Saturday, April 18, 2009

Conficker worm spikes, infects 1.1 million PCs in <24 hours

The Conficker worm is back with a vengeance, infecting over one million systems in the past 24 hours. The refined version of this malware scans networks for weakly protected machines and actively attempts to spread itself via USB thumb drives. Neither feature was present in the original version, and so far, the attack is working.


It has been over a month since we heard much about Conficker, but the worm has reappeared with a vengeance over the past seven days. According to Finnish security company F-Secure, more than one million PCs have been infected with the worm (also known as Kido or Downadup) in the past 24 hours, with a total of 3.52 million machines infected worldwide. According to F-Secure, that 3.52 million is a conservative estimate.

The problem isn't so much with the older version of Conficker (now known as Conficker.A) but with a new flavor, dubbed Conficker.B. Ars spoke with Roger Halbheer, Chief Security Advisor of Microsoft's EMEA (Europe, Middle East, and Africa); he's been monitoring (and writing about) the current spread of infections. The skyrocketing infection rate is actually being caused by several factors; Roger describes Conficker.B as a "beast," and Microsoft has built the following diagram to demonstrate how the worm functions.

Once run or given access to an unprotected machine, Conficker.B begins searching for other systems or shares within the local network that it can infect. Shared systems, removable drives, or unpatched systems are all eligible targets, as are machines with weak passwords. This last bit is an important new feature of Conficker.B; a complete list of the passwords it checks for can be found here. If Conficker.B manages to successfully guess a password, it moves in and continues hunting for new targets. Microsoft summarizes the new strain as follows:

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Roger confirmed that the Malicious Software Removal Tool (MSRT) has checked for and removed Conficker.B since December 29, 2008, but it's not possible to access any Microsoft website once Conficker.B has infected a system; the worm blocks access to multiple domains based on string identification. If you've got a system that's infected, you'll need to download the latest MSRT from Microsoft on a clean system and run it manually.

Not all AV scanners currently detect Conficker.B, even if they've been updated to detect Conficker.A—I don't have a list of specific solutions that can't currently catch the new worm, but all of Microsoft's antimalware/antivirus products—Forefront, OneCare, and the Online Safety Scanner—will find Conficker.B if it's present (and you somehow haven't noticed). If there's a scrap of good news in all this, it's that Conficker.B is not a subtle worm.

Roger has provided some additional coverage on the worm that may be useful. First and foremost, he recommends installing MS08-067—this will not remove an existing infection, but it will guard against attack from either version of the agent, provided you aren't using weak passwords.

When Conficker.A first appeared, we raised the question of whether or not Microsoft should force updates in certain situations, and what those situations might be. In this case, even unilaterally enforced updates wouldn't solve the problem of weak passwords, but they would undoubtedly have cut the number of new infections we are seeing today. The size of that reduction would be the point on which the value of forced updates would turn, and of course, that's the one thing we can't predict; there are holes in existing AV products that would allow Conficker.B through, and the worm will attack and infect machines using weak passwords. Depending on how you view the situation, this second strain could either reinforce the need for mandatory updates or blow a hole in the argument.

Part of the reason for the problem, however, must inevitably come back upon the users, IT administrators, or managers that opted not to install the patch. As Roger writes: "If you decide not to roll out a security update which is so critical that we decide to go out of band, you play Russian Roulette with your network...The same is actually true if you do not run and maintain an appropriate Anti-Malware solution...Now, if we look at Conficker.B: This is really an ugly beast: You need just one infected machine in your network in order to have it spread across your network fast and aggressively. You can get it even through a USB-stick...it just needs one unpatched/infected machine."

Indeed. Based on the characteristics of a worm such as this, even mandatory updates would only be one facet of prevention.

Purpose of Conficker Worm Uncovered

Late yesterday, members of the Internet Information Security Consortium (I2SecC) working in conjunction with a cadre of white-hat hackers from around the globe were able to identify the purpose of the Conficker worm, which has been able to infect a large number of unprotected computers. Starting today, April 1, this network of compromised hosts will begin a massive denial-of-service attack on Web sites that do not pass validation as being fully standards compliant.

In order to ensure you do not fall victim to the worm’s botnet, I2SecC recommends immediate validation of the markup and supporting stylesheets for any Web site that you maintain and correcting any errors that are uncovered. As yet, it is unclear whether the worm will target sites that make use of non-standard DOM scripting; however, a message found by I2SecC researchers in an online forum believed to be from the worm’s creator or a close associate hints that it will: “your document.all are belong to us.”

Computer experts brace for ‘Conficker’ worm

Boston: A malicious software program that has infected millions of computers could enter a more menacing phase on Wednesday, from an outright attack to a quiet mutation that would further its spread.
Computer security experts who have analyzed the Conficker worm’s code say it is designed to begin a new phase on 1 April, and while it’s unclear whether it will unleash havoc or remain dormant, its stubborn presence is rattling businesses with multimillion-dollar budgets to fight cyber crime.
Conficker, believed to reside on 2 million to 12 million computers worldwide, is designed to turn an infected PC into a slave that responds to commands sent from a remote server that controls an army of slave computers known as a botnet.
“It can be used to attack as well as to spy. It can destroy files, it can connect to addresses on the Internet and it can forward your e-mail,” said Gadi Evron, an expert on botnets who helps governments protect against cyber crime.
But like many security experts, he doubts Wednesday will see a big attack.
The virus has been powerful enough to attack infected computers for months by exploiting weaknesses in Microsoft’s Windows operating system. Evron and several other analysts said Wednesday’s change could simply give Conficker enhanced functionality, possibly making it more dangerous.
“This is the electronic equivalent of being told there is a major storm that has a 20 percent chance of hitting,” said Mark Rasch, an executive at Secure IT Experts who spent 25 years prosecuting computer crimes at the U.S. Department of Justice.
“It’s not time to hide in the bunker. But it might be prudent to look out the window,” he added.
In February, Microsoft announced it was offering a $250,000 reward for information leading to the arrest and conviction of whoever is responsible for creating Conficker, saying the worm constituted a “criminal attack.”
FEARS OF ID THEFT
Botnets are a major worry because they can surreptitiously steal identities, log sensitive corporate information, credit card numbers, online banking passwords or other key data users of infected PCs type on their keyboards.
The information is often sold to criminal rings.
“Most malware we see in this day and age is very concerned with stealing information and making money for the author,” said Dave Marcus, a researcher with security-software maker McAfee Inc’s Avert Labs.
Experts said Conficker’s authors might gradually change the way it communicates to avoid attention and to prevent companies from putting in place safeguards such as those used to fight the worm since it first surfaced last year.
Microsoft released a patch to protect against the worm late last year, while anti-virus software companies offer software to sniff it out and destroy it. Such tools can be expensive.
Technology research firm Gartner Inc estimates businesses will spend $13.6 billion on security software this year excluding costs for related labor, services and hardware. While some consumer anti-virus software packages are available for free, others run as high as $80 each.
Security experts suspect Conficker originated in the Ukraine, based on its code. The FBI is working to shut it down but a spokesman declined to comment on its investigation.
“The public is once again reminded to employ strong security measures on their computers,” said Shawn Henry, assistant director of the Federal Bureau of Investigation’s cybercrimes division.
Independent security firms such as McAfee, Symantec Corp and Trend Micro Inc say they will closely monitor cyberspace on Wednesday to see how the worm mutates but will also watch closely over coming weeks as the hype fades.
“I don’t expect much to happen on April 1st. That’s the one day I would not do it. That’s the one day everybody is watching for something to drop,” said Joe Stewart, director of malware research at SecureWorks. “It’s just another small step in whatever the end game is.”

McAfee, Inc. speaks on Conficker worm

In response to growing concerns from the public and the media about the possible threat that may be unleashed by the Conficker worm on April 1st, McAfee, Inc. (NYSE: MFE), the leading Internet security company, today took steps to allay fears and offer some simple guidelines for consumers and businesses to ensure they are fully protected.

What is the Conficker worm?
Conficker first surfaced late last year, taking advantage of a security flaw in Microsoft’s Windows operating system to spread itself. Microsoft provided an emergency fix for the vulnerability last October with Security Update MS08-067. However, because many systems were not patched or properly protected with security software, Conficker has slithered onto as many as 12 million Windows computers, according to some estimates.

Some experts believe that one variant of the worm, Conficker.C, may activate on April 1 and start another assault on Windows computers. Computers infected with Conficker become part of an army of compromised computers and could be used to launch attacks on Web sites, distribute spam, host phishing Web sites or other criminal activities. Additionally, once it is on a computer, Conficker digs itself in by attempting to deactivate security software and sabotaging tools to remove it.

How do I know if I’m affected?
“One of the symptoms of this worm is that it blocks access to Web sites of Internet security companies,” says Dave Marcus, of McAfee Avert Labs. “A pretty good indication of whether your computer has been infected is to try and visit McAfee’s Web site: www.mcafee.com. If the site won’t load, you will need to clean your infected computer by searching for McAfee® Avert® Labs Stinger tool on the Internet. You should also install Microsoft’s patch to prevent the worm from reinstalling itself.”

As Conficker blocks popular security Web sites, including www.mcafee.com, users should search for “stinger virus removal” on the Internet, if they are unable to obtain it from McAfee’s Web site. Alternatively, users may transport the Stinger tool via a USB stick from an uninfected computer.

McAfee has released a free tool that will help assess multiple computers for the presence of Conficker. This new tool, termed ConTest, may be downloaded at no charge at http://www.mcafee.com/us/enterprise/confickertest.html.

Removing Conficker and preventing re-infection
Anti-malware solutions will clean the infection and use behavioral detection techniques like buffer overflow protection to prevent future infections. This is important because Conficker can propagate via portable media such as an infected USB drive. As the drive is accessed, the system processes autorun.inf and executes the attack. And finally, ensure all computers have Microsoft Security Update MS08-067 installed.

For more information on the Conficker worm and how users can protect themselves, visit http://www.mcafee.com/us/threat_center/conficker.html.

McAfee, Inc., headquartered in Santa Clara, California, is the world's largest dedicated security technology company. McAfee is relentlessly committed to tackling the world's toughest security challenges. The company delivers proactive and proven solutions and services that help secure systems and networks around the world, allowing users to safely connect to the Internet, browse and shop the web more securely. Backed by an award-winning research team, McAfee creates innovative products that empower home users, businesses, the public sector and service providers by enabling them to prove compliance with regulations, protect data, prevent disruptions, identify vulnerabilities, and continuously monitor and improve their security. http://www.mcafee.com

Friday, April 17, 2009

Conficker Domain Information

I wanted to follow up our recent Conficker post from last Friday where we posted new pages to consolidate our information on Conficker for enterprises and consumers. We’ve also made the easy-to-remember URL www.microsoft.com/conficker available that will take you directly to the Conficker page for enterprises.

We’ve shared some additional information today with our Microsoft Active Protections Program (MAPP) partners and our Microsoft Security Response Alliance (MSRA) partners. We believe that this information can be helpful for some of you as well, so we’re posting it here on the MSRC weblog as well.

We’ve seen that the Conficker worm will try every three hours to connect to specific domains over HTTP, a behavior sometimes referred to as “phoning home.” Conficker doesn’t carry a list of static domains; instead, the domains that it connects to are generated by the malware through a specific algorithm. Because our Microsoft Malware Protection Center (MMPC) colleagues and others in the security community have successfully reverse-engineered this algorithm, we can share what we’ve learned from that with you and others in the industry more broadly.

Most importantly, understanding this behavior and the algorithm gives us (and you) some additional options in combating Conficker.

First, it may be possible to identify infected hosts on your network if you’re able to log outbound traffic and then analyze those logs. If you see an entry in your logs for one of your systems connecting to one of these domains, that system may be infected by Conficker.

Second, you can also use this information to block access to those domains at your network perimeter by adding them to any “block lists” you might have.

To help make it easier to use this domain information, we’ve gone ahead and made a list of domains available as a zipped text file at the bottom of this post.

The text file is a list of domains that a system infected with Worm:Win32/Conficker.A or Worm:Win32/Conficker.B may try to contact. It is a list of comma-separated values (CSV) and lists out the specific Conficker variant that will try to use that domain, the date it will attempt to contact the domain, an arbitrary index number, and finally the domain itself.

As an example, here is an excerpt from the list of domains that Conficker may try to contact today, Feb. 12, 2009:

Variant, Date, Index, Hostname
A, 02/12/2009, 0, puxqy.net
A, 02/12/2009, 1, elvyodjjtao.net
A, 02/12/2009, 2, ltxbshpv.net
A, 02/12/2009, 3, ykjzaluthux.net
A, 02/12/2009, 4, lpiishmjlb.net
A, 02/12/2009, 5, arpsyp.com
A, 02/12/2009, 6, txkjngucnth.org
A, 02/12/2009, 7, vhslzulwn.org
A, 02/12/2009, 8, jcqavkkhg.net
A, 02/12/2009, 9, dmszsyfp.info
. . .

B, 02/12/2009, 0, tvxwoajfwad.info
B, 02/12/2009, 1, blojvbcbrwx.biz
B, 02/12/2009, 2, wimmugmq.biz
B, 02/12/2009, 3, fwnvlja.org
B, 02/12/2009, 4, umgrzaybbf.ws
B, 02/12/2009, 5, btgoyr.cc
B, 02/12/2009, 6, zboycplmkhc.cc
B, 02/12/2009, 7, qsqzphbn.biz
B, 02/12/2009, 8, xqdvmavs.cn
B, 02/12/2009, 9, wgrrrr.biz

So, if you have logging that includes the domain names being resolved externally, you can scan those logs for entries with these domain names in them.

Additionally, you can also look for log entries that match the following patterns. An example of an entry from a system infected by Worm:Win32/Conficker.A, where the domain ykjzaluthux.net resolves to 192.168.1.34, might look like:

http://192.168.1.34/search?q=1003&aq=7

and an example of an entry from a system infected by Worm:Win32/Conficker.B, where the domain qsqzphbn.biz resolves to 192.168.1.35, might look like:

http://192.168.1.35/search?q=328924
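A detector for the two signals the post describes (a hit against the per-day domain list, and the request shape left in the log once the domain has resolved to an IP), as an added example that is not Microsoft's code; the CSV excerpt, the proxy log format and the log lines below are constructed for illustration:

```python
import csv
import io
import re
from collections import defaultdict

# Constructed excerpt in the same layout as the post's domain list
# (Variant, Date, Index, Hostname); hostnames are the ones quoted in the post.
DOMAIN_LIST = """Variant, Date, Index, Hostname
A, 02/12/2009, 3, ykjzaluthux.net
A, 02/12/2009, 5, arpsyp.com
B, 02/12/2009, 7, qsqzphbn.biz
B, 02/12/2009, 8, xqdvmavs.cn
"""

# Constructed proxy log: '<timestamp> <client_ip> <method> <url>' (an assumed format).
SAMPLE_LOG = """2009-02-12T09:00:01 10.0.0.5 GET http://ykjzaluthux.net/search?q=1003&aq=7
2009-02-12T09:00:02 10.0.0.6 GET http://192.168.1.35/search?q=328924
2009-02-12T09:00:03 10.0.0.7 GET http://www.example.com/search?q=conficker
2009-02-12T09:00:04 10.0.0.8 GET http://update.example.net/index.html
"""

# Request shapes quoted in the post: variant A appends "&aq=<n>", variant B does not.
URL_PATTERNS = {
    "A": re.compile(r"/search\?q=\d+&aq=\d+$"),
    "B": re.compile(r"/search\?q=\d+$"),
}


def load_domain_list(text):
    """Return {date: {hostname: variant}} parsed from the CSV domain list."""
    by_date = defaultdict(dict)
    reader = csv.reader(io.StringIO(text), skipinitialspace=True)
    next(reader)  # skip the header row
    for variant, date, _index, hostname in reader:
        by_date[date][hostname.lower()] = variant
    return by_date


def scan_logs(lines, domains_for_day):
    """Return (client_ip, reason, variant) for each line that looks like a phone-home."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        client, url = parts[1], parts[3]
        host = re.sub(r"^https?://", "", url).split("/")[0].split(":")[0].lower()
        if host in domains_for_day:
            hits.append((client, "domain:" + host, domains_for_day[host]))
            continue
        # The domain may already have been resolved to an IP in the log; fall back to
        # the request shape. This is a weaker signal, so correlate it with DNS logs.
        if URL_PATTERNS["A"].search(url):
            hits.append((client, "pattern", "A"))
        elif URL_PATTERNS["B"].search(url):
            hits.append((client, "pattern", "B"))
    return hits


def find_conficker_hits(log_text=SAMPLE_LOG, day="02/12/2009"):
    """Scan one day's log against that day's generated domains."""
    domains = load_domain_list(DOMAIN_LIST).get(day, {})
    return scan_logs(log_text.splitlines(), domains)


if __name__ == "__main__":
    for client, reason, variant in find_conficker_hits():
        print(f"{client}: possible Conficker.{variant} ({reason})")
```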

We hope you find this information helpful.

Christopher

*This posting is provided "AS IS" with no warranties, and confers no rights*

Updated 3/2/2009 to clarify how the domain list can be used to scan logs and the format for log entries for infected systems

Thursday, April 16, 2009

Protecting Yourself From Conficker

There are three crucial steps that you need to take to protect your computer from Conficker (and other viruses). The first step is to make sure that your Windows Operating System is fully patched. The second step is to disable Autoplay. The third is to make sure that you are running antivirus software that is up to date.
Patching your Windows Operating System
Microsoft has responded to some of Conficker's techniques for infecting computers by patching the Windows operating system. If you are completely up to date with all of your Windows Updates, then you have already put these protections in place. If you aren't up to date, you need to make sure that you have installed the patches discussed in KB958644 and KB967715. The easiest way to get all of the updates needed to stop Conficker is to visit http://update.microsoft.com and make sure that the latest updates have all been installed. For future updates, simply enabling Automatic Updates ensures that your computer stays patched.

Disabling Autoplay
Because the Conficker virus masks itself in the Autoplay window that appears when a new disk is inserted, disabling Autoplay also helps protect you from the Conficker virus. For this reason, CITES Security strongly recommends disabling the Autoplay feature in Windows.
For more information about how to disable Autoplay, see:
Vista instructions (simple)
XP instructions (simple)
Microsoft Knowledge Base (advanced, with patch links)

Running up-to-date Antivirus Software
Security companies that make antivirus software are doing their best to keep up with Conficker and its mutations. If your computer is acting oddly, or if you just want to double check that your computer is free from Conficker, you should download the latest antivirus update and then run a full scan of your computer.

Experts are warning that hackers have yet to activate the payload of the Conficker virus.
The worm is spreading through low security networks, memory sticks, and PCs without current security updates.
The malicious program - also known as Downadup or Kido - was first discovered in October 2008.
Although the spread of the worm appears to be levelling off, there are fears someone could easily take control of any and all of the 9.5m infected PCs.
Speaking to the BBC, F-Secure's chief research officer, Mikko Hypponen, said there was still a real risk to users.
"Total infections appear to be peaking. That said, a full count is hard, because we also don't know how many machines are being cleaned. But we estimate there are still more than 9m infected PCs world wide.
"It is scary thinking about how much control they [a hacker] could have over all these computers. They would have access to millions of machines with full administrator rights.
"But they haven't done that yet, maybe they're scared. That's good news. But there is also the scenario that someone else figures out how to activate this worm. That is a worrying prospect."
Experts say users should have up-to-date anti-virus software and install Microsoft's MS08-067 patch. The patch is known as KB958644.
Speaking to the BBC, Graham Cluley, senior technology consultant with anti-virus firm Sophos, said the outbreak was of a scale they had not seen for some time.
"Microsoft did a good job of updating people's home computers, but the virus continues to infect businesses who have ignored the patch update.
"A shortage of IT staff during the holiday break didn't help and rolling out a patch over a large number of computers isn't easy.
"What's more, if your users are using weak passwords - 12345, QWERTY, etc - then the virus can crack them in short order," he added.
"But as the virus can be spread with USB memory sticks, even having the Windows patch won't keep you safe. You need anti-virus software for that."
Method
According to Microsoft, the worm works by searching for a Windows executable file called "services.exe" and then becomes part of that code.
It then copies itself into the Windows system folder as a random file of a type known as a "dll". It gives itself a 5-8 character name, such as piftoc.dll, and then modifies the Registry, which lists key Windows settings, to run the infected dll file as a service.
Once the worm is up and running, it creates an HTTP server, resets a machine's System Restore point (making it far harder to recover the infected system) and then downloads files from the hacker's web site.
Most malware uses one of a handful of sites to download files from, making them fairly easy to locate, target, and shut down.
But Conficker does things differently.
Anti-virus firm F-Secure says that the worm uses a complicated algorithm to generate hundreds of different domain names every day, such as mphtfrxs.net, imctaef.cc, and hcweu.org. Only one of these will actually be the site used to download the hackers' files. On the face of it, tracing this one site is almost impossible.
Variant
Speaking to the BBC, Kaspersky Lab's security analyst Eddy Willems said that a new strain of the worm was complicating matters.
"There was a new variant released less than two weeks ago and that's the one causing most of the problems," said Mr Willems.
"The replication methods are quite good. It's using multiple mechanisms, including USB sticks, so if someone got an infection from one company and then takes his USB stick to another firm, it could infect that network too. It also downloads lots of content and creates new variants through this mechanism.
"Of course, the real problem is that people haven't patched their software," he added.
Microsoft says that the malware has infected computers in many different parts of the world, with machines in China, Brazil, Russia, and India having the highest number of victims.