Analysis of Conficker

Abstract

In my eight article I want to describe the Conficker trojan. It was in the news the last days, especially here in Austria because someone of the Krnten government and hospital infiltrate the IT system with a customized version of Conficker. It is considered as worm because it spreads itself over local network using already patched vulnerabilities in the Windows network services. The one sample appeared in Austria in several constitutions was Conficker.B, following the A version few months ago.

- Peter Kleissner, Software Engineer (14th January 2009)

Conficker

Conficker is a new trojan/worm. It spreads around the local network and tries to diffuse itself using already fixed vulnerabilities in RPC and using network shares. There are two versions: Conficker.A from November 2008 and Conficker.B from January 2008. Both are quite similar but not identical. The newer version, Conficker.B spreads itself also around using USB sticks and autorun.inf. The art of virus executable is very interesting, normally you would have an exe infector file and "normal" payload code, but Conficker comes with a single dll and autorun.inf file.

The interesting thing is that the infector is a single dll, and the infection is the same dll stored in the system32 directory. The dll will be executed by using ShellExecute in autorun.inf and rundll32. This means that you can not directly execute the infector, you have to use a loader. This technique is quite uncommon, because you can not directly execute the dll which prevents shipping as spam, direct links or such things. It is just intended to be executed when double clicking in explorer on the USB stick or on your mapped network share.

Autorun.inf

The autorun.inf file is very important for Conficker to be executed. It contains the necessary commands and parameters to execute the dll file. For information about the autorun.inf, when it's executed and its format read the the article Wikipedia "The autorun.inf file". The file itself is obfuscated, when opening it in text editor it first looks like a binary. This is becasue there are lots of unnecessary and special (control) characters in the file, but still valid as a text file. The evil thing is that even control characters are used to go few characters back and "rewrite" the string, also different line terminators are used. The binary characters will not be interpreted because they are part of a comment in the autorun.inf file (a line which starts with semicolon). Also to note the file is a Unicode text file (very unusual) and has a little endian Byte Order Mark at the beginning. The autorun.inf file looks at the beginning like:

;?LDfIJ?uRSGlErkXdOVjfzAL 
                 

       
        
;fb	
;NAoCTDKkA?PazATSxauerftJojP?aFfawuiRgHbemKSZHyFL
[	 TdkjJufXACQXwTrqdYPpjbSC]
                  
;KfZ
; ǐAerSKZDAroJUqHKemTivNaqCZIoglf?ceDlTc
ajzLmMmVuIndpuy	=lcH
 QPDdnsHCDPoyNqFrWqCPwdLwE=	

So, putting that together todays software will recognize it wrongly as binary. The file is 57,8 KB of size, but only few bytes of them are actually used for the real autorun contents. Even the real contents is obfuscated, and stored near by the end of the file (excerpt):

	shelLExECUte=RuNdLl32.EXE      .\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
;zDlplzcr?uDbyF?G

Autorun.inf is the config file for removable devices (such as USB sticks, flash drives, CD/DVD) and network shares to tell the system what program to execute automatically ("auto-run") and other various settings (like an icon to display).

Autorun.inf deobfuscated

I wrote a Conficker Autorun.inf deobfuscator. It parses the inf file like Windows and outputs just the real used data. It works through parsing the whole file for comments and stripping them out and interpreting control characters. Download the autorun.inf deobfuscator at http://www.viennacomputerproducts.com/downloads/Conficker Article/ASCII Parser Project.zip.

After deobfuscation, the most important section at the end of file is clearly visible:

[AUTorUN
icon=%syStEmrOot%\sySTEM32\sHELL32.Dll,4
shelLExECUte=RuNdLl32.EXE.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
useAuTopLAY=1

You easily see there the command to execute (load) the dll, and to make use of autoplay on removable media devices such as CD and DVD. Also there is the command "icon=" to change the icon of the drive containing the autorun.inf. Note its not a mistake by me that the "]" of the Autorun tag is missing.

Thought that's everything?

Nah, well there is more than just these particular lines, like following encrypted section (one of many):

[jyFPhb]
JnAbQXPxdFGMQlA=hthUTgGdKclFvzZzTS
pwIoQiCkVDktrkgDApLXPy=QUNwLnjqXTJIVJpxHTSHaVCVi
tdqRWRUjTxrjk=wHAOFvaJCLBKKHtf
HlzdxIQsfh=YtIFTCFqOBOFtCgAwPL
iqSTxJiYHraLAWEdXMuJxQ=pcF

Startup

As mentioned above there is just the autorun.inf file and a dll (which is later also the executable stored on the computer). To get a specific export of the infector called, rundll is used in the autorun.inf file:

rundll.exe jwgkvsq.vmx,ahaezedrn

This command should execute the function "ahaezedrn" of the dll "jwgkvsq.vmx" (its a dll even with the extension). Should, because the dll does not export any function; but nevertheless the dll will still be loaded and thus DllMain() (the entry point of the dll) executed. The infector then copies itself into system32 and renames the dll to a random name and register it in registry. If the infector is started locally (not via USB stick or network share), it does not copy the infector but renames and hides it.

Conficker hides its own file in explorer by manipulating the registry to hide system files in explorer and by "locking" that option in Windows Explorer options (the option will be unavailable). Conficker also locks its own file, to prevent AVs to scan the file.

Conficker developed from the Rock Phish Group

Yet another product fromt the Rock Phish Group. Conficker appears to be developed from the same people as Sinowal, from the Rock Phish group (or at least there is a strong connection to them). I found a connection between Sinowal and Conficker in the registry startup method it uses:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost, netsvcs = %Previous data% and %Random%

..is one registry key that is modified by Conficker in order to be executed on startup. Now lets consider the registry key used by Sinowal to get executed:

Symantec Virus Bulletin 2008 white paper registry excerpt

The picture was taken out of a new currently non-public paper by Symantec (the white paper of the presentation at Virus Bulletin 2008). Next, there is not only the registry key the same but also domains that the virus is trying to connect to, and which are the same as in ZeuS (another trojan/Botnet by the Rock Phish Group):

www.getmyip.org
getmyip.co.uk
checkip.dyndns.org

Why accessing them? To get information where the infected computer geological is at. Why? To download a localized version of a fake AV I have heard. I don't know currently what "product" (fake AV) it download / is assigned to Rock Phish but I assume "Windows Antivirus 2008", "Windows XP Antivirus" or "Virus Protect". Also note that currently the Command & Control servers of Conficker are not up yet, so any payload it does is just speculation.

References