Conficker: Analysis of an Internet Worm
Outline
• What’s in a Name?
• What is it Trying to do?
• What is its Timeline?
• How does it Infect a Machine?
• How does it Propagate itself?
• How is it Controlled / Updated?
• How Big is the Problem?
• How can it be Detected & Removed?
cs490ns - cotter
2
What’s in a Name?
• Win32/Conficker.A (CA)
• W32.Downadup (Symantec)
• W32/Downadup.A (F-Secure)
• Conficker.A (Panda)
• Net-Worm.Win32.Kido.bt (Kaspersky)
• W32/Conficker.worm (McAfee)
• Win32.Worm.Downadup.Gen (BitDefender)
• Win32:Confi (avast!)
• WORM_DOWNAD (Trend Micro)
• Worm.Downadup (ClamAV)
• Downup, Kido, ?
What’s in a Name?
• Richard Grigonis, IP Communications Group
– Conficker is constructed from the first five letters of “configuration,” while adding four letters to the end so as to end with “ficker”, a vulgar nominalized form of the German transitive verb ficken (2/13/09)
• Jordan Robertson, The Associated Press
– The name Conficker comes from rearranging letters in the name of one of the original sites the worm was connecting to. (3/31/09)
• Joshua Phillips, Microsoft Malware Protection Center
– The name of this threat was derived by selecting fragments of the domain 'trafficconverter.biz', a string found in Worm:Win32/Conficker.A:
– (fic)(con)(er) => (con)(fic)(+k)(er) => conficker (viewed 04/07/09)
• Wikipedia
– “The origin of the name “conficker” is not known with certainty” (4/3/09)
Variants
• Classified by analyzing infected hosts and identifying significant differences in functionality
• Current primary variants
– Conficker.A
– Conficker.B
– Conficker.B++
– Conficker.C
– Conficker.D
– Conficker.E
Conficker Objectives
• … today the vast majority of malware has a monetary motivation.
– (Eric Chien – Symantec Corp – 1/19/09)
• Original (Conficker.A) upload site: trafficconverter.biz
– Site used to spread fake anti-spyware.
– When uploaded to a user’s site, it “finds” nonexistent virus infections and tries to convince users to pay for the software to clean their machines.
Conficker Objectives
• Other possible / likely objectives
– Build a network of robot machines (botnet)
– Use those machines to attack targets
– Sell the use of those machines for questionable services
• Rent 100 machines to send out 10 million spam messages
• Rent machines to run hacking software
• ?
• Take down the Internet?
– Not likely
Objectives Update??
• April, 2009
– Some machines that get infected with Conficker (Downadup) are also being infected with the trojan W32/Waledac.gen
– Trojan originally propagated through spam and social engineering.
– Harvests personal information, encrypts the files and sends them to one of a list (~100) of sites.
Conficker Timeline
• Microsoft issues patch for RPC vulnerability – 10/23/08
• Early exploit – W32/Gimmiv.A – 10/23/08
• Conficker.A – 11/21/08
• Conficker.B – 12/29/08
• Conficker.B++ – 2/17/09
• Conficker.C – 2/20/09
• Conficker.D – 3/4/09
• Conficker.E – 4/9/09
Targeted OSs
• Windows XP – SP2, SP3
• Windows XP Pro x64, SP2
• Windows Server 2003, SP1, SP2
• Windows Server 2003 x64, SP2
• Windows Vista, SP1
• Windows Vista x64, SP1
• Windows Server 2008
• Windows Server 2008 x64
• Windows Server 2008 Itanium-based
Initial Attack – Conficker.A
• Exploit a vulnerability in MS RPC.
– Send a specially crafted packet to either port 445 (or port 139) (used for file sharing) on a Windows machine not patched for vulnerability MS08-067.
– Vulnerability in the NetpwPathCanonicalize() function inside netapi32.dll.
– This exploits a buffer “underflow” problem in the code which allows an attacker to execute arbitrary code on the target machine.
Initial attack
• Canonicalization
– Reduce (a path) to its simplest form.
– aaa\bbb\..\ccc → aaa\ccc
• MS08-067 vulnerability
– A specially crafted path can force the function to move beyond the start of the stack buffer (and thus overwrite the function return address).
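As an added illustration (not the slides' code, and not Microsoft's netapi32.dll routine), a Python canonicalizer for the backslash paths on this slide that applies the start-of-buffer check the vulnerable function lacked: a ".." with nothing left to remove is refused instead of being walked past.

```python
from typing import List, Optional


def canonicalize(path: str) -> Optional[str]:
    r"""Reduce a backslash-separated path to its simplest form.

    Follows the slide's example (aaa\bbb\..\ccc -> aaa\ccc). A ".." that has
    nothing left to remove returns None; the vulnerable function instead kept
    walking backwards past the start of its stack buffer.
    """
    components: List[str] = []
    for part in path.split("\\"):
        if part in ("", "."):          # empty segments and "." change nothing
            continue
        if part == "..":
            if not components:         # the start-of-buffer check
                return None
            components.pop()
        else:
            components.append(part)
    return "\\".join(components)


if __name__ == "__main__":
    for p in ("aaa\\bbb\\..\\ccc", "\\..\\..\\ccc"):
        print(repr(p), "->", repr(canonicalize(p)))
```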
Once Inside - Conficker.A
• Check for Ukrainian keyboard (Quit if true)
• Create mutex Global\xxx-7 (Quit if failed)
• Check OS version
• Attach to Service.exe
• Create random file name (xxx.dll) in System32 dir
– If fail, copy to program files\Movie Maker, or IE or …
Once Inside - Conficker.B
• Create Mutex
• “Patch” MS08-067
– Objective is to avoid / control re-infection by Conficker or other worms.
• Patch DNS access
– Prevent connection to security sites (50+ strings)
• Attach to a running service
The Mutex
• Conficker.A
– Global\xxx-7 (where xxx is a crc32 checksum of a buffer containing the hostname)
• Conficker.B
– First mutex is local to the process and checks to see if another thread is running the dll. Mutex derived from process ID.
– Second mutex to see if the dll is running under a different process name (similar to Global\xxx-7 except that it uses a different CRC32 checksum function)
• Conficker.C
– First mutex used to check for a running Conficker thread.
– Second mutex used to prevent backwards infection from B
– Third mutex checks to see if the dll is running under a different process. If so, terminate and remove this version.
Why does it spread so fast?
• Although the patch was available in 10/08, many Windows machines were not automatically updated
• Major infections in countries that are suspected of having a large number of pirated versions of MS Windows.
Propagate through MS08-067 – Conficker.A
• Find current IP address
– Getmyip.org
– Getmyip.co.uk
– Checkip.dyndns.org
• Enable backdoor through firewall using UPnP
– Used for binary upload by other victims.
– Creates small httpd to pass data
• Reset System Restore Point
• Download GEO IP database
– Find other IP addresses to infect
– www.maxmind.com ( GeoIP.dat.gz )
• Scan and infect
• Sleep 30 minutes and repeat
Propagation in Conficker.B
• Defense: GeoIP file removed from website
– Conficker added the file as appended data to the threat file (compressed RAR encrypted using RC4)
• Propagate through USB / network drives (autorun file)
– Add random data (~60k) to hide real data
– Attach dll to auto run
– Add a new action to dialog box
Modified autorun dialog
Propagation in Conficker.B
• Attempt to log onto admin$ share using current user credentials
• Attack weak passwords on target machine or on local network.
– Fixed list of perhaps 250 passwords
– Number sequences - 12345, 11111, 22222, etc.
– Admin, Admin, administrator, root, superuser, etc.
– Key sequences - qwerty, qweasd, zxcxz, etc.
– passwd, password, mypass, etc.
– abc123, home123, work123, mypc123, etc.
– Coffer, cookie, home, money, work, anything, etc.
Links to Update site – Conficker.A
• Get current UTC date
– w3.org, ask.com, man.com, yahoo.com, google.com
• Use date as a seed for a random name generator
– Name strings 5 to 11 lower case characters (8 ± 3)
• Create 250 domain names
• Randomly assign TLD
– .com, .net, .org, .biz
• Randomly choose 32 names from the list
• Contact the sites and download a binary payload
– Every 3 hours starting 11/26/08
• If date > 12/1/08
– Attempt to download loadadv.exe from trafficconverter.biz
Links to Update site – Conficker.B
• Get current UTC date
– w3.org, ask.com, man.com, yahoo.com, google.com
• Use date as a seed for a random name generator
– Name strings 5 to 11 lower case characters (8 ± 3)
• Create 250 domain names
• Randomly assign TLD
– .com, .net, .org, .biz
• Randomly choose 32 names from the list
• Contact the sites and download a binary payload
– Every 3 hours starting 11/26/08
– Every 2 hours starting 1/1/09
Links to Update site – Conficker.C
• Get current UTC date
– 3 additional sites (facebook.com, imageshack.us, rapidshare.com)
• Use date as a seed for a random name generator
– Name strings 4-9 lower case characters
• Create 50,000 domain names
– ~150-200 collisions with valid domains /day
• Randomly assign TLD
– 110 different TLDs used
• Randomly choose 500 names from the list
• Contact the sites and download a binary payload
– Once a day after April 1, 2009
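An added example, not code from the slides or from the worm, that reproduces the rendezvous procedure the three update slides describe (date as seed, 250 names of 5 to 11 lowercase letters, a TLD from .com/.net/.org/.biz, as in the .A/.B parameters) from the defender's side: compute the whole day's list and match DNS query logs against it. The PRNG (Python's random.Random) and the log line format are assumptions; Conficker's own generator is not reproduced here.

```python
import random
from datetime import date

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
TLDS = [".com", ".net", ".org", ".biz"]     # the four TLDs on the Conficker.A/B slides


def rendezvous_domains(day, count=250):
    """Derive one day's candidate rendezvous list from the UTC date.

    Shape follows the slides: the date seeds the generator, 250 names of 5 to 11
    lowercase letters (8 +/- 3), TLD drawn from the four above. The PRNG here is
    Python's random.Random, an assumed stand-in for the worm's own generator.
    """
    rng = random.Random(day.toordinal())
    names = []
    for _ in range(count):
        length = rng.randint(5, 11)
        label = "".join(rng.choice(ALPHABET) for _ in range(length))
        names.append(label + rng.choice(TLDS))
    return names


def flag_rendezvous_queries(log_lines, day):
    """Defender side: match DNS query logs against the whole 250-name list.

    The worm only tries 32 of the 250, so a responder has to watch all of them.
    Assumed (constructed) log shape: "<timestamp> <client_ip> query A <qname>".
    """
    watch = set(rendezvous_domains(day))
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 5 or fields[2] != "query":
            continue
        client, qname = fields[1], fields[4].rstrip(".").lower()
        if qname in watch:
            hits.append((client, qname))
    return hits


# Constructed sample log: one planted rendezvous name among ordinary lookups.
SAMPLE_DAY = date(2008, 11, 26)              # start date on the Conficker.A slide
SAMPLE_LOG = [
    "2008-11-26T10:00:01Z 10.0.0.5 query A www.google.com.",
    "2008-11-26T10:00:02Z 10.0.0.7 query A " + rendezvous_domains(SAMPLE_DAY)[3] + ".",
    "2008-11-26T10:00:03Z 10.0.0.5 query A w3.org.",
]

if __name__ == "__main__":
    print(flag_rendezvous_queries(SAMPLE_LOG, SAMPLE_DAY))
```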
P2P Update – Conficker.C
• Secondary (?) update mechanism from an already updated host.
• Host opens up 4 P2P ports in listen mode
– 2 TCP, 2 UDP
– Numbers derived from host IP address.
• Host then attempts to contact neighboring machines on their open ports.
• Snort rules available to detect outgoing scans
– Trigger on 10, 100, 1000, 10,000, 10,000, …
– Test sites see 6-8 alarms / 4 hours
Binary File Validation
• One way to stop a virus / worm is to identify its update mechanism and then use that to kill it.
• Conficker.A – Update Server
– SHA(512) hash of binary executable.
– Encrypt bin.exe using RC4 (hash is key)
– Sign encrypted package with RSA (1024) private key
• M^(e_priv) mod N = signature
– Transmit encrypted package and signature
• Conficker.A Client
– Decrypt package using public key, RC4, N
Binary File Validation
• Conficker.B, Conficker.C
– Hash (512) of binary executable
– Encrypt bin.exe, hash using RC4
– Sign encrypted package with RSA (4096) private key
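An added worked example, not the worm's code, of the validation pipeline on the two slides above (the Conficker.A parameters): SHA-512 of the binary, RC4 under that hash, and an RSA signature over the hash that the client undoes with the public key, which is how "Decrypt package using public key, RC4, N" is read here. The RSA key is a toy built from two Mersenne primes so the block runs stand-alone (an assumption, not a usable key), and RC4 is implemented inline.

```python
import hashlib


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call both encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):                                   # key scheduling (KSA)
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:                                      # keystream generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Toy RSA key built from two Mersenne primes so the block runs stand-alone.
# Assumption for the demo only: such a modulus is trivially factorable.
P, Q = (1 << 127) - 1, (1 << 521) - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))                         # private exponent


def package_update(binary: bytes):
    """Update-server side: hash, RC4-encrypt under the hash, sign the hash."""
    h = hashlib.sha512(binary).digest()
    encrypted = rc4(h, binary)
    signature = pow(int.from_bytes(h, "big"), D, N)        # the slide's M^(e_priv) mod N
    return encrypted, signature


def unpack_update(encrypted: bytes, signature: int):
    """Client side: public key recovers the hash, RC4 decrypts, hash is re-checked.

    Returns the binary, or None if the signature or the package was tampered with.
    """
    m = pow(signature, E, N)
    if m >= 1 << 512:                                      # not a 512-bit hash: bad signature
        return None
    h = m.to_bytes(64, "big")
    binary = rc4(h, encrypted)
    if hashlib.sha512(binary).digest() != h:               # payload does not match signed hash
        return None
    return binary


if __name__ == "__main__":
    PAYLOAD = b"MZ constructed stand-in for bin.exe"       # constructed sample, not a real binary
    enc, sig = package_update(PAYLOAD)
    print("accepted" if unpack_update(enc, sig) == PAYLOAD else "rejected")
```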
Infection Estimates
• F-secure.com (1/16/09)
– The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days.
• Gregg Keizer, Computerworld, 02/12/2009
– … rapidly-spreading "Downadup" worm, prompted by infection rates of nearly 2.2 million machines each day.
• Robert McMillan, IDG News Service, 04/03/2009
– Experts had pegged Conficker infections in the 2 million to 4 million range, but IBM's numbers suggest that they may be much higher than that, perhaps in the tens of millions.
• SRI International Technical Report – 03/19/09
– The total number of unique IP addresses observed by SRI is approximately 10.5 million. …our estimates of active Conficker drones on the internet range as much as an order of magnitude smaller.
• Ryan Sherstobitoff – Quoted in Computerworld article 01/21/09
– "The 6% was of people coming to our site and opting in for the scans. That's somewhat scary," said Sherstobitoff. "If we were actually to look at the [general] population, all the people who don't have antivirus -- or if they do, who haven't updated definitions -- the infection rate might be in the range of 20% to 30%."
How do we find Infected Hosts?
• Listen to rendezvous points and record calling IP addresses
• Rendezvous query includes the number of times each instance has infected a new machine
– May be deflated by NAT
– Only includes MS08-067 exploits
– May be inflated by re-infections
– May be inflated by DHCP
– May not include attrition
• Scan sample machines on the Internet and extrapolate the numbers.
• Track users of test / disinfect tools
Top Countries Infected
• SRI observations as of ~ February, 2009
• China – 2.6 million – 25%
• Brazil – 1.0 million – 10%
• Russia – 835 K – 8%
• India – 600 K – 6%
• Argentina – 570 K – 5%
• …
• United States – 190 K – 2%
Top 10 Countries Infected
(figure: chart from Symantec Corporation – January, 2009)
Conficker Detection
• Scan for attacks against port 445
– Look for predictable code patterns.
• Scan active processes for presence of RSA keys (different keys for .A, .B, .C)
– If found, terminate threads that contain keys
– Generate the appropriate mutexes to prevent re-infection
– Load a “nonficker Vaxination tool” that will generate the mutex on boot
Conficker Detection
• Attempt to connect to a standard anti-virus site
– If access is allowed to standard web sites, but not to security sites, Conficker might be present.
Anti-virus programs
• All major anti-virus programs can remove the virus.
• May need to access security site through IP address, not domain name
• System automatic updates may be turned off.
Intrusion Detection Systems
• Snort rule developed
– Match against shell code pattern of incoming packet to port 445
• Nmap
– Scan for vulnerability on open 445 port
Nonficker - Vaccination
• Objective:
– Keep Conficker from running by tying up the mutexes that it uses.
• Process
– Extract mutex generation algorithms from variants, and reproduce them in their own program
– Run the program at startup to register all of the needed mutexes
References
1. Alexander Sotirov – Decompiling the vulnerable function for MS08-067
– http://www.phreedom.org/blog/2008/decompiling-ms08-067/
2. SRI International – Porras, Saidi, Yegneswaran – An Analysis of Conficker’s Logic and Rendezvous Points
– http://mtc.sri.com/Conficker/
3. The Honeynet Project – Leder, Werner – Know Your Enemy: Containing Conficker
– http://www.honeynet.org/papers/conficker
4. F-Secure – “Toni” – Calculating the Size of the Downadup Outbreak
– http://www.f-secure.com/weblog/archives/00001584.html
Conclusion
• Conficker has been evolving, apparently in response to the security community’s actions to stop the worm.
• Virus function appears to change with versions. The original intent was to infect as many machines as possible, while current versions are trying to hold onto infected machines.
• Primary infected areas appear to be in countries with significant pirated software
• Target (at this point) unclear, but may be to harvest personal information or to develop a significant botnet.