Worm, Worm, Worm
Conficker.B is a worm that has been very busy lately and is still actively attacking systems and networks. This nasty threat propagates through network shares, through removable drives (using autorun.inf) and by exploiting the MS08-067 vulnerability.
The infection sequence of this worm (once inside the network) is as follows:
1. It scans network shares such as IPC$ and ADMIN$ and browses through Active Directory, so it is going to work hard to get into the other machines in the network. Unfortunately, if you are using weak passwords you are very vulnerable, since it uses a password dictionary attack.
2. It sends a crafted packet exploiting the Windows Server Service through NetPathCanonicalize().
3. On any machine that responds to either of these attacks, the worm transfers its file into the System32 directory, specifically “\System32\<random filename>.dll”.
4. Using “NetAddScheduledJob” it creates a scheduled job to execute itself, running its DLL file through the rundll32 command. Since the worm cannot check which machines are already infected, scheduled jobs continuously get created, flooding the machine with jobs, one for each of its successful attacks.
5. What is difficult with this worm is that, once installed, it creates an Access Control Entry for the DLL file which limits users’ access rights on the file. As a result, the file is difficult for most security scanners to scan and delete.
6. Another problem: this worm is not an EXE but a DLL, and when running it injects itself into svchost.exe and thereafter into all running processes. It writes itself into different address spaces, making it a persistent memory resident, which means that deleting the file does not mean the worm will be terminated. As an effect, the worm can still attack other machines and so cause re-infection.
7. It disables or stops services, blocks access to a list of websites (mostly security related) and accesses pre-computed domain names (these are not hard-coded, so you can generate a list) from which the worm may attempt to download files.
Zarestel provided a good blog article and analysis. The decrypted packet clearly shows that an affected machine turns into an attacker within the network. Take note of the packet activity shown in the screenshot, and notice that you can monitor your network for SMB protocol traffic, network share enumeration (\IPC$, \browser) and NetPathCanonicalize requests.
Also, a colleague at Microsoft, Jireh, created a good analysis as well.
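As an added example (not from the post, nor from either analysis it links), the following Python correlates the indicators the infection sequence describes over constructed log records: admin-share connections from one source to several hosts, NetPathCanonicalize requests, and the repeated rundll32 scheduled jobs of step 4. The record format, field names and thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict
# Constructed sample records (not real captures): "<src> <event> key=value ..."
SAMPLE_LOG = """\
10.0.0.5 smb_tree_connect share=IPC$ dst=10.0.0.21
10.0.0.5 smb_tree_connect share=IPC$ dst=10.0.0.22
10.0.0.5 srvsvc_request op=NetPathCanonicalize dst=10.0.0.21
10.0.0.5 atsvc_request op=NetAddScheduledJob dst=10.0.0.21 cmd=rundll32.exe
10.0.0.5 atsvc_request op=NetAddScheduledJob dst=10.0.0.21 cmd=rundll32.exe
10.0.0.5 atsvc_request op=NetAddScheduledJob dst=10.0.0.21 cmd=rundll32.exe
10.0.0.9 atsvc_request op=NetAddScheduledJob dst=10.0.0.30 cmd=backup.cmd
"""
ADMIN_SHARES = {"IPC$", "ADMIN$"}

def parse_events(text):
    """One dict per line: src, event, plus the key=value fields."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        rec = {"src": parts[0], "event": parts[1]}
        rec.update(kv.partition("=")[::2] for kv in parts[2:])  # (key, value) pairs
        events.append(rec)
    return events

def profile_sources(events):
    """Per source: admin-share targets, NetPathCanonicalize count, rundll32 jobs per target."""
    prof = defaultdict(lambda: {"share_targets": set(), "canon": 0, "jobs": Counter()})
    for e in events:
        p = prof[e["src"]]
        if e["event"] == "smb_tree_connect" and e.get("share") in ADMIN_SHARES:
            p["share_targets"].add(e.get("dst"))
        elif e.get("op") == "NetPathCanonicalize":
            p["canon"] += 1
        elif e.get("op") == "NetAddScheduledJob" and "rundll32" in e.get("cmd", "").lower():
            p["jobs"][e.get("dst")] += 1
    return prof

def flag_suspicious(events, min_targets=2, min_jobs=3):
    """Flag share scan + NetPathCanonicalize (steps 1-2) or a rundll32 job flood (step 4)."""
    flagged = {}
    for src, p in profile_sources(events).items():
        reasons = []
        if p["canon"] and len(p["share_targets"]) >= min_targets:
            reasons.append("share scan + NetPathCanonicalize")
        if any(n >= min_jobs for n in p["jobs"].values()):
            reasons.append("rundll32 scheduled-job flood")
        if reasons:
            flagged[src] = reasons
    return flagged
```

On the sample data only 10.0.0.5 is flagged, on both grounds; 10.0.0.9 creates a scheduled job but neither enumerates shares nor uses rundll32, so it is left alone.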
ShadowServer published the latest list of active Waledac websites. Here’s a partial list: **Do NOT go to these sites unless you know how to handle malware.**
Another mass-mailing worm spams email using legitimate images from Ikea, Hallmark and perhaps other sites. It targets IIS web servers and attempts to change the index file to a fake security alert disguised as a fix for MS09-067. What?!? Yes, MS09 (2009)… This worm has a sense of humor. Further reading here.