Old news: Fighter jets grounded, base infected with Conficker!
Recent news: Hospital equipment infected by Conficker worm!
What? How can a supposedly secure environment like a military installation or a hospital catch a worm? Panic everywhere.
Why is everyone so scared of Conficker? The worm itself does very little: it digs in and waits. A built-in timer pointed at April 1st 2009, and everyone expected a doomsday scenario in which the worm would do something horrific. April 1st came and went, and nothing visible happened apart from an update to a newer version and more waiting for commands. So far five versions of the worm have been observed, labelled A, B, C, D and E. They appear to be successive modifications of the original, as the author irons out mistakes and builds a bigger bot army.
Only the latest version, E, has been seen actually doing something: sending spam and installing scareware. Strictly speaking it is not Conficker itself that does this but the payload it downloads and executes on demand.
So why is it so dangerous?
The payload is the key word. An infected machine is at the disposal of the attacker to do with as he wants, and a payload executed on demand could be anything from DDoS attacks to extortion, from spamming to spying. The worm also updates itself to extend its own capabilities, and it patches the very hole it came in through (in memory only, so the machine still shows up as unpatched) to keep competing worms out. Very flexible, isn't it? All of this is protected by digital signatures and encryption: the worm checks a downloaded update against a hash signed with the author's key before running it, so nobody else can feed the botnet commands or hijack it.
How does the thing actually spread?
It spreads in two ways:
- Network
- Removable Storage
The worm attacks a known vulnerability in the Windows Server service, reachable over SMB/DCE-RPC on TCP port 445, the same port Windows file sharing uses. A patch for this hole, MS08-067, was released in October 2008; regardless, the worm still succeeded in spreading. The other route is old-fashioned copying: it drops a copy of itself onto removable storage together with an autorun.inf that launches it as soon as the drive is inserted into a machine with AutoRun enabled. Also worth mentioning is a dictionary attack against administrative network shares (ADMIN$) using a list of weak passwords, but this may not have been a very successful vector, because it seems to be missing from the latest versions of the worm.
How to spot the infection?
Conficker uses a number of self-defence mechanisms, and they are a giveaway. It disables several services: Automatic Updates, the Background Intelligent Transfer Service that Windows Update depends on, Security Center, Windows Defender and Error Reporting. It also installs a service of its own to stay resident; the name is built from two random words taken from the display names of other services, so it blends in at a glance. A further defence is to break name resolution for domains related to AV vendors and Windows Update: the worm hooks the DNS lookup functions so that such names simply fail to resolve while everything else works. A machine that can browse the web but cannot reach its AV vendor or Windows Update is suspect.
An infection can also be spotted with a dedicated tool. Most AV vendors offer a stand-alone Conficker detection and removal utility. GFI LANguard 9 can detect infected machines remotely, and it also reports the missing MS08-067 patch whether or not the machine is infected. Once an infection is detected, run a removal tool and then patch the system; otherwise it will simply be reinfected from the network.
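The three giveaways above (guard services switched off, an extra service with a borrowed two-word name, and DNS lookups for update/AV names failing while other names resolve) can be turned into a simple host check. The script below is an added example for this post, not code from the original article, from GFI or from any AV vendor. It works on data you hand it: a list of services such as `sc qc` or `wmic service get` would give you, a baseline of service names from a known-clean build of the same Windows version, and a resolver with `socket.gethostbyname` semantics. The service snapshot, the baseline and the list of blocked name fragments used by the fake resolver are constructed to mimic an infected host; the real worm's filter list is longer than the four fragments assumed here.

```python
"""Check a Windows service/DNS snapshot for Conficker-style self-defence.

Added example for this post, not the article's or any vendor's code.  The
snapshot, baseline and blocked-name list below are CONSTRUCTED test data.
"""
import re
import socket

# Services the post says the worm disables: service name -> display name.
GUARDED_SERVICES = {
    "wuauserv": "Automatic Updates",
    "BITS": "Background Intelligent Transfer Service",
    "wscsvc": "Security Center",
    "WinDefend": "Windows Defender",
    "ERSvc": "Error Reporting Service",
}
# Names the worm's DNS hook is expected to fail, plus one it should leave alone.
PROBE_DOMAINS = ["windowsupdate.com", "update.microsoft.com", "symantec.com", "mcafee.com"]
CONTROL_DOMAIN = "example.com"


def disabled_guards(services):
    """Guard services whose start type has been set to Disabled."""
    return sorted(s["name"] for s in services
                  if s["name"] in GUARDED_SERVICES and s["start"].lower() == "disabled")


def oddly_named_services(services, baseline):
    """Services not in the baseline whose name is exactly two CamelCase words,
    both of which occur in the display names of *other* services."""
    suspects = []
    for svc in services:
        if svc["name"] in baseline:
            continue
        parts = re.findall(r"[A-Z][a-z]+", svc["name"])
        if len(parts) != 2 or "".join(parts) != svc["name"]:
            continue
        vocab = {w.lower() for other in services if other is not svc
                 for w in re.findall(r"[A-Za-z]+", other["display"])}
        if all(p.lower() in vocab for p in parts):
            suspects.append(svc["name"])
    return suspects


def blocked_lookups(resolve):
    """Probe names that fail to resolve while the control name resolves.
    Returns None when even the control fails (no DNS at all: inconclusive)."""
    def resolves(name):
        try:
            resolve(name)
            return True
        except OSError:            # socket.gaierror is a subclass of OSError
            return False
    if not resolves(CONTROL_DOMAIN):
        return None
    return [d for d in PROBE_DOMAINS if not resolves(d)]


def assess(services, baseline, resolve):
    report = {
        "disabled_guards": disabled_guards(services),
        "odd_services": oddly_named_services(services, baseline),
        "blocked_lookups": blocked_lookups(resolve),
    }
    hits = sum(1 for v in report.values() if v)   # None and [] both count as no hit
    report["verdict"] = "likely infected" if hits >= 2 else "no strong indicators"
    return report


# ---- constructed data mimicking an infected host -----------------------------
def _svc(name, display, start, state):
    return {"name": name, "display": display, "start": start, "state": state}

SAMPLE_SERVICES = [
    _svc("wuauserv", "Automatic Updates", "Disabled", "Stopped"),
    _svc("BITS", "Background Intelligent Transfer Service", "Disabled", "Stopped"),
    _svc("wscsvc", "Security Center", "Disabled", "Stopped"),
    _svc("WinDefend", "Windows Defender", "Disabled", "Stopped"),
    _svc("ERSvc", "Error Reporting Service", "Disabled", "Stopped"),
    _svc("Dhcp", "DHCP Client", "Auto", "Running"),
    _svc("Netman", "Network Connections", "Manual", "Running"),
    _svc("Schedule", "Task Scheduler", "Auto", "Running"),
    _svc("lanmanserver", "Server", "Auto", "Running"),
    # the intruder: not in the baseline, name stitched from "Network" and "Scheduler"
    _svc("NetworkScheduler", "Windows Network Helper", "Auto", "Running"),
]
BASELINE = {"wuauserv", "BITS", "wscsvc", "WinDefend", "ERSvc",
            "Dhcp", "Netman", "Schedule", "lanmanserver"}
BLOCKED_SUBSTRINGS = ("windowsupdate", "microsoft", "symantec", "mcafee")  # assumed subset

def fake_infected_resolver(name):
    """Behaves like gethostbyname on a host whose DNS API has been hooked."""
    if any(s in name.lower() for s in BLOCKED_SUBSTRINGS):
        raise socket.gaierror("Name or service not known")
    return "192.0.2.1"   # TEST-NET address standing in for a real answer

if __name__ == "__main__":
    import json
    print(json.dumps(assess(SAMPLE_SERVICES, BASELINE, fake_infected_resolver), indent=2))
    # On a real host: assess(<services parsed from sc qc>, <clean baseline>, socket.gethostbyname)
```

The verdict requires two independent indicator classes before calling a host infected, because any one of them has innocent explanations (an administrator may disable Windows Update on purpose, or a site may have no DNS at all, which the check reports as inconclusive rather than as blocking). Note that the in-memory patch mentioned earlier means a vulnerability scanner still sees MS08-067 missing on an infected host, so "unpatched" plus any of these indicators is a strong signal.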
Back to the question: how can this worm get into supposedly secure institutions? The problem mostly lies with people, people who are naive or who do not follow the security guidelines set by the organization.
- Developers and vendors: environment choices; running a full Windows system inside an embedded black box such as an MRI scanner or a heart monitor might not be the best choice.
- Administrators: not updating systems as required, sometimes by choice; in other cases not being able to, because of the black-box nature of a system that only the vendor is allowed to update, leading to substantial delays that leave the system vulnerable.
- End users: not following the rules, and trying everything to work around restrictions.
So, what can we expect of Conficker in the future? According to some estimates there are now only around 200,000 infected machines. However, this may be just the tip of the iceberg, because that count covers only the latest version of the worm, version E.
Version E is set to remove itself on 3rd May 2009, but the earlier versions are not. Are all versions destined to eventually upgrade to E and retire? Has it served its purpose? Is it going to be replaced by something else?
More questions than answers. The future will tell. The moral of the story so far – keep your systems updated.