Conficker Worm using Metasploit payload to spread

Recently we got some new samples of the W32/Conficker.Worm to analyze. While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself. Below is the traffic packet capture snapshot sent by the worm:

As we can see from the image above, there are some random alphanumeric characters in the packet which seem to have been generated from Rex::Text.rand_text_alpha in ms08_067_netapi.rb. And if we do a byte order conversion of data in red box above, we get 3 addresses: 0×00020408, 0x6f8917c2, 0x6f88f807, which are the internal targets of the ms08_067_netapi.rb exploit as listed below (from metasploit):

# Metasploit's NX bypass for XP SP2/SP3
[ 'Windows XP SP3 English (NX)',
	{

                     'Ret'       => 0x6f88f807,
                     'DisableNX' => 0x6f8917c2,
                     'Scratch'   => 0x00020408
	}
], # JMP ESI ACGENRAL.DLL, NX/NX BYPASS ACGENRAL.DLL

The latest metasploit exploit, besides including Windows XP/2003 OS’s; also includes several targets for languages such as English, Arabic, Czech, Danish, German, Greek Spanish Finnish, French, Hebrew, Japanese, Chinese, etc. The exploit module of ms08_067_netapi in metasploit also provides the “smb_fingerprint()” function to detect the Windows version information, Service Pack information and also the language information of the target OS. This makes programming the worm much easier and can cause much bigger impact. By using the exploit from the metasploit module as the code base, a virus/worm programmer only needs to implement functions for automatic downloading and spreading. We believe that this can be accomplished by an average programmer who understands the basics of exploitation and has decent programming skills. After further analysis of the traffic capture, we found that only the functions for detecting OS version and Service Pack information were embedded into this worm. Hence without the remote OS language determination ‘feature’, this worm only targets the English OS versions at the time of writing the blog.

Here is a packet capture snippet used in this malware to detect the OS version and Service Pack information:

By sending SMB session setup and request, it can detect OS information of target machine. If the OS is Windows Server 2003, then the Service Pack information will also be returned.

Since there are a huge number of Windows XP systems it’s obvious that the worm writer did not want to miss out on this pool, hence this is why the worm determines what the Service Pack level is by accessing \SRVSVC named pipe, which is similar to the method used in metasploit smb_fingerprint() function :

if (os == 'Windows XP' and sp.length == 0)
            # SRVSVC was blocked in SP2
            begin
                         smb_create("\\SRVSVC")
                         sp = 'Service Pack 0 / 1'
            rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
                         if (e.error_code == 0xc0000022)
                                 sp = 'Service Pack 2+'
                         end
            end
end

So in this instance it’s obvious that malware/worm writers are abusing open source tools to their advantage to make their work easier.

For those who haven’t patched their machines, we suggest you install the MS08-067 patch ASAP! If you are a McAfee Host IPS or Network IPS user, we’ve verified that you are protected against this worm by our Signatures ID’s 3961 and 0x40709d00 respectively. For VirusScan users, the DAT update version 5444 has coverage to detect this worm.