MyCERT has observed an increasing trend of IT security related discussion and information sharing on the Internet about a worm variant called Conficker.C. This enhanced version of the previous worm variants Conficker.A and Conficker.B is expected to trigger on the coming 1st of April. Security researchers believe that the latest Conficker variant C first began spreading at roughly 6 p.m. PST, 4 March 2009 (5 March UTC). MyCERT would like to highlight that this is neither a new outbreak nor a new piece of malware. Removal and mitigation strategies were highlighted in our previous advisory.
MyCERT is working together with various parties, both local and abroad, to mitigate and reduce the risk of the new variant.
2.0 Worm Description
Conficker.C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision to Conficker B. It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level. In Conficker C, they have now responded with many of their own countermeasures to thwart these latest defenses. Some of the major enhancements are:
- Domain Generation Algorithm - Conficker.C will select 500 domains out of a randomized pool of 50,000, instead of 32 out of 250 for the previous variants.
- Peer to peer logic - This new coordination strategy employs a P2P protocol, and the Conficker authors have taken some care to hinder its analysis through code obfuscation.
- Local host patch logic - This protects its host from other malware that would attempt to re-exploit the MS08-067 buffer overflow, while still allowing re-infection from other Conficker hosts.
- Security product disablement - Domain lookups for most antivirus and security software vendors are blocked, important Windows security services are disabled, security product processes are terminated, the Windows firewall is disabled, and the worm obfuscates its installation and presence.
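The domain generation change above means an infected host produces a burst of lookups for many distinct, random-looking names, most of which do not resolve, because only a few of the 500 daily candidates are ever registered. The following is an added example written for this advisory, not MyCERT's own tooling, showing how a defender can surface that pattern in resolver logs. It assumes a simple whitespace-separated log format (timestamp, client IP, queried name, response code) and uses constructed log lines; the thresholds and the last-two-labels approximation of the registered domain are assumptions, and the random names are made up rather than taken from any real Conficker domain list.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (timestamp, client IP, queried name, response code).
# They are made up to exercise the heuristic and are not real Conficker traffic.
SAMPLE_DNS_LOG = """\
2009-03-05T18:00:01Z 10.0.0.12 update.microsoft.com NOERROR
2009-03-05T18:00:02Z 10.0.0.12 www.example.com NOERROR
2009-03-05T18:00:03Z 10.0.0.57 qwhdkzpvnrx.info NXDOMAIN
2009-03-05T18:00:03Z 10.0.0.57 bmtxvqjlfoe.org NXDOMAIN
2009-03-05T18:00:04Z 10.0.0.57 zrkpwyvhqa.net NXDOMAIN
2009-03-05T18:00:04Z 10.0.0.57 lxfqpjwkvmz.biz NXDOMAIN
2009-03-05T18:00:05Z 10.0.0.57 hvnqzxrtpk.cc NXDOMAIN
2009-03-05T18:00:05Z 10.0.0.57 gtxwbqpz.ws NXDOMAIN
2009-03-05T18:00:06Z 10.0.0.57 www.example.com NOERROR
2009-03-05T18:00:07Z 10.0.0.99 mail.example.net NOERROR
"""

# Assumed log layout: four whitespace-separated fields per line.
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_domain(name):
    """Approximate the registered domain as the last two labels (no public-suffix list)."""
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_dns_log(text):
    """Turn log text into a list of dicts; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            records.append({"ts": m.group(1), "client": m.group(2),
                            "qname": m.group(3), "rcode": m.group(4)})
    return records


def score_clients(records):
    """Per client: query count, distinct registered domains, NXDOMAIN ratio, mean label entropy."""
    per_client = defaultdict(lambda: {"queries": 0, "nxdomain": 0,
                                      "domains": set(), "entropies": []})
    for r in records:
        c = per_client[r["client"]]
        c["queries"] += 1
        dom = registrable_domain(r["qname"])
        c["domains"].add(dom)
        # Entropy is measured on the second-level label only; the TLD carries no signal.
        c["entropies"].append(shannon_entropy(dom.split(".")[0]))
        if r["rcode"] == "NXDOMAIN":
            c["nxdomain"] += 1
    scores = {}
    for client, c in per_client.items():
        scores[client] = {
            "queries": c["queries"],
            "unique_domains": len(c["domains"]),
            "nxdomain_ratio": c["nxdomain"] / c["queries"],
            "mean_entropy": sum(c["entropies"]) / len(c["entropies"]),
        }
    return scores


def flag_suspicious_clients(text, min_unique=5, min_nx_ratio=0.5, min_entropy=2.5):
    """Clients that query many distinct, high-entropy domains that mostly fail to resolve.

    All three thresholds are assumed starting points, to be tuned against local traffic.
    """
    flagged = []
    for client, s in sorted(score_clients(parse_dns_log(text)).items()):
        if (s["unique_domains"] >= min_unique
                and s["nxdomain_ratio"] >= min_nx_ratio
                and s["mean_entropy"] >= min_entropy):
            flagged.append(client)
    return flagged


if __name__ == "__main__":
    for client, s in score_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, s)
    print("suspicious:", flag_suspicious_clients(SAMPLE_DNS_LOG))
```

In production the counts should be taken over a bounded time window per client (for instance the same day, since the candidate set changes daily), and the result is a lead for investigation rather than a verdict: CDNs, misconfigured software and typo-prone users also generate failed lookups, so the combination of volume, failure ratio and label randomness is what separates a DGA burst from ordinary noise, not any single measure.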
3.0 Software Affected
All Microsoft Windows XP and Vista systems that have not been patched for MS08-067. MyCERT had earlier released an advisory on this; please follow this link for more details: http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/626/index.html
4.0 Technical Details
Once installed, Conficker.C implements a variety of nasty behaviors. The worm will attempt to disable Windows Automatic Update and stop access to the Windows Security Center, can detect and kill SysInternals' Process Explorer program, and will interfere with the operation of a number of other search-and-destroy programs including WireShark and SysClean.
It will also reset and delete system restore points and disable various services, including WinDefend, BITS (Background Intelligent Transfer Service), ERSvc (Error Reporting Service) and WerSvc (Windows Error Reporting Service, Vista only). In a final fit of pique, Conficker.C will prevent any attempt to connect to a variety of antivirus software services or websites.
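Because the services named above are ones an administrator normally expects to be running, their state is a cheap first triage check on a suspect host. The following is an added example, not part of this advisory or of any Microsoft tool, that parses the output of `sc query state= all` and reports which of the watched services are stopped or missing. WinDefend, BITS, ERSvc and WerSvc come from the text; wuauserv and wscsvc are the standard service names behind Automatic Updates and the Security Center, which the text says the worm also disables. The sample output is constructed to look like an XP host and is not captured from an infection.

```python
import re

# Services the advisory says Conficker.C stops or interferes with. WinDefend, BITS,
# ERSvc and WerSvc are named in the text; wuauserv (Automatic Updates) and wscsvc
# (Security Center) are the standard Windows service names for the features the text
# says the worm disables. ERSvc exists on XP and WerSvc on Vista, so one of the two is
# normally absent on any given host and "absent" must not be read as "disabled".
WATCHED_SERVICES = ["WinDefend", "wuauserv", "wscsvc", "BITS", "ERSvc", "WerSvc"]

# Constructed sample of `sc query state= all` output from a hypothetical XP host.
SAMPLE_SC_OUTPUT = """\
SERVICE_NAME: BITS
DISPLAY_NAME: Background Intelligent Transfer Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)

SERVICE_NAME: ERSvc
DISPLAY_NAME: Error Reporting Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: Spooler
DISPLAY_NAME: Print Spooler
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wscsvc
DISPLAY_NAME: Security Center
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wuauserv
DISPLAY_NAME: Automatic Updates
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 1077  (0x435)
"""

SERVICE_RE = re.compile(r"^SERVICE_NAME:\s*(\S+)")
STATE_RE = re.compile(r"^\s*STATE\s*:\s*\d+\s+([A-Z_]+)")


def parse_sc_query(text):
    """Map service name -> state word (RUNNING, STOPPED, ...) from `sc query` output."""
    states, current = {}, None
    for line in text.splitlines():
        m = SERVICE_RE.match(line)
        if m:
            current = m.group(1)
            states[current] = "UNKNOWN"   # overwritten when the STATE line follows
            continue
        m = STATE_RE.match(line)
        if m and current is not None:
            states[current] = m.group(1)
    return states


def check_services(states, watched=WATCHED_SERVICES):
    """Split the watched list into services not running and services not installed.

    Service names are compared case-insensitively, as Windows does.
    """
    lowered = {name.lower(): state for name, state in states.items()}
    not_running, absent = [], []
    for name in watched:
        state = lowered.get(name.lower())
        if state is None:
            absent.append(name)
        elif state != "RUNNING":
            not_running.append((name, state))
    return {"not_running": not_running, "absent": absent}


if __name__ == "__main__":
    # Real use: `sc query state= all > services.txt` on the host, then parse that file.
    result = check_services(parse_sc_query(SAMPLE_SC_OUTPUT))
    for name, state in result["not_running"]:
        print(f"{name}: {state}")
    print("absent:", ", ".join(result["absent"]))
```

A stopped service on its own is not proof of infection: BITS in particular is demand-started on many installs and idle much of the time, and a deliberately disabled Automatic Updates service is a policy choice on some managed networks. What matters is the combination of several of these services being down together with the other symptoms the advisory lists, and `sc qc <name>` will show whether the start type was changed to disabled, which is a stronger signal than a momentary stopped state.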
In general, doing the following will mitigate infection by, and the spread of, Conficker:
- Apply the latest Microsoft Windows updates.
- Apply the latest antivirus signatures and updates.
- Browse the Internet as a least-privilege user to limit the execution of malicious files.
- Do not open questionable email attachments, and do not browse to unknown websites linked in email from unknown persons or in email received unexpectedly.
If you believe that your system has been infected by this worm, please download the removal tools provided by trusted parties. Below is the list of tools (in alphabetical order):
In addition, Microsoft has released a guide for removing Conficker: http://support.microsoft.com/kb/962007