Tribute to Conficker


Post by root86 on Sun Jul 05, 2009 3:08 pm

Tribute to Conficker

Video about the Structure of Conficker.C
Watch the Video

######################################################################################################

Intrusion Detection Signatures

Conficker uses a hardcoded XOR key to encode its shellcode. This creates static patterns, which make it possible to detect exploitation attempts and may be used to identify infected machines. The signatures we have created for Conficker.A and .B are:

Conficker.A
Code:

alert tcp any any -> $HOME_NET 445 (msg: "conficker.a shellcode"; content: "|e8 ff ff ff ff c1|^|8d|N|10 80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000001; rev: 1;)


Conficker.B
Code:

alert tcp any any -> $HOME_NET 445 (msg: "conficker.b shellcode"; content: "|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|"; sid: 2000002; rev: 1;)



######################################################################################################

Conficker.C Domain Collisions

Figure 1: Number of Conficker.C collisions with existing domains for April 2009.

Conficker.A and .B create 250 domains per day, from which they try to download updates. Conficker.C, unlike its predecessors, creates 50,000 domains per day. Furthermore, Conficker.C domain names are only 4-9 characters long, compared to 8-11 characters for variants .A and .B. The large number of domains and the shorter names result in a lot of collisions with real domain names.

We have pre-computed all domain names for April 2009 and looked the domains up in order to find collisions. Figure 1 shows the number of collisions for each day.



Conficker.C will create about 150-200 collisions with existing domains per day. The large number of generated domains and the fact that not every domain is contacted on a given day will probably prevent DDoS situations.

Figure 2 shows the number of conflicts each IP address generates. There are some IPs with a remarkable number of occurrences.


You may want more than just Conficker.C domains, and probably more than just April. Just download our Downatool2 from above and generate the domains yourself. If you like the tools, tell us by sending an e-mail.

Statistics about future collisions will be published here. Just tune in again.



######################################################################################################

Background and Paper

All the tools and data found on this web-site are derived from reverse engineering and analyzing Conficker. The description of our approaches, and especially the extracted algorithms and relations, is given in our paper: Infos

Conficker Crew: Visit Crew

######################################################################################################

I hope you like it :)

root86
Join date: 2009-06-28
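
As an added example (not part of root86's post, and not one of the Conficker Crew's tools), the Python below turns the two Snort `content` strings from the post into raw bytes, locates the decoder stub they begin with, and emulates that stub to recover the plaintext of the shellcode prefix the signatures capture. The XOR key 0xC4 and the terminator words "EP" (.A) and "MS" (.B) are read directly from the signature bytes: `80 31 c4` is `xor byte [ecx],0xc4` and `66 81 39 45 50` / `66 81 39 4d 53` is the `cmp word [ecx],imm16` that ends the loop. The matcher generalizes one step beyond the two rules by leaving the stub's register choice, key and terminator as wildcards, so it reports whatever key and terminator it finds. The round-trip helper, the padding bytes and the five-byte plaintext in `demo_roundtrip` are constructed test data.

```python
# Added example, not from the post or the Conficker Crew's tools: parse the
# Snort 'content' strings of the two rules, locate the XOR decoder stub they
# match, and emulate that stub to decode the captured shellcode prefix.
import re

# The 'content' strings of the two rules in the post, copied verbatim
# (line breaks of the post fall inside |hex| blocks, so joining with a
# space changes nothing).
SIG_A = (
    r'|e8 ff ff ff ff c1|^|8d|N|10 '
    r'80|1|c4|Af|81|9EPu|f5 ae c6 9d a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c '
    r'cc|IrX|c4 c4 c4|,|ed c4 c4 c4 94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 '
    r'c4 c4 f7 16 96 96|O|08 a2 03 c5 bc ea 95|\;|b3 c0 96 96 95 92 '
    r'96|\;|f3|\;|24|i| 95 92|QO|8f f8|O|88 cf bc c7 0f f7|2I|d0|w|c7 95 '
    r'e4|O|d6 c7 17 f7 04 05 04 c3 f6 c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 '
    r'dc b6 1b|O|95 e0 c7 17 cb|s|d0 b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 '
    r'a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab aa c4|]|e7 99 1d ac b0 b0 b4 fe eb '
    r'eb|'
)
SIG_B = (
    r'|e8 ff ff ff ff c2|_|8d|O|10 80|1|c4|Af|81|9MSu|f5|8|ae c6 9d '
    r'a0|O|85 ea|O|84 c8|O|84 d8|O|c4|O|9c cc|Ise|c4 c4 c4|,|ed c4 c4 c4 '
    r'94|&<O8|92|\;|d3|WG|02 c3|,|dc c4 c4 c4 f7 16 96 96|O|08 a2 03 '
    r'c5 bc ea 95|\;|b3 c0 96 96 95 92 96|\;|f3|\;|24 |i|95 92|QO|8f f8|O|88 '
    r'cf bc c7 0f f7|2I|d0|w|c7 95 e4|O|d6 c7 17 cb c4 04 cb|{|04 05 04 c3 f6 '
    r'c6 86|D|fe c4 b1|1|ff 01 b0 c2 82 ff b5 dc b6 1f|O|95 e0 c7 17 cb|s|d0 '
    r'b6|O|85 d8 c7 07|O|c0|T|c7 07 9a 9d 07 a4|fN|b2 e2|Dh|0c b1 b6 a8 a9 ab '
    r'aa c4|]|e7 99 1d ac b0 b0 b4 fe eb eb|'
)


def snort_content_to_bytes(content):
    """Decode a Snort 'content' string: text outside |...| is literal (a
    backslash escapes ; " \\ and |), text inside |...| is whitespace-separated hex."""
    out = bytearray()
    i, n, in_hex = 0, len(content), False
    while i < n:
        ch = content[i]
        if ch == '|':
            in_hex = not in_hex
            i += 1
        elif in_hex:
            if ch.isspace():
                i += 1
            else:
                out.append(int(content[i:i + 2], 16))
                i += 2
        elif ch == '\\':
            out.append(ord(content[i + 1]))
            i += 2
        else:
            out.append(ord(ch))
            i += 1
    if in_hex:
        raise ValueError("unterminated |hex| block")
    return bytes(out)


# Decoder stub shared by the .A and .B shellcode (bytes taken from the rules):
#   e8 ff ff ff ff        call $-1   ; pushes the address of byte 5, lands on byte 4
#   ff c1 / ff c2         inc ecx/edx ; the call's last ff doubles as this opcode
#   5e / 5f               pop esi/edi ; reg = address of byte 5
#   8d 4e 10 / 8d 4f 10   lea ecx,[reg+0x10] ; ecx = byte 0x15 = first encoded byte
#   80 31 KEY             xor byte [ecx],KEY  (KEY = c4 in both rules)
#   41                    inc ecx
#   66 81 39 MM MM        cmp word [ecx],MARKER ('EP' in .A, 'MS' in .B)
#   75 f5                 jnz back to the xor
# Register, key and marker are wildcards so one matcher covers both variants.
STUB_RE = re.compile(
    rb'\xe8\xff\xff\xff\xff[\xc0-\xc7][\x58-\x5f]\x8d[\x48-\x4f]\x10'
    rb'\x80\x31(.)\x41\x66\x81\x39(..)\x75\xf5', re.DOTALL)
STUB_LEN = 0x15  # encoded data starts right after the 21-byte stub


def find_decoder(data):
    """Return (offset, xor_key, marker) of the first decoder stub in data, or None."""
    m = STUB_RE.search(data)
    if not m:
        return None
    return m.start(), m.group(1)[0], m.group(2)


def decode_shellcode(data, stub_off, key, marker):
    """Emulate the loop: XOR each byte with key from stub_off+0x15 until the RAW
    word at the next position equals marker (the cmp reads undecoded bytes).
    Returns (plaintext, complete); complete is False when the buffer ends before
    the marker, which is the case for the signatures, as they are only a prefix."""
    i = stub_off + STUB_LEN
    out = bytearray()
    while i < len(data):
        out.append(data[i] ^ key)
        i += 1
        if data[i:i + 2] == marker:
            return bytes(out), True
    return bytes(out), False


def scan(stream):
    """Scan a byte stream (e.g. a reassembled SMB session to port 445) for the
    encoded Conficker shellcode; return a report dict or None."""
    hit = find_decoder(stream)
    if hit is None:
        return None
    off, key, marker = hit
    plain, complete = decode_shellcode(stream, off, key, marker)
    return {"offset": off, "key": key, "marker": marker,
            "plain": plain, "complete": complete}


def encode_like_conficker(plain, stub, key, marker):
    """Constructed helper: wrap plain the way the worm does (XOR with key,
    followed by the raw marker the loop compares against)."""
    enc = bytes(b ^ key for b in plain)
    if marker in enc:
        raise ValueError("encoded body would contain the marker early")
    return stub + enc + marker


def demo_roundtrip():
    """Constructed round trip: put a tiny plaintext behind the .A stub, bury it in
    padding, and check that scan() finds it and decodes it completely."""
    stub_a = snort_content_to_bytes(SIG_A)[:STUB_LEN]
    plain = b"\x90\x90\x31\xc0\xc3"  # nop; nop; xor eax,eax; ret (constructed)
    payload = b"A" * 40 + encode_like_conficker(plain, stub_a, 0xC4, b"EP") + b"\x00" * 8
    return scan(payload)


if __name__ == "__main__":
    for name, sig in (("A", SIG_A), ("B", SIG_B)):
        r = scan(snort_content_to_bytes(sig))
        print(name, "key=%#x marker=%r complete=%s" % (r["key"], r["marker"], r["complete"]))
        print("   plaintext prefix:", r["plain"][:24].hex())
    print("round trip:", demo_roundtrip())
```

Running it on the two signatures shows that both carry the same key and that the first decoded bytes of .A (`6a 02 59 64 8b 41 2e 8b 40 0c ...`) are a PEB walk (`push 2; pop ecx; mov eax,fs:[ecx+0x2e]`, then `Ldr`, module list, `DllBase`), with .B prepending a `cld`; `complete` is False for both because the rules match only a prefix of the encoded blob. On live traffic the same scan must run over the reassembled stream, as the Snort rules do, since the 21-byte stub can straddle TCP segment boundaries.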
