In February, Microsoft announced a $250,000 bounty for anyone who came to them with information leading to the arrest of the author of the infamous Conficker worm. In the four months from November 2008 to the bounty announcement in February, the worm was suspected of having infected upwards of ten million computers world-wide, and it doesn’t show signs of slowing down any time soon. With a reward on the author’s head that high, you know something must be special about this worm. Let’s take a look.

Graph of Computers Infected by Conficker Over Time
Nobody is really sure where the name “Conficker” comes from. (Well, other than the authors, but they sure as hell aren’t going to speak up.) However, some believe it is a mashup of the words “configure” and “ficken” – the German word for fuck. Joshua Phillips, an analyst working for Microsoft, believes Conficker is merely an anagram of pieces from the domain name trafficconverter.biz – which was one of the first domains to start spreading Conficker. Conficker is also known as Downadup, Downup, and Kido.
A big reason Conficker is still around is that it keeps changing. If it didn’t, every anti-virus product would detect it automatically and delete it instantly. Microsoft released a patch for the vulnerability the worm uses to spread and gives instructions online on how to protect your computer from Conficker, but because each strain of the worm is different, it’s up to the user to remove it. And we all know how that goes: laziness is a virus author’s best friend. “This virus isn’t too bad... I can still use my computer. I’m a busy person, I’m not going to spend ten hours trying to get rid of this thing!”
Conficker’s main way of looking for new instructions is URL generation (as seen in my other article). Long story short, an algorithm embedded deep in Conficker’s code generates 250 URLs per day, at seemingly random locations around the globe, which the worm checks for new instructions. At each server, the worm tries to log in, download files, modifications and instructions, and upload results about recently infected computers. A huge panic built up around April 1st, the first day the worm started calling home to the generated server names to download new instructions. Every day afterwards, new domains are generated and it calls back again.
The Conficker Cabal is an organization led by Microsoft that includes ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence. The Conficker Cabal, using the DNS companies that are part of the group, is working to disable the domains targeted by Conficker in order to prevent it from updating and, therefore, make it easier to remove.
On April 1st, Conficker changed its algorithm for generating URLs. Suddenly, all the domains blocked before no longer mattered to the worm’s authors, and the Conficker Cabal scrambled to reverse engineer the new strain of Conficker to recover its new domain generation algorithm. Who knows, maybe Conficker will change again soon?
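One way a network defender can spot this daily calling-home behaviour without knowing the generation algorithm itself, as an added example that is not part of the original post: a host that walks through hundreds of freshly generated names produces a burst of lookups for domains nobody registered, so a resolver log shows many distinct NXDOMAIN answers for that host spread across several TLDs. The log lines and thresholds below are constructed for illustration.

```python
# Added example (not from the original post): flag hosts whose DNS traffic
# looks like daily domain generation. A worm walking through hundreds of
# generated names per day causes a burst of lookups for never-registered
# domains, most of which fail (NXDOMAIN) and span several TLDs.
from collections import defaultdict

# Constructed sample resolver log: "<timestamp> <client> <qname> <rcode>"
SAMPLE_LOG = """\
2009-04-01T00:00:01 10.0.0.5 www.example.com NOERROR
2009-04-01T00:00:02 10.0.0.5 exmaple.com NXDOMAIN
2009-04-01T00:00:04 10.0.0.5 mail.example.com NOERROR
2009-04-01T00:00:05 10.0.0.9 qzvkxhe.biz NXDOMAIN
2009-04-01T00:00:05 10.0.0.9 ptlmvqa.info NXDOMAIN
2009-04-01T00:00:06 10.0.0.9 wkfnsr.org NXDOMAIN
2009-04-01T00:00:06 10.0.0.9 hbqzlt.biz NXDOMAIN
2009-04-01T00:00:07 10.0.0.9 rmvdkqe.net NXDOMAIN
2009-04-01T00:00:07 10.0.0.9 xuepomn.info NXDOMAIN
2009-04-01T00:00:08 10.0.0.9 update.example.net NOERROR
"""


def parse_line(line):
    """Split one log line into (timestamp, client, qname, rcode)."""
    ts, client, qname, rcode = line.split()
    return ts, client, qname.lower().rstrip("."), rcode


def dga_suspects(log_text, min_failed=5, min_tlds=2):
    """Return {client: (distinct_failed_names, distinct_tlds)} for clients
    with at least `min_failed` distinct NXDOMAIN names over at least
    `min_tlds` TLDs. Thresholds are assumptions; tune to your baseline."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, client, qname, rcode = parse_line(line)
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    suspects = {}
    for client, names in failed.items():
        tlds = {name.rsplit(".", 1)[-1] for name in names}
        if len(names) >= min_failed and len(tlds) >= min_tlds:
            suspects[client] = (len(names), len(tlds))
    return suspects


if __name__ == "__main__":
    for client, (n_names, n_tlds) in dga_suspects(SAMPLE_LOG).items():
        print(f"{client}: {n_names} failed names across {n_tlds} TLDs")
```

A single typo (10.0.0.5 above) never trips the threshold; the TLD spread matters because a generated list cycles through many registries, which is exactly why the Cabal needed every registry at the table.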
According to this analysis by SRI,
The exploit employs a specially crafted remote procedure call (RPC) over port 445/TCP, which can cause Windows 2000, XP, 2003 servers, and Vista to execute an arbitrary code segment without authentication. The exploit can affect systems with firewalls enabled, but which operate with print and file sharing enabled. The patch for this exploit was released by Microsoft on October 23 2008, and those Windows PCs that receive automated security updates have not been vulnerable to this exploit. Nevertheless, nearly a month later, in mid-November, Conficker would utilize this exploit to scan and infect millions of unpatched PCs worldwide.
Worried you might be infected with Conficker? This simple eye-chart can tell you immediately!
Mathematically speaking, here’s my breakdown of the rate and power of Conficker infections. In mid-November, there were no Conficker infections. By the end of December, SRI estimated 6.2 million computers infected worldwide. By February, that number had increased to around 10 million. Since April 1st, Symantec believes the worm has slowed its spreading and is instead taking steps to protect computers already infected from being disinfected. That means a graph of the computers infected over time could be approximated closely by the quadratic curve y=-0.4333x^2 + 5.9667x.
Symantec also believes that, as of April 1st, Conficker is now focusing on spreading new malicious code between already-infected servers. The time has come for them to farm credit card numbers, bank information, personal information, passwords, and everything else on their fifteen million infected computers. Many people are worried the 15 million infected might be turned into spam drones – which would rival the current leading spam botnet of all time: Storm.
By the estimate of 15 million computers infected by April 1st, we can have a bit more fun with math. IP addresses are made of four octets ranging from 0.0.0.0 to 255.255.255.255. There are just over 4 billion possible IP addresses (4,228,250,625 to be exact). Each of the 15 million infected computers is already calling home to the same 250 domains (pointing to IP addresses, obviously) per day. Now, here’s the crazy part: if each computer were to attempt to attack and infect 282 computers in one day, that would be enough to attack every single IP address combination available to computers today. Every computer that could be infected would be infected. Now, we have to account for downtime. Not every computer will be online every day. If just one-third of the 15,000,000 infected computers (5 million) were online on a given day, the same effect could be reached in three days. If a quarter were online per day (a valid estimate), it would take four days. A fifth? Five days. Need it faster? Conficker could just up the number of IPs being attacked each day.
That’s right. Conficker, if they so chose, could infect every single vulnerable computer in the world in under a week. Say hello to our new robot overlord.