Some tricks from Conficker's bag

Some tricks from Conficker's bag
There have been a lot of discussions about various aspects of Conficker, definitely the most prevalent worm in last couple of years. Symantec posted a nice series of articles about how Conficker is innovative in various things. One of those innovative things is the use of the autorun.inf file on USB removable media which I described at http://isc.sans.org/diary.html?storyid=5695. This time I will write about couple of features of this worm that haven't been mentioned much (or at all – or I missed them :). So, let's get busy. First thing you will notice when reverse engineering Conficker is that it checks whether it has been executed by rundll32.exe (remote infection through the Windows domain or from a USB stick) or if it was started inside the netsvcs service. Similarly to other malware, Conficker will "inject" itself into a remote process. Usually malware authors copy the whole body, but Conficker uses something different. So, when Conficker identifies the netsvcs process, it retrieves the full path to its DLL (i.e. full path to the USB device it was started from). This path is then copied to the target process in freshly allocated memory. Finally, Conficker calls the LoadLibrary() function in the remote process with the argument pointing to copied data, meaning itself. This results in LoadLibrary() loading the worm and executing it in the netsvcs service as a new thread. Cool trick – below you can see OllyDbg's screenshot when Conficker copies path to itself into the target process. The second interesting thing is related to the MS08-067 vulnerability. As you probably know by now, Conficker exploits this vulnerability in order to infect new machines. However, it does a very interesting thing once a machine gets infected. On infected machines Conficker will actually patch this vulnerability in memory! This is probably done to prevent other attackers from exploiting the same vulnerability (it will not get double-infected because Conficker uses a global mutex to stop other worms from running). Conficker will patch the NetpwPathCanonicalize() function from netapi32.dll by adding a jump to the patched function in its own body. This fact is especially important when cleaning machines – if you just remove the Conficker worm your machine will become vulnerable again unless you patched it. The machine might even get infected after you remove the worm and while you're patching it so make sure that you patch it before. Finally, to end this diary which is getting a bit long (but I hope you found it interesting), we'll analyze another action Conficker performs on infected machines: it will delete all System Restore points so the user will not be able to "just" revert back to a previous System Restore. Conficker does this by calling the srclient.dll library, ResetSR() function which is badly documented by Microsoft as well. This obviously didn't scare or stop the bad guys … Depending on time and feedback I might do more diaries about Conficker – it's certainly an interesting piece of malware with some (a lot?) of innovative features. Thanks to h4z4rd for sharing ideas and discussing Conficker with me. -- Bojan	Bojan 392 Posts ISC Handler Feb 9th 2009
Subscribe	Feb 9th 2009 1 decade ago
So, any clever way to make a \"hidden\", protected or spare copy of a system restore point? Or just stick with some other backup utility?	Anonymous
Quote	Feb 10th 2009 1 decade ago
Mike, I'd suggest using a third party backup utility, if you depend on such types of backup. Any System Restore point created by Windows can be easily removed by the worm - as far as I know there is no way of creating a hidden SR point.	Bojan 392 Posts ISC Handler
Quote	Feb 13th 2009 1 decade ago
Actually, I do not see it removing all restore points - in fact I see a number of removal tools -missing- Conficker C+ infections in the restore points. It does, however, disable safe mode quite effectively.	hacks4pancakes 48 Posts
Quote	Aug 12th 2009 1 decade ago

There have been a lot of discussions about various aspects of Conficker, definitely the most prevalent worm in last couple of years. Symantec posted a nice series of articles about how Conficker is innovative in various things. One of those innovative things is the use of the autorun.inf file on USB removable media which I described at http://isc.sans.org/diary.html?storyid=5695.

This time I will write about couple of features of this worm that haven't been mentioned much (or at all – or I missed them :). So, let's get busy.

First thing you will notice when reverse engineering Conficker is that it checks whether it has been executed by rundll32.exe (remote infection through the Windows domain or from a USB stick) or if it was started inside the netsvcs service. Similarly to other malware, Conficker will "inject" itself into a remote process. Usually malware authors copy the whole body, but Conficker uses something different. So, when Conficker identifies the netsvcs process, it retrieves the full path to its DLL (i.e. full path to the USB device it was started from). This path is then copied to the target process in freshly allocated memory. Finally, Conficker calls the LoadLibrary() function in the remote process with the argument pointing to copied data, meaning itself. This results in LoadLibrary() loading the worm and executing it in the netsvcs service as a new thread. Cool trick – below you can see OllyDbg's screenshot when Conficker copies path to itself into the target process.

OllyDbg

The second interesting thing is related to the MS08-067 vulnerability. As you probably know by now, Conficker exploits this vulnerability in order to infect new machines. However, it does a very interesting thing once a machine gets infected. On infected machines Conficker will actually patch this vulnerability in memory! This is probably done to prevent other attackers from exploiting the same vulnerability (it will not get double-infected because Conficker uses a global mutex to stop other worms from running). Conficker will patch the NetpwPathCanonicalize() function from netapi32.dll by adding a jump to the patched function in its own body.

This fact is especially important when cleaning machines – if you just remove the Conficker worm your machine will become vulnerable again unless you patched it. The machine might even get infected after you remove the worm and while you're patching it so make sure that you patch it before.

Finally, to end this diary which is getting a bit long (but I hope you found it interesting), we'll analyze another action Conficker performs on infected machines: it will delete all System Restore points so the user will not be able to "just" revert back to a previous System Restore. Conficker does this by calling the srclient.dll library, ResetSR() function which is badly documented by Microsoft as well. This obviously didn't scare or stop the bad guys …

Depending on time and feedback I might do more diaries about Conficker – it's certainly an interesting piece of malware with some (a lot?) of innovative features.

Thanks to h4z4rd for sharing ideas and discussing Conficker with me.

--
Bojan

Bojan

392 Posts
ISC Handler

Feb 9th 2009

So, any clever way to make a \"hidden\", protected or spare copy of a system restore point? Or just stick with some other backup utility?

Anonymous

Mike, I'd suggest using a third party backup utility, if you depend on such types of backup. Any System Restore point created by Windows can be easily removed by the worm - as far as I know there is no way of creating a hidden SR point.

Bojan

392 Posts
ISC Handler

Actually, I do not see it removing all restore points - in fact I see a number of removal tools -missing- Conficker C+ infections in the restore points. It does, however, disable safe mode quite effectively.

hacks4pancakes

48 Posts