
Conficker Virus

Tomorrow the Conficker Virus starts querying 50,000 random domains.

If your computer is configured to use a proxy and you are not able to access the Internet directly (e.g., you have to go through the proxy to reach port 80 or 443), will Conficker be able to make a connection to the Internet via the proxy?

The analysis I have seen seems to indicate that the Conficker code tries to make the connection itself; what is not clear is whether the Microsoft API it uses to make the connection will automatically connect using the proxy details stored on the computer.

Thanks.

-Rowan
IKZ commented:
From what I understand, it will connect whether you are using a proxy or not. Have you read the Microsoft TechNet article on it yet? If not, let me know and I'll link you to it. It's pretty informative for everyone :)
 
rowansmith (Author) commented:
I have not been able to find anything that says it will use a proxy or that it is capable of using a proxy if the computer is configured for one.

Thanks, please send the article.
 
Asta Cu (Technical consultant & graphic design) commented:
Brief cut/paste (synopsis) here, then the source link for more, which I find extremely top notch in terms of information and options:
Effect - Upon infection, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then arranges to load itself thereafter at boot as a system service with a randomly-generated name.
The worm then resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[12] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[13]
Symptoms -
Account lockout policies being reset automatically.
Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
Domain controllers responding slowly to client requests.
System network becoming unusually congested.
Websites related to antivirus software becoming inaccessible.[14]
http://en.wikipedia.org/wiki/Conficker
Listening when time permits with best wishes - Asta
 
rowansmith (Author) commented:
No reference in any of that as to whether it can use a proxy server to reach its Internet rendezvous points.
 
Mohamed Osama (Senior IT Consultant) commented:
I believe if a proxy is in place, this will stop most of the payload of this variant, as there is also a P2P connection between infected machines and they won't be able to communicate in this case. Theoretically speaking, you can pretty much wrap up or tunnel any traffic through a web proxy, but I do not believe the worm author(s) had those machines in mind when designing this worm. I would say it is overkill; however, due diligence is due: updates should still be rolled out, antivirus protection, etc.
http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx
 
Asta Cu (Technical consultant & graphic design) commented:
W32/Conficker.worm.gen.b - from - Since the last McAfee® Avert® Labs Security Advisory (March 27), the following noteworthy events have taken place:
McAfee product coverage has been updated for W32/Conficker.worm.gen.b.
From this source - cut/paste here:
Symptoms -
File, registry, and network communication referenced in the characteristics section.
Access to admin shares denied
Scheduled tasks being created
Access to security related web sites is blocked.

Method of Infection -

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning. Upon detection of this worm the system should be rebooted to clean memory correctly. May require more than one reboot. Scheduled tasks have been seen to be created on the system to re-activate the worm.
Removal -

Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.
Overview -

-- Update February 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infopackets.com/news/security/2009/20090225_new_conficker_b++_worm_discovered_more_stealth.htm 
-- Update February 26, 2009 --
A new variation of Conficker has been identified.  In addition to some minor code optimizations this variant (sometimes referred to as Conficker B++ or Win32/Conficker.c) includes an additional backdoor service as well as some minor changes to the netapi32.dll patch that is applied after infection.  The updated Conficker variant is detected by McAfee as W32/Conficker.worm.gen.b
This detection is for a worm that exploits the MS08-067 vulnerability that exists, in Microsoft Windows Server Service, which may allow for remote code execution. The flaw lies in the improper handling of specially-crafted (malicious) RPC requests.
Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry key to create a randomly-named service on the affected system: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\
ServiceDll = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:
hxxp://www.getmyip.org
hxxp://getmyip.co.uk
hxxp://checkip.dyndns.org
hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website: (Rogue Russian site is up but not serving file anymore) hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Adds an entry to the run key to load on system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe "%Malware Path%"/[Random]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe "%Malware Path%"[Random]

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.
Attempts to block access to various security-related web sites whose primary domains include:
ahnlab
arcabit
avas
avg
avira
avp
bit9
ca
castlecops
centralcommand
cert
clamav
comodo
computerassociates
cpsecure
drweb
emsisoft
esafe
eset
etrust
ewido
fortinet
f-prot
f-secure
gdata
grisoft
hacksoft
hauri
ikarus
jotti
k7computing
kaspersky
mcafee
microsoft
nai
networkassociates
nod32
norman
norton
panda
pctools
prevx
quickheal
rising
sans
securecomputing
sophos
spamhaus
sunbelt
symantec
threatexpert
trendmicro
vet
wilderssecurity
windowsupdate

Creates Windows scheduled tasks to load itself using rundll32.
Starts an HTTP server on a random port on the infected machine to host a copy of the worm.
 
Source for more - http://vil.nai.com/vil/content/v_153710.htm
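A defender-side check that follows from this thread, written here as an added example and not code from the page or from any vendor: on a proxy-only network, every outbound HTTP request, whether or not the worm honours the configured proxy, is either logged by the proxy or fails at the firewall, so the proxy access log is the place to look. The script below parses Squid native access.log lines (the sample lines are constructed, not real captures), flags clients that contacted the IP-lookup sites and the download host named in the McAfee write-up above, and also flags clients that contact an unusually large number of distinct hosts, an assumed heuristic for the random-domain rendezvous behaviour mentioned in the question. The fan-out threshold is an assumed value to be tuned per environment.

```python
"""Scan web-proxy access log lines for Conficker-related indicators from the thread."""
from collections import defaultdict
from urllib.parse import urlsplit

# Hosts the McAfee write-up lists as IP-lookup sites contacted by the worm,
# plus the download host it names (the hxxp:// obfuscation stripped).
WATCH_HOSTS = {
    "www.getmyip.org",
    "getmyip.co.uk",
    "checkip.dyndns.org",
    "whatsmyipaddress.com",
    "trafficconverter.biz",
}

# Assumption for the fan-out heuristic: an ordinary client rarely talks to this
# many distinct hosts within one log window; a rendezvous-domain search does.
FANOUT_THRESHOLD = 20


def parse_squid_line(line):
    """Parse one Squid native access.log line into (client_ip, host).

    Native format: time elapsed client action/code size method url ident hier/from type.
    Returns None for lines that do not look like that format.
    """
    fields = line.split()
    if len(fields) < 7:
        return None
    client_ip, url = fields[2], fields[6]
    if "://" not in url:
        # CONNECT requests are logged as host:port rather than a full URL.
        host = url.rsplit(":", 1)[0]
    else:
        host = urlsplit(url).hostname or ""
    return client_ip, host.lower()


def scan(lines):
    """Return {client_ip: {"watch_hits": [hosts], "fanout": n}} for suspect clients.

    A client is reported if it touched any WATCH_HOSTS entry or if the number of
    distinct hosts it contacted reaches FANOUT_THRESHOLD.
    """
    hits = defaultdict(list)
    hosts_by_client = defaultdict(set)
    for line in lines:
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        client_ip, host = parsed
        hosts_by_client[client_ip].add(host)
        if host in WATCH_HOSTS:
            hits[client_ip].append(host)
    report = {}
    for client_ip, hosts in hosts_by_client.items():
        watch = hits.get(client_ip, [])
        fanout = len(hosts)
        if watch or fanout >= FANOUT_THRESHOLD:
            report[client_ip] = {"watch_hits": watch, "fanout": fanout}
    return report


# Constructed sample log (TEST-NET addresses, not real traffic).
SAMPLE_LOG = [
    # an ordinary client browsing one site
    "1238547600.001    95 10.0.0.21 TCP_MISS/200 1420 GET http://www.example.com/ - DIRECT/203.0.113.9 text/html",
    "1238547601.002   120 10.0.0.21 TCP_HIT/200 4096 GET http://www.example.com/style.css - NONE/- text/css",
    # a client hitting an IP-lookup site, then the download host (file no longer served)
    "1238547602.003   200 10.0.0.15 TCP_MISS/200 512 GET http://checkip.dyndns.org/ - DIRECT/198.51.100.7 text/html",
    "1238547603.004   300 10.0.0.15 TCP_MISS/404 300 GET http://trafficconverter.biz/antispyware/x.exe - DIRECT/198.51.100.8 text/html",
]
# a client sweeping many distinct hosts, most of which do not resolve or answer
SAMPLE_LOG += [
    f"12385476{10 + i:02d}.000    50 10.0.0.33 TCP_MISS/503 0 GET http://host{i}.example.net/search - DIRECT/203.0.113.{i + 1} text/html"
    for i in range(25)
]

if __name__ == "__main__":
    for ip, info in scan(SAMPLE_LOG).items():
        print(f"{ip}: watch hits {info['watch_hits']}, distinct hosts {info['fanout']}")
```

Run it against a real access.log by replacing SAMPLE_LOG with the file's lines; a hit on the watch list is worth a host inspection regardless of fan-out, while the fan-out figure alone needs a baseline from your own proxy before it is treated as more than a lead.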