7:02 am (UTC-7) | by Paul Ferguson (Senior Threat Researcher)
Yes, we didn’t want to hear any more about this either, but this is actually interesting.
In the process of investigating the WORM_DOWNAD.KK peer-to-peer (P2P) protocol communications, Trend Micro threat researchers have discovered – with the assistance of some external resources – some interesting code which indicates that the basic code functionality has been borrowed from existing documentation going back to (at least) early 1997.
While reviewing documentation made available by CERT-LEXSI (the French CERT), together with the excellent analysis work already done by SRI International on the WORM_DOWNAD.KK P2P mechanisms, our attention was drawn to this particular code in the WORM_DOWNAD.KK P2P port generation routine:
Figure 1. WORM_DOWNAD.KK P2P port generation routine
Image source: CERT-LEXSI
Specifically, the value “15A4E35h”, which is a hard-coded seed for the random-number generation routine used by WORM_DOWNAD.KK.
While looking into this aspect a bit more, we discovered several interesting things.
First and foremost, this code is not new: it was discussed as far back as early 1997 by “raZZia” in a write-up on key generation routines.
That code appears to be reproduced almost completely in WORM_DOWNAD.KK for exactly the same purpose: as the seed variable for its generation routine, which determines which ports to use (and when) for its P2P communications with peers.
In other words, the WORM_DOWNAD.KK author(s) have re-purposed this existing code wholesale, but instead of using it for key generation, it now serves as a seed generation and port randomization routine.
Figure 2. The “1997 raZZia” code
Note the same routine above, especially the seed value of “15a4e35h”. This is hard-coded in WORM_DOWNAD.KK as a seed variable.
Both the key-gen code and the WORM_DOWNAD.KK port selection code use very similar logic. The WORM_DOWNAD.KK code has some new twists, but you can see the foundation below:
Figure 3. This illustrates that this code was completely reused from previous underground sources.
Secondly, and perhaps more mysteriously, if the leading “15” is removed from the value 15A4E35, the remainder is a printable Unicode code point that renders as this character in an obscure Chinese Unicode range:
Figure 4. Obscure Chinese Unicode.
If there is anything we do know about sophisticated cyber criminals, it is that they love little ironies.
Of course, this fed us a bit of conspiracy theory, but we have found a valid reason for this coincidence.
In fact, 15A4E35h is 22695477 in decimal, and it is simply a recognized constant used in the linear congruential generator (LCG) algorithm of BC++ (Borland C++).
So most likely, 15A4E35 had no special meaning for raZZia; he or she just used it in their algorithm, which in turn was used by the Conficker code creators.
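As an added illustration, not code from this post or from the worm, here is the Borland C++ rand() generator that the constant belongs to, assuming the standard Borland formulation (state = state * 0x15A4E35 + 1, output bits 30..16), plus a check of why such a multiplier is chosen and a small triage helper for spotting the immediate in a code buffer. The Conficker-specific twists on top of the generator are not reproduced.

```c
#include <stdint.h>
#include <string.h>

/* Multiplier and increment of the Borland C/C++ rand() LCG.
 * 0x15A4E35 is the constant the post identifies (22695477 decimal). */
#define BCC_LCG_MULT 0x15A4E35u
#define BCC_LCG_INC  1u

/* One step of the generator: state' = state * a + c (mod 2^32). */
static uint32_t bcc_lcg_step(uint32_t state) {
    return state * BCC_LCG_MULT + BCC_LCG_INC;
}

/* Borland rand(): advance the state and return bits 30..16 (0..32767).
 * Same seed in, same sequence out: a hard-coded seed makes the output
 * reproducible by anyone who knows the generator. */
static int bcc_rand(uint32_t *state) {
    *state = bcc_lcg_step(*state);
    return (int)((*state >> 16) & 0x7FFFu);
}

/* Convenience wrapper: the first rand() output for a given seed. */
static int first_output_from_seed(uint32_t seed) {
    return bcc_rand(&seed);
}

/* Hull-Dobell conditions for full period 2^32 with modulus 2^32:
 * c must be odd and a-1 must be divisible by 4. This is why the
 * constant is a sensible LCG multiplier, not a hidden message. */
static int bcc_lcg_has_full_period(uint32_t a, uint32_t c) {
    return (c & 1u) == 1u && ((a - 1u) & 3u) == 0u;
}

/* Triage helper: byte offset of the first little-endian occurrence of a
 * 32-bit immediate in a buffer (e.g. a code section), or -1 if absent. */
static long find_le32(const uint8_t *buf, size_t len, uint32_t value) {
    uint8_t pat[4];
    for (int i = 0; i < 4; i++) pat[i] = (uint8_t)(value >> (8 * i));
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(buf + i, pat, 4) == 0) return (long)i;
    return -1;
}

/* Constructed sample bytes (not taken from the worm): an x86
 * imul eax, eax, imm32 carrying the constant, padded with nops. */
static const uint8_t sample_code[] = {
    0x90, 0x69, 0xC0, 0x35, 0x4E, 0x5A, 0x01, 0x90
};
static const size_t sample_code_len = sizeof sample_code;
```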
Please understand, however, that we have seen purposeful joe-jobs intended to lead unwitting researchers to conclude that certain parties are perpetrating these crimes. In other words, we have seen Russkrainians (Russian/Ukrainian cyber criminals) use certain aspects of Chinese culture to falsely implicate Chinese involvement, and vice versa. There is currently an especially disturbing trend of Russkrainian cyber criminals using Chinese assets (e.g. domain registrations in .CN) to implicate innocent parties.
We are still analyzing this code, but thought that this might be beneficial in investigative efforts.
In any event, this shows that there is code “reuse” in the cyber crime underworld, and it shows up in the most unexpected places.
While we continue to look at the various programming techniques, communications behavior, and other code contained in Conficker.C, we urge others to do the same: we may find other pieces that have been “borrowed” from existing sources, and those may lead to the perpetrators of this ongoing criminal activity.
Information also provided by Ben April and Ivan Macalintal.