April 11
The discovery comes from the Trend Micro laboratories:
it appears that on April 7 the virus changed course once again, evolving yet another time.
Ivan Macalintal and his team reported the appearance of a new suspicious file of 119.296 bytes in the Windows temporary folder (%windir%\temp).
According to the data collected, the virus downloaded this update thanks to its ability to receive new payloads over the peer-to-peer network of other infected hosts.
Another curious detail is that it then tried to download a second, encrypted file (print.exe) from a host (goodnewsdigital-com) belonging to the Waledac botnet, an "old" acquaintance from the family of Trojans whose aim is to steal sensitive data from users.
Besides Waledac, systems still under Conficker's control are being used to install scareware such as "Protect Spyware 2009" (the same family as the better-known Antivirus 2008 and Antivirus 2009), which is nothing but a virus disguised as an antivirus: it makes you believe your computer is infected and then pushes you to buy the elusive full version of the program that will supposedly clean the PC of every threat.
And so, little by little, the motivation of these people has become all too clear: money.
The characteristics of this variant, known as Win32\Conficker.E or, by Trend Micro, WORM_DOWNAD.E, are described in this analysis from the Microsoft Malware Protection Center: http://blogs.technet.com/mmpc/archive/2009/04/09/win32-conficker-variants-update.aspx
March 11
Posted by Tacu in Security, Windows
Tags: conficker, guides, McAfee
(Last updated: 27/04/2009)
Index:
- Threat info
- Avoidance
- Recognizing
- Detecting
- Removing
In the company where I work there has been, these past days, an outbreak of the ever-spreading Conficker virus, mainly in the B and B++ forms.
While cleaning up the PCs by distributing Microsoft's well-known MRT (Malicious Software Removal Tool), we realised that something else was going on: despite our efforts, a new, peculiar version of the virus was spreading, much more annoying than its siblings and apparently unknown on the Internet.
We could not help but notice the difference, since the canonical cleaning procedures (via MRT or FixDownadup) were no longer enough: on the infected computers it was impossible to install certain software (e.g. Unlocker, Filemon, TCPView), let alone run the cleaning tools mentioned above, which vanished into thin air shortly after being launched.
After direct contact with McAfee, to whom we provided a long series of reports (including authentic samples for analysis), the vendor told us that we were the discoverers of a new Conficker variant!
The latest McAfee DAT available should now implement detection of this variant, as described on this page (updated Tuesday, March 10: a few hours ago).
Looked at from a layman's point of view, this variant does not differ much from the previous ones, in that its mode of infection keeps the classic configuration:
first of all, it creates a copy of itself with the hidden attribute as %windir%\system32\%nome_random%.dll.
This file grants the Everyone group execute-only permissions and has a recurring size of 86.016 bytes (compared with the previous variant's 165.600 B).
As usual, the library is loaded by a system service and then uses the svchost.exe process to hide its presence.
Into the netsvcs value under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost it injects a malicious entry, which can closely resemble the ones Windows ships by default.
For instance, you might be facing a bogus netsvcs entry called TrkTime, easy to confuse with the genuine TrkWks (Distributed Link Tracking Client service).
As said, this variant shows up in system32 as a .dll file with a recurring size of 86.016 bytes.
Other known sizes: 103.936 bytes | 164.160 bytes | 157.479 bytes | 84.992 bytes (gen.D)
This characteristic lets us quickly check for its presence with a DOS command:
c:\> dir /a:h c:\windows\system32\*.dll
The /a:h attribute filter lists only the hidden files in the folder; a clean PC should answer "File Not Found".
I also suggest trying the list of files marked as "system", like this:
c:\> dir /a:s c:\windows\system32\*.dll
Why a DOS command? Because Conficker prevents Explorer from showing hidden and system files.
The file may also carry restricted access permissions, such as only SYNCHRONIZE and FILE_EXECUTE for the Everyone group. To check, use the command:
c:\> cacls %windir%\system32\%nome_lib%.dll
Conficker also disables some of the following services:
The status of these can be checked quickly with the dedicated Windows snap-in: Start -> Run -> services.msc
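As an added example (not code from the post or from any of the tools it mentions), the following Python script applies the three indicators described above, the hidden DLL in system32 with one of the known sizes, the Everyone ACE limited to SYNCHRONIZE and FILE_EXECUTE, and the netsvcs entry that mimics a legitimate service name, to constructed data: the directory listing, the cacls output and the netsvcs entries are sample values made up for the demonstration, and the netsvcs baseline is only a partial list of names that a real check should export from a known-clean machine.

```python
"""Added example: the three Conficker indicators from the post, checked on
constructed sample data (directory listing, cacls output, netsvcs entries).
"""
import difflib

# Sizes quoted in the post (written there as 86.016 and so on), in bytes.
KNOWN_SIZES = {86016, 165600, 103936, 164160, 157479, 84992}

# Partial netsvcs baseline (assumption: names present on a clean Windows XP;
# a real check should export the value from a known-clean reference machine).
NETSVCS_BASELINE = ["AudioSrv", "Browser", "CryptSvc", "EventSystem",
                    "LanmanServer", "LanmanWorkstation", "Netman", "Schedule",
                    "Seclogon", "SENS", "Themes", "TrkWks", "W32Time",
                    "wscsvc", "WZCSVC"]

# Constructed listing of %windir%\system32\*.dll: name, size, attributes.
DIR_SAMPLE = [
    {"name": "kernel32.dll", "size": 989184, "hidden": False, "system": False},
    {"name": "xyzabc.dll",   "size": 86016,  "hidden": True,  "system": True},
    {"name": "mscms.dll",    "size": 65536,  "hidden": False, "system": False},
]

# Constructed cacls output for the hidden library (Everyone: execute-only)
# and for a normal DLL (Everyone: read).
CACLS_SAMPLE = """C:\\WINDOWS\\system32\\xyzabc.dll Everyone:(special access:)
                                        SYNCHRONIZE
                                        FILE_EXECUTE
"""
CACLS_NORMAL = "C:\\WINDOWS\\system32\\mscms.dll Everyone:R\n"


def suspicious_dlls(entries):
    """Hidden DLLs in system32; a size from the known list is the strongest hit."""
    hits = []
    for e in entries:
        if not e["name"].lower().endswith(".dll"):
            continue
        if e["hidden"] and e["size"] in KNOWN_SIZES:
            hits.append((e["name"], "hidden DLL with a size seen in Conficker samples"))
        elif e["hidden"] or e["system"]:
            hits.append((e["name"], "hidden/system DLL in system32; a clean PC lists none"))
    return hits


def everyone_execute_only(cacls_output):
    """True when the Everyone ACE grants exactly SYNCHRONIZE and FILE_EXECUTE."""
    rights, in_everyone = set(), False
    for line in cacls_output.splitlines():
        s = line.strip()
        if "Everyone:" in s:
            if not s.endswith("(special access:)"):
                return False  # Everyone:F, Everyone:R, ...: not execute-only
            in_everyone = True
            continue
        if in_everyone:
            if s and all(c.isupper() or c == "_" for c in s):
                rights.add(s)  # one named right per indented line
            else:
                break  # next principal or end of the ACE block
    return rights == {"SYNCHRONIZE", "FILE_EXECUTE"}


def _common_prefix(a, b):
    n = 0
    for x, y in zip(a.lower(), b.lower()):
        if x != y:
            break
        n += 1
    return n


def nearest_baseline(name):
    """Baseline name a bogus entry resembles most: longest shared prefix wins,
    difflib similarity breaks ties (lookalikes tend to copy the start of a name)."""
    return max(NETSVCS_BASELINE,
               key=lambda b: (_common_prefix(name, b),
                              difflib.SequenceMatcher(None, name.lower(), b.lower()).ratio()))


def netsvcs_lookalikes(entries):
    """Entries missing from the baseline, each paired with the name it mimics."""
    known = {b.lower() for b in NETSVCS_BASELINE}
    return [(e, nearest_baseline(e)) for e in entries if e.lower() not in known]


if __name__ == "__main__":
    print(suspicious_dlls(DIR_SAMPLE))
    print(everyone_execute_only(CACLS_SAMPLE), everyone_execute_only(CACLS_NORMAL))
    print(netsvcs_lookalikes(["Browser", "TrkTime", "TrkWks", "Schedule"]))
```

On a real machine the three inputs would come from `dir /a:h`, `cacls` and an export of the netsvcs value; the prefix-first comparison is what makes TrkTime land next to TrkWks rather than next to some other name that merely shares a few letters.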
Update:
From one of the guys of the Conficker Working Group, Joe Stewart, comes a web page (the "eye chart") meant to help novice users find out whether this virus is on their PC:
http://www.confickerworkinggroup.org/infection_test/cfeyechart.html
And here is a second online check, written by Leder and Werner and based on Joe Stewart's idea:
http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/
Since it will not be possible to install most security applications (such as those from Sysinternals), to reach Microsoft's site or those of several antivirus vendors, nor to run the various removal tools, we use a small but powerful freeware utility called "File & Folder Unlocker", available at this address. Fortunately its execution is not blocked by the virus (and in any case it is enough to rename the executable to "pippo.exe", since the worm blocks processes whose name contains certain words).
As the name suggests, File & Folder Unlocker lets you search for files in use by system processes and release them on the fly. In our case we type into the search box the name of the hostile file found in System32, then right-click the match it returns and choose "Unlock Objects".
At this point, having freed the library that intercepts all our calls, we can finally run one of the tools listed below.
Update:
Should releasing the library with F&F Unlocker not be enough to run the cleaning software, I recommend first changing the file's permissions as follows:
c:\> echo y | cacls %windir%\system32\%nome_lib%.dll /C /P Everyone:F
c:\> attrib -h -s -r %windir%\system32\%nome_lib%.dll
Then delete the file, reboot the system and use one of the tools listed below for a complete clean-up, scanning the local drives as well, because the virus "copies itself" to locations such as the temporary folders and System Volume Information.
In addition (as described at the end), I always recommend the tool, still under development, created and shared by Leder and Werner of the Honeynet Project in light of their latest discoveries.
After cleaning, remember to run a full scan with your antivirus anyway, and in particular check that the folders C:\System Volume Information\ (hidden and system), %TEMP%, %programfiles%\Internet Explorer\ and %programfiles%\Movie Maker\ no longer contain traces of the virus.
Since the virus has lately been spreading thanks to its ability to infect any external device connected to the PC (USB sticks, external hard disks, MP3 players, etc.), the first sensible thing to do is to stop Windows from interpreting the Autorun.inf file.
To do so, just create a .REG file containing these lines and run it, accepting the changes:
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
- Avoid trivial passwords for the local administrative user: read here.
- Avoid shared folders with write access for Everyone.
- Install the security patch available in Security Bulletin MS08-067.
We must thank Tillmann Werner and Felix Leder, two researchers who are part of the Honeynet Project, if this annoying worm can now be found easily, even on large networks.
What these guys discovered is a small tell-tale sign the virus leaves in its answers to certain RPC calls. They found what we may call the virus' fingerprint, a feature that now makes detection procedures extremely simple: threats on our network can be detected completely anonymously (no authentication is required during the audit, and it can be done on any network or domain), remotely and very quickly.
The detailed report of their research can be found at this address.
How do you detect it?
I refer you to more authoritative sources, where you will find detailed information (in English only):
Detection with the Nmap tool, whose latest version incorporates the virus signatures issued by the Honeynet Project:
Below is the link to the article written by the two researchers at the University of Bonn. There you will find not only detection tools and scripts but also a number of utilities for the complete disinfection (including memory) of hosts infected by the countless variants of the worm:
http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/
Update:
A technique was recently discovered that exploits the virus' own p2p mechanism to detect hosts infected by variant C and later, since that was the first to incorporate this update mechanism. The Nmap script is already included in the latest version.
I already wrote a while ago about the Windows netstat command in the post View active TCP/UDP sessions with the command prompt.
Today I will explain how to identify malware or unwanted applications with this simple but powerful tool.
Here is how to monitor TCP connections with netstat and get a detailed log of the processes accessing the Internet without our knowledge:
Before starting the monitoring phase it is best to close all programs that connect to the Internet (browsers, chat programs, peer-to-peer clients, etc.), since we want a log file that is as "clean" as possible.
Make sure the computer has no more active connections and, leaving it connected to the Internet, open a command prompt and type:
netstat -bn [interval] >connections.log
The output statistics will be saved in the file connections.log:
all TCP connections are logged with numeric IP addresses and ports (-n) and the name of the process that opened the connection (-b). The interval, in seconds, is how often the command is re-run in a loop.
netstat -bn 10 >connections.log
This is potentially an infinite loop, but it can be stopped at any time by pressing Ctrl+C.
Ideally leave it listening for several hours or overnight.
And here is the output; you can see a connection by MSN Messenger:
Active Connections
TCP 192.168.1.1:1031 207.46.108.86:1863 ESTABLISHED 288
[Msnmsgr.exe][...]
You could also automate the end of the monitoring with AT, stopping the process at the time you prefer:
C:\>time
The current time is: 00.00.00,00
Enter the new time:
C:\>at 06:00 cmd /c "taskkill /F /IM cmd.exe"
C:\>netstat -bn 10 >connections.log
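To turn the connections.log collected above into something reviewable, here is an added Python example (not part of the original post) that parses a log in the shape `netstat -bn 10 >connections.log` produces, groups remote endpoints by owning process and flags processes outside an allow-list that reached a non-RFC1918 address. The log text, the allow-list and the process name pippo.exe are constructed for the example; only the MSN Messenger line mirrors the post's output.

```python
"""Added example: summarise a netstat -bn loop log per process and flag
unexpected Internet talkers. Log content and allow-list are constructed.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed log: two 'Active Connections' blocks, each TCP line followed by
# the owning process name in square brackets, as netstat -b prints it.
CONNECTIONS_LOG = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1031       207.46.108.86:1863     ESTABLISHED     288
 [msnmsgr.exe]

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.1.1:1031       207.46.108.86:1863     ESTABLISHED     288
 [msnmsgr.exe]
  TCP    192.168.1.1:1044       192.168.1.20:445       ESTABLISHED     4
 [System]
  TCP    192.168.1.1:1052       198.51.100.7:80        ESTABLISHED     1404
 [pippo.exe]
"""

# Processes we expect to reach the Internet on this machine (constructed).
EXPECTED = {"msnmsgr.exe", "iexplore.exe", "svchost.exe"}

# Only RFC1918 and loopback count as "private" here (assumption: the LAN uses
# those ranges); anything else is treated as the Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

TCP_LINE = re.compile(r"^\s*TCP\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")
OWNER_LINE = re.compile(r"^\s*\[(.+)\]\s*$")


def _split_endpoint(ep):
    host, _, port = ep.rpartition(":")
    return host, int(port)


def parse_log(text):
    """Return {process name: {(remote_ip, remote_port, state), ...}}."""
    by_process = defaultdict(set)
    pending = []  # TCP lines seen since the last [owner] line
    for line in text.splitlines():
        m = TCP_LINE.match(line)
        if m:
            _local, remote, state, _pid = m.groups()
            host, port = _split_endpoint(remote)
            pending.append((host, port, state))
            continue
        m = OWNER_LINE.match(line)
        if m and pending:
            by_process[m.group(1).strip().lower()].update(pending)
            pending = []
    return dict(by_process)


def is_private(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # '*' or a name: cannot prove it is local
    return any(addr in net for net in PRIVATE_NETS)


def unexpected_internet_talkers(by_process, expected=EXPECTED):
    """Processes outside the allow-list that reached a non-private address."""
    findings = {}
    for proc, conns in by_process.items():
        if proc in expected:
            continue
        remote = sorted({(ip, port) for ip, port, _state in conns if not is_private(ip)})
        if remote:
            findings[proc] = remote
    return findings


if __name__ == "__main__":
    summary = parse_log(CONNECTIONS_LOG)
    for proc, conns in sorted(summary.items()):
        print(proc, sorted(conns))
    print("unexpected:", unexpected_internet_talkers(summary))
```

Repeated intervals collapse into one set per process, so an overnight log stays readable; the System entry talking to a LAN file server on port 445 is ignored as private, while the unknown pippo.exe reaching an outside address is what you would then investigate.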
16 Oct
Posted by Tacu in Internet, Security
Tags: Intrusion Detection, php, PHPIDS
PHPIDS is an easy-to-install Intrusion Detection System that lets you protect all your PHP web applications, websites and scripts without affecting their execution speed.
PHPIDS is free and is currently at version 0.5.3.
The script, included in the pages to be protected (or hooked into every HTTP request via a php.ini setting we will see shortly), analyses requests without filtering or "stripping" the input: it simply recognises malicious code and reacts exactly as you want, also according to the severity of the attack; for example, you can instruct the IDS to stop loading the page after logging the input and the IP of the potential intruder.
PHPIDS can detect XSS, SQL injection, header injection, directory traversal, RFE/LFI, DoS and LDAP injection attempts. It can also detect hostile requests that have been obfuscated, such as code injected using the UTF-7 charset or Unicode, decimal and hexadecimal entities.
Example in UTF-7:
+ADw-script+AD4-alert('Hacked!')+ADsAPA-/script+AD4-
which, decoded, becomes:
<script>alert('Hacked!');</script>
Input analysis is based on a set of filtering rules collected in a single XML file under constant development, which helps a lot in keeping the attack definitions up to date.
Each rule is assigned a numeric "impact" that determines the severity of the attack in progress: based on the impact it is therefore possible to define and customise how PHPIDS neutralises the intrusion attempt.
To keep track of the reported attacks, logging functions are available for text files, databases and e-mail, and they can be used simultaneously.
// $init is the IDS_Init instance and $result the IDS_Report returned by IDS_Monitor::run()
if ($result->getImpact() >= 40) { /* impact threshold */
    require_once 'IDS/Log/File.php';
    require_once 'IDS/Log/Email.php';
    require_once 'IDS/Log/Composite.php';
    $compositeLog = new IDS_Log_Composite();
    $compositeLog->addLogger(IDS_Log_File::getInstance($init),
                             IDS_Log_Email::getInstance($init)); /* log to file and e-mail */
    $compositeLog->execute($result);
    /* stop loading the page */
    die('Your attack was <h1>Logged</h1>');
}
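As an added illustration of the two mechanisms just described (decoding obfuscated input before matching, and summing per-rule impact against a threshold), here is a small Python model. It is not PHPIDS code: its four rules and their impact values are invented for the example, and only the UTF-7 payload and the threshold of 40 come from the post.

```python
"""Added example: decode obfuscated input, score it against impact-weighted
rules, and act on a threshold. Rules and impacts are constructed, not PHPIDS's.
"""
import html
import re

# Constructed rules: (pattern, impact, label). PHPIDS ships its own XML rule set.
RULES = [
    (re.compile(r"<\s*script\b", re.I), 30, "script tag"),
    (re.compile(r"\balert\s*\(", re.I), 20, "javascript alert call"),
    (re.compile(r"\bunion\s+select\b", re.I), 25, "sql union select"),
    (re.compile(r"\.\./"), 15, "directory traversal"),
]
THRESHOLD = 40  # the impact threshold used in the post's snippet

# The UTF-7 payload from the post.
UTF7_PAYLOAD = "+ADw-script+AD4-alert('Hacked!')+ADsAPA-/script+AD4-"


def normalize(value):
    """Undo the encodings the post mentions: UTF-7 shift sequences and
    decimal/hexadecimal HTML entities. Input that is not valid UTF-7
    (a stray '+' in a form field) is kept as it is."""
    if "+" in value:
        try:
            value = value.encode("ascii").decode("utf-7")
        except (UnicodeEncodeError, UnicodeDecodeError):
            pass
    return html.unescape(value)


def score(value):
    """Sum the impact of every matching rule; return (impact, matched labels)."""
    impact, labels = 0, []
    for pattern, weight, label in RULES:
        if pattern.search(value):
            impact += weight
            labels.append(label)
    return impact, labels


def analyze(value, threshold=THRESHOLD, decode=True):
    """Full pipeline; decode=False shows what a matcher sees without decoding."""
    text = normalize(value) if decode else value
    impact, labels = score(text)
    return {"decoded": text, "impact": impact, "rules": labels,
            "action": "log and stop" if impact >= threshold else "allow"}


if __name__ == "__main__":
    print(analyze(UTF7_PAYLOAD))
    print(analyze(UTF7_PAYLOAD, decode=False))
    print(analyze("&#x3c;script&#x3e;alert(1)"))
```

Run without decoding, the UTF-7 payload only trips the `alert(` rule and stays under the threshold; after decoding, both the script-tag and the alert rules fire and the total crosses 40, which is the point of normalising before matching.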
For Windows Vista users who are by now utterly fed up, Microsoft published (July 2008) an e-book that aims to offer a handrail for system optimisation and a substantial increase in performance.
Here is an overview of the topics covered in the tutorial:
- Configuring the system to make applications more responsive.
- Adapting and optimising the hardware.
- Speeding up operating system start-up.
- Improving the computer's performance by making it "safer".
- Lessons on performance monitoring.
The guide is in English, but it is very easy to follow and full of pictures and examples.
Download: Windows Vista Performance and Tuning Tutorial
Source: Scattered Notes