This blog post puts together Trend Micro’s own DOWNAD research as well as collaborative input from the Conficker Working Group. It combines the collected reports regarding DOWNAD with analysis of the binaries in one coherent timeline of events, to shed some light on the continuing DOWNAD/Conficker jigsaw puzzle.
SETTING THE STAGE
In a span of just four months (November last year to February this year, where DOWNAD infection counts were at their peak), WORM_DOWNAD.A has infected around 500,000 PCs. WORM_DOWNAD.AD, an improved variant first detected last December, equaled the infection count of the earlier variant in just three months.
These numbers – a little more than a million – are based on Trend Micro’s World Virus Tracking Center (WTC) numbers alone, which scans only infections detected by HouseCall and other Trend Micro products. Total global estimates were believed to have reached as high as nine million in February this year. The DOWNAD infection base, specifically through the AD variant, was thus set.
On March 4, several WORM_DOWNAD.AD-infected nodes received an updated variant, which was eventually detected as WORM_DOWNAD.KK. This new DOWNAD is notable for the following functionalities:
- The malware communicates with peers using Peer-to-Peer (P2P) chatter.
- Its routines include Internet time checking and updating through Internet rendezvous.
- It has an April 1st activation date.
The activation date had researchers scrambling for answers before April 1. Other than the expected changes in network behavior, no significant developments or updates in the DOWNAD/Conficker botnet were observed on the said date itself. At least not yet. The botnet eventually awoke several days later.
BOTNET COMES ALIVE
The uneventful days during and after the April 1st DOWNAD/Conficker hype were brought to a halt when an update in the DOWNAD botnet, through WORM_DOWNAD.KK, occurred on April 7 and 8. There were many subsequent reports of new binaries (some of them encrypted) in infected systems, as well as the discovery of DOWNAD’s connections with Waledac (another notorious botnet) and with a FakeAV variant called Spyware Protector 2009.
WORM_DOWNAD.KK infected nodes received, via P2P TCP, an encrypted and digitally-signed “blob”, 134,880 bytes. In Trend Micro’s case, we received the TCP response from 188.8.131.52, which is simply another DOWNAD-infected node located in Korea. Shown in Figure 1 is a snapshot of the captured TCP response.
WORM_DOWNAD.KK decrypts this blob to generate TROJ_DOWNDAC.A. Trend Micro Advanced Threats Researcher Joseph Cepe says this forms one of the two main functions of the KK variant; the other is to install an HTTP server and to look for exploitable machines. The name DOWNDAC is a combination of DOWNAD and Waledac, for reasons which will become clearer later. This Trojan then drops another DOWNAD worm, detected as WORM_DOWNAD.E.
The .EXE component of WORM_DOWNAD.E, unlike the earlier KK variant, has no P2P mechanism of its own. It creates an HTTP server and uses the MS08-067 exploit, like WORM_DOWNAD.AD, to infect other PCs. It also infects via network shares. Interestingly, it has a deactivation date of May 3, 2009. The reason for this remains an open question right now.
WORM_DOWNAD.E also starts a Web server on a pseudo-random port between 1024 and 9999, derived from the system drive’s volume serial number.
It drops and creates a temporary .SYS file which Trend Micro detects as TROJ_DOWNAD.E. Trend Micro Advanced Threats Researcher Edgardo Diaz says that the Trojan is dropped as a component to increase the maximum number of TCP connections in an infected PC. This same .SYS file was also verified to be dropped by WORM_DOWNAD.AD, and is the one responsible for patching the TCP half-connection attempts.
It also creates and stores an encoded binary blob in the Windows Registry. Decrypting the blob reveals a .DLL, which then drops a TMP file (also a .DLL). Apparently, this DLL file is the one that also gets sent as the payload blob via HTTP, if there is successful exploitation by WORM_DOWNAD.E. The snapshot in Figure 3 makes this clear.
The hex blob in the yellow box is the data block that was created in the Windows Registry by WORM_DOWNAD.E, while the one in the red box is the blob that was sent via HTTP, again, if exploitation was successful.
The payload of the exploit (URL download and .DLL loading) is verified to be working. Another open question is why one part of the malware function somehow fails to reflect the decryption of the embedded .DLL: without modifying any parameters, the function proceeds with decryption in memory but somehow does not store the changes/pointers to the already decrypted .DLL.
The shellcode used is similar to the shellcode of the earlier DOWNAD/Conficker variants that used the MS08-067 exploit as their propagation routine.
Now what about this .DLL itself? This dropped file is much more complex than the original WORM_DOWNAD.E, and compared with the KK variant it shows the following:
- The HTTP download routine is removed.
- The Peer-to-Peer IP-to-port algorithm remains unchanged.
- Modifications are also discovered in URL and process termination lists.
With the botnet seemingly secure in its position, the motives of the DOWNAD gang remained unclear. At least until crucial links with the notorious FakeAV gang and with another huge botnet were discovered.
TRIPLE THREAT: DOWNAD, Waledac, and FakeAV
All the dirty work for what ends? Further analysis of one DOWNAD component reveals that, again, the answer is cybercrime. The said component, TROJ_DOWNDAC.A, connects to a malicious URL and downloads an encrypted file. This file is decrypted by the Trojan and is set to run automatically by a registry entry also created by TROJ_DOWNDAC.A.
This file, stored in the Windows Temp folder, is a Waledac variant Trend Micro detects as WORM_WALEDAC.ED. Shown in Figure 4 is a snapshot of the binary dump of this WALEDAC variant, with some tell-tale clues about the page where it was downloaded.
Waledac is an immensely popular botnet thanks to its association with another bot giant, Storm. It is this Waledac worm that downloads the FakeAV program Spyware Protect 2009.
To conceal the download, users are made to believe that the program is a .JPG file (a popular extension for images). It comes with an attached executable, however. We detect this FakeAV variant as TROJ_FAKEAV.FXF.
TROJ_FAKEAV.FXF then downloads and executes a TIBS variant detected as TROJ_TIBS.AYD from another malicious URL. This Trojan sends TCP SYN packets to two IP addresses. It also downloads another FakeAV variant, TROJ_FAKEAV.AXD.
Shown in Figure 5 is a snapshot of Spyware Protector 2009, the FakeAV being deployed in this DOWNAD-Waledac-FakeAV trifecta.
So far, evidence and facts point to the notion that while the DOWNAD/Conficker binaries have no malicious payloads in their own code, the botnet has been used to spread Waledac and FakeAV binaries, both of which are known to have code and behaviors that constitute what we call malicious payloads.
Waledac is a notorious spammer, and is also known for injecting information-stealer code. FakeAV, meanwhile, scares users into buying their “security” products by faking infection symptoms, and lately by employing crimeware routines as well.
Stay tuned — the DOWNAD/Conficker story is obviously not over yet, and we will be posting updates to the blog as issues reveal themselves.
In the meantime, rest assured that the technologies behind the Trend Micro Smart Protection Network are working overtime to provide protection to our customers.