Wednesday, April 8, 2009

DOWNAD/Conficker Watch: New Variant in The Mix?

| Brett D. Arion |
DOWNAD/Conficker Watch: New Variant in The Mix?


TrendLabs is following Conficker as it "Wakes UP" and begins transferring an encrypted payload via P2P sharing between infected nodes. The fact that the data is encrypted is slowing down the analysis. Keep up to date at the TrendLabs Maleware blog:

"Days after the April 1st activation date of Conficker, nothing interesting was seen so far in our Downad/Conficker monitoring system except the continuous checking of dates and times via Internet sites, checking of updates via HTTP, and the increasing P2P communications from the Conficker peer nodes.

Well that was until last night when we saw a new file (119,296 bytes) in the Windows Temp folder. Checking on the file properties reveals that the file was created exactly on April 7, 2009 at 07:41:21.

Checking also on traffic captures show that there was no HTTP download that occurred somewhere around that time frame, which was from April 7, 2009 at 07:40:00 up to April 7, 2009 at 07:42:00. However, we noticed a huge encrypted TCP response (134,880 bytes) from a known Conficker P2P IP node (verified by other independent sources), which was hosted somewhere in Korea.

The size of the encrypted TCP blob pretty much matches the size of the binary that got created in the aforementioned folder. There are some additional bytes, which could be the headers and keys that Conficker/Downadup has been known to use.
Trend now detects this new Conficker variant as WORM_DOWNAD.E. Some interesting things (well at least in our perspective) found are:

  1. (Un)Trigger Date – May 3, 2009, it will stop running
  2. Runs in random file name and random service name
  3. Deletes this dropped component afterwards
  4. Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
  5. Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
  6. Connects to the following sites:
    • Myspace.com
    • msn.com
    • ebay.com
    • cnn.com
    • aol.com

It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc.

Another interesting thing we also noticed was that the Downad/Conficker box was trying to access a known Waledac domain (goodnewsdigital(dot)com) and download yet another encrypted file. This coincidentally happened just after the creation of the new Downad/Conficker binary described below (07:41:23):

IP download file

The domain resolves currently to an IP that is hosting a known Waledac ploy in HTML to download print.exe, which has been verified to be a new Waledac binary.

Two things can be summed up from the events that transpired:

  1. As expected, the P2P communications of the Downad/Conficker botnet may have just been used to serve an update, and not via HTTP. The Conficker/Downad P2P communications is now running in full swing!
  2. Conficker-Waledac connection? Possible, but we still have to dig deeper into this…

Research and collaboration is currently ongoing in our own labs as well as within the Conficker Working Group, and will update this blog post for new findings.

Thanks to Joseph Cepe and Paul Ferguson for working on additional information for this entry.

© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice"

Free Security Magazines