Tuesday, April 28, 2009

conficker.e analysis (.exe component) - part 0.8 - "3rd command" reversing

The previous post showed that the worm always expects three valid commands for its business. The most meaningful one during dissection is the "3rd command".

When the worm receives a command with the correct syntax, it sends back a dump of the registry value "ds" stored under the registry path:
HKLM\Software\Microsoft\Windows\CurrentVersion\Applets

The following screenshots show the behaviour.

Note: in this case the expected "3rd command" is:

get /mkmxzbr http/


The first screenshot shows the Wireshark dump:


The red area is the request sent from a PuTTY client in raw mode, while the blue area is the response.

The second one shows the code region where the "3rd command" is handled:


And the last screenshot shows the registry value, which matches the dump posted above:

Monday, April 27, 2009

conficker.e analysis (.exe component) - part 0.7 - listen port generation


IMHO this screenshot shows how conficker.e generates the listen port.


The port is in EDI. The code region that computes this value is the following:

The port space is not very wide!

TCPView says:


Sunday, April 26, 2009

conficker.e analysis (.exe component) - part 0.6 - commands smart analysis

On the test system where conficker.e was dissected, three handled commands were identified; they follow the syntax reported in the previous post. Specifically:

get /vulubmqa http/
get /npms http/
get /wvmvcnrb http/

Each random string changes after a (possibly random) interval, so the behaviour is hard to follow. A good approach is to patch the timer at runtime to a slower value, which makes dissection easier. The following screenshots show the code region where the strings were seen, just "created" by the worm.





During the test, one command generated an HTTP response carrying PNG image content, while another generated an HTTP response carrying a binary stream. A deeper investigation is in progress. If possible, the raw data returned by conficker.e as HTTP responses will be published.

Wednesday, April 22, 2009

conficker.e analysis (.exe component) - part 0.5 - command syntax

The following screenshot shows the command syntax expected by conficker.e on TCP port 1382:

As shown, the syntax is get /wdomfknm http/, i.e. get /<random string> http/
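The following is an added example, not code from the original posts: a matcher for the command syntax described here and used by the "3rd command" post above, plus a raw TCP probe that sends one command to a lab host and returns whatever the worm answers. It assumes the request is a single line terminated by CR LF (what PuTTY in raw mode sends on Enter), that a bare LF is tolerated, and that the random token consists of lower-case ASCII letters only (true of every token observed in these posts: wdomfknm, vulubmqa, npms, wvmvcnrb, mkmxzbr). Neither assumption is stated on the page. The reply classification mirrors what the command-analysis post observed (a PNG body or an opaque binary stream). Use probe() only against an isolated lab host.

```python
"""Added example: conficker.e listen-port command syntax matcher and raw probe."""
import re
import socket
from typing import Optional

OBSERVED_PORT = 1382  # port seen on the test system in this post; it changes per host
OBSERVED_TOKENS = ("wdomfknm", "vulubmqa", "npms", "wvmvcnrb", "mkmxzbr")

# "get /<random string> http/": lower-case verb, no HTTP version, trailing
# slash after "http", variable-length token. Line ending is optional CR LF.
# Case sensitivity and letters-only token are assumptions, not page facts.
COMMAND_RE = re.compile(rb"^get /([a-z]+) http/\r?\n?$")


def parse_command(line: bytes) -> Optional[str]:
    """Return the random token if `line` is a well-formed command, else None."""
    m = COMMAND_RE.match(line)
    return m.group(1).decode("ascii") if m else None


def build_request(token: str) -> bytes:
    """Build the wire form of a command for a given token."""
    if not re.fullmatch(r"[a-z]+", token):
        raise ValueError("token must be lower-case ASCII letters")
    return b"get /" + token.encode("ascii") + b" http/\r\n"


def probe(host: str, token: str, port: int = OBSERVED_PORT,
          timeout: float = 5.0) -> bytes:
    """Send one command and collect the raw reply until the peer closes or times out.

    Lab use only: this talks to a live conficker.e instance.
    """
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_request(token))
        while True:
            try:
                data = s.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks)


def classify_reply(raw: bytes) -> str:
    """Rough classification of a reply: 'empty', 'png' or 'binary'.

    If the reply looks like an HTTP response, the body after the blank line is
    inspected; otherwise the whole payload is treated as the body.
    """
    if not raw:
        return "empty"
    body = raw.split(b"\r\n\r\n", 1)[1] if b"\r\n\r\n" in raw else raw
    if body.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    return "binary"


if __name__ == "__main__":
    # Offline self-check against the tokens observed in the posts.
    for t in OBSERVED_TOKENS:
        assert parse_command(build_request(t)) == t
    print("syntax matcher OK; run probe('<lab-host>', '<token>') against a lab box")
```

The matcher deliberately rejects ordinary HTTP requests ("GET / HTTP/1.1") so it can also be used on the wire, e.g. over a pcap, to separate conficker.e command traffic from legitimate web traffic on the same host.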

conficker.e analysis (.exe component) - part 0.4 - hnetcfg.dll - getCurrentProfile

How conficker.e shows interest in the Microsoft firewall policies (hnetcfg.dll, GetCurrentProfile):

conficker.e analysis (.exe component) - part 0.3 - service loader

After reading tcpip.sys, the conficker.e exe component creates a .tmp file with a random name under c:\windows\system32\, then, through the API used to interface with the Service Control Manager, tries to load that .tmp file as a service.


The service name is a random string. In this case:
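The following is an added example, not code from the original post: a check for the persistence described above, i.e. a service whose binary is a randomly named .tmp file under c:\windows\system32. The service entries are constructed sample data; on a live host the same fields come from HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, which collect_from_registry() reads when run on Windows. The %SystemRoot% expansion and the way arguments are stripped from ImagePath are assumptions about typical service registrations, not facts from the page.

```python
"""Added example: flag services whose ImagePath points at a .tmp file in system32."""
import re
from typing import List, Tuple

# Constructed sample data (not real system output). The fourth entry mimics
# the behaviour described in the post: random service name, .tmp binary.
SAMPLE_SERVICES = [
    ("Dnscache", r"%SystemRoot%\system32\svchost.exe -k NetworkService"),
    ("Spooler", r"%SystemRoot%\system32\spoolsv.exe"),
    ("wuauserv", r"%systemroot%\system32\svchost.exe -k netsvcs"),
    ("jqkzvhwt", r"C:\WINDOWS\system32\yqvmxkrn.tmp"),
    ("MyApp", r'"C:\Program Files\MyApp\agent.exe" --svc'),
]


def image_binary(image_path: str) -> str:
    """Return the executable part of an ImagePath, stripping quotes and arguments."""
    p = image_path.strip()
    if p.startswith('"'):
        end = p.find('"', 1)
        return p[1:end] if end > 0 else p[1:]
    # Unquoted: take up to the first '.ext' followed by whitespace or end of string.
    m = re.match(r"^(\S+?\.\w{1,4})(?:\s|$)", p)
    return m.group(1) if m else p


def is_tmp_service(image_path: str) -> bool:
    """True if the service binary is a .tmp file directly under system32."""
    binary = image_binary(image_path).lower().replace("/", "\\")
    # Assumption: %SystemRoot%/%windir% resolve to c:\windows on this host.
    binary = binary.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")
    parts = binary.split("\\")
    return len(parts) >= 2 and parts[-1].endswith(".tmp") and parts[-2] == "system32"


def suspicious_services(entries: List[Tuple[str, str]]) -> List[str]:
    """Return the names of services whose ImagePath matches the .tmp-in-system32 pattern."""
    return [name for name, path in entries if is_tmp_service(path)]


def collect_from_registry() -> List[Tuple[str, str]]:
    """Enumerate (service name, ImagePath) from the live registry. Windows only."""
    import winreg  # imported here so the module also loads on non-Windows hosts
    out = []
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as svc:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(svc, i)
            except OSError:
                break
            i += 1
            try:
                with winreg.OpenKey(svc, name) as k:
                    path, _ = winreg.QueryValueEx(k, "ImagePath")
            except OSError:
                continue  # no ImagePath (driver groups, parameters keys, ...)
            out.append((name, str(path)))
    return out


if __name__ == "__main__":
    print("sample:", suspicious_services(SAMPLE_SERVICES))
    try:
        print("live:", suspicious_services(collect_from_registry()))
    except ImportError:
        print("live check skipped: not running on Windows")
```

A legitimate service essentially never runs from a .tmp file in system32, so a hit from this check is worth a look on its own; the random-looking service name is a secondary indicator and is not used by the check, since "random-looking" is hard to define reliably.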


conficker.e analysis (.exe component) - part 0.2 - 3rd of may checker

conficker.e's date checker routine, which checks for the 3rd of May.


Fitted view and zoomed view of the date-checking routine.

Some historical events for the 3rd of may: http://en.wikipedia.org/wiki/May_3

Sunday, April 19, 2009

conficker.e analysis (.exe component) - part 0.1

Finally I have obtained the correct dump from the UPX-packed source (md5: 677daa8bf951ecce8eae7d7ee0301780) with the right OEP (Original Entry Point) and IAT (Import Address Table).
Tools: LordPE, ImpREC, OllyDbg 2.0. IDA loads the resulting exe file correctly.



Before the dump, and after the dump with the correct OEP:


Some strings:


The following screenshots show something interesting:


tcpip.sys from conficker.e's point of view ;):


Feedback is welcome. Regards.

Friday, April 17, 2009

conficker.e analysis (.exe component) - part 0

This post presents an attempt at unpacking and analyzing conficker.e. The md5 of the analyzed file, as reported by most sources (antivirus vendor labs and so on), is: 677daa8bf951ecce8eae7d7ee0301780

The first runtime screenshot shows a region of the decompressed binary with some material related to UPnP devices; it also shows something about SSDP (Simple Service Discovery Protocol). The background picture (with the IrfanView logo) is a first shot of the OllyDbg OEP region and the IDA graph view related to the conficker.e(?) Microsoft service pack checker. LordPE was used for the dumps. Since conficker.e also uses SSDP as a propagation vector, I think this binary is downadup.e/conficker.e, but I'm not 100% sure.

Feedback is welcome

Regards

Friday, April 10, 2009

W32.downadup.e and rogue AV

I was looking for info about Downadup.E (the updated release of conficker.c) and I used one of the simplest keywords that would probably be used to do some research with Google:


The result of this simple query was the following:


Google showed some interesting URLs among the top-ranking results and in the ad space:


The red dots (shown in the pictures) are the warning level generated by the WOT add-on for Firefox, which flags suspicious content or malicious web sites. In this case a downadup.e remover web site is marked as potentially dangerous. To assess the rating given by WOT, it is better to do a deeper investigation. Let's start by analyzing the suspicious URL (hosted at hZZp://www.precisesecurity.com) reported in the pictures above. From the Netcraft point of view, these details are obtained:


And from the perspective of robtex.com, for "autonomous system addicts":



The IP address obtained from robtex is found in some blacklists, such as http://www.malwaredomains.com/, where it is marked as a place hosting scam and malware-spreading web sites. In this particular case the web site spreads a rogue antivirus. It is very important to note that the second site suggested by Google (second picture of this post) is not a trustworthy web site. The following screenshot shows the WOT forum thread where this rogue-antivirus web site is reported:


WOT Addon

Regards

w32.downadup.e

Info about the new Downadup.E

MD5 related:
677daa8bf951ecce8eae7d7ee0301780

Online malware reports:
VirusTotal report

Threatexpert

Blog and technical details:
[incidents.org] - Conficker update with payload
[Symantec] - W32.Downadup.E
[Garwarner] - Is There a Conficker E? Waledac makes a move...
[TrendMicro] - DOWNAD/Conficker Watch: New Variant in The Mix?
[MMPC] - Win32/Conficker Variants Update

Thursday, April 2, 2009

conficker.c - ccTLD attractor

This is my quick analysis of the ccTLDs (country code top-level domains) of the domains generated, for the first 20 days of April 2009, by the pseudo-random domain name generation algorithm used by the worm. The data used for this report are taken from http://mtc.sri.com/Conficker/addendumC/

The following table shows the frequency of each ccTLD. As you can see there is a sort of attractor for some ccTLDs such as AG, BO, LC, HN, PE and TW. The DJ ccTLD is a singular point.


A note about these results: I have used only the ccTLD. So in cases like "xxxx.com.bo" I have decided to count ".bo" as the useful data, since I saw that if we treat ".com.bo" as different from ".bo" we get a uniform distribution that is not so useful for generating a signature or an evidence parameter for my goals.

I have decided to call the green cells "not so welcome ccTLDs" and the orange cells "welcome ccTLDs".
As the final result I decided to generate the following graph view:


"it's like a virus"

Why might this chart be useful? Imagine you are a DNS server admin and you need a quick trigger that gives you an indicator of possible conficker.c propagation inside your corporate network. During your investigations you can take your own data (DNS queries, for example) and check for matches against this graph. Obviously this is only one possible additional parameter for evaluating possible conficker.c activity. Countermeasures to this approach? An occlusion attack.

Thanks to 0xff for the following regular-expression-based signature for ISS SiteProtector, which has given him strong evidence of conficker.c spreading inside his corporate network:

RegEX DNS_Query_Conficker.C_TopTLD_attractor
\.(hn|lc|pe|bo|ag|tw|dj)$

Note: in some cases it is better not to evaluate the .tw ccTLD, because of false positives and other side effects.
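The following is an added example, not code from the original post or from 0xff's signature: the ccTLD-attractor check applied to a resolver's query log. It builds the per-ccTLD frequency table using the post's rule that "xxxx.com.bo" counts as ".bo" (only the last label matters), applies the SiteProtector regular expression above to each query, and lets you drop .tw as the note suggests. The log lines are constructed sample data in a BIND-style query-log format (an assumption; adapt QUERY_RE to your resolver's format), and the domain names in them are made up, not taken from the SRI list.

```python
"""Added example: ccTLD frequency table and attractor-regex trigger over DNS query logs."""
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional, Sequence, Tuple

# The ccTLDs from 0xff's signature: \.(hn|lc|pe|bo|ag|tw|dj)$
ATTRACTOR_TLDS = ("hn", "lc", "pe", "bo", "ag", "tw", "dj")


def attractor_regex(exclude: Sequence[str] = ()) -> "re.Pattern":
    """Build the signature regex, optionally leaving out noisy ccTLDs such as tw."""
    tlds = [t for t in ATTRACTOR_TLDS if t not in exclude]
    return re.compile(r"\.(" + "|".join(tlds) + r")$", re.IGNORECASE)


# Constructed sample log (not real data). 10.1.1.5 behaves like an infected
# host hammering attractor ccTLDs; 10.1.1.9 does ordinary lookups, one of
# them to a legitimate .tw site (the false-positive case from the note).
SAMPLE_LOG = """\
02-Apr-2009 10:01:02.100 client 10.1.1.5#51234: query: qwemxb.bo IN A +
02-Apr-2009 10:01:02.250 client 10.1.1.5#51235: query: lkasdq.com.bo IN A +
02-Apr-2009 10:01:03.010 client 10.1.1.5#51236: query: zzprtk.hn IN A +
02-Apr-2009 10:01:03.300 client 10.1.1.5#51237: query: vmnqwe.ag IN A +
02-Apr-2009 10:01:03.900 client 10.1.1.5#51238: query: pqowei.lc IN A +
02-Apr-2009 10:01:04.100 client 10.1.1.5#51239: query: uyqwer.dj IN A +
02-Apr-2009 10:01:05.000 client 10.1.1.9#40001: query: www.example.com IN A +
02-Apr-2009 10:01:05.500 client 10.1.1.9#40002: query: mail.example.org IN MX +
02-Apr-2009 10:01:06.000 client 10.1.1.9#40003: query: news.example.tw IN A +
"""

# BIND-style "client A.B.C.D#port: query: NAME IN TYPE" (assumed format).
QUERY_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<type>\S+)")


def parse_queries(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Extract (client_ip, lower-cased query name without trailing dot) pairs."""
    out = []
    for line in lines:
        m = QUERY_RE.search(line)
        if m:
            out.append((m.group("ip"), m.group("name").rstrip(".").lower()))
    return out


def cctld(name: str) -> Optional[str]:
    """Last label if it is two letters (a ccTLD); 'x.com.bo' -> 'bo', 'x.com' -> None."""
    last = name.rsplit(".", 1)[-1]
    return last if re.fullmatch(r"[a-z]{2}", last) else None


def cctld_frequency(names: Iterable[str]) -> Counter:
    """Frequency table of ccTLDs, counting only the last label as in the post."""
    return Counter(t for t in map(cctld, names) if t)


def attractor_hits_per_client(queries: Iterable[Tuple[str, str]],
                              exclude: Sequence[str] = (),
                              threshold: int = 3) -> Dict[str, int]:
    """Clients whose number of attractor-matching queries reaches `threshold`.

    The threshold is the "additional parameter" idea from the post: a single
    .pe or .tw lookup is normal, a burst of them from one client is not.
    """
    rx = attractor_regex(exclude)
    hits = Counter(ip for ip, name in queries if rx.search(name))
    return {ip: n for ip, n in hits.items() if n >= threshold}


if __name__ == "__main__":
    q = parse_queries(SAMPLE_LOG.splitlines())
    print("ccTLD frequency:", dict(cctld_frequency(name for _, name in q)))
    print("clients over threshold:", attractor_hits_per_client(q))
    print("same, ignoring .tw:", attractor_hits_per_client(q, exclude=("tw",)))
```

With the sample data the frequency table shows the .bo/.hn/.ag/.lc/.dj cluster coming from one client, and only that client crosses the threshold; the legitimate news.example.tw lookup is the kind of hit that the note about .tw refers to, and excluding tw removes it without losing the real signal.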

Feedback is welcome.