Aliases
Worm:Win32/Conficker.A (Microsoft)
Crypt.AVL (AVG)
Mal/Conficker-A (Sophos)
Trojan.Win32.Pakes.lxf (F-Secure)
Trojan.Win32.Pakes.lxf (Kaspersky)
W32.Downadup (Symantec)
Worm:Win32/Conficker.B (Microsoft)
WORM_DOWNAD.A (Trend Micro)
Characteristics -
----Update on March 10, 2009---
The risk assessment of this threat has been updated to Low-Profiled due to media attention at
http://www.thetechherald.com/article.php/200911/3157/Conficker-Worm-fighting-back-a-new-variant-discovered-disables-security-measures
A new variant of W32/Conficker.worm has been seen spreading. It copies itself to the following pathes:
%Sysdir%\[Random].dll
%Program Files%\Internet Explorer\[Random].dll
%Program Files%\Movie Maker\[Random].dll
%Program Files%\Windows Media Player\[Random].dll
%Program Files%\Windows NT\[Random].dll
It disables the following services:
WerSvc
ERSvc
BITS
wuauserv
WinDefend
wscsvc
It hooks the following functions in dnsapi.dll :
Query_Main
DnsQuery_W
DnsQuery_UTF8
DnsQuery_A
It hooks the following functions in ws2_32.dll:
sendto
The worm deletes the following registry key to disable restarting in safe mode:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot
It deletes the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender
It terminates the processes that contains the following strings in name:
wireshark
unlocker
tcpview
sysclean
scct_
regmon
procmon
procexp
ms08-06
mrtstub
mrt.
mbsa.
klwk
kido
kb958
kb890
hotfix
gmer
filemon
downad
confick
avenger
autoruns
In order to block users access to security-related domains, prevents network access to any domains that contain the following strings:
windowsupdate
wilderssecurity
virus
virscan
trojan
trendmicro
threatexpert
threat
technet
symantec
sunbelt
spyware
spamhaus
sophos
secureworks
securecomputing
safety.live
rootkit
rising
removal
quickheal
ptsecurity
prevx
pctools
panda
onecare
norton
norman
nod32
networkassociates
mtc.sri
msmvps
msftncsi
mirage
microsoft
mcafee
malware
kaspersky
k7computing
jotti
ikarus
hauri
hacksoft
hackerwatch
grisoft
gdata
freeav
free-av
fortinet
f-secure
f-prot
ewido
etrust
eset
esafe
emsisoft
dslreports
drweb
defender
cyber-ta
cpsecure
conficker
computerassociates
comodo
clamav
centralcommand
ccollomb
castlecops
bothunter
avira
avgate
avast
arcabit
antivir
anti-
ahnlab
agnitum
The latest Conficker is known to generate 50,000 domain names using its own generator algorithm. The following is its disassembly snapshot.
The following suffixes are appended to any generated domains. It uses 116 different suffixes for example:
com.ve
com.uy
com.ua
com.tw
com.tt
com.tr
com.sv
com.py
com.pt
com.pr
com.pe
com.pa
com.ni
com.ng
com.mx
com.mt
com.lc
com.ki
com.jm
com.hn
com.gt
com.gl
com.gh
com.fj
com.do
com.co
com.bs
com.br
com.bo
com.ar
com.ai
com.ag
co.za
co.vi
co.uk
co.ug
co.nz
co.kr
co.ke
co.il
co.id
co.cr
-------------------------------------------------------------
When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry key to create a randomly-named service on the affected syetem:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.
hxxp://www.getmyip.org
hxxp://getmyip.co.uk
hxxp://checkip.dyndns.org
hxxp://whatsmyipaddress.com
Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)
hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe
Starts a HTTP server on a random port on the infected machine to host a copy of the worm.
Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.
Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.
Symptoms -
This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.
Users being locked out of directory
Access to admin shares denied
Scheduled tasks being created
Access to security related web sites is blocked.
Method of Infection -
This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.
Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
Upon detection of this worm the system should be rebooted to clean memory correctly. May require more that one reboot.
Scheduled tasks have been seen to be created on the system to re-activate the worm.
Autorun.inf files have been seen to be used to re-activate the worm.
Removal -
Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.
The Final Countdown
Subscribe to:
Post Comments (Atom)
0 comments:
Post a Comment