Conficker Information - Techist - Tech Forum

Go Back   Techist - Tech Forum > Security | Computer, Devices, Software and Systems > Viruses, Spyware and Malware
Click Here to Login
Closed Thread
 
Thread Tools Display Modes
 
Old 03-30-2009, 09:00 AM   #1 (permalink)
Techie Beyond Description
 
Osiris's Avatar
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris
Exclamation Conficker Information

The following page contains the tools and analysis results described in our "Know your Enemy" paper "Containing Conficker - To Tame a Malware". The paper is published by the Honeynet Project and can be downloaded here: todo

All tools are to be considered as proof of concepts. Even though most of them run stable, they are not meant for use in production. They don't come with any warranty.
All tools are available including source code and are licences using GPL.
If you enjoy our tools...we enjoy feedback. Just send us a mail. You can also send us a mail if you have improved the code or have a question
Conficker Domain Name Generation

Different Conficker variants are checking different domains for updates every day. Conficker.A and .B are already generating and checking 250 domains each per day. Conficker.C will start to check for 50.000 generated domain names on April 1st.

Downatool2

The domain names of different Conficker variants can be used to detect infected machines in a network. Inspired by the "downatool" from MHL and B. Enright, we have developed Downatool2. It can be used to generate domains for Downadup/Conficker.A, .B, and .C.
Download

downatool2.exe
90 K
downatool2.zip
4.9 K

Conficker.C Domain Collisions

Figure 1: Number of Conficker.C collisions with existing domains for April 2009.
Conficker.A and .B created 250 domains per day, from which they try to download updates. Conficker.C, unlike its predecessors, creates 50.000 domains per day. Furthermore, the length of Conficker.C domain names is only 4-9 characters, instead of 8-11 as variants .A and .B. The large number and the shorter domain length results in a lot of collisions with real domain names.

We have pre-computed all domain names for April 2009 and looked up the domains in order to find collisions. Figure 1 shows the number of collisions for each day.
The list of collisions as well as the list of Conficker.C domains for April can be downloaded here:



collisions_april.zip
60 K
c_domains_april2009.zip
9.2 M

Figure 2: Number of collisions for each IP address in April 2009
Conficker .C will create about 150 - 200 collisions with existing domains per day. The large number of generated domains and the fact that not every domain will be contacted for a given day, will likely prevent DDoS situations.
Figure 2 shows the number of conflicts, each IP address generates. There are some IPs with a remarkable number of occurrences.

You may want more than just Conficker.C domains and probably more than just April. Just download our Downatool2 from above and generate the domains yourself. If you like the tools, tell us by sending an email.
Statistics about future collisions will be published here. Just tune in again.




Memory Disinfector

It is hard to identify files containing Conficker because the executable are packed and encrypted. When Conficker runs in memory it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. This helps to keep the system services running.
The tool itself and the source code can be downloaded here:

conficker_mem_killer.exe
594 K
memscan.zip
8.4 K

Detecting Conficker Files and Registry

Despite other reports, the file names and registry keys Conficker.B and .C use are not random. They are calculated based on the hostname. We have developed a tool that you can run on your system to check for Conficker's Dlls. Unfortunately, Conficker.A really uses random names and can therefore not be found this way.
It is at a very early development stage but usable. We would be grateful to benefit from your changes if you develop it further.
Tool and source code are here:
regnfile.exe
599 K
conficker_names.zip
48 K

Network Scanner

Another option is to actively scan for Conficker machines. There is a way to distinguish infected machines from clean ones based on the error code for some specially crafted RPC messages. Conficker tries to filter out further exploitation attempts which results in uncommon responses. Our python script scs.py implements a simple scanner based on this observation. Here is a sample output:
./scs.py 127.43.16.76
Could not send SMB request to 127.43.16.76:445/tcp.

./scs.py 127.99.100.2
127.99.100.2 seems to be infected by Conficker.

./scs.py 127.36.15.80
127.36.15.80 seems to be clean.
The script can be downloaded here:
scs.zip
Simple Conficker Scanner (SCS) requires the installation of the "Impacket" python library
15.6 K

Intrusion Detection Signatures

Conficker uses a hardcoded xor-key for encoding its shellcode. This creates static patterns, which allow to detect exploitation attempts and may be used to identify infected machines. The signature we have created for Conficker.A and .B are:
Conficker.A
Conficker.A:y any -> $HOME_NET 445 (msg:
"conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10
80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c
cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4
c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92
96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95
e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5
dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07
a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb
eb|"; sid: 2000001; rev: 1
Conficker.B
alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode";
content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d
a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4
94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03
c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88
cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6
c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0
b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab
aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1
Nonficker Vaxination Tool

Conficker uses different global and local mutexes to ensure that only to most up-to-date version is run on the system. This fact can be exploited to scan for and to prevent infections.
We have developed our Nonficker Vaxination dll that can be installed as a system service and pretends to be a running Conficker by registering all mutexes from version .A, .B, and .C (and possibly .D depending which naming scheme you refer to). A setup tool to install the dll as system service is provided as well.


Removal instructions:
  • Open your favorite registry editor (e.g. Start->Run...->regedit.exe->ok)
  • Go to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
  • Remove the "aaaaanonficker" from the "netsvcs" key
  • Remove registry key and all sibling keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Servic es\aaaaanonficker
Besides vaccination, the mutexes can be used to scan for local infections. We have developed a small mutex scanner that tells you if you are infected.
Both tools and source code can be downloaded here:
nonficker.zip
547 K
nonficker_code.zip
64 K

Background and Paper

All the tools and data found on this web-site are derived from reverse engineering and analyzing Conficker. The description of our approaches and especially the extracted algorithms and relations are described in our paper:


Informatik IV: Containing Conficker
__________________

__________________
Osiris is offline  
Old 03-30-2009, 09:08 AM   #2 (permalink)
Call me Mak or K
Mod Emeritus
 
KSoD's Avatar
 
Join Date: Sep 2004
Location: C:\
Posts: 35,645
Default Re: Containing Conficker

Just a heads up, your download links dont work. I had to go to the source to get them.
__________________

__________________
I do not accept support questions via EMail, PM, IM or my G+ page!

Phone: LG Optimus G Pro
Running: Stock JB from LG with Nova Launcher

KSoD is offline  
Old 03-30-2009, 09:47 AM   #3 (permalink)
Techie Beyond Description
 
Osiris's Avatar
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris
Default Re: Containing Conficker

Well the link is at the bottom if they need it
__________________
Osiris is offline  
Old 03-31-2009, 12:03 AM   #4 (permalink)
Techie Beyond Description
 
Osiris's Avatar
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris
Default Conficker Information

As long as there are people trying to help, there will always be criminals and malcontents attempting to taking advantage of others. The following is a list of sites that may claim to be assisting in helping resolve conficker related infections and issues, but are not. None of the listed sites are affiliated with the conficker working group. Please use caution when visiting these sites.
If you are not visiting one of the suggested vendor sites for assistance, avoid any conficker related site that suggests it might be able to help you or detect if you are infected. Because in most cases if you are not infected, you most likely will be with something before you depart that site.
If you find any others please let us know at conficker-news@shadowserver.org and we'll update the list. If you ended up on our list and disagree with your status reach out and let us know why.

List of Possible Malicious Web Sites
  • hxxp://conficker.biz/
  • hxxp://confickerc.com/
  • hxxp://conficker-cleaner.com
  • hxxp://confickerc.net/
  • hxxp://conficker.com/
  • hxxp://confickerc.org/
  • hxxp://conficker.co.uk/
  • hxxp://confickercvirus.com
  • hxxp://confickercvirus.info
  • hxxp://confickercvirus.net
  • hxxp://confickercvirus.org
  • hxxp://conficker.de/
  • hxxp://conficker.info/
  • hxxp://conficker.net/
  • hxxp://conficker.org/
  • hxxp://conficker-removal.info
  • hxxp://conficker-removal-tool.com
  • hxxp://confickerremover.blogspot.com/
  • hxxp://conficker.us/
  • hxxp://confickervirus.com/
  • hxxp://confickervirus.info/
  • hxxp://confickervirusremoval.com
  • hxxp://conficker-wg.com/
  • hxxp://confickerwg.com/
  • hxxp://conficker-worm.com
  • hxxp://confickerworm.com/
  • hxxp://conficker-worm.net
  • hxxp://conficker-worm.org
  • hxxp://conficker-worm-removal.com
  • hxxp://confickerwormremoval.com/
  • hxxp://conflicker-worm-removal.com
  • hxxp://downadupc.com/
  • hxxp://downadup.com/
  • hxxp://downadup.co.uk/
  • hxxp://downadup.de/
  • hxxp://downadup.info/
  • hxxp://downadup.net/
  • hxxp://downadup.org/
  • hxxp://downadupvirus.com/
  • hxxp://downadupworm.com/
  • hxxp://removeconficker.net
  • hxxp://removeconficker.org
  • hxxp://remove-conficker.org - Actively serving malware
  • hxxp://stopconficker.com/
  • hxxp://w32downadupc.com/
  • hxxp://www.confickercabal.com/
  • hxxp://www.confickerwormremoval.com/
  • hxxp://www.downadup.com/
Related Malicious Domains and Web Sites
  • hxxp://advanced-care-free.com
  • hxxp://anti-malware-free.com
  • hxxp://antivirus360remover.com
  • hxxp://av360removaltool.com
  • hxxp://bytescan.org
  • hxxp://combofixtool.com
  • hxxp://combofixtool.org
  • hxxp://fix-download.com
  • hxxp://hijacktool.com
  • hxxp://hijacktool.org
  • hxxp://malwarebot.org
  • hxxp://malware.com.tw
  • hxxp://malwaree.com
  • hxxp://malwaree.org
  • hxxp://malware-malware.com
  • hxxp://malware.ms
  • hxxp://malware.org.in
  • hxxp://malware.org.uk
  • hxxp://remove-a360.com
  • hxxp://remove-antivirus-2009.com
  • hxxp://Remove-AntiVirus-360.com
  • hxxp://remove-av360.com
  • hxxp://remove-conficker.org
  • hxxp://remove-ie-security.com
  • hxxp://remove-malware-defender.com
  • hxxp://remove-ms-antispyware.com
  • hxxp://remove-personal-defender.com
  • hxxp://remove-spyware-guard.com
  • hxxp://remove-spyware-protect-2009.com
  • hxxp://remove-spyware-protect.com
  • hxxp://remove-system-guard.com
  • hxxp://remove-total-security.com
  • hxxp://remove-ultra-antivir-2009.com
  • hxxp://remove-ultra-antivirus-2009.com
  • hxxp://remove-virus-alarm.com
  • hxxp://remove-virus-melt.com
  • hxxp://remove-winpc-defender.com
  • hxxp://smitfraudfixtool.com
  • hxxp://vundofix.org
  • hxxp://vundofixtool.com
  • hxxp://zlobremovaltool.com

Conficker Work Group - MAL - MaliciousSites
__________________
Osiris is offline  
Old 03-31-2009, 12:04 AM   #5 (permalink)
Techie Beyond Description
 
Osiris's Avatar
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris
Default Re: Conficker Information

Introduction

The following list are the sanctioned repair and detection tools that are supported and given out by the appropriate and direct vendors of tools. Note that if you cannot get to one or more of these, you might be infected with conficker or any of the other many malicious programs out there. Try another, at the time of this writing, not all of these are blocked by conficker and any of them will work.

Conficker Working Group's "Custodian of the Tools"

The Internet Storm Center/DSHIELD has stepped forward to keep track of all the tools. The list below is a copy from that list, hosted here:
Tools List
Conficker Work Group - ANY - RepairTools
__________________
Osiris is offline  
Old 03-31-2009, 08:16 AM   #6 (permalink)
Techie Beyond Description
 
Osiris's Avatar
 
Join Date: Jan 2005
Location: Kentucky
Posts: 36,817
Send a message via ICQ to Osiris Send a message via AIM to Osiris Send a message via MSN to Osiris Send a message via Yahoo to Osiris
Default Re: Conficker Information

Source: Conficker Worm Detection And Removal

By now you might have heard about the latest worm that is plaguing Internet users world wide. It goes by the name of Conficker (or Downadup)and comes in the variants A,B and C with c being the most evolved variant. To put it simple: Conficker uses a Windows vulnerability that was discovered in September 2008 and a patch was released by Microsoft that fixed it. The first worm that used the vulnerability was discovered in November 2008.
Conficker C will initiate a number of processes on infected host systems including opening a random port which is being used in the distribution process of the worm. The worm will then patch the security hole on the computer system that allowed it to attack the system in first place. This prevents other viruses from exploiting the vulnerability while keeping a backdoor open for newer variants of the Conficker worm. The worm will block certain strings from being accessed on the Internet. Domain names making use of those strings cannot be accessed unless the IP is used to do so. Among the strings are various security companies like microsoft, panda or symantec but also generic strings like defender, conficker or anti-. This is to prevent users from accessing websites that contain information and removal instructions about the worm.
While this is surely a nuisance for the user it does mean that the worm itself is not harming the user system in any way other than the methods described above. The real danger comes from the updating mechanism of Conficker C. The worm will try to retrieve new instructions on April 1, 2009. A very sophisticated updating mechanism has been implemented by the author. The worm will generate a list of 50K domain names and append a list of 116 top level domains to them. It will then select 500 randomly from the list and try to connect to them. If new instructions are found on one of the urls it will download them and execute them on the computer system. This process will be repeated every 24 hours.
The easiest way of detection is by accessing a site like microsoft.com or symantec.com and comparing the results with accessing the site using the IP addresses (207.46.197.32 and 206.204.52.31). While this usually gives a good indication it is better to check the computer system with tools that have been specifically designed to detect and remove the Conficker variants.

A few tools that can be used to detect and remove Conficker variants are ESET Conficker Removal Tool, Downadup from F-Secure or KidoKiller by Kaspersky.
Excellent information about Conficker detection and removal instructions are available at Sans.org.
__________________
Osiris is offline  
Old 03-31-2009, 10:18 AM   #7 (permalink)
Banned
 
Join Date: Feb 2009
Location: Guantanomo Bay, Cuba
Posts: 546
Default Re: Conficker Information

The following is the warning my company most recently received from us-cert.gov

I like how they say "unauthenticated attacker could run arbitrary code..." - basically "anything they want"!

Quote:
National Cyber Alert System

Technical Cyber Security Alert TA09-088A


Conficker Worm Targets Microsoft Windows Systems

Original release date: March 29, 2009
Last revised: March 30, 2009
Source: US-CERT


Systems Affected

* Microsoft Windows


Overview

US-CERT is aware of public reports indicating a widespread
infection of the Conficker/Downadup worm, which can infect a
Microsoft Windows system from a thumb drive, a network share, or
directly across a corporate network, if the network servers are not
patched with the MS08-067 patch from Microsoft.


I. Description

Home users can apply a simple test for the presence of a
Conficker/Downadup infection on their home computers. The presence
of a Conficker/Downadup infection may be detected if a user is
unable to surf to their security solution website or if they are
unable to connect to the websites, by downloading detection/removal
tools available free from those sites:

* Conficker - April 1st Virus - April Fools Virus - W32.Downadup Worm | The Conficker C Worm
* http://www.microsoft.com/protect/com...conficker.mspx
* McAfee-Antivirus Software and Intrusion Prevention Solutions

If a user is unable to reach any of these websites, it may indicate
a Conficker/Downadup infection. The most recent variant of
Conficker/Downadup interferes with queries for these sites,
preventing a user from visiting them. If a Conficker/Downadup
infection is suspected, the system or computer should be removed
from the network or unplugged from the Internet - in the case for
home users.


II. Impact

A remote, unauthenticated attacker could execute arbitrary code on
a vulnerable system.


III. Solution

Instructions, support and more information on how to manually
remove a Conficker/Downadup infection from a system have been
published by major security vendors. Please see below for a few of
those sites. Each of these vendors offers free tools that can
verify the presence of a Conficker/Downadup infection and remove
the worm:

Symantec:
W32.Downadup Removal Tool | Symantec

Microsoft:
Virus alert about the Win32&#47;Conficker.B worm

http://www.microsoft.com/protect/com...conficker.mspx

Microsoft PC Safety hotline at 1-866-PCSAFETY, for assistance.

US-CERT encourages users to prevent a Conficker/Downadup infection by
ensuring all systems have the MS08-067 patch (see
Microsoft Security Bulletin MS08-067 – Critical: Vulnerability in Server Service Could Allow Remote Code Execution (958644)),
disabling AutoRun functionality (see
US-CERT Technical Cyber Security Alert TA09-020A -- Microsoft Windows Does Not Disable AutoRun Properly), and
maintaining up-to-date anti-virus software.


IV. References

* Microsoft Windows Does Not Disable AutoRun Properly -
<http://www.us-cert.gov/cas/techalerts/TA09-020A.html>

* Virus alert about the Win32/Conficker.B worm -
<http://support.microsoft.com/kb/962007>

* Microsoft Security Bulletin MS08-067 - Critical -
<http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx>

* MS08-067: Vulnerability in Server service could allow remote code
execution -
<http://support.microsoft.com/kb/958644>

* The Conficker Worm -
<http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm>

* W32/Conficker.worm -
<http://us.mcafee.com/root/campaign.asp?cid=54857>

* W32.Downadup Removal Tool -
<http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-011316-0247-99>

__________________________________________________ __________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA09-088A.html>
__________________
SparkMonkeyHellion is offline  
Old 03-31-2009, 09:50 PM   #8 (permalink)
Grandfather of Techist

¯\_(ツ)_/¯
 
Trotter's Avatar
 
Join Date: Jan 2005
Location: The South
Posts: 31,670
Default Re: Conficker Information

Short and simple help for home users:
|MG| Sophos Conficker Clean-up Tool 1.3
__________________

__________________
Cooler Master Mastercase H500 / Antec EA650 650W / Zotac GTX 1660 AMP
AMD Ryzen 5 1600 w/ Wraith MAX RGB / MSI B350 Gaming Plus / 4x8GB XPG Specrix RGB 3200MHz
Samsung 970 EVO 250GB M.2 SSD / Hyundai Sapphire 480GB SSD / WD Black 750GB HDD / WD Green 1TB HDD
Win10 Pro x64 / Razer Mamaba Wireless / Tecware 87 Key Mechanical

R.I.P. Father Trotter ... 14 Nov 1945 - 4 Sept 2009
Trotter is offline  
Closed Thread

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Trackbacks are On
Pingbacks are On
Refbacks are Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Conficker worm back with a vengeance Osiris Viruses, Spyware and Malware 6 04-01-2009 12:20 AM
MS puts up $250K bounty for Conficker author Osiris Viruses, Spyware and Malware 3 02-14-2009 07:44 PM
French Military Confounded by Conficker Osiris Viruses, Spyware and Malware 1 02-09-2009 03:17 AM
Conficker Spreads as Waledec Delivers Mal-entine Osiris Viruses, Spyware and Malware 0 01-30-2009 08:18 AM
F-Secure Says Conficker Worm is Widespread Osiris Viruses, Spyware and Malware 1 01-16-2009 10:54 PM



Copyright 2002- Social Knowledge, LLC All Rights Reserved.

All times are GMT -5. The time now is 07:50 AM.


Powered by vBulletin® Version 3.8.8 Beta 1
Copyright ©2000 - 2019, vBulletin Solutions, Inc.