Thursday, April 09, 2009

Is There a Conficker E? Waledac makes a move...

At UAB Computer Forensics, we have been tracking the spam bot, Waledac, since March 19th, by checking every so often (like 4 times a minute) all of the domain names that we now are being used to distribute Waledac. We've been making a list of the infected nodes, with the timestamp that we see them distributing Waledac, and offering that list to various network providers. (If you are a network provider/ISP, send me an email to get a pointer to the list, there are around 4,000 US-based IPs on it so far.)

This morning, Packet Ninja Dan Clemens gave me a call asking if I had seen Trend Micro's claim that Conficker was updating. I hadn't seen that, but I had seen emails on one of my secret squirrel mailing lists that Conficker was updating from "goodnewsdigital.com". That didn't make any sense at all to me! We've seen 2,821 IP addresses serving up "plain ole' Waledac" from GND, so far. (See https://info.cis.uab.edu/forensics/blog/gnd.list.txt)

Just to make sure, I went ahead and fetched the current Waledac binary from one of the GoodNewsDigital.com websites, and sure enough, it was Plain Ole Waledac.

MD5: 20ac8daf84c022ef10bc042128ccace6

Currently detected by only 9 of 40 products at VirusTotal

Here's the VirusTotal Link, but the details are here:

AntiVir - TR/Crypt.ZPACK.Gen
CAT-QuickHeal - DNAScan
F-Secure - Packed:W32/Waledac.gen!I
Fortinet - W32/PackWaledac.C
McAfee-GW-Edition - Trojan.Crypt.ZPACK.Gen
Microsoft - Trojan:Win32/Waledac.gen!A
NOD32 - Variant of Win32/Kryptic.LP
Panda - Suspicious file
Sophos - Mal/WaledPak-A

A sad statement of the current state of anti-virus, that a KNOWN MALWARE DISTRIBUTION POINT that has been serving up viruses since mid-March for a large spam botnet is still entirely undetected by 3/4ths of the AV products!

But it gets worse.

I went and read Trend Micro's assertions on their blog . . .

According to Trend Micro they saw new malware arrive on one of their conficker boxes, being dropped not via a website update, as we've all been expecting, but via a Peer 2 Peer connection from other Conficker machines. The new malware arrived via P2P on their box and began attempting to propagate in worm-like fashion looking for MS08-067 vulnerabilities (the same as previous versions of Conficker), as well as opening a webserver on port 5114, and making connections to Myspace, MSN, eBay, CNN, and AOL. After this, the machine downloaded a file from GoodNewsDigital.com, which is, as I mentioned above, a Waledac distribution point.

The file that it downloads though IS NOT THE PRIMARY WALEDAC MALWARE. We retrieved the same file in our labs at UAB (forgive me, but the file is named "fuck4.exe"), and scanned it with VirusTotal as well. This is NOT the file you receive if you visit the Waledac host, as we decribed above, via a normal spam-referred website visit.

Here's what we got from "fuck4.exe" at VirusTotal:

ZERO products detect this as malware. NONE of the 40 sites thought the 418kb executable file was a virus.

VirusTotal Report

Trend is calling the new variant WORM_DOWNAD.E (DownAdUp is an alias for Conficker).

The Trend article certainly has caused some deep thinking here this morning! Thanks to Ivan Macalintal at Trend, and because he thanks Joseph Cepe and Paul Ferguson, we thank them as well!

Wait, why are we thanking Paul Ferguson? I had to go find out. Its because of his excellent documentation on the Peer2Peer nature of Conficker in the Trend Blog on April 4th. While the entire world began watching on April 1st for Conficker to be updated via new malware that was placed on one of the 50,500 domain names that began to be searched on April 1, the bad guys have snuck in the back door and updated Conficker via P2P instead.

Paul got a head start on his Peer to Peer research from the excellent malware researchers at CERT-LEXI in their Blog at CERT-LEXSI.


We'll be contacting more Conficker researchers as the day goes on and trying to determine if ALL the Conficker nodes have just merged with Waledac, or if something else is occurring here.

No comments:

Post a Comment

Trying a new setting. After turning on comments, I got about 20-30 comments per day that were all link spam. Sorry to require login, but the spam was too much.