Here is the detailed summary of a computer worm named Conficker.B about how it spread itself to computers and the threats posted by it and also the measures to combat this malware.
Overview : The word Conficker is thought to be derived from two words – English word “configure” and a German word “Ficker”. Microsoft analyst Joshua Phillips gives an alternate interpretation of the name, describing it as a rearrangement of portions of the domain name trafficconverter.biz which was used by early versions of Conficker to download updates. This worm is capable of disabling security services and obstructing a user's access to security related websites. This restriction opens the infected system to more attacks on top of preventing the system from downloading any new security software or receiving any updates for current security software. The worm also attempts to prevent its removal by using the access control list to fasten its executable onto the infected system.
Exploited vulnerability : Conficker.B worm exploited a vulnerability in Windows Server Service (SVCHOST.EXE) which allowed remote execution of victim’s system when file sharing is enabled known as MS08-067. The worm saves a copy of its Dll form to a random filename in Windows System folder, then adds registry keys to have svchost.exe invoke that Dll as an invisible network service.
Methods of distribution : Although almost all of the advanced malware techniques used by conficker have been seen in the past but the worm’s combined use of so many techniques made it unusually difficult to eradicate. It uses various ways to get installed.
1. Via System - The worm saves a copy of its DLL form to a random filename in the Windows system folder, then adds registry keys to have svchost.exe invoke that DLL as an invisible network service. When executed, Win32/Conficker.B drops copies of itself in the following locations:
%program files%/movie maker/<random filename>.dll
%program files%/internet explorer/<random filename>.dll
%system%/random filename>.dll
%documents and settings%/<username>/application data/<random filename>.dll
%temp%/random filename>.dll
It is here noted that %system%program files%,%documents and settings% and %temp% are variable locations. The malware determines the locations of these folders by queying the operating system. Conficker.B drops the file “<random number>.tmp” in the %system% directory. It also creates a service with the following characteristics, to automatically execute on system start:
Service name:”<random filename>”
Path to executable: %system%svchost.exe –knetsvcs
And then adds the following registry entry:
HKLM/SYSTEM/Currentcontrolset/services/<random filename>/parameters/serviceDll=”%system%/<random filename>”
2. Via Removable Drives – Conficker.B spreads via removable drives by saving a hidden copy of its executable to “<drive>/RECYCLER/S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d/<random filename and extention>” in the root directory of the located drive where %d is a decimal number. It also creates the file”autorun.inf” which automatically runs the worm executable when the drive is next accessed.
3. Via Network Shares or propagating – Conficker.B also attempts to propagate via windows file sharing by gaining access to any available network share (IP/ADMIN$/system32) by attempting to guess the administrator’s password. It firstly drops a copy of itself in a target machine’s ADMIN$ share using the credentials of the currently logged-on user. It uses a series of combination of various usernames and passwords. If successful then it copies itself to an accessible ADMIN$ share as ADMIN$/system32/<random filename>.Dll.
No comments:
Post a Comment