Monday, January 19, 2009

Downadup / Conflicker Worm: 8? 9? 10 Million Infected?

Its been quite a while since we've had a true run-away worm on the Internet, but if the claims of F-Secure are accurate, we've certainly got one on our hands now. At the end of this article are a list of the domain names ACTUALLY USED by the worm on January 13-16. The headlines have been ticking the number of infected machines forward for five days now, all based on F-Secure's successful monitoring of the worm via calculated domain names:

Jan 14 - Researcher: Worm infects 1.1 Million Windows PCs in 24 hours
Jan 15 - 2.5 million PCs infected with Conficker worm
Jan 15 - The Downadup Worm Hits 3.5 Million

Jan 19 - Fast spreading Windows virus already compromised 9 million computers
Jan 19 - Virus affects 10 million computers worldwide

The source for nearly every one of the thousands of media pieces about this worm has been F-Secure. In Friday's blog, they answered the many challenges about their methodology that they have received in their article Calculating the Size of the Downadup Outbreak. Briefly, each worm-infected computer has the ability to calculate a seemingly random domain name where it can receive new updates of the malware. There are as many as 250 possible domain names each day being calculated by the worm. As long as ANY of those domains are still live, the worm will be able to update itself to perform new functions. F-Secure has registered some of these domain names itself, and counts the number of infected computers which contact the domains it controls looking for an update. Each of the infected computers will show its IP address, as well as the number of computers which it claims to have infected itself. In a single day as many as 350,000 unique computers hit the domains controlled by F-Secure. Adding up the number of computers each of these computers claims to have infected -- and some are claiming more than 100 infections each -- is how F-Secure reaches its estimate, which they are calling conservative, knowing that many of the computers are choosing domain names other than their own with which to check in for an update.

The underlying vulnerability used to spread the Conficker worm was addressed by Microsoft with the patch MS08-067 back on October 23, 2008, the malware has only recently started a true run-away spread.

According to SC Magazine's Dan Kaplan, in his article No end in sight for massive Windows worm outbreak we haven't seen a worm this big since Nimda back in 2001.

Malware researchers report that the vast majority of the infected computers are on corporate networks, not home computers. There are two reasons for this:

As counter-intuitive as this sounds, many corporate networks have disabled the "automatic patching" that many home users have set as their default machine behavior. Because of a need for greater testing in corporate environments, many corporations believe it is acceptable to delay weeks or even months before applying recommended security patches from vendors. Any IT organization that willingly chose NOT to install this patch, after it was issued as a rare "emergency out of cycle patch" seriously needs to investigate whether their security staff needs training in Risk Management. HINT: If Microsoft breaks its Second Tuesday rule to issue a patch, they have performed the risk formla (Risk = Threats x Vulnerabilities x Value of Assets) and determined the Risk Is Very High!

Secondly, this is because the worm scans for a direct connection to the computer, rather than relying on human interaction. Most firewalls will actually block the worm, so the best way of catching it is to have an infected computer ON THE SAME SIDE OF THE FIREWALL as your machine. Because the other primary infection vector is an infected USB drive, employees who shuttle data back and forth to the house on a USB drive are often the Patient Zero for a corporate network outbreak. Once the worm arrives into an organization on an infected thumb drive, if the organization has not patched their machines, EVERY MACHINE IN THE CORPORATION is now an open target.

Because the worm can also spread by learning or guessing the Administrative password on network drives, organization that allow administrators to connect to every workstation machine on the network using the same administrative password share are especially vulnerable. As soon as the worm either guesses or learns via observation the Administrator password, every machine on the network can execute the worm code EVEN IF IT IS PATCHED! The Patch prevents the machine from being hacked via the Windows Server RPC Vulnerability. It does not prevent an Administrator from logging in to the machine and executing code, which is what the worm does if it correctly attempts a password. The Worst Case Scenario? A Domain Administrator visits an infected machine to try to disinfect it, sits down at the keyboard and logs in using his Domain Administrator password. As soon as that occurs, every machine on the network can be quickly compromised.

Computerworld's Gregg Keizer reported on January 15th that 1 in 3 Windows PCs remained vulnerable.

On the second Tuesday in January, the Microsoft Software Removal Tool was updated to be able to remove Conficker. You can follow the exploits of this worm and efforts to remove it at the Microsoft Malware Protection Center Blog and the F-Secure Blog.

A new Support article containing removal tips was released by Microsoft on January 15th: Virus alert about the Win32/Conficker.B worm.

The primary means for the virus to restart itself on an infected machine is the registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

That key contains many critical Network Services which should be allowed to execute. If infected, the last entry on the list will be a key that was named with a random name generator. The example in Microsoft's article is "axyczbfsetg", but yours will be something different. There are many more steps to manual removal which can be found in the Microsoft support document above (KB 962007).

F-Secure has been posting lists of domain names which are being calculated by DownAdUp, their most recent list, for domains which would have been used over the weekend, contained exactly 1,000 domain names. 250 each for Jan 13, 14, 15, and 16. Rather than list all 1,000, I took the approach of running a WHOIS against each of the 1,000 domains on their list, and recording which ones were actually registered. So, here are the domains which ACTUALLY HAVE BEEN REGISTERED, out of the list of 1,000 potential names.

In all there were 57 domain names which had been registered out of the 1,000.

A tip of the hat to our friends at Georgia Tech, F-Secure, and Shadow Server, for reasons each will understand.

In what could be horrible news for certain domain name owners, five of the domains being automatically calculated on this list belong to actual domain owners. Apparently the malware's random domain calculator can randomly calculate some actual domains. Fortunately, of the domains thus affected only one is an actual company, (a German company, whose logs I would REALLY like to get my hands on!) while the other four seem to have been registered speculatively by domain investors. I've excluded all five from my results.

If any of those sites are in your logs for the past four days, Congratulations, and welcome to Conflicker.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.