Editor's note: This tip is part of a two-part series. Here Ron Condon will discuss how the Conficker botnet spread. In his second installment, he will discuss how to stop Conficker from spreading and unveil several anti-Conficker defense strategies.
Remember all the fuss about the Conficker worm earlier this year? The worm spread like crazy and everyone expected it to do something terrible on April Fools' Day.
Then when the day came, nothing happened. Life went on, the Internet didn't collapse, and most people decided it was just another one of those scare stories (remember the Millennium Bug?).
But as we approach the first anniversary of the initial Conficker virus -- it was first detected by the Microsoft Malware Protection Center on November 21, 2008 -- the bad news is that a Conficker botnet is still very much alive. Between 6 million and 7 million machines around the world are currently infected, and infections are still creeping up.
So should we worry? Although the malware is very good at spreading and defending itself once installed, it doesn't destroy files or steal information – yet.
In the early stages, the Conficker worm certainly caused a lot of trouble, infecting hospital systems, the U.K. Parliament and the Navy. In one incident, a number of French military aircraft had to be grounded because they were unable to download flight plans due to Conficker. The cleanup costs across the world have been enormous.
How does the Conficker worm spread?
So, how does the Conficker worm spread? Conficker has the ability to spread via USB sticks, as well as over a network. As recently as August, Whipps Cross University Hospital NHS Trust in east London admitted it had just managed to contain an infection of 30 machines, probably caused by an infected USB stick.
And even though the Conficker worm does not destroy or steal information, it is far from harmless. In order to spread, it tries to guess the passwords of other machines on the network. If you have a limit of, say, three failed logins before closing down an account, then users will suddenly find themselves unable to work.
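The password-guessing side effect described above is visible in the domain controller's security log before anyone notices the worm itself: one source workstation produces failed logons against many different accounts in a short window, and accounts then start locking out. The following script is an added example, not code from the original article or the Conficker Working Group. It parses a constructed, simplified log export (the pipe-separated layout is an assumption; event IDs 4625 for a failed logon and 4740 for an account lockout are the real Windows Security event IDs), flags sources that fail against several distinct accounts within a sliding window, and shows which accounts a lockout threshold of three failures would have disabled.

```python
"""Spot worm-style password guessing in a Windows Security log export.

Added example, not part of the original article. The log lines are
constructed and the "timestamp|event_id|target_account|source_workstation"
layout is an assumed simplified export, not a real Event Viewer format.
Event IDs 4625 (failed logon) and 4740 (account locked out) are real.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

FAILED_LOGON = 4625
ACCOUNT_LOCKED_OUT = 4740

# Constructed sample: WS-0417 behaves like a worm guessing passwords
# across the network; WS-0203 is a single user mistyping a password.
SAMPLE_LOG = """\
2009-11-02 09:00:01|4625|alice|WS-0417
2009-11-02 09:00:02|4625|bob|WS-0417
2009-11-02 09:00:02|4625|carol|WS-0417
2009-11-02 09:00:03|4625|dave|WS-0417
2009-11-02 09:00:03|4625|alice|WS-0417
2009-11-02 09:00:04|4625|alice|WS-0417
2009-11-02 09:00:04|4740|alice|WS-0417
2009-11-02 09:00:05|4625|bob|WS-0417
2009-11-02 09:00:05|4625|bob|WS-0417
2009-11-02 09:00:06|4740|bob|WS-0417
2009-11-02 09:15:00|4625|erin|WS-0203
"""


def parse_log(text):
    """Turn the simplified export into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, source = line.split("|")
        events.append({
            "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
            "event_id": int(event_id),
            "account": account,
            "source": source,
        })
    return events


def find_spraying_sources(events, window_seconds=60, min_accounts=3):
    """Return {source: accounts} for sources whose failed logons hit at
    least `min_accounts` distinct accounts inside any sliding window.
    A worm guessing its way across the network fails against many accounts
    at once; a user with a forgotten password fails against one."""
    window = timedelta(seconds=window_seconds)
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] == FAILED_LOGON:
            by_source[e["source"]].append(e)

    flagged = {}
    for source, fails in by_source.items():
        fails.sort(key=lambda e: e["time"])
        start = 0
        for end, e in enumerate(fails):
            # Slide the window start forward until it covers only
            # failures within `window` of the current event.
            while fails[start]["time"] < e["time"] - window:
                start += 1
            accounts = {f["account"] for f in fails[start:end + 1]}
            if len(accounts) >= min_accounts:
                flagged[source] = flagged.get(source, set()) | accounts
    return flagged


def predict_lockouts(events, threshold=3):
    """Accounts whose failed-logon count reaches the lockout threshold.
    Simplification: counts all failures in the export rather than applying
    the policy's own observation window."""
    failures = Counter(
        e["account"] for e in events if e["event_id"] == FAILED_LOGON
    )
    return {acct for acct, n in failures.items() if n >= threshold}


def count_lockouts(events):
    """Accounts the domain controller actually reported as locked out."""
    return dict(Counter(
        e["account"] for e in events if e["event_id"] == ACCOUNT_LOCKED_OUT
    ))


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    for src, accts in find_spraying_sources(evts).items():
        print(f"{src}: failed logons against {len(accts)} accounts: "
              f"{sorted(accts)}")
    print("would lock out at threshold 3:", sorted(predict_lockouts(evts)))
    print("reported lockouts:", count_lockouts(evts))
```

Run against a real export, the flagged source is the machine to pull off the network first; the lockout list is the helpdesk queue the article warns about, and it shows why a low lockout threshold turns the worm's guessing into a denial of service against legitimate users.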
Also, from its second variant, the worm began to disable Windows Update and blocked access to the majority of antimalware websites. In the words of Alexandru Catalin Cosoi, a researcher with Bucharest-based BitDefender, "Conficker's mission until now has been to create a worldwide army of yet-dormant machines, able to communicate, update and receive orders, while also neutralising any defence system in place. Any infected machine can be exploited anytime from now on. It is like having a house with a door wide open all the time, even when you sleep or go to work or on vacation."
And that is the problem: Although the authors of the Conficker botnet have so far made little use of their brainchild, they have created a vast network of machines that could wreak havoc some time, destroying local files, stealing information or launching DDoS attacks.
"There are 6 million or more infected machines out there on the Internet that could act like Google on steroids," said Rodney Joffe, chief technologist at Sterling, Va.-based Neustar Inc. "It is quite possible to use it as a single system, 6 million machines connected to 6 million local disks and network shares. For instance, you could get it to go and search for any files containing certain information, and bring those back to the criminals controlling the botnet."
However, much has already been done to limit the effects of the Conficker worm, and to track down the culprits. In an unprecedented move, when the scope of the threat was realised, the international security industry came together with law enforcement and formed the Conficker Working Group, which still operates and tracks the worm's progress.
According to Eric Sites, CTO of Sunbelt Software Inc. and member of the Conficker Working Group, the threat of getting caught may have prevented the culprits from showing their hand too openly.
"It's taken an enormous amount of money to clean up after Conficker, so if the person does try to use the network and gets caught in the process, then he's going to go to jail for a long time," he said. "We have narrowed it down to a specific country, and we have a lot of sensors out on the network to try to pinpoint where the communication is coming from. Almost every AV company has a version of Conficker installed in a dirty network waiting for it to update itself to see what is happening and to track the guy down."
Nevertheless, the network has been used for criminal activity. The E variant of the worm, released on April 8, downloaded the Waledac spambot, and started pumping out scareware messages to get people to buy rogue AV software.
For Rodney Joffe, who is also a founder and director of the Conficker Working Group, the Waledac spambot was a significant turning point. "Up until April 8, there was every possibility that Conficker was an experiment that had gone horribly right for a researcher," he said. "At that point we knew we were dealing with people who would use it as a platform to download whatever malicious software they wanted."
He added that the new variant exposed a sophisticated business model. "It is interesting that they only downloaded Waledac if the date was before April 22. In effect, they rented the use of the Conficker botnet to the authors of Waledac for two weeks."
Each new version of the Conficker worm has also demonstrated a level of technical sophistication that Joffe finds alarming. For instance, the code uses MD6, an extremely advanced encryption algorithm developed by Professor Ron Rivest (he's the R in RSA), which is a possible candidate for use by the U.S. government in the next decade.
As Joffe explained, after a buffer overflow vulnerability was discovered in the MD6 algorithm, Professor Rivest produced a patch last February. Within weeks, the patch had been incorporated into the Conficker code. "These guys are hooked into the crypto world enough to know and understand the issues; to recognise the buffer overflow and to have patched it within seven or eight weeks of Ron Rivest's submission," he said. "These are not amateurs. They have chosen an algorithm that is designed to be unbreakable, to defend the U.S. for the next 10 years."
He also noted that while early versions of Conficker used URLs to access command-and-control Web servers, Conficker E uses just peer-to-peer communications, making it much harder to track. "As far as we know, they are currently in touch with all the machines infected with the E variant. But because it is peer-to-peer, we don't know what machines are infected. Unless you have access to one machine on the node, and can see the flow data, you can't tell who else is infected."