There have been new developments in the Conficker arena within the past couple of days. We would like to inform those who are concerned that the MMPC is working to make sure you have the information you need, first to be protected from any threat; and second, to provide you with a full understanding of the threat itself.
There have been primarily two new binaries reported. We are pleased to report that Microsoft products such as Windows Live OneCare, the Windows Live OneCare safety scanner, and the Forefront family of products were able to detect both of these newly reported binaries with existing signatures, with no update required: they are reported as Worm:Win32/Conficker.D and Worm:Win32/Conficker.gen!A respectively. Specific detections have since been added for the new variants as Worm:Win32/Conficker.D and Worm:Win32/Conficker.E.
The first item (MD5: EB0787C5B388C685B406ED46AE077536/SHA1:4887AB470FF4E49BB5F7D01331F3DF16B2BB507B) was a minor change to the existing .D variant(s). Existing signatures report this variation as Worm:Win32/Conficker.D. Minor differences found in this variation include:
Additions to the list of programs that are prevented from running on infected systems; the new entries are programs whose names contain these substrings:
In addition, the following domain substrings are blocked:
Of note, a number of security tools and sites that were prominent in the run-up to April 1 are no longer usable by a user who is infected with this version.
To reiterate, however: no updates or changes in posture are required by anyone who uses Microsoft tools.
The second newly discovered binary, the one that is drawing attention in the media as .E (MD5: 677daa8bf951ecce8eae7d7ee0301780/SHA1: 879e553b472242f3ec5a7f9698bb44cad472ff3b), is still being dissected by our malware research lab (which is why I can be spared to write this rather than them). Existing signatures report this variation as Worm:Win32/Conficker.gen!A.
At first glance, this variant was considered a variant of .A, and as fortune would have it, Microsoft products were also able to detect this new variant with existing signatures, no updates required. However, deeper analysis shows the following (reminder: we are continuing to research this, but the differences are significant enough that we will be designating this new variant as Conficker.E):
- Exploits MS08-067
- Contains code to spread via network shares
- Drops a driver similar to early variants, using the same mechanisms as Conficker.B.
- Opens a web listener on a pseudo-random port between 1024 and 9999 based on the volume serial number of the system drive.
- Appears to append a stream of randomly generated garbage to itself before offering itself for further propagation. (This will result in untrustworthy file identification information, like the hashes I use above to tell other researchers which specific variant I am talking about; but our community can work its way around that.)
- Contains some of the same IP-filtering used in Conficker.D (it avoids certain IP ranges)
- Periodically connects to the following URLs to check for internet connectivity:
- Periodically connects to one of the following sites (at random) to determine its external IP address:
- Deletes itself on and after May 3rd 2009
- Uses SSDP to find Internet gateway devices (i.e. routers) and issues a SOAP command on the device to open an external TCP port and redirect it to an internal IP:port.
- Does NOT appear to have the P2P protocol code. *Correction: drops a DLL component that contains P2P functionality.*
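As an added example (not code from this post or from the MMPC), here is a small Python parser for the UPnP IGD AddPortMapping SOAP request that the SSDP item above describes, run over a constructed sample request rather than captured traffic; the triage thresholds in review_mapping are my assumption, not a signature from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not captured traffic) of the UPnP IGD SOAP request the post
# describes: AddPortMapping on WANIPConnection, forwarding an external TCP port inward.
SAMPLE_ADD_PORT_MAPPING = """<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">
  <s:Body>
    <u:AddPortMapping xmlns:u="urn:schemas-upnp-org:service:WANIPConnection:1">
      <NewRemoteHost></NewRemoteHost>
      <NewExternalPort>4312</NewExternalPort>
      <NewProtocol>TCP</NewProtocol>
      <NewInternalPort>4312</NewInternalPort>
      <NewInternalClient>192.0.2.23</NewInternalClient>
      <NewPortMappingDescription></NewPortMappingDescription>
      <NewLeaseDuration>0</NewLeaseDuration>
    </u:AddPortMapping>
  </s:Body>
</s:Envelope>"""

def _local(tag):
    """Strip the namespace prefix so elements can be matched by bare name."""
    return tag.rsplit('}', 1)[-1]

def parse_port_mapping(soap_xml):
    """Return the AddPortMapping fields as a dict, or None for any other action."""
    root = ET.fromstring(soap_xml)
    for elem in root.iter():
        if _local(elem.tag) == 'AddPortMapping':
            f = {_local(c.tag): (c.text or '').strip() for c in elem}
            return {
                'external_port': int(f['NewExternalPort']),
                'protocol': f['NewProtocol'].upper(),
                'internal_port': int(f['NewInternalPort']),
                'internal_client': f['NewInternalClient'],
                'description': f['NewPortMappingDescription'],
                'lease': int(f['NewLeaseDuration']),
            }
    return None

def review_mapping(mapping):
    """Heuristic triage (an assumption, not a signature from the post): flag a TCP
    forward onto a 1024-9999 port with no description and a permanent lease."""
    reasons = []
    if mapping['protocol'] == 'TCP' and 1024 <= mapping['internal_port'] <= 9999:
        reasons.append('tcp forward to high port 1024-9999')
    if not mapping['description']:
        reasons.append('empty mapping description')
    if mapping['lease'] == 0:
        reasons.append('permanent lease')
    return reasons
```

Feeding SOAP bodies captured at the gateway or on a monitoring span into parse_port_mapping and reviewing the result is one way to spot hosts asking the router for an inbound path they should not need.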
With all these differences, it is important to note one very key difference between the .E variant and the previous A-D variants: the .E variant executes alongside the Conficker.D infection already present on that machine. So, for instance, not having the code to check URLs for updates is not significant, as the machine is already doing that under Conficker.D’s guidance. The same goes for the last note about the P2P protocol and other such things.
To keep abreast of developments regarding Conficker, please check http://www.microsoft.com/conficker. As we fill out the details on .E, you will be able to find it here [http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.E]. And if there is other significant or breaking news, we will be back with more information here, on our blog.
Lastly, the press is filling up with conjectures and theories on who and what else is associated with this activity. There are more layers yet to unravel. We would like to gather more evidence before commenting on those thoughts.
My thanks to Aaron Putnam, Vincent Tiu, and Cristian Craioveanu as they continue peeling apart the layers of this onion.
-- Jimmy Kuo
PS: My heart-felt wishes for everyone to have a good Friday.