Bleakants.com

Computing, Internet Solutions News & Interesting

(Last Updated: 27/04/2009)

Index:

- Information on the Threat
- Avoidance
- Recognizing
- Detecting
- Removing

In recent days, at the company I work for, there has been a rather widespread outbreak of the Conficker virus, mainly in the B and B++ forms.

While we were cleaning PCs one after another by distributing Microsoft's well-known MRT (Malicious Software Removal Tool), we realized that something else was going on: despite our efforts, a new, peculiar version of the virus was spreading, far more annoying than its siblings and apparently unknown on the Internet.

We could not help noticing the difference, since the canonical cleaning procedures (via MRT or FixDownadup) no longer proved sufficient: on infected computers it was impossible to install certain software (e.g. Unlocker, Filemon, TCPView), let alone run the cleaning tools mentioned above, which vanished into thin air a moment after being launched.

After we got in direct contact with McAfee, with whom we cooperated by providing a long series of reports (including genuine samples for analysis), the company told us we were the discoverers of a new Conficker variant!

The latest McAfee DAT available should now implement detection of this variant, as described on this page (updated Tuesday, March 10, a few hours ago).

How the Worm Works

Looking at it from a layman's point of view, this variant does not differ much from the previous ones, in that the mode of infection basically keeps its classic configuration:

first of all, it creates a copy of itself with the hidden file attribute in %windir%\system32\%nome_random%.dll.

This file grants the Everyone group execute permission only and has a recurring size of 86,016 bytes (versus 165,600 for the earlier B variant).

The library (as usual) is loaded by a system service, which then uses the svchost.exe process to hide its presence.

A bogus entry is in fact injected into the netsvcs key under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost, and its name may closely resemble those of the default Windows services.

As happened to us, you might be faced with a bogus netsvcs entry TrkTime, easy to confuse with the genuine TrkWks (Distributed Link Tracking Client service).

How to Recognize

As mentioned, this variant appears in system32 as a .dll file with a recurring size of 86,016 bytes.

Other known sizes are: 103,936 bytes | 164,160 bytes | 157,479 bytes | 84,992 bytes (gen.D)

This feature lets us quickly check for its presence with the DOS command:

c:\> dir /a:h c:\windows\system32\*.dll

The /A:H attribute lists only the hidden files in the folder; a clean PC should return the message "File Not Found".

I also suggest trying to list the files marked "system", like this:

c:\> dir /a:s c:\windows\system32\*.dll

Why a DOS command? Because Conficker prevents Explorer from displaying hidden and system files.

The file may also have particular access permissions, such as only SYNCHRONIZE and FILE_EXECUTE for the Everyone group. To check, use the command:

c:\> cacls %windir%\system32\%nome_lib%.dll

Conficker also disables some of the following services:

  • Automatic updates (wuauserv)
  • Server
  • Background Intelligent Transfer (BITS)
  • Security Center (wscsvc)
  • Error Reporting Service (ERSvc)

With the Windows services snap-in you can quickly check the status of these: Start -> Run -> services.msc
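The following PowerShell script is an added example, not code from the original post: it consolidates the manual checks above (hidden or system DLLs in system32 and their sizes and ACLs, the netsvcs group and the DLL each listed service really loads, and the services the worm disables) into one read-only script. It assumes PowerShell 2.0 or later run from an elevated prompt; the file sizes are the ones quoted in the post.

```powershell
# Added example, not code from the original post. Read-only: it reports and
# changes nothing. Assumes PowerShell 2.0 or later, run from an elevated prompt.

# Sizes quoted in the post for this variant and its relatives (bytes).
$knownSizes = 86016, 165600, 103936, 164160, 157479, 84992

$sys32 = Join-Path $env:windir 'system32'

# 1. Hidden or system-attribute DLLs in system32: the equivalent of
#    "dir /a:h" and "dir /a:s". -Force makes Get-ChildItem return entries
#    that Explorer would not show.
$hiddenDlls = Get-ChildItem -Path $sys32 -Filter '*.dll' -Force |
    Where-Object { $_.Attributes.ToString() -match 'Hidden|System' }

if (-not $hiddenDlls) {
    Write-Host '[files] no hidden/system DLLs in system32 (a clean PC reports none)'
}
foreach ($f in $hiddenDlls) {
    $sizeHit = $knownSizes -contains $f.Length
    Write-Host ('[files] {0}  {1} bytes  known_conficker_size={2}' -f $f.FullName, $f.Length, $sizeHit)
    # Same information as "cacls": the post notes only SYNCHRONIZE and
    # FILE_EXECUTE for Everyone on the malicious DLL.
    foreach ($ace in (Get-Acl -Path $f.FullName).Access) {
        Write-Host ('        {0,-28} {1}' -f $ace.IdentityReference, $ace.FileSystemRights)
    }
}

# 2. netsvcs group: for each service name listed there, look at the DLL the
#    service actually loads (Parameters\ServiceDll) and flag hidden files or
#    files with one of the sizes above. Many netsvcs names have no installed
#    service on a given machine, so a missing key is not itself suspicious.
$svchostKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$netsvcs = (Get-ItemProperty -Path $svchostKey).netsvcs
foreach ($name in $netsvcs) {
    $paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$name\Parameters"
    if (-not (Test-Path -LiteralPath $paramKey)) { continue }
    $dll = (Get-ItemProperty -Path $paramKey).ServiceDll
    if (-not $dll) { continue }
    $dll = [Environment]::ExpandEnvironmentVariables($dll)
    if (-not (Test-Path -LiteralPath $dll)) {
        Write-Host "[netsvcs] $name -> ServiceDll $dll does not exist"
        continue
    }
    $fi = Get-Item -LiteralPath $dll -Force
    $hidden = $fi.Attributes.ToString() -match 'Hidden'
    if ($hidden -or ($knownSizes -contains $fi.Length)) {
        Write-Host ('[netsvcs] {0} -> {1}  hidden={2}  {3} bytes  (compare with the genuine TrkWks entry)' -f $name, $dll, $hidden, $fi.Length)
    }
}

# 3. Services the post says the worm disables ("Server" is LanmanServer).
foreach ($s in 'wuauserv', 'LanmanServer', 'BITS', 'wscsvc', 'ERSvc') {
    $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "[service] $s not installed"; continue }
    $wmi = Get-WmiObject -Class Win32_Service -Filter "Name='$s'"
    Write-Host ('[service] {0,-13} status={1,-8} startup={2}' -f $s, $svc.Status, $wmi.StartMode)
}
```

The netsvcs check deliberately does not treat an unmatched name as a finding: the group lists many optional services, so the useful signal is a listed service whose ServiceDll is a hidden file or has one of the sizes above. Like the dir commands, the script reads the file system through a path the worm does not hook, so it works on machines where Explorer's view is unreliable.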

Updated:

From one of the guys of the Conficker Working Group, Joe Stewart, comes a web page (eye chart) which aims to help novice users identify this virus on their PC:

http://www.confickerworkinggroup.org/infection_test/cfeyechart.html

And here is a second tool for an online check, written by Leder and Werner, based on Joe Stewart's idea:

http://four.cs.uni-bonn.de/fileadmin/user_upload/werner/cfdetector/

How to Remove

Since you will not be able to install most security applications (such as those provided by Sysinternals), nor connect to the Microsoft sites and those of the various antivirus vendors, nor run the various removal tools, we use a small but powerful freeware utility called "File & Folder Unlocker", available at this address. Fortunately its execution is not intercepted by the virus (and in any case it is enough to rename the executable to "pippo.exe", since the worm blocks processes whose name contains certain words).

As the name suggests, File & Folder Unlocker lets you search for files in use by system processes and release them on the fly. In our case we search, in the program's search boxes, for the names of the hostile files found in System32, then right-click the match it returns and click "Unlock Objects".

At this point, having released the library that intercepts all our calls, we can finally run one of the tools listed below.

Updated:

If releasing the library with F&F Unlocker is not enough to run the cleaning software, I recommend first changing the file permissions as follows:

c:\> echo y | cacls %windir%\system32\%nome_lib%.dll /C /P Everyone:F

c:\> attrib -s -h -r %windir%\system32\%nome_lib%.dll

Then delete the file, reboot the system and use one of the tools listed below for a complete cleaning and scan of the local drives, because the virus "copies" itself into locations such as the temporary folder and the system folder (System Volume Information).

In addition (although described as still untested) I always recommend the use of the software, still under development, developed and shared by Leder and Werner of the Honeynet Project in light of their latest discoveries.

Recently Released Removal Tools

After cleaning, remember to run a full scan anyway with your antivirus software, but in particular check that the folders C:\System Volume Information\ (hidden and system), %TEMP%, %programfiles%\Internet Explorer\ and %programfiles%\Movie Maker\ contain no more traces of the virus.

How to protect yourself from the spread

Since the virus has lately been spreading thanks to its ability to infect any external device connected to the PC (USB sticks, external hard disks, MP3 players etc.), the first sensible thing to do is to disable the Windows feature that interprets the Autorun.inf file.

To do this, simply create a .REG file containing these lines and run it, accepting the changes:

REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"

Besides this, it is certainly important to:

- Avoid the use of trivial passwords for the local administrative user: read here.

- Avoid using shared folders with write access for Everyone.

- Install the security patches available in Security Bulletin MS08-067.
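As an added example, not code from the original post, the following PowerShell script applies the Autorun.inf mapping from the .REG file above without REGEDIT and then checks the other two list items that a script can verify: shares that grant Everyone write access, and the presence of the MS08-067 update (KB958644 is the knowledge-base number of that update). It assumes PowerShell 2.0 or later run as administrator; the local administrator password item cannot be checked by script and is left to the reader.

```powershell
# Added example, not code from the original post. Assumes PowerShell 2.0 or
# later, run as administrator. KB958644 is the MS08-067 security update.

# 1. Autorun.inf: map the INI section to a non-existent registry key, so the
#    file's contents are ignored (the same effect as the .REG file above).
$map = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
if (-not (Test-Path -LiteralPath $map)) { New-Item -Path $map -Force | Out-Null }
Set-ItemProperty -Path $map -Name '(default)' -Value '@SYS:DoesNotExist'
$applied = (Get-ItemProperty -Path $map).'(default)'
Write-Host "[autorun] IniFileMapping\Autorun.inf = $applied"

# 2. Shares with write access for Everyone, read from the share-level DACL
#    (Win32_LogicalShareSecuritySetting). Type 0 = plain disk share, which
#    leaves out the administrative ADMIN$ and C$ shares.
$FILE_WRITE_DATA = 2
foreach ($share in (Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 })) {
    $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting -Filter "Name='$($share.Name)'"
    if (-not $sec) { continue }
    $dacl = $sec.GetSecurityDescriptor().Descriptor.DACL
    foreach ($ace in $dacl) {
        # AceType 0 = access allowed; AccessMask bit 0x2 = FILE_WRITE_DATA.
        if ($ace.AceType -eq 0 -and $ace.Trustee.Name -eq 'Everyone' -and ($ace.AccessMask -band $FILE_WRITE_DATA)) {
            Write-Host ('[share] {0} ({1}) grants Everyone write access, mask=0x{2:X}' -f $share.Name, $share.Path, $ace.AccessMask)
        }
    }
}

# 3. MS08-067 (KB958644): the update the worm's network spread relies on.
$fix = Get-HotFix | Where-Object { $_.HotFixID -eq 'KB958644' }
if ($fix) {
    Write-Host "[patch] KB958644 installed on $($fix.InstalledOn)"
} else {
    Write-Host '[patch] KB958644 not listed: install MS08-067 (or confirm a later update supersedes it)'
}
```

The share check reads the share-level permissions only; a share that is read-only at share level cannot be written through the network even if the NTFS ACL underneath allows it, which is why that layer is the one to inspect for this item.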

Information and Insights on the Threat

Infection Detection

We must thank Tillmann Werner and Felix Leder, two researchers who are part of the Honeynet Project, if this annoying worm can now be detected easily even on large networks.

What these guys discovered is a small sign that the virus leaves in its answers to certain RPC calls. They found what we can define as the virus's fingerprint, a feature that now makes detection procedures extremely simple: it is possible to detect the threat on our network in a totally anonymous way (no authentication is required during the check, and it can be done from any network or domain), remotely and very quickly.

You can find the detailed report of their research at this address.

How do you detect it?

I refer you to more authoritative sources, where you will find detailed information, strictly in English:

Detection with the Nmap tool, whose latest version incorporates the virus signatures issued by the Honeynet Project:

Below you will find the link to the article written by the two researchers at the University of Bonn. There you will find not only tools and scripts for detection but also a number of utilities for the total disinfection (e.g. of memory) of hosts infected by the countless variants of the worm:

http://iv.cs.uni-bonn.de/wg/cs/applications/containing-conficker/

Updated:

A technique was recently discovered that exploits the worm's own p2p mechanism to detect hosts infected by variant C and later, since C was the first to incorporate this update mechanism. The Nmap script is already integrated in the latest version.

If you are having problems deleting, modifying or moving Excel files on your Windows server, typically with errors like this:

The file can not be deleted: It Is Being Used by Another person or program

and perhaps the system has McAfee VirusScan Enterprise 8.0i with Patch 16 (or Patch 15 + HotFix 311933) installed, you do not know where to turn and in the meantime your users want to hang you from a pole, you may be interested in this Knowledge Base article, which describes the problem on that very version and offers both a workaround and a definitive patch, a fix of the hotfix.

After installing the patch, reboot the server and the problem should be solved.

If for any reason you cannot update your VirusScan right now, McAfee recommends disabling Opportunistic file locking, which lets the first client that locks a file have exclusive access to the resource, in order to avoid data loss if the same file is modified by other concurrent clients.

