protect your server: Conficker-Antivirus 2009- Eastern Europe Threats

Go ahead and connect a fresh install of Windows to the internet: within an average of 5 minutes, and in many cases in less than 30 seconds, your computer will be taken over by a virus (malware). This virus may very likely be a version of the Trojan horse “Antivirus 2009”, which poses as antivirus software to extort money from a person or steal information. Or you may get a version of the Conficker virus, which uses a “brute force” password cracking technique to crack system passwords and buffer overflow attacks to spread to other machines. Brute force techniques use advanced programs to guess a password using a massive “dictionary file”, a file of mind-boggling proportions containing billions of password variations. Here is a list of passwords used by the worm. The program can guess thousands of passwords a second. The expected number of trials before the correct key is found is equal to half the size of the key space. For example, if there are 2^64 possible keys, a brute force attack would discover the key after approximately 2^63 trials. Cracking programs such as rainbow tables log the search by keeping tables or records of previous guesses. Apple OS and Linux are still basically safe from viruses, without one major virus having been discovered. Microsoft is a huge target and has recorded a jump of over 43 percent in malware removed from Windows computers in the past half year alone.

Hackers, many traced back to eastern European countries such as Russia or Ukraine, profit from a massive underground economy of stolen banking information, fraud and other scams. The sale of fake antivirus software alone in this black market totals an estimated $100 billion a year. The success of Antivirus 2009 made it one of the most infamous viruses around; the scale of the virus was due to many variations of the program being created and used in “affiliate programs”, if you will, by people associated with the criminal gangs. People using the software would get a cut of the money made off the computers they infected. Versions of Antivirus 2009 include those that scan IP blocks looking for vulnerable computers (such as the fresh install we plugged in earlier), as well as the original Zlob version of the virus. Zlob is a Trojan horse which masquerades as a needed video codec in the form of an ActiveX control; when the user downloads the add-on, they are infected. Antivirus 2009 had a version which would check to see if the user had a Ukrainian keyboard; if this was the case, the malware would not install. Other viruses, such as the Swizzor virus, will not install if they detect a Russian layout. This is interesting to note and reinforces the knowledge that most of these viruses are of eastern European origin. The reason for this detection is that it is much easier to commit cyber crime and terrorism in other countries, across oceans and international borders. By only targeting computers countries apart, the “shadow servers”, which are the servers behind the virus, and the “bot herder”, the computer controlling the botnet, can remain elusive. Back in October Microsoft shocked us all by releasing an emergency security update to inform users about a vulnerability known as MS08-067; this was the Conficker virus, which spreads via network shares as well as removable drives. Conficker is building its own botnet of an estimated 3.5 million computers.
Conficker also checks for the Ukrainian keyboard layout.

What is The Risk?

There are about three different angles a virus can take to compromise your system; different variations of a virus may take different routes. They may install a “rootkit” or an entry in the Windows registry that turns your computer into a “zombie”, meaning that there is a small program running on your computer at all times, connecting you to a network of millions of other infected zombie computers, which can all be controlled at any time. This massive web of computers, or botnet, may be given instructions on call by the “bot herder”. This massive number of computers commands tremendous power that can be used for malicious ends such as extortion attempts and DoS (denial of service) attacks. For example, a gambling site may get a call on the day of the Indy 500 saying “it would be a shame for your server to go down on this most important day; for $100,000 we can assure you this will not happen.” It’s the old protection racket. The virus can also simply steal your banking information and other passwords for further fraud. In the case of Antivirus 2009, the renegade software can pose as legitimate antivirus software, holding your computer hostage until you pay them for the “full version” upgrade of their

You may want to remove the virus manually by checking registry entries, directories and the Autorun.ini file, and/or by running antivirus programs like Malwarebytes; in extreme cases you may have to reimage your hard disk. (Edit: when I advise using multiple antivirus programs I do not mean to have them constantly running in the background, as this eats up memory; I only suggest you run multiple programs when you suspect you have a problem, and then delete all but one when you are done running them.)

The problem with most antivirus software is that it will not catch a large percentage of the viruses out there: all a programmer needs to do is make a tiny alteration, such as changing a number by one digit, to create a completely new undetectable version of the virus which is not flagged as a virus in the antivirus company’s database. This is why it is a good idea to install different free antivirus programs, such as Antivir, AVG and Avast, to thoroughly scan your machine from different angles. Often it is the biggest names in security which the virus writers target first to be undetectable by.

Screenshot (Antivirus 2009 fake scan): the fake antivirus software scans your computer and finds self-created threats, which it then charges you to get rid of.

Microsoft’s team has built elaborate software tools, including traps called “honeypots” that are used to detect malware, and a system called the Botnet Monitoring and Analysis Tool. Detecting and disrupting botnets is a particularly delicate challenge that Microsoft will talk about only in vague terms. Their challenge parallels the traditional one of law enforcement placing informers inside criminal gangs. Botnets are becoming such a threat that some are calling for them to be classified as electronic weapons of mass destruction.

Just as gangs will often force a recruit to commit a crime as a test of loyalty, in cyberspace, bot-herders will test recruits in an effort to weed out spies. Microsoft investigators do not comment on their solution to this problem, but say they avoid doing anything illegal with their software.

Variations of the Conficker virus differ, with some infecting any computer regardless of the country, such as the version Win32/Conficker.A. The theme of not attacking certain countries is an interesting consistency that may allow for better tracking of the origins of different viruses. Let’s look at this more closely to see how and why it behaves this way. The code below is written in the Microsoft .NET framework, which is what most viruses are written in. The following is courtesy of Pierre-Marc Bureau.

There are different techniques that a program can use to identify in which country it has been installed. It can check time zone information, public IP addresses or even domain names. Lately, we have seen two different malware families trying to discover their geographic location in an effort to avoid infecting PCs in specific countries.

Here are some variants of Win32/TrojanDownloader.Swizzor using the following code:

http://msdn.microsoft.com/en-us/library/ms905289.aspx

call    GetSystemDefaultLangID ; Indirect Call Near Procedure
[…]
mov     edi, eax
[…]
cmp     di, 419h
jz      end_function

This code calls the GetSystemDefaultLangID function and compares the result to a constant, 0x419. Browsing through the MSDN documentation reveals that this constant’s value translates to LANG_RUSSIAN. It turns out that these variants of Win32/TrojanDownloader.Swizzor will exit before infecting a computer if they find that the default system language is Russian.

We have also identified the following code in the earliest variants of the Win32/Conficker malware:

push    edi             ; lpList
push    esi             ; nBuff
call    ebx ; GetKeyboardLayoutList
cmp     esi, eax
jnz     short list_not_found
dec     esi
cmp     word ptr [edi+esi*4], 422h
jz      short dont_install

Here, the malware tries to retrieve a list of keyboard layouts and works through that list. If a layout is found with the language identifier 0x422, the routine terminates and the malware is not installed. This means that some variants of the Win32/Conficker family will not install on a computer that uses a Ukrainian keyboard layout. Please note that this behavior is only present in W32/Conficker.A. Later variants of this malware infect any PC they can access without checking the keyboard layout.

What we are seeing now is probably the beginning of a new trend. Malware authors will try to avoid infecting PCs in specific countries to limit the risk of legal action being taken against them. In most countries there needs to be a victim or a complaint before law enforcement agencies take legal action against an offender in cases of malware infection. In cases where an attacker only targets victims outside of his own country, it is much harder for law enforcement agencies to take action.
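To make the two disassembly snippets above concrete for an analyst, here is an added C example (not from the original post nor from Pierre-Marc Bureau’s analysis) that decodes the constants 0x419 and 0x422 the way the winnt.h LANGID macros do, and models the Swizzor comparison and the Conficker.A keyboard-layout loop so you can confirm which layout lists trigger the bail-out. It reproduces the macro arithmetic itself so it compiles without windows.h; the HKL arrays are constructed sample data, not captured from a real machine.

```c
/* Added example: decode the LANGID constants from the disassembly and model
 * the two checks. Compiles on any platform; no windows.h needed. */
#include <stdint.h>
#include <stdio.h>

typedef uint16_t LANGID;
typedef uint32_t HKL32;   /* 32-bit keyboard layout handle, as on x86 */

/* Same arithmetic as winnt.h: low 10 bits = primary language id,
 * upper 6 bits = sublanguage id. */
#define PRIMARYLANGID(lgid) ((LANGID)((lgid) & 0x3ff))
#define SUBLANGID(lgid)     ((LANGID)((lgid) >> 10))
#define MAKELANGID(p, s)    ((LANGID)(((s) << 10) | (p)))

#define LANG_RUSSIAN    0x19   /* 0x0419 = ru-RU with SUBLANG_DEFAULT */
#define LANG_UKRAINIAN  0x22   /* 0x0422 = uk-UA with SUBLANG_DEFAULT */
#define SUBLANG_DEFAULT 0x01

/* Swizzor: "cmp di, 419h" on the value GetSystemDefaultLangID returned. */
int swizzor_would_bail(LANGID system_default)
{
    return system_default == MAKELANGID(LANG_RUSSIAN, SUBLANG_DEFAULT);
}

/* Conficker.A: after GetKeyboardLayoutList has filled lpList with `count`
 * HKLs (the snippet first checks that the returned count equals nBuff),
 * "dec esi / cmp word ptr [edi+esi*4], 422h" starts at the last element and
 * compares the low word of each HKL. The low word of an HKL is the input
 * language's LANGID; the high word is the layout's device handle. */
int conficker_a_would_bail(const HKL32 *list, int count)
{
    for (int i = count - 1; i >= 0; i--) {
        LANGID lang = (LANGID)(list[i] & 0xffff);      /* word ptr [edi+esi*4] */
        if (lang == MAKELANGID(LANG_UKRAINIAN, SUBLANG_DEFAULT))
            return 1;                                   /* jz dont_install */
    }
    return 0;
}

/* Constructed sample layout lists (hypothetical, not real capture data). */
const HKL32 SAMPLE_US_UK[] = {0x04090409u, 0x04220422u};   /* en-US, uk-UA */
const HKL32 SAMPLE_US_RU[] = {0x04090409u, 0x04190419u};   /* en-US, ru-RU */

int main(void)
{
    printf("0x419 -> primary 0x%02x sub 0x%02x\n",
           PRIMARYLANGID(0x419), SUBLANGID(0x419));
    printf("0x422 -> primary 0x%02x sub 0x%02x\n",
           PRIMARYLANGID(0x422), SUBLANGID(0x422));
    printf("Swizzor bails on ru-RU default: %d\n", swizzor_would_bail(0x0419));
    printf("Conficker.A bails with uk-UA layout: %d\n",
           conficker_a_would_bail(SAMPLE_US_UK, 2));
    printf("Conficker.A bails with ru-RU layout: %d\n",
           conficker_a_would_bail(SAMPLE_US_RU, 2));
    return 0;
}
```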

Methods

Win32/Conficker.B has multiple propagation methods. These include the following:

  • Exploitation of the vulnerability that is patched by security update 958644 (MS08-067)
  • The use of network shares
  • The use of AutoPlay functionality

When executed, Win32/Conficker.A creates a copy of itself in the %System% directory with a random filename.

The worm injects its code into the “services.exe” process to keep itself memory resident and difficult to clean up.

Win32/Conficker.A also creates a service with the following characteristics, to automatically execute on system start:

Service name: netsvcs

Path to executable: %System%\svchost.exe -k netsvcs

and adds the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\<random filename>\Parameters\ServiceDll = “%System%\<random filename>”

confickera_services

Note: %System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; for XP and Vista it is C:\Windows\System32.

Removal

Patrik Runald, F-Secure’s chief security advisor, stated that the worm is capable of obstructing a user’s access to Microsoft’s websites and can also disable the automatic update function. This may make it impossible to get online to get help, in which case you are reading this from another computer. So to install Microsoft’s fix for the virus, the Malicious Software Removal Tool (MSRT), you may need to transfer it onto your computer from a CD or a USB stick. You may also try using “Add/Remove Programs” to uninstall the virus, or some of the other removal tools listed below. Conficker, as well as other viruses, may take over Windows processes such as svchost.exe, explorer.exe and services.exe, so using Process Explorer to find out what these processes are really doing can be useful if you have it installed.

Win32/Conficker.A and Win32/Conficker.B symptoms (similar for Win32/Conficker.AA)

Symptoms: Win32/Conficker.A

  • Users locked out of directory
  • Denied access to admin shares
  • The creation of Scheduled tasks
  • Access to security related web sites is blocked.

Symptoms: Win32/Conficker.B

  • Tripped account lockout policies.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Slow responses from Domain controllers to client requests.
  • Congested network.
  • Blocked access to various security-related Web sites.

Precautions to exercise if you do not have this or any other noticeable virus (though you may be a zombie and not know it)

  1. First of all, make sure your system has the most recent Windows updates, such as MS08-067, MS08-068 and MS09-001.
  2. Make sure you have automatic updates turned on in the Security Center and your firewall is turned ON.
  3. Avoid “free” online security scans, as these are often malicious.
  4. Exercise caution when opening attachments and running .exe’s.
  5. Turn the “autorun” feature off; it automatically runs programs found on memory sticks and USB devices, so be aware of this when plugging in new USB sticks.
  6. Ensure that you use strong administrator passwords/passphrases, longer than 14 characters with a combination of numbers and letters and upper and lower case.

http://www.update.microsoft.com
http://support.microsoft.com/kb/890830

Here is a list of known infected directories (make sure you can see hidden folders under Folder Options in Control Panel):

%Documents and Settings%\All Users\Application Data\[Random Name].dll

%Program Files%\Internet Explorer\[Random Name].dll

%Program Files%\Movie Maker\[Random Name].dll

%System32%\[Random Name].dll

%Temp%\[Random Name].dll

http://en.wikipedia.org/wiki/Conficker


Registry entries

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (the Run key is often the source of malware, as it runs programs at start-up)

If this does not fix it, follow the manual removal instructions step by step here: http://support.microsoft.com/kb/962007

http://www.spywareremove.com/removeWin32ConfickerAA.html

Also try these tools, as often the bigger names such as Norton or AVG do not work because the virus was made with them in mind.

http://www.spywareremove.com/download/SpyHunter-Scanner101413p2s2.exe - SpyHunter’s malware scanner

http://www.regnow.com/trialware/download/Download_5.1.0.272f-5.1.0.272-sdregnow.exe?item=11719-1&affiliate=56878&linkid=fscconfic

Additional References

This thread from Reddit on the subject:

http://www.reddit.com/r/technology/comments/7wapy/hey_internet_can_we_please_find_and_make_life/

http://www.printthis.clickability.com/pt/cpt?action=cpt&title=eWMDs&expire=&urlID=32877260&fb=Y&url=http%3A%2F%2Fwww.hoover.org%2Fpublications%2Fpolicyreview%2F35543534.html&partnerID=162551

http://www.nytimes.com/2008/11/10/technology/internet/10attacks.html?fta=y

http://www.nytimes.com/2008/12/06/technology/internet/06security.html?_r=1&fta=y

Protect yourself with this software recommended by CNC staff security team.


10 thoughts on “protect your server: Conficker-Antivirus 2009- Eastern Europe Threats”

  1. Thanks. What a great post. I have not experienced any security problems for a very long time on my MS vista laptop – but the tactics mentioned here send a chill down my spine. Must remain vigilant. Thanks again.

  2. As far as I can see, there is no way Linux systems can be infected, and the last viable infection was in 1995.

    So if you’re out there still using Microsoft Bugware, why not come over to the safe side of the wall and install Linux freeware.

    You’ll never have to patch again or run an anti-virus program.

    Ubuntu Intrepid Ibex is particularly easy to install and won’t cost a bean.

    Good post.

  3. “You’ll never have to patch again or run an anti-virus program.”

    As long as linux is still unpopular. All OS’s are hackable.

  4. Just a quick point: you advise installing multiple antivirus programs in order to thoroughly protect a person’s PC. I would say this does more harm than good. Every antivirus program installed adds anywhere from 30%-1000% overhead to every file operation. Multiply that by the number of antivirus programs you have installed, and you have a PC brought to its knees by supposedly ‘helpful’ software. Not to mention that the best antivirus programs have about a 20% success rate at detecting fresh malware. In many cases, you are better off going without AV protection from a productivity standpoint. The seconds you lose waiting on your slow PC to respond because of its 3 antivirus programs add up over time to much more than the hour or two you might have to spend removing a piece of malware. A much more effective tactic to reduce risk than using multiple AV programs is to STOP using Internet Explorer. Use Firefox or something else instead. The vast majority of infections begin with IE exploits and ActiveX controls. Also, stop searching Google for porn, screensavers, warez, cracks, and the like, and you further reduce your odds of infection. If you must have those things, use something like The Pirate Bay – read where people comment on the files to find out if they are virus laden. Use flash-based video porn sites like youporn, xtube, redtube, etc. that don’t try to make you download ActiveX controls. Stop opening every attachment you get in your email without thinking, and stop clicking on links to e-cards and random websites. When installing new programs, READ the installer pages – it tells you if it will install 3rd party software or toolbars. If it doesn’t, you don’t want it.
    I have been without AV protection for 5 or so years now, and have never been infected with anything. I just follow those guidelines and use common sense.

  5. Thank you, I edited the article to better reflect what I mean: that you should run multiple programs when you suspect you have a problem, then delete the extras after they have done their work. This is when you are pretty sure you have a bug.

  6. “The sale of fake antivirus software alone in this black market totals an estimated $100 billion a year.”

    This represents one copy for every 3.35 people on the planet… was this an error, or do you have a reference for this?

  7. Rather wonderful post, genuinely helpful stuff. Never ever imagined I would obtain the tips I would like right here. I’ve been hunting all over the web for some time now and had been starting to get irritated. Thankfully, I came onto your blog and acquired precisely what I had been looking for.
