Conflicker and its legacy: An Overview of the Conficker worm.

Conflicker and its legacy: An Overview of the Conficker worm.

Image for posthttps://www.JasonDion.com

It?s some month in early 2009, you step into your office, jamming to the sounds of ?Touch my Body? by Mariah on your IPhone 3GS. You haven?t updated windows in a while, but who has time for that? You turn on you computer to get to work(Windows, of course. Who needs a ?trendy? when you need to get things done?)?or maybe book tickets to see Twilight (no judgement), to find out that your company installed anti-virus is turned off. Curious, you attempt to access your company?s internal site for updates, but for some reason you?re denied access, something about security settings. Google for some reason keeps turning out ?Page cannot be displayed? or DNS errors when you try to search for a fix. Finally, you decide to restart your computer, but on the first try you?re locked out due to too many attempts you can?t login; which is weird. Without company internal site access, you can?t really do your job, so you report to IT and sit around for the next hour or two for a fix in which five more of your colleagues join you with similar complaints. You just got Conifikered.

This botnet was called Conficker, Downup, Downadup, Kido, and a whole host of other both harmless, as well as nefarious sounding names. At its zenith, it racked up infection counts as high as an estimated 15 million PC?s. If you were a business running Windows OS near the turn of the last decade, seeing any of these terms would immediately raise red flags about your security and how you access your company resources. Let?s dive into to the history of this worm, shall we?

History and Spread

The Conficker worm got its start in November 2008, when it was discovered by Microsoft Malware Protection Center infecting computers via two mechanisms, NetBIOS(network shares, or across a corporate network with shared resources)and later USB thumb drives. The PC based worm attacked the following windows systems: Windows 2000, Windows XP, Windows Vista, Windows Server 2003, and Windows Server 2008.An analysis revealed that it most likely of Ukrainian origin, being as it was programmed not to attack computers with a Ukrainian keyboard or IP address.

It initially caused a panic due to its high virulence and ability to attack personal computers, as well as targets as large and as secure as national defense networks. Some of its major infected systems are as follows:

  • The armed forces of Germany
  • The United Kingdom Ministry of Defense
  • The French Navy ( Where it grounded military craft due to network unavailability)
  • The Houston municipal courts infection, which made the city put a freeze on processing minor charges until a resolution was found and eventually cost the city $25,000 in removal fees
  • Multiple hospitals, including systems that ran the MRI machines and other necessities

This all built up to a April fools ?trigger? date on April ,1 2009. From code analysis it was revealed that on this date, all infected computers would automatically run a process to scan remote sources for instructions. The worm had spread to over 9 million computers at this point, had penetrated governments organizations, banking, and other services, as well as having access to remotely download and upload information. This could have effectively brought entire sectors down in various nations if the instructions were more nefarious, such as putting the information on a ?Dark Google? or a Massive P2P network with all of the information it could have acquired.

The clock strikes midnight.. and nothing bad happens.

Much to everyones relief(and to the dread of several anti-virus companies that had profited off of the paranoia), nothing malicious happened. No mass cyberattack, no leaked official documents or data breaches. The only change was in the amount of domain names checked by the bots for updates per day , which rose from 250 to 50,000. This move perhaps made it a bit more resilient but nothing worse in the ways of destruction.

Microsoft would later offer a $250,000 reward for any information that would lead to the arrest of the perpetrator of the internet scourge, which to this day has gone unclaimed.

To combat the worm, the Conficker Working Group(CWG), was created out of individuals and experts in cyber-security, this group would help spearhead the idea of communications across both private sector companies and governments to help identify and combat large-scale cyber-crimes

Mechanisms

Once infected, depending on the version it might perform a few of the following actions:

  • Gives itself administrator-level rights on any machine it infected
  • Connects to one of 250 domains via a hole in the service server that could allow programs to remote execute, as well as remotely download files.
  • Searches the network for other non infected PC?s and proceed to recursively infect an entire network.
  • Patches MS08?067 in a NetBios push to reopen the security backdoor closed by Microsoft
  • Creates a registry key with a path to itself so it may run in the background
  • Delete any system restore points, to thwart any attempts at removing it via a restore point
  • Attempt to nullify any running any running anti-virus.
  • Blocks access to any anti-malware or anti-virus searches, leaving the affected user without many options outside of a lengthy removal process.
  • in later iterations it would

At this point it would create and open up a server to spread more of itself as far as possible.

Legacy

After the initial hype and upgrades A-E, the creators seemed to have abandoned the project, and it seems to be running on its defined algorithm in the same form as it had in 2009. Since the virus is system dependent(its unable to infect Windows systems from Windows 7 and up due to operating system and security changes make by Microsoft), these days you typically only see it in older operating systems and infection rates are as low as 400,000 instances as of measurements in 2015. As stated above , the efforts of the CWG would prove to drive along future efforts when other worms arose; the cross sector communication was instrumental in identifying all of the possible ways a worm could attack a system, which helped bolster future security efforts.

Parting thoughts

One of the bugs of the century, the Conficker worm was a cautionary tale in keeping up with security updates, as well as the importance of securing a network. Although it did not cause any damage, that it possessed the potential power to easily cripple entire parts of industries, leak secure data, or even shut down entire servers in and of it self was nightmarish enough. It caused up to an estimated 9.1 billion USD in clean up costs and forever changed the way security was viewed in corporate and government sectors.

Resources:

https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-067%20MS08-067

http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/?iref=mpstoryview

http://www.cnn.com/2009/TECH/04/01/tech.viruses/index.html?eref=rss_latest .

https://www.werockyourweb.com/conficker-worm-threat-or-april-fools/.

http://www.rendon.com/conficker-lessons-learned-in-collaboration/ .

http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/LessonsLearned .

https://www.zdnet.com/blog/security/?p=3207 .

12