mysec Premium join:2005-11-29 kudos:4 | reply to art22gg
Re: Major Attack April Fools Day--Conficker "C" Worm
said by art22gg: Conficker.C Worm - Major Attack targeted for April Fools Day
Conficker is certainly a welcome story for the media since it is much more sensational than a PDF exploit.
Only one of the first five links you post will open because the URLs are truncated, so I don't know which article has this quote:
QUOTE: Just when you might have thought it was safe to start using USB flash drives at work again, the third, and by all accounts, most fiendish version of the Conficker worm that's infected millions of PCs already is set to attack on April 1st, Ars Technica reports.
Evidently the author is not aware that this latest variant does not spread as the others do; rather, it is installed as an "update" on systems already infected with an earlier variant.
You cited this source, but left out this important point:
Conficker C Analysis »mtc.sri.com/Conficker/addendumC/
The variant was brought to the attention of the Conficker Working Group when one member reported that a compromised Conficker B honeypot was updated with a new dynamically linked library (DLL). Since that point, multiple members have reported upgrades of previously infected machines to this latest variant via HTTP-based Internet rendezvous points.
As for Microsoft, their numbering of the variants is different: when B++ was identified, MS labeled it "C", so the latest variant everyone is calling "C" is labeled "D" by MS:
Protect yourself from the Conficker computer worm »www.microsoft.com/protect/comput···ker.mspx
Win32/Conficker.A was reported to Microsoft on November 21, 2008.
Win32/Conficker.B was reported to Microsoft on December 29, 2008.
Win32/Conficker.C was reported to Microsoft on February 20, 2009.
Win32/Conficker.D was reported to Microsoft on March 4, 2009.
Worm:Win32/Conficker.D »www.microsoft.com/security/porta···ficker.D
Also Known As:
Win32/Conficker.worm.88064 (AhnLab)
Win32.Worm.Downadup.Gen (BitDefender)
Win32/Conficker.C (CA)
Win32/Conficker.X (ESET)
Trojan.Win32.Pakes.ngs (Kaspersky)
W32/Conficker.worm.gen.c (McAfee)
W32/Conficker.D.worm (Panda)
W32/Confick-G (Sophos)
W32.Downadup.C (Symantec)
This variant does not spread to removable drives or shared folders across a network and is installed by previous variants of Win32/Conficker.
Other variants of Win32/Conficker infect computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE)... It may also spread via removable drives and weak administrator passwords.
Another quote you cite:
The Conficker worm is one of the most dangerous malware threats in years, especially for corporate users. A new "C" variant has been developed that's even more potent and stealthier than the two prior variants. It's imperative that Microsoft's MS08-067 patch be applied to all servers and workstations, while the worm is currently dormant.
Please take precautions now, as this one will be even more difficult than "B" was to clean.
Again, a misunderstanding about Variant C. If "B" has already been cleaned, then the system won't get "C" unless it is reinfected with "B" and then updated to "C".
Conficker timeline 2008 - 2009 »lastwatchdog.com/evolution-confi···ng-worm/
mid Jan. to early Feb. Conficker A and Conficker B population of machines explodes, grabbing news headlines.
Feb. Conficker B++ begins spreading; it adds new ways to spread, as well as new techniques to preserve infected PCs.
Mar. 5. Conficker C begins updating all PCs infected with Conficker B and B++.
Apr. 1. All PCs updated with Conficker C are scheduled to begin checking 500 rendezvous points randomly selected from 50,000 web addresses for further instructions.
________________________________________________________________
said by veunad: I found this quote to be interesting, as that is a doozy of a variant... Hate to see what else they may be working on. I'm in IT for a mid-sized organization and my job is tough enough...
I would think your job would be quite easy if you've installed the MS patch, your CEO let you disable AutoRun, and you installed robust execution prevention that would block the DLL from any attack vector. Variants "A" and "B" would fail to install. End of worries, job not so tough!
________________________________________________________________
For home users, this should have been a NO-THREAT from day one.
Using the timeline above:
• Conficker.A attacked through open ports. A properly configured firewall would have prevented access, patch or no patch.
• Conficker.B attacked via USB using Autorun.inf. Did no one learn the lesson from the previous Digital Picture Frame exploits, which used AutoRun.inf? Extensive threads in this and other forums covering AutoRun have provided much helpful information.
When Conficker made the news, how many here contacted everyone they know to ensure that the above protective measures were in place?
Finally, the payload itself: a DLL file, which is an executable file. With all of the many discussions on execution prevention, running as a basic User, Software Restriction Policies -- there are so many ways of stopping this payload, which copies itself to %System%.
Will your protection block an unauthorized DLL from loading? I created a simple test using a macro in an MS Word document to load hmmapi.dll, which launches Windows Live. On my WinXP workstation, I used the Win2K version of the DLL, which is not whitelisted:
Without prevention against unauthorized executables, the DLL loads and launches IExplore.exe:

With such protection the DLL is blocked from loading:

You can use an Autorun.inf file with this command, which you can test yourself:
shellexecute=Rundll32.exe hmmapi.dll,MailToProtocolHandler %1
Download a version of this DLL which is different from yours and put it on your USB drive with the autorun.inf file and see if it blocks:

If you are set up to block unauthorized executables then the executable payload fails to install no matter what.
Conficker has become a soap opera with everyone eagerly anticipating the next installment. The first episode should never have made it to the screen in the first place.
---- rich
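The post's point about Autorun.inf as the Conficker.B delivery vector can be turned into a simple on-disk check. The following is an added example written for this page, not code from the post, from rich, or from any tool named above: it parses an autorun.inf file and flags the [autorun] directives that cause code to run when a drive is inserted (open, shellexecute and shell\verb\command), and notes when the command invokes a loader host such as Rundll32.exe, which is how a bare DLL payload like the one in the post gets executed. The two sample files embedded below are constructed for the example; the malicious one reuses the shellexecute line quoted in the post. The function names are the example's own.

```python
"""Flag auto-execution directives in autorun.inf files (added example)."""
import configparser
import re

# [autorun] keys that run a program on insertion (Windows AutoRun handling).
EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command entries add context-menu / default actions that run a program.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$")
# Hosts commonly used to execute a DLL or script passed as an argument.
LOADER_RE = re.compile(
    r"\b(rundll32|regsvr32|mshta|wscript|cscript|cmd|powershell)(\.exe)?\b",
    re.IGNORECASE,
)


def find_exec_directives(text):
    """Return a list of findings, one per directive that would execute code.

    Each finding is a dict with the lowercased key, its raw value and a
    'loader' flag set when the value invokes a loader host (rundll32 etc.).
    An unparseable file yields a single finding with key '<parse-error>',
    since deliberately malformed autorun.inf files are themselves a warning sign.
    """
    parser = configparser.ConfigParser(
        interpolation=None,      # keep '%1' and similar literal
        allow_no_value=True,     # tolerate junk lines without '='
        strict=False,            # tolerate duplicate keys
        delimiters=("=",),       # autorun.inf only uses '='
    )
    parser.optionxform = str.lower  # autorun keys are case-insensitive
    try:
        parser.read_string(text)
    except configparser.Error as exc:
        return [{"key": "<parse-error>", "value": str(exc), "loader": False}]

    findings = []
    for section in parser.sections():
        if section.lower() != "autorun":  # section name is case-insensitive too
            continue
        for key, value in parser.items(section):
            value = (value or "").strip()
            if key in EXEC_KEYS or SHELL_COMMAND_RE.match(key):
                findings.append({
                    "key": key,
                    "value": value,
                    "loader": bool(LOADER_RE.search(value)),
                })
    return findings


# Constructed sample: the shellexecute line is the one quoted in the post.
MALICIOUS_SAMPLE = """[autorun]
; constructed sample for this example
shellexecute=Rundll32.exe hmmapi.dll,MailToProtocolHandler %1
shell\\open\\command=Rundll32.exe hmmapi.dll,MailToProtocolHandler %1
icon=hmmapi.dll
"""

# Constructed sample: label and icon only, nothing executes.
BENIGN_SAMPLE = """[AutoRun]
label=Vacation photos
icon=photos.ico
"""


if __name__ == "__main__":
    for name, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        hits = find_exec_directives(sample)
        print(f"{name}: {len(hits)} auto-execution directive(s)")
        for hit in hits:
            tag = " [loader host]" if hit["loader"] else ""
            print(f"  {hit['key']} = {hit['value']}{tag}")
```

Run it against an autorun.inf copied off a removable drive; any finding means the drive would run something on insertion if AutoRun is still enabled, and a loader-host hit is the pattern the post's Rundll32 test exercises. The check complements, rather than replaces, disabling AutoRun and blocking unauthorized executables, which stop the payload regardless of what the file says.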