Monday, January 26, 2009

The Conficker Virus

In recent weeks, a worm called Conficker has infected 9 million Microsoft Windows desktops and servers throughout the world via a Windows security flaw identified in October 2008.

The BIDMC Security team has provided me with several briefings that I'd like to share with you.

Day 1
We are still looking at how to identify the infection from network-based activity. Our managed workstations are not at risk as they have the Windows MS08-067 patch applied. This is of course assuming that the MS08-067 vulnerability is the only vector.

The larger risk is the introduction by a non-patched, non-managed workstation that then passes this on to other systems on the network that are vulnerable.

This is a very well-written and nasty virus. It has an extensive list of dynamic DNS entries to phone home to - the list is ever changing. The list for last week was over 1000 entries long. I have not seen the new list for this week.

My biggest fear is the medical devices. Vendors often claim that FDA 510(k) approval does not allow application of operating system patches. This makes the ability to detect this via network behavior very critical.

Day 2
We have kicked off a type of scan that will identify all our systems that are susceptible to the Conficker attack, i.e. systems that do not have the MS08-067 patch applied.

The risk an infected system poses is still unknown, as it is still unclear what the intent of the virus is.

Day 3
The approach we are taking is:

1. Looking back 4 weeks into the web content filters to see if any systems that we monitor had accessed any of the 1000 suspect URLs. The result was that there were no hits as of late Friday night. We have set up a job that will run at midnight and examine the prior 24 hours of web activity for any hits.

2. We are running a scan process that looks at all systems that are online. This scan is a non-invasive scan that can conclusively determine if the system is missing the Microsoft patch that closes the vulnerability.

3. We have also found some information on how to examine a system's registry and identify systems that might be infected. This will work only on managed systems. This is important due to the nature of the virus. The virus can infect via a USB key. Once on the system it shuts down the anti-virus on the system as well as a wide range of anti-spyware programs.

4. We alerted the help desk to be on the lookout for a rise in user complaints about their anti-virus not working correctly. The latest on the virus also indicates that it then attempts dictionary-type attacks to break into the accounts it finds on the systems. This would show up as a rise in user password resets or account unlocks.

Desktops and servers need to be monitored since one of the targets of the virus is file servers located via mapped drives.

We are members of HTCIA and InfraGard. These organizations, particularly InfraGard, provide information that is often not immediately available to the general public. We are keeping an eye out for any early additional information regarding the virus's behaviour. InfraGard is tasked with protection of the national infrastructure from both physical and cyber threats - this virus has gotten their full attention.
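Step 1 of the Day 3 approach, the midnight job that checks the prior 24 hours of web activity against the suspect URL list, as an added example that is not from the BIDMC team or the original post. The suspect domains, the proxy log format and the log lines are constructed placeholders; the real, ever-changing Conficker list is not reproduced here.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed placeholder list standing in for the suspect domains;
# the real, ever-changing Conficker list is not reproduced here.
SUSPECT_DOMAINS = {"bad-example-one.test", "bad-example-two.test"}
RUN_TIME = datetime(2009, 1, 25)  # constructed: the nightly job's midnight run

# Constructed proxy log lines: "<ISO timestamp> <client IP> <URL>"
SAMPLE_LOG = """\
2009-01-23T23:15:02 10.1.4.17 http://www.example.com/index.html
2009-01-24T02:40:11 10.1.4.22 http://update.bad-example-one.test/x
2009-01-24T09:05:30 10.1.7.9 http://bad-example-two.test:8080/c
2009-01-22T20:00:00 10.1.4.22 http://bad-example-one.test/old
2009-01-24T11:11:11 10.1.9.3 http://notbad-example-one.test/
"""

def host_matches(host, suspects):
    # A hostname equal to, or beneath, a listed domain is a hit (dynamic
    # DNS names churn under the same parent). Matching is on whole
    # labels, so a lookalike such as notbad-example-one.test is not.
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in suspects for i in range(len(labels)))

def find_hits(log_text, suspects, run_time, window=timedelta(hours=24)):
    # Return (client, host, timestamp) for requests in the window ending
    # at run_time whose host matches the suspect list.
    cutoff = run_time - window
    hits = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=2)
        if len(parts) != 3:
            continue  # skip a malformed line rather than abort the job
        ts, client, url = parts
        when = datetime.fromisoformat(ts)
        if not cutoff <= when < run_time:
            continue  # outside the prior 24 hours
        host = urlparse(url).hostname  # strips scheme, port and path
        if host and host_matches(host, suspects):
            hits.append((client, host, ts))
    return hits

def clients_to_investigate(hits):
    # Distinct client addresses to pull for examination.
    return sorted({client for client, _, _ in hits})

if __name__ == "__main__":
    found = find_hits(SAMPLE_LOG, SUSPECT_DOMAINS, RUN_TIME)
    print(found, clients_to_investigate(found))
```

On the constructed log, the job reports two hits from two clients and ignores the older request and the lookalike domain.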

Day 4
We now have a copy of the Conficker code. It is VMware aware and shuts itself down and hides when it detects that it is running under a VM. This is a new tactic of the better-written viruses and trojans - it means you cannot load it up onto a Virtual Desktop to examine its behavior, making it slower to generate AV signatures.

It also has built in code to detect that the Windows debugger has been invoked to examine it. If it detects the debugger it again shuts itself down and "hides" to disable the ability to use the debugger to examine its behavior.

There has been some press about the belief that the payload of the code may be flawed and that only the delivery mechanism is well written. That may be the case, but assuming that position is very risky. There are already growing variants of the code. I think we have not seen the true purpose of the virus yet. This has an IRCbot component to it; it is pulling content and instructions from command and control sites. We can only hope that the ultimate purpose and payload are flawed, as this is still spreading rapidly.


Clearly, this is a very nasty virus and we are on the highest alert since the SQL Slammer Worm in 2003. All CIOs should ensure their security staff are briefed on this new worm and are proactively defending against it.
