W32/Conficker.worm (Aliases include Win32.Conficker (Aladdin), Worm/Conficker (AVIRA), Win32/Conficker.A (CA), Win32.Worm.Downadup.Gen (BitDefender), Worm:W32/Downadup.A (F-Secure), W32/Downadup.gen (F-Secure), Net-Worm.Win32.Kido.bt (Kaspersky), W32/Conficker.worm.gen.a (McAfee), W32/Conficker.worm.gen.b (McAfee), Win32/Conficker.A (Microsoft), W32/Conficker (Norman), Conficker.A (Panda), Conficker.C (Panda), W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D, W32/Confick-E (Sophos), W32.Downadup (Symantec), and WORM_DOWNAD.A (Trend Micro).)
Variants include W32.Downadup.B (Symantec) and W32.Downadup.C (Symantec).
W32/Conficker.worm is a worm that propagates across the network by exploiting the Microsoft Windows Server service remote procedure call (RPC) request handling code execution vulnerability, which is detailed in Alert 16941. The worm may download and execute additional malicious files on the system.
Upon execution, the worm copies itself into the %System% folder under a random filename with a .dll extension. If the infected system is running Windows 2000, the worm injects itself into the services.exe process; running inside a core Windows process helps the worm evade security software that treats that process as trusted.
If the infected system is not running Windows 2000, W32/Conficker.worm creates a service using the following characteristics:
Service name: netsvcs
Path to executable: %System%\svchost.exe -k netsvcs
The worm starts an HTTP server on a randomly chosen TCP port between 1024 and 10000 and listens for incoming connections, using the Windows Firewall API to open that port so the firewall does not block it. The worm also terminates the Internet Connection Sharing (ICS) service.
The worm then connects to the domain trafficconverter.biz and attempts to download additional files. One of the known files is loadadv.exe. Once downloaded, the worm executes the files on the system. The worm may also contact the http://www.maxmind.com domain and download the geoip.dat.gz and geoip.dat files.
W32/Conficker.worm attempts to obtain the public IP address of the infected machine by connecting to one of the following sites that are used to determine the IP address of visitors:
By obtaining the IP address of the machine, the worm is able to determine the computer's geographic location. Reports indicate that the worm avoids infecting Ukrainian-located machines. The worm contacts the following sites to determine the current date:
Based on the dates that are obtained from these sites, W32/Conficker.worm then downloads files from certain domains. The worm creates a mutex on the system to ensure only one copy of itself is running at a time. The format of the mutex is Global\%random numbers%.
Virus definitions are available.
W32/Conficker.worm is exploiting the Microsoft Windows Server service RPC request handling code execution vulnerability to propagate to all vulnerable machines on the network. The worm starts an HTTP server, downloads and executes potentially malicious files, and modifies the system registry.
The presence of the file loadadv.exe may indicate an infection.
Outgoing connections to any of the following websites could also indicate an infection; however, it should be noted that such sites used to obtain your IP address are legitimate:
Personal firewalls may display a notification message when the W32/Conficker.worm attempts to connect to the Internet and download files.
Host intrusion detection/prevention system software may display a notification when the worm attempts to execute or make modifications to the system.
W32/Conficker.worm adds the value ServiceDll = "%path to executable%" to the following registry key to register itself as a Windows service:
The worm also adds the value ImagePath = "%operating system drive%\system32\svchost.exe -k netsvcs" to the following registry key as part of the service registration:
In some cases, the %random% value in the above registry addition has been vcdrlxeu; however, this is a random value and will most likely be different.
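The service registration described above (ImagePath of svchost.exe -k netsvcs, ServiceDll pointing at a randomly named DLL in the system folder) can be triaged offline from a registry export. The following is an added example, not part of the original advisory or any vendor tool: it parses the REG_SZ subset of "reg export" output and flags netsvcs-hosted services whose ServiceDll is not on a baseline. The service name vcdrlxeu is the advisory's example; the DLL name ytwjqkxs.dll, the neighbouring services, and the two-entry baseline are constructed for this example.

```python
import re
from typing import Dict, List

# Constructed excerpt in the format of "reg export HKLM\SYSTEM\CurrentControlSet\Services".
# vcdrlxeu comes from the advisory; ytwjqkxs.dll and the other services are made up here.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\schedsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ImagePath"="%SystemRoot%\\System32\\spoolsv.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vcdrlxeu]
"ImagePath"="C:\\WINDOWS\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vcdrlxeu\Parameters]
"ServiceDll"="C:\\WINDOWS\\system32\\ytwjqkxs.dll"
'''

SERVICES_ROOT = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')

# Hypothetical allowlist of DLLs expected in the netsvcs group. Build the real one from a
# clean reference system at the same OS and patch level; it is much longer than this.
NETSVCS_BASELINE = {'qmgr.dll', 'schedsvc.dll'}

# Names of the shape the advisory describes: a short run of lowercase letters, nothing else.
RANDOM_NAME_RE = re.compile(r'^[a-z]{6,12}$')


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse the REG_SZ subset of .reg syntax into {key path: {value name: value}}."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # reg export doubles backslashes inside string data; undo that.
            keys[current][m.group(1)] = m.group(2).replace('\\\\', '\\')
    return keys


def find_suspicious_netsvcs(reg: Dict[str, Dict[str, str]],
                            baseline=NETSVCS_BASELINE) -> List[dict]:
    """Flag svchost -k netsvcs services whose ServiceDll is not in the baseline."""
    findings = []
    for key, values in reg.items():
        if not key.startswith(SERVICES_ROOT + '\\'):
            continue
        name = key[len(SERVICES_ROOT) + 1:]
        if '\\' in name:            # subkeys such as ...\Parameters are looked up below
            continue
        if '-k netsvcs' not in values.get('ImagePath', '').lower():
            continue
        dll_path = reg.get(key + '\\Parameters', {}).get('ServiceDll', '')
        dll_name = dll_path.rsplit('\\', 1)[-1].lower()
        if dll_name in baseline:
            continue
        reasons = ['ServiceDll %s is not in the netsvcs baseline' % (dll_name or '<missing>')]
        stem = dll_name[:-4] if dll_name.endswith('.dll') else dll_name
        if RANDOM_NAME_RE.match(name.lower()) and RANDOM_NAME_RE.match(stem):
            reasons.append('service and DLL names look randomly generated')
        findings.append({'service': name, 'service_dll': dll_path, 'reasons': reasons})
    return findings


if __name__ == '__main__':
    for hit in find_suspicious_netsvcs(parse_reg_export(SAMPLE_REG)):
        print(hit['service'], hit['service_dll'], '; '.join(hit['reasons']))
```

The baseline comparison does the real work; the random-name check is only a secondary signal, since several legitimate netsvcs DLLs also have short lowercase names. Any hit should be confirmed by checking the DLL's digital signature and hashing it for submission to an antivirus vendor.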
W32/Conficker.worm, also known as Downadup, received updates that scheduled infected systems to launch attacks against several legitimate domains in March 2009. Security researchers released information that indicated these attacks were targeting the jogli.com, wnsux.com, and qhflh.com domains. The wnsux.com domain is run as a secondary domain by Southwest Airlines, which was scheduled to be attacked by the worm on March 13, 2009. A distributed denial of service (DDoS) attack against this domain could have disrupted online check-in as well as other services. The worm has traditionally used a pseudo-random domain name generator, which produced 250 domains a day that infected machines would then try to contact. Now, with the new module and upgraded domain generation algorithm, the worm is able to generate 50,000 domains a day. With these updates, the worm is attempting to avoid detection and protect the use of currently infected machines. Sources also indicate that the operators of the Conficker botnet are selling portions of the botnet to malicious users.
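The date-driven download behaviour and the domain generation algorithm described above share one mechanism: the worm derives a day's candidate domains from the current date, so the operator and every infected host agree on the same names without ever exchanging them. The block below is an added, illustrative example, not Conficker's actual algorithm (which the advisory does not give): the seed, the TLD set and the SHA-256 construction are this example's own choices. It shows the two sides of the arms race the text describes: the host side, which polls a per-host subset of the day's list, and the defender side, which must pre-compute the whole list for a window of dates to block or sinkhole it.

```python
import hashlib
import random
from datetime import date, timedelta
from typing import List, Set

TLDS = ('.com', '.net', '.org', '.info', '.biz')   # constructed set for the example


def illustrative_dga(day: date, count: int, seed: bytes = b'example-seed') -> List[str]:
    """Derive `count` domain names from the calendar date alone.

    ILLUSTRATIVE generator, not Conficker's algorithm. It exists to show why a
    date-seeded scheme lets the operator and every infected host compute the same
    names independently, and why a host with a wrong clock would compute the wrong
    list (which is why the worm fetches the date from public web sites)."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, 'big')).digest()
        length = 5 + digest[0] % 6                      # 5..10 letters
        label = ''.join(chr(ord('a') + b % 26) for b in digest[1:1 + length])
        names.append(label + TLDS[digest[12] % len(TLDS)])
    return names


def host_poll_set(day_domains: List[str], k: int, host_seed: bytes) -> List[str]:
    """Each infected host contacts only a per-host subset of the day's names
    (the .C variant polled 500 of its 50,000); host_seed stands in for per-host state."""
    return random.Random(host_seed).sample(day_domains, k)


def defender_blocklist(start: date, days: int, per_day: int) -> Set[str]:
    """Pre-compute every name the generator can emit over a window of dates. The
    operator needs to register only one of them; defenders must cover all of them,
    not just the few any single infected host was seen contacting."""
    out: Set[str] = set()
    for d in range(days):
        out.update(illustrative_dga(start + timedelta(days=d), per_day))
    return out


if __name__ == '__main__':
    day = date(2009, 4, 1)
    todays = illustrative_dga(day, 250)
    print('first five for', day, todays[:5])
    print('one host polls', host_poll_set(todays, 5, b'host-1'))
    print('blocklist size for 3 days:', len(defender_blocklist(day, 3, 250)))
```

The asymmetry is the point of the jump from 250 to 50,000 names a day: pre-registering or blocking 250 domains across a handful of TLDs is tractable, while 50,000 a day requires registrar-level coordination, which is what the industry working group described later in this alert undertook.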
W32.Downadup.B creates an autorun.inf file and copies itself to the root of every mapped and removable drive. The autorun file runs a copy of the worm each time the infected drive is accessed or connected to another system. Worms that rely on this propagation routine do not typically become widespread, because it depends on the Windows AutoRun settings of the target and on users physically carrying infected removable media to uninfected systems. What makes this routine effective on Windows Vista is that the autorun.inf manipulates the action text shown to the user in the AutoPlay dialog: the entry reads "Open folder to view files" but actually performs "Install or run program". This social engineering tactic will likely fool many users, and it bypasses well-configured perimeter defenses because the infection arrives on an unsuspecting employee's USB flash drive.
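The AutoPlay deception above is visible in the autorun.inf itself: a file that launches a program while labelling the action as a folder open. The following is an added example, not part of the original advisory, and the two sample autorun.inf files in it are constructed (neither is a copy of the worm's file): a tolerant parser for the [autorun] section plus a check that pairs the launch directive (open= or shellexecute=) with the displayed action text. It also flags the "@file,-id" form of action=, a documented autorun.inf syntax that pulls a string from a system DLL's resource table and so can display Windows' own localized wording without spelling it out.

```python
import re
from typing import Dict

# Constructed deceptive sample: the Action line reads like Explorer's own folder entry
# while ShellExecute runs a DLL via rundll32. The DLL path is hypothetical.
SAMPLE_AUTORUN = """[AutoRun]
Action=Open folder to view files
Icon=%SystemRoot%\\system32\\shell32.dll,4
ShellExecute=rundll32.exe .\\System\\hypothetical.dll,Start
UseAutoPlay=1
"""

# Constructed benign sample: a vendor CD that says plainly that it installs software.
BENIGN_AUTORUN = """[autorun]
label=Vendor Driver CD
icon=setup.exe,0
open=setup.exe
action=Install Vendor Driver Suite
"""

FOLDER_WORDS = re.compile(r'open\s+folder|view\s+files|browse', re.I)


def parse_autorun(text: str) -> Dict[str, str]:
    """Return lowercased key -> value for the [autorun] section.

    Lines that are not key=value pairs are ignored rather than rejected, because
    real-world malicious autorun.inf files are often padded with filler that breaks
    strict INI parsers while Windows still honours the valid lines."""
    keys: Dict[str, str] = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            in_section = line[1:-1].strip().lower() == 'autorun'
            continue
        if in_section and '=' in line:
            k, _, v = line.partition('=')
            keys[k.strip().lower()] = v.strip()
    return keys


def assess_autorun(text: str) -> dict:
    """Decide whether the file launches code while presenting itself as a folder open."""
    keys = parse_autorun(text)
    launch = keys.get('shellexecute') or keys.get('open') or ''
    action = keys.get('action', '')
    # "@path,-id" makes Windows fetch the caption from a DLL resource string.
    borrows_system_string = action.startswith('@')
    mimics_folder_text = bool(FOLDER_WORDS.search(action)) or borrows_system_string
    mimics_folder_icon = 'shell32.dll' in keys.get('icon', '').lower()
    return {
        'launches': launch,
        'action': action,
        'borrows_system_string': borrows_system_string,
        'mimics_folder_icon': mimics_folder_icon,
        'deceptive': bool(launch) and mimics_folder_text,
    }


if __name__ == '__main__':
    for name, sample in (('deceptive', SAMPLE_AUTORUN), ('benign', BENIGN_AUTORUN)):
        print(name, assess_autorun(sample))
```

The verdict is a triage aid, not proof: a benign file can mention "browse", and a malicious one can use any caption. The durable fix is to disable AutoRun for all drive types (the NoDriveTypeAutoRun policy set to 0xFF) so that the caption is never shown at all.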
W32/Conficker.worm and W32.Downadup.B are exploiting the Microsoft Windows Server service RPC request handling code execution vulnerability, which is described in Alert 16941. The worms attempt to spread to other systems that reside on the same local subnet by exploiting this vulnerability.
The W32.Downadup.C variant is, in reality, an update to the main Conficker worm. The variant appears to target systems that have been previously infected with Conficker. Security experts speculate that attackers released the variant to prevent recovery operations on systems that are infected with Conficker. The variant disables numerous antivirus and security-related applications, which would make the diagnostic and recovery efforts extremely difficult. As of April 1, 2009, the W32.Downadup.C variant began polling 500 of 50,000 domains per day. Currently, only limited network activity associated with this new routine has been observed with little or no impact to affected systems or networks.
As of April 8, 2009, the Conficker botnet downloaded an update that exhibits more similarities with the Waledac botnet, which is described in Alert 17327. The new update has Conficker and Waledac both contacting the same domains to obtain updates. Also, both botnets appear to hook into the Wireshark application on a client's system in the same way. When a user opens Wireshark on an infected system, the worm terminates the application initially. If the user attempts to open the application again, the worm prevents Wireshark from displaying any network interfaces. Instead of terminating the application, the worm allows the application to run but does not allow a user to view network traffic. This behavior may be unique to these botnets because most malicious code is programmed to terminate specific, targeted applications. The operators of these botnets likely chose this routine in an effort to make it more difficult for users to view the network traffic that these botnets produce.
The command and control traffic previously reported to use UDP packets over P2P connections to download updates to infected systems ceased on April 9, 2009. Cisco Security recently observed command and control traffic over TCP port 443, which is normally used for SSL-encrypted traffic, and similar encrypted traffic over TCP port 80. Because the traffic does not perform an SSL key exchange, administrators may need to update their mitigations to detect and block it.
This change does not affect the W32/Conficker.worm and W32.Downadup.B, which account for most of the infected hosts. Additionally, the W32.Downadup.C variant may continue to use P2P capabilities to gain updates from other infected hosts without contacting a malicious domain.
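Traffic on port 443 that never performs an SSL handshake, and opaque traffic on port 80 that is not HTTP, are both detectable without any key material, because the first client-to-server bytes of a legitimate connection on those ports have a fixed shape. The following is an added example, not part of the original advisory or a Cisco product: a protocol-mismatch check over constructed flow records. The addresses are from documentation ranges and the payloads are made up; the TLS/SSL header checks themselves follow the public record formats.

```python
from typing import List, NamedTuple, Tuple


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int
    first_bytes: bytes      # first client-to-server payload bytes of the connection


# Constructed flows for the example (documentation-range addresses, made-up payloads).
SAMPLE_FLOWS = [
    # Genuine TLS: record type 0x16 (handshake), version 3.1, handshake type 0x01 (ClientHello)
    Flow('192.0.2.10', '198.51.100.5', 443, bytes.fromhex('160301005c010000580303')),
    # SSLv2-style ClientHello: two-byte length with the high bit set, then message type 0x01
    Flow('192.0.2.11', '198.51.100.6', 443, bytes.fromhex('802e01000200')),
    # Opaque blob on 443 with no SSL/TLS record header at all
    Flow('192.0.2.12', '198.51.100.7', 443, bytes.fromhex('3c9a02f17b445ea0d1')),
    # Ordinary HTTP on 80
    Flow('192.0.2.13', '198.51.100.9', 80, b'GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n'),
    # Opaque blob on 80 with no HTTP request line
    Flow('192.0.2.14', '198.51.100.8', 80, bytes.fromhex('0291d74410ee310a')),
]

HTTP_METHODS = (b'GET ', b'POST ', b'HEAD ', b'PUT ', b'OPTIONS ', b'CONNECT ')


def looks_like_tls_client_hello(b: bytes) -> bool:
    """True if the payload begins with an SSL/TLS ClientHello in either record format."""
    # SSLv3/TLS record: content type 22 (handshake), major version 3, minor 0..4,
    # two length bytes, then handshake message type 1 (ClientHello).
    if len(b) >= 6 and b[0] == 0x16 and b[1] == 0x03 and b[2] <= 0x04 and b[5] == 0x01:
        return True
    # SSLv2 ClientHello: two-byte record length with the high bit set, msg type 1 at offset 2.
    if len(b) >= 3 and b[0] & 0x80 and b[2] == 0x01:
        return True
    return False


def looks_like_http_request(b: bytes) -> bool:
    return b.startswith(HTTP_METHODS)


def flag_protocol_mismatch(flows) -> List[Tuple[Flow, str]]:
    """Return flows whose first bytes do not match the protocol expected on the port."""
    hits: List[Tuple[Flow, str]] = []
    for f in flows:
        if not f.first_bytes:
            continue                      # nothing sent yet; cannot judge
        if f.dport == 443 and not looks_like_tls_client_hello(f.first_bytes):
            hits.append((f, 'non-TLS payload on 443'))
        elif f.dport == 80 and not looks_like_http_request(f.first_bytes):
            hits.append((f, 'non-HTTP payload on 80'))
    return hits


if __name__ == '__main__':
    for flow, why in flag_protocol_mismatch(SAMPLE_FLOWS):
        print(flow.src, '->', flow.dst, flow.dport, why)
```

The check needs only the first few bytes of each connection, so it can run on a sensor span or on a proxy that logs initial payloads. It does not prove infection: VPNs and other tunnels also put non-TLS traffic on 443, so hits should be correlated with the other indicators in this alert, such as connections to the IP-lookup and time sites or a netsvcs service with an unknown ServiceDll.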
Some public reports assert that variants of W32/Conficker.worm had infected over 9 million systems as of January 17, 2009. Administrators are advised to block all known domains associated with this worm because the domains carry the exploit and other malicious files. One method is BGP black hole filtering to discard network traffic to and from domains known to be associated with the Conficker family of worms; this technique disrupts communication between infected hosts and malicious domains with little impact to the rest of the network. Administrators should also isolate any suspected infected systems until they can be restored. Many antivirus vendors have released Conficker removal tools to assist in the restoration of systems that are known to be infected by a variant of Conficker. Additionally, multiple vendors have incorporated Conficker detection capabilities in their scanning products.
Because of the vast number of infected hosts, security groups should assess the risk this worm presents their specific organizations. All key stakeholders from senior staff to security response and IT teams should be briefed on a strategy to prevent and combat infection. An organization should not focus its efforts on one group or technology. Instead, organizations should use defense-in-depth strategies to combat the propagation and update of the worm at multiple levels.
Additionally, administrators can assist in industry-wide efforts to combat Conficker. By sharing information with industry and peer groups, organizations can help identify new trends associated with the worm. One such organization is the ICASI Security Incident Response Team. Additionally, administrators should consider passing examples of suspected new variants of Conficker to antivirus vendors to assist in the timely production of virus definitions and removal tools.
Studies released by antivirus vendors Symantec and F-Secure indicate that the worm mainly affects systems in Argentina, Brazil, China, and Russia. Approximately one percent of the currently infected systems reside in the United States. These studies are available at the following links: F-Secure. The Microsoft Malware Protection Center has also released a response blog at the following link: Microsoft. Members of the information technology industry have formed a collaborative group focused on combating the effects of Conficker. A list of articles, removal tools, malicious web sites, and additional details may be found at the Conficker Work Group home page. The group has been working to block access to the domains to which Conficker attempts to connect.
Rule-based and application-based firewalls are likely to prevent or limit the impact of these worms. Rule-based firewalls are typically set up by an administrator for an entire network and are often configured to block all traffic entering and exiting the network except traffic on the ports needed for production. Application-based firewalls are often found on client systems and can be configured to allow specific services and processes access to the Internet or local network; they can also prompt the user each time a new process or service attempts such access. Both types of firewalls may prevent malicious code from downloading updates or additional files, from contacting an attacker or web site, and from accessing local network resources.
Most host intrusion detection/prevention system software, such as Cisco Security Agent, can be configured to warn users when suspicious activity occurs on their systems and to prevent this worm from executing its infection routines. Such software may also be configured to prompt the user when suspicious activity occurs, often letting the user choose whether to allow or deny the activity in question. These factors will limit the infection rate and impact on most systems.
Security best practices dictate that administrators should restrict file formats commonly associated with malicious code from entering the corporate network. User education focused on avoiding malicious code attacks and responding in the case of infection is of equal importance.
The Cisco Applied Intelligence team has released the following companion document to guide administrators in identifying and mitigating attempts to exploit the Microsoft Windows Server service RPC request handling code execution vulnerability prior to applying updated software: Cisco Applied Mitigation Bulletin: Out-of-Band Microsoft Security Bulletin for October 23, 2008.
Administrators are strongly encouraged to apply the MS08-067 update available from Microsoft to prevent attacks by these worms, and to review the aforementioned Cisco Applied Mitigation Bulletin for methods of identifying and mitigating attack attempts.
Develop and maintain corporate policies and procedures to mitigate the risk of malicious code.
Block all file attachments except those specifically required for business purposes.
Use current and well-configured antivirus products at multiple levels in the environment. Configure antivirus products to scan all files and provide full-time or auto-protect functions. Configure antivirus products to scan three levels deep on compressed files.
Configure auto-update features to update daily or manually update antivirus signatures. Establish procedures for immediate antivirus updating in response to high-risk malicious code outbreaks.
Conservatively configure mail perimeter servers, routers, firewalls, and personal computers. Disable all unnecessary products, features, and sharing. Install all security-relevant patches and upgrades as available.
Configure network access controls to establish a default deny posture by limiting incoming and outgoing traffic and limiting network services to those required for business operations.
Establish supplemental protection for remote and mobile users. Include daily updated antivirus, personal firewalls, and network address translation on corporate routers or firewalls.
Provide initial and continuing education to all levels of users throughout the organization.
Network monitoring tools may assist administrators in detecting heavy network usage or trends that could indicate compromised systems.
Cisco Security Research and Operations has tested Cisco Security Agent to verify that it prevents the malicious actions initiated by the worm and also active exploitation of the Microsoft Windows Server service RPC request handling code execution vulnerability. As a result, the worm's attempts to infect systems and to propagate using this method are mitigated. Based on the characteristics of the vulnerability, Cisco expects that Cisco Security Agent will prevent other similar exploitation attempts as well.
The Aladdin Virus Alert for Win32.Conficker is available at the following link: Virus Alert. Virus definitions have been available since January 13, 2009, at the following link: Aladdin
The AVIRA Threat Description for Worm/Conficker is available at the following link: Threat Description. The latest AVIRA Virus Definition File Versions are available at the following link: AVIRA VDF
The BitDefender Virus Threat for Win32.Worm.Downadup.Gen, as well as the signature and engine information, is available at the following link: BitDefender
The CA Virus Threat for Win32/Conficker.A, as well as the signature and engine information, is available at the following link: CA
The CA Virus Threat for Win32/Conficker.B, as well as the signature and engine information, is available at the following link: CA
The CA Virus Threat for Win32/Conficker.C, as well as the signature and engine information, is available at the following link: CA
The F-Secure Virus Description for W32/Downadup.gen is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.A is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.AL is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The F-Secure Virus Description for W32/Downadup.AY is available at the following link: Virus Description. The latest definition updates are available at the following link: F-Secure
The Kaspersky virus description for Net-Worm.Win32.Kido.bt is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
The Kaspersky virus description for Net-Worm.Win32.Kido.dv is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
The Kaspersky virus description for Net-Worm.Win32.Kido.fx is available at the following link: Virus Encyclopedia. The latest Anti-Virus Update files are available at the following link: Kaspersky
Kaspersky has also released Anti-Virus Update files that detect the following: Net-Worm.Win32.Kido.a, Net-Worm.Win32.Kido.ae, Net-Worm.Win32.Kido.am, Net-Worm.Win32.Kido.ap, Net-Worm.Win32.Kido.bv, Net-Worm.Win32.Kido.c, Net-Worm.Win32.Kido.cu, Net-Worm.Win32.Kido.ef, Net-Worm.Win32.Kido.eo, Net-Worm.Win32.Kido.fo, Net-Worm.Win32.Kido.gen, Net-Worm.Win32.Kido.he, Net-Worm.Win32.Kido.hr, Net-Worm.Win32.Kido.i, Net-Worm.Win32.Kido.j, Net-Worm.Win32.Kido.r, Net-Worm.Win32.Kido.s, and
The McAfee Virus Description for W32/Conficker.worm is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The McAfee Virus Description for W32/Conficker.worm.gen.a is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The McAfee Virus Description for W32/Conficker.worm.gen.b is available at the following link: Virus Description. The latest DAT files are available at the following link: McAfee
The Microsoft Virus Analysis for Win32/Conficker.A is available at the following link: Virus Description. The latest definitions for the Microsoft products are available at the following link: Microsoft Malware Protection Center
The Microsoft Virus Analysis for Win32/Conficker.B is available at the following link: Virus Description. The latest definitions for the Microsoft products are available at the following link: Microsoft Malware Protection Center
The Norman antivirus description for W32/Conficker is available at the following link: Virus Description. Users can obtain the latest definitions using the Norman Internet Update module.
The Panda Software Virus Alert for Conficker.A is available at the following link: Virus Alert. The latest virus signature files are available at the following link: Panda Software
The Panda Software Virus Alert for Conficker.C is available at the following link: Virus Alert. The latest virus signature files are available at the following link: Panda Software
Sophos has also released identity files that detect the following: W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D, W32/Confick-E, W32/Confick-F, and W32/Confick-G
The Symantec Security Response for W32.Downadup is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Symantec Security Response for W32.Downadup.B is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Symantec Security Response for W32.Downadup.C is available at the following link: Security Response. The latest protection included in virus definitions for Intelligent Updater and for LiveUpdate is available at the following link: Symantec
The Trend Micro Virus Advisory for WORM_DOWNAD.A is available at the following link: Virus Advisory. The latest pattern files are available at the following link: Trend Micro
The Trend Micro Virus Advisory for WORM_DOWNAD.E is available at the following link: Virus Advisory. The latest pattern files are available at the following link: Trend Micro