Since the time Microsoft released security update MS08-067, we have released information about MS08-067 exploits and specifically about the Conficker worm in our malware encyclopedia and in multiple blog posts for example here. This blog provides a summary of the available information Microsoft has provided on the Conficker worm and the vulnerability it exploits, which Microsoft addressed with MS08-067.

First, we outline the various attack vectors because it’s important for customers to understand that the Conficker worm utilizes a variety of attack vectors to infect machines. Based on this analysis we follow up with guidance for what customers can do to protect themselves. The first and most important piece of guidance is to immediately deploy the security update associated with Microsoft Security Bulletin MS08-067, if you haven’t already. However, because this worm utilizes a number of additional vectors of attack we provide additional information and guidance to help you build a defense in depth approach. Finally, we close with information and pointers to how to clean up your machine using the Microsoft Malicious Software Removal Tool.

Let’s examine again the ways this worm spreads. So far, only two variants of the worm have been discovered in the wild. The first one, Worm:Win32/Conficker.A, was first reported Nov. 21, 2008 and propagates only by exploiting the vulnerability addressed by security update MS08-067. This variant avoids infecting computers that use Ukrainian keyboard layout and that raised the suspicion that the malware developer is located in Ukraine. Worm:Win32/Conficker.B, the second variant, was reported Dec. 29, 2008. This variant uses multiple propagation methods:

1. It attempts to infect other computers on the network by exploiting MS08-067. This method will give the worm a foothold in environments that have not completed their roll out of this security update on all their Windows computers.

2. It attempts to copy itself to the ADMIN$ share of the target machine, which is the Windows folder by default. First it tries using the credentials of the currently logged on user. This method would work well in environments where the same user account is used for different computers on the network, and as long as that account has administrative rights. If it fails, it tries a different method: It obtains a list of user accounts on the target machine and attempts to connect using each user name and a list of weak passwords (examples: ‘1234’, ‘password’, or ‘student’). If one of these combinations work and that account has write permissions, it copies itself to the ADMIN$ folder.

3. It copies itself to removable media such as USB drives and other portable storage. It adds an INF file so that when the removable media is used, the AutoPlay dialog will show one additional option. In the screen shot below the option “Open folder to view files – Publisher not specified” is the one which was added by the worm while the highlighted option “Open folder to view files – using Windows Explorer” is the one that Windows provides. If the user selects the first option, the worm executes.

Conficker Autorun

Conficker also makes several configuration changes so that it runs every time Windows starts. Specifically it adds itself as a service and also adds a registry value under HKCU\Software\Microsoft\Windows\CurrentVersion\Run. It also terminates various services which should be re-enabled and more information is available here. Similarly, Worm:Win32/Conficker.B attempts to terminate any process which has a name which seems to indicate that it is an antivirus program or other security software. It also blocks access to the web sites of many antivirus and security vendors and to Windows Update. This worm takes some additional steps and our encyclopedia entry includes more details.

Given all these propagation methods, customers need to take multiple measures to minimize the risk of getting infected with the worm:

  • Fully Install the MS08-067 update on all Windows computers in your environment. Because 100 percent deployment can be challenging in diverse enterprises, the next defense-in-depth steps can help minimize the risk too.
  • Use an antivirus product that has solid detection of Conficker. Such an antivirus program should be able to block the worm from copying itself to other machines. For example, Microsoft Forefront Client Security and Windows Live OneCare can detect and block this worm from the very first day of its discovery.
  • Use strong passwords both for any user account and also for any file share in your environment.
  • Make the choice that works best for you regarding AutoPlay options. Some customers may prefer to disable it.

If you have a network which has been infected by this threat, use the steps above to harden your environment. Then disinfect it using the step by step instructions for clean up using the MSRT from KB 962007.

Here are a few useful links:

Ziv Mador
Microsoft Malware Protection Center