<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>Individual Eleven - The World&#039;s Cyberbrain &#187; conficker</title>
	<atom:link href="http://www.individualeleven.net/tag/conficker/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.individualeleven.net</link>
	<description>Tech and gadgetry for free thinking individuals.</description>
	<lastBuildDate>Wed, 04 Jan 2012 11:00:19 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.0</generator>
		<item>
		<title>US-CERT issues Conficker warning</title>
		<link>http://www.individualeleven.net/2009/04/us-cert-issues-conficker-warning/</link>
		<comments>http://www.individualeleven.net/2009/04/us-cert-issues-conficker-warning/#comments</comments>
		<pubDate>Sat, 04 Apr 2009 01:54:53 +0000</pubDate>
		<dc:creator>Moto</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[US-CERT]]></category>
		<category><![CDATA[w32.downadup]]></category>

		<guid isPermaLink="false">http://www.individualeleven.net/?p=518</guid>
		<description><![CDATA[Another memo, another bulletin has arrived. This time it is from the United States Computer Emergency Readiness Team (US-CERT). Our security department seems to be busy lately; these memos are becoming more frequent. Regardless, it is all to the good; after all, it is interesting to know what actions are being taken globally. Their alert underlines [...]]]></description>
			<content:encoded><![CDATA[<p>Another memo, another bulletin has arrived. This time it is from the <a href="http://www.us-cert.gov/cas/techalerts/TA09-088A.html" target="_blank">United States Computer Emergency Readiness Team (US-CERT)</a>. Our security department seems to be busy lately; these memos are becoming more frequent. Regardless, it is all to the good; after all, it is interesting to know what actions are being taken globally.</p>
<p>Their alert underlines what we already know, so it is not exactly a revelation to us. However, I find it interesting that the problem has escalated to such an extent that Homeland Security has been involved. Possibly, there is the feeling of an attack on national security; cyber terrorism, anyone? I had a pleasurable evening last night with some friends, and we discussed whether the Chinese government engineered Conficker. I personally feel it is most likely an independent organisation or the Russian government. However, without going into a whirlwind of skulduggery and conspiracy, we were perhaps wrong on both counts and it is some 16-year-old code monkey who just happens to have been bored for the past year or so.</p>
<p>On a lighter note, I am now officially on holiday and I am visiting a friend of mine in Holland next week. I managed to achieve as much as I could at work, and I have locked away all pens and Post-It notes from the prying eyes of work colleagues. Call me possessive, but I would like my desk to be intact and to have all contents unmoved when I return. I am sure I will make some sporadic blog posts on my travels; I will be taking a British Airways flight, which means my first visit to Terminal 5 at Heathrow airport. I hope that the baggage handlers are not on strike&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://www.individualeleven.net/2009/04/us-cert-issues-conficker-warning/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>April 1st – Joke on Conficker.D?</title>
		<link>http://www.individualeleven.net/2009/04/april-1st-%e2%80%93-joke-on-confickerd/</link>
		<comments>http://www.individualeleven.net/2009/04/april-1st-%e2%80%93-joke-on-confickerd/#comments</comments>
		<pubDate>Wed, 01 Apr 2009 17:24:25 +0000</pubDate>
		<dc:creator>Moto</dc:creator>
				<category><![CDATA[Tech]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[Conficker.D]]></category>
		<category><![CDATA[Sophos Conficker tool]]></category>
		<category><![CDATA[w32.downadup]]></category>

		<guid isPermaLink="false">http://www.individualeleven.net/?p=516</guid>
		<description><![CDATA[I walked into work today, with an air of anticipation about the potential torrent of problems with our servers. Fortunately, it was all quiet on the western front with not a single incident of viral infection reported. It was so anti-climactic in a way, a similar feeling you get when you pay good money to [...]]]></description>
			<content:encoded><![CDATA[<p>I walked into work today, with an air of anticipation about the potential torrent of problems with our servers. Fortunately, it was all quiet on the western front with not a single incident of viral infection reported. It was so anti-climactic in a way, a similar feeling you get when you pay good money to watch a mediocre film, after reading the hyperbole that came with it.</p>
<p>Not that anyone complained; I and many others were quite relieved, but we had pre-empted the problem early on and thankfully our security precautions were not put to the test. Perhaps the warning of impending doom was the April Fool’s joke in itself; maybe we will never know. Nevertheless, this is perhaps not the last we will hear of this and, as ever, new security vulnerabilities appear every day.</p>
<p>If you were not so fortunate, then you may be interested in this. As part of our research, we found that Sophos has released a newer stand-alone <a href="http://www.sophos.com/support/knowledgebase/article/54447.html" target="_blank">Conficker clean-up tool.</a> We have not needed to use it, but I thought it prudent to share in case you are still firefighting in your IT environment. You will need a MySophos account to download the tool; you can create one on their site.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.individualeleven.net/2009/04/april-1st-%e2%80%93-joke-on-confickerd/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker.D worm Doomsday – 1st April</title>
		<link>http://www.individualeleven.net/2009/03/confickerd-worm-doomsday-%e2%80%93-1st-april/</link>
		<comments>http://www.individualeleven.net/2009/03/confickerd-worm-doomsday-%e2%80%93-1st-april/#comments</comments>
		<pubDate>Mon, 30 Mar 2009 20:39:17 +0000</pubDate>
		<dc:creator>Moto</dc:creator>
				<category><![CDATA[Tech]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[Conficker.D]]></category>
		<category><![CDATA[ms08-067]]></category>
		<category><![CDATA[w32.downadup]]></category>

		<guid isPermaLink="false">http://www.individualeleven.net/?p=511</guid>
		<description><![CDATA[Microsoft sent a bulletin to us at work, with some additional memos internally about this. In their bulletin, they mentioned a collective (Conficker Working Group) specifically created to combat this virus and a note about the $250,000 reward for the culprits. However, the main detail here is the possibility that 1st April will be the [...]]]></description>
			<content:encoded><![CDATA[<p>Microsoft sent a bulletin to us at work, with some additional memos internally about this. In their bulletin, they mentioned a collective (the Conficker Working Group) specifically created to combat this virus and a note about the $250,000 reward for the culprits. However, the main detail here is the possibility that 1st April will be the trigger date for the Conficker.D variant to initiate contact with internet domains. Perhaps after contact, the instructions will be to redirect you to another URL that has the real payload. But I suppose we won’t know until it actually happens. <a href="http://blogs.technet.com/msrc/archive/2009/03/27/update-on-conficker-d.aspx" target="_blank">The full blog entry by Microsoft can be read here.</a></p>
<p>As stated, this behaviour is the same as Conficker.B but introduces a wider scope in terms of which domains it will try to target. This no doubt indicates that the virus writers want to spread this as widely as possible. If you are like me, you will have been fully security patched by now across all affected platforms. The main things to do are:</p>
<ul>
<li>Update your systems with <a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx" target="_blank">MS08-067</a></li>
<li>Keep your AV software up to date</li>
<li>Monitor port 445 traffic if possible</li>
</ul>
<p>Taking precautions is the main thing, and if you are sensible, you will not encounter this virus at all. Given how this worm is still causing problems, mainly in enterprise environments, all system administrators should be fully up to speed with this. Our company policy of banning USB devices is still in place, and we have resorted to burning files onto CD/DVD R/W. However, in certain cases we have permitted usage of USB drives. We have separate “sheep-dip” machines, which are completely standalone, with McAfee VirusScan Enterprise 8.5 installed. It seems to do the trick: we scan the USB drive prior to use, copy the files you need, and then scan it again afterwards.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.individualeleven.net/2009/03/confickerd-worm-doomsday-%e2%80%93-1st-april/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A mixed bag</title>
		<link>http://www.individualeleven.net/2009/02/a-mixed-bag/</link>
		<comments>http://www.individualeleven.net/2009/02/a-mixed-bag/#comments</comments>
		<pubDate>Sat, 14 Feb 2009 02:42:34 +0000</pubDate>
		<dc:creator>Moto</dc:creator>
				<category><![CDATA[Miscellaneous]]></category>
		<category><![CDATA[Tech]]></category>
		<category><![CDATA[1234567890 Unix time]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[Eidos]]></category>
		<category><![CDATA[Facebook]]></category>
		<category><![CDATA[Valentine's Day]]></category>

		<guid isPermaLink="false">http://www.individualeleven.net/?p=325</guid>
		<description><![CDATA[Well, this week has been catastrophic at work. Anything you could possibly imagine that could go wrong did go wrong. We’ve been given second-hand server kit to build from, including the CPU, which promptly gave up the ghost on first boot. My illustrious colleague had fun tackling that one and trying to convince Project [...]]]></description>
			<content:encoded><![CDATA[<p>Well, this week has been catastrophic at work. Anything you could possibly imagine that could go wrong did go wrong. We’ve been given second-hand server kit to build from, including the CPU, which promptly gave up the ghost on first boot. My illustrious colleague had fun tackling that one and trying to convince Project Managers to source new kit; you know how that goes. The main source of cooling in the server room, the large AC at the back, spontaneously burst into flames. The smell of smoke and burning PCB was intoxicating; I had to take alternative routes to the kitchen so I could make tea. Also, for the past two weeks I have been trying to virtualise an Exchange cluster from physical boxes into ESX. The P2V worked fine, except I had no idea why this one particular server kept churning out Kerberos errors. I have tried everything: installed, uninstalled, netdom reset, went through the cluster installation documents over and over, perused hundreds of knowledge base articles, checked Active Directory, evicted the node so many times to start afresh. System Attendant refused to start, which means Exchange could be classed as dead. Suffice it to say, there was something fundamentally wrong that I had no time to troubleshoot&#8230; an executive decision was made and I am rebuilding the damn thing within ESX from the OS up. Not to mention the strange weather we are having: Chicago was getting tons of rain while we were getting the snow. Shouldn’t it be the other way round?!</p>
<p>But I digress, there has been some interesting news this week that I will just put into one big hat. So here we go&#8230;<br />
<br/><br />
<a href="http://www.guardian.co.uk/business/2009/feb/12/mergersandacquisitions-games" target="_blank"><span style="text-decoration: underline;"><strong>Square Enix buys Eidos</strong></span></a><br />
Are we going to see Lara Croft standing alongside the likes of Cloud and Squall? Or maybe she can come on as a Summon using her pistols of death. Either way, Eidos’ last iteration of the Tomb Raider series did horribly, as dictated by the sales figures. It’s a shame that this franchise has gone downhill so rapidly, but I’m sure the gods at Square Enix can turn things around with the licenses they have now acquired.</p>
<p><a href="http://entertainment.slashdot.org/article.pl?sid=09/02/13/1534240&amp;from=rss" target="_blank"><span style="text-decoration: underline;"><strong>1,234,567,890 &#8211; Almost like a birthday</strong></span></a><br />
When the clocks hit 23:31:30 UTC, it was exactly 1234567890 seconds since January 1st 1970, when the Unix clock started ticking. This event is almost like witnessing a full eclipse, and there are going to be some geeky parties going on, I’m sure.</p>
<p><a href="http://technology.timesonline.co.uk/tol/news/tech_and_web/article5719302.ece" target="_blank"><span style="text-decoration: underline;"><strong>Facebook is $65 million poorer</strong></span></a><br />
Oh, woe is me. This is probably pocket change for Mark Zuckerberg, the founder of Facebook; whether he really did steal the idea from his ex-Harvard pals or not remains to be seen. I’m sure that if Facebook were not as successful as it is now, they wouldn’t be suing him. The problem is, just because you have an idea does not mean you can implement it as a viable business. So, considering this, some credit is due to Mr Zuckerberg.</p>
<p><a href="http://www.washingtonpost.com/wp-dyn/content/article/2009/02/13/AR2009021302080.html?wprss=rss_technology" target="_blank"><span style="text-decoration: underline;"><strong>Microsoft issues bounty for Conficker culprits</strong></span></a><br />
It’s that old chestnut again: what seemed to be a rather harmless worm (after all, it doesn’t really do much if you take precautions and implement safeguards) has turned into something of a black plague in the enterprise world, including government institutions. The person or persons involved have been marked; watch out for wanted posters on a lamp post near you.</p>
<p><span style="text-decoration: underline;"><strong>And finally&#8230;</strong></span><br />
It’s Valentine’s Day, so I hope you all have a wonderful time with your loved ones&#8230; perhaps you will get a surprise from an unexpected someone. However, if you feel all alone sobbing in a dark, damp corner somewhere then here is an ASCII heart just for you!<br />
<br/><br />
_________pork and____________pork and<br />
______pork and bea_______pork and beansp<br />
____pork and beanspor___pork and beanspork<br />
___pork and beanspork and beanspo_______pork<br />
__pork and beanspork and beanspo_________pork<br />
_pork and beanspork and beanspork a_______pork<br />
_pork and beanspork and beanspork and b______p<br />
pork and beanspork and beanspork and bean__por<br />
pork and beanspork and beanspork and beans_por<br />
pork and beanspork and beanspork and beanspork<br />
pork and beanspork and beanspork and beanspor<br />
_pork and beanspork and beanspork and beansp<br />
__pork and beanspork and beanspork and bean<br />
____pork and beanspork and beanspork and b<br />
______pork and beanspork and beanspork a<br />
_________pork and beanspork and beans<br />
____________pork and beanspork and<br />
______________pork and beanspork<br />
_________________pork and bean<br />
___________________pork and<br />
_____________________pork a<br />
______________________pork<br />
_______________________po<br />
<br/></p>
]]></content:encoded>
			<wfw:commentRss>http://www.individualeleven.net/2009/02/a-mixed-bag/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>NOD32 – Conficker/downadup, variants abound</title>
		<link>http://www.individualeleven.net/2009/01/nod32-%e2%80%93-confickerdownadup-variants-abound/</link>
		<comments>http://www.individualeleven.net/2009/01/nod32-%e2%80%93-confickerdownadup-variants-abound/#comments</comments>
		<pubDate>Sun, 18 Jan 2009 01:07:52 +0000</pubDate>
		<dc:creator>Moto</dc:creator>
				<category><![CDATA[Tech]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[downadup]]></category>
		<category><![CDATA[NOD32]]></category>
		<category><![CDATA[ThreatSense]]></category>

		<guid isPermaLink="false">http://www.individualeleven.net/?p=114</guid>
		<description><![CDATA[Someone asked me if NOD32 can successfully detect and remove Conficker. I was certain it can from what I have been told (as mentioned in my previous post); I use NOD32 at home, but I have not been affected, so could not say so myself. I decided to look it up anyway and scarily there [...]]]></description>
			<content:encoded><![CDATA[<p>Someone asked me if NOD32 can successfully detect and remove Conficker. I was certain it can from what I have been told (as mentioned in my previous post); I use NOD32 at home, but I have not been affected, so could not say so myself. I decided to look it up anyway and scarily there seem to be a lot of variations, judging by the different names ESET have given in their list of database updates. It was first mentioned in database version 3638 (25th November 2008) and goes from Win32/Conficker.A to .Z; they ran out of letters in the alphabet and started to name them Win32/Conficker.AA etc. This just demonstrates the polymorphic capabilities of this worm; if you haven’t security patched your machine by now, then good luck to you.</p>
<p>The last mention on ESET’s database search is Win32/Conficker.AK, database update version 3772, released on 16th January 2009. I have used NOD32 for many years and I have to say it is one of the best AV products on the market, and the support for different OS platforms is a plus. You can look for viruses that are included in all their database releases on the <a href="http://www.eset.com/support/updates.php" target="_blank">ThreatSense Updates search.</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.individualeleven.net/2009/01/nod32-%e2%80%93-confickerdownadup-variants-abound/feed/</wfw:commentRss>
		<slash:comments>5</slash:comments>
		</item>
		<item>
		<title>Net-Worm.Win32.Kido.bt &#8211; Kaspersky&#8217;s alternative name for Conficker/downadup</title>
		<link>http://www.individualeleven.net/2009/01/net-wormwin32kidobt-kasperskys-alternative-name-for-confickerdownadup/</link>
		<comments>http://www.individualeleven.net/2009/01/net-wormwin32kidobt-kasperskys-alternative-name-for-confickerdownadup/#comments</comments>
		<pubDate>Fri, 16 Jan 2009 23:39:52 +0000</pubDate>
		<dc:creator>Moto</dc:creator>
				<category><![CDATA[Tech]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[Kaspersky]]></category>
		<category><![CDATA[kido]]></category>
		<category><![CDATA[Net-Worm.Win32.Kido.bt]]></category>
		<category><![CDATA[w32.downadup]]></category>

		<guid isPermaLink="false">http://www.individualeleven.net/?p=107</guid>
		<description><![CDATA[After a bit of digging around, I finally found the Conficker worm being mentioned on Kaspersky&#8217;s website. It doesn&#8217;t help that they do not use the most common monikers for this, but anyway. I am now beginning to understand why our copy of Kaspersky is not detecting the one we found on our network. Here [...]]]></description>
			<content:encoded><![CDATA[<p>After a bit of digging around, I finally found the Conficker worm being mentioned on Kaspersky&#8217;s website. It doesn&#8217;t help that they do not use the most common monikers for this, but anyway. I am now beginning to understand why our copy of Kaspersky is not detecting the one we found on our network. Here is an excerpt of the description from their site. I have highlighted the problem in bold/underline:</p>
<hr />
<p><span>This worm spreads via local networks and removable storage media. It is a PE <span style="text-decoration: underline;"><strong>DLL file</strong></span>. The components of the worm are between 155KB and 165KB in size. It is packed using UPX.</span></p>
<h2>Installation</h2>
<p>The worm copies its executable file to the Windows system directory as follows:</p>
<p><span class="pre"><span style="text-decoration: underline;"><strong>%System%\&lt;rnd&gt;.dll</strong></span> </span> &lt;rnd&gt; is a string of random symbols</p>
<hr />
<p>I hate to say this, Kaspersky, but the infected file has varying permutations of the file extension. It is not just .DLL; it can be pretty much anything, from .txt to .png or .jpg. Basically, you cannot use the .DLL extension as the only method of detection, and if this is the case, it is not going to find it. Perhaps the first variant &#8220;a&#8221; was originally a .DLL, but not anymore, and I believe the &#8220;b&#8221; version is much more widespread now. So how about taking a leaf out of Trend Micro&#8217;s book and looking for behavioural patterns instead of just the filename&#8230;</p>
<p><a href="http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782725" target="_blank">Kaspersky description for Net-Worm.Win32.Kido</a></p>
<p><a href="http://support.kaspersky.com/faq/?qid=208279973" target="_blank">Kaspersky method of removal. It may work on some versions of the virus</a></p>
]]></content:encoded>
			<wfw:commentRss>http://www.individualeleven.net/2009/01/net-wormwin32kidobt-kasperskys-alternative-name-for-confickerdownadup/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Update – Conficker, W32.downadup virus</title>
		<link>http://www.individualeleven.net/2009/01/update-%e2%80%93-conficker-w32downadup-virus/</link>
		<comments>http://www.individualeleven.net/2009/01/update-%e2%80%93-conficker-w32downadup-virus/#comments</comments>
		<pubDate>Thu, 15 Jan 2009 23:36:32 +0000</pubDate>
		<dc:creator>Moto</dc:creator>
				<category><![CDATA[Tech]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[f-secure]]></category>
		<category><![CDATA[kb890830]]></category>
		<category><![CDATA[McAfee]]></category>
		<category><![CDATA[MSRT]]></category>
		<category><![CDATA[Trend Micro]]></category>
		<category><![CDATA[w32.downadup]]></category>

		<guid isPermaLink="false">http://www.individualeleven.net/?p=89</guid>
		<description><![CDATA[This is spreading like wildfire, but from the tests we carried out using an infected USB stick the F-Secure tool to remove the virus does not work. It reports back to say that the virus is not detected, but during our tests when we do the same scan using the Trend Micro tool it gets [...]]]></description>
			<content:encoded><![CDATA[<p>This is spreading like wildfire, but from the tests we carried out using an infected USB stick the F-Secure tool to remove the virus does not work. It reports back to say that the virus is not detected, but during our tests when we do the same scan using the Trend Micro tool it gets picked up immediately. Until F-Secure amend their standalone scanner, I would not use it to combat this. More information on F-Secure’s tool is <a href="http://www.f-secure.com/v-descs/worm_w32_downadup_al.shtml" target="_blank">here.</a> I am assuming that F-Secure are not including all variants and they need to update it.</p>
<p>Microsoft has also issued a new <a href="http://support.microsoft.com/kb/890830" target="_blank">Malicious Software Removal Tool</a>, KB article 890830, which is released regularly for removal of many viruses. However, the main one we are interested in is this:</p>
<p><img class="alignnone size-full wp-image-90" title="kb890830" src="http://www.individualeleven.net/wp-content/uploads/2009/01/kb890830.jpg" alt="kb890830" width="429" height="114" /></p>
<p>You can deploy this quite easily across your organisation via group policy, Microsoft Systems Management Server (SMS) or any other third party software/update distribution solution such as the one from Altiris. So far, the only products I have encountered which can detect and delete the virus are still McAfee, NOD32 and eTrust. I am not sure about Symantec as I refuse to use a product that grinds your entire system to a halt. No news on Kaspersky either; our purchase of Kaspersky 2009 is redundant until they release a new definition file.</p>
<p><strong>EDIT &#8211; McAfee VirusScan Enterprise</strong></p>
<p>This gets better and better: McAfee VirusScan 7.1 DOES NOT detect Conficker, unfortunately, even with the latest DATs installed. We compared this to our other rig which uses VirusScan 8.5, and that detects and removes it successfully. So I would suggest upgrading to the 8.5 version if you use McAfee in your organisation. The engine for 8.5 must have a better heuristic detection method.</p>
<p>Another thing to note is that there are (as far as I know) two versions of this worm, W32.downadup.a and W32.downadup.b. The &#8220;b&#8221; version has the added bonus of spreading via autorun.inf as described in my previous post, so whatever AV solution you use, make sure that it covers both. Sophos will be investigated as a possible solution for some of our rigs; having such a large test environment at my disposal does mean I can test and roll back as many times as I want before we commit.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.individualeleven.net/2009/01/update-%e2%80%93-conficker-w32downadup-virus/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Conficker virus, aka W32.downadup</title>
		<link>http://www.individualeleven.net/2009/01/conficker-virus-aka-w32downadup/</link>
		<comments>http://www.individualeleven.net/2009/01/conficker-virus-aka-w32downadup/#comments</comments>
		<pubDate>Sat, 10 Jan 2009 18:12:09 +0000</pubDate>
		<dc:creator>Moto</dc:creator>
				<category><![CDATA[Tech]]></category>
		<category><![CDATA[conficker]]></category>
		<category><![CDATA[Kaspersky]]></category>
		<category><![CDATA[ms08-067]]></category>
		<category><![CDATA[port 445]]></category>
		<category><![CDATA[Trend Micro]]></category>
		<category><![CDATA[virus]]></category>
		<category><![CDATA[vulnerability]]></category>
		<category><![CDATA[w32.downadup]]></category>
		<category><![CDATA[worm]]></category>

		<guid isPermaLink="false">http://www.individualeleven.net/?p=5</guid>
		<description><![CDATA[This little gem has been plaguing corporations all over the world, thanks to a Ukrainian virus writer. Something to do for those cold winter nights I suppose when you have no gas. It acts as a botnet of sorts and once infected the machine turns into an HTTP server to spread it further. Another method [...]]]></description>
			<content:encoded><![CDATA[<p>This little gem has been plaguing corporations all over the world, thanks to a Ukrainian virus writer. Something to do for those cold winter nights I suppose when you <a href="http://news.bbc.co.uk/1/hi/world/europe/7806870.stm">have no gas.</a></p>
<p>It acts as a botnet of sorts, and once infected the machine turns into an HTTP server to spread it further. Another method of transportation is via USB drives with autorun enabled. Signs of infection include hundreds of connections to port 445 (SMB); run netstat -on at the command prompt to see them. Access to admin shares is also lost, and other file shares could be affected.</p>
<p><strong>Removal</strong><br />
First thing is to patch your machine with this security patch from MS: <a href="http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx">Microsoft Security Bulletin MS08-067 – Critical (KB958644)</a></p>
<p>Secondly, update your anti-virus software with the latest definitions. For a standalone removal tool, go to Trend Micro and download with the latest definition files:<br />
<a href="http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip">Sysclean scan and removal</a><br />
<a href="http://www.trendmicro.com/download/pattern-cpr.asp">Latest Control Pattern file</a><br />
<a href="http://www.trendmicro.com/download/spywarepattern.asp">Spyware detection and cleanup</a><br />
Run sysclean.com once all files are extracted, and it will scan the current machine.</p>
<p>Funnily enough, we decided to go to PCWorld and buy the latest Kaspersky 2009 AV software for our standalone PCs. To our surprise it did not detect the virus at all; forums suggest the Kaspersky ruskies are working on a solution for detection and removal. Our AV for the corporate network, eTrust by Computer Associates, also did not initially detect it until a policy update was applied. According to the techs at CA, it was classed as low risk and not critical. Obviously CA were caught napping when the bulletin was released in October. Nod32 by Eset finds it quite happily without creating too much fuss; the same goes for McAfee if you have the latest DATs.</p>
<p><a href="http://vil.nai.com/vil/content/v_153464.htm">Information on the virus worm by McAfee</a></p>
<p>Even though they have marked this as low risk, it can be very disruptive. Losing access to file servers containing critical data for everyday operations isn&#8217;t exactly productive. I have also found that the hammering of port 445 will slow your network down to a crawl, as the worm does this on every subnet you are connected to and attempts it against external IP addresses as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.individualeleven.net/2009/01/conficker-virus-aka-w32downadup/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

