| Malware Name | File Type | SHA256 |
|---|---|---|
| Conficker | x32 dll | a30b63e1ed900d3f223277b1d3b09b045abc85600da0d3102fa61fb2bfc2ff99 |
Almost 15 years old ago, a worm named Conficker did a LOT of trouble. to this day, there are some Windows environments (mainly XP based networks) which are still infected with this piece of code (brilliant code for 2008).
With millions of infections all over the world, 5 variations, and a lot of damage, some say this is the most remarkable worm that was ever made.
So i took it for a ride in my lab.
I first encountered that worm when i received a Disk On Key with an autorun.inf file and weird file with suspicious extension jwgkvsq.vmx which both were super infected in AV engines.
Any time an infected DOK inserted into a computer, it pops up this window:
This is a very nice social engineering trick, the autorun.inf is disguised as the explorer icon and caption (look at the duplicated explorer actions, one under "Install or run a program" - which invoking the autorun.inf, and the other under "General options" - the benigh one).
Observing the autorun file:
We see a lot of shity unclear randomness which not clear if this is obfuscation or a binary. By scrolling down (how down? line 1227) some few strings are exposed inside this sea of garbage:
Cleaning it up:
The first line bind the autorun.inf to explorer icon.
The second line executes the other file using Rundll32.exe which invokes a gibberish export function (actually, this method isn't even exist in
jwgkvsq.vmx dll. before validating the export name - DllMain is called).
Opening jwgkvsq.vmx in Pestudio:
First stage is packed by UPX. unpacking:
For my convenience, here i converted the dll to exe (the tool just changed a single bit in PE header):
Entropy is 8 so the file is still packed:
We will try to unpack it later, for now let's run the file under Procmon to get a general idea of the file operations. The file is very noisy and many operation were seen.
The file persists itself in a run key:
Deletes Windows Defender from run key:
Resets the TCP receive window using Netsh.exe (not sure exactly why, but it's part of the setup for the upcoming Brute Force).
Probes for live hosts in the internal network by trying to connect to their SMB share:
In this part i started to debug the file under debugger in order to unpack it.
Even though this is an old malware and fair to think that it is lacking protections, it's not true. it contains polymorphism, obfuscation and anti-analysis tricks. after some struggling with it and at least 5 VirtualAlloc, I saw a PE file that was written to a newly allocated memory:
The file was in its mapped format (reference), and for some reason i was unable to unmap it to its raw format, trying various methods. i suspect that the reason is because the PE headers were corrupted in some way. So in some point i gave up the unmapping, and moved on to the very JUICY strings armed with my prior knowledge on Conficker actions.
First were the autorun.inf strings which were written to every Disk on Key that inserted to an infected machine:
Then there are a big list of security producs and related names, which will compared against each DNS lookup the host makes, and if the DNS request contains any of these words, the request will be blocked! that is done by hooking the DNS library in every process!!
It also has the ability to retrieve the external IP address of the machine by quering each of those sites:
And there is the password list (part of it, it's longer):
The worm spreads itself by 3 mechanisms:
- By Brute Forcing SMB shares using the password list. when it guesses the right password, it writes the payload to the remote share and runs it by creating a remote service.
- By Infecting DOKs and removable drives.
- By ms08-067, which is being exploited heavily by it. for that, the worm creates a local HTTP server on the infected machine, which serves the payload for any host that is exploited successfuly.
- The worm contains a DGA algorithm (explained here).
- The worm changes TCP settings, like the allowed current TCP connections, in order to optimize the Brute Force process.
- The worm shuts down system services, like
Windows DefenderandBackground Intelligent Transfer Serviceto disrupt automatic updates and protections. - The worm injects itself to system services like
Explorer.exeandSvchost.exe. - The worm deletes the System Restore Points.
- The worm contains anti-analysis, anti-sandbox and anti-vm capabilities, and a lot of obfuscation and "spaghetti code".
Conficker is a sophisticated, contagious, brutal and noisy Windows worm. In this writeup i discussed only a small part of Conficker whole story, there is a comprehensive article about it as well.
Hope you enjoyed :)