Conficker.C: The end of the world

The world ends on the 1st of April: tomorrow. I advise you to stay with your families waiting for this moment. Or at least this is what most of the world's security media thinks. Tomorrow Conficker.C is going to wake up and destroy the world! As some Conficker reports state, this variant obtains the system date through the function GetLocalTime (kernel32.dll) and checks whether it is greater than or equal to the 1st of April 2009. If this condition is met, Conficker will generate a list of 50,000 domains. Each domain is the concatenation of one subdomain of 4 to 10 characters – generated by an unknown algorithm – and one of the 116 TLDs hardcoded in the Conficker code:

ac, ae, ag, am, as, at, be, bo, bz, ca, cd, ch, cl, cn, […], cx, cz, dj, dk, dm, ec, es, fm, fr, gd, gr, gs, gy, hk, hn, ht, hu, ie, im, in, ir, is, kn, kz, la, lc, li, lu, lv, ly, md, me, mn, ms, mu, mw, my, nf, nl, no, pe, pk, pl, ps, ro, ru, sc, sg, sh, sk, su, tc, tj, tl, tn, to, tw, us, vc, vn

From this huge list of domains Conficker selects only 500 and tries to resolve them by querying the DNS server. Once it has finished, our friend sleeps for 24 hours and then repeats the cycle. The following image shows some of the requests that Conficker.C will carry out from tomorrow on, which we have simulated in our lab:

None of the domains has resolved so far, so this is what most people will see tomorrow, until the malware authors register some of the domains and place some kind of update module there (digitally signed, to prevent the installation of code from third parties) with new functionality. Until that moment, Conficker.C will stay asleep, even on the 1st of April, waiting for orders. Our e-crime unit will keep monitoring so as to be ready for any new developments.
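The behaviour described above (500 lookups a day for names of the form <4–10 character label>.<one of the hardcoded TLDs>, nearly all of which fail) is the pattern a defender can look for in resolver logs. The following is an added example of such a detector; it is not code from this post or from S21sec. The log format, the client addresses and every log line are constructed for illustration, the TLD set is only the part of the list that appears above, and the label generator is plain random letters, since the real DGA algorithm is not known.

```python
"""Flag hosts whose DNS traffic matches the Conficker.C daily DGA burst.

Added example (not the post's or S21sec's code). Everything below the
imports is constructed: the log format, the addresses and the sample lines.
"""
import random
import re
from collections import defaultdict

# TLDs as they appear in the post. The post's list is incomplete (the malware
# carries 116 entries), so a real deployment would extend this set.
CONFICKER_TLDS = frozenset("""
ac ae ag am as at be bo bz ca cd ch cl cn cx cz dj dk dm ec es fm fr gd gr gs
gy hk hn ht hu ie im in ir is kn kz la lc li lu lv ly md me mn ms mu mw my nf
nl no pe pk pl ps ro ru sc sg sh sk su tc tj tl tn to tw us vc vn
""".split())

# Constructed resolver log format: "<YYYY-MM-DD> <client-ip> <qname> <rcode>"
LOG_RE = re.compile(
    r"^(?P<day>\d{4}-\d{2}-\d{2}) (?P<client>\S+) (?P<qname>\S+) (?P<rcode>[A-Z]+)$"
)


def parse_line(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def dga_like_name(qname):
    """True for '<label>.<tld>' with a 4-10 letter label and a Conficker TLD."""
    parts = qname.rstrip(".").lower().split(".")
    if len(parts) != 2:
        return False
    label, tld = parts
    return 4 <= len(label) <= 10 and label.isalpha() and tld in CONFICKER_TLDS


def suspicious_clients(lines, min_nxdomain=20, min_tlds=5):
    """Return {(day, client): stats} for clients over both thresholds.

    Conficker.C tries 500 of its 50,000 daily names and almost all of them
    fail, so a normal host rarely reaches 20 NXDOMAIN answers spread over
    5 or more of these TLDs within a single day.
    """
    stats = defaultdict(lambda: {"nxdomain": 0, "tlds": set(), "names": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN" or not dga_like_name(rec["qname"]):
            continue
        entry = stats[(rec["day"], rec["client"])]
        entry["nxdomain"] += 1
        entry["tlds"].add(rec["qname"].rstrip(".").rsplit(".", 1)[1].lower())
        entry["names"].append(rec["qname"])
    return {k: v for k, v in stats.items()
            if v["nxdomain"] >= min_nxdomain and len(v["tlds"]) >= min_tlds}


def constructed_log(seed=2009):
    """Sample log: one host showing the burst pattern and two ordinary hosts.

    Labels are random letters (constructed input, not the real DGA output)."""
    rng = random.Random(seed)
    tlds = sorted(CONFICKER_TLDS)
    lines = []
    for _ in range(60):
        label = "".join(rng.choice("abcdefghijklmnopqrstuvwxyz")
                        for _ in range(rng.randint(4, 10)))
        lines.append(f"2009-04-01 10.0.0.5 {label}.{rng.choice(tlds)} NXDOMAIN")
    lines += [
        "2009-04-01 10.0.0.9 www.example.com NOERROR",
        "2009-04-01 10.0.0.9 mail.example.net NOERROR",
        "2009-04-01 10.0.0.9 exampel.com NXDOMAIN",   # a typo, not a DGA burst
        "2009-04-01 10.0.0.12 wiki.example.org NOERROR",
    ]
    rng.shuffle(lines)
    return lines


if __name__ == "__main__":
    for (day, client), s in suspicious_clients(constructed_log()).items():
        print(f"{day} {client}: {s['nxdomain']} NXDOMAIN over "
              f"{len(s['tlds'])} TLDs, e.g. {s['names'][:3]}")
```

Run against a real resolver log, only `LOG_RE` and the thresholds need adapting; the TLD set should be completed from the full 116-entry list, and the `len(parts) != 2` check relaxed if two-label suffixes are added to it. Counting distinct TLDs as well as raw NXDOMAIN volume is what separates this pattern from a host simply hammering one misconfigured name.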

Jose Miguel Esparza
S21sec e-crime
