“Best practice” for Win32/Conficker.B [MS] / W32.Downadup.B [SYM]
Infection/propagation methods
- Flash drives/open shares/mapped drives [autorun.inf]
- Admin$ share: brute-force password attack against the networked systems
- Exploit of MS08-067: RPC buffer-overflow vulnerability in netapi32.dll
How does it work?
The initial attack happens on one of the networked systems.
This initial infection and execution can happen by visiting a malware-hosting website [cracks/music/free downloads/hacked sites etc.] or by plugging an infected flash drive into a machine on the production network.
Mostly unpatched systems/browsers are the initial victims of this attack.
Once executed, it installs a service under
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\netsvcs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName
The service binary is in most cases a .dll file [we need to submit this file if it is not already detected by SEP].
The service uses the MS Task Scheduler to create multiple jobs.
These jobs execute rundll32.exe random_name.random_ext <args> at random intervals.
The extension is not always .dll; it could be anything [e.g. .ifs, .jpg, .tmp, .c].
In Task Manager we’ll see multiple rundll32.exe processes running.
That file is in most cases detected by SEP; if not, we need to submit it.
That’s the file which may again attack other systems or download other threats.
Multiple instances of this file run continuously in memory and attack other systems.
The threat tries to plant autorun.inf and a random_name.exe file on the mapped drives and open shares so that it executes itself across the network.
It also disables Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and the Error Reporting Service.
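To make the scheduled-task and disabled-service indicators above checkable from collected command output rather than by eye, here is an added example (my own Python, not code from these notes and not Symantec or Microsoft tooling). It parses saved `schtasks /query /fo csv /v` and `sc query` output and flags jobs that hand rundll32.exe a module which is not a .dll, plus protective services that are not running. The task names, file names, paths and service states in it are constructed sample data, and the CSV is trimmed to the columns the example reads.

```python
"""Offline triage for two host indicators: scheduled jobs that run rundll32.exe
against a module which is not a .dll, and the protective services the threat
switches off. Both helpers parse saved command output, so they can run on a
workstation against files collected from the suspect machine."""
import csv
import io
import ntpath
import re

# Constructed sample of `schtasks /query /fo csv /v` output, cut down to the
# columns used here (the real output has many more). Task names, paths and
# file names are made up for this example.
SAMPLE_SCHTASKS_CSV = r'''"HostName","TaskName","Status","Task To Run","Schedule Type"
"WKS01","ScheduledDefrag","Ready","%windir%\system32\defrag.exe -c","Weekly"
"WKS01","At1","Ready","rundll32.exe C:\WINDOWS\system32\qzkwf.ifs,xmptlo","Hourly"
"WKS01","At2","Ready","rundll32.exe C:\WINDOWS\system32\ahrve.jpg,lqhvkc","Hourly"
"WKS01","At3","Ready","rundll32.exe ""C:\WINDOWS\Temp\ndvez.tmp"",cwolqh","Hourly"
"WKS01","CPLRefresh","Ready","rundll32.exe shell32.dll,Control_RunDLL","Daily"
'''

# Constructed `sc query <name>` output for several services, pasted together
# into one file. WinDefend is deliberately absent, as it would be on an
# XP/2003 box without Windows Defender installed.
SAMPLE_SC_QUERY = """\
SERVICE_NAME: BITS
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: wuauserv
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 0  (0x0)

SERVICE_NAME: ERSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
        WIN32_EXIT_CODE    : 0  (0x0)
"""

# rundll32 takes "<module>,<entrypoint> [args]"; the module path may be quoted.
RUNDLL32_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"([^"]+)"|([^\s,]+))', re.IGNORECASE)

# Short service names of the components the write-up says get disabled
# (ERSvc is the XP/2003 name of the Error Reporting Service).
PROTECTIVE_SERVICES = {
    "wuauserv": "Automatic Updates",
    "BITS": "Background Intelligent Transfer Service",
    "WinDefend": "Windows Defender",
    "ERSvc": "Error Reporting Service",
}


def suspicious_rundll32_tasks(schtasks_csv, allowed_exts=(".dll",)):
    """Return (task name, module path) for every job that hands rundll32 a
    module whose extension is not in allowed_exts (.ifs, .jpg, .tmp, .c ...)."""
    flagged = []
    for row in csv.DictReader(io.StringIO(schtasks_csv)):
        match = RUNDLL32_RE.search(row.get("Task To Run", ""))
        if not match:
            continue
        module = match.group(1) or match.group(2)
        # ntpath splits backslash paths correctly even on a non-Windows analysis box
        if ntpath.splitext(module)[1].lower() not in allowed_exts:
            flagged.append((row["TaskName"], module))
    return flagged


def service_states(sc_output):
    """Map SERVICE_NAME -> STATE word (RUNNING, STOPPED, ...) from sc query output."""
    states, name = {}, None
    for line in sc_output.splitlines():
        line = line.strip()
        if line.startswith("SERVICE_NAME:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("STATE") and name:
            states[name] = line.split()[-1]   # "STATE : 1  STOPPED" -> "STOPPED"
    return states


def stopped_protective_services(sc_output):
    """Protective services that are not RUNNING. A service missing from the
    output is reported too, so the analyst can decide whether that is expected."""
    states = service_states(sc_output)
    return sorted(name for name in PROTECTIVE_SERVICES if states.get(name) != "RUNNING")


if __name__ == "__main__":
    for task, module in suspicious_rundll32_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"suspicious task {task}: rundll32 module {module}")
    for name in stopped_protective_services(SAMPLE_SC_QUERY):
        print(f"not running: {name} ({PROTECTIVE_SERVICES[name]})")
```

Run it against the real `schtasks` and `sc query` output saved from a suspect host; the two flagged lists go straight into the list of files to submit and the list of services to re-enable after cleaning.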
What’s the bad part?
User account lockout policy. As mentioned, the threat tries to gain access to different systems on the network by a brute-force password attack.
Because of this activity multiple user accounts get locked out. Apart from that, the threat may also download other threats like W32.Sality [a file infector], which would make the story even worse.
What is the PLAN OF ACTION if I get a case on W32.Downadup.B?
- Confirm in SEPM that all systems have SEP installed, running and up to date [and have all the latest security updates from MS]
This step is very critical because we cannot afford to leave even one system in the network unprotected. As observed, it happens most of the time that some systems in the network are without SEP and/or not up to date/not patched, and those machines are later found to be the source/attacking machines. We can simply check this in the SEPM Clients tab by comparing the number of clients with the total number of systems in the LAN.
- Get the exact number of infected systems and the threat names.
SEPM > Monitors > Logs > Risk logs would help.
- Confirm whether the server is infected too.
Look for a possible infection on the server: check scheduled tasks, autorun.inf in open shares, unknown services and disabled services [BITS/AU etc.] [analyzing the ESUG log would be a good idea].
- Disable Autoplay via GPO [across the domain]; we can use an Application and Device Control policy as well. [see the links at the bottom of this article]
- Disable the Task Scheduler service [if it’s not being used in the network]
- Back-trace the “source systems” from which the attack is originating.
This is one more critical step to narrow down the affected part of the network. We need to find out from which systems the attack is actually originating.
We can find this out in 3 ways:
1. IPS logs [log-only mode, because block mode will block the system for 600 secs, which the customer may not like]
2. Event Viewer > Security log > Failure Audits [we have to enable failure auditing in GPO if it is not enabled already]
3. Netlogon debug log [see the links at the bottom of this article]
- Once we have the above information we can use NLParse from the Microsoft Account Lockout tools to analyze Netlogon.log [see the links at the bottom of this article]
- The above logs will give us an idea of which systems are attacking other systems in the network.
- We need to target these machines first and get the ESUG logs from them.
- We need to avoid logging in to these systems as “domain administrator”, because doing so would make the threat’s job easier: it uses {impersonates} the currently logged-on account to access/infect other systems in the network. If ‘isolating’ these systems is possible, that would certainly help us.
- We need to confirm the patch KB 958644 / AV status / disabled services / registry entries on these systems. [ESUG]
- Once these systems are cleaned, hopefully the situation will be under control.
For the MS-specific steps [editing GPO / enabling the Netlogon log] we may consult MS tech support if the customer has a support contract with MS [to be on the safer side]. If not, we can help as best-effort support.
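As an added example for the “back-trace the source systems” step (my own Python, not part of these notes and not Symantec or Microsoft tooling), here is a small NLParse-style pass over a saved Netlogon.log: it groups failed SamLogon attempts by the workstation they came from, counts distinct accounts tried and lockouts triggered, and ranks the sources. The log lines, host names and account names are constructed sample data in the shape of a Windows Server 2003 Netlogon.log; the status codes are standard NTSTATUS values.

```python
"""Rank attacking source systems from the Netlogon debug log. Failed SamLogon
attempts are grouped by the workstation that sent them; a source that fails
against several different accounts in a short window looks like password
guessing, while a single user mistyping a password does not."""
import re
from collections import defaultdict

# NTSTATUS codes seen in the "Returns 0x..." part of a SamLogon line.
STATUS_WRONG_PASSWORD = 0xC000006A
STATUS_ACCOUNT_LOCKED_OUT = 0xC0000234

# Constructed sample in the shape of a Server 2003 Netlogon.log (no year is
# logged). WKS17 cycles guesses through several accounts until one locks out;
# WKS03 is a user who mistyped a password once and then got in.
SAMPLE_NETLOGON_LOG = r"""03/09 10:02:11 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from \\WKS17 Entered
03/09 10:02:11 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from \\WKS17 Returns 0xC000006A
03/09 10:02:12 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from \\WKS17 Returns 0xC000006A
03/09 10:02:12 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from \\WKS17 Returns 0xC000006A
03/09 10:02:13 [LOGON] SamLogon: Network logon of CONTOSO\jsmith from \\WKS17 Returns 0xC0000234
03/09 10:02:13 [LOGON] SamLogon: Network logon of CONTOSO\mlee from \\WKS17 Returns 0xC000006A
03/09 10:02:14 [LOGON] SamLogon: Network logon of CONTOSO\mlee from \\WKS17 Returns 0xC000006A
03/09 10:02:14 [LOGON] SamLogon: Network logon of CONTOSO\backup from \\WKS17 Returns 0xC000006A
03/09 10:02:15 [LOGON] SamLogon: Network logon of CONTOSO\backup from \\WKS17 Returns 0xC0000064
03/09 10:05:40 [LOGON] SamLogon: Network logon of CONTOSO\agarcia from \\WKS03 Returns 0xC000006A
03/09 10:05:58 [LOGON] SamLogon: Network logon of CONTOSO\agarcia from \\WKS03 Returns 0x0
03/09 10:06:02 [LOGON] SamLogon: Transitive Network logon of CONTOSO\svc_print from \\PRINTSRV Returns 0x0"""

# Only the "Returns" line of each attempt carries the outcome; "Entered" lines
# are skipped. The logon kind ("Network", "Transitive Network") is not needed.
LOGON_RE = re.compile(
    r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) \[LOGON\] SamLogon: .+? logon of "
    r"(?P<account>\S+) from (?P<source>\S+) Returns (?P<status>0x[0-9A-Fa-f]+)$"
)


def summarize_sources(log_text):
    """Per source workstation: failed attempts, distinct accounts tried,
    wrong-password count, lockouts triggered, and first/last timestamp."""
    per_source = defaultdict(lambda: {
        "failures": 0, "accounts": set(), "wrong_password": 0,
        "lockouts": 0, "first": None, "last": None,
    })
    for line in log_text.splitlines():
        match = LOGON_RE.match(line.strip())
        if not match:
            continue
        status = int(match["status"], 16)
        if status == 0:
            continue                      # successful logon, not of interest here
        rec = per_source[match["source"].lstrip("\\").upper()]
        rec["failures"] += 1
        rec["accounts"].add(match["account"].lower())
        if status == STATUS_WRONG_PASSWORD:
            rec["wrong_password"] += 1
        if status == STATUS_ACCOUNT_LOCKED_OUT:
            rec["lockouts"] += 1
        rec["first"] = rec["first"] or match["ts"]
        rec["last"] = match["ts"]
    return dict(per_source)


def likely_brute_force_sources(log_text, min_failures=5, min_accounts=2):
    """Sources whose failures are spread over several accounts, busiest first."""
    summary = summarize_sources(log_text)
    hits = [src for src, rec in summary.items()
            if rec["failures"] >= min_failures and len(rec["accounts"]) >= min_accounts]
    return sorted(hits, key=lambda src: summary[src]["failures"], reverse=True)


if __name__ == "__main__":
    summary = summarize_sources(SAMPLE_NETLOGON_LOG)
    for src in likely_brute_force_sources(SAMPLE_NETLOGON_LOG):
        rec = summary[src]
        print(f"{src}: {rec['failures']} failures against {len(rec['accounts'])} accounts, "
              f"{rec['lockouts']} lockout(s), {rec['first']} .. {rec['last']}")
```

Point it at the Netlogon.log copied from the domain controller after debug logging is enabled (KB 109626 below); the hosts it ranks first are the ones to pull ESUG logs from and isolate, and the lockout counts line up with the complaints coming in from users.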
Links we need
Below is our write-up:
http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2
Here is an article by SRT from 01-09-2009 07:11 AM
https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225
Here is another analysis by the Security Intel analysis team
https://forums.symantec.com/t5/Malicious-Code/W32-Downadup-A-and-W32-Downadup-B-Statistics/ba-p/379940
This is an MS KB on the removal process/best practice for W32.Downadup.B
http://support.microsoft.com/kb/962007
Enabling debug logging for the Net Logon service
http://support.microsoft.com/kb/109626
MS Account Lockout Tools
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
MS08-067 patch download [KB 958644]
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx
Disable Autoplay with GPO
http://support.microsoft.com/kb/953252
Disable Scheduled Tasks with GPO
http://support.microsoft.com/kb/310208
Enable Security Auditing with GPO
http://support.microsoft.com/kb/300549
NOTE: Updating the systems with the MS08-067 patch [KB 958644] is very important; without it the threat would not be removed.
Yet another variant of Downadup, a.k.a. “W32.Downadup.C”
Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants of Downadup, Symantec is calling this new variant W32.Downadup.C. [discovered March 6th 2009 / updated March 8th 2009]
Note: Some vendors have detected W32.Downadup samples as Conficker.C or Downadup.B++. Symantec’s W32.Downadup.C is a different detection and is not to be confused with these Conficker.C and Downadup.B++ detections.
http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=1
https://forums2.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186
https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225
W32.Downadup.C is a modular component for machines currently infected with Downadup. This variant of Downadup (a.k.a. Downadup.B++ or Conficker.C) is not attempting to self-replicate and appears to behave more like a Trojan than a worm, says Vincent Weafer, vice president of Symantec Security Response.
“Think of it as an updated module that’s more aggressive, more robust in defending itself,” Weafer says. Earlier versions of Downadup did attempt to disable anti-virus software, but the third version represented in the Downadup.C module is designed mainly to provide more protective actions to infected Windows-based machines so they can better defend themselves from anti-virus software and other eradication methods. “It’s more aggressive, it has more services,” says Weafer.
Conficker Cabal
“Conficker Cabal” is the nickname for an ad hoc partnership, led by Microsoft, to fight the Conficker / Downadup virus.
Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker.
Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.
Along with Microsoft, organizations involved in this collaborative effort include Symantec, ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence.
http://www.securityfocus.com/news/11546
The domain-generation algorithm
The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code. The algorithm for this domain name generation scheme has been cracked [researchers at Symantec and other security companies were able to reverse-engineer the Downadup code and successfully crack the domain-generation algorithm] and has been used to pre-compute the names for pre-registration, to prevent hostile parties from using this update feature. This has been facilitated, greatly facilitated, by ICANN, TLD operators and various registrars working together with Microsoft and others to identify the names and grab the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in.
That sinkhole data is being shared within the “cabal” and shared with customers: ISPs and their customers, enterprises, CERT teams, and others. This, in turn, is being used to try and clean up hosts with tools and information sheets with clear instructions. This is truly a global operation!
In response to the security industry’s success in cracking the W32.Downadup.B domain-generation algorithm for communicating with the command & control server, the subsequent registration of these domain names for monitoring purposes, and the resulting publication of findings, the Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm. The new domain generation algorithm also uses one of a possible 116 domain suffixes.
https://forums2.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717
Yet, the Cabal viewed the efforts to block domains as a stop-gap measure, said Vincent Weafer, vice president of security response for security firm Symantec, which owns SecurityFocus.
"Buying the domains was meant to buy ourselves time," Weafer said. "It was never meant to be a long-term defensive strategy."
Symantec discovered the Conficker module on a honeypot system that the company uses to monitor the worm. Because the Cabal is blocking the domains that the Conficker worm uses to update infected systems, the module will likely not spread quickly, if at all. However, infected hosts on the same network share do update each other using a peer-to-peer capability, Weafer said. So, if one infected system gets updated, all other infected computers on the same network will get the new code as well.
Conficker update attempts to foil Cabal
Published: 2009-03-09
http://www.securityfocus.com/brief/923
The plan of action for the disinfection process remains the same as we’ve discussed in the previous thread [Track-Isolate-Clean].
Below are the protection and VD details, as per the latest write-up on W32.Downadup.C:
- Initial Rapid Release version March 6, 2009 revision 036
- Latest Rapid Release version March 9, 2009 revision 021
- Initial Daily Certified version March 6, 2009 revision 037
- Latest Daily Certified version March 9, 2009 revision 025
- Initial Weekly Certified release date March 11, 2009
NOTE: Updating the systems with the MS08-067 patch [KB 958644] is very important; without it the threat would not be removed.
Additional reading:
Symantec Security Response has published a new blog article regarding the new sample, here:
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/260
Washington Post
http://voices.washingtonpost.com/securityfix/2009/04/conficker_worm_strikes_militar.html?wprss=securityfix
ISC
http://isc.sans.org/diary.html?storyid=6103
BBC
http://news.bbc.co.uk/2/hi/technology/7976099.stm
Corporate external landing page
http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2009033012483648
Consumer external landing page
http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm
Downadup.C Threat Write-Up
http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99
W32.Downadup.C Digs in Deeper
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/249
A New Downadup Variant?
https://forums2.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186
CNN - No joke in April Fool's Day computer worm
http://www.cnn.com/2009/TECH/03/24/conficker.computer.worm/index.html