ConfickerSummaryandReview

1

ConfickerSummaryandReviewDavePiscitello,ICANNSeniorSecurityTechnologist 7May2010

AbstractThisreportprovidesachronologyofeventsrelatedtothecontainmentoftheConfickerworm.Itprovidesanintroductionandbriefdescriptionofthewormanditsevolution,butitsprimaryfocusistopiecetogetherthepost‐discoveryand‐analysisevents,describethecontainmentmeasureschronologically,anddescribethecollaborativeefforttocontainthespreadoftheworm.TheauthorcaptureslessonslearnedduringacontainmentperiodspanningnearlyayearanddescribesrecentactivitiesthatattempttoapplythelessonslearnedsothatthesecurityandDNScommunitiescanbebetterpreparedforfutureattacksthatexploittheglobalDNS.Thisreportrepresentstheworkoftheauthor,onbehalfoftheICANNSecurityTeam.Theauthorisresponsibleforerrorsoromissions.WhilemembersoftheConfickerWorkingGroup,ICANNSSAC,individualsecurityresearchers,andcertainICANNregistrieswereinvitedtocommentorreviewthereport,noneoftheseorganizationswereaskedtoformallyendorsethisworkproduct.

IntroductionTheConfickerwormfirstappearedinOctober2008andquicklyearnedasmuchnotorietyasCodeRed1,Blaster2,Sasser3andSQLSlammer4.Theinfectionisfoundinbothhomeandbusinessnetworks,includinglargemulti‐nationalenterprisenetworks.AttemptstoestimatethepopulationsofConfickerinfectedhostsatanygiventimehavevariedwidely,butallestimatesexceedmillionsofpersonalcomputers.TheoperationalresponsetoConfickerisperhapsaslandmarkaneventasthewormitself.Internetsecurityresearchers,operatingsystemandantivirussoftwarevendorsdiscoveredtheworminlate2008.ThesepartiesaswellaslawenforcementformedanadhoceffortwithICANN,TopLevelDomain(TLD)registriesandregistrarsaroundtheworldtocontainthethreatbypreventingConfickermalwarewritersfromusingtensofthousandsofdomainnamesalgorithmically‐generateddailybytheConfickerinfection.ConfickermalwarewritersmadeuseofdomainnamesratherthanIPaddressestomaketheirattacknetworksresilientagainstdetectionandtakedown.Initialcountermeasures–sinkholingorpreemptiveregistrationsofdomainsusedtoidentifyConficker’scommandandcontrol(C&C)hosts–preventedthemalwarewritersfromcommunicatingwithConficker‐infectedsystemsandthus,presumably

ConfickerSummaryandReview

2

preventedthewritersfrominstructingthebottedhoststoconductattacksortoreceiveupdates.TheConfickermalwarewritersrespondedtothismeasurebyintroducingvariantstotheoriginalinfectionthatincreasedthenumberofalgorithmicallygenerateddomainnamesanddistributedthenamesmorewidelyacrossTLDs.Torespondtothisescalation,partiesinvolvedincontainingConfickercontactedmorethan100TLDsaroundtheworldtoparticipateinthecontainmenteffort.Thecombinedeffortsofallpartiesinvolvedinthecollaborativeresponseshouldbemeasuredbymorecriteriathanmitigationalone.Thecontainmentmeasuresdidnoteradicatethewormordismantlethebotnetentirely.Still,thecoordinatedoperationalresponsemeritsattentionbecausethemeasuresdisruptedbotnetcommandandcontrolcommunicationsandcausedConfickermalwarewriterstochangetheirbehavior.ThecollaborativeeffortalsodemonstratedthatsecuritycommunitiesarewillingandabletojoinforcesinresponsetoincidentsthatthreatenthesecurityandstabilityoftheDNSanddomainregistrationsystemsonaglobalscale.

ConfickerSummaryandReview

3

ConfickerBackgroundThissectiondrawsheavilyfromanexcellentpaperontheConfickerwormpublishedattheHoneynetProjectbyauthorsFelixLederandTillmannWerner5.ThedescriptionherelargelytracksanddistinguishesamongConfickervariantswhenchangesaffectedtheworm’suseoftheDNS.Itdiscussesthewormingeneralterms.ThoseinterestedinaverytechnicalanalysisofConficker’sinfection–armoringandupdateprocesses,variantsofthedomainnamegenerationalgorithms,signaturesthatcanbeusedbyintrusiondetectionsystemstodetectConficker,anddisinfectionissues–areencouragedtoreadthefullpaper.LederandTillmannhavealsoproducedashortvideoonthestructureofConfickerandmaintainalistofdisinfectantsandscannersattheContainingConfickerwebpage6.ListsofdomainnamesgeneratedbyConfickervariantsmaybeofparticularinteresttothedomainnamecommunityandcanbeobtainedthereaswell.AnothersourceforthissummaryisanSRITechnicalReportbyPhillipPorras,HassenSaidi,andVinodYegneswaran,whichanalyzestheConfickerpackage,processing,andprotocolinconsiderabledetail.Confickeriscalledawormbecausethefirstdiscoveredvariantattachedtoaprogram(executable),wasself‐replicating,and(importantly)usedanetworkasthedeliverymechanism.Thiscombinationofcharacteristicsdistinguisheswormsfromviruses7.Confickerisactuallyablendedthreat8becauseitcanbedeliveredvianetworkfileshares,mappeddrivesandremovablemediaaswell.TheConfickerinfectionisatypeofsoftwarecalledaDynamicLinkLibrary(DLL).ADLLcannotexecutealonebutmustbeloadedbyorintoarunningapplication.TheConfickerDLLlauncheswithrundllonWindows,whichletsitrunasastandaloneprocess.AConfickerinstallerloadsitsDLLintoaWindowsapplicationbyexploitingtheMS08‐067vulnerabilityintheWindowsOperatingSystem9.ThisvulnerabilityallowsConfickermalwarewriterstousewhatiscalledabufferoverflowto“inject”codeintotheWindowsServerService.Abufferoverflowisamethodofexploitingsoftwareprogrammingthatfailstocheckboundariesbeforewritinginformationintomemory.Theattackerdiscoversthataprogramisvulnerabletoabufferoverflowbyattemptingtowritemoreinformationintomemorythantheprogrammerhadallocatedtostoreinformation.Specifically,theattackerseekstowriteinformationintomemorythatisadjacenttothememoryheoverruns.Thisadjacentmemorymaycontaindataoritmaycontainexecutablecode;ineithercase,theattackedapplicationwillnotoperateasanticipatedwhenitencountersthemaliciouscodetheattackerinjected.InthecaseofConficker,theattackerinjectedexecutablecodethatgivestheattackerremotecontrolovertheinfectedcomputerandinparticular,remotecodeexecutionprivileges.Usingtheinjectedcode,theattackercanaddorchangecodetomaketheinfectedhostcomputerdowhateveritchooses.

ConfickerSummaryandReview

4

Topreventdetection,certainwormsembedthemselvesinabenignmannerontheinfectedcomputer,i.e.,intoaprogramorsoftwarethatisexpectedtorunonacomputerrunningtheWindowsoperatingsystem.Thewormthenattemptstodisablesoftwarethatcoulddetectorremovetheinfection.ConfickervariantsdisableWindowsAutomaticUpdate,WindowsSecurityCenter,WindowsDefenderandWindowsErrorReporting.LatervariantsalsousedDNSfilteringtoblockantimalwareprogramsfromobtainingupdates(e.g.,virussignaturesthatwouldallowtheresidentAVsoftwaretodetectandremoveConfickerrelatedmalware).ConfickermalwarealsoresetstheWindowsSystemRestorepoint10,whichcontainsinformationthatcouldbeusedtoremoveConfickermalwarebyrestoringtheinfectedcomputer’sfilesystemandregistrytoversionssavedpriortotheinfection.EarlyvariantsoftheConfickermalwareenlistedaninfectedmachineintoaConfickerbotnet.Onceenlisted,themalwarerunningoninfectedcomputersusesadomaingenerationalgorithm(DGA)tocreateadailylistofdomainnames.TheConfickermalwarewritersusedthesamealgorithmtogenerateanidenticallist.ThewritersthenregisteredasmallnumberofthesedomainsandsetupnameresolutionservicefortheselectedsubsetofdomainssothatthedomainnamesassignedtoInternetrendezvouslogicpointsicanberesolvedtoIPaddressesbyDNSresolvers.TheConfickermalwarewritersdidnotappeartousethegenerateddomainnamesroutinely,presumablybecausetheydeterminedthenameshadbeenblocked.Alatervariantshiftedthebotnetfromemployingrendezvouslogicpointstoapeer‐to‐peernetwork.Malwareoperatingoninfectedhostsdiscoverotherbotsbydetectingattacksfromanotherinfectedhosts,confirmingthecodetheattackinghostsattempttoinjectisthesameasitsowncode,andconnectingbacktotheattackerusingHTTPsothathostswithmatchedinfectionscansharefilesdirectly.TheConficker‐infectedcomputersattempttoconnecttoHTTPserversoperatingonrendezvouslogicpointsbycontactingdomainsfromthedaily‐generatedlistofdomainnames.IftheyareabletoresolveadomainnameandconnecttoanHTTPserver,thebottedmachinesareabletoreceiveadditionalmalwareorinstructionstoperformcertainactionsusingalready‐presentexecutables.Thewormusesstrongcryptographictechniques(RSAandMD6)tocontrolwhatcodecanbeloadedontoaninfectedbox.Allcode"loads"mustbecorrectlysignedortheywillberejected.Presumably,onlytheConfickermalwarewriterhastheprivatesigningkeyforupdates.Insomecases,theConfickerbotwillbetoldtotryvariousmeansofinfectingotherhosts(e.g.,throughanonymousnetworkshares).Inothercases,theConfickerbotscanbecomeanarmythatcanbedirectedatwillbyrendezvouspointstosupportawiderangeofmaliciousorcriminalactivities.Botnetsareextremelydifficulttodismantle.Botnetscanremainoperational–andwillcontinuetoserveasplatformsfornumerousattacks­foraslongasthebottediArendezvouslogicpointisaserverthatisfunctionallysimilartoacommandandcontrol(C&C)server.

ConfickerSummaryandReview

5

computersremaininfectedandaslongasthebotscanremotelycommunicatewiththerendezvouspoint(s).Thefollowingsectionoffersachronologyofeventsthatdescribehowthesecurity,intelligenceandDNScommunitieswereabletodisruptcommunicationsbetweenConfickerinfectedhostsandrendezvouslogicpoints.

OriginandEvolutionoftheConfickerWorkingGroupPriortotheformationoftheConfickerWorkingGroup,operatingsystemandsecuritysoftwarevendors(Microsoft,Symantec,F‐Secure),othersecurityresearchorganizations(ShadowserverFoundation,TeamCYMRU)andtheintelligencecommunity(USFederalBureauofInvestigation,USSecretServiceandtheUSDepartmentofDefense)hadmonitoredandanalyzedConfickerandhadcooperatedtocontainthethreat.F‐Securehadbegun“spot”sinkholingiidomainnamesthatConfickerbotswereattemptingtocontacttoestimatethesizeofthebotnet.SeveraloperatorsoftheTopLevelDomainsinwhichConfickermalwarewriterswereregisteringdomains(VeriSign,Afilias,NeuStar,PIR,andWS)werealreadyinvolvedatthispoint,andICANNstaffassistedthesecurityresearchersincontactingCNNICtoadvisethemofthethreatandaskfortheirparticipationinthecontainmenteffort.TosupporteffortstomonitorConfickertraffic,analyzetheinfection,identifyinfectedhostsandestimatethesizeofthebotnet,SupportIntelligencewasregistering500domainnamesidentifiedasConfickeralgorithmicallygenerateddomainsperdayacrossasmallnumberoftopleveldomains,throughanICANNaccreditedregistrar,Alice’sRegistry,Inc.Aspartofthepreemptiveregistrationaction,SupportIntelligenceconfigurednameserverstoresolvetoIPaddressesofsinkholinghostsunderthecontrolofsecurityresearchersandmalwareanalysts.PreemptivedomainregistrationshadpreviouslybeenappliedwithsomesuccessbyFireEyeMalwareDetectionLabstothwarttheSrizbibotnetinearlyNovember11andsecurityresearcherswerehopingforsimilarsuccessbyapplyingthesametechnique.InthecaseofConficker,preemptiveregistrationwastoservetwopurposes:preventConfickerinfectedhostsfromcommunicatingwithC&CanddirecttraffictosinkholehostswheretheConfickerbottrafficcouldbefurthermonitoredandanalyzed.On28January2009,asecurityresearcheratSupportIntelligencecontactedICANNstaffregardingtheConfickerthreat.SupportIntelligence’sblockingactivitieswereself‐fundedandtheorganizationwasseekingsupportfromICANNtoobtainfinancialrelieforreimbursementfromregistriesforthedomainsithadandwascontinuingtoregister.iiThe“verb”sinkholereferstoanactivitywheretrafficsuspectedtobeassociatedwithabotnetisredirectedtoacomputer(s)operatedbysecurityresearchersorlawenforcementforobservationortodivertanattackawayfromanintendedtarget.

ConfickerSummaryandReview

6

DiscussionsrelatingtheongoingConfickerresponseactivitiesappearedonseveralsecuritylistsinparallelwiththeseactivities,whichincreasedawarenessoftheglobalnatureandscaleofthethreat.Forexample,personnelatregistryoperatorAfiliaswerediscussingConfickermonitoring,blocking,andfundingissueswithseveralrelevantpartiespriortoSupportIntelligencecontactingICANN.CERT‐CCstaffhadcontactedstaffatdomainnameregistryoperatorNeuStartoaskwhetherNeustarmightarrangeforsomeassistancefromtheBIZregistrytohelpcontainConficker.On31January2009,NeustarreceivedbriefingsdescribingSupportIntelligence’spreemptiveregistrationinitiativefromMicrosoftstaffandothersecurityresearchersviaprivatecorrespondence.Combined,thesedialogswereessentialinengagingresourcestocontainConficker,buttheywerelooselycoordinatedinthesensethatnotallpartieswerekeptinformedatalltimes,informationsharedwasnotuniform,andthatdisseminationofinformationreliedheavilyonindividualwebsoftrust.Bythistime,severalorganizations(Symantec/Kaspersky,eNom)hadbeguncontributingfundstoassistwithpaymentofthefeesSupportIntelligencewasincurringtocontainConficker.ThisfinancialaidhelpedpayfororrecoverregistrationfeestoCCTLDs.Recognizingthatthecurrentmethodofpreemptiveregistrationwas“fundamentallyunsustainable”evenwithMicrosoft’scontributionsandthattheoperationalresponseimposedanunreasonableandprecariousburdenonasingleindividual,NeustarcontactedICANN’sChiefInternetSecurityAdvisorandthechairmanofICANN’sSecurityandStabilityAdvisoryCommittee(SSAC).On3February2009,whileattendinganICANNDNSSSRretreat,severalpartiesalreadyinvolvedinthecontainmenteffortmetinAtlantatoconductabriefingforseniormanagementfromICANNandgTLDregistries.Participatingwere:

• ICANNseniormanagement,generalcounsel,andsecuritystaff,• Lawenforcement(FBI/NCFTA),• Securityresearchers(Microsoft,SupportIntelligence,ISC),and• GTLDregistryoperators(VeriSign,Afilias,NeuStar)

ParticipantsreviewedhowConfickerhadbeenhandledtodate(seeabove),anddiscussedhowtosustaintheeffortthroughFebruaryandMarchandhowtomanagepublicdisclosure.Theoperatorsoftheaffectedregistries–initially,BIZ,COM,INFO,NET,andORG–volunteeredtheirparticipationandsetaboutblockingdomainnames.TheparticipantsdiscussedwaysthatICANNmightassistinthepreemptiveregistrationeffort.ICANN’ssecuritystaffagreedtocoordinatepreemptiveregistrationswithCCTLDsandtofacilitateongoingcommunicationsamongtheparticipants.ICANNseniormanagementandgeneralcounselagreedtoconsiderdeclaringtheConfickerresponsetobeaspecialcircumstance(exceptioncase)andtomanagecontractualwaiveraspectsoftheresponsesothattheGTLDregistriescouldcontinuetheirpreemptiveregistrationactivitiesthrough1April2009.Theparticipantsagreedtocontinuetoconferenceregularlytoreportstatusandtoexploremechanismstocontainormitigatefuture,similarthreats.

ConfickerSummaryandReview

7

BasedontrafficanalysisandintelligencegatheredrelatedtoConfickeravailableatthetimeofthemeeting,participantsagreedthattheoperationalresponseplanputintoactioninAtlantawouldhavetocontinueforseveralmonthsandaworkflowemerged:researcherswouldgeneratethedailylistsandcontactthetargetedregistries,whowouldthentakemeasurestoblockConfickerbotnetoperatorsfromregisteringthedomainnames.On12February,Microsoftpublishedapressreleaseannouncing“partnershipwithtechnologyindustryleadersandacademiatoimplementacoordinated,globalresponsetotheConficker(a.k.a.Downadup)worm”12andofferinga$250,000rewardforinformationleadingtothearrestandconvictionofConficker’swriters13.TheannouncementacknowledgedtheparticipationandcooperationofICANN,registryoperators(NeuStar,VeriSign,CNNIC,Afilias,PublicInternetRegistry)aswellasGlobalDomainsInternationalInc.,M1DGlobal,AOL,Symantec,F‐Secure,ISC,researchersfromGeorgiaInstituteofTechnology,theShadowserverFoundation,ArborNetworksandSupportIntelligence.Atthispoint,ArborNetworksjoinedtocomplementsinkholeoperations.Followingthisannouncement,thepressbeganreferringtotheadhocpartnershipastheConfickerCabal14.ThepartnershiplaterpreferredandcontinuestousethenameConfickerWorkingGroup.FromearlyFebruarythroughmid‐April,thestafffromICANNsecurity,services,complianceandlegaldepartmentscoordinatedaseriesofcallswithpartieswhoagreedtocollaborateasaDNSoperationalresponseteam.Theteam,consistingofinvolvedgTLDregistryandregistrarrepresentatives,mettocontinuetoshareinformationandtodiscussongoingeffortstocontainConficker.ThegroupwasexplicitlyavoluntarycollaborationthatfocusedspecificallyontheConfickersituation,establishedmechanismsforvettingadditionalmemberstoensuretrustinthoseinvolvedandmadenodeterminationsrelatedtoanycontractualmatters.ManyofthesepartieswerealsoengagedinthebroadersecuritycommunityConfickerworkinggroup.BythispointtheCWGhadmultiplefunctioningsubgroups,includingsinkholeoperators,malwareanalyzers,DNSoperators,remediationtoolproducers,etc.On20February,MicrosoftreceivedreportsofaConficker.Cvariantiii.Securityresearchersdeterminedbyexamininginfectionsamplesthatthisvarianthadamoreaggressivedomaingenerationalgorithm.Cognizantthatthesecurityanddomainnamecommunitieswereblockingregistrations,theConfickermalwarewritersseemedintenttotestthelevelofcommitmentoftheConfickerWorkingGroup.InAnalysisofConficker.C15,Parras,Saidi,andYegneswarandescribeConficker.Cas“adirectretorttotheactionoftheConfickerCabal,whichrecentlyblockedalldomain

iiiThelabelingofConfickervariantsbecomesconfusingatthispoint.OnesecurityresearcheratSRIobtainedavirussampleandlabeleditB++whereasotheranalystslabeledthevariantC.The8March2009SRIanalysisofConficker.CthusdescribesthevariantothersinthecommunitylabeledD.Somemembersofthesecuritycommunitynowrefertothe1April2009variantasConficker.C/D.AtablecomparingcertainfeaturesoftheConfickervariantsappearsinAppendixA.

ConfickerSummaryandReview

8

registrationsassociatedwiththeAandBstrains.”TheConficker.Cvariantintroducedtwofunctionalchanges.ThefirstalteredthecontrolchannelcommunicationsfromaC&Ctoapeer‐to‐peermodel.Conficker.Calsochangedthedomainnamegenerationalgorithmandrendezvouslogicpointselectionmethod:“Conficker.Cnowselectsitsrendezvouspointsfromapoolofover50,000randomlygenerateddomainnamecandidateseachday.Conficker.CfurtherincreasesConficker'stop‐leveldomain(TLD)spreadfromfiveTLDsinConfickerA,toeightTLDsinB,to110TLDsthatmustnowbeinvolvedincoordinationeffortstotrackandblockConficker.C'spotentialDNSqueries.Withthislatestescalationindomainnamemanipulation,Conficker.Cposedasignificantchallengetothosehopingtotrackitscensusandcontainthethreatitposed.TheConficker.Cvariantalsohighlightedtheweaknessofblockingnameregistrationsasacountermeasure.Themeasuredoesnotscale.ByintroducingincreasinglylargenumbersofpossibleregistrationsandspreadingtheseacrossalargenumberofTLDregistries,theConfickerwritersincreasedthelikelihoodofoversightorerror,andalsoincreasethenumberoforganizationsthathadtocollaborate.LederandWermannoteintheirreportthatthenewConfickervariantimprovedthedomaingenerationalgorithmmeasurably,butatthesametimerevealedinformationthatthewritersshouldhavetakencaretohide:“Conficker.Ccontainscodethatwillstarttolookforupdatesafter1April2009localtime...ItisthishardcodeddatevaluewithinthecodethathasgeneratedsuchahighdegreeofpressspeculationaboutwhattheConfickerbotnetwillormorelikelywon'thappenonAprilFoolsday.”HardcodingthedateintotheConficker.Cvariantwasnotverycleverandinfact,showsthateveninthevirusworldthosewhofailtostudyhistoryaredoomedtorepeatit:hardcodingIPaddressesofinfectioncodehadearlierprovidedsecurityresearcherswiththemeanstoblockcommunicationsbetweenbotsandC&Cs.Atthispoint,theCWGfacedseveraluncertaintiesandchallenges.CWGmembersandothershadmadeseveralrepairandremovaltoolsavailable,butthegroupcouldnotenforceremediationordeterminehowmanyhostsinfectedbypriorConfickervariantsremainedinfectedandhadbeenupgradedbytheConfickermalwarewritersfromtheoriginalAvariant(andthuscouldbefurtherupgradedtoConficker.Considerableeffortstomakethepublicawareofthethreatwereunderway,buttheCWGhadtoanticipatethatConficker.Cwouldinfectadditional(new)hosts.TheCWGfocusedcertainofitsmonitoringactivitiesondeterminingwhetheranyofthealgorithmicallygenerateddomainsduplicatednamesalreadyregisteredinaTLDandothereffortstocontinuetoidentifythedomainnamesConfickergeneratedandmaketheseavailabletoTLDssothattheycouldbeblocked.ICANNsecuritystaffandICANNregionalliaisonscontactedthelistofCCTLDoperatorsthatsecurityresearchershadidentifiedastargetsforConfickerregistrations,suppliedeachoperatorwithatailoredlistofnamesConficker

ConfickerSummaryandReview

9

malwarewriterswouldattempttoregister,andadvisedthemtojoinsecuritymailinglistswhereDNSresponseissuesrelatedtotheConfickerwormsarediscussed;however,certainCCTLDoperatorswouldnotblockthenamesonthelistwithoutacourtorder.ICANNstaffalsocontactedtheChairoftheccNSOandthemanagersoftheRegionalccTLDgroups(CENTR,APTLD,AFTLD,LACTLD)toassistincallingattentiontotheanticipatedevent.TheanticipatedApril1updateeventreceivedconsiderablepublicattention16.TheConfickerWorkingGroup,complementednowbyanumberofCCTLDs,preparedfortheevent.ICANNsecuritystaffandConfickerWorkingGroupmembersrecognizedthat100%awarenessortimelyparticipationacrosssuchalargenumberofregistryoperatorswasdoubtful.Cooperationamongthevariousregistriesoperators,althoughunlikelytofullystopConficker,wouldenabletheanti‐viruscommunityandthoseinvolvedtobettertrackandunderstandthespreadofthewormandthentousethatinformationtohelpdisinfectsystems.By30March2009,securityresearchersinvolvedinTheHoneynetProjecthadsufficientlyanalyzedConficker.Ctopositivelyidentifytheinfection17.Detectionsignaturesweremadeavailableandquicklyincludedinfreeandfor‐feenetworkscanners(NMAP,TenableSecurity’sNessus,McAfeeFoundstoneEnterprise,andQualys).Giventhenumberofsystemsthatremainedinfectedandnotpatched,securityresearchersconcededthatthatnumberofsystemsstillinfectedwithearlierConfickervariantsandstillnotpatchedtomitigatetheMS08‐67wouldbeupdatedon1April2009withtheConficker.Evariantandthattheextentandsuccessoftheupdatecouldnotbepredicted.TheintentoftheConficker.EvariantwastoremoveallbutthecoremalwarefunctionalityandupgradecontactedhostswiththenewP2Pcommunicationsability.AccordingtoMicrosoftMalwareProtectionCenter18,theConficker.Evariant“executesaself‐terminationroutinewhenthedateisMay32009.Thewormdeletesitsmainexecutablecomponentonthisdate.HowevertheDLLpayloadcomponent(detectedasWorm:Win32/Conficker.E.dll)remainstocontinueparticipatinginP2Pcommunicationamonginfectedpeers.”On21September2009,SRIreleasedaConfickerP2PProtocolandImplementationAnalysis19.Inthereport,theauthorsdescribethenewP2Pscan‐baseddiscoverymethodConfickermalwarewriterswouldnowusetojoinaninfectedhostintotheConfickerP2Pnetwork,themeansbywhichpeerssharemalwareexecutables,andmore.

OngoingConfickerWorkingGroupActivity EffortscontinuetoblockregistrationofConfickerdomains.TrafficanalysiseffortshavebeenhelpfulindevelopingabetterunderstandingofthedistributionofthewormandintendedapplicationsoftheConfickerbotnet20.Microsoftandsecurityvendorscontinuetostudymethodsfordetectionandremovalofknownvariants.

ConfickerSummaryandReview

10

SecurityresearcherscontinuetopublishanddistributeConfickerscanners,signaturesforintrusionsystems,andgeneralinformation.Effortstotargetoutreachtoparticularlyinfestednetworkscontinue.TheConfickerinfectionrateremainshighforBandCvariantsbutdecliningforC/E.Remediationcontinuestoposechallenges.SecurityresearcherscontinuetotrackConficker.AnOctober2009snapshotbytheShadowserverFoundationestimatesthenumberofsystemsinfectedwithConfickerA/B/Cvariantsatapproximatelysevenmillion21.TheConfickerWorkingGroupmaintainsvisualtimelineandchronologyofConfickerat[22]totrackhistorical,currentandfutureevents.ActivitiestodetectConfickervariantsandremediateConficker‐infectedhostswillundoubtedlycontinueforsometime.Thisisinevitablegiventhemillionsofinfectedcomputersandhistoricallymarginalsuccessinremediatingmalware.LessonslearnedduringtheConfickercontainmentperiodarediscussedinalatersectionofthispaper.SecurityandDNScommunitiesareworkingtodeviselong‐termandsustainableapproachesfordealingwithnotonlyConfickerbutalsofuture,similarthreats.These,too,arediscussedinalatersectionofthispaper.

TheImportanceofRolesinConfickerWorkingGroupAlltheactionsrelatedtomitigatingtheConfickerwormwerenotdirectlynorentirelywithintheremitofanyindividualCWGparticipant.ThroughoutthechronologyofConfickerevents,allthecollaboratingpartiesperformedrolesthatwereappropriatetotheirorganizations’corecompetencies:malwareresearchersreverseengineeredthedropper/installer,trafficanalysisengineersidentifiedthelociofinfestations,ICANNfacilitatedcommunicationsbetweenregistriesandpartieswhocompiledtheC&Cdomainlists,andregistryoperatorsblockedregistrationsofConfickerdomains.Thecollaboratingpartiestriedtoadheretothebestpracticesofpublicdisclosureofsecurityincidentsandeventsbymaintainingalowprofile,protectingsensitiveinformation,andsharingonlyinformationthattheadhocpartnershipagreedtoshare.SeveralCWGmemberspubliclyexpressedtheirsurpriseandgratitudeformemberwillingnesstoengageintheConfickercontainment23.ManysecurityandregistryorganizationshadnotencounteredcircumstancessuchasthoseConfickerposedandthusdidnothavecommunicationschannelsinplacetocoordinatecontainmentefforts.CWGmembersindicatedthatICANN’sabilitytofacilitateandexpeditecommunicationswithTLDregistriesacceleratedprocessesthatwouldunderothercircumstanceshavechallengingifnotimpossibletoobtainduringthewindowsofopportunityConfickeraffordedthem.ICANNsecuritystaffandregionalliaisonsinitiallyfilledthisgapbyrelayinginformationgatheredbysecurityresearcherstoTLDoperatorsandlaterbyintroducingcollaboratorsandprovidingdirectcontactinformation.RegistryoperatorsblockedConfickerdomainsandadvisedICANN

ConfickerSummaryandReview

11

counselandseniormanagementofthemeasurestheytooktopreventtheregistrationofauto‐generateddomainsbytheConfickermiscreants.Theseadhocmethodsprovidedsomeinsightintohowcertainformalconstructsmightprovebeneficialinfutureresponseefforts.

ConfickerTodayInfectiontrackingbytheCWGshowsthatConficker.CpopulationshavediminishedoverthepastyearbutthatnumberofcomputersinfectedConfickerA+Bisstilllarge(graphscourtesyofConfickerWorkingGroup24).

Overthepastyear,theShadowserverFoundationhastrackedtheConfickerpopulations(A+B,C,andaggregate),whichremaininthemillions.

ConfickerSummaryandReview

12

LessonsLearnedSeverallessonsmaybelearnedfromthechronologyandeventsrelatedtocontainingtheConfickerworm.PerhapsthemostpositivelessonlearnedisthatDNS,security,andlawenforcementcancollaboratewhenanincidentofglobalproportionisidentified.Apositiveresultfromtheadhocresponsewasthattheparticipantsdisruptedthebotnetcommunicationsandthuspreventedopportunitiestoputthebotnettomisuse.Thecontainment,however,wastemporary,andtheConfickermalwarewriterscounteredbymakingthecontainmentmeasureincreasinglydifficulttocoordinateandsustain.TheConfickercollaborativeresponsesreliedlargelyonvolunteereffortsandgoodwill,informalcommunicationschannels,interventionaloperationalpractices,informalagreements,andassumptionsthatresponsewouldbeuniformandunilateral.Eachofthesedependenciesexposedcertainweaknesses:Adhoccollaborativeresponsemaynotbescalableorsustainable.Intheabsenceof(complementary)formalstructuresorcommitments,certainproblemsthatencumberedorconfoundedtheConfickerresponsewillpersist.TheConfickerresponsewasahighlydistributedeffortthatleveragedmanyvolunteersaswellasfulltimestaffacrossmultipleorganizationstogetthejobdone.WeneedtoconsiderthefactthatwecannotrelyonhavingsufficientresourcesofthecaliberthatwereengagedforConfickertobeavailableatamoment’snoticeasarealthreat.AswestudythreatstotheDNS,weneedtoalsoconsiderthatwehavenotyetencounteredasituationwhereresourcesmightbeneededformultiple,simultaneousincidentsinvolvingtheglobalDNS.

ConfickerSummaryandReview

13

Likeothermalwarewriters,worm/botnetwriterswilladapttocountermeasuresdeployedtodetectorcontainthem.However,westillseeevidencethatwhilebotnetwritershaveadaptedtothecontainment,theystillappeartopreferDNStohard‐encodedIPaddressesandstillusesecondlevellabelsacrossmultipleTLDs.TheDNSislikelytocontinuetobepartofmalwarewritertoolkits.Itisthusappropriatetoconsiderwaystobuildonthesuccessfulelementsofthisincidentresponseandimprovethoseaspectsthatwerenotsosuccessful.Informalcommunicationsmaynotbesufficientforallglobalincidentresponseefforts,especiallyinsituationswherethereiszerotoleranceforerrororomission.Confickerdemandedconstantattentionfromresponders.Confickervariantsgeneratednewdomainlistsdaily.Securityresearchersmonitoredtrafficandanalyzedcodesamplescontinuouslyinanticipationofnewvariants.DuringthemonthsofefforttocontainConficker,communicationsamongresponderscouldbecharacterizedashavingspikes,lags,anddormantperiodswheresomepartieswereunabletorespondorunresponsive.Incertaincases,contactinformationavailabletopartieswasnotaccurate,orwasnotsufficienttoreachapartywithauthoritytoactonbehalfofthecontactedorganization.Inothercases,ICANNstaffdeterminedthatsomeregistrycontactinformationmaintainedbyIANAwasnotaccurateorwasnotthecontactataregistrywithauthoritytoparticipateinincidentresponse.Formalchannelswithagreed‐uponormandatoryexchangesandexchangefrequenciesshouldbeconsideredforfutureresponseefforts.Maintainingconsistency,completenessandaccuracyofinformationduringthecourseofalongincidentresponseeffortischallenging.DuringtheConfickerresponse,partiesinitiallyusedavailableratherthanformalcommunicationschannels(e.g.,securitymaillists,teleconferences,privateemail,etc.)andreliedoncontactinformationathandorpassedhandtohand.TheConfickerWorkingGroupestablishedcommunicationschannelsasthecontainmenteffortgrew,butsensitiveinformationwasnotconsistentlyclassified,encryptedorsigned.Thenatureandlevelofdetailcommunicatedamongtheparticipantswasunintentionallybutpredictablynotuniform.Theadhocnatureofthesecommunicationsalsoresultedindifferentpartiesreceivinginformationatdifferenttimes,whichmadeitdifficulttomaintainbroadsituationalawareness.Noindividualororganizationperformedformalactiontrackingorauditing,andthuschroniclingtheincidentresponseforpost‐incidentreviewandanalysishasbeendifficult.Inparticular,informationthatispotentiallyvaluableinimprovingresponsetofutureglobalincidentsmaybelostorasyetundisclosed.Scalingtrustishard.Volunteereffortsrelyonpersonalwebsoftrust.MostparticipantsintheConfickerresponseknewsomeorseveralotherparticipantsbutitisunlikelythatanyonekneweveryoneandunlikelierstillthatanyonecouldproduceanaccurateaccountingofallpartiestoallinformationsharingduringthecourseofthecontainmenteffort.

ConfickerSummaryandReview

14

Operationalprocessesthatrelyonblocklistsataregistrylevelarenotscalable.Themostobviousreasonisthatpreemptiveblockingscalespoorly:inresponsetotheblockingefforts,Conficker’swritersincreasedthenumbersofalgorithmicallygenerateddomainsandthenumbersofTLDs.Theoperationalburdentoblockdomainsincreasesinseveralways;forexample,distributionofnamesacrosslargernumbersofTLDs,removalofthenamesfromavailablepoolscanbecomeexpensive,non‐compensatedcostsforregistryoperators.Registriesalsofiltereddomainstoassurethatall“collisions”betweenConficker’sDGAdomainsanddomainsthatarealreadyregisteredinTLDswerenotadverselyaffected.CertainactivitiesrelatedtoincidentresponseraisecontractualissuesforICANN,registries,andregistrars.InthecaseofConficker,ICANNandGTLDregistrieswereabletoresolvemattersrelatingtodomainfeesquickly.Thecommunitycannotrelyonallcontractualmatterstobesoeasilyhandledforallfutureincidents.RegardingtheeasebywhichConficker‐relatedcontractualmatterswereresolve,onesecurityexpertobserved(anonymously)that,“inthefirstexampleofbreakingtherules,you’regivensomeleeway.Thesecondtime,thestakesarehigher,andyouhavetobewarethatasinglemistakewillbedisproportionatelyhighlighted.”CertaincountermeasuresorpreemptiveactionscannotbeimplementedunilaterallybyallTLDoperators.Someregistryoperatorsrequirecourtordersbeforetheytakeaparticularactioninresponsetoaglobalincident.InascenariolikeConficker,wherelistsofmaliciousdomainsaregenerateddaily,evenaonedaydelaytoprocessacourtordercaninhibittheresponse.Weshouldrefrainfromconcludingfromtheselessonslearnedthatformalstructuresmustreplacevoluntaryones.Forexample,establishingformalstructuresdoesnotaddresstheissuethatsomeTLDswillnotbewillingtoparticipateortocontinuetoparticipateincertainkindsofresponseindefinitely.Relyingentirelyonformalstructuresmayexcludeparticipationbycertainindividualsforarangeofpolitical,legal,orpersonalreasons.Rather,weshouldbearinmindthatresponseswithinadequateresourceswillbemorepronetoerrororomissionthanthosegivenadequateresources.Effectiveresponsewillinevitablyandultimatelydependuponthesupportandparticipationofrelevantstakeholders,notablythosewhohavedelegatedresponsibilityforthevariousassetsinvolved.Inotherwords,whilecertainformalstructurescancomplementandrenderadhocresponsesmoreeffective,bothmaybenecessarytodealwithfutureeventsoftheConfickerkind.

WayForwardBaseonthelessonslearnedfromthecollaborativeresponsetoConficker,oneelementofawayforwardistoformalizerelationshipsamongpartiesthatbecomeinvolvedwhensecurityeventsofaglobalnatureoccur.ICANN(theentityandcommunity)hasestablishedcertainformalrelationshipsandstructuresandisworkinginconcertwithotherorganizationsonothers.

ConfickerSummaryandReview

15

WithinthespecificcontextofglobalsecurityeventsinvolvingabuseoftheDNSanddomainregistrationservices,andusingConfickerasalearningexperience,ICANNandthegTLDregistrieshavedevelopedanExpeditedRegistrySecurityRequestProcess(ERSR)25.Throughthisprocess,gTLDregistriescannowinformICANNofapresentorimminentsecuritythreatagainsttheregistryortheDNSinfrastructureandrequestacontractualwaiverforactionstheregistrymighttakeorhastakentomitigateoreliminatethethreat.ThecontractualwaiverwouldprovideexemptionfromcompliancewithaspecificprovisionoftheRegistryAgreementforthetimeperiodnecessarytorespondtothethreat.TheERSRallowsaregistrytomaintainoperationalsecurityduringanincidentwhilekeepingrelevantparties(e.g.,ICANN,otheraffectedproviders,etc.)informedasappropriate.

TheERSRisintendedtohelpregistriesdealwithmaliciousactivityinvolvingtheDNSofscaleandseveritythatthreatenssystematicsecurity,stabilityandresiliencyofaTLDortheDNS.Itcanalsobeusedincircumstanceswherearegistrydiscoversunauthorizeddisclosure,alteration,insertionordestructionofregistrydata.TheERSRwouldalsobeanappropriateprocessforaneventwiththepotentialtocauseatemporaryorlong‐termfailureofoneormoreofthecriticalfunctionsofagTLDregistryasdefinedinICANN’sgTLDRegistryContinuityPlan26.

Today,manyorganizationssupportavarietyofactivitiesthatareintendedtoimproveInternetsecurityawarenessandrespondtosecurityincidents.ICANNsecuritystaffhasstudiedincidentandemergencyresponseatnationalandinternationallevelstounderstandhowtheseactivitiesmightbecoordinated,especiallyincircumstanceswheretheDNSiscentraltoglobalincidentsorwhereeventsthreatenthesecurity,stability,orresiliencyofdomainnameserviceatagloballevel.Withtheassistanceoftheseorganizations,ICANNhasdevelopedanoperationalconceptplanandbusinesscaseforaDNS‐CERT27.Asproposedintheconceptplan,theDNS‐CERTwouldactasasecuritycoordinationcentertoassistDNSoperatorsandsupportingorganizationsbyprovidinginformation,expertiseorresourcestorespondtothreatstothesecurity,stabilityandresiliencyoftheDNSefficientlyandinatimelymanner.Again,asproposed,thecentralpurposesoftheDNS‐CERTwouldbetomaintainsituationalawareness,facilitateinformationsharing,improvecoordinationwithintheDNSoperationalcommunity,andimprovecoordinationwiththebroadersecurityandotheraffectedcommunities.Inadditiontotheseprograms,ICANN’ssecurityteamisstudyinghowtoimproveandmaintainaccuratecontactinformationincooperationwiththesecuritycommunityandregistryoperators.Staffwillalsostudywaystoimproveandformalizemonitoringresponsestoglobalincidentswhiletheyareinprogress(e.g.,auditingandtracking),methodstochronicleincidentresponses,andwaystocoordinatepost‐incidentreviewandassessment.ThesemaybeincorporatedintotheDNS‐CERTprogramasitevolves,ortheyformbethebasesforotherinitiatives

ConfickerSummaryandReview

16

instigatedbyotherorganizations.ICANNwillconsiderwhatifanyroleitshouldperformuponreviewoftheinitiatives.

ConcludingRemarksIncertainrespects,thecollaborativeresponsetoConfickerwasasinglevolleyinwhatisarguablyanearlybattleofalongcampaign.ICANNandothermembersoftheCWGwillcontinuetoassistinremediationeffortsrelatedtotheConfickerworm.Individualorganizationswillnodoubtusetheirexperiencestohelpdefinerolesinfutureglobalincidents.TheDNSandInternetsecuritycommunitiesmustalsoconsiderhowtheytogethermightestablishmoreformalcollaborativeresponsetofutureoccurrencesofConfickerandotherthreatstotheDNSsecurity,stabilityandresiliencyofsimilarnatureandscale.

ConfickerSummaryandReview

17

Appendix A. Table of Conficker Variants

Variant & date

Bot Evolution DNS/Domain Abuse

Conficker.A 2008-11-21

• Infects via MS08-67, anonymous shares

• Resets system restore point, disables security services

• HTTP callback to download files

250 pseudo-randomly generated domains registered in 5 TLDs

Conficker.B 2008-12-29

• Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media

• Reset system restore point • Disables security software and

security updates via DNS filtering

250 pseudo-randomly generated domains registered in 8 TLDs

SRI Conficker.C a.k.a. Conficker.D 2009-02-20

• Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media

• Disables security software and security updates via DNS filtering

• Changes bot from HTTP C&C to P2P

• Sets 1 April 2009 as activation date for new DGA

Tens of thousands of pseudo-randomly generated domains registered in 100+ TLDs

Conficker.E 2009-04-01

• Initial exploit uses MS08-67 • Only installs if prior Conficker

variants present • Disables security software and security updates via DNS filtering

• Resets system restore point • Updates to pure P2P network • Self-terminates on 3 May 2009: remove all Conficker executables except DLL

…

ConfickerSummaryandReview

18

Citations1Code Red (Computer Worm), http://en.wikipedia.org/wiki/Code_Red 2 Blaster worm, http://en.wikipedia.org/wiki/Blaster_Worm 3 Sasser (Computer Worm), http://en.wikipedia.org/wiki/Sasser_worm 4SQLSlammer,http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)5 Know Your Enemy: Containing Conficker, http://www.honeynet.org/papers/conficker 6ContainingConficker,http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/7TheDifferenceBetweenaComputerVirus,WormandTrojanHorse,http://www.webopedia.com/didyouknow/internet/2004/virus.asp

8 What is a Blended Threat? http://www.securityskeptic.com/blendedthreat.htm 9 Microsoft Security Bulletin MS08-067 - Critical, 23 October 2008,

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 10HowtoRestoreWindowsXPtoapreviousstate,http://support.microsoft.com/kb/306084

11DisconnectingfromtheSrizbiBotnet,http://www.fireeye.com/securitycenter/srizbi_notify.html

12Microsoft Collaborates With Industry to Disrupt Conficker Worm, http://www.icann.org/en/announcements/announcement‐2‐12feb09‐en.htm

13MS puts up $250K bounty for Conficker author, http://www.theregister.co.uk/2009/02/12/conficker_reward/

14ConfickerCabal,http://www.confickercabal.com/ 15Analysis of Conficker.C, http://mtc.sri.com/Conficker/addendumC/16 Alert: April 1 "Conficker" Computer Worm,

http://www.cbsnews.com/stories/2009/03/26/tech/cnettechnews/main4894856.shtml17Conficker Researchers Counter April 1 Update With Detection Scan,

http://www.crn.com/security/21640181818MicrosoftMalwareProtectionCenter‐Win32/Conficker.E,

http://www.microsoft.com/security/portal/Entry.aspx?name=worm:Win32/Conficker.e19ConfickerP2PProtocolandImplementationAnalysishttp://mtc.sri.com/Conficker/P2P/20ConfickerInfectionDistribution,http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution

21ShadowserverFoundationConfickerstatisticspage, http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker22ConfickerTimeline,http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/Timeline 23ShadowserverFoundationAnnouncesNewEffortToCombatConfickerhttps://infosecurity.us/?p=623824ConfickerWorkingGroupInfectionTrackinghttp://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking

25ExpeditedRegistrySecurityRequestProcess,http://icann.org/en/registries/ersr/

26gTLDRegistryContinuityPlan,http://icann.org/en/registries/continuity/gtld‐registry‐continuity‐plan‐25apr09‐en.pdf

27GlobalDNS‐CERTBusinessCase,http://www.icann.org/en/topics/ssr/dns‐cert‐business‐case‐10feb10‐en.pdf