Sunday, January 18, 2009

Millions of infections exploiting MS08-067

A worm is spreading everywhere. If you follow the basic security recommendations you should not be concerned, but the infection numbers show that people are still making the same old mistakes. If your company is infected, it is an indication of a poor security policy.

The estimated number of infected hosts is several million worldwide, and it is getting worse.
The Downadup (Conficker) worm is designed to call home and receive further instructions.
http://www.f-secure.com/weblog/archives/00001584.html

The worm has other names:
Win32/Conficker.A (CA)
Mal/Conficker-A (Sophos)
Trojan.Win32.Agent.bccs (Kaspersky)
W32.Downadup.B (Symantec)

Propagation vector:
Like other worms, an infected machine scans the network looking for vulnerable machines, but this worm has other means of propagation: it scans the company network trying to guess passwords from a list of hundreds of common words, then infects those machines. It also tries to infect removable USB sticks and propagate through autorun.inf.
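To show what the autorun.inf propagation relies on, here is an added Python example written for this post (it is not code from any of the linked analyses). It parses autorun.inf the way Windows does, skipping lines that are neither a section header nor key=value, so padding bytes cannot hide the entries that matter, and reports which keys would actually launch something. Both sample files and the payload name in the second one are constructed.

```python
"""Triage an autorun.inf: find the entries that would run code, ignoring the
junk that obfuscated copies pad in between them."""
import re

# [autorun] keys that cause execution when Windows honours AutoRun
EXEC_KEYS = ("open", "shellexecute")
# Verb text that mimics Explorer's own entry, used to trick the user into clicking
DECOY_ACTION = "open folder to view files"


def parse_autorun(data: bytes) -> dict:
    """Return {section: {key: value}} from raw autorun.inf bytes.

    Windows reads autorun.inf as an INI file: anything that is not a
    [section] header or key=value is ignored, so binary padding between the
    real entries does not stop the file from working. The parser mirrors
    that so it sees what Windows would see."""
    text = data.decode("latin-1")          # never raises; junk bytes survive as chars
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.fullmatch(r"\[([^\]]*)\]", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue                        # junk line: skipped, just as Windows does
        key, _, value = line.partition("=")
        sections[current][key.strip().lower()] = value.strip()
    return sections


def triage(data: bytes) -> dict:
    """Classify an autorun.inf: which entries execute, and is the action decoyed?"""
    autorun = parse_autorun(data).get("autorun", {})
    exec_entries = {k: v for k, v in autorun.items()
                    if k in EXEC_KEYS or k.startswith("shell\\")}
    decoy = autorun.get("action", "").lower() == DECOY_ACTION
    verdict = "suspicious" if exec_entries else "benign"
    return {"verdict": verdict, "exec_entries": exec_entries, "decoy_action": decoy}


# Constructed samples (not taken from any real malware):
# 1. a plain software-CD style file that only sets an icon and a label
BENIGN = b"[autorun]\r\nicon=setup.ico\r\nlabel=Vendor Tools\r\n"
# 2. a padded file: junk bytes between entries, mixed-case keys, a decoy
#    action label, and a command that would run a DLL (placeholder name)
PADDED = (
    b"[AutoRun]\r\n"
    b"\x9a\x00\x13 \xfe\xed \x07 noise \r\n"
    b"AcTiOn=Open folder to view files\r\n"
    b"\x00\x00\xff garbage=but harmless\r\n"
    b"IcOn=%SystemRoot%\\system32\\shell32.dll,4\r\n"
    b"sHeLlExEcUtE=rundll32.exe REMOVABLE_PAYLOAD.dll,Entry\r\n"
    b"UseAutoPlay=1\r\n"
)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN), ("padded", PADDED)):
        print(name, triage(blob))
```

The parser deliberately does not reject odd-looking keys: Windows does not either, and a triage tool that is stricter than the target it protects will miss the entries that matter. Only the keys that can launch a program are reported, together with the decoy label that makes the launch look like the normal "open folder" choice.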

Once infected, the worm disables many security services on the victim machine and blocks access to some sites, such as Microsoft and most anti-virus vendors.

MS advisories:
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
http://blogs.technet.com/mmpc/archive/2009/01/13/msrt-released-today-addressing-conficker-and-banload.aspx

F-Secure Advisory:
http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml

TrendMicro Analysis:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_DOWNAD.AD&VSect=T

Obfuscated autorun.inf file analysis:
http://www.sophos.com/security/blog/2009/01/2628.html?_log_from=rss

McAfee analysts discovered that the exploit used in this worm was built with Metasploit, which raises concerns about security tools being used by the bad guys.
http://www.avertlabs.com/research/blog/index.php/2009/01/15/conficker-worm-using-metasploit-payload-to-spread/

Early releases of the worm exposed the machine to fake security software, earning $30 per sale.
http://blogs.zdnet.com/security/?p=2388

The way the worm calls home is a new technique. Using a complicated algorithm that changes daily, the worm generates many possible domain names every day and tries to connect to them. It is impossible to shut down all possible domains, because many of them are never registered; this gives the people controlling the worm the ability to choose the time and the domain they want to use to take control of the infected machines. F-Secure managed to play the same game: they predicted an unregistered domain name and used it to control the worm.
http://www.f-secure.com/weblog/archives/00001579.html
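The mechanism described above, domains derived from the date so that the controllers and, equally, the analysts can compute them in advance, as an added Python illustration written for this post. It is a constructed stand-in, not Conficker's algorithm and not F-Secure's tool: the hashing scheme, the TLD pool, the 250-per-day count, the date and the DNS log format are all assumptions made for the example. It shows the generator, the defender's pre-computed watch list for the coming days, and that list matched against DNS queries.

```python
"""Toy domain-generation algorithm (DGA) and how a defender turns it around.

Constructed stand-in, NOT Conficker's real algorithm: it only shares the shape
described in the post, a deterministic function of the calendar date that
yields a fresh set of candidate domains every day. Because the function is
deterministic, an analyst who has recovered it can compute the same list
ahead of time and register, sinkhole, or simply watch for those names."""
from __future__ import annotations

import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "info", "biz")   # constructed TLD pool
PER_DAY = 250                                  # constructed candidates per day


def dga(day: date, count: int = PER_DAY) -> list[str]:
    """Candidate domains for `day`: same date in, same list out, every time."""
    names = []
    for i in range(count):
        digest = hashlib.sha256(f"{day.isoformat()}:{i}".encode()).digest()
        length = 8 + digest[0] % 5                      # label of 8..12 letters
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        names.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return names


def predicted_domains(start: date, days: int) -> set[str]:
    """Defender side: pre-compute the union of candidates for the coming days
    (the list to sinkhole, pre-register, or load into DNS monitoring)."""
    watch = set()
    for n in range(days):
        watch.update(dga(start + timedelta(days=n)))
    return watch


def flag_dns_log(lines: list[str], watchlist: set[str]) -> list[tuple[str, str]]:
    """Return (client, qname) for every query that hits the watch list.
    Log format is constructed for this example: '<client-ip> <qname>'."""
    hits = []
    for line in lines:
        parts = line.split()
        if len(parts) != 2:
            continue                                    # malformed line, skip
        client, qname = parts
        if qname.lower().rstrip(".") in watchlist:
            hits.append((client, qname))
    return hits


TODAY = date(2009, 1, 18)                              # constructed reference date
WATCHLIST = predicted_domains(TODAY, 2)               # today and tomorrow

# Constructed DNS log: three ordinary lookups and one host that resolves
# one of today's generated names.
SAMPLE_LOG = [
    "10.0.0.5 www.example.com",
    "10.0.0.7 update.microsoft.com.",
    f"10.0.0.9 {dga(TODAY)[3]}",
    "10.0.0.5 www.f-secure.com",
]

if __name__ == "__main__":
    print(f"{len(WATCHLIST)} domains on the watch list for {TODAY} and the next day")
    for client, qname in flag_dns_log(SAMPLE_LOG, WATCHLIST):
        print(f"ALERT {client} queried generated domain {qname}")
```

The point the toy makes is the one the post makes: a daily list of hundreds of names is too many to take down one by one, but because the list is a pure function of the date, whoever knows the function can compute tomorrow's names today. That same property lets a defender answer the DNS queries for those names first, or at least log which internal hosts ask for them.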

CNN Coverage:
http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/index.html

Protection:
- Patch your systems with MS08-067; the patch was released in late October 2008
- Use long, hard-to-guess passwords
- The MS Malicious Software Removal Tool (MSRT) is able to detect and clean the worm
- Disable the autorun feature:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/regentry/93502.mspx?mfr=true

F-Secure disinfection tool:
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

My blog entry about the early worm:
http://okamalo.blogspot.com/2008/11/worm-exploiting-ms08-067-in-wild.html

Update:
In-depth analysis of memory injection, and how Conficker is injected into rundll32.dll to bypass the firewall and HIPS.
http://blog.threatexpert.com/2009/01/confickerdownadup-memory-injection.html

And here is a tool to detect a list of C&C domain names:
