Wednesday, April 01, 2009

Go Infect Yourself...with Conficker

I'd been wanting to do some testing with Conficker to see if my IDS rules were truly working and whether or not some of the new detection tools released Monday were accurate (DarkReading: "Conficker Detection...Let Me Count The Ways"). Knowing that just running an EXE wasn't all that easy based on some of the analysis from the Internet Storm Center (here and here), I started digging around for some good samples of Conficker and instructions. First, I grabbed a few samples from Offensive Computing's malware archive. Next, I went looking for some hints on the best way to load the samples and found a related thread on Offensive Computing where someone was looking for a Conficker.C sample.

So, here's the quick and dirty. We'll download the sample, rename it, copy it to the System32 directory, and edit a useless service so that it loads the sample on startup.
  1. Grab the file here.
  2. Rename it to "booyah.dll"
  3. Copy "booyah.dll" to "C:\Windows\System32\"
  4. Open Regedit and navigate to \HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters
  5. Right click on "ServiceDll", click "Modify", change the current DLL to point to "booyah.dll", and click OK
  6. Close Regedit and Reboot.
Now your machine is infected. To verify, try to reach sites that Conficker blocks, such as McAfee and SecureWorks, or try out the Conficker Eye Chart.
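From the defender's side, the persistence step above (repointing ServiceDll under the Nla service key) is exactly the kind of change a before-and-after registry comparison catches. The following is an added example, not code from the original post: it parses two Regedit exports (File -> Export) of HKLM\SYSTEM\CurrentControlSet\Services and reports every ServiceDll value that changed. The two exports are constructed in the script, and the mswsock.dll baseline for Nla is assumed to be what a clean XP box has; check it against your own export.

```python
"""Spot a ServiceDll hijack by diffing two Regedit exports of the Services key.

Added example (not from the original post). The post's persistence step
rewrites ServiceDll under HKLM\\SYSTEM\\CurrentControlSet\\Services\\Nla\\Parameters
so svchost loads the sample on boot. Exporting that hive before and after
(Regedit -> File -> Export) and diffing the ServiceDll values shows which
service was repointed. Both exports below are constructed; the mswsock.dll
baseline is assumed to be what a clean XP box has for Nla.
"""
import re
from typing import Dict, List, Optional, Tuple

_KEY_RE = re.compile(r'^\[(?P<key>[^\]]+)\]$')
_STR_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')
# REG_EXPAND_SZ is exported as hex(2): comma-separated UTF-16LE bytes that
# Regedit wraps across lines with a trailing backslash.
_HEX2_RE = re.compile(r'^"(?P<name>[^"]+)"=hex\(2\):(?P<data>.*)$')


def _decode_hex2(data: str) -> str:
    raw = bytes(int(b, 16) for b in data.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")


def parse_service_dlls(reg_text: str) -> Dict[str, str]:
    """Map each exported key path to its ServiceDll value (keys without one are skipped)."""
    found: Dict[str, str] = {}
    key = ""
    pending: Optional[List[str]] = None  # [name, hex so far] while a hex(2) value continues
    for line in reg_text.splitlines():
        line = line.rstrip("\r")
        if pending is not None:
            pending[1] += line.strip().rstrip("\\")
            if not line.rstrip().endswith("\\"):
                if pending[0].lower() == "servicedll":
                    found[key] = _decode_hex2(pending[1])
                pending = None
            continue
        m = _KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        m = _STR_RE.match(line)
        if m:
            if m.group("name").lower() == "servicedll":
                # Regedit doubles backslashes inside quoted REG_SZ values
                found[key] = m.group("data").replace("\\\\", "\\")
            continue
        m = _HEX2_RE.match(line)
        if m:
            data = m.group("data").strip()
            if data.endswith("\\"):
                pending = [m.group("name"), data.rstrip("\\")]
            elif m.group("name").lower() == "servicedll":
                found[key] = _decode_hex2(data)
    return found


def diff_service_dlls(baseline: Dict[str, str],
                      current: Dict[str, str]) -> List[Tuple[str, Optional[str], str]]:
    """Return (key, old, new) for every ServiceDll that changed or is new since the baseline."""
    return [
        (key, baseline.get(key), new)
        for key, new in sorted(current.items())
        if baseline.get(key) is None or baseline[key].lower() != new.lower()
    ]


# Constructed exports. A real export is UTF-16 text; the value types are
# deliberately mixed here so both the REG_SZ and hex(2) paths are exercised.
CLEAN_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters]
"ServiceDll"=hex(2):25,00,53,00,79,00,73,00,74,00,65,00,6d,00,52,00,6f,00,6f,00,\
  74,00,25,00,5c,00,53,00,79,00,73,00,74,00,65,00,6d,00,33,00,32,00,5c,00,6d,00,\
  73,00,77,00,73,00,6f,00,63,00,6b,00,2e,00,64,00,6c,00,6c,00,00,00
"""

INFECTED_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Dhcp\Parameters]
"ServiceDll"="%SystemRoot%\\System32\\dhcpcsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Nla\Parameters]
"ServiceDll"="C:\\Windows\\System32\\booyah.dll"
"""

if __name__ == "__main__":
    before = parse_service_dlls(CLEAN_EXPORT)
    after = parse_service_dlls(INFECTED_EXPORT)
    for key, old, new in diff_service_dlls(before, after):
        print(f"{key}\n  was: {old}\n  now: {new}")
```

The comparison is case-insensitive because the registry itself is, and an unchanged Dhcp entry is included so the diff shows only the repointed service. Against real exports, run the clean one before the sample is loaded and keep it somewhere the lab box cannot write to.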

What's next? If you've done malware analysis before, you know you should have been capturing ALL network traffic from this host. Continue sniffing and looking for interesting things. Capture all of the traffic to disk with tcpdump, tshark or daemonlogger. Then run it through Snort with the Emerging Threats ruleset or ngrep looking for interesting strings. The possibilities are endless.
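One cheap thing to look for in that capture, alongside Snort, is a single host sending UDP to an unusually large number of distinct destinations. The script below is an added example, not code from the original post: it reads a pcap file with no third-party libraries, tallies distinct IPv4/UDP peers per source address, and flags sources above a threshold. The capture it analyses is constructed in memory; the 10.0.0.0/24 lab addresses, the 198.51.100.0/24 destinations and the threshold of 20 peers are assumptions for the example.

```python
"""Flag hosts fanning out UDP to many distinct peers in a pcap.

Added example (not from the original post). Once the lab box's traffic is on
disk (tcpdump -w), a host with an unusual number of distinct UDP destinations
is one of the "interesting things" worth pulling out of the capture. The pcap
parsed here is constructed in memory; the addresses and the 20-peer threshold
are assumptions for the example.
"""
import ipaddress
import struct
from collections import defaultdict
from typing import Dict, Iterable, Set

PCAP_MAGIC_LE = 0xA1B2C3D4   # little-endian pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1


def udp_fanout(pcap: bytes) -> Dict[str, Set[str]]:
    """Return {src_ip: set(dst_ip)} over every IPv4/UDP frame in an Ethernet pcap."""
    magic, _, _, _, _, _, linktype = struct.unpack("<IHHiIII", pcap[:24])
    if magic != PCAP_MAGIC_LE or linktype != LINKTYPE_ETHERNET:
        raise ValueError("expected a little-endian Ethernet pcap")
    peers: Dict[str, Set[str]] = defaultdict(set)
    off = 24
    while off + 16 <= len(pcap):
        _, _, incl_len, _ = struct.unpack("<IIII", pcap[off:off + 16])
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 14 or frame[12:14] != b"\x08\x00":   # not IPv4
            continue
        ihl = (frame[14] & 0x0F) * 4
        if len(frame) < 14 + ihl or frame[23] != 17:         # truncated or not UDP
            continue
        src = str(ipaddress.IPv4Address(frame[26:30]))
        dst = str(ipaddress.IPv4Address(frame[30:34]))
        peers[src].add(dst)
    return dict(peers)


def flag_fanout(peers: Dict[str, Set[str]], threshold: int = 20) -> Dict[str, int]:
    """Sources that talked UDP to at least `threshold` distinct destinations."""
    return {src: len(dsts) for src, dsts in peers.items() if len(dsts) >= threshold}


# --- constructed sample capture -------------------------------------------

def _udp_frame(src: str, dst: str, sport: int, dport: int, payload: bytes = b"") -> bytes:
    """Minimal Ethernet/IPv4/UDP frame; checksums are left at zero."""
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + udp


def build_pcap(frames: Iterable[bytes]) -> bytes:
    """Wrap frames in a little-endian pcap with one record per frame."""
    header = struct.pack("<IHHiIII", PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = b"".join(struct.pack("<IIII", 1238544000 + i, 0, len(f), len(f)) + f
                       for i, f in enumerate(frames))
    return header + records


def build_sample_capture() -> bytes:
    """A quiet DNS client (10.0.0.2) plus a lab box (10.0.0.5) spraying 40 UDP peers."""
    frames = [_udp_frame("10.0.0.2", "10.0.0.1", 5000 + i, 53) for i in range(5)]
    frames += [_udp_frame("10.0.0.5", f"198.51.100.{i}", 40000 + i, 1024 + i)
               for i in range(1, 41)]
    return build_pcap(frames)


if __name__ == "__main__":
    for src, count in flag_fanout(udp_fanout(build_sample_capture())).items():
        print(f"{src} sent UDP to {count} distinct peers")
```

To run it against a real file, replace `build_sample_capture()` with `open("capture.pcap", "rb").read()`; captures written by tcpdump on a little-endian box use the magic number checked here, and pcapng or big-endian files are rejected rather than misparsed. Tune the threshold to what the lab network normally does before trusting the flag.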

Oh yeah, don't forget to put this behind some kind of firewall or filtering device so you can keep a handle on it. I've got mine sitting behind a Vyatta-based bridging firewall that is working quite well for this use. I'm also sniffing directly on the bridged interface.

7 comments:

Unknown said...

Did you work this out in the virtual machine?
thanks!

John H. Sawyer said...

I didn't bother trying this out in a virtual machine since I had physical hardware handy. The infected machine, which is still infected, is on a small Dell desktop and the firewall is a tiny 1U server with dual NICs running Vyatta.

Anonymous said...

It's not working for me. I have tried this on a newly installed Vista Ultimate machine. I don't even have any anti-virus running on my machine. Any idea why it's not working?

-Bachi

John H. Sawyer said...

Hey Bachi,

This was done on a Windows XP system. I don't know if it works under Vista and I don't have a Vista system handy. You wouldn't happen to have XP available to test with, would you?

Anonymous said...

Hi John,

Thanks for the quick response. For the work I am doing, I have to test it with Vista only.

-Bachi

Anonymous said...

To be more specific, I am getting the error "Error 1114: A dynamic link library (DLL) initialization routine failed". Have you ever faced the same issue?

Anonymous said...

Works like a charm for me on an XP SP2 box. I can see the UDP traffic going out like crazy. Microsoft, Kaspersky, McAfee, Symantec are all blocked. Thanks!