30 March 2009

MA-145.012009: MyCERT Special Alert - Worm:Win32/Conficker.B

Original Issue 7.00pm, 9th January 2009
2nd Revision : 8.30pm, 9th January 2009
3rd Revision : 12th January 2009
4th Revision : 14th January 2009
5th Revision : 19th January 2009

1.0 INTRODUCTION

MyCERT has received reports from various sources about a malware that has been spreading actively within internal networks by exploiting unpatched Microsoft Windows operating systems. The malware, known as Conficker, Downadup or Kido, exploits the Microsoft MS08-067 vulnerability. Patches that protect against this malware have been available since October 2008 [1].

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service, which runs inside SVCHOST.EXE. It is a standalone malicious program that uses computer or network resources to make complete copies of itself, and it may carry code or other malware that damages both the system and the network. The malware is also known by other names; please refer

Users may check whether their machine has been infected by looking in the Windows directory for a DLL with a randomly generated, meaningless filename. The name differs on every infected machine, so look for the pattern rather than for this exact name:

e.g. C:\Windows\bsdkdf.dll

2.0 AFFECTED SYSTEMS

This worm affects the following Microsoft Windows operating systems:

  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Server
  • Microsoft Windows Server 2003 Datacenter Edition
  • Microsoft Windows Server 2003 Enterprise Edition
  • Microsoft Windows Server 2003 Standard Edition
  • Microsoft Windows Server 2003 Web Edition
  • Microsoft Windows Server 2008
  • Microsoft Windows Storage Server 2003
  • Microsoft Windows Vista
  • Microsoft Windows XP Home Edition
  • Microsoft Windows XP Professional

3.0 TECHNICAL ANALYSIS

Based on our lab analysis, the worm spreads not only by exploiting the vulnerability over the network but also through the 'autorun' feature of Microsoft Windows, which lets the malware execute from a USB drive.

The following are the activities we observed as soon as the malware was executed:

a. Modification of Registry Value:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"dl" = "0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Applets\"ds" = "0"

b. Modification of File System:

  • %ProgramFiles%\Internet Explorer\[RANDOM FILE NAME].dll
  • %ProgramFiles%\Movie Maker\[RANDOM FILE NAME].dll
  • %System%\[RANDOM FILE NAME].dll
  • %Temp%\[RANDOM FILE NAME].dll
  • C:\Documents and Settings\All Users\Application Data\[RANDOM FILE NAME].dll

c. Modification of System Services:

  • Service name: [PATH TO WORM]
  • Display name: [WORM GENERATED SERVICE NAME]
  • Startup Type: Automatic

The malware creates registry keys so that the service it installed is loaded whenever Windows starts. The modified registry keys are:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\Parameters\"ServiceDll" = "[PATH TO WORM]"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Type" = "4"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"Start" = "4"

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\[WORM GENERATED SERVICE NAME]\"ErrorControl" = "4"

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "rundll32.exe "[RANDOM FILE NAME].dll", ydmmgvos"
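The registry artefacts above can be triaged offline from a regedit export of an affected machine (Services, the two Applets keys and, for step 6 of section 5.0, the Explorer policy key). The script below is an example added to this advisory, not a MyCERT tool: it parses the .reg format regedit writes (including the hex(2) continuation lines used for REG_EXPAND_SZ values), lists every service launched as "svchost.exe -k netsvcs" whose ServiceDll sits in one of the drop directories from 3.0(b) or, under %System%, is not on a baseline of known netsvcs DLLs, reports the Applets "dl"/"ds" values from 3.0(a), and checks whether the Turn off AutoPlay policy is in force. The baseline list and the sample export are assumptions, constructed for the example; the service names xkbqjfn and wgjkfds stand in for the worm-generated names.

```python
"""Triage a regedit export for the section 3.0 indicators. Example code added
to this advisory, not a MyCERT tool; the export below is constructed, not a
capture from an infected host."""
import re

SERVICES = r"hkey_local_machine\system\currentcontrolset\services"
APPLETS = (r"hkey_local_machine\software\microsoft\windows\currentversion\applets",
           r"hkey_current_user\software\microsoft\windows\currentversion\applets")
EXPLORER_POLICY = r"hkey_local_machine\software\microsoft\windows\currentversion\policies\explorer"
# Drop directories from section 3.0(b), matched case-insensitively inside ServiceDll.
DROP_DIRS = ("\\internet explorer\\", "\\movie maker\\", "\\temp\\",
             "\\all users\\application data\\")
# ASSUMPTION: DLLs legitimately hosted by the netsvcs group on the audited build.
# Build this from a known-clean machine of the same build and patch level.
KNOWN_NETSVCS_DLLS = {"qmgr.dll", "wuauserv.dll", "browser.dll", "cryptsvc.dll",
                      "srvsvc.dll", "seclogon.dll", "schedsvc.dll", "shsvcs.dll"}


def reg_expand_sz(s, width=25):
    """Render s the way regedit exports REG_EXPAND_SZ: hex(2) UTF-16LE bytes,
    wrapped onto continuation lines that end in a backslash."""
    parts = [f"{b:02x}" for b in (s + "\x00").encode("utf-16-le")]
    lines = [",".join(parts[i:i + width]) for i in range(0, len(parts), width)]
    return "hex(2):" + ",\\\r\n  ".join(lines)


def decode_value(raw):
    """Decode the right-hand side of a .reg value line: "string", dword: or hex(2):."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith("hex(2):"):
        data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
        return data.decode("utf-16-le").rstrip("\x00")
    return raw  # other REG_* types are left undecoded


def parse_reg(text):
    """Return {key path (lower-cased; registry paths are case-insensitive): {name: value}}."""
    text = re.sub(r",\\\r?\n\s*", ",", text)  # rejoin wrapped hex blobs
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)', line)
            if m:
                keys[current][m.group(1)] = decode_value(m.group(2))
    return keys


def netsvcs_anomalies(keys):
    """(service, ServiceDll, reason) for each netsvcs-hosted service whose DLL is in a
    drop directory or not in the baseline. %System% is itself a listed drop location,
    so the path check alone is not enough; hence the baseline comparison."""
    findings = []
    for path, values in keys.items():
        name = path[len(SERVICES) + 1:]
        if not path.startswith(SERVICES + "\\") or "\\" in name:
            continue  # not a direct child of the Services key
        if "svchost.exe -k netsvcs" not in str(values.get("ImagePath", "")).lower():
            continue
        dll = str(keys.get(path + "\\parameters", {}).get("ServiceDll", ""))
        low = dll.lower()
        if any(d in low for d in DROP_DIRS):
            findings.append((name, dll, "ServiceDll in a known drop directory"))
        elif low.rsplit("\\", 1)[-1] not in KNOWN_NETSVCS_DLLS:
            findings.append((name, dll, "ServiceDll not in the netsvcs baseline"))
    return findings


def infection_markers(keys):
    """The 'dl'/'ds' Applets values from section 3.0(a), per hive, where present."""
    return [(base, n, keys[base][n]) for base in APPLETS if base in keys
            for n in ("dl", "ds") if n in keys[base]]


def autoplay_disabled(keys):
    """True when 'Turn off AutoPlay' (section 5.0 step 6) is enabled for all drives under
    Computer Configuration: NoDriveTypeAutoRun == 0xFF in the machine Explorer policy key."""
    return keys.get(EXPLORER_POLICY, {}).get("NoDriveTypeAutoRun") == 0xFF


SVCHOST = "%SystemRoot%\\system32\\svchost.exe -k netsvcs"
SAMPLE_EXPORT = "\r\n".join([  # constructed sample; not a real export
    "Windows Registry Editor Version 5.00", "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BITS]",
    '"DisplayName"="Background Intelligent Transfer Service"',
    '"ImagePath"=' + reg_expand_sz(SVCHOST), '"Start"=dword:00000002', "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\BITS\\Parameters]",
    '"ServiceDll"=' + reg_expand_sz("%SystemRoot%\\system32\\qmgr.dll"), "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xkbqjfn]",
    '"ImagePath"=' + reg_expand_sz(SVCHOST), "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\xkbqjfn\\Parameters]",
    '"ServiceDll"=' + reg_expand_sz("C:\\Program Files\\Movie Maker\\bsdkdf.dll"), "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wgjkfds]",
    '"ImagePath"=' + reg_expand_sz(SVCHOST), "",
    "[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\wgjkfds\\Parameters]",
    '"ServiceDll"=' + reg_expand_sz("%SystemRoot%\\system32\\ywcghs.dll"), "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Applets]",
    '"dl"=dword:00000000', '"ds"=dword:00000000', "",
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer]",
    '"NoDriveTypeAutoRun"=dword:00000091',  # 0x91 still lets removable drives autorun
])

if __name__ == "__main__":
    # Real exports are UTF-16 with a BOM: parse_reg(open("export.reg", encoding="utf-16").read())
    keys = parse_reg(SAMPLE_EXPORT)
    for finding in netsvcs_anomalies(keys):
        print("SUSPECT", *finding)
    for marker in infection_markers(keys):
        print("MARKER", *marker)
    print("AutoPlay disabled:", autoplay_disabled(keys))
```

Export the hives with regedit's File -> Export (or reg.exe export) from the suspect machine and run the script on a clean host; a netsvcs service flagged for either reason should be pulled from memory and scanned before the host is returned to the network.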

4.0 IMPACT

Successful exploitation of the vulnerability allows remote code execution on hosts where file sharing is enabled. The worm also spreads via removable drives and by guessing weak administrator passwords. Once running, it disables several important system services and security products, including Microsoft Windows Update, and blocks access to most anti-virus websites.

5.0 MITIGATION

1. Ensure that the patches referred to in Security Bulletin MS08-067, as mentioned in our earlier advisory, have been applied [1]. The patch prevents infection over the network; it does not remove an existing infection and does not stop the removable-drive and weak-password vectors described above, so the remaining steps are still required.

2. Microsoft has released the Microsoft Windows Malicious Software Removal Tool to help remove specific, prevalent malicious software from a computer. Details can be accessed at:

3. Alternatively, if the machine has been infected, you may download the relevant removal tool from your anti-virus provider. The following is a removal tool provided by Kaspersky.

4. Update anti-virus software to the latest signatures and perform a thorough scan of the system.

5. Ensure that your network passwords are strong, to prevent the worm from spreading via weak administrator passwords. More information is available here:

6. To prevent infection via USB, disable the autorun feature for removable drives:

a. Start -> Run -> gpedit.msc

b. Select Computer Configuration -> Administrative Templates -> System ->

c. In the Setting pane there is an entry TURN OFF AUTOPLAY. Right-click the entry, select Properties, set it to Enabled and apply it to all drives.

d. Click APPLY and then OK to save the setting.

e. Restart the computer for the change to take effect immediately.

7. If your organization uses an intrusion detection system that can load Snort rules, below are the signatures produced by the Emerging Threats group for this worm. Note that the rules are named for Conficker-A and key on the worm's update download and geolocation check-in destinations as seen in late 2008; treat a hit as an indicator to triage, not as proof of infection.

alert tcp $HOME_NET any -> 67.15.94.80 $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Worm Activity"; flow:to_server,established; uricontent:"/GeoIP.dat.gz"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; sid:2008802; rev:2;)

alert tcp $HOME_NET any -> [75.126.138.202,72.249.118.38,208.78.69.70,204.13.249.70,208.78.68.70] $HTTP_PORTS (msg:"ET CURRENT_EVENTS Possible Downadup/Conficker-A Infection Checking Geographical Location"; flow:to_server; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; threshold:type both, count 5, seconds 60, track by_src; sid:2008803; rev:2;)

alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"ET CURRENT_EVENTS Downadup/Conficker-A Worm Download Attempt From Dates 25/11-01/12 2008"; flow:to_server,established; uricontent:"/search?q="; uricontent:"&aq=7"; classtype:trojan-activity; reference:url,www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A; reference:url,www.f-secure.com/v-descs/worm_w32_downadup_a.shtml; sid:2008804; rev:4;)
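To see what each of the three rules actually fires on, and in particular how the "threshold: type both, count 5, seconds 60, track by_src" option on sid 2008803 behaves, the script below replays them over HTTP request records such as a proxy log would give. It is an example added to this advisory, not part of it and not a Snort implementation: it models only the options those three rules use (destination IP lists, $EXTERNAL_NET as the complement of $HOME_NET, case-sensitive uricontent matching, and the by_src threshold). The $HOME_NET and $HTTP_PORTS values and the traffic records are assumptions constructed for the example; 64.233.160.0 stands in for an arbitrary external web server.

```python
"""Replay the three Emerging Threats rules over HTTP request records. Example
code added to this advisory; not Snort, and the traffic below is constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

HOME_NET = [ipaddress.ip_network("10.0.0.0/8")]  # ASSUMPTION: the site's $HOME_NET
HTTP_PORTS = {80, 8080, 3128, 8000}              # ASSUMPTION: the site's $HTTP_PORTS


def in_home_net(ip):
    return any(ipaddress.ip_address(ip) in net for net in HOME_NET)


@dataclass(frozen=True)
class Rule:
    sid: int
    dst: Optional[frozenset]            # destination IPs; None means $EXTERNAL_NET
    uricontent: tuple = ()              # every pattern must occur in the URI (no 'nocase')
    threshold: Optional[tuple] = None   # (count, seconds) for 'type both, track by_src'


RULES = [
    Rule(2008802, frozenset({"67.15.94.80"}), ("/GeoIP.dat.gz",)),
    Rule(2008803, frozenset({"75.126.138.202", "72.249.118.38", "208.78.69.70",
                             "204.13.249.70", "208.78.68.70"}), threshold=(5, 60)),
    Rule(2008804, None, ("/search?q=", "&aq=7")),
]


@dataclass(frozen=True)
class Request:
    """One client-to-server HTTP request: epoch seconds, client IP, server IP, port, URI."""
    ts: int
    src: str
    dst: str
    dport: int
    uri: str


class Engine:
    def __init__(self, rules):
        self.rules = rules
        self.windows = {}  # (sid, src) -> (window start, events seen in this window)

    def _threshold_fires(self, rule, req):
        """'type both': alert on the count-th event in a window, then stay silent
        for the rest of that window; a new window starts with the next event."""
        count, seconds = rule.threshold
        key = (rule.sid, req.src)
        start, seen = self.windows.get(key, (req.ts, 0))
        if req.ts - start >= seconds:
            start, seen = req.ts, 0
        seen += 1
        self.windows[key] = (start, seen)
        return seen == count

    def process(self, req):
        """Return [(sid, src, ts)] for every rule this request matches."""
        alerts = []
        if not in_home_net(req.src) or req.dport not in HTTP_PORTS:
            return alerts  # header: $HOME_NET any -> ... $HTTP_PORTS
        for rule in self.rules:
            if rule.dst is None:
                if in_home_net(req.dst):
                    continue  # $EXTERNAL_NET is !$HOME_NET
            elif req.dst not in rule.dst:
                continue
            if not all(p in req.uri for p in rule.uricontent):
                continue
            if rule.threshold and not self._threshold_fires(rule, req):
                continue
            alerts.append((rule.sid, req.src, req.ts))
        return alerts


def run(traffic, rules=RULES):
    engine = Engine(rules)
    return [alert for req in traffic for alert in engine.process(req)]


GEO = "75.126.138.202"
SAMPLE_TRAFFIC = (  # constructed records, not captured traffic
    [Request(0, "10.1.2.3", "67.15.94.80", 80, "/GeoIP.dat.gz")]
    + [Request(t, "10.1.2.3", GEO, 80, "/") for t in range(1, 7)]       # 6 hits in 60 s: one alert, on the 5th
    + [Request(10, "10.1.2.4", "208.78.68.70", 80, "/"),
       Request(11, "10.1.2.4", "208.78.68.70", 80, "/")]                 # below the threshold: silent
    + [Request(20, "10.1.2.3", "64.233.160.0", 80, "/search?q=conficker&aq=7")]
    + [Request(21, "10.1.2.3", "10.2.0.5", 80, "/search?q=conficker&aq=7")]   # internal dst: not $EXTERNAL_NET
    + [Request(22, "10.1.2.5", "67.15.94.80", 443, "/GeoIP.dat.gz")]          # 443 is not in $HTTP_PORTS
    + [Request(t, "10.1.2.3", "72.249.118.38", 80, "/") for t in range(70, 75)]  # new window: alerts again
)

if __name__ == "__main__":
    for sid, src, ts in run(SAMPLE_TRAFFIC):
        print(f"t={ts:3d} sid={sid} src={src}")
```

The replay shows why sid 2008803 is thresholded: a single hit on those geolocation hosts is common legitimate traffic, so the rule only reports a source that contacts them five times within a minute, and then at most once per window. The hard-coded IPs in sids 2008802 and 2008803 are those observed when the rules were written; check them against current Emerging Threats releases before relying on them.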

6.0 REFERENCES


http://www.mycert.org.my/en/services/advisories/mycert/2009/main/detail/626/index.html
