
Conficker: Analysis of an Internet Worm

cs490ns - cotter

Outline

• What’s in a Name?
• What is it Trying to do?
• What is its Timeline?
• How does it Infect a Machine?
• How does it Propagate itself?
• How is it Controlled / Updated?
• How Big is the Problem?
• How can it be Detected & Removed?


What’s in a Name?

• Win32/Conficker.A (CA)
• W32.Downadup (Symantec)
• W32/Downadup.A (F-Secure)
• Conficker.A (Panda)
• Net-Worm.Win32.Kido.bt (Kaspersky)
• W32/Conficker.worm (McAfee)
• Win32.Worm.Downadup.Gen (BitDefender)
• Win32:Confi (avast!)
• WORM_DOWNAD (Trend Micro)
• Worm.Downadup (ClamAV)
• Downup, Kido, ?


What’s in a Name?

• Richard Grigonis, IP Communications Group
– Conficker is constructed from the first five letters of “configuration,” while adding four letters to the end so as to end with “ficker”, a vulgar nominalized form of the German transitive verb ficken (2/13/09)

• Jordan Robertson, The Associated Press
– The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to. (3/31/09)

• Joshua Phillips, Microsoft Malware Protection Center
– The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:
– (fic)(con)(er) => (con)(fic)(+k)(er) => conficker (viewed 04/07/09)

• Wikipedia
– “The origin of the name ‘conficker’ is not known with certainty” (4/3/09)


Variants

• Classified by analyzing infected hosts and identifying significant differences in functionality

• Current primary variants
– Conficker.A
– Conficker.B
– Conficker.B++
– Conficker.C
– Conficker.D
– Conficker.E


Conficker Objectives

• “… today the vast majority of malware has a monetary motivation.” (Eric Chien, Symantec Corp., 1/19/09)

• Original (Conficker.A) update site: trafficconverter.biz
– Site used to spread fake anti-spyware.
– Once installed on a victim’s machine, the fake scanner “finds” non-existent virus infections and tries to convince the user to pay for the software to clean the machine.


Conficker Objectives

• Other possible / likely objectives
– Build a network of robot machines (botnet)
– Use those machines to attack targets
– Sell the use of those machines for questionable services
• Rent 100 machines to send out 10 million spam messages
• Rent machines to run hacking software
• ?

• Take down the Internet?
– Not likely


Objectives Update??

• April, 2009
– Some machines infected with Conficker (Downadup) are also being infected with the trojan W32/Waledac.gen
– The trojan was originally propagated through spam and social engineering.
– It harvests personal information, encrypts the file and sends it to one of a list of ~100 sites.


Conficker Timeline

• Microsoft issues patch (MS08-067) for the RPC vulnerability – 10/23/08
• Early exploit – W32/Gimmiv.A – 10/23/08
• Conficker.A – 11/21/08
• Conficker.B – 12/29/08
• Conficker.B++ – 2/17/09
• Conficker.C – 2/20/09
• Conficker.D – 3/4/09
• Conficker.E – 4/9/09


Targeted OSs

• Windows XP – SP2, SP3
• Windows XP Pro x64 – SP2
• Windows Server 2003 – SP1, SP2
• Windows Server 2003 x64 – SP2
• Windows Vista – SP1
• Windows Vista x64 – SP1
• Windows Server 2008
• Windows Server 2008 x64
• Windows Server 2008 Itanium-based


Initial Attack – Conficker.A

• Exploit a vulnerability in the MS RPC Server service.
– Send a specially crafted RPC request to port 445 (or port 139), the ports used for file sharing, on a Windows machine not patched for vulnerability MS08-067.
– Vulnerability in the NetpwPathCanonicalize() function inside netapi32.dll.
– The bug is a stack buffer “underflow”: the path-walking code moves a pointer before the start of the buffer, and the resulting out-of-bounds write lets the attacker execute arbitrary code on the target machine.


Initial attack

• Canonicalization
– Reduce (a path) to its simplest form.
– aaa\bbb\..\ccc → aaa\ccc

• MS08-067 vulnerability
– A specially crafted path, one whose “\..\” has no preceding directory component to remove, forces the function to search backwards beyond the start of the stack buffer, so the copy that follows corrupts stack data, including the function return address.


Once Inside - Conficker.A

• Check for a Ukrainian keyboard layout (quit if present)
• Create mutex Global\xxx-7 (quit if this fails, i.e. another instance is already running)
• Check OS version
• Attach to a running Windows service process (services.exe)
• Create a randomly named file (xxx.dll) in the System32 directory
– If that fails, copy to Program Files\Movie Maker, or the Internet Explorer directory, or …


Once Inside - Conficker.B

• Create Mutex

• “Patch” MS08-067 in memory
– Objective is to avoid / control re-infection: other worms are blocked, while Conficker’s own exploit traffic is still recognized and accepted.

• Patch DNS access
– Prevent connection to security sites (lookups matching 50+ strings are blocked)

• Attach to a running service


The Mutex

• Conficker.A
– Global\xxx-7 (where xxx is a CRC32 checksum of a buffer containing the hostname)

• Conficker.B
– First mutex is local to the process and checks whether another thread is already running the DLL. Mutex name derived from the process ID.
– Second mutex checks whether the DLL is running under a different process name (similar to Global\xxx-7 except that it uses a different CRC32 checksum function)

• Conficker.C
– First mutex used to check for a running Conficker thread.
– Second mutex used to prevent backwards infection from B.
– Third mutex checks whether the DLL is running under a different process. If so, terminate and remove this version.


Why does it spread so fast?

• Although the patch was available in 10/08, many Windows machines were not automatically updated

• Major infections in countries suspected of having a large number of pirated copies of MS Windows.


Propagate through MS08-067 – Conficker.A

• Find current (external) IP address
– getmyip.org
– getmyip.co.uk
– checkip.dyndns.org

• Open a hole through the firewall using UPnP
– Used for binary download by the machines it exploits.
– Runs a small HTTP server to serve the payload

• Reset System Restore points
• Download the GeoIP database
– Used to pick other IP addresses to infect
– www.maxmind.com (GeoIP.dat.gz)

• Scan and infect
• Sleep 30 minutes and repeat


Propagation in Conficker.B

• Defense: GeoIP file removed from the MaxMind website
– Conficker.B responded by carrying the file as data appended to the worm binary (RAR-compressed, RC4-encrypted)

• Propagate through USB / network drives (autorun.inf)
– Pad the file with ~60 KB of random data to hide the real directives
– Launch the worm DLL from the autorun entry
– Add a new action to the AutoPlay dialog box, disguised as the normal “Open folder to view files” option


Modified autorun dialog


Propagation in Conficker.B

• Attempt to log onto the ADMIN$ share of other machines using the current user’s credentials

• Attack weak passwords on the target machine or on the local network.
– Fixed list of perhaps 250 passwords
– Number sequences: 12345, 11111, 22222, etc.
– Account names: admin, Admin, administrator, root, superuser, etc.
– Keyboard sequences: qwerty, qweasd, zxcxz, etc.
– passwd, password, mypass, etc.
– abc123, home123, work123, mypc123, etc.
– coffee, cookie, home, money, work, anything, etc.


Links to Update site – Conficker.A

• Get current UTC date (from the HTTP responses of large sites)
– w3.org, ask.com, msn.com, yahoo.com, google.com

• Use the date as the seed for a random name generator
– Name strings 5 to 11 lower-case characters (8 ± 3)

• Create 250 domain names
• Randomly assign a TLD
– .com, .net, .org, .biz

• Randomly choose 32 names from the list
• Contact the sites and download a binary payload
– Every 3 hours starting 11/26/08

• If date > 12/1/08
– Attempt to download loadadv.exe from trafficconverter.biz


Links to Update site – Conficker.B

• Get current UTC date
– w3.org, ask.com, msn.com, yahoo.com, google.com

• Use the date as the seed for a random name generator
– Name strings 5 to 11 lower-case characters (8 ± 3)

• Create 250 domain names
• Randomly assign a TLD
– .com, .net, .org, .biz

• Randomly choose 32 names from the list
• Contact the sites and download a binary payload
– Every 3 hours starting 11/26/08
– Every 2 hours starting 1/1/09


Links to Update site – Conficker.C

• Get current UTC date
– 3 additional sites (facebook.com, imageshack.us, rapidshare.com)

• Use the date as the seed for a random name generator
– Name strings 4 to 9 lower-case characters

• Create 50,000 domain names
– ~150-200 collisions per day with legitimately registered domains

• Randomly assign a TLD
– 110 different TLDs used

• Randomly choose 500 names from the list
• Contact the sites and download a binary payload
– Once a day after April 1, 2009
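The date-seeded generation described for Conficker.A/B (250 names of 5 to 11 characters over 4 TLDs, 32 contacted per day) and for Conficker.C (50,000 names of 4 to 9 characters over ~110 TLDs, 500 contacted) can be reproduced in shape. The block below is an added example, not Conficker's recovered algorithm: the hash-based seed, the alphabet, the second PRNG stream for the daily sample and the TLD list are assumptions, and the real worm's PRNG and constants (documented by SRI) differ. It also shows the defender's side of the same arithmetic: whoever knows the algorithm can pre-compute the complete candidate set for coming days and register or sinkhole it, which is how the domain channel was contained in practice.

```python
"""Date-seeded domain generation in the shape the slides describe.

Added example: NOT Conficker's recovered algorithm, PRNG or constants.
The hash-based seed, the alphabet and the TLD list are assumptions.
"""
import hashlib
import random
from datetime import date, timedelta

# TLDs named on the slides for Conficker.A/B; Conficker.C used ~110 (not listed here).
TLDS_AB = (".com", ".net", ".org", ".biz")
ALPHABET = "abcdefghijklmnopqrstuvwxyz"   # assumption: lower-case letters only


def daily_seed(day: date) -> int:
    """Derive the generator seed from the UTC date alone.

    The worm read the date from responses of big web sites; the defender simply
    uses the calendar.  Either way, the same date gives the same list.
    """
    digest = hashlib.sha256(day.isoformat().encode("ascii")).digest()
    return int.from_bytes(digest[:8], "big")


def generate_domains(day: date, count: int = 250, min_len: int = 5,
                     max_len: int = 11, tlds=TLDS_AB) -> list:
    """Full candidate list for one day (A/B defaults; pass C's parameters for 50,000 names)."""
    rng = random.Random(daily_seed(day))
    domains = []
    for _ in range(count):
        length = rng.randint(min_len, max_len)
        label = "".join(rng.choice(ALPHABET) for _ in range(length))
        domains.append(label + rng.choice(tlds))
    return domains


def pick_rendezvous(day: date, sample: int = 32, **params) -> list:
    """The subset the bot actually contacts that day (32 of 250 for A/B, 500 of 50,000 for C).

    A second PRNG stream keyed from the same date keeps the sample reproducible.
    """
    domains = generate_domains(day, **params)
    rng = random.Random(daily_seed(day) ^ 0x5EED)
    return rng.sample(domains, sample)


def precompute_blocklist(start: date, days: int, **params) -> set:
    """Defender's view: every domain the bots could use from `start` for `days` days.

    Pre-registering or sinkholing this whole set, not just the daily sample,
    is what denies the update channel.
    """
    blocklist = set()
    for offset in range(days):
        blocklist.update(generate_domains(start + timedelta(days=offset), **params))
    return blocklist


if __name__ == "__main__":
    day = date(2009, 4, 1)
    print(pick_rendezvous(day)[:5])                      # what one bot would try today
    print(len(precompute_blocklist(day, 7)))             # what a sinkhole operator must cover
```

Because the bot only tries a sample, observing a few days of sinkhole traffic shows only a fraction of the algorithm's output; the blocklist has to be built from the algorithm, not from observation, and for Conficker.C that means 50,000 names per day across ~110 registries.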


P2P Update – Conficker.C

• Secondary (?) update mechanism: pull the update from an already updated host.

• Host opens 4 P2P ports in listen mode
– 2 TCP, 2 UDP
– Port numbers derived from the host’s IP address.

• Host then attempts to contact neighboring machines on their (equally derivable) open ports.

• Snort rules are available to detect the outgoing scans
– Trigger at 10, 100, 1,000, 10,000, 100,000, … connection attempts
– Test sites see 6-8 alarms per 4 hours


Binary File Validation

• One way to stop a virus / worm is to identify its update mechanism and then use that mechanism to push a kill command. Conficker’s signing scheme is built to prevent exactly that.

• Conficker.A – Update server
– SHA-512 hash of the binary executable.
– Encrypt bin.exe with RC4, using the hash as the key.
– Sign the hash with an RSA-1024 private key:
• signature = hash^d mod N (d = private exponent)
– Transmit the encrypted package and the signature.

• Conficker.A – Client (public exponent e and modulus N are embedded in the worm)
– Recover the hash from the signature: hash = signature^e mod N
– Use the recovered hash as the RC4 key to decrypt the package
– Re-hash the decrypted binary and compare with the recovered hash; run it only if they match


Binary File Validation

• Conficker.B, Conficker.C
– SHA-512 hash of the binary executable
– Encrypt bin.exe with RC4, again using the hash as the key
– Sign with an RSA-4096 private key (up from 1024 bits in Conficker.A)
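The hash-as-key scheme described on the two slides above, written out end to end for both sides. This is an added example, not the worm's code or keys: the RSA key is a toy textbook key built from two Mersenne primes with no padding (a real deployment needs a vetted library and properly generated keys), the RC4 is a bare implementation, and the update binary is a constructed byte string. It makes the point behind the slides concrete: the client accepts a package only when the hash recovered from the signature decrypts the blob to a binary with that exact hash, so a sinkhole operator without the private exponent cannot substitute a kill payload, and the key length alone is what stands between the botnet and a takeover.

```python
"""Hash-as-key update validation in the shape the slides describe for Conficker.A.

Added example, not the worm's code or keys.  Toy textbook RSA (Mersenne-prime
key, no padding) and a bare RC4 keep the whole scheme in one file.
"""
import hashlib

HASH_BYTES = 64  # SHA-512


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR (encryption and decryption are the same operation)."""
    s = list(range(256))
    j = 0
    for i in range(256):                                    # key scheduling
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                                       # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


# Toy key: two Mersenne primes give a ~1128-bit modulus, large enough to hold a
# 512-bit hash as a plain integer.  Publicly known primes = zero security.
P = (1 << 521) - 1
Q = (1 << 607) - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))                        # private exponent (Python 3.8+)


def build_package(binary: bytes, d: int = D, n: int = N):
    """Server side: hash, encrypt with the hash, sign the hash.  Returns (blob, signature)."""
    h = hashlib.sha512(binary).digest()
    blob = rc4(h, binary)                                   # the hash is the RC4 key
    signature = pow(int.from_bytes(h, "big"), d, n)         # textbook RSA: hash^d mod N
    return blob, signature


def open_package(blob: bytes, signature: int, e: int = E, n: int = N):
    """Client side: recover the hash with the public key, decrypt, re-hash, compare.

    Returns the binary on success, None if the signature or the blob was forged
    or tampered with.
    """
    recovered = pow(signature, e, n)                        # signature^e mod N
    if recovered.bit_length() > HASH_BYTES * 8:
        return None                                         # not a 512-bit value: forged signature
    h = recovered.to_bytes(HASH_BYTES, "big")
    binary = rc4(h, blob)
    if hashlib.sha512(binary).digest() != h:
        return None                                         # blob or signature tampered
    return binary


if __name__ == "__main__":
    payload = b"MZ\x90\x00constructed update binary"        # constructed sample, not a real PE
    blob, sig = build_package(payload)
    assert open_package(blob, sig) == payload
    tampered = blob[:-1] + bytes([blob[-1] ^ 0xFF])
    print("tampered blob accepted?", open_package(tampered, sig) is not None)
```

Note that the signature alone is useless to the client without the blob and vice versa: the recovered hash is both the integrity check and the decryption key. That is also why the keys inside the binary make a good detection signature (see the later detection slide): every variant must carry its public key in cleartext, and the key changes with the variant.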


Infection Estimates

• F-Secure.com (1/16/09)
– The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days.

• Gregg Keizer, Computerworld, 02/12/2009
– … rapidly-spreading "Downadup" worm, prompted by infection rates of nearly 2.2 million machines each day.

• Robert McMillan, IDG News Service, 04/03/2009
– Experts had pegged Conficker infections in the 2 million to 4 million range, but IBM's numbers suggest that they may be much higher than that, perhaps in the tens of millions.

• SRI International Technical Report, 03/19/09
– The total number of unique IP addresses observed by SRI is approximately 10.5 million. … our estimates of active Conficker drones on the internet range as much as an order of magnitude smaller.

• Ryan Sherstobitoff, quoted in a Computerworld article, 01/21/09
– "The 6% was of people coming to our site and opting in for the scans. That's somewhat scary," said Sherstobitoff. "If we were actually to look at the [general] population, all the people who don't have antivirus -- or if they do, who haven't updated definitions -- the infection rate might be in the range of 20% to 30%."


How do we find Infected Hosts?

• Listen at the rendezvous points (sinkholed domains) and record the calling IP addresses

• The rendezvous query includes the number of times each instance has infected a new machine
– May be deflated by NAT
– Only includes MS08-067 exploits
– May be inflated by re-infections
– May be inflated by DHCP
– May not include attrition

• Scan sample machines on the Internet and extrapolate the numbers.

• Track users of test / disinfect tools


Top Countries Infected

• SRI observations as of ~ February, 2009

• China – 2.6 million – 25%
• Brazil – 1.0 million – 10%
• Russia – 835 K – 8%
• India – 600 K – 6%
• Argentina – 570 K – 5%
• :
• United States – 190 K – 2%


Top 10 Countries Infected

Symantec Corporation – January, 2009


Conficker Detection

• Scan for attacks against port 445
– Look for predictable code patterns (the exploit shellcode).

• Scan active processes for the presence of Conficker’s RSA public keys (different keys for .A, .B, .C)
– If found, terminate the threads that contain the keys
– Generate the appropriate mutexes to prevent re-infection
– Load a Nonficker vaccination tool that will generate the mutexes at boot


Conficker Detection

• Attempt to connect to a standard anti-virus site
– If access is allowed to ordinary web sites but not to security sites, Conficker might be present.
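The symptom test on this slide, as an added check that is not part of the original slides: resolve a few control hosts and a few security-vendor hosts through the same resolver and classify the pattern rather than eyeballing one browser tab. The host lists are assumptions, the resolver is a parameter so the logic can be exercised offline against a constructed substring filter like the one the slides describe (50+ strings), and a `clean` verdict only says that the lookups from this process succeeded, not that the machine is uninfected.

```python
"""Detect the 'security sites blocked, everything else fine' pattern the slide describes.

Added example, not from the slides.  Host lists are assumptions; the resolver is
a parameter so the classification can be run offline against a constructed one.
"""
import socket
from typing import Callable, Dict, Iterable

# Assumed lists: reachable control hosts vs. hosts a security-site DNS filter would block.
CONTROL_HOSTS = ("www.w3.org", "www.yahoo.com", "www.google.com")
SECURITY_HOSTS = ("www.symantec.com", "www.f-secure.com", "update.microsoft.com")


def probe(hosts: Iterable[str], resolve: Callable[[str], str]) -> Dict[str, bool]:
    """Map each host to True/False according to whether the lookup succeeded."""
    results = {}
    for host in hosts:
        try:
            resolve(host)
            results[host] = True
        except (OSError, UnicodeError):          # socket.gaierror is an OSError subclass
            results[host] = False
    return results


def classify(control: Dict[str, bool], security: Dict[str, bool]) -> str:
    """Turn the two probe tables into a verdict.

    offline    - no control host resolves, so nothing can be concluded
    suspicious - control hosts resolve but no security host does (the Conficker pattern)
    partial    - some security hosts fail: inspect which names before concluding
    clean      - everything resolves
    """
    control_ok = sum(control.values())
    security_ok = sum(security.values())
    if control_ok == 0:
        return "offline"
    if security_ok == 0:
        return "suspicious"
    if security_ok < len(security):
        return "partial"
    return "clean"


def check_dns_filtering(resolve: Callable[[str], str] = socket.gethostbyname,
                        control=CONTROL_HOSTS, security=SECURITY_HOSTS) -> str:
    """Run both probes through the same resolver and classify the result."""
    return classify(probe(control, resolve), probe(security, resolve))


def fake_resolver(blocked_substrings: Iterable[str]) -> Callable[[str], str]:
    """Constructed resolver mimicking a substring-based DNS block list (offline testing only)."""
    blocked = tuple(blocked_substrings)

    def resolve(host: str) -> str:
        if any(s in host for s in blocked):
            raise socket.gaierror("constructed NXDOMAIN for %s" % host)
        return "192.0.2.1"                        # RFC 5737 documentation address
    return resolve


if __name__ == "__main__":
    # Offline run against the constructed filter; call check_dns_filtering() with
    # no arguments to test the host this runs on.
    print(check_dns_filtering(fake_resolver(["symantec", "f-secure", "microsoft"])))
```

Run from the same user session the slides have in mind (the browser that cannot reach the vendor site); a `suspicious` verdict is what the next slide's workaround, reaching the security site by IP address, is for.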


Anti-virus programs

• All major anti-virus programs can remove the worm.

• May need to reach the security site by IP address rather than domain name, since the worm blocks the DNS lookups.

• Windows Automatic Updates may have been turned off by the worm; re-enable them after cleaning.


Intrusion Detection Systems

• Snort rule developed
– Match against the shellcode pattern of incoming packets to port 445

• Nmap
– Scan hosts with port 445 open for the vulnerability


Nonficker - Vaccination

• Objective:
– Keep Conficker from running by tying up the mutexes that it uses.

• Process
– Extract the mutex generation algorithms from the variants and reproduce them in a standalone program
– Run the program at startup to register all of the needed mutexes


References

1. Alexander Sotirov – Decompiling the vulnerable function for MS08-067
   http://www.phreedom.org/blog/2008/decompiling-ms08-067/

2. SRI International – Porras, Saidi, Yegneswaran – An Analysis of Conficker’s Logic and Rendezvous Points
   http://mtc.sri.com/Conficker/

3. The Honeynet Project – Leder, Werner – Know Your Enemy: Containing Conficker
   http://www.honeynet.org/papers/conficker

4. F-Secure – “Toni” – Calculating the Size of the Downadup Outbreak
   http://www.f-secure.com/weblog/archives/00001584.html


Conclusion

• Conficker has been evolving, apparently in response to the security community’s actions to stop the worm.

• The worm’s function appears to change with versions. The original intent was to infect as many machines as possible, while current versions are trying to hold onto the machines already infected.

• Primary infected areas appear to be countries with significant pirated software.

• The target (at this point) is unclear, but may be to harvest personal information or to develop a significant botnet.

