Description
First, it attacks a vulnerability in the Microsoft Server service. Computers without the October patch can be remotely attacked and taken over.
Second, Conficker can attempt to guess or 'brute force' Administrator passwords used by local networks and spread through network shares.
And third, the worm infects removable devices and network shares with an autorun file that executes as soon as a USB drive or other infected device is connected to a victim PC.
Conficker and other worms are typically of most concern to businesses that don't regularly update the desktops and servers in their networks. Once one computer in a network is infected, it often has ready access to other vulnerable computers in that network and can spread rapidly.
Home computers, on the other hand, are usually protected by a firewall and are less at risk. However, a home network can suffer as well. For example, a laptop might pick up the worm from a company network and launch attacks at home.
The Kido worm, also known as Downadup, Downup and Conficker, is continuing to spread more rapidly than ever, even though it is already several months since it was first spotted. More than 9 million PCs have been infected, and Panda Security is reporting infection rates of 6% among two million computers scanned via its website. China (the probable country of origin) is the most infected.
Downadup or Kido is remarkable in its sophistication. It can infect computers even if the Autoplay feature is disabled for USB devices, by pretending to be a folder. It spreads via the network as well as USB devices (pen drives, MP3 players etc.). It resets your system restore points, disables Windows Update, Windows Defender and Windows Security Center, and even manipulates certain TCP settings to block access to security websites. It is also known to change access permissions. New variants even disable the firewall and may interfere with antivirus scans.
As soon as any removable drive is inserted, it creates a file called autorun.inf and a folder RECYCLED (commonly used by the system to store Recycle Bin files). It then creates another file, {SID<....>}RANDOM_NAME.vmx, inside the RECYCLED folder. Most antivirus software would be able to detect this *.vmx file, but once a system is infected it won't be able to eliminate the worm properly (so you end up with a new detection every time you insert a USB device).
Like most worms, once Kido infects a machine it calls home and may download malicious files to the infected computer. What is really interesting is that Kido uses a complicated algorithm to create a large list of new domain names every day. The script to be downloaded may be hosted on any one of these domain names, making things even harder for the good guys. Kido also launches a brute-force dictionary attack in order to guess the administrator password. Hence, it would be a good idea to change your administrator password to a non-dictionary word right now.
The Kido worm has been dubbed an epidemic and is the biggest worm epidemic in recent years. And it is still evolving. Kaspersky is reporting that new variants have been spotted which further enhance the original worm's functionality. The new variants generate as many as 50,000 domain names every day (compared to 250 in the older variants) from which they can download updates.
How to check whether your system is infected
Go to http://update.microsoft.com/microsoftupdate to verify your settings and check for updates.
If you can't access it, try any antivirus site, for example
http://www.symantec.com
or
http://www.kaspersky.com
If you are not able to access the above sites while your connection works fine with Yahoo and Orkut, then your system may be infected with the Conficker/Kido virus.
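The manual check above can be scripted. This is an added example, not code from the original post or from any vendor: it probes the three sites named above plus two control hosts over TCP port 80 and applies the same heuristic (security sites unreachable while ordinary sites work). It also reports which entries from the worm's block list (the strings listed further down this page) a host name would match; the control host names and the assumption that the worm matches case-insensitive substrings of the whole host name are mine.

```python
import socket

# Substrings this page lists as blocked by Conficker. Assumption: the worm
# applies a case-insensitive substring match to the whole host name.
BLOCKED_SUBSTRINGS = (
    "ahnlab", "arcabit", "avast", "avg", "avira", "avp", "bit9", "ca",
    "castlecops", "centralcommand", "cert", "clamav", "comodo", "computerassociates",
    "cpsecure", "defender", "drweb", "emsisoft", "esafe", "eset", "etrust", "ewido",
    "fortinet", "f-prot", "f-secure", "gdata", "grisoft", "hacksoft", "hauri", "ikarus",
    "jotti", "k7computing", "kaspersky", "malware", "mcafee", "microsoft", "nai",
    "networkassociates", "nod32", "norman", "norton", "panda", "pctools", "prevx",
    "quickheal", "rising", "rootkit", "sans", "securecomputing", "sophos", "spamhaus",
    "spyware", "sunbelt", "symantec", "threatexpert", "trendmicro", "vet", "virus",
    "wilderssecurity", "windowsupdate",
)

# The security sites from the manual check above; the control hosts are my choice.
SECURITY_HOSTS = ("update.microsoft.com", "www.symantec.com", "www.kaspersky.com")
CONTROL_HOSTS = ("www.yahoo.com", "www.google.com")


def blocked_matches(hostname):
    """Return the listed substrings that would make the worm block this host.
    Short entries such as 'ca', 'nai' and 'vet' also hit unrelated names."""
    name = hostname.lower()
    return [s for s in BLOCKED_SUBSTRINGS if s in name]


def probe(hostname, port=80, timeout=3.0):
    """True if a TCP connection to hostname:port succeeds (DNS lookup included)."""
    try:
        with socket.create_connection((hostname, port), timeout=timeout):
            return True
    except OSError:
        return False


def classify(results):
    """results maps host -> reachable (bool). Hosts that match the block list are
    treated as security sites, the rest as controls, then the page's rule is applied."""
    control_ok = all(results[h] for h in results if not blocked_matches(h))
    security_down = [h for h in results if blocked_matches(h) and not results[h]]
    if not control_ok:
        return "inconclusive: general connectivity problem"
    if security_down:
        return "suspicious: security sites unreachable: " + ", ".join(security_down)
    return "no sign of the blocking behaviour"


if __name__ == "__main__":
    hosts = SECURITY_HOSTS + CONTROL_HOSTS
    print(classify({h: probe(h) for h in hosts}))
```

A "suspicious" result only shows the symptom; confirm with a scanner or the registry indicators described further down, since a corporate proxy or filter can produce the same pattern.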
Technical details of Conficker:
Installation
Upon execution, Downadup creates copies of itself in:
• %System%\[Random].dll
• %Program Files%\Internet Explorer\[Random].dll
• %Program Files%\Movie Maker\[Random].dll
• %All Users Application Data%\[Random].dll
• %Temp%\[Random].dll
• %System%\[Random].tmp
• %Temp%\[Random].tmp
* Note: [Random] represents a randomly generated name.
Each file's timestamp is amended to match the timestamp of the %System%\kernel32.dll file. The worm then creates autorun entries in the registry, which ensure that a copy of the worm is executed at every system startup.
The worm then attaches itself to the following processes:
• svchost.exe
• explorer.exe
• services.exe
Effects
Conficker.C is designed to spread by exploiting a vulnerability in the Windows Server service which allows remote code execution: the MS08-067 vulnerability.
Additionally, Conficker.C carries out the following actions:
* It checks the system date against the following web addresses:
Ask.com
Google.com
Baidu.com
Yahoo.com
W3.org
and if the system date is after January 1, 2009, it will attempt to connect to a website in order to download a malicious executable file. The website to which it connects varies depending on the system date.
* It disables the following services:
- Windows Update, disabling Windows updates.
- BITS (Background Intelligent Transfer Service), the service used to transfer Windows files.
- Error Reporting Service, which sends Microsoft information about errors occurring in the operating system, Windows components and programs.
* It prevents the user and the computer from connecting to the websites that contain any of the following text strings:
ahnlab, arcabit, avast, avg, avira, avp, bit9, ca, castlecops, centralcommand, cert, clamav, comodo, computerassociates, cpsecure, defender, drweb, emsisoft, esafe, eset, etrust, ewido, fortinet, f-prot, f-secure, gdata, grisoft, hacksoft, hauri, ikarus, jotti, k7computing, kaspersky, malware, mcafee, microsoft, nai, networkassociates, nod32, norman, norton, panda, pctools, prevx, quickheal, rising, rootkit, sans, securecomputing, sophos, spamhaus, spyware, sunbelt, symantec, threatexpert, trendmicro, vet, virus, wilderssecurity, windowsupdate
As these are security-related websites, antivirus programs cannot be updated and the user cannot access the information on these pages.
* It modifies the security policies of the user accounts. In order to access the user accounts, it uses the following weak passwords:
0123456789
00000, 0000000, 00000000, 0987654321, 11111, 111111, 1111111, 11111111, 123123, 12321, 123321, 12345, 123456, 1234567, 12345678, 123456789, 1234567890, 1234abcd, 1234qwer, 123abc, 123asd, 123qwe, 1q2w3e, 22222, 222222, 2222222, 22222222, 33333, 333333, 3333333, 33333333, 44444, 444444, 4444444, 44444444, 54321, 55555, 555555, 5555555, 55555555, 654321, 66666, 666666, 6666666, 66666666, 7654321, 77777, 777777, 7777777, 77777777, 87654321, 88888, 888888, 8888888, 88888888, 987654321, 99999, 999999, 9999999, 99999999.
A: a1b2c3, aaaaa, abc123, academia, access, account, Admin, admin, admin1, admin12, admin123, adminadmin, administrator, anything, asddsa, asdfgh, asdsa, asdzxc.
B: backup, boss123, business.
C: campus, changeme, cluster, codename, codeword, coffee, computer, controller, cookie, customer.
D: database, default, desktop, domain.
E: example, exchange, explorer.
F: files, foobar, foofoo, forever, freedom.
G: games.
H: home123.
I: ihavenopass, Internet, internet, intranet.
K: killer.
L: letitbe, letmein, Login, login, lotus, love123.
M: manager, market, money, monitor, mypass, mypassword, mypc123.
N: nimda, nobody, nopass, nopassword, nothing.
O: office, oracle, owner.
P: pass1, pass12, pass123, passwd, Password, password, password1, password12, password123, private, public, pw123.
Q: q1w2e3, qazwsx, qazwsxedc, qqqqq, qwe123, qweasd, qweasdzxc, qweewq, qwerty, qwewq.
R: root123, rootroot.
S: sample, secret, secure, security, server, shadow, share, student, super, superuser, supervisor, system.
T: temp123, temporary, temptemp, test123, testtest.
U: unknown.
W: windows, work123.
X: xxxxx.
Z: zxccxz, zxcvb, zxcvbn, zxcxz, zzzzz.
Infection strategy
Conficker.C creates a random DLL in the Windows system directory. This file is created with system, read-only and hidden attributes.
It also creates a file with random name and VMX extension in the folder RECYCLER\%random name% of all the shared and removable drives of the computer. It is copied with system, read-only and hidden attributes. Additionally, it creates an AUTORUN.INF file in these drives. This way, it is run whenever any of them is accessed.
It also creates a scheduled task in the Tasks folder of the Windows directory in order to start its execution periodically.
Conficker.C creates the following entries in the Windows Registry:
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
%random name% = rundll32.exe %drive letter%\RECYCLER\%random name%\%random filename%.vmx
By creating this entry, Conficker.C ensures that it is run whenever Windows is started.
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
TcpNumConnections = 0x00FFFFFE
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs
Image Path = %sysdir%\svchost.exe -k netsvcs
* HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters
ServiceDll = %name of the drive%\RECYCLER\%random name%\%random filename%.vmx
By creating these two entries, it is registered as a service.
Conficker.C modifies the following entries from the Windows Registry in order to make its detection more difficult:
* HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 1
It changes this entry to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL
CheckedValue = 0
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 1
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
SuperHidden = 0
* HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 1
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 0
This keeps files and folders that carry the hidden attribute from being displayed.
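The registry entries above can be turned into a check a defender runs on a suspect machine. This is an added example, not code from the page's sources: evaluate() flags a snapshot that contains the values the page attributes to Conficker.C, and collect_snapshot() reads the same keys on a live Windows host through the standard winreg module. The snapshot layout (key path mapped to its values) is this example's own convention.

```python
import re

# Registry locations and values this page attributes to Conficker.C. The snapshot
# format (dict: key path -> {value name: data}) is this example's own convention.
HIDDEN_POLICY = (
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL", "CheckedValue"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "SuperHidden"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden"),
)
TCPIP = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
NETSVCS = r"HKLM\SYSTEM\CurrentControlSet\Services\netsvcs\Parameters"
RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
VMX_PATH = re.compile(r"RECYCLER\\.+\.vmx", re.IGNORECASE)  # the worm's copy on a drive

def evaluate(snapshot):
    """Return human-readable findings for the indicators present in a snapshot."""
    findings = []
    for key, name in HIDDEN_POLICY:
        if snapshot.get(key, {}).get(name) == 0:
            findings.append(f"{key}\\{name} is 0: hidden files stay hidden")
    if snapshot.get(TCPIP, {}).get("TcpNumConnections") == 0x00FFFFFE:
        # Weak on its own (an explicit value can be set for other reasons); corroborate.
        findings.append("TcpNumConnections explicitly set to 0x00FFFFFE")
    dll = str(snapshot.get(NETSVCS, {}).get("ServiceDll", ""))
    if VMX_PATH.search(dll):
        findings.append(f"'netsvcs' service loads {dll}")
    for name, cmd in snapshot.get(RUN, {}).items():
        if "rundll32" in str(cmd).lower() and VMX_PATH.search(str(cmd)):
            findings.append(f"Run entry {name!r} launches {cmd}")
    return findings

def collect_snapshot():
    """Read the same keys on a live Windows host (winreg exists only on Windows)."""
    import winreg
    hives = {"HKLM": winreg.HKEY_LOCAL_MACHINE, "HKCU": winreg.HKEY_CURRENT_USER}
    snapshot = {}
    for path in [k for k, _ in HIDDEN_POLICY] + [TCPIP, NETSVCS, RUN]:
        hive, sub = path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive], sub) as k:
                count = winreg.QueryInfoKey(k)[1]  # number of values under the key
                snapshot[path] = dict(winreg.EnumValue(k, i)[:2] for i in range(count))
        except OSError:
            pass  # key absent: nothing to report for it
    return snapshot

if __name__ == "__main__":
    for line in evaluate(collect_snapshot()) or ["no Conficker.C registry indicators found"]:
        print(line)
```

Run it from an account that can read HKLM; a clean host prints nothing but the final message, and each finding names the key to inspect before following the removal steps later on this page.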
Means of transmission
Conficker.C spreads by exploiting the vulnerability called MS08-067, which is a vulnerability in the Windows server service. In order to do so, it sends malformed RPC requests to other computers. If any of them is vulnerable, it will download a copy of the worm to the system.
Additionally, Conficker.C also spreads through the system drives, both shared and removable, making copies of itself in them. It also creates an AUTORUN.INF file in order to be run whenever any of them is accessed.
Here are the Symantec, Panda and McAfee reports:
Discovered: November 21, 2008
Updated: July 9, 2010 9:15:40 AM
Also Known As: Win32/Conficker.A [Computer Associates], W32/Downadup.A [F-Secure], Conficker.A [Panda Software], Net-Worm.Win32.Kido.bt [Kaspersky], WORM_DOWNAD.AP [Trend], W32/Conficker [Norman]
Type: Worm
Infection Length: Varies
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP
W32.Downadup, also known as Conficker by some news agencies and antivirus vendors, is an extremely interesting piece of malicious code and one of the most prolific worms in recent years. It has an extremely large infection base (estimated to be upwards of 3 million computers) that has the potential to do a lot of damage. This is largely attributed to the fact that it is capable of exploiting computers that are running unpatched Windows XP SP2 and Windows 2003 SP1 systems. Other worms released over the past few years have largely targeted older system versions, which have an ever decreasing distribution.
Infection
W32.Downadup spreads primarily by exploiting the Microsoft Windows Server Service RPC Handling Remote Code Execution Vulnerability, which was first discovered in late October 2008. It scans the network for vulnerable hosts, but instead of flooding the network with traffic, it selectively queries various computers in an attempt to mask its traffic. It also takes advantage of Universal Plug and Play to pass through routers and gateways.
It also attempts to spread to network shares by brute-forcing commonly used network passwords and by copying itself to removable drives.
Functionality
It has the ability to update itself or receive additional files for execution. It does this by generating a large number of new domains to connect to every day. The worm may also receive and execute files through a peer-to-peer mechanism by communicating with other compromised computers, which are seeded into the botnet by the malware author.
The worm blocks access to predetermined security-related websites so that it appears that the network request timed out. Furthermore, it deletes registry entries to disable certain security-related software, prevent access to Safe Mode, and to disable Windows Security Alert notifications.
Panda Antivirus says:
Common name: Conficker.C
Technical name: W32/Conficker.C.worm
Threat level: High
Alias: W32.Downadup, Net-Worm.Win32.Kido.cn, WORM_DOWNAD.AD
Type: Worm
Effects:
It exploits the vulnerability MS08-067 in the Windows Server Service in order to spread itself. It also spreads through shared and removable drives. It reduces considerably the protection level of the computer, modifies the security policies of the user accounts and attempts to download another type of malware to the affected computer.
Affected platforms:
Windows 2003/XP/2000/NT/ME/98/95
First detected on: Dec. 31, 2008
Detection updated on: Dec. 22, 2010
Statistics: Yes
Proactive protection: Yes, using TruPrevent Technologies
Protection
The most critical and obvious protection is to make sure the Microsoft patch is applied. Network administrators can also use a blocklist provided by F-Secure to try and stop the worm's attempts to connect to Web sites.
First and foremost, take care of the system yourself.
Downadup copies itself to removable drives as a random file name and also copies an autorun.inf file to the drive so that it runs every time the drive is inserted into a computer. It also uses a social engineering technique to trick the user into running the file. The malware author makes the executable worm file look like an innocent folder. Unsuspecting users will then double click on the folder icon thinking that it indeed is a folder, rather than the executable file that it is.
Most users just double-click on the pop-up box that appears when they insert a removable drive into a computer without reading the pop-up box carefully. But even savvy computer users who read the pop-up box carefully may still be misled into thinking that they are opening a folder instead of actually running a file.
So be sure that you don't click on any autorun file, or better, disable autorun on your system for all drives. Check out the link if you don't know how to do that:
http://techtalkindia.blogspot.com/2011/02/disable-autorun-file-protect-your.html
If your computer does not have an up-to-date antivirus solution, or does not have an antivirus solution at all, you can either use a special removal tool (which can be found here) or follow the instructions below:
Delete the following system registry key:
[HKLM\SYSTEM\CurrentControlSet\Services\netsvcs]
Delete “%System%\.dll” from the system registry key value shown below:
[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost]
"netsvcs"
Reboot the computer.
Delete the original worm file (the location will depend on how the program originally penetrated the victim machine).
Delete copies of the worm:
%System%\dir.dll
%Program Files%\Internet Explorer\.dll
%Program Files%\Movie Maker\.dll
%All Users Application Data%\.dll
%Temp%\.dll
%System%\tmp
%Temp%\.tmp
is a random string of symbols.
Delete the files shown below from all removable storage media:
:\autorun.inf
:\RECYCLER\S-<%d%>-<%d%>-%d%>-%d%>-%d%>-%d%>-%d%>\.vmx,
To remove Conficker with a removal tool, check out the following URLs to download Downadup/Conficker remover tools:
Symantec W32.Downadup Removal Tool
http://www.symantec.com/content/en/us/global/removal_tool/threat_writeups/FixDownadup.exe
F-Secure Malware Removal Tool:
ftp://ftp.f-secure.com/anti-virus/tools/beta/f-downadup.zip
Microsoft’s Malicious Software Removal tool:
http://www.microsoft.com/downloads/details.aspx?FamilyId=AD724AE0-E72D-4F54-9AB3-75B8EB148356&displaylang=en
Conficker removal applications may be updated regularly so that they keep removing new variants of this worm. Make sure to check the respective developers' sites for these removal tools.
Courtesy:
The above information was collected from almost 100s of sites, so I can't type each link here. Most of the information is from Microsoft, Symantec, F-Secure, McAfee, Panda, experts-exchange.com, CNET, PCWorld and also a few blogs.