cod-E-mphasis

Conficker Worm: Characteristics(contd.)

Posted in Technological Updates, Win32 Conficker, Worms by Arnab Guha on April 2, 2009

When executed, the worm copies itself using a random name to the %Sysdir% folder.
(Where %Sysdir% is the Windows system folder; e.g. C:\Windows\System32)
It modifies the following registry keys to create a randomly-named service on the affected system:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\Parameters\"ServiceDll" = "Path to worm"
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\{random}\"ImagePath" = %SystemRoot%\system32\svchost.exe -k netsvcs

It attempts connections to one or more of the following websites to obtain the public IP address of the affected computer.

It starts an HTTP server on a random port on the infected machine to host a copy of the worm.
It continuously scans the subnet of the infected host for vulnerable machines and executes the exploit. If the exploit succeeds, the remote computer connects back to the HTTP server and downloads a copy of the worm.
Later variants of w32/Conficker.worm use scheduled tasks and Autorun.inf files to replicate onto non-vulnerable systems or to reinfect previously infected systems after they have been cleaned.

Conficker Worm: Characteristics

Posted in Technological Updates, Win32 Conficker, Worms by Arnab Guha on April 2, 2009

It copies itself to the following paths:

  • %Sysdir%\[Random].dll
  • %Program Files%\Internet Explorer\[Random].dll
  • %Program Files%\Movie Maker\[Random].dll
  • %Program Files%\Windows Media Player\[Random].dll
  • %Program Files%\Windows NT\[Random].dll
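The two facts above, the randomly named svchost/netsvcs service with its "ServiceDll" value and the five drop directories, are enough for a simple host triage. The following Python script is an added example, not code from the original post: it flags services that run under "svchost.exe -k netsvcs" whose ServiceDll lives in one of the drop directories and that are either missing from a clean netsvcs baseline or sit outside system32. The service mapping, the service name "qhjzkfx", the DLL name "pzrjx.dll" and the baseline set are constructed; on a live host the same two values would be read from the registry with the winreg module.

```python
"""Triage svchost-hosted services for Conficker-style persistence.

Added example, not from the original post. The worm registers a randomly
named service that runs under 'svchost.exe -k netsvcs' with 'ServiceDll'
pointing at the dropped DLL, and the DLL lands in one of five known
directories. On a live host ImagePath/ServiceDll would be read with winreg;
here a constructed mapping stands in for them so the script runs anywhere.
"""
import ntpath
import re

# Drop directories named in the write-up, lower-cased and without drive letter.
DROP_DIRS = (
    r"\windows\system32",
    r"\program files\internet explorer",
    r"\program files\movie maker",
    r"\program files\windows media player",
    r"\program files\windows nt",
)

# Constructed baseline (assumption): netsvcs service names recorded on a
# known-clean host of the same Windows build. Export it from a reference
# machine rather than typing it in.
NETSVCS_BASELINE = {"wuauserv", "bits", "schedule", "browser", "winmgmt", "lanmanserver"}

SVCHOST_NETSVCS = re.compile(r"svchost\.exe\s+-k\s+netsvcs\b", re.IGNORECASE)

# Constructed sample of registry values: ImagePath from the service key and
# ServiceDll from its Parameters subkey. 'qhjzkfx' and 'pzrjx.dll' are made up.
SAMPLE_SERVICES = {
    "wuauserv": {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%SystemRoot%\system32\wuauserv.dll"},
    "Spooler":  {"ImagePath": r"%SystemRoot%\System32\spoolsv.exe",
                 "ServiceDll": None},
    "qhjzkfx":  {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"C:\Program Files\Movie Maker\pzrjx.dll"},
    "Browser":  {"ImagePath": r"%SystemRoot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"C:\Windows\System32\browser.dll"},
}


def expand_windows_vars(path):
    """Expand the environment references used in the sample; on a live host
    os.path.expandvars would resolve %SystemRoot% and friends."""
    return (path.replace("%SystemRoot%", r"C:\Windows")
                .replace("%Sysdir%", r"C:\Windows\System32")
                .replace("%Program Files%", r"C:\Program Files"))


def dll_directory(service_dll):
    """Lower-cased directory of the ServiceDll with the drive letter removed,
    so it can be compared against DROP_DIRS."""
    full = expand_windows_vars(service_dll).lower()
    return ntpath.splitdrive(ntpath.dirname(full))[1]


def triage_services(services, baseline=NETSVCS_BASELINE):
    """Return [(service_name, reason)] for svchost/netsvcs services whose
    ServiceDll lives in a Conficker drop directory and either is not in the
    clean baseline or sits outside system32 (legitimate netsvcs DLLs do not
    live under Program Files)."""
    findings = []
    for name, values in services.items():
        image = values.get("ImagePath") or ""
        dll = values.get("ServiceDll")
        if not dll or not SVCHOST_NETSVCS.search(image):
            continue
        directory = dll_directory(dll)
        if directory not in DROP_DIRS:
            continue
        reasons = []
        if name.lower() not in baseline:
            reasons.append("service name absent from clean netsvcs baseline")
        if directory != r"\windows\system32":
            reasons.append("ServiceDll outside system32: " + directory)
        if reasons:
            findings.append((name, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, reason in triage_services(SAMPLE_SERVICES):
        print(f"SUSPICIOUS service {name!r}: {reason}")
```

The baseline comparison is the part that matters: a random service name alone is only a hint, but a netsvcs member that a clean host of the same build does not have, loading a DLL from Movie Maker or Internet Explorer, is the pattern the write-up describes.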

It disables the following services:

  • WerSvc, ERSvc, BITS, wuauserv, WinDefend, wscsvc

It hooks the following functions in dnsapi.dll :

  • Query_Main, DnsQuery_W, DnsQuery_UTF8, DnsQuery_A

It hooks the following functions in ws2_32.dll:

  • sendto

The worm deletes the following registry key to disable restarting in safe mode:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot

It deletes the following registry keys:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellServiceObjects\{FD6905CE-952F-41F1-9A6F-135D9C6622CC}
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Windows Defender

It terminates processes whose names contain the following strings:

  • wireshark / unlocker / tcpview / sysclean / scct_ / regmon / procmon / procexp / ms08-06 / mrtstub / mrt. / mbsa. / klwk / kido / kb958 / kb890 / hotfix / gmer / filemon / downad / confick / avenger / autoruns

To block users' access to security-related domains, it prevents network access to any domain whose name contains the following strings:

  • windowsupdate / wilderssecurity / virus / virscan / trojan / trendmicro / threatexpert / threat / technet / symantec / sunbelt / spyware / spamhaus / sophos / secureworks / securecomputing / safety.live / rootkit / rising / removal / quickheal / ptsecurity / prevx / pctools / panda / onecare / norton / norman / nod32 / networkassociates / mtc.sri / msmvps / msftncsi / mirage / microsoft / mcafee / malware / kaspersky / k7computing / jotti / ikarus / hauri / hacksoft / hackerwatch / grisoft / gdata / freeav / free-av / fortinet / f-secure / f-prot / ewido / etrust / eset / esafe / emsisoft / dslreports / drweb / defender / cyber-ta / cpsecure / conficker / computerassociates / comodo / clamav / centralcommand / ccollomb / castlecops / bothunter / avira / avgate / avast / arcabit / antivir / anti- / ahnlab / agnitum

Conficker Worm: A new threat to computer

Posted in Technological Updates, Win32 Conficker, Worms by Arnab Guha on April 2, 2009

Conficker, also known as Downup, Downadup and Kido, is a computer worm targeting the Microsoft Windows operating system that was first detected in October 2008.
An early variant of the worm propagated through the Internet by exploiting a vulnerability in the network stack of Windows 2000, Windows XP, Windows Vista, Windows Server 2003, Windows Server 2008, Windows 7 Beta, and Windows Server 2008 R2 Beta that was discovered earlier that month. The worm has been unusually difficult for network operators and law enforcement to counter because of its combined use of advanced malware techniques.

Method of Infection:

This worm exploits the MS08-067 Microsoft Windows Server Service vulnerability in order to propagate.
Machines should be patched and rebooted to protect against this worm re-infecting the system after cleaning.
Upon detection of this worm, the system should be rebooted to clean memory correctly. This may require more than one reboot.
Scheduled tasks have been seen to be created on the system to re-activate the worm.

Autorun.inf files have been seen to be used to re-activate the worm.

Symptoms:

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed.

For more information about Win32/Conficker.b, visit the following Web pages:

LINUX: Introduction

Posted in Linux/Unix, OpenSource by suparthakar on April 2, 2009

A free, Unix-compatible, 32-bit operating system developed in 1991 by Linus Torvalds while at the University of Helsinki in Finland.
Strictly speaking, Linux is the name of the operating system kernel, the central part of the operating system that manages system services, but many people use the name to refer to the complete operating system package, including utilities, editors and compilers, games, and networking components. Many of these important elements are actually part of the Free Software Foundation’s GNU Project, and others have been written and released by volunteers.

Linux is supported and distributed by companies such as Red Hat Software, Caldera Software, Workgroup Solutions, Walnut Creek Software, and S.u.S.E. of Germany. With the increasing use of Linux in the corporate world, several major companies have announced some level of support for the operating system, including Hewlett-Packard, Silicon Graphics, Sun Microsystems, and Intel, and several major applications packages have been ported to Linux,

Linux: SAMBA

Posted in Linux/Unix, OpenSource by suparthakar on April 2, 2009

If you rely on Windows for file sharing and print sharing, you probably use Windows in your servers and clients. If so, you can still move to a Linux PC as your server without losing Windows file-sharing and print-sharing capabilities; you can set up Linux as a Windows server.

When you install Linux from DVD-ROM, you also get a chance to install the Samba software package, which performs that setup. All you have to do is select the Windows File Server package group during installation.

  • Configuration file for samba – /etc/samba/smb.conf
  • Samba user’s file – /etc/samba/smbusers

Commands:

  1. nmblookup: This command returns the IP address of a Windows PC identified by its NetBIOS name.
  2. smbadduser: This program adds users to the SMB (Server Message Block) password file.
  3. smbcacls: This program manipulates Windows NT access control lists (ACLs) on shared files.
  4. smbclient: This is the Windows client, which runs on Linux and allows Linux to access the files and printers on any Windows server.
  5. smbcontrol: This program sends messages to the smbd, nmbd, or winbindd processes.
  6. smbd: This is the SMB server, which accepts connections from Windows clients and provides file-sharing and print-sharing services.
  7. smbmount: This program mounts a Samba share directory on a Linux PC.
  8. smbpasswd: This program changes the password for an SMB user.
  9. smbprint: This script enables printing on a printer on an SMB server.
  10. smbstatus: This command lists the current SMB connections for the local host.
  11. smbtar: This program backs up SMB shares directly to tape drives on the Linux system.
  12. smbumount: This program unmounts a currently mounted Samba share directory.
  13. testparm: This program checks the Samba configuration file for correctness.
  14. winbindd: This server resolves names from Windows NT servers.
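testparm checks that /etc/samba/smb.conf parses; it does not tell you whether the shares are exposed more widely than intended. The following Python script is an added example, not code from the original post or from the Samba project. It reads the same file and reports guest-accessible shares, guest shares that are also writable, and a "server min protocol" explicitly lowered to an SMB1 dialect. The sample configuration and the share names are constructed; "guest ok", "public", "read only", "writable"/"writeable", "security" and "server min protocol" are real smb.conf parameters, and the way the script resolves conflicting read-only/writable settings is a stated simplification.

```python
"""Audit an smb.conf for shares exposed more widely than intended.

Added example, not from the original post or the Samba project. It parses the
same file testparm reads (/etc/samba/smb.conf by default) and reports
guest-accessible shares, guest shares that are also writable, and a
'server min protocol' explicitly lowered to an SMB1 dialect. The sample
configuration below is constructed.
"""
import configparser
import sys

SAMPLE_SMB_CONF = """\
[global]
workgroup = WORKGROUP
security = user
map to guest = Bad User
server min protocol = NT1

[homes]
comment = Home Directories
browseable = no
read only = no

[public]
path = /srv/samba/public
guest ok = yes
read only = no

[docs]
path = /srv/samba/docs
public = yes
read only = yes
"""

TRUE_VALUES = {"yes", "true", "1"}
SMB1_DIALECTS = {"NT1", "LANMAN1", "LANMAN2", "CORE", "COREPLUS"}


def load_smb_conf(text):
    # interpolation=None: smb.conf values such as /home/%U contain '%' that is
    # not Python interpolation; strict=False tolerates repeated keys.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    return parser


def is_true(section, key, default):
    return section.get(key, default).strip().lower() in TRUE_VALUES


def share_is_writable(section):
    """Samba treats 'read only', 'writable' and 'writeable' as one setting.
    Simplification (assumption): if several are present 'read only' wins here,
    whereas Samba itself uses whichever appears last in the section."""
    if "read only" in section:
        return not is_true(section, "read only", "yes")
    for key in ("writable", "writeable"):
        if key in section:
            return is_true(section, key, "no")
    return False  # Samba's default is read only = yes


def audit_smb_conf(text):
    """Return [(section, issue)] in file order."""
    cfg = load_smb_conf(text)
    findings = []
    if cfg.has_section("global"):
        g = cfg["global"]
        proto = g.get("server min protocol", "").strip().upper()
        if proto in SMB1_DIALECTS:
            findings.append(("global", f"server min protocol = {proto} still admits SMB1 clients"))
        if g.get("security", "user").strip().lower() == "share":
            findings.append(("global", "security = share: share-level access without per-user authentication"))
    for share in cfg.sections():
        if share == "global":
            continue
        s = cfg[share]
        guest = is_true(s, "guest ok", "no") or is_true(s, "public", "no")
        if guest and share_is_writable(s):
            findings.append((share, "guest-writable share"))
        elif guest:
            findings.append((share, "guest-readable share"))
    return findings


if __name__ == "__main__":
    # Usage: python3 smb_audit.py [/etc/samba/smb.conf]; without an argument
    # the constructed sample is audited.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SMB_CONF
    for section, issue in audit_smb_conf(text):
        print(f"[{section}] {issue}")
```

Run it after testparm: testparm proves the file is syntactically valid, and this pass lists the shares an unauthenticated client could read or write once the server is up.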