Dicas Sobre o Vírus Conficker

     
   Worm:Win32/Conficker.B  

Encyclopedia entry
Updated: Oct 30, 2009  |  Published: Dec 30, 2008

Aliases

  •  

TA08-297A (other)

  • CVE-2008-4250 (other)
  • VU827267 (other)
  • Win32/Conficker.A (CA)
  • Mal/Conficker-A (Sophos)
  • Trojan.Win32.Agent.bccs (Kaspersky)
  • W32.Downadup.B (Symantec)
  • Confickr (other)

Alert Level (?)

Severe

Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.

Detection last updated:
Definition: 1.57.62.0
Released: Apr 21, 2009
  Detection initially created:
Definition: 1.49.1183.0
Released: Dec 30, 2008

Summary

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Microsoft strongly recommends that users apply the update referred to in  Security Bulletin MS08-067 immediately.

Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.

Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029 .

Top


 

Symptoms

System Changes

The following system changes may indicate the presence of this malware:

  • The following services are disabled or fail to run:

Windows Update Service
Background Intelligent Transfer Service
Windows Defender
Windows Error Reporting Services

  • Some accounts may be locked out due to the following registry modification, which may flood the network with connections:

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
“TcpNumConnections” = “0x00FFFFFE”

  • Users may not be able to connect to websites or online services that contain the following strings:

virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates
f-secure
kaspersky
jotti
f-prot
nod32
eset
grisoft
drweb
centralcommand
ahnlab
esafe
avast
avira
quickheal
comodo
clamav
ewido
fortinet
gdata
hacksoft
hauri
ikarus
k7computing
norman
pctools
prevx
rising
securecomputing
sunbelt
emsisoft
arcabit
cpsecure
spamhaus
castlecops
threatexpert
wilderssecurity
windowsupdate

Top


 

Technical Information (Analysis)

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Installation

Worm:Win32/Conficker.B attempts to copy itself in the Windows system folder as a hidden DLL file using a random name. If the attempt fails, it may then attempt to copy itself with the same parameters in the following folders:

%ProgramFiles%\Internet Explorer
%ProgramFiles%\Movie Maker

It creates the following registry entry to ensure that its dropped copy is run every time Windows starts:

Adds value: “<random string>”
With data: “rundll32.exe <system folder>\<malware file name>.dll,<malware parameters>”
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It may also load itself as a service that is launched when the netsvcs group is loaded by the system file svchost.exe.

It may also load itself as a fake service by registering itself under the following key:
HKLM\SYSTEM\CurrentControlSet\Services

It may use a display name that is created by combining two of the following strings:

Boot
Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Task
Time
Universal
Update
Windows

It may also combine random characters to create the display name.

Spreads Via…

Network Shares with Weak Passwords

Worm:Win32/Conficker.B attempts to infect machines within the network.

It first attempts to drop a copy of itself in a target machine’s ADMIN$ share using the credentials of the currently logged-on user.

If this method is unsuccessful, for example, the current user does not have the necessary rights, then it instead obtains a list of user accounts on the target machine. It then attempts to connect to the target machine using each user name and the following weak passwords:

123
1234
12345
123456
1234567
12345678
123456789
1234567890
123123
12321
123321
123abc
123qwe
123asd
1234abcd
1234qwer
1q2w3e
a1b2c3
admin
Admin
administrator
nimda
qwewq
qweewq
qwerty
qweasd
asdsa
asddsa
asdzxc
asdfgh
qweasdzxc
q1w2e3
qazwsx
qazwsxedc
zxcxz
zxccxz
zxcvb
zxcvbn
passwd
password
Password
login
Login
pass
mypass
mypassword
adminadmin
root
rootroot
test
testtest
temp
temptemp
foofoo
foobar
default
password1
password12
password123
admin1
admin12
admin123
pass1
pass12
pass123
root123
pw123
abc123
qwe123
test123
temp123
mypc123
home123
work123
boss123
love123
sample
example
internet
Internet
nopass
nopassword
nothing
ihavenopass
temporary
manager
business
oracle
lotus
database
backup
owner
computer
server
secret
super
share
superuser
supervisor
office
shadow
system
public
secure
security
desktop
changeme
codename
codeword
nobody
cluster
customer
exchange
explorer
campus
money
access
domain
letmein
letitbe
anything
unknown
monitor
windows
files
academia
account
student
freedom
forever
cookie
coffee
market
private
games
killer
controller
intranet
work
home
job
foo
web
file
sql
aaa
aaaa
aaaaa
qqq
qqqq
qqqqq
xxx
xxxx
xxxxx
zzz
zzzz
zzzzz
fuck
12
21
321
4321
54321
654321
7654321
87654321
987654321
0987654321
0
00
000
0000
00000
00000
0000000
00000000
1
11
111
1111
11111
111111
1111111
11111111
2
22
222
2222
22222
222222
2222222
22222222
3
33
333
3333
33333
333333
3333333
33333333
4
44
444
4444
44444
444444
4444444
44444444
5
55
555
5555
55555
555555
5555555
55555555
6
66
666
6666
66666
666666
6666666
66666666
7
77
777
7777
77777
777777
7777777
77777777
8
88
888
8888
88888
888888
8888888
88888888
9
99
999
9999
99999
999999
9999999
99999999

If Win32/Conficker.B successfully accesses the target machine, for example, if a combination of any of the obtained user names and one of the above passwords allows write privileges to the machine, then it copies itself to an accessible admin share as ADMIN$\System32\<random letters>.dll.

Creates Remote Scheduled Job

After compromising a machine remotely, Win32/Conficker.B creates a remote schedule job with the command “rundll32.exe <malware file name>.dll,<malware parameters>” to activate the copy, as shown in the images below:

Mapped and Removable Drives

Worm:Win32/Conficker.B may drop a copy of itself in all mapped and removable drives using a random file name. The worm creates a folder in the root of these drives named ‘RECYCLER’ (in Windows XP and previous versions, the folder “RECYCLER” references the “Recycle Bin”). Next, the worm copies itself as the following:

<drive:>\RECYCLER\S-%d-%d-%d-%d%d%d-%d%d%d-%d%d%d-%d\<random letters>.dll

Where %d is a randomly chosen letter. The worm also drops a corresponding autorun.inf file, which enables the worm copy to execute if the drive is accessed and Autoplay is enabled. This autorun.inf file is detected as Worm:Win32/Conficker.B!inf.

The image below illustrates how a user could potentially launch the worm when accessing an infected share:

Note that the language in the first option suggests the user could ‘open folder to view files’ however the option is under ‘Install or run program’, an indication that opening the folder will actually execute an application. Another hint that the action is to execute the worm is the text ‘Publisher not specified’. The highlighted choice under ‘General options’ in the image above would allow a user to view the share and not execute the worm copy.

MS08-067 HTTP ‘call back’

Worm:Win32/Conficker.B spreads to systems that are not yet patched against a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, the worm instructs the target computer to download a copy of the worm from the host computer via HTTP protocol using the random port between 1024 and 10000 opened by the worm. The vulnerability is documented in Microsoft Security Bulletin MS08-067.

Payload

Modifies System Settings

Worm:Win32/Conficker.B changes system settings so that the user cannot view hidden files. It does this by modifying the following registry entry:

Adds value: “CheckedValue”
With data: “0”
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL

It also modifies the system’s TCP settings to allow a large number of simultaneous connections, where 0x00FFFFFE is hexadecimal and equals 16,777,214 decimal value:

Adds value: “TcpNumConnections”
With data: “0x00FFFFFE”
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

The worm drops a temp file to aid restarting the TCP/IP service for the modification to take effect. The dropped file is detected as Trojan:WinNT/Conficker.B.

Disables TCP/IP Tuning, Terminates and Disables Services

Win32/Conficker.B disables Windows Vista TCP/IP auto-tuning by executing the following command:

netsh interface tcp set global autotuning=disabled

This worm terminates several important system services, such as the following:

  • Windows Security Center Service (wscsvc) – notifies users of security settings (e.g. Windows update, Firewall and AntiVirus)
  • Windows Update Auto Update Service (wuauserv)
  • Background Intelligence Transfer Service (BITS) – used by Windows Update to download updates using idle network bandwidth
  • Windows Defender (WinDefend)
  • Error Reporting Service (ersvc) – sends error reports to Microsoft to help improve user experience
  • Windows Error Reporting Service (wersvc)

 

Win32/Conficker.B deletes the registry key for Windows Defender, disabling it from running when the system starts.

Deletes value: “Windows Defender”

In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run

It also disables any process that has a module name containing any of the following strings from sending network traffic or data (note that most of these strings are related to antivirus and security software, thus effectively disabling the products from acquiring signature updates, and possibly preventing users from accessing websites with these strings in the URL):

virus
spyware
malware
rootkit
defender
microsoft
symantec
norton
mcafee
trendmicro
sophos
panda
etrust
networkassociates
computerassociates
f-secure
kaspersky
jotti
f-prot
nod32
eset
grisoft
drweb
centralcommand
ahnlab
esafe
avast
avira
quickheal
comodo
clamav
ewido
fortinet
gdata
hacksoft
hauri
ikarus
k7computing
norman
pctools
prevx
rising
securecomputing
sunbelt
emsisoft
arcabit
cpsecure
spamhaus
castlecops
threatexpert
wilderssecurity
windowsupdate

Resets System Restore Point

Win32/Conficker.B may reset the computer’s system restore point, potentially defeating recovery using System Restore.

Checks for Internet Connectivity

Win32/Conficker.B checks if the system has an Internet connection by attempting to connect to the following websites:

aol.com

cnn.com

ebay.com

msn.com

myspace.com

Downloads Arbitrary Files

Depending on the system date, Win32/Conficker.B may build a URL to download files starting on January 1, 2009. The generated URL has a domain name that is based on the current system date. It uses one of the following top level domains:

.cc

.cn

.ws

.com

.net

.org

.info

.biz

For example, ‘aaovt.com’ or ‘aasmlhzbpqe.com’.

The generated domain name is first converted to the dot notation, for example, ‘aaovt.com’ may be converted to ‘192.168.16.0’. This generated IP address is then used for the URL, according to the following pattern:

http://<pseudo-random generated IP>/search?q=%d

Some examples of the constructed URLs are as follows:

aaovt.com
aasmlhzbpqe.com
addgv.com
ajsxarj.org
apwzjq.ws
aradfkyqv.org
arztiwbeh.cc
baixumxhmks.ws
bfwtjrto.org
bfwvzxd.info
bmaeqlhulq.cc
byiiureq.cn
cbizghsq.cc
cbkenfa.org
ciabjhmosz.cc
cruutiitz.com
ctnlczp.org
ctohyudfbm.cn
dcopyoojw.com
djdgnrbacwt.ws
dmwemynbrmz.org
dofmrfqvis.cn
doxkknuq.org
dozjritemv.info
dyjsialozl.ws
eaieijqcqlv.org
eewxsvtkyn.net
eidqdorgmbr.net
eiqzepxacyb.cn
ejdmzbzzaos.biz
ejmxd.com
ejzrcqqw.net
ekusgwp.cc
eprhdsudnnh.biz
evmwgi.ws
falru.net
fctkztzhyr.org
fdkjan.net
fhfntt.org
fhspuip.biz
fjpzgrf.net
fkzdr.cn
ftjggny.com
fuimrawg.info
ghdokt.cn
glbmkbmdax.biz
gmhkdp.org
gocpopuklm.org
grwemw.biz
gtzaick.cc
gxzlgsoa.info
gypqfjho.info
hduyjkrouop.info
hfgxlzjbfka.biz
hkgzoi.com
hliteqmjyb.net
hmdtv.ws
hoyolhmnzbs.net
hprfux.cc
hqbttlqr.org
hueminaii.org
hvogkfiq.info
ifylodtv.ws
iivsjpfumd.ws
ilksbuv.cn
imuez.biz
izxvu.biz
jaumgubte.biz
jhbeiiizlfk.cn
jrdzx.cc
jshkqnnkeao.biz
judhei.com
jxfiysai.cc
jzoowlbehqn.info
karhhse.com
kbyjkjkbb.info
kjsxokxg.org
krudjhvk.org
kuiwtbfa.org
lauowjef.cn
lhirjymcod.net
liugwg.net
lksvlouw.ws
llgkuclk.info
lnpsesbcm.cn
lssvxqkqfmf.org
lygskbx.cc
mafwkeat.cn
mgqrrsxhnj.com
mhklpsbuh.cc
mknuzwq.cc
mqjkzbov.net
myfhc.com
navjrj.org
nbpykcdsoms.com
ncbeaucjxd.org
npfxmztnaw.cn
nuiptipwjj.cc
nvpmfnlsh.ws
oagwongs.ws
odvsz.net
okkpuzqck.ws
oqolfrjq.cn
orduhippw.cn
orpngykld.com
orxfq.ws
othobnrx.org
otnqqaclsgx.info
otukeesevg.biz
pbfhhhvzkp.cc
pbpigz.cn
pcnpxbg.cc
pdfrbmxh.biz
pfdthjxs.cc
phaems.cc
phetxwmjqsj.cc
pmanbkyshj.ws
pnjlx.cc
ppzwqcdc.cc
psabcdq.cc
ptdlwsi.cn
pvowgkgjmu.biz
pwsjbdkdewv.info
qbuic.com
qdteltj.org
qeotxrp.com
qfeqsagbjs.biz
qfhqgciz.org
qfogch.com
qijztpxaxk.cn
qlqrgqordj.ws
qpiivu.cn
qpuowsw.cc
qqbbg.cc
qrrzna.net
qvrgznvvwz.ws
qwdervbq.org
qwnydyb.cc
qzbpqbhzmp.com
rkfdx.org
rpphv.org
rskvraofl.info
ryruatsot.biz
sdkhznqj.info
sezpo.org
sfozmwybm.com
skwmyjq.org
solmpem.com
sqmsrvnjits.cc
stlgegbye.net
syryb.org
tdwrkv.ws
tfpazwas.cc
tigeseo.org
tjyhrcfxuc.cn
tkbyxr.ws
tlmncy.cn
tmlwmvv.ws
tnerivsvs.net
tomxoa.org
trpkeyqapp.net
tyjtkayz.com
uazlwwiv.org
ucgqvyjgpk.cn
uixvflbyoyi.biz
ujawdcoqgs.org
upxva.net
uuvjh.biz
uzugvbnvs.cn
vgmkhtux.ws
vjllpcucnp.cn
vkgxgxto.com
vwiualt.com
waxggypgu.org
wccckyfrtf.net
wfdnvlrcb.org
whjworuc.com
wmiwxt.biz
wohms.biz
wqqfbutswyf.info
wsdlzmpbwhj.net
xiclytmeger.cc
xkjdzqbxg.cn
xldbmaztfu.biz
xlwcv.cn
xqbovbdzjz.info
xwbubjmhinr.info
yfpdcquil.info
yfybk.ws
yhrpqjhp.biz
yoblqeruib.org
yoyze.cc
yshpve.cc
ysrixiwyd.com
ytfvksowgul.org
ywsrtetv.org
yzymygez.biz
zcwjkxynr.com
zfgufbxi.net
zkimm.info
zmoeuxuh.ws
zokxy.net
zqrsbqzhh.cc
zttykt.info
zutykstmrxq.ws

It checks the system date if it is January 1, 2009 or later. It also checks the following websites for the date, presumably for verification:

baidu.com
google.com
yahoo.com
msn.com
ask.com
w3.org

Additional Information

The name of this threat was derived by selecting fragments of the domain ‘trafficconverter.biz’, a string found in Worm:Win32/Conficker.A:

(fic)(con)(er) => (con)(fic)(+k)(er) => conficker

Analysis by Jireh Sanico

Top


 

Prevention

Take the following steps to help prevent infection on your system:

  • Enable a firewall on your computer.
  • Get the latest computer updates for all your installed software, including Security Bulletin MS08-067.
  • Use up-to-date antivirus software.
  • Use caution when opening attachments and accepting file transfers.
  • Use caution when clicking on links to web pages.
  • Protect yourself against social engineering attacks.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows Internet Connection Firewall.

To turn on the Windows Firewall in Windows Vista

  1. Click Start, and click Control Panel.
  2. Click Security.
  3. Click Turn Windows Firewall on or off.
  4. Select On.
  5. Click OK.

To turn on the Internet Connection Firewall in Windows XP

  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. It is important to install updates for all the software that is installed in your computer. These are usually available from vendor websites.

You can use the Automatic Updates feature in Windows to automatically download future Microsoft security updates while your computer is on and connected to the Internet.

To turn on Automatic Updates in Windows Vista

  1. Click Start, and click Control Panel
  2. Click System and Maintainance.
  3. Click Windows Updates.
  4. Select a setting. Microsoft recommends selecting Install updates automatically and choose a time that is convenient for you. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

To turn on Automatic Updates in Windows XP

  1. Click Start, and click Control Panel
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use Strong Administrator Passwords

Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/protect/computer/viruses/vista.mspx.

Use caution when opening attachments and accepting file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources.  Use extreme caution when accepting file transfers from known or unknown sources.

Use caution when clicking on links to web pages

Exercise caution with links to web pages that you receive from unknown sources, especially if the links are to a web page that you are not familiar with or are suspicious of. Malicious software may be installed in your system simply by visiting a web page with harmful content.

Avoid downloading pirated software

Threats may also be bundled with software and files that are available for download on various torrent sites. Downloading “cracked” or “pirated” software from these sites carries not only the risk of being infected with malware, but is also illegal. For more information. please see our article ‘The risks of obtaining and using pirated software‘.

Protect yourself from social engineering attacks

While attackers may attempt to exploit vulnerabilities in hardware or software in order to compromise a system, they also attempt to exploit vulnerabilities in human behavior in order to do the same. When an attacker attempts to take advantage of human behavior in order to persuade the affected user to perform an action of the attacker’s choice, it is known as ‘social engineering’. Essentially, social engineering is an attack against the human interface of the targeted system. For more information, please see our article ‘What is social engineering?‘.

Top


 

Recovery

Microsoft strongly recommends that users apply the update referred to in  Security Bulletin MS08-067 immediately.

Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here .

Microsoft also recommends that users apply an update that changes the AutoPlay functionality in Windows to prevent this worm from spreading via USB drives. More information is available in the Microsoft Knowledgebase Article KB971029 .

To detect and remove this threat and other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as Microsoft Security Essentials, or the Windows Live OneCare safety scanner. For more information about using antivirus software, see http://www.microsoft.com/security/antivirus/av.aspx.

Note: Computers infected by Conficker may be unable to connect to web sites related to security applications and services that may otherwise assist in the removal of this worm (for example, downloading antivirus updates may fail). In this case users will need to use an uninfected computer in order to download any appropriate updates or tools and then transfer these to the infected computer.

Microsoft Help and Support have provided a detailed guide to removing a Conficker.B infection from an affected computer, either manually or by using the MSRT (Malicious Software Removal Tool).

For detailed instructions on how to manually remove Conficker.B, view the following article using an uninfected computer:

http://support.microsoft.com/kb/962007 – Virus alert for Win32/Conficker.B and manual removal instructions

Additional information on deploying MSRT in an enterprise environment can be found here:

http://support.microsoft.com/kb/891716 – Deployment of MSRT in an enterprise environment

 
Anúncios

Publicado em novembro 16, 2009, em Vírus. Adicione o link aos favoritos. Deixe um comentário.

Deixe seu Comentário

Preencha os seus dados abaixo ou clique em um ícone para log in:

Logotipo do WordPress.com

Você está comentando utilizando sua conta WordPress.com. Sair / Alterar )

Imagem do Twitter

Você está comentando utilizando sua conta Twitter. Sair / Alterar )

Foto do Facebook

Você está comentando utilizando sua conta Facebook. Sair / Alterar )

Foto do Google+

Você está comentando utilizando sua conta Google+. Sair / Alterar )

Conectando a %s

%d blogueiros gostam disto: