Home / malwarePDF  

Worm:Win32/Conficker.C


First posted on 27 March 2009.
Source: SecurityHome

Aliases :

Worm:Win32/Conficker.C is also known as Also Known As:TA08-297A (other), CVE-2008-4250 (other), VU827267 (other), Conficker B++ (other).

Explanation :

Win32/Conficker.C is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products. Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately. Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.

Symptoms
System ChangesThe following system changes may indicate the presence of this malware:

  • The following services are disabled or fail to run:
    • Windows Update Service
    Background Intelligent Transfer Service
    Windows Defender
    Windows Error Reporting Services
  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:
    • HKLMSYSTEMCurrentControlSetServicesTcpipParameters
    "TcpNumConnections" = "0x00FFFFFE"
  • Users may not be able to connect to websites or online services that contain the following strings:
    • virus
    spyware
    malware
    rootkit
    defender
    microsoft
    symantec
    norton
    mcafee
    trendmicro
    sophos
    panda
    etrust
    networkassociates
    computerassociates
    f-secure
    kaspersky
    jotti
    f-prot
    nod32
    eset
    grisoft
    drweb
    centralcommand
    ahnlab
    esafe
    avast
    avira
    quickheal
    comodo
    clamav
    ewido
    fortinet
    gdata
    hacksoft
    hauri
    ikarus
    k7computing
    norman
    pctools
    prevx
    rising
    securecomputing
    sunbelt
    emsisoft
    arcabit
    cpsecure
    spamhaus
    castlecops
    threatexpert
    wilderssecurity
    windowsupdate

    Win32/Conficker.C is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

    Installation
    Win32/Conficker.C attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders: %ProgramFiles%Internet Explorer
    %ProgramFiles%Movie Maker It creates the following registry entry to ensure that its dropped copy is run every time Windows starts: Adds value: "<random string>"
    With data: "rundll32.exe <system folder><malware file name>.dll,<malware parameters>"
    To subkey: HKCUSoftwareMicrosoftWindowsCurrentVersionRun It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe. It may also load itself as a fake service by registering itself under the following key:
    HKLMSYSTEMCurrentControlSetServices It may use a display name that is created by combining two of the following strings: Boot
    Center
    Config
    Driver
    Helper
    Image
    Installer
    Manager
    Microsoft
    Monitor
    Network
    Security
    Server
    Shell
    Support
    System
    Task
    Time
    Universal
    Update
    WindowsIt may also combine random characters to create the display name. Win32/Conficker patches 'NETAPI32.DLL' in memory to prevent re-infection and further exploitation of the vulnerability addressed by Microsoft Security Bulletin MS08-067. Spreads Via...Network Shares with Weak PasswordsWin32/Conficker.C attempts to infect machines within the network. It first attempts to drop a copy of itself in a target machine's ADMIN$ share using the credentials of the currently logged-on user. If this method is unsuccessful, for example, the current user does not have the necessary rights, then it instead obtains a list of user accounts on the target machine. It then attempts to connect to the target machine using each user name and the following weak passwords: 123
    1234
    12345
    123456
    1234567
    12345678
    123456789
    1234567890
    123123
    12321
    123321
    123abc
    123qwe
    123asd
    1234abcd
    1234qwer
    1q2w3e
    a1b2c3
    admin
    Admin
    administrator
    nimda
    qwewq
    qweewq
    qwerty
    qweasd
    asdsa
    asddsa
    asdzxc
    asdfgh
    qweasdzxc
    q1w2e3
    qazwsx
    qazwsxedc
    zxcxz
    zxccxz
    zxcvb
    zxcvbn
    passwd
    password
    Password
    login
    Login
    pass
    mypass
    mypassword
    adminadmin
    root
    rootroot
    test
    testtest
    temp
    temptemp
    foofoo
    foobar
    default
    password1
    password12
    password123
    admin1
    admin12
    admin123
    pass1
    pass12
    pass123
    root123
    pw123
    abc123
    qwe123
    test123
    temp123
    mypc123
    home123
    work123
    boss123
    love123
    sample
    example
    internet
    Internet
    nopass
    nopassword
    nothing
    ihavenopass
    temporary
    manager
    business
    oracle
    lotus
    database
    backup
    owner
    computer
    server
    secret
    super
    share
    superuser
    supervisor
    office
    shadow
    system
    public
    secure
    security
    desktop
    changeme
    codename
    codeword
    nobody
    cluster
    customer
    exchange
    explorer
    campus
    money
    access
    domain
    letmein
    letitbe
    anything
    unknown
    monitor
    windows
    files
    academia
    account
    student
    freedom
    forever
    cookie
    coffee
    market
    private
    games
    killer
    controller
    intranet
    work
    home
    job
    foo
    web
    file
    sql
    aaa
    aaaa
    aaaaa
    qqq
    qqqq
    qqqqq
    xxx
    xxxx
    xxxxx
    zzz
    zzzz
    zzzzz
    fuck
    12
    21
    321
    4321
    54321
    654321
    7654321
    87654321
    987654321
    0987654321
    0
    00
    000
    0000
    00000
    00000
    0000000
    00000000
    1
    11
    111
    1111
    11111
    111111
    1111111
    11111111
    2
    22
    222
    2222
    22222
    222222
    2222222
    22222222
    3
    33
    333
    3333
    33333
    333333
    3333333
    33333333
    4
    44
    444
    4444
    44444
    444444
    4444444
    44444444
    5
    55
    555
    5555
    55555
    555555
    5555555
    55555555
    6
    66
    666
    6666
    66666
    666666
    6666666
    66666666
    7
    77
    777
    7777
    77777
    777777
    7777777
    77777777
    8
    88
    888
    8888
    88888
    888888
    8888888
    88888888
    9
    99
    999
    9999
    99999
    999999
    9999999
    99999999 If Win32/Conficker.C successfully accesses the target machine, for example, if a combination of any of the obtained user names and one of the above passwords allows write privileges to the machine, then it copies itself to an accessible admin share as ADMIN$System32<random letters>.dll. After copying itself to a remote machine, Win32/Conficker.C creates a remote schedule job with the command “rundll32.exe <malware file name>.dll,<malware parameters>" to activate the copy, as shown in the images below: Mapped and Removable DrivesWin32/Conficker.C may drop a copy of itself in all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named 'RECYCLER' (in Windows XP and previous versions, the folder "RECYCLER" references the "Recycle Bin"). Next, the worm copies itself as the following: <drive:>RECYCLERS-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d<random letters>.dll Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which enables the worm copy to execute if the drive is accessed and Autoplay is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf. The image below illustrates how a user could potentially launch the worm when accessing an infected share: Note that the language in the first option suggests the user could 'open folder to view files' however the option is under 'Install or run program', an indication that opening the folder will actually execute an application. Another hint that the action is to execute the worm is the text 'Publisher not specified'. The highlighted choice under 'General options' in the image above would allow a user to view the share and not execute the worm copy. Exploit - MS08-067 Win32/Conficker.C spreads to systems that are not yet patched against a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer via HTTP protocol using the random port between 1024 and 10000 opened by the worm. The vulnerability is documented in Microsoft Security Bulletin MS08-067.

    Payload
    Downloads and Executes Arbitrary Authenticated FilesWin32/Conficker.C checks for a specific pattern in incoming shellcode (to identify if the origin is valid) and a URL to download an updated payload from. The payload only executes if it is successfully validated by the malware. For non-Windows 2000 machines, the worm creates a thread that downloads the file, and executes it if it passes authentication. Win32/Conficker.C creates a named pipe on Windows 2000 machines having the following name:
    \.pipeSystem_<computer name>7 The worm creates a thread that continuously accepts URLs from the pipe to download from, authenticate, and execute. Modifies System SettingsWin32/Conficker.C changes system settings so that the user cannot view hidden files. It does this by modifying the following registry entry: Adds value: "CheckedValue"
    With data: "0"
    To subkey: HKLMSOFTWAREMicrosoftWindowsCurrentVersionexplorerAdvancedFolderHiddenSHOWALL It also modifies the system's TCP settings to allow a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal and equals 16,777,214 decimal value: Adds value: "TcpNumConnections"
    With data: "0x00FFFFFE"
    To subkey: HKLMSYSTEMCurrentControlSetServicesTcpipParameters The worm drops a temp file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B. Disables TCP/IP Tuning, Terminates and Disables ServicesWin32/Conficker.C disables Windows Vista TCP/IP auto-tuning by executing the following command: netsh interface tcp set global autotuning=disabled
    This worm terminates several important system services, such as the following:
  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and AntiVirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)
    • Win32/Conficker.C deletes the registry key for Windows Defender, disabling it from running when the system starts. Deletes value: "Windows Defender"In subkey: HKLMSoftwareMicrosoftWindowsCurrentVersionRun It also disables any process that has a module name containing any of the following strings from sending network traffic or data. (Note that most of these strings are related to antivirus and security software, thus effectively disabling the products from acquiring signature updates, and possibly preventing users from accessing websites with these strings in the URL): virus
    spyware
    malware
    rootkit
    defender
    microsoft
    symantec
    norton
    mcafee
    trendmicro
    sophos
    panda
    etrust
    networkassociates
    computerassociates
    f-secure
    kaspersky
    jotti
    f-prot
    nod32
    eset
    grisoft
    drweb
    centralcommand
    ahnlab
    esafe
    avast
    avira
    quickheal
    comodo
    clamav
    ewido
    fortinet
    gdata
    hacksoft
    hauri
    ikarus
    k7computing
    norman
    pctools
    prevx
    rising
    securecomputing
    sunbelt
    emsisoft
    arcabit
    cpsecure
    spamhaus
    castlecops
    threatexpert
    wilderssecurity
    windowsupdate Resets System Restore PointWin32/Conficker.C may reset the computer's system restore point, potentially defeating recovery using System Restore. Downloads Arbitrary Files - Date Based TriggerDepending on the system date, Win32/Conficker.C may build a URL to download files from starting on January 1, 2009. The generated URL has a domain name that is based on the current system date. It uses one of the following top level domains:
    .cc.cn.ws.com.net.org.info.biz For example, 'aaovt.com' or 'aasmlhzbpqe.com'. The generated domain name is first converted to the dot notation, for example, 'aaovt.com' may be converted to '192.168.16.0'. This generated IP address is then used for the URL, according to the following pattern: http://<pseudo-random generated IP>/search?q=%d Some examples of the constructed URLs are as follows:aaovt.com
    aasmlhzbpqe.com
    addgv.com
    ajsxarj.org
    apwzjq.ws
    aradfkyqv.org
    arztiwbeh.cc
    baixumxhmks.ws
    bfwtjrto.org
    bfwvzxd.info
    bmaeqlhulq.cc
    byiiureq.cn
    cbizghsq.cc
    cbkenfa.org
    ciabjhmosz.cc
    cruutiitz.com
    ctnlczp.org
    ctohyudfbm.cn
    dcopyoojw.com
    djdgnrbacwt.ws
    dmwemynbrmz.org
    dofmrfqvis.cn
    doxkknuq.org
    dozjritemv.info
    dyjsialozl.ws
    eaieijqcqlv.org
    eewxsvtkyn.net
    eidqdorgmbr.net
    eiqzepxacyb.cn
    ejdmzbzzaos.biz
    ejmxd.com
    ejzrcqqw.net
    ekusgwp.cc
    eprhdsudnnh.biz
    evmwgi.ws
    falru.net
    fctkztzhyr.org
    fdkjan.net
    fhfntt.org
    fhspuip.biz
    fjpzgrf.net
    fkzdr.cn
    ftjggny.com
    fuimrawg.info
    ghdokt.cn
    glbmkbmdax.biz
    gmhkdp.org
    gocpopuklm.org
    grwemw.biz
    gtzaick.cc
    gxzlgsoa.info
    gypqfjho.info
    hduyjkrouop.info
    hfgxlzjbfka.biz
    hkgzoi.com
    hliteqmjyb.net
    hmdtv.ws
    hoyolhmnzbs.net
    hprfux.cc
    hqbttlqr.org
    hueminaii.org
    hvogkfiq.info
    ifylodtv.ws
    iivsjpfumd.ws
    ilksbuv.cn
    imuez.biz
    izxvu.biz
    jaumgubte.biz
    jhbeiiizlfk.cn
    jrdzx.cc
    jshkqnnkeao.biz
    judhei.com
    jxfiysai.cc
    jzoowlbehqn.info
    karhhse.com
    kbyjkjkbb.info
    kjsxokxg.org
    krudjhvk.org
    kuiwtbfa.org
    lauowjef.cn
    lhirjymcod.net
    liugwg.net
    lksvlouw.ws
    llgkuclk.info
    lnpsesbcm.cn
    lssvxqkqfmf.org
    lygskbx.cc
    mafwkeat.cn
    mgqrrsxhnj.com
    mhklpsbuh.cc
    mknuzwq.cc
    mqjkzbov.net
    myfhc.com
    navjrj.org
    nbpykcdsoms.com
    ncbeaucjxd.org
    npfxmztnaw.cn
    nuiptipwjj.cc
    nvpmfnlsh.ws
    oagwongs.ws
    odvsz.net
    okkpuzqck.ws
    oqolfrjq.cn
    orduhippw.cn
    orpngykld.com
    orxfq.ws
    othobnrx.org
    otnqqaclsgx.info
    otukeesevg.biz
    pbfhhhvzkp.cc
    pbpigz.cn
    pcnpxbg.cc
    pdfrbmxh.biz
    pfdthjxs.cc
    phaems.cc
    phetxwmjqsj.cc
    pmanbkyshj.ws
    pnjlx.cc
    ppzwqcdc.cc
    psabcdq.cc
    ptdlwsi.cn
    pvowgkgjmu.biz
    pwsjbdkdewv.info
    qbuic.com
    qdteltj.org
    qeotxrp.com
    qfeqsagbjs.biz
    qfhqgciz.org
    qfogch.com
    qijztpxaxk.cn
    qlqrgqordj.ws
    qpiivu.cn
    qpuowsw.cc
    qqbbg.cc
    qrrzna.net
    qvrgznvvwz.ws
    qwdervbq.org
    qwnydyb.cc
    qzbpqbhzmp.com
    rkfdx.org
    rpphv.org
    rskvraofl.info
    ryruatsot.biz
    sdkhznqj.info
    sezpo.org
    sfozmwybm.com
    skwmyjq.org
    solmpem.com
    sqmsrvnjits.cc
    stlgegbye.net
    syryb.org
    tdwrkv.ws
    tfpazwas.cc
    tigeseo.org
    tjyhrcfxuc.cn
    tkbyxr.ws
    tlmncy.cn
    tmlwmvv.ws
    tnerivsvs.net
    tomxoa.org
    trpkeyqapp.net
    tyjtkayz.com
    uazlwwiv.org
    ucgqvyjgpk.cn
    uixvflbyoyi.biz
    ujawdcoqgs.org
    upxva.net
    uuvjh.biz
    uzugvbnvs.cn
    vgmkhtux.ws
    vjllpcucnp.cn
    vkgxgxto.com
    vwiualt.com
    waxggypgu.org
    wccckyfrtf.net
    wfdnvlrcb.org
    whjworuc.com
    wmiwxt.biz
    wohms.biz
    wqqfbutswyf.info
    wsdlzmpbwhj.net
    xiclytmeger.cc
    xkjdzqbxg.cn
    xldbmaztfu.biz
    xlwcv.cn
    xqbovbdzjz.info
    xwbubjmhinr.info
    yfpdcquil.info
    yfybk.ws
    yhrpqjhp.biz
    yoblqeruib.org
    yoyze.cc
    yshpve.cc
    ysrixiwyd.com
    ytfvksowgul.org
    ywsrtetv.org
    yzymygez.biz
    zcwjkxynr.com
    zfgufbxi.net
    zkimm.info
    zmoeuxuh.ws
    zokxy.net
    zqrsbqzhh.cc
    zttykt.info
    zutykstmrxq.ws It checks the system date if it is January 1, 2009 or later. It also checks the following websites for the date, presumably for verification:baidu.com
    google.com
    yahoo.com
    msn.com
    ask.com
    w3.orgAdditional InformationWin32/Conficker.C checks if the system has an Internet connection by attempting to connect to the following websites: aol.comcnn.comebay.commsn.commyspace.com

    Analysis by Jireh Sanico

    Last update 27 March 2009

     

    TOP

    Malware :

    Family: