Looking through how Conficker works, I realized that its routine for fetching instructions from its master is brilliant. Most trojans and worms that report back to a central server either hard-code the server's address (NO NO!) or embed a fixed algorithm that always produces the same server (almost as bad): in both cases a single takedown or sinkhole cuts the whole worm off for good. What Conficker does makes shutting down the master extremely hard and keeps anyone from knowing in advance which server it will actually use.
So, this article will be quick – just explaining the concept of what Conficker does.
Basically, it generates a large list of domain names from an algorithm seeded with the current date. Not only does this give Conficker a huge pool of unique candidate domains that the author can register at will (the C variant generated 50,000 a day and polled 500 of them), but it hides which one is really in use, because the worm tries them all and the real one looks no different from the rest in the code. It also hides the day on which anything will happen: a worm with a fixed trigger date gives that date away in its binary, whereas here the author simply registers one of that day's domains whenever they want the botnet to act.
If you’re not following, here’s exactly what would happen if you did the same thing:
1. Your script runs and gets the date; for this example, we’ll say April 3rd.
2. An algorithm in your script generates an array of one thousand domain names from that date.
For example, jgIF2jK.info, jfs82KjII.com, jfe820FDS.org, j8f303tgs.info, and so on. Every copy of the script run on April 3rd produces exactly the same list, which is the whole point: the author knows the list in advance, and so does nobody else unless they pull the algorithm out of the binary.
3. The script tries to connect to each domain in turn and waits for a response.
4. If a domain responds, the response is checked to make sure it really came from the malware’s author, via a password or something similar. (Conficker itself checks a digital signature on what it downloads.)
5. If the check passes, the response carries instructions for what the worm should do next. These could be to spread more, stop spreading, drop the payload, or anything else.
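Here is what steps 1 to 5 look like in code, as an added example of mine rather than Conficker's generator or anything from the original post: the seed value, the hash, the label length, the TLD list, the password and the fake lookup table are all my own assumptions.

```python
"""Toy date-seeded domain generation algorithm (DGA) plus the polling loop.

Added example, not Conficker's real generator: the seed, the hash, the label
length, the TLD list, the password and the lookup table below are assumptions.
"""
import datetime
import hashlib

TLDS = ("com", "net", "org", "info", "biz")   # assumed TLD pool
DOMAINS_PER_DAY = 1000                         # the post's "one thousand"
SEED = b"example-worm-seed"                    # assumed; would live in the binary
PASSWORD = b"hunter2"                          # assumed shared secret (step 4)
EXAMPLE_DAY = datetime.date(2009, 4, 3)        # the post's April 3rd


def generate_domains(day, count=DOMAINS_PER_DAY, seed=SEED):
    """Steps 1-2: return `count` domain names derived deterministically from `day`.

    Every copy of the script computes the same list for the same date, so the
    author knows in advance which names to register, while nothing in the
    binary says which of them (if any) will actually be used.
    """
    domains = []
    for i in range(count):
        material = seed + day.isoformat().encode() + i.to_bytes(4, "big")
        digest = hashlib.sha256(material).digest()
        # First 8 digest bytes become an 8-letter label (length is arbitrary).
        label = "".join(chr(ord("a") + b % 26) for b in digest[:8])
        domains.append(label + "." + TLDS[digest[8] % len(TLDS)])
    return domains


def authenticate(reply):
    """Step 4, the post's password check: the reply must start with the password."""
    return reply.startswith(PASSWORD + b":")


def find_controller(domains, lookup):
    """Steps 3-5: try every candidate and return the first (domain, reply) whose
    reply authenticates; None if no domain answered correctly.
    `lookup(domain)` stands in for DNS plus HTTP and returns bytes or None."""
    for domain in domains:
        reply = lookup(domain)
        if reply is not None and authenticate(reply):
            return domain, reply
    return None


def candidate_domains_for_window(start, days, seed=SEED):
    """Defender's side: with the algorithm recovered from the binary, list every
    candidate for a window of days. Sinkholing or blocking the rendezvous point
    means covering all of them, which is what makes takedown costly."""
    names = set()
    for offset in range(days):
        names.update(generate_domains(start + datetime.timedelta(days=offset), seed=seed))
    return names


def demo():
    """Constructed scenario: on April 3rd the author registered one candidate,
    and somebody else (say a sinkhole) registered another one."""
    todays = generate_domains(EXAMPLE_DAY)
    registered = {                      # constructed "internet"
        todays[617]: b"hunter2:stop_spreading",
        todays[42]: b"sinkhole: nothing to see here",
    }
    return find_controller(todays, registered.get)


if __name__ == "__main__":
    print(demo())
    print(len(candidate_domains_for_window(EXAMPLE_DAY, 7)), "domains to cover for one week")
```

The sinkhole answers first (it sits earlier in the list) but fails the check, so the worm keeps polling until the author's domain replies. `candidate_domains_for_window` is the flip side: once the algorithm is out of the binary, anyone can enumerate the whole week's rendezvous points in advance.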
The downfall of this technique, as outlined here, would be hijacking. If someone were to reverse engineer the worm to recover the domain-generation algorithm and the password it expects, they could register one of an upcoming day’s domains themselves and masquerade as the author. They could then tell the worm what to do – which might not be in the worm’s best interest. A shared password is exactly the kind of secret that reverse engineering recovers; a public-key signature check avoids this, because the verification key baked into the binary does not let anyone produce valid signatures, which is why Conficker signs its updates. Even then, the recovered algorithm still lets defenders pre-register or block the candidate domains and watch who polls them, which is precisely how the Conficker Working Group fought it. The downfall could also be reduced by limiting the functions the worm will perform on instruction from a domain. Obviously, a “remove all traces from the computer” function that could be invoked remotely like that is a bad idea.
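The hijacking problem above, as an added example that is not from the original post and not Conficker's code: the password, the command allowlist, the message layout and the key sizes are my assumptions, and the signature scheme is unpadded textbook RSA over a SHA-256 hash, written with the standard library only so it runs anywhere. It shows the difference between a secret that reverse engineering recovers and a verification key that cannot be turned into a signing key; production code should use Ed25519 or RSA-PSS from a vetted library, not this.

```python
"""Authenticating controller responses: shared password versus signature.

Added example, not from the post or from Conficker. The password, the
allowlist, the message layout and the key sizes are assumptions; the RSA
below is unpadded textbook RSA over SHA-256, for illustration only.
"""
import hashlib
import hmac
import math
import secrets

# ---- Scheme 1: a shared password, as the post describes --------------------
SHARED_PASSWORD = b"hunter2"  # assumption; sits inside the binary for anyone to read


def password_accepts(response):
    """Accept any response carrying the password. Whoever reverse engineers
    the binary has the password too, so this is trivially forgeable."""
    return hmac.compare_digest(response.get("password", b""), SHARED_PASSWORD)


# ---- Scheme 2: a signature checked with a public key baked into the binary --
def _is_probable_prime(n, rounds=32):
    """Miller-Rabin with trial division by small primes first."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2          # witness in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1   # top bit set, odd
        if _is_probable_prime(cand):
            return cand


def rsa_keygen(bits=1024):
    """Return (public, private) as ((n, e), (n, d)). Toy key sizes are fine here."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p == q:
            continue
        phi = (p - 1) * (q - 1)
        if math.gcd(e, phi) != 1:
            continue
        return (p * q, e), (p * q, pow(e, -1, phi))


def sign(priv, message):
    n, d = priv
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return pow(h, d, n)


def verify(pub, message, signature):
    n, e = pub
    h = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return 0 < signature < n and pow(signature, e, n) == h


# Commands the worm will act on when they arrive from a rendezvous domain.
# Anything else (e.g. "remove_all_traces") is refused even if correctly
# signed, following the post's advice to limit what a domain can trigger.
ALLOWED_COMMANDS = frozenset({"spread", "stop_spreading", "drop_payload"})


def signature_accepts(pub, response):
    command = response.get("command", "")
    if command not in ALLOWED_COMMANDS:
        return False
    return verify(pub, command.encode(), response.get("signature", 0))


def hijack_demo():
    """Constructed scenario. Returns (password scheme fooled, signature scheme
    fooled, genuine signed command accepted)."""
    author_pub, author_priv = rsa_keygen()
    _attacker_pub, attacker_priv = rsa_keygen()
    # The hijacker registered tomorrow's domain and answers with the recovered password.
    forged = {"password": SHARED_PASSWORD, "command": "drop_payload"}
    fooled_password = password_accepts(forged)
    # Under the public-key scheme they can only sign with a key the worm does not trust.
    forged_signed = {"command": "drop_payload",
                     "signature": sign(attacker_priv, b"drop_payload")}
    fooled_signature = signature_accepts(author_pub, forged_signed)
    genuine = {"command": "stop_spreading",
               "signature": sign(author_priv, b"stop_spreading")}
    return fooled_password, fooled_signature, signature_accepts(author_pub, genuine)


if __name__ == "__main__":
    print(hijack_demo())
```

The worm carries only `author_pub`; the hijacker who dumps it from memory gets the same thing and still cannot produce a signature that `verify` accepts. Note that the allowlist is checked before the signature, so even a leaked signing key cannot invoke a command the worm was never built to take from a domain.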