Jump to content

Yet another BotNet startup


Wazoo
 Share

Recommended Posts

Having just spent a couple of days on a Dell/Vista (did I mention hw much I dislike Vista?) laptop, the following news item really takes the cake. Laptop had two rootkits running, 17 different virus infections ... one Registry tool removed over 1600 corrupted/bad entries, the next removed another 400+ entries ... none of this really 'bothered' the laptop's owner, it was just that the thing kept crashing to a strange "blue screen" .. BSOD background color but "dancing bar codes" white data .... Vista offered up the fantasticly informative error message at the next boot that 'named' the error as "Blue Screen" ... Wow!! Nothing informative in the error or system logs, checkfisk and defrag both refused to start, none of the anti-virus and anti-malwar tools could reach their home sites to get updates, on and on. The bad part was that some of this stuff had been going on for a "couple of months" (said the owner) .. geeze ...

http://www.cnn.com/2009/TECH/ptech/01/16/v...ref=mpstoryview

A new sleeper virus that could allow hackers to steal financial and personal information has now spread to more than eight million computers in what industry analysts say is one of the most serious infections they have ever seen.

The Downadup or Conficker worm exploits a bug in Microsoft Windows to infect mainly corporate networks, where -- although it has yet to cause any harm -- it potentially exposes infected PCs to hijack.

...........

He said his company had reverse-engineered its program, which they suspected of originating in Ukraine, and is using the call-back mechanism to monitor an exponential infection rate, despite Microsoft's issuing of a patch to fix the bug.

"On Tuesday there were 2.5 million, on Wednesday 3.5 million and today [Friday], eight million," he told CNN. "It's getting worse, not better."

..............

The worm does not spread over email or the Web. However if an infected laptop is connected to your corporate network, it will immediately scan the network looking for machines to infect. These will be machines that have not installed a patch from Microsoft known as MS08-067. The worm will also scan company networks trying to guess your password, trying hundreds and hundreds of common words. If it gets in, even if you are not at your machine, it will infect and begin spreading to other servers. A third method of spreading is via USB data sticks.

..........

How can I prevent it infecting my machine?

The best way is to get the patch and install it company-wide. The second way is password security. Use long, difficult passwords -- particularly for administrators who cannot afford to be locked out of the machines they will have to fix.

What can I do if it has already infected?

Machines can be disinfected. The problem is for companies with thousands of infected machines, which can become re-infected from just one computer even as they are being cleared.

http://www.f-secure.com/weblog/archives/00001579.html

Normally malware uses only one or maybe a handful of websites. Such sites are generally easy to locate and shut down.

Then there is Downadup. It uses a complicated algorithm which changes daily and is based on timestamps from public websites such as Google.com and Baidu.com. With this algorithm, the worm generates many possible domain names every day.

............

This makes it impossible and/or impractical for us good guys to shut them all down — most of them are never registered in the first place.

However, the bad guys only need to predetermine one possible domain for tomorrow, register it, and set up a website — and they then gain access to all of the infected machines. Pretty clever.

But we can play this game as well.

So we've determined the possible domains and have registered some of them for ourselves.

Which means the infected machines will also connect to us.

..............

Right now, we're seeing hundreds of thousands of unique IP addresses connecting to the domains we've registered.

A very large part of that traffic is coming from corporate networks, through firewalls, proxies, and NAT routers. Meaning that one unique IP address that we see could very well be 2,000 infected workstations in real life.

http://isc.sans.org/diary.html?storyid=5671

The storm center handlers mailbox has received a growing number of email inquiries regarding root cause for Windows domain account lockouts which we most likely attribute to the infection base of Downadup/Conficker malware variants. Downadup/Conficker malware (actual naming is dependant upon your AV product) due to the integration of exploit code for the (MS08-067) RPC service vulnerability, if present on even a single host within any private network may quickly result in mass domain account lock outs where failed password attempt policies are in force.

Link to comment
Share on other sites

But, a correction....

"How can I prevent it infecting my machine?"

DON'T USE WINDOWS! :P

Becoming less and less valid. And as in this case, the 'security patch' was actually released over three months ago. Just having done 22 updates on my Debian system, another dozen or so on my Ubuntu system, some of that same (Windows) issue exists in other OSs, it's still up to the end-user (IT manager?) to keep things up to date. As noted by a recent post referencing Secunia's software checking tool, it's not just Windows that's at fault (noting the same issue for *NIX) .. there's all that 'other' software tools and apps that get installed that create yet more openings/vectors for malicious use/abuse.

Link to comment
Share on other sites

Not a good way to primary security IMO but F-Secure has a 'Preemptive Downadup Domain Blocklist' for this one, ref http://www.f-secure.com/weblog/archives/00001578.html current list at http://www.f-secure.com/weblog/archives/do...klist_13_16.txt

But note the comments at http://www.dshield.org/diary.html?storyid=5704 (thanks to paradoX at grc NGs for that link) - particularly the 'windcard' thing, especially

asdioaisuduaisdas.ws (not on list) has address 64.70.19.33, same as wuzth.ws (etc., on list) "If you are blocking any of these domains based on resolution you may want to know that some ccTLD's use wildcard's (sic). I found out while writing some python to perform DNS resolution that the .ws ccTLD does just this. So please do be aware that .ws uses such a setup, and it will always resolve any .ws domain.."

And, of course, not all clicks go to where the clicker thinks they clicked due to all sorts of clickery trickery.

Link to comment
Share on other sites

..."How can I prevent it infecting my machine?"

DON'T USE WINDOWS! :P...

It's getting a bit old now but on topic as far as it applies to botnet 'recruitment' and it is possibly instructive - an account of a hacked Linux server, syptoms, diagnostics and (trying to) trace the perpetrator:

http://blog.gnist.org/article.php?story=HollidayCracking

follow-up

http://blog.gnist.org/article.php?story=Ho...yCracking-redux

No steaming pile of entrails yet, unfortunately :(

Link to comment
Share on other sites

I was talking about the "clients" not the servers.

Most server exploits are cross-platform scripts.... all the forum infestation ones I've dealt with are php for example. To THOSE people, I say STOP USING PHPBB! :rolleyes:

(or at least update the dang things!)

Cheers!

Edited by Geek
Link to comment
Share on other sites

I was talking about the "clients" not the servers.

Most server exploits are cross-platform scripts.... all the forum infestation ones I've dealt with are php for example. To THOSE people, I say STOP USING PHPBB! :rolleyes:

(or at least update the dang things!)

Yeah, yeah cross-platform, like http://ars.userfriendly.org/cartoons/?id=20081217

How 'bout Windows 7? That should be better! - http://www.xkcd.com/528/

Not sure Macintosh has the 'legs' to go on - http://ars.userfriendly.org/cartoons/?id=20090118

Link to comment
Share on other sites

Ahhh! My email notification failed yet again! :o

Yeah, yeah cross-platform, like http://ars.userfriendly.org/cartoons/?id=20081217

How 'bout Windows 7? That should be better! - http://www.xkcd.com/528/

Not sure Macintosh has the 'legs' to go on - http://ars.userfriendly.org/cartoons/?id=20090118

I loved those :lol:

But about this botnet.... it or something is hopping in operation good the last few days with forum spam :angry:

Normally spambots come to the forums in groups of three like clockwork at :22 and :53 past the hour.

The last 48 hours has seen this increase to the point they aren't going away! This is an indication at how many computers are "coming alive" :wacko:

Cheers!

Link to comment
Share on other sites

Ahhh! My email notification failed yet again!

A couple of things. This Forum app has sent e-mails out to you.

Jan 13 04:21:32 status=sent (250 OK id=1LMfSN-0005sa-Po)

Jan 16 23:13:51 status=sent (250 OK id=1LO2Yh-0003Eh-UN)

Jan 17 08:10:53 status=sent (250 OK id=1LOAwP-0007zS-UF)

Jan 17 16:51:32 status=sent (250 OK id=1LOJ4F-0006zE-Rl)

Jan 17 23:19:16 status=sent (250 OK id=1LOP7T-0000Ct-Ga)

Jan 19 00:40:35 status=sent (250 OK id=1LOmsD-0004kB-Jz)

Your single "Forum" subscription to the Lounge area is set for "immediate"

Your eight Topic subscriptions are all set to "delayed" ... as in the past, I suggest you turn those into "immediate"

Your e-mail is "relayed" through web-mania.com .... might there be an issue there with them not actually forwarding stuff?

Link to comment
Share on other sites

...

But about this botnet.... it or something is hopping in operation good the last few days with forum spam :angry:...

I've seen some commentary (unfortunately didn't take note of location) that 'this' trojan didn't seem to 'do anything' - might just be a 'proof of concept'. I don't think that is likely (to the contrary, it actively spreads infection of course, and it does that relatively efficiently) - probably just that nobody 'sees' all of the internet, part-time commentators have selective memories and this one, with its multiple infection vectors, just isn't following precisely the same pattern as previous types. In fact it is spreading far faster than anything previously seen, by all accounts, and the absence of an exactly corresponding surge in reported email spam means nothing, IMO. An increase in forum spam might just be the leading edge of the 'productive' duty cycle (or it might be purely coincidental). I have no doubt we will find out in due course.
Link to comment
Share on other sites

Hi Wazoo,

Odd, I didn't get notification this time either. My web-mania relay has no spam filters or blocks active (so I can get everything and report it through you guys).

Come to think of it, I'm not getting *any* forum topic notifications from anywhere in the last two days :blink:

Hi Farelf,

I read that article too, I know the one you mean.

True that there is so much of the internet we don't see. Just because the thing isn't playing mailserver, doesn't mean it's not doing anything *shrug*

Cheers!

Edited by Geek
Link to comment
Share on other sites

Odd, I didn't get notification this time either. My web-mania relay has no spam filters or blocks active (so I can get everything and report it through you guys).

Come to think of it, I'm not getting *any* forum topic notifications from anywhere in the last two days :blink:

I changed your subscription mode to this Topic to "immediate" as I saw that you hadn't done it yet. You should receive a notification about this post.

Edit: Jan 22 19:01:09 status=sent (250 OK id=1LQ9Tp-0000eU-0m) .. e-mail sent as expected.

Also having to note that you are one of only eight users that has disabled the use of the PM system here. Any special reason for that?

Link to comment
Share on other sites

I've seen some commentary (unfortunately didn't take note of location) that 'this' trojan didn't seem to 'do anything' - might just be a 'proof of concept'. I don't think that is likely (to the contrary, it actively spreads infection of course, and it does that relatively efficiently)

Extra processes started and running, outbound traffic attempted, and of course the networking scanning itself to spread itself around. Nothing earth-shattering this far, but the warnings are based on the fact that these actions are but one step/action below the next stage .... the actual "do something" command ...

just isn't following precisely the same pattern as previous types. In fact it is spreading far faster than anything previously seen, by all accounts,

One of the latest scenarios points to the reappearance of the age-old "sneaker-net" .... back in the days of spreading a virus through the use of inserting an infected floppy into the (usually) stand-alone computer .... the major difference now is the use of a USB memory stick being inserted into a network-connected computer. In the days of the floppy, one had to (on a Windows machine) actually load and run files off the floppy .... inserting a USB stick these days includes the default mode of 'auto-mounting/running' the stick and (some executable) contents. Note Microsoft's latest (updated) instructions at How to correct "disable Autorun registry key" enforcement in Windows .... not for the faint-of-heart to say the least.

Note that for the corporate environment, the use of 'mapped network drives' is also included in the list of available infection sources that this Registry hack is meant to try to contend with.

Link to comment
Share on other sites

...One of the latest scenarios points to the reappearance of the age-old "sneaker-net" .... back in the days of spreading a virus through the use of inserting an infected floppy into the (usually) stand-alone computer .... the major difference now is the use of a USB memory stick being inserted into a network-connected computer. In the days of the floppy, one had to (on a Windows machine) actually load and run files off the floppy .... inserting a USB stick these days includes the default mode of 'auto-mounting/running' the stick and (some executable) contents. Note Microsoft's latest (updated) instructions at How to correct "disable Autorun registry key" enforcement in Windows .... not for the faint-of-heart to say the least.
Thanks - that's some valuable context. There's a thing, I seem to remember the early Apples could be effectively rendered unusable when someone simply didn't demount their floppy disk properly and disappeared with disk in their pocket (the same disk the OS would sooner or later demand to be produced before anything else was going to happen). Just the thing, when PCs were rare and many tended to be shared by a heap of people with very variable skills, knowledge and even work locations. Or did I just dream that, finally maddened past all bearing by the smug superiority of some of the Macintosh persuasion? I suppose one could say the Macs got better, whereas ...
Note that for the corporate environment, the use of 'mapped network drives' is also included in the list of available infection sources that this Registry hack is meant to try to contend with.

Yeah, painfully aware - just wish the rest of the workplaces and workers were.
...I loved those :lol: ...
And of course this one has appeared on these pages before. :D Reminds me, I've got the 'machine code' in a book somewhere for a keyboard-enterable virus for some series of IBM mainframes (it was short enough to be 'stored' and 'retrieved' from a slip of paper) - yes HIDs are and always have been a vector for malice - when one doorway is closed 'they' find another.
Link to comment
Share on other sites

Hi Wazoo,

Thanks muchly! :)

I just got home and they all appeared in my inbox, even the earlier ones. As well as a Web-Mania notice of mail server upgrades.

That means on the weekend I'm going to get bombed with a hundred backed-up emails, as per usual of their "upgrades" :rolleyes:

There's a thing, I seem to remember the early Apples could be effectively rendered unusable when someone simply didn't demount their floppy disk properly and disappeared with disk in their pocket.......

Oh good grief! My old Debian Woody box would complain BITTERLY when I did that :blink:

<OT>

And of course this one has appeared on these pages before. :D

That one is in the top three of my fav's from them! :lol:

</OT>

Cheers!

Link to comment
Share on other sites

Consolidation:

Thursday, January 22, 2009 9:10 PM by mmpc

Centralized Information About The Conficker Worm

Since the time Microsoft released security update MS08-067, we have released information about MS08-067 exploits and specifically about the Conficker worm in our malware encyclopedia and in multiple blog posts for example here. This blog provides a summary of the available information Microsoft has provided on the Conficker worm and the vulnerability it exploits, which Microsoft addressed with MS08-067.

...

http://blogs.technet.com/mmpc/archive/2009...icker-worm.aspx
Link to comment
Share on other sites

  • 3 weeks later...

Microsoft Offers $250,000 Bounty For Worm Authors

Beset by malicious worms after failing to convince enough server administrators to take its out-of-band Security Bulletin, MS08-067, seriously, Microsoft is taking computer security to the streets: It has formed a cybersecurity posse to dismantle the Conficker/Downandup worm's infrastructure and has offered a $250,000 reward for information leading to the arrest and conviction of those responsible for the outbreak.

........

And the problem continues more or less unabated today. Symantec said in the past five days it has seen an average of almost 500,000 infections per day with W32.Downadup.A and more than 1.7 million infections per day with W32.Downadup.B.

.......

So it is that on Thursday, Microsoft announced a partnership with technology companies, academic organizations, and Internet infrastructure companies to fight the worm in the wild. Its partners in this worm hunt include ICANN, Neustar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International, M1D Global, AOL, Symantec, F-Secure, ISC, researchers from Georgia Tech, Shadowserver Foundation, Arbor Networks, and Support Intelligence.

Together, the coalition is working to seize Internet domains associated with the worm.

........

According to Symantec, researchers have reverse-engineered the algorithm used to generate a daily list of 250 domains that the worm depends on to download updates. Armed with that knowledge, the coalition is taking control of the domains registered through coalition partners and using them to log and track infected systems. The group also is investigating domains overseen by registrars that aren't part of the coalition, though it's not clear how much leverage can be applied in such cases.

The worm won't be entirely stopped by such tactics; it also includes a peer-to-peer update mechanism. But it's a start.

Link to comment
Share on other sites

Something just occured to me... many registrars are spammer controlled. The more domains registered to "take control" of the ones this worm depends on, the more money they make.

Seems to me the owner of this worm is win-win-win no matter what security companies do.

Devastating to Windex computers, but absofreakinloutely brilliant in plan and execution.

Link to comment
Share on other sites

  • 1 month later...

Not wishing to spread 'Fear Uncertainty and Doubt', it appears that even some relatively altruistic observers are believing an April Fools' day manifestation of 'the other shoe dropping' in the Conficker/Downloadup saga:

http://arstechnica.com/security/news/2009/...-activation.ars

http://www.dslreports.com/forum/r22102402-...onficker-C-Worm

Thanks to Randy Knobloch at the grc NGs for the citations (no, no, that's his handle, truly).

Link to comment
Share on other sites

  • 7 months later...

And, of course, there's the fake "Conficker removal tool":

http://isc.sans.org/diary.html?storyid=7402

Which may be down to Zbot phishing, the botnet which now "owns" enough computers to start its own country (or maybe it's the Avalanche botnet which isn't far behind):

http://www.darkreading.com/security/vulner...cleID=220700200

{sigh} Whatever happened to Skynet and its plans for the swift, merciful elimination of the human race?

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

×
×
  • Create New...