Comments on: The art of unpacking Conficker worm

By: Computer Repair

Computer Repair — Thu, 17 Sep 2009 09:47:09 +0000

Over the past two years, rarely did a worm get as much attention that Conficker (aka Downadup) is getting now. Its last variant, the infamous W32/Conficker.C, which surfaced in early March and is set to time-bomb on April 1, is literally all over the media. Of course, its features are well known and documented and some papers (such as SRI’s excellent analysis and a blog post from Sourcefire) even give interesting insights on the reverse engineering process. Indeed, while understanding the behavior of the malware is important to most people, learning how to understand it is even more important to some. Does the fable of the fisherman who gives the hungry man a fishing rod rather than a fish sound familiar?

By: Daniele Salatti

Daniele Salatti — Thu, 07 May 2009 12:56:08 +0000

Hi Rex,
I’m trying to use this guide to unpack a variant of Conficker/Downadup that infected my work computer. This version uses rundll32 to run (rundll32.exe virus.ql,random_string).
While I haven’t still removed it from the system (we can’t find the process that creates At1, At2,…Atn scheduled tasks on the computer), I have got a copy of the dll (I also deleted it, but it comes back again after a while).
Then I have tryed to unpack it…
This version isn’t packed with UPX, so I have edited it with CFF Ecplorer and loaded it into OllyDbg and IDA (the free version).
The problem is, I wasn’t able to skip all those bad branches. Ok, it was night and I was tyred. Today I’ll try again. I want to learn how to do those kind of analysis. Thank you for this post!

By: Rex

Rex — Thu, 23 Apr 2009 02:22:34 +0000

Hi John,

You can also check AV websites for detailed analysis of Conficker/Downadup variants.
SRI also has very detailed information about reversing Conficker.
Its important to understand the overall behavior of the worm before tracing the code, because not all the code will be passed on every execution (there are some conditional checks before running other functionalities)
Some variants work by using rundll32 as: rundll32.exe virus.dll,randomstring
while other would need to play around the value of dwReason to continue the execution.
Also watch out for the antidebug/anti VM codes.

AV companies usually have copies of this worm, so check your contacts.
Or maybe you should try other malware source, like offensivecomputing or
malwaredomainlist, etc.

Good luck.

-Rex

By: Rex

Rex — Thu, 23 Apr 2009 02:20:39 +0000

Hi John,

You can also check AV websites for detailed analysis of Conficker/Downadup variants.
SRI also has very detailed information about reversing Conficker.
Its important to understand the overall behavior of the worm before tracing the code, because not all the code will be passed on every execution (there are some conditional checks before running other functionalities)
Some variants work by using rundll32 as: rundll32.exe virus.dll,
while other would need to play around the value of dwReason to continue the execution.
Also watch out for the antidebug/anti VM codes.

AV companies usually have copies of this worm, so check your contacts.
Or maybe you should try other malware source, like offensivecomputing or
malwaredomainlist, etc.

Good luck.

-Rex

By: John

John — Mon, 20 Apr 2009 19:15:04 +0000

Hey Rex ,
Thanks for this artical,
I am doing a study on these Conficker A,B,C,D variants which is really creating problem now. My research is on Reverse Engineering these variants possibly produce some prevention ideas. can you please tell me how to get infected in secured environment and where can I get these variants (A,B,C,D) for my study and reverse eng. If you have any links related to these , please let me know.

By: digitalpbk

digitalpbk — Sun, 12 Apr 2009 07:03:36 +0000

Thank you for a good article,
how do we reverse engineer the code ?

By: 10 things to learn on March 28th

10 things to learn on March 28th — Sat, 28 Mar 2009 03:01:01 +0000

[...] The art of unpacking Conficker worm | Fortinet FortiGuard Blog Over the past two years, rarely did a worm get as much attention that Conficker (aka Downadup) is getting now. Its last variant, the infamous W32/Conficker.C, which surfaced in early March and is set to time-bomb on April 1, is literally all over the media. Of course, its features are well known and documented and some papers (such as SRI’s excellent analysis and a blog post from Sourcefire) even give interesting insights on the reverse engineering process. Indeed, while understanding the behavior of the malware is important to most people, learning how to understand it is even more important to some. [...]

By: March Threatscape Report: Virut, Conficker and social engineering | Fortinet FortiGuard Blog

Fri, 27 Mar 2009 21:31:23 +0000

[...] simply becomes active on that date and will remain active afterwards. Given the amount of attention Conficker has received, it is likely the authors will attempt any sort of strike at a later date when it is less [...]

By: Paulo Raponi

Paulo Raponi — Fri, 27 Mar 2009 19:37:18 +0000

Great article! Congratulation Fortinet Team!

regards,

Paulo Raponi
FCNSA, FCNSP

By: InformationSecurity

InformationSecurity — Fri, 27 Mar 2009 07:06:09 +0000

Thanks for sharing tips; we just tweeted this on Twitter under {Technical} category for readers interested in learning about reverse engineering in general (and Conficker, Downadup, Kido specifically). Keep up the good work. @SecurityQ