Conficker.E - all grown up...

Filed Under: SophosLabs

Having done some more digging into the recent Conficker update, dubbed "Conficker.E", I have been able to flesh out a number of the key points from our initial analysis when the update first came out.

In particular, the dropped DLL component looks simply like a recompilation of the Conficker.C DLL component. It has much of the same functionality as the previous variant: the startup, installation process and armor techniques are as we described them in our technical analysis, and the peer-to-peer logic is all present. The samples are not identical, but the differences amount to a few metamorphic assembly-level changes and different jmp offsets in the obfuscated p2p code; the overall program flow is the same between the two.

It follows naturally from this that Sophos detects both Conficker.C and Conficker.E DLL components as Mal/Conficker-B.

There are, however, a few key logic changes between the C and E variants. One striking difference is that the rendezvous domain monitoring code is absent. Machines infected with the new Conficker.E will no longer make the 500 lookups to pseudo-randomly generated domains each day.

As such, Conficker.E nodes rely entirely on the peer-to-peer capabilities as their updating mechanism. Keep in mind that this is not a reduction in flexibility: the p2p mechanisms can share digitally signed arbitrary content among Conficker nodes, and the Conficker authors can easily bootstrap a connection into the p2p network by seeding one of their own machines with an updated binary.

Another key change involves the hook on NetpwPathCanonicalize. The hook now appears to be a patched version of the original function in netapi32.dll, presumably repairing the vulnerability and, more importantly, restoring the behavior expected of a normal (i.e. non-Conficker-infected) Windows machine. This appears to be a direct response intended to make Conficker.E immune to the online scanners that rely on the Conficker-only behavior of the hooked NetpwPathCanonicalize function to determine whether a machine is infected with a variant of Conficker.

Indeed, as we speculated, the Conficker Working Group confirms that the scanners "no longer work" on Conficker.E in its recently published Conficker timeline. Though there are slight behavior changes in this latest hook, they do not facilitate remote detection.

For example, Conficker.E's patched NetpwPathCanonicalize returns ERROR_INVALID_NAME when it fails to dynamically import the original NetpwPathType (which it uses to implement the patched function so that it behaves as the normal netapi32.dll version does).

As is now quite obvious, the hook's behavior was never a robust detection strategy to begin with. A better signal is something the botnet itself depends on to operate, and here there is a notable similarity between Conficker.C and Conficker.E: the p2p port number calculation. Both variants use the same calculation to bootstrap connectivity into the Conficker p2p network, a deterministic mapping from an IP address to port numbers using a weekly time seed.

Looking for these open port numbers would be a much more robust strategy for detecting Conficker.C or .E nodes, since it keys on information the network actually relies on for its operation. The rough probability of an uninfected machine having all four Conficker ports open is (1/2^16)^4 = 2^-64, about 5.4 x 10^-20 (treating each open port as independent and uniformly distributed over the 16-bit port space), so false positives seem quite unlikely.
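As an added example (not code from the original post or from SophosLabs), here is how the port-based check described above can be structured: derive the four ports expected for a given host and week, compare them against the host's observed listening sockets, and flag only a full match. The port derivation below is a labelled stand-in built on SHA-256 with the properties the text describes (deterministic in the IP address and a weekly seed, two TCP and two UDP ports); it is not Conficker's actual algorithm, the weekly seed is simply whole weeks since the Unix epoch, and the scan results are constructed.

```python
"""Port-based Conficker.C/E node detection sketch (added example, not Sophos code).

derive_p2p_ports() is a PLACEHOLDER with the shape the post describes, not the
real Conficker derivation; swap in the published algorithm before relying on it.
"""
import hashlib
import ipaddress
import struct
from datetime import datetime, timedelta, timezone

SECONDS_PER_WEEK = 7 * 24 * 3600
EXPECTED_PORT_COUNT = 4  # two TCP + two UDP rendezvous ports per host per week


def week_seed(when: datetime) -> int:
    """Weekly time seed: whole weeks since the Unix epoch (assumed granularity)."""
    return int(when.timestamp()) // SECONDS_PER_WEEK


def derive_p2p_ports(ip: str, seed: int) -> dict:
    """Stand-in derivation: SHA-256(ip || seed) -> 2 TCP + 2 UDP ports.

    Ports below 1024 are avoided so the placeholder never lands on well-known
    services; the real malware's mapping is documented elsewhere.
    """
    material = ipaddress.ip_address(ip).packed + struct.pack(">I", seed)
    words = struct.unpack(">4H", hashlib.sha256(material).digest()[:8])
    ports = [1024 + (w % (65536 - 1024)) for w in words]
    return {"tcp": frozenset(ports[:2]), "udp": frozenset(ports[2:])}


def classify_host(ip: str, open_tcp, open_udp, when: datetime) -> str:
    """'conficker-p2p' if every expected port is listening, 'partial' if some, else 'clean'."""
    expected = derive_p2p_ports(ip, week_seed(when))
    hits = len(expected["tcp"] & set(open_tcp)) + len(expected["udp"] & set(open_udp))
    total = len(expected["tcp"]) + len(expected["udp"])
    if hits == total:
        return "conficker-p2p"
    return "partial" if hits else "clean"


def false_positive_probability(n_ports: int = EXPECTED_PORT_COUNT, port_space: int = 2 ** 16) -> float:
    """Chance an unrelated host has all n specific ports open, under the post's rough
    model: each open port independent and uniform over the port space."""
    return 1.0 / (port_space ** n_ports)  # exact 2**-64 for the defaults


# Constructed scan results (not real telemetry): one infected host, one ordinary server.
SCAN_TIME = datetime(2009, 4, 20, tzinfo=timezone.utc)
LAST_WEEK = SCAN_TIME - timedelta(days=7)
INFECTED_IP = "192.0.2.10"
_expected_now = derive_p2p_ports(INFECTED_IP, week_seed(SCAN_TIME))
SAMPLE_SCAN = {
    INFECTED_IP: {
        "tcp": {135, 445} | set(_expected_now["tcp"]),
        "udp": {137, 138} | set(_expected_now["udp"]),
    },
    "192.0.2.11": {"tcp": {22, 80, 443}, "udp": {53}},
}


def scan_report(scan=SAMPLE_SCAN, when=SCAN_TIME) -> dict:
    """Map each scanned host to its verdict for the week containing `when`."""
    return {ip: classify_host(ip, p["tcp"], p["udp"], when) for ip, p in scan.items()}


if __name__ == "__main__":
    for host, verdict in scan_report().items():
        print(f"{host:15} {verdict}")
    print(f"per-host false-positive probability: {false_positive_probability():.3e}")
```

Two practical points fall out of the structure. The expected ports change with the weekly seed, so a scan taken near a week boundary should be evaluated against both the current and the adjacent week's ports rather than one; and the very small false-positive figure only holds for the full four-port match, which is why anything short of that is reported as "partial" rather than as an infection.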

And determining whether your machine is infected is important: the Conficker p2p network is actively sharing malicious content. In addition to Conficker's link to Waledac, our honeypots have turned up rootkit, fake AV and, just today, Troj/Virtum-Gen samples.

So... with no more calling home, getting mixed up with "the wrong people", and a stronger affinity for its peers than its parents, Conficker.E may be into its adolescent rebellion.

As such, I am currently considering a detection to flag the following suspicious behaviors on your machine: back-talk, listening to loud intolerable music, piercings in new and strange places, and binge drinking.

Please send us a sample if you notice your machine exhibiting any of these or other generally defiant behaviors.
