Sekiur My Thoughts » ms08-067

Conficker Gets Ready To Strike

Jose Vicente Ortega — Tue, 31 Mar 2009 19:37:25 +0000

Without a doubt the whole security professional community have their eyes on the Conficker.C variant which is designed to do something on April 1st.

So what is that something? We’ll find out within 24 hours.

What we do know is that this variant of Conficker has become better at preventing removal and others from taking control of the network of worm infected computers.

The Conficker worm will begin to poll 500 different domain names every day looking for updates to download doubling its current rate.

Interestingly enough one of my most popular posts is on the removal of the Conficker worm from a network environment here and over the last couple of days visitors have exploded exponentially.

In my two other posts in which I talk about the Microsoft flaw and the Social Engineering components of the worm, I take a rather passive approach to the problem which is based on having contingency plans to prevent, contain and remove the worm from infected computers.

A more pro-active approach would be to look for infected machines without waiting for the symptons to appear by actively scanning the network for computers which have been infected.

Locating computers which have been infected with Conficker using a network scan has kept me up multiple nights, until the guys at Honeynet.org came up with the tool here. Thanks to DShield.org for linking to it in their article on locating Conficker.

http://blog.sekiur.com/2009/02/step-by-step-in-dealing-with-conficker/
http://blog.sekiur.com/2008/10/worm-takes-advantage-of-microsoft-flaw/
http://blog.sekiur.com/2009/01/worm-uses-social-engineering/

Your Quick Guide to the Conficker Worm (shankrila.com)
With global effort, a new type of worm is slowed (infoworld.com)
My Top Security and Maintenance Tools (idiomag.com)
New Information Pages on Conficker (blogs.technet.com)
Windows PC Worm Set to Activate on April 1st (littlegreenfootballs.com)

Step by Step In Dealing With Conficker

Jose Vicente Ortega — Tue, 03 Feb 2009 23:03:35 +0000

This will turn out to be a “trojan horse” literally if actions are not taken to prevent it from spreading within the corporate network.

Below are step by step instructions on mitigating the risk of the threat that “Conficker”/”Downandup” poses.

Symptoms

============

Symptoms to help you determine if you are infected

Account lockout policies are being tripped
Automatic Updates, Background Intelligent Transfer Service, Windows Defender and Error Reporting Server Services are disabled
Errors related to SVCHOST
Domain Controllers are slow to respond to client requests
Network congestion
Various security related websites are not accessible including Windows Update.

For further details see the Microsoft Malware Protection Center write up for Win32/Conficker.b. or the Sekiur writeup here.

Solution

=========

Ideally you want to not only automate the removal of the “Conficker”/”Downandup” worm from a large number of computers but also take steps to minimize the risk of them being infected again.

The following script will attempt to remove the “Conficker”/”Downandup” worm and prevent further infection by taking the following steps:

Install patch KB958644 for MS08-067 if not installed
Attempt to remove the “Conficker”/”Downandup” worm
Enable Hidden Setting
Delete all scheduled tasks
Stop and disable services. (lanmanserver, schedule)
Run MSRT – Malicious Software Removal Tool
Install Autorun hotfix if not installed
Install KB950582 for vulnerability MS08-038
Re-enable TCP Receive Window Auto-tuning on Windows Vista and Windows Server 2008
Remove Hidden Setting
Enable Automatic Updates, Background Intelligent Transfer and Error Reporting Services
Restart
Install patch KB958644 for MS08-067 and restart

You will need to download the following files and batch script and drop them into the NetLogon share.

Getver.exe – contained in ConfickerClean-v10.3.zip here ==> [Download not found] and script to remove “Conficker”/”Downandup” locally here ==> [Download not found].
SC.EXE – contained in ConfickerClean-v10.3.zip
REG.exe – contained in ConfickerClean-v10.3.zip
windows-kb890830-v2.6.exe – x86 version of MSRT, available here.
windows-kb890830-x64-v2.6.exe – x64 version of MSRT, available here.
sleep.exe – contained in ConfickerClean-v10.3.zip
Hotfix update for Windows 2000, Windows XP and Windows 2003, download all updates listed in http://support.microsoft.com/kb/953252, except the Itanium update as this script does not support Itanium.
Place all 3 updates in the Netlogon directory.
Security update MS08-038 for Windows Vista and Windows Server 2008 – http://www.microsoft.com/technet/security/Bulletin/MS08-038.mspx
This vulnerability is not being exploited, however, to disable Autorun properly this needs to be applied as it contains a fix related to autorun, same as the one listed above in KB953252.

Now you will proceed to create and push a Group Policy to the domain.

Edit the values in the script.
Rename it to .BAT and drop it in the \\%windir%\sysvol\sysvol\\scriptsfolder (aka, Netlogon share).
Create a Startup Script policy and reference this batch file. This needs to be a Startup Script and not a Logon script, so that the script runs under the machine account.
Link the GPO with the Startup Script to the OU and Groups where you want it to apply.

Note:

Its not recommend you use this on DC’s or critical servers, those should be cleaned manually so that the services disabled below do not need to be left disabled for an extended period of time.

FAQ:

Why disable the Server service?

This is due to Weak Passwords which the malware attempts to exploit. The password change will need to be accomplished via password policy for the domain, resetting any local and domain admin password to a complex password which includes at least 10 characters and contains, alpha-numeric characters and extended characters such as a question mark or exclamation point.

Why disable the Task Scheduler service?

This is because the malware creates several AT jobs that run every hour to reinfect the system.

Why install MS08-067?

This is the main attack vector of the malware.

Why disable Autorun?

This is because the malware drops a binary file called Autorun.inf on all removable drives.

Sources:

All credit to Microsoft Support Engineering

Worm Uses Social Engineering

Jose Vicente Ortega — Thu, 22 Jan 2009 19:27:27 +0000

A new worm has hit the Internet and its taking its toll on computers worldwide. It has been reported that over 9 million computers have already been infected.

The worm called “Downandup”, “Conficker” or “Kido” by different anti-virus vendors uses the Microsoft vulnerability which I blogged about here (Worm Takes Advantage Of Microsoft Flaw) and here (Microsoft Releases Emergency Patch).

The worm mostly spreads across networks, turning off the system restore and deleting the restore points, blocks access to security website, download additional malware from the author, attempts to infect other computers by scanning network shares and scheduled a task to re-infect the computer if removed.

What is interesting is that it can also spread by USB memory keys or devices making use of social engineering which makes it more dangerous to the untrained eye. When a USB drive is inserted it shows a modified AutoPlay screen seen below which will install the worm when the users inadvertently clicks on it.

According to SANS Internet Storm Center, one of the reasons the worm is infecting so many machines is that “Conficker” uses multiple infection vectors:

It exploits the MS08-067 vulnerability,
It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.

Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.

(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)

It modifies the following registry key to create a randomly-named service on the affected syetem:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\”ServiceDll” = “Path to worm”
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\”ImagePath” = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public ip address of the affected computer.

hxxp://www.getmyip.org
hxxp://getmyip.co.uk
hxxp://checkip.dyndns.org
hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore)

hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Starts a HTTP server on a random port on the infected machine to host a copy of the worm.

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.

Later variants of w32/Conficker.worm are using scheduled tasks and Autorun.inf file to replicate on to non vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Suggestions -

Disable AutoPlay in your environment.
Run a good security suite.
Keep your computer updated with the latest patches.
Be PROACTIVE and look for the worm in your environment.

Sources:

http://www.nai.com

http://www.symantec.com

http://www.f-secure.com

http://isc.sans.org

Worm Takes Advantage Of Microsoft Flaw

Jose Vicente Ortega — Fri, 24 Oct 2008 23:20:39 +0000

Just as I had predicted it would happen, there are already reports that a worm exploiting the hole in the “Server Service” has been seen in the wild. Microsoft released yesterday a critical “out-of-band” patch (MS08-067) release having known about the issue for a while.

Milw0rm, an exploit tracking Internet site has posted the exploit code required to overflow the stack. The code can be downloaded here.

Symantec is tracking an exploit “Bloodhound.Exploit.212″, via Bugtraq ID 31874 using this vulnerability, but they report it is still not widespread. Other reports points to a certain file “n2.exe” being downloaded to compromise computers, as McAfee has been tracking here.

The worm as already received several names including Gimmiv and Dropper. The guys over at Threat Expert Blog have a pretty detailed explanation of how the code works and what it does.

Both Symantec and McAfee said Friday that they had seen only a very small number of attacks based on this exploit, but Symantec says that, starting Thursday evening, they found a 25 percent jump in network scans looking for potentially vulnerable machines. That could be a sign that more attacks are coming.

It is not likely that large networks will have ports 139 and/or 445 open to the Internet and even most DSL/Cable modem router will not allow this kind of inbound traffic either, but I have no doubt this will cause a false sense of security among pseudo-system admins and as this worm evolves and becomes more sophisticated, it will transverse corporate perimeter firewall through malware and spyware and then spread within the network wreaking havoc.