Conficker - A Cannon Against Sparrows

    Conficker is a family of network worms. "Conficker" is the name most often used in the press; by one account it was formed by rearranging parts of the domain that the first version of the malware contacted, by another it combines the English word "configuration" with the German "ficker" (equivalent to the English "fucker"). Foreign antivirus companies also use the name Downadup, and Kaspersky Lab classifies it as Kido. The first samples were discovered in November 2008. As of January 2009, about 9 million computers worldwide were affected. The scale is explained by the worm's automatic propagation through the MS08-067 vulnerability in the Server service of Microsoft Windows. It should be noted that by the time the worm spread, Microsoft had already released a security update closing this vulnerability. The decisive factor, however, was that ordinary users, as a rule, pay no attention to keeping the operating system updated (in part because of the use of "pirated" copies). Once again, neglect of computer security was demonstrated in practice. In April 2009, the size of the botnet was estimated at 3.5 million.
    There are five major modifications of Conficker, denoted by the letters A (November 21, 2008), B (December 29, 2008), C (February 20, 2009), D (March 4, 2009) and E (April 7, 2009). Some antivirus companies use the names A, B, B++, C and D respectively.


    The malware code is compiled as a Windows dynamic library (a PE DLL) and packed with UPX. It gives its copies the creation and modification timestamps of kernel32.dll, so that they cannot be picked out by sorting files by date. The persistence method depends on the operating system version: on Windows 2000 the code is injected into the services.exe process; otherwise a service named netsvcs is created that runs under svchost.exe.
    This version had only one propagation method: exploiting the vulnerability in the Server service (MS08-067). For this, Conficker starts an HTTP server on a random TCP port, which is later used to deliver its own copy to other computers. It obtains the list of IP addresses of computers in the network environment by scanning. To speed up propagation, the worm raises the permissible number of network connections, both by patching the in-memory image of the tcpip.sys system driver and by setting the value 'TcpNumConnections' = 'dword:0x00FFFFFE' in the registry key [HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]. It then attacks the remote computers: a specially crafted RPC request is sent that causes a buffer overflow in the call to the wcscpy_s function inside the netapi32.dll library. As a result, control passes to a small loader, which downloads Conficker from the infecting computer and runs it. To prevent the MS08-067 vulnerability from being reused (so that other malware could not infect the computer), Conficker hooks the netapi32.dll function NetpwPathCanonicalize and blocks the buffer overflow there, in effect applying a hotpatch (installing updates without rebooting,
    The name of the command-and-control server is not hard-coded: 250 domain names are generated daily by a pseudo-random algorithm using 5 top-level-domain suffixes. In this way the authors tried to protect themselves against antivirus company staff blacklisting the control server's address and thereby taking away their control. From these domains Conficker tries to obtain commands to download and run other malicious programs from the Internet. In addition, it contacts one fixed domain and tries to download and execute from it a file with the fixed name loadadv.exe.
    To protect the downloaded files against substitution, cryptographic algorithms were used, combining encryption with a digital signature. A 512-bit SHA-1 hash was computed over the downloaded file; this hash served as the encryption key for the RC4 algorithm and was also signed with RSA using a 1024-bit key. Unlike later versions, this one contained no self-defence functions.
    It has been suggested that Conficker was developed in Ukraine, because Conficker.A checks for a Ukrainian keyboard layout and deletes itself if one is found. In addition, it downloads a GeoIP database, and Ukrainian addresses identified with its help during scanning are not infected. Later versions dropped this functionality.


    This version added two more propagation mechanisms to widen the "habitat": network shares (directories) with "weak" passwords, and infection of USB flash media with launch via autorun.inf. Conficker tries to connect to the remote computer under the administrator account, trying in turn the passwords from a list embedded in the code. On success, the worm file is copied to the remote computer and a Task Scheduler job is created that runs it as a service through regsvr32. For autorun from USB flash media, an obfuscated autorun.inf file is created, and the DLL itself is placed in the hidden RECYCLER directory under a random name with the vmx extension.
    The cryptographic protection of downloaded files against modification was changed: the MD6 algorithm (the newest at the time, developed in 2008) became the hash function, and the RSA key length was increased to 4096 bits. The code clearly shows the authors' desire to eliminate every potential opening for a "buffer overflow" type vulnerability or a weakness in the implementation of the cryptographic algorithms.
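The download-protection scheme described for versions A and B, with the payload's hash doubling as the RC4 key and being signed with RSA, can be reconstructed to see why an analyst without the private key could neither substitute a payload nor alter one in transit. The Go program below is an added example written for this page, not the worm's code or its real file format: the container layout (ciphertext, digest, signature), the use of SHA-1 in place of MD6, and a 2048-bit key in place of 1024 or 4096 bits are assumptions made so that it runs with the Go standard library alone.

```go
package main

import (
	"bytes"
	"crypto"
	"crypto/rand"
	"crypto/rc4"
	"crypto/rsa"
	"crypto/sha1"
	"errors"
	"fmt"
)

// Package is the container layout assumed for this example: the payload
// encrypted with RC4 under its own hash, the hash in the clear, and an RSA
// signature over the hash. It reconstructs the scheme as the article
// describes it and is not Conficker's real file format.
type Package struct {
	Ciphertext []byte
	Digest     []byte
	Signature  []byte
}

// GenerateKey wraps RSA key generation (the article's versions used 1024 and
// 4096 bits; 2048 is used here as a modern minimum).
func GenerateKey(bits int) (*rsa.PrivateKey, error) {
	return rsa.GenerateKey(rand.Reader, bits)
}

// Seal is the step only the private-key holder can perform.
func Seal(priv *rsa.PrivateKey, plaintext []byte) (*Package, error) {
	digest := sha1.Sum(plaintext) // SHA-1 stands in for the MD6 of version B
	c, err := rc4.NewCipher(digest[:])
	if err != nil {
		return nil, err
	}
	ct := make([]byte, len(plaintext))
	c.XORKeyStream(ct, plaintext)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA1, digest[:])
	if err != nil {
		return nil, err
	}
	return &Package{Ciphertext: ct, Digest: digest[:], Signature: sig}, nil
}

// Open is what the recipient does with only the embedded public key.
func Open(pub *rsa.PublicKey, pkg *Package) ([]byte, error) {
	// 1. Only the private-key holder can have signed this digest, so a
	//    substitute package signed by anyone else is rejected here.
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA1, pkg.Digest, pkg.Signature); err != nil {
		return nil, errors.New("signature does not verify: package rejected")
	}
	// 2. The signed digest doubles as the RC4 key.
	c, err := rc4.NewCipher(pkg.Digest)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(pkg.Ciphertext))
	c.XORKeyStream(pt, pkg.Ciphertext)
	// 3. RC4 provides no integrity by itself; re-hashing the plaintext and
	//    comparing with the signed digest is what catches a modified ciphertext.
	got := sha1.Sum(pt)
	if !bytes.Equal(got[:], pkg.Digest) {
		return nil, errors.New("digest mismatch: payload was modified")
	}
	return pt, nil
}

func main() {
	priv, err := GenerateKey(2048)
	if err != nil {
		panic(err)
	}
	payload := []byte("constructed payload: not a real binary") // constructed sample input
	pkg, _ := Seal(priv, payload)
	pt, err := Open(&priv.PublicKey, pkg)
	fmt.Printf("genuine package: %q, err=%v\n", pt, err)

	pkg.Ciphertext[3] ^= 0x01 // flip one bit "in transit"
	_, err = Open(&priv.PublicKey, pkg)
	fmt.Println("modified package:", err)

	other, _ := GenerateKey(2048)
	forged, _ := Seal(other, []byte("replacement payload"))
	_, err = Open(&priv.PublicKey, forged)
	fmt.Println("package signed with another key:", err)
}
```

The third check in Open is the important design point: a stream cipher keyed by the hash gives confidentiality only, and it is the comparison of the re-computed hash against the signed one that binds the decrypted bytes to the signer, which is why the article's "substitution" attack fails without the private key.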
    Self-defence functions appeared in this version. In particular, the following services were disabled: Windows Automatic Update Service; Background Intelligent Transfer Service; Windows Security Center Service; Windows Defender Service; Windows Error Reporting Service. This shut down the operating system update mechanism, through which Microsoft's specialised removal tools could have been installed. Hooks were set on the following functions of the dnsrslvr.dll library: DNS_Query_A; DNS_Query_UTF8; DNS_Query_W; Query_Main; SendTo; NetpwPathCanonicalize; InternetGetConnectedState. Names resolved through the DNS service were filtered against a list of domains to which access was denied. In this way the user was cut off from the main sites from which antivirus database updates or special malware removal utilities could be downloaded.
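The host-level changes described for versions A and B, the raised TcpNumConnections value and the disabled update and protection services, are the kind of thing a responder can check from a registry export. The following Go program is an added example written for this page, not code from the article or from any analysis it cites: it parses a constructed fragment in reg-export text format and reports those indicators. The service internal names (wuauserv, BITS, wscsvc, WinDefend, ERSvc) are an assumption based on standard Windows installations, since the article gives only display names, and the sample export is constructed.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// sampleExport is a constructed fragment in the text format produced by
// "reg export" (after decoding from UTF-16). It is not data from the article
// or from a real host; the values are chosen to match the indicators the
// article describes.
const sampleExport = `Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv]
"DisplayName"="Automatic Updates"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WinDefend]
"Start"=dword:00000002
`

// Registry maps key path -> value name -> raw value text (e.g. "dword:00000004").
type Registry map[string]map[string]string

// ParseRegExport reads the [key] / "name"=value structure of a .reg file.
func ParseRegExport(text string) Registry {
	reg := Registry{}
	var current string
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		switch {
		case line == "" || strings.HasPrefix(line, ";") || strings.HasPrefix(line, "Windows Registry Editor"):
			continue
		case strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]"):
			current = line[1 : len(line)-1]
			if reg[current] == nil {
				reg[current] = map[string]string{}
			}
		default:
			parts := strings.SplitN(line, "=", 2)
			if len(parts) != 2 || current == "" {
				continue
			}
			reg[current][strings.Trim(parts[0], `"`)] = parts[1]
		}
	}
	return reg
}

// Dword decodes a "dword:xxxxxxxx" value; ok is false for other value types.
func Dword(raw string) (uint32, bool) {
	if !strings.HasPrefix(raw, "dword:") {
		return 0, false
	}
	v, err := strconv.ParseUint(strings.TrimPrefix(raw, "dword:"), 16, 32)
	return uint32(v), err == nil
}

const servicesKey = `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\`

// Services the article says Conficker.B disables. The internal names are an
// assumption drawn from standard Windows installations; the article gives
// only the display names.
var defenceServices = []struct{ name, display string }{
	{"wuauserv", "Windows Automatic Update Service"},
	{"BITS", "Background Intelligent Transfer Service"},
	{"wscsvc", "Windows Security Center Service"},
	{"WinDefend", "Windows Defender Service"},
	{"ERSvc", "Windows Error Reporting Service"},
}

// Findings lists the indicators present in the parsed export. Reading from a
// missing key yields a nil map, which indexes safely to "".
func Findings(reg Registry) []string {
	var out []string
	if v, ok := Dword(reg[servicesKey+`Tcpip\Parameters`]["TcpNumConnections"]); ok {
		if v == 0x00FFFFFE {
			out = append(out, "TcpNumConnections = 0x00FFFFFE (value the article attributes to Conficker)")
		} else {
			out = append(out, fmt.Sprintf("TcpNumConnections present (0x%08X): non-default tuning", v))
		}
	}
	for _, s := range defenceServices {
		// Start=4 is the Windows service start type "Disabled".
		if start, ok := Dword(reg[servicesKey+s.name]["Start"]); ok && start == 4 {
			out = append(out, s.display+" ("+s.name+") disabled: Start=4")
		}
	}
	return out
}

func main() {
	for _, f := range Findings(ParseRegExport(sampleExport)) {
		fmt.Println("indicator:", f)
	}
}
```

On the constructed sample this reports three indicators (the connection limit and two disabled services); WinDefend, left at Start=2, is not flagged. Neither indicator is proof of Conficker on its own, but together with a service running under svchost that nobody recognises they justify pulling the host for a closer look.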


    The main change concerns only the domain generation mechanism, which is why some antivirus companies call this version B++. In response to the Conficker Working Group's initiative to reserve the domain names that Conficker generates with its pseudo-random algorithm, the developers raised their number from 250 to 50,000 per day, which nullified attempts to register them daily. Generation now used 8 top-level-domain suffixes (instead of 5), and of the 50,000 names each bot chose 500; this meant that about 1% of all infected computers connected on any given day, which reduced the load on the control centre. Taking the figure of 10 million, for example, this means the server was in effect subjected to a DDoS attack from 100,000 computers.
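The domain-generation arithmetic in this section and in the description of version A above is easier to follow in code. The Go program below is an added example written for this page, not Conficker's actual generation algorithm, which the article does not give: it uses a generic date-seeded generator with placeholder suffixes and reproduces the numbers the article quotes, 250 names per day for version A versus 50,000 per day of which each bot queries 500 for version C, to show why daily pre-registration stopped being feasible and why 1% of 10 million bots (100,000) still reach a registered name each day.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/rand"
	"time"
)

// Constructed suffix list; the article gives counts (5, then 8, then 110),
// not the actual suffixes, so these are placeholders.
var SuffixesA = []string{".com", ".net", ".org", ".info", ".biz"}

// Day builds a UTC date for the given year, month and day.
func Day(year, month, day int) time.Time {
	return time.Date(year, time.Month(month), day, 0, 0, 0, 0, time.UTC)
}

// dailySeed derives the same seed on every bot for a given date. The real
// derivation is not on the page; this is a generic date-keyed construction.
func dailySeed(date time.Time) int64 {
	h := sha256.Sum256([]byte("illustrative-dga:" + date.UTC().Format("2006-01-02")))
	return int64(binary.LittleEndian.Uint64(h[:8]))
}

// Candidates returns the n domain names every bot derives for the date.
func Candidates(date time.Time, n int, suffixes []string) []string {
	r := rand.New(rand.NewSource(dailySeed(date)))
	out := make([]string, n)
	for i := range out {
		label := make([]byte, 8+r.Intn(4))
		for j := range label {
			label[j] = 'a' + byte(r.Intn(26))
		}
		out[i] = string(label) + suffixes[r.Intn(len(suffixes))]
	}
	return out
}

// PerBotSample models version C: each bot queries only k of the n candidates,
// picked with its own random draw (botSeed), so one bot touches k/n of the
// list while the whole population still covers all of it.
func PerBotSample(candidates []string, k int, botSeed int64) []string {
	if k > len(candidates) {
		k = len(candidates)
	}
	r := rand.New(rand.NewSource(botSeed))
	out := make([]string, k)
	for i, idx := range r.Perm(len(candidates))[:k] {
		out[i] = candidates[idx]
	}
	return out
}

// Load is the arithmetic the article states: with bots infected hosts each
// contacting k of n candidates, how many reach a single registered name on a
// given day, and how many names each side must register.
type Load struct {
	ContactsPerDay int // bots expected to reach the operator's one registered name
	DefenderRegs   int // names a defender must register that day to deny all of them
	OperatorRegs   int // names the operator needs that day
}

func DailyLoad(bots, k, n int) Load {
	return Load{
		ContactsPerDay: int(int64(bots) * int64(k) / int64(n)),
		DefenderRegs:   n,
		OperatorRegs:   1,
	}
}

func main() {
	d := Day(2009, 2, 20)
	list := Candidates(d, 50000, SuffixesA)
	fmt.Println("first candidates for", d.Format("2006-01-02"), list[:3])
	fmt.Println("one bot's draw:", PerBotSample(list, 500, 7)[:3])
	fmt.Printf("version A: %+v\n", DailyLoad(10000000, 250, 250))
	fmt.Printf("version C: %+v\n", DailyLoad(10000000, 500, 50000))
}
```

The asymmetry is the whole point: the operator needs one name a day out of n, while a defender trying to sinkhole the botnet needs all n, so raising n from 250 to 50,000 multiplies the defender's daily registration burden by 200 without changing the operator's. Sampling 500 per bot then trims the traffic reaching that one name to k/n of the population, which is the "about 1%" the article quotes.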


    The number of suffixes used for domain generation rose from 8 to 110. A "buffer overflow" bug in the MD6 implementation, introduced by the algorithm's author Ronald Rivest and published on February 19, 2009, was fixed. Self-defence was improved: booting in "safe mode" was disabled, and an attempt was made to terminate the processes of programs whose names contain specified strings (antivirus programs).
    The self-propagation mechanisms were removed entirely, and a peer-to-peer update mechanism was introduced. To receive data from other copies of the worm, two "server" threads are created, one over TCP and one over UDP. An interesting feature of the p2p implementation is that it has no initial peer list, which is usually either embedded in the executable or hosted on public servers; instead Conficker finds its peers by scanning IP addresses. For each address found, it checks whether Conficker is running there and, if so, creates a "client" thread to communicate with the remote copy. During scanning, addresses on a blacklist of antivirus companies' ranges are skipped. Server threads never add the addresses of connecting clients to the peer list; addresses are added only by client threads, and only if the remote copy is the same version as the local one. If the versions differ, the newer one is transferred, either from the server to the client or from the client to the server. The p2p mechanism supports two delivery modes: saving the downloaded file for further "distribution", or running it in the address space as a thread. The latter allows the executable code to be replaced on the fly without ever saving it as a file. Files downloaded from the generated domains, by contrast, are launched and run independently of the running Conficker.


    Once again several innovations were introduced. For example, the procedure that scans for IP addresses to infect and pushes updates (through the P2P mechanism) estimates the available Internet bandwidth and throttles its propagation and scanning activity accordingly, so as not to attract the attention of LAN administrators. Another feature is a change in the network infrastructure used for propagation. The infection algorithm requires the victim host, after the MS08-067 exploit has fired, to initiate a connection back to the infecting host in order to download the Conficker code. Firewalls built into modems and routers usually block this, and in addition infected computers are most likely behind NAT. Therefore Conficker first discovers the gateways on the local network: it runs its own SSDP server that broadcasts messages across the network, and a network device supporting SSDP answers. Having found the gateway this way, the worm reconfigures it via UPnP to open a channel that the gateway will pass in the reverse direction (from the external network inwards), and infects other computers through this channel.
    Propagation by exploiting the MS08-067 vulnerability was brought back.
    Conficker.E deleted itself if the current date was May 3, 2009 or later, but left the previous version on the computer.
    Finally, "monetisation" began with this version; two kinds of malware were downloaded for it. The first is the fake antivirus Spyware Protect 2009, downloaded from servers located in Ukraine; once started, it periodically reports viruses found on the system and offers to buy its paid full version, which can supposedly remove them. The second is the Waledac Trojan, known as Iksma in Kaspersky Lab's classification, discovered in January 2009. Waledac's main functions are identity theft and sending spam. In February 2010, a federal court in Virginia ruled in Microsoft's favour and allowed it to suspend 277 domains associated with the Waledac botnet's control system. All of these domains were registered in the .com zone, operated by the American company VeriSign.


    Analysing Conficker leaves highly mixed feelings. On the one hand, an extremely high level of engineering thought. On the other, the "payload" that was ultimately distributed does not at all match the fact that the attackers had every opportunity to install an arbitrarily large number of malicious programs on the target computers, including for stealing payment system accounts. In other words, a cannon fired at sparrows. It appears the developers mainly pursued research goals. Whether Ukraine is the birthplace of this malware is still unclear. Some researchers note that a working exploit for MS08-067 first appeared in China and that its code is reproduced almost completely in Conficker. The Vietnamese computer security company BKIS claims that Conficker was created in China: its experts reached this conclusion after analysing the code, which has much in common with the Nimda worm, the cause of the 2001 epidemic, and Nimda is assumed to have been developed in China because indications of that country were found in its code. Officially, this has not been confirmed.


    Symantec analytical report "The Downadup Codex", edition 2.0 (eng, pdf);
    analysis of the operation of versions A, B, B++ (C) from SRI International: An Analysis of Conficker's Logic and Rendezvous Points (eng, htm);
    functional analysis of version C (D) from SRI International: Conficker C Analysis (eng, htm);
    description of the peer-to-peer mechanism from SRI International: Conficker C P2P Reverse Engineering Report (eng, htm).
