Conficker - Operation - Payload Propagation

Payload Propagation

The virus has several mechanisms for pushing or pulling executable payloads over the network. These payloads are used by the virus to update itself to newer variants, and to install additional malware.

  • Variant A generates a list of 250 domain names every day across five TLDs. The domain names are generated from a pseudo-random number generator (PRNG) seeded with the current date to ensure that every copy of the virus generates the same names each day. The virus then attempts an HTTP connection to each domain name in turn, expecting from any of them a signed payload.
  • Variant B increases the number of TLDs to eight, and has a generator tweaked to produce domain names disjoint from those of A.
    • To counter the virus' use of pseudorandom domain names, the Internet Corporation for Assigned Names and Numbers (ICANN) and several TLD registries began a coordinated barring of transfers and registrations for these domains in February 2009. Variant D counters this by generating daily a pool of 50,000 domains across 110 TLDs, from which it randomly chooses 500 to attempt for that day. The generated domain names were also shortened from 8-11 to 4-9 characters to make them more difficult to detect with heuristics. This new pull mechanism (which was disabled until April 1) is unlikely to propagate payloads to more than 1% of infected hosts per day, but is expected to function as a seeding mechanism for the virus' peer-to-peer network. The shorter generated names, however, are expected to collide with 150-200 existing domains per day, potentially causing a distributed denial-of-service attack (DDoS) on sites serving those domains.
  • Variant C creates a named pipe, over which it can push URLs for downloadable payloads to other infected hosts on a local area network.
  • Variants B, C and E perform in-memory patches to NetBIOS-related DLLs to close MS08-067 and watch for re-infection attempts through the same vulnerability. Re-infection from more recent versions of Conficker is allowed through, effectively turning the vulnerability into a propagation backdoor.
  • Variants D and E create an ad-hoc peer-to-peer network to push and pull payloads over the wider Internet. This aspect of the virus is heavily obfuscated in code and not fully understood, but has been observed to use large-scale UDP scanning to build up a peer list of infected hosts and TCP for subsequent transfers of signed payloads. To make analysis more difficult, port numbers for connections are hashed from the IP address of each peer.
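The date-seeded generation described for variants A and B has a defensive consequence that the registry coordination exploited: because every infected host derives the same list from the same date, a defender can compute the day's list in advance and match resolver logs against it. The block below is an added illustration, not Conficker's code and not its real generator; it uses a constructed SHA-256-based generator, a constructed resolver log format of the form "<timestamp> <client-ip> query <qname>", and constructed sample log lines, and its only purpose is to show the precompute-and-match idea.

```python
import hashlib
import re

# Hypothetical, constructed DGA standing in for a date-seeded generator.
# It is NOT Conficker's real algorithm; the defensive point is that whatever
# the PRNG, the same date yields the same list on every host, so the day's
# list can be computed ahead of time and DNS traffic matched against it.
TLDS = ("com", "net", "org", "info", "biz")   # five TLDs, as variant A used


def generate_domains(iso_date, count=250, min_len=8, max_len=11):
    """Derive `count` domain names deterministically from a YYYY-MM-DD string."""
    seed = hashlib.sha256(iso_date.encode()).digest()
    domains = []
    counter = 0
    while len(domains) < count:
        # Expand the daily seed into one 32-byte block per domain.
        block = hashlib.sha256(seed + counter.to_bytes(4, "big")).digest()
        counter += 1
        length = min_len + block[0] % (max_len - min_len + 1)
        label = "".join(chr(ord("a") + b % 26) for b in block[1:1 + length])
        tld = TLDS[block[-1] % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


# Constructed (assumed) resolver log format: "<timestamp> <client-ip> query <qname>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) query (?P<qname>\S+)$")


def find_dga_queries(log_lines, iso_date):
    """Return (client, qname) pairs whose qname is on the day's precomputed list."""
    watchlist = set(generate_domains(iso_date))
    hits = []
    for line in log_lines:
        m = LOG_LINE.match(line)
        if not m:
            continue   # skip lines that do not fit the assumed format
        # Normalise: drop the trailing root dot and ignore case.
        qname = m.group("qname").rstrip(".").lower()
        if qname in watchlist:
            hits.append((m.group("src"), qname))
    return hits


def sample_dns_log(iso_date):
    """Constructed resolver log: one benign query, one malformed line, one hit."""
    beacon = generate_domains(iso_date)[0]
    return [
        f"{iso_date}T09:00:01Z 10.0.0.5 query update.example.com.",
        "garbage line that does not parse",
        f"{iso_date}T09:00:02Z 10.0.0.7 query {beacon.upper()}.",
    ]


if __name__ == "__main__":
    day = "2009-03-01"
    print(generate_domains(day)[:5])
    print(find_dga_queries(sample_dns_log(day), day))
```

Two caveats follow directly from the text above. Variant D's random choice of 500 domains from a daily pool of 50,000 means the whole pool, not just the attempted subset, has to be precomputed and watched, which is why blocking at the registry level became so much more expensive. And because the shortened names collide with legitimate domains, a watchlist match on its own is a lead to corroborate with other host evidence rather than a verdict.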
