Installation
Once executed, it will drop a copy of itself as:
%System%\%random%.dll
(Where %System% refers to the Windows system folder. On Windows XP and 2003 the Windows system folder is usually C:\Windows\System32; on Windows 2000 it is usually C:\WINNT\System32; and on Windows 95, 98 and ME it is usually C:\Windows\System. %random% refers to a random string.)
If the malcode fails to drop a copy of itself in the %System% folder, it attempts to drop itself in one of the following directories instead:
• %ProgramFiles%\Movie Maker
• %ProgramFiles%\Internet Explorer
• %AppData%
• %Temp%
(Where %ProgramFiles% refers to the Program Files folder; a typical path is C:\Program Files. %AppData% refers to the folder that serves as a common repository for application-specific data; a typical path is C:\Documents and Settings\username\Application Data. %Temp% refers to the temporary files folder.)
The malcode then sets the file time of its dropped copy to match the file time of “%System%\kernel32.dll”.
Next, it creates a service so that the dropped DLL will be loaded when the system is started. The following registry entries are created when the service is created:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%key%
Description = (harvested description from other services)
DisplayName = %DisplayName%
ErrorControl = 0x00000000
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
ObjectName = LocalSystem
Start = 0x00000002
Type = 0x00000020
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%key%\Parameters
Parameters = (Name of dropped DLL)
Note: %DisplayName% consists of two strings separated by a space. Both strings are selected from the following list:
• Audit
• Backup
• Boot
• Browser
• Center
• Component
• Config
• Control
• Discovery
• Driver
• Event
• Framework
• Hardware
• Helper
• Image
• Installer
• Logon
• Machine
• Management
• Manager
• Microsoft
• Monitor
• Network
• Notify
• Policy
• Power
• Security
• Server
• Shell
• Storage
• Support
• System
• Task
• Time
• Trusted
• Universal
• Update
• Windows
%key% is either a randomly generated string or has the form “%string1%%string2%”, where %string1% is selected from the following list:
• App
• Audio
• DM
• ER
• Event
• help
• Ias
• Ir
• Lanman
• Net
• Ntms
• Ras
• Remote
• Sec
• SR
• Tapi
• Trk
• W32
• win
• Wmdm
• Wmi
• wsc
• wuau
• xml
and %string2% is selected from the following list:
• access
• agent
• auto
• logon
• man
• mgmt
• mon
• prov
• serv
• Server
• Service
• srv
• svc
• System
• Time
The malcode may also modify the following registry entry to add the created service to the netsvcs service group:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost\netsvcs
If the malcode fails to create the service, it creates the following autostart registry entries instead:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
%random% = rundll32.exe “(Name of dropped DLL)”,%random%
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%random% = rundll32.exe “(Name of dropped DLL)”,%random%
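The service-based persistence described above can be checked for on a suspect machine by comparing every svchost.exe -k netsvcs service against the generator word lists and against a clean baseline. The Python below is an added example written for this page, not code from the original write-up. It runs over a constructed, inline set of service records; the value under \Parameters that names the hosted DLL is referred to by its standard Windows value name, ServiceDll; and the BASELINE mapping and FALLBACK_DIRS fragments are assumptions the analyst would fill in from a known-clean build of the same Windows version. Note that several legitimate service names (Netman, xmlprov, wuauserv) also fit the %string1%%string2% scheme, which is why the name pattern alone is only a weak indicator.

```python
from typing import Dict, List, Tuple

# Word lists taken from the write-up: a generated %key% is %string1%%string2%,
# and a generated %DisplayName% is two words from DISPLAY_WORDS separated by a space.
STRING1 = ["App", "Audio", "DM", "ER", "Event", "help", "Ias", "Ir", "Lanman", "Net",
           "Ntms", "Ras", "Remote", "Sec", "SR", "Tapi", "Trk", "W32", "win", "Wmdm",
           "Wmi", "wsc", "wuau", "xml"]
STRING2 = ["access", "agent", "auto", "logon", "man", "mgmt", "mon", "prov", "serv",
           "Server", "Service", "srv", "svc", "System", "Time"]
DISPLAY_WORDS = {
    "Audit", "Backup", "Boot", "Browser", "Center", "Component", "Config", "Control",
    "Discovery", "Driver", "Event", "Framework", "Hardware", "Helper", "Image",
    "Installer", "Logon", "Machine", "Management", "Manager", "Microsoft", "Monitor",
    "Network", "Notify", "Policy", "Power", "Security", "Server", "Shell", "Storage",
    "Support", "System", "Task", "Time", "Trusted", "Universal", "Update", "Windows",
}
GENERATED_KEYS = {(a + b).lower() for a in STRING1 for b in STRING2}

# Constructed baseline (assumption): lower-case service name -> expected DLL file name,
# taken from a known-clean machine. Deliberately tiny so the example runs stand-alone.
BASELINE = {"wuauserv": "wuauserv.dll", "bits": "qmgr.dll", "netman": "netman.dll"}

# Fallback drop directories named in the write-up, as lower-case path fragments.
FALLBACK_DIRS = ("\\movie maker\\", "\\internet explorer\\",
                 "\\application data\\", "\\temp\\")


def key_matches_generator(name: str) -> bool:
    """True if the service key could have been produced by the %string1%%string2% scheme."""
    return name.lower() in GENERATED_KEYS


def display_name_generated(display: str) -> bool:
    """True if the display name is exactly two words from the generator's word list."""
    words = display.split()
    return len(words) == 2 and all(w in DISPLAY_WORDS for w in words)


def assess_service(svc: Dict[str, str]) -> List[Tuple[int, str]]:
    """Return (weight, reason) indicators for one service; empty list means nothing seen."""
    reasons: List[Tuple[int, str]] = []
    if "svchost.exe -k netsvcs" not in svc.get("ImagePath", "").lower():
        return reasons  # the persistence described in the write-up always uses this host
    name = svc["Name"].lower()
    dll_path = svc.get("ServiceDll", "")
    dll_base = dll_path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if key_matches_generator(name) and name not in BASELINE:
        reasons.append((1, "service name fits %string1%%string2% and is not in the baseline"))
    if display_name_generated(svc.get("DisplayName", "")):
        reasons.append((1, "display name is two words from the generator list"))
    if name in BASELINE and BASELINE[name] != dll_base:
        reasons.append((2, "ServiceDll %r differs from baseline %r" % (dll_base, BASELINE[name])))
    if any(d in dll_path.lower() for d in FALLBACK_DIRS):
        reasons.append((2, "ServiceDll lives in one of the fallback drop directories"))
    return reasons


def score(reasons: List[Tuple[int, str]]) -> int:
    """Sum of indicator weights."""
    return sum(w for w, _ in reasons)


def triage(services: List[Dict[str, str]], threshold: int = 2) -> Dict[str, List[str]]:
    """Map service name -> reason texts for every service scoring at least `threshold`."""
    hits: Dict[str, List[str]] = {}
    for svc in services:
        reasons = assess_service(svc)
        if score(reasons) >= threshold:
            hits[svc["Name"]] = [text for _, text in reasons]
    return hits


# Constructed service records (not from a real machine) used to exercise the checks.
SAMPLE_SERVICES = [
    {"Name": "wuauserv", "DisplayName": "Automatic Updates",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDll": r"%SystemRoot%\system32\wuauserv.dll"},
    {"Name": "Wmisvc", "DisplayName": "Security Manager",           # generated-looking name
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\WINDOWS\system32\rqkzmtep.dll"},
    {"Name": "Netman", "DisplayName": "Network Connections",       # real name, wrong DLL
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Program Files\Movie Maker\kzpwq.dll"},
    {"Name": "Spooler", "DisplayName": "Print Spooler",            # not svchost-hosted
     "ImagePath": r"%SystemRoot%\system32\spoolsv.exe", "ServiceDll": ""},
]

if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_SERVICES).items():
        print(name, "->", "; ".join(reasons))
```

On a live machine the records would come from HKLM\SYSTEM\CurrentControlSet\Services (or a registry hive exported from the affected box), and the Run-key fallback described above should be checked in the same pass, since a machine where service creation failed will carry a rundll32.exe entry instead of a service.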
The malcode also has the capability to inject itself into the following processes:
• svchost.exe
• explorer.exe
• services.exe
The malcode also sets the following registry entry:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
The malcode also stops and disables the following services:
• wuauserv – “Automatic Updates”
• BITS – “Background Intelligent Transfer Service”
• WinDefend – “Windows Defender”
• wscsvc – “Security Center”
• ERSvc – “Error Reporting Service”
• WerSvc – “Windows Error Reporting Service”
It also deletes the following registry keys/entries:
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
• HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
It also clears the System Restore restore points.
Propagation via exploiting the Windows Server Service Vulnerability (MS08-067)
The malcode spreads by scanning for target machines on the network and by generating IP addresses, then attempting to exploit the Windows Server Service Vulnerability (MS08-067) against these targets. On successful exploitation, the target machine downloads a copy of the malcode from the affected machine via the malcode's built-in HTTP server functionality.
Propagation via network shares
Additionally, the malcode attempts to propagate by dropping a copy of itself into network shares protected by weak passwords. It does this by enumerating machines on the network and attempting to connect to them (using a pre-defined list of passwords, in addition to passwords generated from the user names of accounts on the target machine), then dropping a copy of itself in the following folder:
\\(target machine)\ADMIN$\System32\%random%.%random%
Next, the malcode schedules a job on the target machine so that its dropped copy will be executed.
Propagation via network and removable drives
The malcode is also capable of spreading to network and removable drives. It drops a copy of itself as “%drive%:\RECYCLER\S-%d-%d-%d-%d-%d-%d-%d\%random%.%random%” and then creates the file “%drive%:\autorun.inf” so that its dropped copy is executed automatically when the drive is accessed. The malcode sets the hidden attribute on these created files and directories. (Where %drive% refers to the target drive and %d refers to a random number.)
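The drive layout above is easy to sweep for, with one caveat: on NTFS volumes Windows 2000/XP keep a legitimate per-user recycle bin under RECYCLER\S-1-5-21-…, which also has seven dash-separated numbers, so the folder name alone is not enough. The Python below is an added example written for this page, not code from the original write-up. It classifies a directory listing (a constructed, inline list of paths rather than a real drive) and reports a drive only when a file sits under a RECYCLER subfolder whose numbers do not look like an account SID, raising confidence when autorun.inf is present at the same root. The sample file names and SID numbers are constructed.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Layout from the write-up: %drive%:\RECYCLER\S-%d-%d-%d-%d-%d-%d-%d\%random%.%random%
# plus %drive%:\autorun.inf at the root of the same drive.
RECYCLER_FILE = re.compile(
    r"^(?P<drive>[A-Za-z]):\\RECYCLER\\S-(?P<sid>\d+(?:-\d+){6})\\(?P<file>[^\\]+\.[^\\]+)$",
    re.IGNORECASE,
)
AUTORUN_INF = re.compile(r"^(?P<drive>[A-Za-z]):\\autorun\.inf$", re.IGNORECASE)

# Real per-user recycle-bin folders on NTFS are named after the account SID, which for
# local and domain accounts starts S-1-5-21-; the malware's seven numbers are random.
LEGIT_SID_PREFIX = "1-5-21-"


@dataclass
class DriveFindings:
    autorun: bool = False
    suspicious: List[str] = field(default_factory=list)   # files under odd RECYCLER SIDs
    legit_recycler: int = 0                               # files under S-1-5-21-... folders

    @property
    def confidence(self) -> str:
        if not self.suspicious:
            return "none"
        return "likely" if self.autorun else "possible"


def classify_path(path: str) -> Tuple[str, str]:
    """Classify one full path as ('autorun' | 'recycler-random-sid' | 'recycler-legit-sid' | 'other', drive)."""
    m = AUTORUN_INF.match(path)
    if m:
        return "autorun", m.group("drive").upper()
    m = RECYCLER_FILE.match(path)
    if m:
        if m.group("sid").startswith(LEGIT_SID_PREFIX):
            return "recycler-legit-sid", m.group("drive").upper()
        return "recycler-random-sid", m.group("drive").upper()
    return "other", ""


def find_drive_droppers(listing: List[str]) -> Dict[str, DriveFindings]:
    """Group findings per drive letter and return only drives carrying the dropper layout."""
    per_drive: Dict[str, DriveFindings] = {}
    for path in listing:
        kind, drive = classify_path(path)
        if kind == "other":
            continue
        findings = per_drive.setdefault(drive, DriveFindings())
        if kind == "autorun":
            findings.autorun = True
        elif kind == "recycler-random-sid":
            findings.suspicious.append(path)
        else:
            findings.legit_recycler += 1
    return {drive: f for drive, f in per_drive.items() if f.suspicious}


# Constructed directory listing (not from a real infection) used to exercise the checks.
SAMPLE_LISTING = [
    r"E:\autorun.inf",
    r"E:\RECYCLER\S-6-2-38-1042996177-3319988213-770214005-2191\qkxtr.abf",
    r"E:\photos\IMG_0001.jpg",
    r"C:\RECYCLER\S-1-5-21-1004336348-1177238915-682003330-1003\Dc1.txt",   # real recycle bin shape
    r"F:\RECYCLER\S-7-2-19-1182337451-55612221-9923341-8801\wmxrp.lrt",     # no autorun.inf on F:
]

if __name__ == "__main__":
    for drive, findings in sorted(find_drive_droppers(SAMPLE_LISTING).items()):
        print(drive, findings.confidence, findings.suspicious)
```

A real sweep would feed this the output of a recursive directory walk that includes hidden entries, since the write-up says the malware sets the hidden attribute on both the RECYCLER subfolder and autorun.inf; a removable drive formatted FAT normally has no RECYCLER directory at all, so any such folder on a USB stick is worth inspecting regardless of its SID.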
Prevents Access to Antivirus and Security Websites
The malcode prevents access to antivirus and security websites by blocking DNS query requests for domain names with the following strings:
• activescan • adware • agnitum • ahnlab • anti- • antivir • arcabit • av-sc • avast • avg. • avgate • avira • avp. • bdtools • bit9. • bothunter • ca. • castlecops • ccollomb • centralcommand • cert. • clamav • comodo • computerassociates • conficker • cpsecure • cyber-ta • defender • downad • drweb • dslreports • emsisoft • enigma • esafe • eset • etrust • ewido • f-prot • f-secure • fortinet • free-av • freeav • gdata • gmer. • grisoft • hackerwatch • hacksoft • hauri • ikarus • jotti • k7computing • kaspersky • kav. • kido • llnw. • llnwd. • malware • mcafee • microsoft • mirage • mitre. • ms-mvp • msdn. • msft. • msftncsi • msmvps • mtc.sri • nai. • networkassociates • nod32 • norman • norton • onecare • panda • pctools • precisesecurity • prevx • ptsecurity • quickheal • removal • rising • rootkit • safety.live • sans. • securecomputing • secureworks • sophos • spamhaus • spyware • sunbelt • symantec • technet • threat • threatexpert • trendmicro • trojan • vet. • virscan • virus • wilderssecurity • windowsupdate
The malcode does this by patching the following dnsapi.dll functions: DnsQuery_A(), DnsQuery_UTF8(), DnsQuery_W() and Query_Main(), and the following ws2_32.dll function: sendto(). The patching is performed while the malcode is injected inside the service process that handles DNS query requests.
Termination of Security/Monitoring Tools and Malcode Cleanup Utilities
The malcode attempts to terminate security/monitoring tools and malcode cleanup utilities by regularly checking for and terminating processes with the following strings in their name:
• autoruns
• avenger
• bd_rem
• cfremo
• confick
• downad
• filemon
• gmer
• hotfix
• kb890
• kb958
• kido
• kill
• klwk
• mbsa.
• mrt.
• mrtstub
• ms08-06
• procexp
• procmon
• regmon
• scct_
• stinger
• sysclean
• tcpview
• unlocker
• wireshark
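Both the DNS filter and the process-termination list described above work as plain substring matches, which has two practical consequences for a responder: sites the malware never targeted can be blocked as collateral (the term “ca.” also occurs inside “america.com”), and a tool is only terminated while its image name still contains one of the listed fragments. The Python below is an added triage helper written for this page, not code from the original write-up; it reproduces both matches over constructed hostnames and image names. Treating the comparison as case-insensitive is an assumption, since the write-up lists the terms in lower case without stating how the malware compares them.

```python
from typing import Dict, List, Sequence

# Substring lists copied from the write-up.
DNS_BLOCK_TERMS = [
    "activescan", "adware", "agnitum", "ahnlab", "anti-", "antivir", "arcabit", "av-sc",
    "avast", "avg.", "avgate", "avira", "avp.", "bdtools", "bit9.", "bothunter", "ca.",
    "castlecops", "ccollomb", "centralcommand", "cert.", "clamav", "comodo",
    "computerassociates", "conficker", "cpsecure", "cyber-ta", "defender", "downad",
    "drweb", "dslreports", "emsisoft", "enigma", "esafe", "eset", "etrust", "ewido",
    "f-prot", "f-secure", "fortinet", "free-av", "freeav", "gdata", "gmer.", "grisoft",
    "hackerwatch", "hacksoft", "hauri", "ikarus", "jotti", "k7computing", "kaspersky",
    "kav.", "kido", "llnw.", "llnwd.", "malware", "mcafee", "microsoft", "mirage",
    "mitre.", "ms-mvp", "msdn.", "msft.", "msftncsi", "msmvps", "mtc.sri", "nai.",
    "networkassociates", "nod32", "norman", "norton", "onecare", "panda", "pctools",
    "precisesecurity", "prevx", "ptsecurity", "quickheal", "removal", "rising", "rootkit",
    "safety.live", "sans.", "securecomputing", "secureworks", "sophos", "spamhaus",
    "spyware", "sunbelt", "symantec", "technet", "threat", "threatexpert", "trendmicro",
    "trojan", "vet.", "virscan", "virus", "wilderssecurity", "windowsupdate",
]
PROCESS_KILL_TERMS = [
    "autoruns", "avenger", "bd_rem", "cfremo", "confick", "downad", "filemon", "gmer",
    "hotfix", "kb890", "kb958", "kido", "kill", "klwk", "mbsa.", "mrt.", "mrtstub",
    "ms08-06", "procexp", "procmon", "regmon", "scct_", "stinger", "sysclean", "tcpview",
    "unlocker", "wireshark",
]


def matched_terms(name: str, terms: Sequence[str]) -> List[str]:
    """Return every term that occurs as a substring of `name`, in list order.

    Assumption: the comparison is case-insensitive, so the input is lowered first.
    """
    lowered = name.lower()
    return [t for t in terms if t in lowered]


def dns_blocked(hostname: str) -> List[str]:
    """Terms that would cause a DNS query for `hostname` to be dropped by the patched resolver."""
    return matched_terms(hostname, DNS_BLOCK_TERMS)


def process_targeted(image_name: str) -> List[str]:
    """Terms that would cause a process with this image name to be terminated."""
    return matched_terms(image_name, PROCESS_KILL_TERMS)


def explain_failures(hostnames: Sequence[str]) -> Dict[str, List[str]]:
    """Map each hostname that would be blocked to the terms responsible; clean names are omitted."""
    return {h: dns_blocked(h) for h in hostnames if dns_blocked(h)}


# Constructed triage inputs: names a responder might test from an affected machine.
SAMPLE_HOSTS = [
    "www.microsoft.com", "windowsupdate.microsoft.com", "www.sans.org",
    "www.bbcamerica.com",   # collateral: "ca." matches inside "america.com"
    "www.example.org",
]
SAMPLE_IMAGES = ["procexp.exe", "Wireshark.exe", "killswitch.exe", "notepad.exe", "mrt.exe"]

if __name__ == "__main__":
    for host, terms in explain_failures(SAMPLE_HOSTS).items():
        print("blocked:", host, terms)
    for image in SAMPLE_IMAGES:
        print("killed:" if process_targeted(image) else "left alone:", image)
```

The hostname check explains why update and vendor sites fail to resolve from an affected machine while unrelated sites still work, which is itself a useful field indicator; the image-name check is why responders routinely rename their utilities before running them on such a machine, as the termination loop looks only at the process name.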
Prevents Re-infection By Patching netapi32!NetpwPathCanonicalize()
To prevent re-infection of an affected machine through exploitation of the Windows Server Service vulnerability, the malcode patches the NetpwPathCanonicalize() function of netapi32.dll in memory.
Downloading Capability
The malcode has the capability to download and execute an arbitrary file. Before downloading the file, it checks whether the date is on or after January 1, 2009; if it is, it generates 250 domain names with the following form:
%name%.%TLD%
Where %name% is generated by the malcode and %TLD% is selected from any of the following:
• cc
• cn
• ws
• com
• net
• org
• info
• biz
Next, it will generate a URL with the following form:
http://(Resolved IP address of generated domain name)/search?q=%number%
It then downloads a file from the generated URL and executes it. Newer variants discovered in March 2009 check whether the date is on or after April 1, 2009; if it is, they generate 50,000 domain names, with %TLD% selected from the following list:
• ac • ae • ag • am • as • at • be • bo • bz • ca • cd • ch • cl • cn • co.cr • co.id • co.il • co.ke • co.kr • co.nz • co.ug • co.uk • co.vi • co.za • com.ag • com.ai • com.ar • com.bo • com.br • com.bs • com.co • com.do • com.fj • com.gh • com.gl • com.gt • com.hn • com.jm • com.ki • com.lc • com.mt • com.mx • com.ng • com.ni • com.pa • com.pe • com.pr • com.pt • com.py • com.sv • com.tr • com.tt • com.tw • com.ua • com.uy • com.ve • cx • cz • dj • dk • dm • ec • es • fm • fr • gd • gr • gs • gy • hk • hn • ht • hu • ie • im • in • ir • is • kn • kz • la • lc • li • lu • lv • ly • md • me • mn • ms • mu • mw • my • nf • nl • no • pe • pk • pl • ps • ro • ru • sc • sg • sh • sk • su • tc • tj • tl • tn • to • tw • us • vc • vn
The malcode randomly selects 500 of the 50,000 generated domain names and uses them to download the file. The download URL it generates has the following form:
http://(Resolved IP address of generated domain name)
If the resolved domain IP address is within the range of any of the preconfigured blacklisted IP address blocks, the malcode will not attempt to perform the download.
The malcode connects to the following URLs to retrieve the current date, which it uses to generate the domain names:
• http://www.google.com
• http://www.yahoo.com
• http://www.ask.com
• http://www.w3.org
• http://www.facebook.com
• http://www.imageshack.us
• http://www.rapidshare.com
P2P Capability
Newer variants discovered in March 2009 include a P2P capability, which allows Conficker to communicate with other infected machines.
To facilitate the P2P capability, it spawns several threads that contact peer machines over UDP and TCP ports. It then listens on two TCP and UDP ports and modifies the Windows Firewall configuration so that incoming connections on these TCP and UDP ports are allowed. These open ports receive P2P messages from peer machines.
The P2P messages are encrypted and contain a message code that identifies the type of payload the message carries, the payload itself, and a checksum of the message. One of the payload types is arbitrary executable code, which is executed on the peer machine that receives the message.
The following registry entries are created by the P2P routine to store its internal state:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\{%d-%d-%d-%d-%d}\%string%
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\{%d-%d-%d-%d-%d}\%string%
Where %d is a hex digit and %string% is a combination of any of the following strings:
• 64 • Adobe • Agent • App • Assemblies • assembly • Boot • Build • Calendar • Collaboration • Common • Components • Cursors • Debug • Defender • Definitions • Digital • Distribution • Documents • Downloaded • en • Explorer • Files • Fonts • Gallery • Games • Globalization • Google • Help • IME • inf • Installer • Intel • Inter • Internet • Java • Journal • Kernel • L2S • Live • Logs • Mail • Maker • Media • Microsoft • Mobile • Modem • Movie • MS • msdownld • NET • New • Office • Offline • Options • Packages • Pages • Patch • Performance • Photo • PLA • Player • Policy • Prefetch • Profiles • Program • Publish • Reference • Registered • registration • Reports • Resources • schemas • Security • Service • Setup • Shell • Software • Speech • System • Tasks • Temp • tmp • tracing • twain • US • Video • Visual • Web • winsxs • Works
These strings are also used as the exception rule name in the Windows Firewall configuration for the TCP and UDP ports used by the malcode.
Others
The malcode creates a mutex with a random name. It also creates another mutex named “Global\%s-7”; newer variants also create a mutex named “Global\%s-99”, where %s refers to a machine ID derived from the machine name.
The malcode also attempts to detect whether it is running in a virtual machine; if it is, it attempts to delete itself or pause execution.
The malcode also connects to the following URLs in order to retrieve the external IP address of the affected machine:
• http://checkip.dyndns.org
• http://www.whatismyip.org
• http://www.whatsmyipaddress.com
• http://www.getmyip.org