31 March 2009, 10:54

Conficker demystified

Today, Felix Leder and Tillmann Werner of Bonn University are presenting the results of their analysis of the Conficker worm. In a paper in the Honeynet Project "Know Your Enemy" series, they not only describe the worm's modus operandi, but also provide a number of tools to immunise against the worm, detect its presence, and remove it cleanly. They have also discovered a problem in Conficker that apparently allows it to be directly attacked.

If proof were still required that Conficker is not the work of beginners, Leder and Werner's analysis now provides it. For example, the worm contains a very intelligent self-updating method: it intercepts the vulnerable function calls for canonicalising a relative path (such as \a\..\b into \b). If a function call arrives that attempts to exploit the security hole, then Conficker decodes the contained shellcode. Typically the shellcode tries to download the worm code, but if Conficker is already present it extracts the URL used for that purpose from the shellcode and loads a fresh version of the worm program itself.

However, Conficker checks very precisely whether this is a more up-to-date version than itself, by verifying the digital signature that has to be created with a secret RSA key of the worm's author. It's more or less hopeless to try to foist something on Conficker this way, because its developers have implemented a decentralised self-updating mechanism for the worm that the researchers consider practically uncrackable.

The scanner examines each process for the characteristic RSA key. Nevertheless, Leder and Werner's results can be used purposefully against the worm. By scanning the main memory for the unmistakable RSA keys used to verify the digital signatures, the worm's threads can be specifically detected and terminated. They have also investigated and copied the algorithms used by Conficker for pseudo-random number generation and their respective initialisation vectors. They provide tools that can compute the pseudo-randomly generated domain names that Conficker contacts at a specific time. The file names and registry entries can be copied with a tool. They have also written a program that can set certain mutexes (mutual exclusions) in the system whose presence makes Conficker believe the system is already infected, thus preventing reinfection. Yesterday, the pair presented a scanner that detects Conficker remotely by looking at the values returned by specific function calls.

Last of all, the Honeynet experts have discovered a vulnerability in Conficker. By agreement with the Conficker Working Group, however, they don't yet want to reveal the details. In their published paper, they only say that the original version described a vulnerability that can be exploited. When asked by heise Security whether remote cleaning might be possible this way, the two mentioned an agreement with the Conficker Working Group that prevents their commenting on the matter.

At the time of the Storm worm, researchers refrained from taking action against infected zombies themselves because of legal and moral considerations. At that time, however, the Storm worm network had already been drastically reduced and was no longer a genuine threat. It's a different situation with Conficker, which has now infected several million computers, stimulating the international security industry to form the Conficker Working Group in order to combat the worm. It has already registered thousands of domain names in order to prevent an update of Conficker.A/B to version C, and is offering a $250,000 reward for information leading to the capture of the persons behind the worm. We'd like to know whether this time they will also consider specific measures to turn the worm off.

See also: