The Conficker Worm
Written by mel bel   
Monday, 02 March 2009 00:00

The Conficker worm, also known as Downup, Downadup or Kido, first appeared in October 2008. The worm targets systems
that run the Microsoft Windows operating system (e.g. Windows 2000/2003, Windows XP, Windows Vista and Windows 2008). Researchers
believe that Conficker was able to propagate through the Internet and infect more than 10 million connected systems. The worm was
programmed to communicate with its bot servers on the 1st April 2008.

Although the original worm, namely Conficker A, propagated through the Internet by exploiting the MS08-067 vulnerability
(http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx), at least five different variants of it were discovered.
These variants had different characteristics, which caused headaches for security vendors and administrators. The worm can affect
systems that use a firewall but have the file and print sharing services enabled.

The other versions of Conficker were discovered on later dates. These variants use the same Microsoft vulnerability
to propagate but also have the ability to perform dictionary attacks on the local Administrator account password. One extra feature
used by the later variants of Conficker is a DLL-based autorun trojan that infects removable media. In practice, each Conficker
version can update itself to a newer version over the system's Internet connection. The first version of Conficker incorporates a
Ukraine-avoidance routine that causes the process to terminate itself if the keyboard layout has been set to Ukrainian. Other versions
of Conficker do not include this keyboard check.

Conficker exploits a vulnerability in the Server service on Windows computers: an already-infected source
computer sends a specially crafted RPC request to force a buffer overflow and execute shellcode on the target computer. After successful
exploitation, Conficker runs an HTTP server on the infected host on a port between 1024 and 10000. The attacker's shellcode then
connects to this HTTP server to download a copy of the worm in DLL form, which it then attaches to svchost.exe. Variants B and later may
attach themselves to services.exe or the Windows Explorer process. Although most worms contact only a small number of Internet sites
to download additional tools (and are therefore easy to discover and shut down), Conficker uses a very large number of pseudo-randomly
generated domains. Communication between the Conficker agent and the servers is always encrypted to avoid interception.

Some versions of Conficker (B, C and D) search for NetBIOS-visible computers and remotely execute the worm code through the ADMIN$ share.
If the share is password protected, Conficker uses dictionary attacks to discover the required password.
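As an added example, not code from the original post, the following Python flags the behaviour just described: bursts of failed logons to an administrative share using the Administrator account from a single source host, which is the trace a dictionary attack leaves in authentication logs. The log format is constructed for the example and is not any real product's format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real product's format):
# "<ISO timestamp> <source_ip> <target_host> <account> <share> <result>"
SAMPLE_LOG = """\
2009-03-02T10:00:01 10.0.0.15 FILESRV01 Administrator ADMIN$ FAILURE
2009-03-02T10:00:02 10.0.0.15 FILESRV01 Administrator ADMIN$ FAILURE
2009-03-02T10:00:03 10.0.0.15 FILESRV01 Administrator ADMIN$ FAILURE
2009-03-02T10:00:04 10.0.0.15 FILESRV01 Administrator ADMIN$ FAILURE
2009-03-02T10:00:05 10.0.0.15 FILESRV01 Administrator ADMIN$ FAILURE
2009-03-02T10:00:06 10.0.0.15 FILESRV01 Administrator ADMIN$ FAILURE
2009-03-02T10:00:20 10.0.0.15 FILESRV01 Administrator ADMIN$ SUCCESS
2009-03-02T10:05:00 10.0.0.22 FILESRV01 jsmith ADMIN$ FAILURE
2009-03-02T11:30:00 10.0.0.22 FILESRV01 Administrator ADMIN$ FAILURE
"""

def parse_line(line):
    ts, src, host, account, share, result = line.split()
    return {"ts": datetime.fromisoformat(ts), "src": src, "host": host,
            "account": account, "share": share, "result": result}

def find_guessing_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Map (src, host) -> (total_failures, success_after_burst) for sources with
    >= threshold failed Administrator logons to an admin share in one window."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    by_pair = defaultdict(list)
    for e in events:
        # Only the behaviour described in the text: Administrator + admin share
        if e["account"].lower() == "administrator" and e["share"].endswith("$"):
            by_pair[(e["src"], e["host"])].append(e)
    alerts = {}
    for pair, evs in by_pair.items():
        fails = [e["ts"] for e in evs if e["result"] == "FAILURE"]
        start, peak = 0, 0
        for end in range(len(fails)):  # sliding window over sorted failures
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            # A success after the last failure suggests the guessing worked
            succeeded = any(e["result"] == "SUCCESS" and e["ts"] > fails[-1]
                            for e in evs)
            alerts[pair] = (len(fails), succeeded)
    return alerts
```

On the sample log only 10.0.0.15 is reported (six failures in under a minute, then a success); the single Administrator failure from 10.0.0.22 and the jsmith failures stay below the threshold.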

To ensure that Conficker is still able to communicate even if the user has blocked DNS lookups and automatic updates, Conficker D patches
DNSAPI.DLL in order to block communication with anti-malware websites. Other tricks Conficker D uses to protect itself are
disabling Safe Mode and killing services run by anti-malware software.

A very good technical analysis of Conficker can be found at http://mtc.sri.com/Conficker/

For protection advice please follow this link: http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

Last Updated on Friday, 19 June 2009 16:09