Conficker contains a piece of code that has been object of speculation: It does not infect boxes located in the Ukraine. Before sending an exploit, it performs a lookup against Maxmind’s GeoIP database, which is freely available, and skips the host if the returned country code is UA. While the B variant comes with a copy of the database embedded, the A variant downloads the file from Maxmind’s server. A couple of days ago Felix had the idea to deliver a specially crafted database that maps every IP address to the Ukrain. The database format is actually quite simple, and he managed to create a valid database that places the whole Internet around Kiev.

Many people have asked us, how Conficker looks like. That’s a tough question for something that’s hidden and tries to be as stealthy as possible. The last time somebody asked me: “Can you show me Conficker?”, I decided to visualize Conficker. Here is a little video that shows the evil core of Conficker.C.

The video is a 3D animation of the functions inside Conficker.C and their functional relationships. Yellow balls are functions found inside Conficker. Green loops are functions imported from Dlls and red boxes are jump holes into other functions. The video shows the way our tools analyze Conficker and the derivation of dependencies among the control flow graph.

Today we released version 2 of our Simple Conficker Scanner (SCSv2). It contains a new scanning method which allows for detection of machines infected with the recent Conficker version (D or E, depending on the naming scheme - the tool calls it D). Although the patch to the vulnerable function NetpwPathCanonicalize() was updated in the new variant, the RPC response codes for specially crafted requests are still different for infected machines. This enabled us to write a network scanner to distinguish Conficker zombies from clean hosts. The scanning results look like this:

Joe Stewart from the Conficker Working Group has created an eye chart that allows for online identification of Conficker B and C infections. The idea of trying to load content from sites that are blocked by Conficker is really smart. We wrote our own page based on their method with the goal to make the results as clear as possible (note this only requires a substring match on a pattern in Conficker’s blacklist, rather than a complete domain name match). This detection method should be more reliable than network scanning based tests. Happy scanning!

The Honeynet Project is very excited to announce a new scanning tool for detecting Conficker and an upcoming Know Your Enemy paper detailing how to contain Conficker.  Both the paper and the tool have been developed by Honeynet Project members Tillmann Werner and Felix Leder.  The tool was developed over the weekend, in co-ordination with Dan Kamisnky, and this tool is now publicly available and is in the process of being integrated into most major vulnerability scanning tools, including Nmap.  The Know Your Enemy paper describing in far greater detail how to contain Conficker and the tool itself, will be released in the next forty-eight hours.  Both the scanning tool and the paper have been developed and coordinated with the efforts of the Conficker Working Group. We would like to thank them for their tremendous support, guidance and input on this research.

As you know, bad things are going to happen on April 1st: people will be sending out emails to their friends, telling silly jokes and putting MTAs under a higher load. Besides that (but not quite that bad), Conficker will activate its domain name generation routine to contact command-and-control servers. We have been researching this piece of malware recently, with a focus on how to detect Conficker-infected machines. Felix and I had a discussion with Dan Kaminsky about the possibilities to actively detect Conficker and wrote a scanner for this task. Our proof-of-concept code is publicly available and can be downloaded from here. The output looks like this:

The Honeynet Project is excited to announce the release of Know Your Enemy: Containing Conficker.    In this paper we present several potential methods to contain Conficker. The approaches presented take advantage of the way Conficker patches infected systems, which can be used to remotelydetect a compromised system. Furthermore, we demonstrate various methods to detect and remove Conficker locally and a potential vaccination tool is presented. Finally, the domain name generation mechanism for all three Conficker variants is discussed in detail and anoverview of the potential for upcoming domain collisions in version .C is provided. Tools for all the ideas presented  are freely available for download including source code.  This paper was authored by Tillmann Werner and Felix Leder.