Conficker Worm

Posted on January 21st, 2009 by Benjamin Harbin

Recently, researchers have discovered millions of PCs infected with the Conficker worm, also commonly known as Downup and Downadup. Conficker is a rather nasty worm that, once it enters a network in one of a few possible ways, can quickly spread itself across it. The majority of systems are first compromised via a vulnerability in Microsoft's Server service. This vulnerability, described in MS08-067, could allow remote code execution through specially crafted NetBIOS traffic. The worm has also been found on compromised web servers and can be installed when users view web pages served by such a server.

After infecting one machine on a network, the worm aggressively tries to spread itself in several ways. First, it searches for other unpatched PCs that are vulnerable to MS08-067 and spreads itself over NetBIOS. Next, it tries to brute-force passwords on PCs that expose administrative shares (ADMIN$). The worm carries a list of the most commonly used passwords and infects any machine it can log into. Lastly, it tries to install a Windows auto-run file on all attached storage devices (thumb drives, external hard drives) and network drives. Any other user who accesses those removable devices or network drives can then be infected if they agree to auto-run the file, and many users have auto-run configured to run the file without asking, so the infection spreads with no user interaction at all.

The good news is that the worm can be avoided with careful attention to patch management and good password policies. The MS08-067 vulnerability was actually patched last year, in October 2008, so users who patched their machines continually via Windows Update or WSUS would have received the fix. Good password policies should always be the standard, and this infection is a great example of why. Brute force and social engineering are the two most popular ways to obtain user passwords, and both are still widely used. It is also a good idea to disable auto-run on PCs on a secured network. Some users may be used to the auto-run function (often enabled by default on home PCs), but for this particular Windows feature the costs far outweigh the benefits. Users may now have to run inserted media (CDs, DVDs, or thumb drives) manually, but that is a small annoyance compared to the havoc that worms such as Conficker can cause.
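The two host-level controls recommended above (the MS08-067 patch and disabled auto-run) are easy to verify from a script. What follows is an added example, not code from the original post: a report-only check that also takes an -Apply switch to set the auto-run policy. It assumes the MS08-067 update is recorded as KB958644 and that auto-run is governed by the NoDriveTypeAutoRun DWORD under the Explorer policy key; it needs PowerShell 3.0 or later and an elevated prompt.

```powershell
# Added example, not from the original post. Report-only check of the two host controls the
# post recommends (MS08-067 patch present, autorun disabled); -Apply also sets the autorun
# policy. Assumptions: the MS08-067 update is KB958644, and autorun is governed by the
# NoDriveTypeAutoRun DWORD under the Explorer policy key. Needs PowerShell 3.0+ and an
# elevated prompt; run as a script, e.g.  .\Check-ConfickerControls.ps1 -Apply
param([switch]$Apply)

$Ms08067Kb   = 'KB958644'
$AutorunKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$AutorunName = 'NoDriveTypeAutoRun'
$DisableAll  = 0xFF   # one bit per drive type; 0xFF disables autorun for every type

function Test-Ms08067Patch {
    # Get-HotFix reads the installed-updates list; no entry means the Server service
    # vulnerability Conficker uses may still be exposed on this host.
    $fix = Get-HotFix -Id $Ms08067Kb -ErrorAction SilentlyContinue
    if ($fix) { $detail = "installed $($fix.InstalledOn)" } else { $detail = "$Ms08067Kb not found" }
    [pscustomobject]@{ Check = 'MS08-067 patch'; Ok = [bool]$fix; Detail = $detail }
}

function Test-AutorunDisabled {
    # The policy value is a bitmask; the check passes only if every drive-type bit is set.
    $current = (Get-ItemProperty -Path $AutorunKey -Name $AutorunName -ErrorAction SilentlyContinue).$AutorunName
    if ($null -eq $current) {
        $ok = $false
        $detail = 'value not set (Windows default applies)'
    } else {
        $ok = (($current -band $DisableAll) -eq $DisableAll)
        $detail = '0x{0:X2}' -f $current
    }
    [pscustomobject]@{ Check = 'Autorun disabled'; Ok = $ok; Detail = $detail }
}

function Disable-Autorun {
    # Creates the policy key if it is missing, then sets the all-drive-types mask.
    if (-not (Test-Path $AutorunKey)) { New-Item -Path $AutorunKey -Force | Out-Null }
    Set-ItemProperty -Path $AutorunKey -Name $AutorunName -Value $DisableAll -Type DWord
}

$results = @(Test-Ms08067Patch)
$autorun = Test-AutorunDisabled
if ($Apply -and -not $autorun.Ok) {
    Disable-Autorun
    $autorun = Test-AutorunDisabled   # re-read so the report shows the applied value
}
$results += $autorun
$results | Format-Table -AutoSize
```

Get-HotFix only lists updates recorded as individual hotfixes, so a host that received the fix inside a later service pack may not show KB958644; treat a miss as "verify against WSUS or the update history", not as proof the host is vulnerable. The auto-run policy value is read back after -Apply so the report reflects what is actually in the registry rather than what the script intended to write.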

A few symptoms can indicate that a PC may be infected. The first and most obvious is that the PC cannot reach Windows Update or any AV vendor sites; attempts to update an AV product, or even Windows Defender, will fail. This is because the worm blocks access to sites whose address or URL contains certain strings, such as "update" or "Norton" (the list of strings is found here). Another symptom is that some accounts, especially admin accounts, keep getting locked out; this is caused by the worm's brute-force activity. When multiple devices are infected, the result can be network congestion and even slow responses from Active Directory servers.
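Both the lockout symptom described here and the brute-force behaviour described earlier leave a trail a defender can follow, and the URL-string blocking can be tested directly from a suspect host. The script below is an added example, not code from the original post. The lockout events it analyses are constructed sample data; the commented Get-WinEvent line shows how to feed real Security-log 4740 events instead, on the assumption that EventData field 0 is the locked-out account and field 1 the caller computer name (pre-Vista domain controllers log event 644 with a different layout). The host names used in the resolution test were chosen only because they contain the strings quoted above.

```powershell
# Added example, not from the original post. Two defender-side checks for the symptoms the
# post describes. Sample lockout events are constructed; the 4740 field positions used for
# live collection are an assumption to verify against your own event XML.

function Find-LockoutSources {
    # Groups lockouts by the computer that caused them and reports any source that locks
    # out several distinct accounts in a short window, the signature of the worm's
    # password guessing against ADMIN$ shares.
    param(
        [Parameter(Mandatory=$true)] [object[]]$Events,   # objects with Time, Account, Caller
        [int]$MinAccounts   = 3,                           # distinct accounts locked by one source
        [int]$WindowMinutes = 15
    )
    $Events | Group-Object Caller | ForEach-Object {
        $sorted   = @($_.Group | Sort-Object Time)
        $span     = ($sorted[-1].Time - $sorted[0].Time).TotalMinutes
        $accounts = @($sorted | Select-Object -ExpandProperty Account -Unique)
        if ($accounts.Count -ge $MinAccounts -and $span -le $WindowMinutes) {
            [pscustomobject]@{
                Caller   = $_.Name
                Accounts = $accounts.Count
                Minutes  = [math]::Round($span, 1)
                First    = $sorted[0].Time
            }
        }
    }
}

function Test-BlockedNameResolution {
    # Pairs names containing strings the worm filters with a neutral control name.
    # Resolution failing only for the filtered names matches the symptom in the post.
    param(
        [string[]]$Filtered = @('update.microsoft.com', 'www.norton.com'),
        [string[]]$Control  = @('www.microsoft.com')
    )
    foreach ($name in ($Filtered + $Control)) {
        try   { $ok = [bool][System.Net.Dns]::GetHostAddresses($name) }
        catch { $ok = $false }
        if ($Control -contains $name) { $kind = 'control' } else { $kind = 'filtered' }
        [pscustomobject]@{ Name = $name; Kind = $kind; Resolves = $ok }
    }
}

# Constructed sample: WS-0412 locks out four accounts in about nine minutes, which the
# check flags; FS-01 shows a single ordinary lockout, which it does not.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2009-01-20 09:00:05'; Account = 'jsmith';  Caller = 'WS-0412' },
    [pscustomobject]@{ Time = [datetime]'2009-01-20 09:02:41'; Account = 'mlee';    Caller = 'WS-0412' },
    [pscustomobject]@{ Time = [datetime]'2009-01-20 09:05:13'; Account = 'admin';   Caller = 'WS-0412' },
    [pscustomobject]@{ Time = [datetime]'2009-01-20 09:09:25'; Account = 'backup';  Caller = 'WS-0412' },
    [pscustomobject]@{ Time = [datetime]'2009-01-20 11:30:00'; Account = 'tnguyen'; Caller = 'FS-01' }
)
Find-LockoutSources -Events $sample | Format-Table -AutoSize

# Live collection on a domain controller (assumed 4740 layout: [0]=TargetUserName,
# [1]=TargetDomainName, which for 4740 carries the caller computer name):
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740 } | ForEach-Object {
#     [pscustomobject]@{ Time = $_.TimeCreated; Account = $_.Properties[0].Value; Caller = $_.Properties[1].Value }
# }
# Find-LockoutSources -Events $live

Test-BlockedNameResolution | Format-Table -AutoSize
```

Running the sample reports WS-0412 as the only source, because it is the one caller that locked out at least three distinct accounts inside the window. The resolution test is meant to be run on the suspect PC itself: a result where the control name resolves and the filtered names do not is the pattern to look for, while all names failing points at ordinary DNS trouble rather than the worm.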

It is possible to remove the worm, but the files needed to address the infection must be downloaded on another machine. Those files can then be burned onto non-rewritable media such as a CD or DVD-ROM (to avoid further infection of media storage devices). F-Secure, a well-known security firm, has released tools that can remove the infection; they can be found here on F-Secure's blog. For servers or other "crown jewel" devices, it is probably best to back up the important information and reinstall the operating system to ensure complete removal of the infection.
