Security Alerts
Security Warning: New Variant of Conficker Worm to Activate on April 1
3/20/2009
The Conficker worm is the most prolific malicious software ("malware") to appear since the SQL Slammer worm epidemic of 2003. Researchers claim that today 1 in every 16 PCs across the world is affected by the Conficker worm [1], and the worm has now infected an estimated 12 million or more PCs worldwide.
A new variant (C) of the Conficker worm was discovered on March 6, 2009. (The worm has an automatic update mechanism built in.) It disables Windows Automatic Updates, shuts down virus protection, and blocks access to security web sites. Researchers have found that the worm is set to take some action on April 1st, but it is still not known what the purpose of the worm is. So far, the worm is spreading and building a botnet of infected computers, turning them into "zombies" that can be commanded to take some action by the bot herder (the botnet's master). Other than keeping itself alive and spreading, the worm is not taking any damaging action.
One concern is that, in trying to check in with the bot herder on April 1st, networks (especially DNS servers) could be overwhelmed, causing massive congestion of the Internet.
Experts fear that Conficker is unstoppable. Not only does it have a larger botnet of infected computers waiting for future instructions, it is now more powerful than the previous version. The worm can now bypass virus protection programs and even Microsoft's security update features [2]. Recently Microsoft announced it would reward $250,000 to anyone providing information leading to the capture of the Conficker author [3].
What Should You Do Now
- Make sure that your computer is protected. See "How Do I Protect My Computer" below.
- Make sure that your computer is not infected (not part of the botnet). See "How Can I Tell If My Computer Is Infected" below.
- If your computer is infected, clean it. See "How Do I Clean a Computer That Is Infected with Conficker" below.
What Is the Worm Known As
Various security firms give different names to the same virus, worm, or malware. The Conficker (Microsoft, McAfee, Sophos) worm is also known as Downadup (Symantec, Trend Micro, F-Secure) and Kido (Kaspersky).
How Does It Spread
The worm attempts to propagate by multiple methods. The original worm spread only by exploiting a vulnerability in Windows file sharing. Variant B added the ability to spread via network shares using password guessing and via removable drives.
It exploits a vulnerability addressed in Microsoft Security Bulletin MS08-067 [4]. See our previous security warning. The vulnerability in Windows file sharing can be exploited remotely against an unpatched PC.
It can copy itself to the ADMIN$ network share by brute-force guessing passwords [5]. If the password is weak, it may succeed.
The worm also tries to spread via removable media (such as USB flash drives and cameras). It copies a file named "autorun.inf" to the root of any USB storage device that is connected to the compromised computer. The autorun file will run the worm and infect the PC when the drive or device is connected to a new PC. On Windows 7, there is a social engineering trick that makes the selected AutoPlay action look like it is opening a folder when it is actually running the worm [6].
Even if the computer is patched, you can still get infected if you access one of the infected USB drives or file shares.
How Do I Protect My Computer
You need to take more than one defensive measure.
- First, if you have not already, install the patch in Microsoft Security Bulletin MS08-067 [4]. Always keep your system up to date with patches.
- Turn off file sharing or admin shares if not needed.
- Make sure that you use complex passwords, especially for Administrator user accounts. Enable security event logging (especially for failed logon attempts).
- Consider disabling autorun/autoplay on removable media (especially USB flash drives and cameras) [7], [8]. In a domain environment this can be done by a group policy.
- Don't use security scans that pop up on some web sites. All too often these are fake, using scare tactics to try to get you to purchase their "full" service. In many cases these are actually infecting you while they run.
- Install effective virus protection software, keep the subscription current, keep the virus signatures up to date, and make sure that the real-time protection is not disabled or stopped.
- Do not log on with an account with administrative rights for normal use of the computer.
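Most of the measures above can be verified on a single host without changing anything. The PowerShell below is an added example written for readers of this bulletin; it is not a tool from Microsoft or from any vendor named here. The KB number (KB958644, the update shipped with MS08-067), the NoDriveTypeAutoRun registry value, the Win32_Share class and the Security Center WMI namespaces are stated from general Windows knowledge rather than from the bulletin, and the script only reports findings.

```powershell
# Added example: read-only check of the defensive measures listed above on one
# Windows host. Run from an elevated Windows PowerShell prompt (auditpol needs it).
# KB958644 (the MS08-067 update), NoDriveTypeAutoRun, Win32_Share and the
# SecurityCenter namespaces are from general Windows knowledge, not from the
# bulletin. Nothing on the host is modified.

$findings = @()

# 1. MS08-067 patch. Get-HotFix lists installed updates by KB number.
$hotfix = Get-HotFix -Id 'KB958644' -ErrorAction SilentlyContinue
if (-not $hotfix) {
    $findings += 'MS08-067 (KB958644) is not installed: apply the patch first'
}

# 2. AutoRun on removable media. NoDriveTypeAutoRun is a bit mask of drive types;
#    bit 0x04 covers removable drives and 0xFF disables AutoRun for every type.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$autorun = $null
$item = Get-ItemProperty -Path $policyKey -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
if ($item) { $autorun = [int]$item.NoDriveTypeAutoRun }
if ($null -eq $autorun -or ($autorun -band 0x04) -eq 0) {
    $findings += "NoDriveTypeAutoRun is '$autorun': AutoRun still allowed on removable drives (set 0xFF)"
}

# 3. Administrative shares (ADMIN$, C$, D$ ...). Win32_Share exists on XP and later.
$adminShares = Get-WmiObject -Class Win32_Share |
    Where-Object { $_.Name -match '^([A-Z]|ADMIN)\$$' }
if ($adminShares) {
    $names = ($adminShares | ForEach-Object { $_.Name }) -join ', '
    $findings += "Administrative shares present: $names (disable if not needed)"
}

# 4. Failure auditing for logons, so brute-force attempts reach the Security log.
#    auditpol prints the subcategory name followed by its setting; look for "Failure".
#    (auditpol is not present on Windows XP; there the check reports a finding.)
$logonAudit = auditpol /get /subcategory:"Logon" 2>$null
if (-not ($logonAudit -match 'Failure')) {
    $findings += 'Logon failure auditing is off: enable it (auditpol or Group Policy)'
}

# 5. Antivirus registered with Security Center (client editions of Windows only;
#    root\SecurityCenter2 on Windows 7 and later, root\SecurityCenter before that).
$av = $null
foreach ($ns in 'root\SecurityCenter2', 'root\SecurityCenter') {
    if (-not $av) {
        $av = Get-WmiObject -Namespace $ns -Class AntiVirusProduct -ErrorAction SilentlyContinue
    }
}
if (-not $av) {
    $findings += 'No antivirus product registered with Security Center (or not a client OS)'
}

if ($findings.Count -eq 0) {
    'No findings: this host passes the checks above.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The share and audit checks are deliberately report-only because the right remediation depends on the environment: in a domain, both belong in Group Policy rather than in a per-host script, as the autorun item above already notes.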
What Does the Conficker Worm Do to Infected Computers
If the user of the computer that is being attacked is not a member of the local Administrators group, the worm will have a tough time infecting the computer.
The current variant:
- Disables System Restore and deletes restore points
- Blocks access to security web sites
- Attempts to download other malware
- Creates a backdoor to download updates to the worm
- Attempts to spread via network shares and removable media
- Disables Automatic Updates
- Disables Windows Security Alerts
- Kills running virus protection or security analysis tool processes
- Disables the viewing of hidden files
- Modifies the system's TCP settings to allow a large number of simultaneous connections
On April 1st, the worm is set to check in with its creator for updated instructions. What the worm will do after that is not known.
What Is Going to Happen on April 1st
The worm currently checks with a short list of popular web sites to get the current date. It uses a mathematical algorithm to generate domain names where it will check for updates and instructions. It currently checks 250 domain names per day. Microsoft, Symantec, ICANN, and a conglomeration of security organizations called the "Cabal" have been working to block the registration of the domain names where the worm will check for updates [9].
On April 1, the worm will increase the number of domain names where it checks for updates to 50,000. The authors need to register only one of those domain names to take control of the millions of zombie computers. Ten million zombie computers each looking up 50,000 domain names could create its own congestion problems on the Internet, especially for the DNS servers used to translate those domain names into IP addresses.
There is lots of speculation about what the bots will be commanded to do on or after April 1st, everything from an April Fools joke to something much darker. It is all just speculation at this point, but researchers have determined that variant C of the worm can act both as a client and a server, sharing files in both directions. The peer-to-peer design is also highly distributed, making it more difficult for security teams to defeat the system by disabling just the command-and-control center.
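The arithmetic above has a defender-side corollary: a bot that looks up hundreds or thousands of generated names per day, almost none of which are registered, produces a burst of failed lookups (NXDOMAIN answers) for random-looking names that nothing else on the network asks for, and a resolver log shows that per client. The PowerShell below is an added example, not from the bulletin or from any vendor named in it, that counts failed lookups per client over a log excerpt. The log lines are constructed for the example in a simplified "date time client name rcode" layout, the client addresses and names are invented, and the regular expression would need adapting to a real resolver's log format.

```powershell
# Added example: count failed DNS lookups (NXDOMAIN) per client in a resolver log.
# The excerpt below is constructed for this example, in a simplified
# "date time client name rcode" layout; adapt $pattern to your resolver's log format.

$dnsLog = @'
2009-03-20 09:00:01 10.0.0.17 www.example.com NOERROR
2009-03-20 09:00:02 10.0.0.17 kxqzv.net NXDOMAIN
2009-03-20 09:00:02 10.0.0.17 ahtrn.org NXDOMAIN
2009-03-20 09:00:03 10.0.0.17 pmwqe.cc NXDOMAIN
2009-03-20 09:00:03 10.0.0.42 mail.example.com NOERROR
2009-03-20 09:00:04 10.0.0.17 zzqla.info NXDOMAIN
2009-03-20 09:00:05 10.0.0.42 intranet.example.com NOERROR
2009-03-20 09:00:05 10.0.0.17 bnrft.biz NXDOMAIN
2009-03-20 09:00:06 10.0.0.42 typo.examlpe.com NXDOMAIN
'@

# Clients with at least this many NXDOMAIN answers in the excerpt are flagged.
# One mistyped name is normal; a run of failures for unrelated names is not.
$threshold = 5

$pattern = '^(?<date>\S+) (?<time>\S+) (?<client>\S+) (?<name>\S+) (?<rcode>\S+)$'
$perClient = @{}

foreach ($line in ($dnsLog -split "`r?`n")) {
    if ($line -notmatch $pattern) { continue }     # skip lines that do not parse
    $client = $matches['client']
    if (-not $perClient.ContainsKey($client)) {
        $perClient[$client] = @{ Total = 0; Failed = 0; Names = @() }
    }
    $entry = $perClient[$client]                   # hashtables are references
    $entry['Total']++
    if ($matches['rcode'] -eq 'NXDOMAIN') {
        $entry['Failed']++
        $entry['Names'] += $matches['name']
    }
}

# Report, one line per client, most failures first.
foreach ($client in ($perClient.Keys | Sort-Object { $perClient[$_]['Failed'] } -Descending)) {
    $entry = $perClient[$client]
    $flag = if ($entry['Failed'] -ge $threshold) { 'SUSPECT' } else { 'ok' }
    '{0,-12} queries={1,3} nxdomain={2,3} {3}' -f $client, $entry['Total'], $entry['Failed'], $flag
    if ($flag -eq 'SUSPECT') {
        '             unresolved names: ' + ($entry['Names'] -join ', ')
    }
}
```

On the constructed excerpt this reports 10.0.0.17 with six queries and five NXDOMAIN answers as SUSPECT, listing the five unresolved names, and 10.0.0.42 with four queries and a single failure as ok. On a real resolver the threshold should be set per time window (the bulletin's own figures, 250 names per day rising to 50,000, give a sense of the volume to expect from one infected host), and the suspect list is a starting point for the checks in the next section, not a verdict.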
How Can I Tell If My Computer Is Infected
Symptoms of infection include:
- Network congestion (because network attacks start from these PCs, which also check for updates from the botmaster)
- Account lockouts (as brute-force password guessing trips lockouts)
- Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled
- Various security-related web sites cannot be accessed
It is possible to detect and remove Conficker using commercial anti-virus tools offered by many companies. However, the most recent variant has a dramatically improved capacity to disable commercial anti-virus software and block it from getting updates. You might need to get a tool specifically for the Conficker worm and might need to download it from a computer that is not infected.
One such tool is the F-Secure F-Downadup tool [10]. It is a command line tool with two options: (1) detect (the default), and (2) detect and disinfect. If it detects an infection, see "How Do I Clean a Computer That Is Infected with Conficker" below.
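The symptoms listed in this section can be checked from the host itself before reaching for a removal tool. The PowerShell below is an added example written for this bulletin, not a detection tool from F-Secure, Microsoft or any other vendor named here. The service names, event IDs, WMI classes and the list of security web sites are assumptions from general Windows knowledge rather than indicators published in the bulletin, and a run with no indicators does not prove the host is clean.

```powershell
# Added example: look for the infection symptoms listed above on one host.
# Service names, event IDs and WMI classes are from general Windows knowledge,
# not from the bulletin. Run from an elevated Windows PowerShell prompt so the
# Security log can be read. Absence of indicators is not proof of a clean host;
# use a vendor removal tool for a definitive answer.

$indicators = @()

# Services the bulletin says the worm disables. ERSvc is Error Reporting on XP/2003,
# WerSvc on Vista and later; a name that does not exist on this OS is simply skipped.
$watched = 'wuauserv', 'BITS', 'WinDefend', 'ERSvc', 'WerSvc'
foreach ($name in $watched) {
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
    if ($svc -and $svc.StartMode -eq 'Disabled') {
        $indicators += "Service $name is set to Disabled"
    }
}

# Account lockouts in the last 24 hours: event 4740 on Vista and later, 644 on XP/2003.
$since = (Get-Date).AddDays(-1)
$lockouts = @(Get-EventLog -LogName Security -After $since -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 4740 -or $_.EventID -eq 644 })
if ($lockouts.Count -gt 0) {
    $indicators += "$($lockouts.Count) account lockout event(s) since $since"
}

# Security web sites blocked by name. The test is: a neutral name resolves but none
# of the security names do. Both lists are illustrative choices for this example.
$securitySites = 'www.microsoft.com', 'www.symantec.com', 'www.f-secure.com'
$controlSite = 'www.example.com'
function Test-NameResolves([string]$HostName) {
    try { [void][System.Net.Dns]::GetHostAddresses($HostName); return $true }
    catch { return $false }
}
if (Test-NameResolves $controlSite) {
    $resolved = @($securitySites | Where-Object { Test-NameResolves $_ })
    if ($resolved.Count -eq 0) {
        $indicators += 'Security web sites fail to resolve while a neutral name resolves'
    }
}

# autorun.inf at the root of removable drives (DriveType 2), the worm's USB carrier.
# Test-Path sees hidden files, which is how the worm marks the file.
$removable = Get-WmiObject -Class Win32_LogicalDisk -Filter 'DriveType=2'
foreach ($drive in $removable) {
    $path = Join-Path $drive.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $path) {
        $indicators += "autorun.inf present on removable drive $($drive.DeviceID)"
    }
}

if ($indicators.Count -eq 0) {
    'No indicators found (run a vendor tool to confirm).'
} else {
    $indicators | ForEach-Object { "INDICATOR: $_" }
}
```

The DNS check uses a control name on purpose: a host that is simply offline fails every lookup, and only the combination of a working neutral lookup with failing security-vendor lookups matches the symptom described above. Any removable drive reported with an autorun.inf should be treated as suspect and not mounted on another machine until autorun is disabled there, as the cleaning section below also warns.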
How Do I Clean a Computer That Is Infected with Conficker
Unfortunately, the worm is difficult to remove because it disables virus protection and blocks access to security web sites. If USB drives have been infected, they might reinfect computers that have been cleaned. If poor administrator passwords are used, systems might get reinfected over the local network.
The Romanian company BitDefender claims to have a solution [11] that uses a web domain that is not blocked by the worm, but you might need to access the tool by IP address if the worm eventually blocks access.
Other tools might have to be downloaded on a computer that is not infected and then transported to the infected computer. Be careful when trying to repair a computer that is infected with Conficker: because it infects USB flash drives, just mounting the USB drive in another system could infect that system (if autorun has not been disabled for USB drives).
Kaspersky has a removal tool named kidokiller [12]. You'll probably have to download it from a computer that is not infected.
The Microsoft Malicious Software Removal Tool (MSRT) [13] March 2009 version can fix variant B.
The F-Secure F-Downadup tool [10] can disinfect. Read the instructions included in the downloaded zip file carefully before starting. Run the tool with the command line:
    f-downadup.exe --disinfect
Of course, the patch for the underlying vulnerability needs to be installed to prevent reinfection.
References
McAfee: W32/Conficker.worm
Microsoft: Worm:Win32/Conficker.C
Symantec: W32.Downadup.C
Kaspersky: Net-Worm.Win32.Kido
Symantec Blog: W32.Downadup.C Digs in Deeper
[1] ComputerWorld: Downadup worm now infects 1 in every 16 PCs
[2] SRI International: Conficker C Analysis
[3] Microsoft: $250,000 Reward for Conficker Worm Authors
[4] Microsoft Security Bulletin MS08-067
[5] Sophos Blog: Passwords used by Conficker
[6] ISC Handler Diary: Conficker's autorun and social engineering
[7] Symantec Blog: AutoPlay Worms
[8] Hackology Blog: Autorun.INF/AutoPlay & Downadup USB Worm
[9] NY Times: Computer Experts Unite to Hunt Worm (registration required)
[10] F-Secure: F-Downadup Tool
[11] BitDefender: BDTOOLS.NET, Remove Downadup (aka Conficker or Kido)
[12] Kaspersky: kidokiller
[13] Microsoft Malicious Software Removal Tool
Managed Services
Based on the criticality, IT Professional Services performed an emergency deployment of the update to protect from the Conficker worm to all systems under managed care.
Professional Services
If you need assistance installing protection from this worm, a security assessment, or disinfecting computers, IT Professional Services can help. Call our help desk.
Find out more about our managed care service.
To find out how vulnerable your network is, schedule a free network security analysis today.
We at IT Professional Services (ITPS)
hope that the information in this bulletin is valuable to you. ITPS
believes the information provided herein is reliable. While care has
been taken to ensure accuracy, your use of the information contained in
this bulletin is at your sole risk. All information in this bulletin is
provided "as-is", without any warranty, whether express or implied, of
its accuracy, completeness, fitness for a particular purpose, title or
non-infringement, and none of the third-party products or information
mentioned in the bulletin are authored, recommended, supported or
guaranteed by ITPS. ITPS shall not be liable for any damages you may
sustain by using this information, whether direct, indirect, special,
incidental or consequential, even if it has been advised of the
possibility of such damages.