This botnet has gained a great deal of publicity, mainly because of how effectively it hides itself and communicates with its command/control sites. There have been reports in the media of an 'April 1' event involving the Conficker bot. Security researchers have not been able to determine the nature of the event (if there is one) beyond a change to the bot's internal operation.
The bot's main infection vector is the Microsoft OS vulnerability MS08-067, announced and patched in October 2008. It also spreads via the autorun feature in Windows, which activates on insertion of removable media. Once installed, the bot tries to reach a malicious command/control site by algorithmically generating pseudo-random DNS names, only a small number of which are actually registered.
Local Incident Response Activity
- Blocking TCP port 445 at the Internet gateway, together with departmental and host-based firewalls, is a good line of defense against propagation. ESP checking on wireless and residence networks should also ensure that the patch is installed on user-owned equipment.
- The campus network vulnerability scans have already been run to detect the missing patch; results are available to network admins at: https://cns.utoronto.ca/cgi-bin/scanreports/report.cgi.
- Campus scans are currently running with an updated Conficker detection tool; no Conficker compromises have been detected so far.
- DNS caching servers are being monitored for Conficker-characteristic queries; nothing remarkable is being measured.
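The bot's reliance on algorithmically generated domain names (described above) is what the DNS cache monitoring looks for. As an added illustration, not part of this advisory or of the campus monitoring tools, the following script applies a simple lexical heuristic to DNS query-log lines: the second-level label of each queried name is scored on length, vowel ratio, longest consonant run and character entropy, and clients that query several such names are reported. The log format, the sample lines and all thresholds are constructed assumptions; a real cache server's log format and the cut-offs will need adjusting.

```python
"""Flag DNS queries whose names look algorithmically generated (added example)."""
import math
import re
from collections import Counter

# Constructed sample in a BIND-style query-log layout (an assumption about
# the format; only the "client <ip>#<port>: query: <name> IN <type>" part is parsed).
SAMPLE_LOG = """\
29-Mar-2009 10:01:02.123 client 10.20.30.40#51234: query: www.utoronto.ca IN A +
29-Mar-2009 10:01:02.456 client 10.20.30.40#51235: query: qwpslmcvbtrzk.biz IN A +
29-Mar-2009 10:01:02.789 client 10.20.30.40#51236: query: xkjqvrtmpwz.info IN A +
29-Mar-2009 10:01:03.001 client 10.20.30.41#4000: query: mail.google.com IN MX +
29-Mar-2009 10:01:03.222 client 10.20.30.40#51237: query: lzmrkqvtxpb.org IN A +
29-Mar-2009 10:01:03.555 client 10.20.30.40#51238: query: time.windows.com IN A +
29-Mar-2009 10:01:03.888 client 10.20.30.40#51239: query: aqiwjzvrtxe.net IN A +
29-Mar-2009 10:01:04.111 client 10.20.30.41#4001: query: en.wikipedia.org IN A +
"""

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")
VOWELS = set("aeiou")

# Thresholds are assumptions chosen for illustration, not measured values.
MIN_LABEL_LEN = 8
MAX_VOWEL_RATIO = 0.25
MAX_CONSONANT_RUN = 5
MAX_ENTROPY_BITS = 3.5


def shannon_entropy(s: str) -> float:
    """Per-character Shannon entropy in bits; high for evenly mixed random letters."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(label: str) -> int:
    """Length of the longest run of consecutive consonant letters."""
    run = best = 0
    for ch in label:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(name: str) -> bool:
    """Heuristic: does the second-level label look like random letters?"""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]  # e.g. "qwpslmcvbtrzk" in qwpslmcvbtrzk.biz
    if len(label) < MIN_LABEL_LEN:
        return False  # short labels are too ambiguous to score
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    return (vowel_ratio < MAX_VOWEL_RATIO
            or longest_consonant_run(label) >= MAX_CONSONANT_RUN
            or shannon_entropy(label) > MAX_ENTROPY_BITS)


def flagged_queries(log_text: str) -> dict:
    """Map client IP -> list of queried names that scored as generated."""
    hits = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and looks_generated(m.group("name")):
            hits.setdefault(m.group("ip"), []).append(m.group("name"))
    return hits


def report(hits: dict, min_hits: int = 3) -> list:
    """Clients with at least min_hits suspicious names; one odd name is not evidence."""
    return sorted(ip for ip, names in hits.items() if len(names) >= min_hits)


if __name__ == "__main__":
    found = flagged_queries(SAMPLE_LOG)
    for ip in report(found):
        print(ip, found[ip])
```

A single unusual name proves nothing (content-delivery and tracking hostnames often look random too), so the report groups by client and requires several hits; the per-client list is what an admin would take to the host for a closer look.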
Recommendations for Network Admins
- install the MS08-067 patch, or ensure the host is appropriately isolated from the network.
- disable the autorun feature for removable media in Windows.
- monitor network traffic for high-port-to-high-port activity toward randomly generated IP addresses.
- ensure antivirus software is kept up to date; most products will detect the bot's presence.
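The traffic-monitoring recommendation above can be turned into a simple check on flow records. The script below is an added example, not something the advisory or the campus network team supplies: it counts, per source host, the number of distinct destination addresses reached with both the source and destination port above 1024, and flags hosts whose fan-out exceeds a threshold. The record format (comma-separated src_ip, src_port, dst_ip, dst_port), the sample records and the threshold are constructed assumptions; a real NetFlow or firewall export needs its own parser, and the threshold should be set from a baseline of normal hosts.

```python
"""Flag hosts with unusually many high-port-to-high-port flows to distinct
destinations (added example, not from the advisory)."""
from collections import defaultdict
from typing import Iterable, Iterator, Tuple

Flow = Tuple[str, int, str, int]  # src_ip, src_port, dst_ip, dst_port


def _constructed_sample() -> str:
    """Build deterministic sample records (constructed data, not captured traffic)."""
    lines = ["# src_ip,src_port,dst_ip,dst_port"]
    # Host A: 25 flows from ephemeral ports to 25 different addresses on high ports.
    for i in range(25):
        lines.append(f"10.20.30.40,{49152 + i},203.0.113.{i + 1},{30000 + 7 * i}")
    # Host B: just as many flows, but only to two servers (one on 443, one on 8443).
    for i in range(25):
        lines.append(f"10.20.30.41,{49152 + i},198.51.100.{1 + i % 2},{443 if i % 2 else 8443}")
    return "\n".join(lines)


SAMPLE_FLOWS = _constructed_sample()


def parse_flows(text: str) -> Iterator[Flow]:
    """Yield (src_ip, src_port, dst_ip, dst_port) tuples; skip blanks and comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, sport, dst, dport = (f.strip() for f in line.split(","))
        yield src, int(sport), dst, int(dport)


def high_to_high_fanout(flows: Iterable[Flow], min_port: int = 1024) -> dict:
    """Per source host, count distinct destinations where both ports are above min_port."""
    seen = defaultdict(set)
    for src, sport, dst, dport in flows:
        if sport > min_port and dport > min_port:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def suspicious_hosts(flow_text: str, threshold: int = 20, min_port: int = 1024) -> list:
    """Hosts whose high-to-high fan-out reaches the threshold (assumed value)."""
    counts = high_to_high_fanout(parse_flows(flow_text), min_port)
    return sorted(src for src, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    for host in suspicious_hosts(SAMPLE_FLOWS):
        print("review host:", host)
```

Counting distinct destinations rather than raw flow volume is what separates a busy but normal client (many connections to a few servers) from a host spraying connections at addresses it has never talked to before.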
The central network scans reach only computers that have TCP port 445 open to the Internet. Many computers are configured to allow TCP port 445 from the local subnet only; to detect Conficker compromise on these computers, network admins should run their own scans from a source on the local subnet. Here are two recommended tools to do so:
Windows scan tool:
Note: The Windows host that runs this has to have Python or the Microsoft Visual C++ 2008 Redistributable Package (x86). It's a small installation package available for free from Microsoft:
UNIX scan tool:
Please report conficker detections to: email@example.com
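Before running either recommended scan tool from inside a subnet, an admin needs the list of hosts that actually accept connections on TCP port 445 from that subnet. The following script is an added example and is not one of the two tools above, nor does it detect Conficker: it enumerates the addresses in a CIDR block, attempts a TCP connect to port 445 on each with a short timeout, and returns the hosts that answered, which is the set the subnet-local compromise scan must cover. The CIDR, timeout and worker count are assumptions; the probe function is a parameter so the enumeration logic can be exercised without touching the network.

```python
"""List hosts on the local subnet that accept TCP connections on port 445
(added example, not one of the advisory's recommended scan tools)."""
import ipaddress
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Callable, List


def tcp_port_open(host: str, port: int = 445, timeout: float = 0.5) -> bool:
    """True if a TCP connect to host:port completes within timeout (assumed 0.5 s)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def hosts_with_port_open(cidr: str, port: int = 445,
                         probe: Callable[[str, int], bool] = tcp_port_open,
                         workers: int = 32) -> List[str]:
    """Probe every usable address in cidr concurrently; return those that answered.

    `probe` is injectable so the function can be tested with a stand-in that
    never opens a socket (see the constructed test below).
    """
    net = ipaddress.ip_network(cidr, strict=False)
    addrs = [str(a) for a in net.hosts()]
    with ThreadPoolExecutor(max_workers=workers) as pool:
        answered = list(pool.map(lambda h: probe(h, port), addrs))
    return [h for h, ok in zip(addrs, answered) if ok]


if __name__ == "__main__":
    # Usage: python this_script.py 192.0.2.0/24   (CIDR is the admin's own subnet)
    block = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.0/28"  # assumed default
    for host in hosts_with_port_open(block):
        print(host)
```

The output is a target list for the compromise-detection tool, not a verdict: a host with 445 open is simply one the central Internet-facing scan could not have reached, and the detection tool still has to be run against it.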
Recommendations for End Users
The following URL is an 'eyechart' test that can be used to detect a possible conficker compromise (thanks to Columbia University for hosting the site).
If you are not able to contact these sites, but can contact other common sites, you may have a conficker compromise. You should seek assistance immediately.
Microsoft End-user Security Information:
Microsoft Security Response blog: http://blogs.technet.com/msrc
Detailed Technical: http://mtc.sri.com/Conficker/
SANS Diary: http://isc.sans.org/diary.html?date=2009-03-29