| Alias/es | Net-Worm.Win32.Kido.cg(KAV), Worm:W32/Downadup.AL(F-Secure), W32.Downadup.B(Symantec), Worm:Win32/Conficker.B(Microsoft) |
| Release Date | Jan 02, 2009 |
| Detection Availability | Current Antivirus Definition Database Version: 12.202 | | CVE | 2008-4250 |
| Description | Visible SymptomsThe following files exist:
- %System%\{random lower case characters}.dll
- %Program Files%\Internet Explorer\{random lower case characters}.dll
- %Program Files%\Movie Maker\{random lower case characters}.dll
- %Documents and Settings%\All Users\Application Data\{random lower case characters}.dll
- %Temp%\{random lower case characters}.dll
- %Temp%\{random}.tmp
Access to security-related websites is hinderedDetailed AnalysisW32/Conficker.B!worm is a Network Worm. Beyond spreading to as many systems as possible, its ultimate goal is to connect to command and control servers operated by cybercriminals (aka "phoning home"), and to execute commands issued by the latter via the servers.
As of writing, the command and control servers have not been reported to be operational yet, therefore the intention of the cybercriminals behind this worm are unknown.
The main features of this worm are the following:
- Spreads in the local network by bruteforcing users' passwords
- Spreads in the local network by exploiting a flaw in Microsoft Windows (MS08-067)
- Spreads via USB keys
- Disables access to security-related sites and Windows updates
- Attempts to download and execute additional components from pre-determined servers (the command and control servers evoked above -- offline as of writing).
Upon execution on the victim's system, the worm takes the following actions:
Deletes itself from the current folder when the system restarts.
Creates the following files:
- %System%\{random lower case characters}.dll
- %Program Files%\Internet Explorer\{random lower case characters}.dll
- %Program Files%\Movie Maker\{random lower case characters}.dll
- %Documents and Settings%\All Users\Application Data\{random lower case characters}.dll
- %Temp%\{random lower case characters}.dll
- %Temp%\{random}.tmp
Creates the following memory mutexes:
- Global\{random namber depends on computer name}-7(eg: Global\240211711-7)
- {10-17 random lower case characters}(eg: dqkdilelpiy)
If the OS version is Vista or Server 2008, it runs the following command to disable TCP auto-runing:
- netsh interface tcp set global autotuning=disabled
Disables the following services:
- Windows Security Center Service (wscsvc)
- Windows Update AutoUpdate Service (wuauserv)
- Background Intelligent Transfer Service (BITS)
- Windows Defender Service (WinDefend)
- Windows Error Reporting Service (ERSvc or WerSvc)
Deletes the following registry entries:
- key: HKLM\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
- value: wscsvc
- key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- value: Windows Defender
Adds the following registry entries:
- key: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
- value: TcpNumConnections
- data: 0xFFFFFE
- key: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
- value: gip
- data: 0
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets
- value: gip
- data: 0
- key: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
- value: CheckedValue
- data: 0
- key: HKLM\SYSTEM\CurrentControlSet\Services\{5-8 random lower case characters}
- value: DisplayName
- data: %DisplayName%
- value: Type
- data: 0x20
- value: Start
- data: 2
- value: ErrorControl
- data: 0
- value: ImagePath
- data: %SystemRoot%\system32\svchost.exe -k netsvcs
- value: ObjectName
- data: LocalSystem
- value: Description
- data: %Description%
- key: HKLM\SYSTEM\CurrentControlSet\Services\{5-8 random lower case characters}\Parameters
- value: ServiceDll
- data: %system%\{5-8 random lower case characters}.dll
- key: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
- value: %Description%
- data: rundll32.exe %system%\{5-8 random lower case characters}.dll,{6-8 random lower case characters}
%DisplayName% is one of the following strings:
- Boot
- Center
- Config
- Driver
- Helper
- Image
- Installer
- Manager
- Microsoft
- Monitor
- Network
- Security
- Server
- Shell
- Support
- System
- Task
- Time
- Universal
- Update
- Windows
%Description% is one of the system service descriptions looked up by the malware in the local machine.
Attaches itself to following running processes:
- services.exe
- svchost.exe
- explorer.exe
Creates the following files on the root folder of removable media such as floppy drives, thumb drives, or flash card readers. Note the attempt to "hide" them in a RECYCLER folder.
- %root%\RECYCLER\S-{0-9}-{0-9}-{0-99}-{0-9999}{0-9999}{0-99}-{0-9999}{0-9999}{0-99}-{0-9999}{0-9999}{0-9}-{0-9999}\{5-8 random lower case characters}.{3 random lower case characters(excluding dll)} (eg: H:\RECYCLER\S-3-5-92-8027190021-4738333367-789012472-607\dxjkll.uvy)
- %root%\autorun.inf
If the system date is later than Jan 1, 2009:
- Tries to access one of the following websites and get the current date:
- baidu.com
- google.com
- yahoo.com
- msn.com
- ask.com
- w3.org
- aol.com
- cnn.com
- ebay.com
- myspace.com
- Based on the date retrieved above, uses an algorithm to construct 250 domain names with the following format:
- {8-11 lower case characters}.cc
- {8-11 lower case characters}.cn
- {8-11 lower case characters}.ws
- {8-11 lower case characters}.com
- {8-11 lower case characters}.net
- {8-11 lower case characters}.org
- {8-11 lower case characters}.info
- {8-11 lower case characters}.biz
- For each of the above, a URL with the following format is contructed and accessed:
- http://{domain name}/search?q={number}
To likely avoid further exploitation of the infected system by concurrent worms, it patches the following APIs:
- NetpwPathCanonicalize
- NtQueryInformationProcess
- Query_Main
- DnsQuery_W
- DnsQuery_UTF8
- DnsQuery_A
- sendto
Blocks user access to domains which include one of the following strings:
- virus
- spyware
- malware
- rootkit
- defender
- microsoft
- symantec
- norton
- mcafee
- trendmicro
- sophos
- panda
- etrust
- networkassociates
- computerassociates
- f-secure
- kaspersky
- jotti
- f-prot
- nod32
- eset
- grisoft
- drweb
- centralcommand
- ahnlab
- esafe
- avast
- avira
- quickheal
- comodo
- clamav
- ewido
- fortinet
- gdata
- hacksoft
- hauri
- ikarus
- k7computing
- norman
- pctools
- prevx
- rising
- securecomputing
- sunbelt
- emsisoft
- arcabit
- cpsecure
- spamhaus
- castlecops
- threatexpert
- wilderssecurity
- windowsupdate
- nai.
- ca.
- avp.
- avg.
- vet.
- bit9.
- sans.
- cert.
Enumerates all other systems visible in the Windows Domain the infected system belongs to, and tries to access their shares in the following way:
- First, it tries to connect to \\System Name\IPC$.
- Then, it tries user accounts retrieved from the Backup Domain Controller (BDC) and one of following passwords to log on to the targeted machine:
- 123
- 1234
- 12345
- 123456
- 1234567
- 12345678
- 123456789
- 1234567890
- 123123
- 12321
- 123321
- 123abc
- 123qwe
- 123asd
- 1234abcd
- 1234qwer
- 1q2w3e
- a1b2c3
- admin
- Admin
- administrator
- nimda
- qwewq
- qweewq
- qwerty
- qweasd
- asdsa
- asddsa
- asdzxc
- asdfgh
- qweasdzxc
- q1w2e3
- qazwsx
- qazwsxedc
- zxcxz
- zxccxz
- zxcvb
- zxcvbn
- passwd
- password
- Password
- login
- Login
- pass
- mypass
- mypassword
- adminadmin
- root
- rootroot
- test
- testtest
- temp
- temptemp
- foofoo
- foobar
- default
- password1
- password12
- password123
- admin1
- admin12
- admin123
- pass1
- pass12
- pass123
- root123
- pw123
- abc123
- qwe123
- test123
- temp123
- mypc123
- home123
- work123
- boss123
- love123
- sample
- example
- internet
- Internet
- nopass
- nopassword
- nothing
- ihavenopass
- temporary
- manager
- business
- oracle
- lotus
- database
- backup
- owner
- computer
- server
- secret
- super
- share
- superuser
- supervisor
- office
- shadow
- system
- public
- secure
- security
- desktop
- changeme
- codename
- codeword
- nobody
- cluster
- customer
- exchange
- explorer
- campus
- money
- access
- domain
- letmein
- letitbe
- anything
- unknown
- monitor
- windows
- files
- academia
- account
- student
- freedom
- forever
- cookie
- coffee
- market
- private
- games
- killer
- controller
- intranet
- work
- home
- job
- foo
- web
- file
- sql
- aaa
- aaaa
- aaaaa
- qqq
- qqqq
- qqqqq
- xxx
- xxxx
- xxxxx
- zzz
- zzzz
- zzzzz
- fuck
- 12
- 21
- 321
- 4321
- 54321
- 654321
- 7654321
- 87654321
- 987654321
- 0987654321
- 00
- 000
- 0000
- 00000
- 00000
- 0000000
- 00000000
- 11
- 111
- 1111
- 11111
- 111111
- 1111111
- 11111111
- 22
- 222
- 2222
- 22222
- 222222
- 2222222
- 22222222
- 33
- 333
- 3333
- 33333
- 333333
- 3333333
- 33333333
- 44
- 444
- 4444
- 44444
- 444444
- 4444444
- 44444444
- 55
- 555
- 5555
- 55555
- 555555
- 5555555
- 55555555
- 66
- 666
- 6666
- 66666
- 666666
- 6666666
- 66666666
- 77
- 777
- 7777
- 77777
- 777777
- 7777777
- 77777777
- 88
- 888
- 8888
- 88888
- 888888
- 8888888
- 88888888
- 99
- 999
- 9999
- 99999
- 999999
- 9999999
- 99999999
- Upon success, it drops a copy of itself as the following:
- \\Server Name\ADMIN$\System32\{5-8 random lower case characters}.{3 random lower case characters(exclude dll)}
- Lastly, it adds a scheduled job on the targeted system, in order to execute the dropped copy:
- rundll32.exe {5-8 random lower case characters}.{3 random lower case characters(exclude dll)},{5-8 random lower case characters}
Exploits Server Service Vulnerability to propagate:
- To do this, it first queries the following websites to get the external IP Address of the machine it currently sits in:
- http://checkip.dyndns.org
- http://www.whatismyip.org
- http://www.whatsmyipaddress.com
- http://www.getmyip.org
- Then it creates an HTTP server on a random port:
- http://{External IP Address of Current Machine}:{random port}
- Finally, it sends the attack packets to the targeted machine. Upon successful exploitation, the remote machine downloads a copy of the worm from the HTTP server created above, and saves it with one of the following extensions:
Broadcasts the following SNMP message on the network:
M-SEARCH * HTTP/1.1
HOST: 239.255.255.250:1900
ST: urn:schemas-upnp-org:device:InternetGatewayDevice:1
MAN: "ssdp:discover"
MX: 3
|
Any device (router, modem, switch, etc...) with UPNP enabled and the “urn:schemas-upnp-org:device:InternetGatewayDevice:1” service, will respond to the SNMP message.
The worm then retrieves the following information from the response message:
URLBase
serviceType
controlURL
eventSubURL
SCPDURL
Then tries to find the following serviceType:
urn:schemas-upnp-org:service:WANCommonInterfaceConfig:1
urn:schemas-upnp-org:service:WANIPConnection:1
urn:schemas-upnp-org:service:WANPPPConnection:1
Once the above information is obtained, control of the UPNP device is taken. The following control message is sent to the UPNP device:
GetStatusInfo
NetUptime,NetConnectionStatus,NetLastConnectionError
GetExternalIPAddress
NewExternalIPAddress
GetGenericPortMappingEntry
NewRemoteHost,NewExternalPort,NewProtocol
GetSpecificPortMappingEntry
NewRemoteHost,NewExternalPort,NewProtocol
AddPortMapping NewRemoteHost,NewExternalPort,NewProtocol,NewInternalPort,NewInternalClient,NewEnable,NewPortMappingDescription
DeletePortMapping
NewRemoteHost,NewExternalPort,NewProtocol
|
Effectively, the above maps the external port 80 on the UPNP device to the "random" port of the HTPP server serving a copy of the worm on the infected machine. As of writing, the exact purpose of such is unclear.
|
Description Last Updated Date: Jun 09, 2009
Reference: ID - 673611
|