MS08-067 Vulnerability Details
A vulnerability in the Microsoft Server service can result in remote code execution. If a system receives a specially crafted Remote Procedure Call (RPC) request, an attacker could obtain full control of the target. On older versions of Windows it can be exploited without authentication by any user with network access to the system.
RPC is a protocol that assists with interoperability by allowing a program to request a service from a program located on another computer within a network, without requiring the program using RPC to understand the network protocols that carry the communication.
The Server service enables the sharing of local resources, such as files and printers, within a network. It provides support for RPC and named pipe sharing over the network. By default the Server service runs with SYSTEM privileges, so successful exploitation gives the attacker that same level of access.
Vulnerable Operating Systems:
Microsoft Windows 2000 Service Pack 4
Windows XP Service Pack 2
Windows XP Service Pack 3
Windows XP Professional x64 Edition
Windows XP Professional x64 Edition Service Pack 2
Windows Server 2003 Service Pack 1
Windows Server 2003 Service Pack 2
Windows Server 2003 x64 Edition
Windows Server 2003 x64 Edition Service Pack 2
Windows Server 2003 with SP1 for Itanium-based Systems
Windows Server 2003 with SP2 for Itanium-based Systems
Windows Vista and Windows Vista Service Pack 1
Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
Windows Server 2008 for 32-bit Systems
Windows Server 2008 for x64-based Systems
Windows Server 2008 for Itanium-based Systems
Malicious Code Details for Conficker.C
Downadup.C checks whether its command line includes the string RUNDLL32.EXE. If it does, the worm assumes it is running as a scheduled task. Downadup.C then injects itself into the following legitimate processes:
· SVCHOST.EXE
· EXPLORER.EXE
Downadup.C is capable of exporting functions used by other malware. Downadup.C sets the creation time of its file to match the creation time of the legitimate [Windows system directory]\KERNEL32.DLL file. Downadup.C does this to avoid early detection as a newly added file on the affected system.
Once executed, Downadup.C creates a random mutex and then elevates its privileges. Downadup.C also creates a second mutex based on the computer name of the affected system.
If the system is running under Windows Vista, Downadup.C executes the following command to disable autotuning:
· netsh interface tcp set global autotuning=disabled
Downadup.C also injects itself into the process SVCHOST.EXE to hook NetpwPathCanonicalize and avoid reinfection of an already affected system.
Downadup.C attempts to connect to any of the following URLs to learn the external IP address of the affected computer:
· hxxp://www.whatismyip.org
· hxxp://checkip.dyndns.org
· hxxp://www.getmyip.org
· hxxp://www.whatsmyipaddress.com
Network worms generally spread over networks through brute force methods and/or exploitation of vulnerabilities.
Exploitation of Vulnerability - Business Impact:
Successful exploitation can result in a Denial of Service (DoS) condition, meaning service is denied to legitimate users. This can typically mean users being unable to use their PCs; being unable to access their shared drives over the network if a file server is infected; or a company's externally facing web servers becoming unresponsive.
Exploitation can also result in a compromised system being 'controlled' by a remote malicious person; this can allow the attacker to obtain information stored on a local machine or network server. So sensitive company data, personally identifiable information (PII), HR/Payroll/Financial documentation, and internal company procedure and practice documents can all be exposed publicly if a server or workstation holding this information is infected.
Another feature introduced with Conficker.C is the ability to spread via the P2P protocol. This can result in the disclosure of local information on the system being mirrored or copied with minimal effort by an attacker. Please ensure P2P is not used in your environment!
Activation of Trojan:
On April 1, 2009, Conficker.C will switch to a new domain generation algorithm producing 50,000 domains across 110 top-level domains (TLDs). The malware will then communicate on a daily basis with these domains to upload the information it has gathered, OR to download other malware which will further compromise the system/network/infrastructure.
Currently there are multiple entities at work to ensure that the potential damage is limited; however, in the meantime we strongly recommend proactive measures are taken by all to help limit the impact for HP and its Trade Customers.
Recommended Action
The following actions are strongly advised to help protect your own and customer environments:
1. Please ensure your systems have Microsoft patch KB958644 applied;
2. Please make sure your AV client is running with the latest virus definitions released. Below is a list of the minimum virus definition versions which will detect and remove this malware;
3. If you are using a centralized AV console, please make sure all systems connecting to it are secured. If the console is showing any systems which are unprotected, please take proactive measures to remove these systems from the network AND ONLY return them once they are secure;
4. If you are running a decentralized AV environment, please take all necessary measures to ensure all systems are updated and those which fall below the required standard for detecting/removing Conficker.C are taken off the network until verified they are secure;
5. Please turn off the Auto Run feature on Windows machines and take steps to make sure removable USB drives are not connected to systems unless they are known not to be hosting any malware; this is a major cause of the spread of Conficker.C;
6. Please disable the P2P protocols in the network;
7. Please block ports 139 and 445 for external hosts on the perimeter firewall;
8. Please monitor your network activity on a regular basis and investigate all systems which show an increase in traffic coming/going on ports 139 and/or 445;
9. Please make all users aware of the dangers of this malware and remind them of their duties to help prevent malicious traffic from further propagating;
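To support actions 7 and 8, here is an added Python example (written for this advisory, not part of the original text) that runs over connection records and flags hosts fanning out to many peers on ports 139/445, or resolving one of the IP-check sites named in the malware details above. The record layout, the sample records and the fan-out threshold of 5 are assumptions.

```python
import re
from collections import defaultdict

# Constructed connection records in an assumed "timestamp src dst dport [hostname]"
# layout, not logs from the advisory: 10.1.1.5 fans out on 445/139 and then asks an
# external IP-check site; 10.1.1.9 only talks to one file server. Last line is malformed.
SAMPLE_LOG = """\
2009-03-30T10:00:01 10.1.1.5 10.1.1.20 445
2009-03-30T10:00:02 10.1.1.5 10.1.1.21 445
2009-03-30T10:00:02 10.1.1.5 10.1.1.22 139
2009-03-30T10:00:03 10.1.1.5 10.1.1.23 445
2009-03-30T10:00:03 10.1.1.5 10.1.1.24 445
2009-03-30T10:00:05 10.1.1.5 192.0.2.10 80 www.whatismyip.org
2009-03-30T10:00:06 10.1.1.9 10.1.1.20 445
2009-03-30T10:00:07 10.1.1.9 10.1.1.20 445
2009-03-30T10:00:09 malformed
"""
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<dport>\d+)(?:\s+(?P<host>\S+))?$")
SMB_PORTS = {139, 445}
# IP-lookup sites the worm contacts, taken from the malware details above.
IP_CHECK_HOSTS = {"www.whatismyip.org", "checkip.dyndns.org",
                  "www.getmyip.org", "www.whatsmyipaddress.com"}

def parse(log_text):
    """Parse records, silently skipping malformed lines; dport becomes an int."""
    records = []
    for m in filter(None, map(LINE_RE.match, log_text.splitlines())):
        rec = m.groupdict()
        rec["dport"] = int(rec["dport"])
        records.append(rec)
    return records

def smb_fanout(records, threshold=5):
    """Sources contacting at least `threshold` distinct peers on 139/445 (assumed baseline)."""
    peers = defaultdict(set)
    for r in records:
        if r["dport"] in SMB_PORTS:
            peers[r["src"]].add(r["dst"])
    return {src: len(p) for src, p in peers.items() if len(p) >= threshold}

def ip_check_lookups(records):
    """(source, hostname) pairs where a host contacted one of the worm's IP-check sites."""
    return sorted({(r["src"], r["host"]) for r in records if r["host"] in IP_CHECK_HOSTS})

def suspicious_hosts(log_text, threshold=5):
    """Union of both detections: hosts worth investigating, sorted."""
    recs = parse(log_text)
    return sorted(set(smb_fanout(recs, threshold)) | {s for s, _ in ip_check_lookups(recs)})
```

Tune the threshold to your own baseline: a backup server or domain controller legitimately reaches many SMB peers, so whitelist such hosts before alerting.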
Detection Methods by AV Providers
• Symantec - w32.downadup.c – Detected and Removed with Initial Rapid Release version March 6, 2009 revision 036
• McAfee - w32/conficker.worm.gen.c – Detected and Removed with 5550 (03/11/2009) running on Minimum Scan Engine 5.2.00
• Trend - Worm_downad.kk – Detected and Removed with Pattern file: 5.923.00 running on Minimum scan engine version needed: 8.911-1001
Additionally, all the Major AV vendors have released a removal tool to help detect and remove the worm; links to them are provided below.
Look for the following files that are used by Downadup.C:
[Windows System directory]\[Random file name].dll (169,425 bytes)
[Windows directory]\System32\svchost.exe
[Application Data directory]\[Copy of Malware filename]
[Default system directory]\[Copy of Malware filename]
[Program Files directory]\Internet Explorer\[Copy of Malware filename]
[Program Files directory]\Movie Maker\[Copy of Malware filename]
[Windows Temporary directory]\[Copy of Malware filename]
[Removable drive]\Recycler\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d
[Removable drive directory]\AUTORUN.INF
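As an added check (example code written for this advisory, not a vendor tool), the following Python script looks for the file indicators listed above: DLLs of exactly 169,425 bytes in a system directory, and an AUTORUN.INF alongside a SID-named Recycler subdirectory on a removable drive root. The constructed sample tree, its file names and the SID value are assumptions for demonstration; point the two find_* functions at real paths to use it.

```python
import re
import tempfile
from pathlib import Path

# Indicators from the file list above: the random-named DLL dropped into the Windows
# system directory is 169,425 bytes, and removable drives get a Recycler\S-... directory
# (each "%d" is a run of digits) next to an AUTORUN.INF.
DLL_SIZE = 169425
RECYCLER_RE = re.compile(r"^S-\d+-\d+-\d+-\d+-\d+-\d+-\d+$", re.IGNORECASE)

def find_suspect_dlls(system_dir):
    """Names of DLLs in system_dir whose size equals the Downadup.C dropper size."""
    return sorted(p.name for p in Path(system_dir).iterdir()
                  if p.is_file() and p.suffix.lower() == ".dll" and p.stat().st_size == DLL_SIZE)

def find_removable_indicators(drive_root):
    """AUTORUN.INF and SID-named Recycler subdirectories on a removable drive root.
    Legitimate NTFS recycle bins use the same SID form, so the pair of both
    indicators is what warrants review, not either one on its own."""
    hits = []
    for p in Path(drive_root).iterdir():
        if p.is_file() and p.name.lower() == "autorun.inf":
            hits.append(p.name)
        if p.is_dir() and p.name.lower() == "recycler":
            hits.extend(f"{p.name}/{d.name}" for d in p.iterdir()
                        if d.is_dir() and RECYCLER_RE.match(d.name))
    return sorted(hits)

def build_constructed_sample(base):
    """Create a constructed tree imitating an infected layout (test data only, assumed names)."""
    base = Path(base)
    sysdir = base / "system32"
    sysdir.mkdir()
    (sysdir / "kernel32.dll").write_bytes(b"\x00" * 1024)       # benign: wrong size
    (sysdir / "abcdefg.dll").write_bytes(b"\x00" * DLL_SIZE)    # matches dropper size
    usb = base / "usb"
    (usb / "Recycler" / "S-1-2-3-456789-123456-789012-34").mkdir(parents=True)
    (usb / "AUTORUN.INF").write_text("[autorun]\n")
    return sysdir, usb

def demo():
    """Run both checks over the constructed tree; returns (dll_hits, removable_hits)."""
    with tempfile.TemporaryDirectory() as tmp:
        sysdir, usb = build_constructed_sample(tmp)
        return find_suspect_dlls(sysdir), find_removable_indicators(usb)

if __name__ == "__main__":
    print(demo())
```

A size match alone is only a pointer for review; confirm with the AV detections listed above or a vendor removal tool before acting on a host.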
Important Links:
- Microsoft Malware Protection Center Article
- Symantec Writeup Downadup.C
- McAfee Writeup for W32/Conficker.worm.gen.b
- Trend Micro writeup for WORM_DOWNAD.AD
- SRI International Conficker.C Analysis
- Sans Diary Article
- Maximum PC Article - Conficker.C to possibly strike on April 1st
- CA Article for Conficker.C
The following removal tools have been advised by the SANS Institute:
- Symantec Removal Tool for Downadup Family
- Trend Micro Removal tool for WORM_DOWNAD.AD (.zip file)
- Bit Defender Removal Tool for Downadup family
- F-Secure Removal Tool - .zip file
Patch and original advisory: http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Interesting reading: http://bits.blogs.nytimes.com/2009/03/19/the-conficker-worm-april-fools-joke-or-unthinkable-disaster/
Technical reading: http://mtc.sri.com/Conficker/addendumC/