Conficker stops spreading as bad guys tighten grip on already-infected PCs

The Microsoft-supplied diagram (shown below) depicting how Conficker spreads is accurate, but dated, and therefore somewhat misleading.

The latest version of Conficker, Variant C, is not looking for unpatched Windows PCs to infect, according to SRI International and IBM ISS.

The bad guys appear to have infected more PCs than they can productively manage, perhaps well over 10 million, according to OpenDNS founder David Ulevitch.

Conficker C first appeared on March 5. Its singular purpose is to connect with — and install updates on — PCs previously infected with variants B and B++, says Philip Porras, program manager at SRI.

For weeks prior to the arrival of Conficker C, machines infected with B and B++ had been regularly checking 250 new web addresses each day for new instructions. The good guys, namely the Microsoft-directed Conficker Cabal, hustled to cut off access to the fresh list of 250 rendezvous points popping up daily. But on March 5 the bad guys managed to gain control of one or more of the rendezvous points for that day and pass along Conficker C to B and B++ machines, says Porras.

Keep in mind that Conficker C only reached PCs infected with variants B and B++. It did not reach machines infected with Variant A. Those machines reported daily to a completely different set of 250 web addresses. Score that one for the good guys. “We have no evidence an A rendezvous point was seeded with Conficker C,” says Porras.

50,000 new check-in points daily

Not only does Conficker C lack any self-propagating mechanisms, it actually shuts down the spreading mechanisms in B and B++ machines. It installed new instructions to check in at 500 rendezvous points, selected randomly from a list of 50,000 web domains; this list reconstitutes every 24 hours with 50,000 new rendezvous points.

This new check-in routine commenced yesterday, April 1. And finally, Conficker C installed a customized peer-to-peer, or P2P, network, enabling all B and B++ machines to secretly communicate and share files, and easily cleave through most corporate perimeter defenses, such as firewalls, traffic sniffers and intrusion detection systems.

Therefore, the spreading mechanisms, diagrammed below, would seem to apply only to machines infected with Conficker A, or to B and B++ machines that never received the C update.

[Figure: Microsoft-supplied diagram of how Conficker spreads]

LastWatchdog asked SRI’s Porras whether it was likely that a high percentage of B and B++ machines have been updated by now with Variant C. “More likely than not,” Porras replied.

What’s more, B and B++ machines, updated with Variant C, really do not need to use the web domain rendezvous points. Why? Because they can share files efficiently and privately via cloaked P2P communications, similar to how people share pirated music and movies.

“Early variants took care of propagation,” says Holly Stewart, IBM ISS threat response manager. “Conficker C is focused on staying put and keeping up communications channels.”

So what did the bad guys gain by going through all the trouble to construct a customized, proprietary P2P network from scratch?

“It is an alternate, harder to track and much harder to block mechanism for distributing malicious logic to the infected population,” says Porras. “It effectively gives the Conficker developers an overlay network with decentralized control.”

LastWatchdog scoop

You read it here first: The Conficker Cabal has figured out the algorithm the bad guys use to generate the daily list of 50,000 possible check-in points. Separately, OpenDNS, working in partnership with Kaspersky Labs, has also figured out this algorithm, says OpenDNS founder Ulevitch.

“We’ve known the 50,000 domains since March 25,” says Ulevitch.

OpenDNS is an alternative way for Internet users to navigate to websites. It is a free, advertising-supported service used by more than 10 million people, mostly in North America. Yesterday, OpenDNS began blocking all 50,000 domains Conficker PCs were scheduled to begin pinging on April 1. It will continue to block the new daily list each day for the coming week — and well beyond that. Ulevitch says OpenDNS will continue blocking all 50,000 domains, day-by-day, one week at a time, indefinitely.

“As long as we stay a week ahead, we’re in good shape,” Ulevitch told LastWatchdog. “We can generate them (daily list of 50,000 domains) as far out as 10 years if we want to.”

Ulevitch says this defense is unique to OpenDNS users, and that the Microsoft-led cabal has no way to similarly block 50,000 possible new check-in domains on a daily basis. The Cabal’s primary tactic has been to pre-register domains that turn up on the daily list, so the bad guys cannot use them as check-in points. It did this with the 250 daily check-in points prior to April 1, and presumably has stepped up this practice now that Conficker C machines can check in at any one of 50,000 new domains daily.

“Because we’re a DNS (domain name service) provider, OpenDNS can block the IPs of the 50,000 domains from resolving,” says Ulevitch. “The blocking is done at the DNS level. We’re in a unique and advantageous position to protect people.”

Could there be 26 million Conficker C-infected PCs?

Not long after Conficker C machines began executing the new call-home instructions yesterday, OpenDNS began to see tens of thousands of PCs checking in at the inaugural set of 50,000 new domains. Roughly 500,000 such queries were confirmed to come from Conficker C machines, the company says. OpenDNS counted every IP address that connected successfully with two of the rendezvous points and then stopped checking in; that check-in-twice-then-stop behavior was part of the instructions that came with the C update.

OpenDNS has between 10 million and 15 million users; the company jealously guards the exact number. That means it saw an infection rate among OpenDNS users of 3.3% to 5%. Extrapolating a conservative infection rate of 3.3% across the 800 million vulnerable Windows PCs suggests as many as 26 million PCs may be infected with Conficker C. And that doesn’t include Conficker A machines that never got the C update. Previous estimates of the total number of Conficker-infected PCs range from 3 million to 12 million.
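As an added example (not code from the article, OpenDNS or IBM), here is the DNS-level blocking and the check-in counting and extrapolation described above, run over a constructed resolver log. The daily domain list is supplied as a handful of placeholder names, since the article does not give the generation algorithm, and the log format and client IPs are assumptions.

```python
"""Constructed example: block a day's rendezvous domains at the resolver and
count infected clients the way the article says OpenDNS did.

Assumptions (not from the article): the daily list is an input set, log lines
read "<ts> <client_ip> <qname>", and a host counts as infected once it has
queried two distinct rendezvous domains (the check-in-twice-then-stop behavior
the article attributes to the C update).
"""
from collections import defaultdict

# Placeholder names standing in for one day's 50,000 generated domains.
RENDEZVOUS_TODAY = {"example-rv-1.test", "example-rv-2.test", "example-rv-3.test"}

# Constructed resolver query log: timestamp, client IP, queried name.
SAMPLE_LOG = """\
1238544000 198.51.100.10 www.example.com
1238544001 198.51.100.10 example-rv-1.test
1238544002 198.51.100.10 example-rv-2.test
1238544003 198.51.100.11 example-rv-3.test
1238544004 198.51.100.12 mail.example.org
1238544005 198.51.100.11 example-rv-1.test
1238544006 198.51.100.10 example-rv-3.test
"""

def parse_log(text):
    """Yield (client_ip, normalized qname) pairs from the constructed log format."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            yield parts[1], parts[2].lower().rstrip(".")

def resolve_policy(qname, blocklist=RENDEZVOUS_TODAY):
    """DNS-level block: refuse to resolve names on today's list, all else resolves."""
    return "BLOCK" if qname.lower().rstrip(".") in blocklist else "RESOLVE"

def count_checkins(text, blocklist=RENDEZVOUS_TODAY, needed=2):
    """Distinct clients that queried at least `needed` distinct rendezvous domains."""
    hits = defaultdict(set)
    for ip, qname in parse_log(text):
        if qname in blocklist:
            hits[ip].add(qname)
    return sum(1 for domains in hits.values() if len(domains) >= needed)

def extrapolate(infected, users, population):
    """Scale an observed infection rate to a larger population, as the article does.
    Returns (rate, estimated_infected)."""
    rate = infected / users
    return rate, round(rate * population)
```

With the article's figures, `extrapolate(500_000, 15_000_000, 800_000_000)` gives the 3.3% rate and roughly 26.7 million hosts the article rounds to 26 million.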

“I think the number of infections could be very much higher than 10 million,” Ulevitch told LastWatchdog. “Our users are no better or no worse than the general population, so if 500,000 of our users are infected, there’s got to be more infections than people have estimated.”

Here’s OpenDNS’s country-by-country breakdown of where it saw the 500,000 Conficker C machines checking in on April Fools’ Day:

[Figure: OpenDNS country-by-country breakdown of Conficker C check-ins, April 1]

Last week, IBM ISS began monitoring Conficker P2P chatter. Big Blue was able to do this after ace researcher Mark Yason cracked the worm’s cloaked P2P communications protocols. IBM initially chose not to release the total number of PCs it could see chattering on Conficker’s secret P2P net until the number stabilized.

But today, in this blog post, Stewart disclosed that as of noon EST, April 2, IBM could see 221,598 unique IP addresses engaging in Conficker P2P chatter. That number represents a steady rise from the 37,072 Conficker C machines IBM could see chattering on Monday, March 30.

Here’s IBM ISS’s country-by-country breakdown of where it can see Conficker P2P chatter.

[Figure: IBM ISS country-by-country map of observed Conficker P2P chatter]

–Byron Acohido