Conficker: In Retrospect

(Ping! Zine Issue 36) – There are a few cardinal rules when it comes to computer security. They are easy to follow and prevent a great many virus and malware infections. The first rule, of course, is to use strong passwords. The second is to keep software updated. The third is to run some form of anti-malware tool. These three rules are basic and have been around for decades. What is surprising is how few users follow them, and that lack of adherence set the stage for the Conficker worm to infect an estimated 4% of all PCs in the world at its zenith.

The Three Functions of Conficker
Conficker (a.k.a. Downup, Downadup, and Kido) first surfaced at the tail end of November 2008. It is a rather simple worm with only three main functions: self-propagate, disable security tooling, and report back to its command servers.

To self-propagate, the worm exploits a buffer overrun in the Windows Server service (the vulnerability Microsoft fixed in security bulletin MS08-067). It sends a crafted RPC (remote procedure call) request; once the overrun occurs, the injected code downloads the worm file and installs it on the new machine. No password is needed for that route. As a second, independent route, the worm also attacks administrative shares by brute-forcing the Administrator password. Sadly, it does not need to try very hard: the password table it carries consists of entries as flimsy as 1, 1111, 1234567, admin, test, and the like.
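The credential-guessing route above can be illustrated from both ends: what makes an Administrator password fall to a small fixed table like the worm's, and how a burst of failed logons from one source looks in a log. The following is an added example and not the article's or the worm's own code; the password list is an assumption seeded with the entries quoted above (not the worm's full table), and the log lines are constructed.

```python
"""Added example, not the article's code: the credential-guessing side of the
worm's spread, seen from both ends. WORM_STYLE_PASSWORDS is an assumption seeded
with the entries the article quotes, not the worm's full table, and the log
lines below are constructed."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WORM_STYLE_PASSWORDS = {"1", "1111", "1234567", "admin", "test",
                        "password", "123456", "administrator"}  # assumed list


def is_weak_admin_password(password: str, username: str = "Administrator") -> bool:
    """True if the password would fall to a small fixed table like the worm's:
    in the table, equal to the account name, short, one repeated character,
    or a run of ascending digits."""
    pw = password.lower()
    return (pw in WORM_STYLE_PASSWORDS
            or pw == username.lower()
            or len(pw) < 8
            or len(set(pw)) == 1
            or (pw.isdigit() and pw in "1234567890"))


# Constructed failed-logon records in the shape "time event source target":
# one source hammering Administrator, another with two isolated failures.
SAMPLE_FAILURES = """\
2009-01-15T10:00:01 4625 10.0.0.5 Administrator
2009-01-15T10:00:02 4625 10.0.0.5 Administrator
2009-01-15T10:00:02 4625 10.0.0.5 Administrator
2009-01-15T10:00:03 4625 10.0.0.5 Administrator
2009-01-15T10:00:03 4625 10.0.0.5 Administrator
2009-01-15T10:00:04 4625 10.0.0.5 Administrator
2009-01-15T10:05:00 4625 10.0.0.9 jsmith
2009-01-15T10:30:00 4625 10.0.0.9 jsmith
"""


def detect_password_guessing(log_text: str, threshold: int = 5,
                             window: timedelta = timedelta(seconds=60)) -> dict:
    """Return {source: peak failures inside one window} for sources that reach
    the threshold. A per-source sliding window separates the worm's rapid
    table walk from a user mistyping a password a couple of times."""
    recent = defaultdict(deque)
    flagged = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, source, _target = line.split()
        if event != "4625":          # only failed logons count
            continue
        t = datetime.fromisoformat(ts)
        q = recent[source]
        q.append(t)
        while t - q[0] > window:     # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[source] = max(flagged.get(source, 0), len(q))
    return flagged


if __name__ == "__main__":
    for candidate in ("1234567", "Administrator", "Xq7#pL9v2mRt"):
        print(candidate, "weak" if is_weak_admin_password(candidate) else "ok")
    print(detect_password_guessing(SAMPLE_FAILURES))   # {'10.0.0.5': 6}
```

The threshold and window are tuning knobs: the worm walks its whole table in seconds, so a low threshold over a short window catches it without flagging a user who fat-fingers a password twice in an hour.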

Once the worm has gained a foothold on the new computer, it ensures its own survival by stopping the wuauserv (Windows Update) and BITS (Background Intelligent Transfer Service) services. Windows uses both to download updates. With those services stopped, Conficker also blocks lookups of any host name containing certain keywords, such as threatexpert, pctools, eset, norton, mcafee, sophos, and trendmicro; the list goes on. Essentially, any web site from which you could fetch a tool to scan your system becomes unreachable from the infected machine.

The last function of Conficker is to report back to its command servers to receive updates, information, and further commands. It is this function that makes each infected machine a node in one of the largest botnets in the world. What is surprising is how little that botnet has been used.

The weaknesses Conficker exploits are all easily closed. In fact, had Windows users been applying only the bare minimum of security protection (that is, following the three rules), Conficker would probably have been dead on arrival. The Windows vulnerability it exploits to cause the buffer overrun had already been patched by Microsoft the previous month. It does not generate passwords for its brute force attack; it uses a fixed table, and the passwords in that table are the kind no self-respecting PC user would ever choose. Lastly, many of the big-name anti-virus companies were able to detect and clean the threat the moment it went live, and several other vendors issued signature updates within days of the initial sighting.

That is how Conficker could have ended. The reality however is much, much different.

Rise of a Botnet Super Power
Conficker first surfaced on November 21st, 2008. In the beginning of January, some reports estimated the number of infected computers at around 3 million; others put it at 2.4 million. F-Secure, an anti-virus firm, estimated the number to be closer to 9 million on January 19th. Infections were, and still are, difficult to count, given the ease with which the worm spreads and how quickly it can be removed once discovered.

Security researchers reverse-engineered the Conficker worm and compiled a list of the domains it contacts for updates and instructions. That breakthrough let investigators determine that the worm's code carried a trigger date of April 1st, 2009, suggesting its author had something planned for that day. The media scrambled to release the information. Although more computer users were actively searching for and removing infections, some researchers concluded that January ended with roughly 15 million infected computers.

Spearheading the effort to shut Conficker down, a group of researchers formed the Conficker Working Group. One of its goals was to recover the domain generation algorithm with which Conficker picked the domains it contacted for instructions. Once the algorithm was known, the Working Group could compute the same domain lists the worm would use, track infections through lookups of those names, and register or sinkhole the domains before the author could use them. Without instructions, Conficker would be doomed to extinction. In retaliation, the author of Conficker built variant C.
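The reason recovering the algorithm was so valuable is that a date-seeded domain generator gives identical output to anyone who holds the code, bot or analyst. The following added example (not the article's, the Working Group's, or the worm's code) shows a simplified generator of that kind, the list a defender would pre-register or sinkhole for the coming week, and a scan of DNS query lines for clients that looked up the day's domains. The hashing scheme, seed constant, TLD list and domain count are assumptions chosen for readability, not Conficker's actual algorithm or constants, and the DNS log lines are constructed.

```python
"""Added example, not the article's or the Working Group's code: how a
date-seeded domain generation algorithm (DGA) lets defenders who have
reverse-engineered it compute the same rendezvous domains as the bots. The
algorithm, SEED, TLDS and DOMAINS_PER_DAY are simplified assumptions, not
Conficker's actual algorithm or constants."""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # assumed for the example
DOMAINS_PER_DAY = 10                          # assumed; kept small for readability
SEED = b"example-dga-seed"                    # assumed constant "baked into the binary"


def generate_domains(day: date, count: int = DOMAINS_PER_DAY) -> list:
    """Deterministic list of candidate C2 domains for one calendar day.
    Everything that goes into the hash is public (the date) or recoverable
    from the binary (SEED), so a bot and an analyst get identical output."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 5                       # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def sinkhole_list(start: date, days: int) -> set:
    """Union of every day's domains in a period: the list a defender would
    pre-register or ask registrars to block before the author can use them."""
    names = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset)))
    return names


def flag_dga_lookups(dns_log: str, day: date) -> list:
    """Scan 'timestamp client qname' lines and return (client, qname) pairs that
    match that day's generated set: those clients are probable infections."""
    todays = set(generate_domains(day))
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = line.split()
        if qname.rstrip(".").lower() in todays:
            hits.append((client, qname))
    return hits


SAMPLE_DAY = date(2009, 1, 20)


def build_sample_log() -> str:
    """Constructed DNS query log: two benign lookups and one bot rendezvous
    lookup (taken from the generated list so the sample stays consistent)."""
    bot_domain = generate_domains(SAMPLE_DAY)[3]
    return "\n".join([
        "2009-01-20T08:00:00 192.0.2.10 www.example.com",
        f"2009-01-20T08:00:01 192.0.2.44 {bot_domain}",
        "2009-01-20T08:00:02 192.0.2.10 update.example.org",
    ])


if __name__ == "__main__":
    print("today's domains:", generate_domains(SAMPLE_DAY))
    print("sinkhole next 7 days:", len(sinkhole_list(SAMPLE_DAY, 7)), "domains")
    print("infected clients:", flag_dga_lookups(build_sample_log(), SAMPLE_DAY))
```

Note what the defender's advantage rests on: with the algorithm and seed in hand, the domain set for any future day can be computed ahead of time, which is exactly why a later variant that generates many more domains per day, or that drops the rendezvous-domain model altogether, undercuts this kind of pre-registration.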

Variant C added peer-to-peer technology, with each infected computer becoming a node in a massive update web. If one node received instructions, it would rapidly pass them along to all the other infected computers.

By removing the need for a central server, the author essentially ended the Working Group's ability to starve Conficker of instructions. What is more, instructions carried a digital signature, so a node would act only on commands signed with the author's private key; anyone else who learned the algorithm or joined the peer web could not send the worm instructions of their own.

The beginning of February showed a different side of the Conficker story. The media had assumed that only home users, small to mid-sized businesses, and a few data centers had been infected. Reports then began to emerge that the French naval air arm, Great Britain's RAF and Royal Navy, and a number of Fortune 1000 companies were affected. The worm kept the French from flying their Rafale multi-role fighters for a number of days, and the infection got into the French Navy's Intramar network. In the UK, infections hit more than 24 RAF bases and a reported 75% of the Royal Navy fleet. Estimates of the number of infections ranged between 9 and 15 million.

April Fool's Day came and went without much fanfare; the bombshell everyone was waiting for never arrived. That does not mean nothing happened. On that date variant C switched to generating 50,000 candidate domains a day, and the botnet simply kept waiting for instructions; whatever the author chooses to push remains possible. The media, on the other hand, likened Conficker to the Y2K bug, and several articles explained how the threat had been exaggerated. By mid-April the estimates fluctuated wildly, from 4.6 million infected PCs to as many as 4% of the entire PC population.

At the end of April, Conficker made its move. The botnet downloaded a second piece of malware, which sent out email spam. Conficker then downloaded a third, a fake anti-virus program called Spyware Protect 2009, which warned the user that the computer was infected and demanded $49.95 for a clean-up. Users who paid handed over their credit card details, and the program went on to perform more mischief on the machine.

Since then, Conficker has resisted eradication. The number of infections has reached the 7 million mark, a figure with far broader consensus behind it than the earlier estimates. It has also remained fairly quiet considering its size and its ability to run malicious code on command.

It is threats like Conficker that show how important protecting your PC truly is. Had users been updating their software, using strong passwords, and running security software, Conficker would never have emerged as a threat, nor would it hold the position of power it does today.

Writer’s Bio: David Dunlap has been both a Web host industry analyst and commentator for the past nine years. Prior to his active writing career, David was a network and communications technician for four years for the U.S. government. He currently is the Editor-in-Chief for