Conficker Summary and Review Dave Piscitello, ICANN Senior Security Technologist 7 May 2010

Transcription

1 ConfickerSummaryandReview ConfickerSummaryandReview DavePiscitello,ICANNSeniorSecurityTechnologist 7May2010 Abstract Thisreportprovidesachronologyofeventsrelatedtothecontainmentof theconfickerworm.itprovidesanintroductionandbriefdescriptionofthe wormanditsevolution,butitsprimaryfocusistopiecetogetherthepostdiscoveryand analysisevents,describethecontainmentmeasures chronologically,anddescribethecollaborativeefforttocontainthespread oftheworm.theauthorcaptureslessonslearnedduringacontainment periodspanningnearlyayearanddescribesrecentactivitiesthatattemptto applythelessonslearnedsothatthesecurityanddnscommunitiescanbe betterpreparedforfutureattacksthatexploittheglobaldns. Thisreportrepresentstheworkoftheauthor,onbehalfoftheICANN SecurityTeam.Theauthorisresponsibleforerrorsoromissions.While membersoftheconfickerworkinggroup,icannssac,individualsecurity researchers,andcertainicannregistrieswereinvitedtocommentor reviewthereport,noneoftheseorganizationswereaskedtoformally endorsethisworkproduct. Introduction TheConfickerwormfirstappearedinOctober2008andquicklyearnedasmuch notorietyascodered 1,Blaster 2,Sasser 3 andsqlslammer 4.Theinfectionisfoundin bothhomeandbusinessnetworks,includinglargemulti nationalenterprise networks.attemptstoestimatethepopulationsofconfickerinfectedhostsatany giventimehavevariedwidely,butallestimatesexceedmillionsofpersonal computers. TheoperationalresponsetoConfickerisperhapsaslandmarkaneventastheworm itself.internetsecurityresearchers,operatingsystemandantivirussoftware vendorsdiscoveredtheworminlate2008.thesepartiesaswellaslawenforcement formedanadhoceffortwithicann,topleveldomain(tld)registriesand registrarsaroundtheworldtocontainthethreatbypreventingconfickermalware writersfromusingtensofthousandsofdomainnamesalgorithmically generated dailybytheconfickerinfection. ConfickermalwarewritersmadeuseofdomainnamesratherthanIPaddressesto maketheirattacknetworksresilientagainstdetectionandtakedown.initial countermeasures sinkholingorpreemptiveregistrationsofdomainsusedto identifyconficker scommandandcontrol(c&c)hosts preventedthemalware writersfromcommunicatingwithconficker infectedsystemsandthus,presumably 1

2 ConfickerSummaryandReview preventedthewritersfrominstructingthebottedhoststoconductattacksorto receiveupdates.theconfickermalwarewritersrespondedtothismeasureby introducingvariantstotheoriginalinfectionthatincreasedthenumberof algorithmicallygenerateddomainnamesanddistributedthenamesmorewidely acrosstlds.torespondtothisescalation,partiesinvolvedincontainingconficker contactedmorethan100tldsaroundtheworldtoparticipateinthecontainment effort. Thecombinedeffortsofallpartiesinvolvedinthecollaborativeresponseshouldbe measuredbymorecriteriathanmitigationalone.thecontainmentmeasuresdidnot eradicatethewormordismantlethebotnetentirely.still,thecoordinated operationalresponsemeritsattentionbecausethemeasuresdisruptedbotnet commandandcontrolcommunicationsandcausedconfickermalwarewritersto changetheirbehavior.thecollaborativeeffortalsodemonstratedthatsecurity communitiesarewillingandabletojoinforcesinresponsetoincidentsthat threatenthesecurityandstabilityofthednsanddomainregistrationsystemsona globalscale. 2

3 ConfickerSummaryandReview ConfickerBackground ThissectiondrawsheavilyfromanexcellentpaperontheConfickerworm publishedatthehoneynetprojectbyauthorsfelixlederandtillmannwerner 5. ThedescriptionherelargelytracksanddistinguishesamongConfickervariants whenchangesaffectedtheworm suseofthedns.itdiscussesthewormingeneral terms.thoseinterestedinaverytechnicalanalysisofconficker sinfection armoringandupdateprocesses,variantsofthedomainnamegenerationalgorithms, signaturesthatcanbeusedbyintrusiondetectionsystemstodetectconficker,and disinfectionissues areencouragedtoreadthefullpaper.lederandtillmannhave alsoproducedashortvideoonthestructureofconfickerandmaintainalistof disinfectantsandscannersatthecontainingconfickerwebpage 6.Listsofdomain namesgeneratedbyconfickervariantsmaybeofparticularinteresttothedomain namecommunityandcanbeobtainedthereaswell.anothersourceforthis summaryisansritechnicalreportbyphillipporras,hassensaidi,andvinod Yegneswaran,whichanalyzestheConfickerpackage,processing,andprotocolin considerabledetail. Confickeriscalledawormbecausethefirstdiscoveredvariantattachedtoa program(executable),wasself replicating,and(importantly)usedanetworkasthe deliverymechanism.thiscombinationofcharacteristicsdistinguisheswormsfrom viruses 7.Confickerisactuallyablendedthreat 8 becauseitcanbedeliveredvia networkfileshares,mappeddrivesandremovablemediaaswell.theconficker infectionisatypeofsoftwarecalledadynamiclinklibrary(dll).adllcannot executealonebutmustbeloadedbyorintoarunningapplication.theconficker DLLlauncheswithrundllonWindows,whichletsitrunasastandaloneprocess.A ConfickerinstallerloadsitsDLLintoaWindowsapplicationbyexploitingtheMS08 067vulnerabilityintheWindowsOperatingSystem 9.Thisvulnerabilityallows Confickermalwarewriterstousewhatiscalledabufferoverflowto inject code intothewindowsserverservice. Abufferoverflowisamethodofexploitingsoftwareprogrammingthatfailstocheck boundariesbeforewritinginformationintomemory.theattackerdiscoversthata programisvulnerabletoabufferoverflowbyattemptingtowritemoreinformation intomemorythantheprogrammerhadallocatedtostoreinformation.specifically, theattackerseekstowriteinformationintomemorythatisadjacenttothememory heoverruns.thisadjacentmemorymaycontaindataoritmaycontainexecutable code;ineithercase,theattackedapplicationwillnotoperateasanticipatedwhenit encountersthemaliciouscodetheattackerinjected.inthecaseofconficker,the attackerinjectedexecutablecodethatgivestheattackerremotecontroloverthe infectedcomputerandinparticular,remotecodeexecutionprivileges.usingthe injectedcode,theattackercanaddorchangecodetomaketheinfectedhost computerdowhateveritchooses. 3

4 ConfickerSummaryandReview Topreventdetection,certainwormsembedthemselvesinabenignmanneronthe infectedcomputer,i.e.,intoaprogramorsoftwarethatisexpectedtorunona computerrunningthewindowsoperatingsystem.thewormthenattemptsto disablesoftwarethatcoulddetectorremovetheinfection.confickervariants disablewindowsautomaticupdate,windowssecuritycenter,windowsdefender andwindowserrorreporting.latervariantsalsouseddnsfilteringtoblock antimalwareprogramsfromobtainingupdates(e.g.,virussignaturesthatwould allowtheresidentavsoftwaretodetectandremoveconfickerrelatedmalware). ConfickermalwarealsoresetstheWindowsSystemRestorepoint 10,whichcontains informationthatcouldbeusedtoremoveconfickermalwarebyrestoringthe infectedcomputer sfilesystemandregistrytoversionssavedpriortotheinfection. EarlyvariantsoftheConfickermalwareenlistedaninfectedmachineintoa Confickerbotnet.Onceenlisted,themalwarerunningoninfectedcomputersusesa domaingenerationalgorithm(dga)tocreateadailylistofdomainnames.the Confickermalwarewritersusedthesamealgorithmtogenerateanidenticallist.The writersthenregisteredasmallnumberofthesedomainsandsetupname resolutionservicefortheselectedsubsetofdomainssothatthedomainnames assignedtointernetrendezvouslogicpoints i canberesolvedtoipaddressesbydns resolvers.theconfickermalwarewritersdidnotappeartousethegenerated domainnamesroutinely,presumablybecausetheydeterminedthenameshadbeen blocked.alatervariantshiftedthebotnetfromemployingrendezvouslogicpoints toapeer to peernetwork.malwareoperatingoninfectedhostsdiscoverotherbots bydetectingattacksfromanotherinfectedhosts,confirmingthecodetheattacking hostsattempttoinjectisthesameasitsowncode,andconnectingbacktothe attackerusinghttpsothathostswithmatchedinfectionscansharefilesdirectly. TheConficker infectedcomputersattempttoconnecttohttpserversoperatingon rendezvouslogicpointsbycontactingdomainsfromthedaily generatedlistof domainnames.iftheyareabletoresolveadomainnameandconnecttoanhttp server,thebottedmachinesareabletoreceiveadditionalmalwareorinstructions toperformcertainactionsusingalready presentexecutables.thewormusesstrong cryptographictechniques(rsaandmd6)tocontrolwhatcodecanbeloadedonto aninfectedbox.allcode"loads"mustbecorrectlysignedortheywillberejected. Presumably,onlytheConfickermalwarewriterhastheprivatesigningkeyfor updates.insomecases,theconfickerbotwillbetoldtotryvariousmeansof infectingotherhosts(e.g.,throughanonymousnetworkshares).inothercases,the Confickerbotscanbecomeanarmythatcanbedirectedatwillbyrendezvous pointstosupportawiderangeofmaliciousorcriminalactivities. Botnetsareextremelydifficulttodismantle.Botnetscanremainoperational andwill continuetoserveasplatformsfornumerousattacks foraslongasthebotted i Arendezvouslogicpointisaserverthatisfunctionallysimilartoacommandand control(c&c)server. 4

5 ConfickerSummaryandReview computersremaininfectedandaslongasthebotscanremotelycommunicatewiththe rendezvouspoint(s). Thefollowingsectionoffersachronologyofeventsthatdescribehowthesecurity, intelligenceanddnscommunitieswereabletodisruptcommunicationsbetween Confickerinfectedhostsandrendezvouslogicpoints. OriginandEvolutionoftheConfickerWorkingGroup PriortotheformationoftheConfickerWorkingGroup,operatingsystemand securitysoftwarevendors(microsoft,symantec,f Secure),othersecurityresearch organizations(shadowserverfoundation,teamcymru)andtheintelligence community(usfederalbureauofinvestigation,ussecretserviceandtheus DepartmentofDefense)hadmonitoredandanalyzedConfickerandhadcooperated tocontainthethreat.f Securehadbegun spot sinkholing ii domainnamesthat Confickerbotswereattemptingtocontacttoestimatethesizeofthebotnet.Several operatorsofthetopleveldomainsinwhichconfickermalwarewriterswere registeringdomains(verisign,afilias,neustar,pir,andws)werealreadyinvolved atthispoint,andicannstaffassistedthesecurityresearchersincontactingcnnic toadvisethemofthethreatandaskfortheirparticipationinthecontainmenteffort. TosupporteffortstomonitorConfickertraffic,analyzetheinfection,identify infectedhostsandestimatethesizeofthebotnet,supportintelligencewas registering500domainnamesidentifiedasconfickeralgorithmicallygenerated domainsperdayacrossasmallnumberoftopleveldomains,throughanicann accreditedregistrar,alice sregistry,inc.aspartofthepreemptiveregistration action,supportintelligenceconfigurednameserverstoresolvetoipaddressesof sinkholinghostsunderthecontrolofsecurityresearchersandmalwareanalysts. Preemptivedomainregistrationshadpreviouslybeenappliedwithsomesuccessby FireEyeMalwareDetectionLabstothwarttheSrizbibotnetinearlyNovember 11 andsecurityresearcherswerehopingforsimilarsuccessbyapplyingthesame technique.inthecaseofconficker,preemptiveregistrationwastoservetwo purposes:preventconfickerinfectedhostsfromcommunicatingwithc&cand directtraffictosinkholehostswheretheconfickerbottrafficcouldbefurther monitoredandanalyzed.on28january2009,asecurityresearcheratsupport IntelligencecontactedICANNstaffregardingtheConfickerthreat.Support Intelligence sblockingactivitieswereself fundedandtheorganizationwasseeking supportfromicanntoobtainfinancialrelieforreimbursementfromregistriesfor thedomainsithadandwascontinuingtoregister. ii The verb sinkholereferstoanactivitywheretrafficsuspectedtobeassociatedwithabotnetis redirectedtoacomputer(s)operatedbysecurityresearchersorlawenforcementforobservationor todivertanattackawayfromanintendedtarget. 5

6 ConfickerSummaryandReview DiscussionsrelatingtheongoingConfickerresponseactivitiesappearedonseveral securitylistsinparallelwiththeseactivities,whichincreasedawarenessofthe globalnatureandscaleofthethreat.forexample,personnelatregistryoperator AfiliaswerediscussingConfickermonitoring,blocking,andfundingissueswith severalrelevantpartiespriortosupportintelligencecontactingicann.cert CC staffhadcontactedstaffatdomainnameregistryoperatorneustartoaskwhether NeustarmightarrangeforsomeassistancefromtheBIZregistrytohelpcontain Conficker.On31January2009,NeustarreceivedbriefingsdescribingSupport Intelligence spreemptiveregistrationinitiativefrommicrosoftstaffandother securityresearchersviaprivatecorrespondence.combined,thesedialogswere essentialinengagingresourcestocontainconficker,buttheywereloosely coordinatedinthesensethatnotallpartieswerekeptinformedatalltimes, informationsharedwasnotuniform,andthatdisseminationofinformationrelied heavilyonindividualwebsoftrust. Bythistime,severalorganizations(Symantec/Kaspersky,eNom)hadbegun contributingfundstoassistwithpaymentofthefeessupportintelligencewas incurringtocontainconficker.thisfinancialaidhelpedpayfororrecover registrationfeestocctlds.recognizingthatthecurrentmethodofpreemptive registrationwas fundamentallyunsustainable evenwithmicrosoft scontributions andthattheoperationalresponseimposedanunreasonableandprecariousburden onasingleindividual,neustarcontactedicann schiefinternetsecurityadvisor andthechairmanoficann ssecurityandstabilityadvisorycommittee(ssac). On3February2009,whileattendinganICANNDNSSSRretreat,severalparties alreadyinvolvedinthecontainmenteffortmetinatlantatoconductabriefingfor seniormanagementfromicannandgtldregistries.participatingwere: ICANNseniormanagement,generalcounsel,andsecuritystaff, Lawenforcement(FBI/NCFTA), Securityresearchers(Microsoft,SupportIntelligence,ISC),and GTLDregistryoperators(VeriSign,Afilias,NeuStar) ParticipantsreviewedhowConfickerhadbeenhandledtodate(seeabove),and discussedhowtosustaintheeffortthroughfebruaryandmarchandhowtomanage publicdisclosure.theoperatorsoftheaffectedregistries initially,biz,com,info, NET,andORG volunteeredtheirparticipationandsetaboutblockingdomain names.theparticipantsdiscussedwaysthaticannmightassistinthepreemptive registrationeffort.icann ssecuritystaffagreedtocoordinatepreemptive registrationswithcctldsandtofacilitateongoingcommunicationsamongthe participants.icannseniormanagementandgeneralcounselagreedtoconsider declaringtheconfickerresponsetobeaspecialcircumstance(exceptioncase)and tomanagecontractualwaiveraspectsoftheresponsesothatthegtldregistries couldcontinuetheirpreemptiveregistrationactivitiesthrough1april2009.the participantsagreedtocontinuetoconferenceregularlytoreportstatusandto exploremechanismstocontainormitigatefuture,similarthreats. 6

7 ConfickerSummaryandReview BasedontrafficanalysisandintelligencegatheredrelatedtoConfickeravailableat thetimeofthemeeting,participantsagreedthattheoperationalresponseplanput intoactioninatlantawouldhavetocontinueforseveralmonthsandaworkflow emerged:researcherswouldgeneratethedailylistsandcontactthetargeted registries,whowouldthentakemeasurestoblockconfickerbotnetoperatorsfrom registeringthedomainnames. On12February,Microsoftpublishedapressreleaseannouncing partnershipwith technologyindustryleadersandacademiatoimplementacoordinated,global responsetotheconficker(a.k.a.downadup)worm 12 andofferinga$250,000 rewardforinformationleadingtothearrestandconvictionofconficker swriters 13. TheannouncementacknowledgedtheparticipationandcooperationofICANN, registryoperators(neustar,verisign,cnnic,afilias,publicinternetregistry)as wellasglobaldomainsinternationalinc.,m1dglobal,aol,symantec,f Secure,ISC, researchersfromgeorgiainstituteoftechnology,theshadowserverfoundation, ArborNetworksandSupportIntelligence.Atthispoint,ArborNetworksjoinedto complementsinkholeoperations.followingthisannouncement,thepressbegan referringtotheadhocpartnershipastheconfickercabal 14.Thepartnershiplater preferredandcontinuestousethenameconfickerworkinggroup. FromearlyFebruarythroughmid April,thestafffromICANNsecurity,services, complianceandlegaldepartmentscoordinatedaseriesofcallswithpartieswho agreedtocollaborateasadnsoperationalresponseteam.theteam,consistingof involvedgtldregistryandregistrarrepresentatives,mettocontinuetoshare informationandtodiscussongoingeffortstocontainconficker.thegroupwas explicitlyavoluntarycollaborationthatfocusedspecificallyontheconficker situation,establishedmechanismsforvettingadditionalmemberstoensuretrustin thoseinvolvedandmadenodeterminationsrelatedtoanycontractualmatters. Manyofthesepartieswerealsoengagedinthebroadersecuritycommunity Confickerworkinggroup.BythispointtheCWGhadmultiplefunctioning subgroups,includingsinkholeoperators,malwareanalyzers,dnsoperators, remediationtoolproducers,etc. On20February,MicrosoftreceivedreportsofaConficker.Cvariant iii.security researchersdeterminedbyexamininginfectionsamplesthatthisvarianthadamore aggressivedomaingenerationalgorithm.cognizantthatthesecurityanddomain namecommunitieswereblockingregistrations,theconfickermalwarewriters seemedintenttotestthelevelofcommitmentoftheconfickerworkinggroup.in AnalysisofConficker.C 15,Parras,Saidi,andYegneswarandescribeConficker.Cas a directretorttotheactionoftheconfickercabal,whichrecentlyblockedalldomain iii ThelabelingofConfickervariantsbecomesconfusingatthispoint.OnesecurityresearcheratSRI obtainedavirussampleandlabeleditb++whereasotheranalystslabeledthevariantc.the8march 2009SRIanalysisofConficker.CthusdescribesthevariantothersinthecommunitylabeledD.Some membersofthesecuritycommunitynowrefertothe1april2009variantasconficker.c/d.atable comparingcertainfeaturesoftheconfickervariantsappearsinappendixa. 7

8 ConfickerSummaryandReview registrationsassociatedwiththeaandbstrains. TheConficker.Cvariant introducedtwofunctionalchanges.thefirstalteredthecontrolchannel communicationsfromac&ctoapeer to peermodel.conficker.calsochangedthe domainnamegenerationalgorithmandrendezvouslogicpointselectionmethod: Conficker.Cnowselectsitsrendezvouspointsfromapoolofover50,000randomly generateddomainnamecandidateseachday.conficker.cfurtherincreases Conficker'stop leveldomain(tld)spreadfromfivetldsinconfickera,toeight TLDsinB,to110TLDsthatmustnowbeinvolvedincoordinationeffortstotrack andblockconficker.c'spotentialdnsqueries. Withthislatestescalationindomainnamemanipulation,Conficker.Cposeda significantchallengetothosehopingtotrackitscensusandcontainthethreatit posed.theconficker.cvariantalsohighlightedtheweaknessofblockingname registrationsasacountermeasure.themeasuredoesnotscale.byintroducing increasinglylargenumbersofpossibleregistrationsandspreadingtheseacrossa largenumberoftldregistries,theconfickerwritersincreasedthelikelihoodof oversightorerror,andalsoincreasethenumberoforganizationsthathadto collaborate. LederandWermannoteintheirreportthatthenewConfickervariantimprovedthe domaingenerationalgorithmmeasurably,butatthesametimerevealed informationthatthewritersshouldhavetakencaretohide: Conficker.Ccontains codethatwillstarttolookforupdatesafter1april2009localtime...itisthis hardcodeddatevaluewithinthecodethathasgeneratedsuchahighdegreeofpress speculationaboutwhattheconfickerbotnetwillormorelikelywon'thappenon AprilFoolsday. HardcodingthedateintotheConficker.Cvariantwasnotvery cleverandinfact,showsthateveninthevirusworldthosewhofailtostudyhistory aredoomedtorepeatit:hardcodingipaddressesofinfectioncodehadearlier providedsecurityresearcherswiththemeanstoblockcommunicationsbetween botsandc&cs. Atthispoint,theCWGfacedseveraluncertaintiesandchallenges.CWGmembers andothershadmadeseveralrepairandremovaltoolsavailable,butthegroupcould notenforceremediationordeterminehowmanyhostsinfectedbypriorconficker variantsremainedinfectedandhadbeenupgradedbytheconfickermalware writersfromtheoriginalavariant(andthuscouldbefurtherupgradedto Conficker.Considerableeffortstomakethepublicawareofthethreatwere underway,butthecwghadtoanticipatethatconficker.cwouldinfectadditional (new)hosts.thecwgfocusedcertainofitsmonitoringactivitiesondetermining whetheranyofthealgorithmicallygenerateddomainsduplicatednamesalready registeredinatldandothereffortstocontinuetoidentifythedomainnames ConfickergeneratedandmaketheseavailabletoTLDssothattheycouldbeblocked. ICANNsecuritystaffandICANNregionalliaisonscontactedthelistofCCTLD operatorsthatsecurityresearchershadidentifiedastargetsforconficker registrations,suppliedeachoperatorwithatailoredlistofnamesconficker 8

9 ConfickerSummaryandReview malwarewriterswouldattempttoregister,andadvisedthemtojoinsecurity mailinglistswherednsresponseissuesrelatedtotheconfickerwormsare discussed;however,certaincctldoperatorswouldnotblockthenamesonthelist withoutacourtorder.icannstaffalsocontactedthechairoftheccnsoandthe managersoftheregionalcctldgroups(centr,aptld,aftld,lactld)toassist incallingattentiontotheanticipatedevent. TheanticipatedApril1updateeventreceivedconsiderablepublicattention 16.The ConfickerWorkingGroup,complementednowbyanumberofCCTLDs,preparedfor theevent.icannsecuritystaffandconfickerworkinggroupmembersrecognized that100%awarenessortimelyparticipationacrosssuchalargenumberofregistry operatorswasdoubtful.cooperationamongthevariousregistriesoperators, althoughunlikelytofullystopconficker,wouldenabletheanti viruscommunity andthoseinvolvedtobettertrackandunderstandthespreadofthewormandthen tousethatinformationtohelpdisinfectsystems. By30March2009,securityresearchersinvolvedinTheHoneynetProjecthad sufficientlyanalyzedconficker.ctopositivelyidentifytheinfection 17.Detection signaturesweremadeavailableandquicklyincludedinfreeandfor feenetwork scanners(nmap,tenablesecurity snessus,mcafeefoundstoneenterprise,and Qualys).Giventhenumberofsystemsthatremainedinfectedandnotpatched, securityresearchersconcededthatthatnumberofsystemsstillinfectedwithearlier ConfickervariantsandstillnotpatchedtomitigatetheMS08 67wouldbeupdated on1april2009withtheconficker.evariantandthattheextentandsuccessofthe updatecouldnotbepredicted. TheintentoftheConficker.Evariantwastoremoveallbutthecoremalware functionalityandupgradecontactedhostswiththenewp2pcommunications ability.accordingtomicrosoftmalwareprotectioncenter 18,theConficker.Evariant executesaself terminationroutinewhenthedateismay32009.thewormdeletes itsmainexecutablecomponentonthisdate.howeverthedllpayloadcomponent (detectedasworm:win32/conficker.e.dll)remainstocontinueparticipatingin P2Pcommunicationamonginfectedpeers. On21September2009,SRIreleaseda ConfickerP2PProtocolandImplementationAnalysis 19.Inthereport,theauthors describethenewp2pscan baseddiscoverymethodconfickermalwarewriters wouldnowusetojoinaninfectedhostintotheconfickerp2pnetwork,themeans bywhichpeerssharemalwareexecutables,andmore. OngoingConfickerWorkingGroupActivity EffortscontinuetoblockregistrationofConfickerdomains.Trafficanalysisefforts havebeenhelpfulindevelopingabetterunderstandingofthedistributionofthe wormandintendedapplicationsoftheconfickerbotnet 20.Microsoftandsecurity vendorscontinuetostudymethodsfordetectionandremovalofknownvariants. 9

10 ConfickerSummaryandReview SecurityresearcherscontinuetopublishanddistributeConfickerscanners, signaturesforintrusionsystems,andgeneralinformation.effortstotargetoutreach toparticularlyinfestednetworkscontinue. TheConfickerinfectionrateremainshighforBandCvariantsbutdecliningforC/E. Remediationcontinuestoposechallenges.Securityresearcherscontinuetotrack Conficker.AnOctober2009snapshotbytheShadowserverFoundationestimates thenumberofsystemsinfectedwithconfickera/b/cvariantsatapproximately sevenmillion 21.TheConfickerWorkingGroupmaintainsvisualtimelineand chronologyofconfickerat[22]totrackhistorical,currentandfutureevents. ActivitiestodetectConfickervariantsandremediateConficker infectedhostswill undoubtedlycontinueforsometime.thisisinevitablegiventhemillionsofinfected computersandhistoricallymarginalsuccessinremediatingmalware.lessons learnedduringtheconfickercontainmentperiodarediscussedinalatersectionof thispaper.securityanddnscommunitiesareworkingtodeviselong termand sustainableapproachesfordealingwithnotonlyconfickerbutalsofuture,similar threats.these,too,arediscussedinalatersectionofthispaper. TheImportanceofRolesinConfickerWorkingGroup AlltheactionsrelatedtomitigatingtheConfickerwormwerenotdirectlynor entirelywithintheremitofanyindividualcwgparticipant.throughoutthe chronologyofconfickerevents,allthecollaboratingpartiesperformedrolesthat wereappropriatetotheirorganizations corecompetencies:malwareresearchers reverseengineeredthedropper/installer,trafficanalysisengineersidentifiedthe lociofinfestations,icannfacilitatedcommunicationsbetweenregistriesand partieswhocompiledthec&cdomainlists,andregistryoperatorsblocked registrationsofconfickerdomains.thecollaboratingpartiestriedtoadheretothe bestpracticesofpublicdisclosureofsecurityincidentsandeventsbymaintaininga lowprofile,protectingsensitiveinformation,andsharingonlyinformationthatthe adhocpartnershipagreedtoshare. SeveralCWGmemberspubliclyexpressedtheirsurpriseandgratitudeformember willingnesstoengageintheconfickercontainment 23.Manysecurityandregistry organizationshadnotencounteredcircumstancessuchasthoseconfickerposed andthusdidnothavecommunicationschannelsinplacetocoordinatecontainment efforts.cwgmembersindicatedthaticann sabilitytofacilitateandexpedite communicationswithtldregistriesacceleratedprocessesthatwouldunderother circumstanceshavechallengingifnotimpossibletoobtainduringthewindowsof opportunityconfickeraffordedthem.icannsecuritystaffandregionalliaisons initiallyfilledthisgapbyrelayinginformationgatheredbysecurityresearchersto TLDoperatorsandlaterbyintroducingcollaboratorsandprovidingdirectcontact information.registryoperatorsblockedconfickerdomainsandadvisedicann 10

11 ConfickerSummaryandReview counselandseniormanagementofthemeasurestheytooktopreventthe registrationofauto generateddomainsbytheconfickermiscreants.theseadhoc methodsprovidedsomeinsightintohowcertainformalconstructsmightprove beneficialinfutureresponseefforts. ConfickerToday InfectiontrackingbytheCWGshowsthatConficker.Cpopulationshavediminished overthepastyearbutthatnumberofcomputersinfectedconfickera+bisstilllarge (graphscourtesyofconfickerworkinggroup 24 ). Overthepastyear,theShadowserverFoundationhastrackedtheConficker populations(a+b,c,andaggregate),whichremaininthemillions. 11

12 ConfickerSummaryandReview LessonsLearned Severallessonsmaybelearnedfromthechronologyandeventsrelatedto containingtheconfickerworm.perhapsthemostpositivelessonlearnedisthat DNS,security,andlawenforcementcancollaboratewhenanincidentofglobal proportionisidentified.apositiveresultfromtheadhocresponsewasthatthe participantsdisruptedthebotnetcommunicationsandthusprevented opportunitiestoputthebotnettomisuse.thecontainment,however,was temporary,andtheconfickermalwarewriterscounteredbymakingthe containmentmeasureincreasinglydifficulttocoordinateandsustain. TheConfickercollaborativeresponsesreliedlargelyonvolunteereffortsand goodwill,informalcommunicationschannels,interventionaloperationalpractices, informalagreements,andassumptionsthatresponsewouldbeuniformand unilateral.eachofthesedependenciesexposedcertainweaknesses: Adhoccollaborativeresponsemaynotbescalableorsustainable.Intheabsenceof (complementary)formalstructuresorcommitments,certainproblemsthat encumberedorconfoundedtheconfickerresponsewillpersist.theconficker responsewasahighlydistributedeffortthatleveragedmanyvolunteersaswellas fulltimestaffacrossmultipleorganizationstogetthejobdone.weneedtoconsider thefactthatwecannotrelyonhavingsufficientresourcesofthecaliberthatwere engagedforconfickertobeavailableatamoment snoticeasarealthreat.aswe studythreatstothedns,weneedtoalsoconsiderthatwehavenotyetencountered asituationwhereresourcesmightbeneededformultiple,simultaneousincidents involvingtheglobaldns. 12

13 ConfickerSummaryandReview Likeothermalwarewriters,worm/botnetwriterswilladapttocountermeasures deployedtodetectorcontainthem.however,westillseeevidencethatwhilebotnet writershaveadaptedtothecontainment,theystillappeartopreferdnstohardencodedipaddressesandstillusesecondlevellabelsacrossmultipletlds.the DNSislikelytocontinuetobepartofmalwarewritertoolkits.Itisthusappropriate toconsiderwaystobuildonthesuccessfulelementsofthisincidentresponseand improvethoseaspectsthatwerenotsosuccessful. Informalcommunicationsmaynotbesufficientforallglobalincidentresponseefforts, especiallyinsituationswherethereiszerotoleranceforerrororomission.conficker demandedconstantattentionfromresponders.confickervariantsgeneratednew domainlistsdaily.securityresearchersmonitoredtrafficandanalyzedcode samplescontinuouslyinanticipationofnewvariants.duringthemonthsofeffortto containconficker,communicationsamongresponderscouldbecharacterizedas havingspikes,lags,anddormantperiodswheresomepartieswereunableto respondorunresponsive.incertaincases,contactinformationavailabletoparties wasnotaccurate,orwasnotsufficienttoreachapartywithauthoritytoacton behalfofthecontactedorganization.inothercases,icannstaffdeterminedthat someregistrycontactinformationmaintainedbyianawasnotaccurateorwasnot thecontactataregistrywithauthoritytoparticipateinincidentresponse.formal channelswithagreed uponormandatoryexchangesandexchangefrequencies shouldbeconsideredforfutureresponseefforts. Maintainingconsistency,completenessandaccuracyofinformationduringthecourse ofalongincidentresponseeffortischallenging.duringtheconfickerresponse, partiesinitiallyusedavailableratherthanformalcommunicationschannels(e.g., securitymaillists,teleconferences,private ,etc.)andreliedoncontact informationathandorpassedhandtohand.theconfickerworkinggroup establishedcommunicationschannelsasthecontainmenteffortgrew,butsensitive informationwasnotconsistentlyclassified,encryptedorsigned.thenatureand levelofdetailcommunicatedamongtheparticipantswasunintentionallybut predictablynotuniform.theadhocnatureofthesecommunicationsalsoresultedin differentpartiesreceivinginformationatdifferenttimes,whichmadeitdifficultto maintainbroadsituationalawareness.noindividualororganizationperformed formalactiontrackingorauditing,andthuschroniclingtheincidentresponsefor post incidentreviewandanalysishasbeendifficult.inparticular,informationthat ispotentiallyvaluableinimprovingresponsetofutureglobalincidentsmaybelost orasyetundisclosed. Scalingtrustishard.Volunteereffortsrelyonpersonalwebsoftrust.Most participantsintheconfickerresponseknewsomeorseveralotherparticipantsbut itisunlikelythatanyonekneweveryoneandunlikelierstillthatanyonecould produceanaccurateaccountingofallpartiestoallinformationsharingduringthe courseofthecontainmenteffort. 13

14 ConfickerSummaryandReview Operationalprocessesthatrelyonblocklistsataregistrylevelarenotscalable.The mostobviousreasonisthatpreemptiveblockingscalespoorly:inresponsetothe blockingefforts,conficker swritersincreasedthenumbersofalgorithmically generateddomainsandthenumbersoftlds.theoperationalburdentoblock domainsincreasesinseveralways;forexample,distributionofnamesacrosslarger numbersoftlds,removalofthenamesfromavailablepoolscanbecomeexpensive, non compensatedcostsforregistryoperators.registriesalsofiltereddomainsto assurethatall collisions betweenconficker sdgadomainsanddomainsthatare alreadyregisteredintldswerenotadverselyaffected. CertainactivitiesrelatedtoincidentresponseraisecontractualissuesforICANN, registries,andregistrars.inthecaseofconficker,icannandgtldregistrieswere abletoresolvemattersrelatingtodomainfeesquickly.thecommunitycannotrely onallcontractualmatterstobesoeasilyhandledforallfutureincidents.regarding theeasebywhichconficker relatedcontractualmatterswereresolve,onesecurity expertobserved(anonymously)that, inthefirstexampleofbreakingtherules, you regivensomeleeway.thesecondtime,thestakesarehigher,andyouhaveto bewarethatasinglemistakewillbedisproportionatelyhighlighted. Certaincountermeasuresorpreemptiveactionscannotbeimplementedunilaterallyby alltldoperators.someregistryoperatorsrequirecourtordersbeforetheytakea particularactioninresponsetoaglobalincident.inascenariolikeconficker,where listsofmaliciousdomainsaregenerateddaily,evenaonedaydelaytoprocessa courtordercaninhibittheresponse. Weshouldrefrainfromconcludingfromtheselessonslearnedthatformal structuresmustreplacevoluntaryones.forexample,establishingformalstructures doesnotaddresstheissuethatsometldswillnotbewillingtoparticipateorto continuetoparticipateincertainkindsofresponseindefinitely.relyingentirelyon formalstructuresmayexcludeparticipationbycertainindividualsforarangeof political,legal,orpersonalreasons.rather,weshouldbearinmindthatresponses withinadequateresourceswillbemorepronetoerrororomissionthanthosegiven adequateresources.effectiveresponsewillinevitablyandultimatelydependupon thesupportandparticipationofrelevantstakeholders,notablythosewhohave delegatedresponsibilityforthevariousassetsinvolved.inotherwords,while certainformalstructurescancomplementandrenderadhocresponsesmore effective,bothmaybenecessarytodealwithfutureeventsoftheconfickerkind. WayForward BaseonthelessonslearnedfromthecollaborativeresponsetoConficker,one elementofawayforwardistoformalizerelationshipsamongpartiesthatbecome involvedwhensecurityeventsofaglobalnatureoccur.icann(theentityand community)hasestablishedcertainformalrelationshipsandstructuresandis workinginconcertwithotherorganizationsonothers. 14

15 ConfickerSummaryandReview WithinthespecificcontextofglobalsecurityeventsinvolvingabuseoftheDNSand domainregistrationservices,andusingconfickerasalearningexperience,icann andthegtldregistrieshavedevelopedanexpeditedregistrysecurityrequest Process(ERSR) 25.Throughthisprocess,gTLDregistriescannowinformICANNofa presentorimminentsecuritythreatagainsttheregistryorthednsinfrastructure andrequestacontractualwaiverforactionstheregistrymighttakeorhastakento mitigateoreliminatethethreat.thecontractualwaiverwouldprovideexemption fromcompliancewithaspecificprovisionoftheregistryagreementforthetime periodnecessarytorespondtothethreat.theersrallowsaregistrytomaintain operationalsecurityduringanincidentwhilekeepingrelevantparties(e.g.,icann, otheraffectedproviders,etc.)informedasappropriate. TheERSRisintendedtohelpregistriesdealwithmaliciousactivityinvolvingthe DNSofscaleandseveritythatthreatenssystematicsecurity,stabilityandresiliency ofatldorthedns.itcanalsobeusedincircumstanceswherearegistrydiscovers unauthorizeddisclosure,alteration,insertionordestructionofregistrydata.the ERSRwouldalsobeanappropriateprocessforaneventwiththepotentialtocause atemporaryorlong termfailureofoneormoreofthecriticalfunctionsofagtld registryasdefinedinicann sgtldregistrycontinuityplan 26. Today,manyorganizationssupportavarietyofactivitiesthatareintendedto improveinternetsecurityawarenessandrespondtosecurityincidents.icann securitystaffhasstudiedincidentandemergencyresponseatnationaland internationallevelstounderstandhowtheseactivitiesmightbecoordinated, especiallyincircumstanceswherethednsiscentraltoglobalincidentsorwhere eventsthreatenthesecurity,stability,orresiliencyofdomainnameserviceata globallevel.withtheassistanceoftheseorganizations,icannhasdevelopedan operationalconceptplanandbusinesscaseforadns CERT 27. Asproposedintheconceptplan,theDNS CERTwouldactasasecuritycoordination centertoassistdnsoperatorsandsupportingorganizationsbyproviding information,expertiseorresourcestorespondtothreatstothesecurity,stability andresiliencyofthednsefficientlyandinatimelymanner.again,asproposed,the centralpurposesofthedns CERTwouldbetomaintainsituationalawareness, facilitateinformationsharing,improvecoordinationwithinthednsoperational community,andimprovecoordinationwiththebroadersecurityandotheraffected communities. Inadditiontotheseprograms,ICANN ssecurityteamisstudyinghowtoimprove andmaintainaccuratecontactinformationincooperationwiththesecurity communityandregistryoperators.staffwillalsostudywaystoimproveand formalizemonitoringresponsestoglobalincidentswhiletheyareinprogress(e.g., auditingandtracking),methodstochronicleincidentresponses,andwaysto coordinatepost incidentreviewandassessment.thesemaybeincorporatedinto thedns CERTprogramasitevolves,ortheyformbethebasesforotherinitiatives 15

16 ConfickerSummaryandReview instigatedbyotherorganizations.icannwillconsiderwhatifanyroleitshould performuponreviewoftheinitiatives. ConcludingRemarks Incertainrespects,thecollaborativeresponsetoConfickerwasasinglevolleyin whatisarguablyanearlybattleofalongcampaign.icannandothermembersof thecwgwillcontinuetoassistinremediationeffortsrelatedtotheconfickerworm. Individualorganizationswillnodoubtusetheirexperiencestohelpdefinerolesin futureglobalincidents.thednsandinternetsecuritycommunitiesmustalso considerhowtheytogethermightestablishmoreformalcollaborativeresponseto futureoccurrencesofconfickerandotherthreatstothednssecurity,stabilityand resiliencyofsimilarnatureandscale. 16

17 ConfickerSummaryandReview Appendix A. Table of Conficker Variants Variant & date Conficker.A Conficker.B SRI Conficker.C a.k.a. Conficker.D Conficker.E Bot Evolution Infects via MS08-67, anonymous shares Resets system restore point, disables security services HTTP callback to download files Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media Reset system restore point Disables security software and security updates via DNS filtering Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media Disables security software and security updates via DNS filtering Changes bot from HTTP C&C to P2P Sets 1 April 2009 as activation date for new DGA Initial exploit uses MS08-67 Only installs if prior Conficker variants present Disables security software and security updates via DNS filtering Resets system restore point Updates to pure P2P network Self-terminates on 3 May 2009: remove all Conficker executables except DLL DNS/Domain Abuse 250 pseudo-randomly generated domains registered in 5 TLDs 250 pseudo-randomly generated domains registered in 8 TLDs Tens of thousands of pseudo-randomly generated domains registered in 100+ TLDs 17

18 ConfickerSummaryandReview Citations 1Code Red (Computer Worm), 2 Blaster worm, 3 Sasser (Computer Worm), 4SQLSlammer, 5 Know Your Enemy: Containing Conficker, 6ContainingConficker, 7TheDifferenceBetweenaComputerVirus,WormandTrojanHorse, 8 What is a Blended Threat? 9 Microsoft Security Bulletin MS Critical, 23 October 2008, 10HowtoRestoreWindowsXPtoapreviousstate, 11DisconnectingfromtheSrizbiBotnet, 12Microsoft Collaborates With Industry to Disrupt Conficker Worm, feb09 en.htm 13MS puts up $250K bounty for Conficker author, 14ConfickerCabal, 15 Analysis of Conficker.C, 16 Alert: April 1 "Conficker" Computer Worm, 17Conficker Researchers Counter April 1 Update With Detection Scan, 18MicrosoftMalwareProtectionCenter Win32/Conficker.E, 19ConfickerP2PProtocolandImplementationAnalysishttp://mtc.sri.com/Conficker/P2P/ 20ConfickerInfectionDistribution, 21ShadowserverFoundationConfickerstatisticspage, 22ConfickerTimeline, 23ShadowserverFoundationAnnouncesNewEffortToCombatConficker 24ConfickerWorkingGroupInfectionTracking 25ExpeditedRegistrySecurityRequestProcess, 26gTLDRegistryContinuityPlan, registrycontinuity plan 25apr09 en.pdf 27GlobalDNS CERTBusinessCase, cert business case 10feb10 en.pdf 18