Conficker Worm
Number: AL09-003
Date: 25 March 2009
Purpose
The purpose of this alert is to raise awareness of a new variant of the Conficker worm ("Conficker.C") that has drawn a lot of attention recently. The Conficker worm is also known as Downadup. CCIRC is releasing this product to increase awareness of this new variant and to provide detection and mitigation information.
Assessment
Overview of the new variant:
* The new variant will be activated on April 1st. Infected computers will show very little network activity before that date. However, the configuration changes the worm makes on infected computers allow it to be detected both before and after April 1st.
* The worm uses known vulnerabilities and techniques to infect computers:
  * the MS08-067 Windows Server Service vulnerability
  * removable media, via the Autorun/Autoplay feature
  * ADMIN$ network shares protected by weak passwords
* These vulnerabilities have known fixes, and the Canadian Cyber Incident Response Centre (CCIRC) has released many information products to raise awareness of them.
* Upon activation on April 1st, the worm will generate network activity driven by a new domain name generation routine and by its peer-to-peer (P2P) functionality.
* The Conficker worm family is believed to have built one of the largest botnets currently active.
Suggested action
• PREVENTION
In order to prevent initial infection, CCIRC strongly recommends that System Administrators:
1. Verify that all Microsoft security updates are installed, especially MS08-067.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://www.publicsafety.gc.ca/prg/em/ccirc/2008/av08-080-eng.aspx
2. Disable the autorun and autoplay feature on Windows computers http://www.publicsafety.gc.ca/prg/em/ccirc/2008/tr08-004-eng.aspx
3. Disable the Server and Computer Browser services, as described in the workarounds section of Microsoft Security Bulletin MS08-067, while cleaning the infection. This blocks both the MS08-067 vector and spread through the ADMIN$ share until the hosts are patched and cleaned.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
4. Verify that all anti-virus software and IDS/IPS have up to date signature files and are running.
5. Enforce password policies that meet current best practices for strong passwords, so that the ADMIN$ share cannot be opened by password guessing.
• DETECTION
Before April 1st
----------------
1. CCIRC recommends searching for any of the following indicators to narrow the search for infected hosts:
Many anti-virus vendors have signatures for the .C variant. However, the worm blocks communication with known online security services, such as major anti-virus update sites, Windows Update and online analysis services, so an infected host may be unable to receive those signatures.
This worm is known to disable the following security services:
* Windows Security Center Service (wscsvc)
* Windows Update Auto Update Service (wuauserv)
* Background Intelligent Transfer Service (BITS)
* Windows Defender (WinDefend)
* Error Reporting Service (ERSvc, on Windows XP/2003)
* Windows Error Reporting Service (WerSvc, on Windows Vista/2008)
Any computer that does not have the latest signature file, or on which these services are stopped or disabled, should be investigated further using step 2.
2. For suspected hosts, System Administrators can confirm infection using these indicators:
System Administrators should examine the binary of each service:
* Record the timestamp of the kernel32.dll file in the %SystemRoot%\System32 directory.
* For every enabled service, look for a service binary whose timestamp matches that of kernel32.dll and from which the write and delete permissions have been removed. The worm copies the kernel32.dll timestamp onto its own DLL and locks down the file's permissions so that it cannot be removed; a matching timestamp alone is not conclusive, since files installed by the same service pack can share it.
* Additionally, if the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot is not found, there is a high probability that the host is infected, as the worm deletes this key to prevent booting into Safe Mode.
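The following PowerShell script is an added example, not part of the CCIRC alert, that automates the host checks in steps 1 and 2 above: the state of the listed services, the presence of the SafeBoot key, and service DLLs that carry the kernel32.dll timestamp with write and delete rights removed. The service short names are the standard Windows names; locating service binaries through each service's Parameters\ServiceDll registry value is this example's own approach and covers svchost-hosted services, which is where the worm registers itself. Run it from an elevated PowerShell prompt on the suspect host.

```powershell
# Added example (not from the CCIRC alert): check one host for the Conficker.C
# indicators described above. Run from an elevated PowerShell prompt on the
# suspect host. The service short names are the standard Windows names; walking
# each service's Parameters\ServiceDll registry value is our own way of locating
# the service binaries the alert refers to.

$findings = New-Object System.Collections.ArrayList

# 1. Services the worm is known to stop or disable (short name = display name).
$watched = @{
    'wscsvc'    = 'Windows Security Center'
    'wuauserv'  = 'Windows Update Auto Update'
    'BITS'      = 'Background Intelligent Transfer Service'
    'WinDefend' = 'Windows Defender'
    'ERSvc'     = 'Error Reporting Service (XP/2003)'
    'WerSvc'    = 'Windows Error Reporting Service (Vista/2008)'
}
foreach ($name in $watched.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) { continue }                     # not present on this OS version
    $mode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
    if ($svc.Status -ne 'Running' -or $mode -eq 'Disabled') {
        [void]$findings.Add("Service $($watched[$name]) [$name] is $($svc.Status), start mode $mode")
    }
}

# 2. SafeBoot key deleted (the worm removes it so the host cannot boot into Safe Mode).
if (-not (Test-Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SafeBoot')) {
    [void]$findings.Add('Registry key HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot is missing')
}

# 3. Service DLLs stamped with kernel32.dll's last-write time whose ACL no longer
#    grants Write or Delete to anyone. Both conditions are required: a legitimate
#    DLL installed by the same service pack can share the timestamp alone.
$stamp = (Get-Item (Join-Path $env:SystemRoot 'System32\kernel32.dll')).LastWriteTimeUtc

function Test-WriteDeleteRemoved([string]$Path) {
    $write  = [int][System.Security.AccessControl.FileSystemRights]::Write
    $delete = [int][System.Security.AccessControl.FileSystemRights]::Delete
    $grants = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        (([int]$_.FileSystemRights -band ($write -bor $delete)) -ne 0)
    }
    return ($null -eq $grants)      # no ACE allows write or delete: locked down
}

$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
foreach ($key in Get-ChildItem -Path $svcRoot) {
    if ((Get-ItemProperty -Path $key.PSPath).Start -eq 4) { continue }   # 4 = disabled
    $paramKey = Join-Path $key.PSPath 'Parameters'
    if (-not (Test-Path $paramKey)) { continue }
    $dll = (Get-ItemProperty -Path $paramKey -ErrorAction SilentlyContinue).ServiceDll
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -LiteralPath $dll)) { continue }
    $file = Get-Item -LiteralPath $dll
    if ($file.Name -ieq 'kernel32.dll') { continue }
    if ($file.LastWriteTimeUtc -eq $stamp -and (Test-WriteDeleteRemoved $dll)) {
        [void]$findings.Add("Service $($key.PSChildName): $dll carries kernel32.dll's timestamp and denies Write/Delete")
    }
}

if ($findings.Count -eq 0) {
    'No Conficker.C indicators found on this host.'
} else {
    "Possible Conficker.C infection, $($findings.Count) indicator(s):"
    $findings | ForEach-Object { " - $_" }
}
```

A host that reports a stopped security service but no locked-down DLL and an intact SafeBoot key may simply be misconfigured; a matching DLL finding or the missing SafeBoot key is the stronger signal and warrants isolating the host before cleaning. The script only reads the registry and file metadata, so it is safe to run on hosts that are still in production.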
After April 1st
---------------
The new domain name generation algorithm will be activated on April 1st. It will produce a marked increase in NXDOMAIN DNS responses, on the order of 400 to 500 responses per infected host per day. An increase in NXDOMAIN responses is therefore a good indication of a network infected with Conficker.C. The queries are spread across roughly 110 top-level domains (TLDs). The cache on DNS servers should show an increase in cached country-code TLDs (ccTLDs) with no entries below them other than NS records.
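As an added example, not part of the CCIRC alert, the following PowerShell script scores resolver clients on the two properties described above: the daily NXDOMAIN volume and the spread of those failed lookups across many TLDs. The log lines are constructed in an assumed "<date> <time> <client> <qname> <rcode>" layout and should be replaced by a parse of your own resolver's log; the thresholds are assumptions derived from the alert's 400 to 500 per-day figure, and the TLD list is a small stand-in for the roughly 110 TLDs the worm uses.

```powershell
# Added example (not from the CCIRC alert): flag resolver clients whose NXDOMAIN
# volume and TLD spread match the post-activation behaviour described above.
# The log lines are constructed here, in an assumed "<date> <time> <client> <qname> <rcode>"
# layout; adapt $pattern to your own resolver's log. The thresholds are assumptions
# drawn from the alert's figures (400-500 NXDOMAINs per infected host per day), and
# the TLD list is a small stand-in for the ~110 TLDs the worm actually uses.

$NxPerDay = 400     # minimum NXDOMAINs in a one-day log before a client is flagged
$MinTlds  = 20      # minimum distinct TLDs among those NXDOMAINs (a DGA, not a typo storm)

# --- constructed sample log: one infected host and two clean ones -------------
$rand = New-Object System.Random 42
$sampleTlds = 'ac','ag','am','at','be','bz','cd','cn','cx','dj','dm','ec','ee','fm','gd',
              'gr','gy','hn','ht','ie','im','is','kn','la','lc','ly','me','mn','ms','mu',
              'nf','pe','ph','pk','ps','sc','sh','tc','tj','to','vc','vn','ws'
function New-RandomLabel {
    -join (1..$rand.Next(5, 11) | ForEach-Object { [char]$rand.Next(97, 123) })
}
$log   = New-Object System.Collections.ArrayList
$clock = [datetime]'2009-04-01 00:00:00'
foreach ($i in 1..450) {                                     # infected host: DGA lookups
    $clock = $clock.AddSeconds(190)
    $tld   = $sampleTlds[$rand.Next($sampleTlds.Count)]
    [void]$log.Add(('{0:yyyy-MM-dd HH:mm:ss} 10.0.0.23 {1}.{2} NXDOMAIN' -f $clock, (New-RandomLabel), $tld))
}
$clock = [datetime]'2009-04-01 00:00:00'
foreach ($i in 1..400) {                                     # clean hosts: mostly NOERROR
    $clock  = $clock.AddSeconds(215)
    $client = if ($i % 2) { '10.0.0.41' } else { '10.0.0.57' }
    $rcode  = if ($i % 40 -eq 0) { 'NXDOMAIN' } else { 'NOERROR' }
    $qname  = if ($rcode -eq 'NXDOMAIN') { 'wwww.example.com' } else { 'www.example.com' }
    [void]$log.Add(('{0:yyyy-MM-dd HH:mm:ss} {1} {2} {3}' -f $clock, $client, $qname, $rcode))
}

# --- analysis: per-client NXDOMAIN count and distinct TLD count -------------------
$pattern = '^(?<date>\S+) (?<time>\S+) (?<client>\S+) (?<qname>\S+) (?<rcode>\S+)$'
$stats = @{}
foreach ($line in $log) {
    if ($line -match $pattern) {
        $c = $Matches['client']
        if (-not $stats.ContainsKey($c)) { $stats[$c] = @{ Total = 0; Nx = 0; Tlds = @{} } }
        $s = $stats[$c]
        $s['Total']++
        if ($Matches['rcode'] -eq 'NXDOMAIN') {
            $s['Nx']++
            # Last label only; a public-suffix list would be needed to treat co.uk etc. as one TLD.
            $tld = ($Matches['qname'].TrimEnd('.') -split '\.')[-1].ToLower()
            $s['Tlds'][$tld] = $true
        }
    }
}
$report = foreach ($c in $stats.Keys) {
    $s = $stats[$c]
    New-Object PSObject -Property @{
        Client   = $c
        Queries  = $s['Total']
        NXDOMAIN = $s['Nx']
        TLDs     = $s['Tlds'].Count
        Suspect  = ($s['Nx'] -ge $NxPerDay -and $s['Tlds'].Count -ge $MinTlds)
    }
}
$report | Select-Object Client, Queries, NXDOMAIN, TLDs, Suspect |
    Sort-Object NXDOMAIN -Descending | Format-Table -AutoSize
```

On the constructed data, 10.0.0.23 is flagged (450 NXDOMAINs across several dozen TLDs) while the two clean hosts, with a handful of typo-driven NXDOMAINs under a single TLD, are not. If the log covers less than a full day, scale $NxPerDay down accordingly; the TLD-spread condition is what separates Conficker.C's generated names from an ordinary burst of failed lookups.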
Note to Readers
The Canadian Cyber Incident Response Centre (CCIRC) provides a focal point for Canada's cyber threat and vulnerability warning, analysis and response. CCIRC is responsible for assuring the resilience of national critical infrastructure through monitoring threats and coordinating a federal response to cyber security incidents of national interest. CCIRC operates in conjunction with the Government Operations Centre (GOC) within Public Safety Canada and is a key component of the government's all-hazards approach to emergency management and national security.
For general information, please contact Public Safety Canada's Public Affairs division at:
Telephone: 613-944-4875 or 1-800-830-3118
Fax: 613-998-9589
E-mail: communications@ps-sp.gc.ca