How to Survive a Zombie Attack, by Acey Duecy

2009 has been a notable year for malware and malicious online activity for a number of reasons and several of them relate to what is known as botnets. A zombie, or a bot, is a PC infected by malware that brings it under the remote control of a criminal. Criminals run networks that can range from thousands to millions of infected machines and they use them to power most of the cybercrime we see today including spam, DDoS, scareware, phishing, and malicious or illegal website hosting. They have a finger in every cybercriminal pie.

In the first half of the year, the Conficker worm (also known as Downadup or Kido) stole all the headlines in the malware world. Eventually the Conficker botnet was seen to deliver standard cybercriminal payloads, such as spambots and Fake AV (or scareware), much to the disappointment of some of the more hysterical commentators. Just because the outbreak received so much coverage that died away just as rapidly, don’t be fooled into thinking this threat has gone away. The Conficker Working Group, an alliance of security vendors, researchers and other commercial organisations is currently showing around 6 million unique IP addresses as appearing to be infected with this malware.

An unrelated, but important trend in 2009 was the exponential increase in the abuse of social networking providers for malicious purposes. The enormous active user populations on sites like Facebook, Twitter and MySpace prove a very attractive lure to organised online crime and its attendant money-making, bot recruitment and Fake AV pushing scams. Facebook has been abused by rogue Apps, designed to fool users into clicking links that reward the creator through pay-per-click affiliate advertising networks. It has also been used to spread malware through many means; malicious links in wall posts and messages, malware designed specifically to hijack accounts and by external compromise of legitimate Facebook Apps. The Koobface family of malware (also a botnet) has evolved over the course of 2009; it was initially spread through malicious messages and wall posts with links to fake YouTube sites punting a supposed codec in order to view the video. The codec of course was nothing of the sort and led to infection and account hijacking. Koobface now though has evolved to the point where it is fully capable of creating its own fake Facebook profile pages, complete with confirmed Gmail address, photo and biographical data. These fake accounts then set about joining networks and sending friend requests again all in a completely automated fashion.

Here’s where it gets interesting, in addition to spamming and malware, web 2.0 sites have been abused in new and concerning ways over the course of 2009. Twitter and Google Reader have been used as the landing page in spam campaigns, to attempt to overcome URL filtering in email messages. In recent months Twitter, Facebook, Pastebin, Google Groups and a Google AppEngine have all been used as surrogate Command & Control servers for botnets, and just last week it was reported that a Zeus botnet was leveraging compromised servers inside Amazon’s EC2 cloud for command and contro. These public forums have been configured to issue obfuscated commands to globally distributed botnets, these commands often contain further URLs which the bot then accesses to download commands or components.

The attraction with these sites and services lies in the fact that they offer a public, open, scalable, highly-available and relatively anonymous means of maintaining a command and control infrastructure, which at the same time further reduces the chance of detection by traditional technologies. Whilst network content inspection solutions could reasonably be expected to pick up on compromised endpoints that are communicating with known-bad sites (command & control servers), or over suspicious or unwanted channels such as IRC; it has been historically safe to assume that a PC making a standard HTTP GET request, over port 80 to a content provider such as Facebook, Google or Twitter, even several times every day, is as acting entirely normally. However, as botnet owners and criminal outfits seek to further dissipate their command and control infrastructure and blend into the general white noise of the internet, that is no longer the case.

It is no coincidence that much the innovation in 2009 has been around command & control systems for botnets. The vast majority of old-school IRC controlled botnets are shut down within 24 hours and peer-to-peer bots often leave visible signatures too, leading to their neutralisation at machine level. One factor of web 2.0 botnet controls that I would expect cybercriminals to be currently evaluating is the single point of failure represented by relying on a single provider such as Facebook or Google–shut down the malicious Facebook page and you disable the botnet. Botnet creators have invested significant amounts of time and code in distributing their management infrastructure, in fast-flux and in peer-to-peer protocols. We can fully expect them to carry these lessons learned into the newer “cloud-enabled” botnet. It is entirely possible that the capability of the latest Koobface variant to create multiple automated profiles could be leveraged to mitigate against the single point of failure inherent in using a single Facebook or Twitter profile as a covert channel.

When it comes to botnets it would be really nice to be able to say “it’s getting better”.  It’s not.  More and more computers are being infected, and they are staying infected for longer.

As well as reactivating the original propogation functionality, this new variant sheds some extra light on possible links with other malware and origins of the worm. This new Downad/Conficker variant is talking to a server which is known already for being associated with the Waledac family of malware, in order to download further malicious components. These components have so far been missing, but could this finally be the “other boot dropping” that we have all been waiting for?

Waledac has, for a while now, been suspected to be the latest offering from the people behind the Storm botnet. Could it be that Downad/Conficker, Waledac and Storm all originate from the same cybercriminal gang?

Please read the TrendLabs Malware blog for a detailed breakdown.

So in anticipation of the “Impending Technological Apocalypse™“. Trend Micro is pleased to bring you a method to outsmart the worm and restore access to those blocked web sites on your infected machines.

1 -In the Start menu, choose Run. (If you cannot see the Run choice in your Start menu you may need to add it. It can be added as follows: Right mouse click the Start button and choose Properties. Hit the Customise button and choose Advanced. In the Start Menu Items section, scroll down until you see the check box for Run Command, check that box as below, and hit OK).

2- Alright, so now you can hit the Start button and choose Run. In the Run window that appears, type cmd as below and hit OK.

3 -In the window that appears, type the command net stop dnscache, and hit Enter, then type exit and hit Enter again. It should appear exactly as show below.

4 – Right, we’re almost done, just a belt-and-braces check to do now. Again click Start and choose Run. This time type services.msc in the Run box and click OK. It brings up a window as shown below

5 – Double-click the DNS Client entry in the list, and if it is not already stopped, hit the Stop button.

Hey presto! You should now be able to access all of those previously blocked sites, of course including the excellent HouseCall for all your cleanup needs.

This service has been brought to you by a large Indian meal, a very long day and a well-known Tennesee Sippin’ Whiskey

As soon as the good news breaks that it is possible to use tools such as the network scanning tool nmap to search for machines infected by Downad/Conficker, then the malicious SEO work starts.

If you need malware removal tools type the URL of your vendor of choice directly into the browser bar and use links on their website. Do not rely on Google search results at this time, as they may have been “optimised”.

Careful what you click on, these Google results are loaded!

According to blogger Dizzy Thinks, the UK Parliament has become the latest institution to fall victim to the spread of Downad/Conficker. In an internal memo, which was subsequently leaked, network users were advised the following:

To: All users connecting directly to the Parliamentary Network

The Parliamentary Network has been affected by a virus known as conficker. This virus affects users by slowing down the Network and by locking out some accounts. We are continuining [sic] to work with our third party partners to manage its removal and we need to act swiftly to clean computers that are infected.

 

We are scanning the Network and if we identify any equipment which we believe is infected with the virus then we will contact you to ensure that the device is either removed from the Network or cleaned and loaded with the correct software to prevent this infection reoccurring.

You can help us to contain this problem and prevent new infection by adhering to the following advice:

• We are unable to clean PCs and portable computers which are either not switched on or which are not authorised devices. We therefore ask that if you are running a PC or portable computer not authorised to be on the Network that you take it off immediately.
• An additional characteristic of this virus is that for some types of files it can skip direct to the Network from a USB memory stick or other portable storage device (e.g. mp3 players) without hitting the virus checker software. We ask that for the time being you do not use memory sticks or any other portable storage devices on the Parliamentary Network.
• If you do identify a problem with the equipment you are running, please contact the PICT Service Desk on 020 xxxx 200x when it reopens on Wednesday 25 March from 8am.
• If you are connecting using one of our remote access services, from a Constituency Office for example, a separate communication will be sent to you.

Director of Parliamentary ICT.

 

This raises several salient questions in my mind…

1- What the expletive are “unauthorised devices” doing on the Parliamentary network in the first place? Of all the organisations in the country you would expect the UK parliament to be using Network Access Control technology to keep the wrong ‘uns out!

2- What kind of anti-malware solution are they running there that allows a worm to “skip direct to the Network from a USB memory stick or other portable storage device (e.g. mp3 players) without hitting the virus checker software” and also, one that doesn’t detect the worm itself?

3- Where’s the port control or DLP solution?Tthe memo itself being made public amply demonstrates (if any proof were needed) that the potential for data leakage exists, and this is Parliament.

4- What kind of message is this “We are unable to clean PCs and portable computers which are not switched on“? Surely this could be interpreted as “We are experiencing an outbreak, please make sure all computers are switched on“. That doesn’t sound like good containment policy to me.

I don’t want this post to be entirely negative though, so, Dear Parliament, if you are having trouble cleaning this up, give us a call we’ll come and do it for nothing.

“This could well be very big, but it will also be very quiet.”

I’m beginning to get a little exercised by many of the verbs I am seeing attached to this malware in recent commentary; words like “virus set to explode”, “erupt”, “blow up” or “will infect 12m computers on April 1st”. I put the following information together to try to clarify exactly what will be “activated” on April the 1st and bring some rationality to the debate.

First Variant

In November 2008, Downad/Conficker was seen for the first time. This first variant was the most simple; it spread by exploiting a vulnerability (MS08-67) that was actually patched by Microsoft back in October of 2008. This variant actively avoided infecting systems that were configured to use a Ukrainian keyboard layout or had IP addresses registered to the Ukraine (which may give some clue as to its origins). This original variant, once it had infected a machine would firstly randomly generate IP addresses and use those to search for new victims to infect and then go on to attempt to download some rogue antivirus “scareware” as a one-time event. From that point on, it would generate a daily list of 250 pseudo-random domain names using the top level domain suffixes com, .net, .org, .info, and .biz and attempt to connect out to those servers and download further malicious content.

Second Variant

January 2009 saw the second Downad/Conficker variant, which was largely a rewrite of the first; it no longer excluded Ukrainian systems and did not try to download the “scareware” as the first variant did. It also used several more mechanisms through which to spread. In addition to exploiting the Microsoft vulnerability, it also spread by writing to any removable drives plugged into infected systems, any shared network drives currently attached and additionally searched for machines on the same network against which it would attempt a brute force password attack using a list of over 240 predefined common passwords. This second variant also attempted to disable many well known anti-virus programs, blocks access to security related web sites, and disabled key Microsoft security services such as Windows Automatic Update. These additional methods of self-propagation are though to have contributed to the worm’s success at infecting large numbers of machines.

This second variant also generates a daily list of 250 domains to try to connect to this time using more top level domain suffixes com, .net, .org, .info, .biz, and adding .ws, .wn and .cc  The domains generated by the two versions do not overlap.

Third Variant

In March 2009, a significant third Downad/Conficker variant surfaced. This new version appears to have been spread by an update pushed out to machines previously infected with the second variant. This new version now generates a daily list of 50,000 Internet domain names instead of the 250 generated previously and rather than the 5 or 8 top level domains used by the first two variants, this version uses 110 different top level domains. Only 500 of these generated domains are queried, and only once per day. It is this mechanism that is coded to begin on 1^st April, and the sheer numbers of domain names involved render redundant the blocking mechanisms used so far to combat the worm.

In addition to this already established HTTP Command & Control infrastructure, this new variant also introduced Peer to Peer communications capabilities between infected hosts, presumably in an effort to get around the security and internet industries attempts to shut down the HTTP connection mechanism.

In this third update, the propagation methods present in the first and second variants have been removed and the stance of the infection has shifted to a more defensive one. This signals perhaps that the cybercriminals behind this feel they have infected enough machines to turn this into a “simple” botnet for distributing whichever malicious code they see fit. Remember though, the propagation functionality could just as easily be switched on again as required by the authors.

It’s really anyone’s guess what the infected hosts will be used for if the command & control infrastructure goes live on April 1st. Pushing rogue AV? Sending Spam? Carrying out Denial of Service attacks on other servers and Internet infrastructure? Hosting Malware and Phishing sites? Or simply creating a very large asset pool of infected PCs for the owners to rent out for cash? Personally I don’t buy into the mass attack scenario, the motivator for mainstream cybercrime is still cash generation, and “bringing down the Internet” wouldn’t be much of an earner. The people behind this piece of code are very skilled, very well informed and resourced. They have invested much time and effort in the creation of this botnet, and will be aiming to see some return on that investment. Making so much noise that every victim knows they’re infected will have entirely the opposite effect. This could well be very big, but it will also be very quiet.

If you believe your system may be infected by Downad/Conficker, then online scanners and tools almost certainly won’t be of any use to you, because the websites will be blocked by the infection. I would recommend you download SysClean, a free tool from Trend Micro to remove any infection.

For a great in-depth analysis of Downad/Conficker, please have a look at the Research Paper written by SRI International