Conficker…Am I missing something?

January 20, 2009

OK, so it seems to be spreading itself fairly rapidly…but I remember when a PAYLOAD actually was something to be concerned about. What the fuck is it that this Conficker does? Ooh, it blocks access to a handful of `security` websites, stops auto backups running and disables system restore (erm, which most sensible people disable voluntarily because it’s just a vuln in itself which is exploited by other malicious code), and, erm, I think that’s about it. Wow.

So if that sounds scary, then reimage and patch. That’s it.

Calm down. It’s possibly the most supergay `virus` ever. Just rebuild the box. You got backups anyway, right? ;)

Real viruses used to actually destroy the entire O/S or delete files, kill the MBR and completely fuck your PCs. This doesn’t.

Worry more about the backdoors, rootkits and viruses which are NOT being talked about so much, which have very few if any clues as to their presence… www.rootkit.com

Anyway, if you ARE concerned about Conficker, here’s the overview/details from NAI.

Overview –

This detection is for a worm that exploits the MS08-067 vulnerability as the main vehicle of infection. It also uses other common techniques for spreading, as outlined in the Method of Infection section. It also downloads and executes various files onto the affected system.

Aliases

  • Worm:Win32/Conficker.A (Microsoft)
  • Crypt.AVL (AVG)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Pakes.lxf (F-Secure)
  • Trojan.Win32.Pakes.lxf (Kaspersky)
  • W32.Downadup (Symantec)
  • Worm:Win32/Conficker.B (Microsoft)
  • WORM_DOWNAD.A (Trend Micro)

Characteristics –

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

New variants have been observed dropping copies of themselves also into:

  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %All Users Application Data%\[Random].dll
  • %Temp%\[Random].dll
  • %System%\[Random].tmp
  • %Temp%\[Random].tmp

Where [Random] is a random name of 4 to 8 letters only.

On NTFS filesystems the dropped files often have modified access permissions: access to the file is completely removed for all users and groups. This is done to make detection and cleaning more difficult.

It modifies the following registry keys to create a randomly-named service on the affected system:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

Several variants remove access to the above registry key by changing the key's ACLs, again in an attempt to make detection and removal of the service key more difficult. The service name is generated dynamically by joining words from a hardcoded list:

  • Boot
  • Center
  • Config
  • Driver
  • Helper
  • Image
  • Installer
  • Manager
  • Microsoft
  • Monitor
  • Network
  • Security
  • Server
  • Shell
  • Support
  • System
  • Task
  • Time
  • Universal
  • Update
  • Windows
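The word list above, together with the ServiceDll / ImagePath values and the 4-to-8-letter file names described earlier, is enough to build a simple triage heuristic over the Services registry hive. The Python below is an added example written for this page, not NAI's code or anything the author supplied; `SAMPLE_SERVICES` is a constructed list of service entries (not a real registry dump), and the scoring rule, threshold and function names are mine. It flags a service whose name splits cleanly into two or more list words and that also shows one of the other two indicators.

```python
import re
from typing import Dict, List, Optional

# Word list the write-up gives for the dynamically generated service name.
SERVICE_WORDS = [
    "Boot", "Center", "Config", "Driver", "Helper", "Image", "Installer",
    "Manager", "Microsoft", "Monitor", "Network", "Security", "Server",
    "Shell", "Support", "System", "Task", "Time", "Universal", "Update",
    "Windows",
]

# Dropped copies are "4 to 8 letters only" with a .dll or .tmp extension.
RANDOM_NAME_RE = re.compile(r"^[A-Za-z]{4,8}\.(dll|tmp)$")
# ImagePath the write-up gives for the rogue service.
NETSVCS_RE = re.compile(r"svchost\.exe\s+-k\s+netsvcs\s*$", re.IGNORECASE)


def segment_into_words(name: str, words: List[str] = SERVICE_WORDS) -> Optional[List[str]]:
    """Split `name` into a sequence of list words, or return None if impossible.

    Backtracking search: try every word as a prefix and recurse on the
    remainder. The empty string segments into [] so a full match terminates."""
    if name == "":
        return []
    for w in words:
        if name.startswith(w):
            rest = segment_into_words(name[len(w):], words)
            if rest is not None:
                return [w] + rest
    return None


def assess_service(entry: Dict[str, str]) -> Dict[str, object]:
    """Score one Services\\<name> entry against the indicators in the write-up.

    Heuristic (mine, not NAI's): the name must be built from the word list AND
    at least one of the other two indicators must be present. Requiring the name
    match keeps legitimate netsvcs hosts with short DLL names out of the hits."""
    indicators = []
    words = segment_into_words(entry["name"])
    name_hit = bool(words) and len(words) >= 2
    if name_hit:
        indicators.append("name is a concatenation of list words: " + "+".join(words))
    if NETSVCS_RE.search(entry.get("ImagePath", "")):
        indicators.append("hosted by svchost.exe -k netsvcs")
    base = entry.get("ServiceDll", "").replace("\\", "/").rsplit("/", 1)[-1]
    if RANDOM_NAME_RE.match(base):
        indicators.append("ServiceDll is a 4-8 letter random-looking name: " + base)
    return {
        "service": entry["name"],
        "indicators": indicators,
        "suspicious": name_hit and len(indicators) >= 2,
    }


def find_suspicious(services: List[Dict[str, str]]) -> List[str]:
    """Return the names of services the heuristic flags."""
    return [r["service"] for r in map(assess_service, services) if r["suspicious"]]


# Constructed sample, not a real registry dump.
SAMPLE_SERVICES = [
    {"name": "wuauserv",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Windows\System32\wuaueng.dll"},
    {"name": "Spooler",
     "ImagePath": r"%SystemRoot%\system32\spoolsv.exe",
     "ServiceDll": ""},
    {"name": "NetworkMonitor",
     "ImagePath": r"C:\Program Files\Vendor\netmon.exe",
     "ServiceDll": r"C:\Program Files\Vendor\netmonitor64.dll"},
    {"name": "SystemTimeHelper",
     "ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
     "ServiceDll": r"C:\Windows\System32\qwzlk.dll"},
]

if __name__ == "__main__":
    for svc in SAMPLE_SERVICES:
        result = assess_service(svc)
        flag = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{result['service']:<18} {flag:<10} {'; '.join(result['indicators'])}")
```

On a live box you would feed this the subkeys of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services. Because the write-up says the worm strips the ACL on its own service key, a key you cannot read at all is itself worth listing as a finding rather than skipping silently.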

It injects itself into various running processes. Different variants have been observed injecting into one or more of:

  • svchost.exe
  • explorer.exe
  • services.exe

Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:

  • hxxp://www.getmyip.org
  • hxxp://getmyip.co.uk
  • hxxp://checkip.dyndns.org
  • hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website:

hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

New variants are connecting to various other hosts.

Starts an HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer then connects back to the HTTP server and downloads a copy of the worm. The HTTP connection is made on a random port and the transferred file has one of the following extensions:

  • bmp
  • gif
  • jpeg
  • png

Later variants of W32/Conficker.worm attempt to connect to remote hosts using the local credentials, a list of usernames retrieved from the target system and a long list of hardcoded passwords. In doing so it may lock out domain accounts where the policy allows only a limited number of wrong passwords.

On successfully exploited remote systems the worm drops a copy of itself in the %Sysdir% folder and creates a scheduled task to execute it. It may also create a copy in the remote "Recycle Bin" folder and an Autorun.inf file.

Using these techniques the worm may replicate onto non-vulnerable systems or reinfect previously infected systems after they have been cleaned.

The worm hooks system APIs to prevent access to security websites. A list of some of the blocked domains is:

  • ahnlab
  • arcabit
  • avas
  • avg
  • avira
  • avp
  • bit9
  • ca
  • castlecops
  • centralcommand
  • cert
  • clamav
  • comodo
  • computerassociates
  • cpsecure
  • drweb
  • emsisoft
  • esafe
  • eset
  • etrust
  • ewido
  • fortinet
  • f-prot
  • f-secure
  • gdata
  • grisoft
  • hacksoft
  • hauri
  • ikarus
  • jotti
  • k7computing
  • kaspersky
  • mcafee
  • microsoft
  • nai
  • networkassociates
  • nod32
  • norman
  • norton
  • panda
  • pctools
  • prevx
  • quickheal
  • rising
  • sans
  • securecomputing
  • sophos
  • spamhaus
  • sunbelt
  • symantec
  • threatexpert
  • trendmicro
  • vet
  • wilderssecurity
  • windowsupdate

Some security services may also be disabled by the infection.

Symptoms –

  • Network port scans on port 445, as per the MS08-067 exploit.
  • Access to the above-mentioned domains.
  • Domain accounts being locked out due to maximum login attempts.
  • Presence of the above-mentioned files and registry keys, with empty permissions.
  • Scheduled tasks being created.
  • autorun.inf files being created.
  • Access to security-related web sites is blocked.
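The first symptom in that list, scanning of port 445, is the one most likely to show up in logs an organisation already collects. The Python below is an added example written for this page, not NAI's tooling or the author's; it parses a constructed set of Windows Firewall-style (pfirewall.log, W3C layout) lines gathered from several hosts into one file and reports any source that touches five or more distinct hosts on TCP/445 within a one-minute window. The sample lines, the field layout assumption and the thresholds are mine.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in Windows Firewall (pfirewall.log) W3C layout, as if the
# logs of several hosts were collected into one file; these are not real captured
# lines. 10.1.2.50 sweeps six neighbours on TCP/445 in a few seconds, 10.1.2.7
# talks to one file server, 10.1.2.9 browses the web.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2009-01-20 09:15:01 DROP TCP 10.1.2.50 10.1.2.1 1031 445 48 S 3245011 0 65535 - - - RECEIVE
2009-01-20 09:15:01 DROP TCP 10.1.2.50 10.1.2.2 1032 445 48 S 3245012 0 65535 - - - RECEIVE
2009-01-20 09:15:02 DROP TCP 10.1.2.50 10.1.2.3 1033 445 48 S 3245013 0 65535 - - - RECEIVE
2009-01-20 09:15:02 DROP TCP 10.1.2.50 10.1.2.4 1034 445 48 S 3245014 0 65535 - - - RECEIVE
2009-01-20 09:15:03 DROP TCP 10.1.2.50 10.1.2.5 1035 445 48 S 3245015 0 65535 - - - RECEIVE
2009-01-20 09:15:03 DROP TCP 10.1.2.50 10.1.2.6 1036 445 48 S 3245016 0 65535 - - - RECEIVE
2009-01-20 09:15:10 ALLOW TCP 10.1.2.7 10.1.2.200 2049 445 - - - - - - - - SEND
2009-01-20 09:16:30 ALLOW TCP 10.1.2.7 10.1.2.200 2050 445 - - - - - - - - SEND
2009-01-20 09:17:05 ALLOW TCP 10.1.2.9 192.0.2.10 3001 80 - - - - - - - - SEND
2009-01-20 09:17:06 DROP UDP 10.1.2.50 10.1.2.255 137 137 78 - - - - - - - RECEIVE
"""


def parse_firewall_log(text: str) -> List[Dict[str, object]]:
    """Parse W3C-style firewall log lines; header and malformed rows are skipped."""
    events = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        f = line.split()
        if len(f) < 8 or not f[7].isdigit():
            continue
        events.append({
            "ts": datetime.strptime(f"{f[0]} {f[1]}", "%Y-%m-%d %H:%M:%S"),
            "action": f[2], "proto": f[3], "src": f[4], "dst": f[5],
            "dport": int(f[7]),
        })
    return events


def detect_smb_fanout(events: List[Dict[str, object]], min_targets: int = 5,
                      window: timedelta = timedelta(seconds=60)) -> Dict[str, List[str]]:
    """Map each source that reached >= min_targets distinct hosts on TCP/445
    within one sliding window to the sorted list of those targets.

    Fan-out to many distinct destinations, not volume, is the signal: a busy
    client hammering one file server never trips it."""
    by_src = defaultdict(list)
    for e in events:
        if e["proto"] == "TCP" and e["dport"] == 445:
            by_src[e["src"]].append(e)
    findings = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i, first in enumerate(evs):
            targets = {e["dst"] for e in evs[i:] if e["ts"] - first["ts"] <= window}
            if len(targets) >= min_targets:
                findings[src] = sorted(targets)
                break
    return findings


if __name__ == "__main__":
    hits = detect_smb_fanout(parse_firewall_log(SAMPLE_LOG))
    for src, targets in hits.items():
        print(f"{src} touched {len(targets)} hosts on TCP/445: {', '.join(targets)}")
```

The threshold should be tuned to the environment: five distinct SMB peers in a minute is noise for a domain controller or a backup server, so those sources belong on an allow-list before the check is run across a whole network's logs.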

Method of Infection –

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.

It also spreads by brute-forcing remote systems' passwords and installing scheduled tasks and/or autorun.inf files on the victim.

Removal –

AVERT recommends always using the latest DATs and engine. This threat will be cleaned if you have this combination.

Variants –

N/A
