Click here to load reader
Upload
losalamos
View
574
Download
1
Embed Size (px)
DESCRIPTION
A paper released today by ICANN provides a chronology of events related to the containment of the Conficker worm. The report, "Conficker Summary and Review (PDF)," is authored by Dave Piscitello, ICANN's Senior Security Technologist on behalf of the organization's security team. Below is the introduction excerpt from the paper:The Conficker worm first appeared in October 2008 and quickly earned as much notoriety as Code Red, Blaster, Sasser and SQL Slammer. The infection is found in both home and business networks, including large multi‐national enterprise networks. Attempts to estimate the populations of Conficker infected hosts at any given time have varied widely, but all estimates exceed millions of personal computers.
Citation preview
ConfickerSummaryandReview
1
ConfickerSummaryandReviewDavePiscitello,ICANNSeniorSecurityTechnologist 7May2010
AbstractThisreportprovidesachronologyofeventsrelatedtothecontainmentoftheConfickerworm.Itprovidesanintroductionandbriefdescriptionofthewormanditsevolution,butitsprimaryfocusistopiecetogetherthepost‐discoveryand‐analysisevents,describethecontainmentmeasureschronologically,anddescribethecollaborativeefforttocontainthespreadoftheworm.TheauthorcaptureslessonslearnedduringacontainmentperiodspanningnearlyayearanddescribesrecentactivitiesthatattempttoapplythelessonslearnedsothatthesecurityandDNScommunitiescanbebetterpreparedforfutureattacksthatexploittheglobalDNS.Thisreportrepresentstheworkoftheauthor,onbehalfoftheICANNSecurityTeam.Theauthorisresponsibleforerrorsoromissions.WhilemembersoftheConfickerWorkingGroup,ICANNSSAC,individualsecurityresearchers,andcertainICANNregistrieswereinvitedtocommentorreviewthereport,noneoftheseorganizationswereaskedtoformallyendorsethisworkproduct.
IntroductionTheConfickerwormfirstappearedinOctober2008andquicklyearnedasmuchnotorietyasCodeRed1,Blaster2,Sasser3andSQLSlammer4.Theinfectionisfoundinbothhomeandbusinessnetworks,includinglargemulti‐nationalenterprisenetworks.AttemptstoestimatethepopulationsofConfickerinfectedhostsatanygiventimehavevariedwidely,butallestimatesexceedmillionsofpersonalcomputers.TheoperationalresponsetoConfickerisperhapsaslandmarkaneventasthewormitself.Internetsecurityresearchers,operatingsystemandantivirussoftwarevendorsdiscoveredtheworminlate2008.ThesepartiesaswellaslawenforcementformedanadhoceffortwithICANN,TopLevelDomain(TLD)registriesandregistrarsaroundtheworldtocontainthethreatbypreventingConfickermalwarewritersfromusingtensofthousandsofdomainnamesalgorithmically‐generateddailybytheConfickerinfection.ConfickermalwarewritersmadeuseofdomainnamesratherthanIPaddressestomaketheirattacknetworksresilientagainstdetectionandtakedown.Initialcountermeasures–sinkholingorpreemptiveregistrationsofdomainsusedtoidentifyConficker’scommandandcontrol(C&C)hosts–preventedthemalwarewritersfromcommunicatingwithConficker‐infectedsystemsandthus,presumably
ConfickerSummaryandReview
2
preventedthewritersfrominstructingthebottedhoststoconductattacksortoreceiveupdates.TheConfickermalwarewritersrespondedtothismeasurebyintroducingvariantstotheoriginalinfectionthatincreasedthenumberofalgorithmicallygenerateddomainnamesanddistributedthenamesmorewidelyacrossTLDs.Torespondtothisescalation,partiesinvolvedincontainingConfickercontactedmorethan100TLDsaroundtheworldtoparticipateinthecontainmenteffort.Thecombinedeffortsofallpartiesinvolvedinthecollaborativeresponseshouldbemeasuredbymorecriteriathanmitigationalone.Thecontainmentmeasuresdidnoteradicatethewormordismantlethebotnetentirely.Still,thecoordinatedoperationalresponsemeritsattentionbecausethemeasuresdisruptedbotnetcommandandcontrolcommunicationsandcausedConfickermalwarewriterstochangetheirbehavior.ThecollaborativeeffortalsodemonstratedthatsecuritycommunitiesarewillingandabletojoinforcesinresponsetoincidentsthatthreatenthesecurityandstabilityoftheDNSanddomainregistrationsystemsonaglobalscale.
ConfickerSummaryandReview
3
ConfickerBackgroundThissectiondrawsheavilyfromanexcellentpaperontheConfickerwormpublishedattheHoneynetProjectbyauthorsFelixLederandTillmannWerner5.ThedescriptionherelargelytracksanddistinguishesamongConfickervariantswhenchangesaffectedtheworm’suseoftheDNS.Itdiscussesthewormingeneralterms.ThoseinterestedinaverytechnicalanalysisofConficker’sinfection–armoringandupdateprocesses,variantsofthedomainnamegenerationalgorithms,signaturesthatcanbeusedbyintrusiondetectionsystemstodetectConficker,anddisinfectionissues–areencouragedtoreadthefullpaper.LederandTillmannhavealsoproducedashortvideoonthestructureofConfickerandmaintainalistofdisinfectantsandscannersattheContainingConfickerwebpage6.ListsofdomainnamesgeneratedbyConfickervariantsmaybeofparticularinteresttothedomainnamecommunityandcanbeobtainedthereaswell.AnothersourceforthissummaryisanSRITechnicalReportbyPhillipPorras,HassenSaidi,andVinodYegneswaran,whichanalyzestheConfickerpackage,processing,andprotocolinconsiderabledetail.Confickeriscalledawormbecausethefirstdiscoveredvariantattachedtoaprogram(executable),wasself‐replicating,and(importantly)usedanetworkasthedeliverymechanism.Thiscombinationofcharacteristicsdistinguisheswormsfromviruses7.Confickerisactuallyablendedthreat8becauseitcanbedeliveredvianetworkfileshares,mappeddrivesandremovablemediaaswell.TheConfickerinfectionisatypeofsoftwarecalledaDynamicLinkLibrary(DLL).ADLLcannotexecutealonebutmustbeloadedbyorintoarunningapplication.TheConfickerDLLlauncheswithrundllonWindows,whichletsitrunasastandaloneprocess.AConfickerinstallerloadsitsDLLintoaWindowsapplicationbyexploitingtheMS08‐067vulnerabilityintheWindowsOperatingSystem9.ThisvulnerabilityallowsConfickermalwarewriterstousewhatiscalledabufferoverflowto“inject”codeintotheWindowsServerService.Abufferoverflowisamethodofexploitingsoftwareprogrammingthatfailstocheckboundariesbeforewritinginformationintomemory.Theattackerdiscoversthataprogramisvulnerabletoabufferoverflowbyattemptingtowritemoreinformationintomemorythantheprogrammerhadallocatedtostoreinformation.Specifically,theattackerseekstowriteinformationintomemorythatisadjacenttothememoryheoverruns.Thisadjacentmemorymaycontaindataoritmaycontainexecutablecode;ineithercase,theattackedapplicationwillnotoperateasanticipatedwhenitencountersthemaliciouscodetheattackerinjected.InthecaseofConficker,theattackerinjectedexecutablecodethatgivestheattackerremotecontrolovertheinfectedcomputerandinparticular,remotecodeexecutionprivileges.Usingtheinjectedcode,theattackercanaddorchangecodetomaketheinfectedhostcomputerdowhateveritchooses.
ConfickerSummaryandReview
4
Topreventdetection,certainwormsembedthemselvesinabenignmannerontheinfectedcomputer,i.e.,intoaprogramorsoftwarethatisexpectedtorunonacomputerrunningtheWindowsoperatingsystem.Thewormthenattemptstodisablesoftwarethatcoulddetectorremovetheinfection.ConfickervariantsdisableWindowsAutomaticUpdate,WindowsSecurityCenter,WindowsDefenderandWindowsErrorReporting.LatervariantsalsousedDNSfilteringtoblockantimalwareprogramsfromobtainingupdates(e.g.,virussignaturesthatwouldallowtheresidentAVsoftwaretodetectandremoveConfickerrelatedmalware).ConfickermalwarealsoresetstheWindowsSystemRestorepoint10,whichcontainsinformationthatcouldbeusedtoremoveConfickermalwarebyrestoringtheinfectedcomputer’sfilesystemandregistrytoversionssavedpriortotheinfection.EarlyvariantsoftheConfickermalwareenlistedaninfectedmachineintoaConfickerbotnet.Onceenlisted,themalwarerunningoninfectedcomputersusesadomaingenerationalgorithm(DGA)tocreateadailylistofdomainnames.TheConfickermalwarewritersusedthesamealgorithmtogenerateanidenticallist.ThewritersthenregisteredasmallnumberofthesedomainsandsetupnameresolutionservicefortheselectedsubsetofdomainssothatthedomainnamesassignedtoInternetrendezvouslogicpointsicanberesolvedtoIPaddressesbyDNSresolvers.TheConfickermalwarewritersdidnotappeartousethegenerateddomainnamesroutinely,presumablybecausetheydeterminedthenameshadbeenblocked.Alatervariantshiftedthebotnetfromemployingrendezvouslogicpointstoapeer‐to‐peernetwork.Malwareoperatingoninfectedhostsdiscoverotherbotsbydetectingattacksfromanotherinfectedhosts,confirmingthecodetheattackinghostsattempttoinjectisthesameasitsowncode,andconnectingbacktotheattackerusingHTTPsothathostswithmatchedinfectionscansharefilesdirectly.TheConficker‐infectedcomputersattempttoconnecttoHTTPserversoperatingonrendezvouslogicpointsbycontactingdomainsfromthedaily‐generatedlistofdomainnames.IftheyareabletoresolveadomainnameandconnecttoanHTTPserver,thebottedmachinesareabletoreceiveadditionalmalwareorinstructionstoperformcertainactionsusingalready‐presentexecutables.Thewormusesstrongcryptographictechniques(RSAandMD6)tocontrolwhatcodecanbeloadedontoaninfectedbox.Allcode"loads"mustbecorrectlysignedortheywillberejected.Presumably,onlytheConfickermalwarewriterhastheprivatesigningkeyforupdates.Insomecases,theConfickerbotwillbetoldtotryvariousmeansofinfectingotherhosts(e.g.,throughanonymousnetworkshares).Inothercases,theConfickerbotscanbecomeanarmythatcanbedirectedatwillbyrendezvouspointstosupportawiderangeofmaliciousorcriminalactivities.Botnetsareextremelydifficulttodismantle.Botnetscanremainoperational–andwillcontinuetoserveasplatformsfornumerousattacksforaslongasthebottediArendezvouslogicpointisaserverthatisfunctionallysimilartoacommandandcontrol(C&C)server.
ConfickerSummaryandReview
5
computersremaininfectedandaslongasthebotscanremotelycommunicatewiththerendezvouspoint(s).Thefollowingsectionoffersachronologyofeventsthatdescribehowthesecurity,intelligenceandDNScommunitieswereabletodisruptcommunicationsbetweenConfickerinfectedhostsandrendezvouslogicpoints.
OriginandEvolutionoftheConfickerWorkingGroupPriortotheformationoftheConfickerWorkingGroup,operatingsystemandsecuritysoftwarevendors(Microsoft,Symantec,F‐Secure),othersecurityresearchorganizations(ShadowserverFoundation,TeamCYMRU)andtheintelligencecommunity(USFederalBureauofInvestigation,USSecretServiceandtheUSDepartmentofDefense)hadmonitoredandanalyzedConfickerandhadcooperatedtocontainthethreat.F‐Securehadbegun“spot”sinkholingiidomainnamesthatConfickerbotswereattemptingtocontacttoestimatethesizeofthebotnet.SeveraloperatorsoftheTopLevelDomainsinwhichConfickermalwarewriterswereregisteringdomains(VeriSign,Afilias,NeuStar,PIR,andWS)werealreadyinvolvedatthispoint,andICANNstaffassistedthesecurityresearchersincontactingCNNICtoadvisethemofthethreatandaskfortheirparticipationinthecontainmenteffort.TosupporteffortstomonitorConfickertraffic,analyzetheinfection,identifyinfectedhostsandestimatethesizeofthebotnet,SupportIntelligencewasregistering500domainnamesidentifiedasConfickeralgorithmicallygenerateddomainsperdayacrossasmallnumberoftopleveldomains,throughanICANNaccreditedregistrar,Alice’sRegistry,Inc.Aspartofthepreemptiveregistrationaction,SupportIntelligenceconfigurednameserverstoresolvetoIPaddressesofsinkholinghostsunderthecontrolofsecurityresearchersandmalwareanalysts.PreemptivedomainregistrationshadpreviouslybeenappliedwithsomesuccessbyFireEyeMalwareDetectionLabstothwarttheSrizbibotnetinearlyNovember11andsecurityresearcherswerehopingforsimilarsuccessbyapplyingthesametechnique.InthecaseofConficker,preemptiveregistrationwastoservetwopurposes:preventConfickerinfectedhostsfromcommunicatingwithC&CanddirecttraffictosinkholehostswheretheConfickerbottrafficcouldbefurthermonitoredandanalyzed.On28January2009,asecurityresearcheratSupportIntelligencecontactedICANNstaffregardingtheConfickerthreat.SupportIntelligence’sblockingactivitieswereself‐fundedandtheorganizationwasseekingsupportfromICANNtoobtainfinancialrelieforreimbursementfromregistriesforthedomainsithadandwascontinuingtoregister.iiThe“verb”sinkholereferstoanactivitywheretrafficsuspectedtobeassociatedwithabotnetisredirectedtoacomputer(s)operatedbysecurityresearchersorlawenforcementforobservationortodivertanattackawayfromanintendedtarget.
ConfickerSummaryandReview
6
DiscussionsrelatingtheongoingConfickerresponseactivitiesappearedonseveralsecuritylistsinparallelwiththeseactivities,whichincreasedawarenessoftheglobalnatureandscaleofthethreat.Forexample,personnelatregistryoperatorAfiliaswerediscussingConfickermonitoring,blocking,andfundingissueswithseveralrelevantpartiespriortoSupportIntelligencecontactingICANN.CERT‐CCstaffhadcontactedstaffatdomainnameregistryoperatorNeuStartoaskwhetherNeustarmightarrangeforsomeassistancefromtheBIZregistrytohelpcontainConficker.On31January2009,NeustarreceivedbriefingsdescribingSupportIntelligence’spreemptiveregistrationinitiativefromMicrosoftstaffandothersecurityresearchersviaprivatecorrespondence.Combined,thesedialogswereessentialinengagingresourcestocontainConficker,buttheywerelooselycoordinatedinthesensethatnotallpartieswerekeptinformedatalltimes,informationsharedwasnotuniform,andthatdisseminationofinformationreliedheavilyonindividualwebsoftrust.Bythistime,severalorganizations(Symantec/Kaspersky,eNom)hadbeguncontributingfundstoassistwithpaymentofthefeesSupportIntelligencewasincurringtocontainConficker.ThisfinancialaidhelpedpayfororrecoverregistrationfeestoCCTLDs.Recognizingthatthecurrentmethodofpreemptiveregistrationwas“fundamentallyunsustainable”evenwithMicrosoft’scontributionsandthattheoperationalresponseimposedanunreasonableandprecariousburdenonasingleindividual,NeustarcontactedICANN’sChiefInternetSecurityAdvisorandthechairmanofICANN’sSecurityandStabilityAdvisoryCommittee(SSAC).On3February2009,whileattendinganICANNDNSSSRretreat,severalpartiesalreadyinvolvedinthecontainmenteffortmetinAtlantatoconductabriefingforseniormanagementfromICANNandgTLDregistries.Participatingwere:
• ICANNseniormanagement,generalcounsel,andsecuritystaff,• Lawenforcement(FBI/NCFTA),• Securityresearchers(Microsoft,SupportIntelligence,ISC),and• GTLDregistryoperators(VeriSign,Afilias,NeuStar)
ParticipantsreviewedhowConfickerhadbeenhandledtodate(seeabove),anddiscussedhowtosustaintheeffortthroughFebruaryandMarchandhowtomanagepublicdisclosure.Theoperatorsoftheaffectedregistries–initially,BIZ,COM,INFO,NET,andORG–volunteeredtheirparticipationandsetaboutblockingdomainnames.TheparticipantsdiscussedwaysthatICANNmightassistinthepreemptiveregistrationeffort.ICANN’ssecuritystaffagreedtocoordinatepreemptiveregistrationswithCCTLDsandtofacilitateongoingcommunicationsamongtheparticipants.ICANNseniormanagementandgeneralcounselagreedtoconsiderdeclaringtheConfickerresponsetobeaspecialcircumstance(exceptioncase)andtomanagecontractualwaiveraspectsoftheresponsesothattheGTLDregistriescouldcontinuetheirpreemptiveregistrationactivitiesthrough1April2009.Theparticipantsagreedtocontinuetoconferenceregularlytoreportstatusandtoexploremechanismstocontainormitigatefuture,similarthreats.
ConfickerSummaryandReview
7
BasedontrafficanalysisandintelligencegatheredrelatedtoConfickeravailableatthetimeofthemeeting,participantsagreedthattheoperationalresponseplanputintoactioninAtlantawouldhavetocontinueforseveralmonthsandaworkflowemerged:researcherswouldgeneratethedailylistsandcontactthetargetedregistries,whowouldthentakemeasurestoblockConfickerbotnetoperatorsfromregisteringthedomainnames.On12February,Microsoftpublishedapressreleaseannouncing“partnershipwithtechnologyindustryleadersandacademiatoimplementacoordinated,globalresponsetotheConficker(a.k.a.Downadup)worm”12andofferinga$250,000rewardforinformationleadingtothearrestandconvictionofConficker’swriters13.TheannouncementacknowledgedtheparticipationandcooperationofICANN,registryoperators(NeuStar,VeriSign,CNNIC,Afilias,PublicInternetRegistry)aswellasGlobalDomainsInternationalInc.,M1DGlobal,AOL,Symantec,F‐Secure,ISC,researchersfromGeorgiaInstituteofTechnology,theShadowserverFoundation,ArborNetworksandSupportIntelligence.Atthispoint,ArborNetworksjoinedtocomplementsinkholeoperations.Followingthisannouncement,thepressbeganreferringtotheadhocpartnershipastheConfickerCabal14.ThepartnershiplaterpreferredandcontinuestousethenameConfickerWorkingGroup.FromearlyFebruarythroughmid‐April,thestafffromICANNsecurity,services,complianceandlegaldepartmentscoordinatedaseriesofcallswithpartieswhoagreedtocollaborateasaDNSoperationalresponseteam.Theteam,consistingofinvolvedgTLDregistryandregistrarrepresentatives,mettocontinuetoshareinformationandtodiscussongoingeffortstocontainConficker.ThegroupwasexplicitlyavoluntarycollaborationthatfocusedspecificallyontheConfickersituation,establishedmechanismsforvettingadditionalmemberstoensuretrustinthoseinvolvedandmadenodeterminationsrelatedtoanycontractualmatters.ManyofthesepartieswerealsoengagedinthebroadersecuritycommunityConfickerworkinggroup.BythispointtheCWGhadmultiplefunctioningsubgroups,includingsinkholeoperators,malwareanalyzers,DNSoperators,remediationtoolproducers,etc.On20February,MicrosoftreceivedreportsofaConficker.Cvariantiii.Securityresearchersdeterminedbyexamininginfectionsamplesthatthisvarianthadamoreaggressivedomaingenerationalgorithm.Cognizantthatthesecurityanddomainnamecommunitieswereblockingregistrations,theConfickermalwarewritersseemedintenttotestthelevelofcommitmentoftheConfickerWorkingGroup.InAnalysisofConficker.C15,Parras,Saidi,andYegneswarandescribeConficker.Cas“adirectretorttotheactionoftheConfickerCabal,whichrecentlyblockedalldomain
iiiThelabelingofConfickervariantsbecomesconfusingatthispoint.OnesecurityresearcheratSRIobtainedavirussampleandlabeleditB++whereasotheranalystslabeledthevariantC.The8March2009SRIanalysisofConficker.CthusdescribesthevariantothersinthecommunitylabeledD.Somemembersofthesecuritycommunitynowrefertothe1April2009variantasConficker.C/D.AtablecomparingcertainfeaturesoftheConfickervariantsappearsinAppendixA.
ConfickerSummaryandReview
8
registrationsassociatedwiththeAandBstrains.”TheConficker.Cvariantintroducedtwofunctionalchanges.ThefirstalteredthecontrolchannelcommunicationsfromaC&Ctoapeer‐to‐peermodel.Conficker.Calsochangedthedomainnamegenerationalgorithmandrendezvouslogicpointselectionmethod:“Conficker.Cnowselectsitsrendezvouspointsfromapoolofover50,000randomlygenerateddomainnamecandidateseachday.Conficker.CfurtherincreasesConficker'stop‐leveldomain(TLD)spreadfromfiveTLDsinConfickerA,toeightTLDsinB,to110TLDsthatmustnowbeinvolvedincoordinationeffortstotrackandblockConficker.C'spotentialDNSqueries.Withthislatestescalationindomainnamemanipulation,Conficker.Cposedasignificantchallengetothosehopingtotrackitscensusandcontainthethreatitposed.TheConficker.Cvariantalsohighlightedtheweaknessofblockingnameregistrationsasacountermeasure.Themeasuredoesnotscale.ByintroducingincreasinglylargenumbersofpossibleregistrationsandspreadingtheseacrossalargenumberofTLDregistries,theConfickerwritersincreasedthelikelihoodofoversightorerror,andalsoincreasethenumberoforganizationsthathadtocollaborate.LederandWermannoteintheirreportthatthenewConfickervariantimprovedthedomaingenerationalgorithmmeasurably,butatthesametimerevealedinformationthatthewritersshouldhavetakencaretohide:“Conficker.Ccontainscodethatwillstarttolookforupdatesafter1April2009localtime...ItisthishardcodeddatevaluewithinthecodethathasgeneratedsuchahighdegreeofpressspeculationaboutwhattheConfickerbotnetwillormorelikelywon'thappenonAprilFoolsday.”HardcodingthedateintotheConficker.Cvariantwasnotverycleverandinfact,showsthateveninthevirusworldthosewhofailtostudyhistoryaredoomedtorepeatit:hardcodingIPaddressesofinfectioncodehadearlierprovidedsecurityresearcherswiththemeanstoblockcommunicationsbetweenbotsandC&Cs.Atthispoint,theCWGfacedseveraluncertaintiesandchallenges.CWGmembersandothershadmadeseveralrepairandremovaltoolsavailable,butthegroupcouldnotenforceremediationordeterminehowmanyhostsinfectedbypriorConfickervariantsremainedinfectedandhadbeenupgradedbytheConfickermalwarewritersfromtheoriginalAvariant(andthuscouldbefurtherupgradedtoConficker.Considerableeffortstomakethepublicawareofthethreatwereunderway,buttheCWGhadtoanticipatethatConficker.Cwouldinfectadditional(new)hosts.TheCWGfocusedcertainofitsmonitoringactivitiesondeterminingwhetheranyofthealgorithmicallygenerateddomainsduplicatednamesalreadyregisteredinaTLDandothereffortstocontinuetoidentifythedomainnamesConfickergeneratedandmaketheseavailabletoTLDssothattheycouldbeblocked.ICANNsecuritystaffandICANNregionalliaisonscontactedthelistofCCTLDoperatorsthatsecurityresearchershadidentifiedastargetsforConfickerregistrations,suppliedeachoperatorwithatailoredlistofnamesConficker
ConfickerSummaryandReview
9
malwarewriterswouldattempttoregister,andadvisedthemtojoinsecuritymailinglistswhereDNSresponseissuesrelatedtotheConfickerwormsarediscussed;however,certainCCTLDoperatorswouldnotblockthenamesonthelistwithoutacourtorder.ICANNstaffalsocontactedtheChairoftheccNSOandthemanagersoftheRegionalccTLDgroups(CENTR,APTLD,AFTLD,LACTLD)toassistincallingattentiontotheanticipatedevent.TheanticipatedApril1updateeventreceivedconsiderablepublicattention16.TheConfickerWorkingGroup,complementednowbyanumberofCCTLDs,preparedfortheevent.ICANNsecuritystaffandConfickerWorkingGroupmembersrecognizedthat100%awarenessortimelyparticipationacrosssuchalargenumberofregistryoperatorswasdoubtful.Cooperationamongthevariousregistriesoperators,althoughunlikelytofullystopConficker,wouldenabletheanti‐viruscommunityandthoseinvolvedtobettertrackandunderstandthespreadofthewormandthentousethatinformationtohelpdisinfectsystems.By30March2009,securityresearchersinvolvedinTheHoneynetProjecthadsufficientlyanalyzedConficker.Ctopositivelyidentifytheinfection17.Detectionsignaturesweremadeavailableandquicklyincludedinfreeandfor‐feenetworkscanners(NMAP,TenableSecurity’sNessus,McAfeeFoundstoneEnterprise,andQualys).Giventhenumberofsystemsthatremainedinfectedandnotpatched,securityresearchersconcededthatthatnumberofsystemsstillinfectedwithearlierConfickervariantsandstillnotpatchedtomitigatetheMS08‐67wouldbeupdatedon1April2009withtheConficker.Evariantandthattheextentandsuccessoftheupdatecouldnotbepredicted.TheintentoftheConficker.EvariantwastoremoveallbutthecoremalwarefunctionalityandupgradecontactedhostswiththenewP2Pcommunicationsability.AccordingtoMicrosoftMalwareProtectionCenter18,theConficker.Evariant“executesaself‐terminationroutinewhenthedateisMay32009.Thewormdeletesitsmainexecutablecomponentonthisdate.HowevertheDLLpayloadcomponent(detectedasWorm:Win32/Conficker.E.dll)remainstocontinueparticipatinginP2Pcommunicationamonginfectedpeers.”On21September2009,SRIreleasedaConfickerP2PProtocolandImplementationAnalysis19.Inthereport,theauthorsdescribethenewP2Pscan‐baseddiscoverymethodConfickermalwarewriterswouldnowusetojoinaninfectedhostintotheConfickerP2Pnetwork,themeansbywhichpeerssharemalwareexecutables,andmore.
OngoingConfickerWorkingGroupActivity EffortscontinuetoblockregistrationofConfickerdomains.TrafficanalysiseffortshavebeenhelpfulindevelopingabetterunderstandingofthedistributionofthewormandintendedapplicationsoftheConfickerbotnet20.Microsoftandsecurityvendorscontinuetostudymethodsfordetectionandremovalofknownvariants.
ConfickerSummaryandReview
10
SecurityresearcherscontinuetopublishanddistributeConfickerscanners,signaturesforintrusionsystems,andgeneralinformation.Effortstotargetoutreachtoparticularlyinfestednetworkscontinue.TheConfickerinfectionrateremainshighforBandCvariantsbutdecliningforC/E.Remediationcontinuestoposechallenges.SecurityresearcherscontinuetotrackConficker.AnOctober2009snapshotbytheShadowserverFoundationestimatesthenumberofsystemsinfectedwithConfickerA/B/Cvariantsatapproximatelysevenmillion21.TheConfickerWorkingGroupmaintainsvisualtimelineandchronologyofConfickerat[22]totrackhistorical,currentandfutureevents.ActivitiestodetectConfickervariantsandremediateConficker‐infectedhostswillundoubtedlycontinueforsometime.Thisisinevitablegiventhemillionsofinfectedcomputersandhistoricallymarginalsuccessinremediatingmalware.LessonslearnedduringtheConfickercontainmentperiodarediscussedinalatersectionofthispaper.SecurityandDNScommunitiesareworkingtodeviselong‐termandsustainableapproachesfordealingwithnotonlyConfickerbutalsofuture,similarthreats.These,too,arediscussedinalatersectionofthispaper.
TheImportanceofRolesinConfickerWorkingGroupAlltheactionsrelatedtomitigatingtheConfickerwormwerenotdirectlynorentirelywithintheremitofanyindividualCWGparticipant.ThroughoutthechronologyofConfickerevents,allthecollaboratingpartiesperformedrolesthatwereappropriatetotheirorganizations’corecompetencies:malwareresearchersreverseengineeredthedropper/installer,trafficanalysisengineersidentifiedthelociofinfestations,ICANNfacilitatedcommunicationsbetweenregistriesandpartieswhocompiledtheC&Cdomainlists,andregistryoperatorsblockedregistrationsofConfickerdomains.Thecollaboratingpartiestriedtoadheretothebestpracticesofpublicdisclosureofsecurityincidentsandeventsbymaintainingalowprofile,protectingsensitiveinformation,andsharingonlyinformationthattheadhocpartnershipagreedtoshare.SeveralCWGmemberspubliclyexpressedtheirsurpriseandgratitudeformemberwillingnesstoengageintheConfickercontainment23.ManysecurityandregistryorganizationshadnotencounteredcircumstancessuchasthoseConfickerposedandthusdidnothavecommunicationschannelsinplacetocoordinatecontainmentefforts.CWGmembersindicatedthatICANN’sabilitytofacilitateandexpeditecommunicationswithTLDregistriesacceleratedprocessesthatwouldunderothercircumstanceshavechallengingifnotimpossibletoobtainduringthewindowsofopportunityConfickeraffordedthem.ICANNsecuritystaffandregionalliaisonsinitiallyfilledthisgapbyrelayinginformationgatheredbysecurityresearcherstoTLDoperatorsandlaterbyintroducingcollaboratorsandprovidingdirectcontactinformation.RegistryoperatorsblockedConfickerdomainsandadvisedICANN
ConfickerSummaryandReview
11
counselandseniormanagementofthemeasurestheytooktopreventtheregistrationofauto‐generateddomainsbytheConfickermiscreants.Theseadhocmethodsprovidedsomeinsightintohowcertainformalconstructsmightprovebeneficialinfutureresponseefforts.
ConfickerTodayInfectiontrackingbytheCWGshowsthatConficker.CpopulationshavediminishedoverthepastyearbutthatnumberofcomputersinfectedConfickerA+Bisstilllarge(graphscourtesyofConfickerWorkingGroup24).
Overthepastyear,theShadowserverFoundationhastrackedtheConfickerpopulations(A+B,C,andaggregate),whichremaininthemillions.
ConfickerSummaryandReview
12
LessonsLearnedSeverallessonsmaybelearnedfromthechronologyandeventsrelatedtocontainingtheConfickerworm.PerhapsthemostpositivelessonlearnedisthatDNS,security,andlawenforcementcancollaboratewhenanincidentofglobalproportionisidentified.Apositiveresultfromtheadhocresponsewasthattheparticipantsdisruptedthebotnetcommunicationsandthuspreventedopportunitiestoputthebotnettomisuse.Thecontainment,however,wastemporary,andtheConfickermalwarewriterscounteredbymakingthecontainmentmeasureincreasinglydifficulttocoordinateandsustain.TheConfickercollaborativeresponsesreliedlargelyonvolunteereffortsandgoodwill,informalcommunicationschannels,interventionaloperationalpractices,informalagreements,andassumptionsthatresponsewouldbeuniformandunilateral.Eachofthesedependenciesexposedcertainweaknesses:Adhoccollaborativeresponsemaynotbescalableorsustainable.Intheabsenceof(complementary)formalstructuresorcommitments,certainproblemsthatencumberedorconfoundedtheConfickerresponsewillpersist.TheConfickerresponsewasahighlydistributedeffortthatleveragedmanyvolunteersaswellasfulltimestaffacrossmultipleorganizationstogetthejobdone.WeneedtoconsiderthefactthatwecannotrelyonhavingsufficientresourcesofthecaliberthatwereengagedforConfickertobeavailableatamoment’snoticeasarealthreat.AswestudythreatstotheDNS,weneedtoalsoconsiderthatwehavenotyetencounteredasituationwhereresourcesmightbeneededformultiple,simultaneousincidentsinvolvingtheglobalDNS.
ConfickerSummaryandReview
13
Likeothermalwarewriters,worm/botnetwriterswilladapttocountermeasuresdeployedtodetectorcontainthem.However,westillseeevidencethatwhilebotnetwritershaveadaptedtothecontainment,theystillappeartopreferDNStohard‐encodedIPaddressesandstillusesecondlevellabelsacrossmultipleTLDs.TheDNSislikelytocontinuetobepartofmalwarewritertoolkits.Itisthusappropriatetoconsiderwaystobuildonthesuccessfulelementsofthisincidentresponseandimprovethoseaspectsthatwerenotsosuccessful.Informalcommunicationsmaynotbesufficientforallglobalincidentresponseefforts,especiallyinsituationswherethereiszerotoleranceforerrororomission.Confickerdemandedconstantattentionfromresponders.Confickervariantsgeneratednewdomainlistsdaily.Securityresearchersmonitoredtrafficandanalyzedcodesamplescontinuouslyinanticipationofnewvariants.DuringthemonthsofefforttocontainConficker,communicationsamongresponderscouldbecharacterizedashavingspikes,lags,anddormantperiodswheresomepartieswereunabletorespondorunresponsive.Incertaincases,contactinformationavailabletopartieswasnotaccurate,orwasnotsufficienttoreachapartywithauthoritytoactonbehalfofthecontactedorganization.Inothercases,ICANNstaffdeterminedthatsomeregistrycontactinformationmaintainedbyIANAwasnotaccurateorwasnotthecontactataregistrywithauthoritytoparticipateinincidentresponse.Formalchannelswithagreed‐uponormandatoryexchangesandexchangefrequenciesshouldbeconsideredforfutureresponseefforts.Maintainingconsistency,completenessandaccuracyofinformationduringthecourseofalongincidentresponseeffortischallenging.DuringtheConfickerresponse,partiesinitiallyusedavailableratherthanformalcommunicationschannels(e.g.,securitymaillists,teleconferences,privateemail,etc.)andreliedoncontactinformationathandorpassedhandtohand.TheConfickerWorkingGroupestablishedcommunicationschannelsasthecontainmenteffortgrew,butsensitiveinformationwasnotconsistentlyclassified,encryptedorsigned.Thenatureandlevelofdetailcommunicatedamongtheparticipantswasunintentionallybutpredictablynotuniform.Theadhocnatureofthesecommunicationsalsoresultedindifferentpartiesreceivinginformationatdifferenttimes,whichmadeitdifficulttomaintainbroadsituationalawareness.Noindividualororganizationperformedformalactiontrackingorauditing,andthuschroniclingtheincidentresponseforpost‐incidentreviewandanalysishasbeendifficult.Inparticular,informationthatispotentiallyvaluableinimprovingresponsetofutureglobalincidentsmaybelostorasyetundisclosed.Scalingtrustishard.Volunteereffortsrelyonpersonalwebsoftrust.MostparticipantsintheConfickerresponseknewsomeorseveralotherparticipantsbutitisunlikelythatanyonekneweveryoneandunlikelierstillthatanyonecouldproduceanaccurateaccountingofallpartiestoallinformationsharingduringthecourseofthecontainmenteffort.
ConfickerSummaryandReview
14
Operationalprocessesthatrelyonblocklistsataregistrylevelarenotscalable.Themostobviousreasonisthatpreemptiveblockingscalespoorly:inresponsetotheblockingefforts,Conficker’swritersincreasedthenumbersofalgorithmicallygenerateddomainsandthenumbersofTLDs.Theoperationalburdentoblockdomainsincreasesinseveralways;forexample,distributionofnamesacrosslargernumbersofTLDs,removalofthenamesfromavailablepoolscanbecomeexpensive,non‐compensatedcostsforregistryoperators.Registriesalsofiltereddomainstoassurethatall“collisions”betweenConficker’sDGAdomainsanddomainsthatarealreadyregisteredinTLDswerenotadverselyaffected.CertainactivitiesrelatedtoincidentresponseraisecontractualissuesforICANN,registries,andregistrars.InthecaseofConficker,ICANNandGTLDregistrieswereabletoresolvemattersrelatingtodomainfeesquickly.Thecommunitycannotrelyonallcontractualmatterstobesoeasilyhandledforallfutureincidents.RegardingtheeasebywhichConficker‐relatedcontractualmatterswereresolve,onesecurityexpertobserved(anonymously)that,“inthefirstexampleofbreakingtherules,you’regivensomeleeway.Thesecondtime,thestakesarehigher,andyouhavetobewarethatasinglemistakewillbedisproportionatelyhighlighted.”CertaincountermeasuresorpreemptiveactionscannotbeimplementedunilaterallybyallTLDoperators.Someregistryoperatorsrequirecourtordersbeforetheytakeaparticularactioninresponsetoaglobalincident.InascenariolikeConficker,wherelistsofmaliciousdomainsaregenerateddaily,evenaonedaydelaytoprocessacourtordercaninhibittheresponse.Weshouldrefrainfromconcludingfromtheselessonslearnedthatformalstructuresmustreplacevoluntaryones.Forexample,establishingformalstructuresdoesnotaddresstheissuethatsomeTLDswillnotbewillingtoparticipateortocontinuetoparticipateincertainkindsofresponseindefinitely.Relyingentirelyonformalstructuresmayexcludeparticipationbycertainindividualsforarangeofpolitical,legal,orpersonalreasons.Rather,weshouldbearinmindthatresponseswithinadequateresourceswillbemorepronetoerrororomissionthanthosegivenadequateresources.Effectiveresponsewillinevitablyandultimatelydependuponthesupportandparticipationofrelevantstakeholders,notablythosewhohavedelegatedresponsibilityforthevariousassetsinvolved.Inotherwords,whilecertainformalstructurescancomplementandrenderadhocresponsesmoreeffective,bothmaybenecessarytodealwithfutureeventsoftheConfickerkind.
WayForwardBaseonthelessonslearnedfromthecollaborativeresponsetoConficker,oneelementofawayforwardistoformalizerelationshipsamongpartiesthatbecomeinvolvedwhensecurityeventsofaglobalnatureoccur.ICANN(theentityandcommunity)hasestablishedcertainformalrelationshipsandstructuresandisworkinginconcertwithotherorganizationsonothers.
ConfickerSummaryandReview
15
WithinthespecificcontextofglobalsecurityeventsinvolvingabuseoftheDNSanddomainregistrationservices,andusingConfickerasalearningexperience,ICANNandthegTLDregistrieshavedevelopedanExpeditedRegistrySecurityRequestProcess(ERSR)25.Throughthisprocess,gTLDregistriescannowinformICANNofapresentorimminentsecuritythreatagainsttheregistryortheDNSinfrastructureandrequestacontractualwaiverforactionstheregistrymighttakeorhastakentomitigateoreliminatethethreat.ThecontractualwaiverwouldprovideexemptionfromcompliancewithaspecificprovisionoftheRegistryAgreementforthetimeperiodnecessarytorespondtothethreat.TheERSRallowsaregistrytomaintainoperationalsecurityduringanincidentwhilekeepingrelevantparties(e.g.,ICANN,otheraffectedproviders,etc.)informedasappropriate.
TheERSRisintendedtohelpregistriesdealwithmaliciousactivityinvolvingtheDNSofscaleandseveritythatthreatenssystematicsecurity,stabilityandresiliencyofaTLDortheDNS.Itcanalsobeusedincircumstanceswherearegistrydiscoversunauthorizeddisclosure,alteration,insertionordestructionofregistrydata.TheERSRwouldalsobeanappropriateprocessforaneventwiththepotentialtocauseatemporaryorlong‐termfailureofoneormoreofthecriticalfunctionsofagTLDregistryasdefinedinICANN’sgTLDRegistryContinuityPlan26.
Today,manyorganizationssupportavarietyofactivitiesthatareintendedtoimproveInternetsecurityawarenessandrespondtosecurityincidents.ICANNsecuritystaffhasstudiedincidentandemergencyresponseatnationalandinternationallevelstounderstandhowtheseactivitiesmightbecoordinated,especiallyincircumstanceswheretheDNSiscentraltoglobalincidentsorwhereeventsthreatenthesecurity,stability,orresiliencyofdomainnameserviceatagloballevel.Withtheassistanceoftheseorganizations,ICANNhasdevelopedanoperationalconceptplanandbusinesscaseforaDNS‐CERT27.Asproposedintheconceptplan,theDNS‐CERTwouldactasasecuritycoordinationcentertoassistDNSoperatorsandsupportingorganizationsbyprovidinginformation,expertiseorresourcestorespondtothreatstothesecurity,stabilityandresiliencyoftheDNSefficientlyandinatimelymanner.Again,asproposed,thecentralpurposesoftheDNS‐CERTwouldbetomaintainsituationalawareness,facilitateinformationsharing,improvecoordinationwithintheDNSoperationalcommunity,andimprovecoordinationwiththebroadersecurityandotheraffectedcommunities.Inadditiontotheseprograms,ICANN’ssecurityteamisstudyinghowtoimproveandmaintainaccuratecontactinformationincooperationwiththesecuritycommunityandregistryoperators.Staffwillalsostudywaystoimproveandformalizemonitoringresponsestoglobalincidentswhiletheyareinprogress(e.g.,auditingandtracking),methodstochronicleincidentresponses,andwaystocoordinatepost‐incidentreviewandassessment.ThesemaybeincorporatedintotheDNS‐CERTprogramasitevolves,ortheyformbethebasesforotherinitiatives
ConfickerSummaryandReview
16
instigatedbyotherorganizations.ICANNwillconsiderwhatifanyroleitshouldperformuponreviewoftheinitiatives.
ConcludingRemarksIncertainrespects,thecollaborativeresponsetoConfickerwasasinglevolleyinwhatisarguablyanearlybattleofalongcampaign.ICANNandothermembersoftheCWGwillcontinuetoassistinremediationeffortsrelatedtotheConfickerworm.Individualorganizationswillnodoubtusetheirexperiencestohelpdefinerolesinfutureglobalincidents.TheDNSandInternetsecuritycommunitiesmustalsoconsiderhowtheytogethermightestablishmoreformalcollaborativeresponsetofutureoccurrencesofConfickerandotherthreatstotheDNSsecurity,stabilityandresiliencyofsimilarnatureandscale.
ConfickerSummaryandReview
17
Appendix A. Table of Conficker Variants
Variant & date
Bot Evolution DNS/Domain Abuse
Conficker.A 2008-11-21
• Infects via MS08-67, anonymous shares
• Resets system restore point, disables security services
• HTTP callback to download files
250 pseudo-randomly generated domains registered in 5 TLDs
Conficker.B 2008-12-29
• Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media
• Reset system restore point • Disables security software and
security updates via DNS filtering
250 pseudo-randomly generated domains registered in 8 TLDs
SRI Conficker.C a.k.a. Conficker.D 2009-02-20
• Infects via MS08-67, anonymous shares, shares with weak passwords, network maps, removable media
• Disables security software and security updates via DNS filtering
• Changes bot from HTTP C&C to P2P
• Sets 1 April 2009 as activation date for new DGA
Tens of thousands of pseudo-randomly generated domains registered in 100+ TLDs
Conficker.E 2009-04-01
• Initial exploit uses MS08-67 • Only installs if prior Conficker
variants present • Disables security software and security updates via DNS filtering
• Resets system restore point • Updates to pure P2P network • Self-terminates on 3 May 2009: remove all Conficker executables except DLL
…
ConfickerSummaryandReview
18
Citations1Code Red (Computer Worm), http://en.wikipedia.org/wiki/Code_Red 2 Blaster worm, http://en.wikipedia.org/wiki/Blaster_Worm 3 Sasser (Computer Worm), http://en.wikipedia.org/wiki/Sasser_worm 4SQLSlammer,http://en.wikipedia.org/wiki/SQL_slammer_(computer_worm)5 Know Your Enemy: Containing Conficker, http://www.honeynet.org/papers/conficker 6ContainingConficker,http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/7TheDifferenceBetweenaComputerVirus,WormandTrojanHorse,http://www.webopedia.com/didyouknow/internet/2004/virus.asp
8 What is a Blended Threat? http://www.securityskeptic.com/blendedthreat.htm 9 Microsoft Security Bulletin MS08-067 - Critical, 23 October 2008,
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx 10HowtoRestoreWindowsXPtoapreviousstate,http://support.microsoft.com/kb/306084
11DisconnectingfromtheSrizbiBotnet,http://www.fireeye.com/securitycenter/srizbi_notify.html
12Microsoft Collaborates With Industry to Disrupt Conficker Worm, http://www.icann.org/en/announcements/announcement‐2‐12feb09‐en.htm
13MS puts up $250K bounty for Conficker author, http://www.theregister.co.uk/2009/02/12/conficker_reward/
14ConfickerCabal,http://www.confickercabal.com/ 15Analysis of Conficker.C, http://mtc.sri.com/Conficker/addendumC/16 Alert: April 1 "Conficker" Computer Worm,
http://www.cbsnews.com/stories/2009/03/26/tech/cnettechnews/main4894856.shtml17Conficker Researchers Counter April 1 Update With Detection Scan,
http://www.crn.com/security/21640181818MicrosoftMalwareProtectionCenter‐Win32/Conficker.E,
http://www.microsoft.com/security/portal/Entry.aspx?name=worm:Win32/Conficker.e19ConfickerP2PProtocolandImplementationAnalysishttp://mtc.sri.com/Conficker/P2P/20ConfickerInfectionDistribution,http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionDistribution
21ShadowserverFoundationConfickerstatisticspage, http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker22ConfickerTimeline,http://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/Timeline 23ShadowserverFoundationAnnouncesNewEffortToCombatConfickerhttps://infosecurity.us/?p=623824ConfickerWorkingGroupInfectionTrackinghttp://www.confickerworkinggroup.org/wiki/pmwiki.php/ANY/InfectionTracking
25ExpeditedRegistrySecurityRequestProcess,http://icann.org/en/registries/ersr/
26gTLDRegistryContinuityPlan,http://icann.org/en/registries/continuity/gtld‐registry‐continuity‐plan‐25apr09‐en.pdf
27GlobalDNS‐CERTBusinessCase,http://www.icann.org/en/topics/ssr/dns‐cert‐business‐case‐10feb10‐en.pdf