Backgrounder: The Conficker worm

Conficker is a two-stage Internet worm
Conficker, also known as Downadup, is a form of malicious Internet software program known as a worm. Worms are designed to infect computers and then spread to other computers. Conficker is a two-stage worm. The first stage infects a computer and makes it part of a network of host machines, then waits for instructions from the second stage of the worm.

Such a network is known as a botnet, and the infected computers that are part of it are known as zombies. All the infected systems within a botnet can be controlled by a so-called “bot-herder” and used for unlawful activities such as spamming, fraud and identity theft.

The initial response to Conficker from the international security community focused on combating the first stage, which is believed to have infected several million computers worldwide. At present, three variants of Conficker are known to exist, A, B and C. The first variant, Conficker A, appeared to attempt to download and install fraudulent antivirus software as its second stage, without much apparent success. At present, it is not known what action the most recent variant is intended to take.

Conficker first appeared in October

The first variant of Conficker, Conficker A, was detected in October 2008, taking advantage of a previously unknown vulnerability in a Microsoft operating system that has subsequently been patched. Internet security experts worked to understand how the worm spread and took other actions to impede its ability to propagate.

Conficker is evolving
The authors of Conficker quickly responded to these efforts with a stronger and more robust second variant, Conficker B. The authors of this worm have gone to great lengths to engineer a threat that is both technically sophisticated and versatile by arming it with a number of different modes of attack and defence. Security experts have been dealing with variations of these assorted tricks for years, but what makes Conficker unique is the number of tricks that have been incorporated into its design and the degree to which it has been able to spread.

The worm also possesses the ability to update itself and receive additional files related to execution of its second stage. Again, this is nothing new. When the second stage of Conficker B activated, it generated a random list of 250 new Internet domains to connect to every day, any number of which could be seeded with the command and control file that provides Conficker with the instructions it needs to perform malicious actions.

Conficker C expected to activate April 1
In early March, a third variant, Conficker C, appeared. Whereas Conficker B generated a daily list of 250 new domains to connect to in search of a command and control file, this latest variant will begin on April 1 generating a daily list of 50,000 country-code domains in which these files could be hidden. These names are drawn from 110 country-code domains, including the Canadian extension dot-ca.

Without a clear idea of the motive behind the creation of the worm and its variants, or the actions the botnet will take, Conficker is being regarded as a potential threat to Internet infrastructure around the world.

An international coalition is combating Conficker
A coalition of affected parties, including software companies, registry operators, security vendors, private security researchers and academic groups from around the world, has banded together to offer a coordinated response to the Conficker threat and provide removal and repair tools for the worm. This coalition is being led by Microsoft, which has offered a $250,000 reward for information leading to an arrest and conviction in this matter.

The coalition has been working to identify where the worm resides throughout the World Wide Web and mitigate its effects before the second stage of Conficker C begins activating on April 1.

Other members of the coalition include ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

Canada’s response is part of an international effort
Because the dot-ca domain-name registry has been targeted by Conficker C, the Canadian Internet Registration Authority, or CIRA, has put in place a plan to counter potential misuse of the dot-ca registry and to maintain its integrity as one of the most secure and robust domain registries in the world.

CIRA’s efforts include pre-emptively registering and isolating previously unregistered dot-ca domain names expected to be generated over the next 12 months by Conficker C. This move, which covers the vast majority of affected names during that period, will prevent registration of those domains by undesirable actors. In the small number of cases where the domain name has already been registered, CIRA will actively investigate and monitor activities at those domains and take appropriate action if suspicious activity is detected. For security reasons, CIRA is not willing to provide further details.
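The defensive step described above depends on one property of the worm's domain-generation scheme: because the daily list is derived deterministically, anyone who has reversed the scheme can compute the same names in advance, which is what lets a registry reserve the unregistered ones and watch the rest. The following is an added example, not CIRA's code and not Conficker's actual algorithm. It uses a hypothetical stand-in generator (a SHA-256 hash of the date and an index, mapped to a label and a country-code extension) and a constructed sample of five country-code TLDs, then performs the triage the backgrounder describes: names under dot-ca that are unregistered go on a reserve list, names already registered go on a watch list.

```python
"""Added example: a registry-side triage of predicted domain names.

The generator below is a constructed, hypothetical stand-in for a date-seeded
domain-generation scheme; it is NOT the worm's real algorithm. The TLD list and
the "already registered" set are likewise constructed sample data.
"""
import hashlib
import string
from datetime import date

LETTERS = string.ascii_lowercase

# Constructed sample of country-code TLDs (the backgrounder says 110 are used).
SAMPLE_CCTLDS = ("ca", "uk", "de", "jp", "au")

# Constructed sample day: the activation date named in the backgrounder.
SAMPLE_DAY = date(2009, 4, 1)


def predicted_names(day, count, tlds=SAMPLE_CCTLDS):
    """Return `count` hypothetical names for `day`, spread over `tlds`.

    The list is deterministic in (day, index): the same inputs always give the
    same names, which is what makes pre-registration possible for defenders.
    """
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        label = "".join(LETTERS[b % 26] for b in digest[:8])
        tld = tlds[digest[8] % len(tlds)]
        names.append(f"{label}.{tld}")
    return names


def triage(names, registered, tld="ca"):
    """Split the names under `tld` into a reserve list and a watch list.

    `registered` is the set of names already held by someone else; those go on
    the watch list for monitoring. Every other in-scope name can be reserved
    and isolated ahead of time.
    """
    in_scope = [n for n in names if n.endswith("." + tld)]
    reserve = sorted(n for n in in_scope if n not in registered)
    watch = sorted(n for n in in_scope if n in registered)
    return {"reserve": reserve, "watch": watch}


if __name__ == "__main__":
    names = predicted_names(SAMPLE_DAY, 1000)
    # Constructed: pretend the first in-scope name was already registered.
    already_held = {n for n in names if n.endswith(".ca")}
    already_held = set(sorted(already_held)[:1])
    result = triage(names, already_held)
    print(f"{len(names)} names predicted for {SAMPLE_DAY}")
    print(f"{len(result['reserve'])} dot-ca names to reserve, "
          f"{len(result['watch'])} to monitor")
```

In practice the registry would feed the real predicted list for each upcoming day into `triage`, with `registered` populated from its own database rather than a constructed set; the reserve list becomes the batch of pre-emptive registrations and the watch list drives the investigation and monitoring the backgrounder mentions.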

-30-

For more information or to arrange an interview, media may contact:
Julie Lépine
Marketing and Communications Specialist
Tel: 613-237-5335 ext. 229
Email: julie.lepine@cira.ca