Containing Conficker

Tools and Infos

 

Felix Leder and Tillmann Werner

The following page contains the tools and analysis results described in our "Know your Enemy" paper "Containing Conficker - To Tame a Malware". The paper is published by the undefinedHoneynet Project and can be downloaded here: undefinedhttps://www.honeynet.org/papers/conficker

All tools are to be considered as proof of concepts. Even though most of them run stable, they are not meant for use in production. They do not come with any warranty. All tools are available including source code and are licences using GPL.

If you enjoy our tools...we enjoy feedback. Just send us an E-mail. You can also send us an E-mail if you have improved the code or have a question

More information about Conficker is available from the undefinedConficker Working Group.

Online Conficker Test

Conficker.B and .C infections can be detected simply by surfing a web-page. Conficker.A infections cannot be detected this way. Click below to check your system (for .B or later):

Update: Conficker.D/.E: Newest version from April 8th can be detected, now.

undefinedConficker Online Check

The Structure of Conficker

video.avi   

Have you every wondered, how the structure of worms and virii looks like. We have created a little video that displays the functions inside Conficker and their relations. The video has been recorded during one of our analysis steps.

Network Scanner

Another option is to actively scan for Conficker machines. There is a way to distinguish infected machines from clean ones based on the error code for some specially crafted RPC messages. Conficker tries to filter out further exploitation attempts which results in uncommon responses. Our python script scs2.py implements a simple scanner based on this observation. Here is a sample output:

$ ./scs2.py 10.0.0.1 10.0.0.5

Simple Conficker Scanner v2.1 -- (C) Felix Leder, Tillmann Werner 2009, 2010

[UNKNOWN] 10.0.0.1: No response from port 445/tcp.
[UNKNOWN] 10.0.0.2: Unable to run NetpwPathCanonicalize.
[CLEAN] 10.0.0.3: Windows Server 2003 R2 3790 Service Pack 2 [Windows Server 2003 R2 5.2]: Seems to be clean.
[INFECTED] 10.0.0.4: Windows 5.1 [Windows 2000 LAN Manager]: Seems to be infected by Conficker D.
[INFECTED] 10.0.0.5: Windows 5.1 [Windows 2000 LAN Manager]: Seems to be infected by Conficker B or C.
done

Update: Version 2 of our Simple Conficker Scanner is now capable of detecting machines infected with the newest variant (also called version E). Here is the MD5 checksum of the ZIP archive:

    fd67e35f41e35f9e2de4af913af4e29f  scs2.2.zip

 

Update: Version 2.1 and 2.2 support scanning for infections on other ports than 445/tcp (e.g., 139/tcp). However, you have to call the scanner script directly (the second argument is the port number):

scanner21.py localhost 139

Simple Conficker Scanner v2.2 requires the installation of the impacket python library.

Nonficker Vaxination Tool

Conficker uses different global and local mutexes to ensure that only the most up-to-date version is run on the system. This fact can be exploited to scan for and to prevent infections.

We have developed our Nonficker Vaccination dll that can be installed as a system service and pretends to be a running Conficker by registering all mutexes from version .A, .B, and .C (and possibly .D depending which naming scheme you refer to). A setup tool to install the dll as system service is provided as well.

Removal instructions:

  • Open your favorite registry editor (e.g. Start->Run...->regedit.exe->ok)
  • Go to registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost
  • Remove the "aaaaanonficker" from the "netsvcs" key
  • Remove registry key and all sibling keys: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\aaaaanonficker

Besides vaccination, the mutexes can be used to scan for local infections. We have developed a small mutex scanner that tells you if you are infected.

Update: Infections with Conficker.D/.E (from April 8th) were already prevented by the previous Nonficker Vaxination.

Both tools and source code can be downloaded here:

Memory Disinfector

It is hard to identify files containing Conficker, because the executables are packed and encrypted. When Conficker runs in memory, it is fully unpacked. Our memory disinfector scans the memory of every running process in the system and terminates Conficker threads without touching the process it runs in. This helps to keep the system services running.

Update: Conficker.D/.E (from 8th April) can be detected and removed, too. We had to change the name since applications that have "killer" or "conficker" in their names are killed by conficker itself.

The tool itself and the source code can be downloaded here:

Detecting Conficker Files and Registry

Despite other reports, the file names and registry keys Conficker.B and .C use are not random. They are calculated on the basis of the hostname. We have developed a tool that you can run on your system to check for Conficker's Dlls. Unfortunately, Conficker.A really uses random names and can therefore not be found this way.

It is at a very early development stage, but usable. We would be grateful to benefit from your changes if you develop it further.

Tool and source code are here:

    Intrusion Detection Signatures

    Conficker uses a hardcoded xor-key for encoding its shellcode. This creates static patterns, which allow to detect exploitation attempts and may be used to identify infected machines. The signature we have created for Conficker.A and .B are:

    Conficker.A

    alert tcp any any -> $HOME_NET 445 (msg:
    "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10
    80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c
    cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4
    c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92
    96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95
    e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5
    dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07
    a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb
    eb|"; sid: 2000001; rev: 1;)

    Conficker.B

    alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode";
    content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d
    a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4
    94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03
    c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88
    cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6
    c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0
    b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab
    aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)

    Conficker Domain Name Generation

    Different Conficker variants are checking different domains for updates every day. Conficker.A and .B already generate and check 250 domains each per day. Conficker.C will start checking for 50.000 generated domain names on April 1st.

     

    Downatool2

    The domain names of different Conficker variants can be used to detect infected machines in a network. Inspired by the "downatool" from MHL and B. Enright, we have developed Downatool2. It can be used to generate domains for Downadup/Conficker.A, .B, and .C.

    Conficker.C Domain Collisions

    Figure 1: Number of Conficker.C collisions with existing domains for April 2009.

    Conficker.A and .B created 250 domains per day, from which they try to download updates. Conficker.C, unlike its predecessors, creates 50.000 domains per day. Furthermore, the length of Conficker.C domain names is only 4-9 instead of 8-11 characters as variants .A and .B. The large number and the shorter domain length results in a lot of collisions with real domain names.

    We have pre-computed all domain names for April 2009 and looked up the domains in order to find collisions. Figure 1 shows the number of collisions for each day.

    The list of collisions as well as the list of Conficker.C domains for April can be downloaded here:

     

    Figure 2: Number of collisions for each IP address in April 2009

    Conficker .C will create about 150 - 200 collisions with existing domains per day. The large number of generated domains and the fact that not every domain will be contacted for a given day will probably prevent DDoS situations.

    Figure 2 shows the number of conflicts each IP address generates. There are some IPs with a remarkable number of occurrences.

     
    You may want more than just Conficker.C domains and probably more than just April. Just download our Downatool2 from above and generate the domains yourself. If you like the tools, tell us by sending an e-mail.

    Statistics about future collisions will be published here. Just tune in again.

    Background and Paper

    All the tools and data found on this web-site are derived from reverse engineering and analyzing Conficker. The description of our approaches and especially the extracted algorithms and relations are described in our paper:

    undefinedContaining Conficker - To Tame a Malware