Conficker

Notification Type: IBM Internet Security Systems Protection Alert
Notification Date: January 22, 2009
Notification Version: 1.8
   
Name: Conficker
Aliases: Downadup, Kido
Classification(s): worm, bot
CVE: CVE-2008-4250
Description:

The Conficker worm is building a bot framework that might be used for spam or stealing confidential information from endpoints.

Analysis provided by: Mark Yason, IBM X-Force

 

ISS Coverage

Product                                            | Content Version
Proventia Network IDS, Proventia Network IPS,      | 28.160
Proventia Network MFS, Proventia Server (Linux),   | 29.031
RealSecure Network, RealSecure Server Sensor       |
Proventia Desktop, Proventia Server IPS (Windows)  | 2300
                                                   | 2376
Propagation Techniques                     | ISS Protection Available                  | Release Date
remote exploit                             | MSRPC_Srvsvc_Bo                           | Aug 8, 2006*
                                           | MSRPC_Srvsvc_Path_Bo                      | Oct 27, 2008
Malware/file copy via USB or network share | Proventia Desktop: Malcode-AssumedRat3,   | Dec 2007
                                           | Win32.Worm.Agent, Win32.Worm.Downadup &   |
                                           | Win32.Worm.Downadup.Gen                   |
                                           | Proventia Multifunction: W32/Confick &    |
                                           | W32/ConfDr-Gen                            |

* Pre-emptive coverage for this issue was provided by MSRPC_Srvsvc_Bo (released Aug. 2006). MSRPC_Srvsvc_Path_Bo will identify attacks against this new vulnerability versus older vulnerabilities covered by the pre-emptive signature, MSRPC_Srvsvc_Bo.

Detection Techniques                  | ISS Protection Available      | Release Date
peer-to-peer communications           | Conficker_P2P_Detected*       | Mar 26, 2009
(Conficker C & D/E)                   | Conficker_P2P_Protection*     | Mar 26, 2009
                                      | Conficker_P2P_Data_Transfer*  | Apr 20, 2009
                                      | Conficker_P2P_Exec_Transfer*  | May 12, 2009
remote exploits (Conficker A and B)   | SMB_Empty_Password_Failed     | base product
                                      | SMB_Auth_Failed               |
                                      | MSRPC_Pipe_SAMR               |
                                      | Windows_Access_Error          |
remote exploits (Conficker C)         | SMB_System32_FileWritten      | base product
                                      | TCP_Service_Sweep             |
                                      | UDP_Service_Sweep             |
Network scan                          | ConfickerWorm                 | Apr 2, 2009 (A/B)
                                      |                               | Apr 22, 2009 (C, D/E)

* For additional information related to monitoring and tuning these signatures, contact customer support and ask for KBA 5394.

Detailed Description

Business Impact:

Endpoints are the target of this malware. Although the botnet is not currently active in terms of malicious activity, an update planned for April 1 may result in the incorporation of spam or information-stealing behaviors. Infection means complete compromise of the target system, which may lead to exposure of confidential information, loss of productivity, and further network compromise.

Affected Platforms:

Conficker appears to be built for prevalent Microsoft platforms:

  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

Propagation methods:

Conficker A and B propagate by one or more of the following mechanisms:

  • Exploiting the Windows Server Service Vulnerability (MS08-067)
  • Dropping a copy of itself into network and removable drives
  • Dropping a copy of itself in network shares with weak passwords

General Description:

Conficker A and B were network worms that spread using multiple propagation methods.  Conficker C appears to be focused on maintaining its position on the infected host rather than spreading to new hosts.

Conficker C updated the domain name generation algorithm so that it generates a large number of domain names, making it difficult to block the malcode from downloading files. This new variant also contains a routine that attempts to disable security/monitoring tools and malcode cleanup utilities. Additionally, this new variant includes a P2P capability which allows it to communicate with other infected machines and enables it to send/receive and execute arbitrary and possibly malicious executable code.

Consequences:

• Propagation of the malcode into other machines via exploitation
• Propagation of the malcode into network and removable drives
• Propagation of the malcode into network shares with weak passwords
• Increased UDP traffic to multiple IP addresses via different UDP

Technical Description:

Installation

Once executed, it will drop a copy of itself as:

%System%\%random%.dll

(Where %System% refers to the Windows system folder. On Windows XP and 2003, the Windows system folder is usually C:\Windows\System32; on Windows 2000 it is usually C:\WINNT\System32; and on Windows 95, 98 and ME it is usually C:\Windows\System. %random% refers to a random string.)

If the malcode fails to drop a copy of itself in the %System% folder, it will attempt to drop itself in any of the following directories instead:

• %ProgramFiles%\Movie Maker
• %ProgramFiles%\Internet Explorer
• %AppData%
• %Temp%

(Where %ProgramFiles% refers to the Program Files folder, a typical path is C:\Program Files. The variable %AppData% refers to the folder that serves as a common repository for application-specific data, a typical path is C:\Documents and Settings\username\Application Data. Where %Temp% refers to the temporary files folder).

The malcode then sets the file time of its dropped copy with the file time of “%System%\kernel32.dll”.

Next, it creates a service so that the dropped DLL will be loaded when the system is started. The following registry entries are created when the service is created:

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%key%
  Description = (harvested description from other services)
  DisplayName = %DisplayName%
  ErrorControl = 0x00000000
  ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
  ObjectName = LocalSystem
  Start = 0x00000002
  Type = 0x00000020

 HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%key%\Parameters
  Parameters = (Name of dropped DLL)

Note: %DisplayName% consists of two strings separated by a space. The strings are selected from the following list:

• Audit
• Backup
• Boot
• Browser
• Center  
• Component
• Config  
• Control
• Discovery
• Driver  
• Event
• Framework
• Hardware
• Helper  
• Image   
• Installer
• Logon
• Machine
• Management
• Manager
• Microsoft
• Monitor
• Network
• Notify
• Policy
• Power
• Security
• Server
• Shell
• Storage
• Support
• System
• Task
• Time
• Trusted
• Universal
• Update
• Windows

%key% is either a randomly generated string or has the form “%string1%%string2%”, where %string1% is selected from the following list:
• App
• Audio
• DM
• ER
• Event
• help
• Ias
• Ir
• Lanman
• Net
• Ntms
• Ras
• Remote
• Sec
• SR
• Tapi
• Trk
• W32
• win
• Wmdm
• Wmi
• wsc
• wuau
• xml

And %string2% is selected from the following list:
• access
• agent
• auto
• logon
• man
• mgmt
• mon
• prov
• serv
• Server
• Service
• srv
• svc
• System
• Time

The malcode may also modify the following registry entry to add the created service to the netsvcs service group:
HKEY_LOCAL_MACHINE\Software\Microsoft\WindowsNT\CurrentVersion\Svchost\netsvcs
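A review of a service registry dump for the naming scheme above, as an added example (not code from the alert or from IBM): the dump format, the BASELINE set and the sample entries are constructed. Because the %string1%%string2% pattern is modelled on real service names (wuauserv and Netman both fit it), the check requires a baseline of known netsvcs members rather than the name pattern alone.

```python
# Word lists transcribed from the alert's %string1%, %string2% and %DisplayName% tables.
STRING1 = ["App", "Audio", "DM", "ER", "Event", "help", "Ias", "Ir", "Lanman", "Net",
           "Ntms", "Ras", "Remote", "Sec", "SR", "Tapi", "Trk", "W32", "win", "Wmdm",
           "Wmi", "wsc", "wuau", "xml"]
STRING2 = ["access", "agent", "auto", "logon", "man", "mgmt", "mon", "prov", "serv",
           "Server", "Service", "srv", "svc", "System", "Time"]
DISPLAY_WORDS = {"Audit", "Backup", "Boot", "Browser", "Center", "Component", "Config",
                 "Control", "Discovery", "Driver", "Event", "Framework", "Hardware",
                 "Helper", "Image", "Installer", "Logon", "Machine", "Management",
                 "Manager", "Microsoft", "Monitor", "Network", "Notify", "Policy",
                 "Power", "Security", "Server", "Shell", "Storage", "Support", "System",
                 "Task", "Time", "Trusted", "Universal", "Update", "Windows"}
# Constructed stand-in for a gold-image baseline of legitimate netsvcs services.
BASELINE = {"wuauserv", "Netman", "BITS", "Schedule", "Browser", "winmgmt"}


def matches_key_pattern(key):
    """True if key is a %string1%%string2% concatenation, case-sensitive as listed."""
    return any(key.startswith(a) and key[len(a):] in STRING2 for a in STRING1)


def matches_display_pattern(display):
    """True if DisplayName is exactly two words from the alert's word list."""
    words = display.split(" ")
    return len(words) == 2 and all(w in DISPLAY_WORDS for w in words)


def suspicious_services(entries):
    """Return [(key, reasons)] for svchost/netsvcs services that look like the dropped one.

    Each entry is a dict with key, DisplayName, ImagePath and Parameters (the DLL path
    the alert says is stored under the Parameters subkey)."""
    hits = []
    for e in entries:
        if "svchost.exe -k netsvcs" not in e["ImagePath"].lower():
            continue
        if e["key"] in BASELINE:   # the name pattern alone matches real services
            continue
        reasons = []
        if matches_key_pattern(e["key"]):
            reasons.append("name is a %string1%%string2% combination")
        if matches_display_pattern(e["DisplayName"]):
            reasons.append("DisplayName is two words from the list")
        if reasons:
            reasons.append("service DLL: " + e["Parameters"])
            hits.append((e["key"], reasons))
    return hits


SAMPLE_DUMP = [   # constructed registry dump, not real data
    {"key": "wuauserv", "DisplayName": "Automatic Updates",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "Parameters": r"%SystemRoot%\system32\wuauserv.dll"},
    {"key": "Iasagent", "DisplayName": "Hardware Policy",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "Parameters": r"%SystemRoot%\system32\uqzkxlw.dll"},
    {"key": "Spooler", "DisplayName": "Print Spooler",
     "ImagePath": r"%SystemRoot%\system32\spoolsv.exe", "Parameters": ""},
]
```

On a real host, any service the review flags should be confirmed by the DLL named under Parameters (random name, kernel32.dll timestamp, or one of the fallback folders above) rather than by the name alone.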

If the malcode failed to create the service, it will create the following autostart registry entries instead:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
 %random% = rundll32.exe “(Name of dropped DLL)”,%random%

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
 %random% = rundll32.exe “(Name of dropped DLL)”,%random%

The malcode also has the capability to inject itself into the following processes:

• svchost.exe
• explorer.exe
• services.exe

The malcode also sets the following registry entry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
 CheckedValue = 0

The malcode also stops and disables the following services:

• wuauserv – “Automatic Updates”
• BITS – “Background Intelligent Transfer Service”
• WinDefend – “Windows Defender”
• wscsvc – “Security Center”
• ERSvc – “Error Reporting Service”
• WerSvc – “Windows Error Reporting Service”

It also deletes the following registry keys/entries:

• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}

And clears the System Restore restore points.

 

Propagation via exploiting the Windows Server Service Vulnerability (MS08-067)

The malcode spreads by both scanning for target machines in the network and generating IP addresses and then attempting to exploit the Windows Server Service Vulnerability (MS08-067) against these target machines. On a successful exploitation, the target machine will download a copy of the malcode from the affected machine via its built-in HTTP server functionality.

 

Propagation via network shares

Additionally, the malcode attempts to propagate by dropping a copy of itself into network shares with weak passwords. It does this by enumerating machines in the network, attempting to connect to them (using a pre-defined list of passwords in addition to passwords generated from the user names of accounts on the target machine), and then dropping a copy of itself in the following folder:

\\(target machine)\ADMIN$\System32\%random%.%random%

Next, the malcode schedules a job on the target machine so that its dropped copy will be executed.

 

Propagation via network and removable drives

The malcode is also capable of spreading into network and removable drives.
It drops a copy of itself as “%drive%:\RECYCLER\S-%d-%d-%d-%d-%d-%d-%d\%random%.%random%” and then creates the file “%drive%:\autorun.inf” so that its dropped copy will automatically be executed when the drive is accessed. The malcode hides these created files and directories by setting their hidden file attribute.
(Where %drive% refers to the target drive and %d refers to a random number)
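An added example (not from the alert) that scans a directory listing for the two artifacts just described: the listing format (path, attribute string) and the sample entries are constructed. A legitimate RECYCLER folder also has seven numbers after S-, so the scan requires the root autorun.inf as well as the drop path before it flags a drive.

```python
import re
from collections import defaultdict

# Drop path from the alert: %drive%:\RECYCLER\S-%d-%d-%d-%d-%d-%d-%d\%random%.%random%
DROP_RE = re.compile(
    r"^(?P<drive>[A-Za-z]:)\\RECYCLER\\S(?:-\d+){7}\\(?P<file>[^\\]+\.[^\\]+)$", re.I)
AUTORUN_RE = re.compile(r"^(?P<drive>[A-Za-z]:)\\autorun\.inf$", re.I)


def is_drop_path(path):
    """True if the path has the RECYCLER\\S-<7 numbers>\\name.ext shape."""
    return DROP_RE.match(path) is not None


def flag_drives(listing):
    """Return {drive: reasons} for drives carrying both artifacts.

    listing: iterable of (path, attribute string); 'H' in the attributes means hidden."""
    seen = defaultdict(lambda: {"autorun": None, "drops": []})
    for path, attrs in listing:
        hidden = "H" in attrs.upper()
        m = AUTORUN_RE.match(path)
        if m:
            seen[m.group("drive").upper()]["autorun"] = hidden
            continue
        m = DROP_RE.match(path)
        if m:
            seen[m.group("drive").upper()]["drops"].append((m.group("file"), hidden))
    flagged = {}
    for drive, info in seen.items():
        # a RECYCLER subfolder alone is normal; require the root autorun.inf as well
        if info["autorun"] is None or not info["drops"]:
            continue
        reasons = ["root autorun.inf" + (" (hidden)" if info["autorun"] else "")]
        reasons += [f"RECYCLER drop {name}" + (" (hidden)" if h else "")
                    for name, h in info["drops"]]
        flagged[drive] = reasons
    return flagged


SAMPLE_LISTING = [   # constructed directory listing, not real data
    (r"E:\autorun.inf", "RHS"),
    (r"E:\RECYCLER\S-3-9-51-1837265002-4721893370-227189334-1801\qzlmxo.tvd", "RHS"),
    (r"E:\holiday.jpg", "A"),
    (r"F:\RECYCLER\S-1-5-21-1085031214-1202660629-725345543-1003\Dc3.txt", "H"),
    (r"F:\report.docx", "A"),
]
```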

 

Prevents Access to Antivirus and Security Websites

The malcode prevents access to antivirus and security websites by blocking DNS query requests for domain names with the following strings:

• activescan
• adware
• agnitum
• ahnlab
• anti-
• antivir
• arcabit
• av-sc
• avast
• avg.
• avgate
• avira
• avp.
• bdtools
• bit9.
• bothunter
• ca.
• castlecops
• ccollomb
• centralcommand
• cert.
• clamav
• comodo
• computerassociates
• conficker
• cpsecure
• cyber-ta
• defender
• downad
• drweb
• dslreports
• emsisoft
• enigma
• esafe
• eset
• etrust
• ewido
• f-prot
• f-secure
• fortinet
• free-av
• freeav
• gdata
• gmer.
• grisoft
• hackerwatch
• hacksoft
• hauri
• ikarus
• jotti
• k7computing
• kaspersky
• kav.
• kido
• llnw.
• llnwd.
• malware
• mcafee
• microsoft
• mirage
• mitre.
• ms-mvp
• msdn.
• msft.
• msftncsi
• msmvps
• mtc.sri
• nai.
• networkassociates
• nod32
• norman
• norton
• onecare
• panda
• pctools
• precisesecurity
• prevx
• ptsecurity
• quickheal
• removal
• rising
• rootkit
• safety.live
• sans.
• securecomputing
• secureworks
• sophos
• spamhaus
• spyware
• sunbelt
• symantec
• technet
• threat
• threatexpert
• trendmicro
• trojan
• vet.
• virscan
• virus
• wilderssecurity
• windowsupdate

This is done by the malcode by patching the following dnsapi.dll functions: DnsQuery_A(), DnsQuery_UTF8(), DnsQuery_W(), Query_Main() and the following ws2_32.dll function: sendto(). The patching is performed by the malcode while injected inside the service process which handles DNS query requests.

 

Termination of Security/Monitoring Tools and Malcode Cleanup Utilities

The malcode attempts to terminate security/monitoring tools and malcode cleanup utilities by regularly checking for and terminating processes with the following strings in their name:

• autoruns
• avenger
• bd_rem
• cfremo
• confick
• downad
• filemon
• gmer
• hotfix
• kb890
• kb958
• kido
• kill
• klwk
• mbsa.
• mrt.
• mrtstub
• ms08-06
• procexp
• procmon
• regmon
• scct_
• stinger
• sysclean
• tcpview
• unlocker
• wireshark

 

Prevents Re-infection By Patching netapi32!NetpwPathCanonicalize()

To prevent re-infection of an affected machine through exploitation of the Windows Server Service vulnerability, the malcode patches the NetpwPathCanonicalize() function of netapi32.dll in memory.

 

Downloading Capability

The malcode has the capability to download and execute an arbitrary file. Before downloading the file, it checks whether the date is January 1, 2009 or later; if it is, it generates 250 domain names with the following form:

%name%.%TLD%

Where %name% is generated by the malcode and %TLD% is selected from any of the following:

• cc
• cn
• ws
• com
• net
• org
• info
• biz

Next, it will generate a URL with the following form:

http://(Resolved IP address of generated domain name)/search?q=%number%

And then download a file from the generated URL and execute it afterwards.
Newer variants discovered in March 2009 check whether the date is April 1, 2009 or later; if it is, they generate 50,000 domain names where %TLD% is selected from the following list:

• ac
• ae
• ag
• am
• as
• at
• be
• bo
• bz
• ca
• cd
• ch
• cl
• cn
• co.cr
• co.id
• co.il
• co.ke
• co.kr
• co.nz
• co.ug
• co.uk
• co.vi
• co.za
• com.ag
• com.ai
• com.ar
• com.bo
• com.br
• com.bs
• com.co
• com.do
• com.fj
• com.gh
• com.gl
• com.gt
• com.hn
• com.jm
• com.ki
• com.lc
• com.mt
• com.mx
• com.ng
• com.ni
• com.pa
• com.pe
• com.pr
• com.pt
• com.py
• com.sv
• com.tr
• com.tt
• com.tw
• com.ua
• com.uy
• com.ve
• cx
• cz
• dj
• dk
• dm
• ec
• es
• fm
• fr
• gd
• gr
• gs
• gy
• hk
• hn
• ht
• hu
• ie
• im
• in
• ir
• is
• kn
• kz
• la
• lc
• li
• lu
• lv
• ly
• md
• me
• mn
• ms
• mu
• mw
• my
• nf
• nl
• no
• pe
• pk
• pl
• ps
• ro
• ru
• sc
• sg
• sh
• sk
• su
• tc
• tj
• tl
• tn
• to
• tw
• us
• vc
• vn

The malcode randomly selects 500 of the 50,000 generated domain names and uses them to download the file. The download URL it generates has the following form:
 
http://(Resolved IP address of generated domain name)

If the resolved domain IP address is within the range of any of the preconfigured blacklisted IP address blocks, the malcode will not attempt to perform the download.

The malcode connects to the following URLs to retrieve the current date which it uses to generate the domain names:

• http://www.google.com
• http://www.yahoo.com
• http://www.ask.com
• http://www.w3.org
• http://www.facebook.com
• http://www.imageshack.us
• http://www.rapidshare.com
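
An added example (not from the alert) that applies the DNS behaviour described in this section and in the "Prevents Access to Antivirus and Security Websites" section to resolver logs: the log format, the sample lines, the thresholds and the assumption that unregistered generated names return NXDOMAIN are constructed, and the TLD and block-string sets are subsets of the alert's lists. Because the worm suppresses the blocked queries inside the host, the second signal is the absence of any lookups for update or vendor names.

```python
import re
from collections import defaultdict

# TLDs from the alert (A/B list plus a subset of the C list; extend with the full list).
CONFICKER_TLDS = {"cc", "cn", "ws", "com", "net", "org", "info", "biz", "ac", "ae", "ag",
                  "at", "be", "bz", "ca", "ch", "cl", "co.id", "co.il", "co.uk", "co.za",
                  "com.ar", "com.br", "com.mx", "com.tw", "cz", "dk", "es", "fr", "hk",
                  "hu", "ie", "in", "is", "kz", "lu", "me", "my", "nl", "pe", "pk", "pl",
                  "ro", "ru", "sg", "su", "tw", "us", "vn"}
# Subset of the substrings the alert says the worm blocks in DNS queries.
SECURITY_SUBSTRINGS = ["windowsupdate", "microsoft", "symantec", "mcafee", "kaspersky",
                       "sophos", "trendmicro", "avg.", "f-secure", "defender"]
# Constructed resolver log line format: "<timestamp> <client> query <name> <rcode>"
LOG_RE = re.compile(r"^(\S+) (\S+) query (\S+) (NOERROR|NXDOMAIN)$")


def tld_of(name):
    """Two-label TLD (co.uk, com.br) when the alert lists it, otherwise the last label."""
    labels = name.lower().rstrip(".").split(".")
    two = ".".join(labels[-2:])
    return two if len(labels) >= 3 and two in CONFICKER_TLDS else labels[-1]


def would_be_blocked(name):
    """Would the worm's dnsapi.dll patch suppress a query for this name?"""
    return any(s in name.lower() for s in SECURITY_SUBSTRINGS)


def analyse(lines, nx_threshold=20, tld_threshold=5, min_queries=20):
    """Return {client: reasons} for clients whose DNS behaviour matches the alert."""
    stats = defaultdict(lambda: {"nx": set(), "tlds": set(), "sec": 0, "total": 0})
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m: continue
        _, client, name, rcode = m.groups()
        s = stats[client]
        s["total"] += 1
        s["sec"] += would_be_blocked(name)        # vendor/update lookups seen
        if rcode == "NXDOMAIN" and tld_of(name) in CONFICKER_TLDS:
            s["nx"].add(name.lower()); s["tlds"].add(tld_of(name))
    verdict = {}
    for client, s in stats.items():
        reasons = []
        if len(s["nx"]) >= nx_threshold and len(s["tlds"]) >= tld_threshold:
            reasons.append(f"{len(s['nx'])} NXDOMAIN names across {len(s['tlds'])} listed TLDs")
        if s["total"] >= min_queries and s["sec"] == 0:
            reasons.append("no update/security vendor lookups at all (suppressed on host?)")
        if reasons:
            verdict[client] = reasons
    return verdict


def constructed_log():
    """Constructed sample: 10.0.0.7 burns through generated names, 10.0.0.8 is healthy."""
    tlds = ["cc", "ws", "biz", "co.uk", "com.br", "ru", "me"]
    lines = [f"2009-04-01T10:00:{i:02d} 10.0.0.7 query qz{i:03d}vfk.{tlds[i % 7]} NXDOMAIN"
             for i in range(28)]
    lines += [f"2009-04-01T10:05:{i:02d} 10.0.0.8 query host{i}.example.com NOERROR"
              for i in range(22)]
    lines.append("2009-04-01T10:06:00 10.0.0.8 query www.windowsupdate.com NOERROR")
    lines.append("2009-04-01T10:06:01 10.0.0.7 query www.google.com NOERROR")
    return lines
```

The thresholds are starting points for tuning; the 500-of-50,000 selection means an infected host produces far more than 20 failed lookups per day, so raise them if ordinary typo traffic trips the first rule.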

 

P2P Capability

Newer variants discovered in March 2009 include a P2P capability. This capability allows Conficker to communicate with other infected machines.

To facilitate the P2P capability, it spawns several threads which contact peer machines via UDP and TCP ports. It then listens on two TCP and UDP ports and modifies the Windows Firewall configuration so that incoming connections on these TCP and UDP ports are allowed. These open ports receive P2P messages from peer machines.

The P2P messages are encrypted and contain a message code identifying the type of payload, the payload itself, and a checksum of the message. One of the payload types these P2P messages can carry is arbitrary executable code, which is executed on the peer machine that received the message.

The following registry entries are created by the P2P routine to store its internal state:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{%d-%d-%d-%d-%d}\%string%

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{%d-%d-%d-%d-%d}\%string%

Where %d is a hex digit and %string% is a combination of any of the following strings:
• 64
• Adobe
• Agent
• App
• Assemblies
• assembly
• Boot
• Build
• Calendar
• Collaboration
• Common
• Components
• Cursors
• Debug
• Defender
• Definitions
• Digital
• Distribution
• Documents
• Downloaded
• en
• Explorer
• Files
• Fonts
• Gallery
• Games
• Globalization
• Google
• Help
• IME
• inf
• Installer
• Intel
• Inter
• Internet
• Java
• Journal
• Kernel
• L2S
• Live
• Logs
• Mail
• Maker
• Media
• Microsoft
• Mobile
• Modem
• Movie
• MS
• msdownld
• NET
• New
• Office
• Offline
• Options
• Packages
• Pages
• Patch
• Performance
• Photo
• PLA
• Player
• Policy
• Prefetch
• Profiles
• Program
• Publish
• Reference
• Registered
• registration
• Reports
• Resources
• schemas
• Security
• Service
• Setup
• Shell
• Software
• Speech
• System
• Tasks
• Temp
• tmp
• tracing
• twain
• US
• Video
• Visual
• Web
• winsxs
• Works

These strings are also used as the exception rule name in the Windows Firewall configuration for the TCP and UDP ports used by the malcode.

 

Others

The malcode creates a mutex with a random name. It also creates another mutex named “Global\%s-7”; newer variants also create a mutex named “Global\%s-99”. In both, %s refers to a machine ID generated from the machine name.

The malcode also attempts to detect whether it is running in a virtual machine; if it is, it attempts to delete itself or pause execution.

The malcode also connects to the following URLs in order to retrieve the external IP address of the affected machine:

• http://checkip.dyndns.org
• http://www.whatismyip.org
• http://www.whatsmyipaddress.com
• http://www.getmyip.org

References

X-Force Alert: http://www.iss.net/threats/306.html
SRI: http://mtc.sri.com/Conficker/
FrequencyX Blog: http://blogs.iss.net (see posts from late March through April 2009)

Revision History

1.0 Initial publication.
1.1 Added information about downloading functionality.
1.2 Fixed the CVE reference.
1.3 Added information about a more recent variant of Conficker.
1.4 Corrected Proventia Server & Desktop content update versions.
1.5 Added scanner coverage.
1.6 Added new conficker signature to coverage information.
1.7 Added information about Conficker D/E to the coverage information.
1.8 Added new signature planned for release on May 12, 2009.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

About IBM Security Systems

IBM Security Systems include an extensive portfolio of hardware, software solutions, professional and managed services offerings covering the spectrum of IT and business security risks: people and identity, data and information, application and process, network, server and endpoint and physical infrastructure, empowering clients to innovate and operate their businesses on the most secure infrastructure platforms. Through world-class solutions that address risk across the enterprise, IBM helps organizations build a strong security posture that helps reduce costs, improve service, and manage risk. IBM X-Force(R) Research and Development is one of the most renowned commercial security research and development groups in the world. For more information on how to address today's biggest risks, please visit us at ibm.com/security.