Worm:Win32/Conficker
Original issue date: November 28, 2008
Updated: January 07, 2009; January 12, 2009; January 21, 2009; February 02, 2009; February 09, 2009; February 18, 2009; February 23, 2009; March 19, 2009; March 31, 2009; April 15, 2009; May 13, 2009
Win32/Conficker is a worm that spreads by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (CVE-2008-4250 / CIVN-2008-170), the flaw addressed by Microsoft Security Bulletin MS08-067. A specially crafted RPC request to the Server service allows unauthenticated remote code execution on hosts where file sharing is enabled, so the worm needs no user interaction to move between unpatched machines.
Once installed and active, the worm listens for connection attempts on a randomly chosen TCP port between 1024 and 10000, opening that port in Windows Firewall through the firewall API rather than disabling the firewall. The exploit payload sent to a target computer instructs it to download a copy of the worm from the attacking host over HTTP on that random port. Once a machine has been infected, the worm patches the exploited function in memory with a simple code hook so that it does not re-infect a machine it has already compromised. This hook is not a fix: the vulnerable file on disk is unchanged, and the MS08-067 update must still be applied after the worm has been removed.
Win32/Conficker disables a number of system services, including Windows Automatic Update, Windows Security Center, Windows Defender, Windows Error Reporting and Internet Connection Sharing.
Conficker.C uses a robust peer-to-peer (P2P) mechanism to distribute cryptographically signed updates to other computers infected with Conficker; because the updates are signed, infected hosts will not accept a replacement payload from anyone who does not hold the authors' private key. The P2P functionality includes a UDP discovery routine that sends UDP traffic to lists of generated IP addresses and ports.
A new polymorphic variant, Conficker.D, infects the local computer, terminates services and blocks access to numerous web sites. This variant does not spread to removable drives or shared folders across a network. Win32/Conficker.D may generate 50,000 domain names per day, from which download URLs are built, but contacts only 500 of them within a 24-hour period. After a successful download and execution from a generated URL, Win32/Conficker.D lies dormant for four days before resuming URL monitoring.
Conficker.E is the latest version of the Conficker worm and ultimately drops Conficker.C on the victim system. It downloads the W32.Waledac trojan and may also download the rogue security tool Spyware Protect 2009. It opens port 5114 and serves as an HTTP server, advertising itself via SSDP requests. Conficker.E is set to delete itself on May 3, 2009. Some of the variants can also spread through corporate networks by infecting USB sticks and by guessing weak passwords on network shares.
It propagates by creating an autorun.inf file on all mapped drives so that its copy is executed automatically as soon as the drive becomes accessible.
Screenshot of the autorun.inf file is pictured below (source: SANS)
When the drive is opened, the AutoPlay window shown below pops up:

The first entry, "Install or run program", is present because the autorun.inf file contains the shellexecute keyword. The text displayed under it comes from the Action keyword, and the icon is extracted from shell32.dll (icon index 4, the standard folder icon), so the entry that actually runs the worm looks like the normal option for opening the folder. Disabling AutoRun/AutoPlay for removable and mapped drives removes this vector.
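The following is an added example, not CERT-In's or SANS's code: a tolerant autorun.inf parser that flags the disguised AutoPlay entry described above. SAMPLE_AUTORUN_INF is a constructed file laid out as the advisory describes (a shellexecute line that runs a DLL under RECYCLER\S-..., an Action label and a shell32.dll folder icon); the directory, DLL and export names in it are made up. The parser deliberately skips any line that is not "[section]" or "key=value", so padding around the real keys does not hide them.

```python
r"""Tolerant autorun.inf parser that flags the disguised AutoPlay entry.

Added example (not CERT-In's or SANS's code). SAMPLE_AUTORUN_INF is constructed
to match the layout the advisory describes; its directory, DLL and export
names are made up.
"""
import re
from typing import Dict, List

# Constructed sample. The junk line stands in for non-key padding; the parser
# skips anything that is not '[section]' or 'key=value'.
SAMPLE_AUTORUN_INF = (
    b"[autorun]\r\n"
    b"\xff\xfe\x00\x13 padding that is not a key\r\n"
    b"Action=Open folder to view files\r\n"
    b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    b"shellexecute=rundll32.exe .\\RECYCLER\\S-1-5-21-1234567890-123456789-1234567890-1003\\ixwfpd.tpw,zsbqxmue\r\n"
    b"UseAutoPlay=1\r\n"
)

# A launch target that runs a DLL, or anything under a RECYCLER\S-... directory.
SUSPICIOUS_TARGET = re.compile(r"(rundll32|\\RECYCLER\\S-\d|\.dll\b)", re.IGNORECASE)
# The folder icon from shell32.dll that makes the worm's entry look like "open folder".
FOLDER_ICON = re.compile(r"shell32\.dll\s*,\s*4\b", re.IGNORECASE)


def parse_autorun(data: bytes) -> Dict[str, str]:
    """Return the [autorun] section as a dict with lower-cased keys, ignoring junk lines."""
    keys: Dict[str, str] = {}
    in_autorun = False
    for raw in data.splitlines():
        line = raw.decode("latin-1").strip()      # never fails, whatever bytes are present
        if line.startswith("[") and line.endswith("]"):
            in_autorun = line.lower() == "[autorun]"
            continue
        if not in_autorun or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip().lower()
        if re.fullmatch(r"[a-z0-9_\\]+", key):     # drop lines whose 'key' is garbage
            keys[key] = value.strip()
    return keys


def assess_autorun(data: bytes) -> List[str]:
    """Describe why this autorun.inf looks like the worm's; empty list means nothing found."""
    keys = parse_autorun(data)
    findings: List[str] = []
    target = keys.get("shellexecute") or keys.get("open")
    if target and SUSPICIOUS_TARGET.search(target):
        findings.append(f"launches a DLL via rundll32 or from a RECYCLER path: {target}")
    if "action" in keys and FOLDER_ICON.search(keys.get("icon", "")):
        findings.append(
            f"AutoPlay entry disguised as a folder: Action={keys['action']!r}, Icon={keys['icon']!r}"
        )
    return findings


if __name__ == "__main__":
    for finding in assess_autorun(SAMPLE_AUTORUN_INF):
        print("suspicious:", finding)
```

Running the script against a real autorun.inf copied from a drive (read it in binary mode) gives the same two findings whenever the launch target is a DLL under RECYCLER and the entry is dressed up with the shell32.dll folder icon; a vendor-supplied autorun.inf that simply runs setup.exe produces none.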
The worm also monitors DNS requests for domains containing certain strings and blocks those lookups, so that the network request appears to time out; this prevents users from updating their security software from those websites.
A newer variant, Conficker B++ (also referred to as C), implements a new backdoor with "auto-update" functionality, allowing additional malicious code to be installed on machines compromised by it.
Aliases
W32.Downadup (Symantec)
W32/Downadup.A (F-Secure)
Conficker.A (Panda Software)
I-Worm.Kido (Quick Heal)
Upon execution, the worm:
- copies itself as the following file:
%System%\[RANDOM FILE NAME].dll
- if it fails to drop a copy into the %System% folder, drops itself into one of the following directories instead:
- %ProgramFiles%\Movie Maker
- %ProgramFiles%\Internet Explorer
- %AppData%
- %Temp%
- deletes any user-created System Restore points
- searches for the Windows executable 'services.exe' and injects itself into it
- registers itself as a service in the "netsvcs" svchost group, with ImagePath: %SystemRoot%\system32\svchost.exe -k netsvcs
- the service may use a display name created by combining two of the following strings (legitimate Windows services such as "Windows Time" also have names of this form, so the display name alone is not proof of infection; the ServiceDll it loads must be checked):
Boot, Center, Config, Driver, Helper, Image, Installer, Manager, Microsoft, Monitor, Network, Security, Server, Shell, Support, System, Task, Time, Universal, Update, Windows
- adjusts the file time of the dropped DLL worm copy to the same as the system's kernel32.dll file time to mask forensic evidence of infection time
- modifies the registry to run the dropped DLL as a service (vcdrlxeu and nxyme.dll below are example random names and differ on every infection):
- HKLM\SYSTEM\CurrentControlSet\Services\vcdrlxeu\
"DisplayName"=0
- HKLM\SYSTEM\ControlSet001\Services\vcdrlxeu\Parameters\"ServiceDll"="<system folder>\nxyme.dll"
- creates the following autostart registry entries if it fails to create the service:
- HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\%random% = rundll32.exe "(Name of dropped DLL)",%random%
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\%random% = rundll32.exe "(Name of dropped DLL)",%random%
- is capable of injecting itself into the following processes:
- svchost.exe
- explorer.exe
- services.exe
- generates hostnames of the form %name%.%TLD%, selecting the TLD from: cc, cn, ws, com, net, org, info, biz
- generates a URL of the form http://(resolved IP address of the generated hostname)/search?q=%number%, downloads a file from it and executes it
- attempts to delete itself or pause execution if it detects that it is running in a virtual machine
- spreads through removable drives and network shares by dropping a copy of itself as "%drive%:\RECYCLER\S-%d-%d-%d-%d-%d-%d-%d\%random%.%random%" (%drive% is the drive letter and %d a random number) and then creating "%drive%:\autorun.inf" so that the dropped copy is executed automatically when the drive is accessed
- disables Windows Vista TCP/IP auto-tuning by executing the following command:
netsh interface tcp set global autotuning=disabled
- deletes registry values for Windows Defender, Windows Security Center (WSC) and the Windows safe-mode services list:
- HKLM\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender, so that Windows Defender no longer starts with the system
- HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}, which prevents WSC notifications or alerts from being displayed when the firewall or security programs are disabled
- HKLM\SYSTEM\CurrentControlSet\Control\SafeBoot, which removes the list of services that run if Windows is started in safe mode
- prevents users from connecting to security sites or online services whose URL contains any of the following strings, by hooking the DNS query functions in DNSAPI.dll inside the processes it has injected; the lookup then fails as if the request had timed out:
virus, spyware, malware, rootkit, defender, microsoft, symantec, norton, mcafee, trendmicro, sophos, panda,
etrust, networkassociates, computerassociates, f-secure, kaspersky, jotti, f-prot, nod32, eset, grisoft, drweb,
centralcommand, ahnlab, esafe, avast, avira, quickheal, comodo, clamav, ewido, fortinet, gdata, hacksoft, hauri,
ikarus, k7computing, norman, pctools, prevx, rising, securecomputing, sunbelt, emsisoft, arcabit, cpsecure,
spamhaus, castlecops, threatexpert, wilderssecurity, windowsupdate, activescan, adware, av-sc, bdtools, mitre., ms-mvp, precisesecurity
- Win32/Conficker.D polls the process list every second and terminates any process whose name contains one of the following strings (so removal and analysis tools should be renamed to something not on this list before they are run on a suspect host):
avenger - kernel-mode security utility
bd_rem - "bd_rem_tool_console.exe" and "bd_rem_tool_gui.exe" removal tools
confick - 'Conficker'
cfremo - Enigma Software "cfremover.exe" program
downad - 'Conficker' alias 'Downadup'
filemon - utility "File Monitor"
gmer - rootkit detection utility
hotfix - security update
kb890 - Microsoft KB article, includes MSRT
kb958 - Microsoft KB article, includes MS08-067
kido - 'Conficker' alias 'Kido'
kill - utility used to terminate other processes
klwk - Kaspersky utility
mbsa. - utility "Microsoft Baseline Security Analyzer"
mrt. - utility "Microsoft Malicious Software Removal Tool"
mrtstub - utility "Microsoft Malicious Software Removal Tool"
ms08-06 - Microsoft Security Update MS08-067
procexp - utility "Process Explorer"
procmon - utility "Process Monitor"
regmon - utility "Registry Monitor"
scct_ - Sophos Conficker Cleanup utility
stinger - McAfee tool
sysclean - Trend Micro utility
tcpview - utility to view TCP connections and traffic
unlocker - utility to unlock locked files or folders
wireshark - network protocol analyzer utility
- queries the following sites to determine the computer's public IP address, and from it its geographic location:
- getmyip.org
- getmyip.co.uk
- checkip.dyndns.org
- www.myipaddress.com
- www.findmyipaddress.com
- www.ipaddressworld.com
- www.findmyip.com
- www.ipdragon.com
- www.whatsmyipaddress.com
- uses UPnP to locate the device registered as the Internet gateway on the network and adds a port mapping for the previously mentioned [RANDOM PORT], so that the compromised computer's HTTP listener is reachable from external networks (an unexplained port mapping on the gateway for a high port on an internal host is therefore worth investigating)
- attempts to download a data file from the following URL:
[http://]www.maxmind.com/download/geoip/database/GeoIP.[REMOVED]
- attempts to contact the following sites to obtain the current date (taken from the HTTP Date header of the response rather than from the local clock, which the worm cannot trust):
- http://www.w3.org
- http://www.ask.com
- http://www.msn.com
- http://www.yahoo.com
- http://www.google.com
- http://www.baidu.com
- uses the date to generate that day's list of domain names and contacts them in an attempt to download additional files onto the compromised computer; because the list depends only on the algorithm and the calendar date, anyone who knows the algorithm can compute the same list in advance and register, block or sinkhole the names
- Conficker.E modifies the following registry entry, setting the maximum number of TCP connections to its highest permitted value:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\"TcpNumConnections" = "00FFFFFE"
- Conficker.E periodically contacts the following sites to check the speed of the current Internet connection:
http://myspace.com
http://msn.com
http://ebay.com
http://cnn.com
http://aol.com
- Conficker.E patches the TCP/IP driver tcpip.sys in memory to raise the limit on concurrent outbound (half-open) connections on the infected computer, which speeds up its scanning for other hosts
- creates a remote scheduled job with the command "rundll32.exe <malware file name>.dll,<malware parameters>" to activate the copy on the remote machine, as shown in the images below (jobs of this form can be listed on each host with the at command):
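The following is an added example, not CERT-In's code, that triages a registry export for the service and Run-key persistence listed above (the netsvcs service with a two-word display name and the rundll32 Run value with a numeric entry point). SAMPLE_REG is a constructed .reg export: the service name vcdrlxeu and DLL name nxyme.dll are the advisory's own example random names, the W32Time and VendorTray entries are made-up benign neighbours, and the allow-list passed to triage() is an assumption of this example.

```python
r"""Triage a .reg export for the service and Run-key persistence the advisory describes.

Added example, not CERT-In's code. SAMPLE_REG is constructed: vcdrlxeu and
nxyme.dll are the advisory's example random names; W32Time and VendorTray are
made-up benign entries; the allow-list is an assumption of this example.
"""
import re
from typing import Dict, List, Set

# Display-name fragments from the advisory; the worm joins two of them.
DISPLAY_WORDS = ["Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
                 "Manager", "Microsoft", "Monitor", "Network", "Security", "Server",
                 "Shell", "Support", "System", "Task", "Time", "Universal", "Update", "Windows"]
_WORDS = "|".join(DISPLAY_WORDS)
_WORD_PAIR = re.compile(rf"^({_WORDS}) ?({_WORDS})$")

SERVICES_PREFIX = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
RUN_KEYS = {r"hkey_local_machine\software\microsoft\windows\currentversion\run",
            r"hkey_current_user\software\microsoft\windows\currentversion\run"}
# rundll32.exe "<dll>",<numeric entry point>  (the Run-key form given in the advisory)
_RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?\s*,\s*(?P<entry>\d+)\s*$', re.I)

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vcdrlxeu]
"DisplayName"="Security Helper"
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vcdrlxeu\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\nxyme.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time]
"DisplayName"="Windows Time"
"ImagePath"="%SystemRoot%\\System32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\w32time.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"83721"="rundll32.exe \"%SystemRoot%\\system32\\nxyme.dll\",83721"
"VendorTray"="rundll32.exe C:\\Program Files\\Vendor\\tray.dll,Start"
'''


def parse_reg(text: str) -> Dict[str, Dict[str, str]]:
    """Map each lower-cased key path to its string values (REG_SZ lines only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and '"="' in line:
            name, _, data = line[1:].partition('"="')
            # .reg files escape backslashes and double quotes with a backslash
            keys[current][name.lower()] = re.sub(r"\\(.)", r"\1", data[:-1])
    return keys


def is_worm_style_name(display_name: str) -> bool:
    """True if the name is exactly two fragments from DISPLAY_WORDS, with or without a space."""
    return _WORD_PAIR.match(display_name.strip()) is not None


def triage(text: str, known_services: Set[str] = frozenset()) -> List[str]:
    """Findings for netsvcs services with a worm-style name, and rundll32 Run values."""
    keys = parse_reg(text)
    allow = {s.lower() for s in known_services}
    findings: List[str] = []
    for path, values in keys.items():
        if path.startswith(SERVICES_PREFIX) and path.count("\\") == SERVICES_PREFIX.count("\\"):
            svc = path[len(SERVICES_PREFIX):]
            image = values.get("imagepath", "").lower()
            name = values.get("displayname", "")
            if "svchost.exe -k netsvcs" in image and is_worm_style_name(name) and svc not in allow:
                dll = keys.get(path + r"\parameters", {}).get("servicedll", "(no ServiceDll)")
                findings.append(f"service {svc} ({name!r}) runs in netsvcs and loads {dll}: verify this DLL")
        elif path in RUN_KEYS:
            for vname, data in values.items():
                m = _RUNDLL.match(data)
                if m and vname.isdigit():
                    findings.append(f"Run value {vname} loads {m['dll']} via rundll32, entry point {m['entry']}")
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_REG, known_services={"W32Time"}):
        print(finding)
```

Without the allow-list the legitimate "Windows Time" service is reported too, which is why the display-name test is only a lead: the flagged ServiceDll should then be checked on disk (the worm sets its timestamp to match kernel32.dll, so a timestamp alone proves nothing either). To use it on a real host, export HKLM\SYSTEM\CurrentControlSet\Services and the two Run keys with regedit or reg export and pass the file contents to triage().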


A list of possible malicious domains are given here
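The following is an added example, not CERT-In's code and not Conficker's real algorithm (the advisory does not give it). It reproduces only the shape described above and in the Conficker.D paragraph: hostnames of the form %name%.%TLD% derived from the calendar date, of which an infected host contacts a subset, and a download URL of the form http://<resolved IP>/search?q=<number>. It then shows the defender's side of the same property: the day's list is precomputed and matched against resolver log lines. The SHA-256 derivation, the function names and the resolver log lines are assumptions of this example.

```python
"""Illustrative date-seeded domain generation, and matching DNS log lines against it.

Added example, not CERT-In's code and NOT Conficker's real algorithm. Only the
shape the advisory describes is reproduced; the hashing scheme, names and log
lines are assumptions of this example.
"""
import hashlib
import random
import string
from typing import Iterable, List, Set

TLDS = ["cc", "cn", "ws", "com", "net", "org", "info", "biz"]   # TLD list from the advisory


def generate_domains(day: str, count: int, tlds: List[str] = TLDS) -> List[str]:
    """Derive `count` hostnames from an ISO date such as '2009-04-01' (illustrative scheme)."""
    names: List[str] = []
    for i in range(count):
        digest = hashlib.sha256(f"{day}:{i}".encode()).digest()
        length = 5 + digest[0] % 7                      # 5..11 letters
        label = "".join(string.ascii_lowercase[b % 26] for b in digest[1:1 + length])
        names.append(f"{label}.{tlds[digest[31] % len(tlds)]}")
    return names


def choose_subset(domains: List[str], k: int, seed: int) -> List[str]:
    """The k names a particular infected host would actually contact that day."""
    return random.Random(seed).sample(domains, k)


def download_url(resolved_ip: str, number: int) -> str:
    """Download URL shape given in the advisory."""
    return f"http://{resolved_ip}/search?q={number}"


def flag_dga_lookups(log_lines: Iterable[str], todays_names: Set[str]) -> List[str]:
    """Return names from '<client> query <name>' log lines that are on today's list."""
    hits: List[str] = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 3 and parts[1] == "query":
            name = parts[2].lower().rstrip(".")       # normalise case and trailing dot
            if name in todays_names:
                hits.append(name)
    return hits


def demo(day: str = "2009-04-01") -> List[str]:
    """Precompute the day's 50,000 names, as a defender would, and scan constructed log lines."""
    todays = generate_domains(day, 50_000)
    contacted = choose_subset(todays, 500, seed=0xC0FFEE)  # one infected host's 500 picks
    log = [                                                # constructed resolver log
        "10.0.0.5 query www.example.com",
        f"10.0.0.7 query {contacted[0]}.",
        "10.0.0.7 query update.example.net",
    ]
    return flag_dga_lookups(log, set(todays))


if __name__ == "__main__":
    print(demo())
```

The point of the example is the symmetry: the worm and the defender run the same deterministic function on the same date, so the 50,000 names can be sinkholed or blocked before any infected host asks for them, and a resolver log can be scored against that day's set without any network access. A real deployment would substitute the published algorithm for the illustrative SHA-256 scheme above and take the date from the same source the worm uses.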
Note: Users are advised to download Conficker removal tools only from the genuine antivirus vendors' websites, because many websites with "Conficker"-related names are being used to serve the Conficker worm in place of genuine removal tools.
In view of the rapid propagation of the Conficker worm, users are advised to implement the following countermeasures:
- apply the MS08-067 security update on all Windows hosts; removing the worm does not patch the vulnerability
- disable AutoRun/AutoPlay for removable and mapped drives, and use strong passwords on network shares
- rename removal and analysis tools before running them, since Conficker.D terminates processes whose names contain the strings listed above
- run one of the free removal tools listed below
Free Removal Tools:
http://support.microsoft.com/kb/962007
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
http://vil.nai.com/vil/stinger/default.aspx
data2.kaspersky-labs.com:8080/special/KidoKiller_v3.1.zip
www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip
References
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
http://www.threatexpert.com/reports.aspx?find=W32.Downadup+&x=0&y=0
http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx
http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.cert-in.org.in/currentacts/currentact.htm#TGAM
http://www.ca.com/securityadvisor/virusinfo/virus.aspx?id=75911
http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
http://www.f-secure.com/weblog/archives/00001574.html
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/224
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225
http://www.quickheal.co.in/alerts-I-Worm-Kido.asp
http://www.winvistaclub.com/s26.html
http://isc.sans.org/diary.html?storyid=5695
http://www.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html
http://support.microsoft.com/kb/962007
http://mtc.sri.com/Conficker
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.C
http://www.us-cert.gov/current/index.html#new_variant_of_conficker_downadup
http://blogs.technet.com/mmpc/archive/2009/02/20/updated-conficker-functionality.aspx
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D
http://www.doxpara.com/?p=1285
http://www.skullsecurity.org/blog/?p=209
http://seclists.org/nmap-dev/2009/q1/0869.html
http://honeynet.org/node/388
http://www.mcafee.com/us/threat_center/conficker.html
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Disclaimer: The information provided herein is on an "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
