads and ways to lessen the chances of infection.

Conficker propagates by exploiting:

  • A known vulnerability in the Windows Server service, the MS08-067 vulnerability.
  • Weak passwords – home and corporate networks are exposed to a 'brute force' password attack using commonly used passwords.
  • USB devices – the worm copies itself as the autorun.inf file onto the device which is executed every time the compromised USB device is inserted into a PC.

There are 3 specific steps that you can take to mitigate your chances of infection:

  1. Check for and install Windows updates. Once the latest updates have been installed, set your PC to automatically download and install these updates. The patch that fixed the MS08-067 vulnerability was published in October 2008 yet Conficker continues to thrive, meaning people are still not in the habit of installing security updates.
  2. Ensure all passwords, especially for network drive shares, are not easily guessable. 
  3. Disable the Autoplay function. Instructions can be found on Microsoft’s Help and Support pages.