
SIMCommander K-SOC Advisory

Subject: Conficker Worm

Date: 2009-04-10

Aliases:

  • Net-Worm.Win32.Kido (Kaspersky)

  • Net-Worm.Win32.Kido.bt (Kaspersky)

  • Net-Worm.Win32.Kido.dv (Kaspersky)

  • Net-Worm.Win32.Kido.fx (Kaspersky)

  • WORM_GIMMIV.A (TrendMicro)

  • TSPY_GIMMIV.A (TrendMicro)

  • WORM_DOWNAD.A (TrendMicro)

  • Trojan.Moo (Symantec)

  • W32.Downadup (Symantec)

  • TrojanSpy:Win32/Gimmiv.A (Microsoft)

  • TrojanSpy:Win32/Gimmiv.A.dll (Microsoft)

  • W32/Conflicker.worm (McAfee)

Also Known as:

Microsoft Security Bulletin MS08-067: Vulnerability in Server Service Could Allow Remote Code Execution

Description:

Conficker is believed to be the most widespread computer worm infection since SQL Slammer in 2003 [1]. CNN reported over eight million computers infected on Jan 8, 2009 [2]. To date there are five known variants, Conficker A, B, C, D and E, discovered on 21 November 2008, 29 December 2008, 20 February 2009, 4 March 2009 and 7 April 2009 respectively. According to a CNN report of 9 April 2009, the situation is worsening because the infection channel now extends to P2P [3]. CBS's 60 Minutes reported that millions of infected machines, mainly enterprise computers, are waiting for arbitrary code to be executed through Conficker [4].

[1] http://www.nytimes.com/2009/01/23/technology/internet/23worm.html?_r=1&em

[2] http://edition.cnn.com/2009/TECH/ptech/01/16/virus.downadup/?iref=mpstoryview

[3] http://edition.cnn.com/2009/TECH/04/09/conficker.activated/index.html

[4] http://www.cbsnews.com/stories/2009/03/27/60minutes/main4897053.shtml

How Conficker spreads:

Worm propagation relies on NetBIOS or removable media. After a computer is infected, the worm propagates to other computers through the following channels:

  • NetBIOS push

  • HTTP pull/push

  • P2P pull/push

Infection Symptoms:

An infected computer will exhibit the following abnormal behaviour:

  • Users are unable to reach the AntiVirus Software websites or the Microsoft Windows Updates

  • Account lockout policies being reset automatically

  • Certain Microsoft Windows services such as Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender and Error Reporting Services are disabled

  • Domain controllers responding slowly to client requests

  • Congestion on local area networks.

According to US-CERT [5], the presence of a Conficker infection may be detected if a user is unable to surf to the following websites:

http://www.symantec.com/norton/theme.jsp?themeid=conficker_worm&inid=us_ghp_link_conficker_worm

http://www.microsoft.com/protect/computer/viruses/worms/conficker.mspx

http://www.mcafee.com

http://www.kaspersky.com

If a user is unable to reach any of these websites, a Conficker infection may be indicated (the most current variant of Conficker interferes with queries for these sites, preventing the user from visiting them).

[5] http://www.us-cert.gov/current/#conficker_worm_information

Impact to Enterprises:

According to Kaspersky, a computer infected by Conficker cannot access the Kaspersky website to download the latest antivirus database. Consequently, when the infected computer is a Kaspersky Administration Kit server, the Administration Kit cannot update the virus database or distribute it to its client computers.

In a large enterprise environment, Administration Kit servers can be infected easily under the following circumstances, and the infected Administration Kit servers then generate 'virus database update failed' events:

i) The Administration Kit servers have not been patched for the Microsoft vulnerability MS08-067

ii) The KAV on the Administration Kit server is not using the updated virus database

iii) A new Conficker variant has appeared but the Administration Kit server is still waiting for the virus database update

SIMCommander K-SOC provides an additional layer of detection to prevent a Conficker outbreak

As mentioned above, an easy way to verify a Conficker infection is to check whether the host can reach the Kaspersky web site to update the virus database. However, in a large enterprise environment the virus database update is distributed through the Administration Kit to multiple KAV clients. Thus the focus is on ensuring that the Administration Kit servers, rather than the endpoints, are able to update the virus database from the Kaspersky web site.

In a large enterprise it is difficult to control and verify whether all Administration Kit servers have up-to-date Microsoft patches and Kaspersky virus databases installed. K-SOC adds an additional layer of protection by monitoring Administration Kit server behaviour proactively and automatically. When an Administration Kit server is infected by Conficker, it cannot update the virus database and generates the 'virus database update failed' event described above. Using K-SOC, you can create a monitoring rule that detects 'antivirus database update failed' events on Administration Kit servers via the intelligent Abnormal Behavior Detection technology. The detailed procedure for creating the rule is documented in the next section. When the Conficker worm is spreading among the Administration Kit servers, you receive real-time notification and see the following screen in the K-SOC console.

During a virus outbreak, time to respond is the most critical factor in containing the situation. K-SOC allows you to drill down into the details for a quick response. As shown in the figure below, the events from different Administration Kit servers are consolidated by the K-SOC Advanced Detection Technology.

You can also conduct infection path analysis by opening the Stateful Path view in the K-SOC console, which presents the Conficker infection graphically. The Stateful Path presentation replays the analysis flow of the rule defined above for the victim IP address, making it easy to identify which Administration Kit servers are infected, as shown below.
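As an added illustration of the correlation described above (not part of the original advisory or of the K-SOC product), the following Python sketch applies the same abnormal-behaviour idea to constructed Administration Kit style log lines: one 'virus database update failed' event is routine, but several distinct Administration Kit servers failing inside a short window is the outbreak pattern worth alerting on, and the per-server consolidation mirrors the drill-down view. The log layout, host names, time window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events in a syslog-like layout; not real Administration Kit output.
SAMPLE_EVENTS = """\
2009-04-10 08:00:12 adminkit-hq01 KLAK: Virus database update completed
2009-04-10 08:05:40 adminkit-hq01 KLAK: Virus database update failed
2009-04-10 08:06:03 adminkit-br02 KLAK: Virus database update failed
2009-04-10 08:07:15 adminkit-hq01 KLAK: Virus database update failed
2009-04-10 08:09:58 adminkit-br03 KLAK: Virus database update failed
2009-04-10 11:30:00 adminkit-br07 KLAK: Virus database update failed
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) KLAK: (.*)$")

def parse_events(text):
    """Return (timestamp, host, message) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            events.append((ts, m.group(2), m.group(3)))
    return events

def correlate_update_failures(events, window=timedelta(minutes=10), min_servers=3):
    """Abnormal-behaviour rule: alert once per burst in which at least `min_servers`
    distinct Administration Kit servers report an update failure inside `window`.
    A lone failing server is usually a network hiccup; several failing together is
    the pattern the advisory associates with Conficker blocking vendor sites."""
    failures = sorted((ts, host) for ts, host, msg in events if "update failed" in msg.lower())
    alerts, i = [], 0
    while i < len(failures):
        start = failures[i][0]
        burst = [h for ts, h in failures[i:] if ts - start <= window]
        hosts = sorted(set(burst))
        if len(hosts) >= min_servers:
            alerts.append((start, hosts))
            i += len(burst)          # consume the whole burst: one alert, not one per event
        else:
            i += 1
    return alerts

def consolidate_by_server(events):
    """Per-server failure counts, the view an analyst drills into after an alert."""
    counts = defaultdict(int)
    for _, host, msg in events:
        if "update failed" in msg.lower():
            counts[host] += 1
    return dict(counts)
```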


Resolution Procedures:

If a system is infected by Conficker, follow these procedures to remove the worm.

1. Follow the instructions in the Viruslist encyclopedia entry to clean the Windows registry and files:

http://www.viruslist.com/en/viruses/encyclopedia?virusid=21782725

2. Apply the patch described in Microsoft Security Bulletin MS08-067.

3. Update the antivirus software and signature pattern to the latest version.

4. Perform an online scan with Kaspersky when necessary; the Kaspersky scanner is available at http://www.kaspersky.com/virusscanner.

Enquiry:

For any feedback or enquiry about this document, please send email to advisory@simc-inc.com.

Additional Resources:

CBS News

CNN News

Microsoft Security Bulletin MS08-067

Kaspersky Lab Viruslist

TrendMicro Security Advisories

Symantec Security Response

McAfee Threat Advisories

Computer Associates

CERT Vulnerability Note and Alert

Copyright © 2001-2009 SIMCommander All Rights Reserved.