Jump to content

Check out our Community Blogs

Register and join over 40,000 other developers!

Recent Status Updates

View All Updates

- - - - -

Conficker??? real or fake

  • This topic is locked This topic is locked
17 replies to this topic

#13 Pro


    CC Lurker

  • Just Joined
  • Pip
  • 6 posts

Posted 24 June 2009 - 12:54 PM



No, Conficker is real. Unless all this is just some made up by magic voodoo CIA/NSA agent controlling google to put out a fake worm that never existed. Also the magic voodoo CIA/NSA agent would have to pay off all of those reverse engineers, anti malware companies, and random bloggers / pod casters around the world reporting there findings. It's real, sorry.


This worm does do some revolutionary stuff when it comes to malware. Although it spreads using some "old methods" the way it authenticates is in my opinion beautiful. Not saying its new, but it's new to malware.

It's also unlikely that "they" wanted this attention. However "they" did prepare for it seeing how it wont target anything in Poland (if I recall correctly). Likely done to avoid getting arrested if found out.
  • 0

#14 Showstopper


    CC Addict

  • Advanced Member
  • PipPipPipPipPip
  • 145 posts

Posted 04 July 2009 - 07:33 AM

How Conficker makes use of MS08-067 ?

This article concerns the spreading technique used by this virus, particularly the way it exploits the MS08-
067 security vulnerability in the Server Service of Windows.

MS08-067 Technical Details.
RPC protocol in Server Service supports a remote procedure converting any path (for instance,
\\C\Program Files\..\Windows) to Canonicalization path (\\C\Windows). But Windows does not handle well
overly long path, resulting in buffer overrun.
To concretize, Windows (svchost process) uses NetpwPathCanonicalize() function of netapi32.dll library
to perform the above mentioned operation. The pseudo-code comes following:
func _NetpwPathCanonicalize(wchar_t* Path)
// check Path length
if( !_function_check_length(Path) )
func _CanonicalizePathName(wchar_t* Path)
// protect stack with cookie - /GS
wchar _wcsBuffer[420h];
// this is the function causing the overrun
// converting function
As we can see from the pseudo-code, NetpwPathCanonicalize() checks the length of the path before
passing it into CanonicalizePathName() function. However, CanonicalizePathName() uses wcscat() to
copy the path into a local variable (wcsBuffer). The consequence is that the function wouldn’t create a
buffer-overflow in the first run but it would in the subsequents. For example, the contents of wcsBuffer
after each call to this function would be:
- Call 1 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a”
- Call 2 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a”
- Call 3 : wcsBuffer = “\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a\\a\aaaaa\aaaa\..\..\a”
So we can definitely overflow Server Service with several calls to NetpwPathCanonicalize() function
remotely providing appropriate path length. Up to this point, it seems as if the road had been cleared out.
But two other obstacles appear:
Cookie: The CanonicalizePathName() function was built with /GS option, which protects it with a
cookie put before the return address. Whenever the return address is overwritten, so is the cookie
and the system therefore knows that a buffer overflow has been encountered.
DEP: the process of Server Service (svchost.exe) is protected with DEP by default. As a result, if
Shellcode is put on stack, DEP won’t allow code execution.
What exploiting techniques were used by Conficker?
Now let’s draw our attention to a function used in CanonicalizePathName(), which is called
ConvertPathMacros() by Microsoft. This function does not perform any check against the cookie and
hence was taken advantage by Conficker to redirect control to Shellcode.
The article of Microsoft [2] also mentioned the ConvertPathMacros() function but did not describe its role
in the exploitation correctly. More precisely, Microsoft pointed out that this function used a local variable
to store the buffer and the exploitation would overflow it in order to overwritten the return address of
But in actuality, ConvertPathMacros() does not have any portion of code that directly copies and
overflows such local buffer. It is made possible to overwrite the return address of this function owing to a
weakness in its string processing algorithm. As a consequence, wcscpy() function, which is called within
ConvertPathMacros(), has its return address overwritten.
For DEP bypassing, Conficker makes use of ZwSetInformationProcess() function to disable DEP in
runtime mode. After that, Conficker redirects control to Shellcode on stack.
Conficker uses instructions available in AcGenral.dll library, which is loaded by svchost, to overcome both
previous protection mechanisms.
So with this method of exploiting, Conficker just needs to call NetpwPathCanonicalize() one time to
successfully attack.
Spreading module of Conficker
Using above exploiting techniques, Conficker can exploit many different Windows versions (XP SP2/SP3,
English, Italian,...). With a particular IP address, Conficker will try attacking with a lot of malicious code,
each for one version of Windows. This increases the rate of success. Here comes the pseudo-code:
func __Thread_Attack (IpAddress)
// Create an Url for shellcode to download virus.
url = Make_Url_Download();
// If connection fails, abort.
if( ! IsConnect(IpAddress)) return;
// Create attacking buffer, each time call Make_Buffer(),
// a buffer for a particular Windows version will be created.
buffer = Make_Buffer(url, buffer);
// Attack
Attack(IpAddress, buffer);
// Wait 1 second, if successfully exploit, break from the loop.
// if not, try the next exploiting buffer.
if( WaitForSingleObject(1000) != WAIT_TIMEOUT ) break;
Conficker Shellcode activity
- Decode (Xor with 0xC4).
- Get the addresses of necessary API functions: LoadLibrary(), ExitThread().
- Load urlmon.dll library into the process.
- Get the address of URLDownloadToFileA() function in urlmon.dll.
- Download virus from the attacking computer using http protocol.
- Source address used for download: http://xxxxxx:port/xxxxx
- Downloaded virus is saved under the name x.
- Kill the thread (ExitThread).

After reversing Conficker, I found 51 Windows versions that could be attacked by Conficker (SP1, SP2
SP3 and languages are considered different versions). One interesting thing is that the addresses of the
exploiting module for different versions of Windows used by Conficker are the same as those of
metasploit exploit code. This shows high possibility that the virus creator take these addresses from
metasploit. The following a list of operating system susceptible to Conficker.
1 Windows 2000.
2 Windows XP SP2/SP3 English.
3 Windows XP SP2/SP3 Arabic.
4 Windows XP SP2/SP3 Taiwan.
5 Windows XP SP2/SP3 Chinese.
6 Windows XP SP2/SP3 Czech.
7 Windows XP SP2/SP3 Danish.
8 Windows XP SP2/SP3 German.
9 Windows XP SP2/SP3 Greek.
10 Windows XP SP2/SP3 Spanish.
11 Windows XP SP2/SP3 Finnish.
12 Windows XP SP2/SP3 French.
13 Windows XP SP2/SP3 Hebrew.
14 Windows XP SP2/SP3 Hungarian.
15 Windows XP SP2/SP3 Italian.
16 Windows XP SP2/SP3 Japanese.
17 Windows XP SP2/SP3 Korean.
18 Windows XP SP2/SP3 Dutch.
19 Windows XP SP2/SP3 Norwegian.
20 Windows XP SP2/SP3 Polish.
21 Windows XP SP2/SP3 Brazilian.
22 Windows XP SP2/SP3 Portuguese.
23 Windows XP SP2/SP3 Russian.
24 Windows XP SP2/SP3 Swedish.
25 Windows XP SP2/SP3 Turkish.
26 Windows 2003 SP1/SP2 English.
  • 0

#15 dirkfirst


    CC Addict

  • Just Joined
  • PipPipPipPipPip
  • 351 posts

Posted 06 July 2009 - 05:51 AM

I heard a lot about this virus but I haven't heard of anyone becoming infected. Did anyone get this virus?
  • 0

#16 Showstopper


    CC Addict

  • Advanced Member
  • PipPipPipPipPip
  • 145 posts

Posted 06 July 2009 - 07:15 AM

I heard a lot about this virus but I haven't heard of anyone becoming infected. Did anyone get this virus?

Yeah there was an educated guess that the botnet had around 10million people. I dont know how they came up with that but I would disagree. I have analyzed HJT logs that had conficker.
  • 0

#17 tavichh


    CC Addict

  • Senior Member
  • PipPipPipPipPip
  • 399 posts
  • Location:Delaware
  • Programming Language:C#
  • Learning:C++, PHP, JavaScript

Posted 05 September 2013 - 02:32 AM

so it's a self sustaining c2c RAT virus.

  • 0
Send a like my way if I helped you or if you found my post useful or even just enjoyed reading my post.
Thank you :)

#18 dargueta


    I chown trolls.

  • Moderator
  • 4854 posts
  • Programming Language:C, Java, C++, PHP, Python, JavaScript, Perl, Assembly, Bash, Others
  • Learning:Objective-C

Posted 07 September 2013 - 07:41 PM

Please don't post on threads more than, say, about a month old unless it's a tutorial. This over four years old. :)

  • 1

sudo rm -rf / && echo $'Sanitize your inputs!'

Recommended from our users: Dynamic Network Monitoring from WhatsUp Gold from IPSwitch. Free Download