W32/Conficker.worm is a worm that propagates across the network by exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is detailed in IntelliShield Alert 16941. The worm may download and execute additional malicious files on the system.
Upon execution, the worm creates a copy of itself in the \%System% folder using a random filename and a .dll extension. The worm determines if the infected system is running Windows 2000 and, if so, injects itself into the services.exe process. By injecting its code into this core Windows process, the worm may evade security-related applications, which commonly treat services.exe as trusted.
If the infected system is not running Windows 2000, W32/Conficker.worm creates a service using the following characteristics:
Service name: netsvcs
Path to executable: \%System%\svchost.exe -k netsvcs
The worm starts an HTTP server by opening a randomly chosen port between 1024 and 10000 and listens for incoming connections. The worm accomplishes this by using APIs to bypass the Windows Firewall. The worm also terminates the Internet connection sharing service.
The worm then connects to the domain trafficconverter.biz and attempts to download additional files. One of the known files is loadadv.exe. Once downloaded, the worm executes the files on the system. The worm may also contact the http://www.maxmind.com domain and download the geoip.dat.gz and geoip.dat files.
W32/Conficker.worm attempts to obtain the public IP address of the infected machine by connecting to one of the following sites that are used to determine the IP address of visitors:
www.getmyip.org
getmyip.co.uk
checkip.dyndns.org
By obtaining the IP address of the machine, the worm is able to determine the computer's geographic location. Reports indicate that the worm avoids infecting Ukrainian-located machines. The worm contacts the following sites to determine the current date:
Based on the dates that are obtained from these sites, W32/Conficker.worm then downloads files from certain domains. The worm creates a mutex on the system to ensure only one copy of itself is running at a time. The format of the mutex is Global\%random numbers%.
Virus definitions are available.
W32/Conficker.worm is exploiting the Microsoft Windows Server service RPC request handling code execution vulnerability to propagate to all vulnerable machines on the network. The worm starts an HTTP server, downloads and executes potentially malicious files, and modifies the system registry.
The presence of the file loadadv.exe may indicate an infection.
Outgoing connections to any of the following websites could also indicate an infection; however, it should be noted that such sites used to obtain your IP address are legitimate:
In some cases, the %random% value in the above registry addition has been vcdrlxeu; however, this is a random value and will most likely be different.
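The outbound indicators above (the download domain, the geoip.dat files, and the IP-lookup sites) can be matched against web-proxy logs. The following script is an added example and is not part of the original alert; its log lines use a constructed, simplified "<timestamp> <client_ip> <method> <url> <status>" format and invented URL paths. The severity tiers are the editor's reading of the alert's caveat that the IP-lookup sites are legitimate, so a hit on them alone only merits review.

```python
"""Scan proxy logs for the outbound indicators named in this alert.

Added example, not part of the original alert. Hosts and filenames are
taken from the alert; the log format and URL paths are constructed.
"""
from urllib.parse import urlsplit

# Hosts the alert associates with the worm. The IP-lookup services are
# legitimate sites, so contact with them is only corroborating evidence.
INDICATOR_HOSTS = {
    "trafficconverter.biz": "high",   # download site for additional files
    "www.maxmind.com": "low",         # legitimate vendor; worm fetches geoip.dat
    "www.getmyip.org": "low",         # legitimate public-IP lookup services
    "getmyip.co.uk": "low",
    "checkip.dyndns.org": "low",
}
INDICATOR_FILES = {
    "loadadv.exe": "high",            # file the alert names as an infection sign
    "geoip.dat": "medium",            # geolocation database the worm downloads
    "geoip.dat.gz": "medium",
}

# Constructed sample log; the URL paths are invented for illustration.
SAMPLE_LOG = """\
2009-01-14T09:12:01 10.0.0.5 GET http://www.example.com/index.html 200
2009-01-14T09:12:07 10.0.0.5 GET http://checkip.dyndns.org/ 200
2009-01-14T09:12:09 10.0.0.5 GET http://trafficconverter.biz/dl/loadadv.exe 200
2009-01-14T09:13:44 10.0.0.9 GET http://checkip.dyndns.org/ 200
2009-01-14T09:15:02 10.0.0.12 GET http://intranet.example.com/ 200
""".splitlines()


def classify(url):
    """Return (severity, reason) if the URL matches an indicator, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in INDICATOR_FILES:
        return INDICATOR_FILES[filename], f"download of {filename}"
    if host in INDICATOR_HOSTS:
        return INDICATOR_HOSTS[host], f"contact with {host}"
    for indicator, severity in INDICATOR_HOSTS.items():
        if host.endswith("." + indicator):   # subdomain of an indicator host
            return severity, f"contact with {host}"
    return None


def scan(lines):
    """Collect matching (severity, reason) pairs per client IP."""
    findings = {}
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue  # malformed line: skip rather than abort the scan
        client, url = fields[1], fields[3]
        hit = classify(url)
        if hit is not None:
            findings.setdefault(client, []).append(hit)
    return findings


def verdicts(lines):
    """'suspected' when a high-severity indicator was seen; 'review' when only
    the legitimate lookup sites or the geoip files were involved."""
    result = {}
    for client, hits in scan(lines).items():
        severities = {severity for severity, _ in hits}
        result[client] = "suspected" if "high" in severities else "review"
    return result


if __name__ == "__main__":
    for client, verdict in verdicts(SAMPLE_LOG).items():
        print(client, verdict, scan(SAMPLE_LOG)[client])
```

Run against a real proxy export, the host with the loadadv.exe download is reported as suspected, while the host that only queried checkip.dyndns.org is listed for review, consistent with the alert's note that those sites are legitimate.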
W32/Conficker.worm, also known as Downadup, received updates that scheduled infected systems to launch attacks against several legitimate domains in March 2009. Security researchers released information that indicated these attacks were targeting jogli.com, wnsux.com, and qhflh.com domains. The wnsux.com domain is run as a secondary domain by Southwest Airlines, which was scheduled to be attacked by the worm on March 13, 2009. A distributed denial of service (DDoS) attack against this domain could have disrupted online check-in as well as other services. The worm has traditionally used a pseudo-random domain name generator, which produced 250 domains a day that infected machines would then try to contact. Now, with the new module and upgraded domain generation algorithm, the worm is able to generate 50,000 domains a day. With these updates, the worm is attempting to avoid detection and protect the use of currently infected machines. Sources also indicate that the operators of the Conficker botnet are selling portions of the botnet to malicious users.
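A host that works through hundreds of generated domains a day leaves a distinctive trace in resolver logs: bursts of NXDOMAIN answers for many distinct, random-looking names. The following script is an added example, not part of the original alert, and it does not implement Conficker's own generator; it applies a generic failed-lookup heuristic to a constructed, simplified resolver log in the form "<iso_timestamp> <client_ip> <query_name> <rcode>". The window and threshold values are assumptions to be tuned per environment.

```python
"""Flag hosts whose DNS failure pattern resembles a domain-generation
algorithm: many NXDOMAIN answers for distinct names inside one time window.

Added example, not part of the original alert. The log format, the sample
lines and the thresholds are constructed assumptions.
"""
import random
from collections import defaultdict
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)   # naive reference point for window bucketing


def _build_sample():
    """Constructed sample: client 10.0.0.5 queries 30 random-looking names in
    a few minutes (most unregistered); client 10.0.0.9 makes ordinary
    lookups with two typos. Seeded so the sample is reproducible."""
    rng = random.Random(1)
    lines = []
    t0 = datetime(2009, 4, 1, 8, 0, 0)
    for i in range(30):
        name = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                       for _ in range(rng.randint(6, 10))) + ".example"
        ts = t0 + timedelta(seconds=i * 7)
        rcode = "NOERROR" if i % 10 == 0 else "NXDOMAIN"   # 27 failures
        lines.append(f"{ts.isoformat()} 10.0.0.5 {name} {rcode}")
    ordinary = [("www.example.com", "NOERROR"), ("mail.example.com", "NOERROR"),
                ("wwww.example.com", "NXDOMAIN"), ("intranet.local", "NXDOMAIN")]
    for i, (name, rcode) in enumerate(ordinary):
        ts = t0 + timedelta(seconds=i * 30)
        lines.append(f"{ts.isoformat()} 10.0.0.9 {name} {rcode}")
    return lines


SAMPLE_DNS_LOG = _build_sample()


def parse(line):
    """Split one log line; raises ValueError on malformed input."""
    ts, client, qname, rcode = line.split()
    return datetime.fromisoformat(ts), client, qname.lower(), rcode


def dga_suspects(lines, window=timedelta(minutes=10), min_failures=20):
    """Return {client: (window_start, distinct_failed_names)} for clients with
    at least min_failures distinct NXDOMAIN names inside a single window.
    If a client trips the threshold in several windows, the worst is kept."""
    failures = defaultdict(set)
    for line in lines:
        try:
            ts, client, qname, rcode = parse(line)
        except ValueError:
            continue   # skip malformed lines rather than abort
        if rcode != "NXDOMAIN":
            continue
        bucket = EPOCH + ((ts - EPOCH) // window) * window   # fixed windows
        failures[(client, bucket)].add(qname)

    suspects = {}
    for (client, bucket), names in failures.items():
        if len(names) >= min_failures:
            current = suspects.get(client)
            if current is None or len(names) > current[1]:
                suspects[client] = (bucket, len(names))
    return suspects


if __name__ == "__main__":
    for client, (start, count) in dga_suspects(SAMPLE_DNS_LOG).items():
        print(f"{client}: {count} distinct NXDOMAIN names in window starting {start}")
```

Counting distinct names rather than raw failures keeps a single misconfigured host that retries one bad name from tripping the threshold; a DGA client, by contrast, rarely repeats a name within a window.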
W32.Downadup.B creates an autorun file and copies itself to the root of all devices with mapped storage. The autorun file is used to automatically run a copy of the worm each time an infected drive is accessed or connected to a new system. Worms that use this type of propagation routine do not typically become widespread because the propagation routine is highly dependent on Windows autorun settings. Users must also physically connect infected removable devices to uninfected systems. One of the reasons this propagation routine is so effective in Windows Vista is that the autorun.inf file manipulates the action keyword displayed to the user when the infected device is accessed or connected to a machine. The action keyword reads Open folder to view files, but it is really using the action Install or run program. This social engineering tactic will likely fool many users. This propagation routine also has the ability to bypass well-configured perimeter defenses because the infection could be in the hands of an unsuspecting employee's USB flash drive.
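The autorun.inf abuse described above can be triaged from the file's contents alone: an execution directive (open, shellexecute, or a shell\...\command entry) combined with an action label that imitates Windows' own "Open folder to view files" prompt. The following parser is an added example, not part of the original alert; both sample files are constructed and the executable path in the second is invented.

```python
"""Triage an autorun.inf for an execution directive disguised with the
Windows AutoPlay browse label. Added example, not part of the original
alert; sample files are constructed.
"""

# Keys that cause a program to run when the device is opened via AutoPlay.
EXEC_KEYS = ("open", "shellexecute")
# Windows' own AutoPlay wording for browsing a removable drive.
GENUINE_BROWSE_LABEL = "open folder to view files"

# Constructed benign sample: sets an icon and a label, runs nothing.
BENIGN_SAMPLE = """\
[autorun]
icon=setup.exe,0
label=Vendor Driver Disc
"""

# Constructed abusive sample: runs a program but labels the action with the
# browse wording; the path is invented for illustration.
ABUSIVE_SAMPLE = """\
[AutoRun]
; comment lines start with a semicolon and are ignored
Action=Open folder to view files
ShellExecute=.\\data\\x.exe
UseAutoPlay=1
"""


def parse_autorun(text):
    """Return {key: value} from the [autorun] section with keys lower-cased.
    Section and key names are case-insensitive; values keep their case and
    may themselves contain '='."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def exec_target(entries):
    """Program the file would launch, or None if it only sets icon/label."""
    for key in EXEC_KEYS:
        if key in entries:
            return entries[key]
    for key, value in entries.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            return value
    return None


def triage(text):
    """Classify an autorun.inf: 'high' if it executes something under the
    browse label, 'medium' if it executes anything, 'low' otherwise."""
    entries = parse_autorun(text)
    target = exec_target(entries)
    action = " ".join(entries.get("action", "").lower().split())
    mimics = action == GENUINE_BROWSE_LABEL
    if target is not None and mimics:
        verdict = "high"
    elif target is not None:
        verdict = "medium"
    else:
        verdict = "low"
    return {"executes": target is not None, "mimics_browse_label": mimics,
            "verdict": verdict, "target": target}


if __name__ == "__main__":
    print("benign :", triage(BENIGN_SAMPLE))
    print("abusive:", triage(ABUSIVE_SAMPLE))
```

The check is deliberately narrow: a vendor disc that legitimately runs an installer scores "medium", and only the pairing with the imitated browse label, which is the social-engineering element the alert describes, raises it to "high". The underlying mitigation remains disabling autorun on the endpoint, since the routine depends on the Windows autorun settings.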
W32/Conficker.worm and W32.Downadup.B are exploiting the Microsoft Windows Server service RPC request handling code execution vulnerability, which is described in IntelliShield Alert 16941. The worms attempt to spread to other systems that reside on the same local subnet by exploiting this vulnerability.
The W32.Downadup.C variant is, in reality, an update to the main Conficker worm. The variant appears to target systems that have been previously infected with Conficker. Security experts speculate that attackers released the variant to prevent recovery operations on systems that are infected with Conficker. The variant disables numerous antivirus and security-related applications, which would make the diagnostic and recovery efforts extremely difficult. As of April 1, 2009, the W32.Downadup.C variant began polling 500 of 50,000 domains per day. Currently, only limited network activity associated with this new routine has been observed with little or no impact to affected systems or networks.
As of April 8, 2009, the Conficker botnet downloaded an update that exhibits more similarities with the Waledac botnet, which is described in IntelliShield Alert 17327. The new update has Conficker and Waledac both contacting the same domains to obtain updates. Also, both botnets appear to hook into the Wireshark application on a client's system in the same way. When a user opens Wireshark on an infected system, the worm terminates the application initially. If the user attempts to open the application again, the worm prevents Wireshark from displaying any network interfaces. Instead of terminating the application, the worm allows the application to run but does not allow a user to view network traffic. This behavior may be unique to these botnets because most malicious code is programmed to terminate specific, targeted applications. The operators of these botnets likely chose this routine in an effort to make it more difficult for users to view the network traffic that these botnets produce.
The previously reported command and control traffic that used UDP packets over P2P connections to download updates to infected systems ceased on April 9, 2009. Cisco Security recently observed the command and control traffic using TCP port 443, which is normally used for SSL-encrypted traffic. Similar encrypted traffic was also observed over TCP port 80. Because the traffic is not using an SSL key exchange, administrators may need to update their mitigations to detect and block this traffic.
This change does not affect the W32/Conficker.worm and W32.Downadup.B, which account for most of the infected hosts. Additionally, the W32.Downadup.C variant may continue to use P2P capabilities to gain updates from other infected hosts without contacting a malicious domain.
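Traffic on TCP 443 that never performs an SSL key exchange can be separated from genuine SSL/TLS by looking at the first bytes the client sends: a real session opens with a TLS ClientHello record (or an SSLv2-compatible ClientHello from older clients), and a real HTTP session on port 80 opens with a request line. The following classifier is an added example, not part of the original alert; its sample payloads are constructed, and the "opaque" bytes merely stand in for encrypted command and control data, not a captured Conficker packet.

```python
"""Classify the first client payload of a TCP flow against the protocol its
destination port implies. Added example, not part of the original alert;
sample payloads are constructed.
"""

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ")


def is_tls_client_hello(payload):
    """TLS record header: type 0x16 (handshake), version 0x03 0x00..0x04,
    2-byte length; then handshake type 0x01 (ClientHello) and 3-byte length.
    A single-message record has record length == handshake length + 4."""
    if len(payload) < 9:
        return False
    if payload[0] != 0x16 or payload[1] != 0x03 or payload[2] > 0x04:
        return False
    if payload[5] != 0x01:
        return False
    record_len = int.from_bytes(payload[3:5], "big")
    handshake_len = int.from_bytes(payload[6:9], "big")
    return handshake_len + 4 == record_len


def is_sslv2_client_hello(payload):
    """SSLv2-compatible ClientHello: 2-byte length with the high bit set,
    followed by message type 0x01. Older clients still sent this in 2009."""
    return len(payload) >= 3 and bool(payload[0] & 0x80) and payload[2] == 0x01


def is_http_request(payload):
    return payload.startswith(HTTP_METHODS)


def classify_flow(dst_port, payload):
    """'tls' / 'http' when the opening bytes match the port's protocol,
    a 'suspicious: ...' string when they do not, 'unchecked' otherwise."""
    if dst_port == 443:
        if is_tls_client_hello(payload) or is_sslv2_client_hello(payload):
            return "tls"
        return "suspicious: non-TLS on 443"
    if dst_port == 80:
        if is_http_request(payload):
            return "http"
        return "suspicious: non-HTTP on 80"
    return "unchecked"


# Constructed minimal TLS 1.0 ClientHello: 41-byte handshake body inside a
# 45-byte record (one cipher suite, null compression, zeroed random).
CLIENT_HELLO = (
    b"\x16\x03\x01\x00\x2d"      # record: handshake, TLS 1.0, length 45
    + b"\x01\x00\x00\x29"        # ClientHello, length 41
    + b"\x03\x01"                # client_version TLS 1.0
    + b"\x00" * 32               # random (zeroed for the sample)
    + b"\x00"                    # session_id length 0
    + b"\x00\x02\x00\x2f"        # one cipher suite: TLS_RSA_WITH_AES_128_CBC_SHA
    + b"\x01\x00"                # compression methods: null
)
HTTP_GET = b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
OPAQUE = bytes(range(0x90, 0xA0)) * 2   # arbitrary bytes standing in for C2 data

if __name__ == "__main__":
    for port, payload in ((443, CLIENT_HELLO), (443, OPAQUE), (80, HTTP_GET), (80, OPAQUE)):
        print(port, classify_flow(port, payload))
```

Only the first client payload of each flow needs to be examined, so the check is cheap enough to run on a span feed; flows flagged as suspicious on 443 or 80 are candidates for the blocking the alert recommends, after confirming they are not a legitimate application using a non-standard protocol on those ports.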
Some public reports assert that variants of W32/Conficker.worm have infected over 9 million systems as of January 17, 2009. Administrators are advised to block all known domains associated with this worm because the domains carry the exploit and other malicious files. One method an administrator could use would involve implementing BGP black hole filtering techniques to discard network traffic to and from domains known to be associated with the Conficker family of worms. These techniques can allow an entity to disrupt communication between infected hosts and malicious domains with little impact to the rest of the network. Administrators should also take steps to isolate any suspected infected systems until the system can be restored. Many antivirus vendors have released Conficker removal tools to assist in the restoration of systems that are known to be infected by a variant of Conficker. Additionally, multiple vendors have incorporated Conficker detection capabilities in their scanning products.
Because of the vast number of infected hosts, security groups should assess the risk this worm presents their specific organizations. All key stakeholders from senior staff to security response and IT teams should be briefed on a strategy to prevent and combat infection. An organization should not focus its efforts on one group or technology. Instead, organizations should use defense-in-depth strategies to combat the propagation and update of the worm at multiple levels.
Additionally, administrators can assist in industry-wide efforts to combat Conficker. By sharing information with industry and peer groups, organizations can help identify new trends associated with the worm. One such organization is the ICASI Security Incident Response Team. Additionally, administrators should consider passing examples of suspected new variants of Conficker to antivirus vendors to assist in the timely production of virus definitions and removal tools.
Studies released by antivirus vendors Symantec and F-Secure indicate that the worm mainly affects systems in Argentina, Brazil, China, and Russia. Approximately one percent of the currently infected systems reside in the United States. These studies are available at the following links: F-Secure and Symantec. The Microsoft Malware Protection Center has also released a response blog at the following link: Microsoft. Members of the information technology industry have formed a collaborative group focused on combating the effects of Conficker. A list of articles, removal tools, malicious web sites, and additional details may be found at the Conficker Work Group home page. The group has been working to block access to the domains to which Conficker attempts to connect.
Rule-based and application-based firewalls are likely to prevent or limit the impact of these worms. Rule-based firewalls are typically set up by an administrator for an entire network. These firewalls are often set up to block all traffic entering and exiting a network except traffic traveling through ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow certain services and processes access to the Internet or local network. These firewalls can be configured to prompt a user each time a new process or service is attempting to access the Internet or local network. Both types of firewalls may prevent malicious code from downloading updates or additional files. The firewalls may also prevent the malicious code from contacting an attacker or web site and from accessing local network resources.
Most host intrusion detection/prevention systems software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems. This software can be configured to prevent this worm from attempting to execute its infection routines. Host intrusion detection/prevention systems software may also be configured to prompt a user when suspicious activity occurs. Often users can choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.
Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.
Administrators are strongly encouraged to apply the MS08-067 update available from Microsoft to prevent attacks by the malicious code, and to review the aforementioned Cisco Applied Mitigation Bulletin for methods of identifying and mitigating attack attempts.
Administrators are advised to apply the MS08-067 Microsoft update to prevent attacks by these worms.
Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.
Block all file attachments except those specifically required for business purposes.
Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.
Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.
Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.
Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations.
Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.
Provide initial and continuing education to all levels of users throughout the organization.
Network monitoring tools may assist administrators in detecting heavy network usage or trends that could indicate compromised systems.
Cisco Security Research and Operations has tested Cisco Security Agent to verify that it prevents the malicious actions initiated by the worm and also active exploitation of the Microsoft Windows Server service RPC request handling code execution vulnerability. As a result, attempts by the worm to infect systems and to propagate using this method are mitigated. Based on the characteristics of the vulnerability, Cisco expects that Cisco Security Agent will prevent other similar exploitation attempts as well.
The Aladdin Virus Alert for Win32.Conficker is available at the following link: Virus Alert. Virus definitions have been available since January 13, 2008, at the following link: Aladdin
The AVIRA Threat Description for Worm/Conficker is available at the following link: Threat Description. The latest AVIRA Virus Definition File Versions are available at the following link: AVIRA VDF
The BitDefender Virus Threat for Win32.Worm.Downadup.Gen, as well as the signature and engine information, is available at the following link: BitDefender
The CA Virus Threat for Win32/Conficker.A, as well as the signature and engine information, is available at the following link: CA
The CA Virus Threat for Win32/Conficker.B, as well as the signature and engine information, is available at the following link: CA
The CA Virus Threat for Win32/Conficker.C, as well as the signature and engine information, is available at the following link: CA
The F-Secure Virus Description for W32/Downadup.gen is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.A is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.AL is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.AY is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The Kaspersky virus description for Net-Worm.Win32.Kido.bt is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
The Kaspersky virus description for Net-Worm.Win32.Kido.dv is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
The Kaspersky virus description for Net-Worm.Win32.Kido.fx is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
Kaspersky has also released Anti-Virus Update files that detect the following: Net-Worm.Win32.Kido.a, Net-Worm.Win32.Kido.ae, Net-Worm.Win32.Kido.am, Net-Worm.Win32.Kido.ap, Net-Worm.Win32.Kido.bv, Net-Worm.Win32.Kido.c, Net-Worm.Win32.Kido.cu, Net-Worm.Win32.Kido.ef, Net-Worm.Win32.Kido.eo, Net-Worm.Win32.Kido.fo, Net-Worm.Win32.Kido.gen, Net-Worm.Win32.Kido.he, Net-Worm.Win32.Kido.hr, Net-Worm.Win32.Kido.i, Net-Worm.Win32.Kido.j, Net-Worm.Win32.Kido.r, Net-Worm.Win32.Kido.s, and Net-Worm.Win32.Kido.y
The McAfee Virus Description for W32/Conficker.worm is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The McAfee Virus Description for W32/Conficker.worm.gen.a is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The McAfee Virus Description for W32/Conficker.worm.gen.b is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The Norman antivirus description for W32/Conficker is available at the following link: Virus Description. Users can obtain the latest definitions using the Norman Internet Update module.
The Panda Software Virus Alert for Conficker.A is available at the following link: Virus Alert. The latest virus signature files are available at the following link: Panda Software
The Panda Software Virus Alert for Conficker.C is available at the following link: Virus Alert. The latest virus signature files are available at the following link: Panda Software
Sophos has also released identity files that detect the following: W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D, W32/Confick-E, W32/Confick-F, and W32/Confick-G
The Symantec Security Response for W32.Downadup is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Symantec Security Response for W32.Downadup.B is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Symantec Security Response for W32.Downadup.C is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Trend Micro Virus Advisory for WORM_DOWNAD.A is available at the following link: Virus Advisory. The latest pattern files are available at the following link: Trend Micro
The Trend Micro Virus Advisory for WORM_DOWNAD.E is available at the following link: Virus Advisory. The latest pattern files are available at the following link: Trend Micro
Version 17, April 9, 2009, 3:47 PM: IntelliShield has identified recent activity about the Conficker worm. Additional analysis has been provided about this worm.
Version 16, April 1, 2009, 3:51 PM: Limited activity with little or no impact has been observed on April 1, 2009 as Conficker has modified the routines used to contact domains.
Version 15, March 30, 2009, 4:29 PM: Information related to the Conficker Work Group has been added to the analysis section.
Version 14, March 27, 2009, 4:53 PM: Additional technical information and mitigations are available for the W32/Conficker.worm worm and its variants.
Version 13, March 12, 2009, 9:23 AM: CA and F-Secure have released virus definitions to detect aliases of W32.Downadup.DY.
Version 12, March 10, 2009, 10:47 AM: Norman has released virus definitions to detect W32/Conficker, an alias of W32/Conficker.worm.
Version 11, March 9, 2009, 5:50 PM: Symantec has released virus definitions to detect W32.Downadup.C, a variant of W32/Conficker.worm. Sophos has also released virus definitions to detect aliases of W32/Conficker.worm variants.
Version 10, January 27, 2009, 10:23 AM: Kaspersky has released virus definitions that detect aliases of W32/Conficker.worm.
Version 9, January 19, 2009, 3:48 PM: Cisco Security Research and Operations has tested Cisco Security Agent to verify that it prevents the malicious actions initiated by active exploitation of the MS08-067 vulnerability, which may reduce exploitation attempts by W32/Conficker.worm.
Version 8, January 15, 2009, 5:38 PM: Aladdin has released virus definitions that detect Win32.Conficker, an alias of W32/Conficker.worm.
Version 7, January 13, 2009, 12:54 PM: Multiple vendors have released virus definitions to detect aliases of W32/Conficker.worm.
Version 6, January 6, 2009, 5:00 PM: Reports indicate that the W32/Conficker.worm is actively propagating in the wild.
Version 5, January 6, 2009, 8:37 AM: CA and Microsoft have released virus definitions that detect aliases of W32.Downadup.B. Additional information is also available.
Version 4, January 5, 2009, 8:59 AM: Symantec has released virus definitions that detect W32.Downadup.B, which is a variant of W32/Conficker.worm. F-Secure has also released virus definitions that detect W32/Downadup.AL, an alias of W32.Downadup.B.
Version 3, December 2, 2008, 8:57 AM: F-Secure and Symantec have released virus definitions that detect aliases of W32/Conficker.worm.
Version 2, November 27, 2008, 11:06 AM: Panda has released virus definitions that detect Conficker.A, an alias of W32/Conficker.worm.
Version 1, November 26, 2008, 12:29 PM: W32/Conficker.worm is a worm that exploits the Windows Server service RPC request handling code execution vulnerability to propagate, and downloads and executes malicious files on the system. Virus definitions are available.
Home Basic Base, SP1 | Home Premium Base, SP1 | Business Base, SP1 | Enterprise Base, SP1 | Ultimate Base, SP1 | Home Basic x64 Edition Base, SP1 | Home Premium x64 Edition Base, SP1 | Business x64 Edition Base, SP1 | Enterprise x64 Edition Base, SP1 | Ultimate x64 Edition Base, SP1
Home Edition Base, SP1, SP2, SP3 | Professional Edition Base, SP1, SP2, SP3 | Professional x64 (AMD/EM64T) Base, SP2
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.