Conficker Worm Technical Analysis


« Microsoft Patch Tuesday: Another Angle | Main | New Trojan Targets Unpatched Microsoft Excel Flaws »

02/20/2009



Conficker Worm Technical Analysis

Kevin R. Smith
Co-Editor


Looking for the latest on Conficker/Downandup today, I came across one of the finest technical papers on a virus I've seen in a long time.

The piece, published by SRI International, is an excellent example of the type of analysis that's needed to bring worms like Conficker to a halt.

For those unfamiliar with SRI International, it's an independent, nonprofit research institute that used to be called, "Stanford Research Institute." Their speciality? Conducting client-sponsored research and development.

In short: businesses and governments pay the smart people at SRI to research certain things on their behalf. Nice.

In the case of Conficker, the researchers, Phillip Porras, Hassen Saidi, and Vinod Yegneswaran, performed a deep and thorough technical analysis of Conficker, including:

  • Conficker A
  • Conficker B
  • Conficker C

  • One of their conclusions?

    "...as scan and infect worms go, we have not seen such a dominating infection outbreak since Sasser [6] in 2004. Nor have we seen such a broad spectrum of antivirus tools do such a consistently poor job at detecting malware binary variants since the Storm [4] outbreak of 2007." (emphasis ours)

    Clearly, Conficker is a serious threat to computer security. And it's tough to stop.

     Anyone not running Internet security software is just racing a clock. If not, in my humble opinion, it's not a question of if infection will happen, it's a question of when.

    Why both?

    Conficker is an interesting worm in that it infects via multiple methods. It infects via things like USB drives and via networks. This makes for an unusual and challenging combination.

    If someone gets their PC at home infected, then brings in a USB thumbdrive into the office with their work on it, chances are very, very high that the office network will get infected, too, as soon as they plug the USB drive into their office computer.

    Once the USB drive is inserted, it "autoruns," and in doing so the virus starts trying to propagate instantly throughout the office network via a bug in the Windows RPC (Remote Procedure Call) service running on port 445. Ouch.

    From there, it continues willy-nilly. So back to the original question: why both firewall and antivirus software?

    Good firewall software makes it difficult for things to get in or out of your computer. Each computer has 65,536 TCP ports. RPC runs on port 445. Correctly configured firewall software closes the ports on your computer inbound and outbound and only lets in the communications you authorize.

    Thus, a firewall is your first layer of defense.

    There are cases though, like file and printer sharing, where you have to open up port 445. No port 445, no shared printers. Fine. So you open port 445 and unfortunately, the worm tries to wiggle its way onto your system.

    This is where the anti-virus software comes in. Good antivirus software, with updated signatures, should be able to stop the worm in its tracks and prevent further infections from happening--at least from happening because of your computer.

    The same is true with USB-based infections, too. Let's say someone, perhaps a client, brings a USB drive into your office with documents on it. Unfortunately, the USB thumbdrive has Conficker on it, too.

    In goes the drive into your USB port, and the worm begins trying to wiggle out onto your system and onto the network. As with a network-based Conficker attack, USB-based attacks should be picked up and stopped by your antivirus software, too.

    The key thing of it is having good antivirus software and keeping your signatures updated. Software from 2007 with old signatures isn't going to be of much use.

    Lastly, of great importance in the whole Conficker mess, as the folks as SRI remind us: patching our OSes,

    "Why Conficker has been able to proliferate so widely may be an interesting testament to the stubbornness of some PC users to avoid staying current with the latest Microsoft security patches."

    So, in summary:

    1. patch your OS (in IE, click Tools, Windows Update)
    2. install a software firewall
    3. run antivirus software
    4. make sure it signatures are updated.

    TrackBack

    TrackBack URL for this entry:
    http://www.typepad.com/services/trackback/6a0133f40d81f4970b0134876491c6970c

    Listed below are links to weblogs that reference Conficker Worm Technical Analysis :

    Comments

    You can follow this conversation by subscribing to the comment feed for this post.

    how in the world might such a ridiculous worm get in my system in the first place, i wonder?

    Wow. Quite an omission. Thanks much for pointing that out. :-)Full reference now included in 5th paragraph.

    link to SRI article?

    What we know about the worm is that it spreads two ways:1.) Via USB drives through the Windows 'Autorun' feature. (Discussed here among other places: http://www.pcantivirusreviews.com/update/2009/01/virus-protection-warning-about.html)2.) Via a flaw in the Windows 'Server' Service. This is a service that runs by default to allow computers (typically on a local area network like in a home, school, or office) to share files and printer access with one another. (Discussed here among other places: http://www.pcantivirusreviews.com/update/2009/01/worm-attack-9-million-pcs-hit.html)

    The comments to this entry are closed.