Security BB Conficker


Know Your Worm

(conficker)

11/11/2009
FarudBump
Agenda

Ø Introduction – what is Conficker
Ø How Conficker infects & spreads around
Ø How Conficker hides itself
Ø How Conficker stays up to date
Ø What does Conficker actually do?
Ø How to protect against Conficker
Conficker – quick facts

Ø State-of-the-art malware
Ø Highly multithreaded
Ø Applies the latest encryption technologies
Ø Hides itself in the most sophisticated ways
Ø Virtually unstoppable way of updating itself
Ø Targets Windows machines
Ø Originated on November 21st 2008 – exploiting a hole patched on October 23rd 2008
Ø 5 distinct versions “released” (with older versions automatically being updated)
Ø Most probably created by a group located in Ukraine
Ø At least 10 million machines infected
Ø Microsoft offers $250K for information leading to the capture of the creators of Conficker
How Conficker spreads

[Diagram: an attacker machine (already infected) on the left and a Conficker-infected machine on the right, connected over port 445; the text below is recovered from the diagram labels.]

Attacker machine:
Ø Gets its own public IP (via public IP lookup services such as checkip.dyndns.org)
Ø Exploits the Windows RPC vulnerability on the file and printer sharing port (port 445)

Installing itself – some steps (on the newly infected machine):
1 • Starts listening to ports
2 • Generates random IPs (with the exception of Ukraine, unless using Ukrainian keyboard layout)
3 • Blocks DNS lookups to prevent visiting Symantec or Windows Update etc.
4 • “Shuts the door” (fixes the vulnerability) to prevent others from entering
  • Disables anti-virus programs
5 • Opens a reverse connection to download the actual worm from the attacker machine (using the IP from the initial packet)
6 • Creates a peer connection (for future updates propagation)
Repeats step 1 (with its own IP)
How Conficker hides

Ø DLL-based, compressed & encrypted
Ø Injects itself into an existing instance of the standard svchost.exe
Ø It tricks Windows so that it is invisible to DLL viewers
Ø It has a null string name when it registers as a process
Ø It incorporates extensive anti-debugging and anti-reverse-engineering defenses
Ø It gives itself a random name in the Windows system32 directory and sets its timestamp to the same as kernel32
Ø Most importantly, it keeps quiet and patient (as opposed to worms of old, which would clog the connection)
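The timestamp trick on this slide (a random-named DLL in system32 whose timestamp is copied from kernel32) is exactly the kind of thing a defender can look for. The following is an added example, not part of the original slides or of any Conficker analysis tool: it lists DLLs whose modification time matches kernel32.dll to within a second, and builds a constructed fake system32 directory in a temp folder so it runs anywhere. The file names, timestamps and contents in the fixture are all made up for the example.

```python
"""Flag DLLs whose modification timestamp exactly matches kernel32.dll's.

Added example (not from the original slides). A file with a random-looking
name that shares kernel32's timestamp to the second, but is not a known
system file, deserves a closer look. On a real Windows host many servicing
updates stamp files with identical times, so pair this with a known-good
file list (hashes or signature checks) rather than treating a match as proof.
"""
import os
import tempfile
from pathlib import Path


def find_timestamp_clones(system32: Path, reference: str = "kernel32.dll",
                          tolerance_s: float = 1.0) -> list[str]:
    """Return names of DLLs whose mtime is within tolerance_s of the reference DLL."""
    ref_mtime = (system32 / reference).stat().st_mtime
    clones = []
    for p in sorted(system32.iterdir()):
        if p.name.lower() == reference.lower() or p.suffix.lower() != ".dll":
            continue
        if abs(p.stat().st_mtime - ref_mtime) <= tolerance_s:
            clones.append(p.name)
    return clones


def build_fixture() -> Path:
    """Constructed directory: kernel32.dll, two legitimate DLLs with their own
    timestamps, and one random-named DLL whose timestamp is copied from kernel32."""
    root = Path(tempfile.mkdtemp(prefix="fake_system32_"))
    ref_time = 1_200_000_000  # arbitrary constructed epoch timestamp
    (root / "kernel32.dll").write_bytes(b"MZ kernel32 (constructed)")
    os.utime(root / "kernel32.dll", (ref_time, ref_time))
    # legitimate neighbours: timestamps a day later and an hour earlier
    for name, t in (("user32.dll", ref_time + 86_400), ("ws2_32.dll", ref_time - 3_600)):
        (root / name).write_bytes(b"MZ legit (constructed)")
        os.utime(root / name, (t, t))
    # the suspect: random-looking name (constructed), timestamp cloned from kernel32
    (root / "qzxvbn.dll").write_bytes(b"MZ suspect (constructed)")
    os.utime(root / "qzxvbn.dll", (ref_time, ref_time))
    return root


if __name__ == "__main__":
    print(find_timestamp_clones(build_fixture()))  # expected: ['qzxvbn.dll']
```

On a live machine you would point `find_timestamp_clones` at the real system32 path and intersect the result with files that are unsigned or absent from a known-good inventory; the timestamp match alone only narrows the search.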
How Conficker gets updates

[Diagram: the Conficker author's machine on one side and a Conficker-infected machine on the other; the text below is recovered from the diagram labels.]

Conficker author:
A  Creates a new version / payload / any new instruction for Conficker
B  Digitally signs it with the private key (MD6)
C  Registers one of the random domains for future … and uploads the package to the server

Conficker-infected machine:
Ø Generates pseudorandom domains based on the current date – 250 .com, .net, .org, .info, and .biz domains
1  Hits several out of the 250 generated domains to check if there’s anything new
2  Bingo! Hits the right domain
3  Downloads the payload
4  Verifies the payload using the known public key and installs the changes
5  Propagates the new payload to all known peers

As of April 2009, Conficker switched to probing 500 domains from the list of 50,000 pseudo-randomly generated domains.
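The update scheme on this slide cuts both ways: because the domain list depends only on the date, defenders can compute it ahead of time, register or sinkhole the names, and spot infected hosts in DNS logs by the cluster of queries for that day's domains (the payload signature is what prevented anyone else from using those domains to push their own update). The following is an added example, not from the original slides: the generator is a deliberately simplified date-seeded stand-in, not Conficker's real algorithm, and it draws 250 names over the five TLDs the slide lists. The log format and the log lines are constructed for the example.

```python
"""Precompute a day's DGA domain list and match DNS logs against it.

Added example (not from the original slides). generate_domains is a
simplified stand-in for "domains derived from the current date"; the real
Conficker generator is different. The defensive use is the same: the list is
reproducible from the date alone, so it can be built in advance for blocking
or sinkholing, and hosts querying many of the day's names stand out.
"""
import hashlib
from collections import defaultdict
from datetime import date

TLDS = (".com", ".net", ".org", ".info", ".biz")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def generate_domains(day: date, count: int = 250) -> list[str]:
    """Simplified date-seeded generator (assumption: not the real Conficker DGA)."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 4                      # 8..11 letters
        label = "".join(ALPHABET[b % 26] for b in digest[1:1 + length])
        domains.append(label + TLDS[digest[31] % len(TLDS)])
    return domains


def suspicious_clients(log_lines, day: date, threshold: int = 3) -> dict[str, int]:
    """Count, per client, queries for that day's generated domains and return the
    clients at or above threshold.
    Log line format (constructed for this example): '<client_ip> <qname> <rcode>'."""
    wanted = set(generate_domains(day))
    hits = defaultdict(int)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        client, qname, _rcode = parts
        if qname.lower().rstrip(".") in wanted:
            hits[client] += 1
    return {c: n for c, n in hits.items() if n >= threshold}


DAY = date(2009, 4, 1)  # constructed date for the sample


def sample_log() -> list[str]:
    """Constructed DNS log: one host probing five of the day's generated domains,
    another doing ordinary lookups plus a single stray hit (below threshold)."""
    probe = generate_domains(DAY)[:5]
    lines = [f"10.0.0.7 {d} NXDOMAIN" for d in probe]
    lines += ["10.0.0.9 update.microsoft.com NOERROR",
              "10.0.0.9 www.symantec.com NOERROR",
              f"10.0.0.9 {probe[0]} NXDOMAIN"]
    return lines


if __name__ == "__main__":
    print(suspicious_clients(sample_log(), DAY))  # expected: {'10.0.0.7': 5}
```

In practice the day's list would be generated for the dates you care about (including a day either side, to absorb clock skew) and loaded into the resolver's block list or matched against passive-DNS data; the threshold keeps a single accidental hit from raising an alert.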
What does Conficker do? What can it do?

Ø Until recently, Conficker was keeping a low profile – sitting (mostly) dormant, possibly awaiting further instructions
Ø It may change at any moment (as a result of an update)
Ø Starting April 2009 it downloads and installs malware payloads:
  Ø Waledac spambot
  Ø SpyProtect 2009 scareware
Ø The future possibilities are limitless (DDoS, keylogging, click-fraud etc.)
Ø Most importantly – Conficker can avoid server-side fraud detection mechanisms such as IP intelligence, whitelisting of user machines etc.
How to diagnose and protect

Ø Always update your Windows!
Ø Check if Windows Update, Symantec, McAfee, AVG, Kaspersky etc. are reachable*
Ø Use online tools like http://www.confickerworkinggroup.org/infection_test/cfeyechart.html*
Ø Run malware removal tools – e.g. Microsoft Malicious Software Removal Tool [type MRT(.exe) in your command line]

* May stop being a relevant method at any moment
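The reachability check on this slide can be scripted, and the useful signal is selective failure: vendor and update names fail to resolve while an unrelated name still works (if everything fails, the machine is simply offline). The following is an added example, not from the original slides: the resolver is passed in as a parameter so the check runs offline against a constructed fake resolver, and on a real host you would pass `socket.gethostbyname`. The hostname list is illustrative and not taken from the slides, and the IP answers are constructed.

```python
"""Check whether security-vendor and update hostnames still resolve.

Added example (not from the original slides). Conficker blocks DNS lookups
for AV and Windows Update sites, so a host where those names fail while
ordinary names resolve is worth investigating. As the slide's footnote says,
a future update could change the blocked list, so treat this as one
indicator rather than a definitive test.
"""
import socket
from typing import Callable

# Vendor/update hostnames (assumption: illustrative list, not from the slides)
WATCHED_HOSTS = [
    "update.microsoft.com",
    "www.symantec.com",
    "www.mcafee.com",
    "www.avg.com",
    "www.kaspersky.com",
]
CONTROL_HOSTS = ["www.example.com"]  # unrelated name that should resolve normally


def check_reachability(resolve: Callable[[str], str],
                       watched=WATCHED_HOSTS, control=CONTROL_HOSTS) -> dict:
    """Resolve each watched and control name with the supplied resolver and
    report which watched names fail. 'suspicious' is only set when the control
    names work but at least one watched name does not."""
    def resolves(host: str) -> bool:
        try:
            resolve(host)
            return True
        except OSError:  # socket.gaierror is a subclass of OSError
            return False

    blocked = [h for h in watched if not resolves(h)]
    control_ok = all(resolves(h) for h in control)
    return {"blocked": blocked, "control_ok": control_ok,
            "suspicious": control_ok and bool(blocked)}


def fake_resolver_infected(host: str) -> str:
    """Constructed resolver mimicking an infected host: vendor names fail, others work."""
    if any(v in host for v in ("microsoft", "symantec", "mcafee", "avg", "kaspersky")):
        raise socket.gaierror("constructed: lookup blocked")
    return "198.51.100.5"  # constructed answer (TEST-NET-2)


def fake_resolver_clean(host: str) -> str:
    """Constructed resolver for a clean host: everything resolves."""
    return "203.0.113.10"  # constructed answer (TEST-NET-3)


if __name__ == "__main__":
    print(check_reachability(fake_resolver_infected))
    print(check_reachability(fake_resolver_clean))
    # on a real host: print(check_reachability(socket.gethostbyname))
```

Running it with the real resolver on a machine whose proxy or filter already blocks some of these names will also report them as blocked, so confirm against a known-clean host on the same network before drawing conclusions.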

