Tuesday, March 31st, 2009

The April 1st Virus Threat -- without the hype

Watch out for the Honda Accords


Monday, March 30th, 2009

Why watch out for the Honda Accords? Well, automobile accidents are one of the leading causes of injury and death and Accords are very common cars. This sounds pretty silly, doesn’t it? I mean, wouldn’t it make sense to drive like any car is a potential threat and drive as best as you can to avoid accidents with all cars? Of course it makes sense. Do you eat or take vitamins only to avoid scurvy, or do you not worry about scurvy because you are taking the steps to prevent all kinds of diseases through proper nutrition?

There is a lot of talk about the Conficker worm. A worm that “triggers” on April 1st, except it doesn’t really do too much that is special or of importance to most users on April 1st. Highly irrational thinking concerning the Conficker worm is rampant. People see the hype and start to focus on “How do I know if I have Conficker and how do I prevent it?” when the rational approach is how do I make sure I am not infected with anything and how do I make sure I don’t get infected? There are far worse problems out there than Conficker and if you only focus on Conficker then you are diverting attention away from truly being secure. Do you cross the street despite the fact that 1,000 cars that are not Honda Accords are going through the intersection and each can kill or maim you, or do you wait until it is safe, regardless of the make and model of the cars?

OK, for those of you who are taking hype intravenously and no amount of rational thought will bring you comfort, go to control panel and open the Windows Security Center. If it is working you are not infected with Conficker.C. If the Security Center is not working then you may be infected with any of a number of different threats, many may be worse than Conficker. If you are an ESET customer, then call us for free tech support. If you are a customer of another vendor call them for tech support.

April 1st your computer is not going to melt down due to Conficker. The only thing that Conficker is going to do on April 1st is re-route communications links between Italy and France causing worldwide pizza orders to be delivered with snails instead of pepperoni. OK, if I said that on April 1st you would have known it is a joke :)

Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security.

So, you still want to protect against Conficker? Here is what to do. Make sure that the Windows Security Center is functioning and you are up to date on your Microsoft security patches. You can go to http://update.microsoft.com to manually check for updates. Make sure your antivirus product is up to date. Your antivirus product should be tested by Virus Bulletin (www.virusbtn.com) and/or certified by ICSA Labs, or have West Coast Labs Checkmark certification. Send me an email at askeset@eset.com if you need help determining this. Exercise caution in what websites you visit and never open attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment and that they also know what it is. These instructions are not specifically for Conficker, this is simply part of how you protect against all of the threats out there.
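The checks in the paragraph above (Security Center functioning, Windows Update working, the Conficker-related patches installed, an antivirus product registered with Windows) can be scripted. The PowerShell below is an added example, not code from the original post or from ESET. It assumes Windows Vista or later (the root\SecurityCenter2 WMI namespace; Windows XP used root\SecurityCenter), an elevated Windows PowerShell session, and the KB numbers Microsoft published for the three bulletins named in these posts.

```powershell
# Added example (not from the original post): automates the hygiene checks above.
# Assumes Vista or later and an elevated Windows PowerShell session.

# Security Center (wscsvc) and Automatic Updates (wuauserv): Conficker.C is reported
# to disable both, so a stopped or disabled service here deserves a closer look.
$ServicesToCheck = @('wscsvc', 'wuauserv')

# Bulletin-to-KB mapping as published by Microsoft for the patches named in these posts.
$PatchesToCheck = [ordered]@{
    'MS08-067' = 'KB958644'
    'MS08-068' = 'KB957097'
    'MS09-001' = 'KB958687'
}

function Get-SecurityServiceStatus {
    foreach ($name in $ServicesToCheck) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        [pscustomobject]@{
            Service   = $name
            Present   = [bool]$svc
            State     = if ($svc) { $svc.State } else { 'missing' }
            StartMode = if ($svc) { $svc.StartMode } else { 'n/a' }
            Healthy   = [bool]$svc -and $svc.State -eq 'Running' -and $svc.StartMode -ne 'Disabled'
        }
    }
}

function Get-SecurityPatchStatus {
    # Get-HotFix lists installed updates by KB article id.
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    foreach ($bulletin in $PatchesToCheck.Keys) {
        $kb = $PatchesToCheck[$bulletin]
        [pscustomobject]@{
            Bulletin  = $bulletin
            KB        = $kb
            Installed = ($installed -contains $kb)
        }
    }
}

function Get-RegisteredAntivirus {
    # Products that register with Security Center show up here. An empty list means
    # Windows knows of no antivirus at all. productState packs the enabled and
    # signature-up-to-date flags; the raw value is returned so you can compare it
    # with what your vendor documents.
    Get-WmiObject -Namespace 'root\SecurityCenter2' -Class AntiVirusProduct -ErrorAction SilentlyContinue |
        Select-Object -Property displayName, productState
}

function Test-ConfickerHygiene {
    $services = @(Get-SecurityServiceStatus)
    $patches  = @(Get-SecurityPatchStatus)
    $av       = @(Get-RegisteredAntivirus)
    [pscustomobject]@{
        ServicesHealthy  = -not ($services | Where-Object { -not $_.Healthy })
        PatchesInstalled = -not ($patches  | Where-Object { -not $_.Installed })
        AntivirusPresent = ($av.Count -gt 0)
        Details          = @{ Services = $services; Patches = $patches; Antivirus = $av }
    }
}

# Summary first; inspect .Details for the per-service, per-patch and per-product rows.
Test-ConfickerHygiene | Format-List
```

Any of the three summary flags coming back False is the cue to follow the paragraph above: re-enable or repair the service, install the missing patch from an uninfected machine if need be, or install real antivirus. A missing wscsvc or wuauserv service, rather than merely a stopped one, is a sign that something other than a configuration slip is going on.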

It doesn’t much matter what I drive...if I don’t know how to drive safely, no car out there is as big a threat to me as I am to myself.

Get over the hype and practice security, not irrational fear.

Randy Abrams
Director of Technical Education

Catching Conficker - a New Development


Monday, March 30th, 2009

I can already hear a chorus of "Not ANOTHER Conficker blog?", but some of you will want to know about this development.

The Honeynet Project has announced a new scanning tool for detecting Conficker, which gives network and system administrators a very handy extra tool for detecting Conficker activity on their networks.

Furthermore, the tool is currently being integrated into mainstream vulnerability scanners like nmap, nessus, and products from ncircle, Qualys and Foundstone. It detects all current variants of Conficker by flagging changes they make to NetpwPathCanonicalize(). No doubt Conficker’s authors are already working on this loophole, but in the meantime, the new routines should seriously mitigate the worm’s impact on corporate networks.

Kudos to Honeynet’s Tillmann Werner and Felix Leder, whose forthcoming "Know your enemy" paper will give a lot more information on the worm and on the new tool, and to Dan Kaminsky, Rich Mogull, and the Conficker Working Group for all their work on this.

For those who just have one or two machines to check, we still have a free removal tool, and as James Coulter pointed out to us, so does Sophos. In fact, so do Bitdefender, Microsoft, Kaspersky and Symantec, among others, and none of us are charging for such tools. I would stress, though, that we’re making these tools available for emergency use by people who don’t have up-to-date anti-malware on their systems right now and can’t easily get to it because the worm is in memory and won’t let them. (If you can’t get to a removal tool like ours either, our suggestion is to find someone with a clean machine to download it for you and transfer it by (preferably write-protected!) removable media.) I certainly wouldn’t recommend that you rely on one-shot tools like this as your primary defence against malware in general!

Incidentally, I happened upon the Wikipedia entry for Conficker a little while ago, which mentions several of these tools, and also mentions a couple of vendors who "can remove it with an on-demand scan." Don’t get confused by this: any mainstream product worth having should be able to detect and remove current Conficker variants by now. It doesn’t mean that products with a one-shot removal tool can’t detect or remove it with their for-fee products.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
http://www.twitter.com/ESETblog

Conficker Removal (Update)


Saturday, March 28th, 2009

[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batch files thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.]

I’m sure you’re almost as bored with this issue as I am with the BBC. (I wonder if it’s contemplating buying the Conficker botnet to add to its collection?)

However, it seems that some people are still confused as to how to remove Conficker if it’s already on their system. So here’s a quick summary: some of it was actually posted by our labs back in January, but it still applies.

  1. Disconnect the infected computer from the network and the Internet.
  2. Use an uninfected PC to download the respective Windows patches from the following sites: MS08-067 , MS08-068 and MS09-001
  3. Reset your system passwords to admin accounts using more sophisticated ones. [Note that it can spread through shared folders.]
  4. Download a one-off ESET application (again, using a non-infected PC) which will remove the worm.
  5. Install the updated anti-virus program.
  6. Re-connect the PC to the network and the Internet.

You might also want to disable Autorun.

Here’s a bit more information about using the standalone utility mentioned in step 4.

If you access that link and run it rather than save it, you might be confused by the fact that it’s a text mode application opening in a DOS box (that’s the black window that looks like an old-time DOS PC or some form of dumb terminal with a C:\ or C> prompt and text output only), not a Windows application. That’s normal for a standalone utility like this, which doesn’t need a multi-menu graphical interface (GUI).

  • If you have more than one PC to check/look after, or a slow connection, you might want to save it to the desktop rather than run it from the web site.
  • When you run it, it will, hopefully, tell you that "Conficker worm has not been found active in the memory" and ask you if you want to scan and clean anyway. It’s unlikely to do any harm if you do run it, but if Conficker is not in memory, it probably isn’t anywhere on your system and certainly poses no immediate threat. It’s more important at this point to check that your AV is installed and updating properly.
  • It also mentions a couple of options (-autoclean and -reboot). If Conficker isn’t in memory these aren’t very relevant to you. If it is, you’ll probably want to carry on scanning and respond when the utility prompts you. Those options are more relevant to system administrators and power users wanting to run the application from a script and/or on more than one PC. If you want to use them, you’ll have to use them from the command line, and if you saved it as EConfickerRemover.exe, use that name at the command line, not removaltool, as the program suggests.
  • It may not run with full functionality if you’re not running with administrator rights. It will detect Conficker, if it’s there, but it won’t be able to clean it properly. Of course, we normally advise people not to run as administrator routinely, but for tasks like this you have to be able to either log in as administrator or "run as" administrator.
  • I’ve also had someone mention that the DOS screen comes and goes too quickly to read if there’s no infection. I haven’t been able to replicate that, so have asked for more information.

If you have further questions on this, please visit the support pages at http://www.eset.eu/support.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Conficker: Before the Flood (April Showers)


Thursday, March 26th, 2009

I don’t, of course, know for sure what’s going to happen on April 1st, when Conficker is timed, potentially, to go to its next stage of evolution. We do know, from inspecting code in the variants and subvariants that have come our way, that infected machines will be looking for instructions and updates on that date.

At the very least, as our colleagues in Slovakia have pointed out here, machines infected with the latest variants will have a lot more addresses to "call home" to. The number of domains generated on a daily basis for communication between Conficker-infected machines and the potential botnet’s Command and Control (C&C) servers has increased from 250 a day to 50,000, increasing the difficulty of tracking and the risk of "collisions" with legitimate domains.

While we can only guess at the total number of zombie machines (infected systems that can be used by the botnet), it’s likely to be over a million. Analysis of our ThreatSense.net threat monitoring system shows that a hair-raising 3.88% of PCs owned by our customers were attacked this week by Conficker, and would have been at direct risk of infection, had they not been protected.

This suggests that if and when Conficker starts to act like a real botnet, the chances are that even if it only does the things that botnets usually do (send spam and scams, carry out click fraud and Distributed Denial of Service (DDoS) attacks, and so on), it will have plenty of machines to make use of and no shortage of bandwidth for communicating between the attackers and the "work force". The updating mechanism is notably stealthy and resistant to interference from security researchers.

Many people are panicking about the possibility that these somewhat scary resources will be used to carry out devastating attacks on the infrastructure of the internet. Certainly such coordinated attacks have been carried out (or at least attempted) in the past, for instance against authoritative DNS servers (the top layer of a network of machines holding the addressing and routing information that allows internet-connected machines to find other connected systems).

However, attackers nowadays mostly prefer to misuse such services for their own financial advantage rather than to try to bring them down altogether. For instance, by misdirecting web searches towards malware-hosting URLs, adware sites, fake AV and so on.

In fact, the earliest Conficker variant also had an update mechanism: in that instance, it had the very specific purpose of downloading a file called loadav.exe. From its name, it’s likely that this was a fake security application, but no-one ever saw it because the server on which it was to be hosted never went online. And there are reports today of search engine optimization being used to misdirect people googling for Conficker-related information to web sites serving fake AV.

So what is ESET doing about Conficker?

  • Well, in terms of detection, we have very decent generic detection for Conficker and all the latest variants have been detected generically without our needing to add specific signatures or further generic detection, though we did have to write a completely separate disinfection routine for Conficker, as this malware is extremely resistant to detection and removal. (The cleaner is, you’ll remember from previous posts, available as a stand-alone utility: the latest version is here.)
  • We have a monitoring system in place which allows us to peek over the bot’s shoulder when the new searching algorithm is activated, giving us immediate visibility into what (if anything) happens.
  • Juraj Malcho, the Head of ESET Virus Lab, tells us that the lab’s staff are being augmented as April 1st gets closer.
  • And we’re working closely with security researchers in other organizations on Conficker-related issues.

What can you do? Well, we’ve covered that ground pretty well already in previous posts, but it does no harm to recap on the main points.

  • As Randy suggests, disable Autorun
  • Check that you have firewall prevention and antivirus protection, and that they’re still active: Conficker has a nasty habit of disabling security software.
  • If you don’t have AV right now, we have a free online scanner here. We don’t advocate that you rely on online scanners for malware protection, but using one now is a quick way of checking whether you might have a malware infection at this moment. But whether or not you have an infection, I’d earnestly recommend that you install AV. Real AV, that is: if you don’t like ours, make sure you follow Randy’s suggestions for avoiding scareware (and worse) and fake security applications.
  • As Juraj suggests, make sure you’ve applied the patches that fix the vulnerabilities used by Conficker. We talked about those in some detail here and here.
  • If you find you do have a Conficker infection, try the removal tool linked above.

Finally, here are some useful resources for finding out more about Conficker.

  • If you check the blog archives box at the top right of this page, you’ll see a link to "other archives": the page that it links to includes ways of searching by month or by subject (category).
  • There’s a very thorough analysis by SRI here.
  • There are links to other resources at the Internet Storm Center.

David Harley & Pierre-Marc Bureau
Malware Intelligence Team

Foil Conficker: Get Rid of AutoRun


Wednesday, March 25th, 2009

OK, this doesn’t actually foil Conficker, but it does block one of the attack vectors and prevents many other threats from automatically infecting your computer too.

It is the longest standing un-patched Microsoft vulnerability and Microsoft calls it a “feature”. The idea of autorun is to attempt to make it so that a person can use a computer with a minimal amount of knowledge. The way autorun works is that when you use removable media, such as a USB key, a CD, etc., Windows will automatically look for a file called “autorun.inf” and if it is there then Windows will do what the file says to do. The idea was that a user doesn’t have to know how to double click on setup.exe, they just put a CD or USB key in and the program runs itself. The problem is that the bad guys know that and often use autorun to install malicious software as soon as a USB drive is plugged in. Conficker exploits this as well.

In 2008 more than 1 out of every 15 threats we detected were using autorun.inf to help infect users. In January, nearly 1 out of every 10 threats we detected at ESET used autorun. Microsoft does not provide a truly effective solution for disabling autorun and the partial solution they suggest is cumbersome. My friend, Michael Horowitz, who blogs at http://blogs.computerworld.com/horowitz, recently shared a real solution with me. You can read more about it on his blog from January 30th (http://blogs.computerworld.com/the_best_way_to_disable_autorun_to_be_protected_from_infected_usb_flash_drives). The fix works with XP and Vista.

Here’s where it gets a little bit techie. The fix involves creating a registry key. Michael provides a link to a program to do this on his blog, but I’ll tell you how to create the file here.

You need to use something like Notepad, or if you use Word, then you must save the file as a plain text file, not a document. The file extension must be .reg. Alternately, you can create the registry key by hand if you are so inclined.

Here are the contents of the registry file. You can copy and paste everything between the dashed lines into your file. You might name it, noautorun.reg, but the name isn’t as important as the final extension.

Please note, the second line wraps, but it is really a single line.

——————————————————————————————
REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf]
@="@SYS:DoesNotExist"
——————————————————————————————

When you create and then run the registry file it creates a key called Autorun.inf under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping. The default value of the key is @SYS:DoesNotExist.

For extra security you can go to the new autorun.inf key and set some special permissions. I go into the special permissions, add “everyone” and then deny all access except to read and query the key. This should prevent malicious software from changing the value of the key in almost all cases.

The Microsoft solution is ineffective and breaks Windows Media Player. When you use Microsoft’s solution, each time you change a CD for Media player you have to close and re-open Windows Media player for it to recognize the new disk. With the solution I am suggesting Windows media player still recognizes when you change a disc.

Giving credit where it is due, a guy named Emin Atac came up with this approach. There are few known side effects of this approach and none are as bad as the side effects of allowing auto-infect, er... autorun.

To undo the modification you can manually delete the key that was created, or use the same reg file, but place a minus sign in front of the second line... right before [HKEY....
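The same change, the extra permissions described above, a check that it took effect, and the undo can all be done from PowerShell instead of a .reg file. The script below is an added example, not code from the original post, from Emin Atac or from ESET; it assumes an elevated Windows PowerShell session, and uses the key path and value quoted on the page.

```powershell
# Added example (not from the original post): applies the IniFileMapping\Autorun.inf
# redirect from PowerShell, adds the "Everyone: deny all but read/query" permissions,
# verifies the result, and reverses the change (the minus-sign .reg trick's equivalent).
# Assumes an elevated Windows PowerShell session.

$AutorunKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\IniFileMapping\Autorun.inf'
$Redirect   = '@SYS:DoesNotExist'

function New-EveryoneDenyRule {
    # Everyone (well-known SID S-1-1-0) is denied every right that could alter the key;
    # the read/query rights (QueryValues, EnumerateSubKeys, Notify, ReadPermissions) stay.
    $everyone = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)
    $rights = [System.Security.AccessControl.RegistryRights]
    $deny = $rights::SetValue -bor $rights::CreateSubKey -bor $rights::CreateLink -bor
            $rights::Delete -bor $rights::ChangePermissions -bor $rights::TakeOwnership
    New-Object -TypeName System.Security.AccessControl.RegistryAccessRule -ArgumentList @(
        $everyone, $deny,
        [System.Security.AccessControl.InheritanceFlags]::ContainerInherit,
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Deny)
}

function Disable-AutorunInf {
    # Same effect as importing the noautorun.reg file shown above.
    New-Item -Path $AutorunKey -Force | Out-Null
    Set-ItemProperty -Path $AutorunKey -Name '(default)' -Value $Redirect
    # Then the "special permissions" step: deny Everyone everything except read/query.
    $acl = Get-Acl -Path $AutorunKey
    $acl.AddAccessRule((New-EveryoneDenyRule))
    Set-Acl -Path $AutorunKey -AclObject $acl
}

function Test-AutorunInfDisabled {
    # True only if the key exists and its default value is the redirect string.
    if (-not (Test-Path -Path $AutorunKey)) { return $false }
    $value = (Get-ItemProperty -Path $AutorunKey -Name '(default)' -ErrorAction SilentlyContinue).'(default)'
    return ($value -eq $Redirect)
}

function Enable-AutorunInf {
    # Undo: the deny rule covers your own account too (Everyone includes you), so it is
    # removed before the key is deleted. The account that created the key owns it, and an
    # owner can always change a key's permissions.
    if (Test-Path -Path $AutorunKey) {
        $acl = Get-Acl -Path $AutorunKey
        $acl.RemoveAccessRuleAll((New-EveryoneDenyRule))
        Set-Acl -Path $AutorunKey -AclObject $acl
        Remove-Item -Path $AutorunKey -Recurse
    }
}

# Apply and verify.
Disable-AutorunInf
Test-AutorunInfDisabled   # expected to print True
```

Test-AutorunInfDisabled is also a convenient thing to run periodically: a return value of False on a machine where the fix was applied means something removed or rewrote the key, which is exactly the tampering the deny permissions are meant to make hard.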

If you have questions about this or any general security topics, feel free to email me at askeset@eset.com

Randy Abrams
Director of Technical Education

Don’t Be An April Fool!


Tuesday, March 24th, 2009

The highly publicized Conficker worm has a new version that is assumed to trigger on April 1st. There are a few steps you should take right now.

First, back up any important data. This is just plain sound advice, regardless of viruses, worms, etc. A hard drive crash can destroy data.

Make sure that the Windows Security Center is working. Check on the status on your firewall and antivirus software. If you do not know how to do this, then get some help, and learn. Despite all the marketing materials from all kinds of security companies, you really can’t safely use the internet if you won’t learn some computer basics.

If you don’t have antivirus, and no, Windows Defender is not antivirus, then get some. We have a fine product here at ESET, but if you want to go the free route, just make sure that the product you choose is tested by Virus Bulletin (www.virusbulletin.com). There are some fake programs that instead infect your computer. For paid programs, they should either be tested by Virus Bulletin or certified by ICSA Labs <http://www.icsalabs.com/icsa/icsahome.php> or have West Coast labs Checkmark certification <http://www.westcoastlabs.org/>.

Find the author of the program... Hey, Microsoft is offering a $250,000 reward!!! Well, perhaps you better first make sure your computer is secure.

Conficker.C is a pretty nasty piece of malware. In addition to disabling the Windows security center and automatic updates, it is reported to prevent booting into safe mode and to delete system restore points. It has a few other nasty tricks up its sleeve too, like disabling lots of other security software.

Before you hyperventilate over this one though, remember, there are thousands of other threats out there as well. If you are taking the right steps to keep your computer secure, then Conficker.C will be no riskier to you than the other threats you have not been getting infected with. If you aren’t sure if you are doing the right things then now might be a great time to check out <http://www.staysafeonline.org> for some easy to digest security education.

As always, if you have general security questions, you can send them to me at askeset@eset.com.

Randy Abrams
Director of Technical Education

Conficker Resurgent


Saturday, March 7th, 2009

It appears there are interesting developments on the Conficker/Downadup development front. Peter Coogan of Symantec describes here a variant that doesn’t appear to be interested in infecting new machines, rather more so in updating and protecting itself on systems already infected with previous variants.

(And, yes, ESET’s ThreatSense technology does already detect it heuristically!)

It seems to have two particularly interesting characteristics:

  • It continues to attempt to disable security software like sysinternals tools and wireshark by killing processes that contain keywords. Of course, lots of other malware attempts to evade detection by killing security processes, and we noticed Conficker doing the same thing going back at least as far as January, but this retrospective "hardening" of the program’s self-protective capability is interesting for reasons I’ll come back to shortly.
  • The domain name generation algorithm used by the earlier versions, which has been pretty effectively addressed by the industry so far (much credit is due to collaborative work by ICANN, Microsoft and F-Secure, among many others) has been tweaked to generate many more domain names. How successfully this will evade industry countermeasures based on Conficker’s attempts to register domains is not altogether clear, but the intent is plain.

As Peter suggests, it looks as if the Conficker authors are particularly interested in keeping their hold on systems that are already compromised. That doesn’t mean that other systems won’t be targeted, of course. But it does suggest that systems already compromised have by no means been abandoned: furthermore, whatever it is the Conficker gang have been cooking up with a view to making use of those compromised systems is likely to be served up sooner, rather than later.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Threat Trends In January


Thursday, February 5th, 2009

Here at ESET we have just released our Global Threat Trends report for January 2009.

Not surprisingly, at the top of the list is a family of programs that exploit Microsoft’s longest unpatched vulnerability. That’s right, Autorun.inf, is an evil “feature” that should have been patched out of existence a long time ago. Since it is so effective for malware there are lots of threats that exploit it.

In the number two position we find a family of threats that steal passwords for online games. This is also pretty logical. There is a lot of money in the sale of “virtual” items and characters for real money.

In third place is the new kid on the block... the Conficker worm. Conficker is truly a tragedy as it is indicative of really poor security practices. Failure to patch your OS will leave you vulnerable to this worm. Autorun is another attack vector. If you disable autorun you take away another avenue of attack for Conficker and the most widespread threats we see. I’ll have a blog up in a day or two that will show you how to really kill autorun. It’s the patch that MS should have disclosed a long time ago. Administrative shares are another avenue of attack and weak passwords are still another security fault that Conficker exploits.

If you decrease the number of security holes you have then your goalie, security software, takes less shots on goal. That is a basic defensive strategy. Prevention is always better than cure, and Conficker highlights that much more work is required in the prevention department.

You can read the whole report at http://www.eset.com/threat-center/threat_trends/Global_Threat_Trends_January_2009.pdf

Randy Abrams
Director of Technical Education

Conficker Statistics


Friday, January 30th, 2009

I just did some work on a report that quotes some of the various statistics - or do I mean guesstimates? - regarding how many machines were likely to have been infected by Conficker. That report has already gone out, but it’s been pointed out to me that the wording makes it sound like we’re estimating somewhere between 10 and 50 million.

That wasn’t, in fact, my intention: I’m not in a position to hazard a meaningful guess on the real figure, though even the much-cited guess of 9-10 million at the low end seems high to me, and I’ve heard some estimates in the past few days at around 1 million-1.5 million which seem likelier. However, the nature of the Internet makes it difficult to generate any statistics in almost any context based on unique IP addresses. Due to factors such as fast flux, NAT, dynamic addressing and so on, a straightforward statistic can mask huge variations either up or down. All credit to F-Secure for trying to establish some kind of ballpark figure: they’re braver than I am.

What I can tell you, for what it’s worth, is that in the report I just mentioned Conficker comes out third highest in our "top ten" for January, behind INF/Autorun and Win32/PWSOnLineGames. Does this give us any sort of clue?

Not really. These figures are based on detections of these threats on machines owned by ESET customers: this suggests malware blocked at the point of entry, though a few of them might be machines that were infected before an ESET scanner was installed. It emphatically does not represent a sample of the total population of infected PCs in the world. It does tell us that there are a lot of instances of attempted infections taking place, but it doesn’t give us any meaningful way of quantifying the number of machines that are broadcasting them.

So, sorry. I really have very little idea of how many of the billion or so current users of the Internet are doing so from Conficker-infected PCs. Somewhere between 1 million and 50 million, I’d say. Or more. Or possibly less. Would you settle for "quite a lot"?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Conficker Clarified


Friday, January 30th, 2009

I just happened upon a blog that made an interesting point about the information that’s been made available about Conficker. Essentially, the writer was fulsome in her praise of an article by Gary Hinson here, which gave some simple advice on dealing with Conficker/Downadup. As it happens, I’m familiar with the name Gary Hinson: he also contributes to a blog here to which I also contribute occasionally, and has posted some excellent stuff there. In fact, Randy and I wrote a paper for AVAR last year that cites one of those posts (it should be available on our white papers page here soon).

I have to agree that the simpler the better in a case like this, and most people are probably more interested in how to avoid or remove the thing than they are in the complexities of estimating how many infected machines there really are.

(Not that I mean to criticize F-Secure in any way for making that information available: after all, I belong to a community that finds that stuff fascinating. And they’ve certainly provided plenty of information more immediately relevant to the man-in-the-street, or perhaps I should say the end-user-on-the-information-superhighway.)

I felt that in this case, Gary had missed one or two essential points and perhaps had slightly oversimplified the issues. So here’s an attempt to be a little less geeky than Pierre-Marc and I were in an earlier post on the topic and boil it down to a more accessible form.

As there’s a great deal of malware around that exploits the autorun facility (autoinfect, as we sometimes rather harshly refer to it round here), it’s an excellent idea to disable it, but to do so effectively is a lot less straightforward than the procedure in Gary’s blog (though even that will lower the risk). Microsoft have revised their procedure for doing so at http://support.microsoft.com/kb/953252, but US CERT’s note at http://www.us-cert.gov/cas/techalerts/TA09-020A.html addresses some weaknesses in the procedure. I agree, though, that if looking at these procedures makes you nervous, you probably need support from someone more confident with PC maintenance.

But there’s a lot more to Conficker than autorun. The main reason that so many -corporate- systems are infected is that they haven’t patched the vulnerability described here, www.microsoft.com/technet/security/Bulletin/MS08-067.mspx and they ought to be patching MS08-068 and MS09-001 at the same time. (See the earlier blog for more details.)

There’s also an issue with weakly passworded network shares that will certainly affect many corporate networks, though few home users, I’d guess. Like so much modern malware, Conficker will slip onto your system by any route it can find.

And because many home users will be using free but unsupported AV software, and in any case Conficker tries to stop infected systems from accessing vendor web sites, contacting the vendor may not be so simple. For cleaning purposes, the best option for many will be to get one of the Conficker-specific tools some vendors have made available, which will probably require access to an uninfected machine. Ours is here, but other vendors have similar tools.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Reader Comments (1)

The personal loans seem to be essential for people, which would like to organize their career. As a fact, it's not really hard to receive a short term loan.

March 12, 2010 | Unregistered Commenter PATELOphelia33
