The evolution of an extraordinary globe-spanning worm

March 25th, 2009

Conficker timeline
2008 – 2009

See F-Secure’s comprehensive Conficker FAQ.

2008

Aug. 20: The Gimmiv Trojan, which exploited the vulnerability Conficker capitalises on, is first spotted running in a virtual machine on a server in South Korea. Experts speculate this was a test run prior to its release in the wild. (Source: BBC)

Sept. Chinese malware brokers are spotted selling a $37 tool kit that allows anyone to exploit this newly discovered security hole in a component of Windows, called RPC-DCOM, which enables file and print sharing. RPC-DCOM is built into all PCs of Windows XP vintage and earlier, some 800 million machines worldwide.

Sept. 29: Gimmiv is first seen in the wild infecting a PC in Hanoi, Vietnam. Over the next few weeks it manages to infect 200 more machines in 23 nations, most of them in Malaysia. Mistakes in the way it is coded limit its ability to spread. (Source: BBC)

Oct. 15. MIT’s Dr. Ronald Rivest publishes a cutting-edge security technique, called the “MIT MD6 hashing algorithm.”

Oct. 23. Microsoft issues a rare emergency patch for the RPC-DCOM vulnerability disclosed, and exploited, by the $37 malware kit.

Oct. 26: Word spreads about the $37 Chinese toolkit; its sellers are forced to give it away. The release of the exploit code prompts many to craft malware that can seek out machines with the bug. (Source: BBC)

Oct. – early Nov. Isolated Gimmiv attacks unfold against unpatched PCs in Asia. Sunbelt Software reverse engineers one of the early attacks in the wild. Sunbelt researcher Eric Sites discovers that Gimmiv installs a new Dynamic Link Library, or DLL, so that the next time the owner restarts his or her PC, a malicious Trojan takes root and continually runs in the background. Every 10 minutes it copies all registry information, all logons stored by the Web browser and a bunch of other information, and sends it back to the attacker.

Security experts begin to worry that someone will get the bright idea to create a self-replicating worm to seek out unpatched PCs. “If other bad people find out how to use this, we’re in big trouble,” Sites predicts. “A Blaster-type worm could be created very easily, and wreak havoc.”

Nov. 20. Conficker A, a self-replicating worm that scans Internet-wide for other unpatched PCs to infect, begins to spread.

Nov. 22. Microsoft issues a security alert recommending immediate patching.

Nov. 26. Conficker A’s “domain generation algorithm” activates. Infected PCs begin trying to contact a different set of 250 web domains daily for further instructions.

late Nov. Security firm Damballa issues a Conficker A census: 500,000 infected machines.

Dec. 1. Conficker A-infected machines check in at trafficconverter.biz, following instructions hard-coded into Conficker. “This was not part of the domain generation algorithm,” says F-Secure’s Patrik Runald. “It attempted to do a download but the file wasn’t there.”

Trafficconverter is a site well known for fake security products. It becomes the basis for naming the worm Conficker. Prior to this the worm had been referred to as Downadup.

Dec. 24 – Dec. 27. Research firm SRI issues a Conficker A census: 1.5 million infected machines.

late Dec. Conficker B begins spreading. It incorporates the MIT MD6 hashing algorithm to obscure all communications moving between infected PCs and the rendezvous points. This is done to prevent rival botnet groups from taking control; it also prevents security firms from inserting instructions to disinfect PCs.

Dec. 29. Sheffield hospitals in the UK confirm that 800 of their computers are infected. (Source: BBC)

2009

Jan. 1. Conficker B initiates its own domain generation logic; infected PCs begin checking in at different sets of 250 rendezvous points.

Jan. 6: The UK’s Ministry of Defence suffers its first infections. It takes the department two weeks to clear up the damage. (Source: BBC)

Jan. 11: Microsoft updates its cleanup tool so that it can scan for and clean up early variants of Conficker.

Jan. 15. MIT discloses a security hole in its cutting-edge MIT MD6 hashing algorithm and also delivers the patch. This means the coding used to obscure communications in Conficker A and Conficker B, unless patched, is vulnerable to hacks.

mid Jan. to early Feb. The population of machines infected with Conficker A and Conficker B explodes, grabbing news headlines. Estimates range from 3 million to 12 million machines infected.

Feb. 12. Microsoft forms the Conficker Cabal and offers a $250,000 bounty for information leading to the arrest of Conficker’s creators.

Feb. 16. Conficker.B++ is spotted for the first time. Its protocol seems to be a direct response to the Cabal’s efforts to disable Conficker’s communications strategy. It no longer needs to contact internet rendezvous points for updates; instead, these can be flashed centrally from any internet address. (Source: BBC)

mid Feb. – Mar. The Cabal works to stop PCs from connecting to the daily list of 250 rendezvous points. This is accomplished by registering the known set of Conficker A and Conficker B domains, at least those that aren’t already registered.

Mar. 5. Conficker C begins updating all PCs infected with Conficker B and B++. Conficker C halts the Internet-wide scanning; it organizes the infected PCs into P2P networks; and it embeds instructions for each infected PC to begin, on April 1, checking a random group of 500 rendezvous points selected from 50,000 domains. Finally, Conficker C also patches the security hole in the MIT MD6 hashing algorithm.

early March. While working on this 60 Minutes feature story, CBS News gets hit by Conficker, causing major disruption.

Mar. 31. IBM announces that it has cracked Conficker’s customized P2P client and can see Conficker P2P signatures across the globe. Asia has 45% of infections; Europe 32%; South America 14%; North America 6%.

Apr. 1. All PCs updated with Conficker C begin checking 500 rendezvous points randomly selected from 50,000 web addresses for further instructions.

Apr. 8. An update begins spreading via P2P to Conficker C machines. The update begins propagation anew, covers its tracks better, and installs Waledac antivirus pitches.
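As an added illustration (not part of the original timeline), the toy generator below shows the defender’s arithmetic behind the Cabal’s pre-registration tactic: with 250 candidate domains a day the whole set can be registered in advance, but once Conficker C draws 500 at random from 50,000, the defender must hold all 50,000 to be sure of intercepting anything. The date-seeded algorithm, TLD list and seed values are constructed assumptions, not Conficker’s real algorithm.

```python
import hashlib
import random

# Constructed stand-in for the worm's date-seeded generator; Conficker's real
# algorithm is NOT reproduced here. The property that matters to a defender is
# shared: anyone holding the algorithm and the date can compute the full daily
# candidate set ahead of time and register or sinkhole it before bots ask.
TLDS = ("com", "net", "org", "info", "biz")  # constructed list


def candidate_domains(day_iso, pool_size):
    """Deterministic candidate set for one calendar day (toy DGA)."""
    names = []
    for i in range(pool_size):
        digest = hashlib.sha256(f"{day_iso}:{i}".encode()).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:10])
        names.append(f"{label}.{TLDS[digest[10] % len(TLDS)]}")
    return names


def bot_contact_list(day_iso, pool_size, contacted, seed):
    """Domains one infected host actually tries that day. A/B: all 250 of 250;
    C: 500 picked at random from a pool of 50,000 (timeline, Apr. 1)."""
    rng = random.Random(seed)  # the bot's own randomness, unknown to defenders
    return rng.sample(candidate_domains(day_iso, pool_size), contacted)


def sinkhole_plan(day_iso, pool_size, already_registered):
    """Defender's view of the Cabal's tactic: every candidate not already
    registered must be registered today. Returns (to_register, contested)."""
    pool = set(candidate_domains(day_iso, pool_size))
    contested = pool & already_registered
    return pool - contested, contested


def coverage(day_iso, pool_size, contacted, defender_held, seed):
    """Share of one bot's real contact attempts that land on defender domains."""
    tries = bot_contact_list(day_iso, pool_size, contacted, seed)
    return sum(1 for d in tries if d in defender_held) / contacted


if __name__ == "__main__":
    day = "2009-04-01"
    for variant, pool, contacted in (("A/B", 250, 250), ("C", 50_000, 500)):
        to_register, _ = sinkhole_plan(day, pool, set())
        # The bot touches only `contacted` names, but the defender cannot know
        # which ones, so the daily registration workload is the whole pool.
        print(f"Conficker {variant}: bot tries {contacted}, "
              f"defender must register {len(to_register)} domains")
```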

Researched by LastWatchdog. Gratitude extended to Microsoft, SRI International, SecureWorks, F-Secure, Sunbelt Software, Kaspersky Lab, Fortify Software, Arbor Networks, Lumension, Damballa, Sophos, IBM ISS, Trend Micro.

Razvan Stoica
Guest

Shameless plug follows:

We’ve released free tools that reliably wipe Conficker.
The tools can even be deployed over an enterprise network.

MNPundit
Guest

Why can’t western hackers ever develop something this nasty to be used on Chinese or Russian machines?

I feel so inadequate.

King
Guest
Excellent timeline and summary. One small nit: MD6 is a hashing algorithm, not an encryption algorithm. MD6 does not encrypt anything itself, it produces a short signature of its input. Two inputs that hash to the same value are extremely likely to be the same inputs (multiple inputs exist that will hash to the same value, but if the hash is secure, it is not possible to purposely create another input that hashes to a specific output value). Hashes are used to guarantee the payload has not been modified. Conficker probably uses MD6 to verify its updates, but encrypting the…
caffeine head
Guest

It’s good at least that there was advance warning for the Conficker worm; I’m sure a lot of people were spared a lot of hardship because of this.

Free Microsoft Points
Guest

There will continue to be viruses and trojans etc. for many years because as technology grows on developing patches for infectious viruses and so, viruses and so will also get tougher and tougher.

Free Wii Points
Guest

Only gonna get worse, the further we depend on computers, the more dangerous these hackers become.

bodo unger
Guest

The writer of the Conficker virus is Mario Fiege, a German in the Philippines. He is working with glavmed.com.stimul-cash.com, rx-promotion.com, spamit.com. He is pretending to be a Russian on the internet while hacking domains, hijacking forums and sending millions of email spam out of malware ghettos like asian.
He is using proxyway.com

Cory Dennington
Guest

Who is Mario Fiege? And is he in jail at this time?

Bodo Unger
Guest

He was in jail between the updates.

Bodo Unger
Guest

If you want to trace him, just monitor my IP, you should have it, he is permanently hacking me.
You also can find him in pharmacy spam forums like: forum.ea.com/
or search for drolux + pharmacy.
I know where he is, I just can not catch him alone, I need some help to bring him to a US or German base.

cory dennington
Guest

I do not have your IP. Send it to me via email or Facebook please.
