580 likes | 928 Views
Conficker. Analysis of an Internet Worm. Outline. What’s in a Name? What is it Trying to do? What is its Timeline? How does it Infect a Machine? How does it Propagate itself? How is it Controlled / Updated? How Big is the Problem? How can it be Detected & Removed?. What’s in a Name?.
E N D
Conficker Analysis of an Internet Worm
Outline • What’s in a Name? • What is it Trying to do? • What is its Timeline? • How does it Infect a Machine? • How does it Propagate itself? • How is it Controlled / Updated? • How Big is the Problem? • How can it be Detected & Removed?
What’s in a Name? • Win32/Conficker.A (CA) • W32.Downadup (Symantec) • W32/Downadup.A (F-Secure) • Conficker.A (Panda) • Net-Worm.Win32.Kido.bt (Kaspersky) • W32/Conficker.worm (McAfee) • Win32.Worm.Downadup.Gen (BitDefender) • Win32:Confi (avast!) • WORM_DOWNAD (Trend Micro) • Worm.Downadup (ClamAV) • Downup, Kido, ?
What’s in a Name? • Richard Grigonis,IP Communications Group • Conficker is constructed from the first five letters of “configuration,” while adding four letters to the end so as to end with “ficker”, a vulgar nominalized form of the German transitive verb ficken (2/13/09) • Jordan Robertson, The Associated Press • The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to. (3/31/09) • Joshua Phillips , Microsoft Malware Protection Center • The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A: • (fic)(con)(er) => (con)(fic)(+k)(er) => conficker (viewed 04/07/09) • Wikipedia • “The origin of the name “conficker” is not knows with certainty” (4/3/09)
Variants • Classified by analyzing infected hosts and identifying significant differences in functionality • Current primary variants • Conficker.A • Conficker.B • Conficker.B++ • Conficker.C • Conficker.D • Conficker.E
Outline • What’s in a Name? • What is it Trying to do? • What is its Timeline? • How does it Infect a Machine? • How does it Propagate itself? • How is it Controlled / Updated? • How Big is the Problem? • How can it be Detected & Removed?
Conficker Objectives • … today the vast majority of malware has a monetary motivation. • (Eric Chien – Symantec Corp – 1/19/09) • Original (Conficker.A) upload site trafficconverter.bz • Site used to spread fake anti-spyware. • When uploaded to a user’s site, it “finds” non-existent virus infections and tries to convince users to pay for the software to clean their machines.
Conficker Objectives • Other possible / likely objectives • Build a network of robot machines (botnet) • Use those machines to attack targets • Sell the use of those machines for questionable services • Rent 100 machines to send out 10 million spam messages • Rent machines to run hacking software • ? • Take down the Internet? • Not likely
Objectives Update?? • April, 2009 • Some machines that get infected with Conficker (Downadup) are also being infected with trojan W32/Waledac.gen • Trojan originally propagated through spam and social engineering. • Harvests personal information, encrypts file and sends to one of a list (~100) sites.
Outline • What’s in a Name? • What is it Trying to do? • What is its Timeline? • How does it Infect a Machine? • How does it Propagate itself? • How is it Controlled / Updated? • How Big is the Problem? • How can it be Detected & Removed?
Conflicker Timeline • Microsoft issues patch for RPC vulnerability 10/23/08 • Early exploit – W32/Gimmiv.A – 10/23/08 • Conficker.A – 11/21/08 • Conficker.B – 12/29/08 • Conficker.B++ - 2/17/09 • Conficker.C – 2/20/09 • Conficker.D – 3/4/09 • Conficker.E – 4/9/09
Outline • What’s in a Name? • What is it Trying to do? • What is its Timeline? • How does it Infect a Machine? • How does it Propagate itself? • How is it Controlled / Updated? • How Big is the Problem? • How can it be Detected & Removed?
Targeted OSs • Windows XP – SP2, SP3 • Windows XP Pro x64, SP2 • Windows Server 2003, SP1, SP2 • Windows Server 2003 x64, sp2 • Windows Vista, SP1 • Windows Vista x64, SP1 • Windows Server 2008 • Windows Server 2008 x64 • Windows Server 2008 Itanium-based
Initial Attack – Conficker.A • Exploit a vulnerability in MS RPC. • Send a specially crafted packet to either port 445 (or port 139) (used for file sharing) on a Windows machine not patched for vulnerability MS08-067. • Vulnerability in NetpwPathCanonicalize() function inside netapi32.dll. • This exploits a buffer “underflow” problem in the code which and allows attacker to execute arbitrary code on the target machine.
Initial attack • Canonicalization • Reduce (a path) to its simplest form. • aaa\bbb\..\ccc aaa\ccc • MS08-067 vulnerability • A specially crafted path can force the function to move beyond the start of the stack buffer (and thus overwrite the function return address).
Once Inside - Conficker.A • Check for Ukrainian keyboard (Quit if true) • Create mutex Global\xxx-7 (Quit if failed) • Check OS version • Attach to Service.exe • Create random file name (xxx.dll) in System32 dir • If fail, copy to program files\Movie Maker, or IE or …
Once Inside - Conficker.B • Create Mutex • “Patch” MS08-067 • Objective is to avoid / control re-infection by Conficker or other worms. • Patch DNS access • Prevent connection to security sites (50+ strings) • Attach to a running service
The Mutex • Conficker.A • Global\xxx-7 (where xxx is a crc32 checksum of a buffer containing the hostname) • Conficker.B • First mutex is local to process and checks to see if another thread is running dll. Mutex derived from process ID. • Second mutex to see if dll is running under a different process name (similar to Global\xxx-7 except that it uses a different CRC32 checksum function) • Conficker.C • First mutex used to check for running Conficker thread. • Second mutex used to prevent backwards infection from B • Third mutex checks to see if dll is running under a different process. If so, terminate and remove this version.
Why does it spread so fast? • Although patch was available in 10/08, many Windows machines not automatically updated • Major infections in countries that are suspected of having a large number of pirated versions of MS Windows.
Outline • What’s in a Name? • What is it Trying to do? • What is its Timeline? • How does it Infect a Machine? • How does it Propagate itself? • How is it Controlled / Updated? • How Big is the Problem? • How can it be Detected & Removed?
Propagate through MS08-067Conficker.A • Find current IP address • Getmyip.org • Getmyip.co.uk • Checkip.dyndns.org • Enable backdoor through firewall using UPNP • Used for binary upload by other victims. • Creates small httpd to pass data • Reset System Restore Point • Download GEO IP database • Find other IP addresses to infect • www.maxmind.com ( GeoIP.dat.gz ) • Scan and infect • Sleep 30 minutes and repeat
Propagation in Conficker.B • Defense: GeoIP file removed from website • Conficker added the file as appended data to threat file (compressed RAR encrypted using RC4) • Propagate through USB / network drives (autorun file) • Add random data (~60k) to hide real data • Attach dll to auto run • Add a new action to dialog box
Propagation in Conficker.B • Attempt to log onto admin$ share using current user credentials • Attack weak passwords on target machine or on local network. • Fixed list of perhaps 250 passwords • Number sequences - 12345, 11111, 22222, etc. • Admin, Admin, administrator, root, superuser, etc. • Key sequences - qwerty, qweasd, zxcxz, etc. • passwd, password, mypass, etc. • abc123, home123, work123, mypc123, etc. • Coffer, cookie,home, money, work, anything, etc.
Outline • What’s in a Name? • What is it Trying to do? • What is its Timeline? • How does it Infect a Machine? • How does it Propagate itself? • How is it Controlled / Updated? • How Big is the Problem? • How can it be Detected & Removed?
Links to Update site - Conficker.A • Get current UTC date • w3.org, ask.com, man.com, yahoo.com, google.com • Use date as a seed for a random name generator • Name strings 5 to 11 lower case characters (8 ± 3) • Create 250 domain names • Randomly assign TLD • .com, .net, .org, .biz • Randomly choose 32 names from the list • Contact the sites and download a binary payload • Every 3 hours starting 11/26/08 • If date > 12/1/08 • Attempt to download loadadv.exe from trafficconverter.biz
Links to Update site - Conficker.B • Get current UTC date • w3.org, ask.com, man.com, yahoo.com, google.com • Use date as a seed for a random name generator • Name strings 5 to 11 lower case characters (8 ± 3) • Create 250 domain names • Randomly assign TLD • .com, .net, .org, .biz • Randomly choose 32 names from the list • Contact the sites and download a binary payload • Every 3 hours starting 11/26/08 • Every 2 yours starting 1/1/09
Links to Update site - Conficker.C • Get current UTC date • 3 additional sites ( facebook.com, imageshack.us, rapidshare.com) • Use date as a seed for a random name generator • Name strings 4-9 lower case characters • Create 50,000 domain names • ~150-200 collisions with valid domains /day • Randomly assign TLD • 110 different TLDs used • Randomly choose 500 names from the list • Contact the sites and download a binary payload • Once a day after April 1, 2009
P2P Update – Conficker.C • Secondary (?) update mechanism from an already updated host. • Host opens up 4 P2P ports in listen mode • 2 TCP, 2 UDP • Numbers derived from host IP address. • Host then attempts to contact neighboring machines on their open ports. • Snort rules available to detect outgoing scans • Trigger on 10, 100, 1000, 10,000, 10,000, … • Test sites see 6-8 alarms / 4 hours
Binary File Validation • One way to stop a virus /worm is to identify its update mechanism and then use that to kill it. • Conficker.A – Update Server • SHA(512) hash of binary executable. • Encrypt bin.exe using RC4 (hash is key) • Sign encrypted package with RSA (1024) private key • Mepriv mod N = signature • Transmit encrypted package and signature • Conficker.A Client • Decrypt package using public key, RC4, N
Binary File Validation • Conficker.B, Conficker.C • Hash (512) of binary executable • Encrypt bin.exe, hash using RC4 • Sign encrypted package with RSA (4096) private key
Outline • What’s in a Name? • What is it Trying to do? • What is its Timeline? • How does it Infect a Machine? • How does it Propagate itself? • How is it Controlled / Updated? • How Big is the Problem? • How can it be Detected & Removed?
Infection Estimates • F-secure.com (1/16/09) • The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. • Gregg Keizer , Computerworld , 02/12/2009 • … rapidly-spreading "Downadup" worm, prompted by infection rates of nearly 2.2 million machines each day. • Robert McMillan , IDG News Service , 04/03/2009 • Experts had pegged Conficker infections in the 2 million to 4 million range, but IBM's numbers suggest that they may be much higher than that, perhaps in the tens of millions. • SRI International Technical Report – 03/19/09 • The total number of unique IP addresses observed by SRI is approximately 10.5 million. …our estimates of active Conficker drones on the internet range as much as an order of magnitude smaller. • Ryan Sherstobitoff – Quoted in computerworld article 01/21/09 • The 6% was of people coming to our site and opting in for the scans. That's somewhat scary," said Sherstobitoff. "If we were actually to look at the [general] population, all the people who don't have antivirus -- or if they do, who haven't updated definitions -- the infection rate might be in the range of 20% to 30%."
How do we find Infected Hosts? • Listen to rendezvous points and record calling IP addresses • Rendezvous query includes the number of times each instance has infected a new machine • May be deflated by NAT • Only includes MS08-67 exploits • May be inflated by re-infections • May be inflated by DHCP • May not include attrition • Scan sample machines on the Internet and extrapolate the numbers. • Track users of test / disinfect tools
Top Countries Infected • SRI observations as of ~ February, 2009 • China – 2.6 million – 25% • Brazil – 1.0 million – 10% • Russia – 835 K – 8% • India – 600 K – 6% • Argentina – 570 K – 5% • : • United States – 190 K – 2%
Top 10 Countries Infected Symantec Corporation – January, 2009
Outline • What’s in a Name? • What is it Trying to do? • What is its Timeline? • How does it Infect a Machine? • How does it Propagate itself? • How is it Controlled / Updated? • How Big is the Problem? • How can it be Detected & Removed?
Conficker Detection • Scan for attacks against port 445 • Look for predictable code patterns. • Scan active processes for presence of RSA keys (different keys for .A, .B, .C) • If found, terminate threads that contain keys • Generate the appropriate mutexes to prevent re-infection • Load a “nonficker Vaxination tool” that will generate the mutex on boot
Conficker Detection • Attempt to connect to a standard anti-virus site • If access is allowed to standard web sites, but not to security sites, Conficker might be present.
Anti-virus programs • All major anti-virus programs can remove the virus. • May need to access security site through IP address, not domain name • System automatic updates may be turned off.
Intrusion Detection Systems • Snort rule developed • Match against shell code pattern of incoming packet to port 445 • Nmap • Scan for vulnerability on open 445 port
Nonficker - Vaccination • Objective: • Keep Conficker from running by tying up the mutexes that it uses. • Process • Extract mutex generation algorithms from variants, and reproduce them in their own program • Run the program at startup to register all of the needed mutexes
References • Alexander Sotirov • Decompiling the vulnerable function for MS08-067http://www.phreedom.org/blog/2008/decompiling-ms08-067/ • SRI International – Porras, Saidi, Yegneswaran • An Analysis of Conficker’s Logic and Rendezvous Points http://mtc.sri.com/Conficker/ • The Honeynet Project – Leder, Werner • Know Your Enemy: Containing Conficker http://www.honeynet.org/papers/conficker • F_SECURE – “Toni” • Calculating the Size of the Downadup Outbreak http://www.f-secure.com/weblog/archives/00001584.html
Conclusion • Conficker has been evolving, apparently in response to the security community’s actions to stop the worm. • Virus function appears to change with versions. Original intent to infect as many machines as possible, while current versions are trying to hold onto infected machines. • Primary infected areas appear to be in countries with significant pirated software • Target (at this point) unclear, but may be to harvest personal information or to develop a significant botnet.