Friday, August 21, 2009

W32/Conficker: A General Analysis [Updated]

A few months ago my computer was infected with the Conficker worm. There are approximately five variants of Conficker; my computer was infected with one of them, but in this post I have mixed together the characteristics of all of its variants.

Damage:-
By January 2009, the estimated number of infected computers ranged from almost 9 million to 15 million. The worm uses a combination of advanced malware techniques, which has made it difficult to counter, and it has since spread rapidly into what is now believed to be the largest computer worm infection since SQL Slammer in 2003.
After the infection I observed various things; let's discuss those.

Aliases
* Worm:Win32/Conficker.A (Microsoft)
* Crypt.AVL (AVG)
* Mal/Conficker-A (Sophos)
* Trojan.Win32.Pakes.lxf (F-Secure)
* Trojan.Win32.Pakes.lxf (Kaspersky)
* W32.Downadup (Symantec)
* Worm:Win32/Conficker.B (Microsoft)
* WORM_DOWNAD.A (Trend Micro)

Symptoms of Conficker infection include the following:
  • Access to security-related sites is blocked
  • User accounts are locked out of the directory (a side effect of the worm's password guessing, see the dictionary attack below)
  • Traffic is sent through port 445 on non-Directory Service (DS) servers
  • Access to administrative shares is denied
  • Autorun.inf files are placed in the RECYCLER (recycle bin) directory of removable and mapped drives
Observations:
  • The first interesting thing I observed about Conficker is that it restricts access to security sites without modifying the hosts file.
  • It injects itself into svchost.exe, a running system process, so terminating the process and deleting the file is very difficult for users.
  • The autorun.inf file structure used by the Conficker worm was very different from a traditional autorun.inf, because a lot of garbage data was added around the real directives.
  • The option "Open folder to view files" (Publisher not specified) was added by the worm. This window opens whenever the pen drive is inserted.
  • The extension I observed on the file was .vmx. Click the image to see it clearly.
  • If your pen drive is infected with Conficker, it will infect your PC simply by being plugged in before the PC starts. This is my personal experience: my computer was infected again and again after cleaning the worm, because my pen drive always remained plugged into my PC. Then I formatted my pen drive and rescanned the whole PC, and the problem was solved.
  • It hides itself in locations of this form on each drive, e.g. I:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665, to make detection by the user difficult.
  • The first variant of the Conficker worm downloads a GeoIP database from a third-party website in order to geolocate hosts by IP address (public analyses report that it uses this to avoid Ukrainian addresses). When the owner of the website removed that file, the worm had a much harder time making that determination. The second variant, seen on 28 December 2008, solved the GeoIP problem by embedding the data in the worm itself.
  • It changes a setting so that the PC will not show hidden files. It opens a port in the firewall and disables automatic updates.
  • During a deep scan of the worm file, the following compiler and packer signatures were found, which show the language it is programmed in. [Results of file scan]

    File Name: jwgkvsq.vmx
    Number of Matching Signatures: 7
    Deep Scan: Yes
    Best Match: Microsoft Visual C++ 6.0 DLL

    All Matches:
    Signature: Microsoft Visual C++ 6.0 DLL
    Matches: 63
    Signature: Microsoft Visual C++ 6.0
    Matches: 18
    Signature: Microsoft Visual C++ 6.0 DLL (Debug)
    Matches: 18
    Signature: Armadillo v1.xx - v2.xx
    Matches: 17
    Signature: Microsoft Visual C++ v6.0 DLL
    Matches: 11
  • On the source computer, the worm runs an HTTP server on a port between 1024 and 10000; the shellcode on the target connects back to this HTTP server to download a copy of the worm as a DLL, which is then loaded into svchost.exe.
  • Heuristically identified capability of spreading across the following weakly restricted network shares:
ADMIN$
C$
D$
E$
IPC$

  • Network replication uses a dictionary attack, probing credentials from the following list:
00000
000000
00000000
111111
11111111
123123
12345
123456
1234567
12345678
123456789
1234qwer
123abc
123asd
123qwe
54321
654321
88888888
abc123
academia
admin
admin$
admin123
administrator
admins
america
anchor
anything
april
arrow
artist
asdfgh
basic
changeme
cluster
codeword
coffee
compaq
cookie
country
dirty
discovery
drive
edition
email
england
english
forever
france
freedom
french
ghost
guest
ihavenopass
india
input
japan
julie
killer
letmein
logout
macintosh
master
modem
monday
mouse
mypass
mypc123
network
nobody
pass123
password1
password123
phone
phrase
printer
private
pw123
record
right
saturday
script
simple
slave
student
superuser
switch
target
temp123
test123
thailand
user1
video
virus
xxxxx
xxxxxx
xxxxxxxx
xxxxxxxxx

  • It terminates processes whose names contain the following strings:
* wireshark
* unlocker
* tcpview
* sysclean
* scct_
* regmon
* procmon
* procexp
* ms08-06
* mrtstub
* mrt.
* mbsa.
* klwk
* kido
* kb958
* kb890
* hotfix
* gmer
* filemon
* downad
* confick
* avenger
* autoruns
  • In order to block users' access to security-related domains, it prevents network access to any domain whose name contains the following strings:
* windowsupdate
* wilderssecurity
* virus
* virscan
* trojan
* trendmicro
* threatexpert
* threat
* technet
* symantec
* sunbelt
* spyware
* spamhaus
* sophos
* secureworks
* securecomputing
* safety.live
* rootkit
* rising
* removal
* quickheal
* ptsecurity
* prevx
* pctools
* panda
* onecare
* norton
* norman
* nod32
* networkassociates
* mtc.sri
* msmvps
* msftncsi
* mirage
* microsoft
* mcafee
* malware
* kaspersky
* k7computing
* jotti
* ikarus
* hauri
* hacksoft
* hackerwatch
* grisoft
* gdata
* freeav
* free-av
* fortinet
* f-secure
* f-prot
* ewido
* etrust
* eset
* esafe
* emsisoft
* dslreports
* drweb
* defender
* cyber-ta
* cpsecure
* conficker
* computerassociates
* comodo
* clamav
* centralcommand
* ccollomb
* castlecops
* bothunter
* avira
* avgate
* avast
* arcabit
* antivir
* anti-
* ahnlab
* agnitum
  • Scheduled tasks have been seen created on the system to re-activate the worm.
  • Message shown while loading the file in OllyDbg 1.10:
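The autorun.inf tricks noted above (junk padding around the directives, the spoofed "Open folder to view files" entry, the RECYCLER\S-... path and the .vmx extension on the payload) can be checked mechanically. The following Python script is an added example, not code from the original post or from any published Conficker analysis: it parses an autorun.inf the tolerant way Windows does, skipping every line that is neither a [section] header nor key=value, and then reports the indicators. The sample file embedded in it is constructed for the example; the RECYCLER path and file name follow the layout described in the post, and the export name after the comma is a placeholder.

```python
"""Parse an autorun.inf the tolerant way Windows does and flag Conficker-style
indicators.  Added example; the sample bytes are constructed, not a capture."""
import re
from typing import Dict, List

# Constructed sample autorun.inf: 32 bytes of binary junk, a junk line inside
# the [autorun] section and a junk blob between two directives.  The RECYCLER
# path and the jwgkvsq.vmx name follow the layout described in the post; the
# export name after the comma ("placeholder") is made up.
SAMPLE_AUTORUN = (
    bytes(range(0x80, 0xA0)) + b"\r\n"
    + b"[autorun]\r\n"
    + b"\xfe\xed;not a directive\r\n"
    + b"Action=Open folder to view files\r\n"
    + b"Icon=%systemroot%\\system32\\shell32.dll,4\r\n"
    + b"\x01\x02\x03\r\n"
    + b"ShellExecute=RunDLL32.EXE .\\RECYCLER\\S-5-3-42-2819952290-8240758988-"
    + b"879315005-3665\\jwgkvsq.vmx,placeholder\r\n"
    + b"UseAutoPlay=1\r\n"
)

SECTION_RE = re.compile(rb"^\s*\[([^\]]+)\]\s*$")
KEYVAL_RE = re.compile(rb"^\s*([A-Za-z][A-Za-z0-9_]*)\s*=\s*(.*?)\s*$")

# Indicators: a RECYCLER\S-<numbers> directory, a launcher that can run a DLL
# or script, and a payload whose extension is not a normal executable one.
RECYCLER_RE = re.compile(r"recycler\\s-\d+(?:-\d+)+")
PATH_RE = re.compile(r"[^\s,]*\\[^\s,]*\.([a-z0-9]{1,5})")
LAUNCHERS = ("rundll32", "regsvr32", "cmd.exe", "wscript", "cscript")
NORMAL_EXTS = {"exe", "dll", "bat", "cmd", "com"}
JUNK_RATIO = 0.05   # threshold chosen for the example, not a Windows constant


def parse_autorun(data: bytes) -> Dict[str, str]:
    """Return the key=value directives of the [autorun] section.

    Anything that is neither a '[section]' header nor 'key=value' is skipped,
    which is exactly why padding the file with junk hides the directives from
    a casual look without hiding them from Windows.
    """
    directives: Dict[str, str] = {}
    in_autorun = False
    for raw in data.splitlines():        # bytes.splitlines: \r, \n, \r\n only
        sec = SECTION_RE.match(raw)
        if sec:
            in_autorun = sec.group(1).strip().lower() == b"autorun"
            continue
        if not in_autorun:
            continue
        kv = KEYVAL_RE.match(raw)
        if kv:
            key = kv.group(1).decode("ascii").lower()
            directives[key] = kv.group(2).decode("latin-1")
    return directives


def triage(data: bytes) -> List[str]:
    """Return a list of indicator tags found in an autorun.inf (empty if clean)."""
    tags: List[str] = []
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    if data and 1 - printable / len(data) > JUNK_RATIO:
        tags.append("junk-padding")
    d = parse_autorun(data)
    # The worm's Action text mimics the stock "Open folder to view files" entry
    # so that the AutoPlay dialog looks harmless.
    if d.get("action", "").lower().startswith("open folder"):
        tags.append("spoofed-action")
    for key in ("open", "shellexecute"):
        cmd = d.get(key, "").lower()
        if not cmd:
            continue
        if RECYCLER_RE.search(cmd):
            tags.append("recycler-path")
        for launcher in LAUNCHERS:
            if launcher in cmd:
                tags.append(f"launcher:{launcher}")
        for ext in PATH_RE.findall(cmd):
            if ext not in NORMAL_EXTS:
                tags.append(f"odd-extension:{ext}")
    return tags


if __name__ == "__main__":
    for tag in triage(SAMPLE_AUTORUN):
        print(tag)
```

On a real drive you would run `triage(open(r"E:\autorun.inf", "rb").read())`; a clean vendor autorun.inf (for example `[autorun]` with `open=setup.exe`) produces no tags, while the constructed sample produces all five.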

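The dictionary attack against the administrative shares listed above leaves a distinctive trail on the targets: a burst of failed network logons (Event ID 4625 on Vista and later, 529 on Windows 2000/2003, logon type 3) from one source against the accounts it enumerated, which is also what produces the account lockouts listed under Symptoms. The following Python script is an added example, not code from the original post: it keeps a sliding-window count of failed network logons per source over a constructed, simplified log and records whether a successful logon from the same source followed, which for this worm means a password from its list worked. The one-line event format, the thresholds and the sample events are assumptions made for the example; the regular expression has to be adapted to whatever your log export actually looks like.

```python
"""Spot Conficker-style SMB password guessing in Windows security events.
Added example; the log lines are constructed for it, not real captures."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from typing import Deque, Dict, List, Optional

# One event per line, in a simplified format constructed for this example:
#   <ISO-8601 UTC time> <event id> src=<source IP> user=<target account> type=<logon type>
# 4625/4624 are the Vista+ failed/successful logon events; 529/528 are the
# Windows 2000/2003 equivalents.  Logon type 3 is a network logon, which is
# what a connection to ADMIN$ or IPC$ produces.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<eid>\d{3,4}) "
    r"src=(?P<src>\S+) user=(?P<user>\S+) type=(?P<ltype>\d+)$"
)
FAILURE_IDS = {4625, 529}
SUCCESS_IDS = {4624, 528}
WINDOW = timedelta(seconds=60)   # sliding window per source (example value)
THRESHOLD = 20                   # failed network logons inside WINDOW (example value)


def _stamp(t: datetime) -> str:
    return t.strftime("%Y-%m-%dT%H:%M:%SZ")


def build_sample_log() -> List[str]:
    """Constructed events: one host cycling three accounts through a password
    list at one failure per second, then a success in the 32nd second; plus
    two stray failures from another host that must not be flagged."""
    base = datetime(2009, 8, 20, 10, 0, 0)
    accounts = ["administrator", "backup", "guest"]
    lines = [
        f"{_stamp(base + timedelta(seconds=i))} 4625 src=10.0.0.5 "
        f"user={accounts[i % 3]} type=3"
        for i in range(30)
    ]
    lines.append(f"{_stamp(base + timedelta(seconds=31))} 4624 src=10.0.0.5 user=administrator type=3")
    lines.append(f"{_stamp(base + timedelta(seconds=5))} 4625 src=10.0.0.9 user=alice type=3")
    lines.append(f"{_stamp(base + timedelta(seconds=9))} 4625 src=10.0.0.9 user=alice type=3")
    return sorted(lines)   # ISO timestamps sort chronologically as strings


def parse_event(line: str) -> Optional[dict]:
    m = LINE_RE.match(line)
    if not m:
        return None          # unparseable lines are skipped, not fatal
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    ev["eid"] = int(ev["eid"])
    return ev


def detect_password_guessing(lines: List[str]) -> Dict[str, dict]:
    """Return {source: verdict} for sources whose failed network logons reach
    THRESHOLD inside WINDOW.  A later successful network logon from a flagged
    source is recorded as well: treat that host as compromised."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    targets: Dict[str, set] = defaultdict(set)
    verdicts: Dict[str, dict] = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None or ev["ltype"] != "3":
            continue
        src = ev["src"]
        if ev["eid"] in FAILURE_IDS:
            q = recent[src]
            q.append(ev["ts"])
            targets[src].add(ev["user"])
            while q and ev["ts"] - q[0] > WINDOW:   # drop failures older than WINDOW
                q.popleft()
            if len(q) >= THRESHOLD and src not in verdicts:
                verdicts[src] = {
                    "flagged_at": ev["ts"],
                    "failures_in_window": len(q),
                    "accounts_tried": sorted(targets[src]),
                    "success_after": None,
                }
        elif ev["eid"] in SUCCESS_IDS and src in verdicts:
            verdicts[src]["success_after"] = (ev["ts"], ev["user"])
    return verdicts


if __name__ == "__main__":
    for src, verdict in detect_password_guessing(build_sample_log()).items():
        print(src, verdict)
```

With the password list printed above (a little under a hundred entries) and the worm trying every entry against every account it enumerated, a single infected host generates hundreds of type-3 failures per target in well under a minute, so a threshold of this order separates it cleanly from a user mistyping a password a few times.
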
Removal:-
Thanks to the Microsoft removal tools, which solved that problem. For further info see my post "Malware removal tools".
-----
ExtremeVoltages
"We start from there, where other ends."