Wednesday, February 11, 2009

Downadup/Conficker Worm Details and Removal

Seeing this message in your web browser lately? You are not alone!

Millions of other people are also finding that they can't reach microsoft.com or can't load antivirus websites. The reason is that they are infected by the Downadup worm.

Downadup (also called Downad, Kido, Conficker or Conflicker) is a Windows worm that spreads by exploiting weak administrator passwords, autorun on removable and network drives, and the MS08-067 vulnerability.

Once installed, the worm does the following things:

  • Copies itself to the system directory as a randomly-named DLL file
  • Adds itself as a randomly-named system service for persistence after reboot
  • Disables certain Windows services that might aid in cleanup or detection of the worm
  • Deletes existing system restore points
  • Disables access to multiple websites related to antivirus and security, most notably Microsoft and Windows Update
  • Spreads through the local Microsoft network using password brute-forcing or the MS08-067 exploit
  • Adds itself to any removable/network drives using an autorun.inf file
  • Adjusts the Windows TCP/IP settings to allow a greater number of simultaneous connections in order to facilitate the spread of the worm
  • Waits three hours, then attempts to download additional code by generating 250 different domain names and connecting to each via HTTP. Each day a new set of 250 domain names is generated.

Despite using fairly old and well-known spreading vectors, and a patch being available for MS08-067 for months now, the worm is having fairly good success at spreading to networks worldwide. Estimates are currently around 10M infected machines, although it is possible that machines are being counted multiple times by some entities. Whatever the real number of infected machines, it is certainly possible that it has infected millions of machines around the world based on the sheer number of IP addresses hitting sinkhole servers that have been set up for observation.

Key indicators of an infection are:

  • Network drives/USB drives with hidden autorun.inf files, especially ones that are larger than 512 bytes.
  • Network logins being locked out for too many failed attempts.
  • Workstations no longer able to access microsoft.com or other security/AV related websites.

The problem of Conficker/Downadup cleanup is exacerbated by the fact that the worm blocks the download of potential removal tools, including Microsoft's own Malicious Software Removal Tool (MSRT), which has been updated to remove Conficker/Downadup. It does this by hooking the system DNS and networking APIs and blocking DNS lookups where certain strings are present in the domain name.

The complete list of strings blocked in DNS requests is below:

cert.
sans.
bit9.
vet.
avg.
avp.
nai.
windowsupdate
wilderssecurity
threatexpert
castlecops
spamhaus
cpsecure
arcabit
emsisoft
sunbelt
securecomputing
rising
prevx
pctools
norman
k7computing
ikarus
hauri
hacksoft
gdata
fortinet
ewido
clamav
comodo
quickheal
avira
avast
esafe
ahnlab
centralcommand
drweb
grisoft
eset
nod32
f-prot
jotti
kaspersky
f-secure
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
defender
rootkit
malware
spyware
virus

Obviously not being able to reach any of these domains makes it difficult for an infected party to find information on or cleanup tools for the worm. However, the worm does not prevent use of a proxy server to reach the same websites, so in organizations where a proxy server is already in use for web traffic, removal may be easier.
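As an added example (not code from the original post), the substring check the worm applies can be written down and used to probe a suspect workstation: resolve a few canary names that contain blocked strings alongside a control name that does not, and only flag the host if the canaries fail while the control resolves. The canary and control names, and the "suspicious/partial/inconclusive/clean" verdicts, are my own choices.

```python
import socket

# Substrings the worm matches anywhere in a queried name (the post's list).
CONFICKER_DNS_BLOCK = (
    "cert.", "sans.", "bit9.", "vet.", "avg.", "avp.", "nai.", "windowsupdate",
    "wilderssecurity", "threatexpert", "castlecops", "spamhaus", "cpsecure",
    "arcabit", "emsisoft", "sunbelt", "securecomputing", "rising", "prevx",
    "pctools", "norman", "k7computing", "ikarus", "hauri", "hacksoft", "gdata",
    "fortinet", "ewido", "clamav", "comodo", "quickheal", "avira", "avast",
    "esafe", "ahnlab", "centralcommand", "drweb", "grisoft", "eset", "nod32",
    "f-prot", "jotti", "kaspersky", "f-secure", "computerassociates",
    "networkassociates", "etrust", "panda", "sophos", "trendmicro", "mcafee",
    "norton", "symantec", "microsoft", "defender", "rootkit", "malware",
    "spyware", "virus",
)

def would_be_blocked(hostname):
    """True if an infected host would fail this lookup (case-insensitive substring)."""
    name = hostname.lower()
    return any(s in name for s in CONFICKER_DNS_BLOCK)

# Canary names that hit the blocklist, plus a control name that does not, so a
# general DNS outage can be told apart from the worm's selective blocking.
CANARIES = ("www.microsoft.com", "www.symantec.com", "update.kaspersky.com")
CONTROL = "www.example.com"

def probe_host(resolve=socket.gethostbyname):
    """Resolve canaries and control through `resolve` (injectable, so the
    logic can be exercised offline with a fake) and return a verdict dict."""
    def resolves(name):
        try:
            resolve(name)
            return True
        except OSError:  # socket.gaierror/herror are OSError subclasses
            return False
    control_ok = resolves(CONTROL)
    blocked = [n for n in CANARIES if not resolves(n)]
    if not control_ok:
        verdict = "inconclusive"   # general DNS problem, not the worm's filter
    elif len(blocked) == len(CANARIES):
        verdict = "suspicious"     # only blocklisted names fail: matches the worm
    elif blocked:
        verdict = "partial"        # some canaries fail; investigate further
    else:
        verdict = "clean"
    return {"control_ok": control_ok, "blocked": blocked, "verdict": verdict}
```

Run `probe_host()` with the default resolver on the suspect machine itself, since the hooking happens in the infected host's own DNS/networking APIs and a lookup done from a clean machine says nothing about it.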

Conficker/Downadup Removal:

In a network setting, one must take care to isolate infected machines from the other computers on the network while cleaning them, as the machine may be reinfected by other systems not yet cleaned. For more information please refer to Roger's post.
