The story of Conficker

One of my favorite stories in the recent edition of the Microsoft Security and Intelligence Report v7, pp 29-32, is that of the story of Conficker.  I thought I would repost it here because it illustrates the problem of Conficker and the way the industry worked together to respond to the problem.

Case Study: The Conficker Working Group

The appearance in late 2008 of Win32/Conficker, an aggressive and technically complex new family of worms, posed a serious challenge to security responders and others charged with ensuring the safety of the world’s computer systems and data. (“Win32/Conficker Update,” beginning on page 95, explains the technical details of the Conficker worm and the methods it uses to propagate.) Working together, however, the security community was able to react quickly to the threat and contain much of the damage, in the process establishing a potentially groundbreaking template for future cooperative response efforts. On October 23, 2008, Microsoft released critical security update MS08-067, addressing CVE-2008-4250, a vulnerability in the Windows Server service that could allow malicious code to spread silently between vulnerable computers across the Internet.

The vulnerability affected most currently supported versions of Windows, although architectural improvements in Windows Vista and Windows Server 2008 made them more difficult to exploit than earlier versions. Like the worms that plagued the Internet earlier this decade, malware that exploited the vulnerability would be able to spread without user interaction by taking advantage of the protocols computers use to communicate with each other across networks. For this reason, and because actual attack code that exploited the vulnerability was known to exist in the wild at the time, the MSRC took the unusual step of releasing MS08-067 “out of band” rather than wait for the next scheduled release of Microsoft security updates, which takes place on the second Tuesday of every month. Security Bulletin MS08-067 happened to be released on the last day of the eighth annual meeting of the International Botnet Task Force in Arlington, Virginia, a suburb of Washington, D.C., where attendees agreed to closely monitor developments around what appeared to be the first legitimately “wormable” vulnerability to be discovered in Windows in several years.

The November appearance of Win32/Conficker, the first significant worm that exploited the MS08-067 vulnerability, marked a major challenge for security researchers, due to the aggressive tactics several of its variants used to propagate. Despite this, researchers soon discovered a way to limit or eliminate the Conficker bot-herders’ ability to issue instructions to infected computers. As described on page 96, the authors of the Conficker malware used an algorithm to generate 500 new domain names every day (250 for each of the first two Conficker variants discovered) to use for command-and-control servers. Computers infected with Conficker would attempt to contact each of these generated domain names every day. If the authors had a task they wanted the computers in the botnet to perform, they would simply use the same algorithm to generate domain names in advance and register a few of them, which they could then use to host command-and-control servers.

Fortunately, researchers from Microsoft and other organizations were able to reverse engineer the domain-name-generation algorithms used by the first two variants, designated Worm:Win32/Conficker.A and Worm:Win32/Conficker.B, soon after each variant was discovered. This enabled them to begin registering the domain names before the botnet operators could, thereby impeding the Conficker malware from obtaining new instructions. Initially, the researchers resorted to registering the domains commercially through the domain name registrars for the eight top-level domains (TLDs) (.com, .net, .org, .info, .biz, .ws, .cn, and .cc) used by Conficker, an approach that quickly became unworkable. Registering 500 domain names per day would cost thousands of (U.S.) dollars per day for the foreseeable future—and the cost would only increase if new variants appeared using different name-generation algorithms. It was clear that more help would be needed.

Part 1

Part 2

Part 3

Comments (2)

  1. longilambe says:

    What is Conficker worm? That like a virus? Why this articles sound give attention to Conficker worm? Is that really dangerous? Can we save our data right a way?

  2. Scott Landry (MSFT) says:

    To answer those questions, see the Conficker info page on Technet: