MA-151.032009: MyCERT Special Alert: Conficker.C Worm

Initial Release: 27 March 2009
Updated: 2 April 2009

1.0 Introduction

MyCERT has been observing discussions and information sharing about a worm variant called Conficker.C on the Internet. It is expected that this enhanced version of the previous worm variants Conficker.A and Conficker.B will trigger on the 1st of April 2009. Security researchers believe the latest variant of Conficker first began spreading at roughly 6 p.m. PST on 4 March 2009 (5 March UTC).

MyCERT would like to highlight that this is neither a new outbreak nor a new piece of malware. Removal and mitigation strategies were highlighted in our previous advisory: http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/626/index.html

MyCERT is working together with various parties globally to mitigate and reduce the risk of the new variant.

2.0 Worm Description

Conficker.C represents the third major revision of the Conficker malware family, which first appeared on the Internet on the 20th of November 2008. This variant distinguishes itself as a significant revision to Conficker.B. It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level. In Conficker.C, they have responded with many of their own countermeasures to thwart these latest defenses. Some of the major enhancements are:

- Domain Generation Algorithm - Conficker.C will select 500 domains out of a randomized pool of 50,000, instead of 32 out of 250 for the previous variants.
- Peer to peer logic - This new coordination strategy employs a P2P protocol, and the Conficker authors have taken some care to hinder its analysis through code obfuscation.
- Local host patch logic - This protects the infected host from other malware that would attempt to re-exploit the MS08-067 buffer overflow, while still allowing re-infection from other Conficker hosts.
- Security product disablement - DNS lookups for most antivirus and security software vendor domains are blocked, important MS Windows security services are disabled, security product processes are terminated, the worm's installation and presence are obfuscated, and the MS Windows firewall is disabled.
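Because the domain generation algorithm described above makes an infected host resolve hundreds of algorithmically generated names (500 drawn from a pool of 50,000), most of which are unregistered, resolver logs are a practical detection point. The following added example (not MyCERT's or the Conficker Working Group's tooling) profiles per-host DNS behaviour over a constructed resolver log; the log format, the 10.0.0.x addresses and the thresholds are assumptions, scaled down to fit the small sample.

```python
import random
import re
from collections import defaultdict

# Assumed resolver log format (constructed for this example): "<timestamp> <client_ip> <qname> <rcode>"
LINE_RE = re.compile(r"^(\S+) (\d{1,3}(?:\.\d{1,3}){3}) (\S+) (NOERROR|NXDOMAIN)$")

def parse_line(line):
    """Return (timestamp, client_ip, query_name, rcode), or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, ip, name, rcode = m.groups()
    return ts, ip, name.lower().rstrip("."), rcode

def profile_hosts(lines):
    """Per client IP: distinct registrable domains and TLDs, plus NXDOMAIN and total counts."""
    prof = defaultdict(lambda: {"domains": set(), "tlds": set(), "nx": 0, "total": 0})
    for rec in filter(None, map(parse_line, lines)):  # malformed lines are skipped, not fatal
        _, ip, name, rcode = rec
        dom = ".".join(name.split(".")[-2:])  # last two labels; simplification: no public-suffix list
        p = prof[ip]
        p["domains"].add(dom)
        p["tlds"].add(dom.rsplit(".", 1)[-1])
        p["total"] += 1
        p["nx"] += rcode == "NXDOMAIN"
    return prof

def flag_hosts(lines, min_domains=50, min_tlds=5, min_nx_ratio=0.5):
    """IPs whose lookups resemble DGA beaconing: many distinct domains over many TLDs, mostly NXDOMAIN.
    The default thresholds are assumptions sized for the constructed sample log."""
    flagged = []
    for ip, p in profile_hosts(lines).items():
        nx_ratio = p["nx"] / p["total"] if p["total"] else 0.0
        if len(p["domains"]) >= min_domains and len(p["tlds"]) >= min_tlds and nx_ratio >= min_nx_ratio:
            flagged.append(ip)
    return sorted(flagged)

def build_sample_log(seed=7):
    """Constructed log: 10.0.0.5 mimics an infected host (60 random names over 8 TLDs, 55 of them
    NXDOMAIN); 10.0.0.9 is a normal host resolving a few real-looking sites."""
    rng = random.Random(seed)
    tlds = ["com", "net", "org", "info", "biz", "ws", "cn", "cc"]
    lines = []
    for i in range(60):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz") for _ in range(rng.randint(6, 10)))
        rcode = "NOERROR" if i < 5 else "NXDOMAIN"
        lines.append(f"2009-04-01T00:{i:02d}:00 10.0.0.5 {label}.{rng.choice(tlds)} {rcode}")
    for i, site in enumerate(["mail.example.com", "www.example.org", "cdn.example.net"]):
        lines.append(f"2009-04-01T01:0{i}:00 10.0.0.9 {site} NOERROR")
    return lines
```

On a real resolver the same profile should be computed per 24-hour window, since the worm's pool changes daily; a host approaching the 500-distinct-domain mark with mostly NXDOMAIN answers is the signal to triage.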
3.0 Software Affected

- All Microsoft Windows XP and Vista systems not patched for Microsoft security advisory MS08-067.
MyCERT had earlier released an advisory to address this vulnerability. Please follow this link for more details: http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/626/index.html

4.0 Technical Details

Once installed, Conficker.C implements a variety of nasty behaviors. The worm will attempt to disable Windows Automatic Update and block access to the Windows Security Center, can detect and kill SysInternals' Process Explorer, and will interfere with the operation of a number of other search-and-destroy programs, including Wireshark and SysClean. It will also reset and delete system restore points and disable various services, including WinDefend, BITS (Background Intelligent Transfer Service), ERSvc (Error Reporting Service) and WerSvc (Windows Error Reporting Service, Vista only). In a final fit of pique, Conficker.C will prevent any attempt to connect to a variety of antivirus software services or websites.

5.0 Mitigation

Generally, doing the following shall mitigate infection and spread of Conficker:

- Apply the latest Microsoft Windows updates.
- Apply the latest antivirus signatures and updates.
- Browse the Internet as a least-privilege (non-administrator) user to limit what a malicious file can do if it is executed.
- Do not open questionable email attachments, and do not browse to unknown websites whose links arrive in email from unknown senders or in messages you were not expecting.
Users can do a quick check on whether their computers are infected with Conficker by using this online test: http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

If your system has been infected by this worm, please download removal tools provided by trusted parties. Below is the list of tools (sorted in alphabetical order):

Microsoft has released a comprehensive guide for removing Conficker, which can be accessed here: http://support.microsoft.com/kb/962007

In addition, the Conficker Working Group, a global initiative set up to mitigate the spread of the worm, has published guides for service providers (ISPs), enterprises and registrars on dealing with Conficker. The latest versions of the documents can be obtained from http://www.confickerworkinggroup.org/wiki/

6.0 References

[1] http://mtc.sri.com/Conficker/addendumC/index.html
[2] http://arstechnica.com/security/news/2009/03/confickerc-primed-for-april-fools-activation.ars
[3] http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=77976
[4] http://en.wikipedia.org/wiki/Conficker
[5] http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/626/index.html
[6] http://support.microsoft.com/kb/962007
[7] http://www.avertlabs.com/research/blog/index.php/2009/03/27/w32conficker-much-ado-about-nothing/
[8] http://www.confickerworkinggroup.org/infection_test/cfeyechart.html