The discovery comes from the laboratories Trend Micro:

It appears that on 7 April, the virus has changed the road again, evolving yet again.

Ivan Macalintal and his team reported the emergence of a new suspicious file of 119.296 bytes in the Windows temporary folder (% windir% \ temp).
According to data collected it appears that the virus has downloaded this last update due to its ability to receive new payload via peer-to-peer network of other infected hosts on the network.

Another curious detail is that after he tried to download a second encrypted file (Print.exe) from a host (goodnewsdigital-com) belonging to the botnet for Waledac, an "old" knowledge of the family of Trojans, whose objective is to subtract sensitive data to users.

Besides Waledac, systems still under the control of Conficker have enabled application installations scareware as "Protect Spyware 2009" (of the same family as the most popular Antivirus 2008 and Antivirus 2009), which is nothing but a virus that disguises itself from antivirus to believe you that your computer is infected, this to push it then to buy the full version of the phantom program that will clean the entire PC from threats.

And then slowly the motivation of these people starts to become all too clear: money.

The characteristics of the latter variant, known as Win32 \ Conficker.E or WORM_DOWNAD.E from TrendMicro, the find described in this analysis of the Microsoft Malware Protection Center: http://blogs.technet.com/mmpc/archive/2009/ 04/09/win32-conficker-variants-update.aspx

• 0 Comments

(Updated: 27/04/2009)

Index:

- (Info on Threat
- (Avoid it
- (Recognizing
- (Pointing
- (Remove

These days I work for the farm there was an outbreak of the proliferating rather Virus Conficker, mainly in the forms B and B + +.

While healed PCs domino distributing the popular tool MRT (Malicious Software Removal Tool) from Microsoft, we realized that while something else was happening, and although our efforts were proliferating, a new, special version of the virus, much to the chagrin of his brothers, and apparently unknown on the Internet.

We could not help but notice the difference, since the canonical procedures for cleansing (via MRT or FixDownadup) showed no longer enough on the infected computer because it was impossible to install certain types of software (such as Unlocker, Philemon, TCPView), nor even run the software cleaning mentioned above, which vanished for a while after being recalled.

After we put directly in touch with McAfee, with whom we cooperate to make a long series of reports (including also the authentic samples for analysis), the house has informed us that they are the discoverers of a new virus variant Conficker!

Currently, the latest available at the McAfee DAT should implement the detection of the latter variant, as described in this page (updated Tuesday, 10 March: a few hours ago.)

How does the Worm

Considering the matter from the profane, this variant does not differ much from previous, in that mode of infection remains fundamentally its classic configuration:

first of all is the characteristic of creating a copy of itself with the attribute hidden file in c: \% windir% \ system32 \%% nome_random. dll.

This file has permissions for Everyone and execution only in the latter as the applicant has a size of 86.016 bytes (compared to the previous 165.600 B).

The library (as usual) is loaded from a system service and then uses the svchost.exe process to hide its presence.

viene infatti iniettata In Netsvcs key under HKEY_LOCAL_MACHINE \ Software \ Microsoft \ WindowsNT \ CurrentVersion \ Svchost is in fact injected a voice that can take even malignant features of great similarity with the default Windows.

As it happened, you might even find yourself facing a bogus entry Netsvcs TrkTime, easy to be confused with the real rather TrkWks (Distributed Link Tracking Client service).

How to recognize

As I said, this variant occurs in system32 with a. Dll file with a size of 86.016 bytes applicant.

Other known size are: 103.936 bytes | bytes 164.160 | 157.479 bytes | 84.992 bytes (gen.D)

This feature allows us to quickly check the presence thanks to the DOS command

c: \> dir / A: H c: \ windows \ system32 \ *. dll

attribute / A: H extracts only the invisible files in the folder and a clean PC should return the message "File not found".

Council also groped the enumeration of the file marked "system, in this way:

c: \> dir / A: S c: \ windows \ system32 \ *. dll

Because the DOS command? because Conficker prevents the enhanced display of invisible files and system.

The file can also have certain access permissions as the only SYNCHRONIZATION and FILE_EXECUTE for Everyone. To check, use the command:

c: \> cacls c: \% windir% \ system32 \%% nome_lib. dll

The conficker also disables some of the following services:

• Automatic Updates (wuauserv)
• Server
• Background Intelligent Transfer (BITS)
• Security Center (wscsvc)
• Error Reporting Service (ERSvc)

With the appropriate snap-in windows you can quickly view the status of the latter: Start -> Run -> services.msc

Updated:

From one of the boys conficker working group, Joe Stewart, also comes a website (eye chart), which aims to help novice users to identify this virus on your PC:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

And here is a second tool for online check written by Leder and Werner, based on the idea of Joe Stewart

http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/

How to Remove it

Since there will not be able to install most of the security applications (such as those provided by sysinternals), connect to Microsoft sites and those of the various houses virus, but not run various tools of repression, we must resort to a small but powerful utility freeware called "File & Folder Unlocker" available at this address. The execution of that fact is not, fortunately intercepted by the virus (and in any case, just rename the executable "pippo.exe" as the worm blocks the processes whose name contains certain words).

As the name suggests, File & Folder Unlocker allows you to search files in use by system processes and releasing them on the fly. In our case we will look in the box the name of hostile files found in System32 restituitaci then clicking on the correspondence with the right button and then click "Unlock Object.

At this point, having issued a library that intercepts all our calls, we can finally do one of the tools listed below.

Updated:

Whether to grant a library with F & F Unlocker is not sufficient to run the software for cleaning, I suggest to first change the permissions of files in this way:

c: \> echo y | cacls c: \% windir% \ system32 \%% nome_lib. dll / C / P Everyone: F

c: \> attrib-s-h-rc: \% windir% \ system32 \%% nome_lib. dll

Then delete the file, reboot the system and use one of the tools listed below for the complete cleaning and scanning of the local units as the virus will "copy" in folders such as temporary and system (System Volume Information).

In addition (as described unfounded) I always recommend the use of software, though developing, developed and shared by Ledner and Werner 's Honeynet Project in light of their latest discoveries.

Recently Released Removal Tool

• Bitdefender: http://www.bdtools.net/
• Kaspersky: http://www.kaspersky.com/technews?id=203038750
• Enigma Software: http://www.enigmasoftware.com/support/conficker-removal/
• F-Secure: http://www.f-secure.com/weblog/archives/00001588.html
• Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2009-011316-0247-99
• Mcafee: http://service.mcafee.com/faqdocument.aspx?id=TS100621
• TrendMicro: http://www.trendmicro.com/ftp/products/pattern/spyware/fixtool/SysClean-WORM_DOWNAD.zip (requires updated pattern Ssapiptn.Da5 and lpt $ vpn.XXX)
• Sophos: http://www.sophos.com/kb/54457.html
• Leder and Werner University of Bonn: http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

After cleaning, remember to still run a full scan with your antivirus software, but in particular check that the folder C: \ System Volume Information \ (invisible and system),% TEMP%, c: \% programfiles% \ Internet Explorer \ c: \% programfiles% \ Movie Maker \ there are no more traces of the virus.

How to protect themselves from the spread

Since the virus is spreading lately due to its characteristic of infecting any external devices connected to your PC (USB stick, external HD, MP3 players, etc. ..), the first sensible thing to do is disable the Windows feature to interpret the Autorun.inf file

To do this simply create a file with a. REG containing these lines and run it by accepting the changes:

REGEDIT4
[HKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Windows NT \ CurrentVersion \ IniFileMapping \ Autorun.inf]
@ = "@ SYS: DoesNotExist"

Besides this is certainly important:

- Avoid the use of trivial passwords for the local administrative user: read here.

- Avoid using shared folders with write access Everyone

- Install the security patch available in Security Bulletin MS08-067

Information and Insights on the threat

• Depth analysis of SRI International: http://mtc.sri.com/Conficker/
• Another analysis by SRI, dedicated to the latter variant: http://mtc.sri.com/Conficker/addendumC/index.html
• Instructions for the detection: http://www.cert.at/static/conficker/TR_Conficker_Detection.pdf
• How propagates: https: / / forums2.symantec.com/t5/Malicious-Code/Downadup-Locking-Itself-Out/ba-p/389837
• Tiny Honeypot: http://www.sans.org/reading_room/whitepapers/detection/enhancing_ids_using_tiny_honeypot_1665?show=1665.php&cat=detection
• Restoring Safe Mode on infected PCs: http://blog.didierstevens.com/2007/02/19/restoring-safe-mode-with-a-reg-file/
• Manual removal and deployment on Microsoft networks (see: conficker_email_template): http://blogs.msdn.com/nickmac/archive/2009/01/14/malicious-software-removal-tool-removes-win32-conficker-b.aspx
• The conficker prepares for the first of April: http://community.ca.com/blogs/securityadvisor/archive/2009/03/11/new-conficker-variant-not-fooling-around.aspx
• FAQ for F-Secure: http://www.f-secure.com/weblog/archives/00001636.html

Infection Detection

We thank Werner Tillman and Felix Leder, two researchers are part of 'Honeynet Project, if now you may find this annoying worm easily even in large networks.

What we have discovered these guys is just a small sign that the virus leaves the answers to certain RPC calls. They found that we can define the 'fingerprint of the virus, a feature that now makes it extremely simple detection procedures: it is possible to detect threats to our network in a completely anonymous (no authentication required during the testing, and it is possible do any network or domain), remote and mostly very fast.

Found, however, the detailed report of their research at this address.

How do you detect?

I refer you to more authoritative sources, where you'll find detailed information strictly in English:

Detection tool Nmap, which incorporates the latest version of the virus signatures issued by the Honeynet Project:

• http://nmap.org/nsedoc/scripts/smb-check-vulns.html
• http://www.net-security.org/secworld.php?id=7252
• http://www.net-security.org/software.php?id=1
• http://www.skullsecurity.org/blog/?p=209

Below find the link to the article instead drafted by two researchers at the University of Bonn. Here you will find not only tools and scripts for the detection, but also a number of utilities for total disinfection (eg memory) of hosts infected by the many variants of the worm:

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Updated:

E 'was recently discovered a technique that exploits the mechanism p2p owner of viruses to detect hosts infected by the variants C and over, because that was the first to incorporate this update mechanism. The script for Nmap is already in the 'latest version.

• http://www.skullsecurity.org/blog/?p=230 (New)

• 7 Comments

I have written recently about the netstat command in Windows, in the post Viewing sessions TCP / UDP working with the command prompt.

Today I will explain how to identify malware or applications do not like with this simple but powerful tool.

Here is how to monitor TCP connections using netstat, and get a detailed log of the processes that access the Internet without our knowledge:

Before starting the monitoring phase is well close all programs that connect to the internet as browsers, chat programs, clients peer 2 peer, etc. .. As we want to get a log file as "clean" as possible.
Make sure that your computer there are no more active connections, and leaving the PC connected to interntet start the command prompt and type:

netstat -bn [intervallo] >connections.log

the output statistics will be saved in a file connections.log:
all TCP connections will be logged IP addresses, ports (-n) and the name of the processes that have initialized connections (-b). The interval, specified in seconds, is the frequency with which the command is invoked in loop.

netstat -bn 10 >connections.log

This is potentially an infinite loop, but you can stop at any time by pressing CTRL + C.
Ideally leave listening for a few hours or overnight.

And the output, here you see a connection to MSN Messenger:

Active Connections
TCP 192.168.1.1:1031 207.46.108.86:1863 ESTABLISHED 288
[msnmsgr.exe]

[...]

You could also automate the time tracking using AT to stop the process time favorite:

C:\>time
The current time is: 00.00.00,00
Enter the new time:
C:\>at 06:00 cmd /c "taskkill /F /IM cmd.exe"
C:\>netstat -bn 10 >connections.log


• 0 Comments

PHPIDS Intrusion Detection System

PHPIDS is an Intrusion Detection System for easy installation that allows you to protect all your web applications, websites and php script without affecting the speed of execution of the same.

PHPIDS is free and it is now to version 0.5.3.

How it works

The script, which is included on pages to secure (or responsible in all HTTP requests via a php.ini setting that we discuss below), analyzes the requests without filtering or "stripping" input, simply recognizes the code Malignant reacting exactly as you want, even according to the severity of the attack, for example you can instruct the IDS to finish loading the page after you logged IP and input of the potential intruder.

PHPIDS is able to recognize attempts to XSS attacks, SQL injection, header injection, directory traversal, RFE / LFI, DoS and LDAP. It can also detect hostile requests that have been tarnished, as the encoding of the code injected into the charset UTF-7 or entity Unicode, decimal, and hexadecimal.

Example of UTF-7:

+ ADw-script + AD4-alert ( 'Hacked!') + + AD4-ADsAPA-/script

that decoded becomes:

<script> alert ( 'Hacked !');</ script>

The analysis of the inputs is based on a set of filtering rules together in a single XML file which is constantly developing and this helps us a lot in keeping up to date definitions of the attacks.
For each rule is also assigned an "impact" in numerical form, which determines the severity of the attack you are experiencing: Under impacts is therefore possible to define and customize the behavior phpids to neutralize the attempt of intrusion.
To keep track of the attacks reported are available logging functions on text files, databases or by sending mail and we can implement these functions simultaneously.

If ($ result-> getImpact ()> = 40) / * Impact * /
(
require_once 'IDS / Log / file.php';
require_once 'IDS / Log / Email.php';
require_once 'IDS / Log / Composite.php';
$ compositeLog = new IDS_Log_Composite ();
$ compositeLog-> addLogger (IDS_Log_File:: getInstance ($ init)
IDS_Log_Email:: getInstance ($ init)) / * mail and dumps it to file * /
/ * Stop loading * /
die ( '<h1> Your attack was logged! </ h1>');
)

Read the rest of this entry »

• 1 Comment

To support ARCISTUFI now Windows Vista users, Microsoft has published (July 2008) an e-book that aims to provide a hand-guide for optimizing the system and a substantial increase in performance.

Here's an overview of the topics covered in the tutorial:

• Configure the system for increasing the responsiveness of applications.
• Adaptation and optimization of the hardware.
• Speeding up the loading of the operating system.
• Improve performance by making their computers more "safe".
• Lessons tracking performance.

The guide is available only in English, but it is very understandable and full of pictures and examples.

Download: Windows Vista ® Performance and Tuning Tutorial

Source | - Scattered Notes

• 0 Comments