Worm Conficker/Downadup/Kido widely propagating
Date: January 22, 2009
Updated: February 09, 2009; February 18, 2009; February 23, 2009; March 19, 2009; March 31, 2009; April 15, 2009; May 13, 2009
It has been observed that the worm Win32/Conficker (also known as Downadup or Kido) is spreading widely by exploiting a previously reported Server Service vulnerability described in CERT-In vulnerability note CIVN-2008-170 and Microsoft Security Bulletin MS08-067.
Apart from exploiting the said vulnerability, the attack vectors include network shares (ADMIN$ shares, attacked with a long list of hard-coded passwords), removable drives (it drops a hidden autorun.inf file), scareware (fake security alerts that frighten users into purchasing bogus security software) and, most recently, a Metasploit payload (an exploitation method derived from the Metasploit ms08_067_netapi module that the worm uses to spread itself).
It is reported that this worm is actively infecting Windows systems running specific language versions of the operating system, such as English, Chinese, Arabic and Portuguese.
It has also been reported that a list of malicious domains (randomly generated by the worm) hosts copies of the worm, which infected machines contact to download further components.
The worm can act as an HTTP server listening on a random port between 1024 and 10000; if a remote machine is exploited successfully, the victim connects back to this HTTP server and downloads a variant of the worm.
A new variant, Conficker B++ or C, implements a new backdoor with "auto-update" functionality, allowing machines compromised by the new variant to have additional malicious code installed on them. Conficker.C uses a robust P2P mechanism to distribute cryptographically signed updates to other computers infected with Conficker. This P2P functionality contains a UDP P2P discovery routine that sends UDP traffic to lists of generated IPs and ports.
A new polymorphic variant, Conficker.D, infects the local computer, terminates services and blocks access to numerous Web sites. This variant does not spread to removable drives or shared folders across a network. Win32/Conficker.D may build 50,000 URLs per day to download files and only visits 500 of the generated URLs within a 24-hour period. After a successful download/execution from a generated URL, Win32/Conficker.D lies dormant for four days before resuming URL monitoring.
Conficker.E is the latest version of the Conficker worm; it ultimately drops Conficker.C on the victim system. It downloads the W32.Waledac trojan and may also download the rogue security tool Spyware Protect 2009. It opens port 5114 and serves as an HTTP server, announcing itself by broadcasting SSDP requests. Conficker.E is set to delete itself on May 3, 2009.
When infected, the following symptoms can be observed on the affected machine:
- Blocked access to antivirus-related sites.
- Disabled services such as Windows Automatic Update Service, Windows Security Center, Windows Defender and Windows Error Reporting and Internet connection sharing service.
- Resets System Restore Point.
- High traffic on port 445 in the affected network.
- Hidden files remain hidden even after changing the 'Folder Options'.
- Inability to log in using Windows credentials because the accounts have been locked out.
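The "high traffic on port 445" symptom above is the most network-visible one: an infected host tries the MS08-067 exploit against many neighbours over SMB. The following detection script is an added example, not part of the advisory; it assumes a simple constructed connection-log format ("time src dst proto dport") and flags sources that contact an unusually large number of distinct hosts on TCP/445.

```python
import re
from collections import defaultdict

# Constructed sample connection records (not from the advisory); the 10.0.0.x
# addresses are placeholders. Host 10.0.0.15 sweeps 11 neighbours on TCP/445.
SAMPLE_LOG = """\
09:00:01 10.0.0.15 10.0.0.1 tcp 445
09:00:01 10.0.0.15 10.0.0.2 tcp 445
09:00:02 10.0.0.15 10.0.0.3 tcp 445
09:00:02 10.0.0.15 10.0.0.4 tcp 445
09:00:03 10.0.0.15 10.0.0.5 tcp 445
09:00:03 10.0.0.15 10.0.0.6 tcp 445
09:00:04 10.0.0.15 10.0.0.7 tcp 445
09:00:05 10.0.0.15 10.0.0.8 tcp 445
09:00:05 10.0.0.15 10.0.0.9 tcp 445
09:00:06 10.0.0.15 10.0.0.10 tcp 445
09:00:06 10.0.0.15 10.0.0.11 tcp 445
09:00:10 10.0.0.23 10.0.0.1 tcp 445
09:00:11 10.0.0.23 10.0.0.1 tcp 445
09:00:12 10.0.0.40 10.0.0.50 tcp 80
"""

# Assumed log line shape: "<time> <src> <dst> <tcp|udp> <dport>"
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(tcp|udp)\s+(\d+)$")

def parse_records(text):
    """Yield (src, dst, proto, dport) tuples, skipping malformed lines."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            _ts, src, dst, proto, dport = m.groups()
            yield src, dst, proto, int(dport)

def smb_fanout(records):
    """Count the distinct destinations each source contacted on TCP/445.
    Distinct targets, not packet count, separate a sweep from a busy file client."""
    targets = defaultdict(set)
    for src, dst, proto, dport in records:
        if proto == "tcp" and dport == 445:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}

def flag_scanners(records, threshold=10):
    """Return sources whose distinct TCP/445 target count reaches the threshold."""
    fanout = smb_fanout(records)
    return sorted(src for src, n in fanout.items() if n >= threshold)

if __name__ == "__main__":
    for host in flag_scanners(parse_records(SAMPLE_LOG)):
        print("possible MS08-067 scanner:", host)
```

The threshold should be tuned to the environment: a repeated connection to a single file server (10.0.0.23 above) is normal SMB use and is not flagged.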
Note: Users are advised to download Conficker removal tools only from genuine antivirus websites, because many websites with "Conficker"-related names are being used to serve the Conficker worm in place of genuine removal tools.
A list of possible malicious domains is given here.
Countermeasures:
Free Removal Tools:
References
http://www.cert-in.org.in/vulnerability/civn-2008-170.htm
http://www.cert-in.org.in/virus/win32_conficker.htm
http://www.avertlabs.com/research/blog/index.php/2009/01/15/conficker-worm-using-metasploit-payload-to-spread/
http://blog.trendmicro.com/the-mess-that-is-worm_downad/
http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32%2fConficker
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.gen!A
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.A
http://www.securityfocus.com/brief/887
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.B
http://news.bbc.co.uk/1/hi/technology/7832652.stm
http://voices.washingtonpost.com/securityfix/2009/01/tricky_windows_worm_wallops_mi.html?wprss=securityfix
http://support.microsoft.com/kb/962007
http://mtc.sri.com/Conficker
http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.C
http://www.us-cert.gov/current/index.html
http://www.doxpara.com/?p=1285
http://www.skullsecurity.org/blog/?p=209
http://seclists.org/nmap-dev/2009/q1/0869.html
http://honeynet.org/node/388
http://www.mcafee.com/us/threat_center/conficker.html
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
http://www.microsoft.com/security/portal/Entry.aspx?name=Worm:Win32/Conficker.E
https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/262
http://blogs.technet.com/msrc/archive/2009/04/09/conficker-e.asp