The evolution of an extraordinary globe-spanning worm

March 25th, 2009

Conficker timeline
2008 – 2009

See F-Secure’s comprehensive Conficker FAQ for background on the worm.

2008

Aug. 20: The Gimmiv Trojan, which exploited the same vulnerability Conficker later capitalises on, is first spotted running in a virtual machine on a server in South Korea. Experts speculate this was a test run prior to its release in the wild. (Source: BBC)

Sept. Chinese malware brokers are spotted selling a $37 tool kit that allows anyone to exploit this newly discovered security hole in a component of Windows, called RPC-DCOM, which enables file and print sharing. RPC-DCOM is built into all PCs of Windows XP vintage and earlier, some 800 million machines worldwide.

Sept. 29: Gimmiv is first seen in the wild, infecting a PC in Hanoi, Vietnam. Over the next few weeks it manages to infect 200 more machines in 23 nations, most of them in Malaysia. Mistakes in the way it is coded limit its ability to spread. (Source: BBC)

Oct. 15. MIT’s Dr. Ronald Rivest publishes a cutting-edge hashing technique, called the “MIT MD6 hashing algorithm.”

Oct. 23. Microsoft issues a rare emergency (out-of-band) patch for the RPC-DCOM vulnerability that the $37 malware kit disclosed and exploited.

Oct. 26: Word spreads about the $37 Chinese toolkit; its sellers are forced to give it away. The release of the exploit code prompts many to craft malware that can seek out machines with the bug. (Source: BBC)

Oct. – early Nov. Isolated Gimmiv attacks unfold against unpatched PCs in Asia. Sunbelt Software reverse engineers one of the early attacks in the wild. Sunbelt researcher Eric Sites discovers that Gimmiv installs a new Dynamic Link Library, or DLL, so that the next time the owner restarts his or her PC, a malicious Trojan takes root and continually runs in the background. Every 10 minutes, it copies all registry information, all logons stored by the Web browser and a bunch of other information, and sends it back to the attacker.

Security experts begin to worry that someone will get the bright idea to create a self-replicating worm to seek out unpatched PCs. “If other bad people find out how to use this, we’re in big trouble,” Sites predicts. “A Blaster-type worm could be created very easily, and wreak havoc.”

Nov. 20. Conficker A, a self-replicating worm that scans Internet-wide for other unpatched PCs to infect, begins to spread.

Nov. 22. Microsoft issues a security alert recommending immediate patching.

Nov. 26. Conficker A’s “domain generation algorithm” activates. Each day, infected PCs begin trying to contact a different set of 250 domains, computed from the date, for further instructions.

late Nov. Security firm Damballa issues a Conficker A census: 500,000 infected machines.

Dec 1. Conficker A-infected machines check in at trafficconverter.biz, following instructions hard-coded into Conficker. “This was not part of the domain generation algorithm,” says F-Secure’s Patrik Runald. “It attempted to do a download but the file wasn’t there.”

Trafficconverter is a site well known for fake security products. It becomes the basis for naming the worm Conficker. Prior to this the worm had been referred to as Downadup.

Dec. 24 – Dec. 27. Research firm SRI issues a Conficker A census: 1.5 million infected machines.

late Dec. Conficker B begins spreading. It incorporates the MIT MD6 hashing algorithm to protect the communications moving between infected PCs and the rendezvous points, so that only updates produced by the worm’s authors are accepted. This is done to prevent rival botnet groups from taking control; it also prevents security firms from inserting instructions to disinfect PCs.

Dec. 29. Sheffield hospitals in the UK confirm that 800 of their computers are infected. (Source: BBC)

2009

Jan. 1. Conficker B initiates its own domain generation logic; infected PCs begin checking in at different daily sets of 250 rendezvous points.

Jan 6: The UK’s Ministry of Defence suffers its first infections. It takes the department two weeks to clear up the damage. (Source: BBC)

Jan. 11: Microsoft updates its malware cleanup tool so that it can scan for and remove the early variants of Conficker.

Jan. 15. MIT discloses a security hole in its cutting-edge MD6 hashing code and also delivers the patch. This means the MD6 code embedded in Conficker A and Conficker B to protect their communications, unless patched, carries the same flaw and is open to attack.

mid Jan. to early Feb. The population of machines infected with Conficker A and Conficker B explodes, grabbing news headlines. Estimates range from 3 million to 12 million infected machines.

Feb. 12. Microsoft forms the Conficker Cabal and offers a $250,000 bounty for information leading to the arrest of Conficker’s creators.

Feb 16. Conficker.B++ is spotted for the first time. Its protocol seems to be a direct response to the Cabal’s efforts to disable Conficker’s communications strategy. It no longer needs to contact Internet rendezvous points for updates; instead, updates can be pushed to it centrally from any Internet address. (Source: BBC)

mid Feb. – Mar. The Cabal works to stop infected PCs from connecting to the daily list of 250 rendezvous points. Because the domain generation algorithm is seeded only by the date, the Cabal can compute each day’s list in advance; it blocks them by registering the known set of Conficker A and Conficker B domains, at least those that aren’t already registered.

Mar. 5. Conficker C begins updating all PCs infected with Conficker B and B++. Conficker C halts the Internet-wide scanning; it organizes the infected PCs into P2P networks; and it embeds instructions for each infected PC, starting April 1, to check a random group of 500 rendezvous points selected from a daily pool of 50,000 domains, which makes pre-registering every possible domain far more expensive for defenders. Finally, Conficker C also patches the security hole in the MIT MD6 hashing algorithm.

early March. While working on a 60 Minutes feature story about the worm, CBS News gets hit by Conficker, causing major disruption.

Mar. 31. IBM announces that it has cracked Conficker’s customized P2P client and can now see Conficker P2P signatures across the globe. Asia accounts for 45% of infections; Europe 32%; South America 14%; North America 6%.

Apr. 1. All PCs updated with Conficker C begin checking 500 rendezvous points randomly selected from each day’s pool of 50,000 web addresses for further instructions.
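The domain generation scheme described in the Nov. 26, Jan. 1, mid Feb. and Mar. 5 entries, and the Cabal’s counter to it, can be illustrated with a toy date-seeded DGA. The code below is an added example written for this page; it is not Conficker’s algorithm and not code from any of the firms credited here. The seed value, the use of SHA-256, the label lengths, the TLD list and the DNS log format are all assumptions made for illustration. It shows three things a defender cares about: that a date-only seed lets anyone with the algorithm compute the day’s list ahead of time, how the registration burden jumps from 250 to 50,000 names per day under the C-style scheme, and how the computed list can be matched against DNS query logs to spot infected hosts.

```python
"""Toy date-seeded domain generation algorithm (DGA) plus the defender's
side: pre-computation, registration cost and DNS-log detection.

Added illustration for this page.  NOT Conficker's real algorithm: the seed,
hash, label lengths, TLDs and log format below are assumptions."""
from __future__ import annotations

import hashlib
import random
from datetime import date

SEED = b"illustrative-seed"                   # assumed; a real worm hides its own
TLDS = ("com", "net", "org", "info", "biz")    # assumed list, not the worm's


def daily_pool(day: date, pool_size: int) -> list[str]:
    """Every domain a bot could pick on `day`.

    The only inputs are the calendar date and an index, so anyone holding the
    algorithm (the Cabal, once the worm was reverse engineered) can compute the
    identical list in advance and register the names first."""
    domains = []
    for i in range(pool_size):
        digest = hashlib.sha256(
            SEED + day.isoformat().encode() + i.to_bytes(4, "big")
        ).digest()
        length = 8 + digest[0] % 5                                  # 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def bot_contact_list(day: date, pool_size: int, contacts: int, rng_seed: int) -> list[str]:
    """What one infected PC actually queries on `day`.

    A/B-style: contacts == pool_size (every one of the 250 names).
    C-style:   a random 500 out of a 50,000-name pool; each bot's sample
    differs, but all samples lie inside the same pre-computable pool."""
    rng = random.Random(rng_seed)              # seeded only so the example is repeatable
    return rng.sample(daily_pool(day, pool_size), contacts)


def registrations_needed(pool_size: int, days: int) -> int:
    """Names a defender must register to cover every rendezvous point for
    `days` days.  The bot needs one live name; the defender needs all of them."""
    return pool_size * days


def suspect_hosts(log_lines: list[str], day: date, pool_size: int) -> set[str]:
    """Detection: client IPs whose DNS queries hit the day's computed pool.

    Log lines use the constructed format 'timestamp client-ip query <name>'."""
    pool = set(daily_pool(day, pool_size))
    hits = set()
    for line in log_lines:
        parts = line.split()
        if len(parts) == 4 and parts[2] == "query" and parts[3].lower().rstrip(".") in pool:
            hits.add(parts[1])
    return hits


# Constructed sample DNS log for 1 April 2009 (not real traffic).  The first
# two names are drawn from the toy pool; the third is benign.
DAY = date(2009, 4, 1)
SAMPLE_DNS_LOG = [
    f"2009-04-01T00:03:11Z 10.0.0.17 query {daily_pool(DAY, 250)[3]}",
    f"2009-04-01T00:03:12Z 10.0.0.17 query {daily_pool(DAY, 250)[7]}",
    "2009-04-01T00:04:00Z 10.0.0.9 query www.example.com",
]

if __name__ == "__main__":
    ab_style = bot_contact_list(DAY, 250, 250, rng_seed=1)
    c_style = bot_contact_list(DAY, 50_000, 500, rng_seed=1)
    print(f"A/B: {len(ab_style)} names/day to block, "
          f"{registrations_needed(250, 30)} per 30 days")
    print(f"C:   each bot queries {len(c_style)} names, but blocking needs "
          f"{registrations_needed(50_000, 30)} registrations per 30 days")
    print("hosts querying DGA names:", suspect_hosts(SAMPLE_DNS_LOG, DAY, 250))
```

The point of `registrations_needed` is the asymmetry the Mar. 5 entry describes: the Cabal could afford 250 registrations a day, but 50,000 a day across many registries is a different undertaking, even though the algorithm itself is no harder to pre-compute. `suspect_hosts` is the cheap win that remains available either way: once the pool is computable, a resolver log can be searched for clients querying names from it.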

Apr. 8. An update begins spreading via P2P to Conficker C machines. The update restarts propagation, covers its tracks better, and installs the Waledac malware along with fake antivirus pitches.

Researched by LastWatchdog. Gratitude extended to Microsoft, SRI International, SecureWorks, F-Secure, Sunbelt Software, Kaspersky Lab, Fortify Software, Arbor Networks, Lumension, Damballa, Sophos, IBM ISS, Trend Micro.