
Best practice for Downadup.B, and additional information on the same

Created: 05 Oct 2009 • Updated: 19 Oct 2009 | 6 comments
Posted by Mithun Sanghavi

“Best practice” for Win32/Conficker.B [MS] / W32.Downadup.B [SYM]

Infection/propagation methods

- Flash drives / open shares / mapped drives [autorun.inf]

- ADMIN$ share: brute-force password attack (a list of weak passwords) against the networked systems

- Exploit of MS08-067, the RPC buffer-overflow vulnerability in netapi32.dll (Server service)

How does it work?

The initial attack happens on one of the networked systems.

That initial infection and execution can come from visiting a malware-hosting website [cracks / music / free downloads / hacked sites, etc.] or from plugging an infected flash drive into the production network.

Unpatched systems and browsers are usually the initial victims of this attack.

Once executed, it installs a service under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<random service name>

This service is usually a .dll file [we need to submit it if SEP does not already detect it].

The service uses the MS Task Scheduler to create multiple jobs.

These jobs execute rundll32.exe random_name.random_ext <args> at random intervals.

The extension is not always .dll; it can be anything [e.g. .ifs, .jpg, .tmp, .c].

In Task Manager we'll see multiple rundll32.exe processes running.

In most cases SEP already detects that file; if not, we need to submit it.

That is the file which attacks other systems or downloads other threats.

Multiple instances of this file run continuously in memory and attack other systems.

The threat plants an autorun.inf and a random_name.exe file on mapped drives and open shares to execute itself across the network.

It also disables Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and the Error Reporting service.
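As an added example (not code from the original article or from Symantec), here is a small Python checker for autorun.inf files found on open shares, mapped drives or removable media. It parses the [autorun] section the tolerant way Windows does (case-insensitive keys, junk lines ignored) and flags the pattern described above: a launch key that runs rundll32 with a non-.dll module, or an executable sitting at the media root. The two autorun.inf samples are constructed for the example; the file name random_name.ifs and the RECYCLER path are assumptions, not indicators taken from the Symantec write-up.

```python
"""Flag autorun.inf launchers of the kind the article describes (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed sample modelled on the behaviour above: a launcher that runs a
# non-.dll module through rundll32 from a hidden directory on the share.
# The file name and path are invented for this example, not real indicators.
SAMPLE_AUTORUN = r"""
;;;;;;;; junk that a tolerant INI reader ignores
[AutoRun]
Action=Open folder to view files
Icon=%SystemRoot%\system32\shell32.dll,4
ShellExecute=rundll32.exe .\RECYCLER\random_name.ifs,start
UseAutoPlay=1
"""

# Constructed benign sample: an installer disc that only sets an icon and a label.
BENIGN_AUTORUN = r"""
[autorun]
icon=setup.exe,0
label=Vendor Install Disc
"""

LAUNCH_KEYS = ("open", "shellexecute")            # plus shell\<verb>\command
SHELL_CMD_RE = re.compile(r"shell\\[^\\]+\\command")
HIDDEN_DIR_RE = re.compile(r"(^|[\\/])(recycler|recycled|system volume information)([\\/]|$)", re.I)
EXE_RE = re.compile(r"\.(exe|scr|com|bat|cmd|pif|vbs)$")


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant parse of the [autorun] section: case-insensitive section name and
    keys, comment/junk lines skipped, last duplicate key wins (as Windows does)."""
    in_section = False
    values: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            values[key.strip().lower()] = value.strip()
    return values


def launch_commands(values: Dict[str, str]) -> List[Tuple[str, str]]:
    """Keys that make Windows run something when the volume or share is opened."""
    return [(k, v) for k, v in values.items() if k in LAUNCH_KEYS or SHELL_CMD_RE.fullmatch(k)]


def assess(text: str) -> List[str]:
    """Reasons the autorun.inf looks like a worm launcher; an empty list means nothing flagged."""
    reasons: List[str] = []
    for key, cmd in launch_commands(parse_autorun(text)):
        tokens = cmd.split()
        exe = tokens[0].lower() if tokens else ""
        if exe.endswith("rundll32.exe") or exe == "rundll32":
            # rundll32 <module>,<entrypoint>: the article notes the module is rarely a real .dll
            module = tokens[1].split(",")[0] if len(tokens) > 1 else ""
            if not module.lower().endswith(".dll"):
                reasons.append(f"{key}: rundll32 loads non-.dll module {module!r}")
        elif EXE_RE.search(exe):
            reasons.append(f"{key}: launches executable {exe!r} from the media root")
        if HIDDEN_DIR_RE.search(cmd):
            reasons.append(f"{key}: payload hidden under a recycle-bin style directory")
    return reasons


if __name__ == "__main__":
    for name, sample in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess(sample) or "clean")
```

Run it against every autorun.inf collected from the open shares (the server check in the plan of action below). Any open= or shellexecute= on a network share deserves a look regardless of what it points at, since nothing legitimate needs Autoplay from a share; the rundll32 non-.dll rule is what separates this worm's launcher from an ordinary installer disc.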

What’s the bad part?

The user account lockout policy. As noted above, the threat tries to gain access to other systems on the network by brute-forcing passwords.

Because of this activity, many user accounts get locked out. Apart from that, the threat may also download other threats such as W32.Sality [a file infector], which makes the situation even worse.

What is the PLAN OF ACTION if I get a case on W32.Downadup.B?

- Confirm in SEPM that all systems have SEP installed, running and up to date [and that Windows has all the latest security updates from MS].

This step is critical because we cannot afford to leave even one system in the network unprotected. In most cases some systems in the network turn out to be without SEP, with out-of-date definitions or unpatched, and those machines are later found to be the source/attacking machines. We can check this in the SEPM Clients tab by comparing the count with the total number of clients in the LAN.

- Get the exact number of systems infected and the threat names.

SEPM > Monitors > Logs > Risk logs will help.

- Confirm whether the server is infected too.

Look for signs of infection on the server: scheduled tasks, autorun.inf in open shares, unknown services, disabled services [BITS/AU etc.]. [Analyzing the ESUG log is a good idea.]

- Disable Autoplay via GPO [across the domain]; an Application and Device Control policy can be used as well. [See the links at the bottom of this article.]

- Disable the Task Scheduler service [only if it is not used in the network, since this also stops legitimate scheduled jobs].

- Back-trace the “source systems” from which the attack originates.

This is another critical step to narrow down the search. We need to find out from which systems the attack is actually being launched.

We can find this out in three ways:

1. IPS logs [in log-only mode, because block mode will block the attacking system for 600 seconds, which the customer may not like]

2. Event Viewer > Security log > Failure Audits [we have to enable failure auditing in GPO if it is not enabled already]

3. Net Logon debug log [see the links at the bottom of this article]

- Once we have the Netlogon.log we can use NLParse from the Microsoft Account Lockout tools to analyze it [see the links at the bottom of this article].

- The above logs tell us which systems are attacking other systems in the network.
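As an added example, not part of the original article and not Microsoft's NLParse, the following Python script performs the same back-trace over a Netlogon.log: it counts failed pass-through logons per source workstation, notes how many distinct accounts each one tried and how many lockouts it caused, and ranks the sources. The log lines are constructed in the Netlogon debug-log layout; host names, account names and timestamps are invented.

```python
"""Rank the workstations generating failed logons in Netlogon.log (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed sample in the Netlogon debug-log layout; names and times are invented.
# WS0042 plays the infected host walking a password list; WS0007 is a user who mistyped once.
NETLOGON_LOG = r"""
01/21 09:14:02 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from \\WS0007 Entered
01/21 09:14:02 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from \\WS0007 Returns 0x0
01/21 09:14:10 [LOGON] CORP: SamLogon: Network logon of CORP\jsmith from \\WS0007 Returns 0xC000006A
01/21 09:15:01 [LOGON] CORP: SamLogon: Network logon of CORP\Administrator from \\WS0042 Returns 0xC000006A
01/21 09:15:01 [LOGON] CORP: SamLogon: Network logon of CORP\Administrator from \\WS0042 Returns 0xC000006A
01/21 09:15:02 [LOGON] CORP: SamLogon: Network logon of CORP\Administrator from \\WS0042 Returns 0xC000006A
01/21 09:15:02 [LOGON] CORP: SamLogon: Network logon of CORP\backup from \\WS0042 Returns 0xC000006A
01/21 09:15:03 [LOGON] CORP: SamLogon: Network logon of CORP\backup from \\WS0042 Returns 0xC000006A
01/21 09:15:03 [LOGON] CORP: SamLogon: Network logon of CORP\backup from \\WS0042 Returns 0xC0000234
01/21 09:15:04 [LOGON] CORP: SamLogon: Network logon of CORP\svc_sql from \\WS0042 Returns 0xC000006A
01/21 09:15:04 [LOGON] CORP: SamLogon: Network logon of CORP\svc_sql from \\WS0042 Returns 0xC000006A
01/21 09:15:05 [LOGON] CORP: SamLogon: Network logon of CORP\svc_sql from \\WS0042 Returns 0xC0000234
"""

# NTSTATUS codes Netlogon returns for failed logons.
STATUS = {
    "0xC000006A": "wrong password",
    "0xC000006D": "logon failure",
    "0xC0000064": "no such user",
    "0xC0000234": "account locked out",
    "0xC0000072": "account disabled",
}
BRUTE_FORCE = {"0xC000006A", "0xC000006D", "0xC0000064"}   # guesses against a password
LOCKED_OUT = "0xC0000234"                                   # the lockout policy has kicked in

LINE_RE = re.compile(
    r"SamLogon: .*? logon of (?P<acct>\S+) from \\*(?P<ws>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)"
)


@dataclass
class SourceStats:
    failures: int = 0
    lockouts: int = 0
    accounts: Set[str] = field(default_factory=set)


def parse_netlogon(text: str) -> Dict[str, SourceStats]:
    """Aggregate failed logons by the client workstation named in the 'from' field."""
    stats: Dict[str, SourceStats] = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                         # 'Entered' lines and unrelated records
        status = "0x" + m["status"][2:].upper()
        ws = m["ws"].upper()
        if status in BRUTE_FORCE:
            stats[ws].failures += 1
            stats[ws].accounts.add(m["acct"].lower())
        elif status == LOCKED_OUT:
            stats[ws].lockouts += 1
    return dict(stats)


def rank_sources(text: str, min_failures: int = 5) -> List[Tuple[str, int, int, int, bool]]:
    """(workstation, failures, distinct accounts, lockouts, suspect) ordered by failures.
    A source at or above min_failures that spreads its guesses over several accounts
    is the pattern of an infected host rather than a user mistyping a password."""
    stats = parse_netlogon(text)
    ranked = sorted(stats.items(), key=lambda kv: (kv[1].failures, kv[1].lockouts), reverse=True)
    return [(ws, s.failures, len(s.accounts), s.lockouts, s.failures >= min_failures) for ws, s in ranked]


if __name__ == "__main__":
    for ws, failures, accounts, lockouts, suspect in rank_sources(NETLOGON_LOG):
        print(f"{ws:10} failures={failures:3} accounts={accounts:3} lockouts={lockouts:3} {'SUSPECT' if suspect else ''}")
```

Two caveats when using this for real: Netlogon.log on one DC only shows the pass-through logons that DC handled, so collect the log from every domain controller; and the workstation name in the “from” field is whatever the client supplied, so confirm the candidates against the Security-log failure audits (and the IPS logs) before isolating a machine.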

- We need to target these machines first and get the ESUG logs from them.

- We need to avoid logging in to these systems as “domain administrator”, because doing so makes the threat's job easier: it impersonates the currently logged-on account to access/infect other systems in the network. If isolating these systems is possible, that certainly helps.

- We need to confirm the MS08-067 patch (KB 958644), AV status, disabled services and registry entries on these systems. [ESUG]

- Once these systems are cleaned, the situation should be under control.

For the MS-specific steps [editing GPO / enabling the Netlogon log] we may consult MS technical support if the customer has a support contract with MS [to be on the safe side]; if not, we can help on a best-effort basis.

Links we need

Below is the Symantec write-up

http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

Here is an article by SRT from 01-09-2009 07:11 AM

https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225

Here is another analysis by the Security Intelligence Analysis team

https://forums.symantec.com/t5/Malicious-Code/W32-Downadup-A-and-W32-Downadup-B-Statistics/ba-p/379940

This is the MS KB on the removal process / best practices for W32.Downadup.B

http://support.microsoft.com/kb/962007

Enabling debug logging for the Net Logon service

http://support.microsoft.com/kb/109626

MS  Account Lockout Tools

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

MS08-067 patch download [KB 958644]

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Disable Auto play  with GPO

http://support.microsoft.com/kb/953252

Disable Scheduled Tasks with GPO

http://support.microsoft.com/kb/310208

Enable Security Auditing with GPO

http://support.microsoft.com/kb/300549

NOTE: Updating the systems with the MS08-067 patch [KB 958644] is very important; without it a cleaned system is simply re-infected over the network and the threat cannot be removed for good.

Yet another variant of Downadup, a.k.a. “W32.Downadup.C”

Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants of Downadup, Symantec is calling this new variant W32.Downadup.C. [Discovered March 6th 2009 / updated March 8th 2009]

Note: Some vendors have detected W32.Downadup samples as Conficker.C or Downadup.B++. Symantec's W32.Downadup.C is a different detection and is not to be confused with these Conficker.C and Downadup.B++ detections

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=1

https://forums2.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186

https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249

https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225

W32.Downadup.C is a modular component for machines currently infected with Downadup. This variant of Downadup, (a.k.a. Downadup.B++ or Conficker.C), is not attempting to self-replicate and appears to behave more like a Trojan than a worm, says Vincent Weafer, vice president of Symantec Security Response.  

“Think of it as an updated module that’s more aggressive, more robust in defending itself,” Weafer says. Earlier versions of Downadup did attempt to disable anti-virus software, but the third version represented in the Downadup.C module is designed mainly to provide more protective actions to infected Windows-based machines so they can better defend themselves from anti-virus software and other eradication methods. “It’s more aggressive, it has more services,” says Weafer.

Conficker Cabal

“Conficker Cabal” is the nickname for an ad hoc partnership, led by Microsoft, to fight the Conficker / Downadup worm.

Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, the Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker.

Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

Along with Microsoft, organizations involved in this collaborative effort include Symantec, ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.

http://www.securityfocus.com/news/11546

The Domain-generation algorithm

The worm seeks to update itself by contacting a long list of pseudo-randomly generated domain names over HTTP and fetching new code from them. The domain-name generation algorithm has been cracked [researchers at Symantec and other security companies reverse-engineered the Downadup code] and has been used to pre-compute the names so they can be registered in advance, denying hostile parties the use of this update feature. This has been greatly facilitated by ICANN, TLD operators and various registrars working together with Microsoft and others to identify the names and register the ones that matter. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in.

That sinkhole data is being shared within the “cabal” and with customers: ISPs and their customers, enterprises, CERT teams and others. This, in turn, is being used to clean up hosts with tools and information sheets with clear instructions. This is truly a global operation.

In response to the security industry’s success in cracking the W32.Downadup.B domain-generation algorithm used for communicating with the command & control server, the subsequent registration of these domain names for monitoring purposes, and the resulting publication of findings, the Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain-generation algorithm. The new algorithm also uses one of 116 possible domain suffixes.

https://forums2.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717   
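To make the pre-registration and sinkhole idea concrete, here is an added example with a stand-in generator. It is not Conficker's algorithm (that code is not reproduced on this page); it is only a date-seeded hash that shares the single property the defenders exploited: the names for a given day are fixed in advance, so anyone holding the generator can compute them before the infected hosts do. The suffix list, seed and label lengths are assumptions made for the example.

```python
"""Pre-computing a date-seeded DGA and matching sinkhole check-ins (added example)."""
import hashlib
from datetime import date, timedelta
from typing import Iterable, List, Set

# Assumed suffix list for the stand-in; Downadup.C draws from 116 real ones.
SUFFIXES = ["com", "net", "org", "info", "biz", "ws", "cn", "cc"]


def generate_domains(day: date, count: int, suffixes: List[str], seed: bytes = b"stand-in-dga") -> List[str]:
    """Deterministic names for one day. Stand-in construction: SHA-256 over a fixed seed,
    the date and a counter, turned into a 4..8 letter label plus one suffix."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + i.to_bytes(4, "big")).digest()
        length = 4 + digest[0] % 5
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{suffixes[digest[-1] % len(suffixes)]}")
    return names


def precompute(start: date, days: int, per_day: int, suffixes: List[str]) -> Set[str]:
    """Everything a registry/registrar coalition must register (and point at sinkholes)
    to cover a window of days; its size is what made 50,000 a day impractical."""
    names: Set[str] = set()
    for offset in range(days):
        names.update(generate_domains(start + timedelta(days=offset), per_day, suffixes))
    return names


def sinkhole_hits(dns_queries: Iterable[str], sinkholed: Set[str]) -> List[str]:
    """Queries for pre-registered names are infected hosts checking in; the resolver log
    (or the sinkhole web server log) tells you which internal hosts to clean."""
    return [q for q in dns_queries if q.lower().rstrip(".") in sinkholed]


if __name__ == "__main__":
    window = precompute(date(2009, 3, 9), 7, 250, SUFFIXES)
    print(len(window), "names to register for one week at 250/day")
    # Constructed resolver log: one name from the day's list, one ordinary lookup.
    seen = [generate_domains(date(2009, 3, 9), 1, SUFFIXES)[0], "www.example.com"]
    print("check-ins:", sinkhole_hits(seen, window))
```

The arithmetic is the whole story of the article's last paragraph: at 250 names a day a week's window is 1,750 registrations, which a coalition can absorb; at 50,000 a day spread over 116 suffixes it is 350,000 a week across many registries, which is why Weafer (quoted below) calls domain blocking a stop-gap rather than a long-term defence.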

Yet, the Cabal viewed the efforts to block domains as a stop-gap measure, said Vincent Weafer, vice president of security response for security firm Symantec, which owns SecurityFocus.

"Buying the domains was meant to buy ourselves time," Weafer said. "It was never meant to be a long-term defensive strategy."

Symantec discovered the Conficker module on a honeypot system that the company uses to monitor the worm. Because the Cabal is blocking the domains that the Conficker worm uses to update infected systems, the module will likely not spread quickly, if at all. However, infected hosts on the same network do update each other using a peer-to-peer capability, Weafer said. So, if one infected system gets updated, all other infected computers on the same network will get the new code as well.

Conficker update attempts to foil Cabal
Published: 2009-03-09

http://www.securityfocus.com/brief/923 

The Plan of Action of the disinfection process would remain the same as we’ve discussed in the previous thread. [Track-Isolate-Clean]

Below are the protection and virus-definition details, per the latest write-up on W32.Downadup.C:

  • Initial Rapid Release version March 6, 2009 revision 036
  • Latest Rapid Release version March 9, 2009 revision 021
  • Initial Daily Certified version March 6, 2009 revision 037
  • Latest Daily Certified version March 9, 2009 revision 025
  • Initial Weekly Certified release date March 11, 2009

NOTE: Updating the systems with the MS08-067 patch [KB 958644] is very important; without it a cleaned system is simply re-infected over the network and the threat cannot be removed for good.

Additional reading:

Simple steps to protect yourself from the Conficker Worm

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/3aa5a06c7bf48bd988257589006cd1e1?OpenDocument

Security Tip: How to Determine if a Specific Microsoft Hotfix Has been Installed?

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/f0c710b73a421b1b802575c8004c50d1?OpenDocument

Best practices regarding Intrusion Prevention System technology

http://service1.symantec.com/support/ent-security.nsf/854fa02b4f5013678825731a007d06af/a4b2056057ad5362882576070077598e?OpenDocument

Symantec Security Response has published a new blog article regarding the new sample, here:

https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/260

Washington Post

http://voices.washingtonpost.com/securityfix/2009/04/conficker_worm_strikes_militar.html?wprss=securityfix

ISC

http://isc.sans.org/diary.html?storyid=6103

BBC

http://news.bbc.co.uk/2/hi/technology/7976099.stm

Corporate external landing page

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648

Consumer external landing page

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm

Downadup.C Threat Write-Up

http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99


W32.Downadup.C Digs in Deeper

https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/249

A New Downadup Variant?

https://forums2.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186

CNN - No joke in April Fool's Day computer worm

http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html

Comments (6)

shp

Oooo... It's a very good collection of information about Downadup. Thanks Mithun.

Regards,
Srinivas H.P.
HCL Infosystems Ltd

Nel Ramos

This article is great!
Thanks...

Nel Ramos

amx150

This article is great!
Thanks...

Mick2009

An additional link that will be of interest:

The Downadup Codex, Edition 2.0
https://www-secure.symantec.com/connect/blogs/downadup-codex-edition-20

With thanks and best regards,

Mick

Mohan Babu

Guys, any update on W32.Changeup?

https://www-secure.symantec.com/connect/blogs/w32c...

It's hitting badly....

Mohan Babu