2009-02-19

Are you a Conficker Zombie?

With the advent of Conficker, avoiding becoming one of the now estimated 20 million or so zombie recruits of the botnet armies requires ongoing awareness. At the very least we need to be personally alert, to make life difficult for the cyber criminals. If you are reading this article on a Microsoft Windows PC and you have not updated your XP or Vista operating system since October 2008, there is a reasonable chance that you, or rather your PC, are a zombie.

Before we get the usual smirks and responses from Mac and Linux users, stressing how safe they are and that it is all Microsoft's fault: the now commonplace blended attacks, whose sole purpose is to add your PC to the zombie botnet armies, are designed to gain control regardless of operating system. MS Windows, Mac, Linux, iPhone and iPod all have a "hosts file", which lets you, a webmaster or a network administrator map a host name directly to a chosen IP address, bypassing DNS. If you can do that, guess who else could edit your hosts file; more on this below.

Here are a couple of examples that show the sophistication of the latest blended attacks; the first also serves as the latest clue for Conficker bounty hunters.

Fig 1 - Conficker (ref: Internetpol.fr)

Gone are the days when the simple diagnostic for an infected PC or zombie was an overheating machine and a marked drop in speed. The Conficker agent checks for the presence of a firewall and asks it to open a port to the Internet, a backdoor through which it then downloads its payload. Interestingly, the early version checks whether the target has a Ukrainian IP address and also whether a Ukrainian keyboard layout is installed, and if either is present it stops the infection. Once a PC is infected the worm sleeps, waking only every 3-4 hours to (quietly) call home for its latest instructions and IP addresses.
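That regular call-home interval is something a practitioner can look for in proxy or firewall logs even when the PC itself shows no symptoms. The script below is an added example in Python, not code from the original post: it groups connections by client and destination and flags pairs whose inter-connection gaps are nearly constant, which catches any fixed beacon interval, not just the 3-4 hour one described above. The log lines are constructed for the illustration, and the 5% jitter threshold and the minimum of four hits are assumptions to tune for your own environment.

```python
"""Spot hosts that call out to the same destination at a near-constant interval.

Added illustration, not code from the original post. The proxy-style log
lines (timestamp, client, destination) are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample: 10.0.0.7 contacts one host every ~3 hours with a few
# seconds of jitter; 10.0.0.9 browses irregularly, as a person would.
SAMPLE_LOG = """\
2009-02-18T00:05:12 10.0.0.7 update.example-cdn.test
2009-02-18T00:06:40 10.0.0.7 news.example.test
2009-02-18T03:05:09 10.0.0.7 update.example-cdn.test
2009-02-18T06:05:14 10.0.0.7 update.example-cdn.test
2009-02-18T09:05:11 10.0.0.7 update.example-cdn.test
2009-02-18T12:05:13 10.0.0.7 update.example-cdn.test
2009-02-18T01:10:00 10.0.0.9 news.example.test
2009-02-18T01:12:31 10.0.0.9 mail.example.test
2009-02-18T07:45:02 10.0.0.9 news.example.test
2009-02-18T13:02:55 10.0.0.9 news.example.test
2009-02-18T14:30:00 10.0.0.9 news.example.test
"""


def parse_log(log):
    """Yield (client, destination, timestamp) for every non-blank line."""
    for line in log.splitlines():
        if not line.strip():
            continue
        stamp, client, dest = line.split()
        yield client, dest, datetime.fromisoformat(stamp)


def find_beacons(log, min_hits=4, max_jitter=0.05):
    """Return {(client, dest): interval_hours} for pairs that recur on a
    near-fixed schedule: at least min_hits connections whose gaps vary by
    no more than max_jitter (standard deviation relative to the mean gap)."""
    seen = defaultdict(list)
    for client, dest, stamp in parse_log(log):
        seen[(client, dest)].append(stamp)

    beacons = {}
    for key, stamps in seen.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        average = mean(gaps)
        if average > 0 and pstdev(gaps) / average <= max_jitter:
            beacons[key] = round(average / 3600, 2)
    return beacons


if __name__ == "__main__":
    for (client, dest), hours in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {dest}: every {hours} h")
```

On the sample above only 10.0.0.7 talking to update.example-cdn.test is reported, at 3.0 hours; the human-looking browsing from 10.0.0.9 has four hits too but its gaps are far too irregular. Real bots deliberately add jitter to their sleep time, so in practice you widen max_jitter and compensate by demanding more hits over a longer window.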

Another recent example is "Virux" (see the PE_VIRUX variants described by Trend Micro).

Fig 2 - Virux (ref: Trend Micro)

Here Virux infects the PC via the browser and phones home over IRC (Internet Relay Chat) servers for botnet control instructions. There is some dispute as to whether Virux is another variant from the same stable as Conficker, given the similarity of attack vectors, or just an update of the older "Virut" file infector, which gained notoriety back in November 2008 for exploiting a vulnerability in Adobe Reader. Both examples, Conficker and Virux, block access to security websites and anti-virus downloads. Both also use sophisticated IP geolocation, partly to serve further exploits appropriate to the victim's location and, more importantly, for cyber-criminal affiliate sales: for example the resale or rental of just the botnet's PCs on the US West Coast, or in Australia, and so on.

Now for the good news: all of the above should alarm the average reader, but most of it can and should be avoided. Both examples spread through network shares, weak passwords, and the bad guys' use of autorun.inf files copied to USB drives and other removable media. So apply the latest operating system updates, keep your anti-virus current, disable autorun for removable media, and upgrade to Adobe Reader 9.0. It is also still surprising that anyone, whether an individual or a company, would not use the free "OpenDNS" service, which you can set to block phishing, adware and many of these other nuisances.

For a really simple check, how is your "hosts file"? For the wider details, see Tom Olzak's excellent article here. For MS Windows users it is really simple: in Windows Explorer go to c:\windows\system32\drivers\etc and open the hosts file in Notepad. Lines starting with # are comments and can be ignored; beyond those, a clean file contains only "127.0.0.1 localhost" (Vista also adds "::1 localhost" for IPv6). If you see anything else, ask yourself why, or, more worryingly, whether you are already a botnet zombie. Scroll all the way to the bottom before deciding the file is clean, because extra entries are sometimes tucked below a long run of blank lines. Bear in mind that a clean hosts file does not prove a clean PC: it only rules out one crude way of blocking security sites, so treat it as a first check rather than a verdict.
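Two of the points above, that both worms block access to security and anti-virus sites, and that the hosts file is the simplest place to look, can be turned into a small audit that reads the whole file rather than relying on eyeballing it in Notepad. The script below is an added example in Python, not code from the original post or from Tom Olzak's article. It parses a hosts file, skips the localhost entries a clean file is expected to have, and reports every other name pinned to loopback (with a separate flag when the name looks like a security vendor, using an illustrative substring list you should extend) or redirected to some other address. The sample hosts content is constructed, including the blank-line padding trick mentioned above.

```python
"""Audit a hosts file for entries that blackhole or redirect host names.

Added example, not from the original post. The sample hosts content is
constructed, and SECURITY_VENDOR_HINTS is an illustrative list to extend.
"""
import os

# Addresses that make a name unreachable rather than redirecting it.
BLACKHOLE_IPS = {"127.0.0.1", "::1", "0.0.0.0"}
# Names a clean file legitimately maps to loopback.
EXPECTED_LOCAL = {"localhost", "localhost.localdomain"}
# Substrings of anti-virus and update sites an infection typically blocks (assumed list).
SECURITY_VENDOR_HINTS = ("symantec", "mcafee", "trendmicro", "kaspersky",
                         "sophos", "avast", "microsoft", "windowsupdate")

# Constructed sample: a clean header, then 40 blank lines, then the bad entries.
SAMPLE_HOSTS = """\
# Sample hosts file (constructed)
127.0.0.1       localhost
::1             localhost
""" + "\n" * 40 + """\
127.0.0.1   liveupdate.symantec.com  www.symantec.com
127.0.0.1   update.microsoft.com
127.0.0.1   ads.example-stats.test   # a deliberate ad-blocking entry
203.0.113.5  www.mybank.example
"""


def parse_hosts(text):
    """Yield (ip, [names]) per entry, dropping comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2:
            yield fields[0], fields[1:]


def audit_hosts(text):
    """Return (reason, ip, name) findings for every entry a clean file would not have."""
    findings = []
    for ip, names in parse_hosts(text):
        for name in names:
            lname = name.lower()
            if ip in BLACKHOLE_IPS and lname in EXPECTED_LOCAL:
                continue  # the only mappings a clean file is expected to contain
            if ip in BLACKHOLE_IPS:
                if any(hint in lname for hint in SECURITY_VENDOR_HINTS):
                    findings.append(("blocks security site", ip, name))
                else:
                    findings.append(("blackholed", ip, name))
            else:
                findings.append(("redirected", ip, name))
    return findings


def system_hosts_path():
    """Location of the live hosts file on this platform."""
    if os.name == "nt":
        return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                            "System32", "drivers", "etc", "hosts")
    return "/etc/hosts"


if __name__ == "__main__":
    with open(system_hosts_path(), encoding="utf-8", errors="replace") as fh:
        findings = audit_hosts(fh.read())
    for reason, ip, name in findings:
        print(f"{reason:22} {ip:16} {name}")
    print(f"{len(findings)} entries need explaining")
```

Run as-is it audits the live hosts file on Windows, Mac or Linux, which is the point made earlier that every one of these systems has one. A "blackholed" entry can be perfectly innocent (people do block ad servers this way), so the output is a list of things to explain, not a verdict; a "redirected" entry for a bank or webmail name, on the other hand, is a pharming setup and warrants immediate attention.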