The Next Conficker: The Worm Steps it up and Researchers slam it down
The hackers who control the Conficker botnet are expected to push out an update that will strengthen and reinforce the malware’s hold on an infected system when the date changes to April 1.
But, like a great movie or soap opera, just in the nick of time security researchers have found a fingerprint that identifies whether a system is infected by Conficker. The fingerprint is visible from the network, so infected systems can be identified in network scans. “Researchers figured out that malware tries to patch the same security flaw (MS08-067) that it exploited during the initial infection. Conficker uses a binary patch — NetpwPathCanonicalize() works quite a bit differently — which means that network scanners can pinpoint the existence of the malware.”[1]
Many popular tools are adding Conficker detection support, including Tenable/Nessus (check 36036), McAfee/Foundstone, nmap (v4.85BETA5), nCircle and Qualys[2]. The Honeynet Project has also written a more prototype-level tool[3] that is reported to work, albeit quite slowly. If you find an infected system, Microsoft has released a free removal tool.
It is an understatement to say that administrators and systems managers need to DROP EVERYTHING and scan their networks as one of their highest priorities before April 1. Why?
Anti-virus, malware, Trojans and all the other malicious items running around on the Internet evolve over time. On April 1 the Conficker worm/botnet will update to run in a whole different context. Researchers are still trying to work out exactly what will happen, but some of the highlights seem to be:
- Using web sites to get the current time before activating on April 1. Traditionally, nefarious software just checked the system date, which let researchers activate or deactivate the software simply by moving the date. This new version checks several Internet sites and scrapes the date from them.
- Re-engineered computation of the command-and-control domains to visit each day. The first versions tried to contact 250 different domains a day to get updates; those domains ended up being bought up by security research organizations and black-holed. The new version will attempt to contact 50,000 domains a day.
- Consolidate and protect. The updated Conficker may look to fortify the existing infections rather than trying to propagate. If so, detection based on propagation characteristics, such as domain/AD account lockouts, will be all but impossible, and detection on the local system may become more difficult as well.
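One defender-side heuristic that follows from the jump to 50,000 candidate domains a day: a host running such a domain generator produces a burst of lookups for names that mostly do not exist, and that shows up in resolver logs long before anyone knows the names. The script below is an added example, not code from the original post or from any of the tools it names; it assumes a simple one-query-per-line resolver log format (timestamp, client, name, response code) with constructed sample data, and the thresholds are illustrative.

```python
import random
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)

def parse_line(line):
    """'2009-03-30T10:00:03 10.0.0.9 plmvbqa.biz NXDOMAIN' -> (timestamp, client, name, rcode)."""
    ts, client, name, rcode = line.split()
    return datetime.fromisoformat(ts), client, name.lower(), rcode

def find_dga_suspects(lines, window=timedelta(minutes=5), min_unique=20, min_nx_ratio=0.8):
    """Bucket each client's queries into fixed windows and return
    {client: [(window_start, distinct_names, nxdomain_ratio), ...]} for every
    window in which the client asked for many distinct names that mostly did not exist."""
    buckets = defaultdict(lambda: defaultdict(list))  # client -> window start -> [(name, rcode)]
    for line in lines:
        if not line.strip():
            continue
        ts, client, name, rcode = parse_line(line)
        start = EPOCH + int((ts - EPOCH) / window) * window  # align to a fixed window grid
        buckets[client][start].append((name, rcode))
    suspects = defaultdict(list)
    for client, windows in buckets.items():
        for start, queries in sorted(windows.items()):
            distinct = {name for name, _ in queries}
            nx_ratio = sum(r == "NXDOMAIN" for _, r in queries) / len(queries)
            if len(distinct) >= min_unique and nx_ratio >= min_nx_ratio:
                suspects[client].append((start, len(distinct), round(nx_ratio, 2)))
    return dict(suspects)

def constructed_sample_log():
    """Constructed resolver log (not real traffic, and not Conficker's real name list):
    10.0.0.5 repeats a few legitimate names; 10.0.0.9 burns through random names."""
    rng = random.Random(7)  # fixed seed keeps the sample reproducible
    t0 = datetime(2009, 3, 30, 10, 0, 0)
    normal = ["www.example.com", "mail.example.com", "update.example.org"] * 8
    lines = [f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.5 {n} NOERROR"
             for i, n in enumerate(normal)]
    for i in range(30):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(rng.randint(6, 10)))
        tld = rng.choice(["biz", "info", "org", "net"])
        rcode = "NOERROR" if i % 15 == 0 else "NXDOMAIN"  # a few resolve, e.g. sinkholed names
        lines.append(f"{(t0 + timedelta(seconds=i)).isoformat()} 10.0.0.9 {label}.{tld} {rcode}")
    return lines

if __name__ == "__main__":
    for client, hits in find_dga_suspects(constructed_sample_log()).items():
        for start, distinct, ratio in hits:
            print(f"{client}: {distinct} distinct names, {ratio:.0%} NXDOMAIN, window starting {start}")
```

Against the constructed log only 10.0.0.9 trips both thresholds; on a real resolver log, tune the window and thresholds to the normal lookup volume of your own clients, and expect some legitimate bursts (misconfigured search suffixes, CDN churn) that need whitelisting.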
Given that a fingerprint for the worm is out, it is only a matter of time before the creators push another update to ‘fix the glitch’. It is imperative that systems get scanned and cleaned as soon as possible, before the next Conficker version is even harder to find and remove!
References and Further Reading:
[1] “German researchers score Conficker detection breakthrough” (ZDNet)
[2] “Busted! Conficker’s tell-tale heart uncovered” (The Register)
[3] Conficker Network Scanner
Another option is to actively scan for Conficker machines. There is a way to distinguish infected machines from clean ones based on the error code for some specially crafted RPC messages. Conficker tries to filter out further exploitation attempts, which results in uncommon responses. Our Python script scs.py implements a simple scanner based on this observation. Here is a sample output:
./scs.py 127.43.16.76
Could not send SMB request to 127.43.16.76:445/tcp.
./scs.py 127.99.100.2
127.99.100.2 seems to be infected by Conficker.
./scs.py 127.36.15.80
127.36.15.80 seems to be clean.
The script can be downloaded here:
“Conficker: The Windows Worm That Won’t Go Away” (eWeek)
“Conficker’s next move a mystery to researchers” (ComputerWorld)
“Group launches strategy to block Conficker worm from .ca domain” (CBCNews, Canada)