Lumension® Endpoint Intelligence Center


Overview

Threat Risk MEDIUM
Destructivity UNKNOWN
Payload Downloads additional trojan components.
Detection files published
Description created 07 Jan 2009 03:42:00
Description updated 01 Apr 2009 05:45:00
Malware type UNKNOWN
Alias W32.Downadup
W32/Conficker.worm
Net-Worm.Win32.Kido
Spreading mechanism NETWORK
OTHER
Summary

W32/Conficker

Spreading

File system changes
The worm copies itself to:
[System]\randomname (preferred location) or

[Program Files]\Internet Explorer\randomname or
[Program Files]\Movie Maker\randomname (50% chance of each), or

[Application Data]\randomname, or

[Temp]\randomname
It will attempt to install itself as a service; if that fails, it installs as a regular application that is started at boot.
The worm also copies itself to removable and remote drives as mentioned below.
Exploit spread
The worm generates random IP addresses using the rand function and attempts to infect them. The candidates are heavily filtered; for example, the IP address ranges below are never attacked:
11.*.*.* (US Department of Defense)
127.*.*.* (Loopback)
169.254.*.* (Link Local)
172.16.*.* - 172.32.*.* (Private use networks)
192.*.*.* (Reserved, and private use networks)
198.18.*.* - 198.19.*.* (Network Interconnect Device Benchmark Testing)
224.*.*.* - 255.*.*.* (Multicast, and reserved address space)

In addition, the worm contains a list of no fewer than 396 further IP address ranges that it neither scans nor allows an infected machine to spread to. These ranges typically belong to antivirus companies.

It opens an HTTP server on a random port on the local machine and then attacks the remote computer by sending it a specially crafted packet. This causes vulnerable machines to connect back, download and execute a copy of the worm. If the download request does not match what the worm expects (for example if the download client is wget, the reported operating system is Linux, or the downloading IP is in one of the blocked address ranges), the data served is randomly generated text rather than the worm.
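The filter above decides where this worm's random scanning can and cannot be observed, which matters when placing sensors or honeypots. The following is an added example (not code from the advisory or from the worm) that expresses the page's excluded spans as CIDR blocks, emulates the filtered target selection, and estimates how much of the IPv4 space is never scanned. The worm's own list of vendor ranges is not reproduced on the page, so a single TEST-NET-3 block stands in for it.

```python
import ipaddress
import random

# Ranges the advisory says the worm never scans. The page lists them as wildcard
# spans; they are expressed here as CIDR blocks covering exactly those spans.
EXCLUDED_RANGES = [ipaddress.ip_network(n) for n in (
    "11.0.0.0/8",       # 11.*.*.*  (US Department of Defense)
    "127.0.0.0/8",      # 127.*.*.* (loopback)
    "169.254.0.0/16",   # 169.254.*.* (link local)
    "172.16.0.0/12",    # 172.16.*.* - 172.31.*.* (private use)
    "172.32.0.0/16",    # the page's span runs through 172.32.*.*
    "192.0.0.0/8",      # 192.*.*.* (reserved and private use)
    "198.18.0.0/15",    # 198.18.*.* - 198.19.*.* (benchmark testing)
    "224.0.0.0/3",      # 224.*.*.* - 255.*.*.* (multicast and reserved)
)]

# Stand-in for the worm's further list of ~396 vendor ranges, which the page does
# not reproduce. TEST-NET-3 is used here purely as a placeholder entry.
VENDOR_RANGES = [ipaddress.ip_network("203.0.113.0/24")]


def is_excluded(ip):
    """True if the worm's scanner would skip this address."""
    addr = ipaddress.ip_address(str(ip))
    return any(addr in net for net in EXCLUDED_RANGES + VENDOR_RANGES)


def candidate_targets(count, seed=0):
    """Emulate target selection as the page describes it: draw random 32-bit
    addresses and drop those the filter excludes. Seeded for reproducibility."""
    rng = random.Random(seed)
    targets = []
    while len(targets) < count:
        addr = ipaddress.IPv4Address(rng.getrandbits(32))
        if not is_excluded(addr):
            targets.append(str(addr))
    return targets


def excluded_fraction(samples=50000, seed=1):
    """Estimate the share of the IPv4 space the filter discards. 224/3 alone is an
    eighth of the space, so a sensor inside any of these ranges will never see this
    worm's random scanning; place honeypots elsewhere."""
    rng = random.Random(seed)
    dropped = sum(is_excluded(ipaddress.IPv4Address(rng.getrandbits(32)))
                  for _ in range(samples))
    return dropped / samples
```

Note that `excluded_fraction()` comes out near 0.14, almost all of it from the 224/3 block; the vendor list the page mentions would raise it only slightly, but it is the part that decides whether a given security company's netblock ever sees an infection attempt.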
It connects to one of the following web sites, picked at random, in order to learn its own public IP address:
http://checkip.dyndns.org
http://www.whatismyip.org
http://www.whatsmyipaddress.com
http://www.getmyip.org
 
It connects to one of the following web sites, picked at random, in order to estimate the network speed before infection attempts:
aol.com
cnn.com
ebay.com
msn.com
myspace.com
 
Network spread
The worm spreads over the local area network. It sets up a thread which every 5 minutes enumerates the network using NetServerEnum and attempts to connect to the IPC$ share on each visible server using:
- the default user and password (with impersonation)
- the remote (or, failing that, local) list of users, with the password set to the user name (%username%)
- the same list of users, with the password set to the user name twice (%username%%username%)
- the same list of users, with the password set to the user name reversed (%emanresu%)
- the same list of users, with the password taken from the list below:

123
1234
12345
123456
1234567
12345678
123456789
1234567890
123123
12321
123321
123abc
123qwe
123asd
1234abcd
1234qwer
1q2w3e
a1b2c3
admin
Admin
administrator
nimda
qwewq
qweewq
qwerty
qweasd
asdsa
asddsa
asdzxc
asdfgh
qweasdzxc
q1w2e3
qazwsx
qazwsxedc
zxcxz
zxccxz
zxcvb
zxcvbn
passwd
password
Password
login
Login
pass
mypass
mypassword
adminadmin
root
rootroot
test
testtest
temp
temptemp
foofoo
foobar
default
password1
password12
password123
admin1
admin12
admin123
pass1
pass12
pass123
root123
pw123
abc123
qwe123
test123
temp123
mypc123
home123
work123
boss123
love123
sample
example
internet
Internet
nopass
nopassword
nothing
ihavenopass
temporary
manager
business
oracle
lotus
database
backup
owner
computer
server
secret
super
share
superuser
supervisor
office
shadow
system
public
secure
security
desktop
changeme
codename
codeword
nobody
cluster
customer
exchange
explorer
campus
money
access
domain
letmein
letitbe
anything
unknown
monitor
windows
files
academia
account
student
freedom
forever
cookie
coffee
market
private
games
killer
controller
intranet
work
home
job
foo
web
file
sql
aaa
aaaa
aaaaa
qqq
qqqq
qqqqq
xxx
xxxx
xxxxx
zzz
zzzz
zzzzz
fuck
12
21
321
4321
54321
654321
7654321
87654321
987654321
0987654321
0
00
000
0000
00000
000000
0000000
00000000
1
11
111
1111
11111
111111
1111111
11111111
2
22
222
2222
22222
222222
2222222
22222222
3
33
333
3333
33333
333333
3333333
33333333
4
44
444
4444
44444
444444
4444444
44444444
5
55
555
5555
55555
555555
5555555
55555555
6
66
666
6666
66666
666666
6666666
66666666
7
77
777
7777
77777
777777
7777777
77777777
8
88
888
8888
88888
888888
8888888
88888888
9
99
999
9999
99999
999999
9999999
99999999
If successful, the worm copies itself into \\[servername]\ADMIN$\System32 on the remote computer under a random name. It then attempts to create a remote daily scheduled task that executes the worm at the next whole hour. The task command is RUNDLL32.EXE [randomwormname],[randomchars].
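The password-guessing routine above is fully described, so it can be reproduced to audit whether an account would fall to it. This is an added example, not code from the advisory: it builds the candidate set for a given user name in the order the page lists the derivations (the name itself, the name doubled, the name reversed, then the static list) and answers whether a password is in the worm's dictionary. The digit runs and countdown sequences are generated rather than typed out; the word portion below is an excerpt of the page's list and should be completed from it before use.

```python
import string

# Excerpt of the advisory's static password list; the full list is given above.
STATIC_WORDS = [
    "123", "1234", "12345", "123456", "1234567", "12345678", "123456789", "1234567890",
    "123123", "12321", "123321", "123abc", "123qwe", "123asd", "1234abcd", "1234qwer",
    "1q2w3e", "a1b2c3", "admin", "Admin", "administrator", "nimda", "qwerty", "qweasd",
    "qazwsx", "qazwsxedc", "passwd", "password", "Password", "login", "Login", "pass",
    "mypass", "mypassword", "adminadmin", "root", "rootroot", "test", "testtest",
    "password1", "password12", "password123", "admin123", "pass123", "abc123",
    "changeme", "letmein", "secret", "backup", "oracle", "sql", "12",
]


def numeric_families():
    """The numeric entries of the list: each digit repeated 1 to 8 times, and the
    countdown family 21, 321, ..., 0987654321."""
    out = set()
    for d in string.digits:
        for n in range(1, 9):
            out.add(d * n)
    countdown = "0987654321"
    for n in range(2, 11):
        out.add(countdown[-n:])
    return out


STATIC_PASSWORDS = set(STATIC_WORDS) | numeric_families()


def candidates_for(username):
    """Every password the worm would try against `username`, derived forms first."""
    derived = [username, username * 2, username[::-1]]
    return derived + sorted(STATIC_PASSWORDS - set(derived))


def in_conficker_dictionary(username, password):
    """True if this (user, password) pair would be guessed over the IPC$ share."""
    return password in candidates_for(username)
```

Two details worth keeping in mind when using this against a real account list: the derived forms depend on the exact account name string (so "Alice" and "alice" produce different candidates), and the guesses are made against every user returned by the remote or local enumeration, so one weak account on a share-enabled host is enough.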
Spreading to removable and remote drives
The worm scans logical drives and copies itself to writable remote and removable drives (e.g. USB sticks). It creates new folders on the drive(s) of the form
[drive]:\RECYCLER\S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXX\[filename].[ext], where X is a random digit (the number of digits may also vary). This variation is selected 15 out of 16 times,
or
[drive]:\[random]\[random]\[filename].[ext]. This variation is used one out of 16 times.
A file named autorun.inf is created in the root folder of the drive so that the worm is launched automatically in many circumstances, typically when an infected removable drive is inserted and browsed.
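The drive layout above gives a usable check for suspect media. The following is an added example (not the vendor's tool) that inspects a drive root for the two artifacts the page describes: a root autorun.inf and files stored directly under a SID-shaped folder below RECYCLER. One check the page implies but does not state: the worm's folder name is built from random digits, while genuine recycle-bin folders are named after real account SIDs, which start with S-1-5-, so a RECYCLER subfolder whose name cannot be a real SID is reported with higher confidence. The sample drive is constructed in a temporary directory, and the file names in it are made up.

```python
import os
import re
import tempfile

# Folder shape from the page: S-X-X-XX-XXXXXXXXXX-XXXXXXXXXX-XXXXXXXXX-XXXX with random
# digits and a variable digit count, so accept any SID-shaped name.
SID_SHAPED = re.compile(r"^S-\d+-\d+(?:-\d+)+$", re.IGNORECASE)
# Genuine Windows account SIDs begin S-1-5-; anything else under RECYCLER is not a
# real recycle bin.
REAL_SID_PREFIX = re.compile(r"^S-1-5-", re.IGNORECASE)


def find_drive_artifacts(drive_root):
    """Inspect one drive root. Returns (autorun_inf_present, findings), where
    findings is a list of (path, confidence) for files stored directly under a
    SID-shaped RECYCLER subfolder; confidence is "high" when the folder name
    cannot be a real SID and "low" when it could be an ordinary recycle bin."""
    autorun = os.path.isfile(os.path.join(drive_root, "autorun.inf"))
    findings = []
    recycler = os.path.join(drive_root, "RECYCLER")
    if os.path.isdir(recycler):
        for entry in os.listdir(recycler):
            sub = os.path.join(recycler, entry)
            if not (os.path.isdir(sub) and SID_SHAPED.match(entry)):
                continue
            confidence = "low" if REAL_SID_PREFIX.match(entry) else "high"
            for name in os.listdir(sub):
                path = os.path.join(sub, name)
                if os.path.isfile(path):
                    findings.append((path, confidence))
    return autorun, findings


def build_sample_drive():
    """Lay out a constructed drive image in a temp directory mirroring the page's
    description. File names are made up; they are not known worm file names."""
    root = tempfile.mkdtemp(prefix="drive_")
    worm_dir = os.path.join(root, "RECYCLER",
                            "S-5-3-42-2819952290-8240758988-879315005-3665")
    os.makedirs(worm_dir)
    with open(os.path.join(worm_dir, "kqzrtxw.dll"), "wb") as f:
        f.write(b"MZ")                      # placeholder for the worm copy
    with open(os.path.join(root, "autorun.inf"), "w") as f:
        f.write("[autorun]\n")              # the page does not give the real contents
    # A real recycle bin folder for comparison: proper S-1-5-21 SID, normal INFO2 index.
    real_bin = os.path.join(root, "RECYCLER", "S-1-5-21-1000-2000-3000-1001")
    os.makedirs(real_bin)
    with open(os.path.join(real_bin, "INFO2"), "wb") as f:
        f.write(b"\x05\x00\x00\x00")
    return root
```

On a live Windows drive, run `find_drive_artifacts("E:\\")` with autorun disabled first, since browsing the drive is exactly the trigger the page describes. Low-confidence hits under a real S-1-5-21 folder are normally just deleted files and the INFO2 index; the second, rarer layout ([drive]:\[random]\[random]\) has no fixed marker and is not covered by this check.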
 
Registry changes
Adds the values
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets "dl"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets "ds"

Installation of service:
HKLM\System\CurrentControlSet\Services\[randomname]
"DisplayName"=[composite name]
"Type"= 0x20
"Start"= 0x2
"ErrorControl"= 0
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"ObjectName"="LocalSystem"
"Description"=[random service name]
[composite name] is a name composed of two different words picked from the list below, separated by a space, e.g. "Time Task":
Windows
Updated
Universal
Time
Task
System
Support
Shell
Server
Security
Network
Monitor
Microsoft
Manager
Installer
Image
Helper
Driver
Config
Center
Boot

HKLM\System\CurrentControlSet\Services\[randomname]\Parameters "ServiceDll"= Path to worm executable.
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost "netsvcs"= list of installed services + [randomname]
If it is unable to install as a service, it installs under the Run keys instead:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run = rundll32.exe malwarepath randomchars
HKLM\Software\Microsoft\Windows\CurrentVersion\Run = rundll32.exe malwarepath randomchars
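The service and Run-key layout above is specific enough to turn into a review of exported registry data. The following is an added example (not the vendor's detection logic) that scores a Services\[name] key against the traits the page gives: a two-word display name drawn from the word list, hosting in the svchost netsvcs group, a ServiceDll for a service name that is not a known netsvcs member, and the LocalSystem/auto-start/share-process values. It also flags Run-key values (and scheduled-task commands of the RUNDLL32.EXE [name],[export] form given earlier) that load a DLL from one of the drop directories the page names. The allowlist of known netsvcs members and the sample keys are constructed for this example; "Windows Time" (w32time) is included because its display name is two words from the list, which is why the service key name must be checked as well.

```python
import re

# Word list the page gives for the two-word display name.
SERVICE_WORDS = {
    "Windows", "Updated", "Universal", "Time", "Task", "System", "Support", "Shell",
    "Server", "Security", "Network", "Monitor", "Microsoft", "Manager", "Installer",
    "Image", "Helper", "Driver", "Config", "Center", "Boot",
}

# Partial allowlist of real netsvcs members (an assumption for this example; build
# the real one from a known-clean reference machine).
KNOWN_NETSVCS = {"w32time", "wuauserv", "bits", "schedule", "browser",
                 "lanmanserver", "dnscache"}

# Drop locations the page names for the worm file.
DROP_DIRS = ("\\system32\\", "\\internet explorer\\", "\\movie maker\\",
             "\\application data\\", "\\temp\\")

RUNDLL_LAUNCH = re.compile(
    r'^"?(?:[a-z]:\\[^"]*?\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^",]+?)"?,(?P<export>\S+)',
    re.IGNORECASE)


def is_composite_name(display_name):
    words = display_name.split(" ")
    return (len(words) == 2 and words[0] != words[1]
            and all(w in SERVICE_WORDS for w in words))


def review_service(name, values, netsvcs):
    """Score one Services\\<name> key. `values` maps value names (including the
    Parameters\\ServiceDll value) to data; `netsvcs` is the SvcHost netsvcs list.
    Returns (suspect, hits)."""
    hits = []
    if is_composite_name(values.get("DisplayName", "")):
        hits.append("composite display name")
    in_group = name.lower() in {n.lower() for n in netsvcs}
    if values.get("ImagePath", "").lower().endswith("svchost.exe -k netsvcs") and in_group:
        hits.append("hosted in netsvcs")
    if values.get("ServiceDll") and name.lower() not in KNOWN_NETSVCS:
        hits.append("unknown ServiceDll host")
    if (values.get("Type") == 0x20 and values.get("Start") == 0x2
            and values.get("ObjectName") == "LocalSystem"):
        hits.append("LocalSystem auto-start share-process")
    suspect = "composite display name" in hits and "unknown ServiceDll host" in hits
    return suspect, hits


def run_value_is_suspect(command):
    """True for a Run-key value or task command of the form rundll32 <dll>,<export>
    where the DLL lives in one of the worm's drop directories."""
    m = RUNDLL_LAUNCH.match(command.strip())
    if not m:
        return False
    return any(d in m.group("dll").lower() for d in DROP_DIRS)


# Constructed sample: a worm-style key next to two legitimate ones.
SAMPLE_NETSVCS = ["wuauserv", "w32time", "Schedule", "kqzrtxw"]
SAMPLE_SERVICES = {
    "kqzrtxw": {"DisplayName": "Time Task", "Type": 0x20, "Start": 0x2, "ErrorControl": 0,
                "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
                "ObjectName": "LocalSystem", "Description": "kqzrtxw",
                "ServiceDll": "C:\\WINDOWS\\system32\\kqzrtxw.dll"},
    "w32time": {"DisplayName": "Windows Time", "Type": 0x20, "Start": 0x2,
                "ImagePath": "%SystemRoot%\\system32\\svchost.exe -k netsvcs",
                "ObjectName": "LocalSystem",
                "ServiceDll": "C:\\WINDOWS\\system32\\w32time.dll"},
    "Spooler": {"DisplayName": "Print Spooler", "Type": 0x10, "Start": 0x2,
                "ImagePath": "%SystemRoot%\\system32\\spoolsv.exe",
                "ObjectName": "LocalSystem"},
}


def review_all(services=SAMPLE_SERVICES, netsvcs=SAMPLE_NETSVCS):
    return {name: review_service(name, vals, netsvcs) for name, vals in services.items()}
```

Legitimate Run entries that launch rundll32 with a System32 DLL do exist (display-driver applets are a common case), so `run_value_is_suspect` is a lead to confirm by checking the DLL's signature and export name, not a verdict on its own.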
 
Differences from the B to the C variant
The C variant is a major rewrite of the worm. Spreading via USB sticks and network shares has been removed; instead it has more advanced anti-antivirus capabilities and download functions. See Payload Details.
 

Payload Details

The worm attempts to contact remote machines and to download and execute files from them. The hostnames to contact are generated semi-randomly from the date: every day a new set of 250 possible hostnames is generated under the top-level domains .cc, .cn, .ws, .com, .net, .org, .info and .biz.
Most of the time these domains do not exist, but the worm author can at any time register one of them and set up a download server that will work for that day.
In addition it hooks the APIs sendto (in ws2_32.dll) and DnsQuery_A, DnsQuery_UTF8, DnsQuery_W and Query_Main (in dnsapi.dll) in order to block connections to sites whose names contain any of the following strings:
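Because almost all of the daily hostnames are unregistered, an infected host shows up in resolver logs as a burst of NXDOMAIN answers for many distinct names under the listed top-level domains. The following is an added example, not the vendor's detection, that finds such bursts: it parses resolver log lines of a constructed format (timestamp, client, query name, response code), keeps NXDOMAIN answers under the page's eight TLDs, and flags clients with at least `threshold` distinct failed names inside a sliding time window. The log lines and the format itself are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

DGA_TLDS = (".cc", ".cn", ".ws", ".com", ".net", ".org", ".info", ".biz")

# Constructed resolver log: "<ISO time> <client> <qname> <rcode>" per line.
# 10.0.0.5 plays the infected host; 10.0.0.9 repeats one typo and is benign.
SAMPLE_LOG = """\
2009-01-07T03:42:00 10.0.0.5 qwlzkfyg.cc NXDOMAIN
2009-01-07T03:42:01 10.0.0.5 hpaesbq.biz NXDOMAIN
2009-01-07T03:42:01 10.0.0.5 ksdfmlqo.ws NXDOMAIN
2009-01-07T03:42:02 10.0.0.5 tnvbzaqe.cn NXDOMAIN
2009-01-07T03:42:02 10.0.0.9 www.example.com NOERROR
2009-01-07T03:42:03 10.0.0.5 plmoknij.info NXDOMAIN
2009-01-07T03:42:04 10.0.0.5 zrxqwvt.org NXDOMAIN
2009-01-07T03:42:05 10.0.0.5 mkjnhbgv.net NXDOMAIN
2009-01-07T03:42:06 10.0.0.5 intranet.example.de NXDOMAIN
2009-01-07T03:42:07 10.0.0.5 uytrewqa.com NXDOMAIN
2009-01-07T03:42:08 10.0.0.9 typo-exampel.com NXDOMAIN
2009-01-07T03:42:09 10.0.0.5 bvcxzlkj.cc NXDOMAIN
2009-01-07T03:42:10 10.0.0.5 asdfghjk.biz NXDOMAIN
2009-01-07T03:42:11 10.0.0.5 www.example.com NOERROR
2009-01-07T03:42:12 10.0.0.5 qazxswed.ws NXDOMAIN
2009-01-07T03:42:13 10.0.0.5 edcrfvtg.cn NXDOMAIN
2009-01-07T03:42:14 10.0.0.9 typo-exampel.com NXDOMAIN
"""


def parse_log(text):
    """Yield (timestamp, client, qname, rcode) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, rcode = line.split()
        yield datetime.fromisoformat(ts), client, qname.lower().rstrip("."), rcode


def dga_suspects(log_text, window=timedelta(minutes=10), threshold=10):
    """Return {client: distinct_failed_names} for clients that resolved at least
    `threshold` distinct non-existent names under DGA_TLDS within `window`."""
    per_client = defaultdict(list)
    for ts, client, qname, rcode in parse_log(log_text):
        if rcode == "NXDOMAIN" and qname.endswith(DGA_TLDS):
            per_client[client].append((ts, qname))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        start, best = 0, 0
        for end in range(len(events)):          # sliding window over sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            distinct = len({q for _, q in events[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            flagged[client] = best
    return flagged
```

The threshold should be tuned to the environment, since browsers and misconfigured agents also produce NXDOMAIN noise; counting distinct names rather than raw failures is what separates the worm's 250-name sweep from a host retrying one bad name. For the C variant described below, the TLD filter would need to be widened to the country-code domains it adds, and the daily volume rises to 500 attempts.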
virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates
f-secure
kaspersky
jotti
f-prot
nod32
eset
grisoft
drweb
centralcommand
ahnlab
esafe
avast
avira
quickheal
comodo
clamav
ewido
fortinet
gdata
hacksoft
hauri
ikarus
k7computing
norman
pctools
prevx
rising
securecomputing
sunbelt
emsisoft
arcabit
cpsecure
spamhaus
castlecops
threatexpert
wilderssecurity
windowsupdate
nai.
ca.
avp.
avg.
vet.
bit9.
sans.
cert.
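The page describes the hook as a substring match on the queried name, which has a side effect worth knowing during triage: any name that happens to contain one of the strings fails to resolve, and names that do not (including the worm's own update domains) keep working. The following is an added example, not the vendor's tool, that reproduces the filter and uses it for a resolution triage run on a suspect host: it resolves a mix of names the filter would and would not block, and reports whether the pattern "filtered names fail, unfiltered names succeed" is present. The resolver is injectable so the logic can be exercised offline with a stand-in; the control names are assumptions for the example.

```python
import socket

# The substrings the page lists; matching is case-insensitive and anywhere in the name.
BLOCKED_SUBSTRINGS = [
    "virus", "spyware", "malware", "rootkit", "defender", "microsoft", "symantec",
    "norton", "mcafee", "trendmicro", "sophos", "panda", "etrust", "networkassociates",
    "computerassociates", "f-secure", "kaspersky", "jotti", "f-prot", "nod32", "eset",
    "grisoft", "drweb", "centralcommand", "ahnlab", "esafe", "avast", "avira",
    "quickheal", "comodo", "clamav", "ewido", "fortinet", "gdata", "hacksoft", "hauri",
    "ikarus", "k7computing", "norman", "pctools", "prevx", "rising", "securecomputing",
    "sunbelt", "emsisoft", "arcabit", "cpsecure", "spamhaus", "castlecops",
    "threatexpert", "wilderssecurity", "windowsupdate",
    "nai.", "ca.", "avp.", "avg.", "vet.", "bit9.", "sans.", "cert.",
]


def name_is_filtered(hostname):
    """True if the worm's DNS hook would suppress a lookup of this name."""
    h = hostname.lower()
    return any(s in h for s in BLOCKED_SUBSTRINGS)


def resolution_triage(hostnames, resolve=socket.gethostbyname):
    """Resolve each name and pair the outcome with the filter's verdict."""
    results = {}
    for h in hostnames:
        try:
            resolve(h)
            ok = True
        except OSError:          # socket.gaierror and friends
            ok = False
        results[h] = {"resolved": ok, "filtered_by_worm": name_is_filtered(h)}
    return results


def hook_signature_present(results):
    """The tell-tale pattern: every filtered name fails while every unfiltered
    name succeeds. Requires at least one of each to say anything."""
    filtered = [r for r in results.values() if r["filtered_by_worm"]]
    clear = [r for r in results.values() if not r["filtered_by_worm"]]
    return (bool(filtered) and bool(clear)
            and all(not r["resolved"] for r in filtered)
            and all(r["resolved"] for r in clear))


# Names to try on a suspect host (assumed for the example): two the filter blocks,
# two it lets through.
TRIAGE_NAMES = ["www.microsoft.com", "update.windowsupdate.com",
                "www.example.com", "www.example.net"]
```

Run `resolution_triage(TRIAGE_NAMES)` on the suspect machine itself; from another host everything resolves, because the hook lives in the infected process, not in the network. A clean host with a broken resolver fails every name and is not reported, which is the point of requiring both halves of the pattern.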

Differences from the B to the C variant
The C variant increases the number of random domains from 250 per day to 50,000 per day, of which the worm attempts to contact a random subset of 500. The domain names are also more variable, with country-code domains included in the name generation.
A wholly new peer-to-peer (P2P) mechanism was added in the C variant, which lets the worm communicate with and get updates from other infected machines.
 

Analysis

n/a

Removal

This worm was first detected by Lumension antivirus products on 27 Nov 2008. Later variants have been added continuously. To remove the worm and its malicious components completely, it is recommended to use Lumension Malware Cleaner.

How to stay protected

Users of Lumension Antivirus & Antispyware are protected from all known versions of Conficker / Kido / Downadup.


Last Updated: 12 Nov 2015 11:06:12