Posted on April 2, 2009
The Microsoft-supplied diagram (shown below) depicting how Conficker spreads is accurate, but dated, and therefore somewhat misleading.
The latest version of Conficker, Variant C, is not looking for unpatched Windows PCs to infect, according to SRI International and IBM ISS.
The bad guys appear to have infected more PCs than they can productively manage, perhaps well over 10 million, according to OpenDNS founder David Ulevitch.
Conficker C first appeared on March 5. Its singular purpose is to connect with — and install updates on — PCs previously infected with variants B and B++, says Philip Porras, program manager at SRI.
For weeks prior to the arrival of Conficker C, machines infected with B and B++ had been regularly checking 250 new web addresses each day for new instructions. The good guys, namely the Microsoft-directed Conficker Cabal, hustled to cut off access to the fresh list of 250 rendezvous points popping up daily. But on March 5 the bad guys managed to gain control of one or more of the rendezvous points for that day and pass along Conficker C to B and B++ machines, says Porras.
Keep in mind that Conficker C only reached PCs infected with variants B and B++. It did not reach machines infected with Variant A. Those machines reported daily to a completely different set of 250 web addresses. Score that one for the good guys. “We have no evidence an A rendezvous point was seeded with Conficker C,” says Porras.
50,000 new check-in points daily
Not only does Conficker C lack any self-propagating mechanisms, it actually shuts down the spreading mechanisms in B and B++ machines. It installs new instructions to check in at 500 rendezvous points, selected randomly from a list of 50,000 web domains; this list reconstitutes every 24 hours with 50,000 new rendezvous points.
This new check-in routine commenced yesterday, April 1. And finally, Conficker C installed a customized peer-to-peer, or P2P, network, enabling all B and B++ machines to secretly communicate and share files, and easily cleave through most corporate perimeter defenses, such as firewalls, traffic sniffers and intrusion detection systems.
Therefore, the spreading mechanisms diagrammed below would seem to apply only to machines infected with Conficker A, or to B and B++ machines that never received the C update.
LastWatchdog asked SRI’s Porras whether it was likely that a high percentage of B and B++ machines have by now been updated with Variant C. “More likely than not,” Porras replied.
What’s more, B and B++ machines updated with Variant C really do not need to use the web domain rendezvous points. Why? Because they can share files efficiently and privately via cloaked P2P communications, similar to how people share pirated music and movies.
“Early variants took care of propagation,” says Holly Stewart, IBM ISS threat response manager. “Conficker C is focused on staying put and keeping up communications channels.”
So what did the bad guys gain by going through all the trouble to construct a customized, proprietary P2P network from scratch?
“It is an alternate, harder to track and much harder to block mechanism for distributing malicious logic to the infected population,” says Porras. “It effectively gives the Conficker developers an overlay network with decentralized control.”
You read it here first: The Conficker Cabal has figured out the algorithm the bad guys use to generate the daily list of 50,000 possible check-in points. Separately, OpenDNS, working in partnership with Kaspersky Labs, has also figured out this algorithm, says OpenDNS founder Ulevitch.
“We’ve known the 50,000 domains since March 25,” says Ulevitch.
OpenDNS is an alternative way for Internet users to navigate to websites. It is a free, advertising-supported service used by more than 10 million people, mostly in North America. Yesterday, OpenDNS began blocking all 50,000 domains Conficker PCs were scheduled to begin pinging on April 1. It will continue to block the new daily list each day for the coming week — and well beyond that. Ulevitch says OpenDNS will continue blocking all 50,000 domains, day by day, one week at a time, indefinitely.
“As long as we stay a week ahead, we’re in good shape,” Ulevitch told LastWatchdog. “We can generate them (daily list of 50,000 domains) as far out as 10 years if we want to.”
Ulevitch says this defense is unique to OpenDNS users, and that the Microsoft-led cabal has no way to similarly block 50,000 possible new check-in domains on a daily basis. The Cabal’s primary tactic has been to pre-register domains that turn up on the daily list, so the bad guys cannot use them as check-in points. It did this with the 250 daily check-in points prior to April 1, and presumably has stepped up this practice now that Conficker C machines can check in at any one of 50,000 new domains daily.
“Because we’re a DNS (domain name service) provider, OpenDNS can block the IPs of the 50,000 domains from resolving,” says Ulevitch. “The blocking is done at the DNS level. We’re in a unique and advantageous position to protect people.”
Could there be 26 million Conficker C-infected PCs?
Not long after Conficker C machines began executing the new call-home instructions yesterday, OpenDNS began to see tens of thousands of PCs checking in at the inaugural set of 50,000 new domains. Roughly 500,000 such queries were confirmed to come from Conficker C machines, the company says. OpenDNS counted every IP address that connected successfully with two of the rendezvous points and then stopped checking in, behavior that was part of the instructions that came with the C update.
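As an added illustration of the DNS-layer defense and the counting method described above (not code from OpenDNS, SRI, IBM or the cabal), the script below precomputes a week of daily domain lists, treats them as a resolver blocklist, and counts the unique client IPs that try to look those names up. The domain generator is a deterministic placeholder chosen for this example, not Conficker's real algorithm, and the query log lines are constructed; the rendezvous names, IP addresses and log format are all assumptions.

```python
"""Added example: block a precomputed daily domain list at the DNS layer and
count the unique clients that look those names up. The generator below is a
deterministic stand-in, NOT Conficker's actual domain algorithm."""
from __future__ import annotations

import hashlib
from collections import Counter
from datetime import date, timedelta
from typing import Iterable

TLDS = ("com", "net", "org", "info", "biz")


def daily_blocklist(day: date, count: int = 50_000) -> set[str]:
    """Placeholder per-day rendezvous list (assumption: not the worm's real
    algorithm). What matters for the defender is that it depends only on the
    date, so the list for any future day can be computed in advance."""
    names: set[str] = set()
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).hexdigest()
        names.add(f"{digest[:10]}.{TLDS[int(digest[-1], 16) % len(TLDS)]}")
    return names


def blocklist_for_window(start: date, days: int = 7) -> set[str]:
    """Union of the daily lists for `days` consecutive days: 'a week ahead'."""
    return set().union(*(daily_blocklist(start + timedelta(days=i)) for i in range(days)))


def parse_query_log(lines: Iterable[str]) -> list[tuple[str, str]]:
    """Parse constructed 'timestamp client_ip qname qtype' lines into
    (client_ip, qname); malformed lines are skipped, names are normalised."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        records.append((parts[1], parts[2].rstrip(".").lower()))
    return records


def blocked_lookups(lines: Iterable[str], blocklist: set[str]) -> Counter:
    """Count lookups of blocked names per client IP. The keys are the unique
    clients that tried to reach a rendezvous point, which is the figure the
    post's infection counts are based on; a resolver in this position would
    answer those queries with NXDOMAIN or a sinkhole address."""
    hits: Counter = Counter()
    for client, qname in parse_query_log(lines):
        if qname in blocklist:
            hits[client] += 1
    return hits


# Constructed sample log: three names from the 2009-04-01 list stand in for
# rendezvous points, mixed with ordinary traffic and one malformed line.
DAY = date(2009, 4, 1)
RENDEZVOUS = sorted(daily_blocklist(DAY, 500))[:3]
SAMPLE_LOG = [
    f"2009-04-01T00:00:05 192.0.2.10 {RENDEZVOUS[0]} A",
    f"2009-04-01T00:00:09 192.0.2.10 {RENDEZVOUS[1]} A",  # second hit, then quiet
    "2009-04-01T00:01:00 192.0.2.10 www.example.com A",    # benign lookup
    f"2009-04-01T00:02:30 192.0.2.11 {RENDEZVOUS[2]}. A",  # trailing dot, normalised
    "2009-04-01T00:03:00 192.0.2.12 mail.example.org MX",  # clean host
    "malformed line",
]
WEEK_BLOCKLIST = blocklist_for_window(DAY)


def main() -> None:
    hits = blocked_lookups(SAMPLE_LOG, WEEK_BLOCKLIST)
    print(f"blocklist covers {len(WEEK_BLOCKLIST)} names for the week from {DAY}")
    print(f"{len(hits)} unique clients hit blocked names: {dict(hits)}")


if __name__ == "__main__":
    main()
```

Two clients (192.0.2.10 and 192.0.2.11) show up as hitting blocked names; the third client and the benign lookups do not. Extending the window from 7 days to any larger number is what "generating them as far out as 10 years" amounts to, since the list depends only on the date.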
OpenDNS has between 10 million and 15 million users; the company jealously guards the exact number. That means it saw an infection rate among OpenDNS users of 3.3% to 5%. Extrapolating a conservative infection rate of 3.3% across the 800 million vulnerable Windows PCs suggests as many as 26 million PCs may be infected with Conficker C. And that doesn’t include Conficker A machines that never got the C update. Previous estimates of the total number of Conficker-infected PCs range from 3 million to 12 million.
“I think the number of infections could be very much higher than 10 million,” Ulevitch told LastWatchdog. “Our users are no better or no worse than the general population, so ifÃ‚Â 500,000 of our users are infected, there’s got to be more infections than people have estimated.”
Here’s OpenDNS’s country-by-country breakdown of where it saw the 500,000 Conficker C machines checking in on April Fools’ Day:
Last week, IBM ISS began monitoring Conficker P2P chatter. Big Blue was able to do this after ace researcher Mark Yason cracked the worm’s cloaked P2P communications protocols. IBM initially chose not to release the total number of PCs it could see chattering on Conficker’s secret P2P net until the number stabilized.
But today, in this blog post, Stewart disclosed that as of noon EST, April 2, IBM could see 221,598 unique IP addresses engaging in Conficker P2P chatter. That number represents a steady rise from the 37,072 Conficker C machines IBM could see chattering on Monday, March 30.
Here’s IBM ISS’s country-by-country breakdown of where it can see Conficker P2P chatter.