
PCPro-Computing in the Real World Printed from www.pcpro.co.uk


Real World Computing

You've been Conficked...

Posted on 30 Mar 2009 at 15:52

Davey Winder gets to grips with the Conficker worm and discovers that prevention is better than cure.

What does it do?

Although it would be nice to be able to say with some degree of conviction what Conficker actually does, the sad truth is that at the time of writing, we simply don't know. Actually, perhaps I should qualify that statement: the combined knowledge of security researchers around the world quickly determined what measures Conficker takes once it's installed itself onto a system, but what isn't yet known is the final payload - what it's for, why it bothered to infect at all. As things stand, Conficker isn't particularly malicious. It doesn't target files in order to destroy them, it doesn't target users in order to lock them out of their own computers, it doesn't even have much impact upon day-to-day system performance, apart from the usual worm side-effect of causing network congestion thanks to its communications. It does block access to some security vendors' websites and it does disable Windows automatic updates, but those are hardly the dastardly acts of some twisted nutcase. Unfortunately, it's more probable that they're the acts of a well-organised crime organisation with some unknown but well-prepared strategy for using Conficked PCs. At the moment, we know that Conficker is just concentrating on infecting as many machines as possible, and the fact that it's added the USB drive infection route is evidence of this - even if you've dutifully patched against the Windows Service vulnerability, it can still get you via AutoRun or file shares. I'll get around to my own best guesses as to what the Conficker gang has in mind in a moment, but first let's examine what it's actually doing right now.

In terms of interfering with your system, we know that Conficker modifies certain Registry settings to prevent you from viewing hidden files, as a means of self-preservation. It does this by setting the "CheckedValue" entry to 0 under the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL sub-key. It will also reset your System Restore point in order to re-infect anyone who tries to get rid of it that way. Plus, we know that it's messing with your TCP settings by altering the HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters sub-key to add a value of 0x00FFFFFE to "TcpNumConnections", which equates in decimal to 16,777,214 (rather a lot of simultaneous connections by anyone's standards). As well as preventing access to security vendors' websites, Conficker attempts to prevent antivirus signature updates by disabling all processes that contain any of the keywords from its block list.
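The two Registry modifications described above are easy to check for on a suspect machine. The following read-only PowerShell script is an added example, not code from the article; it assumes that on a stock Windows install CheckedValue is 1 and no explicit TcpNumConnections value exists, so the exact values the article names are treated as indicators, not proof of infection.

```powershell
# Added example (not from the PC Pro article): look for the two Registry
# indicators the article describes. Read-only; run from an elevated prompt.
# Assumption: a clean system has CheckedValue = 1 and no TcpNumConnections
# value at all, so matching the exact worm-set values is the signal.
$checks = @(
    @{
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
        Name    = 'CheckedValue'
        Bad     = 0
        Meaning = 'hidden files forced not to display (worm self-preservation)'
    },
    @{
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
        Name    = 'TcpNumConnections'
        Bad     = 0x00FFFFFE
        Meaning = 'TCP connection limit explicitly set to 16,777,214'
    }
)

$findings = foreach ($c in $checks) {
    # Get-ItemProperty returns $null (no error) when the value is absent.
    $item = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        [pscustomobject]@{ Name = $c.Name; Value = '<absent>'; Suspicious = $false; Note = $c.Meaning }
    } else {
        $value = [int64]$item.($c.Name)
        [pscustomobject]@{
            Name       = $c.Name
            Value      = ('0x{0:X8}' -f $value)
            Suspicious = ($value -eq $c.Bad)
            Note       = $c.Meaning
        }
    }
}

$findings | Format-Table -AutoSize
if ($findings.Suspicious -contains $true) {
    Write-Warning 'Conficker Registry indicator(s) present: scan the host with updated signatures and check that Automatic Updates is still enabled.'
}
```

Because Conficker also disables Automatic Updates and blocks security vendor sites, a hit here should be followed by a full scan from a known-clean, updated scanner rather than by simply restoring the two values.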

We do know that there's code within Conficker that enables it to create URLs in the format http:///search?q=%d combined with a top-level domain of .biz, .cc, .cn, .com, .info, .net, .org or .ws, and we know that it will connect to one of several selected websites such as google.com, yahoo.com and msn.com in order to verify the system date - and that if the date proves to be after 1 January 2009, it may start downloading arbitrary files. There are some reports of compromised systems downloading assorted malware files, but on the whole there doesn't yet seem to be much concrete evidence of this kind of malware delivery payload (which doesn't mean it might not be coming later).

I mentioned my own payload predictions just now, so here's what I expect to see starting real soon. Once there are enough infected systems (and if ten million aren't enough then the Goddess-only knows what will be), a second-stage strategy will start to kick in. I expect that Conficker will start downloading extra code for either one of two ultimate purposes - to create one of the biggest spamming botnets ever seen, or (and I tend to favour this) to start a massive scareware campaign - the likes of which no-one has previously been able to imagine. You know, those "rogue" antivirus apps whose annoying pop-ups inform you that you're infected (as, indeed, you will be) and offer a removal solution for some silly price that wouldn't work even assuming they ever delivered it. The fact that Conficker can download new versions of itself onto infected machines, and that it achieves this by cunning use of difficult-to-filter, ever-changing IP addresses, makes me think this is almost inevitably its eventual intention.

Davey Winder

Davey is a contributing editor to PC Pro, having covered the internet as a topic since the magazine started in 1994. Since that time he's won numerous awards for his journalism, but remains a small-business consultant specialising in privacy, security and usability issues.
