Vcoderz Community
Old 03-27-2009   #1
xtremer
Registered Member
Conficker: April's fool new worm

The Conficker worm is scheduled to activate on April 1 2009, and the unanswered question is: Will it prove to be the world’s biggest April Fool’s joke or is it the information age equivalent of Herman Kahn’s legendary 1962 treatise about nuclear war, “Thinking About the Unthinkable”?

Conficker is a program that is spread by exploiting several weaknesses in Microsoft’s Windows operating system. Various versions of the software have spread widely around the globe since October, mostly outside the United States because there are more computers overseas running unpatched, pirated Windows. (The program does not infect Macintosh or Linux-based computers.)

For more details about this worm, please check: http://en.wikipedia.org/wiki/Conficker

Old 03-27-2009   #2
Neoxter
Beyond the Code

If it is that serious, then we turn off our PC on April 1st, and we won't get infected. Is this right?
Old 03-27-2009   #3
Justin
Vcoderz Dj

long live MAC operating systems
Old 03-27-2009   #4
Tawa

I think that the purpose of this article is to make you turn it on on April's Fool and get fooled that easy.
Old 03-27-2009   #5
Google

I'll be waiting... I would like to RE this worm...
But the challenge is to make something that exploits Windows and Linux at the same time! I might dedicate some time for this... I don't know if someone has done this before... I'm too lazy to search Google about it.
Old 03-31-2009   #6
Google

After reading some articles about Conficker I was really impressed by this worm. I do believe that one day, a worm will shutdown the internet!

... Let's get back on topic, I don't want to talk about reasons, facts, stories, statistics, rumors, news or whatever... Let's speak technically (at least this is what a VXer would like to hear).

Conficker uses an exploit that employs a specially crafted remote procedure call (RPC) over port 445/TCP, which can cause Windows 2000, XP, 2003 servers, and Vista to execute an arbitrary code segment without authentication. The exploit can affect systems with the firewall enabled, provided they have print and file sharing enabled. Microsoft released a patch for this exploit on October 23 2008. Conficker would utilize this exploit to scan and infect millions of unpatched PCs worldwide. (Windows PCs that receive automated security updates have not been vulnerable to this exploit.)

Conficker is propagated as a dynamically linked library (DLL), which has been packed using the UPX packer + an additional layer of packing. We can use IDA Pro to remove this second layer of obfuscation and dump the original code from memory (run the Conficker service, snapshot the core Conficker library as a memory image, and from this code segment reconstruct a complete Windows executable program). The program (.exe) requires a PE-header template, so we can compute an entry point that allows the program to enter Conficker's code segment!

There are 2 variants of Conficker (A and B). In both cases, the worm works as a dynamically linked library, where its base code has been compiled as a DLL. The agent code proceeds first by checking the Windows version, and based on this result it creates a remote thread in processes such as svchost.exe by invoking LoadLibrary, where the copy of the DLL is passed as an argument. The malicious library then copies itself into the system root directory under a random file name. After initiating the use of the Winsock DLL, the bulk of the malicious code logic is executed.


Conficker agent A checks for the existence of a firewall. If a firewall exists, the worm sends a UPNP message to open a local random high-order port. It opens the same port on its local host then it uploads a backdoor. This backdoor is used during propagation to allow newly infected victims to retrieve the Conficker binary. It proceeds to one of the following sites to obtain its external-facing IP address: www.getmyip.org, getmyip.co.uk, checkip.dyndns.org.

It then attempts to download the GeoIP database from maxmind.com. It randomly generates IP addresses to search for additional victims, filtering Ukraine IPs based on the GeoIP database! (Good for you, Ukraine, you devil!) The GeoIP information is also used as part of the Microsoft exploit process (mentioned above). Conficker A then sleeps for 30 minutes before starting a thread that attempts to contact http://trafficconverter.biz/4vir/antispyware/ to download a file called loadadv.exe (this thread cycles every 5 minutes).

Next, Conficker A enters an infinite loop within which it generates a list of 250 domains (rendezvous points) each 3 hours (8 times per day). The name-generation function is based on a randomizing function that seeds with the current UTC system date, which means that all Conficker clients, with system clocks that are at minimum synchronized to the current UTC date, will compute and attempt to contact the same set of domains.


When contacting a domain for which a valid IP address has been registered, Conficker clients send a URL request to TCP port 80 of the target IP, and if a Windows binary is returned, it will be validated via a locally stored public key, stored on the victim host, and executed. If the computer is not connected to the Internet, then the malicious code will check for connectivity every 60 seconds. When the computer is connected, each time Conficker A will generate 250 names and contact every registered domain in this set to inquire if an executable is available for download.


Conficker B is the same as A but with some minor differences. First, it does not include a keyboard language check (Ukraine-avoidance). B also uses different mutex strings and patches a number of Windows APIs and attempts to disable its victim's local security defenses by terminating the execution of a predefined set of antivirus products it finds on the machine. It has significantly more suicide logic embedded in its code, and employs anti-debugging features to avoid reverse engineering attempts.

Conficker B uses a different set of sites to query its external-facing IP address: www.getmyip.org, www.whatsmyipaddress.com, www.whatismyip.org, checkip.dyndns.org. It does not download the fraudware Antivirus XP software that version A attempts to download.

Conficker B proceeds to generate a daily list of domains to probe for the download of an additional payload. Conficker B builds its candidate set of rendezvous points every 2 hours, using a similar algorithm that Conficker A uses. However, it uses different seeds and also appends three additional top-level domains. The result is that the daily domain lists generated by A and B do not overlap!!!

Although many groups have been able to break the domain generation algorithm and registered rendezvous points, Conficker's authors have taken care to ensure that other groups cannot upload arbitrary binaries to its infected drones. WHAT DID THEY DO?

Both Conficker A and B clients incorporate a binary validation mechanism to ensure that a downloaded binary has been signed by the Conficker authors. The procedure of this algorithm begins with:
  1. Conficker's authors computing a 512-bit hash M of the Windows binary that will be downloaded to the client.
  2. The binary is then encrypted using the symmetric stream cipher RC4 algorithm with password M.
  3. Next, the authors compute a digital signature using an RSA encryption scheme, as follows: M^epriv mod N = Sig (N is a public modulus embedded in all Conficker client binaries)
  4. Sig is then appended to the encrypted binary, and together they can be pushed to all infected Conficker clients that connect to the appropriate rendezvous points.
Once received:
  1. The client removes the digital signature and recovers M using N and the public exponent epub, which is also embedded in the Conficker client binary (M is recovered as follows: M = Sig^epub mod N).
  2. The client then decrypts the binary using password M, and confirms its integrity by comparing its hash (originally computed by the Conficker authors) to M.
If the hash integrity check succeeds, the binary is then stored and executed via Windows shellexec(). Otherwise the binary is discarded. A and B use equivalent hash and encryption protocols, except that B uses an expanded 4092-bit modulus, whereas A uses a 1024-bit modulus.

I think it's enough for now. I won't go into further analysis of this piece of art. Additional information is available on Google.

I know many companies are preparing themselves for tomorrow. BE CAREFUL!!!
It might be a joke, but April Fool’s joke is human made!

Maybe it's the last time that you see me writing here on Vcoderz! Since I don't have an anti-virus installed on my PC, and my Vista is somehow old and not patched... I have three choices: Either I stay running Vista and get infected by this worm OR I run one of my Linux OSs and enjoy watching the world burning OR I run my Test Lab (Windows XP) virtual machine and feel like playing a game where I have put the infinite health cheat!

Questions???
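A working model of the payload validation scheme described in the post above (hash M, RC4 with key M, textbook RSA signature on M), added here as an example; it is not code from the thread or from any Conficker sample. It shows the client-side check that rejects a payload not signed with the authors' private key, which is why registering rendezvous domains alone did not let anyone push binaries to infected hosts. Assumptions: the 512-bit hash is SHA-512, RSA is unpadded as the post states, the key is a throwaway one built from two Mersenne primes, and the sample payload is constructed.

```python
# Added example: model of the hash / RC4 / textbook-RSA payload validation scheme
# described in the post above. Not Conficker code; key and sample data are toys.
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 stream cipher; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

# Toy RSA key (assumption, not a Conficker key): p, q are the Mersenne primes
# 2^521-1 and 2^607-1, so N (~1128 bits) exceeds any 512-bit hash value M.
P, Q = (1 << 521) - 1, (1 << 607) - 1
N, E_PUB = P * Q, 65537
E_PRIV = pow(E_PUB, -1, (P - 1) * (Q - 1))
SIG_LEN = (N.bit_length() + 7) // 8

def package(binary: bytes, e_priv: int = E_PRIV) -> bytes:
    """Author side: M = SHA-512(binary), body = RC4(M, binary), Sig = M^epriv mod N."""
    m = hashlib.sha512(binary).digest()
    sig = pow(int.from_bytes(m, "big"), e_priv, N)
    return rc4(m, binary) + sig.to_bytes(SIG_LEN, "big")

def validate(blob: bytes):
    """Client side: M = Sig^epub mod N, decrypt with M, accept only if SHA-512 matches M."""
    body, sig = blob[:-SIG_LEN], int.from_bytes(blob[-SIG_LEN:], "big")
    m_int = pow(sig, E_PUB, N)
    if m_int >> 512:           # recovered value is not a 512-bit hash: bad signature
        return None
    m = m_int.to_bytes(64, "big")
    binary = rc4(m, body)
    return binary if hashlib.sha512(binary).digest() == m else None

def demo() -> tuple:
    """Constructed sample: a genuine blob validates; a flipped byte or a foreign key does not."""
    sample = b"MZ constructed sample payload, not a real binary" * 4
    blob = package(sample)
    tampered = blob[:3] + bytes([blob[3] ^ 0x01]) + blob[4:]     # one ciphertext byte flipped
    foreign = package(sample, e_priv=E_PRIV + 2)  # signed with an exponent the client does not trust
    return validate(blob) == sample, validate(tampered), validate(foreign)
```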