30 March 2009

MA-145.012009: MyCERT Special Alert - Worm:Win32/Conficker.B

Original Issue 7.00pm, 9th January 2009
2nd Revision : 8.30pm, 9th January 2009
3rd Revision : 12th January 2009
4th Revision : 14th January 2009
5th Revision : 19th January 2009

1.0 INTRODUCTION

MyCERT has received reports from various sources about a malware that has been spreading actively within internal networks by exploiting unpatched Microsoft Windows operating systems. The malware, known as Conficker, Downadup or Kido, exploits Microsoft's MS08-067 vulnerability. The patch that protects against this malware has, however, been available since October 2008 [1].

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (hosted in SVCHOST.EXE). It is a standalone malicious program that uses computer or network resources to make complete copies of itself, and it may carry code or other malware that damages both the system and the network. The malware is also known by other names; please refer

Users may check whether their machine has been infected by looking for a DLL with a randomized, garbage-looking file name in the Windows directory:

e.g. C:\Windows\bsdkdf.dll

2.0 AFFECTED SYSTEMS

This worm affects the following Microsoft Windows operating systems:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Server 2008
  • Microsoft Windows Storage Server 2003
  • Microsoft Windows Vista
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional

3.0 TECHNICAL ANALYSIS

Based on our lab analysis, the worm infects machines not only by exploiting the vulnerability over the network, but also via the 'autorun' feature of Microsoft Windows, which allows the malware to execute from a USB drive.

We observed the following activities as soon as the malware was executed:

a. Modification of Registry Value:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"

b. Modification of File System:

  • %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • C:\Documents and Settings\All Users\Application Data \[RANDOM FILE NAME].dll

c. Modification of System Services:

  • Service name: [PATH TO WORM]
  • Display name: [WORM GENERATED SERVICE NAME]
  • Startup Type: Automatic

The malware creates new registry keys so that the service it installed is loaded when Windows starts. The modified registry keys are:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\Parameters\"ServiceDll" = "[PATH TO WORM]"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Type" = "4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Start" = "4"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ErrorControl" = "4"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "rundll32.exe "[RANDOM FILE NAME].dll", ydmmgvos"
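The registry and file-system artefacts in section 3.0 can be checked offline against an exported copy of the registry rather than by hand. The script below is an added example and is not MyCERT's code: it parses a simplified .reg-style export (single backslashes, no regedit header), then flags the Applets "dl"/"ds" markers, any svchost "-k netsvcs" service whose ServiceDll is not on a clean-host baseline or lives in one of the drop directories listed under 3.0 b, and any Run entry that launches a DLL through rundll32. The export text, the baseline set, and every service, DLL and value name in it are constructed placeholders.

```python
"""Offline triage of a registry export for the persistence indicators listed
in section 3.0 of this advisory.  Added example, not MyCERT's code.  The
export below is constructed (simplified .reg layout, single backslashes) and
every service, DLL and value name in it is a placeholder."""
import re

SAMPLE_REG = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets]
"dl"="0"
"ds"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ImagePath"="%SystemRoot%\System32\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule\Parameters]
"ServiceDll"="%SystemRoot%\System32\schedsvc.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xzqwrv]
"ImagePath"="%SystemRoot%\system32\svchost.exe -k netsvcs"
"Type"="4"
"Start"="4"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xzqwrv\Parameters]
"ServiceDll"="C:\Documents and Settings\All Users\Application Data\bsdkdf.dll"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"kdsfjw"="rundll32.exe \"bsdkdf.dll\", ydmmgvos"
'''

SERVICES_KEY = r'HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
RUN_KEY = r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run'
APPLETS_KEYS = (
    r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets',
    r'HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets',
)
# Drop directories from section 3.0 b, as lowercase path fragments.
DROP_DIRS = ('\\internet explorer\\', '\\movie maker\\', '\\temp\\',
             '\\application data\\', '\\application data \\')
# Constructed allow-list of netsvcs-hosted ServiceDll paths known good on this
# host; in practice, build it from a clean reference machine of the same build.
BASELINE_DLLS = {r'%systemroot%\system32\schedsvc.dll'}


def parse_reg(text):
    """Parse the simplified export into {key_path: {value_name: data}}."""
    hive, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            hive.setdefault(current, {})
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                hive[current][m.group(1)] = m.group(2).replace('\\"', '"')
    return hive


def find_indicators(hive):
    """Return (kind, where, detail) tuples for the advisory's indicators."""
    findings = []
    # 1. The "dl"/"ds" marker values written under Applets (section 3.0 a).
    for key in APPLETS_KEYS:
        vals = hive.get(key, {})
        for name in ('dl', 'ds'):
            if vals.get(name) == '0':
                findings.append(('applets-marker', key, name))
    # 2. svchost -k netsvcs services whose ServiceDll is off-baseline or
    #    sits in one of the drop directories (section 3.0 b and c).
    for key, vals in hive.items():
        if not key.startswith(SERVICES_KEY + '\\'):
            continue
        name = key[len(SERVICES_KEY) + 1:]
        if '\\' in name:            # a Parameters subkey; handled via its parent
            continue
        image = vals.get('ImagePath', '').lower()
        if 'svchost.exe' not in image or '-k netsvcs' not in image:
            continue
        dll = hive.get(key + '\\Parameters', {}).get('ServiceDll', '')
        dll_l = dll.lower()
        if dll_l not in BASELINE_DLLS:
            findings.append(('unbaselined-netsvcs-service', name, dll))
        if any(d in dll_l for d in DROP_DIRS):
            findings.append(('servicedll-in-drop-dir', name, dll))
    # 3. Run-key entries that launch a DLL export through rundll32.
    for name, data in hive.get(RUN_KEY, {}).items():
        if data.lower().startswith('rundll32'):
            findings.append(('rundll32-run-entry', name, data))
    return findings


if __name__ == '__main__':
    for kind, where, detail in find_indicators(parse_reg(SAMPLE_REG)):
        print(f'{kind:30} {where}  ->  {detail}')
```

On a real export, regedit doubles backslashes and escapes quotes; the parser above only handles the simplified layout, so normalise the export (or extend the regex) before using it on real data. A service appearing only as "unbaselined" is a candidate for review, not proof of infection; the drop-directory and rundll32 findings are the stronger signals in this advisory's context.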

4.0 IMPACT

If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. The worm may also spread via removable drives and weak administrator passwords. It disables several important system services and security products, including Microsoft Windows Update, and blocks access to most anti-virus websites.

5.0 MITIGATION

1. Ensure that you have applied the patches referred to in Security Bulletin MS08-067, as mentioned in our earlier advisory, in order to prevent infection [1].

2. Microsoft has released the Microsoft Windows Malicious Software Removal Tool to help you remove specific, prevalent malicious software from a computer. Details can be accessed at:

3. Alternatively, if the machine has already been infected, you may consider manually downloading the relevant removal tool from your anti-virus provider. The following is a removal tool provided by Kaspersky.

4. Update anti-virus software to the latest signature pattern and perform a thorough scan of the system.

5. Ensure that your network passwords are strong, to prevent this worm from spreading via weak administrator passwords. More information is available here:

6. As a preventive measure against infection via USB, disable the autorun feature for removable drives:

a. Start -> Run -> gpedit.msc

b. Run -> gpedit.msc

c. Select Computer Configuration -> Administrative Templates -> System ->

d. In the Setting tab there is an entry for TURN OFF AUTOPLAY. Right-click the entry, select Properties, and you will be presented with the options below.

e. Click APPLY and then OK to save the setting.

f. Restart the computer for the changes to take effect immediately.

7. If your organization uses an intrusion detection system that can use Snort rules, below are the signatures produced by the Emerging Threats group to detect activity from the Conficker.B worm.

alert tcp $HOME_NET any -> 67.15.94.80 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; sid:2008802; rev:2;)

alert tcp $HOME_NET any -> [75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location"; flow:to_server; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; threshold:type both, count 5, seconds 60, track by_src; sid:2008803; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008"; flow:to_server,established; uricontent:"/search?q="; uricontent:"&aq=7"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; sid:2008804; rev:4;)
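Two parts of these rules are easy to misread when tuning them: the second rule only fires after the threshold clause ("type both, count 5, seconds 60, track by_src") has seen five matching connections from one source inside a minute, and then stays quiet for that source until the window expires; the third rule needs both uricontent strings to be present in the URI. The following is an added example, not part of the advisory or of the Emerging Threats ruleset, that models those two behaviours over constructed connection records. The destination list is taken from the second rule as printed above; the $HTTP_PORTS expansion, the record format and all source addresses are assumptions, and the flow:established state tracking and $HOME_NET check are left out.

```python
"""Model of the header match, uricontent match and 'threshold:type both'
clause in the Emerging Threats rules above, run over constructed records.
Added example, not part of the advisory or of the ET ruleset."""

# Destination list from the second rule (sid:2008803), as printed in the advisory.
GEO_CHECK_DESTS = {'75.126.138.202', '72.249.118.38', '208.78.69.70',
                   '204.13.249.70', '208.78.68.70'}
HTTP_PORTS = {80, 8080}                # assumed expansion of $HTTP_PORTS
THRESH_COUNT, THRESH_SECONDS = 5, 60   # threshold: count 5, seconds 60


class ThresholdBoth:
    """Snort 'threshold:type both ... track by_src': raise one alert per source
    once COUNT matching events fall inside a SECONDS window, then suppress
    further alerts for that source until the window expires."""

    def __init__(self, count=THRESH_COUNT, seconds=THRESH_SECONDS):
        self.count, self.seconds = count, seconds
        self.windows = {}   # src -> [window_start, events_in_window, alerted]

    def event(self, src, ts):
        """Record one matching event; return True only when an alert is due."""
        w = self.windows.get(src)
        if w is None or ts - w[0] >= self.seconds:
            w = self.windows[src] = [ts, 0, False]   # open a fresh window
        w[1] += 1
        if w[1] >= self.count and not w[2]:
            w[2] = True
            return True
        return False


def geo_check_match(rec):
    """Header match for sid:2008803: client-to-server traffic to a listed host on an HTTP port."""
    return (rec['dst'] in GEO_CHECK_DESTS and rec['dport'] in HTTP_PORTS
            and rec['dir'] == 'to_server')


def uricontent_match(uri, contents):
    """Several plain uricontent clauses with no distance/within modifiers must
    all be present somewhere in the URI; their order is not constrained."""
    return all(c in uri for c in contents)


def run_geo_check(records):
    """Replay records in time order and return (src, ts) for each alert raised."""
    th = ThresholdBoth()
    alerts = []
    for r in sorted(records, key=lambda r: r['ts']):
        if geo_check_match(r) and th.event(r['src'], r['ts']):
            alerts.append((r['src'], r['ts']))
    return alerts


def rec(ts, src, dst, dport=80):
    """Constructed connection record (seconds, client, server, server port)."""
    return {'ts': ts, 'src': src, 'dst': dst, 'dport': dport, 'dir': 'to_server'}


# Constructed sample: one host checks the listed servers seven times in 30 s,
# another only twice; one record goes to an unlisted host; a later burst from
# the first host lands in a new window and should alert again.
SAMPLE_RECORDS = (
    [rec(t, '10.0.0.5', '208.78.69.70') for t in (0, 5, 10, 15, 20, 25, 30)]
    + [rec(t, '10.0.0.9', '72.249.118.38') for t in (3, 40)]
    + [rec(7, '10.0.0.5', '192.0.2.10')]
    + [rec(t, '10.0.0.5', '204.13.249.70') for t in (100, 101, 102, 103, 104)]
)

if __name__ == '__main__':
    for src, ts in run_geo_check(SAMPLE_RECORDS):
        print(f'alert sid:2008803 src={src} at t={ts}s')
    print(uricontent_match('/search?q=abc&aq=7', ['/search?q=', '&aq=7']))
```

The replay alerts once for 10.0.0.5 at its fifth listed-host connection (t=20), ignores the sixth and seventh inside the same window, and alerts again for the burst at t=100..104; 10.0.0.9 never reaches the count. When adapting the threshold for a site, note that lowering the count or lengthening the window trades fewer missed slow scanners for more noise from legitimate clients of those hosts.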

6.0 REFERENCES


http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/626/index.html

23 March 2009

The most dangerous job...!! It really exists....


I thought Pendekar Bujang Lapok was just making up a story.. turns out that job really exists.... hehehehe

Earth Hour Malaysia Desktop Calendar

21 March 2009

The Legend Water Chalets, Port Dickson



Project Management Course

Project Management Course:
Using Microsoft Project software to prepare work programmes and monitor work progress
Date: 20 - 22 March 2009
Venue: The Legend Water Chalets, Port Dickson

18 March 2009

Earth Hour 2009

At 8.30pm on 28 March 2009, cities and towns across the world will turn off their lights for one hour – Earth Hour – sending a powerful global message that it’s possible to take action on global warming.
Taking the first step is as easy as turning off a light. By encouraging entire cities to perform this simple act, for just one hour, a powerful message is delivered to the world about the urgent need to address climate change, and shows that it is possible for everyone to make a difference.
Earth Hour 2009 will be a major call to action for every individual, government and business to take responsibility and play a part in ensuring a sustainable future. Iconic buildings and landmarks across Europe, Asia-Pacific, the Middle East and The Americas will go dark. People will join together to celebrate and create a conversation about the future of our planet.
Earth Hour is a message of hope and action. Imagine what we can do if we act together.
Join us for Earth Hour 2009.

14 March 2009

Lucky - Jason Mraz ft. Colbie Caillat

Jason Mraz
Do you hear me,
I'm talking to you
Across the water across the deep blue ocean
Under the open sky, oh my, baby I'm trying
Colbie Caillat
Boy I hear you in my dreams
I feel your whisper across the sea
I keep you with me in my heart
You make it easier when life gets hard
Duet : Jason Mraz and Colbie Caillat
I'm lucky I'm in love with my best friend
Lucky to have been where I have been
Lucky to be coming home again
Ooohh ooooh oooh oooh ooh ooh
They don't know how long it takes
Waiting for a love like this
Every time we say goodbye
I wish we had one more kiss
I'll wait for you I promise you, I will
I'm lucky I'm in love with my best friend
Lucky to have been where I have been
Lucky to be coming home again
Lucky we're in love every way
Lucky to have stayed where we have stayed
Lucky to be coming home someday
Jason Mraz
And so I'm sailing through the sea
To an island where we'll meet
You'll hear the music fill the air
I'll put a flower in your hair
Colbie Caillat
Though the breezes through trees
Move so pretty you're all I see
As the world keeps spinning round
You hold me right here right now
Jason Mraz and Colbie Caillat
I'm lucky I'm in love with my best friend
Lucky to have been where I have been
Lucky to be coming home again
I'm lucky we're in love every way
Lucky to have stayed where we have stayed
Lucky to be coming home someday
Ooohh ooooh oooh oooh ooh ooh ooh ooh
Ooooh ooooh oooh oooh ooh ooh ooh ooh

07 March 2009

Aizat - Hanya Kau Yang Mampu

I try to calm the depths of my heart
Your shadow that has passed and gone
Painted within my memories
Playing freely in my heart

Stories of the past
Stories of you and me
Now only memories remain
You are eternal in my heart

I should never have let you go
It has left me so low I feel like dying

When will this tormenting suffering end
Only you are able to conquer my heart

Stories of the past
Stories of you and me
Now only memories remain
You are eternal in my heart

I should never have let you go
[ Hanya Kau Yang Mampu ]
It has left me so low I feel like dying
When will this tormenting suffering end
Only you are able to conquer my heart
I love you oooohhhhhh….
I love you ooooooo…..
I love you oooohhhhhh….
I love you ooooooo…..
I should never have let you go
It has left me so low I feel like dying
When will this tormenting suffering end
Only you are able to conquer my heart
I love you oooohhhhhh….
I love you ooooooo…..
I love you oooohhhhhh….
I love you ooooooo…..
Only you are able to conquer my heart
Oooooooooo….

05 March 2009

www.khaiza.com

02 March 2009

Round Tour Melaka

The original plan for this Melaka trip was to go together with my ex-officemates from KTAK. But what can you do... at the last minute none of them could make it. I had already been planning to take the family on a trip to Melaka, and this week there was a chance. The first thing on arrival was to look for a hotel. We just went for it... The plan was to stay at Seri Malaysia, but it was fully booked. Probably because of Jom Heboh... If nothing was available, it would have been a one-day trip to Melaka and then back to Shah Alam. I had checked the websites of various hotels in Melaka beforehand, just hadn't called... But as luck would have it, Naza Hotel still had rooms. The price was reasonable enough...
After checking in, the expedition began. But where to... The first place we reached was the Melaka River Cruise at Taman Rempah.. cruising along the Melaka River by boat. RM10.00 per head for about 45 minutes...

The expedition continued. Target: Dataran Pahlawan! It turns out the Menara Taming Sari is here. MZA was very keen to go up. But first, food. Our stomachs had been empty since noon. After eating we looked for tickets. We had to wait until 8.00pm for it to start. Since we were already there, we waited. Meanwhile we walked around A-Famosa while waiting for nightfall. From Menara Taming Sari you can see the view of Melaka at night. It rises about 80 metres. It felt a bit dizzying... Roughly 15 minutes of 'going round and round up top'... RM20.00 per head. But with a myKAD you get a 50% discount. So RM10.00.



After Menara Taming Sari, the expedition continued to Muara Ikan Bakar Pernu for dinner. Sorry, no time to take photos. Someone would be drooling at the sight of the three-flavour siakap, battered squid, sambal prawns and so on. Hehehehe
Day two... last day! In the morning we didn't go anywhere. After checking out, today's expedition continued to Ayer Keroh. First we had to fill our stomachs. We stopped at the Medan Selera R&R Ayer Keroh food court and ate at stall No.6, Asam Pedas Melaka. The first target was a stop at Jom Heboh. The road to MITC was already jammed. We were among the thousands who crowded in. No need to mention the heat.
The expedition ended at Taman Buaya Melaka. The place is clearly showing its age. The only other attraction is the water park.
