Solved

Conficker Virus

Posted on 2009-03-30
7
1,324 Views
Last Modified: 2013-11-22
Tomorrow the Conficker Virus starts querying 50,000 random domains.

If your computer is configured to use a proxy and you are not able to get access to the Internet directly, e.g. you have to go through the proxy to reach port 80 or 443:

Will Conficker be able to make a connection to the Internet via the proxy? The analysis I have seen seems to indicate that the Conficker code tries to make the connection itself; what is not clear is whether the Microsoft API it uses to make the connection will automatically connect using the proxy details stored on the computer.

Thanks.

-Rowan
0
Question by:rowansmith
7 Comments
 
LVL 6

Accepted Solution

by:
IKZ earned 500 total points
ID: 24023912
From what I understand, it will connect whether you are using a proxy or not. Have you read the Microsoft TechNet article on it yet? If not, let me know and I'll link you to it. It's pretty informative for everyone :)
0
 
LVL 11

Author Comment

by:rowansmith
ID: 24024121
I have not been able to find anything that says it will use a proxy or that it is capable of using a proxy if the computer is configured for one.

Thanks please send the article.
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24024439
0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24024451
Brief cut/paste (synopsis) here, then the source link for more, which I find extremely top notch in terms of information and options:

Effect - Upon infection, the worm saves a copy of its DLL form to a random filename in the Windows system folder, then arranges to load itself thereafter at boot as a system service with a randomly-generated name.
The worm then resets System Restore points and disables a number of system services such as Windows Automatic Update, Windows Security Center, Windows Defender and Windows Error Reporting.[12] Processes matching a predefined list of antiviral, diagnostic or system patching tools are watched for and terminated.[13]

Symptoms -
Account lockout policies being reset automatically.
Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services disabled.
Domain controllers responding slowly to client requests.
System network becoming unusually congested.
Websites related to antivirus software becoming inaccessible.[14]

http://en.wikipedia.org/wiki/Conficker
Listening when time permits with best wishes - Asta
0
 
LVL 11

Author Comment

by:rowansmith
ID: 24024483
No reference in any of that as to whether it can use a proxy server to reach its Internet rendezvous points.
0
 
LVL 23

Expert Comment

by:Admin3k
ID: 24026836
I believe if a proxy is in place, this will stop most of the payload of this variant, as there is also a P2P connection between infected machines and they won't be able to communicate in this case. Theoretically speaking you can pretty much wrap up or tunnel any traffic through a web proxy, but I do not believe the worm author(s) had those machines in mind when designing this worm. I would say it is overkill; however, due diligence is due: updates should still be rolled out, antivirus protection, etc.
http://blogs.technet.com/mmpc/archive/2009/03/27/information-about-worm-win32-conficker-d.aspx

0
 
LVL 27

Expert Comment

by:Asta Cu
ID: 24029787
W32/Conficker.worm.gen.b - Since the last McAfee® Avert® Labs Security Advisory (March 27), the following noteworthy events have taken place:
McAfee product coverage has been updated for W32/Conficker.worm.gen.b.
From this source, cut/paste here:

Symptoms -
File, registry, and network communication referenced in the characteristics section.
Access to admin shares denied
Scheduled tasks being created
Access to security related web sites is blocked.

Method of Infection -

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate. Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning. Upon detection of this worm the system should be rebooted to clean memory correctly. May require more than one reboot. Scheduled tasks have been seen to be created on the system to re-activate the worm.

Removal -

Users infected by W32/Conficker.worm should perform an On Demand Scan to remove remnants of the worm in memory using the latest DATs.
Upon detection of W32/Conficker!mem and REBOOT, the W32/Conficker.worm malware components will be removed.
Overview -

-- Update February 26, 2009 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.infopackets.com/news/security/2009/20090225_new_conficker_b++_worm_discovered_more_stealth.htm
-- Update February 26, 2009 --
A new variation of Conficker has been identified.  In addition to some minor code optimizations this variant (sometimes referred to as Conficker B++ or Win32/Conficker.c) includes an additional backdoor service as well as some minor changes to the netapi32.dll patch that is applied after infection.  The updated Conficker variant is detected by McAfee as W32/Conficker.worm.gen.b
This detection is for a worm that exploits the MS08-067 vulnerability that exists, in Microsoft Windows Server Service, which may allow for remote code execution. The flaw lies in the improper handling of specially-crafted (malicious) RPC requests.
Characteristics -

When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry keys to create a randomly-named service on the affected system:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\
ServiceDll = "Path to worm"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\
ImagePath = %SystemRoot%\system32\svchost.exe -k netsvcs

Attempts connections to one or more of the following websites to obtain the public IP address of the affected computer:
hxxp://www.getmyip.org
hxxp://getmyip.co.uk
hxxp://checkip.dyndns.org
hxxp://whatsmyipaddress.com

Attempts to download a malware file from the remote website (rogue Russian site is up but not serving the file anymore):
hxxp://trafficconverter.biz/[Removed]antispyware/[Removed].exe

Adds an entry to the run key to load on system startup:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe "%Malware Path%"/[Random]
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
rundll32.exe "%Malware Path%"[Random]

Continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit is successful, the remote computer will then connect back to the http server and download a copy of the worm.
Attempts to block access to various security related web sites whose primary domains include the names of antivirus and security vendors.

Creates Windows scheduled tasks to load itself using rundll32.
Starts an HTTP server on a random port on the infected machine to host a copy of the worm.
 
Source for more - http://vil.nai.com/vil/content/v_153710.htm
 
0
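The quoted advisory says the worm first contacts one of four public-IP lookup sites and the original question notes the daily burst of random rendezvous domains; if that traffic does pass through the proxy (the open question in this thread), the proxy access log is where it shows. The following is an added example, not code from the thread or from McAfee: it flags proxy clients that hit those lookup hosts or contact many distinct non-allowlisted domains in a short window. The simplified log format, the allowlist and the thresholds are constructed assumptions for illustration.

```python
"""Flag proxy-log clients showing Conficker-like behaviour (added example)."""
import re
from collections import Counter, defaultdict

# Public-IP lookup hosts named in the McAfee text quoted above (de-fanged there as hxxp://).
IP_LOOKUP_HOSTS = {"www.getmyip.org", "getmyip.co.uk", "checkip.dyndns.org", "whatsmyipaddress.com"}

# Constructed, simplified Squid-like line: "<epoch> <client> <result> <bytes> <method> <url>"
LOG_RE = re.compile(r"^(?P<ts>\d+(?:\.\d+)?)\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")

def host_of(url):
    """Extract the lower-cased host part of an absolute URL, or None."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, re.I)
    return m.group(1).lower() if m else None

def parse(lines):
    """Yield (timestamp, client, host) for every well-formed log line."""
    for line in lines:
        m = LOG_RE.match(line)
        if m and host_of(m.group("url")):
            yield float(m.group("ts")), m.group("client"), host_of(m.group("url"))

def flag_clients(lines, allowlist, burst_threshold=20, window=3600):
    """Return {client: [reasons]}. 'ip_lookup' = touched an IP lookup site;
    'domain_burst' = >= burst_threshold distinct non-allowlisted hosts within `window` seconds."""
    per_client = defaultdict(list)
    for ts, client, host in parse(lines):
        per_client[client].append((ts, host))
    flagged = {}
    for client, events in per_client.items():
        events.sort()
        reasons = {"ip_lookup"} if any(h in IP_LOOKUP_HOSTS for _, h in events) else set()
        unknown = [(t, h) for t, h in events if h not in allowlist]
        counts, lo = Counter(), 0           # sliding window of distinct unknown hosts
        for t, h in unknown:
            counts[h] += 1
            while t - unknown[lo][0] > window:
                counts[unknown[lo][1]] -= 1
                if counts[unknown[lo][1]] == 0:
                    del counts[unknown[lo][1]]
                lo += 1
            if len(counts) >= burst_threshold:
                reasons.add("domain_burst")
                break
        if reasons:
            flagged[client] = sorted(reasons)
    return flagged

ALLOWLIST = {"www.example.com", "update.example.org"}   # assumed known-good hosts

def sample_log():
    """Constructed log: one healthy client (10.0.0.5) and one suspicious client (10.0.0.23)."""
    lines = ["1238371200.000 10.0.0.5 TCP_MISS/200 5120 GET http://www.example.com/index.html",
             "1238371260.000 10.0.0.5 TCP_MISS/200 900 GET http://update.example.org/catalog",
             "1238371300.000 10.0.0.23 TCP_MISS/200 150 GET http://checkip.dyndns.org/"]
    for i in range(25):   # 25 distinct made-up domains, 10 s apart, mostly failing to resolve
        lines.append(f"{1238371310 + 10 * i}.000 10.0.0.23 TCP_MISS/503 0 GET http://qzx{i:02d}kd.info/search?q=0")
    return lines

if __name__ == "__main__":
    print(flag_clients(sample_log(), ALLOWLIST))
```

Tune `burst_threshold` and `window` to the normal browsing profile of the network before trusting the `domain_burst` verdict; the lookup-host match alone is a weak indicator, since legitimate tools also use such sites.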
