Conficker stops spreading as bad guys tighten grip on already-infected PCs
Posted on | April 2, 2009 | 4 comments
The Microsoft-supplied diagram (shown below) depicting how Conficker spreads is accurate, but dated, and therefore somewhat misleading.
The latest version of Conficker, Variant C, is not looking for unpatched Windows PCs to infect, according to SRI International and IBM ISS.
The bad guys appear to have infected more PCs than they can productively manage, perhaps well over 10 million, according to OpenDNS founder David Ulevitch.
Conficker C first appeared on March 5. Its singular purpose is to connect with — and install updates on — PCs previously infected with variants B and B++, says Philip Porras, program manager at SRI.
For weeks prior to the arrival of Conficker C, machines infected with B and B++ had been regularly checking 250 new web addresses each day for new instructions. The good guys, namely the Microsoft-directed Conficker Cabal, hustled to cut off access to the fresh list of 250 rendezvous points popping up daily. But on March 5 the bad guys managed to gain control of one or more of the rendezvous points for that day and pass along Conficker C to B and B++ machines, says Porras.
Keep in mind that Conficker C only reached PCs infected with variants B and B++. It did not reach machines infected with Variant A. Those machines reported daily to a completely different set of 250 web addresses. Score that one for the good guys. “We have no evidence an A rendezvous point was seeded with Conficker C,” says Porras.
50,000 new check-in points daily
Not only does Conficker C lack any self-propagating mechanisms, it actually shuts down the spreading mechanisms in B and B++ machines. It installed new instructions to check in at 500 rendezvous points, selected randomly from a list of 50,000 web domains; this list reconstitutes every 24 hours with 50,000 new rendezvous points.
This new check-in routine commenced yesterday, April 1. And finally, Conficker C installed a customized peer-to-peer, or P2P, network, enabling all B and B++ machines to secretly communicate and share files, and easily cleave through most corporate perimeter defenses, such as firewalls, traffic sniffers and intrusion detection systems.
Therefore, the spreading mechanisms, diagrammed below, would seem to apply only to machines infected with Conficker A. Or to B and B++ machines that never received the C update.

LastWatchdog asked SRI’s Porras whether it was likely that a high percentage of B and B++ machines have been updated by now with Variant C. “More likely than not,” Porras replied.
What’s more, B and B++ machines, updated with Variant C, really do not need to use the web domain rendezvous points. Why? Because they can share files efficiently and privately via cloaked P2P communications, similar to how people share pirated music and movies.
“Early variants took care of propagation,” says Holly Stewart, IBM ISS threat response manager. “Conficker C is focused on staying put and keeping up communications channels.”
So what did the bad guys gain by going through all the trouble to construct a customized, proprietary P2P network from scratch?
“It is an alternate, harder to track and much harder to block mechanism for distributing malicious logic to the infected population,” says Porras. “It effectively gives the Conficker developers an overlay network with decentralized control.”
LastWatchdog scoop
You read it here first: The Conficker Cabal has figured out the algorithm the bad guys use to generate the daily list of 50,000 possible check-in points. Separately, OpenDNS, working in partnership with Kaspersky Labs, has also figured out this algorithm, says OpenDNS founder Ulevitch.
“We’ve known the 50,000 domains since March 25,” says Ulevitch.
OpenDNS is an alternative way for Internet users to navigate to websites. It is a free, advertising-supported service used by more than 10 million people, mostly in North America. Yesterday, OpenDNS began blocking all 50,000 domains Conficker PCs were scheduled to begin pinging on April 1. It will continue to block the new daily list each day for the coming week — and well beyond that. Ulevitch says OpenDNS will continue blocking all 50,000 domains, day by day, one week at a time, indefinitely.
“As long as we stay a week ahead, we’re in good shape,” Ulevitch told LastWatchdog. “We can generate them (daily list of 50,000 domains) as far out as 10 years if we want to.”
Ulevitch says this defense is unique to OpenDNS users, and that the Microsoft-led cabal has no way to similarly block 50,000 possible new check-in domains on a daily basis. The Cabal’s primary tactic has been to pre-register domains that turn up on the daily list, so the bad guys cannot use them as check-in points. It did this with the 250 daily check-in points prior to April 1, and presumably has stepped up this practice now that Conficker C machines can check in at any one of 50,000 new domains daily.
“Because we’re a DNS (domain name service) provider, OpenDNS can block the IPs of the 50,000 domains from resolving,” says Ulevitch. “The blocking is done at the DNS level. We’re in a unique and advantageous position to protect people.”
Could there be 26 million Conficker C-infected PCs?
Not long after Conficker C machines began executing the new call-home instructions yesterday, OpenDNS began to see tens of thousands of PCs checking in at the inaugural set of 50,000 new domains. Roughly 500,000 such queries were confirmed to come from Conficker C machines, the company says. OpenDNS counted every IP address that connected successfully with two of the rendezvous points and then stopped checking in. That was part of the instructions that came with the C update.
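To make the DNS-level defense concrete, here is an added example (not the post’s or OpenDNS’s code) of a resolver-side blocklist check against a constructed stand-in for one day’s rendezvous list, plus the count of clients that reached two or more rendezvous domains, the signal the post says OpenDNS used. The domain names and log lines are constructed; the real domain-generation algorithm is not on this page and is not reproduced.

```python
# Added example (not from the original post): a minimal DNS-level blocklist
# filter in the spirit of the OpenDNS Conficker C defense, plus the
# "two rendezvous contacts" counting rule the post describes.
# Domain names and log lines are constructed placeholders; the real daily
# list came from the reverse-engineered generation algorithm, which this
# post does not reproduce.
from collections import defaultdict

# Constructed stand-in for one day's pre-generated rendezvous list.
DAILY_BLOCKLIST = {
    "qwe3r.example", "zxcvb.example", "pl0kj.example", "mnbv9.example",
}

# Constructed resolver log: "<client_ip> <qname>", one query per line.
SAMPLE_LOG = """\
10.0.0.5 qwe3r.example
10.0.0.5 www.example
10.0.0.5 zxcvb.example
10.0.0.5 pl0kj.example
10.0.0.9 mnbv9.example
10.0.0.9 mail.example
10.0.0.12 news.example
"""

def resolve_decision(qname: str) -> str:
    """Return 'BLOCK' for a rendezvous domain, else 'RESOLVE'.
    Blocking at the resolver means the infected host never learns the
    rendezvous point's address, so the check-in never completes."""
    return "BLOCK" if qname.lower() in DAILY_BLOCKLIST else "RESOLVE"

def count_checkin_hosts(log_text: str, threshold: int = 2) -> dict:
    """Map client IP -> number of distinct rendezvous domains queried,
    keeping only clients at or above `threshold`. The post says C-updated
    bots stop after reaching two rendezvous points, so two distinct hits
    from one client is a strong signal; a single hit may be a typo or a
    researcher probe."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip malformed lines
        client, qname = parts
        if resolve_decision(qname) == "BLOCK":
            hits[client].add(qname.lower())
    return {c: len(d) for c, d in hits.items() if len(d) >= threshold}

if __name__ == "__main__":
    print(count_checkin_hosts(SAMPLE_LOG))  # {'10.0.0.5': 3}
```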
OpenDNS has between 10 million and 15 million users; the company jealously guards the exact number. That means it saw an infection rate among OpenDNS users of 3.3% to 5%. Extrapolating a conservative infection rate of 3.3% across the 800 million vulnerable Windows PCs suggests as many as 26 million PCs may be infected with Conficker C. And that doesn’t include Conficker A machines that never got the C update. Previous estimates of the total number of Conficker-infected PCs range from 3 million to 12 million.
“I think the number of infections could be very much higher than 10 million,” Ulevitch told LastWatchdog. “Our users are no better or no worse than the general population, so if 500,000 of our users are infected, there’s got to be more infections than people have estimated.”
Here’s OpenDNS’s country-by-country breakdown of where it saw the 500,000 Conficker C machines checking in on April Fools Day:

Last week, IBM ISS began monitoring Conficker P2P chatter. Big Blue was able to do this after ace researcher Mark Yason cracked the worm’s cloaked P2P communications protocols. IBM initially chose not to release the total number of PCs it could see chattering on Conficker’s secret P2P net until the number stabilized.
But today, in this blog post, Stewart disclosed that as of noon EST, April 2, IBM could see 221,598 unique IP addresses engaging in Conficker P2P chatter. That number represents a steady rise from 37,072 Conficker C machines IBM could see chattering on Monday, March 30.
Here’s IBM ISS’s country-by-country breakdown of where it can see Conficker P2P chatter.

–Byron Acohido
Comments
Woahh, that almost seems like computer terrorism, serious stuff. I admire those who are able to program so efficiently, though.
Comment by Free Wii Points — 7/30/2009 @ 8:15 am