The Conficker Worm and Countermeasures

On November 6, 2008, security researchers at Microsoft Corp. warned of a significant increase in attacks exploiting a Windows bug that the company had patched with an out-of-band fix (MS08-067) in October 2008. This confirmed earlier reports by Symantec Corp.

The new attacks, dubbed “Conficker.a” by Microsoft and “Downadup” by Symantec (among other names), exploit a vulnerability in the Windows Server service, the component that every version of the operating system uses to provide file and print sharing on a network. According to Microsoft:

Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files.

Microsoft issued the patch after it discovered a small number of infected PCs, most of them in Southeast Asia. In a twist of irony, the worm patches the vulnerable API in memory, so once it has taken hold the infected computer can no longer be exploited through the same hole by other malware. The worm also deletes the machine’s System Restore points, which may make it difficult or impossible to “roll back” Windows to a pre-infection state.

A newer version, dubbed Conficker.c, is updating already-infected computers with a variant that sidesteps an industry effort to break the link between the worm and its controllers (the coordinated registration of the domains the worm polls for updates).

How does it spread? The first route is the Server service vulnerability described above, which lets the worm execute its code on any unpatched machine it can reach over the network.

The second route is brute-force password guessing against network shares. According to Graham Cluley, a senior technology consultant at Sophos, “One of the ways the Conficker worm (also known as Confick or Downadup) uses to spread is to try and batter its way into ADMIN$ shares using a long list of different passwords.”

The third route is removable media. Once it infects a Windows computer, the worm copies itself, together with a file named “autorun.inf”, to any USB storage device, such as a flash drive, that is connected to the compromised computer. That file takes advantage of Windows’ Autorun and Autoplay features: when the flash drive, camera or other USB device is plugged into another PC, or when the user double-clicks the device’s icon in Windows Explorer or on the desktop, Windows reads autorun.inf and runs the worm on that machine.
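The removable-media vector is easy to check for on a machine that has had unknown USB sticks plugged in. The following PowerShell is an added example written for this page, not code from the original article or from any vendor: it reads the autorun.inf at the root of every removable drive, keeps only the lines Windows’ INI parser would act on (Conficker padded its autorun.inf with binary junk to hide the few real lines), and lists the directives that decide what gets launched. The heuristic that a launch command naming rundll32.exe or a path under a RECYCLER folder is suspicious is this example’s own choice, not a rule from the page.

```powershell
# Added example for this page, not the article's own code.  Inspects the
# autorun.inf on each removable drive for the directives that make Windows
# run something when the drive is inserted or its icon is double-clicked.

function Get-AutorunDirectives {
    param([string[]]$Lines)
    # Like Windows' INI parser, keep only well-formed key=value lines that sit
    # under an [autorun] header; junk lines (Conficker padded its file with
    # binary garbage to defeat naive scanners) are simply skipped.
    $inAutorun = $false
    $directives = @{}
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -match '^\[(?<section>[^\]]+)\]$') {
            $inAutorun = ($Matches['section'] -ieq 'autorun')
            continue
        }
        if ($inAutorun -and $line -match '^(?<key>[A-Za-z\\]+)\s*=\s*(?<value>.+)$') {
            $directives[$Matches['key'].ToLower()] = $Matches['value'].Trim()
        }
    }
    return $directives
}

function Test-AutorunInf {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    $lines = Get-Content -LiteralPath $Path -ErrorAction SilentlyContinue
    $directives = Get-AutorunDirectives -Lines $lines
    $findings = @()
    # These keys decide what Autorun/Autoplay executes.
    foreach ($key in @('open', 'shellexecute', 'shell\open\command')) {
        if (-not $directives.ContainsKey($key)) { continue }
        $value = $directives[$key]
        # Heuristic chosen for this example: launching via rundll32.exe or from
        # a RECYCLER folder on a removable drive is not what legitimate media do.
        $suspicious = ($value -match '(?i)rundll32' -or $value -match '(?i)\bRECYCLER\\')
        $findings += New-Object PSObject -Property @{
            Path = $Path; Directive = $key; Value = $value; Suspicious = $suspicious
        }
    }
    return $findings
}

# DriveType 2 = removable disk.  Output lists every launch directive found.
# (On PowerShell 7 use Get-CimInstance instead of Get-WmiObject.)
foreach ($drive in Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=2') {
    Test-AutorunInf -Path (Join-Path $drive.DeviceID 'autorun.inf') |
        Format-Table Path, Directive, Suspicious, Value -AutoSize
}
```

Run it with the suspect drive inserted but before double-clicking anything; Get-Content only reads the file, it does not trigger Autorun. A legitimate installer CD may well carry an `open=` directive, so the Suspicious column, not the mere presence of a directive, is what to act on.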

How do you know if your computer is infected? Watch for these symptoms:

  • The following services are disabled or fail to run:
    Windows Security Center service
    Automatic Updates service (Windows Update)
    Background Intelligent Transfer Service (BITS)
    Windows Defender
    Error Reporting Service (Windows XP and Server 2003)
    Windows Error Reporting Service (Windows Vista and later)
  • Some accounts may be locked out, a side effect of the worm’s password guessing against network shares, and the following registry modification can flood the network with connections:
    “TcpNumConnections” = “0x00FFFFFE”
  • Various security-related Web sites cannot be accessed: the worm blocks a whole host of security companies’ sites so that antivirus software cannot update, which would otherwise lead to the worm’s detection and removal.

Users can protect themselves from the worm by installing Microsoft’s MS08-067 security update, using strong passwords on all accounts (especially administrative ones, since the worm targets ADMIN$ shares) and disabling Windows’ Autoplay and Autorun features.
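The symptom list and the countermeasures in the paragraph above can both be checked from an administrator PowerShell prompt. The script below is an added example for this page, not code from the original article: it reports the state of the listed services, looks for the TcpNumConnections value, confirms that the MS08-067 update (shipped as KB958644) is installed, checks whether Autorun is turned off through the NoDriveTypeAutoRun policy, and tests whether a few security vendors’ sites still resolve. The mapping from the display names in the list to short service names, and the choice of sites to resolve, are this example’s assumptions.

```powershell
# Added example for this page, not the article's own code.  Run from an
# elevated PowerShell prompt on the machine being checked.
# (On PowerShell 7 use Get-CimInstance instead of Get-WmiObject.)

function Get-ConfickerServiceStatus {
    # Short service names assumed for the display names in the symptom list.
    $names = @{
        'wscsvc'    = 'Windows Security Center'
        'wuauserv'  = 'Automatic Updates'
        'BITS'      = 'Background Intelligent Transfer Service'
        'WinDefend' = 'Windows Defender'
        'ERSvc'     = 'Error Reporting Service (XP/2003)'
        'WerSvc'    = 'Windows Error Reporting Service (Vista and later)'
    }
    foreach ($name in $names.Keys) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        New-Object PSObject -Property @{
            Service   = $names[$name]
            State     = $(if ($svc) { $svc.State } else { 'not installed' })
            StartMode = $(if ($svc) { $svc.StartMode } else { 'n/a' })
            # A service that exists but has been set to Disabled matches the symptom.
            Suspect   = [bool]($svc -and $svc.StartMode -eq 'Disabled')
        }
    }
}

function Test-TcpNumConnections {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $item = Get-ItemProperty -Path $key -Name TcpNumConnections -ErrorAction SilentlyContinue
    $value = $null
    if ($item) { $value = $item.TcpNumConnections }
    New-Object PSObject -Property @{
        Present          = ($value -ne $null)
        Value            = $(if ($value -ne $null) { '0x{0:X8}' -f $value } else { 'not set' })
        # 0x00FFFFFE is the value the symptom list associates with the worm.
        MatchesIndicator = ($value -eq 0x00FFFFFE)
    }
}

function Test-MS08067Installed {
    # MS08-067 was delivered as KB958644.  Windows builds that already include
    # the fix (Windows 7 and later) never list it, so False there is expected.
    $hotfix = Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue
    return ($hotfix -ne $null)
}

$autorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Test-AutorunDisabled {
    # NoDriveTypeAutoRun = 0xFF disables Autorun for every drive type.
    $item = Get-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    return ($item -ne $null -and $item.NoDriveTypeAutoRun -eq 0xFF)
}

function Disable-Autorun {
    if (-not (Test-Path $autorunKey)) { New-Item -Path $autorunKey -Force | Out-Null }
    Set-ItemProperty -Path $autorunKey -Name NoDriveTypeAutoRun -Value 0xFF -Type DWord
}

function Test-SecuritySiteResolution {
    # Sites chosen for this example.  A failure is only a weak indicator,
    # since a plain network outage produces the same result.
    param([string[]]$Hosts = @('www.microsoft.com', 'www.symantec.com', 'www.sophos.com'))
    foreach ($h in $Hosts) {
        $ok = $true
        try { [System.Net.Dns]::GetHostEntry($h) | Out-Null } catch { $ok = $false }
        New-Object PSObject -Property @{ Host = $h; Resolves = $ok }
    }
}

Get-ConfickerServiceStatus | Format-Table Service, State, StartMode, Suspect -AutoSize
Test-TcpNumConnections | Format-List
"MS08-067 (KB958644) installed: $(Test-MS08067Installed)"
"Autorun disabled by policy:    $(Test-AutorunDisabled)"
Test-SecuritySiteResolution | Format-Table -AutoSize
```

Call Disable-Autorun explicitly once you have reviewed the output; the script only reports by default. Two caveats: on Windows XP and Server 2003 Explorer only honours NoDriveTypeAutoRun for autorun.inf once the update described in Microsoft’s KB967715 is installed, and on an already-infected host a clean result from this script proves little, because the worm disables the very services and update channels the checks rely on.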