W32/Conficker.A!worm

Release Date: Dec 05, 2008

Detection Availability
  Product       Active Database   Extended Database
  FortiGate     low               high
  FortiClient
  FortiMail     N/A

Current Antivirus Definition Database Version: 11.587
Description

Visible Symptoms

  • The following file exists:
    • %System%\[5-8 random lowercase characters].dll
  • Access to security-related websites is hindered

Detailed Analysis

    W32/Conficker.A!worm is a network worm. Beyond spreading to as many systems as possible, its ultimate goal is to connect to command and control servers operated by cybercriminals (i.e. "phoning home") and to execute the commands they issue through those servers.

    As of writing, the command and control servers have not been reported to be operational, so the intentions of the cybercriminals behind this worm are unknown.

    The main features of this worm are the following:
    • Spreads on the local network by exploiting a flaw in the Microsoft Windows Server service (Microsoft Server Service Vulnerability, MS08-067)
    • Attempts to download and execute additional components from pre-determined servers (the command and control servers mentioned above, offline as of writing)


    Technical Details

    Upon execution on the victim's system, the worm takes the following actions:

  • Deletes itself from the current directory.

  • Injects code into the [process name missing] process.

  • Stops the Internet Connection Sharing service.

  • Resets the System Restore point in Windows.

  • Creates the following file:
    • %System%\[5-8 random lowercase characters].dll

  • Adds the following registry entries, so that the DLL is loaded by svchost.exe in the netsvcs service group at every boot (Type 0x20 is a shared-process service, Start 0x2 is automatic start):
    • key: HKLM\SYSTEM\CurrentControlSet\Services\[random characters]
    • values:
      DisplayName = [blank]
      Type = 0x00000020
      Start = 0x00000002
      ErrorControl = 0x00000000
      ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs
      ObjectName = LocalSystem
    • key: HKLM\SYSTEM\ControlSet001\Services\[random characters]\Parameters
    • value: ServiceDll = %System%\[5-8 random lowercase characters].dll
  • Exploits the Microsoft Server Service Vulnerability (MS08-067) to propagate:
    • It first queries the following websites to learn the external IP address of the machine it is running on (these requests are themselves a useful network indicator):

      • http://www.getmyip.org
      • http://getmyip.co.uk
      • http://checkup.dyndns.org

    • It then starts an HTTP server on a random port:

      • http://{External IP Address of Current Machine}:{random port}

    • Finally, it sends the exploit packets to the targeted machine. Upon successful exploitation, the remote machine downloads a copy of the worm from the HTTP server created above and saves it as a file with a JPEG extension.

  • Attempts to download a file from the URL hxxp://www.maxmind.com/download/geoip/database/
  • Has a time-triggered payload:
    • The payload is triggered if the system time is after Nov 25, 2008.

      • It tries to access one of the following websites to obtain the current date, instead of relying only on the local clock:

        • baidu.com
        • google.com
        • yahoo.com
        • msn.com
        • ask.com
        • w3.org

    • Based on the date retrieved above, the worm uses an algorithm to construct 250 domain names with the following format:

      • {8-11 lower case characters}.com
      • {8-11 lower case characters}.net
      • {8-11 lower case characters}.org
      • {8-11 lower case characters}.info
      • {8-11 lower case characters}.biz

    • For each of these, a URL with the following format is constructed and accessed:

      • http://{domain name}/search?q=0&aq=7

    • If the system time is after Dec 1st, 2008, it downloads the loadavd.exe file from http://trafficconverter.biz to the Temporary folder and then executes it.
  • Sends the following SSDP (UPnP discovery) message to the multicast address 239.255.255.250 on UDP port 1900:
    M-SEARCH * HTTP/1.1
    HOST: 239.255.255.250:1900
    ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
    MAN: "ssdp:discover"
    MX: 3
    Any device (router, modem, etc.) with UPnP enabled that advertises the urn:schemas-upnp-org:device:InternetGatewayDevice:1 device type answers this M-SEARCH; the answer points (via its LOCATION header) to the device description document.

    The worm then retrieves the following information from the device description:
    • URLBase
    • serviceType
    • controlURL
    • eventSubURL
    • SCPDURL
    It then looks for the following serviceTypes:
    • urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
    • urn:schemas-upnp-org:service:WANIPConnection:1
    • urn:schemas-upnp-org:service:WANPPPConnection:1
    Once this information is obtained, the worm drives the UPnP device through its SOAP control interface, issuing the following actions (with their arguments):
    GetStatusInfo NewUptime,NewConnectionStatus,NewLastConnectionError
    GetExternalIPAddress NewExternalIPAddress
    GetGenericPortMappingEntry NewRemoteHost,NewExternalPort,NewProtocol
    GetSpecificPortMappingEntry NewRemoteHost,NewExternalPort,NewProtocol
    AddPortMapping NewRemoteHost,NewExternalPort,NewProtocol,NewInternalPort,NewInternalClient,NewEnabled,NewPortMappingDescription
    DeletePortMapping NewRemoteHost,NewExternalPort,NewProtocol
    Effectively, the above maps external port 80 on the UPnP device to the random port of the HTTP server that serves a copy of the worm on the infected machine, so that the server becomes reachable from outside the NAT. As of writing, the exact purpose of this is unclear.
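The service registration described above (svchost.exe -k netsvcs plus a ServiceDll pointing at a randomly named DLL with a blank DisplayName) is the persistence a responder can hunt for. The following is an added example, not Fortinet's code: it parses a constructed `reg export` of the Services key (the service name prkzxa and the DLL name mhwbcly.dll are hypothetical) and flags netsvcs-hosted services that combine the 5-8 lowercase-letter DLL name with the blank DisplayName.

```python
import re

# Constructed sample of `reg export HKLM\SYSTEM\CurrentControlSet\Services` output (not a real capture).
# reg.exe writes REG_EXPAND_SZ values (ImagePath, ServiceDll) as "hex(2):" comma-separated UTF-16LE
# bytes, so the sample is generated with the same encoding and the parser decodes it.


def encode_expand_sz(text):
    """Encode a string the way reg.exe exports REG_EXPAND_SZ: NUL-terminated UTF-16LE as hex(2)."""
    return "hex(2):" + ",".join("%02x" % b for b in (text + "\0").encode("utf-16-le"))


SVCHOST_NETSVCS = encode_expand_sz(r"%SystemRoot%\system32\svchost.exe -k netsvcs")
LEGIT_DLL = encode_expand_sz(r"%SystemRoot%\system32\qmgr.dll")     # BITS, a normal netsvcs member
WORM_DLL = encode_expand_sz(r"%SystemRoot%\system32\mhwbcly.dll")   # hypothetical random name

SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"DisplayName"="Background Intelligent Transfer Service"
"Type"=dword:00000020
"Start"=dword:00000002
"ImagePath"={svchost}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"={legit}

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\prkzxa]
"DisplayName"=""
"Type"=dword:00000020
"Start"=dword:00000002
"ErrorControl"=dword:00000000
"ImagePath"={svchost}
"ObjectName"="LocalSystem"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\prkzxa\Parameters]
"ServiceDll"={worm}
""".format(svchost=SVCHOST_NETSVCS, legit=LEGIT_DLL, worm=WORM_DLL)


def decode_value(raw):
    """Decode one .reg value: "string", dword:hex, or hex(2) REG_EXPAND_SZ."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace("\\\\", "\\")
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(h, 16) for h in raw[len("hex(2):"):].split(",") if h)
        return data.decode("utf-16-le").rstrip("\0")
    return raw


def parse_reg_export(text):
    """Return {key_path: {value_name: value}}; hex values wrapped with a trailing backslash are re-joined."""
    keys, current, pending = {}, None, ""
    for line in text.splitlines():
        line = pending + line.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, value = line.partition("=")
            keys[current][name.strip('"')] = decode_value(value)
    return keys


NETSVCS = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)
RANDOM_DLL = re.compile(r"^[a-z]{5,8}\.dll$")   # the file name pattern described above


def find_suspicious_netsvcs(keys):
    """Flag netsvcs-hosted services whose ServiceDll has the random name pattern AND a blank DisplayName."""
    hits = []
    for path, values in keys.items():
        if path.lower().endswith("\\parameters"):
            continue
        if not NETSVCS.search(str(values.get("ImagePath", ""))):
            continue
        dll = str(keys.get(path + "\\Parameters", {}).get("ServiceDll", ""))
        reasons = []
        if RANDOM_DLL.match(dll.rsplit("\\", 1)[-1].lower()):
            reasons.append("ServiceDll name is 5-8 lowercase letters")
        if values.get("DisplayName") == "":
            reasons.append("blank DisplayName")
        # Require both: some legitimate netsvcs DLLs also have short lowercase names.
        if len(reasons) == 2:
            hits.append({"service": path.rsplit("\\", 1)[-1], "dll": dll, "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in find_suspicious_netsvcs(parse_reg_export(SAMPLE_REG)):
        print(hit)
```

Requiring both indicators keeps the false-positive rate down, since a short lowercase DLL name alone also matches legitimate netsvcs members. On a live host, `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` produces input in this format (the file is UTF-16, so open it with encoding="utf-16" before passing its text in).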
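The callback sweep described above (250 freshly generated 8-11 letter domains under five TLDs, each fetched with the fixed path /search?q=0&aq=7) and the trafficconverter.biz download are both visible in egress logs. The following is an added example, not part of the original description: detection logic run over a constructed proxy log (the domain names and client addresses are made up) that flags any request to trafficconverter.biz and any client contacting several DGA-shaped hosts with that exact path inside a short window. It does not reimplement the worm's domain generation algorithm, which the description does not give.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Indicators taken from the description above.
DGA_HOST = re.compile(r"^[a-z]{8,11}\.(?:com|net|org|info|biz)$")
CALLBACK = "/search?q=0&aq=7"
DOWNLOAD_HOST = "trafficconverter.biz"


def classify(url):
    """'download' for any request to trafficconverter.biz, 'callback' for a DGA-shaped host with the exact path, else None."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host == DOWNLOAD_HOST:
        return "download"
    request_target = parts.path + ("?" + parts.query if parts.query else "")
    if DGA_HOST.match(host) and request_target == CALLBACK:
        return "callback"
    return None


def detect(log_lines, threshold=5, window=timedelta(minutes=10)):
    """Alert on any trafficconverter.biz request, and on a client reaching `threshold` distinct callback hosts within `window`."""
    alerts = []
    recent = defaultdict(deque)     # client -> (time, host) callback events still inside the window
    for line in log_lines:
        timestamp, client, _method, url = line.split()
        kind = classify(url)
        if kind == "download":
            alerts.append((client, "download", url))
        elif kind == "callback":
            when = datetime.strptime(timestamp, "%Y-%m-%dT%H:%M:%SZ")
            events = recent[client]
            events.append((when, urlsplit(url).hostname))
            while when - events[0][0] > window:
                events.popleft()
            hosts = {h for _, h in events}
            if len(hosts) == threshold:      # fire once, as the threshold is crossed
                alerts.append((client, "dga-burst", sorted(hosts)))
    return alerts


# Constructed proxy log: "timestamp client method url". 10.0.0.5 behaves like the worm (date check, then the
# callback sweep); 10.0.0.9 hits one real 9-letter .org domain with the same path and then the download URL.
SAMPLE_LOG = """\
2008-11-26T09:00:01Z 10.0.0.5 GET http://www.google.com/
2008-11-26T09:00:02Z 10.0.0.5 GET http://kqzhwpslte.biz/search?q=0&aq=7
2008-11-26T09:00:02Z 10.0.0.5 GET http://vmrtoldpaq.com/search?q=0&aq=7
2008-11-26T09:00:03Z 10.0.0.5 GET http://yhbzcwnkl.net/search?q=0&aq=7
2008-11-26T09:00:03Z 10.0.0.5 GET http://piudxqoreaz.info/search?q=0&aq=7
2008-11-26T09:00:04Z 10.0.0.5 GET http://gwlatfrmpe.org/search?q=0&aq=7
2008-11-26T09:00:04Z 10.0.0.5 GET http://zxonthqbv.com/search?q=0&aq=7
2008-11-26T09:05:00Z 10.0.0.9 GET http://wikipedia.org/search?q=0&aq=7
2008-12-02T11:30:00Z 10.0.0.9 GET http://trafficconverter.biz/loadavd.exe
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

A single match of the host pattern is worthless on its own: a 9-letter .org domain with that path can be a legitimate site, which is why 10.0.0.9 produces no burst alert. The threshold (here 5 distinct hosts in 10 minutes) is what distinguishes the sweep. Because most of the 250 generated names will not resolve, DNS logs with NXDOMAIN responses give an even stronger signal than proxy logs.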
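The UPnP sequence described above (M-SEARCH, device description, WAN service lookup, AddPortMapping) is spelled out end to end in the following added example, which is not Fortinet's code. The SSDP reply and the device description document are constructed, the gateway address 192.168.1.1 and the internal port 3491 are assumptions, and the SOAP argument names follow the IGD specification. The last function is the defender's side: it parses an AddPortMapping request as captured on the wire and flags a mapping of a well-known external port onto a high internal port, which is what the description reports.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin

IGD = "urn:schemas-upnp-org:device:InternetGatewayDevice:1"
DEV_NS = {"d": "urn:schemas-upnp-org:device-1-0"}
# AddPortMapping lives on the WAN*Connection services; WANCommonInterfaceConfig (also sought by the worm) has none.
WAN_CONNECTION = ("urn:schemas-upnp-org:service:WANIPConnection:1",
                  "urn:schemas-upnp-org:service:WANPPPConnection:1")


def build_msearch(mx=3):
    """The discovery datagram quoted above, as sent over UDP to 239.255.255.250:1900."""
    return ("M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
            "ST: %s\r\nMAN: \"ssdp:discover\"\r\nMX: %d\r\n\r\n") % (IGD, mx)


def parse_ssdp_response(datagram):
    """Headers of a unicast 'HTTP/1.1 200 OK' SSDP reply; LOCATION points at the device description."""
    lines = datagram.decode("ascii", "replace").split("\r\n")
    if not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("unexpected SSDP reply: " + lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def parse_device_description(xml_text):
    """URLBase plus serviceType/controlURL/eventSubURL/SCPDURL of every service in an IGD description."""
    root = ET.fromstring(xml_text)
    url_base = root.findtext("d:URLBase", default="", namespaces=DEV_NS).strip()
    fields = ("serviceType", "controlURL", "eventSubURL", "SCPDURL")
    services = [{f: svc.findtext("d:" + f, default="", namespaces=DEV_NS).strip() for f in fields}
                for svc in root.iter("{%s}service" % DEV_NS["d"])]
    return url_base, services


def pick_wan_service(url_base, services, location):
    """First WANIP/WANPPPConnection service, with controlURL resolved against URLBase (or LOCATION)."""
    for wanted in WAN_CONNECTION:
        for svc in services:
            if svc["serviceType"] == wanted:
                return wanted, urljoin(url_base or location, svc["controlURL"])
    return None


def build_add_port_mapping(service_type, ext_port, int_port, int_client, proto="TCP", desc=""):
    """Headers and SOAP body for AddPortMapping (NewLeaseDuration 0 means a permanent mapping)."""
    body = ('<?xml version="1.0"?><s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
            's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/"><s:Body>'
            '<u:AddPortMapping xmlns:u="%s"><NewRemoteHost></NewRemoteHost>'
            "<NewExternalPort>%d</NewExternalPort><NewProtocol>%s</NewProtocol>"
            "<NewInternalPort>%d</NewInternalPort><NewInternalClient>%s</NewInternalClient>"
            "<NewEnabled>1</NewEnabled><NewPortMappingDescription>%s</NewPortMappingDescription>"
            "<NewLeaseDuration>0</NewLeaseDuration></u:AddPortMapping></s:Body></s:Envelope>"
            ) % (service_type, ext_port, proto, int_port, int_client, desc)
    headers = {"Content-Type": 'text/xml; charset="utf-8"',
               "SOAPAction": '"%s#AddPortMapping"' % service_type,
               "Content-Length": str(len(body.encode("utf-8")))}
    return headers, body


def inspect_add_port_mapping(body):
    """Defender side: parse an AddPortMapping request and flag a well-known external port mapped to a high internal one."""
    env = ET.fromstring(body)
    action = next((e for e in env.iter() if e.tag.endswith("}AddPortMapping")), None)
    if action is None:
        return None
    args = {child.tag: (child.text or "") for child in action}
    ext, internal = int(args["NewExternalPort"]), int(args["NewInternalPort"])
    args["suspicious"] = ext < 1024 <= internal
    return args


# Constructed SSDP reply and device description (not captured from a real device).
SAMPLE_SSDP_REPLY = (b"HTTP/1.1 200 OK\r\nCACHE-CONTROL: max-age=1800\r\n"
                     b"LOCATION: http://192.168.1.1:49152/rootDesc.xml\r\n"
                     b"ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\n\r\n")
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0"><URLBase>http://192.168.1.1:49152/</URLBase>
<device><deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANDevice:1</deviceType>
<serviceList><service><serviceType>urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1</serviceType>
<controlURL>/upnp/control/WANCommonIFC1</controlURL><eventSubURL>/upnp/event/WANCommonIFC1</eventSubURL>
<SCPDURL>/WANCommonIFC1.xml</SCPDURL></service></serviceList>
<deviceList><device><deviceType>urn:schemas-upnp-org:device:WANConnectionDevice:1</deviceType>
<serviceList><service><serviceType>urn:schemas-upnp-org:service:WANIPConnection:1</serviceType>
<controlURL>/upnp/control/WANIPConn1</controlURL><eventSubURL>/upnp/event/WANIPConn1</eventSubURL>
<SCPDURL>/WANIPConn1.xml</SCPDURL></service></serviceList></device></deviceList>
</device></deviceList></device></root>"""


def run_exchange(ssdp_reply, description_xml, int_port, int_client):
    """Whole sequence: discovery reply -> description -> WAN service -> AddPortMapping of external port 80."""
    location = parse_ssdp_response(ssdp_reply)["LOCATION"]
    url_base, services = parse_device_description(description_xml)   # in practice fetched from LOCATION
    service_type, control_url = pick_wan_service(url_base, services, location)
    headers, body = build_add_port_mapping(service_type, 80, int_port, int_client)
    return control_url, headers, body
```

The functions only build and parse messages; sending the UDP datagram and POSTing the SOAP body to the control URL is left to the caller. An IGD v1 gateway accepts AddPortMapping from any LAN host without authentication, so disabling UPnP on the gateway, or blocking 1900/udp from untrusted segments, removes this capability entirely.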
Description Last Updated Date: Jun 08, 2009
Reference: ID - 646559