MS08-067 exploit in the wild



#1 AplusWebMaster

AplusWebMaster

    AplusWebMaster

  • SWI Friend
  • PipPipPipPipPip
  • 11,104 posts

Posted 31 December 2008 - 10:56 AM

FYI...

- http://isc.sans.org/...ml?storyid=5596
Last Updated: 2008-12-31 14:26:41 UTC - "Symantec has identified W32.Downadup.B as a new worm that is spreading by taking advantage of the RPC vulnerability from MS08-067*. It does various things to install and hide itself on the infected computer. It removes any System Restore points that the user has set and disables the Windows Update Service. It looks for ADMIN$ shares on the local network and tries to brute force the share passwords with a built-in dictionary. At this point in time, the worm's purpose appears to be simply to spread and infect as many computers as possible. After January 1, 2009, it will try to reach out to a variety of web sites to pull down an updated copy of itself. You can find examples of the domain names in the Symantec W32.Downadup.B writeup**..."

Vulnerability in Server Service Could Allow Remote Code Execution (958644)
* http://www.microsoft...n/ms08-067.mspx

** http://www.symantec...._...-99&tabid=2

> http://web.nvd.nist....d=CVE-2008-4250

- http://secunia.com/advisories/32326
Last Update: 2008-10-24
Critical: Highly critical...

MS08-067 out-of-band netapi32.dll security update
- http://blogs.technet...t-MS08-067.aspx

- http://support.micro...om/?kbid=958644

- http://www.us-cert.g.../TA08-297A.html

:ph34r:

Edited by apluswebmaster, 31 December 2008 - 04:11 PM.

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.

#2 AplusWebMaster

Posted 01 January 2009 - 06:17 AM

FYI...

- http://blog.trendmic...om/top-8-in-08/
Dec. 30, 2008 - "...A .DLL worm, WORM_DOWNAD.A, which exploits the MS08-067 vulnerability, and exhibited routines that led security analysts to postulate that it is a key component in the development of a new botnet. More than 500,000 unique hosts spread across different countries have since been discovered to have fallen victim to this threat..."

:ph34r: :grrr:

#3 AplusWebMaster

Posted 02 January 2009 - 05:58 AM

FYI...

- http://asert.arborne...-few-sentences/
December 31st, 2008 - "... appears to be affecting a lot of enterprises who STILL didn’t apply MS08-067. Who knows why they haven’t, they’ve had nearly 2 months for a very obviously critical out of cycle patch..."

:ph34r:

#4 AplusWebMaster

Posted 06 January 2009 - 10:44 PM

FYI...

- http://preview.tinyurl.com/7jxs8z
01-06-2009 (Symantec blogs) - "... the most commonly infected systems appear to be Windows XP SP1 and earlier. Over 500,000 of the infected computers that contacted our server were running these operating system versions. Close behind was Windows XP SP2 and later systems. Windows 2000 and Windows 2003 had smaller shares. We believe that the W32.Downadup.A propagation routine has been very aggressive. It will continue to infect computers in the near future and receive updates via the aforementioned mechanism. Symantec discovered a new variant of this worm on December 30, 2008, dubbed W32.Downadup.B. This updated version contains additional propagation routines and what appears to be an altered domain generation routine. It's not currently known if this new version was seeded to W32.Downadup.A infections or has independently spread through its own propagation routines.
We strongly encourage all users to ensure that the patches available in MS08-067 have been applied and that antivirus products are fully up-to-date to ensure that this threat does not find its way onto computers."
(Charts available at the URL above.)

:ph34r: :grrr: :ph34r:

#5 AplusWebMaster

Posted 07 January 2009 - 07:07 AM

FYI...

- http://www.f-secure....s/00001574.html
January 6, 2009 - "Over the last (few) days, we've received reports of corporate networks getting infected with variants of MS08-067 worms. These are mostly Downadup/Conficker variants. The malware uses server-side polymorphism and ACL modification to make network disinfection particularly difficult. A sign of infection is that user accounts become locked out of an Active Directory domain as the worm attempts to crack account passwords using a built-in dictionary. When it fails, it leads to those accounts being locked. We have detailed information about the malware functionality in our Downadup.AL description*. We also have a separate tool available to assist in disinfecting. The tool is available from here**. We also recommend system administrators block access to web sites used by the worm..." (Long list available at the URL above.)

* http://www.f-secure....wnadup_al.shtml

** ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip

- http://web.nvd.nist....d=CVE-2008-4250
Last revised: 11/21/2008
CVSS v2 Base Score: 10.0 (HIGH)

:ph34r: :!:

Edited by apluswebmaster, 08 January 2009 - 10:05 PM.


#6 AplusWebMaster

Posted 09 January 2009 - 01:16 PM

FYI...

Downadup Blocklist
- http://www.f-secure....s/00001577.html
January 9, 2009 - "Our post on Tuesday included a list of domains used by the Downadup worm. Today's list includes 1,500 additional sites used by the worm*."
* http://www.f-secure....n_blocklist.txt

:!:

#7 AplusWebMaster

Posted 09 January 2009 - 06:59 PM

More...

New variants of W32.Downadup.B find new ways to propagate
- http://preview.tinyurl.com/ay432s
01-09-2009 Symantec Security Response Blog - "Symantec has observed an increase in infections relating to W32.Downadup over the holiday period and is urging organizations to apply the patch for Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability (MS08-067) as soon as possible. A new variant of this threat, called W32.Downadup.B, appeared on December 30th and can not only propagate by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, but can also spread through corporate networks by infecting USB sticks and accessing weak passwords... W32.Downadup.B creates an autorun.inf file on all mapped drives so that the threat automatically executes when the drive is accessed. The threat then monitors for drives that are connected to the compromised computer in order to create an autorun.inf file as soon as the drive becomes accessible. The worm also monitors DNS requests to domains containing certain strings and blocks access to those domains so that it will appear that the network request timed out. This means infected users may not be able to update their security software from those websites. This can be problematic as worm authors generally dish out new variants constantly... Click here** to obtain more information about how to prevent a threat from spreading using the "AutoRun" feature... more detail on the evolution and infection statistics of this threat, check out the earlier Security Response blog posting*..."
W32.Downadup Infection Statistics
* http://preview.tinyurl.com/7jxs8z
01-06-2009 - "...graph shows the statistics, over a 72-hour period, of unique IP addresses versus unique IP address and user-agent pairs..."

** http://service1.syma...008032111570648

:ph34r: :ph34r:

#8 AplusWebMaster

Posted 13 January 2009 - 06:30 AM

FYI...

Preemptive Downadup Domain Blocklist, Jan. 13-16
- http://www.f-secure....s/00001578.html
January 12, 2009 - "Downadup variants use algorithmically determined URLs to report back to the bad guys. Reverse engineering the worm's code provides us with the method to predict which domains may be used in the future. Today's preemptive blocklist* includes an additional 1,000 URLs that WILL BE used by the Downadup from the 13th to the 16th. Network administrators can use this list as a preventive measure."
* http://www.f-secure....klist_13_16.txt

- http://isc.sans.org/...ml?storyid=5671
Last Updated: 2009-01-12 22:43:54 UTC

- http://www.fortiguar...-Conficker.html
(MS08-067 exploit activity from October 2008 to January 2009...) graphic

:!: :ph34r:

Edited by apluswebmaster, 13 January 2009 - 09:42 AM.


#9 AplusWebMaster

Posted 13 January 2009 - 01:04 PM

FYI...

MSRT - Jan.2009 additions...
- http://support.micro...om/?kbid=890830
Malicious software family Tool version Current severity rating
Win32/Banload - January 2009 (V 2.6) Moderate
Win32/Conficker* - January 2009 (V 2.6) High ...
* http://www.microsoft.....n32/Conficker
(aka - Downadup)

Download:
- http://preview.tinyurl.com/6bb67
File Name: windows-kb890830-v2.6.exe
Version: 2.6
Date Published: 1/13/2009
___

- http://www.f-secure....s/00001579.html
January 13, 2009 11:21 GMT - "... final count is: 2,395,963 infections worldwide. This figure is conservative; the real number is certainly higher."
- http://www.f-secure....s/00001580.html
January 14, 2009 - "...worldwide Downadup infection count... Today's total infection count is an estimated 3,521,230 infections worldwide. That's over one million new infections since yesterday (and we still consider this to be a conservative estimate)."

:!:

Edited by apluswebmaster, 14 January 2009 - 09:13 PM.


#10 AplusWebMaster

Posted 15 January 2009 - 05:07 PM

FYI...

- http://preview.tinyurl.com/9fc4ze
January 15, 2009 (Computerworld) - "The worm that has infected several million Windows PCs is causing havoc because nearly a third of all systems remain unpatched 80 days after Microsoft Corp. rolled out an emergency fix, a security expert said today. Based on scans of several hundred thousand customer-owned Windows PCs, Qualys Inc.* concluded that about 30% of the machines have not yet been patched with the "out of cycle" fix Microsoft provided Oct. 23 as security update MS08-067..."
* http://www.qualys.co....php/2008-10-23

- http://preview.tinyurl.com/8tr9fg
January 15, 2009 Avertlabs - "...While investigating we found that this worm has an exploit for the recent MS08-067 vulnerability and uses the exploitation method derived from the metasploit ms08_067_netapi module to spread itself..."

NOTES:
1. It appears that this could, in part, be due to an MS Update site problem of a sort. MS08-067 was NOT offered on an XPSP2 system during the monthly update for Nov'08, nor during both of the Dec'08 runs (including the check/update for the IE 0-day fix). MS08-067 appears to have been installed during an XPSP3 update from the MS Update site just before year-end. YMMV.
2. A second XPSP2 machine - checked ReportingEvents.log located in %windir%\SoftwareDistribution ... found MS08-067 (KB958644) installed 10.23.2008, but dates shown in >Control Panel >Add/Remove programs show KB958644 install date occurred when XPSP3 was installed at year-end. WTF.

:ph34r: :hmmm:

Edited by apluswebmaster, 16 January 2009 - 04:36 PM.

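The two notes above compare what Add/Remove Programs shows against what %windir%\SoftwareDistribution\ReportingEvents.log records. The following is an added example (not from the original post or from Microsoft) of reading that log for a given KB number so the actual install date and any failed attempts can be seen. The tab-separated field layout (timestamp in the second field, status, category and message in the last three) and the sample lines are assumptions constructed for the example; the KB999001/KB999002 identifiers are placeholders, only KB958644 comes from the thread.

```python
import re

# Constructed ReportingEvents.log lines (format assumed: tab-separated, 12 fields).
# Only KB958644 is a real identifier from the thread; KB999001 and KB999002 are placeholders.
SAMPLE_REPORTING_EVENTS = "\n".join([
    "\t".join(["{00000000-0000-0000-0000-000000000001}", "2008-10-23 21:15:02:123-0400",
               "1", "183", "101", "{00000000-0000-0000-0000-000000000000}", "0", "0",
               "AutomaticUpdates", "Success", "Content Install",
               "Installation Successful: Windows successfully installed the following update: "
               "Security Update for Windows XP (KB958644)"]),
    "\t".join(["{00000000-0000-0000-0000-000000000002}", "2008-12-17 09:02:10:456-0500",
               "1", "182", "101", "{00000000-0000-0000-0000-000000000000}", "0", "80070643",
               "AutomaticUpdates", "Failure", "Content Install",
               "Installation Failure: Windows failed to install the following update with error "
               "0x80070643: Placeholder Update (KB999001)"]),
    "\t".join(["{00000000-0000-0000-0000-000000000003}", "2008-12-30 18:40:33:789-0500",
               "1", "183", "101", "{00000000-0000-0000-0000-000000000000}", "0", "0",
               "AutomaticUpdates", "Success", "Content Install",
               "Installation Successful: Windows successfully installed the following update: "
               "Placeholder Service Pack (KB999002)"]),
    "this line is not a reporting event",
])

# Timestamp field looks like "2008-10-23 21:15:02:123-0400" (milliseconds after a third colon).
TS_RE = re.compile(r'^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2}:\d{2}:\d{3}[+-]\d{4}$')
KB_RE = re.compile(r'\bKB\d{6,7}\b')


def parse_event(line):
    """Return a dict for one log event, or None when the line does not fit the assumed layout."""
    fields = line.rstrip("\r\n").split("\t")
    if len(fields) < 12:
        return None
    m = TS_RE.match(fields[1])
    if not m:
        return None
    message = fields[11]
    return {
        "date": m.group(1),
        "status": fields[9],          # e.g. "Success" / "Failure"
        "category": fields[10],       # e.g. "Content Install" / "Content Download"
        "kbs": KB_RE.findall(message),
        "message": message,
    }


def install_events(lines, kb):
    """All install attempts for one KB as (date, status) tuples, in log order."""
    out = []
    for line in lines:
        ev = parse_event(line)
        if ev and kb in ev["kbs"] and ev["category"] == "Content Install":
            out.append((ev["date"], ev["status"]))
    return out


def first_successful_install(lines, kb):
    """Earliest date on which the log says the KB installed successfully, or None."""
    dates = [d for d, s in install_events(lines, kb) if s == "Success"]
    return min(dates) if dates else None


if __name__ == "__main__":
    lines = SAMPLE_REPORTING_EVENTS.splitlines()
    for kb in ("KB958644", "KB999001", "KB999002"):
        print(kb, install_events(lines, kb), "->", first_successful_install(lines, kb))
```

The log, not the Add/Remove Programs date, is the record to trust when deciding whether MS08-067 is actually on a machine; a KB that only ever shows "Failure" rows here is still missing, whatever the Control Panel shows.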

#11 AplusWebMaster

Posted 16 January 2009 - 11:20 AM

FYI...

- http://www.f-secure....s/00001584.html
January 16, 2009 - "The number of Downadup infections are skyrocketing based on our calculations. From an estimated 2.4 million infected machines to over 8.9 million during the last four days. That's just amazing. We've received a number of queries on just how exactly we're producing our estimates. There's been interest from Internet operators, CERTs, and fellow antivirus researchers. There's also been several posts to our blog comments, doubting our numbers... So let us explain how we are generating the numbers. There are several different variants of Downadup out there. The algorithm to create the domain names vary a bit between the variants. We've been tracking the variant we believe to be most common. It creates 250 possible domains each day. We've registered some selected domains out of this pool and are monitoring the connections being made to them... We first tried to count unique User-Agent headers per IP address, but the results weren't very good as in a standardized corporate network, most machines have identical User-Agents. So, with a little digging we discovered that in the /search/q=NUMBER query, the number is not random. It's basically a global variable in the code, getting incremented (thread-safely through InterlockedIncrement) every time the malware has successfully exploited a machine via MS08-067*. The incrementation is done in the httpd thread of the malware, after it has exploited a machine successfully. So this number tells us how many other computers this machine has exploited since it was last restarted... We wrote a program that parses the logs, extracting the highest "q" value for the IP/User-Agent pairs. These are then added together to get our figures. As you can see now, they are very conservative. And they are showing more than 8 million infected machines right now. The situation with Downadup is not getting better. It's getting worse."
(Complete detail shown at the F-secure URL above.)

* http://www.microsoft...n/ms08-067.mspx

:!:

Edited by apluswebmaster, 17 January 2009 - 07:29 AM.

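The F-Secure method quoted above (take the highest "q" value per IP/User-Agent pair seen at the sinkholed domains, then add those maxima together) is straightforward to reproduce over ordinary web-server logs. The following is an added example, not F-Secure's program and not part of the original post; the combined-log line format and the sample lines are constructed for the example, and the q parameter is accepted in either the "/search?q=N" or the "/search/q=N" form since the post writes it as "/search/q=NUMBER".

```python
import re
from collections import defaultdict

# Constructed sinkhole access-log lines (Apache combined-log format assumed).
# The "q" value is the per-host counter the F-Secure post describes.
SAMPLE_LOG = """\
192.0.2.10 - - [15/Jan/2009:10:01:02 +0000] "GET /search?q=3 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [15/Jan/2009:10:05:44 +0000] "GET /search?q=7 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
192.0.2.10 - - [15/Jan/2009:10:09:11 +0000] "GET /search/q=2 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
198.51.100.5 - - [15/Jan/2009:11:00:00 +0000] "GET /search?q=0 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
198.51.100.5 - - [15/Jan/2009:11:30:00 +0000] "GET /index.html HTTP/1.1" 200 12 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1)"
203.0.113.77 - - [15/Jan/2009:12:00:00 +0000] "GET /search?q=12 HTTP/1.1" 200 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
203.0.113.77 - - [15/Jan/2009:12:00:01 +0000] "GET /search?q=notanumber HTTP/1.1" 400 12 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0)"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"\s*$'
)
# Match only a purely numeric q, so malformed or probing requests are ignored.
Q_RE = re.compile(r'/search[/?]q=(\d+)(?:$|[&\s"])')


def parse_line(line):
    """Return (ip, user_agent, q) for a worm check-in line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    q = Q_RE.search(m.group("path"))
    if not q:
        return None
    return m.group("ip"), m.group("ua"), int(q.group(1))


def max_q_per_pair(lines):
    """Highest q observed per (IP, User-Agent) pair.

    Several hosts behind one NAT usually share an IP but differ in User-Agent,
    which is why the pair, not the bare IP, is the unit of counting.
    """
    best = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ua, q = parsed
        best[(ip, ua)] = max(best[(ip, ua)], q)
    return dict(best)


def estimate_infections(lines):
    """Reproduce the quoted method: sum the per-pair maxima of q.

    Each q is how many other machines that host reports having exploited since
    its last restart, so the sum is a lower bound (the counter resets on reboot
    and the reporting host itself is not included in its own q).
    """
    best = max_q_per_pair(lines)
    return {
        "unique_ips": len({ip for ip, _ in best}),
        "reporting_pairs": len(best),
        "exploited_sum": sum(best.values()),
    }


if __name__ == "__main__":
    print(estimate_infections(SAMPLE_LOG.splitlines()))
```

On the constructed sample the three reporting IPs split into four IP/User-Agent pairs, and the per-pair maxima (7, 2, 0 and 12) add up to 21 exploited hosts, far more than the three IPs alone would suggest; the post's point that counting IPs undercounts, and that the q-sum is still conservative, follows directly from those two numbers.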

#12 AplusWebMaster

Posted 20 January 2009 - 10:13 AM

FYI...

- http://blog.trendmic...is-worm_downad/
Jan. 20, 2009 - "The North American region has the most number of infected PCs, with users from the United States being hit the most. Japan, China, and Taiwan are also major DOWNAD-affected countries. In Europe, Italy and Spain had the most infections however other countries have also been affected. Users observe the following symptoms when they are infected with WORM_DOWNAD.AD:
• Blocked access to antivirus-related sites
• Disabled services such as Windows Automatic Update Service
• High traffic on affected system's port 445
• Hidden files even after changes in Folder Options
• Inability to log in using Windows credentials because they are locked out
A .DLL file with random file names and autorun.inf also appear in all mapped drives, and in Internet Explorer and Movie Maker folders under the Program Files directory. The worm locks its dropped copy to prevent users from reading, writing, and deleting the malicious file. It also makes several registry changes to allow simultaneous network connections. By re-infecting machines, this worm manages to keep its malicious activities going on... Patching systems and programs as soon as fixes are made available and disabling autorun* are two of the most important actions required to reduce the risk of infection, infection propagation or reinfection with variant updates..."
(Global map of infections available at the URL above.)

NoDriveTypeAutoRun
* http://www.microsoft...2.mspx?mfr=true

:ph34r:

Edited by apluswebmaster, 20 January 2009 - 12:18 PM.


#13 AplusWebMaster

Posted 23 January 2009 - 10:12 AM

FYI...

MS patch needs to be installed manually to disable -Autorun- on W2K, XP, and W2K3.
- http://preview.tinyurl.com/ck79cs
January 22, 2009 (Computerworld) - "...US-CERT said that most Windows users would have to manually go to Microsoft's Web site to grab the KB953252* update. "Note that this fix has been released via [Windows] Update to Windows Vista and Server 2008 systems as part of the MS08-038 Security Bulletin," said the security organization, talking about a July 2008 patch. "Windows 2000, XP and Server 2003 users must install the update manually." Microsoft has -not- issued the KB953252 update to Windows 2000, XP or Server 2003 systems via Windows Update or the corporate-oriented Windows Server Update Services (WSUS). US-CERT confirmed that the KB953252 update -does- fix the bug it had pointed out the day before**. "Our testing has shown that installing this update -and- setting the NoDriveTypeAutoRun registry value to 0xFF -will- disable Autorun," said US-CERT..."

* http://support.microsoft.com/kb/953252

** http://www.us-cert.g.../TA09-020A.html
Last revised: January 21, 2009: Added reference and details for Microsoft KB953252

- http://www.securewor...wnadup-removal/
"...F-Secure also has a removal tool available, however the f-secure.com domain is in the blocked list of domain names (per infection)... Using an IP address instead of the hostname will bypass the worm's blocking routines, so that tool could be downloaded by infected systems at this URL: ftp://193.110.109.53/anti-virus/tools/beta/f-downadup.zip ..."

- http://web.nvd.nist....d=CVE-2009-0243
Last revised: 01/22/2009
CVSS v2 Base Score: 7.2 (HIGH)

:( :ph34r:

Edited by apluswebmaster, 27 January 2009 - 09:16 AM.


#14 AplusWebMaster

Posted 30 January 2009 - 11:01 AM

FYI...

Preemptive Downadup blocklist for February 2009
- http://www.f-secure....s/00001593.html
January 30, 2009 - "... new list of potential domains for the month of February*. The list reflects what we think to be the most common variant of Downadup in-the-wild..."
* http://www.f-secure....st_February.txt

:ph34r: :grrr: :!:

#15 AplusWebMaster

Posted 02 February 2009 - 08:41 AM

FYI...

Two Weeks of Conficker Data and 12 Million Nodes
- http://asert.arborne...onflicker-data/
January 30, 2009 - "I got access to some sinkhole logs for Conficker to do some processing. The logs are so big (this is one big sinkhole) that processing them took a few days. I only wanted to focus on the worm's biggest growth period in early January, so I took a two week section and had a look at it. The worm grew explosively in this time period. The number of unique IPs hitting the sinkhole per day tripled... it's a ballpark: many millions... The worm is thought to have originated in the Ukraine*..."
* http://www.cybersmar...om/news/view/30
"...While no one knows for sure specifically who is behind this threat, the thinking goes that it is authored by Ukrainian criminal mobsters. The giveaway is that Conficker looks to see if the infected computer uses a Ukrainian keyboard layout, and if it does, then it will not infect that computer... "they want to keep the local police authorities off their backs"..."

(Charted - see the Arbor Networks URL above.)

:!:

Edited by apluswebmaster, 02 February 2009 - 08:47 AM.


#16 AplusWebMaster

Posted 07 February 2009 - 01:46 AM

FYI...

Protect Your Network from Conficker
- http://technet.micro...y/dd452420.aspx
February 6, 2009 - "This page aims to help customers by providing consolidated information about Conficker that customers can use to protect their systems and with which to recover systems that have been infected..."

("Related Links" also available at the URL above.)

:!:

#17 AplusWebMaster

Posted 08 February 2009 - 06:25 AM

FYI...

OpenDNS to roll out Conficker tracking - blocking
- http://www.theregist...ker_protection/
7 February 2009 21:32 GMT - "With an estimated 10 million PCs infected by the stealthy worm known as Conficker, it's a good bet that plenty of administrators are blissfully unaware that their networks are playing host to the pest. Now, a free service called OpenDNS* is offering a new feature designed to alert administrators to the damage and help them contain it.
The company on Monday plans to introduce an addition to its offerings that makes it easy for admins to know if even a single machine has been infected by Conficker. The service will also automatically protect infected machines by preventing them from connecting to rogue servers controlled by the malware authors... Without the service, admins would have to manually block 1,750 domains each week, or 91,250 each year. The service will also help network admins to quickly pinpoint any infected machines by checking their OpenDNS Dashboard. Starting Monday, any networks with PCs that try to connect to the Conficker addresses will be flagged on an admin's private statistics page. The service is available for free to both businesses and home users... The service is first offered under a new botnet protection service being rolled out by OpenDNS... The list of blocked domains is being provided by anti-virus provider Kaspersky, which reverse-engineered Conficker so it could preemptively predict the new sites that will be used each day."
* https://www.opendns....enetwork/start/

- http://blog.opendns....-and-conficker/
Feb 9th, 2009

- http://www.shadowser...Stats.Sinkholes
February 16, 2009

:!:

Edited by apluswebmaster, 01 March 2009 - 09:18 PM.


#18 AplusWebMaster

Posted 20 February 2009 - 04:30 AM

FYI...

- http://mtc.sri.com/C...ker/#fig-libemu
Last Update: 21 February 2009 - "...the Conficker authors have released a variant of Conficker B, which significantly upgrades their ability to flash Conficker drones with Win32 binaries from any address on the Internet. Here, we refer to this variant as Conficker B++... On Feb 16, 2009, we received a new variant of Conficker. At a quick glance, this variant resembles Conficker B. In particular, it is distributed as a Windows DLL file and is packed similarly. Furthermore, dynamic analysis revealed that this domain generation algorithm was identical to that of Conficker B. Hence, we initially dismissed this as another packaging of Conficker B. However, deeper static analysis revealed some interesting differences. Overall, when we performed a comparative binary logic analysis (see Appendix 2 - Horizontal Malware Analysis) comparing Conficker B with Conficker B++, we obtained a similarity score of 86.4%. In particular, we found that out of 297 subroutines in Conficker B, only 3 were modified in Conficker B++ and around 39 new subroutines were added..."

Appendix I: Conficker Census
- http://mtc.sri.com/C...ker/#appendix-1

Appendix 2 - Horizontal Malware Analysis
- http://mtc.sri.com/C.../HMA/index.html

- http://blogs.technet...ctionality.aspx
February 20, 2009 - "... Future versions of the MSRT will detect this sample as Worm:Win32/Conficker.C* while the MSRT which was released earlier this month detects it as Worm:Win32/Conficker.B. The new sample has modifications which introduce new backdoor functionality. Previous versions of Conficker patched netapi32.dll in memory to prevent further exploitation of the vulnerability addressed by bulletin MS08-067. We’ve discovered that the new variant no longer patches netapi32.dll against all attempts to exploit it. Instead it now checks for a specific pattern in the incoming shellcode and for a URL to an updated payload. The payload only executes if it is successfully validated by the malware. However, there doesn’t appear to be an easy way for the authors to upgrade the existing Conficker network to the new variant. This change may allow the author to distribute malware to machines infected with this new variant. This might be a response to the fact that they no longer have the ability to register many of the Conficker domains... note that this is a polymorphic threat..."
* http://www.microsoft.....2/Conficker.C

:!: :ph34r: :grrr:

Edited by apluswebmaster, 24 February 2009 - 07:59 PM.


#19 AplusWebMaster

Posted 20 March 2009 - 05:41 AM

FYI...

Conficker C Analysis
- http://mtc.sri.com/C...cker/addendumC/
Last Update: 19 March 2009 - "...One major implication from the Conficker B and C variants, as well as other now recently emerging malware families, is the sophistication with which they are able to terminate, disable, reconfigure, or blackhole native operating system (OS) and third-party security services. We provide an in-depth analysis of Conficker's Security Product Disablement logic* ... Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products. They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list. They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker. They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world... C then installs several in-memory patches to DLLs, and embeds other mechanisms to thwart security applications that would otherwise detect its presence. C modifies the host domain name service (DNS) APIs to block various security-related network connections (Domain Lookup Prevention), and installs a pseudo-patch to repair the 445/TCP vulnerability, while maintaining a backdoor for reinfection (Local Host Patch Logic). This pseudo patch protects the host from buffer overflows by sources other than those performed by the Conficker authors or their infected peers. Like Conficker B, C incorporates logic to defend itself from security products that would otherwise attempt to detect and remove it. C spawns a security product disablement thread. 
This thread disables critical host security services, such as Windows defender, as well as Windows services that deliver security patches and software updates. These changes effectively prevent the victim host from receiving automated software updates. The thread disables security update notifications and deactivates safeboot mode as a future reboot option. This first thread then spawns a new security process termination thread, which continually monitors for and kills processes whose names match a blacklisted set of 23 security products, hot fixes, and security diagnosis tools..."
* http://mtc.sri.com/C...ductDisablement

:!:

#20 AplusWebMaster

Posted 22 March 2009 - 02:45 PM

FYI...

Third party information on Conficker
- http://isc.sans.org/...ml?storyid=5860
Last Updated: 2009-03-30 18:34:41 UTC ...(Version: 4)
(See "Removal Tools")

:!:

Edited by apluswebmaster, 31 March 2009 - 04:07 AM.


#21 AplusWebMaster

Posted 29 March 2009 - 11:31 AM

FYI... a few updates on Conficker. Currently, some AV's are "Scanning for 1,328,914 virus strains and unwanted programs...". Conficker is just a few of them.

- http://www.securewor...ril-fools-hype/
March 27, 2009 - "... If you’re reading this, you’re probably not infected with Conficker.C. If you were already infected, you wouldn’t be able to access any page on secureworks.com, due to the worm author’s apparent dislike for the removal instructions we posted for earlier Conficker variants..."

- http://blogs.technet...onficker-d.aspx
March 27, 2009

- http://www.f-secure....s/00001636.html
March 26, 2009

:ph34r:

#22 AplusWebMaster

Posted 30 March 2009 - 01:35 PM

FYI...

- http://windowssecret...p/090330#story1
2009-03-30 - "... Conficker.C interferes with access to sites containing the following strings (as well as scores of other strings not shown here) in any portion of the URL:
antivir ca. cert. conficker f-secure kaspersky mcafee
microsoft msdn. msft. norton panda safety.live sans.
symantec technet trendmicro windowsupdate

... the only people who can access the Conficker removal tools these writers recommend are people whose PCs are -not- infected with Conficker.C... BitDefender has set up a new domain from which users can download free Conficker disinfectant utilities..."
- http://www.bdtools.n...ve-downadup.php

:ph34r:

Edited by apluswebmaster, 30 March 2009 - 08:54 PM.


#23 AplusWebMaster


Posted 01 April 2009 - 10:57 AM

FYI...

Third party information on conficker
- http://www.dshield.o...ml?storyid=5860
Last Updated: 2009-04-01 15:46:20 UTC ...(Version: 8)
"... Please use the URL: " http://www.dshield.org/conficker " to link to this page..."

- http://www.f-secure....s/00001644.html
April 1, 2009 @ 04:51 GMT - "So it's been April 1st for almost 18 hours now in New Zealand and it's the early hours of April 1st on the east coast of the United States. So what's going on? So far — nothing..."

Conficker Eye Chart
- http://www.conficker...cfeyechart.html
04.01.2009 - (See: "Explanation" at bottom of page there)

.

Edited by apluswebmaster, 02 April 2009 - 03:52 AM.


#24 AplusWebMaster


Posted 06 April 2009 - 04:16 AM

FYI...

New exploit of MS08-067
- http://blogs.technet...identified.aspx
April 03, 2009 - "... We have found a new exploit of MS08-067 other than Conficker. We also discovered that we already detected and protected users against this new malware... Neeris is a worm that has been active for a few years. Some of its variants used to exploit MS06-040 which addressed a vulnerability in the same Server service as MS08-067. However it looks like the authors of Neeris have been taking notes from Conficker. A new variant of the Neeris worm has been launched this week. It has some interesting similarities to Conficker:
• The new variant of Neeris has been updated to exploit MS08-067. Also, after the successful exploitation, the victim machine downloads a copy of the worm from the attacking machine using HTTP.
• Neeris spreads via autorun. The new Neeris variant even adds the same ‘Open folder to view files’ AutoPlay option that Conficker does.
• Neeris uses a driver to patch the TCP/IP layer of the system in order to remove the outgoing connection limits from XPSP2 ...
The file names that this malware uses are deceptive. Most commonly we saw it using the name “Netmon.exe” but it sometimes masquerades itself as a SCR file with names that follow the pattern <two digits.scr>. It also drops a copy of itself using the file name smartkey.exe. Even its image time stamp is bogus: 6/19/1992 10:22:17 PM. The malware adds itself to start every time Windows starts and even adds itself to the Safe Boot configuration.
Due to the similarities to Conficker, most of the mitigations that were mentioned also apply here: make sure to install MS08-067 if you haven’t done so yet and be careful to use only AutoPlay options you’re familiar with or consider disabling the Autorun altogether. Other mitigations and information are available in our write up at Worm:Win32/Neeris.gen!C *..."
* http://www.microsoft.com/security/portal/E...eeris.gen!C

:!:
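The Neeris indicators quoted in the post above (the file names Netmon.exe and smartkey.exe, the two-digit .scr naming pattern, and the bogus image time stamp of 6/19/1992 10:22:17 PM) can be turned into a simple triage check over a file listing. The following is an added example, not code from the post or from Microsoft's write-up. It builds its own minimal PE headers as constructed sample data, reads the COFF TimeDateStamp back out of them, and assumes the quoted wall-clock value is UTC (PE time stamps are seconds since the Unix epoch). The names make_pe, pe_timestamp, stamp_to_utc and triage, and the sample paths, are mine. A file name match on its own is only a lead, since legitimate software can use the same names; the time stamp check is what lifts confidence.

```python
import re
import struct
from datetime import datetime, timezone

# Indicators quoted in the post from the Microsoft write-up on Neeris.
SUSPICIOUS_NAMES = {"netmon.exe", "smartkey.exe"}
TWO_DIGIT_SCR = re.compile(r"^\d{2}\.scr$", re.IGNORECASE)
# The post gives the bogus image time stamp as 6/19/1992 10:22:17 PM;
# assumption: that wall-clock value is UTC, as PE TimeDateStamp values are.
BOGUS_STAMP = int(datetime(1992, 6, 19, 22, 22, 17, tzinfo=timezone.utc).timestamp())


def pe_timestamp(data):
    """Return the COFF TimeDateStamp of a PE image, or None if data is not a PE file."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    # COFF file header follows the PE signature:
    # Machine(2) NumberOfSections(2) TimeDateStamp(4) ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return stamp


def stamp_to_utc(stamp):
    """Render a TimeDateStamp (seconds since the Unix epoch) as a UTC string."""
    return datetime.fromtimestamp(stamp, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")


def make_pe(stamp):
    """Constructed test data: just enough DOS stub + PE signature + COFF header
    to parse. Not a loadable executable."""
    e_lfanew = 0x40
    dos_header = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff_header = struct.pack("<HHIIIHH", 0x14C, 1, stamp, 0, 0, 0xE0, 0x102)
    return dos_header + b"PE\0\0" + coff_header


def triage(files):
    """files: iterable of (path, bytes). Returns {path: [reasons]} for entries that
    match at least one indicator; an empty dict means nothing matched."""
    hits = {}
    for path, data in files:
        name = re.split(r"[\\/]", path)[-1]
        reasons = []
        if name.lower() in SUSPICIOUS_NAMES:
            reasons.append("file name quoted in the Neeris write-up (weak on its own)")
        if TWO_DIGIT_SCR.match(name):
            reasons.append("matches the <two digits>.scr naming pattern")
        stamp = pe_timestamp(data)
        if stamp is not None and stamp == BOGUS_STAMP:
            reasons.append("PE TimeDateStamp is the bogus %s value" % stamp_to_utc(stamp))
        if reasons:
            hits[path] = reasons
    return hits


# Constructed sample listing (paths and headers are made up for the demo).
SAMPLE_FILES = [
    (r"C:\Windows\System32\Netmon.exe",
     make_pe(int(datetime(2004, 8, 4, 12, 0, 0, tzinfo=timezone.utc).timestamp()))),
    (r"C:\Windows\Temp\73.scr", make_pe(BOGUS_STAMP)),
    (r"C:\Users\demo\smartkey.exe", make_pe(BOGUS_STAMP)),
    (r"C:\Windows\notepad.exe",
     make_pe(int(datetime(2008, 4, 14, 0, 12, 0, tzinfo=timezone.utc).timestamp()))),
    (r"C:\Users\demo\readme.txt", b"plain text, not a PE file"),
]

if __name__ == "__main__":
    for path, reasons in triage(SAMPLE_FILES).items():
        print(path)
        for reason in reasons:
            print("   -", reason)
```

On a real host you would feed triage() the paths and the first few hundred bytes of each file under the temp and system directories; the two entries that carry both a name hit and the bogus stamp are the ones worth pulling for a full scan, while the lone name hit on Netmon.exe only says "look closer".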

#25 AplusWebMaster


Posted 09 April 2009 - 10:38 AM

FYI...

- http://preview.tinyurl.com/dl3pz9
04-08-2009 Symantec Security Response Blog - "We have come across a system infected with W32.Downadup.C that has provided some interesting information. We discovered some similarly named files, 484528750.exe and 484471375.exe, which had shown up in the \Windows\temp folder within one minute of each other. These files turned out to be W32.Waledac and a modified W32.Downadup variant, respectively..."

- http://www.viruslist...logid=208187654
April 09, 2009 Kaspersky blog - "The computers infected with Trojan-Downloader.Win32.Kido (aka Conficker.c) contacted each other over P2P, telling infected machines to download new malicious files... once again it’s a worm, and it’s only functional until 3rd May... One of the files is a rogue antivirus app... The first version of Kido, detected back in November 2008, also downloaded fake antivirus to the infected machine. And once again, six months later, we’ve got unknown cybercriminals using the same trick. The rogue software, SpywareProtect2009, can be found on spy-protect-2009 .com., spywrprotect-2009 .com, spywareprotector-2009 .com... Once it’s run, you see the app interface, which naturally asks if you want to remove the threats it’s “detected”. Of course, this service comes at a price - $49.95... At the moment, the rogue antivirus comes from sites located in Ukraine (131-3.elaninet .com.78.26.179.107) although Kido is downloading it from other sites. The latest version of Kido also downloads Email-Worm.Win32.Iksmas.atz to infected systems. This email worm is also known as Waledac, and is able to steal data and send spam... Both Kido and Iksmas are now present on infected machines and part of the gigantic botnet designed to conduct spam mailings..."
(Screenshots available at the viruslist/Kaspersky URL above.)

- http://www.f-secure....s/00001652.html
April 9, 2009

- http://asert.arborne...t-the-internet/
April 9, 2009

- http://atlas.arbor.n...index#431367604
April 10, 2009

:ph34r: :ph34r:

Edited by apluswebmaster, 11 April 2009 - 08:36 AM.
