Hacking the next generation


security-related sites was disabled, the worm began scanning the machines on the local network for a known vulnerability in the Windows Server Service (MS08-067). The authors of the Conficker worm realized that patches are sometimes delayed for servers that are not reachable from the Internet, because the corporate firewall is assumed to protect them. Once the infected machine is inside the corporate perimeter, the protection offered by the firewall is bypassed entirely: the scan originates from a host the firewall already trusts.

In addition to scanning the local network for MS08-067, Conficker also took advantage of a seemingly low-risk behavior related to removable drives on Windows-based machines. By default, many Windows-based machines were configured to “autorun” content from removable drives that were physically connected to the machine. Normally, if an attacker has the ability to physically connect removable media to the target machine, little can be done to protect it, as the attacker has already gained physical access. In this case, however, the Conficker worm took advantage of this behavior by writing itself (as a hidden file) to any removable media that was connected to the infected machine, so that the next, fully patched machine the media was plugged into would execute it with no attacker present. The Conficker worm would also create an Autorun.inf file that pointed to the hidden Conficker executable. Visit http://msdn.microsoft.com/en-us/library/cc144200(VS.85).aspx for an excellent document describing the Autorun.inf file and its various options.

Windows systems automatically parse the Autorun.inf file when removable media is physically connected to a system. Here is an example of an Autorun.inf file:

[autorun]
open="Evil.exe"
ShellExecute="Evil.exe"
Shell\Open\command="Evil.exe"

The preceding example shows an Autorun.inf file that contains multiple commands that instruct Windows-based machines to automatically execute Evil.exe from the removable media. When autorun is enabled for that drive type, the commands within Autorun.inf are executed as soon as the removable media is connected to a Windows machine. The Autorun.inf file created by the Conficker worm made use of the open command, specifying that Rundll32.exe load a DLL file planted on the removable media. In addition to using Autorun.inf files, the Conficker worm also abused another seemingly benign behavior to help maximize stealth while spreading. Conficker padded Autorun.inf with binary data to disguise the commands held within the file. Although the binary padding made it extremely difficult for a human to make sense of the Autorun.inf file, Windows ignores lines it cannot parse as a section header or a key=value pair, so it skipped the binary padding and executed the hidden commands without any issues. Figure 4-11 shows an
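The following is an added example, not code from the book or from Conficker itself: a small Python triage script that parses an Autorun.inf the way a forgiving INI parser would (keeping only the [autorun] section and lines that look like key=value, discarding everything else), extracts the keys that cause execution on insert, and flags the rundll32-loads-a-DLL-from-the-media pattern the text describes. The sample Autorun.inf bytes are constructed for the example (the file names, the RECYCLER path and the export name are made up, not the real worm's), and the parser is a simplified model of Windows' INI handling, not a byte-for-byte reimplementation of it.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample, not a real Conficker artifact: the real commands are
# surrounded by lines of binary junk, as the text describes. Key names are
# deliberately mixed-case because the INI parser treats them case-insensitively.
SAMPLE_AUTORUN = (
    b"\x8a\xf3\x02\x9c junk line that is not a key\r\n"
    b"[autorun]\r\n"
    b"\xde\xad\xbe\xef\x00\x01\x02\r\n"
    b"AcTiOn=Open folder to view files\r\n"
    b"\xff\xfe\xfd\r\n"
    b"icon=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"oPen=RUNDLL32.EXE .\\RECYCLER\\hidden.dll,EntryPoint\r\n"
    b"\x7f\x80\x81\x82\r\n"
    b"shell\\open\\command=RUNDLL32.EXE .\\RECYCLER\\hidden.dll,EntryPoint\r\n"
)

# Constructed benign file: labels and an icon, nothing that executes.
BENIGN_AUTORUN = b"[autorun]\r\nicon=setup.exe,0\r\nlabel=Product CD\r\n"

SECTION_RE = re.compile(rb"^\s*\[([A-Za-z0-9_.]+)\]\s*$")
KEYVAL_RE = re.compile(rb"^\s*([A-Za-z0-9_\\]+)\s*=\s*(.*?)\s*$")

# Keys whose value is launched when AutoRun is enabled for the drive type.
EXEC_KEYS = ("open", "shellexecute")

# Matches "rundll32[.exe] <something>.dll" and captures the DLL path.
RUNDLL_RE = re.compile(r"^\s*(?:.*\\)?rundll32(?:\.exe)?\b\s+(\S+\.dll)", re.IGNORECASE)


def parse_autorun(data: bytes) -> Dict[str, str]:
    """Tolerant parse: keep [autorun] key=value lines, drop everything else.

    Unparseable lines (binary padding, garbage) are skipped rather than
    treated as an error, which is exactly why the padding trick works.
    Keys are lower-cased; surrounding double quotes on values are removed.
    """
    entries: Dict[str, str] = {}
    in_autorun = False
    for raw in re.split(rb"\r\n|\n|\r", data):
        m = SECTION_RE.match(raw)
        if m:
            in_autorun = m.group(1).lower() == b"autorun"
            continue
        if not in_autorun:
            continue
        m = KEYVAL_RE.match(raw)
        if not m:
            continue  # binary padding or junk: ignored
        key = m.group(1).decode("ascii").lower()
        value = m.group(2).decode("latin-1").strip().strip('"')
        entries[key] = value
    return entries


def execution_commands(entries: Dict[str, str]) -> List[Tuple[str, str]]:
    """Return (key, command) pairs that would launch something on insert."""
    return [
        (key, value)
        for key, value in entries.items()
        if key in EXEC_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))
    ]


def padding_line_count(data: bytes) -> int:
    """Count lines that are neither a section header nor key=value and that
    contain bytes outside printable ASCII, i.e. the binary padding."""
    count = 0
    for raw in re.split(rb"\r\n|\n|\r", data):
        if SECTION_RE.match(raw) or KEYVAL_RE.match(raw):
            continue
        if any(b < 0x20 or b > 0x7E for b in raw.replace(b"\t", b"")):
            count += 1
    return count


def assess(data: bytes) -> List[str]:
    """Return human-readable findings for one Autorun.inf image."""
    findings: List[str] = []
    for key, cmd in execution_commands(parse_autorun(data)):
        findings.append(f"{key}= would launch: {cmd}")
        m = RUNDLL_RE.match(cmd)
        if m:
            findings.append(f"{key}= loads a DLL from the media via rundll32: {m.group(1)}")
    pad = padding_line_count(data)
    if findings and pad:
        findings.append(f"{pad} binary padding line(s) obscure the commands above")
    return findings


if __name__ == "__main__":
    for name, blob in (("constructed Conficker-style", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(f"{name}: {parse_autorun(blob)}")
        for finding in assess(blob):
            print("  -", finding)
```

Run against a real drive by reading the root-level Autorun.inf as bytes and passing it to assess(); the benign sample yields no findings, while the padded sample yields one finding per execution key, one per rundll32 DLL load, and a note about the padding. Because parse_autorun() skips junk lines instead of rejecting the file, a detector built on it sees the same commands Windows would act on, which is the property you want when triaging media from an infected host.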

116 | Chapter 4: Blended Threats: When Applications Exploit Each Other

