Another Conficker Variant

This is one well-designed piece of malware:

Conficker B++ is somewhat similar to Conficker B, with 294 of 297 sub-routines the same and 39 additional subroutines. The latest variant, first spotted on 16 February, is even more sneaky than its previous incarnations, SRI explains.

Conficker B++ is no longer limited to reinfection by similarly structured Conficker DLLs, but can now push new self-contained Win32 applications. These executables can infiltrate the host using methods that are not detected by the latest anti-Conficker security applications.

[...]

The malware also creates an additional backdoor on compromised machines to create an altogether trickier infectious agent, SRI explains.

In Conficker A and B, there appeared only one method to submit Win32 binaries to the digital signature validation path, and ultimately to the CreateProcess API call. This path required the use of the Internet rendezvous point to download the binary through an HTTP transaction.

Under Conficker B++, two new paths to binary validation and execution have been introduced to Conficker drones, both of which bypass the use of Internet Rendezvous points: an extension to the netapi32.dll patch and the new named pipe backdoor. These changes suggest a desire by the Conficker's authors to move away from a reliance on Internet rendezvous points to support binary update, and toward a more direct flash approach.

SRI reckons that Conficker-A has infected 4.7m machines, at one time or another, while Conficker-B has hit 6.7m IP addresses. These figures, as with previous estimates, come from an analysis of the number of machines that have ever tried to call into malware update sites. The actual number of infected hosts at any one time is lower than that. SRI estimates the botnet controlled by Conficker-A and Conficker-B is around 1m and 3m hosts, respectively, or a third of the raw estimate.

Posted on February 24, 2009 at 5:23 AM • 27 Comments

Comments

BF Skinner • February 24, 2009 6:06 AM

From The Register about why an English hospital CHOSE to shut off MS autoupdate and got infected by Conficker...

"Don't you just hate it when your boss is so computer illiterate yet has the power to veto the simplest of ideas to catastrophic end," said one, who asked to remain anonymous.

This one is going on a T-shirt.

Larry Seltzer • February 24, 2009 6:35 AM

There is a serious question as to whether B++ (a.k.a. Conficker.C) can spread seriously. The update mechanisms for the earlier variants have effectively been shut down.

clvrmnky • February 24, 2009 8:05 AM

Man, if you built a routine to randomly hit "malware update sites" but did nothing else, you would /really/ screw up their stats.

So, if you wanted to skew infection rate reports for an otherwise brittle and unsuccessful worm, I guess you could. I don't know /why/ you would, but then again I'm not in the malware business.

Impossibly Stupid • February 24, 2009 8:08 AM

The article has 0 mentions of Windows, just 1 mention of Microsoft (and only then in reference to taking down sites), but 3 mentions of "machines". Is it really so surprising that this crap keeps happening when reporters have stopped informing the public of the root cause?

bob • February 24, 2009 8:11 AM

The best way to deal with any form of malware is to cold boot from a known good OS (CDROM is ideal since it's unwritable if you forget to remove it from the drive when you go back to your normal OS) which is different from the OS you normally run.

Then run virus scanners and use the alternate file system to delete infected/corrupted files. Knoppix is great for this. The only problem is getting the virus scanner updates. That would need to be a signature file stored on a second CD (data only, not an executable) which has a hash precomputed to compare to.

I do not understand why the antivirus makers do not make it easy to do this.

Colossal Squid • February 24, 2009 8:20 AM

@bob
Once a machine has been compromised you cannot trust any component of the OS from the kernel up.
The only way to be certain is to take off and nuke the OS from orbit and restore your data from backups.
(You do have data backups, don't you?)

Dude • February 24, 2009 8:25 AM

@Colossal Squid
It's a good thing that he's planning to run the anti-virus scanner on a separate OS then, isn't it?

Colossal Squid • February 24, 2009 9:29 AM

Well, if the AV has an integrated rootkit detector that's reliable, then yes.
But it's generally less hassle to nuke and rebuild anyway. Also a salutary lesson for the user.

Impossibly Stupid • February 24, 2009 11:50 AM

@Colossal Squid
You trust your backups to be clean, do you?
As I noted in a previous post, backups do not represent a security enhancement, they represent a security *liability*.

Not new • February 24, 2009 12:32 PM

Not new...

https://forums.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186#A245

"However, the important point regarding Downadup is not whether this is another variant, but rather is it a new variant; i.e., if it has been released recently. Fortunately, Downadup.B++ / Conficker.C is not a newly released variant. This variant has been around since the main outbreak of Downadup, and most vendors already have detections for it.

The main item that has prompted the industry to highlight this sample as another variant is the emergence of its peer-to-peer behavior. This behavior was analyzed and discussed previously, in detail, by Eric Chien in the blog entry Downadup: Peer-to-Peer Payload Distribution. Symantec customers have been protected from this Downadup.B++ / Conficker.C variant for some time now, as long as they have kept their definitions up to date."

M • February 24, 2009 12:36 PM

This is the second time in a week Bruce has commented on how effective the Conficker virus and variants are. Bruce, did you write Conficker to demonstrate the needs for good passwords?

Ravan • February 24, 2009 1:22 PM

This is why I'm actually gaining traction in my household for Linux with virtual Windows. The plan is to have the base OS be Linux running a virtualization engine. Then the desired Windows variant and its associated applications are loaded to a virtual machine, and a snapshot is taken before any web sites are visited. Storage is either temporary, or to removable media. If the virtualized instance gets infected, it is wiped and restored from the snapshot.

I have already had to fight with one of those craptastic worms. I hate doing Windows support to start with (dlls are evil) and this makes it worse. Now, I can tell my roomies to just restore from snapshot.

Even Mitnick was advising this type of thing (without saying the L word) on the local radio yesterday.

James • February 24, 2009 4:41 PM

Real security will never be achieved because

a) Techno-geeks think it is cool to be in a "war" with other hackers
b) Security programs depend on security flaws for their survival
c) Writing secure code is like writing a program that doesn't crash, according to Microsoft it's impossible.
d) All of the above

RH • February 24, 2009 4:49 PM

Real security WILL be achieved, James. It just takes someone a little too ready to press the launch button on some nukes, and we'll find a substantial lack of computers to remain insecure!

Anonymous • February 24, 2009 5:29 PM

> Knoppix is great for this. The only problem is getting the virus scanner
> updates. That would need to be a signature file stored on a second CD (data
> only, not an executable) which has a hash precomputed to compare to.

> I do not understand why the antivirus makers do not make it easy to do this.

There's a German computer magazine which produces and publishes such a CD once per year, with three different virus scanners on it and free updates for at least the full coming year. Virus definitions can be added through a USB stick or other storage media, or downloaded for free. It's called "Knoppicillin", it has English language support and I'm sure a torrent file can be found for it if you look hard enough.

Avi Norowitz • February 24, 2009 11:08 PM

Avira has a free rescue CD which they update daily:

http://www.free-av.de/en/tools/12/...

The user interface is buggy, but Avira's on-demand file scanner is one of the best available (see reports at av-comparatives.org). Further, the rescue environment makes it easy to clean out rootkits and DLL's that inject themselves into critical processes.

greg • February 25, 2009 7:21 AM

I have never run anti virus software. I have never got a virus. Yes I mainly use slackware or other uni* OS's. But I have also used Windows a bit when forced to.

Personally virus checkers etc seem to be a cure worse than the disease and they don't even work that well. They either are a root kit or are told to ignore "special valid" root kits (aka Sony CD protection).

As for Windows updates. What's worse? The Windows update that breaks your system or a virus you don't even notice?

A nonny Bunny • February 25, 2009 7:37 AM

@greg
"As for Windows updates. What's worse? The Windows update that breaks your system or a virus you don't even notice?"

I'd go with "the virus that I don't notice until it was too late and someone plundered my online banking account".
The problem is the viruses you DO notice, only, too late.

greg • February 25, 2009 11:06 AM

@A nonny Bunny

But which option is the one taken by most people?

Anyway, how long before it is the Windows update feature that spreads the virus?

Anonymous • February 25, 2009 8:31 PM

When you realize that windows IS a virus that turns your box into swiss cheese, then you will realize that the windows update feature _does_ spread the virus.

dot tilde dot • February 26, 2009 3:48 AM

@1915bond:

virtual machine bios data should be in the snapshot, so where's the problem?

.~.

Alan • February 27, 2009 9:16 AM

@Ravan:
So how are you detecting the malware? Or do you always start from a clean machine?

JohnJ • February 27, 2009 3:36 PM

I'm guessing the boot CD/scanners are ineffective against hard drives with full disk encryption since they would load and the PGP/SafeBoot (McAfee)/whatever stub never would.

Major Variola (ret) • March 15, 2009 1:01 PM

> I'd go with "the virus that I don't notice until it was too late and someone plundered my online banking account".
> The problem is the viruses you DO notice, only, too late.

Also, you are infectious to others during the period when you haven't noticed the infection. Kinda like HIV, a very successful parasite.
