The Conficker worm (W32/Confick-A, W32/Confick-B, W32/Confick-C, W32/Confick-D, W32/Confick-E), aka Downadup, aka Kido (W32.Downadup, W32.Downadup.B), is going around and is capable of spreading very fast on Windows XP/Vista machines. The worm exploits [1] a remote code execution vulnerability in the Server service, the service that provides file and printer sharing. The vulnerability is apparently a buffer overrun in the netapi32.dll function NetpwPathCanonicalize.
The Server service (whose configuration lives under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer) is an svchost-based service in the netsvcs service group. All svchost services in the same group share one svchost process. The service name is LanmanServer, and that is how it appears in tasklist /svc output. It is generally set to start automatically at every boot. You will notice that the netsvcs group is a big one and that a lot of other services are hosted in the same process.
Since the Server service runs in the SYSTEM account, this effectively gives the worm privileged access to the compromised machine. [3] On some infected machines, the worm runs as an svchost service in the netsvcs group. [4] The name of the DLL that hosts the service, as well as the service name, are chosen at random and may be rootkitted. [5]
After compromising the vulnerable Server service, the worm may download a copy of itself into the system directory. On other machines you can find traces of this worm in the browser cache as a <random>.png file. That is an infection in which the soon-to-be-infected machine downloaded the worm from an already infected machine: the infected machine sets up an HTTP server on a random port that hosts the worm bits and instructs the target machine to download them from there. [6]
The worm blocks access to major security sites (Symantec, McAfee) and to microsoft.com URLs, which makes it hard to patch the machine through Windows Update [7], to download removal tools from security sites, or to update antivirus/antispyware definitions. This is done by hooking the dnsapi.dll functions DnsQuery_A, DnsQuery_W, DnsQuery_UTF8 and Query_Main. The worm also removes the Windows Defender registry Run entry so the system does not auto-start Defender.
The worm is capable of infecting USB disks/sticks by copying an autorun.inf that executes a randomly named DLL from a random path under a Recycler subdirectory it creates at the drive root. From then on, every machine that accesses the drive root gets infected. [8] The worm also tries passwords against logon accounts, including domain accounts, from a set of weak passwords, and in most work environments ends up locking out accounts. Some variants of the worm convince users to buy a fake antivirus product, Spyware Protect 2009, for $49.95 in order to clean up the machine.
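As an added example (not code from the original post), here is a small Python triage routine for an autorun.inf pulled off a suspect USB stick: it parses the [autorun] section tolerantly and flags execution keys that run something out of a RECYCLER path or through rundll32, which is the pattern just described. The sample autorun.inf, its SID-like folder name and the DLL name are constructed placeholders, not real indicators.

```python
import re

EXEC_KEYS = ("open", "shellexecute")                 # run on autoplay / drive open
VERB_CMD = re.compile(r"shell\\[^\\]+\\command")     # shell\<verb>\command overrides

def parse_autorun(text):
    """Tolerant INI parse of the [autorun] section into {key: value}.
    Lines without '=' (junk padding) are skipped and keys are lower-cased,
    so cosmetic obfuscation does not break the parse."""
    section, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "autorun" or "=" not in line:
            continue
        key, _, val = line.partition("=")
        values[key.strip().lower()] = val.strip()
    return values

def triage_autorun(text):
    """Return the reasons an autorun.inf matches the pattern described above:
    an execution key that runs something out of a RECYCLER path, or that uses
    rundll32 to load a library. An empty list means nothing suspicious."""
    findings = []
    for key, val in parse_autorun(text).items():
        if key not in EXEC_KEYS and not VERB_CMD.fullmatch(key):
            continue
        v = val.lower()
        if "recycler" in v:
            findings.append(f"{key}: runs from a RECYCLER path: {val}")
        if "rundll32" in v:
            findings.append(f"{key}: rundll32 used to load a library: {val}")
    return findings

# Constructed samples; the SID-like folder and DLL name are placeholders.
SUSPICIOUS = """\
[autorun]
;junk padding lines such as the next one are skipped, not fatal
qZ8#wL&*xx
Action=Open folder to view files
shellexecute=RUNDLL32.EXE .\\RECYCLER\\S-1-5-PLACEHOLDER\\random.dll,EntryPoint
UseAutoPlay=1
"""
BENIGN = "[autorun]\nicon=setup.exe,0\nlabel=Holiday photos\n"
```

Call `triage_autorun()` on the file's text; the suspicious sample yields two findings and the benign one none.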
You can go here to see links to a bunch of removal tools for Conficker. [9] An analysis of Conficker’s auto-update mechanism is here. You can also use Microsoft’s Malicious Software Removal Tool (mrt), which has been updated with signatures for Conficker. [10]
Here are some of the things that can help reduce the risk of Conficker or similar worms infecting a machine.
a) Keep Windows, Defender and your antivirus/antispyware product up-to-date. Take update failures seriously.
b) Run as a regular user, not as admin. Use runas, Vista elevation, right click->Run as, etc. to switch to admin access when you need to.
c) Run the entire system with Data Execution Prevention (DEP) on.
d) Run a firewall with very limited exceptions. Do not trust your LAN.
e) Run on a 64-bit OS if your hardware is 64-bit capable. Much malware is 32-bit.
f) Run on server OSes such as Server 2008. Server OSes tend to be much more locked down by default than client OSes like Vista or XP. Respect the defaults and learn to work with them.
g) Keep removable media in regular use clean and turn off autoplay.
[1] Proof of concept code to exploit MS08-067 by Polymorphours
[2] If a machine is not sharing files and/or printers and the Browser service is not an absolute necessity, the Server service can safely be disabled. This service is the server-side counterpart of the Workstation service, which lets one access shares on other machines. When the Server service is not running you may see error 2114 (NERR_ServerNotStarted) while attempting to access shares.
[3] A remotely exploitable privilege escalation such as this is the worst kind of vulnerability an OS can have. On some Windows XP Service Pack 3 machines, the worm crashes the svchost process hosting the Server service.
[4] The worm service is a DLL that is loaded in svchost and reported as a service. Third-party services typically do not choose to run alongside Microsoft svchost services because (a) the means to pull that off is neither documented nor encouraged, and (b) it may affect system stability, i.e. if the third-party service crashes, it takes out all the other system services hosted in the same process. Those are not considerations for malware. Malware sees it as an opportunity to further complicate removal by staying loaded in svchost processes. Conficker chooses the svchost process that hosts the largest number of services on the system.
[5] The service DLL may not be visible in Windows Explorer. The registry entries for the random service under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services may not be visible in the registry editor. GMER is able to quickly detect rootkitted registry and file entries on some, but not all, infected machines. The registry rootkitting is not perfect, however. On some infected machines, the random service name is visible in the netsvcs REG_MULTI_SZ value under the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost key.
[6] The HTTP server process may be rootkitted as well, making it invisible in Task Manager. On some infected Windows XP machines, this has been seen using Microsoft’s telnet server executable (tlntsvr.exe), with the process rootkitted. Telnet bits are not installed by default on Vista machines.
[7] Windows Update may be further maimed by disabling the Windows Update service and the BITS service, both of which are needed for Windows Update to work.
[8] If your USB device has a switch to make it read-only, use it before plugging it into any machine. Also make sure to sweep all removable media for infection.
[9] I put most faith in Trend Micro’s cleaning after booting into Safe Mode and using sysclean.com.
[10] Give your machine a thorough scan even if you think it is not infected. Some machines do not exhibit any symptoms but may be infected.
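To make the netsvcs check in footnote 5 repeatable, here is an added Python example (not code from the original post) that parses the output of `reg query` for the Svchost key's netsvcs value and for the Services key, then reports netsvcs members missing from a baseline exported from a known-clean machine of the same Windows version, noting whether each one's Services key is visible. The reg.exe output, the baseline and the service name bzqwqtx are constructed placeholders.

```python
import re

SVCHOST_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost"
SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"

def parse_netsvcs(reg_output):
    """Pull the netsvcs list out of `reg query "<Svchost key>" /v netsvcs` output.
    reg.exe prints a REG_MULTI_SZ with its strings joined by a literal '\\0'."""
    for line in reg_output.splitlines():
        m = re.match(r"\s*netsvcs\s+REG_MULTI_SZ\s+(.*?)\s*$", line)
        if m:
            return [s for s in m.group(1).split(r"\0") if s]
    return []

def parse_service_keys(reg_output):
    """Collect subkey names from `reg query "<Services key>"` output, which lists
    one full key path per line. Names are lower-cased for comparison."""
    pat = re.compile(re.escape(SERVICES_KEY) + r"\\([^\\]+)\s*$", re.I)
    return {m.group(1).lower() for m in map(pat.match, reg_output.splitlines()) if m}

def audit_netsvcs(netsvcs_out, services_out, baseline):
    """Return (name, note) for every netsvcs member absent from the baseline list
    exported from a known-clean machine of the same Windows version. The note says
    whether the name's Services key is visible; a name still listed in netsvcs
    whose key cannot be seen is the registry-rootkit tell described above."""
    known = {n.lower() for n in baseline}
    visible = parse_service_keys(services_out)
    findings = []
    for name in parse_netsvcs(netsvcs_out):
        if name.lower() in known:
            continue
        note = "Services key visible" if name.lower() in visible else "Services key hidden or absent"
        findings.append((name, note))
    return findings

# Constructed sample output; "bzqwqtx" is a placeholder for the worm's random name.
NETSVCS_OUT = SVCHOST_KEY + "\n    netsvcs    REG_MULTI_SZ    " + \
    "AppMgmt\\0AudioSrv\\0Browser\\0LanmanServer\\0Schedule\\0bzqwqtx\\0wuauserv\n"
SERVICES_OUT = "\n".join(SERVICES_KEY + "\\" + n for n in
                         ("AppMgmt", "AudioSrv", "Browser", "LanmanServer", "Schedule", "wuauserv"))
BASELINE = ["AppMgmt", "AudioSrv", "Browser", "LanmanServer", "Schedule", "wuauserv"]
```

Compare against a baseline from the same OS version rather than against the Services key alone: a default XP netsvcs list names several services that are not installed, so an absent key by itself is not proof of hiding.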