Threat Research Blog

Conficker: Catch Me If You Can...

Unlike the previous Conficker variants which generated 250 random domains per day, the new Conficker.C variant can generate up to 50,000 domains in a day.  This was in direct response to the actions the security community took to preregister the domains, much like FireEye did with Srizbi just a few months ago.  One can sense a 'catch me if you can' kind of attitude with this recent move.  Since its appearance in Nov of last year, Conficker's author(s?) have been trying to introduce different tricks to make the hijacking of Conficker very difficult.

I find it very unlikely that the Conficker worm will be used as an active botnet in the near future. There are lots of differences in the way the normal botnets are run and how Conficker is being maintained by its authors.  Below I'll highlight a few of those differences.


Outside of the initial attempt to download software from Traffic Converter (of which Conficker is an anagram), there has been no attempt to monetize the could-be-botnet (It's not a botnet without a C&C).  The criminals we've seen developing malware and botnets have rarely shown this level of restraint. 

The creator of the worm has only been in direct competition with security researchers.  Due to the method of propagation, and the lack of a working dynamic update mechanism, the AV industry hasn't had a problem keeping up with the different binaries.  This means good protection, but if you do become infected, Conficker disables most AV updates.

Here are few Conficker samples which we uploaded to VirusTotal.  The AV detection rate is close to 100%.

http://www.virustotal.com/analisis/9efafec902ce5c916e1c7f71f4349509

http://www.virustotal.com/analisis/1b8557969145f32854ee8b4b04e6d64f

Modern malware and botnets like to be "low and slow"; they do not create suspense and drama using ticking time bomb techniques. Why would a botnet creator wait for April 1st to do something nasty when he could start making money right away?  That's tens or hundreds of thousands of dollars down the tubes!  It looks like an attempt to create global suspense and get media attention, perhaps to gain the old school street "cred" we used to see in the wide scale worm days.  Another thing to remember is that writing/developing a botnet and running a botnet are generally done by different groups, due to the different skill sets required for each.  It almost seems as though they are in it for fame - this is another reason this particular malware seems very different than the other currently active malware.

If readers are concerned that they're infected with Conficker, below is a simple test you can try.  Conficker disables access to different security vendors' websites by hooking DNS query related API calls like DnsQuery_W, DnsQuery_UTF8, DnsQuery_A, etc. Some of these blocked domains are http://www.microsoft.com and http://www.windowsupdate.com, while http://www.google.com is unblocked.  If you can browse to Google but not Microsoft, you're probably infected.
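The manual test above can be scripted. The following is an added example, not code from the original post: it resolves a control domain the post says stays reachable (www.google.com) and the two vendor domains the post says are blocked, and reports "suspicious" only when the control resolves but a vendor domain does not. The domain lists are taken from the post; the resolver function is injectable so the decision logic can be exercised without network access.

```python
"""Scripted version of the post's "Google works, Microsoft doesn't" check.

Added example, not part of the original FireEye post. The post states that
Conficker hooks DNS query APIs (DnsQuery_W, DnsQuery_UTF8, DnsQuery_A) so
that vendor sites fail to resolve while www.google.com still does. This script
resolves a control set and the blocked set the post names, then interprets
the pattern. Domain lists are assumptions drawn from the post.
"""
import socket
from typing import Callable, Dict, Iterable

# Domains the post names as reachable (control) and as blocked by the hook.
CONTROL_DOMAINS = ("www.google.com",)
BLOCKED_DOMAINS = ("www.microsoft.com", "www.windowsupdate.com")


def resolves(name: str) -> bool:
    """Return True if the OS resolver maps name to at least one address."""
    try:
        return bool(socket.getaddrinfo(name, 80, proto=socket.IPPROTO_TCP))
    except socket.gaierror:
        return False


def probe(domains: Iterable[str],
          resolver: Callable[[str], bool] = resolves) -> Dict[str, bool]:
    """Resolve each domain with the given resolver; returns name -> success."""
    return {d: resolver(d) for d in domains}


def classify(control: Dict[str, bool], blocked: Dict[str, bool]) -> str:
    """Interpret probe results.

    'no_network' : a control domain failed too, so nothing can be concluded.
    'suspicious' : every control resolved but a vendor domain did not
                   (the pattern the post describes).
    'clean'      : everything resolved.
    """
    if not all(control.values()):
        return "no_network"
    if not all(blocked.values()):
        return "suspicious"
    return "clean"


def run(resolver: Callable[[str], bool] = resolves) -> str:
    """Probe both sets, print per-domain results, return the verdict."""
    control = probe(CONTROL_DOMAINS, resolver)
    blocked = probe(BLOCKED_DOMAINS, resolver)
    verdict = classify(control, blocked)
    for name, ok in {**control, **blocked}.items():
        print(f"{name:24s} {'resolved' if ok else 'FAILED'}")
    print("verdict:", verdict)
    return verdict


if __name__ == "__main__":
    run()
```

Because the post describes the block as living in hooked DNS API calls, a scripted lookup may not travel the same code path as the browser; treat a "suspicious" verdict as a prompt to run the manual browser test and a vendor removal tool, not as a definitive diagnosis.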

If you find yourself infected with Conficker there are plenty of free tools provided by different security vendors to resolve the issue.  The inherent problem with this is that Conficker blocks access to many of these pages.  To help readers solve that issue, we've mirrored a copy of the MSRT (Windows-kb890830-v2.8) from Microsoft here on the FireEye blog.  Unfortunately, this tool only works reliably on the A and B variants (due to Conficker.C killing it off), so we have also provided the Symantec tool.

Also, if you are running a Snort network sensor, here are a few snort rules we developed which can detect Conficker traffic on your network.

#Conficker B
alert tcp any any -> any 445 (msg:"FEGenerated Conficker.b exploit_ms08-067"; content:"| e8 ff ff ff ff c2 5f 8d 4f 10 80 31 c4 41 66 81 |"; depth: 32; offset: 254; sid:77000001;)

#Conficker A
alert tcp any any -> any 445 (msg:"FEGenerated Conficker.a exploit_ms08-067"; content:"| e8 ff ff ff ff c1 5e 8d 4e 10 80 31 c4 41 66 81 |"; depth: 32; offset: 254; sid:77000002;)
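To show exactly what the two rules above test, here is an added example (not code from the original post and not Snort itself) that re-implements their offset/depth window in Python and runs it over constructed TCP/445 payloads. In Snort, offset:254 starts the search 254 bytes into the payload and depth:32 limits the search to the next 32 bytes, so the 16-byte pattern only fires when it lies entirely within bytes 254..285. The byte patterns and sids are copied from the rules on the page; the sample payloads are constructed here.

```python
"""Offline re-implementation of the two FireEye Conficker Snort rules.

Added example, not part of the original post. It reproduces Snort's
offset/depth content-match window so the effect of "depth: 32; offset: 254"
can be seen on constructed payloads. Patterns and sids come from the rules
on the page; the payloads are constructed test data.
"""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Rule:
    sid: int
    msg: str
    content: bytes
    offset: int
    depth: int

    def matches(self, payload: bytes) -> bool:
        # Snort semantics: with both modifiers set, the search region is
        # payload[offset:offset+depth] and the whole content must fit in it.
        window = payload[self.offset:self.offset + self.depth]
        return self.content in window


def hexpipe(s: str) -> bytes:
    """Parse Snort's |xx xx ...| hex notation into raw bytes."""
    return bytes.fromhex(s.strip().strip("|"))


# Transcribed from the rules on the page.
RULES: List[Rule] = [
    Rule(77000001, "FEGenerated Conficker.b exploit_ms08-067",
         hexpipe("| e8 ff ff ff ff c2 5f 8d 4f 10 80 31 c4 41 66 81 |"),
         offset=254, depth=32),
    Rule(77000002, "FEGenerated Conficker.a exploit_ms08-067",
         hexpipe("| e8 ff ff ff ff c1 5e 8d 4e 10 80 31 c4 41 66 81 |"),
         offset=254, depth=32),
]


def inspect(payload: bytes) -> List[int]:
    """Return the sids of every rule that fires on this payload."""
    return [r.sid for r in RULES if r.matches(payload)]


def build_sample(pattern: bytes, at: int, total: int = 512) -> bytes:
    """Constructed payload: zero filler with `pattern` placed at index `at`."""
    buf = bytearray(total)
    buf[at:at + len(pattern)] = pattern
    return bytes(buf)


if __name__ == "__main__":
    b_pat = RULES[0].content
    print(inspect(build_sample(b_pat, 254)))  # prints [77000001]
    print(inspect(build_sample(b_pat, 270)))  # last byte at 285, still inside: [77000001]
    print(inspect(build_sample(b_pat, 271)))  # runs past byte 285: []
    print(inspect(build_sample(b_pat, 100)))  # before the offset: []
```

This only models the content match on a single payload; Snort additionally handles stream reassembly and port matching, so load the rules into Snort for real detection and use this script to reason about why a given payload did or did not fire.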

Below are some recent screenshots from my lab running a Conficker.C variant. At 00:00 GMT on April 1st (a few minutes ago), the sample in my lab started doing random DNS queries. As expected, I haven't seen any of these domains resolving to an IP.  Alex registered one of the names (hhfzka.com.tw), but was not able to push his NS record to the DNS authority.  It appears to be actively blocked by the ccTLD operator.  So, this whole Conficker.C episode, at least in the short term, appears to be an April Fools' joke... on the news media who blew the story out of proportion.

Here are some of the initial domains queried by Conficker.C:

[Screenshot: Domains]

Here is a traffic snippet of P2P communication, introduced as a new feature in Conficker.C:

[Screenshot: P2P]

Here is how it probes different web sites to find the current time. This is used to determine if it's April 1st or not.

[Screenshot: Time_check]


Atif Mushtaq @ FireEye Malware Intelligence Lab

Question/Comments : research SHIFT-2 fireeye DOT COM