Technical Information

Win32/Conficker is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. Depending on the specific variant, it may also spread via removable drives and by exploiting weak passwords. It disables several important system services and security products and downloads arbitrary files.

Installation

Conficker installs itself in different ways according to variant. However, both variants attempt to copy themselves to the Windows system folder as a hidden DLL file using a random name. They modify the registry in order to run this copy at each Windows start, for example:

Adds value: "<random string>"
With data: "rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads Via…

Exploit

Worm:Win32/Conficker spreads to systems that are not yet patched against a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer over HTTP, using a random port between 1024 and 10000 opened by the worm. The vulnerability is documented in Microsoft Security Bulletin MS08-067.

Network Shares with Weak Passwords

Worm:Win32/Conficker.B attempts to infect machines within the network. It first attempts to drop a copy of itself in a target machine's ADMIN$ share using the credentials of the currently logged-on user. If this method is unsuccessful (for example, if the current user does not have the necessary rights), it instead obtains a list of user accounts on the target machine. It then attempts to connect to the target machine using each user name and the following weak passwords:

123 1234 12345 123456 1234567 12345678 123456789 1234567890 123123 12321 123321 123abc 123qwe 123asd 1234abcd 1234qwer 1q2w3e a1b2c3
admin Admin administrator nimda qwewq qweewq qwerty qweasd asdsa asddsa asdzxc asdfgh qweasdzxc q1w2e3 qazwsx qazwsxedc zxcxz zxccxz zxcvb zxcvbn
passwd password Password login Login pass mypass mypassword adminadmin root rootroot test testtest temp temptemp foofoo foobar default
password1 password12 password123 admin1 admin12 admin123 pass1 pass12 pass123 root123 pw123 abc123 qwe123 test123 temp123 mypc123 home123 work123 boss123 love123
sample example internet Internet nopass nopassword nothing ihavenopass temporary manager business oracle lotus database backup owner computer server secret super share superuser supervisor office shadow system public secure security desktop changeme codename codeword nobody cluster customer exchange explorer campus money access domain letmein letitbe anything unknown monitor windows files academia account student freedom forever cookie coffee market private games killer controller intranet work home job foo web file sql
aaa aaaa aaaaa qqq qqqq qqqqq xxx xxxx xxxxx zzz zzzz zzzzz fuck
12 21 321 4321 54321 654321 7654321 87654321 987654321 0987654321
0 00 000 0000 00000 00000 0000000 00000000
1 11 111 1111 11111 111111 1111111 11111111
2 22 222 2222 22222 222222 2222222 22222222
3 33 333 3333 33333 333333 3333333 33333333
4 44 444 4444 44444 444444 4444444 44444444
5 55 555 5555 55555 555555 5555555 55555555
6 66 666 6666 66666 666666 6666666 66666666
7 77 777 7777 77777 777777 7777777 77777777
8 88 888 8888 88888 888888 8888888 88888888
9 99 999 9999 99999 999999 9999999 99999999

If Win32/Conficker successfully accesses the target machine, for example if a combination of any of the obtained user names and one of the above passwords allows write privileges to the machine, it copies itself to an accessible admin share as ADMIN$\System32\<random letters>.dll.

Creates Remote Scheduled Job

After compromising a machine remotely, Win32/Conficker.B creates a remote scheduled job with the command "rundll32.exe <malware file name>.dll,<malware parameters>" to activate the copy, as shown in the images below:

Mapped and Removable Drives

Win32/Conficker may drop a copy of itself in all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named 'RECYCLER' (in Windows XP and previous versions, the folder "RECYCLER" references the "Recycle Bin"). Next, the worm copies itself as the following:

<drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll

Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which enables the worm copy to execute if the drive is accessed and Autoplay is enabled.
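A defender-side check for the removable-drive drop pattern just described, added here as an example and not code from the original description or from Microsoft: it scans a list of file paths for the RECYCLER\S-...\<random letters>.dll layout and reports drives where a root autorun.inf accompanies it. The sample paths are constructed, and treating each %d as one alphanumeric character is an assumption.

```python
import re
from typing import Dict, List

# Each %d in the template <drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll
# is matched as one alphanumeric character (assumption: the page calls it a letter, %d usually means a digit).
_D = r"[0-9A-Za-z]"
RECYCLER_DLL = re.compile(
    r"^(?P<drive>[A-Za-z]):\\RECYCLER\\S-"
    + "-".join(_D * n for n in (1, 1, 1, 3, 3, 3, 1))
    + r"\\[A-Za-z]+\.dll$",
    re.IGNORECASE,
)
# The autorun.inf the worm drops sits in the drive root.
AUTORUN_INF = re.compile(r"^(?P<drive>[A-Za-z]):\\autorun\.inf$", re.IGNORECASE)


def scan_paths(paths: List[str]) -> Dict[str, str]:
    """Classify each drive letter seen in `paths`.

    "dll+autorun": both the RECYCLER\\S-...\\<letters>.dll and a root autorun.inf
    are present, i.e. the full drop pattern; "dll-only" / "autorun-only" are
    partial matches worth a look (a root autorun.inf alone is common on install media).
    """
    seen: Dict[str, set] = {}
    for path in paths:
        for kind, pattern in (("dll", RECYCLER_DLL), ("autorun", AUTORUN_INF)):
            m = pattern.match(path)
            if m:
                seen.setdefault(m.group("drive").upper(), set()).add(kind)
    return {
        drive: "dll+autorun" if kinds == {"dll", "autorun"} else f"{next(iter(kinds))}-only"
        for drive, kinds in seen.items()
    }


# Constructed sample listing (not taken from a real infection).
SAMPLE_PATHS = [
    r"E:\RECYCLER\S-1-5-2-123-456-789-0\qwvxyz.dll",   # worm copy, full pattern
    r"E:\autorun.inf",                                  # its launcher
    r"F:\RECYCLER\S-9-8-7-987-654-321-0\abc.dll",       # copy without autorun.inf
    r"G:\autorun.inf",                                  # e.g. a software CD
    r"C:\Windows\System32\kernel32.dll",                # benign
    r"E:\RECYCLER\S-1-5-2-123-456-789-0\readme.txt",    # not a DLL
]

if __name__ == "__main__":
    for drive, verdict in sorted(scan_paths(SAMPLE_PATHS).items()):
        print(f"{drive}: {verdict}")
```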
The image below illustrates how a user could potentially launch the worm when accessing an infected share. Note that the language in the first option suggests the user could 'open folder to view files'; however, the option is under 'Install or run program', an indication that opening the folder will actually execute an application. Another hint that the action is to execute the worm is the text 'Publisher not specified'. The highlighted choice under 'General options' in the image would allow a user to view the share without executing the worm copy.

Payload

Downloads Arbitrary Files

Win32/Conficker may construct a URL, according to the following pattern, to download files from:

http://<pseudo-random generated URL>/search?q=%d

The generated URL is based on the current system date. It uses one of the following top-level domains:

.cc .cn .ws .com .net .org .info .biz

For example, aaovt.com or aasmlhzbpqe.com.
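Detection logic for the download URL pattern above, added as an example (not part of the original description): since the page does not give the generator, it flags a client that reaches several different single-label hosts under the listed TLDs with the identical /search?q=<number> path, rather than any one URL. The proxy log format, the letters-only host label, and the host names other than the two the page gives are assumptions.

```python
from collections import defaultdict
from typing import Dict, List, Set
from urllib.parse import parse_qs, urlparse

# Top-level domains listed in the description.
CONFICKER_TLDS = {"cc", "cn", "ws", "com", "net", "org", "info", "biz"}


def matches_update_pattern(url: str) -> bool:
    """True if url looks like http://<label>.<tld>/search?q=<integer>.

    Letters-only single-label host names are an assumption drawn from the page's
    examples (aaovt.com, aasmlhzbpqe.com); the page does not state the generator.
    """
    u = urlparse(url)
    if u.scheme != "http" or u.path != "/search":
        return False
    labels = (u.hostname or "").split(".")
    if len(labels) != 2 or not labels[0].isalpha() or labels[1] not in CONFICKER_TLDS:
        return False
    q = parse_qs(u.query)
    return list(q) == ["q"] and len(q["q"]) == 1 and q["q"][0].isdigit()


def suspicious_clients(log_text: str, min_hosts: int = 3) -> Dict[str, List[str]]:
    """Map client -> sorted matching hosts for clients with >= min_hosts distinct hosts.

    A single hit is not enough: a real search-engine query such as
    http://ask.com/search?q=12 has the same shape. The signal is one client
    reaching many different random-looking hosts with identical path and query.
    """
    hosts: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        if matches_update_pattern(url):
            hosts[client].add(urlparse(url).hostname)
    return {c: sorted(h) for c, h in hosts.items() if len(h) >= min_hosts}


# Constructed proxy log lines; assumed format "<timestamp> <client> <method> <url>".
SAMPLE_LOG = """\
2009-01-15T10:00:01Z 10.0.0.5 GET http://aaovt.com/search?q=4
2009-01-15T10:00:02Z 10.0.0.5 GET http://aasmlhzbpqe.com/search?q=4
2009-01-15T10:00:03Z 10.0.0.5 GET http://qplrkzt.biz/search?q=4
2009-01-15T10:00:04Z 10.0.0.5 GET http://checkip.dyndns.org/
2009-01-15T10:00:05Z 10.0.0.9 GET http://www.google.com/search?q=conficker
2009-01-15T10:00:06Z 10.0.0.9 GET http://ask.com/search?q=12
"""

if __name__ == "__main__":
    for client, found in suspicious_clients(SAMPLE_LOG).items():
        print(client, found)
```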
Resets System Restore Point

The worm may call an API function to reset the computer's system restore point, potentially defeating recovery using System Restore.

Conficker.B performs the following additional payloads:

Modifies System Settings

Worm:Win32/Conficker.B changes system settings so that the user cannot view hidden files. It does this by modifying the following registry entry:

Adds value: "CheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

It also modifies the system's TCP settings to allow a large number of simultaneous connections (0x00FFFFFE is hexadecimal for the decimal value 16,777,214):

Adds value: "TcpNumConnections"
With data: "0x00FFFFFE"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
The worm drops a temp file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.
Disables TCP/IP Tuning, Terminates and Disables Services

Win32/Conficker.B disables Windows Vista TCP/IP auto-tuning by executing the following command:

netsh interface tcp set global autotuning=disabled

This worm terminates several important system services, such as the following:

Win32/Conficker.B deletes the registry key for Windows Defender, disabling it from running when the system starts.

Deletes value: "Windows Defender"
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It also blocks any process whose module name contains any of the following strings from sending network traffic or data. Most of these strings are related to antivirus and security software, so the products are effectively prevented from acquiring signature updates, and users may also be prevented from accessing websites with these strings in the URL:

virus spyware malware rootkit defender Microsoft Symantec Norton mcafee trendmicro sophos panda etrust networkassociates computerassociates f-secure kaspersky jotti f-prot nod32 eset grisoft drweb centralcommand ahnlab esafe avast avira quickheal comodo clamav ewido fortinet gdata hacksoft hauri ikarus k7computing norman pctools prevx rising securecomputing sunbelt emsisoft arcabit cpsecure spamhaus castlecops threatexpert wilderssecurity windowsupdate

Win32/Conficker may contact one or more of the following remote sites for various purposes, including checking the affected machine's geographic location and verifying that the system date is accurate:

getmyip.org getmyip.co.uk checkip.dyndns.org baidu.com google.com yahoo.com msn.com ask.com w3.org
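A check over a registry export covering the Run-key installation entry described under Installation and the two settings changed under Modifies System Settings; this is an added example, not Microsoft's code. The .reg parser is deliberately minimal, and the value name, DLL name and parameters in the constructed export are made up; the key paths are the ones named in the description.

```python
import re
from typing import Dict, List, Tuple

# Run-key data of the form "rundll32.exe <system folder>\<name>.dll,<parameters>".
RUNDLL_SYSTEM_DLL = re.compile(r'^rundll32(\.exe)?\s+.*\\system32\\[^\\,]+\.dll,', re.IGNORECASE)

def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal .reg reader -> {key path: {value name: raw data}} (one-line string/dword values only)."""
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            keys[current][name] = data
    return keys

def check_conficker_indicators(text: str) -> List[Tuple[str, str]]:
    """Return (indicator, detail) pairs for the three settings described above."""
    findings: List[Tuple[str, str]] = []
    for key, values in parse_reg_export(text).items():
        k = key.lower()
        if k.endswith("\\currentversion\\run"):
            for name, data in values.items():
                # .reg files double backslashes inside strings; undo that before matching.
                if RUNDLL_SYSTEM_DLL.match(data.strip('"').replace("\\\\", "\\")):
                    findings.append(("run-rundll32-system32-dll", f"{key}\\{name}={data}"))
        if k.endswith("\\folder\\hidden\\showall") and values.get("CheckedValue", "").lower() == "dword:00000000":
            findings.append(("hidden-files-view-disabled", key))
        if k.endswith("\\tcpip\\parameters") and values.get("TcpNumConnections", "").lower() == "dword:00fffffe":
            findings.append(("tcpnumconnections-0x00fffffe", key))
    return findings

# Constructed export (value names and DLL name are made up; the keys are the ones named above).
SAMPLE_REG = r"""[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"xkqzpw"="rundll32.exe C:\\Windows\\system32\\qzvkxpa.dll,Init"
"ExampleApp"="C:\\Program Files\\ExampleApp\\app.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
"CheckedValue"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"TcpNumConnections"=dword:00fffffe
"""

if __name__ == "__main__":
    for indicator, detail in check_conficker_indicators(SAMPLE_REG):
        print(indicator, detail)
```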
Additional Information

The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A: (fic)(con)(er) => (con)(fic)(+k)(er) => conficker

For more specific information regarding these worms, please see the following detailed variant descriptions elsewhere in our encyclopedia: