Purpose of MalwareInfo.Org

The threat of malicious software can easily be considered the greatest threat to Internet security today. Earlier, viruses were more or less the only form of Malware. Nowadays, however, the threat has grown to include a vast range of highly sophisticated applications: network-aware worms, Trojans, DDoS agents, IRC-controlled bots, Spyware, RootKits and many more advanced infection techniques.

The purpose of MalwareInfo.Org is to help interested users learn how to analyze Malware themselves. Although the actual process of Malware Analysis is for advanced users with in-depth knowledge of system internals, there are ways to get started with it.

We will try to make it simple enough for people interested in learning Malware Analysis and also try some of the steps hands-on. This will help us gradually upgrade our skills and know-how for the more technically advanced aspects of analysis later. So let's learn more about Malware and the actual processes involved in identifying and analyzing it.

Threats In The Wild
 

USB Infecting Malwares: USB Removable drives are so popular and so commonly used to transfer and share data between systems that they have become a prime target for attackers and Malware authors, who use them as a very successful medium for spreading infections from one system to another. Of late there has been a sharp rise in the number of Malwares spreading through USB Mass Storage devices. The moment you plug in a USB Removable drive and try to access it, you may well get infected. (Read Article: USB Infecting Malwares)

 

Download USB Protect (freeware) from "Utilities" section for complete protection from USB Infecting Malwares.

 

Web Malwares: Web Malwares have become a major contributor to the growing Malware menace. According to ScanSafe's Annual Threat Report, based on an analysis of 200 billion web requests, web malware infection surged 582 percent last year, with a significant increase toward the last quarter of 2008. Security researchers at AVG Technologies have observed that the number of newly infected Web sites has grown by 66 percent, from 100,000 to 200,000 per day to 200,000 to 300,000 per day, and this trend is expected to continue in the days to come. (Read Article: Web Malwares)


 

Rogue Security Software: Rogue Security Software consists of applications that pretend to be legitimate security applications. They use various tactics to make the user believe in their legitimacy: they have a very professional look and feel, almost identical to some of the legitimate Security Software available today, and they goad the user into downloading them. At times, however, they don't even need the user's intervention to get onto the system; the download can also begin automatically without the user's knowledge. (Read Article: Rogue Security Software)

 
W32/Conficker Threat


W32.Downadup Threat:
Of the numerous variants in the wild, Win32/Conficker (Microsoft), also known as W32.Downadup (Symantec), is one of the recent threats that has infected a significant number of computers to date. Initially detected by Microsoft in November 2008, a few more variants were discovered in the last couple of months. This is not just another malware; based on the existing variants and the characteristics of the code, the worm is believed to be associated with a well-known malware gang that has distributed Malware before. (Read Article: W32.Downadup Threat)

 

Since the announcement of the new W32/Conficker.D variant on March 6th (some claims even put the date at March 4th or March 5th), and with the latest media hype about yet another major Conficker outbreak on April 1st 2009, it is becoming obvious that the W32/Conficker threat is far from over. Since the worm started its mayhem four months ago, it has kept the Antivirus Companies and Security Researchers on their toes and has definitely taken them for a roller coaster ride. The Conficker creators are believed to be engaged in an escalating arms race with the Security Researchers, and this new variant can be seen as a response to the creation of the Conficker Working Group and the $250,000 reward announced by Microsoft (refer to the MMPC Blog). There has been a definite media hype over the new variant's activities, and it is feared that on April 1st 2009 there will probably be another major Conficker mayhem. Instead of spreading widespread panic and rumors about the worm, it is better to dig a little further into the mutations in this new variant and into what these changes, or specifically this new variant, can do and how devastating they can be.

This new variant, W32/Conficker.D, is the third major release of the worm: 85% of the worm's original code has been changed, leaving just 15% of the old code untouched. Although this new variant doesn't spread by infecting new systems, it has come armed with some significant changes to its architecture. This makes the transition quite similar to what happened from W32/Conficker.A infections to W32/Conficker.B infections. There are quite a few changes in this new variant; below is a closer look at some of the modifications brought in by the Conficker creators:

 

o    New Domain Generation Algorithm:

 

The new algorithm generates a larger pool of possible domains than the previous W32/Conficker.B variant did. Until now W32/Conficker.B has been polling 250 different domain names every day to download updated code, with the intention of updating the existing infection binary. From April 1st 2009 the latest variant, W32/Conficker.D, is expected to poll 500 out of 50,000 domains per day, instead of 250, to do the same thing. This new variant also filters the IP addresses produced by the DNS queries more carefully: extra intelligence has been programmed into the DNS query module so that W32/Conficker.D will not contact an IP more than once if multiple domain queries resolve to a single IP address.
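A defender-side consequence of this polling behaviour, which also applies to the "Pseudo-Random Domain Names" item further down this page: a host that queries hundreds of generated names a day, most of which nobody has registered, leaves a burst of failed lookups in the resolver log. The Python below is an added example, not code from MalwareInfo.Org or from any Conficker analysis; it scores resolver log lines by the number of distinct NXDOMAIN answers per client and the character entropy of the failed names. The log format, client addresses, domain names and thresholds are all constructed for illustration; the 250-per-day figure above is why a count threshold is meaningful, but the value 5 only suits the tiny sample.

```python
"""Flag resolver clients whose failed lookups look like pseudo-random
domain polling. Added example; the log format and all values are constructed."""
import math
from collections import Counter, defaultdict
from statistics import mean

# Constructed resolver log: "<client_ip> <queried_name> <rcode>" per line.
# 10.0.0.5 is an ordinary host with one typo; 10.0.0.9 plays the role of a
# host polling a day's worth of unregistered generated domains.
SAMPLE_DNS_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.5 intranett.example.com NXDOMAIN
10.0.0.9 qwtzkvbq.biz NXDOMAIN
10.0.0.9 zmplqaxy.info NXDOMAIN
10.0.0.9 hgfdsaqw.org NXDOMAIN
10.0.0.9 plmoknij.ws NXDOMAIN
10.0.0.9 vcxzasdf.cn NXDOMAIN
10.0.0.9 update.example.com NOERROR
"""


def label_entropy(label: str) -> float:
    """Shannon entropy (bits per character) of a single DNS label."""
    if not label:
        return 0.0
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(qname: str) -> str:
    """Return the label just left of the TLD, e.g. 'qwtzkvbq' for 'qwtzkvbq.biz'."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def failed_lookups(log_text: str) -> dict:
    """Map each client to the set of distinct names it failed to resolve."""
    failed = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qname, rcode = line.split()
        if rcode == "NXDOMAIN":
            failed[client].add(qname)
    return failed


def dga_suspects(log_text: str, min_failed: int = 5, min_entropy: float = 2.5) -> dict:
    """Return {client: (distinct_nxdomain_count, mean_label_entropy)} for clients
    that failed at least `min_failed` distinct lookups whose second-level labels
    have a high average entropy. Thresholds are illustrative; a real deployment
    would tune them per network and evaluate them per time window."""
    suspects = {}
    for client, names in failed_lookups(log_text).items():
        if len(names) < min_failed:
            continue
        ent = mean(label_entropy(second_level_label(n)) for n in names)
        if ent >= min_entropy:
            suspects[client] = (len(names), round(ent, 2))
    return suspects


if __name__ == "__main__":
    for client, (count, ent) in dga_suspects(SAMPLE_DNS_LOG).items():
        print(f"{client}: {count} distinct NXDOMAINs, mean label entropy {ent}")
```

On the sample only 10.0.0.9 is reported (5 failed names, mean entropy 2.95 bits); the one mistyped internal name from 10.0.0.5 stays below the count threshold. Entropy alone is a weak signal (CDN hostnames score high too), which is why the count of distinct failures per client carries the decision and entropy only filters out repeated typos.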

 

o    New Peer2Peer Functionality:

 

One of the most interesting techniques used by this infection is the mechanism for distributing its payloads and updated infection binaries to other infected systems through a raw peer-to-peer kind of infrastructure. There have been some changes in the Peer2Peer functionality which ensure that the infected computers can communicate with each other without the need for a server. This enables the worm to update itself with an updated infection binary without any of the 250 or 50,000 domains being contacted.

This new variant introduces yet another mechanism to coordinate infected hosts. This new coordination strategy employs a P2P protocol, and the Conficker creators have taken some care to hinder its analysis through code obfuscation. They have also obfuscated the logic that implements P2P binary download validation, HTTP date checking, anti-debugger segments and other logic. In particular, within the P2P segments the authors have attempted to impede the identification of Windows API calls and have applied other code obfuscation to thwart analysis.

 

o    New MD6 Hash Algorithm:

 

The MD6 Hash Algorithm is a cryptographic hash algorithm developed at MIT by a team led by Prof. Ronald L. Rivest in response to the National Institute of Standards and Technology's call for proposals for a SHA-3 cryptographic hash algorithm. The first public presentation of MD6 was made on 9/20/08 at the Crypto'08 Conference, where Prof. Rivest gave an invited talk on MD6. The RC4, RSA encryption and MD6 hashing algorithms used in Conficker are all from Prof. Rivest, which makes it a surprising coincidence that the Conficker creators chose them. This new variant is probably the first and only known case where the new MD6 algorithm has been used in a real-world scenario, and in one of the worst worms to date at that. Further information about the MD6 algorithm can be found at: http://groups.csail.mit.edu/cis/md6

 

o    New Connect Back Method using Named Pipes:

 

W32/Conficker.D has added a new method for remote Win32 binary retrieval and execution. This new method entails the use of a named pipe to receive URLs from remote systems, retrieval of Win32 binaries from those URLs, validation that the downloaded executable is properly signed by the Conficker authors, and immediate execution of the binary. Since the pipe name is not random, any external host or local process can connect to this pipe and upload a binary.

This is accomplished through an SMB (TCP/445) connection to the specified pipe. The code repeatedly calls CreateNamedPipe in a loop. If the pipe has been successfully created, a read from the pipe is attempted. The code reads 0x400 bytes and, if the buffer is null-terminated, passes the message to the function "thread_download_file_from_url". The message is interpreted as a string representing a URL from which an executable is downloaded. This binary is validated using the signature check and RC4 decryption routines before being executed with CreateProcess.

 
Please do not spread rumors. Security Response Teams from all the reputed Antivirus Companies are constantly working on it and are well prepared to face any challenge that may come.

W32/Conficker Info (from various sources)

 

Some Special Characteristics of W32.Downadup.B: Some of the propagation methods used by W32.Downadup up to the discovery of the 2nd variant were:

 

 .: Exploitation of the Remote Code Execution Vulnerability described in MS Security Bulletin MS08-067
 .: Creating web servers on the infected systems from which other infected systems download copies of the malware
 .: Sending the URLs created on random ports to already infected systems as part of the payload
 .: Removable USB drives, by launching the malware executable through the Windows Autorun feature

 

Note: A new variant, W32.Downadup.C, was discovered on March 6, 2009. The Antivirus Vendors are keeping a close watch on the activities of this new variant; however, it is recommended that all of you keep your systems properly patched (especially with MS08-067) and also ensure that your Antivirus Software is updated on a regular basis. For further information on this new variant, visit the links below:

 

Symantec: http://www.symantec.com/security_response/writeup.jsp?docid=2009-030614-5852-99

Microsoft: http://www.microsoft.com/security/portal/Entry.aspx?Name=Worm%3aWin32%2fConficker.C

 

Some new and unique characteristics of W32.Downadup.B or Win32/Conficker.B are:

o    Brute Force of Enumerated User IDs: W32.Downadup.B, apart from the propagation methods mentioned above, uses a mechanism by which it enumerates available ADMIN$ network shares. It tries to retrieve the list of users that have access to these shares with the help of the NetUserEnum API call, which provides information about all user accounts on a server. Once the user accounts are listed, it tries to access the ADMIN$ share by brute forcing with a list of predefined passwords. In the process, this variant ends up locking out the user IDs with which it tried to access the share. In a domain environment this creates a DoS scenario, just like what happened with the Vancouver School Board. A sudden rise in user lockouts can be taken as a probable indicator of W32.Downadup.B infection.

o    Pseudo-Random Domain Names: Another technique used by this infection is the creation of pseudo-random domain names. Symantec revealed that this worm creates around 250 of these random domain names each day. They were created with the intention that infected systems will update the malware's binaries as and when required. The methodology is very successful because it becomes very hard for Anti-Malware Researchers to take down these domains, or even to know which of them the malware will communicate with to carry out a given activity. W32.Downadup (both variants) uses custom date-based algorithms to generate these domain names. The domains receive a connection back from newly infected systems, and an updated binary or the actual payload of the malware is sent on the basis of certain strings in the incoming connection request from each infection.

o    API Hooking: It hooks some of the DNS-related APIs to monitor DNS requests and make sure that a huge list of security sites becomes inaccessible from the infected system. It monitors DNS requests to domains containing any of a list of strings, e.g. CastleCops, Microsoft, Symantec, Malware, McAfee, F-Secure etc., and blocks access to these domains.

o    Peer to Peer Payload Distribution: One of the most interesting techniques used by this infection is the mechanism for distributing its payloads to other infected systems through a raw peer-to-peer kind of infrastructure. The shellcode targeted at a system doesn't just carry the exploit; it also carries a URL on the infected system that can be accessed to download other payload files or updated binaries of the malware. This P2P functionality makes it very similar to the STORM attack (also known as Peacomm or Nuwar) of 2007, which in turn leads us to believe that the worm is associated with the well-known malware gang that previously created the STORM Botnet, which infected several million computers.

o    Evading Security Tools: This Malware uses several layers of polymorphism and packing to evade analysis and detection. Infected users may have difficulty locating the files dropped by this infection. It even replaces the access rights on its registered key under HKLM\SYSTEM\CurrentControlSet\Services, allowing only the Local System account to read, traverse or change the discretionary ACL (Access Control List). Similar behavior has been observed for the infected DLL files: all NTFS permissions except file execute are stripped for all users. It further keeps a system lock on its infected files, making it difficult for standard tools to access and/or remove the Malware while the Malware process is running.

o    Detecting Virtual Environment: In order to make analysis more difficult, Downadup/Conficker tries to detect whether it is running in a virtual machine. During execution this Malware calls the SLDT instruction many times. The SLDT instruction stores the Local Descriptor Table selector in a register, which is then compared with certain values; this allows the Malware to detect whether it is running in a virtual machine. The LDT of a native system will be 0x0000, while in VMware or VirtualPC the LDT will be relocated (for example, in VMware it will often be 0x4058). While analyzing this Malware you can see that it compares the result of the SLDT instruction with 0 (0x0000). If it is 0, execution continues; otherwise it calls the Sleep function with the value -1 (0xFFFFFFFF), which causes the Malware process to sleep for 29826 hours. A similar trick was published by Joanna Rutkowska and was further developed by Tobias Klein in his ScoopyNG tool (http://www.trapkit.de/research/vmm/index.html).
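Turning the lockout observation in the "Brute Force of Enumerated User IDs" item above into a concrete check: a user retyping a stale password locks out one account, whereas a host walking an enumerated user list against ADMIN$ locks out many accounts from the same source within minutes. The Python below is an added example, not code from MalwareInfo.Org; it reads a simplified export of the domain controller's security log and reports caller computers that locked out several distinct accounts inside a short window. The export format, hostnames, account names, timestamps and thresholds are constructed for illustration. The event IDs are the real Windows account-lockout events (644 on Windows 2000/2003, 4740 on Vista/2008 and later), both of which record the calling computer name.

```python
"""Flag computers that lock out many distinct accounts in a short window, an
indicator of the ADMIN$ password brute force described above. Added example;
the export format and all values are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified security-log export: one event per line as
# "<iso_timestamp> <event_id> <account> <caller_computer>". Hostnames,
# accounts and times are made up; 4624 (successful logon) is included only
# to show that non-lockout events are ignored.
SAMPLE_EVENTS = """\
2009-03-10T09:00:01 4740 jsmith WS-017
2009-03-10T09:00:04 4740 mlee WS-017
2009-03-10T09:00:09 4740 rpatel WS-017
2009-03-10T09:00:15 4740 akumar WS-017
2009-03-10T09:00:22 4740 dchen WS-017
2009-03-10T09:00:30 4740 backup_svc WS-017
2009-03-10T09:05:00 4740 bwong WS-042
2009-03-10T09:40:00 4740 bwong WS-042
2009-03-10T10:15:00 4624 bwong WS-042
2009-03-10T11:00:00 4740 tgarcia WS-099
2009-03-10T13:30:00 4740 nali WS-099
"""

# Windows "user account locked out" events: 644 (2000/2003), 4740 (Vista/2008+).
LOCKOUT_EVENT_IDS = {644, 4740}


def parse_events(text):
    """Parse the constructed export into (timestamp, event_id, account, caller) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, event_id, account, caller = line.split()
        events.append((datetime.fromisoformat(ts), int(event_id), account, caller))
    return events


def lockout_bursts(events, window=timedelta(minutes=10), min_accounts=5):
    """Return {caller_computer: set_of_accounts} for callers that locked out at
    least `min_accounts` distinct accounts within any period of length `window`.
    Thresholds are illustrative and would be tuned to the domain's lockout policy."""
    by_caller = defaultdict(list)
    for ts, event_id, account, caller in events:
        if event_id in LOCKOUT_EVENT_IDS:
            by_caller[caller].append((ts, account))

    suspicious = {}
    for caller, items in by_caller.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            # Slide the window start forward until [start, end] spans at most `window`.
            while items[end][0] - items[start][0] > window:
                start += 1
            accounts = {account for _, account in items[start:end + 1]}
            if len(accounts) >= min_accounts:
                suspicious[caller] = suspicious.get(caller, set()) | accounts
    return suspicious


if __name__ == "__main__":
    for caller, accounts in lockout_bursts(parse_events(SAMPLE_EVENTS)).items():
        print(f"{caller}: locked out {len(accounts)} accounts -> {sorted(accounts)}")
```

On the sample, WS-017 is reported with six accounts locked out in under thirty seconds; WS-042 (one user, one account, twice) and WS-099 (two accounts hours apart) are not. Grouping by the caller computer rather than by account is what makes the check useful: it points straight at the host to isolate, which is the first thing an incident responder needs when the lockout storm described above hits a domain.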

The above characteristics show that this Malware was not created by amateur script kiddies; rather, it is a well-designed and very professionally thought-out creation. Also, as pointed out earlier, this worm is believed to be associated with a well-known Malware gang that has previously distributed a variety of other Malwares. Because of its impact and technological superiority compared with other infections, it qualifies as a true specimen of 'Malware for Mass Destruction' (MMD).
