Advisory n° 1: Detect and protect your network from conficker warm
Overview:
The conficker warm has infected several million Microsoft windows computers since it first started spreading in late 2008.
Conficker exploits the MS08-67 vulnerability to introduce and execute a shell code on affected windows systems, download a copy of itself, infect the host and continue spreading.
This advisory proposes ideas on how to identify, mitigate, and remove conficker bots.
Infection process:
Conficker is delivered as a Dynamic Link Library (DLL), so it cannot run as a standalone program and must be loaded by another application. A vulnerable Windows system is generally infected with the Conficker worm via the MS08067 vulnerability, using exploit shell code that injects the DLL into the running Windows server service.
Other possible infection vectors are accessing network shares or USB drives where the malicious DLL is started via the rundll32.exe application. Once infected, Conficker installs itself as a Windows service to survive reboots. It then computes domain names using a time seeded Random domain name generator and attempts to resolve these addresses. Each resolved address is contacted and a HTTP download is attempted. No successful HTTP download was witnessed until the middle of March 2009, at which point security experts observed nodes
that downloaded encrypted binaries from some of the randomly generated domains.
Impact:
Conficker itself does not contain malware functions but contains a routine to load such code after infection.
The worm’s main impact at this time is its ability to terminate, disable, reconfigure or blackhole native operating system and third-party security services (Porras, Saidi and Yegneswaran, April 2009). Conficker disables Windows systems security services as well as third-party firewalls and anti-virus products, leaving systems in a vulnerable state which can lead to more infection and infiltration. Furthermore, Conficker blocks access to security related sites such as Symantec or McAfee, thus preventing users from downloading tools to remove the infection.
Signs and Symptoms of Infection:
Conficker and all of its variants perform the following to an infected system:
• Modification of system settings
• Disabling of TCP/IP Tuning
• Termination\disablement of the following Windows services:
o Windows Security Service
o Windows Auto Update, Background Intelligent Transfer Service (BITS)
o Windows Defender
o Windows Error Reporting Service
• Termination\disablement of third-party security services/software that deal with system security (anti-virus, firewalls, etc)
• Resetting system restore points
• Deleting backup files
• Checking for internet connectivity and downloading arbitrary files
• Users will not be able to browse certain security-related Web sites with URLs containing specific key words and phrases.
• Increase in traffic on port 445
• Access to administrator shared files is denied
• Sluggish response due to increase in network traffic
Detection:
In NMap 4.85 BETA5, Conficker detection was added to the smb-check-vulns.nse script, With this new script functionality, you can to scan your network for Conficker with a simple NMap command.
For a quicker scan, run:
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4 [target networks]
For a more comprehensive scan, run:
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]
Removal:
There are several conficker removal tools available for download. Most Anti-Virus vendors have developed removal tools and/or provided instructions for removing conficker and links to some of these are listed below:
• Symantec
• SOPHOS
• Microsoft's Malicious Software Removal Tool
• Microsoft's manual procedure for removing the conficker worm
Prevention:
The Conficker worm serves as a great reminder to everyone to continually and consistently practice Defense-In-Depth and provide multiple layers of defense to protect consumer and business systems. The spread of the Conficker worm is a sign that all PC users are stubborn and continue to avoid keeping their Windows installations up to date with the latest security patches. The infection has spread to computers all over the world and includes home, business and government users. Methods of preventing this and other types of infections include the following:
• Keep security patches up to date. This includes not only patches for the operating system, but for all applications and plug-ins as well. Remember, Downadup/Conficker spread so widely because so many computers simply did not have a simple security patch, released months before the infections ever started, applied. ( Weafer ).
• Use a robust security software suite that has multiple layers of protection. Furthermore, make sure your security software is always on and up to date. Even patched systems are continuing to become infected with the .A and .B variants. In many instances, this is occurring because the worm is being passed on via infected removable media, such as USB thumb drives, that are essentially acting as host carriers. In nearly all cases, up-to-date security software will detect the threat before it has the chance to jump from the removable device to the computer ( Weafer ).
• Enable a firewall (Windows or Third-Party) on your computer and follow industry best practices on what should and should not be allowed through the firewall
• Limit user privileges on the computer. Provide access only to those who need it.(Need to Know)
• Use caution when opening attachments and accepting file transfers.
• Use caution when clicking on links to Web pages.
• Avoid downloading pirated software.
• Protect yourself against social engineering attacks.
• Use strong passwords.
References:
The Honeynet project Paper “Know Your Enemy: Containing Conficker”
http://honeynet.org/files/KYE-Conficker.pdf
SANS the conficker worm
http://www.sans.org/security-resources/malwarefaq/conficker-worm.php
SANS detecting Conficker with Nmap
http://www.sans.org/security-resources/idfaq/detecting-conficker-nmap.php