History SuperWorm

Variants of the Conficker worm, which first appeared back in November, spread using a variety of tricks. All strains of the superworm exploit a vulnerability in the Microsoft Windows server service (MS08-067) patched by Redmond in October.

In Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction.

Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker’s authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

Conficker’s most sophisticated routine is what researchers call its “rendezvous” mechanism, the way it reaches back to its creators for further instructions. Every few hours, the worm generates a list of hundreds of new Web domain names; the domain names are nonsensical strings of characters seeded by the current date and time, meaning that they’re constantly shifting but can be reproduced by the worm’s controllers. In theory, this is how Conficker’s authors will tell it what to do next. They’ll register one of the domain names, put up a program for Conficker to run, and, boom—millions of machines around the world will be acting in sync.

Once it infects one machine on a network, the worm spreads across network shares. Infection can also spread via contaminated USB sticks. This combined approach, in particular the worm’s attempts to hammer across corporate LANs, have made Conficker the biggest malware problem for years, since the default activation of the Windows firewall put the brakes on previous network worms such as Nimda and Sasser.

SRI reckons that Conficker-A has infected 4.7m Windows PC over its lifetime, while Conficker-B has hit 6.7m IP addresses. These figures, as with other estimates, come from an analysis of call-backs made to pre-programmed update sites. Infected hosts get identified and cleaned up all the time, as new machines are created. Factoring this factor into account the botnet controlled by Conficker-A and Conficker-B respectively is reckoned to be around 1m and 3m hosts, respectively, about a third of the raw estimate.

Estimates of how many machines are infected by the Conficker-C variant are even harder to come by.

But however you slice and dice the figure its clear that the zombie network created by Conficker dwarfs the undead army created by the infamous Storm worm, which reached a comparatively lowly 1 million at its peak in September 2007. Activation of this resource may not come next week or even next month but the zombie army established by the malware nonetheless hangs over internet security like a latter-day Sword of Damocles.

Some security watchers are sure it will get used eventually, if not on 1 April. Sam Masiello, a security analyst at MX Logic, said: “Why go through all of this effort to create such a huge botnet then not utilize it for something?”

What does the Conficker worm do?

The Conficker worm has created secure infrastructure for cybercrime. The worm allows its creators to remotely install software on infected machines. What will that software do? We don’t know. Most likely the worm will be used to create a botnet that will be rented out to criminals who want to send SPAM, steal IDs and direct users to online scams and phishing sites.

The Conficker worm mostly spreads across networks. If it finds a vulnerable computer, it turns off the automatic backup service, deletes previous restore points, disables many security services, blocks access to a number of security web sites and opens infected machines to receive additional programs from the malware’s creator. The worm then tries to spread itself to other computers on the same network.

How does the worm infect a computer?

The Downadup worm tries to take advantage of a problem with Windows (a vulnerability) called MS08-067 to quietly install itself. Users who automatically receive updates from Microsoft are already protected from this. The worm also tries to spread by copying itself into shared folders on networks and by infecting USB devices such as memory sticks.

Who is at risk?

Users whose computers are not configured to receive patches and updates from Microsoft and who are not running an up to date antivirus product are most at risk. Users who do not have a genuine version of Windows from Microsoft are most at risk since pirated system usually cannot get Microsoft updates and patches.

What to do if you are infected

If you are reading this page, your computer is probably not infected with Conficker as the worm blocks access to most security web sites.

Advice to Stay Safe from the Downadup Worm:

1. Run a good security suite.
2. Keep your computer updated with the latest patches. If you don’t know how to do this, have someone help you set your system to update itself.
3. Don’t use “free” security scans that pop up on many web sites. All too often these are fake, using scare tactics to try to get you to purchase their “full” service. In many cases these are actually infecting you while they run. There is reason to believe that the creators of the Conficker worm are associated with some of these fake security products.
4. Turn off the “autorun” feature that will automatically run programs found on memory sticks and other USB devices.
5. Be smart with your passwords. This includes

1. Change your passwords periodically
2. Use complex passwords – no simple names or words, use special characters and numbers
3. Using a separate, longer password for each site that has sensitive personal information or access to your bank accounts or credit cards.

Taken from various sources on the internet