Downadup/Conficker Worm Removal

• Date: January 21, 2009
• Author: Joe Stewart, Director of Malware Research, SecureWorks

If you've been seeing this message in your web browser lately, you are not alone:

  Microsoft Not Found

Millions of other people are also finding that they can't reach microsoft.com or can't load antivirus websites. The reason is they are infected by the Downadup worm.

Downadup (also called Downad, Kido, Conficker or Conflicker) is a Windows worm that spreads by exploiting weak administrator passwords, use of autorun on removable and network drives, and the MS08-067 exploit.

Once installed, the worm does the following things:

• Copies itself to the system directory as a randomly-named DLL file
• Adds itself as a randomly-named system service for persistence after reboot
• Disables certain Windows services that might aid in cleanup or detection of the worm
• Deletes existing system restore points
• Disables access to multiple websites related to antivirus and security, most notably Microsoft and Windows Update.
• Spreads through the local Microsoft network using password brute-forcing or MS08-067 exploit
• Adds itself to any removable/network drives using an autorun.inf file
• Adjusts the Windows TCP/IP settings to allow a greater number of simultaneous connections in order to facilitate the spread of the wrom
• Waits three hours, then attempts to download additional code by generating 250 different domain names and connecting to each via HTTP. Each day a new set of 250 domain names will be generated.

To date SecureWorks has not witnessed any successful downloads of second-stage code, however, it is believed the intention of the worm may be to install rogue anti-virus software in an attempt to scare payment out of infected users.

Despite using fairly old and well-known spreading vectors, and a patch being available for MS08-067 for months now, the worm is having fairly good success at spreading to networks worldwide. Estimates are currently around 10M infected machines, although it is possible that machines are being counted multiple times by some entities. Whatever the real number of infected machines, it is certainly possible that it has infected millions of machines around the world based on the sheer number of IP addresses hitting sinkhole servers that have been set up for observation.

Key indicators of an infection are:

• Network drives/USB drives with hidden autorun.inf files, especially ones that are larger than 512 bytes.
• Network logins being locked out for too many failed attempts.
• Workstations no longer able to access microsoft.com or other security/AV related websites.

The problem of Conficker/Downadup cleanup is exacerbated by the fact that the worm blocks the download of potential removal tools, including Microsoft's own Malicious Software Removal Tool (MSRT) which has been updated to remove Conficker/Downadup. It does this by hooking the system DNS and networking APIs and blocking DNS lookups where certain strings are present in the domain name.

The complete list of strings blocked in DNS requests is below:

Obviously not being able to reach any of these domains makes it difficult for an infected party to find information on or cleanup tools for the worm. However, the worm does not prevent use of a proxy server to reach the same websites, so in organizations where a proxy server is already in use for web traffic, removal may be easier.

Conficker/Downadup Removal:

• Use a proxy server to download Microsoft's Malicious Software Removal Tool (MSRT) from the following URL:

  http://www.microsoft.com/security/malwareremove/default.mspx

• Or, if no proxy is available, a workaround is needed. One can use a direct link to the MSRT on Microsoft's content delivery network server. Since this is a third party hosting company, their domain name is not on the blocked list, so one can substitute "mscom-dlcecn.vo.llnwd.net" for "download.microsoft.com" in the MSRT URL. The URL would then be:

  http://mscom-dlcecn.vo.llnwd.net/download/4/A/A/4AA524C6-
  239D-47FF-860B-5B397199CBF8/windows-kb890830-v2.6.exe.

• Or, F-Secure also has a removal tool available, however the f-secure.com domain is in the blocked list of domain names above. Using an IP address instead of the hostname will bypass the worm's blocking routines, so that tool could be downloaded by infected systems at this URL:

  ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip.

• Run the automated removal tool to eliminate Conficker/Downadup