Bot.Conficker

Target: Windows
Aliases: Win32/Conficker, Mal/Conficker-A, Worm.Win32.Conficker, W32/Downadup.AL, Net-Worm.Win32.Kido
References: Threat Expert: Bot.Conficker sample analysis
MS08-067 vulnerability: Download Patch
Conficker: Remediation and Manual Removal
Wikipedia: Conficker
Attributes: Payload: AV Killer, Backdoor, Browser Hijack, Downloader
Propagation: AutoRun, Exploits, Network Shares
Technique: Code Injection, Rootkit UserSpace
CnC Architecture: HTTP, P2P
What it means:
The FireEye appliance has detected malicious software trying to connect to its Command and Control (C&C) server. The communication observed with this event is normally associated with Bot.Conficker.

Conficker gives a remote attacker complete control of the compromised system. Newly infected computers join the botnet and wait for further instructions. Conficker is a family of bots that can install backdoors, download and execute additional malware, block access to security-related software and websites, hijack DNS lookups, disable system components and services, and propagate by several methods, chiefly exploitation of the MS08-067 vulnerability in the Windows Server service. Some variants also spread through network shares, through a peer-to-peer (P2P) protocol of their own, and through removable media such as USB drives.

Variants of Conficker download and execute other malicious programs, such as Bot.Waledac and Rogue.SpyProtect2009, and can update themselves. To locate an update server the bot periodically probes a pseudo-randomly generated list of domains. The list is derived from the current date, so every infected host computes the same candidate domains for a given day (250 per day in the early variants, 50,000 in later ones) and the operators need only register one of them. When a probed domain resolves, the bot attempts to download an executable from it. The download is authenticated before use: the bot hashes the file and verifies an RSA signature over that hash against a public key embedded in the worm, so only whoever holds the matching private key can push code to the botnet. If verification succeeds, the executable is run. Some variants include a further backdoor in the form of a named pipe, which provides a second channel for receiving URLs of additional malware.
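The domain-probing behaviour above leaves a characteristic trace in resolver logs: one host asking for many distinct, random-looking names in quick succession, almost all answered NXDOMAIN, followed by a hit on the one name that was actually registered. The following Python script, an added example that is not part of this page or of any FireEye product, runs that check over a constructed log sample (hosts, names and timestamps are invented, and the one-line-per-query log format is an assumption):

```python
"""Triage resolver logs for Conficker-style rendezvous-domain probing.

Added example, not code from the page or the worm. Flags clients that hit
many distinct NXDOMAIN names inside a short window and lists random-looking
names that nevertheless resolved for them (the likely download domains).
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log; hosts, names and timestamps are invented.
# Assumed line format: <ISO timestamp> <client IP> <queried name> <rcode>
SAMPLE_LOG = """\
2009-01-12T10:00:01 10.0.0.7 www.microsoft.com NOERROR
2009-01-12T10:00:02 10.0.0.7 mail.example.org NOERROR
2009-01-12T10:00:09 10.0.0.7 wwww.example.org NXDOMAIN
2009-01-12T10:00:03 10.0.0.23 qmkwid.biz NXDOMAIN
2009-01-12T10:00:03 10.0.0.23 wjfpwoeyv.info NXDOMAIN
2009-01-12T10:00:04 10.0.0.23 xzuqnm.net NXDOMAIN
2009-01-12T10:00:04 10.0.0.23 pvkwaedls.org NXDOMAIN
2009-01-12T10:00:05 10.0.0.23 time.windows.com NOERROR
2009-01-12T10:00:05 10.0.0.23 hbqyoz.com NXDOMAIN
2009-01-12T10:00:06 10.0.0.23 lkwoqpvx.cc NXDOMAIN
2009-01-12T10:00:07 10.0.0.23 unhqsyfk.ws NOERROR
"""

VOWELS = set("aeiou")


def parse_log(text):
    """Return (timestamp, client, name, rcode) tuples; names are normalised."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, name, rcode = line.split()
        records.append((datetime.fromisoformat(ts), client,
                        name.lower().rstrip("."), rcode.upper()))
    return records


def second_level_label(name):
    parts = name.split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_random(label):
    """Cheap DGA heuristic: few vowels or a long consonant run.

    Uniformly random letters average under 20% vowels; English-like labels
    sit near 40%. This ranks hits for review, it does not prove anything.
    """
    letters = [c for c in label if c.isalpha()]
    if len(letters) < 5:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio < 0.25 or longest >= 5


def find_probing_clients(records, window=timedelta(seconds=60), threshold=5):
    """Flag clients with >= threshold distinct NXDOMAIN names inside `window`.

    For a flagged client, also list random-looking names that DID resolve
    during or shortly after the burst: with this worm those are the likely
    download (rendezvous) domains and deserve a look in the proxy logs.
    """
    by_client = defaultdict(list)
    for ts, client, name, rcode in records:
        by_client[client].append((ts, name, rcode))

    findings = {}
    for client, events in by_client.items():
        events.sort()
        nx = [(ts, name) for ts, name, rcode in events if rcode == "NXDOMAIN"]
        best, burst_start, burst_end = 0, None, None
        j = 0
        for i in range(len(nx)):
            while j < len(nx) and nx[j][0] - nx[i][0] <= window:
                j += 1
            distinct = {second_level_label(n) for _, n in nx[i:j]}
            if len(distinct) > best:
                best, burst_start, burst_end = len(distinct), nx[i][0], nx[j - 1][0]
        if best < threshold:
            continue
        candidates = sorted({
            name for ts, name, rcode in events
            if rcode == "NOERROR"
            and burst_start <= ts <= burst_end + window
            and looks_random(second_level_label(name))
        })
        findings[client] = {"distinct_nxdomain": best,
                            "resolved_candidates": candidates}
    return findings


if __name__ == "__main__":
    for client, info in find_probing_clients(parse_log(SAMPLE_LOG)).items():
        print(client, info)
```

Tune the threshold to your environment before trusting the output: clients that expand a DNS search list, or users mistyping hostnames, also produce NXDOMAIN clusters, so treat a hit as a lead to confirm against proxy logs and the host itself rather than as a verdict.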

Conficker includes a number of self-defence mechanisms. It hooks the DNS query functions in dnsapi.dll so that lookups of security-related domains (anti-virus vendors, Windows Update and similar) fail, which blocks both the user's access to those sites and the security products' own updates. It also disables Safe Mode and stops or disables services it could be caught by, including Windows Error Reporting, Automatic Updates, BITS, Windows Defender and Security Center. Some variants apply an in-memory pseudo-patch for MS08-067: they hook the vulnerable function (NetpwPathCanonicalize in netapi32.dll) so that other malware cannot reinfect the host through the same hole, while still recognising their own exploit traffic; a URL carried in such a Remote Procedure Call (RPC) request is extracted, downloaded and executed directly. A host that shows as "not vulnerable" to an MS08-067 scan but has the patch missing is therefore worth a closer look.

Conficker propagates by sending a specially crafted RPC request, exploiting MS08-067 over SMB (TCP port 445), to randomly generated IP addresses. When the exploit succeeds, the shellcode makes the victim download the actual Conficker binary from an HTTP listener that the infecting host has opened. Some variants spread through removable drives by copying themselves there and dropping an autorun.inf that launches the copy. Conficker also spreads to weakly protected network shares (especially ADMIN$ and the inter-process communication share IPC$): it enumerates accounts on the target, guesses their passwords from a built-in list of common ones, copies itself to the share and creates a scheduled task on the target to run it. A surge of account lockouts across a network is a common side effect of this guessing and a useful early warning. Later variants also spread through purpose-built peer-to-peer (P2P) functionality; such variants maintain lists of infected systems so that peers can exchange updates directly, without any domain to take down.

Conficker can load or inject code into existing processes (such as svchost.exe or explorer.exe). To get itself executed automatically from mapped or removable drives, Conficker creates the following file in the root directory of the drive; the file is padded with junk to hide its directives from casual inspection, and its AutoPlay entry is disguised as the standard "Open folder to view files" option so that the user launches the worm:

Root-Directory\autorun.inf
e.g.:- F:\autorun.inf

Conficker usually arrives as a randomly named DLL in the System folder and registers itself as a service hosted by svchost.exe (adding its random service name to the netsvcs service group) by creating the following registry key:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random-name}\Parameters\
Value Name and Data: ServiceDll = [path to the malware DLL]

The System folder is by default C:\Windows\System (for Windows 95/98/Me), C:\Winnt\System32 (for Windows NT/2000) or C:\Windows\System32 (for Windows XP and later); the worm targets NT-based Windows, so the System32 locations are the ones to check.
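Added example (not from this page, FireEye or the worm): a Python triage script for the two persistence artifacts described above, the autorun.inf on a removable drive and the svchost-hosted service. It parses text you would collect on the suspect host with built-in tools and assumes the `reg query` output formats shown in its constructed samples; the service name "ashqez", its DLL and the rundll32 export are invented stand-ins for the worm's random ones, and the baseline netsvcs list is a constructed stand-in for one captured from a known-clean host of the same build.

```python
r"""Triage the two Conficker persistence artifacts on a suspect host.

Added example; parses text collected with built-in tools (formats assumed):
  reg query HKLM\SYSTEM\CurrentControlSet\Services /s /v ServiceDll
  reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost" /v netsvcs
and autorun.inf from the root of a removable drive.
"""
import re

# Constructed reg query output; "ashqez" stands in for the worm's random name.
SERVICEDLL_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\browser.dll

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ashqez\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\system32\ashqez.dll
"""

# Constructed netsvcs output (reg query prints REG_MULTI_SZ entries \0-separated).
NETSVCS_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
    netsvcs    REG_MULTI_SZ    AppMgmt\0Browser\0Schedule\0ashqez\0wuauserv
"""

# Assumed baseline: the netsvcs list from a known-clean host of the same
# build (constructed here; real lists are longer).
BASELINE_NETSVCS = {"AppMgmt", "Browser", "Schedule", "wuauserv"}

# Constructed autorun.inf in the worm's style: junk lines around the real
# directives and an AutoPlay label that mimics the built-in folder option.
# rundll32 loads whatever PE the path names, regardless of its extension.
AUTORUN_INF = """\
[autorun]
;9kq$z!vLw3#
AcTiOn=Open folder to view files
)Z2p&^%
Icon=%systemroot%\\system32\\shell32.dll,4
shellexecute=RUNDLL32.EXE .\\RECYCLER\\xfqtmv.vmx,xmkdw
"""

SERVICE_KEY = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters$", re.I)
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")
AUTORUN_KEYS = {"open", "shellexecute", "action", "icon", "label", "useautoplay"}


def parse_servicedlls(text):
    """Map service name -> ServiceDll path from the recursive reg query."""
    result, current = {}, None
    for line in text.splitlines():
        m = SERVICE_KEY.match(line.strip())
        if m:
            current = m.group(1)
            continue
        m = VALUE_LINE.match(line)
        if m and current and m.group(1).lower() == "servicedll":
            result[current] = m.group(3).strip()
    return result


def parse_netsvcs(text):
    """Return the service names in the netsvcs svchost group, in order."""
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m and m.group(1).lower() == "netsvcs":
            return [s for s in m.group(3).strip().split("\\0") if s]
    return []


def suspicious_services(servicedlls, netsvcs, baseline):
    """netsvcs members absent from the clean baseline, with the DLL each loads.
    The worm's service name is random, so allowlisting names is useless:
    diff against a baseline, then hash and submit the DLL it points at."""
    return {name: servicedlls.get(name, "<no ServiceDll value>")
            for name in netsvcs if name not in baseline}


def parse_autorun(text):
    """Recover the directives the shell would honour from a junk-padded file.
    Only key=value lines under [autorun] with a known key are kept."""
    directives, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[autorun]"
            continue
        if not in_section or line.startswith(";") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        if key.strip().lower() in AUTORUN_KEYS:
            directives[key.strip().lower()] = value.strip()
    return directives


def autorun_verdict(directives):
    """Reasons this autorun.inf looks like the worm's (empty = nothing seen)."""
    launch = directives.get("shellexecute") or directives.get("open") or ""
    reasons = []
    if "rundll32" in launch.lower():
        reasons.append("launches a DLL through rundll32: " + launch)
    if directives.get("action", "").lower() == "open folder to view files":
        reasons.append("AutoPlay entry mimics the built-in 'Open folder to view files'")
    return reasons
```

On a real host, redirect the two `reg query` commands to files and feed their contents to `parse_servicedlls` and `parse_netsvcs`; the baseline must come from the same Windows version and service pack, or legitimate services will show up as differences. Whatever the script flags, the decisive step is to hash the referenced DLL and compare it against known-good files, since the worm's file and service names carry no signal on their own.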

How can I avoid this:
To prevent the initial infection, users and enterprises should apply security patches to operating systems, web browsers and other software promptly; in particular, MS08-067 must be patched on every Windows host. Disable AutoRun/AutoPlay for removable media (Microsoft KB967715 describes the required update and the NoDriveTypeAutoRun setting) so that a planted autorun.inf is never executed, and block SMB (TCP 445 and 139) at the network perimeter and between workstations where possible. Run and keep updated anti-virus, a host firewall and host-based intrusion detection. Be alert to social engineering, including the disguised AutoPlay prompt described above. Protect network shares and local administrator accounts with strong passwords, since the worm guesses weak ones from a built-in list, and enforce an account lockout policy so that guessing is both slowed and visible. Do not install programs unless you trust the source and know what the program is supposed to do.

What can I do:
The infected system should be isolated from the network to prevent further damage to other systems, and it should not be reconnected until MS08-067 has been applied, AutoRun has been disabled and any passwords the worm could have guessed have been changed; otherwise it is likely to be reinfected by peers on the same network within minutes. Conficker may have downloaded additional malware, so removing Conficker alone does not guarantee that the machine is clean. The most reliable approach is to reinstall the system from known-good media after backing up personal data (restoring to an earlier restore point is quicker but only as trustworthy as the restore point itself). Other options include:
* Install or update your desktop security programs; because the worm blocks DNS lookups of security vendors' sites, obtain updates and removal tools on a clean machine and bring them over on read-only media. Often a user will need to boot into Safe Mode and run a full scan to increase the chances of full removal; beware that this may not be possible in all Conficker infections, as Safe Mode may have been disabled.
* Brave-hearted users can consult additional resources, such as those in the references section, to perform a manual clean-up. This is not recommended for anyone but an expert.