Conficker Call-home Protocol v2

As they say — no rest for the wicked — the Conficker worm has been updated again and comes with a new rendezvous protocol that generates a massive 50,000 potential call-home domains per day. Though, there is no need to panic about DNS floods bringing down your network or legitimate domains suffering collateral damage by making it on Conficker’s `hit list’ (original article here). The latest variant, which Sophos detects as Mal/Conficker-B (aka Conficker.c), demonstrates a paradigm shift in the worms behavior, moving away from overt spreading techniques to more stealthy operations.

Although Mal/Conficker-B will generate 50,000 domains per day, the worm will randomly choose only 500 of those domains to attempt to rendezvous with that day. Furthermore, it only tries to resolve each of those 500 domains once per day. This is in stark contrast to the previous Mal/Conficker-A scheme, which generated 250 potential call-home domains and repeatedly queried all 250 domains once every 2 hours. Thus, even though the new scheme generates many more call-home domains, its use of said domains result in far fewer DNS queries than that of prior variants (only 500 per day vs. 3,000).

And that’s not the only change to make the rendezvous protocol more stealthy. Prior variants issued a small number of DNS queries in parallel at a fixed 5 second intervals — fairly predictable. This update however issues DNS queries in series and separates each query with a random interval between 10 and 50 seconds. This is clearly an effort to avoid triggering anomaly detection systems that can pick up spikes or fixed patterns in network activity.

Interestingly, upon a successful rendezvous (i.e. the worm successfully resolves a call-home domain, downloads an executable and cryptographically verifies its signature… using a different RSA key pair from prior variants of course) no further call-home activity is done for the next 3 days. Perhaps the Conficker mastermind plans to rent out these machines for malicious deeds in 72-hour chunks…

Here’s a condensed breakdown of the differences described above between the two call-home protocols.

Version 1 Version 2
Domains / day 250 50,000
Used / day 250 500
Query interval Every 5 seconds Random interval in [10,50] seconds
Process repeats Every 2 hours Once per day
Total DNS queries / day 3,000 500
Enabled on Jan 1, 2009 Apr 1, 2009

Granted that the new scheme is more stealthy, what about the success rate? With only 500 randomly selected call-homes of 50,000 contacted, a single rendezvous point only has the potential to directly update roughly 1% of infected machines. While a 1% return seems pretty low, it is greater than zero, which is the success rate for the original call-home protocol — at least as long as the Conficker Cabal research group continues to snarf up all 250 domains each day. And this seems to be precisely why the worm adopted this new tactic — it will be significantly more difficult to neuter 50,000 domains per day. Thus, the author has accepted the trade-off of a less-deterministic success rate for greater longevity.

This 1% hit rate is also why this new version will not generate the same level of collateral damage to a legitimate site that ends up generated by Mal/Conficker-B’s pseudo-random algorithm. With the estimated number of worldwide Conficker infections sitting around 3 million, each unique call-home domain will only be contacted by approximately 30,000 infected machines — which breaks down to an addition of roughly 21 requests per minute (spread across the entire day). If your site cannot handle that level of additional traffic, you might be in the wrong business. Though, out of interest, I did update my tool to generate the Conficker call-home domains with the algorithm in Mal/Conficker-B and checked if any of the 1,500,000 domains for April (the first month the protocol becomes active) match with any of the Alexa top 1 million sites — but found no hits.

All that being said, the DOS threat to legitimate sites from the original call-home protocol still remains, though this threat will diminish proportionally as the worm updates and Mal/Conficker-A numbers decrease. I will continue to monitor the situation closely… there’s sure to be more.