Machines which had not applied this patch were vulnerable. It is not uncommon in large organisations to defer even critical patches until a suitable maintenance window, because in many cases the patch requires a reboot, and reboots disrupt business.
The worm copies itself to a Windows system folder under a random name, modifies registry keys so that it is started again after a reboot, connects to well-known websites to learn the public IP address of the machine it has just infected, and tries to download further malware from other sites.
It then starts an HTTP server on a random port and scans for machines still vulnerable to MS08-067; each machine it exploits is made to fetch the worm from that server, so every infected host becomes the distribution point for the next round of victims.
Later versions add a dictionary attack: they try the most commonly used passwords against accounts on neighbouring machines in order to reach their administrative shares.
- Where it will attack
Conficker, in its newest form, embeds itself at several points in the system, in the hope that at least one copy escapes detection and that removal is difficult even once it is found.
Conficker attacks the following areas of a computer:
- Creates a hidden DLL with a random name in the Windows System folder.
- Creates a hidden DLL under the Program Files\Internet Explorer or Program Files\Movie Maker folders.
- Creates an entry in the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Run.
- Registers itself as a service in the Registry under HKLM\SYSTEM\CurrentControlSet\Services.
- Attempts to copy itself to target machines over the ADMIN$ share, using the credentials of the currently logged-on user.
- Attempts to guess the passwords of accounts in the target machine's local SAM using a list of common weak passwords.
- Creates a remote scheduled task on the target machine once a username and password have been compromised.
- Copies itself to all mapped and removable drives.
- Creates an autorun.inf file on each of those drives; if AutoPlay is enabled, the worm is launched as soon as the drive is connected to another machine.
- Disables the viewing of hidden files, so that its hidden DLLs stay out of sight in Explorer.
- Modifies the system's TCP settings to allow a large number of simultaneous connections, which speeds up its scanning.
- Deletes the Registry value that starts Windows Defender.
- Resets the System Restore points, removing the option of rolling the system back to a clean state.
- Downloads files from various web sites.
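As an added example (not part of the original text, and not a Microsoft or vendor tool), the following PowerShell script audits a Windows host for the artifacts in the list above. It only reads; it changes nothing. The registry value names it checks (SHOWALL\CheckedValue, TcpNumConnections, the "Windows Defender" Run value) come from public Conficker write-ups rather than from this page, and the Windows Defender check is only meaningful on the XP/Vista-era systems the page describes. Treat every hit as something to confirm with a current antivirus engine, not as proof of infection.

```powershell
# Added example, not from the page: read-only audit for Conficker-style
# persistence artifacts. Run from an elevated PowerShell prompt.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Hidden DLLs in the three folders the worm drops its copy into.
$dropDirs = @("$env:SystemRoot\System32",
              "$env:ProgramFiles\Internet Explorer",
              "$env:ProgramFiles\Movie Maker")
foreach ($dir in $dropDirs) {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem -Path $dir -Filter *.dll -Force -ErrorAction SilentlyContinue |
        Where-Object { ($_.Attributes -band [IO.FileAttributes]::Hidden) -ne 0 } |
        ForEach-Object { $findings.Add("Hidden DLL: $($_.FullName)") }
}

# 2. HKCU Run values that start a DLL through rundll32, the worm's autostart form.
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if (Test-Path $runKey) {
    foreach ($p in (Get-ItemProperty -Path $runKey).PSObject.Properties) {
        if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match 'rundll32.*\.dll') {
            $findings.Add("HKCU Run '$($p.Name)' = $($p.Value)")
        }
    }
}

# 3. Services whose ServiceDll is a hidden file or lives outside %SystemRoot%
#    (the worm registers its DLL as a svchost-hosted service with a random name).
Get-ChildItem -Path 'HKLM:\SYSTEM\CurrentControlSet\Services' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $params = "$($_.PSPath)\Parameters"
        if (-not (Test-Path $params)) { return }
        $dll = (Get-ItemProperty -Path $params -ErrorAction SilentlyContinue).ServiceDll
        if (-not $dll) { return }
        $dll = [Environment]::ExpandEnvironmentVariables($dll)
        $hidden = (Test-Path $dll) -and
                  (((Get-Item $dll -Force).Attributes -band [IO.FileAttributes]::Hidden) -ne 0)
        if ($hidden -or $dll -notlike "$env:SystemRoot\*") {
            $findings.Add("Service $($_.PSChildName) loads $dll" + $(if ($hidden) { ' (hidden file)' }))
        }
    }

# 4. Settings the worm tampers with after it installs.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'
if ((Get-ItemProperty -Path $showAll -ErrorAction SilentlyContinue).CheckedValue -eq 0) {
    $findings.Add('Explorer "Show hidden files" option disabled (SHOWALL\CheckedValue = 0)')
}
$tcp = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -ErrorAction SilentlyContinue
if ($tcp.TcpNumConnections -ge 0x00FFFFFE) {
    $findings.Add("TcpNumConnections raised to $($tcp.TcpNumConnections)")
}
# Only meaningful on XP/Vista, where Defender autostarted from this Run value.
$hklmRun = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if (-not $hklmRun.'Windows Defender') {
    $findings.Add('"Windows Defender" value missing from HKLM Run key (worm deletes it; absent by design on Windows 8 and later)')
}

# 5. autorun.inf at the root of every drive, mapped and removable ones included.
Get-PSDrive -PSProvider FileSystem | ForEach-Object {
    $inf = Join-Path $_.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) { $findings.Add("autorun.inf present at $inf") }
}

if ($findings.Count -eq 0) { 'No Conficker-style artifacts found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Legitimate software also autostarts DLLs through rundll32 and hosts services in svchost, so the script reports candidates for a human to look at rather than verdicts; the combination of a hidden DLL, a random-looking service name and the disabled hidden-files option is what makes a hit convincing.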
- How fast it spreads
From the initial reports which prompted security software vendors to ship detection and removal tools, the reported infection count rose from about 2.9 million machines in late 2008 to approximately 15 million by early 2009.
Conficker spreads in three ways.
Firstly, it attacks a vulnerability in the Microsoft Server service, described in Microsoft Security Bulletin MS08-067 (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx). Computers without the October 2008 patch can be attacked and taken over remotely, with no user interaction.
Secondly, Conficker attempts to guess ('brute force') the Administrator and other account passwords used on the local network and spreads through network shares.
And thirdly, the worm infects removable devices and network shares with an autorun file that executes as soon as the USB drive or other infected device is connected to a victim PC on which AutoPlay is enabled.
- The damage it caused
There are large infections in Europe, the United States and Asia. It is a Windows worm, and almost all reported cases are on corporate networks; very few independent home computers are reported affected.
The cost is not easily quantifiable: it includes disinfection of affected machines, users unable to work because they have been locked out (the worm's password guessing trips the account lockout policy), the consequent possible loss of business, and considerable IT staff time in the cleanup.
It is the most serious large-scale worm outbreak in recent years because of how widespread it is, but it is not very serious in terms of what it does: so far it does not try to steal personal information or credit card details.
Microsoft was so concerned about the impact (and the effect on its reputation) that it was reported to be offering $250,000 for information leading to the arrest and conviction of whoever was behind the worm. Microsoft created its reward programme in 2003 with $5 million in funding to help law enforcement agencies bring virus and worm authors to justice.
The cost is sometimes unquantifiable in pounds or dollars, but the disruption to a large infrastructure is significant and widespread. In 2008 a systems administrator in San Francisco, facing dismissal from the city's technology department, locked the city out of its new FiberWAN network by setting a password that only he knew. The impact was loss of access to confidential databases including law-enforcement, payroll and jail-booking records; the repair estimate was more than £670,000.
- Defences against it
The prime defence is to obtain and install the Microsoft patch released in October 2008 (MS08-067). Microsoft also added detection and removal of the worm to its Malicious Software Removal Tool in the monthly security update of 13 January 2009.
All the major security software vendors have since issued updates that detect the worm and quarantine or delete it. Password security is another defence: use long, hard-to-guess passwords, particularly for administrator accounts, since administrators are the people who cannot afford to be locked out of the machines they will have to fix.
Microsoft's tool removes the original worm and the later variants. In addition, F-Secure has published a Conficker blocklist that network administrators can apply to block the worm's attempts to connect to its update websites.
These are specific defences against the Conficker worm and its variants, but there are general precautions relevant to the prevention of all types of malicious software.
These include training users in safe procedures, installing antivirus software on every desktop, installing personal firewalls on desktops, protecting network servers, scheduling antivirus signature updates at least weekly (daily, or automatic, is better), bookmarking reliable sources of virus and hoax information, and ensuring regular, tested backups.
Of these precautions, a robust and enforced password policy is perhaps one of the most effective, as many worms, Conficker included, rely on common passwords for intrusion and propagation. Passwords should be at least 8 characters long, ideally contain numbers, and not be everyday dictionary words; Conficker's own guess list is made up of exactly such words and simple patterns. They should be changed at regular intervals, and accounts should be disabled after three failed attempts (the worm's guessing will then lock out legitimate users, which is disruptive but is also an early warning that the worm is on the network). Any person who leaves employment should have his or her account disabled immediately, and when a person with administrative access leaves, all privileged passwords should be changed immediately, especially if the person was dismissed.
Many commercial companies offer software and information on viruses, Trojans, worms and malware of all types. The CERT Coordination Center (CERT/CC), part of a federally funded research and development centre at Carnegie Mellon University in Pittsburgh, USA, coordinates communication among experts during emergencies affecting computers and helps prevent future incidents.
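Pulling the three propagation vectors and the defences above together, here is an added PowerShell check (not from the page, from Microsoft or from any vendor) that reports whether a host is still exposed to each of them: the MS08-067 fix, the lockout threshold and minimum password length the text asks for, AutoRun on removable media, and any autorun.inf on an attached drive that would launch a DLL through rundll32 the way the worm's does. The KB number for MS08-067 (KB958644) and the NoDriveTypeAutoRun value come from Microsoft's bulletins rather than this page, and the parsing of `net accounts` output assumes an English-language Windows.

```powershell
# Added example, not from the page: read-only exposure check for Conficker's
# three spread vectors. Run elevated on the host being assessed.

# MS08-067 shipped as KB958644 for the OS versions it covered; later Windows
# releases include the fix, so a missing KB on Windows 7 or newer is not a gap.
function Test-Ms08067Patched {
    [bool](Get-HotFix -Id KB958644 -ErrorAction SilentlyContinue)
}

# Password guessing over ADMIN$ is stopped by a lockout threshold; the text asks
# for lockout after three failures and a minimum length of eight characters.
function Get-PasswordPolicy {
    $acct = net accounts                                   # English output assumed
    $thr = "$($acct | Where-Object { $_ -match 'Lockout threshold' })"
    $len = "$($acct | Where-Object { $_ -match 'Minimum password length' })"
    $threshold = if ($thr -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }   # 0 = 'Never'
    $minLength = if ($len -match '(\d+)\s*$') { [int]$Matches[1] } else { 0 }
    [pscustomobject]@{ LockoutThreshold = $threshold; MinPasswordLength = $minLength }
}

# Microsoft's mitigation for the autorun vector: NoDriveTypeAutoRun = 0xFF
# disables AutoRun for every drive type.
function Test-AutoRunDisabled {
    $pol = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' -ErrorAction SilentlyContinue
    $pol.NoDriveTypeAutoRun -eq 0xFF
}

# The worm pads its autorun.inf with binary junk that the INI parser skips but
# that defeats a naive grep; strip non-printables first, then look for an
# open= / shellexecute= / shell\...\command= action that invokes rundll32.
function Get-AutorunLaunchLine {
    param([string]$Path)
    $raw = [IO.File]::ReadAllText($Path)
    $lines = ($raw -replace '[^\x20-\x7E\r\n]', '') -split '\r?\n'
    foreach ($line in $lines) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+)$') {
            $action = $Matches[2].Trim()
            if ($action -match 'rundll32') { return $action }
        }
    }
    return $null
}

$policy = Get-PasswordPolicy
$report = @(
    [pscustomobject]@{ Check = 'MS08-067 fix (KB958644) installed';          Ok = Test-Ms08067Patched }
    [pscustomobject]@{ Check = 'Lockout after at most 3 failed attempts';    Ok = ($policy.LockoutThreshold -ge 1 -and $policy.LockoutThreshold -le 3) }
    [pscustomobject]@{ Check = 'Minimum password length >= 8';               Ok = ($policy.MinPasswordLength -ge 8) }
    [pscustomobject]@{ Check = 'AutoRun disabled (NoDriveTypeAutoRun = 0xFF)'; Ok = Test-AutoRunDisabled }
)
foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $drive.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf -ErrorAction SilentlyContinue) {
        $launch = Get-AutorunLaunchLine -Path $inf
        $report += [pscustomobject]@{ Check = "No rundll32 launch line in $inf"; Ok = (-not $launch) }
        if ($launch) { Write-Warning "$inf would run: $launch" }
    }
}
$report | Format-Table -AutoSize
```

The lockout check deliberately treats a threshold of "Never" as a failure: with no lockout, the worm's dictionary attack runs to completion unhindered, and the first sign of it is usually a compromised administrator account rather than a locked-out user.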
- Legal issues
Very few successful prosecutions have taken place. One of the few for malicious hacking was in 1995, with a guilty plea; it was the first such case in British history since the introduction of the Computer Misuse Act in 1990. The perpetrator was an unemployed computer programmer, and the authorities estimated that tracing and repairing the damage cost in excess of a million pounds. Downsizing during periods of economic recession can cause widespread discontent among employees, with the potential for an increase in extortion and sabotage incidents.
It should be noted that the business technology magazine Computer Weekly reported in January 2009 that Microsoft was to cut 500 jobs over the next 18 months, and that IBM had made the first of an expected 16,000 layoffs in its software group and in sales and administration in the USA and Canada.
The notorious hacker Gary McKinnon is facing extradition from the United Kingdom to the USA to face charges there. The UK Crown Prosecution Service has still to decide whether his signed confession, and his health problems, would allow him to avoid extradition and a potential 70-year prison sentence; a similar guilty plea in the UK would result in a sentence of two and a half years. McKinnon reportedly caused damage to NASA systems that cost £470,000 to track down and correct. As regards motive, it was reported that McKinnon was looking for proof of UFOs.
- How it would be prevented
One of the clear lessons of the Conficker worm is the need to apply patches, especially critical ones, as soon as feasible.
Running an antivirus package from a reputable vendor which can remove infections as well as detect them, and which provides regular updates that download automatically, is a sensible precaution in today's world.
Network servers protecting company LANs should be behind a firewall, and individual home machines should run a personal firewall. The use of USB devices should be restricted, especially where there is a mobile workforce who may connect to other companies' systems. Some companies have tried to disable USB ports and CD drives, but their value to business activity makes such action unrealistic; disabling AutoRun on removable media is the less disruptive middle ground.
The greatest value in prevention comes from raising user awareness through education and regular audits. The European Network and Information Security Agency (ENISA) has published a user guide containing the essentials for this purpose. Login messages reminding users of their responsibilities are also effective, provided they are varied regularly so that they do not become invisible.
One of the most adept of all hackers, Kevin Mitnick, is quoted as saying: 'The methods that will most effectively minimise the ability of intruders to compromise information security are comprehensive user training and education. Policies will not suffice, and only the willingness of people to bypass such procedures allowed me to compromise systems successfully.'
- References
1. http://www.symantec.com/norton/theme.jsp@themeid=conficker_worm
2. http://vil.mcafeesecurity.com/vil/content/v_153464.htm
3. The Telegraph, 13 February 2009.
4. BBC News, 13 February 2009.
5. Bott, E. and Siechert, C. (2002), Microsoft Windows Security Inside Out, Microsoft Press, Washington, USA.
6. Secure Computing Magazine, December 2008, Haymarket Specialist, London.
7. McKeown, P. (2003), Information Technology and the Networked Economy, Thomson Learning, Boston, USA.
8. Stair, R.M. and Reynolds, G.W. (2003), Fundamentals of Information Systems, Second Edition, Thomson Learning, Boston, USA.
9. Parker, D.B. (1998), Fighting Computer Crime, John Wiley & Sons, New York, USA.
10. Computer Weekly, 27 January 2009.
11. Info Security, January 2009, Volume 6, Elsevier, Oxford.
12. Mitnick, K.D. (2002), The Art of Deception, Wiley Publishing, Indiana, USA.