Home > Daily Thoughts, Emerging Threats > Worm, Worm, Worm

Worm, Worm, Worm

Conficker.B is a worm that has been very busy lately and still currently active attacking systems and networks.  This nasty threat propagates through network shares,  removable drive using autorun.inf and exploits MS08-067 vulnerability.
The infection sequence of this worm (once inside the network)  is as follows:

1. Scans network shares such as IPC$, ADMIN$, browse through ActiveDirectory. So, it is going to
work hard to get into other machine in the network. Unfortunately, if you are using weak password, then you are very vulnerable since it uses password dictionary attack.

2. It sends crafted packet exploiting Windows Server Service using NetPathCanonicalize()

3. Any machine that will respond to any of this attack, this worm will transfer the file specifically in ystem32 directory “\System32\<random filename>.dll”

4. Using “NetAddScheduledJob” it creates a scheduled job to execute itself executing its DLL file through rundll32 command. Since the worm cannot check which machine has already infected, scheduled job will continously gets created, flooding it with jobs which is a result of its  successful attack.

5. What’s difficult with this worm, is that when installed it creates Access Control Entry for the DLL file which limit users’access rights on the file. As a result, the file will be difficult to scan and delete by most security scanners.

6. Another problem, this worm is not EXE instead a DLL and when running it injects itself to svchost.exe and there after to all running processes. It writes itself on different address space, making it persistent memory resident which means, deleting the file doesn’t mean the worm will successfully get terminated. As an effect, the worm could still attack other machine and so could cause re-infection.

7. It disables or stops services, block access to a list of websites mostly security related and access pre-computed domain names (this is not-hard coded, so you can generate a list) which this worm may attempt to access to download any file.

Zarestel provided good blog article and analysis. The decrypted packet clearly shows that affected machine will turn to be an attacker within the network.  Take note of the packet activity as shown in the screenshot and notice that you can monitor your network and check for SMB protocol, network shares enumeration \IPC$, \browser and NetPathCanonicalize request.

Also a collegue in Microsoft, Jireh created good analysis as well.

Another worm, Waledac sounds like wild-duck =)  Yes it is a wild for being active on sending us with eCard.exe.  Further reading:  TrendMicro, CA, ThreatFire

ShadowServer published a latest list of Waledac active websites. Here’s a partial list:  **Do NOT go to these sites, unless you know how to handle malware

bestyearcard.com
blackchristmascard.com
cardnewyear.com
cheapdecember.com
christmaslightsnow.com
decemberchristmas.com
directchristmasgift.com
eternalgreetingcard.com
freechristmassite.com
freechristmasworld.com
freedecember.com
funnychristmasguide.com
greatmirabellasite.com
greetingcardcalendar.com
greetingcardgarb.com
greetingguide.com
greetingsupersite.com

Another  mass-mailing worm that spams email using a legitimate images from Ikea, Hallmark and perhaps more other sites.  It targets IIS web servers and attempts to change the index file to a fake security alert and disguising a fix for MS09-067. What?!? Yes, MS09 (2009) …This worm has sense of humor. Further reading here

  1. No comments yet.
  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

Follow

Get every new post delivered to your Inbox.

%d bloggers like this: