Are you a Conficker Zombie?

With the advent of Conficker and to avoid becoming one of the estimated now 20 million or so zombie recruits of the botnet armies requires ongoing awareness. At least we need to be personally alert, to make it difficult for the cyber criminals. If you are reading this article on a MS widows based PC and you have not upgraded your XP or Vista operating system since October 2008, there is a reasonable chance you are a zombie, or rather your PC is.

Before we see the regular smirks and responses from Mac and Linux users, stressing how safe they are and it is all the fault of Microsoft. The now common place blended attacks, whose singular purpose is to add your PC to the zombie botnet armies, are designed to gain control regardless of operating system. MS Windows, Mac, Linux, iPhone, iPod, all have “Hosts files” which allow; you, webmasters, or network administrators to configure a direct link to a remote IP address. So if you can do this, guess who else could configure your host file, more about this below.

As a couple of examples of the sophistication of the latest blended attacks, and also acts as the latest clue for Conficker bounty hunters.

Fig 1 - Fig 1 - Conficker - (ref; Internetpol.fr)

Gone are the days when the simple diagnostic of an infected PC or Zombie was essentially the machine was overheating and a markedly drop in speed. The Conficker agents essentially check for the presence of the firewall and ask the firewall to open a backdoor to the Internet, once done it downloads the payload. Interestingly the early version checks if the target has a Ukrainian IP address also checked for a Ukraine keyboard and if either present stopped any infection. Once a PC is infected it will sleep solely to wake up every 3-4 hours to (quietly) call home for its latest instructions and IP addresses.

Another recent example which is called “Virux” (see PE_VIRUX variants - TrendMicro)

Fig 2 - Virux (TrendMicro)

Here Virux infects the PC via the browser and phones home via IRC (Internet Relay Chat) servers for botnet control instructions. Just to emphasize there is some dispute as to where Virux is another variant or from the same stable as Conficker, due to its similarity of attack vectors, or just an update of the older “Virut” exploit which gained fame back in November 2008 for utilizing a vulnerability in Adobe Reader . Either of these examples, both Conficker and Virux, block access to security websites and anti-virus downloads. Also using sophisticated Geo Location IP systems to gain further exploits for the appropriate location of the victim and more importantly this is for enhanced cyber criminal affiliate sales, for example resale and botnet rental of say just PCs on the US West Coast or Australia, etc.

Now for the good news, all the above should alarm the average reader, however most of this can and should be avoided. Either of these examples spreads through the use of; network sharing, weak passwords, and the bad guys making use of the autorun.inf files which are copied to USB drives and other removable media. Further if you have made use of the latest operating system updates, anti-virus, and upgraded to use Adobe Reader 9.0. Also why anyone whether and individual or company, would not use the free “OpenDNS” service which you can set to avoid phishing, adware, or many of these nuisances, is still surprising.

For a really simple check, how is your “Hosts file”? For more the wider details visit Tom Olzak’s excellent article here . For MS windows users it is really simple; using windows explorer go to c:\windows\system32\drivers\etc open the hosts file in Notepad, if you see anything else beyond the standard “ localhost” then ask yourself why, or more worryingly you are already a botnet zombie.


Conficker; A Bounty Hunter’s Guide

You know things are serious when Microsoft Corp. ponies up a $250,000 bounty. The software vendor is offering the cash in exchange for information leading to the arrest and conviction of the Conficker worm creator(s).

It's part of an unprecedented and coordinated response with ICANN and security researchers from Afilias, AOL LLC , Arbor Networks Inc. , CNNIC, F-Secure Corp. , Georgia Tech, Global Domains International Inc., Internet Storm Center (ISC) , M1D Global, NeuStar Inc. (NYSE: NSR), Public Internet Registry, Shadowserver Foundation, Support Intelligence, Symantec Corp. (Nasdaq: SYMC), and VeriSign Inc. (Nasdaq: VRSN) to disable the hosting and distribution of the worm.

Obviously no one's out to justify or encourage the "Wild West" ethics where this reward's concerned, and it's not the first time Microsoft has gone this route. In 2005, the vendor offered $250,000 for the identity of the creator of Netsky, a.k.a. the Sasser worm, leading to the unmasking of German student Sven Jaschan. But for the interested, the curious, and the bounty-minded, what follows is a starter guide and roadmap to help this latest industry-wide effort along.

What is Conficker?

First, do not get blindsided by the linguistics, and its plethora of names. Conficker.A is what CA Inc. (Nasdaq: CA) calls it, but it also goes by Conficker.worm (McAfee Inc. (NYSE: MFE)); Downadup (Symantec); and Kido and Net-Worm.win32.kido.bt (Kaspersky Lab ). They are all the same thing. It spreads through the use of network shares and weak passwords. Additionally, it uses Windows AutoRun functionality, wherein autorun.inf files are copied to USB drives and other removable media.

When Conficker takes control of the user’s PC

• Injects its code into the address space of one of the “svchost.exe” system processes.

• Disables system restore

• Blocks any addresses which contain the following strings:

indowsupdate / wilderssecurity / threatexpert / castlecops / Spamhaus / cpsecure / arcabit / emsisoft / sunbelt / securecomputing / rising / prevx / pctools / norman / k7computing / ikarus /hauri / hacksoft / gdata / fortinet / ewido / clamav / comodo / quickheal / avira / avast / esafe / ahnlab / centralcommand / drweb / grisoft / eset nod32 / f-prot / jotti / Kaspersky / f-secure / computerassociates / networkassociates / etrust /panda / Sophos / trendmicro / mcafee / Norton Symantec / Microsoft defender / rootkit / malware / spyware / virus

Each day, the worm generates a fresh list of about 250 random domain names such as abfhhibxci.cn. It then checks those domains for new instructions, verifying their cryptographic signature to ensure that they were created by Conficker's author. It should be stressed that this malware is infecting PCs but has not yet been switched on via command and control functions to act as a botnet.

From whence did Conficker spring?

Conficker was first reported to Microsoft as a remote code execution vulnerability in Windows 2000, 2003, 2008, XP, and Vista server service in October 2008; a security update was released on Oct. 23. Estimates vary as to the extent of infection: F-Secure reported on Jan. 16 that Conficker had infected 9 million PCs worldwide with 353,495 unique IP addresses; 10 days later, this was revised to 15 million infected PCs.

Where are the major infection centers?

Panda Security reported on Jan. 21 Conficker in 83 countries, and an estimated 6 percent of the entire world’s PCs were infected, say, 18 million. It further estimated the countries with the highest rates of virulence were the U.S., China, Spain, Taiwan, and Brazil. Press reports have circulated that American military systems were infected by USB drives, and that U.K. Royal Navy warship and submarine systems were infected and rendered unusable; French fighter planes were also reportedly being grounded. Symantec is monitoring 450,000 IP addresses (PCs) with the original infection, with another 1.7 million PCs infected per day.

Who created Conficker?

In this case, the $250,000 question could take a dozen pages of explanation. One simple form of analysis for the potential bounty hunter is to follow the rabbit. But you'll need some Russian language skills. If we examine Kaspersky’s Virus List of Jan. 2, the Conficker worm was originally downloading from trafficconverter.biz, so that's a good starting place. A little examination shows this domain was originally registered via the now defunct EstDomains in December 2008. Even better, some additional Googling gives us a clue to the origin: In Russian hacker forums, we can see earlier offerings from trafficconverter.biz providing excellent reseller margins of $30 a pop to hackers for ensuring downloads of infectious, rogue, anti-virus software.

Not resolving - trafficconverter. biz

Resolving – trafficconverter2.biz

Sister site – RX-Partners.biz

Given the limited space and time, see what conclusions you can draw. You should end up with a combination of hosts, each with a questionable, cybercriminal reputation: AS43816 Centralux (a.k.a. WebAlta, Russia); AS28753 NetDirect (Germany); and AS41867 Geonic (Ukraine). Whether this gets you any closer to Microsoft's reward will depend on which rabbit hole you go down. But safe to say that this sort of incentive will flush out Conficker's writer(s)... The only remaining question is just how long that will take.

Happy hunting!


Cloning Security

Coming to a PC near you very soon is an innovative and possibly deadly combination of well known exploitation techniques, emerging from the dark side of the Internet. What makes this new attack so innovative are the targets: Internet security information and research Web sites. Hackers in the last week have been creating exact clones of Internet security Websites using proxies, DNS (domain name server) spoofing or redirection, and dedicated denial-of-service (DDoS) attacks.

It should not surprise anyone to realize Internet security research, forums, and information Websites are attacked on a regular or even daily basis. Mostly it is nuisance spam, bogus log-in attempts, or hack attempts to gain entry to the administrator side, and in more intense cases, DDoS.

But this cloning approach emerged from investigation only in the last week. To begin with, there was the discovery purely by accident, of an exact clone of the HostExploit Website. After further investigation, it was discovered this was not an isolated case, with one server hosting clones of security sites like avertlabs.com (McAfee), isc.sans.org, milw0rm.com, nmap.org, packetstormsecurity.org, secunia.com, securiteam.com, securityfocus.com, securityreason.com, thedarkvisitor.com, www-935.ibm.com (IBM), and xforce.iss.net (IBM).

In itself this was a worrying discovery, if simply viewed from content theft, hijacked traffic, click through, SSL forgery, PayPal information, and RSS links etc., of relatively high-traffic security sites. However, in parallel to the emergence of these clones commencing on Friday and over the weekend, several of the real sites listed as clones and a few others -- Metasploit, Zone-H, and Kaspersky -- were under hacker or DDoS attack, and in some cases a mixture of the two. For a while a couple sites were completely unavailable for a day or so, and one or two are still under a continuous DDoS attack.

Working off limited data from server logs and network traffic, at least a couple of the attacks originated from Poland (AS5617 TPNET); Romania (AS 9050 Romtelecom, AS39650 VIANET); Russia (JSC servers funneled via RTcomm, and Rostelecom via AS9002 RETN); and Turkey (AS9121 TTNet, AS8386 KOCNET). Many of these servers appear regularly on lists of the worst European offenders for hosting spam and exploits, according to the German-based anti-spam service UCEprotect.

I must emphasize here that there's no proven link between the appearances of the clones and this weekend's attacks. This could be a simple coincidence, but as Edmund Burke said. "Better be despised for too anxious apprehensions, than ruined by too confident security." It does leave the open question, if by hacking and DDoS, the real security Websites were offline the only source available could be the clones. It is by a simple step to include by DNS redirection, cookie plants, and other exploits, to ensure visitors went to and continued to visit the false, cloned sites.

Consider the mayhem that could be caused by providing bad file downloads and misinformation using these sorts of exploits, botnets, and spam, or even distorting the core news and advisories this sector, its enterprise customers and the press depend upon. Worst of all, even without any changes from the real sites, the data gathered from all those misdirected, security-minded visitors would be hugely valuable.

Obviously the intended outcome of the attacks and the clones is to damage reputations, create distrust, and ultimately make it easier for cyber-criminals to operate. The good news is thanks to swift action, these discovered clones and the hacker site serving them are offline. This is certainly not the last we will see of this approach.