This is No Joke: Conficker.C to Strike on April Fools' Day

Discussion in 'malware problems & news' started by Thankful, Mar 17, 2009.

Thread Status:
Not open for further replies.
  1. Thankful (Savings Monitor; joined Feb 28, 2005; 3,731 posts; New York City)
  2. Thankful (Savings Monitor; joined Feb 28, 2005; 3,731 posts; New York City)
    Last edited: Mar 17, 2009
  3. Mrkvonic (Linux Systems Expert; joined May 9, 2005; 8,696 posts)
    Patch, firewall, disable autorun, how hard can it be?
    Mrk
     
  4. EASTER (Registered Member; joined Jul 28, 2007; 5,633 posts; U.S.A. (South))
    Ah Yes

    Good ole Conficker. Server downtime coming again for some unlucky folks who aren't fully patched and sealed against this script kiddie connection. I used to make these silly launchers from alternate data streams with executables just to run automation functions on 98.

    Lord help the poor soul if they devise a way to inject VIRUT infector into the system's mainstream. Only recourse then had better be a recent backup image plan or all bets are off.

    Thanks for the heads up. I'm off to OC to see if any discussion is being raised over there to new variants of this.

    EASTER
     
  5. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; California)
    Strange article. It begins,

    You might as well say,

    "Just when you might have thought it was safe to start using the internet at work again," (referring to the first variant of conficker)

    This comment following the article,

    The System Administrator in that school district needs to be replaced with someone clued into security.

    The potential for misuse of Autorun on removable media goes back to the days of Floppy Disks. Since many ways of preventing AutoRun in work and school environments have been used for years, including the sure-fire so-called @="@SYS: DoesNotExist" tweak which has been known for a year and a half now, the statements in this article and comments are ludicrous to say the least. Especially since prior exploits using the same attack vectors as conficker should have clued people into closing these entrance points. Some examples:

    • Slammer and Blaster worms: Ports 135,139,445

    • Digital Picture Frame exploiting AutoRun.inf

    In the school districts I'm familiar with, conficker in any of its guises has no chance to execute.

    Another quote from the article,

    Conficker has been a welcome arrival on the scene for web authors (I hesitate to use the word journalist), treating this as an on-going soap opera. Only one statement about prevention is given, and it requires the reader to dig back through previous articles linked from the page.

    ----
    rich
     
  6. axial (Registered Member; joined Jun 27, 2007; 477 posts)
    For those who may be wanting more info on @SYS: DoesNotExist tweak:

    http://nick.brown.free.fr/blog/2007/10/memory-stick-worms.html
     
  7. TechOutsider (Registered Member; joined Sep 26, 2008; 549 posts)
    Just a refinement over the original flavor. We will see how well generic signatures do.
     
  8. PROROOTECT (Registered Member; joined May 5, 2008; 1,102 posts; HERE ...Fort Lee, NJ)
  9. Jtaylor83 (Registered Member; joined Jun 26, 2008; 16 posts)
    No way to prevent this new variant. The PC is now dead. Time to buy a Mac.
     
  10. Searching_ _ _ (Registered Member; joined Jan 2, 2008; 1,988 posts; iAnywhere)
    Conficker.c isn't set to strike on 4/1/09.

    If you're not infected, no problem. If you are, Enigma Software to remove, also Bitdefender has a tool.
     
  11. guest (Guest)

    Yeah sure...

    There are a LOT more security flaws on Mac OS X than you might think... But they are not exploited because there are not enough mac users...

    And, I don't hate macs... But I don't love them either... Same for windows... or any other operating system... I had some macs and I still manage some of them for people I know.
     
  12. GuybrushT (Registered Member; joined Mar 27, 2009; 3 posts)
    totally agree
     
  13. axial (Registered Member; joined Jun 27, 2007; 477 posts)
    http://www.crn.com/security/216401148

     
  14. Rmus (Exploit Analyst; joined Mar 16, 2005; 3,943 posts; California)
    Another example of networks being overrun by a silly worm! Depending on whom you read, networks account for the largest segment of conficker infections. It's easy to accept this when you realize how fast this worm spreads with easy-to-guess Admin passwords throughout a network.

    A friend phoned last week. She predicts that the conficker fiasco will be remembered as the best example of security incompetence ever. It's hard to not agree with that.

    I kept a file on conficker, as I do with all exploits that surface in the wild.

    Actually, not all exploits. I disregard those such as the Virut family, Koobface, Storm, etc, since these are social engineering exploits which depend on the victim to install a Codec, update Flash, open an e-card which is really an executable file.

    In searching for information, I disregard articles that begin to appear following announcement of an exploit, that have headlines such as, "Five million computers infected with ___________" (fill in the blank). They offer nothing relevant to prevention.

    Analyses that describe what it does upon infection are also of no use. Hooking this, writing to the Registry, injecting a DLL -- this is useful for detection and removal for those in the Security Cleanup forums. But if you prevent the exploit from running, there is nothing to detect nor remove.

    Unfortunately, much of what is linked in forums are the sensational articles, most of which are irrelevant to prevention. People love to emphasize the gory details of malware attacks, such as how difficult it is to remove, how clever the malware hides itself, etc ad nauseam, how stupid people are, etc, how much it has spread, etc. How is this of any help for prevention?

    Finally, some information is just plain misleading at best, and wrong at worst. A good example is the April 1 day of reckoning with Conficker.C.

    A quick Quiz: What was supposed to happen on April 1?

    1. Conficker.C would infect more computers by propagating across networks and/or via USB.
    2. Conficker.C would call out for instructions as to delivering a payload
    3. Both of the above

    Not sure? Maybe these will help. First, from the article cited in the original post:

    http://www.maximumpc.com/article/news/this_no_joke_confickerc_strike_april_fools_day
    The implication is that a user can get infected with Conficker.C via USB.

    And from the Ars Technical report:

    http://arstechnica.com/security/news/2009/03/confickerc-primed-for-april-fools-activation.ars
    What does "hit the tubes" mean? Propagating as did the earlier variants? I was misled at first, until I came across these:

    http://mtc.sri.com/Conficker/addendumC/
    http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D
    So you have to dig a little to find information that is helpful regarding prevention.

    Now, Microsoft above says Conficker.D. What's going on? Quick: How many variants are there? Can you name them? Answer to come later.

    From my conficker file with URLs and pertinent quotes, it is easy to create a time line, which I find instructive in following/analyzing the evolution of conficker, and understanding how easy it should have been to prevent its spreading.

    First, another quick Quiz: Which of the following Microsoft Bulletins/Patches was in response to Conficker?

    1. Microsoft Security Bulletin MS08-067 -- Vulnerability in Server Service - RPC
    2. Microsoft Security Bulletin MS08-068 -- Vulnerability in Microsoft Server Message Block (SMB) Protocol
    3. Both
    4. None

    If you chose None, congratulations! Because MS08-067, the vulnerability which conficker exploited, was patched 1 month prior to the emergence of Conficker. Conficker was the second malware to exploit this vulnerability.

    TimeLine

    October 23, 2008

    Microsoft Security Bulletin MS08-067 - Critical
    http://www.microsoft.com/technet/security/Bulletin/ms08-067.mspx

    Missing from Microsoft's bulletins is specific information about the attacks. I received an email from a friend, "Anything about the payload anywhere?" Nothing at this time. But we've got the ports covered, so no worry. Get the word out about the patch.

    Two days later:

    October 25 2008

    Microsoft Windows RPC Vulnerability MS08-067 (CVE-2008-4250) FAQ
    http://blogs.securiteam.com/index.php/archives/1150

    Until you know the payload, you don't know what you are protecting against. So, no threat for us, since we and those we help are protected against intrusion of unauthorized executables (trojan and worm), the patch notwithstanding.

    Continuing securiteam.com:

    November 11, 2008

    ms08-067 exploitation
    http://isc.sans.org/diary.html?storyid=5288

    November 11, 2008

    http://blog.metasploit.com/2008/11/ms08-067-metasploit-and-smb-relay.html

    It should be clear that those who installed the patch, and/or had a firewall correctly configured, or secure in their network protection (passwords, etc) would have been protected from the first variant of conficker, aka Downadup, to appear:

    November 25, 2008

    More MS08-067 Exploits
    http://blogs.technet.com/mmpc/archive/2008/11/25/more-ms08-067-exploits.aspx

    December 30, 2008

    W32.Downadup.B
    http://www.symantec.com/business/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

    For us, this was just another instance of exploiting the RPC vulnerability above, and since we and our other users were protected on three fronts: patch; firewall for the vulnerable ports; and protection against the payload anyway (an executable - DLL), we felt the threat was taken care of.

    Alas and alack:

    December 31, 2008

    MS08-067 Worm on the Loose
    http://isc.sans.org/diary.html?storyid=5596

    We didn't know it at the time, but this refers to the 4th variant of conficker to appear as an update of itself which will do something on or after a later date - April 1, as we learned. Variant D, correct? Not so fast. All vendors protect their turf by assigning whatever name they want, thus effectively insuring confusion when anyone else wants to provide analysis. So rather than A - B - C - D, someone decided that C should really be B++ or something, that B++ was not really new, so there should be just three variants. So we have this lineup of the 4th (or is it 3rd?) variant:

    Worm:Win32/Conficker.D
    http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm:Win32/Conficker.D

    Now, Symantec reports the payload as a DLL, and I'm curious how an exploit via a port gets a DLL into the system, so I asked the ISC Handler who authored the above Diary for an explanation:

    A later analysis will be more detailed, to include both Conficker.A and Conficker.B:

    An Analysis of Conficker's Logic
    Phillip Porras SRI International
    http://mtc.sri.com/Conficker/

    The payload being a binary executable, basic prevention is the same as in the original MS08-067 exploit.

    Continuing with SRI:

    Sans.org elaborated on the trickery:

    January 15, 2009

    Conficker's autorun and social engineering
    http://isc.sans.org/diary.html?storyid=5695

    Now we have the two principal attack vectors that Conficker uses.

    I wonder, Of all the security-minded people who frequent Wilders, how many contacted their family/friends to insure protection at these two attack points? Remember, the MS08-067 patch does not address the USB attack vector.

    Certainly everyone here benefitted from the digital frame USB AutoRun exploits to know how to protect against this attack vector.

    Again, the analysis revealed the same DLL payload, just triggered by AutoRun.inf instead of MS08-067. Same result, same prevention of unauthorized executables in any case.

    One more thing about companies and networks: a number of respected vendors provide effective enterprise solutions against the intrusion of malware. This one has interested me:

    http://blog.lumension.com/?p=681
    http://www.lumension.com/endpoint-security/application-whitelisting-software.jsp
    I'm happy to say that the several companies and educational institutions I contacted had protection in place besides the patch that would have thwarted conficker in any of its guises.

    ----
    rich
     
    Last edited: Apr 8, 2009
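The prevention points that run through post #5 and post #14 (the MS08-067 patch, a firewall in front of ports 135/139/445, AutoRun.inf neutralised with the @SYS:DoesNotExist mapping that post #6 links) can be audited on a single Windows host. The script below is an added example for this thread, not code posted by any participant or published by a vendor named here. It assumes the documented registry locations of the IniFileMapping tweak and of the NoDriveTypeAutoRun policy, and it assumes KB958644 as the hotfix id under which MS08-067 was shipped; confirm that id against the bulletin before relying on the result. It only reports; it changes nothing.

```powershell
# Added example: host audit for the Conficker prevention points discussed in this thread.
# Assumptions: registry paths below are the documented locations of the AutoRun tweaks;
# KB958644 is assumed to be the hotfix id for MS08-067 (verify against the bulletin).
# Run in an elevated PowerShell session. Read-only.

$findings = @()

# 1. MS08-067 patch. Get-HotFix reads the same data as "Installed Updates".
$patch = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if ($patch) {
    $findings += "OK   MS08-067 (KB958644) installed on $($patch.InstalledOn)"
} else {
    $findings += "FAIL MS08-067 (KB958644) not found; RPC/SMB attack vector still open if the ports are reachable"
}

# 2. AutoRun.inf mapped to a non-existent INI section, so Explorer never parses it
#    (the @SYS:DoesNotExist tweak; note the value has no space after the colon).
$mapKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$mapVal = (Get-ItemProperty -Path $mapKey -ErrorAction SilentlyContinue).'(default)'
if ($mapVal -eq '@SYS:DoesNotExist') {
    $findings += "OK   Autorun.inf is mapped to @SYS:DoesNotExist"
} else {
    $findings += "FAIL Autorun.inf mapping tweak absent (current value: '$mapVal')"
}

# 3. Policy setting: 0xFF disables AutoRun for every drive type.
$polKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$nda = (Get-ItemProperty -Path $polKey -Name 'NoDriveTypeAutoRun' -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
if ($nda -eq 0xFF) {
    $findings += "OK   NoDriveTypeAutoRun = 0xFF (AutoRun off for all drive types)"
} else {
    $findings += "WARN NoDriveTypeAutoRun is '$nda', not 0xFF"
}

# 4. The worm's network ports. A listener here is normal on a Windows host; the point is
#    that a host or perimeter firewall must keep them unreachable from untrusted networks.
$ports  = 135, 139, 445
$listen = netstat -an | Select-String 'LISTENING'
foreach ($p in $ports) {
    if ($listen | Where-Object { $_ -match ":$p\s" }) {
        $findings += "WARN TCP $p is listening; confirm it is firewalled from untrusted networks"
    } else {
        $findings += "OK   TCP $p is not listening"
    }
}

# 5. Host firewall profile state (Vista and later; Windows XP uses "netsh firewall show state").
$fw = netsh advfirewall show allprofiles state 2>$null
if ($fw -match 'State\s+ON') {
    $findings += "OK   Windows Firewall reports at least one profile ON"
} else {
    $findings += "WARN Windows Firewall state could not be confirmed ON"
}

$findings
```

Any FAIL line corresponds to one of the two attack vectors the thread names (RPC/SMB over the listed ports, or AutoRun from removable media) being open on that host; the WARN lines are the ones that need a human to look at the firewall rules, since a listening port by itself says nothing about whether the network can reach it.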