Video Screencast Help
Security Community Blog

“Conficker” - a security threat on Fool`s Day

Created: 30 Mar 2009 • 2 comments
HimalayanITGuy's picture
0 0 Votes
Login to vote

 

"Many have been worrying that the Conficker worm will somehow rise up and devastate the Internet on April 1. These fears are misplaced, security experts say. April 1 is what Conficker researchers are calling a trigger date, when the worm will switch the way it looks for software updates. But the worm has already had several such trigger dates, including Jan. 1, none of which had any direct impact on IT operations, according to Phil Porras, a program director with SRI International who has studied the worm. 'Technically, we will see a new capability, but it complements a capability that already exists,' Porras said." More from
SRI

"John Markoff has a story at the NY Times speculating about what will happen on April 1 when the Conficker worm is scheduled to activate. Already on an estimated 12 million machines, conjectures about Conficker's purpose ranges from the benign — an April Fool's Day prank — to far darker notions. Some say the program will be used in the 'rent-a-computer-crook' business, something that has been tried previously by the computer underground. 'The most intriguing clue about the purpose of Conficker lies in the intricate design of the peer-to-peer logic of the latest version of the program, which security researchers are still trying to completely decode,' writes Markoff. According to a paper by researchers at SRI International, in the Conficker C version of the program, infected computers can act both as clients and servers and share files in both directions. With these capabilities, Conficker's authors could be planning to create a scheme like Freenet, the peer-to-peer system that was intended to make Internet censorship of documents impossible. On a darker note, Stefan Savage, a computer scientist at the University of California at San Diego, has suggested the possibility of a 'Dark Google.' 'What if Conficker is intended to give the computer underworld the ability to search for data on all the infected computers around the globe and then sell the answers,' writes Markoff. 'That would be a dragnet — and a genuine horror story.'"

History- The worm exploited a critical Windows bug that Microsoft patched with an emergency fix in late October, and since then it's being used to build a fast-growing botnet, this was first detected by at Trend Micro Labs . Dubbed 'Downad.a' by Trend (and 'Conficker.a' by Microsoft and 'Downadup' by Symantec), the worm is a key component in a massive new botnet that a new criminal element, not associated with. At that time size of the new botnet was '500,000 a ballpark figure, 'That's not as large as some, such as [the] Kraken [botnet], or Storm earlier, but it had ... started to grow

Microsoft`s more detailed memo

"BitDefender has released what it claims is the first vaccination tool to remove the notorious Conficker virus that infected some 9 million Windows machines in about three months. The worm, also known as Downadup, exploits a bug in the Windows Server service used by Windows 2000, XP, Vista, Server 2003 and Server 2008. It spreads primarily through buffer overflow vulnerability in Windows Server Service where it disables the operating system update service, security center, including Windows Defender, and error reporting. The Romanian security vendor said its removal tool will delete all versions of Downadup and will not be detected by the virus.

Conficker/Downup/Downadup/Kido malware, according to Symantec 'is, to date, one of the most complex worms in the history of malicious code,' has been updated and this time for real. The new variant, dubbed W32.Downadup.C, adds new features to malware code and makes the threat even more dangerous and worrisome than before."

Removal using the W32.Downadup Removal Tool

"The CBC reported that the group managing Canada's .ca internet domain is working to foil an internet worm set to attack starting April Fool's Day. 'This is the first virus that's really focused on domain names as part of propagating the virus itself,' said Byron Holland, CEO of the Canadian Internet Registration Authority, a non-profit organization that represents those who hold a .ca domain. CIRA's strategy includes pre-emptively registering and isolating previously unregistered .ca domain names that Conficker C is expected to try and generate said a news release issued by the group. That would make those names unavailable for anyone to register in order to set up a website to host the worm's 'command and control' file. A list of the names has been predicted by security experts based on the worm's code. In addition, CIRA is investigating and monitoring activity at names on the list that have already been registered and will 'take appropriate action if suspicious activity is detected.'

Lastly a few tips:-

Conflicker is randomizing most of what it does fairly well. However, the one change that should be predictable is the removal of the SafeBoot registry key. Launch a check for this key on systems and then perform a test on machines that fail to see if they can nslookup windowsupdate.com and sans.org to confirm their status.

The registry key is here: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot The code for the key deletion in Conflicker looks like this: callSHDeleteKeyW(HKEY_LOCAL_MACHINE, "SYSTEM\\CurrentControlSet\\Control\\SafeBoot");

Be sure of what you`re browsing, and be sure of mouse clicks

The sites that were identified in the SRI report are these: 4shared.com, adobe.com, allegro.pl, ameblo.jp, answers.com, aweber.com, badongo.com, baidu.com. bbc.co.uk, blogfa.com, clicksor.com, comcast.net, cricinfo.com, disney.go.com, ebay.co.uk, facebook.com, fastclick.com, friendster.com, imdb.com, megaporn.com, megaupload.com, miniclip.com, mininova.org, ning.com, photobucket.com, rapidshare.com, reference.com, seznam.cz, soso.com, studiverzeichnis.com, tianya.cn, torrentz.com, tribalfusion.com, tube8.com, tuenti.com, typepad.com, ucoz.ru, veoh.com, vkontakte.ru,wikimedia.org, wordpress.com, xnxx.com, yahoo.com, and youtube.com.

While Symantec reported these sites for the date lookup: ask.com, baidu.com, facebook.com, google.com, imageshack.us, rapidshare.com, w3.org, yahoo.com

 

This worm is targeting antivirus software and security analysis tools with the aim of disabling them.

What can we do?

· Do a quick check of http://windowsupdate.microsoft.com from each PC. The ones that can't get to it are the ones that are infected. Alternatively, you could run a WMI command against each PC and see which

Ones are lacking updates. Those would be the ones to suspect.

· Ensure that web URL filtering capability is available if needed.

· Review NetBIOS and tcp port 445 at the firewall. If you use filesharing across internal borders, review those ACLs.

· You can use Logparser.exe from Microsoft to extract rogue login attempts from security event logs of representative workstations, from each subnet. You can do this also with Netflow or similar, if available, and watch for sources of traffic on TCP 445 should an infrastructure issue arise from any internal worm infections. Infected PCs will have Automatic Updates and BITS services disabled by the worm. They will not get any update.

· Look for client(s) that are trying to go to some of the public IP lookup sites like these:

* getmyip.org
* getmyip.co.uk
* checkip.dyndns.org
* whatsmyipaddress.com

 

 

Comments 2 CommentsJump to latest comment

Nel Ramos's picture

Nice topic.
We also prepared and braced for the effects of the April fool's day infection of the Conflicker.
It might be best to have a way to give/send reports on pending outbreaks before they happen like the one in your blog. The only question is who would be giving the info and would it be reliable.

Just my thoughts.

Nel Ramos

0
Login to vote
PraveenBhalla's picture

If you have any quires on doamin name registration and webhosting solution you can log on to the website to fix your problem here.

0
Login to vote