The following page contains the tools and analysis results described in our "Know your Enemy" paper "Containing Conficker - To Tame a Malware". The paper is published by the Honeynet Project and can be downloaded here: todo
All tools are to be considered proof of concepts. Even though most of them run stably, they are not meant for use in production. They come without any warranty.
All tools are available including source code and are licensed under the GPL.
If you enjoy our tools, we enjoy feedback. Just send us a mail. You can also send us a mail if you have improved the code or have a question.
Conficker Domain Name Generation
Different Conficker variants check different domains for updates every day. Conficker.A and .B already generate and check 250 domains each per day. Conficker.C will start checking 50.000 generated domain names on April 1st.
Downatool2
The domain names of different Conficker variants can be used to detect infected machines in a network. Inspired by the "downatool" from MHL and B. Enright, we have developed Downatool2. It can be used to generate domains for Downadup/Conficker.A, .B, and .C.
Download:
downatool2.exe (90 K)
downatool2.zip (4.9 K)
Conficker.C Domain Collisions
Figure 1: Number of Conficker.C collisions with existing domains for April 2009.
Conficker.A and .B create 250 domains per day, from which they try to download updates. Conficker.C, unlike its predecessors, creates 50.000 domains per day. Furthermore, Conficker.C domain names are only 4-9 characters long, instead of the 8-11 characters used by variants .A and .B. The large number of domains and the shorter domain length result in many collisions with real domain names.
We have pre-computed all domain names for April 2009 and looked up the domains in order to find collisions. Figure 1 shows the number of collisions for each day.
The list of collisions as well as the list of Conficker.C domains for April can be downloaded here:
collisions_april.zip (60 K)
c_domains_april2009.zip (9.2 M)
Figure 2: Number of collisions for each IP address in April 2009
Conficker.C will create about 150 - 200 collisions with existing domains per day. The large number of generated domains, and the fact that not every domain will be contacted on a given day, will likely prevent DDoS situations.
Figure 2 shows the number of collisions each IP address accounts for. Some IPs show a remarkable number of occurrences.
You may want more than just Conficker.C domains and probably more than just April. Just download our Downatool2 from above and generate the domains yourself. If you like the tools, tell us by sending an email.
Statistics about future collisions will be published here. Just tune in again.
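The generated domain lists are most useful for detection when they are matched against DNS query logs. As an added example (not Downatool2 or any other tool from this page), the Python script below loads one day's pre-computed domain set and reports hosts that resolved several distinct domains from it. A single hit is weak evidence, because Conficker.C domains are short and collide with legitimate names, whereas many distinct hits from one host in one day is the rendezvous behaviour of an infected machine. The domain names, the log lines and the BIND-style log layout are constructed for this example; in practice the set would be loaded from the c_domains list for the day.

```python
"""Flag hosts that query many of the day's Conficker DGA domains.

Added example, not the page's tool: reads a set of pre-computed DGA
domains for one day and a DNS query log, and reports hosts that asked
for at least `threshold` distinct DGA domains. Repeated queries for the
same name count once, so a single colliding domain cannot push a clean
host over the threshold.
"""
from collections import defaultdict
import re

# Constructed sample standing in for one day's pre-computed domain list.
# These names are made up for this example, not real DGA output.
DGA_DOMAINS_TODAY = {
    "qwpx.info", "lmzkr.org", "tovq.cc", "hbwea.ws", "rntyc.net",
    "zxvbq.biz", "kdpse.com", "gofqt.cn", "uyrmw.org", "pqzdn.net",
}

# Constructed DNS query-log lines in a BIND-style layout (made up).
SAMPLE_LOG = """\
01-Apr-2009 10:00:01.120 client 10.0.0.5#51234: query: qwpx.info IN A +
01-Apr-2009 10:00:01.390 client 10.0.0.5#51235: query: lmzkr.org IN A +
01-Apr-2009 10:00:02.010 client 10.0.0.5#51236: query: tovq.cc IN A +
01-Apr-2009 10:00:02.220 client 10.0.0.5#51237: query: hbwea.ws IN A +
01-Apr-2009 10:00:05.000 client 10.0.0.9#40001: query: www.example.com IN A +
01-Apr-2009 10:00:06.000 client 10.0.0.9#40002: query: kdpse.com IN A +
01-Apr-2009 10:00:07.000 client 10.0.0.9#40003: query: kdpse.com IN A +
01-Apr-2009 10:00:08.000 client 10.0.0.12#40010: query: rntyc.net IN AAAA +
01-Apr-2009 10:00:08.500 client 10.0.0.12#40011: query: ZXVBQ.BIZ. IN A +
01-Apr-2009 10:00:09.000 client 10.0.0.12#40012: query: uyrmw.org IN A +
"""

# Extracts the client address and the queried name from one log line.
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN")


def normalize(name):
    """Lower-case a queried name and drop a trailing root dot."""
    return name.lower().rstrip(".")


def dga_hits_per_host(log_text, dga_domains):
    """Map each client IP to the set of distinct DGA domains it queried."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        name = normalize(m.group("name"))
        if name in dga_domains:
            hits[m.group("ip")].add(name)
    return dict(hits)


def suspicious_hosts(log_text, dga_domains, threshold=3):
    """Return {ip: distinct_hit_count} for hosts at or above the threshold."""
    return {
        ip: len(names)
        for ip, names in dga_hits_per_host(log_text, dga_domains).items()
        if len(names) >= threshold
    }


if __name__ == "__main__":
    for ip, n in sorted(suspicious_hosts(SAMPLE_LOG, DGA_DOMAINS_TODAY).items()):
        print(f"{ip}: {n} distinct Conficker.C domains queried")
```

With the default threshold of three distinct names, 10.0.0.5 and 10.0.0.12 are reported, while 10.0.0.9, which only asked for one colliding domain (twice), is not. The threshold is the knob to tune against the collision counts from Figure 1 for the day in question.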
Memory Disinfector
It is hard to identify files containing Conficker because the executables are packed and encrypted. When Conficker runs in memory it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates the Conficker threads without touching the process they run in. This helps to keep the system services running.
The tool itself and the source code can be downloaded here:
conficker_mem_killer.exe (594 K)
memscan.zip (8.4 K)
Detecting Conficker Files and Registry
Contrary to other reports, the file names and registry keys Conficker.B and .C use are not random. They are calculated from the hostname. We have developed a tool that you can run on your system to check for Conficker's DLLs. Unfortunately, Conficker.A really does use random names and therefore cannot be found this way.
The tool is at a very early development stage but usable. We would be grateful if you shared your changes should you develop it further.
Tool and source code are here:
regnfile.exe (599 K)
conficker_names.zip (48 K)
Network Scanner
Another option is to actively scan for Conficker-infected machines. Infected machines can be distinguished from clean ones by the error code they return for certain specially crafted RPC messages: Conficker tries to filter out further exploitation attempts, which results in uncommon responses. Our Python script scs.py implements a simple scanner based on this observation. Here is a sample output:
./scs.py 127.43.16.76
Could not send SMB request to 127.43.16.76:445/tcp.
./scs.py 127.99.100.2
127.99.100.2 seems to be infected by Conficker.
./scs.py 127.36.15.80
127.36.15.80 seems to be clean.
The script can be downloaded here:
scs.zip (15.6 K)
Simple Conficker Scanner (SCS) requires the "Impacket" Python library.
Intrusion Detection Signatures
Conficker uses a hardcoded XOR key for encoding its shellcode. This creates static patterns, which allow detection of exploitation attempts and may be used to identify infected machines. The signatures we have created for Conficker.A and .B are:
Conficker.A
alert tcp any any -> $HOME_NET 445 (msg: "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000001; rev: 1;)
Conficker.B
alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode"; content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)
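To show how an IDS turns the rules above into a byte search, here is an added Python example (neither the page's signature files nor Snort's own code) that parses Snort's content syntax, literal text mixed with |hex| blocks and backslash escapes such as \;, into bytes and checks a payload for it. The pattern constant is the leading bytes of the Conficker.A rule above; the sample payload is constructed. Because the shellcode is XOR-encoded with a fixed key, the encoded bytes are constant on the wire and a plain byte search of this kind is sufficient to spot them.

```python
"""Parse Snort content: patterns and search a payload for them.

Added example, not the page's signatures or Snort's own parser. Snort's
content syntax mixes literal ASCII with |hex| blocks; inside the quotes
the characters ; " \\ | must be written with a backslash escape.
"""


def parse_content(pattern):
    r"""Convert a Snort content string (without the surrounding quotes) to bytes.

    Inside |...| whitespace-separated hex pairs are bytes. Outside, each
    character is a literal byte, and the escapes \; \" \\ \| stand for the
    escaped character itself.
    """
    out = bytearray()
    i = 0
    while i < len(pattern):
        ch = pattern[i]
        if ch == "|":
            end = pattern.find("|", i + 1)
            if end == -1:
                raise ValueError("unterminated |hex| block")
            for token in pattern[i + 1:end].split():
                if len(token) != 2:
                    raise ValueError(f"bad hex token {token!r}")
                out.append(int(token, 16))
            i = end + 1
        elif ch == "\\":
            if i + 1 >= len(pattern) or pattern[i + 1] not in ';"\\|':
                raise ValueError("dangling or unknown escape")
            out.append(ord(pattern[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    return bytes(out)


# Leading bytes of the Conficker.A rule's content, copied from the rule above.
CONFICKER_A_PREFIX = (
    "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|"
)


def matches(payload, pattern):
    """True if the parsed pattern occurs anywhere in the payload bytes."""
    return payload.find(parse_content(pattern)) != -1


if __name__ == "__main__":
    sig = parse_content(CONFICKER_A_PREFIX)
    print("signature bytes:", sig.hex())
    # Constructed payload: SMB-looking filler followed by the signature bytes.
    sample = b"\x00\x00\x00\x5c\xffSMB" + b"\x00" * 8 + sig + b"\x90\x90"
    print("hit" if matches(sample, CONFICKER_A_PREFIX) else "miss")
```

The parser rejects an unterminated hex block and unknown escapes instead of silently producing a shorter pattern, which is the failure mode that would make a signature match nothing while appearing to load fine.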
Nonficker Vaxination Tool
Conficker uses different global and local mutexes to ensure that only the most up-to-date version runs on the system. This fact can be used to scan for and to prevent infections.
We have developed our Nonficker Vaxination DLL, which can be installed as a system service and pretends to be a running Conficker by registering all mutexes from versions .A, .B, and .C (and possibly .D, depending on which naming scheme you refer to). A setup tool to install the DLL as a system service is provided as well.
Removal instructions:
- Open your favorite registry editor (e.g. Start->Run...->regedit.exe->ok)
- Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
- Remove the "aaaaanonficker" entry from the "netsvcs" value
- Remove the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aaaaanonficker together with all its subkeys
Both tools and source code can be downloaded here:
nonficker.zip (547 K)
nonficker_code.zip (64 K)
Background and Paper
All the tools and data found on this web site are derived from reverse engineering and analyzing Conficker. Our approaches, and especially the extracted algorithms and relations, are described in our paper:
Informatik IV: Containing Conficker