Close
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Cybersecurity
  • Big Data and Analytics
  • Cloud
  • Mobile
  • Networking
  • Storage
  • Applications
  • IT Management
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Applications
    • Applications
    • Cybersecurity
    • IT Management
    • Networking
    • Servers

    Conficker: What It Is, How to Stop It and Why You May Already Be Protected

    By
    Jason Brooks
    -
    March 31, 2009
    Share
    Facebook
    Twitter
    Linkedin

      Conficker is a work of malware that, in the form of multiple variants, has been worming its way through unpatched Windows desktop and server machines for the past four months.

      Conficker has garnered mainstream attention of late due to an April 1 trigger that researchers have identified in the most recent variant of the worm. On this date, it appears that Conficker-infected machines will change the way that they “phone home” to fetch new code and instructions from whoever holds the worm’s reins.

      In October 2008 Microsoft released a fix for the vulnerability that Conficker exploits, in a patch that Microsoft deemed critical enough to release outside of its typical Patch Tuesday schedule. Still, enough Windows machines have remained unpatched for Conficker to spread to what security researchers estimate to be millions of machines.

      Presumably, the goal of Conficker’s controllers involves the creation of a botnet that would carry out illegal machine-based activities by proxy, but there’s no telling exactly what the worm’s makers have in mind.

      The prescription for Conficker prevention is prompt system patching (particularly when Microsoft singles out a fix for out-of-band distribution), combined with client firewall and anti-virus software for blocking the worm’s activities and detecting and eliminating the malware where it surfaces.

      In addition, members of the security community have prepared a set of freely available tools to aid in Conficker detection and removal for infected systems on your network.

      More broadly, Conficker calls attention to the problems inherent in deploying client systems that offer up network-facing services to anonymous nodes, and highlights the importance of watching more closely the privileges granted to the system-level applications that run on mainstream operating systems.

      Moreover, because Windows Vista and Windows Server 2008 machines have proved to be significantly less vulnerable to Conficker than systems running Windows 2000, XP and Server 2003, the worm also highlights the very real consequences of stepping off the so-called operating system upgrade treadmill. For all its hardware refresh requirements, potentially unwanted feature adjustments and software incompatibility wrinkles, Vista includes security enhancements that blunted the effect of Conficker on unpatched systems.

      It’s up to companies to consider whether to interpret all of this as a call to approach Windows upgrades-and their associated costs-with greater alacrity, or to step up evaluation of OS alternatives, such as Linux, with less upgrade friction and a better defined road map around trusted OS technologies.

      How Does Conficker Work?

      Conficker’s primary means of propagation involves exploiting a buffer overflow vulnerability in Windows’ Server system service, which is responsible for, among other things, enabling the sharing of local resources, such as disks and printers, with other machines on a network.

      Conficker exploits this vulnerability to execute code on Windows systems, without requiring a system’s user to open any file or visit any particular Web site-and without regard to whether a user is running with administrative or limited privileges.

      Windows 2000, XP and Server 2003 are particularly vulnerable to Conficker because the affected Server service on these systems is configured to permit access from anonymous users. In October 2008, Microsoft provided information on removing the ACL (access control list) entry that permits this anonymous access, but since the ACL involved is hard-coded into the Windows DLL, this access modification would have had to be made after every boot.

      With Windows Vista, Windows Server 2008 and the development builds of Windows 7, the vulnerable service limits access to authenticated users by default, but enabling the no-password file-sharing option on these systems would restore anonymous access-and vulnerability to Conficker.

      Unpatched Windows XP SP2, Vista and Server 2008 machines shipped out of the box with Windows’ firewall enabled to block the vulnerable RPC (remote procedure call) interface, but the common firewall exception that enables file and print sharing opened the door to Conficker. Even with a firewall exception, however, Vista and Server 2008 machines would allow access to the vulnerable service only from other machines in the same network zone. For instance, sharing a resource on a private network would not permit access to Conficker-infected nodes.

      Firewall and service authentication requirements aside, Windows Vista and Server 2008 worked to mitigate Conficker infection with Address Space Layout Randomization, which, combined with the Data Execution Protection functionality introduced in XP SP2, makes it significantly more difficult to exploit buffer overflow vulnerabilities such as the one targeted by Conficker.

      Conficker: What Now?

      What Now?

      Beyond the RPC vulnerability that got Conficker cooking, later variants of the worm added the capability to propagate through network shares and over infected USB memory sticks by taking advantage of Windows’ Autorun functionality. Also, once Conficker has successfully rooted itself on a machine in your network, the malware will attempt to spread to other machines on the network by launching a dictionary-based attack to guess log-ins and passwords.

      As a result, even assuming that you’ve long ago applied the Microsoft patches to block the Windows service vulnerability, it’s important to keep watch for Conficker on your network.

      Most security suites are prepared to detect and remove instances of the worm, but it’s also worth checking out the set of six Conficker containment tools prepared by Felix Leder and Tillmann Werner of the Honeynet Project and available for free download at the Website of the University of Bonn.

      The tools include a utility for calculating the list of domains that Conficker generates for fetching further code and instructions from its controllers; a memory disinfector that terminates running Conficker processes on an infected system; and a utility for calculating the file names and registry keys under which Conficker hides itself on a particular system.

      Also available is a simple Python-based network scanner capable of detecting Conficker machines on a network. The scanner accepts as input either a range of IP addresses or a text file of addresses to scan, and returns a status of “clean,” infected” or “blocked” for systems it manages to reach on the network.

      Interestingly, the tool set also includes a Conficker vaccination tool that runs as a service on Windows systems and, if contacted by the worm, reports its status as up-to-date. This tool, while perhaps not appropriate for production use, is certainly an interesting take on approaching the Conficker conflict.

      Avatar
      Jason Brooks
      As Editor in Chief of eWEEK Labs, Jason Brooks manages the Labs team and is responsible for eWEEK's print edition. Brooks joined eWEEK in 1999, and has covered wireless networking, office productivity suites, mobile devices, Windows, virtualization, and desktops and notebooks. Jason's coverage is currently focused on Linux and Unix operating systems, open-source software and licensing, cloud computing and Software as a Service. Follow Jason on Twitter at jasonbrooks, or reach him by email at [email protected]

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more
      eWeek


      Contact Us | About | Sitemap

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Property of TechnologyAdvice.
      Terms of Service | Privacy Notice | Advertise | California - Do Not Sell My Information

      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×