Malware Defense History

by Dr. Nikolai Bezroukov.

Copyright: Dr. Nikolai Bezroukov 1994-2013. Unpublished notes. Version 0.80.October, 2013

Contents : Foreword : Ch01 : Ch02 : Ch03  : Ch04 : Ch05 : Ch06 : Ch07 : Ch08 : Ch09 : Ch10 : Ch11 : Ch12 : Ch13

Ch10: Remote Access Trojans and Zombie Networks

Conficker

• Conficker.A, Conficker.B and Conficker.B++, had a primary focus on spreading infection. Conficker.B and Conficker.B++ were responsible for the major growth in the size of the Conficker botnet, as they were able to spread using Windows file sharing and autorun.inf files on USB media, in addition to the MS08-067 vulnerability used by Conficker.A.
• Conficker.C has primary focus on operation of botnet resulting from infections.  In The peer-to-peer mechanisms in Conficker.C allow an infected machine to:
  • find other Conficker.C peers using a unique IP-to-port address mapping
  •  distribute or receive content, cryptographically signed only by the Con-cker author(s)
  • execute received content, for which the cryptographic signature is verified

Like most complex malware it contains the code to detect whether it's running inside a virtual machine.

Conficker.C have turned the millions of compromised machines from isolated infections to a network of zombies capable of rapid malware distribution and somewhat resilient against infiltration of their communication paths.

Microsoft provided clear disinfection information that can be tuned to your particular situation (Virus alert about the Win32-Conficker worm)

The information in this Knowledge Base article is intended for business environments that have system administrators who can implement the details in this article. There is no reason to use this article if your antivirus program is cleaning the virus correctly and if your systems are fully updated. To confirm that the system is clean of the Conficker virus, perform a quick scan from the following Web page: http://www.microsoft.com/security/scanner/

(http://www.microsoft.com/security/scanner/)

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fConficker

Back to the top | Give Feedback

Symptoms of infection

If your computer is infected with this worm, you may not experience any symptoms, or you may experience any of the following symptoms:

• Account lockout policies are being tripped.
• Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
• Domain controllers respond slowly to client requests.
• The network is congested.
• Various security-related Web sites cannot be accessed.
• Various security-related tools will not run. For a list of known tools, visit the following Microsoft Web page, and then click the Analysis tab for information about Win32/Conficker.D. For more information, visit the following Microsoft Web page:

  http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D

  (http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.D)

http://www.microsoft.com/security/portal/Entry.aspx?Name=Win32/Conficker

Back to the top | Give Feedback

Propagation methods

Win32/Conficker has multiple propagation methods. These include the following:

• Exploitation of the vulnerability that is patched by security update 958644 (MS08-067)
• The use of network shares
• The use of AutoPlay functionality

Note The Win32/Conficker.D variant does not spread to removable drives or shared folders over a network. Win32/Conficker.D is installed by previous variants of Win32/Conficker.

Back to the top | Give Feedback

Prevention

• Use strong administrator passwords that are unique for all computers.
• Do not log on to computers by using Domain Admin credentials or credentials that have access to all computers.
• Make sure all systems have the latest security updates applied.
• Disable the Autoplay features. For more information, see step 3 of the "Create a Group Policy object" section.
• Remove excessive rights to shares. This includes removing write permissions to the root of any share.

Mitigation steps

Stop Win32/Conficker from spreading by using Group Policy settings

• Important Make sure that you document any current settings before you make any of the changes that are suggested in this article.
• This procedure does not remove the Conficker malware from the system. This procedure only stops the spread of the malware. You should use an antivirus product to remove the Conficker malware from the system. Or, follow the steps in the "Manual steps to remove the Win32/Conficker virus" section of this Knowledge Base article to manually remove the malware from the system.
• You may be unable to correctly install applications, service packs, or other updates while the permission changes that are recommended in the following steps are in place. This includes, but is not limited to, applying updates by using Windows Update, Microsoft Windows Server Update Services (WSUS) server, and System Center Configuration Manager (Configuration Manager 2007), as these products rely on components of Automatic Updates. Make sure that you change the permissions back to default settings after you clean the system.
• For information about the default permissions for the SVCHOST registry key and the Tasks Folder that are mentioned in the "Create a Group Policy object" section, see the Default permissions table at the end of this article.

Create a Group Policy object

To do this, follow these steps:

1. Set the policy to remove write permissions to the following registry subkey:

   HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost

   This prevents the randomly named malware service from being created in the netsvcs registry value.

   To do this, follow these steps:

   1. Open the Group Policy Management Console (GPMC).
   2. Create a new GPO. Give it any name that you want.
   3. Open the new GPO, and then move to the following folder:

      Computer Configuration\Windows Settings\Security Settings\Registry

   4. Right-click Registry, and then click Add Key.
   5. In the Select Registry Key dialog box, expand Machine, and then move to the following folder:

      Software\Microsoft\Windows NT\CurrentVersion\Svchost

   6. Click OK.
   7. In the dialog box that opens, click to clear the Full Control check box for both Administrators and System.
   8. Click OK.
   9. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
   10. Click OK.
2. Set the policy to remove write permissions to the %windir%\Tasks folder. This prevents the Conficker malware from creating the Scheduled Tasks that can reinfect the system.

   To do this, follow these steps:

   1. In the same GPO that you created earlier, move to the following folder:

      Computer Configuration\Windows Settings\Security Settings\File System

   2. Right-click File System, and then click Add File.
   3. In the Add a file or folder dialog box, browse to the %windir%\Tasks folder. Make sure that Tasks is highlighted and listed in the Folder dialog box.
   4. Click OK.
   5. In the dialog box that opens, click to clear the check boxes for Full Control, Modify, and Write for both Administrators and System.
   6. Click OK.
   7. In the Add Object dialog box, click Replace existing permissions on all subkeys with inheritable permissions.
   8. Click OK.
3. Set AutoPlay (Autorun) features to disabled. This keeps the Conficker malware from spreading by using the AutoPlay features that are built into Windows.

   NoteDepending on the version of Windows that you are using, there are different updates that you must have installed to correctly disable the Autorun functionality:

   • To disable the Autorun functionality in Windows Vista or in Windows Server 2008, you must have security update 950582

     (http://support.microsoft.com/kb/950582)

     installed (described in security bulletin MS08-038).
   • To disable the Autorun functionality in Windows XP, in Windows Server 2003, or in Windows 2000, you must have security update 950582

     (http://support.microsoft.com/kb/950582)

     , update 967715

     (http://support.microsoft.com/kb/967715)

     , or update 953252

     (http://support.microsoft.com/kb/953252)

     installed.
   To set AutoPlay (Autorun) features to disabled, follow these steps:
   1. In the same GPO that you created earlier, move to one of the following folders:
      • For a Windows Server 2003 domain, move to the following folder:

        Computer Configuration\Administrative Templates\System

      • For a Windows 2008 domain, move to the following folder:

        Computer Configuration\Administrative Templates\Windows Components\Autoplay Policies

   2. Open the Turn off Autoplay policy.
   3. In the Turn off Autoplay dialog box, click Enabled.
   4. In the drop-down menu, click All drives.
   5. Click OK.
4. Close the Group Policy Management Console.
5. Link the newly created GPO to the location that you want it to apply to.
6. Allow for enough time for Group Policy settings to update to all computers. Generally, Group Policy replication takes five minutes to replicate to each domain controller, and then 90 minutes to replicate to the rest of the systems. A couple hours should be enough. However, more time may be required, depending on the environment.
7. After the Group Policy settings have propagated, clean the systems of malware.

   To do this, follow these steps:

   1. Run full antivirus scans on all computers.
   2. If your antivirus software does not detect Conficker, you can use the Microsoft Safety Scanner to clean the malware. For more information, visit the following Microsoft Web page: http://www.microsoft.com/security/scanner/

      (http://www.microsoft.com/security/scanner/)

      Note You may have to follow some manual steps to clean up all the effects of the malware. We recommend that you review the steps that are listed in the "Manual steps to remove the Win32/Conficker virus" section of this article to clean up all the effects of the malware.

Recovery

Run the Microsoft Safety Scanner.

Note The Microsoft Safety Scanner does not prevent reinfection because it is not a real-time antivirus program.

You can download the Microsoft Safety Scanner from the following Microsoft Web site:

http://www.microsoft.com/security/scanner/

Note The Stand-Alone System Sweeper tool will also remove this infection. This tool is available as a component of the Microsoft Desktop Optimization Pack 6.0 or through Customer Service and Support.To obtain the Microsoft Desktop Optimization Pack, visit the following Microsoft Web site:

(http://www.microsoft.com/windows/enterprise/technologies/mdop.aspx)

Manual steps to remove the Win32/Conficker virus

• These manual steps are not required any longer and should only be used if you have no antivirus software to remove the Conficker virus.
• Depending on the Win32/Conficker variant that the computer is infected with, some of these values referred to in this section may not have been changed by the virus.

1. Log on to the system by using a local account.

   Important Do not log on to the system by using a Domain account, if it is possible. Especially, do not log on by using a Domain Admin account. The malware impersonates the logged on user and accesses network resources by using the logged on user credentials. This behavior allows for the malware to spread.

2. Stop the Server service. This removes the Admin shares from the system so that the malware cannot spread by using this method.

   Note The Server service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on production servers because this step will affect network resource availability. As soon as the environment is cleaned up, the Server service can be re-enabled.

   To stop the Server service, use the Services Microsoft Management Console (MMC). To do this, follow these steps:

   1. Depending on your system, do the following:
      • In Windows Vista and Windows Server 2008, click Start, type services.msc in the Start Search box, and then click services.msc in the Programs list.
      • In Windows 2000, Windows XP, and Windows Server 2003, click Start, click Run, type services.msc, and then click OK.
   2. Double-click Server.
   3. Click Stop.
   4. Select Disabled in the Startup type box.
   5. Click Apply.
3. Remove all AT-created scheduled tasks. To do this, type AT /Delete /Yes at a command prompt.
4. Stop the Task Scheduler service.
   • To stop the Task Scheduler service in Windows 2000, Windows XP, and Windows Server 2003, use the Services Microsoft Management Console (MMC) or the SC.exe utility.
   • To stop the Task Scheduler service in Windows Vista or in Windows Server 2008, follow these steps.

     ImportantThis section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:

     322756

     (http://support.microsoft.com/kb/322756/ )

     How to back up and restore the registry in Windows

     1. Click Start, type regedit in the Start Search box, and then click regedit.exe in the Programs list.
     2. Locate and then click the following registry subkey:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule

     3. In the details pane, right-click the Start DWORD entry, and then click Modify.
     4. In the Value data box, type 4, and then click OK.
     5. Exit Registry Editor, and then restart the computer.

        Note The Task Scheduler service should only be disabled temporarily while you clean up the malware in your environment. This is especially true on Windows Vista and Windows Server 2008 because this step will affect various built-in Scheduled Tasks. As soon as the environment is cleaned up, re-enable the Server service.

5. Download and manually install security update 958644 (MS08-067). For more information, visit the following Microsoft Web site:

   http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

   (http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx)

   Note This site may be blocked because of the malware infection. In this scenario, you must download the update from an uninfected computer, and then transfer the update file to the infected system. We recommend that you burn the update to a CD because the burned CD is not writable. Therefore, it cannot be infected. If a recordable CD drive is not available, a removable USB memory drive may be the only way to copy the update to the infected system. If you use a removable drive, be aware that the malware can infect the drive with an Autorun.inf file. After you copy the update to the removable drive, make sure that you change the drive to read-only mode, if the option is available for your device. If read-only mode is available, it is typically enabled by using a physical switch on the device. Then, after you copy the update file to the infected computer, check the removable drive to see whether an Autorun.inf file was written to the drive. If it was, rename the Autorun.inf file to something like Autorun.bad so that it cannot run when the removable drive is connected to a computer.

6. Reset any Local Admin and Domain Admin passwords to use a new strong password. For more information, visit the following Microsoft Web site:

   http://technet.microsoft.com/en-us/library/cc875814.aspx

   (http://technet.microsoft.com/en-us/library/cc875814.aspx)
7. In Registry Editor, locate and then click the following registry subkey:

   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost

8. In the details pane, right-click the netsvcs entry, and then click Modify.
9. If the computer is infected with the Win32/Conficker virus, a random service name will be listed.

   Note With Win32/Conficker.B, the service name was random letters and was at the bottom of the list. With later variants, the service name may be anywhere in the list and may seem to be more legitimate. If the random service name is not at the bottom, compare your system with the "Services table" in this procedure to determine which service name may have been added by Win32/Conficker. To verify, compare the list in the "Services table" with a similar system that is known not to be infected.

   Note the name of the malware service. You will need this information later in this procedure.

10. Delete the line that contains the reference to the malware service. Make sure that you leave a blank line feed under the last legitimate entry that is listed, and then click OK.

    Notes about the Services table

    • All the entries in the Services table are valid entries, except for the items that are highlighted in bold.
    • The items that are highlighted in bold are examples of what the Win32/Conficker virus may add to the netsvcs value in the SVCHOST registry key.
    • This may not be a complete list of services, depending on what is installed on the system.
    • The Services table is from a default installation of Windows.
    • The entry that the Win32/Conficker virus adds to the list is an obfuscation technique. The highlighted, malicious entry that is supposed to resemble the first letter is a lowercase "L." However, it is actually an uppercase "I." Because of the font that is used by the operating system, the uppercase "I" seems to be a lowercase "L."

NEWS CONTENTS

• 200102 : German Ministry of Education Throws Away PCs For 190,000 € Due To Infection ( German Ministry of Education Throws Away PCs For 190,000 € Due To Infection, )
• 200102 : gbjbaanb ( gbjbaanb, )
• 200102 : Re:Money well spent ( Re:Money well spent, )
• 200102 : AdmV0rl0n ( AdmV0rl0n, )
• 200102 : Re: ( Re:, )
• 200102 : Re:Money well spent ( Re:Money well spent, )
• 200102 : Re:Money well spent ( Re:Money well spent, )

Old News ;-)

German Ministry of Education Throws Away PCs For 190,000 € Due To Infection

April 30, 2013 | Slashdot

gbjbaanb

Re:Money well spent

Conficker.... suddenly it becomes clear. I know an organisation that was infected, and they ended up spending 2 weeks with a Microsoft consultant to clear everything up. The problem is that it spreads too quickly, so when you clear a PC and move on to the next, it re-infects the first one. Silly old Microsoft.

So, if they upgraded their PCs too.... makes perfect sense. I wouldn't have binned the old ones though, I'd have wiped the HDDs and sold them or given them away.

AdmV0rl0n

Re: (Score:3)

This thread is disappointing. So much hate. Hate leads to fear, and fear leads to the dark side.

Anyway. Conflicker. Nasty. Simple. Old. A clean up is not easy, but conflicker requires some bad baselines to be operating for it to get through and thrive. If you fix the baseline issues, the clean up can follow. A clean susyem thats updated properly isn't infectable via conflicker.

So frankly a system sorted put back in should be fine. You'll obviously have to do this step by step and yes, there is a price. Mos

Re:Money well spent (Score:4, Interesting)

No, conflicker has worm elements. So, the hard part of the clean up is not per se an individual machine. Its that you need to solve the baseline problems that allow conflicker to do its thing.

Re-installing 'stuff' won't make this go away. Doing it wrong just reinfects the machine.
So, as I said, what has to be done is the cause and baselines that allow conflicker to replicate have to be solved (harder part) - and then machines with good baselines go through clean up and go back on the network (easier part..)

http://support.microsoft.com/kb/962007 [microsoft.com]

Any tech learning about conflicker can read about it, and start to understand what needs to be fixed. Patch, correct password weakenesses, stop autorun etc etc. Today, this is somewhat simple as a lot of tools and detection tools exist.

People in threat waving around Fdisk and re-install media saying 'they could fix this' - probably in fact are clueless and need to understand the problems involved. Conflicker breeds off poor security and bad baselines. Thats how it gets in. Thats how it replicates. Thats how it hangs around and re-infects.

Re:Money well spent (Score:5, Informative)

The problem is that it spreads too quickly, so when you clear a PC and move on to the next, it re-infects the first one.

Then the first one wasn't really fixed, was it? Microsoft released a patch that blocks re-infection so all you have to do download that and their Malicious Software Removal Tool to a CD, disconnect each machine from the network and run them in order. Problem solved.

The high cost is probably due the cost of certifying that the infection was removed and the PCs are safe to use with sensitive data again. Removal is trivial if somewhat time consuming.

Re:Money well spent

We had an entire department insisting that one of their patch cables was infected and that it was infecting any PC was plugged into it because two different PCs got infected while (coincidentally) plugged into the same jack, several months apart. Maybe we should have removed the patch cable to prevent reinfection.

bickerdyke

Re:Money well spent

well... knowing the gouvernments worldwide a bit, those 13000 were probably the cost to get the malicious software removal kit certified and getting the permission to run it on oh-so-precious office machines....

Recommended Links

Softpanorama Recommended

Top articles

Sites

Malware/Malware_defense_history/Ch10_rats_and_zombies_networks/Reprints/conficker-analysis.pdf

Etc

Society

Groupthink : Two Party System as Polyarchy : Corruption of Regulators : Bureaucracies : Understanding Micromanagers and Control Freaks : Toxic Managers :   Harvard Mafia : Diplomatic Communication : Surviving a Bad Performance Review : Insufficient Retirement Funds as Immanent Problem of Neoliberal Regime : PseudoScience : Who Rules America : Neoliberalism  : The Iron Law of Oligarchy : Libertarian Philosophy

Quotes

War and Peace : Skeptical Finance : John Kenneth Galbraith :Talleyrand : Oscar Wilde : Otto Von Bismarck : Keynes : George Carlin : Skeptics : Propaganda  : SE quotes : Language Design and Programming Quotes : Random IT-related quotes :  Somerset Maugham : Marcus Aurelius : Kurt Vonnegut : Eric Hoffer : Winston Churchill : Napoleon Bonaparte : Ambrose Bierce :  Bernard Shaw : Mark Twain Quotes

Bulletin:

Vol 25, No.12 (December, 2013) Rational Fools vs. Efficient Crooks The efficient markets hypothesis : Political Skeptic Bulletin, 2013 : Unemployment Bulletin, 2010 :  Vol 23, No.10 (October, 2011) An observation about corporate security departments : Slightly Skeptical Euromaydan Chronicles, June 2014 : Greenspan legacy bulletin, 2008 : Vol 25, No.10 (October, 2013) Cryptolocker Trojan (Win32/Crilock.A) : Vol 25, No.08 (August, 2013) Cloud providers as intelligence collection hubs : Financial Humor Bulletin, 2010 : Inequality Bulletin, 2009 : Financial Humor Bulletin, 2008 : Copyleft Problems Bulletin, 2004 : Financial Humor Bulletin, 2011 : Energy Bulletin, 2010 : Malware Protection Bulletin, 2010 : Vol 26, No.1 (January, 2013) Object-Oriented Cult : Political Skeptic Bulletin, 2011 : Vol 23, No.11 (November, 2011) Softpanorama classification of sysadmin horror stories : Vol 25, No.05 (May, 2013) Corporate bullshit as a communication method  : Vol 25, No.06 (June, 2013) A Note on the Relationship of Brooks Law and Conway Law

History:

Fifty glorious years (1950-2000): the triumph of the US computer engineering : Donald Knuth : TAoCP and its Influence of Computer Science : Richard Stallman : Linus Torvalds  : Larry Wall  : John K. Ousterhout : CTSS : Multix OS Unix History : Unix shell history : VI editor : History of pipes concept : Solaris : MS DOS :  Programming Languages History : PL/1 : Simula 67 : C : History of GCC development :  Scripting Languages : Perl history   : OS History : Mail : DNS : SSH : CPU Instruction Sets : SPARC systems 1987-2006 : Norton Commander : Norton Utilities : Norton Ghost : Frontpage history : Malware Defense History : GNU Screen : OSS early history

Classic books:

The Peter Principle : Parkinson Law : 1984 : The Mythical Man-Month :  How to Solve It by George Polya : The Art of Computer Programming : The Elements of Programming Style : The Unix Hater’s Handbook : The Jargon file : The True Believer : Programming Pearls : The Good Soldier Svejk : The Power Elite

Most popular humor pages:

Manifest of the Softpanorama IT Slacker Society : Ten Commandments of the IT Slackers Society : Computer Humor Collection : BSD Logo Story : The Cuckoo's Egg : IT Slang : C++ Humor : ARE YOU A BBS ADDICT? : The Perl Purity Test : Object oriented programmers of all nations : Financial Humor : Financial Humor Bulletin, 2008 : Financial Humor Bulletin, 2010 : The Most Comprehensive Collection of Editor-related Humor : Programming Language Humor : Goldman Sachs related humor : Greenspan humor : C Humor : Scripting Humor : Real Programmers Humor : Web Humor : GPL-related Humor : OFM Humor : Politically Incorrect Humor : IDS Humor : "Linux Sucks" Humor : Russian Musical Humor : Best Russian Programmer Humor : Microsoft plans to buy Catholic Church : Richard Stallman Related Humor : Admin Humor : Perl-related Humor : Linus Torvalds Related humor : PseudoScience Related Humor : Networking Humor : Shell Humor : Financial Humor Bulletin, 2011 : Financial Humor Bulletin, 2012 : Financial Humor Bulletin, 2013 : Java Humor : Software Engineering Humor : Sun Solaris Related Humor : Education Humor : IBM Humor : Assembler-related Humor : VIM Humor : Computer Viruses Humor : Bright tomorrow is rescheduled to a day after tomorrow : Classic Computer Humor

The Last but not Least Technology is dominated by two types of people: those who understand what they do not manage and those who manage what they do not understand ~Archibald Putt. Ph.D

The statements, views and opinions presented on this web page are those of the author (or referenced source) and are not endorsed by, nor do they necessarily reflect, the opinions of the Softpanorama society. We do not warrant the correctness of the information provided or its fitness for any purpose. The site uses AdSense so you need to be aware of Google privacy policy. You you do not want to be tracked by Google please disable Javascript for this site. This site is perfectly usable without Javascript.

Last modified: March 12, 2019