Conficker! How to get infected?

I downloaded all currently available files that are labeled as Conficker and cannot get infected.
Setup: WinXP SP2 clean _physical_ server, not patched further than SP2.
Tried running it as an exe, tried renaming it to .dll and running it from load_dll.exe.
Still no luck.

Looked at the traffic, and nothing changes.

Can anybody recommend anything to get infected?

additional info

Sorry, forgot to mention: the error I get most of the time is "not a valid win32 application", in some cases "program too big for memory".

Me too! How can we solve?!

Here is what I did...

I had a lot of problems with this too. The easiest way that I found is to use Conficker.B, attach a _completely blank but formatted_ USB drive, and then try:

rundll32 conficker.b.file.renamed.to.dll,

It won't do anything, since the entry point will be invalid, but it will invoke Conficker enough to infect your USB drive. If you wait a few minutes and then do a dir /ah, you will see a randomly named directory under RECYCLER (which is also new). If you navigate this directory, you should see a randomly named .dll.

Remove the USB drive. Reinsert it. Start sniffing...in a few minutes, you should see the initial web requests to getmyip.org and the other external IP address discovery sites.

Now, all that said, my version has not updated to Conficker.C or later after having been alive for days. All it does is scan the lab net looking for hosts with ARP and then probe them on port 445. It has also not attempted to contact the random web rendezvous since the initial attempts.

Hope this helps,
Rob

Thanks, but it still does not work.
What file did you download?

I just noticed that the posting cropped something I had typed, the proper cmd for rundll32 should be:

rundll32 confickerb.dll , *random text*

Try that, make sure your USB drive is completely blank, including hidden files.

MD5 of the version I used: 6ee741c4e0d36d0dc9162a6e71943379
Link: http://offensivecomputing.net/download.php?id=1157785863&auth=ae024ee57ebdf7aff2fae9600640cdde

Also, I posted Conficker.B packet captures here:
https://www.openpacket.org/capture/grab/52

Yes! It works!! Thanks a lot!!

And what will be written on the USB?
If the main executable is written there, can you upload it?

On the USB, Conficker writes an autorun.inf file and a .vmx file located in RECYCLER/%RANDOM%.
Then try to load the .vmx file by calling it with rundll32.exe.
E.g.: rundll32 D:\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx

I wasn't able to find any exploit attempt or shellcode in the PCAP file.

Do you have jwgkvsq.vmx file?

yes

I have the file. How do we unpack it (UPX1?) and analyze it?

digitalpbk

Oh, it's such a big hype, but people have no idea how to get infected.
Funny. I heard a lot of domains were registered by AV companies because Conficker wants them tomorrow.
So, just an idea:
if this is fake, who made the money?
I've never seen Conficker.
Where is it? Where?

##############################################
"Destroy him! He is only a USER!" (MCP)
##############################################

Search for Conficker posts dated 03/31. I know there was a post on how to infect yourself.

If I remember correctly (using Conficker.C), I think there was a workaround that involved naming the file malware.dll and placing it in system32. After that, the ServiceDLL needed to be modified to point to malware.dll. This process would subsequently infect the box; however, most people still received errors.

I confirmed I was infected by seeing malware.dll load under svchost.exe (I think that was the process), plus many security vendor sites were blocked. The Conficker Eye Chart also confirmed infection... but I never received the updated payload, so I'm not 100% sure.

HKLM\SYSTEM\CurrentControlSet\Services\NLA\Parameters - ServiceDLL - %SystemRoot%\System32\malware.dll
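The thread above gives two host-side indicators that the lab box actually took the infection: the autorun.inf plus RECYCLER\<SID-like>\*.vmx drop on the blank USB drive (Rob's post and the .vmx post), and the NLA service's ServiceDll being redirected to the malware (the last post). The script below is an added example, not code from any poster, that checks both. It assumes the stock NLA ServiceDll on XP SP2 is %SystemRoot%\System32\mswsock.dll (verify against your own clean baseline), and the sample drive it builds is constructed to mirror the layout described in the thread, with placeholder bytes rather than the real DLL.

```python
"""Lab checks for the Conficker artifacts described in the thread (added example)."""
import os
import re
import tempfile

# Assumption: stock value on a clean XP SP2 box. Confirm on your own baseline image.
NLA_DEFAULT_SERVICEDLL = r"%SystemRoot%\System32\mswsock.dll"

# The directory Conficker creates under RECYCLER is named like a Windows SID.
SID_LIKE = re.compile(r"^S-\d+-\d+(-\d+)+$")


def check_nla_servicedll(value):
    """Return a finding if the NLA ServiceDll is not the stock DLL, else None."""
    if value is None:
        return "NLA ServiceDll value missing"
    if value.strip().lower() == NLA_DEFAULT_SERVICEDLL.lower():
        return None
    return "NLA ServiceDll redirected to %s" % value


def read_nla_servicedll_live():
    """Read the live value from the registry. Returns None when not on Windows."""
    try:
        import winreg
    except ImportError:
        return None
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"SYSTEM\CurrentControlSet\Services\NLA\Parameters")
    try:
        value, _ = winreg.QueryValueEx(key, "ServiceDll")
        return value
    finally:
        winreg.CloseKey(key)


def scan_removable_root(root):
    """Look for autorun.inf launching a .vmx, and RECYCLER\\<SID>\\*.vmx, under a drive root.

    Returns a list of finding strings; an empty list means nothing was found.
    """
    findings = []
    autorun = os.path.join(root, "autorun.inf")
    if os.path.isfile(autorun):
        with open(autorun, "rb") as f:
            data = f.read().lower()
        # Conficker pads its autorun.inf with junk that Windows ignores, so search the
        # raw bytes instead of parsing it as a clean INI file.
        if b"rundll32" in data and b".vmx" in data:
            findings.append("autorun.inf launches a .vmx via rundll32: %s" % autorun)
    recycler = os.path.join(root, "RECYCLER")
    if os.path.isdir(recycler):
        for name in sorted(os.listdir(recycler)):
            sub = os.path.join(recycler, name)
            if not (os.path.isdir(sub) and SID_LIKE.match(name)):
                continue
            for fn in sorted(os.listdir(sub)):
                if fn.lower().endswith(".vmx"):
                    findings.append("RECYCLER drop: %s" % os.path.join(sub, fn))
    return findings


def build_sample_drive():
    """Constructed sample drive (not a real capture) with the layout the thread describes."""
    root = tempfile.mkdtemp(prefix="usb_")
    sub = os.path.join(root, "RECYCLER",
                       "S-5-3-42-2819952290-8240758988-879315005-3665")
    os.makedirs(sub)
    with open(os.path.join(sub, "jwgkvsq.vmx"), "wb") as f:
        f.write(b"MZ")  # placeholder bytes standing in for the dropped DLL
    with open(os.path.join(root, "autorun.inf"), "wb") as f:
        # Constructed content: junk bytes around a rundll32 launch of the .vmx.
        f.write(b"[autorun]\r\n\x00\x00junk\r\n"
                b"shellexecute=RuNdLl32.EXE .\\RECYCLER\\"
                b"S-5-3-42-2819952290-8240758988-879315005-3665\\jwgkvsq.vmx,arg\r\n")
    return root


if __name__ == "__main__":
    for line in scan_removable_root(build_sample_drive()):
        print(line)
    live = read_nla_servicedll_live()
    print(check_nla_servicedll(live) or "NLA ServiceDll is the stock value")
```

Run it on a real lab box by replacing build_sample_drive() with the drive letter of the reinserted USB stick (for example "E:\\"); the registry check only runs on Windows and reports the stock value everywhere else.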