ConfickerSummaryandReview ConfickerSummaryandReview DavePiscitello,ICANNSeniorSecurityTechnologist 7May2010 Abstract Thisreportprovidesachronologyofeventsrelatedtothecontainmentof theconfickerworm.itprovidesanintroductionandbriefdescriptionofthe wormanditsevolution,butitsprimaryfocusistopiecetogetherthepostdiscoveryand analysisevents,describethecontainmentmeasures chronologically,anddescribethecollaborativeefforttocontainthespread oftheworm.theauthorcaptureslessonslearnedduringacontainment periodspanningnearlyayearanddescribesrecentactivitiesthatattemptto applythelessonslearnedsothatthesecurityanddnscommunitiescanbe betterpreparedforfutureattacksthatexploittheglobaldns. Thisreportrepresentstheworkoftheauthor,onbehalfoftheICANN SecurityTeam.Theauthorisresponsibleforerrorsoromissions.While membersoftheconfickerworkinggroup,icannssac,individualsecurity researchers,andcertainicannregistrieswereinvitedtocommentor reviewthereport,noneoftheseorganizationswereaskedtoformally endorsethisworkproduct. Introduction TheConfickerwormfirstappearedinOctober2008andquicklyearnedasmuch notorietyascodered 1,Blaster 2,Sasser 3 andsqlslammer 4.Theinfectionisfoundin bothhomeandbusinessnetworks,includinglargemulti nationalenterprise networks.attemptstoestimatethepopulationsofconfickerinfectedhostsatany giventimehavevariedwidely,butallestimatesexceedmillionsofpersonal computers. TheoperationalresponsetoConfickerisperhapsaslandmarkaneventastheworm itself.internetsecurityresearchers,operatingsystemandantivirussoftware vendorsdiscoveredtheworminlate2008.thesepartiesaswellaslawenforcement formedanadhoceffortwithicann,topleveldomain(tld)registriesand registrarsaroundtheworldtocontainthethreatbypreventingconfickermalware writersfromusingtensofthousandsofdomainnamesalgorithmically generated dailybytheconfickerinfection. ConfickermalwarewritersmadeuseofdomainnamesratherthanIPaddressesto maketheirattacknetworksresilientagainstdetectionandtakedown.initial countermeasures sinkholingorpreemptiveregistrationsofdomainsusedto identifyconficker scommandandcontrol(c&c)hosts preventedthemalware writersfromcommunicatingwithconficker infectedsystemsandthus,presumably 1
ConfickerSummaryandReview preventedthewritersfrominstructingthebottedhoststoconductattacksorto receiveupdates.theconfickermalwarewritersrespondedtothismeasureby introducingvariantstotheoriginalinfectionthatincreasedthenumberof algorithmicallygenerateddomainnamesanddistributedthenamesmorewidely acrosstlds.torespondtothisescalation,partiesinvolvedincontainingconficker contactedmorethan100tldsaroundtheworldtoparticipateinthecontainment effort. Thecombinedeffortsofallpartiesinvolvedinthecollaborativeresponseshouldbe measuredbymorecriteriathanmitigationalone.thecontainmentmeasuresdidnot eradicatethewormordismantlethebotnetentirely.still,thecoordinated operationalresponsemeritsattentionbecausethemeasuresdisruptedbotnet commandandcontrolcommunicationsandcausedconfickermalwarewritersto changetheirbehavior.thecollaborativeeffortalsodemonstratedthatsecurity communitiesarewillingandabletojoinforcesinresponsetoincidentsthat threatenthesecurityandstabilityofthednsanddomainregistrationsystemsona globalscale. 2
ConfickerSummaryandReview ConfickerBackground ThissectiondrawsheavilyfromanexcellentpaperontheConfickerworm publishedatthehoneynetprojectbyauthorsfelixlederandtillmannwerner 5. ThedescriptionherelargelytracksanddistinguishesamongConfickervariants whenchangesaffectedtheworm suseofthedns.itdiscussesthewormingeneral terms.thoseinterestedinaverytechnicalanalysisofconficker sinfection armoringandupdateprocesses,variantsofthedomainnamegenerationalgorithms, signaturesthatcanbeusedbyintrusiondetectionsystemstodetectconficker,and disinfectionissues areencouragedtoreadthefullpaper.lederandtillmannhave alsoproducedashortvideoonthestructureofconfickerandmaintainalistof disinfectantsandscannersatthecontainingconfickerwebpage 6.Listsofdomain namesgeneratedbyconfickervariantsmaybeofparticularinteresttothedomain namecommunityandcanbeobtainedthereaswell.anothersourceforthis summaryisansritechnicalreportbyphillipporras,hassensaidi,andvinod Yegneswaran,whichanalyzestheConfickerpackage,processing,andprotocolin considerabledetail. Confickeriscalledawormbecausethefirstdiscoveredvariantattachedtoa program(executable),wasself replicating,and(importantly)usedanetworkasthe deliverymechanism.thiscombinationofcharacteristicsdistinguisheswormsfrom viruses 7.Confickerisactuallyablendedthreat 8 becauseitcanbedeliveredvia networkfileshares,mappeddrivesandremovablemediaaswell.theconficker infectionisatypeofsoftwarecalledadynamiclinklibrary(dll).adllcannot executealonebutmustbeloadedbyorintoarunningapplication.theconficker DLLlauncheswithrundllonWindows,whichletsitrunasastandaloneprocess.A ConfickerinstallerloadsitsDLLintoaWindowsapplicationbyexploitingtheMS08 067vulnerabilityintheWindowsOperatingSystem 9.Thisvulnerabilityallows Confickermalwarewriterstousewhatiscalledabufferoverflowto inject code intothewindowsserverservice. Abufferoverflowisamethodofexploitingsoftwareprogrammingthatfailstocheck boundariesbeforewritinginformationintomemory.theattackerdiscoversthata programisvulnerabletoabufferoverflowbyattemptingtowritemoreinformation intomemorythantheprogrammerhadallocatedtostoreinformation.specifically, theattackerseekstowriteinformationintomemorythatisadjacenttothememory heoverruns.thisadjacentmemorymaycontaindataoritmaycontainexecutable code;ineithercase,theattackedapplicationwillnotoperateasanticipatedwhenit encountersthemaliciouscodetheattackerinjected.inthecaseofconficker,the attackerinjectedexecutablecodethatgivestheattackerremotecontroloverthe infectedcomputerandinparticular,remotecodeexecutionprivileges.usingthe injectedcode,theattackercanaddorchangecodetomaketheinfectedhost computerdowhateveritchooses. 3
ConfickerSummaryandReview Topreventdetection,certainwormsembedthemselvesinabenignmanneronthe infectedcomputer,i.e.,intoaprogramorsoftwarethatisexpectedtorunona computerrunningthewindowsoperatingsystem.thewormthenattemptsto disablesoftwarethatcoulddetectorremovetheinfection.confickervariants disablewindowsautomaticupdate,windowssecuritycenter,windowsdefender andwindowserrorreporting.latervariantsalsouseddnsfilteringtoblock antimalwareprogramsfromobtainingupdates(e.g.,virussignaturesthatwould allowtheresidentavsoftwaretodetectandremoveconfickerrelatedmalware). ConfickermalwarealsoresetstheWindowsSystemRestorepoint 10,whichcontains informationthatcouldbeusedtoremoveconfickermalwarebyrestoringthe infectedcomputer sfilesystemandregistrytoversionssavedpriortotheinfection. EarlyvariantsoftheConfickermalwareenlistedaninfectedmachineintoa Confickerbotnet.Onceenlisted,themalwarerunningoninfectedcomputersusesa domaingenerationalgorithm(dga)tocreateadailylistofdomainnames.the Confickermalwarewritersusedthesamealgorithmtogenerateanidenticallist.The writersthenregisteredasmallnumberofthesedomainsandsetupname resolutionservicefortheselectedsubsetofdomainssothatthedomainnames assignedtointernetrendezvouslogicpoints i canberesolvedtoipaddressesbydns resolvers.theconfickermalwarewritersdidnotappeartousethegenerated domainnamesroutinely,presumablybecausetheydeterminedthenameshadbeen blocked.alatervariantshiftedthebotnetfromemployingrendezvouslogicpoints toapeer to peernetwork.malwareoperatingoninfectedhostsdiscoverotherbots bydetectingattacksfromanotherinfectedhosts,confirmingthecodetheattacking hostsattempttoinjectisthesameasitsowncode,andconnectingbacktothe attackerusinghttpsothathostswithmatchedinfectionscansharefilesdirectly. TheConficker infectedcomputersattempttoconnecttohttpserversoperatingon rendezvouslogicpointsbycontactingdomainsfromthedaily generatedlistof domainnames.iftheyareabletoresolveadomainnameandconnecttoanhttp server,thebottedmachinesareabletoreceiveadditionalmalwareorinstructions toperformcertainactionsusingalready presentexecutables.thewormusesstrong cryptographictechniques(rsaandmd6)tocontrolwhatcodecanbeloadedonto aninfectedbox.allcode"loads"mustbecorrectlysignedortheywillberejected. Presumably,onlytheConfickermalwarewriterhastheprivatesigningkeyfor updates.insomecases,theconfickerbotwillbetoldtotryvariousmeansof infectingotherhosts(e.g.,throughanonymousnetworkshares).inothercases,the Confickerbotscanbecomeanarmythatcanbedirectedatwillbyrendezvous pointstosupportawiderangeofmaliciousorcriminalactivities. Botnetsareextremelydifficulttodismantle.Botnetscanremainoperational andwill continuetoserveasplatformsfornumerousattacks foraslongasthebotted i Arendezvouslogicpointisaserverthatisfunctionallysimilartoacommandand control(c&c)server. 4
ConfickerSummaryandReview computersremaininfectedandaslongasthebotscanremotelycommunicatewiththe rendezvouspoint(s). Thefollowingsectionoffersachronologyofeventsthatdescribehowthesecurity, intelligenceanddnscommunitieswereabletodisruptcommunicationsbetween Confickerinfectedhostsandrendezvouslogicpoints. OriginandEvolutionoftheConfickerWorkingGroup PriortotheformationoftheConfickerWorkingGroup,operatingsystemand securitysoftwarevendors(microsoft,symantec,f Secure),othersecurityresearch organizations(shadowserverfoundation,teamcymru)andtheintelligence community(usfederalbureauofinvestigation,ussecretserviceandtheus DepartmentofDefense)hadmonitoredandanalyzedConfickerandhadcooperated tocontainthethreat.f Securehadbegun spot sinkholing ii domainnamesthat Confickerbotswereattemptingtocontacttoestimatethesizeofthebotnet.Several operatorsofthetopleveldomainsinwhichconfickermalwarewriterswere registeringdomains(verisign,afilias,neustar,pir,andws)werealreadyinvolved atthispoint,andicannstaffassistedthesecurityresearchersincontactingcnnic toadvisethemofthethreatandaskfortheirparticipationinthecontainmenteffort. TosupporteffortstomonitorConfickertraffic,analyzetheinfection,identify infectedhostsandestimatethesizeofthebotnet,supportintelligencewas registering500domainnamesidentifiedasconfickeralgorithmicallygenerated domainsperdayacrossasmallnumberoftopleveldomains,throughanicann accreditedregistrar,alice sregistry,inc.aspartofthepreemptiveregistration action,supportintelligenceconfigurednameserverstoresolvetoipaddressesof sinkholinghostsunderthecontrolofsecurityresearchersandmalwareanalysts. Preemptivedomainregistrationshadpreviouslybeenappliedwithsomesuccessby FireEyeMalwareDetectionLabstothwarttheSrizbibotnetinearlyNovember 11 andsecurityresearcherswerehopingforsimilarsuccessbyapplyingthesame technique.inthecaseofconficker,preemptiveregistrationwastoservetwo purposes:preventconfickerinfectedhostsfromcommunicatingwithc&cand directtraffictosinkholehostswheretheconfickerbottrafficcouldbefurther monitoredandanalyzed.on28january2009,asecurityresearcheratsupport IntelligencecontactedICANNstaffregardingtheConfickerthreat.Support Intelligence sblockingactivitieswereself fundedandtheorganizationwasseeking supportfromicanntoobtainfinancialrelieforreimbursementfromregistriesfor thedomainsithadandwascontinuingtoregister. ii The verb sinkholereferstoanactivitywheretrafficsuspectedtobeassociatedwithabotnetis redirectedtoacomputer(s)operatedbysecurityresearchersorlawenforcementforobservationor todivertanattackawayfromanintendedtarget. 5
ConfickerSummaryandReview DiscussionsrelatingtheongoingConfickerresponseactivitiesappearedonseveral securitylistsinparallelwiththeseactivities,whichincreasedawarenessofthe globalnatureandscaleofthethreat.forexample,personnelatregistryoperator AfiliaswerediscussingConfickermonitoring,blocking,andfundingissueswith severalrelevantpartiespriortosupportintelligencecontactingicann.cert CC staffhadcontactedstaffatdomainnameregistryoperatorneustartoaskwhether NeustarmightarrangeforsomeassistancefromtheBIZregistrytohelpcontain Conficker.On31January2009,NeustarreceivedbriefingsdescribingSupport Intelligence spreemptiveregistrationinitiativefrommicrosoftstaffandother securityresearchersviaprivatecorrespondence.combined,thesedialogswere essentialinengagingresourcestocontainconficker,buttheywereloosely coordinatedinthesensethatnotallpartieswerekeptinformedatalltimes, informationsharedwasnotuniform,andthatdisseminationofinformationrelied heavilyonindividualwebsoftrust. Bythistime,severalorganizations(Symantec/Kaspersky,eNom)hadbegun contributingfundstoassistwithpaymentofthefeessupportintelligencewas incurringtocontainconficker.thisfinancialaidhelpedpayfororrecover registrationfeestocctlds.recognizingthatthecurrentmethodofpreemptive registrationwas fundamentallyunsustainable evenwithmicrosoft scontributions andthattheoperationalresponseimposedanunreasonableandprecariousburden onasingleindividual,neustarcontactedicann schiefinternetsecurityadvisor andthechairmanoficann ssecurityandstabilityadvisorycommittee(ssac). On3February2009,whileattendinganICANNDNSSSRretreat,severalparties alreadyinvolvedinthecontainmenteffortmetinatlantatoconductabriefingfor seniormanagementfromicannandgtldregistries.participatingwere: ICANNseniormanagement,generalcounsel,andsecuritystaff, Lawenforcement(FBI/NCFTA), Securityresearchers(Microsoft,SupportIntelligence,ISC),and GTLDregistryoperators(VeriSign,Afilias,NeuStar) ParticipantsreviewedhowConfickerhadbeenhandledtodate(seeabove),and discussedhowtosustaintheeffortthroughfebruaryandmarchandhowtomanage publicdisclosure.theoperatorsoftheaffectedregistries initially,biz,com,info, NET,andORG volunteeredtheirparticipationandsetaboutblockingdomain names.theparticipantsdiscussedwaysthaticannmightassistinthepreemptive registrationeffort.icann ssecuritystaffagreedtocoordinatepreemptive registrationswithcctldsandtofacilitateongoingcommunicationsamongthe participants.icannseniormanagementandgeneralcounselagreedtoconsider declaringtheconfickerresponsetobeaspecialcircumstance(exceptioncase)and tomanagecontractualwaiveraspectsoftheresponsesothatthegtldregistries couldcontinuetheirpreemptiveregistrationactivitiesthrough1april2009.the participantsagreedtocontinuetoconferenceregularlytoreportstatusandto exploremechanismstocontainormitigatefuture,similarthreats. 6
ConfickerSummaryandReview BasedontrafficanalysisandintelligencegatheredrelatedtoConfickeravailableat thetimeofthemeeting,participantsagreedthattheoperationalresponseplanput intoactioninatlantawouldhavetocontinueforseveralmonthsandaworkflow emerged:researcherswouldgeneratethedailylistsandcontactthetargeted registries,whowouldthentakemeasurestoblockconfickerbotnetoperatorsfrom registeringthedomainnames. On12February,Microsoftpublishedapressreleaseannouncing partnershipwith technologyindustryleadersandacademiatoimplementacoordinated,global responsetotheconficker(a.k.a.downadup)worm 12 andofferinga$250,000 rewardforinformationleadingtothearrestandconvictionofconficker swriters 13. TheannouncementacknowledgedtheparticipationandcooperationofICANN, registryoperators(neustar,verisign,cnnic,afilias,publicinternetregistry)as wellasglobaldomainsinternationalinc.,m1dglobal,aol,symantec,f Secure,ISC, researchersfromgeorgiainstituteoftechnology,theshadowserverfoundation, ArborNetworksandSupportIntelligence.Atthispoint,ArborNetworksjoinedto complementsinkholeoperations.followingthisannouncement,thepressbegan referringtotheadhocpartnershipastheconfickercabal 14.Thepartnershiplater preferredandcontinuestousethenameconfickerworkinggroup. FromearlyFebruarythroughmid April,thestafffromICANNsecurity,services, complianceandlegaldepartmentscoordinatedaseriesofcallswithpartieswho agreedtocollaborateasadnsoperationalresponseteam.theteam,consistingof involvedgtldregistryandregistrarrepresentatives,mettocontinuetoshare informationandtodiscussongoingeffortstocontainconficker.thegroupwas explicitlyavoluntarycollaborationthatfocusedspecificallyontheconficker situation,establishedmechanismsforvettingadditionalmemberstoensuretrustin thoseinvolvedandmadenodeterminationsrelatedtoanycontractualmatters. Manyofthesepartieswerealsoengagedinthebroadersecuritycommunity Confickerworkinggroup.BythispointtheCWGhadmultiplefunctioning subgroups,includingsinkholeoperators,malwareanalyzers,dnsoperators, remediationtoolproducers,etc. On20February,MicrosoftreceivedreportsofaConficker.Cvariant iii.security researchersdeterminedbyexamininginfectionsamplesthatthisvarianthadamore aggressivedomaingenerationalgorithm.cognizantthatthesecurityanddomain namecommunitieswereblockingregistrations,theconfickermalwarewriters seemedintenttotestthelevelofcommitmentoftheconfickerworkinggroup.in AnalysisofConficker.C 15,Parras,Saidi,andYegneswarandescribeConficker.Cas a directretorttotheactionoftheconfickercabal,whichrecentlyblockedalldomain iii ThelabelingofConfickervariantsbecomesconfusingatthispoint.OnesecurityresearcheratSRI obtainedavirussampleandlabeleditb++whereasotheranalystslabeledthevariantc.the8march 2009SRIanalysisofConficker.CthusdescribesthevariantothersinthecommunitylabeledD.Some membersofthesecuritycommunitynowrefertothe1april2009variantasconficker.c/d.atable comparingcertainfeaturesoftheconfickervariantsappearsinappendixa. 7
ConfickerSummaryandReview registrationsassociatedwiththeaandbstrains. TheConficker.Cvariant introducedtwofunctionalchanges.thefirstalteredthecontrolchannel communicationsfromac&ctoapeer to peermodel.conficker.calsochangedthe domainnamegenerationalgorithmandrendezvouslogicpointselectionmethod: Conficker.Cnowselectsitsrendezvouspointsfromapoolofover50,000randomly generateddomainnamecandidateseachday.conficker.cfurtherincreases Conficker'stop leveldomain(tld)spreadfromfivetldsinconfickera,toeight TLDsinB,to110TLDsthatmustnowbeinvolvedincoordinationeffortstotrack andblockconficker.c'spotentialdnsqueries. Withthislatestescalationindomainnamemanipulation,Conficker.Cposeda significantchallengetothosehopingtotrackitscensusandcontainthethreatit posed.theconficker.cvariantalsohighlightedtheweaknessofblockingname registrationsasacountermeasure.themeasuredoesnotscale.byintroducing increasinglylargenumbersofpossibleregistrationsandspreadingtheseacrossa largenumberoftldregistries,theconfickerwritersincreasedthelikelihoodof oversightorerror,andalsoincreasethenumberoforganizationsthathadto collaborate. LederandWermannoteintheirreportthatthenewConfickervariantimprovedthe domaingenerationalgorithmmeasurably,butatthesametimerevealed informationthatthewritersshouldhavetakencaretohide: Conficker.Ccontains codethatwillstarttolookforupdatesafter1april2009localtime...itisthis hardcodeddatevaluewithinthecodethathasgeneratedsuchahighdegreeofpress speculationaboutwhattheconfickerbotnetwillormorelikelywon'thappenon AprilFoolsday. HardcodingthedateintotheConficker.Cvariantwasnotvery cleverandinfact,showsthateveninthevirusworldthosewhofailtostudyhistory aredoomedtorepeatit:hardcodingipaddressesofinfectioncodehadearlier providedsecurityresearcherswiththemeanstoblockcommunicationsbetween botsandc&cs. Atthispoint,theCWGfacedseveraluncertaintiesandchallenges.CWGmembers andothershadmadeseveralrepairandremovaltoolsavailable,butthegroupcould notenforceremediationordeterminehowmanyhostsinfectedbypriorconficker variantsremainedinfectedandhadbeenupgradedbytheconfickermalware writersfromtheoriginalavariant(andthuscouldbefurtherupgradedto Conficker.Considerableeffortstomakethepublicawareofthethreatwere underway,butthecwghadtoanticipatethatconficker.cwouldinfectadditional (new)hosts.thecwgfocusedcertainofitsmonitoringactivitiesondetermining whetheranyofthealgorithmicallygenerateddomainsduplicatednamesalready registeredinatldandothereffortstocontinuetoidentifythedomainnames ConfickergeneratedandmaketheseavailabletoTLDssothattheycouldbeblocked. ICANNsecuritystaffandICANNregionalliaisonscontactedthelistofCCTLD operatorsthatsecurityresearchershadidentifiedastargetsforconficker registrations,suppliedeachoperatorwithatailoredlistofnamesconficker 8
ConfickerSummaryandReview malwarewriterswouldattempttoregister,andadvisedthemtojoinsecurity mailinglistswherednsresponseissuesrelatedtotheconfickerwormsare discussed;however,certaincctldoperatorswouldnotblockthenamesonthelist withoutacourtorder.icannstaffalsocontactedthechairoftheccnsoandthe managersoftheregionalcctldgroups(centr,aptld,aftld,lactld)toassist incallingattentiontotheanticipatedevent. TheanticipatedApril1updateeventreceivedconsiderablepublicattention 16.The ConfickerWorkingGroup,complementednowbyanumberofCCTLDs,preparedfor theevent.icannsecuritystaffandconfickerworkinggroupmembersrecognized that100%awarenessortimelyparticipationacrosssuchalargenumberofregistry operatorswasdoubtful.cooperationamongthevariousregistriesoperators, althoughunlikelytofullystopconficker,wouldenabletheanti viruscommunity andthoseinvolvedtobettertrackandunderstandthespreadofthewormandthen tousethatinformationtohelpdisinfectsystems. By30March2009,securityresearchersinvolvedinTheHoneynetProjecthad sufficientlyanalyzedconficker.ctopositivelyidentifytheinfection 17.Detection signaturesweremadeavailableandquicklyincludedinfreeandfor feenetwork scanners(nmap,tenablesecurity snessus,mcafeefoundstoneenterprise,and Qualys).Giventhenumberofsystemsthatremainedinfectedandnotpatched, securityresearchersconcededthatthatnumberofsystemsstillinfectedwithearlier ConfickervariantsandstillnotpatchedtomitigatetheMS08 67wouldbeupdated on1april2009withtheconficker.evariantandthattheextentandsuccessofthe updatecouldnotbepredicted. TheintentoftheConficker.Evariantwastoremoveallbutthecoremalware functionalityandupgradecontactedhostswiththenewp2pcommunications ability.accordingtomicrosoftmalwareprotectioncenter 18,theConficker.Evariant executesaself terminationroutinewhenthedateismay32009.thewormdeletes itsmainexecutablecomponentonthisdate.howeverthedllpayloadcomponent (detectedasworm:win32/conficker.e.dll)remainstocontinueparticipatingin P2Pcommunicationamonginfectedpeers. On21September2009,SRIreleaseda ConfickerP2PProtocolandImplementationAnalysis 19.Inthereport,theauthors describethenewp2pscan baseddiscoverymethodconfickermalwarewriters wouldnowusetojoinaninfectedhostintotheconfickerp2pnetwork,themeans bywhichpeerssharemalwareexecutables,andmore. OngoingConfickerWorkingGroupActivity EffortscontinuetoblockregistrationofConfickerdomains.Trafficanalysisefforts havebeenhelpfulindevelopingabetterunderstandingofthedistributionofthe wormandintendedapplicationsoftheconfickerbotnet 20.Microsoftandsecurity vendorscontinuetostudymethodsfordetectionandremovalofknownvariants. 9
ConfickerSummaryandReview SecurityresearcherscontinuetopublishanddistributeConfickerscanners, signaturesforintrusionsystems,andgeneralinformation.effortstotargetoutreach toparticularlyinfestednetworkscontinue. TheConfickerinfectionrateremainshighforBandCvariantsbutdecliningforC/E. Remediationcontinuestoposechallenges.Securityresearcherscontinuetotrack Conficker.AnOctober2009snapshotbytheShadowserverFoundationestimates thenumberofsystemsinfectedwithconfickera/b/cvariantsatapproximately sevenmillion 21.TheConfickerWorkingGroupmaintainsvisualtimelineand chronologyofconfickerat[22]totrackhistorical,currentandfutureevents. ActivitiestodetectConfickervariantsandremediateConficker infectedhostswill undoubtedlycontinueforsometime.thisisinevitablegiventhemillionsofinfected computersandhistoricallymarginalsuccessinremediatingmalware.lessons learnedduringtheconfickercontainmentperiodarediscussedinalatersectionof thispaper.securityanddnscommunitiesareworkingtodeviselong termand sustainableapproachesfordealingwithnotonlyconfickerbutalsofuture,similar threats.these,too,arediscussedinalatersectionofthispaper. TheImportanceofRolesinConfickerWorkingGroup AlltheactionsrelatedtomitigatingtheConfickerwormwerenotdirectlynor entirelywithintheremitofanyindividualcwgparticipant.throughoutthe chronologyofconfickerevents,allthecollaboratingpartiesperformedrolesthat wereappropriatetotheirorganizations corecompetencies:malwareresearchers reverseengineeredthedropper/installer,trafficanalysisengineersidentifiedthe lociofinfestations,icannfacilitatedcommunicationsbetweenregistriesand partieswhocompiledthec&cdomainlists,andregistryoperatorsblocked registrationsofconfickerdomains.thecollaboratingpartiestriedtoadheretothe bestpracticesofpublicdisclosureofsecurityincidentsandeventsbymaintaininga lowprofile,protectingsensitiveinformation,andsharingonlyinformationthatthe adhocpartnershipagreedtoshare. SeveralCWGmemberspubliclyexpressedtheirsurpriseandgratitudeformember willingnesstoengageintheconfickercontainment 23.Manysecurityandregistry organizationshadnotencounteredcircumstancessuchasthoseconfickerposed andthusdidnothavecommunicationschannelsinplacetocoordinatecontainment efforts.cwgmembersindicatedthaticann sabilitytofacilitateandexpedite communicationswithtldregistriesacceleratedprocessesthatwouldunderother circumstanceshavechallengingifnotimpossibletoobtainduringthewindowsof opportunityconfickeraffordedthem.icannsecuritystaffandregionalliaisons initiallyfilledthisgapbyrelayinginformationgatheredbysecurityresearchersto TLDoperatorsandlaterbyintroducingcollaboratorsandprovidingdirectcontact information.registryoperatorsblockedconfickerdomainsandadvisedicann 10
ConfickerSummaryandReview counselandseniormanagementofthemeasurestheytooktopreventthe registrationofauto generateddomainsbytheconfickermiscreants.theseadhoc methodsprovidedsomeinsightintohowcertainformalconstructsmightprove beneficialinfutureresponseefforts. ConfickerToday InfectiontrackingbytheCWGshowsthatConficker.Cpopulationshavediminished overthepastyearbutthatnumberofcomputersinfectedconfickera+bisstilllarge (graphscourtesyofconfickerworkinggroup 24 ). Overthepastyear,theShadowserverFoundationhastrackedtheConficker populations(a+b,c,andaggregate),whichremaininthemillions. 11
ConfickerSummaryandReview LessonsLearned Severallessonsmaybelearnedfromthechronologyandeventsrelatedto containingtheconfickerworm.perhapsthemostpositivelessonlearnedisthat DNS,security,andlawenforcementcancollaboratewhenanincidentofglobal proportionisidentified.apositiveresultfromtheadhocresponsewasthatthe participantsdisruptedthebotnetcommunicationsandthusprevented opportunitiestoputthebotnettomisuse.thecontainment,however,was temporary,andtheconfickermalwarewriterscounteredbymakingthe containmentmeasureincreasinglydifficulttocoordinateandsustain. TheConfickercollaborativeresponsesreliedlargelyonvolunteereffortsand goodwill,informalcommunicationschannels,interventionaloperationalpractices, informalagreements,andassumptionsthatresponsewouldbeuniformand unilateral.eachofthesedependenciesexposedcertainweaknesses: Adhoccollaborativeresponsemaynotbescalableorsustainable.Intheabsenceof (complementary)formalstructuresorcommitments,certainproblemsthat encumberedorconfoundedtheconfickerresponsewillpersist.theconficker responsewasahighlydistributedeffortthatleveragedmanyvolunteersaswellas fulltimestaffacrossmultipleorganizationstogetthejobdone.weneedtoconsider thefactthatwecannotrelyonhavingsufficientresourcesofthecaliberthatwere engagedforconfickertobeavailableatamoment snoticeasarealthreat.aswe studythreatstothedns,weneedtoalsoconsiderthatwehavenotyetencountered asituationwhereresourcesmightbeneededformultiple,simultaneousincidents involvingtheglobaldns. 12
ConfickerSummaryandReview Likeothermalwarewriters,worm/botnetwriterswilladapttocountermeasures deployedtodetectorcontainthem.however,westillseeevidencethatwhilebotnet writershaveadaptedtothecontainment,theystillappeartopreferdnstohardencodedipaddressesandstillusesecondlevellabelsacrossmultipletlds.the DNSislikelytocontinuetobepartofmalwarewritertoolkits.Itisthusappropriate toconsiderwaystobuildonthesuccessfulelementsofthisincidentresponseand improvethoseaspectsthatwerenotsosuccessful. Informalcommunicationsmaynotbesufficientforallglobalincidentresponseefforts, especiallyinsituationswherethereiszerotoleranceforerrororomission.conficker demandedconstantattentionfromresponders.confickervariantsgeneratednew domainlistsdaily.securityresearchersmonitoredtrafficandanalyzedcode samplescontinuouslyinanticipationofnewvariants.duringthemonthsofeffortto containconficker,communicationsamongresponderscouldbecharacterizedas havingspikes,lags,anddormantperiodswheresomepartieswereunableto respondorunresponsive.incertaincases,contactinformationavailabletoparties wasnotaccurate,orwasnotsufficienttoreachapartywithauthoritytoacton behalfofthecontactedorganization.inothercases,icannstaffdeterminedthat someregistrycontactinformationmaintainedbyianawasnotaccurateorwasnot thecontactataregistrywithauthoritytoparticipateinincidentresponse.formal channelswithagreed uponormandatoryexchangesandexchangefrequencies shouldbeconsideredforfutureresponseefforts. Maintainingconsistency,completenessandaccuracyofinformationduringthecourse ofalongincidentresponseeffortischallenging.duringtheconfickerresponse, partiesinitiallyusedavailableratherthanformalcommunicationschannels(e.g., securitymaillists,teleconferences,privateemail,etc.)andreliedoncontact informationathandorpassedhandtohand.theconfickerworkinggroup establishedcommunicationschannelsasthecontainmenteffortgrew,butsensitive informationwasnotconsistentlyclassified,encryptedorsigned.thenatureand levelofdetailcommunicatedamongtheparticipantswasunintentionallybut predictablynotuniform.theadhocnatureofthesecommunicationsalsoresultedin differentpartiesreceivinginformationatdifferenttimes,whichmadeitdifficultto maintainbroadsituationalawareness.noindividualororganizationperformed formalactiontrackingorauditing,andthuschroniclingtheincidentresponsefor post incidentreviewandanalysishasbeendifficult.inparticular,informationthat ispotentiallyvaluableinimprovingresponsetofutureglobalincidentsmaybelost orasyetundisclosed. Scalingtrustishard.Volunteereffortsrelyonpersonalwebsoftrust.Most participantsintheconfickerresponseknewsomeorseveralotherparticipantsbut itisunlikelythatanyonekneweveryoneandunlikelierstillthatanyonecould produceanaccurateaccountingofallpartiestoallinformationsharingduringthe courseofthecontainmenteffort. 13
ConfickerSummaryandReview Operationalprocessesthatrelyonblocklistsataregistrylevelarenotscalable.The mostobviousreasonisthatpreemptiveblockingscalespoorly:inresponsetothe blockingefforts,conficker swritersincreasedthenumbersofalgorithmically generateddomainsandthenumbersoftlds.theoperationalburdentoblock domainsincreasesinseveralways;forexample,distributionofnamesacrosslarger numbersoftlds,removalofthenamesfromavailablepoolscanbecomeexpensive, non compensatedcostsforregistryoperators.registriesalsofiltereddomainsto assurethatall collisions betweenconficker sdgadomainsanddomainsthatare alreadyregisteredintldswerenotadverselyaffected. CertainactivitiesrelatedtoincidentresponseraisecontractualissuesforICANN, registries,andregistrars.inthecaseofconficker,icannandgtldregistrieswere abletoresolvemattersrelatingtodomainfeesquickly.thecommunitycannotrely onallcontractualmatterstobesoeasilyhandledforallfutureincidents.regarding theeasebywhichconficker relatedcontractualmatterswereresolve,onesecurity expertobserved(anonymously)that, inthefirstexampleofbreakingtherules, you regivensomeleeway.thesecondtime,thestakesarehigher,andyouhaveto bewarethatasinglemistakewillbedisproportionatelyhighlighted. Certaincountermeasuresorpreemptiveactionscannotbeimplementedunilaterallyby alltldoperators.someregistryoperatorsrequirecourtordersbeforetheytakea particularactioninresponsetoaglobalincident.inascenariolikeconficker,where listsofmaliciousdomainsaregenerateddaily,evenaonedaydelaytoprocessa courtordercaninhibittheresponse. Weshouldrefrainfromconcludingfromtheselessonslearnedthatformal structuresmustreplacevoluntaryones.forexample,establishingformalstructures doesnotaddresstheissuethatsometldswillnotbewillingtoparticipateorto continuetoparticipateincertainkindsofresponseindefinitely.relyingentirelyon formalstructuresmayexcludeparticipationbycertainindividualsforarangeof political,legal,orpersonalreasons.rather,weshouldbearinmindthatresponses withinadequateresourceswillbemorepronetoerrororomissionthanthosegiven adequateresources.effectiveresponsewillinevitablyandultimatelydependupon thesupportandparticipationofrelevantstakeholders,notablythosewhohave delegatedresponsibilityforthevariousassetsinvolved.inotherwords,while certainformalstructurescancomplementandrenderadhocresponsesmore effective,bothmaybenecessarytodealwithfutureeventsoftheconfickerkind. WayForward BaseonthelessonslearnedfromthecollaborativeresponsetoConficker,one elementofawayforwardistoformalizerelationshipsamongpartiesthatbecome involvedwhensecurityeventsofaglobalnatureoccur.icann(theentityand community)hasestablishedcertainformalrelationshipsandstructuresandis workinginconcertwithotherorganizationsonothers. 14
ConfickerSummaryandReview WithinthespecificcontextofglobalsecurityeventsinvolvingabuseoftheDNSand domainregistrationservices,andusingconfickerasalearningexperience,icann andthegtldregistrieshavedevelopedanexpeditedregistrysecurityrequest Process(ERSR) 25.Throughthisprocess,gTLDregistriescannowinformICANNofa presentorimminentsecuritythreatagainsttheregistryorthednsinfrastructure andrequestacontractualwaiverforactionstheregistrymighttakeorhastakento mitigateoreliminatethethreat.thecontractualwaiverwouldprovideexemption fromcompliancewithaspecificprovisionoftheregistryagreementforthetime periodnecessarytorespondtothethreat.theersrallowsaregistrytomaintain operationalsecurityduringanincidentwhilekeepingrelevantparties(e.g.,icann, otheraffectedproviders,etc.)informedasappropriate. TheERSRisintendedtohelpregistriesdealwithmaliciousactivityinvolvingthe DNSofscaleandseveritythatthreatenssystematicsecurity,stabilityandresiliency ofatldorthedns.itcanalsobeusedincircumstanceswherearegistrydiscovers unauthorizeddisclosure,alteration,insertionordestructionofregistrydata.the ERSRwouldalsobeanappropriateprocessforaneventwiththepotentialtocause atemporaryorlong termfailureofoneormoreofthecriticalfunctionsofagtld registryasdefinedinicann sgtldregistrycontinuityplan 26. Today,manyorganizationssupportavarietyofactivitiesthatareintendedto improveinternetsecurityawarenessandrespondtosecurityincidents.icann securitystaffhasstudiedincidentandemergencyresponseatnationaland internationallevelstounderstandhowtheseactivitiesmightbecoordinated, especiallyincircumstanceswherethednsiscentraltoglobalincidentsorwhere eventsthreatenthesecurity,stability,orresiliencyofdomainnameserviceata globallevel.withtheassistanceoftheseorganizations,icannhasdevelopedan operationalconceptplanandbusinesscaseforadns CERT 27. Asproposedintheconceptplan,theDNS CERTwouldactasasecuritycoordination centertoassistdnsoperatorsandsupportingorganizationsbyproviding information,expertiseorresourcestorespondtothreatstothesecurity,stability andresiliencyofthednsefficientlyandinatimelymanner.again,asproposed,the centralpurposesofthedns CERTwouldbetomaintainsituationalawareness, facilitateinformationsharing,improvecoordinationwithinthednsoperational community,andimprovecoordinationwiththebroadersecurityandotheraffected communities. Inadditiontotheseprograms,ICANN ssecurityteamisstudyinghowtoimprove andmaintainaccuratecontactinformationincooperationwiththesecurity communityandregistryoperators.staffwillalsostudywaystoimproveand formalizemonitoringresponsestoglobalincidentswhiletheyareinprogress(e.g., auditingandtracking),methodstochronicleincidentresponses,andwaysto coordinatepost incidentreviewandassessment.thesemaybeincorporatedinto thedns CERTprogramasitevolves,ortheyformbethebasesforotherinitiatives 15
ConfickerSummaryandReview instigatedbyotherorganizations.icannwillconsiderwhatifanyroleitshould performuponreviewoftheinitiatives. ConcludingRemarks Incertainrespects,thecollaborativeresponsetoConfickerwasasinglevolleyin whatisarguablyanearlybattleofalongcampaign.icannandothermembersof thecwgwillcontinuetoassistinremediationeffortsrelatedtotheconfickerworm. Individualorganizationswillnodoubtusetheirexperiencestohelpdefinerolesin futureglobalincidents.thednsandinternetsecuritycommunitiesmustalso considerhowtheytogethermightestablishmoreformalcollaborativeresponseto futureoccurrencesofconfickerandotherthreatstothednssecurity,stabilityand resiliencyofsimilarnatureandscale. 16
ConfickerSummaryandReview Appendix A. Table of Conficker Variants Variant & date Conficker.A 2008-11-21 Conficker.B 2008-12-29 SRI Conficker.C a.k.a. Conficker.D 2009-02-20 Conficker.E 2009-04-01 Bot Evolution Infects via MS08-67, anonymous shares Resets system restore point, disables security services HTTP callback to download files Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media Reset system restore point Disables security software and security updates via DNS filtering Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media Disables security software and security updates via DNS filtering Changes bot from HTTP C&C to P2P Sets 1 April 2009 as activation date for new DGA Initial exploit uses MS08-67 Only installs if prior Conficker variants present Disables security software and security updates via DNS filtering Resets system restore point Updates to pure P2P network Self-terminates on 3 May 2009: remove all Conficker executables except DLL DNS/Domain Abuse 250 pseudo-randomly generated domains registered in 5 TLDs 250 pseudo-randomly generated domains registered in 8 TLDs Tens of thousands of pseudo-randomly generated domains registered in 100+ TLDs 17
ConfickerSummaryandReview Citations 1Code Red (Computer Worm), http://en.wikipedia.org/wiki/code_red 2 Blaster worm, http://en.wikipedia.org/wiki/blaster_worm 3 Sasser (Computer Worm), http://en.wikipedia.org/wiki/sasser_worm 4SQLSlammer,http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm) 5 Know Your Enemy: Containing Conficker, http://www.honeynet.org/papers/conficker 6ContainingConficker,http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/ 7TheDifferenceBetweenaComputerVirus,WormandTrojanHorse, http://www.webopedia.com/didyouknow/internet/2004/virus.asp 8 What is a Blended Threat? http://www.securityskeptic.com/blendedthreat.htm 9 Microsoft Security Bulletin MS08-067 - Critical, 23 October 2008, http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx 10HowtoRestoreWindowsXPtoapreviousstate, http://support.microsoft.com/kb/306084 11DisconnectingfromtheSrizbiBotnet, http://www.fireeye.com/securitycenter/srizbi_notify.html 12Microsoft Collaborates With Industry to Disrupt Conficker Worm, http://www.icann.org/en/announcements/announcement 2 12feb09 en.htm 13MS puts up $250K bounty for Conficker author, http://www.theregister.co.uk/2009/02/12/conficker_reward/ 14ConfickerCabal,http://www.confickercabal.com/ 15 Analysis of Conficker.C, http://mtc.sri.com/conficker/addendumc/ 16 Alert: April 1 "Conficker" Computer Worm, http://www.cbsnews.com/stories/2009/03/26/tech/cnettechnews/main4894856.shtml 17Conficker Researchers Counter April 1 Update With Detection Scan, http://www.crn.com/security/216401818 18MicrosoftMalwareProtectionCenter Win32/Conficker.E, http://www.microsoft.com/security/portal/entry.aspx?name=worm:win32/conficker.e 19ConfickerP2PProtocolandImplementationAnalysishttp://mtc.sri.com/Conficker/P2P/ 20ConfickerInfectionDistribution, http://www.confickerworkinggroup.org/wiki/pmwiki.php/any/infectiondistribution 21ShadowserverFoundationConfickerstatisticspage, http://www.shadowserver.org/wiki/pmwiki.php/stats/conficker 22ConfickerTimeline,http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/Timeline 23ShadowserverFoundationAnnouncesNewEffortToCombatConficker https://infosecurity.us/?p=6238 24ConfickerWorkingGroupInfectionTracking http://www.confickerworkinggroup.org/wiki/pmwiki.php/any/infectiontracking 25ExpeditedRegistrySecurityRequestProcess, http://icann.org/en/registries/ersr/ 26gTLDRegistryContinuityPlan,http://icann.org/en/registries/continuity/gtld registrycontinuity plan 25apr09 en.pdf 27GlobalDNS CERTBusinessCase, http://www.icann.org/en/topics/ssr/dns cert business case 10feb10 en.pdf 18