PCPro-Computing in the Real World Printed from www.pcpro.co.uk

Real World Computing

You've been Conficked...

Posted on 30 Mar 2009 at 15:52

Davey Winder gets to grips with the Conficker worm and discovers that prevention is better than cure.

The name of the Conficker worm is a German hacker pun that means screwing ("ficken" being the German verb for sexual intercourse) with your configuration. And infected PCs do indeed become well and truly, er, ficked. So how does Conficker spread, what does it do, and how can you protect yourself against it? And if you're unlucky enough to be one of the ten million plus already infected, how do you remove it? I'm devoting this month's column to answering such questions, getting down and dirty with the most worrying security problem since the days of Blaster, Love Bug and Sobig.

What is it?

Let's start at the beginning by deciding what Conficker actually is. This particular worm is known by a bunch of different names, the most popular being Conficker, Downadup, Kido and, slightly less memorably, Trojan.Win32.Agent.bccs. Call it what you will, the worm has already infected millions of networked computers by exploiting an old vulnerability in the Windows Server Service (svchost.exe), which according to Microsoft remains unpatched on something like 30% of the Windows systems online. Put another way, those ten million computers already infected are a drop in the ocean when you consider that there are at least 300 million PCs at risk worldwide. Current thinking has it that a well-organised gang of cybercriminals behind Conficker is biding its time before unleashing the real payload, and there's much speculation about what that might be. First, we need to know how Conficker gets onto your computer in the first place.

How does it spread?

The simple answer is that Conficker exploits apathetic, cocky and stupid users. You know, the ones who don't apply critical security patches in a timely fashion; the ones who think they're above being infected by anything.

Conficker.B essentially uses a three-pronged propagation method by exploiting that Windows Server Service critical vulnerability, network shares and the Windows AutoPlay function. You'll note that I'm talking about the current, highly virulent variant of Conficker, rather than the original type A worm from November 2008. That only propagates via the Server Service vulnerability, which is why it hasn't become as huge a problem as its sibling.

Conficker gets into systems where the security patch hasn't yet been rolled out, copying itself into the Windows system, Internet Explorer or Movie Maker folder as a hidden DLL with a random file name. It looks for vulnerable computers and gets them to download a copy of itself via HTTP using a random port between 1024 and 10000, which it helpfully opens. To ensure that it's run every time Windows starts up, it also creates a Registry entry with a random name value, but a data value of the form "rundll32.exe [random file name].dll," under the "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" key. Its exact modus operandi seems to vary somewhat, and there are reports of Conficker loading itself as a service to be launched alongside the netsvcs group, or loading as a fake service registered under "HKLM\SYSTEM\CurrentControlSet\Services".
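The persistence pattern just described is something you can sweep for. The following is an added example, not code from the article or from any vendor tool: it triages Run-key entries (value name mapped to data, as exported from the HKCU Run key) and flags rundll32 autostarts that load a DLL from one of the three folders named above, or with no path at all. The allowlist and the sample entries are constructed for the example.

```python
import re

# Folders the article names as Conficker drop locations (lower-cased path suffixes).
DROP_FOLDERS = (
    r"\windows\system32",
    r"\program files\internet explorer",
    r"\program files\movie maker",
)

# Hypothetical allowlist: DLLs an administrator has vetted for rundll32 autostart use.
ALLOWLIST = {"shell32.dll", "user32.dll"}

# Matches "rundll32[.exe] <something>.dll," with optional quoting and an optional
# directory in front of rundll32 itself.
_RUNDLL = re.compile(r'^\s*"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)"?\s*,',
                     re.IGNORECASE)


def triage_run_entries(entries):
    """Return [(value_name, reason)] for entries matching the rundll32 pattern."""
    findings = []
    for name, data in entries.items():
        m = _RUNDLL.match(data)
        if not m:
            continue  # not a rundll32 autostart at all
        dll_path = m.group(1).strip().lower()
        folder, _, dll = dll_path.rpartition("\\")
        if dll in ALLOWLIST:
            continue  # vetted DLL, regardless of where it lives
        if not folder:
            # Unqualified name: resolved via the DLL search path, system32 included.
            findings.append((name, f"rundll32 loads unqualified {dll} via the DLL search path"))
        elif any(folder.endswith(d) for d in DROP_FOLDERS):
            findings.append((name, f"rundll32 loads {dll} from drop folder {folder}"))
    return findings


# Constructed sample: two benign entries, one vendor rundll32 entry outside the
# drop folders, and two entries shaped like the worm's persistence value.
SAMPLE_ENTRIES = {
    "ctfmon": "ctfmon.exe",
    "shell": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL",
    "vendor": r"rundll32.exe C:\Program Files\Vendor\tool.dll,Start",
    "kjdhsf": "rundll32.exe kjdhsf.dll,qwer",
    "updater": r'"C:\Windows\System32\rundll32.exe" "C:\Program Files\Movie Maker\ywqpz.dll",Run',
}

if __name__ == "__main__":
    for value_name, reason in triage_run_entries(SAMPLE_ENTRIES):
        print(f"{value_name}: {reason}")
```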

However, Conficker will also always try to copy itself to the ADMIN$ share (Windows folder) of a target machine by either using the currently logged on user's credentials (assuming they have admin rights and that same account is used across multiple computers, a whole network is soon compromised), or by looking for weak passwords for any user account with write permissions. The worm has a list of hundreds of such weak passwords to refer to, including the brainless classics "1234", "admin", "admin123", "qwerty", "passwd", "foobar", "secret" and "letmein" to name but a few.

Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
