
Conficker.C: The end of the world

The world ends on the 1st of April: tomorrow. I advise you to stay with your families waiting for this moment. Or at least this is what most of the world's security media thinks. Tomorrow Conficker.C is going to wake up and destroy the world!! As some Conficker reports state, this variant gets the system date through the function GetLocalTime (kernel32.dll) and checks whether it is greater than or equal to the 1st of April 2009. If this condition is met, Conficker generates a list of 50,000 domains. These domains are the result of concatenating one subdomain of 4 to 10 characters - generated by an unknown algorithm - with one of the 116 TLDs hardcoded in the Conficker code:

ac, ae, ag, am, as, at, be, bo, bz, ca, cd, ch, cl, cn, co.cr, co.id, co.il, co.ke, co.kr, co.nz, co.ug, co.uk, co.vi, co.za, com.ag, com.ai, com.ar, com.bo, com.br, com.bs, com.co, com.do, com.fj, com.gh, com.gl, com.gt, com.hn, com.jm, com.ki, com.lc, com.mt, com.mx, com.ng, com.ni, com.pa, com.pe, com.pr, com.pt, com.py, com.sv, com.tr, com.tt, com.tw, com.ua, com.uy, com.ve, cx, cz, dj, dk, dm, ec, es, fm, fr, gd, gr, gs, gy, hk, hn, ht, hu, ie, im, in, ir, is, kn, kz, la, lc, li, lu, lv, ly, md, me, mn, ms, mu, mw, my, nf, nl, no, pe, pk, pl, ps, ro, ru, sc, sg, sh, sk, su, tc, tj, tl, tn, to, tw, us, vc, vn

From this huge list of domains Conficker selects only 500 and tries to resolve them by querying the DNS server. Once it has finished, our friend rests for 24 hours and then starts the cycle again. The following image shows some of the requests that Conficker.C will carry out from tomorrow on, which we have simulated in our lab:


None of the domains has been resolved so far, so this is what most people will see tomorrow, until the malware authors register some domains and place some kind of update module (digitally signed in order to prevent the installation of code from third parties) with new functionality. Until then, Conficker.C will stay asleep, even on the 1st of April, waiting for orders. Our e-crime unit will keep on monitoring to be ready for new movements.
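The behaviour described above (a burst of lookups for short random labels under the hardcoded suffix list, almost all of them unresolved) is exactly what a resolver log will show, so it is a natural thing to alert on. The following detector is an added example written for this post; it is not code from S21sec or from any Conficker analysis. The log line layout (`src=… q=… rcode=…`), the two thresholds and the sample log are all constructed for the example; in production you would apply the same counters over a sliding 24-hour window, matching the cycle the post describes.

```python
import random
import re
import string
from collections import defaultdict

# The 116 suffixes hardcoded in Conficker.C, as listed in the post.
CONFICKER_TLDS = set("""
ac ae ag am as at be bo bz ca cd ch cl cn co.cr co.id co.il co.ke co.kr co.nz
co.ug co.uk co.vi co.za com.ag com.ai com.ar com.bo com.br com.bs com.co com.do
com.fj com.gh com.gl com.gt com.hn com.jm com.ki com.lc com.mt com.mx com.ng
com.ni com.pa com.pe com.pr com.pt com.py com.sv com.tr com.tt com.tw com.ua
com.uy com.ve cx cz dj dk dm ec es fm fr gd gr gs gy hk hn ht hu ie im in ir is
kn kz la lc li lu lv ly md me mn ms mu mw my nf nl no pe pk pl ps ro ru sc sg sh
sk su tc tj tl tn to tw us vc vn
""".split())

# Assumed log line layout (constructed for this example, not a real resolver format).
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+q=(?P<q>\S+)\s+rcode=(?P<rcode>\S+)")


def split_dga_candidate(name):
    """Return (label, suffix) when name is exactly one label of 4-10 alphanumeric
    characters followed by a suffix from the Conficker list, otherwise None."""
    parts = name.rstrip(".").lower().split(".")
    for n in (2, 1):                      # try two-label suffixes such as co.uk first
        if len(parts) == n + 1:
            label, suffix = parts[0], ".".join(parts[-n:])
            if suffix in CONFICKER_TLDS and 4 <= len(label) <= 10 and label.isalnum():
                return label, suffix
    return None


def score_sources(log_lines, min_queries=20, min_suffixes=10):
    """Per source address, count NXDOMAIN answers for DGA-shaped names and the
    number of distinct Conficker suffixes hit; return the sources over both thresholds.
    Requiring many distinct suffixes keeps a single mistyped hostname from alerting."""
    stats = defaultdict(lambda: {"nxdomain": 0, "suffixes": set()})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["rcode"] != "NXDOMAIN":
            continue
        candidate = split_dga_candidate(m["q"])
        if candidate is None:
            continue
        entry = stats[m["src"]]
        entry["nxdomain"] += 1
        entry["suffixes"].add(candidate[1])
    return {
        src: (v["nxdomain"], len(v["suffixes"]))
        for src, v in stats.items()
        if v["nxdomain"] >= min_queries and len(v["suffixes"]) >= min_suffixes
    }


def build_sample_log():
    """Constructed sample: one host sweeping 40 suffixes with random labels,
    one host doing ordinary lookups (including a couple of harmless typos)."""
    rng = random.Random(7)
    lines = []
    for suffix in sorted(CONFICKER_TLDS)[:40]:
        label = "".join(rng.choice(string.ascii_lowercase) for _ in range(rng.randint(4, 10)))
        lines.append(f"2009-04-01T00:00:05 src=10.0.0.12 q={label}.{suffix} rcode=NXDOMAIN")
    lines += [
        "2009-04-01T00:00:06 src=10.0.0.7 q=www.example.com rcode=NOERROR",
        "2009-04-01T00:00:07 src=10.0.0.7 q=examplle.com rcode=NXDOMAIN",   # typo, suffix not in list
        "2009-04-01T00:00:08 src=10.0.0.7 q=foo.hk rcode=NXDOMAIN",          # label too short
        "2009-04-01T00:00:09 src=10.0.0.7 q=mail.example.co.uk rcode=NOERROR",
    ]
    return lines


if __name__ == "__main__":
    for src, (count, suffixes) in score_sources(build_sample_log()).items():
        print(f"{src}: {count} NXDOMAIN DGA-shaped queries across {suffixes} suffixes")
```

Only the host sweeping the suffix list is reported; the ordinary host's typos never reach the thresholds because their suffixes are not in the list or the label is too short.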

Jose Miguel Esparza
S21sec e-crime






IPv6 Security II

The last post about IPv6 security introduced the most significant feature of the new communication protocol: the enlarged address space. Before concentrating on what is mostly referred to as IPsec, this post gives some information about the main features that come with IPv6.

Simplified Header
The basic IPv6 header has a fixed length of 40 bytes and contains less information than the IPv4 header. Additional information can be added in a chain of next headers, which are optional and processed only when present. This reduces the load on routers and is mainly an improvement to gain speed.
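To make the fixed header and the next-header chain concrete, here is a small parser, added as an example for this post (not code from S21sec or from any IPv6 stack). It reads the 40-byte fixed header, then walks the chain of extension headers (Hop-by-Hop, Routing, Fragment and Destination Options, by their next-header numbers from RFC 8200) until it reaches the upper-layer protocol. The sample packet is constructed inline; the limit on the number of extension headers is an assumed hardening choice, since the chain is the part of the packet that a filtering device must walk before it can see the transport header.

```python
import ipaddress
import struct

# Next-header values for the extension headers handled here (RFC 8200).
HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS = 0, 43, 44, 60
EXT_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, DEST_OPTS}
ICMPV6 = 58
MAX_EXT_HEADERS = 8  # assumed parser limit for this example


def parse_ipv6(packet, max_ext_headers=MAX_EXT_HEADERS):
    """Parse the fixed 40-byte IPv6 header and walk the chain of extension headers.

    Returns the header fields, the list of extension-header types seen and
    the upper-layer protocol number that ends the chain."""
    if len(packet) < 40:
        raise ValueError("truncated IPv6 header")
    first_word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", packet[:8])
    version = first_word >> 28
    if version != 6:
        raise ValueError(f"not an IPv6 packet (version {version})")
    end = 40 + payload_len
    if end > len(packet):
        raise ValueError("payload length exceeds captured bytes")

    chain = []
    offset = 40
    while next_hdr in EXT_HEADERS:
        if len(chain) >= max_ext_headers:
            raise ValueError("too many extension headers")
        if offset + 8 > end:
            raise ValueError("truncated extension header")
        following = packet[offset]
        # The Fragment header is a fixed 8 octets; the others carry their length
        # in 8-octet units, not counting the first 8 octets.
        length = 8 if next_hdr == FRAGMENT else (packet[offset + 1] + 1) * 8
        if offset + length > end:
            raise ValueError("extension header runs past the payload")
        chain.append(next_hdr)
        next_hdr = following
        offset += length

    return {
        "version": version,
        "traffic_class": (first_word >> 20) & 0xFF,
        "flow_label": first_word & 0xFFFFF,
        "payload_len": payload_len,
        "hop_limit": hop_limit,
        "src": ipaddress.IPv6Address(packet[8:24]),
        "dst": ipaddress.IPv6Address(packet[24:40]),
        "ext_headers": chain,
        "upper_protocol": next_hdr,
        "payload": packet[offset:end],
    }


def build_sample_packet():
    """Constructed packet: fe80::1 -> ff02::1, one Hop-by-Hop header carrying a
    PadN option, followed by an ICMPv6 echo request (checksum left at zero)."""
    hop_by_hop = bytes([ICMPV6, 0, 1, 4, 0, 0, 0, 0])   # next=58, len=0 (8 octets), PadN(4)
    icmp = struct.pack("!BBHHH", 128, 0, 0, 0x1234, 1)  # echo request, id 0x1234, seq 1
    payload = hop_by_hop + icmp
    first_word = (6 << 28) | (0 << 20) | 0xABCDE        # version 6, class 0, flow label
    header = struct.pack("!IHBB", first_word, len(payload), HOP_BY_HOP, 64)
    header += ipaddress.IPv6Address("fe80::1").packed + ipaddress.IPv6Address("ff02::1").packed
    return header + payload


if __name__ == "__main__":
    parsed = parse_ipv6(build_sample_packet())
    print(parsed["src"], "->", parsed["dst"], "ext:", parsed["ext_headers"],
          "upper protocol:", parsed["upper_protocol"])
```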

Stateless Address/Router Configuration
Administrators in particular will like the automatic address and router configuration of IPv6. Hosts generate their own (EUI-64) address without needing DHCP, automatically ask for a router on the local network and receive DNS information, giving them full connectivity. All of this is done by ICMPv6, which carries much more responsibility than its predecessor ICMPv4.
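The EUI-64 derivation mentioned above is short enough to show in full. The following is an added example for this post, not code from S21sec: it builds the modified EUI-64 interface identifier from a MAC address (insert ff:fe in the middle, flip the universal/local bit) the way RFC 4291 Appendix A describes, and also does the reverse, which is the part worth knowing from a security standpoint: an address formed this way carries the host's MAC, so anyone who sees the address learns the hardware identifier. The sample addresses are constructed.

```python
import ipaddress


def mac_to_eui64_address(mac, prefix="fe80::/64"):
    """Build the modified EUI-64 interface identifier from a 48-bit MAC and
    combine it with a /64 prefix (link-local by default)."""
    octets = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])  # insert ff:fe between the OUI and the NIC part
    iid[0] ^= 0x02                                           # flip the universal/local bit
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("stateless autoconfiguration with EUI-64 needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def eui64_address_to_mac(addr):
    """Recover the MAC from an EUI-64 derived address, or None when the interface
    identifier lacks the ff:fe marker (a privacy/random address, a manual one, ...)."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{b:02x}" for b in mac)


def audit_addresses(addresses):
    """Map each address to the MAC it exposes, or None. Handy for checking which
    hosts on a segment still use EUI-64 identifiers rather than privacy addresses."""
    return {a: eui64_address_to_mac(a) for a in addresses}


if __name__ == "__main__":
    addr = mac_to_eui64_address("00:1a:2b:3c:4d:5e")  # constructed MAC
    print(addr, "->", eui64_address_to_mac(addr))
```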

Multicast/Anycast
Multicast is a mandatory and integrated part of IPv6, handled by ICMPv6. It also replaces Broadcast, which no longer exists in IPv6.
Anycast is introduced as a load-balancing and redundancy mechanism. Like Multicast, it stands for a group of hosts which can be reached at one address; the difference is that only the first host of the Anycast group (as seen from the routing hierarchy) will answer.

Mobile IPv6
The idea behind Mobile IPv6 is that you can be anywhere in the world (which implies a reconfiguration of your network settings), but your existing connections are maintained automatically. This is done by extra features of IPv6/ICMPv6 which need additional configuration.

Jumbograms
Jumbograms are introduced to allow payloads larger than 64 KB in one packet. This is surely an adaptation to the increase of traffic/bandwidth on the Internet, and it also improves speed and response times.

Before diving into the main security features of the new protocol, the next post will show how the security of IPv6 is affected by these main improvements.

IPv6 info from wikipedia

Clemens Kurtenbach
S21sec e-crime









© Copyright S21sec 2012 - All rights reserved