Alert Level: Severe

Introduction

CERT-SA has become aware of an increasing security threat: a worm called Conficker.C, active on the Internet, which will trigger on the coming 1st of April. CERT-SA is working with various parties, local and abroad, to mitigate and reduce the risk.

Audience: Any

Vulnerable Systems

All Microsoft Windows XP and Vista systems that have not been patched for advisory MS08-067.

Description

Conficker.C represents the third major revision of the Conficker malware family, which first appeared on the Internet on 20 November 2008. C distinguishes itself as a significant revision of Conficker.B. It is clear that the Conficker authors are well informed and are tracking efforts to eliminate the previous Conficker epidemics at the host and Internet governance level. In Conficker.C they have responded with countermeasures of their own to thwart these latest defenses. Some of the major enhancements are:

Domain Generation Algorithm - Conficker.C selects 500 domains out of a randomized pool of 50,000.
Peer-to-peer logic - This new coordination strategy employs a P2P protocol, and the Conficker authors have taken some care to hinder its analysis through code obfuscation.
Local host patch logic - This protects the infected host from other malware that would attempt to re-exploit the MS08-067 buffer overflow, while still allowing re-infection by other Conficker hosts.
Security product disablement - Domain lookups for most antivirus and security software are prevented, important Windows security services are disabled, security product processes are terminated, the worm's installation and presence are obfuscated, and the Windows Firewall is disabled.
Once installed, Conficker.C implements a variety of nasty behaviors. The worm will attempt to disable Windows Automatic Update and stop access to the Windows Security Center, can detect and kill SysInternals' Process Explorer, and will interfere with the operation of a number of other search-and-destroy programs, including Wireshark and SysClean. It will also reset and delete system restore points and disable various services, including WinDefend, BITS (Background Intelligent Transfer Service), ERSvc (Error Reporting Service) and WerSvc (Windows Error Reporting Service, Vista only). In a final fit of pique, Conficker.C will prevent any attempt to connect to a variety of antivirus software services or websites.

Impact

1. Impact on machines previously infected by Conficker.A and B
Machines infected by Conficker.A or Conficker.B that have not yet been cleaned up will attempt to upgrade to Conficker.C via HTTP. Conficker.C has better defensive features and is much harder to remove.

2. Traffic impact arising from the Conficker.C worm
The new domain generation mechanism has a side effect: the pseudo-random domain generation may cover some legitimate domains. From 1-Apr-2009 onwards, Conficker.C worms will try to connect to the generated domains, causing a DDoS attack against the web servers of those legitimate domains. The flood of traffic will affect the website owners as well as the related ISP networks.

3. Potential hack attack by the Conficker.C authors
The Conficker.C authors may also try to exploit servers of legitimate domains that appear in the domain generation algorithm's list, in order to prepare these servers as rendezvous points.

Infection symptoms

When infected, the following symptoms can be observed on the affected machine:
- Blocked access to antivirus-related sites.
- Disabled services such as the Windows Automatic Update service, Windows Security Center, Windows Defender, Windows Error Reporting and the Internet Connection Sharing service.
- Reset System Restore points.
- High traffic on port 445 in the affected network.
- Hidden files remain hidden even after changing the 'Folder Options'.
- Inability to log in using Windows credentials because the accounts are locked out.
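The "high traffic on port 445" symptom is easier to act on when it is measured as fan-out rather than volume: a workstation talking to one file server produces many SMB flows, whereas a host probing its neighbours for the MS08-067 hole contacts many distinct hosts in a short time. The following Python is an added example and is not part of the CERT-SA advisory; the flow records are constructed, the field names are an assumed minimal NetFlow/firewall-log shape, and the threshold of 20 distinct destinations per minute is an assumption to be tuned to the local network.

```python
from collections import defaultdict


# Constructed flow records (not from any real capture). Each record carries the
# fields a NetFlow/IPFIX export or firewall log would provide (assumed names).
def constructed_flows():
    flows = []
    # Worm-like host: sweeps 30 neighbours on TCP/445 inside one minute.
    for i in range(1, 31):
        flows.append({"start_ts": 1238544000 + i, "src": "10.1.1.37",
                      "dst": f"10.1.1.{100 + i}", "proto": "tcp", "dport": 445})
    # Ordinary workstation: repeated SMB sessions to a single file server.
    for i in range(5):
        flows.append({"start_ts": 1238544000 + 10 * i, "src": "10.1.1.52",
                      "dst": "10.1.1.200", "proto": "tcp", "dport": 445})
    # Unrelated web traffic that must not be counted.
    flows.append({"start_ts": 1238544003, "src": "10.1.1.90",
                  "dst": "203.0.113.9", "proto": "tcp", "dport": 80})
    return flows


def smb_fanout(flows, port=445, window=60):
    """Return {src: max number of distinct destinations contacted on `port`
    within any single `window`-second bucket}. Byte and packet volume are
    ignored on purpose: the signal is how many different hosts one source
    touches, not how much it sends to them."""
    buckets = defaultdict(set)  # (src, bucket_start) -> set of dst
    for f in flows:
        if f["proto"] != "tcp" or int(f["dport"]) != port:
            continue
        bucket_start = int(f["start_ts"]) // window * window
        buckets[(f["src"], bucket_start)].add(f["dst"])
    fanout = defaultdict(int)
    for (src, _), dsts in buckets.items():
        fanout[src] = max(fanout[src], len(dsts))
    return dict(fanout)


def scanning_hosts(fanout, threshold=20):
    """Sources whose peak per-window fan-out reaches the (assumed) threshold."""
    return sorted(src for src, n in fanout.items() if n >= threshold)


if __name__ == "__main__":
    fo = smb_fanout(constructed_flows())
    for src in scanning_hosts(fo):
        print(f"{src}: {fo[src]} distinct hosts on 445 within one minute")
```

On the constructed data only 10.1.1.37 is reported; the workstation that opened five sessions to the same file server has a fan-out of one and stays out of the list, which is the distinction a volume-based alert would miss.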
Solutions and mitigations

In general, the following measures will mitigate the infection and spread of Conficker.

Prevention

1. Patch Windows PCs with MS08-067, which was issued on October 24, 2008.
2. Install antivirus software and keep the virus signature file updated.
3. Install and enable a firewall. Users directly connected to the Internet, e.g. mobile Internet users and users who do not have a firewall router, should have firewall software enabled.
4. Browse the Internet as a least-privilege user to limit the execution of malicious files. Use strong passwords for user accounts and file shares.
5. Disable the AutoRun and AutoPlay features for removable devices, if possible.
6. For corporations with a web proxy server (e.g. Squid), IDS, or content filtering software, monitor the HTTP GET string in incoming and outgoing traffic:
   - http://{domainname}/search?q=n&aq=7 (for Conficker.A)
   - http://{domainname}/search?q=n (for Conficker.B)

Detection

Check for machines that fail to connect to security vendor sites or to download security updates; they may be infected.

For corporations using Active Directory, check whether there is a number of AD account intrusion lockouts every day. This may be a sign of malware attempting a brute-force password attack, and the network may have infected machines.

The scs.exe scanner has to be run on a Windows system from the command line. You need to provide the address range that you want to scan as arguments to the tool, e.g.:

scs.exe 10.1.1.1 10.1.1.254

You will get the following statement next to each infected IP: "seems to be infected by Conficker."
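The GET strings listed under item 6 can be checked against a Squid access log automatically rather than by eye. The following Python is an added example and is not part of the advisory or of any vendor tool; the log lines are constructed in the Squid native access.log layout, and two extra conditions are assumptions added to keep false positives down: the q value must be numeric with no other parameters present (a legitimate site may also serve /search?q=... URLs), and a client is only reported once it has sent the same pattern to at least three distinct domains, which is the worm's rendezvous behaviour rather than a one-off coincidence.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed Squid native access.log lines (not a real capture):
# timestamp elapsed client action/code bytes method URL rfc931 hierarchy/peer type
SAMPLE_LOG = """\
1238544000.101    212 10.1.1.37 TCP_MISS/404 611 GET http://qkzfa.example/search?q=12&aq=7 - DIRECT/198.51.100.5 text/html
1238544001.410    198 10.1.1.37 TCP_MISS/404 611 GET http://lhvbt.example/search?q=12&aq=7 - DIRECT/198.51.100.6 text/html
1238544002.002    205 10.1.1.37 TCP_MISS/404 611 GET http://pwmor.example/search?q=12&aq=7 - DIRECT/198.51.100.7 text/html
1238544003.777    180 10.1.1.52 TCP_MISS/200 3410 GET http://www.example.com/search?q=printer+driver - DIRECT/203.0.113.9 text/html
1238544004.320    150 10.1.1.52 TCP_MISS/404 611 GET http://dzrnv.example/search?q=3 - DIRECT/198.51.100.8 text/html
1238544005.912     88 10.1.1.90 TCP_HIT/200 15200 GET http://update.example.net/catalog.cab - NONE/- application/octet-stream
"""

# Leading fields of the Squid native log format; the URL is what we classify.
SQUID_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+(?P<elapsed>\d+)\s+(?P<client>\S+)\s+(?P<action>\S+)\s+"
    r"(?P<bytes>\d+)\s+(?P<method>\S+)\s+(?P<url>\S+)"
)


def classify_url(url):
    """Return 'A' for /search?q=<n>&aq=7, 'B' for /search?q=<n>, else None.
    Requiring a numeric q and no other parameters is an added assumption that
    keeps ordinary site searches out of the match."""
    parts = urlsplit(url)
    if parts.path != "/search":
        return None
    qs = parse_qs(parts.query, keep_blank_values=True)
    q = qs.get("q")
    if not q or len(q) != 1 or not q[0].isdigit():
        return None
    if set(qs) == {"q", "aq"} and qs["aq"] == ["7"]:
        return "A"
    if set(qs) == {"q"}:
        return "B"
    return None


def scan_squid_log(lines):
    """Group rendezvous-style GETs per client IP: which variant pattern was
    seen, how many distinct domains were tried, and how many requests."""
    hits = defaultdict(lambda: {"variants": set(), "domains": set(), "requests": 0})
    for line in lines:
        m = SQUID_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        variant = classify_url(m.group("url"))
        if variant is None:
            continue
        rec = hits[m.group("client")]
        rec["variants"].add(variant)
        rec["domains"].add(urlsplit(m.group("url")).hostname)
        rec["requests"] += 1
    return dict(hits)


def suspicious_clients(hits, min_domains=3):
    """Clients that sent the pattern to at least `min_domains` distinct
    domains (assumed threshold); a single matching request is not enough."""
    return sorted(c for c, r in hits.items() if len(r["domains"]) >= min_domains)


if __name__ == "__main__":
    hits = scan_squid_log(SAMPLE_LOG.splitlines())
    for client in suspicious_clients(hits):
        r = hits[client]
        print(f"{client}: Conficker {'/'.join(sorted(r['variants']))} pattern, "
              f"{r['requests']} requests to {len(r['domains'])} domains")
```

On the sample lines 10.1.1.37 is reported with the Conficker.A pattern across three domains, the ordinary site search from 10.1.1.52 is ignored because its q value is not numeric, and the single Conficker.B-shaped request from the same client is recorded but stays below the reporting threshold, which is where an analyst would look next rather than raise an alert.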
Removing Conficker

For machines infected by Conficker, download one of the Conficker worm removal tools below and run it to clean up the infected system. Multiple tools are provided by security vendors. The following are URLs to some of them:

Update your operating system and antivirus. Make sure that you have a firewall on your machine that blocks communication to ports 139 and 445. Disable the AutoPlay/AutoRun features on all drives and devices.

Response

Related Links