Solved

Conficker Virus

Posted on 2009-03-30
7
1,338 Views
Last Modified: 2013-11-22
Tomorrow the Conficker Virus starts querying 50,000 random domains.

If your computer is configured to use a proxy and you are not able to get access to the Internet directly, e.g. you have to go through the proxy to reach port 80 or 443:

Will Conficker be able to make a connection to the Internet via the proxy? The analysis I have seen seems to indicate that the Conficker code tries to make the connection itself; what is not clear is whether the Microsoft API it uses to make the connection will automatically connect using the proxy details stored on the computer.

Thanks.

-Rowan
0
Comment
Question by:rowansmith
7 Comments
 
LVL 6

Accepted Solution

by:
IKZ earned 500 total points
ID: 24023912
From what I understand, it will connect whether you are using a proxy or not.  Have you read the Microsoft TechNet article on it yet?  If not, let me know and I'll link you to it.  It's pretty informative for everyone :)
0
 
LVL 11

Author Comment

by:rowansmith
ID: 24024121
I have not been able to find anything that says it will use a proxy or that it is capable of using a proxy if the computer is configured for one.

Thanks, please send the article.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24024439
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24024451
Brief cut/paste (synopsis) here, then the source link for more, which I find extremely top notch in terms of information and options:

Effect - Upon infection, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then arranges to load itself thereafter at boot as a system service with a randomly-generated name.
The worm then resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting. Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.

Symptoms -
Account lockout policies being reset automatically.
Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
Domain controllers responding slowly to client requests.
System network becoming unusually congested.
Websites related to antivirus software becoming inaccessible.

http://en.wikipedia.org/wiki/Conficker
Listening when time permits with best wishes - Asta
0
 
LVL 11

Author Comment

by:rowansmith
ID: 24024483
No reference in any of that as to whether it can use a proxy server to reach its Internet Rendezvous Points.
0
 
LVL 23

Expert Comment

by:Mohamed Osama
ID: 24026836
I believe if a proxy is in place, this will stop most of the payload of this variant, as there is also a P2P connection between infected machines and they won't be able to communicate in this case. Theoretically speaking you can pretty much wrap up or tunnel any traffic through a web proxy, but I do not believe the worm author(s) had those machines in mind when designing this worm. I would say it is overkill; however, due diligence is due: updates should still be rolled out, antivirus protection, etc.
http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx

0
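The two network-side signals this thread touches on can both be checked from ordinary perimeter logs: a host on a proxy-only network trying to open web connections to anything other than the proxy, and a host resolving a burst of distinct domains that do not exist (the random-domain behaviour the question opens with). The script below is an added example written for this page, not code from the thread or from any vendor; the log formats, the proxy address, the thresholds and every log line are constructed for illustration, and the thresholds would need tuning to a real network's baseline.

```python
"""Two network-side heuristics for the behaviours discussed in the thread:
hosts opening web connections directly instead of through the mandatory
proxy, and hosts resolving a burst of distinct non-existent domains.
Log formats, addresses and thresholds below are constructed for this
example and are not taken from any real product."""
import re
from collections import defaultdict

PROXY_IP = "10.0.0.8"       # assumed: the only permitted egress path for web traffic
DIRECT_THRESHOLD = 3        # distinct non-proxy web targets before a host is flagged
NXDOMAIN_THRESHOLD = 20     # distinct NXDOMAIN names before a host is flagged

# Constructed firewall log: "<time> <src> -> <dst>:<port> <ALLOW|DENY>"
FW_LOG = """\
08:00:01 10.0.1.15 -> 10.0.0.8:3128 ALLOW
08:00:02 10.0.1.22 -> 10.0.0.8:3128 ALLOW
08:00:05 10.0.1.22 -> 198.51.100.10:80 DENY
08:00:05 10.0.1.22 -> 198.51.100.11:80 DENY
08:00:06 10.0.1.22 -> 203.0.113.40:443 DENY
08:00:07 10.0.1.22 -> 203.0.113.41:80 DENY
08:00:09 10.0.1.15 -> 10.0.0.8:3128 ALLOW
"""
FW_RE = re.compile(r"^(\S+) (\S+) -> (\S+):(\d+) (ALLOW|DENY)$")


def _label(i):
    """Deterministic eight-letter label standing in for a generated domain."""
    return "".join(chr(97 + (i * 7 + j) % 26) for j in range(8))


# Constructed resolver log: "<time> <client> <qname> <rcode>"
DNS_LOG = "\n".join(
    [f"08:01:{i:02d} 10.0.1.22 {_label(i)}.com NXDOMAIN" for i in range(25)]
    + ["08:01:30 10.0.1.15 www.example.com NOERROR",
       "08:01:31 10.0.1.15 typo-site.example NXDOMAIN"]
)
DNS_RE = re.compile(r"^(\S+) (\S+) (\S+) (NOERROR|NXDOMAIN|SERVFAIL)$")


def direct_web_targets(fw_log, proxy_ip=PROXY_IP):
    """Map each source to the number of distinct non-proxy hosts it tried to
    reach on 80/443. ALLOW and DENY both count: on a proxy-only network the
    attempt itself is the signal, whatever the firewall did with it."""
    targets = defaultdict(set)
    for line in fw_log.splitlines():
        m = FW_RE.match(line.strip())
        if not m:
            continue
        _time, src, dst, port, _action = m.groups()
        if int(port) in (80, 443) and dst != proxy_ip:
            targets[src].add(dst)
    return {src: len(hosts) for src, hosts in targets.items()}


def flag_proxy_bypass(fw_log, threshold=DIRECT_THRESHOLD):
    """Sources that tried at least `threshold` distinct web hosts past the proxy."""
    return {s: n for s, n in direct_web_targets(fw_log).items() if n >= threshold}


def nxdomain_names(dns_log):
    """Map each client to the number of distinct names that failed to resolve."""
    names = defaultdict(set)
    for line in dns_log.splitlines():
        m = DNS_RE.match(line.strip())
        if not m:
            continue
        _time, client, qname, rcode = m.groups()
        if rcode == "NXDOMAIN":
            names[client].add(qname.lower())
    return {c: len(n) for c, n in names.items()}


def flag_domain_burst(dns_log, threshold=NXDOMAIN_THRESHOLD):
    """Clients with at least `threshold` distinct NXDOMAIN answers."""
    return {c: n for c, n in nxdomain_names(dns_log).items() if n >= threshold}


if __name__ == "__main__":
    print("direct web attempts past the proxy:", flag_proxy_bypass(FW_LOG))
    print("NXDOMAIN bursts:", flag_domain_burst(DNS_LOG))
```

Counting distinct destinations rather than raw connection attempts keeps a single retried download from tripping the first check, and counting distinct failed names rather than total queries keeps a chatty but legitimate host from tripping the second.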
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24029787
W32/Conficker.worm.gen.b - from McAfee: Since the last McAfee® Avert® Labs Security Advisory (March 27), the following noteworthy events have taken place:
McAfee product coverage has been updated for W32/Conficker.worm.gen.b.
From this source - cut/paste here:
Symptoms -
File, registry, and network communication referenced in the characteristics section.
Access to admin shares denied
Scheduled tasks being created
Access to security related web sites is blocked.

Method of Infection -

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.  Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.  Upon detection of this worm the system should be rebooted to clean memory correctly. May require more than one reboot.  Scheduled tasks have been seen to be created on the system to re-activate the worm.
Removal -

Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.
Overview -

-- Update February 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infopackets.com/news/security/2009/20090225_new_conficker_b++_worm_discovered_more_stealth.htm 
-- Update February 26, 2009 --
A new variation of Conficker has been identified.  In addition to some minor code optimizations this variant (sometimes referred to as Conficker B++ or Win32/Conficker.c) includes an additional backdoor service as well as some minor changes to the netapi32.dll patch that is applied after infection.  The updated Conficker variant is detected by McAfee as W32/Conficker.worm.gen.b
This detection is for a worm that exploits the MS08-067 vulnerability that exists, in Microsoft Windows Server Service, which may allow for remote code execution. The flaw lies in the improper handling of specially-crafted (malicious) RPC requests.
Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry keys to create a randomly-named service on the affected system:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\
ServiceDll = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:
hxxp://www.getmyip.org
hxxp://getmyip.co.uk
hxxp://checkip.dyndns.org
hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website (rogue Russian site is up but not serving the file anymore):
hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Adds an entry to the run key to load on system startup. HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe "%Malware Path%"/[Random]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe "%Malware Path%"[Random]

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the HTTP server and download a copy of the worm.
Attempts to block access to various security related web sites whose primary domains include:
ahnlab
arcabit
avas
avg
avira
avp
bit9
ca
castlecops
centralcommand
cert
clamav
comodo
computerassociates
cpsecure
drweb
emsisoft
esafe
eset
etrust
ewido
fortinet
f-prot
f-secure
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
mcafee
microsoft
nai
networkassociates
nod32
norman
norton
panda
pctools
prevx
quickheal
rising
sans
securecomputing
sophos
spamhaus
sunbelt
symantec
threatexpert
trendmicro
vet
wilderssecurity
windowsupdate

Creates Windows scheduled tasks to load itself using rundll32.
Starts an HTTP server on a random port on the infected machine to host a copy of the worm.
 
Source for more - http://vil.nai.com/vil/content/v_153710.htm
 
0
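The McAfee write-up pasted above gives two host-side persistence artefacts that are easy to check offline: a randomly named service hosted by "svchost.exe -k netsvcs" with its own ServiceDll, and Run-key values that launch a DLL through rundll32. The script below is an added example for this page, not code from the thread or from McAfee. It parses a registry export in .reg syntax and compares the netsvcs-hosted services against a baseline; the .reg text, the service and file names in it, and the baseline set are all constructed for illustration. On a real machine the input would come from `reg export` of the Services and Run keys, and the baseline from a known-clean build of the same image.

```python
"""Check a .reg export for the persistence artefacts described in the
McAfee write-up: a netsvcs-hosted service outside the clean baseline, and
Run entries that start a DLL via rundll32. The export text, the service
and DLL names, and the baseline are constructed for this example."""
import re

# Constructed export in .reg syntax (backslashes and quotes escaped as regedit writes them).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\qmgr.dll"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqvbdfs]
"ImagePath"="%SystemRoot%\\system32\\svchost.exe -k netsvcs"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\xkqvbdfs\Parameters]
"ServiceDll"="%SystemRoot%\\system32\\pmuxcqbf.dll"

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="ctfmon.exe"
"ymcwrk"="rundll32.exe \"C:\\WINDOWS\\system32\\pmuxcqbf.dll\",abcdef"
'''

# Constructed stand-in for a baseline of netsvcs service names from a known-clean build.
BASELINE_NETSVCS = {"bits", "wuauserv", "schedule", "lanmanserver", "browser"}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
SERVICE_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)$", re.I)
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)


def _unescape(raw):
    """Undo .reg escaping of backslashes and double quotes."""
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg(text):
    """Return {key_path: {value_name: value}} for the string values in a .reg export."""
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        k = KEY_RE.match(line)
        if k:
            current = k.group(1)
            reg.setdefault(current, {})
            continue
        v = VALUE_RE.match(line)
        if v and current is not None:
            reg[current][v.group(1)] = _unescape(v.group(2))
    return reg


def netsvcs_services(reg):
    """Services whose ImagePath is the shared netsvcs host, mapped to their ServiceDll."""
    found = {}
    for key, values in reg.items():
        m = SERVICE_RE.match(key)
        if not m:
            continue
        if "svchost.exe -k netsvcs" in values.get("ImagePath", "").lower():
            params = reg.get(key + r"\Parameters", {})
            found[m.group(1)] = params.get("ServiceDll", "")
    return found


def suspicious_services(reg, baseline=BASELINE_NETSVCS):
    """netsvcs-hosted services that are not in the clean baseline, as (name, dll)."""
    return sorted((name, dll) for name, dll in netsvcs_services(reg).items()
                  if name.lower() not in baseline)


def rundll32_run_entries(reg):
    """Run-key values that start a DLL through rundll32, as (key, value_name, dll_path)."""
    hits = []
    for key, values in reg.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, val in values.items():
            m = RUNDLL_RE.search(val)
            if m:
                hits.append((key, name, m.group(1)))
    return sorted(hits)


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("netsvcs services outside baseline:", suspicious_services(parsed))
    print("rundll32 Run entries:", rundll32_run_entries(parsed))
```

The baseline comparison matters more than any name heuristic: the service name is random, so the only reliable signal is that a netsvcs-hosted service exists that the clean image does not have. The rundll32 check pairs naturally with it, because the Run entry points at the same DLL the service loads.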
