Archive for April, 2009

Apr 28 2009

Alert: Conficker.C worms are still trying to call home – May 3 is not the end of the Conficker story

Published under Security Research

By Nguyen Tu Quang / Senior Malware Researcher – CEO, Bkis

According to a Bkis survey, many computer users believe that May 3 will be the end of the Conficker story. This way of thinking draws their attention away from a threat that is still out there: nearly one million computers worldwide remain infected with Conficker, and that will still be true after May 3. That is an undeniable fact.

On April 26 our researchers compiled statistics using the same method we had used on April 1 (http://security.bkis.vn/?p=473): we registered some of the 50,000 domain names that Conficker would call on April 26. (It is important to note that Conficker.C has been looking non-stop for updates via HTTP since April 1; see http://security.bkis.vn/?p=391.)

The result: 750,000 computers worldwide are still harbouring Conficker.C, and this botnet of 750,000 zombies will not stop calling home for instructions after May 3, whatever users may believe about that date being the end of the Conficker story.

The above analysis shows that the Conficker threat is still out there.

[Figure: Conficker Statistic on April 26]

Is the Conficker Cabal (Working Group) wasting its time and effort?

Bkis Radar System(*), which has been running since April 1, has found that, up to today, the Conficker Working Group has been trying every day to register domain names among the 50,000 that Conficker can call. For instance, today, April 28, the domain names registered by the Conficker Working Group are under .ae, .am, .as, .be, .ca, .cl, .co.il, .co.nz, .co.uk … However, they cannot control all 50,000 domain names each day. An attacker can register any domain not controlled by the Conficker Working Group and use it to send new instructions to the bots. The proof is that we could easily register some domain names on Conficker's calling list for April 26 in order to count the number of Conficker zombies worldwide.

This leads us to think that the Conficker Working Group is wasting its time and effort on what it is doing. It would be more advisable to send alerts to the nations with the highest infection rates, so that computer users in those countries see the need to clean the worm from their systems. Almost all antivirus software now has signatures for the new Conficker variants and removal tools. According to our statistics of April 26, the countries with the highest infection rates include China, Russia and Brazil.

(*) How does Bkis Radar work?

[Figure: Bkis Radar]

We have developed a tool that simulates Conficker's call-home module. Bkis Radar generates the 50,000 domain names for each day and queries them, the same way Conficker does. We are thus notified whenever one of those domains is activated or the content of the website a domain points to is modified. Consequently, we know when Conficker spreads an update via HTTP, and we can list the domain names that the Conficker Working Group has registered.
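The monitoring step described above (query every candidate domain, notice when one becomes active or its content changes) can be expressed as a day-over-day diff. The following is an added example, not Bkis Radar's code: the domain generation algorithm is not on this page, so the candidate names are constructed, and the resolver and fetcher are injected callables (stubbed with constructed answers here) so the example runs offline. Everything else, including the event names, is an assumption of this example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class DomainState:
    """What the radar knew about one candidate domain after a day's check."""
    resolves: bool = False
    content_hash: Optional[str] = None


def fingerprint(body: bytes) -> str:
    """Hash the fetched body so that a later change of page content is detectable."""
    return hashlib.sha256(body).hexdigest()


def scan_day(domains: List[str],
             resolve: Callable[[str], bool],
             fetch: Callable[[str], Optional[bytes]],
             previous: Optional[Dict[str, DomainState]] = None
             ) -> Tuple[List[Tuple[str, str]], Dict[str, DomainState]]:
    """Check every candidate domain and diff the outcome against the previous run.

    resolve(domain) -> True if the name currently resolves
    fetch(domain)   -> HTTP body if the host answers, else None
    previous        -> state returned by the last call to scan_day()

    Returns (events, state); each event is (kind, domain) with kind one of
    "newly_active", "content_changed" or "went_dark".
    """
    previous = previous or {}
    state: Dict[str, DomainState] = {}
    events: List[Tuple[str, str]] = []
    for domain in domains:
        cur = DomainState(resolves=resolve(domain))
        if cur.resolves:
            body = fetch(domain)
            cur.content_hash = fingerprint(body) if body is not None else None
        state[domain] = cur
        old = previous.get(domain, DomainState())
        if cur.resolves and not old.resolves:
            events.append(("newly_active", domain))
        elif old.resolves and not cur.resolves:
            events.append(("went_dark", domain))
        elif cur.resolves and old.content_hash != cur.content_hash:
            events.append(("content_changed", domain))
    return events, state


# Constructed candidate names (the real DGA output is not on the page) and three
# constructed "days" of answers, keyed by the domains that resolve on that day.
CANDIDATES = ["abcde.example", "fghij.example", "klmno.example", "pqrst.example"]
DAYS = [
    {"abcde.example": b"sinkhole placeholder", "fghij.example": b"parked"},
    {"abcde.example": b"sinkhole placeholder", "fghij.example": b"parked-v2",
     "klmno.example": b"<html>new</html>"},
    {"fghij.example": b"parked-v2", "klmno.example": b"<html>new</html>"},
]


def run_radar(days=DAYS, domains=CANDIDATES) -> List[List[Tuple[str, str]]]:
    """Replay the constructed days through scan_day() and collect each day's events."""
    state = None
    history = []
    for answers in days:
        events, state = scan_day(domains,
                                 resolve=lambda d, a=answers: d in a,
                                 fetch=lambda d, a=answers: a.get(d),
                                 previous=state)
        history.append(events)
    return history


if __name__ == "__main__":
    for day, events in enumerate(run_radar(), start=1):
        print(f"day {day}: {events}")
```

On the constructed data, day 1 reports two newly active domains, day 2 reports one content change and one new activation, and day 3 reports one domain going dark; a real deployment would replace the two stubs with a DNS lookup and an HTTP fetch and persist the returned state between days.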

 


Apr 23 2009

New worm bypasses Gmail’s CAPTCHA

Published under Security Research

By Do Manh Dzung, Senior Malware Researcher – Bkis

 

On April 22, 2009, the Bkis Honeypot system discovered a new worm, which we named W32.Gaptcha.Worm. The worm automatically signs up for and creates random Gmail accounts for spamming purposes. To do so, it must first be able to break Google's CAPTCHA. Gaptcha continuously creates Gmail accounts and sends the registered accounts to the attackers until Gmail blocks the infected machine's IP address. It then removes itself from the system.

 

Once your computer is infected with this worm, you will see IE windows appear automatically, followed by the whole automatic Gmail account registration process carried out by the worm. After that you will no longer be able to sign up for a new Gmail account, because your computer will have been blocked by Gmail.

 

Worm description:

Name: W32.Gaptcha.Worm

Size: 82 KB

Discovered date: April 22, 2009

Severity: Medium

 

How W32.Gaptcha.Worm operates:

1. Connects to the server clitcommander.110mb.com to check the Internet connection and the server connection. If it fails to connect to the server, or there is no Internet connection, it moves to step 9.

2. Starts IE via InternetExplorer.Application and automatically opens https://www.google.com/accounts/NewAccount?service=mail to create a new account.

3. Fills in the fields:

a. FirstName: randomly chosen from a list of names such as Emily, Isabella, etc.

b. LastName: randomly chosen from Smith, Johnson, etc.

4. Locates the CAPTCHA image, downloads it to the TEMP folder and sends it to the server ac-service.info for image processing, then retrieves the answer used to bypass the CAPTCHA.

5. Finishes the registration.

6. Starts IE, logs on to the Gmail account it has just created and changes the settings: enables POP and sets the forwarding field (“Forward a copy”) to u6j3y1iknj @my-private-email.biz.

7. Sends information about the Gmail account it has just created to the attacker at clitcommander.110mb.com.

8. Repeats from step 2.

9. Creates a .bat file to remove itself.

 

We have added a signature for removing W32.Gaptcha.Worm to our free tool BkavHome. You can download BkavHome here.


Apr 18 2009

Bkis Conficker Scanner

Published under Security Research

Today, April 18, Bkis has released Bkis Conficker Scanner, which detects Conficker-infected PCs on a network. Network administrators can download the software:

Download here

 

How to use the software

 

[Figure: Main program interface]

 

To locate Conficker-infected PCs, network administrators can follow these steps:

 

· Step 1: Identify the available IP ranges on the network.

· Step 2: Select one of two options:

o IP Range: if your network consists of a single IP range (for instance 192.168.10.1 – 192.168.15.255).

o IP Custom: if your network consists of several IP ranges, or you want to scan specific PCs (for instance 192.168.222.119;192.168.10.1-192.168.11.255;192.168.151.1-192.168.151.255).

· Step 3: Leave Show infected Hosts only selected (the default) to view infected PCs only.

· Step 4: Click on Scan and the program starts scanning. When scanning is finished, the message “Scanner finish” appears.

 

 

Scanning Result

Network scanning result will be displayed in the main interface as below:

  

[Figure: Program interface after network scanning is finished]

 

· Active Hosts: number of PCs in the network.

· Infected Hosts: number of infected PCs.

· Result: shows the scanning result, including the IP addresses and names (Computer Name) of infected PCs. If either the “Check RPC” column or the “Check Port” column displays the word “Infected”, the PC is harbouring Conficker.

· Export: to save the scanning result, click on Export, name the file and browse to the desired folder. The file is saved in *.csv format.

 

Note: This version runs on Windows XP and Windows Server 2003.
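The target syntax from Step 2 and the result layout above are simple enough to reproduce, which is useful when feeding the scanner's ranges to other tools or post-processing its export. The following is an added example, not the scanner's own code: it expands the IP Custom syntax (single addresses and start-end ranges separated by “;”, also accepting the en dash used in the text), applies the page's rule that “Infected” in either check column marks a host, and writes the same columns as the Result view to CSV. The scanner's actual RPC and port probes are not on the page and are not reproduced; the result rows below are constructed sample data.

```python
import csv
import io
import ipaddress
from typing import Dict, List, Tuple


def parse_ip_spec(spec: str) -> List[str]:
    """Expand 'a.b.c.d;w.x.y.z-w.x.y.q' into an ordered list of IPv4 address strings.

    Raises ValueError for a malformed address or a range whose end precedes its start.
    """
    targets: List[str] = []
    for item in spec.replace("–", "-").split(";"):   # accept the en dash used in the text
        item = item.strip()
        if not item:
            continue
        if "-" in item:
            lo_s, hi_s = (p.strip() for p in item.split("-", 1))
            lo, hi = ipaddress.IPv4Address(lo_s), ipaddress.IPv4Address(hi_s)
            if hi < lo:
                raise ValueError(f"range end before start: {item}")
            targets.extend(str(ipaddress.IPv4Address(n)) for n in range(int(lo), int(hi) + 1))
        else:
            targets.append(str(ipaddress.IPv4Address(item)))
    return targets


# Column names as shown in the program's Result view.
RESULT_COLUMNS = ["IP Address", "Computer Name", "Check RPC", "Check Port"]


def is_infected(row: Dict[str, str]) -> bool:
    """The page's rule: 'Infected' in either check column means the host harbours Conficker."""
    return row["Check RPC"] == "Infected" or row["Check Port"] == "Infected"


def summarize(rows: List[Dict[str, str]]) -> Tuple[int, int]:
    """Return (Active Hosts, Infected Hosts) as displayed in the main interface."""
    return len(rows), sum(1 for r in rows if is_infected(r))


def export_csv(rows: List[Dict[str, str]], infected_only: bool = True) -> str:
    """Serialise the result table as CSV text, honouring 'Show infected Hosts only'."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=RESULT_COLUMNS, lineterminator="\n")
    writer.writeheader()
    for row in rows:
        if infected_only and not is_infected(row):
            continue
        writer.writerow(row)
    return buf.getvalue()


# Constructed sample rows in the Result layout (not real scan output).
SAMPLE_ROWS = [
    {"IP Address": "192.168.10.5", "Computer Name": "WS-05", "Check RPC": "Infected", "Check Port": "Clean"},
    {"IP Address": "192.168.10.6", "Computer Name": "WS-06", "Check RPC": "Clean", "Check Port": "Clean"},
    {"IP Address": "192.168.11.9", "Computer Name": "SRV-09", "Check RPC": "Clean", "Check Port": "Infected"},
]

if __name__ == "__main__":
    spec = "192.168.222.119;192.168.10.1-192.168.11.255;192.168.151.1-192.168.151.255"
    print(len(parse_ip_spec(spec)), "targets")
    print("active/infected:", summarize(SAMPLE_ROWS))
    print(export_csv(SAMPLE_ROWS))
```

The page's own IP Custom example expands to 767 targets (1 + 511 + 255), and the IP Range example 192.168.10.1 – 192.168.15.255 to 1,535; rejecting a reversed range up front avoids silently scanning nothing.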

 Bkis


Apr 14 2009

How Conficker makes use of MS08-067

Published under Security Research

By Bui Quang Minh & Hoang Xuan Minh

 

Conficker has emerged as a hot topic recently. It is the most widespread virus since Code Red. The news has talked about it so much that I decided to write an article too.

 

This article concerns the spreading technique used by this virus, particularly the way it exploits the MS08-067 vulnerability in the Server Service of Windows.

 

MS08-067 Technical Details

I actually already wrote an article about this flaw, here (Vietnamese) [1], when it was published, but I will go over it again in more detail now.

 

The RPC interface of the Server Service supports a remote procedure that converts any path (for instance \\C\Program Files\..\Windows) into its canonical form (\\C\Windows). Windows does not handle an overly long path well, which results in a buffer overrun.

 

To be concrete, Windows (the svchost process) uses the NetpwPathCanonicalize() function of the netapi32.dll library to perform the above operation. The pseudo-code follows:

 

func _NetpwPathCanonicalize(wchar_t* Path)
{
      // check Path length
      if( !_function_check_length(Path) )
            return;

      _CanonicalizePathName(Path);
      return;
}

func _CanonicalizePathName(wchar_t* Path)
{
      // protect stack with cookie – /GS
      _save_security_cookie();

      wchar_t wcsBuffer[0x420];

      // this is the function causing the overrun: wcscat() appends to
      // whatever wcsBuffer already holds instead of overwriting it
      wcscat(wcsBuffer, Path);

      // converting function
      _ConvertPathMacros(wcsBuffer);

      return;
}

 

As we can see from the pseudo-code, NetpwPathCanonicalize() checks the length of the path before passing it to the CanonicalizePathName() function. However, CanonicalizePathName() uses wcscat() to copy the path into a local variable (wcsBuffer), that is, it appends to the buffer's existing contents rather than overwriting them. The consequence is that the function does not overflow the buffer on the first call but does on subsequent ones. For example, the contents of wcsBuffer after each call to this function would be:

 

    - Call 1 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a”
    - Call 2 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a”
    - Call 3 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a”
    - …

 

So the Server Service can definitely be overflowed remotely with several calls to NetpwPathCanonicalize() using a path of the appropriate length. Up to this point it seems as if the road has been cleared.
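To make the accumulation concrete, here is an added Python model (not Microsoft's code, not Conficker's, and not from this article) of the behaviour the pseudo-code describes: a fixed buffer of 0x420 wide characters whose contents persist between calls, a length check that looks only at the new input, and a hardened variant that clears the buffer and checks against the capacity that is actually free. The buffer size and the sample path are the article's; the canonicalisation rules in collapse_path() (drop “.” segments, let “..” remove the previous segment) are an assumed simplification of what ConvertPathMacros() does, and an overflow is reported as an exception rather than corrupting anything.

```python
WCS_BUFFER_CAPACITY = 0x420      # wide characters, from the pseudo-code


class PersistentBuffer:
    """Models a fixed-size wchar_t array whose contents survive between calls."""

    def __init__(self, capacity: int = WCS_BUFFER_CAPACITY):
        self.capacity = capacity
        self.content = ""

    def wcscat(self, s: str) -> None:
        """Append like wcscat(): needs room for the old text, the new text and a terminator."""
        if len(self.content) + len(s) + 1 > self.capacity:
            raise OverflowError(
                f"{len(self.content)} + {len(s)} + 1 exceeds {self.capacity} wide chars")
        self.content += s


def collapse_path(path: str) -> str:
    r"""Canonicalise a backslash path: '\\C\Program Files\..\Windows' -> '\\C\Windows'.

    Assumed simplification of ConvertPathMacros(): keep the leading backslashes,
    drop empty and '.' segments, and let '..' remove the previous segment.
    """
    stripped = path.lstrip("\\")
    prefix = path[: len(path) - len(stripped)]
    stack = []
    for part in stripped.split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            if stack:
                stack.pop()
            continue
        stack.append(part)
    return prefix + "\\".join(stack)


def canonicalize_as_described(buf: PersistentBuffer, path: str):
    """NetpwPathCanonicalize as the article describes it: check only the *input*
    length, then append into a buffer that still holds the previous call's text."""
    if len(path) + 1 > buf.capacity:
        return None                       # the per-call length check
    buf.wcscat(path)                      # raises OverflowError on a later call
    return collapse_path(buf.content)


def canonicalize_hardened(buf: PersistentBuffer, path: str):
    """Same interface, but the buffer is cleared first and the check is made against
    the free capacity, so repeated calls cannot accumulate."""
    buf.content = ""
    if len(buf.content) + len(path) + 1 > buf.capacity:
        return None
    buf.wcscat(path)
    return collapse_path(buf.content)


def calls_until_overflow(path: str, capacity: int = WCS_BUFFER_CAPACITY,
                         limit: int = 100_000):
    """How many calls with the same path does the described function survive?
    Returns the number of the first call that would overflow, or None."""
    buf = PersistentBuffer(capacity)
    for n in range(1, limit + 1):
        try:
            canonicalize_as_described(buf, path)
        except OverflowError:
            return n
    return None


if __name__ == "__main__":
    sample = r"\\a\aaaaa\aaaa\..\..\a"
    print("first overflowing call:", calls_until_overflow(sample))
    print("hardened result:", canonicalize_hardened(PersistentBuffer(), sample))
```

With the article's 22-character sample path the described function survives 47 calls and overflows on the 48th (47 × 22 + 22 + 1 exceeds 1056), while the hardened variant returns the same canonical path on every call and rejects a single path that is itself too long.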

 

But two other obstacles appear:

· Cookie: CanonicalizePathName() was built with the /GS option, which protects it with a cookie placed before the return address. Whenever the return address is overwritten, so is the cookie, and the system therefore knows that a buffer overflow has occurred.

· DEP: the Server Service process (svchost.exe) is protected by DEP by default. As a result, if shellcode is put on the stack, DEP will not allow it to execute.

 

Which exploitation techniques does Conficker use?

Now let us turn our attention to a function used in CanonicalizePathName(), which Microsoft calls ConvertPathMacros(). This function performs no check against the cookie and was therefore taken advantage of by Conficker to redirect control to the shellcode.

 

Microsoft's article (here) [2] also mentions the ConvertPathMacros() function but does not describe its role in the exploitation correctly. More precisely, Microsoft states that this function uses a local variable to store the buffer and that the exploit overflows it in order to overwrite the return address of ConvertPathMacros().

 

But in actuality, ConvertPathMacros() contains no code that directly copies into and overflows such a local buffer. Overwriting the return address of this function is made possible by a weakness in its string-processing algorithm. As a consequence, the wcscpy() function, which is called within ConvertPathMacros(), has its return address overwritten.

 

To bypass DEP, Conficker uses the ZwSetInformationProcess() function to disable DEP at runtime. After that, Conficker redirects control to the shellcode on the stack.

 

Conficker uses instructions available in the AcGenral.dll library, which is loaded by svchost, to overcome both of the protection mechanisms above.

 

With this method of exploitation, Conficker only needs to call NetpwPathCanonicalize() once to attack successfully.

 

Spreading module of Conficker

Using the exploitation techniques above, Conficker can exploit many different Windows versions (XP SP2/SP3, English, Italian, …). For a particular IP address, Conficker tries attacking with malicious code for one Windows version at a time. The pseudo-code follows:

 

func __Thread_Attack (IpAddress)
{
      // Create an Url for shellcode to download virus.
      url = Make_Url_Download();

      While(1)
      {
            // If connection fails, abort.
            if( ! IsConnect(IpAddress) )   return;

            // A buffer for a particular Windows version will be created.
            buffer  = Make_Buffer(url, WinVersion);

            // Attack
            Attack(IpAddress, buffer);

            // Wait 1 second. If the exploit succeeded, break from the loop;
            // if not, try the next exploit buffer.
            if( WaitForSingleObject(1000) != WAIT_TIMEOUT ) break;
      }
}

 

Conficker shellcode activity

- Decode (XOR with 0xC4).

- Get the addresses of the necessary API functions: LoadLibraryA(), ExitThread().

- Load the urlmon.dll library into the process.

- Get the address of the URLDownloadToFileA() function in urlmon.dll.

- Download the virus from the attacking computer over HTTP.

- Source address used for the download: http://<ip_attacker>:<rand_port>/<rand_string>

- The downloaded virus is saved under the name x and loaded with LoadLibraryA.

- Kill the thread (ExitThread).

 

Which operating systems are susceptible to Conficker's attack?

After reversing Conficker, I found 51 Windows versions that it can attack (SP2 and SP3 are counted as different versions). One interesting thing is that the addresses used by Conficker's exploitation module for the different Windows versions are the same as those in the Metasploit exploit code (here) [3]. This strongly suggests that the virus creator took these addresses from Metasploit. The following is the list of operating systems susceptible to Conficker.

 

1. Windows 2000.
2. Windows XP SP2/SP3 English.
3. Windows XP SP2/SP3 Arabic.
4. Windows XP SP2/SP3 Taiwan.
5. Windows XP SP2/SP3 Chinese.
6. Windows XP SP2/SP3 Czech.
7. Windows XP SP2/SP3 Danish.
8. Windows XP SP2/SP3 German.
9. Windows XP SP2/SP3 Greek.
10. Windows XP SP2/SP3 Spanish.
11. Windows XP SP2/SP3 Finnish.
12. Windows XP SP2/SP3 French.
13. Windows XP SP2/SP3 Hebrew.
14. Windows XP SP2/SP3 Hungarian.
15. Windows XP SP2/SP3 Italian.
16. Windows XP SP2/SP3 Japanese.
17. Windows XP SP2/SP3 Korean.
18. Windows XP SP2/SP3 Dutch.
19. Windows XP SP2/SP3 Norwegian.
20. Windows XP SP2/SP3 Polish.
21. Windows XP SP2/SP3 Brazilian.
22. Windows XP SP2/SP3 Portuguese.
23. Windows XP SP2/SP3 Russian.
24. Windows XP SP2/SP3 Swedish.
25. Windows XP SP2/SP3 Turkish.
26. Windows 2003 SP1/SP2 English.

 

 

Reference

[1] http://bkav.com.vn/tinh_hinh_an_ninh_mang/27/10/2008/6/1896/ (Vietnamese)

[2] http://blogs.technet.com/srd/archive/2009/03/16/gs-cookie-protection-effectiveness-and-limitations

[3] http://trac.metasploit.com/browser/framework3/trunk/modules/exploits/windows/smb/ms08_067_netapi

Bkis


Apr 09 2009

No Conficker P2P update yet

Published under Security Research

By Nguyen Tu Quang – Senior Malware Researcher/CEO of Bkis

On April 8 our Honeypot system collected some updates from goodnewsdigital(dot)com, which TrendMicro claimed the new Conficker variant connects to (http://blog.trendmicro.com/downadconficker-watch-new-variant-in-the-mix).

However, we have analysed all the malicious code collected from this source, including news.exe, main.exe, f*ck.exe, f*ck2.exe, f*ck3.exe, f*ck4.exe and contact.exe, and the analysis shows that all of these samples are the Waledac worm (also known as the XmasStorm worm – http://www.pcworld.com/businesscenter/article/156043/bogus_greetings_spread_holiday_malware.html).

We have also checked the Bkis Conficker HTTP Honeypot and Bkis Conficker P2P Honeypot systems and have not found any worm update. Moreover, according to the Honeypot statistics, there are still 1.3 million computers infected with Conficker.C worldwide at the moment, the same number we counted on April 1 (http://security.bkis.vn/?p=473). In other words, the number of computers infected by Conficker.C remains the same and they have not been updated with a new variant.

For these reasons, we affirm that there has not been any P2P update of Conficker yet.

We will continue to track and update information when there are new happenings.

 About Bkis

Bkis is a Vietnamese anti-virus company known for Bkav, the most popular antivirus software in Vietnam, which has more than 10 million users.

 

1.3 million Conficker.C-infected computers worldwide: how the statistics were made (April 3)

In the April 1 entry (http://security.bkis.vn/?p=441), Bkis announced that there are now only 1.3 million Conficker.C-infected machines worldwide. This number was recorded by our malware trap, the Bkis Honeypot System. How could such an exact number be obtained? Let us look at the working principle of the system:

To build this system, we bought 6 of the 50,000 domain names that the worm would query on April 1, and set up six servers for those domain names to point to. Consequently, starting from April 1, when Conficker-infected computers began “calling home” to the 50,000 domain names, they would also query our servers.

We developed special software on the Honeypot System servers to log every query from the worm. These logs are then analysed by another piece of our software to produce the final statistics.

As we all know, on April 1 each Conficker-infected machine would call home to the 50,000 generated domain names, including the six domain names pointed at our servers. Thus we were able to record the number of infected computers querying our servers.

One question to consider: is the number of queries to the Bkis Honeypot System equivalent to the number of Conficker-infected computers worldwide?

On April 1, each Conficker-infected machine is programmed to query only 500 of the 50,000 domain names. In other words, only 1 percent of all the domain names (500 in 50,000) would receive requests from that computer.

Consequently, the number of queries to the Bkis Honeypot accounts for only 1 percent of all the queries made by infected computers in the world. On April 1, the Bkis Honeypot recorded 13,841 queries from infected computers worldwide, which means the total number of Conficker-infected computers globally must be 1,384,100 (13,841 x 100). And this is a precise number.

Details of the Bkis Honeypot diagram:

(1): Infected computers worldwide calling home to 50,000 domain names on the Internet
(2): Bkis Honeypot Sensor – a six-server system set up to trap “calling home” worms
(3): The worms' query logs
(4): Bkis Honeypot Analyzer – log analysis system for the statistics
(5): The precise number of Conficker-infected computers worldwide and the respective share of each country
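The extrapolation described above (each bot queries 500 of the day's 50,000 domains, so one sinkholed domain sees about 1 percent of all call-home queries and the observed count is scaled by 100) is easy to run over sinkhole logs. The following is an added example, not the Bkis Honeypot Analyzer's code: the log format, the source addresses (documentation ranges) and the prefix-to-country table standing in for a GeoIP lookup are all constructed. It applies the post's scaling to the raw query count and, as an extra figure of this example, also to the number of distinct source addresses, so a bot that hits a sinkhole more than once is visible.

```python
import re
from collections import Counter
from typing import Dict, Iterator, Tuple

DOMAINS_PER_DAY = 50_000
QUERIES_PER_BOT = 500
SCALE = DOMAINS_PER_DAY // QUERIES_PER_BOT     # 100: one sinkholed domain sees ~1 % of queries

# Constructed log format: "<utc timestamp> <source ip> <queried host>"
LOG_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)$")

# Constructed sample log (addresses from RFC 5737 documentation ranges).
SAMPLE_LOG = """\
2009-04-01T00:37:02Z 203.0.113.7 sinkhole-a.example
2009-04-01T00:41:15Z 198.51.100.20 sinkhole-a.example
2009-04-01T01:02:48Z 198.51.100.21 sinkhole-b.example
2009-04-01T01:10:03Z 192.0.2.9 sinkhole-a.example
this line is not a query and is skipped by the parser
2009-04-01T02:15:30Z 198.51.100.20 sinkhole-b.example
2009-04-01T03:00:11Z 203.0.113.8 sinkhole-c.example
2009-04-01T04:22:59Z 198.51.100.22 sinkhole-a.example
"""

# Constructed prefix -> country table standing in for a GeoIP lookup.
GEO_PREFIXES = {"203.0.113.": "KR", "198.51.100.": "CN", "192.0.2.": "BR"}


def country_of(ip: str) -> str:
    for prefix, cc in GEO_PREFIXES.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse_log(text: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (timestamp, source_ip, host) for well-formed lines; ignore the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def analyse(text: str) -> Dict[str, object]:
    """Compute the figures the post reports from the log text."""
    entries = list(parse_log(text))
    queries = len(entries)
    sources = {ip for _, ip, _ in entries}
    by_country = Counter(country_of(ip) for ip in sources)
    share = {cc: round(100.0 * n / len(sources), 2) for cc, n in by_country.items()}
    return {
        "queries": queries,
        "unique_sources": len(sources),
        "estimate_from_queries": queries * SCALE,        # the post's calculation
        "estimate_from_sources": len(sources) * SCALE,   # same scaling, one count per IP
        "first_seen": min(ts for ts, _, _ in entries) if entries else None,
        "country_share_percent": share,
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed log, 7 queries from 6 distinct sources give an estimate of 700 bots by the post's method and 600 by source count; with the post's real figure of 13,841 queries the same scaling yields 1,384,100.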

 

Only 1.3 million computers left infected by Conficker.C (April 2)

By now the whole world has gone through April 1, and it is safe to say that the Conficker worm did not return as was commonly believed. This also coincides with what our Radar system has recorded.

As mentioned in our previous blog entry (http://security.bkis.vn/?p=391), this worm would not necessarily come back on April 1; it can return on any day after this Doomsday. Thus, two questions arise.

Firstly, why did April 1 pass without any worm update? Secondly, will Conficker come back, and if so, when?

Why did April 1 pass without any worm update?

It helps to look at the algorithm the Conficker creator uses to decide the return day:

GetDateTime(Year, Month, Day);
IF (Year >= 2009) and (Month >= 4) and (Day >= 1) THEN SearchforUpdate();
IF UpdateFound THEN GetUpdateFromInternet() ELSE RepeatThisProcessDaily;

This algorithm only means that from April 1 Conficker starts looking, among the 50,000 randomly generated domains, for the one from which it can update to its new version. If it succeeds, it downloads the version and updates itself. If not, it repeats the search each day.

What we all saw is that April 1 passed quietly, with no shocking news about Conficker's return. This was because the worm creator did not provide any new update on the Internet. And as long as the worm has not found any new instruction from its master, nothing happens.

Will Conficker come back, and if so, on which day?

Conficker was thought to return on April 1. However, the analysis above shows that this day is no different from April 2, 3, … The worm's code also shows that the malware poses the same risk on the subsequent days, and the return day depends entirely on Conficker's creator.

So will the worm return? Yes, it can. And when? On any day.

“Best practice is to protect your computer with the most recently updated tools and Microsoft's patch rather than waiting for the worm to return,” said Quang Tu Nguyen, CEO of Bkis. “It is like never knowing when an earthquake will strike: the rule of thumb is to get yourself prepared with a specially designed house rather than sitting still and trying to predict the day it comes.”

Finally, this is the latest update on globally infected computers that our Honeypot and Radar Systems recorded on April 1.

The number of infected computers in the world amounts to 1,384,100. China has the most computers infected by Conficker.C, with 13.68 percent, followed by Brazil with 10.44 percent.

In the previous mail we stated that Conficker might originate in China. We are currently monitoring the daily generated domain names closely in order to find clues about whoever created the worm.

Statistics

[Figure: Statistic of computers infected by Conficker.C]

[Figure: Conficker Global Monitoring System]

 

Reported from Asia and Europe: Conficker hasn't come back yet! Only 1.1 million computers left infected by Conficker.C (April 2)

Yesterday, Bkis set up two systems supervising the activity of Conficker around the clock. The first is a Honeypot to trap Conficker “calling home” globally. The second is the Bkis Radar System, which looks for the source of the distribution by scanning the 50 thousand domain names that Conficker might use on April 1st.

“Because the time zones vary between countries around the world, while America has just started the day of April 1st, most countries in Asia and Europe have already experienced it. The statistical results collected by the Bkis Radar and Honeypot Systems show that Conficker hasn't shown any sign that it is returning in Asia and Europe. However, this doesn't guarantee that the worm won't return on April 1st, as America still has 16 more hours to pass this day,” said Nguyen Tu Quang, Bkis CEO.

The Bkis Honeypot also reports that 1.1 million Conficker-infected computers “called home” from 102 Asian and European countries that have passed the first of April, among which China has the most computers infected by Conficker.C, with 17.57 percent, followed by Russia with 10.18 percent.

[Figure: Statistic of computers infected by Conficker.C]

[Figure: Conficker Global Monitoring System]

Our Honeypot has also recorded that the first call home came from Korea at 0:37 GMT. After 24 hours, most of the infected computers in Asian and European countries have called home. No new version of the worm has been distributed yet.

So the number of computers infected by Conficker.C has decreased compared with the previous statistic of 10 million computers. This might be because users have updated their Windows operating systems with the MS08-067 security patch and scanned their systems for viruses.

We will continue to track and update information when there are new happenings.

About Bkis

Leading Vietnamese Internet security company in the Asia-Pacific region and co-founder of APCERT (Asia Pacific Computer Emergency Response Teams). Bkis is known as an antivirus vendor with Bkav, the most popular antivirus software in Vietnam, which has more than 10 million users.

Recently, in September 2008, Bkis discovered the SaveAs function vulnerability in Google Chrome and a vulnerability in the face recognition algorithm of Asus, Lenovo and Toshiba laptops.

http://www.google.com/search?hl=en&num=100&q=bkis+chrome+flaw&btnG=Search

http://www.google.com/search?hl=en&num=100&q=bkis+face+recognition+fake+firm&btnG=Search

