04/09/2009

Conficker / Downandup Active? Or...

Most everyone in Windows security is watching Conficker, not the least of which is Trend Micro, whose antivirus product we cover in our Trend Micro Antivirus Review.

Let's start with a look at what Trend says:

"Some interesting things (well at least in our perspective) found are:
  1. (Un)Trigger Date – May 3, 2009, it will stop running
  2. Runs in random file name and random service name
  3. Deletes this dropped component afterwards
  4. Propagates via MS08-067 to external IPs if Internet is available, if no connections, uses local IPs
  5. Opens port 5114 and serve as HTTP server, by broadcasting via SSDP request
  6. Connects to the following sites:
    • Myspace.com
    • msn.com
    • ebay.com
    • cnn.com
    • aol.com
It also does not leave a trace of itself in the host machine. It runs and deletes all traces, no files, no registries etc."
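The Trend list above reads as a set of network indicators (a listener on TCP 5114 announced over SSDP). As an added example that is not part of the original post or of Trend Micro's writeup, here is how a defender could turn those two indicators into a simple check over firewall logs. The log format is constructed for this example and is not any vendor's real format; the rule flags a host only when it both accepts inbound TCP on 5114 and sends SSDP to the multicast group, since SSDP on its own is normal UPnP chatter.

```python
"""Added example, not from the original post or Trend Micro.

Constructed log line format (an assumption for this example):
    <timestamp> <TCP|UDP> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <ACCEPT|DROP>
A host is flagged when it accepts inbound TCP/5114 AND sends SSDP to
239.255.255.250:1900, matching items 5 in the quoted Trend list.
"""
import re

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):(?P<sport>\d+) -> "
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+) (?P<action>ACCEPT|DROP)$"
)

SSDP_GROUP = "239.255.255.250"   # SSDP multicast group
SSDP_PORT = 1900
SUSPECT_HTTP_PORT = 5114         # HTTP listener port from the quoted Trend list


def parse_line(line):
    """Parse one constructed log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def summarize(lines):
    """Collect hosts that accept TCP/5114 and hosts that send SSDP."""
    listeners = set()      # hosts that accepted an inbound TCP/5114 connection
    ssdp_senders = set()   # hosts that sent to the SSDP multicast group
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue   # skip malformed lines instead of crashing the scan
        if (rec["proto"] == "TCP" and rec["dport"] == SUSPECT_HTTP_PORT
                and rec["action"] == "ACCEPT"):
            listeners.add(rec["dst"])
        if (rec["proto"] == "UDP" and rec["dst"] == SSDP_GROUP
                and rec["dport"] == SSDP_PORT):
            ssdp_senders.add(rec["src"])
    return {"listeners": listeners, "ssdp_senders": ssdp_senders}


def find_suspect_hosts(lines):
    """Hosts showing both indicators, sorted for stable output."""
    s = summarize(lines)
    return sorted(s["listeners"] & s["ssdp_senders"])


# Constructed sample log: 10.0.0.23 shows both indicators; 10.0.0.50 is an
# ordinary UPnP device (SSDP only); the 5114 connection to 10.0.0.60 was dropped.
SAMPLE_LOG = [
    "2009-04-09T10:00:01 UDP 10.0.0.23:49152 -> 239.255.255.250:1900 ACCEPT",
    "2009-04-09T10:00:02 TCP 10.0.0.40:51234 -> 10.0.0.23:5114 ACCEPT",
    "2009-04-09T10:00:03 UDP 10.0.0.50:49153 -> 239.255.255.250:1900 ACCEPT",
    "2009-04-09T10:00:04 TCP 10.0.0.41:51235 -> 10.0.0.60:5114 DROP",
    "2009-04-09T10:00:05 TCP 10.0.0.23:51236 -> 198.51.100.7:80 ACCEPT",
    "this line is not in the expected format",
]

if __name__ == "__main__":
    for host in find_suspect_hosts(SAMPLE_LOG):
        print(f"review host {host}: TCP/5114 listener plus SSDP announcements")
```

Requiring both indicators keeps media players and routers that legitimately speak SSDP out of the result; a hit is a reason to look at the host, not proof of infection, since any service could be bound to 5114.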

The question we (and everyone watching Conficker) has had is: why?

What plans do its creators have in store?

Well, it may be a ruse or just part of the picture, of course, but as we guessed earlier in covering Conficker, it looks like it might be for spamming. Here's what Paul Ferguson of Trend says,

"In the latest activity, we see infected Downad.KK/Conficker.C nodes pulling down new Waledac binaries (perhaps for spamming, as Waledac has been known to do) from a fast-flux domain infrastructure, but also now it is also installing Fake/Rogue AntiVirus (AV) malware, too."

Now there's a connection to Waledac? If true, it would sure lead us to believe Conficker might be a spam network. Imagine a network of, say, 10 million computers, each of which sends just four or five spams a day. Now you're talking about 120,000,000 spams a month.

That's an impressive number, and easy to block if they were all coming from one spamhaus (i.e. a known spammer or a network friendly to spammers), but try blocking just four or five emails from each of 10 million different computers in different parts of the world.

Good luck.

The Conficker story is just getting started to be sure, but for now at least we feel like we're beginning to understand it.

For instance, at The IT Security Networks Blog (TITSSN for short), their latest Conficker coverage mentions that,

"..researchers are analyzing the code of the software that is being dropped onto infected computers and suspect that it is a keystroke logger or some other program designed to steal data from the machine."

Interesting. By the way, as for detecting the latest variants of Conficker, Trend Micro's Antivirus + AntiSpyware detects it as WORM_DOWNAD_E.

04/06/2009

Neeris: Conficker Copycat or Conficker Inspired?

The UK Register's "Channel Register" brings word of updates to the "Neeris" worm that was originally spotted back in May 2005.

Apparently, either in cahoots with the Conficker folks or with them as inspiration, Neeris has been revised to modernize it and to bolt on some of the Conficker exploits, giving it new legs and possibly bringing it back to life.

According to Microsoft researchers, Neeris has no connection to Conficker:

"It is interesting to note that this new variant of Neeris spiked on late March 31st and during April 1st. However it was not downloaded by any Conficker variant and there’s no evidence that it’s related to Conficker.D’s April 1 domain algorithm activation.

What we found interesting was that Neeris is being adapted to exploit the same holes in Windows that Conficker exploits, i.e. Autorun and the "Open folder to view files" trick, but that it also uses a special driver to patch Windows XP's built-in limit on outgoing connections.

This leads us to believe Neeris might be part of some sort of spam or DDoS network.
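Both worms lean on Autorun and the "Open folder to view files" trick: Windows shows that label in its AutoPlay dialog for an ordinary folder, and a malicious autorun.inf reuses the label (or the shell32.dll string resource behind it) for its own entry, so the user launches code while thinking they are opening the drive. As an added example that is not from the original post, Microsoft, or either worm, here is a small autorun.inf checker a defender could run against a removable drive before trusting it. The sample files are constructed for this example and are not copies of any real worm's file; the shell32 resource number in the second sample is a placeholder.

```python
"""Added example, not from the original post: flag autorun.inf entries that
either run code on insertion or dress that entry up as the normal
"Open folder to view files" AutoPlay choice.  Sample files are constructed."""
import re

# Keys whose value Windows AutoRun executes (or hands to the shell) on insertion.
LAUNCH_KEYS = ("open", "shellexecute")
# "@<path>\shell32.dll,-<id>" pulls a string resource from the system DLL;
# "<path>\shell32.dll,<n>" borrows one of its icons (folder icons included).
SYSTEM_DLL_RE = re.compile(r"shell32\.dll\s*,\s*-?\d+", re.IGNORECASE)
MIMIC_LABEL = "open folder to view files"


def parse_autorun(text):
    """Return {key: value} for the [autorun] section with lower-cased keys.
    Comment lines and anything outside the section are ignored, so junk
    padding inserted to confuse scanners does not stop the parse."""
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = (line.lower() == "[autorun]")
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def assess_autorun(text):
    """Return a list of human-readable findings; an empty list means no
    code is launched and no AutoPlay impersonation was seen."""
    e = parse_autorun(text)
    findings = []
    action = e.get("action", "")
    if MIMIC_LABEL in action.lower():
        findings.append("action label mimics the AutoPlay 'Open folder to view files' entry")
    elif action.startswith("@") and SYSTEM_DLL_RE.search(action):
        findings.append("action label is pulled from a system DLL string resource")
    icon = e.get("icon", "")
    if SYSTEM_DLL_RE.search(icon):
        findings.append("icon borrowed from shell32.dll (can make the entry look like a folder)")
    for key in LAUNCH_KEYS:
        if key in e:
            findings.append(f"'{key}' runs {e[key]} when the drive is inserted")
    # shell\<verb>\command= entries run when that context-menu verb is chosen.
    for key, value in e.items():
        if key.startswith("shell\\") and key.endswith("\\command"):
            findings.append(f"'{key}' runs {value}")
    return findings


# Constructed samples (not real worm files).
SAMPLE_SUSPICIOUS = r"""[autorun]
; constructed sample for this example
action=Open folder to view files
icon=%SystemRoot%\system32\shell32.dll,4
shellexecute=rundll32.exe .\driver\update.dll,Start
"""

SAMPLE_RESOURCE = r"""[autorun]
action=@%SystemRoot%\system32\shell32.dll,-1234
open=setup.exe
"""

SAMPLE_BENIGN = "[autorun]\nlabel=Backup Drive\nicon=backup.ico\n"

if __name__ == "__main__":
    for name, sample in (("suspicious", SAMPLE_SUSPICIOUS),
                         ("resource", SAMPLE_RESOURCE),
                         ("benign", SAMPLE_BENIGN)):
        print(name, assess_autorun(sample) or ["nothing launched, no impersonation"])
```

A finding on open= or shellexecute= is not by itself malicious (installer CDs use them), which is why the checker reports what the entry would run rather than a verdict; the label and icon findings are the ones that distinguish an entry pretending to be the drive itself. The usual mitigation remains disabling Autorun for removable media and keeping MS08-067 and the AutoPlay fixes applied.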

Whatever the case, it appears all major antivirus vendors have rolled out antivirus updates to catch this new malware, so as long as your antivirus signatures are up-to-date, you should be in the clear.

04/01/2009

Dealing with Conficker Infections

ZDNet brings word of at least one very high-profile Conficker infestation: the British Parliament.

At the very least, it has penetrated the entire Parliament IT system. Will the ministries be the next to turn up infected? The National Health Service hospital systems and Royal Navy Fleet have also been infected, according to ITWire.

What's got people in an uproar about this is that it's "an embarrassment" for the infection to have happened at all, given that Microsoft has had a patch out now for about six months.

I can't speculate as to the "Why?" of how this happened there, i.e. "Why, if a patch was available for months, didn't a government agency marshal the resources to ensure the patch was deployed?" Instead, we will offer some of the advice quoted in the email sent to the users who're "directly connected to the Parliamentary Network,"

An additional characteristic of this virus is that for some types of files it can skip direct to the Network from a USB memory stick or other portable storage device (e.g. mp3 players) without hitting the virus checker software. We ask that for the time being you do not use memory sticks or any other portable storage devices on the Parliamentary Network.

The reason we bring this up is that while we haven't heard of any infections coming via MP3 players, that doesn't mean such an attack vector isn't possible. MP3 players, phones, and other similar devices, while small and user friendly, give us all a very false sense of security because of their size and because we rely on them daily.

They're seemingly quite harmless. After all, it's just a cell phone, or it's just an iPod, but the reality is that they're little computers: computers that are in many ways more powerful and more capable than most of us can imagine, and they're being used more and more, by consumers and crackers alike, in ways their designers and users never anticipated.

In fact, this brings to mind another similar recent attack vector: USB viruses in digital picture frames.

All in all, the best advice about protecting your computer and your network from infection is the same as always:

  1. Only plug things into your computer or network you know.
  2. Only open attachments you're expecting, even when an unexpected one comes from someone you know.
  3. Keep your computer Operating System patched.
  4. Keep your programs patched.
  5. Run the best antivirus and firewall software you can afford. Internet security software is an ideal choice for this.