Endpoint Protection

View Only

Back to Library

Best Practice for Downadup.B and Additional information on the same.

Recommend

Oct 05, 2009 11:29 AM

Mithun Sanghavi

“Best practice”

for

Win32/Conficker.B [MS]

w32.downadup.B[SYM]

Infection/propagation Method

-Flash drives/open shares/mapped drives [autorun.inf]

-Admin$ - Random brute force password attack on the networked systems

-Exploit MS08-67 – RPC BO vulnerability in netapi32.dll

How it works ?

Initial attack happens on one of the networked systems.

This initial attack and execution can be achieved by visiting any malware hosting website [cracks/music /free download/hacked etc.], plugging infected flash drive in the production network.

Mostly un-patched systems/Browsers are the initial victim of this attack.

Once executed it Installs a service under

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost\ netsvcs

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BadServiceName

This service is most of the time a .dll file [We need to submit this one if not already detected by SEP]

The service uses MS task scheduler to create multiple jobs

These jobs executes a file rundll32.exe random_name.random_ext <args> at random interval

These extensions are not always .dll it could be anything [i.e. .ifs,. jpg, .tmp, .c]

In task manager we’ll see multiple rundll32.exe running

That file in most cases detected by SEP not we need to submit that file.

That’s the file which again may attack other systems or download other threats.

Multiple instance of this file continuously runs in the memory and attack other systems.

The threat tries to plant autorun.inf & random_name.exe file in the mapped drives and open shares to execute itself across the network.

It also disables Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.

What’s the bad part ?

User account lockout policy. As known the threat tries to gain access different systems on the network by brute force password attack.

Because of this activity multiple users accounts get locked up. Apart from that the threat also may download multiple threats like w32.saility [a file infector] which would make the story even worst.

What is the PLAN OF ACTION if I get a case on w32.downadup.B

- Confirm in SEPM that all systems are with SEP up and running and up to date [with all the latest security updates from MS]

This step is very critical because we cannot afford to leave even 1 system in the network unprotected, and as observed it happens most of the time that some systems in the network are without SEP and/or not up to date/not patched and those machines are later found to be the source/attacking machines. We can simply check this in SEPM-clients tab and comparing the number with the total number of clients in the LAN.

- Get the exact number of systems infected and the threats names.

SEPM-Monitors-logs-risk logs would help

- Confirm if server is infected too

Find possible infection in Server..check scheduled tasks/autorun.inf in open shares/unknown services/disabled services [BITS/AU etc.] [analyzing ESUG log would be a good idea]

-Disable Auto play from GPO [across the domain] we can use application device control policy as well. [see the links in the bottom of this article]

-Disable Task Scheduler service [If it’s not being used in the network]

-Back trace the “source systems” from where the attack is being originated

This is one more critical steps to narrow down the network. We need to find that from which systems actually the attack is being originated.

We can find this out by 3 ways ..

1-IPS logs [log only mode coz’ block mode will block the system for 600 secs which the customer may not like]

2-Event viewer-Security logs- Failure Audits [We’ve to enable the Failure audits in GPO if not enabled already]

3-Net logon debug log [see the links in the bottom of this article]

-Once we find the above information we can use Nlparse from Microsoft account lockout tools to analyze Netlogon.log [see the links in the bottom of this article]

-The above logs will give us an idea about the systems which are attacking other systems in the network.

-We need to first target these machines and get the ESUG logs from them.

-We need to avoid logging in to the system as “domain administrator” coz’ by doing this we would make the job of the threat more easy as it uses {impersonates} the currently logged on account to access/infect other systems in the network. IF ‘isolating’ these systems is possible then that would certainly help us.

-We need to confirm the patch KB 958644/AV status /disabled services / registry entries on these systems. [ESUG]

-Once these systems are cleaned hopefully the situation would be under control.

For the MS specific steps[Editing GPO / enabling Netlogon log] we may consult MS tech support if the customer has support contract with MS[To be on the safer side] If not then we can help him as a best effort support.

Links we Need

Below is our write up

http://www.symantec.com/security_response/writeup.jsp?docid=2008-123015-3826-99&tabid=2

here is an article by SRT on 01-09-2009 07:11 AM

https://forums.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225

Here is another analysis by security Intel analysis team

https://forums.symantec.com/t5/Malicious-Code/W32-Downadup-A-and-W32-Downadup-B-Statistics/ba-p/379940

This is a MS-KB on the removal process/best practice of w32.downadup.B

http://support.microsoft.com/kb/962007

Enabling debug logging for the Net Logon service

http://support.microsoft.com/kb/109626

MS Account Lockout Tools

http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en

MS08-67 patch download [KB 958644]

http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Disable Auto play with GPO

http://support.microsoft.com/kb/953252

Disable Scheduled Tasks with GPO

http://support.microsoft.com/kb/310208

Enable Security Auditing with GPO

http://support.microsoft.com/kb/300549

NOTE: Updating the Systems to MS08-67 patch [KB 958644] is very important without which the threat would not be removed.

Yet another variant of Downadup a.k.a “W32.Downadup.C”

Symantec’s ongoing monitoring of Downadup (a.k.a. Conficker) has resulted in the observation of a completely new variant being pushed out to systems that are already infected with Downadup. After taking into account the hype surrounding some other recent reports of variants of Downadup, Symantec is calling this new variant W32.Downadup.C. [discovered March 6^th 2009 / updated March 8^th 2009]

Note: Some vendors have detected W32.Downadup samples as Conficker.C or Downadup.B++. Symantec's W32.Downadup.C is a different detection and is not to be confused with these Conficker.C and Downadup.B++ detections

http://www.symantec.com/business/security_response/writeup.jsp?docid=2009-030614-5852-99&tabid=1

https://forums2.symantec.com/t5/Malicious-Code/A-New-Downadup-Variant/ba-p/391186

https://forums2.symantec.com/t5/Malicious-Code/W32-Downadup-C-Digs-in-Deeper/ba-p/393245#A249

https://forums2.symantec.com/t5/blogs/blogarticlepage/blog-id/malicious_code/article-id/225

W32.Downadup.C is a modular component for machines currently infected with Downadup. This variant of Downadup, (a.k.a. Downadup.B++ or Conficker.C), is not attempting to self-replicate and appears to behave more like a Trojan than a worm, says Vincent Weafer, vice president of Symantec Security Response.

“Think of it as an updated module that’s more aggressive, more robust in defending itself,” Weafer says. Earlier versions of Downadup did attempt to disable anti-virus software, but the third version represented in the Downadup.C module is designed mainly to provide more protective actions to infected Windows-based machines so they can better defend themselves from anti-virus software and other eradication methods. “It’s more aggressive, it has more services,” says Weafer.

Conficker Cabal

“Conficker Cabal” is the nickname for an ad hoc partnership, led by Microsoft, to fight the Conficker / Downadup virus.

Microsoft Corp. announced a partnership with technology industry leaders and academia to implement a coordinated, global response to the Conficker (aka Downadup) worm. Together with security researchers, Internet Corporation for Assigned Names and Numbers (ICANN) and operators within the Domain Name System, Microsoft coordinated a response designed to disable domains targeted by Conficker.

Microsoft also announced a $250,000 reward for information that results in the arrest and conviction of those responsible for illegally launching the Conficker malicious code on the Internet.

Along with Microsoft, organizations involved in this collaborative effort include Symantec, ICANN, NeuStar, VeriSign, CNNIC, Afilias, Public Internet Registry, Global Domains International Inc., M1D Global, AOL, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver Foundation, Arbor Networks and Support Intelligence

http://www.securityfocus.com/news/11546?ref=rss

http://www.securityfocus.com/news/11546

The Domain-generation algorithm

The worm seeks to update itself by using a long list of pseudo-randomly generated domain names to contact over HTTP and then grab new code. The algorithm for this domain name generation scheme has been cracked [Researchers at Symantec and other security companies were able to reverse-engineer the Downadup code and successfully crack the domain-generation algorithm.]and has been used to pre-compute the names for pre-registration to prevent hostile parties from using this update feature. This has been facilitated - greatly facilitated - by ICANN, TLD operators, and various registrars working together with Microsoft and others to identify the names and grab the ones they need to. These records can then be pointed at sinkholes to discover Conficker-infected hosts checking in.

That sinkhole data is being shared within the “cabal” and shared with customers: ISPs and their customers, enterprises, CERT teams, and others. This, in turn, is being used to try and clean up hosts with tools and information sheets with clear instructions. This is truly a global operation !!

In response to the security industry’s success in cracking the W32.Downadup.B domain-generation algorithm for communicating with the command & control server, the subsequent registration of these domain names for monitoring purposes, and the resulting publication of findings, the Downadup authors have now moved from a 250-a-day domain-generation algorithm to a new 50,000-a-day domain generation algorithm. The new domain generation algorithm also uses one of a possible 116 domain suffixes.

https://forums2.symantec.com/t5/Malicious-Code/Downadup-Small-Improvements-Yield-Big-Returns/ba-p/381717

Yet, the Cabal viewed the efforts to block domains as a stop-gap measure, said Vincent Weafer, vice president of security response for security firm Symantec, which owns SecurityFocus.

"Buying the domains was meant to buy ourselves time," Weafer said. "It was never meant to be a long-term defensive strategy."

Symantec discovered the Conficker module on a honeypot system that the company uses to monitor the worm. Because the Cabal is blocking the domains that the Conficker worm uses to update infected systems, the module will likely not spread quickly, if at all. However, infected hosts on the same network share do update each using a peer-to-peer capability, Weafer said. So, if one infected system gets updated, all other infected computers on the same network will get the new code as well.

Conficker update attempts to foil Cabal
Published: 2009-03-09

http://www.securityfocus.com/brief/923

The Plan of Action of the disinfection process would remain the same as we’ve discussed in the previous thread. [Track-Isolate-Clean]

Below is the Protection and VD details, as per the latest write up on w32.downadup.c