
Conficker: a cannon against sparrows

Conficker is a family of malicious software belonging to the category of worms. Conficker is the name most often used in the press; it was formed by rearranging parts of the trafficconverter.biz domain that the first version of the malware used, although according to another version the name derives from the English word "configuration" and the German word "ficker" (English equivalent: fucker). Foreign antivirus companies use the name Downadup, and Kaspersky Lab's classification uses Kido. The first samples were discovered in November 2008. As of January 2009, approximately 9 million computers worldwide were affected. Such a large number is due to its use of the MS08-067 vulnerability in the Server service of Microsoft Windows for automatic propagation. It should be noted that by the time of the outbreak, Microsoft had already released a security update that addresses this vulnerability. However, the fact that ordinary users, as a rule, pay little attention to keeping the operating system constantly updated (partly because of the use of pirated copies) played an important role. Unfortunately, disregard for computer security was once again demonstrated in practice. In April 2009, the size of the botnet was estimated at 3.5 million.
There are five major modifications of Conficker, denoted by the letters A (November 21, 2008), B (December 29, 2008), C (February 20, 2009), D (March 4, 2009) and E (April 7, 2009). The terminology of some antivirus companies uses the names A, B, B++, C and D, respectively.

Conficker.A

The malware code is compiled as a Windows dynamic library (PE DLL file) and packed with UPX. Its copies are given the creation and modification dates of the kernel32.dll file, so that they cannot be spotted by sorting files by date. Depending on the version of the operating system, it uses different methods of starting automatically at the next system boot. If Windows 2000 is installed, the code is injected into the services.exe process. Otherwise, a service named netsvcs is created and launched via svchost.exe.
This version contained only one propagation method: exploitation of the vulnerability in the Server service (MS08-067). For this, Conficker starts an HTTP server on a random TCP port, which is then used to deliver itself to other computers. Conficker obtains a list of IP addresses of computers in the network neighbourhood by scanning. To ensure rapid propagation across the network, the worm raises the allowed number of network connections in the system by modifying the in-memory image of the tcpip.sys system driver and by setting the parameter `TcpNumConnections = dword:0x00FFFFFE` in the registry key `HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`. It then attacks remote computers: a specially crafted RPC request is sent, which causes a buffer overflow when the wcscpy_s function is called in the netapi32.dll library. As a result, control is transferred to a loader, which downloads Conficker from the infecting computer and launches it. To prevent the MS08-067 vulnerability from being reused (so that the computer cannot be infected by other malicious programs), Conficker hooks the call to the NetpwPathCanonicalize function of netapi32.dll, preventing the buffer overflow and in effect implementing hot patching (a fix applied without rebooting, although no actual patch is installed).
The name of the command and control center is not fixed: 250 domains are generated daily by a pseudo-random algorithm, spread over 5 top-level domains. The creators thereby tried to protect themselves against anti-virus company staff blacklisting the command center's addresses and cutting off control. Conficker attempts to receive commands to download and launch other malware from the Internet. In addition, it contacts the domain trafficconverter.biz and tries to download and execute from it a file with the fixed name loadadv.exe.
To protect the downloaded files against substitution, cryptographic algorithms with encryption and digital signatures were used. A 512-bit SHA-1 hash was calculated for the downloaded file and then used as the key for RC4 encryption; the same hash was digitally signed with RSA using a 1024-bit key. Unlike the subsequent versions, it contained no self-defense functions.
It has been suggested that Conficker was developed in Ukraine, since Conficker.A checks for the presence of a Ukrainian keyboard layout and self-destructs in that case. In addition, the GeoIP database is downloaded from the maxmind.com website and, while scanning, the Ukrainian addresses identified with its help are not infected. In the following versions this functionality was no longer present.

Conficker.B

In this version, two more propagation mechanisms were added to expand the "habitat": through network shares (directories) protected by "weak" passwords, and through infection of USB flash media launched via autorun.inf. Conficker tries to connect to a remote computer as an administrator, trying passwords one by one from a list embedded in the code. If a password matches, the worm file is copied to the remote computer and a Task Scheduler job is created to start it as a service using regsvr32. For autorun from USB flash media, an obfuscated autorun.inf file is created, and the DLL itself is placed in the hidden RECYCLER directory under a random name with the vmx extension.
The cryptographic protection of downloaded files against modification was changed: MD6 (the newest algorithm at that time, developed in 2008) was used for hashing, and the RSA key length was increased to 4096 bits. The code clearly shows the authors' desire to eliminate every potential opportunity to exploit a "buffer overflow" vulnerability or a weakness in the implementation of the cryptographic algorithms.
This version introduced self-defense features. In particular, the following services were disabled: Windows Automatic Update Service; Background Intelligent Transfer Service; Windows Security Center Service; Windows Defender Service; Windows Error Reporting Service. This disabled the operating system's update mechanism, through which Microsoft's specialized removal tools could have been installed. Hooks were installed on the following functions of the dnsrslvr.dll library: DNS_Query_A; DNS_Query_UTF8; DNS_Query_W; Query_Main; SendTo; NetpwPathCanonicalize; InternetGetConnectedState. The names of resources requested through the DNS service were filtered in order to deny access to a specific list of domains. This blocked the user's access to the main sites from which antivirus database updates or special malware removal utilities could be downloaded.

Conficker.C

The main change concerns only the domain generation mechanism, which is why some antivirus companies call this version B++. In response to the Conficker Working Group's initiative of reserving the domain names generated by Conficker's pseudo-random algorithm, the developers increased their number from 250 to 50,000 per day, which made attempts to register them all daily futile. For the generation, 8 top-level domains were used (instead of 5), and each copy chose 500 out of the 50,000, which meant that about 1% of all infected computers connected daily and thus reduced the load on the control center. For example, taking the figure of 10 million infected computers, the server was in effect subjected to a DDoS attack from 100,000 computers.
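As an added illustration (not from the article, and not Conficker's actual code, which the article does not give) of the domain-generation trade-off described for versions A and C: a hypothetical date-seeded DGA model in Python. The TLD lists, the salt and the label format are constructed assumptions; what carries over from the text is the deterministic daily set, the 250 versus 50,000 candidates and the 500-domain per-bot sample, which also lets a defender who knows the algorithm precompute the day's domains for sinkholing.

```python
import hashlib
import random

# Hypothetical model of a date-seeded domain generation algorithm (DGA).
# It is NOT Conficker's real algorithm (the article does not give it); it only
# reproduces the properties described: a deterministic daily candidate set,
# a fixed set of top-level domains, and a per-bot sample of the candidates.
TLDS_A = ["com", "net", "org", "info", "biz"]      # 5 TLDs (A/B): constructed list
TLDS_C = TLDS_A + ["ws", "cn", "cc"]               # 8 TLDs (C):   constructed list
ALPHABET = "abcdefghijklmnopqrstuvwxyz"

def daily_seed(day: str, salt: bytes = b"example-dga") -> int:
    """Integer seed derived from an ISO date ("2009-03-01"); a defender who
    knows the algorithm recomputes the same seed and so the same domains."""
    digest = hashlib.sha256(salt + day.encode()).digest()
    return int.from_bytes(digest[:8], "big")

def generate_domains(day: str, count: int, tlds: list) -> list:
    """Deterministically generate the day's `count` candidate C&C domains."""
    rng = random.Random(daily_seed(day))
    domains = []
    for _ in range(count):
        label = "".join(rng.choice(ALPHABET) for _ in range(rng.randint(5, 11)))
        domains.append(f"{label}.{rng.choice(tlds)}")
    return domains

def bot_sample(day: str, bot_id: int, count: int, pick: int, tlds: list) -> list:
    """A single bot contacts only `pick` of the `count` candidates; the choice
    depends on the bot, so the load spreads over the whole set."""
    candidates = generate_domains(day, count, tlds)
    rng = random.Random(daily_seed(day) ^ bot_id)
    return rng.sample(candidates, pick)

def expected_daily_contacts(bots: int, pick: int, count: int) -> int:
    """Bots hitting one server per day if it is among the `count` candidates."""
    return bots * pick // count

def sinkhole_coverage(day: str, registered: set, count: int, tlds: list) -> float:
    """Defender view: fraction of the day's candidates already sinkholed."""
    todays = generate_domains(day, count, tlds)
    return sum(d in registered for d in todays) / len(todays)

if __name__ == "__main__":
    # 250 domains over 5 TLDs (versions A/B) versus 50,000 over 8 (version C)
    print(generate_domains("2009-03-01", 250, TLDS_A)[:3])
    print(len(bot_sample("2009-03-01", 42, 50_000, 500, TLDS_C)), "contacted of 50,000")
    print(expected_daily_contacts(10_000_000, 500, 50_000), "bots per server per day")
```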

Conficker.D

The number of top-level domains used to generate domain names increased from 8 to 110. A "buffer overflow" error in the MD6 implementation, made by the algorithm's developer Ronald Rivest and made public on February 19, 2009, was fixed. The self-defense system was improved: the ability to boot in "safe mode" was disabled, and an attempt was made to terminate the processes of programs whose names contain specified strings (antivirus programs).
Its own propagation mechanisms were removed entirely. A peer-to-peer update mechanism was introduced. To receive information from other copies of the worm, two "server" threads are created, one using the TCP protocol and the other using UDP. An interesting feature of the p2p implementation is the rejection of an initial peer list. Such a list is usually either embedded in the executable code or hosted on public servers. Conficker instead finds its peers by scanning IP addresses: for each IP address found, it checks whether Conficker is running there, and if so, a "client" thread is created to communicate with the remote copy. During scanning, the presence of the IP in the blacklist of anti-virus company addresses is checked; those addresses are not contacted. "Server" threads never add the addresses of connecting clients to the peer list. Addresses are added only by "client" threads, and only when the version of the remote copy matches the current one. When the versions differ, the newer one is transferred either from the server to the client or from the client to the server. The p2p mechanism provides two delivery modes: saving the downloaded file for subsequent "distribution", or launching it in the address space as a thread. The latter allows the executable code to be replaced "on the fly" without saving it as a file. At the same time, files downloaded from the generated domains are launched and operate independently of the running Conficker.

Conficker.E

Once again, several innovations were introduced. For example, the procedure that scans for available IPs to infect and to pass updates to (via the P2P mechanism) estimates the bandwidth of the Internet link and, based on this estimate, regulates its propagation and scanning activity. This is done so as not to attract the attention of LAN administrators. Another feature is a change in the network infrastructure used for propagation. The infection algorithm requires the infected host to initiate a connection (after the MS08-067 exploit has succeeded) to the infecting host in order to download the Conficker code. Firewalls built into modems and routers usually block such activity. In addition, infected computers are likely to be behind NAT. Therefore, Conficker first detects the gateways on the local network. To do this, it runs its own SSDP server, which sends broadcast discovery messages across the network, and a network device that supports SSDP sends a response. Having found the gateway in this way, the worm reconfigures the device via the UPnP mechanism to set up a channel that the gateway will pass in the opposite direction (from the external network to the inside), and uses this channel to infect other computers.
The infection routine exploiting the MS08-067 vulnerability was brought back.
Conficker.E deleted itself if the current date was May 3, 2009 or later, but left its previous version on the computer.
Finally, monetization began with this version; two types of malicious programs were downloaded for this purpose. The first is the fake antivirus Spyware Protect 2009, downloaded from servers located in Ukraine. When launched, it periodically displays messages about viruses found in the system and offers to buy its paid full version with the ability to disinfect. The second is the Waledac Trojan, also known as Iksma in Kaspersky Lab's classification, discovered in January 2009. The main functionality of Waledac is identity theft and spamming. In February 2010, a federal court in Virginia granted Microsoft's request and authorized the suspension of 277 domains associated with the Waledac botnet's management system. All of these domains were registered in the .com zone, which is operated by the American company VeriSign.

Afterword

Analysis of Conficker leaves a contradictory impression. On the one hand, an extremely high level of forethought. On the other, an ultimately commonplace "payload" that does not square with the fact that the attackers had every opportunity to install an arbitrarily large amount of malware on the target computers, including malware for stealing payment system accounts. In other words, a cannon against sparrows. It seems that the developers mainly pursued research goals. It is still not clear whether Ukraine is the birthplace of this malicious program. Some researchers note that a working exploit for the MS08-067 vulnerability first appeared in China, and that its code is reproduced almost completely in Conficker. The Vietnamese computer security company BKIS claims that Conficker was created in China. BKIS experts concluded that Conficker is of Chinese origin after analyzing its code, which has much in common with the Nimda worm responsible for the 2001 epidemic. Nimda is assumed to have been developed in China, since references to that country were found in its code. Officially, this has not been confirmed.


Source: https://habr.com/ru/post/159069/

