Over the past several months, Microsoft has received reports on 4 different variants of the Conficker worm, the latest being Worm:Win32/Conficker.D (also known as Downadup.C, and the subject of a number of recent press articles labeling this variant as Conficker.C; see Win32/Conficker for a chart distinguishing the variants).  In response to the previous variants of Conficker (A/B/C), the industry has collaborated to organize a community-based effort to help mitigate and provide relief to the threat posed by Conficker, known as the Conficker Working Group.

One of the initiatives employed by the Working Group (WG) was to prevent machines infected by Conficker from downloading additional malware.  This was done by blocking access to around 500 domain names per day (250 for Conficker.A and 250 for Conficker.B/C) that these Conficker variants were programmed to monitor to download executable binaries.  This effort helps to control the potential impact of the infected machines to cause further damage as the malware author pleases.

On March 4, 2009, Conficker.D became the newest member of the Conficker family of threats.  It modified its “phoning-home” mechanism to randomly pick 500 out of a pool of 50,000 domain names per day to try and communicate with the malware author.  In addition to this, a peer-to-peer (P2P) mechanism was also added enabling it to distribute and receive commands from other Conficker.D-infected machines.  This “phoning-home” mechanism is programmed to start on April 1, 2009.

We now see that the mechanism to command and control Conficker.D-infected machines is a two-step process:

  1. By registering just a single domain name out of the 50,000 generated per day, roughly 1% of the total number of Conficker.D-infected machines will be able to receive commands from the malware author.
  2. Using its P2P mechanism, these machines will be able to distribute the original commands to other Conficker.D-infected peers.

The shift to the P2P scheme opens up a new channel for Conficker.D to receive and distribute additional malware from the worm author.  This additional code complexity, programmed to be less dependent on contacting domain names for communication, may have been forced onto the malware author to combat the effort that the industry has taken against the worm.
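The "roughly 1%" figure above follows from each Conficker.D machine contacting only 500 of the day's 50,000 candidate domains. The following added example (not code from the original post or from Microsoft) models that selection to check the figure and to answer the defender's version of the same question: what share of the infected population a sinkhole holding k of a day's domains would observe, and for how many days it would need to run.

```python
# Added example: model of the Conficker.D domain-selection scheme described
# in the post (500 of 50,000 domains per bot per day). Not the worm's code.

POOL_SIZE = 50_000    # candidate domains generated per day (figure from the post)
PICKS_PER_BOT = 500   # domains each infected machine actually contacts per day


def coverage(controlled, pool=POOL_SIZE, picks=PICKS_PER_BOT):
    """Probability that one bot contacts at least one of `controlled` domains.

    A bot draws `picks` domains from `pool` without replacement, so
    P(misses every controlled domain) = prod_{i<picks} (pool-controlled-i)/(pool-i).
    """
    if controlled <= 0:
        return 0.0
    if controlled > pool - picks:
        return 1.0  # too few uncontrolled domains left for a bot to avoid all of them
    miss = 1.0
    for i in range(picks):
        miss *= (pool - controlled - i) / (pool - i)
    return 1.0 - miss


def coverage_over_days(controlled_per_day, days, **kw):
    """Fraction of bots seen at least once by a sinkhole that controls
    `controlled_per_day` of each day's domains for `days` consecutive days.
    Each day's picks are a fresh draw, so the days are independent trials."""
    return 1.0 - (1.0 - coverage(controlled_per_day, **kw)) ** days


def domains_needed(target, pool=POOL_SIZE, picks=PICKS_PER_BOT):
    """Smallest number of one day's domains whose coverage reaches `target`.
    Binary search works because coverage is monotone in `controlled`."""
    lo, hi = 0, pool - picks + 1   # hi always has coverage 1.0
    while lo < hi:
        mid = (lo + hi) // 2
        if coverage(mid, pool, picks) >= target:
            hi = mid
        else:
            lo = mid + 1
    return lo


if __name__ == "__main__":
    print(f"one registered domain reaches {coverage(1):.2%} of bots")
    print(f"50% of bots need {domains_needed(0.5)} of one day's domains")
    print(f"one domain/day for 30 days sees {coverage_over_days(1, 30):.1%} of bots")
```

The same function answers both sides of the table: the worm author needs a single domain to reach about 1% of machines, while a defender who wants to deny every rendezvous point must control all 50,000 domains for that day.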

The following timeline illustrates the major events surrounding the Conficker worm so far:

Nov 21 2008 – Worm:Win32/Conficker.A was discovered.  Notable behavior includes:

  • MS08-067 vulnerability exploitation.
  • DNS hooking to prevent access to popular security sites.
  • Connects to 250 pseudo-randomly generated hosts/day to communicate with worm author.
  • MD5 hashing with 1024-bit RSA digital certification.

Dec 29 2008 – Worm:Win32/Conficker.B was discovered (38 days after Conficker.A).  Notable differences from Conficker.A include:

  • Network share infection via TCP/445.
  • Removable drive propagation.
  • Connects to a different set of 250 pseudo-randomly generated hosts/day.
  • MD6 hashing with 4096-bit RSA digital certification.

Jan 13 2009 – MSRT supports removal of Worm:Win32/Conficker.A and B

Feb 12 2009 – Microsoft Collaborates with Industry to Disrupt Conficker Worm

Feb 20 2009 – Worm:Win32/Conficker.C was discovered (53 days since Conficker.B).  Notable differences from Conficker.B include:

  • Peer-to-peer communication using the MS08-067 vulnerability.

A mere 8 days after the formation of the industry alliance against Conficker, a new variant emerged with an additional way for the malware to receive commands beyond connecting to pseudo-randomly generated hostnames.  Worm:Win32/Conficker.C can recognize incoming MS08-067 exploitation attempts from other Conficker-infected machines and receive commands from them via a URL download link.  This variant marks the start of Conficker’s shift from C&C-based communication to a more resilient P2P (peer-to-peer) mechanism.

Mar 4 2009 – Worm:Win32/Conficker.D was discovered (65 days since Conficker.B).  Notable behavior includes:

  • Connects to 500 hostnames randomly chosen from 50,000 pseudo-randomly generated hostnames starting April 1, 2009.
  • Peer-to-peer communication with other Conficker.D-infected machines.

Apr 1 2009 – Conficker.D "phone home" mechanism becomes active.

So what can we expect on April 1, 2009?  Based on the relatively small number of Conficker.D-infected machines, we believe it is doubtful that anything out of the ordinary will happen on April 1.  We will, however, take action on anything unusual that arises from it, just as we normally do.  To remain protected, please ensure that your systems are patched with MS08-067, keep your security software signatures updated, and clean any systems you identify as infected with any variant of Conficker.

For more information about the Conficker worm including protection and disinfection, please read the Win32/Conficker page in our encyclopedia.

Thanks to Jimmy Kuo, Ziv Mador, Jeremy Croy and fellow researchers Aaron Putnam and Cristian Craioveanu.

 -- Vincent Tiu