FAQ — The Ominous Downadup/Conficker worm

The creators/controllers of the unnerving Downadup/Conficker worm that continues to spread, mostly via unpatched Windows PCs inside corporate networks, have been very good about holding their cards close, giving few hints of how they plan to use a botnet of several million infected PCs. Here’s an FAQ I’ve assembled, derived from interviews with F-Secure’s Patrik Runald, Secureworks’ Don Jackson, Arbor Networks’ Jose Nazario, Sunbelt Software’s Eric Sites and Panda Security’s Inaki Urzay.

Q. How did Downadup/Conficker originate?

A. Around last September, as everyone focused on the crashing financial markets, a self-spreading Windows OS infection began hitting a few PCs in China. The attacker took advantage of a zero-day flaw – one for which no patch existed. The flaw was in a component called RPC-DCOM that’s built into all Windows PCs of XP or earlier vintage, some 800 million machines worldwide.

(A bit of cybercrime history: Back in August 2003, an attacker exploited a similar RPC-DCOM flaw to release the MSBlast worm that circled the globe, infecting 25 million PCs in six months, and very likely contributing to a major East Coast blackout. MSBlast’s creator was motivated mainly by ego; he famously included this portentous message in the malware’s code: “billy gates why do you make this possible? stop making money and fix your software!!”)

Fast forward to 2008. Soon after the initial trial variant of the 2008 RPC-DCOM worm began spreading in China, Microsoft took notice. The software giant considered the threat serious enough to push out a rare emergency patch last October. Microsoft typically issues security patches on Patch Tuesday, the second Tuesday of the month. As many feared, the worm’s creators were just getting started. Improved variants began circulating in November and December, spreading on a limited basis, mostly in Asia.

Most home PC users in North America got patched quickly, via Windows Auto Update. But many corporations have been much more methodical about patching workplace desktops and servers, concerned about the track record of Windows-level patches tending to break mission-critical business applications. In China and other nations where pirated copies of Windows are widely used, patches simply weren’t available for tens of millions of PCs.

Then on Jan. 7, a full-featured version of the worm began to swarm across the Internet, searching out unpatched PCs. This worm was nothing like the crude, self-spreading worms deployed by script kiddies, like Jeanson Ancheta, a few years ago. Once an infection reaches a corporate PC sitting behind a firewall, other sophisticated features of the worm activate; these features are expressly designed to spread the worm rapidly throughout corporate networks, and prevent infected PCs from being cleaned up.

Q: Why has Downadup/Conficker spread so far and wide?

A: To this point, the worm has been a two-trick pony: it spreads itself, and then it prevents infected PCs from being cleaned up. Once implanted, the worm searches out nearby servers and executes a brute force password breaking program to get access. It also spreads itself to any shared hard drives. What’s more, it makes a copy of itself on any device plugged into a USB port, such as any thumb drives, music players, or digital cameras. When that infected device is later plugged into another PC, it infects that machine, which then begins to similarly spread more infections. This is reportedly how the French Navy got infected.
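The brute-force step described above is usually the first thing a defender can see in server logs: a burst of failed logons from a single workstation against a single server, cycling through many account names, sometimes followed by a success. The Python below is an added example, not code from the original post or from any of the vendors quoted. It parses a constructed log sample in a simple key=value format (not real Windows event text), counts failures per source/target pair inside a sliding one-minute window, and flags pairs that cross a threshold, recording whether a successful logon from the same source followed the burst.

```python
"""Flag sources that burst failed logons against a server (constructed sample, not real event text)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: WKS-017 cycles through account names against FILESRV01 and then
# logs on successfully; WKS-042 and WKS-099 look like ordinary users mistyping a password.
SAMPLE_LOG = """\
2009-01-07T09:00:01 src=WKS-017 dst=FILESRV01 user=administrator result=FAILURE
2009-01-07T09:00:02 src=WKS-017 dst=FILESRV01 user=administrator result=FAILURE
2009-01-07T09:00:02 src=WKS-017 dst=FILESRV01 user=admin result=FAILURE
2009-01-07T09:00:03 src=WKS-017 dst=FILESRV01 user=backup result=FAILURE
2009-01-07T09:00:04 src=WKS-017 dst=FILESRV01 user=test result=FAILURE
2009-01-07T09:00:05 src=WKS-017 dst=FILESRV01 user=guest result=FAILURE
2009-01-07T09:00:06 src=WKS-017 dst=FILESRV01 user=jsmith result=SUCCESS
2009-01-07T09:01:10 src=WKS-042 dst=FILESRV01 user=jdoe result=FAILURE
2009-01-07T09:01:30 src=WKS-042 dst=FILESRV01 user=jdoe result=SUCCESS
2009-01-07T09:02:00 src=WKS-099 dst=FILESRV02 user=admin result=FAILURE
2009-01-07T09:02:01 src=WKS-099 dst=FILESRV02 user=admin result=FAILURE
2009-01-07T09:02:02 src=WKS-099 dst=FILESRV02 user=admin result=FAILURE
"""

LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) user=(\S+) result=(FAILURE|SUCCESS)$")


def parse_line(line):
    """Return (timestamp, src, dst, user, result), or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, src, dst, user, result = m.groups()
    return datetime.fromisoformat(ts), src, dst, user, result


def find_bruteforce_sources(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {(src, dst): summary} for pairs with >= threshold failures inside `window`.

    The summary holds the failure count, the distinct accounts tried, and whether a
    successful logon from the same source followed the burst (the case that matters
    most: the guessing worked and the host should be isolated).
    """
    recent = defaultdict(deque)   # (src, dst) -> failure timestamps still inside the window
    accounts = defaultdict(set)   # (src, dst) -> account names tried
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ts, src, dst, user, result = rec
        key = (src, dst)
        if result == "FAILURE":
            q = recent[key]
            q.append(ts)
            accounts[key].add(user)
            while q and ts - q[0] > window:   # slide the window forward
                q.popleft()
            if len(q) >= threshold:
                flagged[key] = {
                    "failures": len(q),
                    "accounts": sorted(accounts[key]),
                    "success_after": flagged.get(key, {}).get("success_after", False),
                }
        elif key in flagged:                   # a SUCCESS after a flagged burst
            flagged[key]["success_after"] = True
    return flagged


if __name__ == "__main__":
    for (src, dst), info in find_bruteforce_sources(SAMPLE_LOG).items():
        print(f"{src} -> {dst}: {info['failures']} failures, accounts={info['accounts']}, "
              f"logon succeeded afterwards={info['success_after']}")
```

The threshold and window are the knobs to tune against your own baseline; the "success after burst" flag is what should page someone, because it means the source host now has credentials for the server.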

Q: How many PCs are infected?

A: At least 1 million, perhaps as many as 12 million Windows PCs are now Downadup/Conficker bots. Security researchers differ on how to extrapolate some of the numbers intercepted from a counting mechanism that’s part of the worm. By comparison, the Storm worm that spread via viral spam messages in 2007 is believed to have peaked at about 1 million botted PCs.

Q: What happens to the infected PC?

A: It becomes a bot, and continues spreading. So far, nothing beyond that. That is what makes Downadup/Conficker so unnerving. At least once a day, each infected machine tries to connect sequentially with a list of 250 domains for further instructions. Each day this list of 250 domains — each one a potential command and control server — changes. Tech vendors have figured out the simple algorithm the bad guys are using to derive this daily list. Kaspersky, F-Secure, Secureworks and Sophos have begun registering some domains to cut off the bad guys from sending instructions via those domains.

Yet there is no way to register all potential domains the controllers could use. At 250 new domains a day, that’s 2,500 in 10 days, 5,000 in 20 days, and so on. It’s probably a good bet that the worm’s controllers have already registered certain domains they intend to use at some point in the future to relay updates and more commands to each infected PC. In effect, the controllers can, at any time, deploy parts, or all, of a massive botnet, 1 million to 12 million strong, to do their bidding.
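The same predictability that lets vendors register a few of the day’s domains also lets any network defender precompute the day’s list and match it against DNS query logs, which finds infected hosts inside the network before any command ever arrives. The Python below is an added example, not code from this post or from any vendor named in it. Its `daily_domains` function is a hypothetical stand-in generator (a hash of a fixed seed and the date), not the algorithm the worm actually uses; it only reproduces the property that matters here, that anyone who knows the generator can list a day’s 250 names in advance. The DNS log, client addresses and suffix list are constructed. It also tallies the cumulative total from the arithmetic above.

```python
"""Precompute a day's domain list from a stand-in generator and match it against DNS query logs."""
import hashlib
from collections import defaultdict
from datetime import date, timedelta

DOMAINS_PER_DAY = 250
TLDS = ("com", "net", "org")          # constructed choice of suffixes


def daily_domains(day, count=DOMAINS_PER_DAY, seed=b"stand-in-seed"):
    """Hypothetical stand-in generator: `count` deterministic names derived from the date.

    NOT the worm's real algorithm; only the defender-relevant property is kept:
    the list for any date can be computed ahead of time.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(2, "big")).digest()
        length = 8 + digest[0] % 5                          # 8 to 12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[13] % len(TLDS)]}")
    return names


def cumulative_domains(days, per_day=DOMAINS_PER_DAY):
    """Total candidate names a defender would have to cover over `days` days."""
    return per_day * days


def find_infected_hosts(dns_log, start_day, days_ahead=1):
    """Return {client: [matched names]} for clients that queried any name on the watch list.

    The watch list covers start_day plus the next days_ahead - 1 days, so a list
    computed once also catches hosts whose clocks run a little ahead.
    """
    watch = {}
    for offset in range(days_ahead):
        day = start_day + timedelta(days=offset)
        for name in daily_domains(day):
            watch[name] = day
    hits = defaultdict(set)
    for line in dns_log.splitlines():
        parts = line.split()
        if len(parts) != 3:            # constructed format: timestamp client qname
            continue
        _ts, client, qname = parts
        qname = qname.rstrip(".").lower()   # normalise trailing dot and case
        if qname in watch:
            hits[client].add(qname)
    return {client: sorted(names) for client, names in hits.items()}


# Constructed DNS query log: one client touches three names from the day's list
# (one in upper case), the other only queries ordinary hostnames.
_DAY = date(2009, 1, 20)
_TODAY = daily_domains(_DAY)
SAMPLE_DNS_LOG = f"""\
2009-01-20T08:00:00 10.0.5.17 www.microsoft.com.
2009-01-20T08:00:01 10.0.5.17 {_TODAY[0]}.
2009-01-20T08:00:01 10.0.5.17 {_TODAY[1].upper()}.
2009-01-20T08:00:02 10.0.5.17 {_TODAY[2]}.
2009-01-20T08:01:00 10.0.5.23 mail.example.com.
2009-01-20T08:02:00 10.0.5.23 update.example.net.
"""

if __name__ == "__main__":
    print(f"{cumulative_domains(10)} names to cover in 10 days")
    for client, names in find_infected_hosts(SAMPLE_DNS_LOG, _DAY).items():
        print(f"{client} queried {len(names)} listed names, e.g. {names[:3]}")
```

In practice the matching runs on the resolver’s query log rather than on a string, and a client that queries dozens of the listed names in sequence is a far stronger signal than a single hit.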

It remains a guessing game. Virus hunters and law enforcement have no idea which domain names the bad guys might send commands through, or when they plan to pull that trigger.

Q: Who is behind the worm?

A: Cyber gangs based in Ukraine are suspected, since the worm has not spread to PCs in Ukraine. Downadup/Conficker has also been linked to the Asprox botnet, which has been used to spread pop-up ads pitching fake antivirus software subscriptions, usually for $49.

(More historical context: fake antispyware has been a staple money maker since at least 2003. The scam involves alerting the PC user that a certain virus needs to be cleaned up, and asking you to subscribe to a bogus antivirus suite. Back in 2003, a St. Petersburg, Russia-based gang, calling themselves the iFramers, ran what in essence was a multi-level marketing empire. It involved recruiting affiliates to set up tainted web pages, so anyone who visited a tainted page started receiving pop-up ads pitching fake AV subscriptions. The Asprox botnet gang has gone one better; they are sending pitches for fake AV protection directly to all the PCs they’ve botted, so they don’t have to wait for a prospective victim to click through to a tainted web page. By delivering ads to millions of botted PCs, the crooks can make big profits, even if only a tiny percentage of users of botted PCs follow through with a purchase.)

Q: What could a botnet of 1 million to 12 million infected PCs be used for?

A: Spreading fraud spam. Selling fake antivirus protection. Stealing corporate data. Cyber extortion. Cyber militia attacks. Or the worm’s controller could simply be cornering the market on botnets for rent or sale to do all of the above. Josu Franco, Panda Security’s director of business development, surmises that the worm’s creators are simply refining a method to replenish and hoard an accessible inventory of botnets, like stocking the larder. “This is basically free infrastructure for them,” says Franco.

Q: How big has the overall cyber crime industry become?

A: Reliable metrics are very difficult to come by. The Washington Post’s Brian Krebs, in this September 2007 blog post, laid out a well-reasoned argument for the gross output of cyber crime falling somewhere north of $105 billion annually. Just recently, McAfee issued a number 10 times higher. At the World Economic Forum in Davos, Switzerland last month, the antivirus giant said cyber crime has become a $1 trillion global industry, based on a survey of more than 800 chief information officers in the U.S., United Kingdom, Germany, Japan, China, India, Brazil, and Dubai.