Conficker; A Bounty Hunter’s Guide

You know things are serious when Microsoft Corp. ponies up a $250,000 bounty. The software vendor is offering the cash in exchange for information leading to the arrest and conviction of the Conficker worm creator(s).

It's part of an unprecedented and coordinated response with ICANN and security researchers from Afilias, AOL LLC , Arbor Networks Inc. , CNNIC, F-Secure Corp. , Georgia Tech, Global Domains International Inc., Internet Storm Center (ISC) , M1D Global, NeuStar Inc. (NYSE: NSR), Public Internet Registry, Shadowserver Foundation, Support Intelligence, Symantec Corp. (Nasdaq: SYMC), and VeriSign Inc. (Nasdaq: VRSN) to disable the hosting and distribution of the worm.

Obviously no one's out to justify or encourage the "Wild West" ethics where this reward's concerned, and it's not the first time Microsoft has gone this route. In 2005, the vendor offered $250,000 for the identity of the creator of Netsky, a.k.a. the Sasser worm, leading to the unmasking of German student Sven Jaschan. But for the interested, the curious, and the bounty-minded, what follows is a starter guide and roadmap to help this latest industry-wide effort along.

What is Conficker?

First, do not get blindsided by the linguistics, and its plethora of names. Conficker.A is what CA Inc. (Nasdaq: CA) calls it, but it also goes by Conficker.worm (McAfee Inc. (NYSE: MFE)); Downadup (Symantec); and Kido and Net-Worm.win32.kido.bt (Kaspersky Lab ). They are all the same thing. It spreads through the use of network shares and weak passwords. Additionally, it uses Windows AutoRun functionality, wherein autorun.inf files are copied to USB drives and other removable media.

When Conficker takes control of the user’s PC

• Injects its code into the address space of one of the “svchost.exe” system processes.

• Disables system restore

• Blocks any addresses which contain the following strings:

indowsupdate / wilderssecurity / threatexpert / castlecops / Spamhaus / cpsecure / arcabit / emsisoft / sunbelt / securecomputing / rising / prevx / pctools / norman / k7computing / ikarus /hauri / hacksoft / gdata / fortinet / ewido / clamav / comodo / quickheal / avira / avast / esafe / ahnlab / centralcommand / drweb / grisoft / eset nod32 / f-prot / jotti / Kaspersky / f-secure / computerassociates / networkassociates / etrust /panda / Sophos / trendmicro / mcafee / Norton Symantec / Microsoft defender / rootkit / malware / spyware / virus

Each day, the worm generates a fresh list of about 250 random domain names such as abfhhibxci.cn. It then checks those domains for new instructions, verifying their cryptographic signature to ensure that they were created by Conficker's author. It should be stressed that this malware is infecting PCs but has not yet been switched on via command and control functions to act as a botnet.

From whence did Conficker spring?

Conficker was first reported to Microsoft as a remote code execution vulnerability in Windows 2000, 2003, 2008, XP, and Vista server service in October 2008; a security update was released on Oct. 23. Estimates vary as to the extent of infection: F-Secure reported on Jan. 16 that Conficker had infected 9 million PCs worldwide with 353,495 unique IP addresses; 10 days later, this was revised to 15 million infected PCs.

Where are the major infection centers?

Panda Security reported on Jan. 21 Conficker in 83 countries, and an estimated 6 percent of the entire world’s PCs were infected, say, 18 million. It further estimated the countries with the highest rates of virulence were the U.S., China, Spain, Taiwan, and Brazil. Press reports have circulated that American military systems were infected by USB drives, and that U.K. Royal Navy warship and submarine systems were infected and rendered unusable; French fighter planes were also reportedly being grounded. Symantec is monitoring 450,000 IP addresses (PCs) with the original infection, with another 1.7 million PCs infected per day.

Who created Conficker?

In this case, the $250,000 question could take a dozen pages of explanation. One simple form of analysis for the potential bounty hunter is to follow the rabbit. But you'll need some Russian language skills. If we examine Kaspersky’s Virus List of Jan. 2, the Conficker worm was originally downloading from trafficconverter.biz, so that's a good starting place. A little examination shows this domain was originally registered via the now defunct EstDomains in December 2008. Even better, some additional Googling gives us a clue to the origin: In Russian hacker forums, we can see earlier offerings from trafficconverter.biz providing excellent reseller margins of $30 a pop to hackers for ensuring downloads of infectious, rogue, anti-virus software.

Not resolving - trafficconverter. biz

Resolving – trafficconverter2.biz

Sister site – RX-Partners.biz

Given the limited space and time, see what conclusions you can draw. You should end up with a combination of hosts, each with a questionable, cybercriminal reputation: AS43816 Centralux (a.k.a. WebAlta, Russia); AS28753 NetDirect (Germany); and AS41867 Geonic (Ukraine). Whether this gets you any closer to Microsoft's reward will depend on which rabbit hole you go down. But safe to say that this sort of incentive will flush out Conficker's writer(s)... The only remaining question is just how long that will take.

Happy hunting!