Xprimo


Virtualization News


15 April 2009

Next VMware hypervisor to launch next week

By Jon Brodkin, Network World (US)

VMware on 21 April will release the highly anticipated vSphere software, the next generation of its flagship virtualisation engine, according to VMware business partner Unisys.

VMware has promised to reveal "significant product news" on that date and is holding a Webcast in which it will explain how "virtualisation is about to take another giant leap."

VMware has not specified the details of the product announcement, but Unisys has revealed that it will unveil Intel Nehalem-based servers with the vSphere hypervisor embedded.

"On Tuesday, April 21, Unisys will roll out enhancements to its line of enterprise servers that reduce the total-cost-of-ownership gap between scale-out and scale-up virtualisation," company officials said in an email.

"Unisys will announce that it is making vSphere, the new version of the VMware virtualization platform - also being announced April 21 - available across the entire line of Unisys Enterprise Servers."

vSphere is the follow-up to VMware Infrastructure 3, the current version of its virtualization platform. vSphere is expected to include major components of the Virtual Datacenter Operating System, a software layer that aggregates virtualized servers, storage and network resources into one large computing pool. VMware has said the Datacenter Operating System will not be a single product; rather, its various components will be released throughout the calendar year.

VMware has positioned the operating system as a crucial tool in the world of cloud computing because it will connect private data centers to those of external cloud providers, letting enterprises manage internal and external resources from within the same software console.

VMware officials revealed the name change to vSphere a few months ago, abandoning the moniker "VMware Infrastructure 4.0" that industry watchers had been using informally to describe the next major release.

VMware and parent company EMC are on a big marketing push for virtualization this month. EMC just announced a new Symmetrix storage array designed for data centers with hundreds of thousands of virtual servers.

http://virtualhardware.net/

Last Updated on Friday, 17 April 2009 14:47

Google apps stories

This is what my field IT network engineer emailed our folks in Central America regarding the use of Outlook as an email client when using Google Apps.
We realized there is no longer a good reason to keep using it. I know his email sounds like a commercial, but it is genuine.
As you know, Outlook implies PST files that need to be backed up and copied whenever we reformat a computer; if one grows too big it becomes a problem; and if users are popping mail while the connection is slow or gets interrupted, they run the risk of Outlook restarting the download, so they get duplicate emails. Well, I could continue naming issues. We are going to enforce the use of the Gmail interface, since there is no excuse now that the offline feature is available. Here is the email he sent.

Hello,

Speaking of Outlook... the best option available would be to not use it and instead use the Google Apps web interface (start.yourdomain.com). Google Apps provides so many options and features and is constantly getting even better; you already have shared and private contact lists, shared and private calendars, high-speed secure email, shared docs and spreadsheets, intra-office chat and video, excellent search and organize capabilities, etc., and most of this is now available on mobile devices as well, and it is all synchronized. Google Apps gives you full and secure access to all of your emails, appointments, contacts, docs, spreadsheets, etc. from any Internet-connected computer in the world, and most handheld devices as well; you aren't tied to the computer that Outlook is installed on. Gmail now has an Offline feature that allows you to open Google Apps, read and compose emails, check your calendar, etc. on your computer with no Internet connection, and the way that Gmail allows you to organize and search emails is also superior.

Last Updated on Monday, 20 April 2009 22:41

New Themes feature in Google apps

Google finally released Themes for Google Apps; some of them are pretty cool. They are nothing spectacular and add no productivity tools, but it is nice to have them.

As I mentioned before, we use Google Apps in our field offices, but they insist on using Outlook. It is not the recommended client, but slowly we are trying to make them understand that the Gmail interface provides more features and choices.

Mario

Last Updated on Friday, 03 April 2009 19:22

Containing Conficker

Tools and Info

Felix Leder and Tillmann Werner

The following page contains the tools and analysis results described in our "Know Your Enemy" paper "Containing Conficker - To Tame a Malware". The paper is published by the Honeynet Project and can be downloaded here: https://www.honeynet.org/papers/conficker

All tools are to be considered proofs of concept. Even though most of them run stably, they are not meant for production use and come with no warranty.
All tools are available with source code and are licensed under the GPL.

If you enjoy our tools, we enjoy feedback. Just send us a mail. You can also send us a mail if you have improved the code or have a question.

Conficker Domain Name Generation

Different Conficker variants check a different set of domains for updates every day. Conficker.A and .B already generate and check 250 domains each per day. Conficker.C will start checking 50.000 generated domain names on April 1st.

Downatool2

The domain names of different Conficker variants can be used to detect infected machines in a network. Inspired by the "downatool" from MHL and B. Enright, we have developed Downatool2. It can be used to generate domains for Downadup/Conficker.A, .B, and .C.

Download:

  • downatool2.exe (90 K)
  • downatool2.zip (4.9 K)

Conficker.C Domain Collisions

Conficker.A and .B create 250 domains per day, from which they try to download updates. Conficker.C, unlike its predecessors, creates 50.000 domains per day. Furthermore, Conficker.C domain names are only 4-9 characters long, instead of the 8-11 characters used by variants .A and .B. The large number of domains and the shorter domain length result in many collisions with real domain names.

We have pre-computed all domain names for April 2009 and looked up the domains in order to find collisions. Figure 1 shows the number of collisions for each day.

The list of collisions as well as the list of Conficker.C domains for April can be downloaded here:

  • collisions_april.zip (60 K)
  • c_domains_april2009.zip (9.2 M)

Conficker.C will create about 150 - 200 collisions with existing domains per day. The large number of generated domains, and the fact that not every domain is contacted on a given day, will likely prevent DDoS situations for the colliding sites.

Figure 2 shows the number of collisions each IP address generates. Some IPs occur a remarkable number of times.

You may want more than just Conficker.C domains, and probably more than just April. Download Downatool2 from above and generate the domains yourself. If you like the tools, tell us by sending an email.

Statistics about future collisions will be published here. Just tune in again.
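Downatool2's generated domains are meant for spotting infected hosts in DNS traffic, and the collision list above is what keeps such a check from flagging normal users. The following script, an added example that is not one of the Honeynet tools, applies both ideas to a resolver log: it counts per-client queries for names on a generated list, treats names that are also on the collision list as weak evidence only, and reports clients whose strong hits reach a threshold. The domain names, the collision entry and the BIND-style query log lines are all constructed for the demonstration; a real run would feed it a day's Downatool2 output and the published collision list.

```python
"""
Spot hosts that resolve Conficker-style generated domains, discounting the
names known to collide with legitimate sites.

Added example, not one of the Honeynet Project tools. The domain list, the
collision list and the resolver log below are constructed for this
demonstration; in practice the first would come from Downatool2 and the
second from the published collision list.
"""
import re
from collections import defaultdict

# Constructed stand-in for one day's generated .C domains (4-9 character labels).
DGA_DOMAINS = {
    "qzvbh.org", "mtrfk.net", "wpaly.com", "bqdt.info", "kzmab.biz", "xovt.org",
}

# Constructed stand-in for the collision list: generated names that are also
# real, registered sites, so a query for them is only a weak indicator.
COLLISIONS = {"wpaly.com"}

# Constructed resolver log in BIND query-log style (format is an assumption).
SAMPLE_LOG = """\
15-Apr-2009 10:00:01.101 client 10.0.0.7#51234: query: qzvbh.org IN A + (10.0.0.1)
15-Apr-2009 10:00:01.250 client 10.0.0.7#51235: query: www.google.com IN A + (10.0.0.1)
15-Apr-2009 10:00:02.010 client 10.0.0.9#40001: query: wpaly.com IN A + (10.0.0.1)
15-Apr-2009 10:00:02.400 client 10.0.0.7#51236: query: mtrfk.net IN A + (10.0.0.1)
15-Apr-2009 10:00:03.300 client 10.0.0.12#33000: query: kzmab.biz IN A + (10.0.0.1)
15-Apr-2009 10:00:03.900 client 10.0.0.9#40002: query: mail.example.org IN A + (10.0.0.1)
15-Apr-2009 10:00:04.100 client 10.0.0.7#51237: query: wpaly.com IN A + (10.0.0.1)
15-Apr-2009 10:00:04.800 client 10.0.0.7#51238: query: bqdt.info IN A + (10.0.0.1)
15-Apr-2009 10:00:05.000 client 10.0.0.12#33001: query: example.com IN A + (10.0.0.1)
this line is not a query record and is skipped
"""

QUERY_RE = re.compile(
    r"client (?P<ip>\d{1,3}(?:\.\d{1,3}){3})#\d+: query: (?P<name>\S+) IN "
)


def parse_queries(log_text):
    """Yield (client_ip, queried_name) pairs; names are lower-cased and
    stripped of a trailing dot so they compare equal to the generated list."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("name").lower().rstrip(".")


def score_clients(log_text, dga_domains, collisions):
    """Return {client_ip: (strong_hits, weak_hits)}.

    strong: a query for a generated name that is not a known collision.
    weak:   a query for a generated name that is also a real domain, which a
            clean host may legitimately resolve.
    """
    strong = defaultdict(int)
    weak = defaultdict(int)
    for ip, name in parse_queries(log_text):
        if name not in dga_domains:
            continue
        if name in collisions:
            weak[ip] += 1
        else:
            strong[ip] += 1
    return {ip: (strong[ip], weak[ip]) for ip in set(strong) | set(weak)}


def suspected_infections(log_text, dga_domains, collisions, threshold=3):
    """Clients with at least `threshold` strong hits, sorted for stable output."""
    scores = score_clients(log_text, dga_domains, collisions)
    return sorted(ip for ip, (strong, _) in scores.items() if strong >= threshold)


if __name__ == "__main__":
    for ip, (s, w) in sorted(score_clients(SAMPLE_LOG, DGA_DOMAINS, COLLISIONS).items()):
        print(f"{ip:<12} strong={s} weak={w}")
    print("suspected:", suspected_infections(SAMPLE_LOG, DGA_DOMAINS, COLLISIONS))
```

With the constructed log, only 10.0.0.7 reaches the threshold: it resolved three non-colliding generated names plus one colliding one, while 10.0.0.9 touched only the colliding name and 10.0.0.12 a single generated name. Lowering the threshold trades false positives for sensitivity; the collision split is what lets a single lookup of a legitimate site that happens to be on the day's list stay out of the alert.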

Memory Disinfector

It is hard to identify files containing Conficker because the executables are packed and encrypted. When Conficker runs in memory, however, it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates the Conficker threads without touching the process they run in. This helps to keep the system services running.

The tool itself and the source code can be downloaded here:

  • conficker_mem_killer.exe (594 K)
  • memscan.zip (8.4 K)

Detecting Conficker Files and Registry

Contrary to other reports, the file names and registry keys used by Conficker.B and .C are not random. They are calculated from the hostname. We have developed a tool that you can run on your system to check for Conficker's DLLs. Unfortunately, Conficker.A really does use random names and therefore cannot be found this way.

The tool is at a very early stage of development but usable. If you develop it further, we would be grateful to receive your changes.

Tool and source code are here:

  • regnfile.exe (599 K)
  • conficker_names.zip (48 K)

Network Scanner

Another option is to actively scan for Conficker machines. Infected machines can be distinguished from clean ones by the error code returned for some specially crafted RPC messages: Conficker tries to filter out further exploitation attempts, which results in uncommon responses. Our Python script scs.py implements a simple scanner based on this observation. Here is a sample output:

./scs.py 127.43.16.76
Could not send SMB request to 127.43.16.76:445/tcp.

./scs.py 127.99.100.2
127.99.100.2 seems to be infected by Conficker.

./scs.py 127.36.15.80
127.36.15.80 seems to be clean.

The script can be downloaded here (incl. a compiled .exe package by Dan Kaminsky):

  • scs_exe.zip (3.3 M)
  • scs.zip (15.6 K)

Simple Conficker Scanner (SCS) requires the "Impacket" Python library to be installed.

Intrusion Detection Signatures

Conficker uses a hardcoded XOR key to encode its shellcode. This creates static patterns that allow exploitation attempts to be detected and may be used to identify infected machines. The signatures we have created for Conficker.A and .B are:

Conficker.A

alert tcp any any -> $HOME_NET 445 (msg:
"conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10
80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c
cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4
c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92
96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95
e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5
dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07
a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb
eb|"; sid: 2000001; rev: 1;)

Conficker.B

alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode";
content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d
a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4
94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03
c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88
cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6
c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0
b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab
aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)
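The rules above use Snort's content: notation, where |...| sections hold hexadecimal bytes, anything outside them is a literal character, and a few characters (`;`, `"`, `\`, `|`) must be backslash-escaped. The following parser, an added example that is neither part of the Honeynet tools nor Snort code, decodes that notation into bytes and searches a buffer for the result, so a rule's pattern can be checked against a packet capture or a memory dump offline. The buffer it searches is constructed; the pattern is the leading portion of the Conficker.A content string quoted above.

```python
"""
Decode the mixed ASCII / |hex| notation of a Snort "content:" option and
search a byte buffer for the decoded pattern.

Added example, not part of the Honeynet tools or of Snort itself. The buffer
searched below is constructed; the pattern is the leading portion of the
Conficker.A content string from the signature on this page.
"""

# Leading portion of the Conficker.A "content:" string quoted on the page.
CONFICKER_A_PREFIX = (
    r"|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|"
)


def parse_content(text):
    r"""Translate a Snort content string into the raw bytes it matches.

    Outside |...| every character is a literal byte, with the backslash
    escapes \; \" \\ and \| that Snort requires for those characters.
    Inside |...| the text is hexadecimal bytes; whitespace (including the
    line breaks of a wrapped rule) is ignored.
    """
    out = bytearray()
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "|":
            end = text.find("|", i + 1)
            if end < 0:
                raise ValueError("unterminated hex section")
            hex_part = "".join(text[i + 1:end].split())
            if len(hex_part) % 2:
                raise ValueError("odd number of hex digits in %r" % text[i:end + 1])
            out += bytes.fromhex(hex_part)  # raises ValueError on non-hex input
            i = end + 1
        elif ch == "\\":
            if i + 1 >= len(text) or text[i + 1] not in ';"\\|':
                raise ValueError("bad escape at offset %d" % i)
            out.append(ord(text[i + 1]))
            i += 2
        else:
            if ord(ch) > 0x7F:
                raise ValueError("non-ASCII literal at offset %d" % i)
            out.append(ord(ch))
            i += 1
    return bytes(out)


def find_content(buf, content):
    """Offset of the decoded content pattern in buf, or -1 if it is absent."""
    return buf.find(parse_content(content))


# Constructed buffer: 16 filler bytes, then the pattern, then more filler.
SAMPLE_BUFFER = b"\x00" * 16 + parse_content(CONFICKER_A_PREFIX) + b"\x90" * 8

if __name__ == "__main__":
    pattern = parse_content(CONFICKER_A_PREFIX)
    print(len(pattern), "pattern bytes:", pattern.hex(" "))
    print("match offset in sample buffer:", find_content(SAMPLE_BUFFER, CONFICKER_A_PREFIX))
```

Run stand-alone it prints the 31 decoded bytes of the prefix and the offset at which they occur in the constructed buffer. Because the signatures above are wrapped across lines inside |...| sections, the parser discards all whitespace within a hex section, so a rule copied with its line breaks decodes to the same bytes as the one-line original.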

Nonficker Vaxination Tool

Conficker uses different global and local mutexes to ensure that only the most up-to-date version runs on the system. This fact can be exploited both to scan for infections and to prevent them.

We have developed the Nonficker Vaxination DLL, which can be installed as a system service and pretends to be a running Conficker instance by registering all the mutexes of versions .A, .B and .C (and possibly .D, depending on which naming scheme you follow). A setup tool to install the DLL as a system service is provided as well.

Removal instructions:

  • Open your favorite registry editor (e.g. Start->Run...->regedit.exe->OK)
  • Go to the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
  • Remove the "aaaaanonficker" entry from the "netsvcs" value
  • Remove the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aaaaanonficker together with all of its subkeys

Besides vaccination, the mutexes can be used to scan for local infections. We have developed a small mutex scanner that tells you whether your system is infected.

Both tools and source code can be downloaded here:

  • nonficker.zip (547 K)
  • nonficker_code.zip (64 K)

Background and Paper

All the tools and data found on this web site are derived from reverse engineering and analyzing Conficker. Our approaches, and especially the extracted algorithms and relationships, are described in our paper:

Google apps - Uganda

Google apps.

I have been using Google apps for a year now. The company I work for was having trouble with the email system in the remote offices.

Due to the nature of the line of business, International development, we have projects (offices), in many underdeveloped countries, such as Uganda, Sudan, Liberia, Afghanistan and others.

ISPs there are crappy or nonexistent, so we use VSATs (internet through satellite). I used to hate them, but now I like them better, because with the VSATs you know what to expect and you get a service according to what you pay. But when it comes to using a local ISP, which in many cases is state-owned, the service is expensive, bad and unreliable.

We use Microsoft Exchange for our email service here in Washington DC HQ office, but it proved to be overkill for the offices abroad.

But that was not the only reason; there were cases where the ISP situation produced a catch-22 that made communications almost impossible. Example: the ISP blocks port 25 (the outgoing SMTP server), so we had to configure Outlook to use the local ISP's SMTP server. But that server was totally unreliable, and in some cases emails took a couple of days to be delivered.

Last Updated on Friday, 03 April 2009 19:22