W32.Neeris.C is yet another worm that exploits the Microsoft Server Service RPC buffer overflow vulnerability described in Security Advisory MS08-067 (KB958644). It also spreads through USB removable drives.
W32.Neeris.C drops a driver, %System%\drivers\sysdrv32.sys, that works as a rootkit. It starts a service called "Play Port I/O Driver" by creating the registry key below:
This is a MUCH REQUIRED modification to the Windows OS.
This is definitely a very positive move and would help the entire Microsoft user base. Protection from third party antivirus software is required only when we have no other option to fight back the ever changing and increasing malware threat. However, if the Windows OS keeps on evolving like this and provides us with some much needed protection from basic threat vectors, we as end users will benefit to a great extent. This would significantly bring down the propagation of the vast majority of active malware running loose in the wild.
I hope that we get a Win XP and Vista update for this at the earliest.
Updated - 06 May 2009: Nice post about the Autorun menace and why Microsoft is willing to change the Autorun feature:
“Malware Calling Home” is an activity where an infected system tries to connect to a remote host, often the command and control or malware update center, from where it can download an updated binary for the infection, or to which it connects back to receive commands passed on by the malware herder. This scenario is typically true for malware that builds botnets. One of the most common symptoms in such a scenario is multiple infected systems trying to connect to this remote host simultaneously. During such an event there may be complaints of unnecessary and high network usage, and the CPU utilization of certain servers like the DNS server, or of devices like the network routers, may spike for apparently unknown reasons.
The below figure shows a pictorial representation of the components and activities of a DNS Server. Some of the components are knowingly left out from this figure to keep it simple.
Now these details can help us track malware activity of a specific kind in the network during its initial stages, if we know a few things about the malware’s tendency to connect to its parent source and correlate it with the DNS domain name resolution methodology. In this way we would know what to look for and where to look for it, so that we can confirm the presence of infected systems in the network.
When an infected system tries to connect to a remote host, say for e.g. abc.bad-domain. biz, the first thing that happens is that it tries to resolve the IP address of this remote host and queries the DNS server. Once the DNS server finds that its own namespace doesn’t contain the said domain (in the case of authoritative servers), it uses the Root Hints so that the respective servers can forward the request to an authoritative server, which in turn responds with the requested IP address.
If we suspect that some malware related activity is happening, which has maybe infected a chunk of systems in the network infrastructure, then we can try to locate these rogue systems by monitoring the traffic at the DNS server. We can use a network sniffer (Wireshark, Ethereal etc.) and try to identify a pattern where more than one system is trying to access this abc.bad-domain. biz. We may not know that abc.bad-domain. biz is in reality a bad host, so we can try to find out more details about this host, and we can find out how many systems are trying to resolve this host name. The source systems from which these resolution requests are coming have to be checked thoroughly and manually. The DNS server is one of the hot spots from where, through periodic monitoring, we can identify and stop a possible outbreak situation proactively.
Another hot spot for a similar kind of scenario is the network router. We can also occasionally monitor the router cache for null traffic or traffic that’s targeted at remote destination port 01BD (hex for 445, the SMB/RPC port). If there are multiple and frequent instances of this kind of traffic in the router cache, then these can be indicators of possible malware activity. Refer to the figure below.
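The two checks described above (many clients resolving the same unknown name at the DNS server, and one host opening connections to many peers on port 445 as seen at the router) can be automated over exported logs. The script below is an added illustration, not code from the original post. The DNS query log format ("time client-ip qtype qname") and the router flow record format ("time src-ip dst-ip proto dst-port") are assumptions constructed for the example; real DNS debug logs and NetFlow exports have their own layouts and would need their own parsers, but the correlation logic is the same.

```python
"""Hunt for "calling home" fan-in at the DNS server and MS08-067-style
fan-out on TCP/445 at the router, over constructed sample logs.

Added example; the log formats are assumed, not taken from any product."""
from collections import defaultdict
from typing import Dict, List, Set

# Constructed DNS query log: five internal hosts resolve the same unknown name,
# the fan-in symptom described in the post.
DNS_LOG = """\
10:00:01 10.0.0.11 A www.example.com
10:00:02 10.0.0.12 A abc.bad-domain.biz
10:00:02 10.0.0.13 A abc.bad-domain.biz
10:00:03 10.0.0.14 A abc.bad-domain.biz
10:00:03 10.0.0.11 A abc.bad-domain.biz
10:00:04 10.0.0.12 A mail.example.com
10:00:05 10.0.0.15 A abc.bad-domain.biz.
"""

# Constructed router flow records: one host probes many peers on TCP/445
# (0x01BD), while another host has only ordinary traffic.
FLOW_LOG = """\
10:00:01 10.0.0.12 10.0.0.20 TCP 445
10:00:01 10.0.0.12 10.0.0.21 TCP 445
10:00:01 10.0.0.12 10.0.0.22 TCP 445
10:00:02 10.0.0.12 10.0.0.23 TCP 445
10:00:02 10.0.0.11 10.0.0.50 TCP 445
10:00:02 10.0.0.11 10.0.0.60 TCP 80
10:00:03 10.0.0.12 10.0.0.24 TCP 445
"""

# Known-good suffixes to ignore (assumption: the organisation's own zones).
KNOWN_GOOD = (".example.com",)


def dns_fan_in(log: str, min_clients: int = 3) -> Dict[str, Set[str]]:
    """Return {qname: clients} for names resolved by >= min_clients distinct hosts."""
    clients_by_name: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed or blank lines rather than crash
        _time, client, _qtype, qname = parts
        qname = qname.rstrip(".").lower()  # normalise trailing dot and case
        if qname.endswith(KNOWN_GOOD):
            continue
        clients_by_name[qname].add(client)
    return {n: c for n, c in clients_by_name.items() if len(c) >= min_clients}


def smb_fan_out(log: str, min_targets: int = 4, port: int = 445) -> Dict[str, Set[str]]:
    """Return {src: targets} for hosts contacting >= min_targets distinct peers on port."""
    targets_by_src: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _time, src, dst, proto, dport = parts
        if proto.upper() == "TCP" and dport == str(port):
            targets_by_src[src].add(dst)
    return {s: t for s, t in targets_by_src.items() if len(t) >= min_targets}


def suspects(dns_log: str, flow_log: str) -> List[str]:
    """Hosts that appear in either indicator, sorted, for manual follow-up."""
    hosts: Set[str] = set()
    for clients in dns_fan_in(dns_log).values():
        hosts |= clients
    hosts |= set(smb_fan_out(flow_log))
    return sorted(hosts)


if __name__ == "__main__":
    for name, clients in dns_fan_in(DNS_LOG).items():
        print(f"DNS fan-in: {name} queried by {len(clients)} hosts: {sorted(clients)}")
    for src, targets in smb_fan_out(FLOW_LOG).items():
        print(f"TCP/445 fan-out: {src} -> {len(targets)} peers: {sorted(targets)}")
    print("Check manually:", suspects(DNS_LOG, FLOW_LOG))
```

The thresholds (three resolvers for a name, four port-445 peers for a host) are starting points; on a real network they should be set from a baseline of normal traffic, and the flagged hosts still have to be examined by hand as the post says.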
I welcome any comments or suggestions about this post. If any of you feel that certain things can be pointed out, corrected or explained further, please feel free to send me a mail and let me know. I would definitely try to make the changes to this article.
Microsoft Tech.Ed-India 2009 will be held at the Hyderabad International Convention Center (HICC) in Hyderabad, India (May 13th - 15th)
This is an opportunity of a lifetime to interact with some of the leading lights in the business and technology space globally, talk to Microsoft product development teams directly, and get in-depth hands-on training and certifications in some of the most coveted and anticipated technologies.
The concept of Zombies has haunted mankind since the dawn of civilization.
Zombies are generally corpses brought back from the dead by supernatural means, and are under someone’s direct control.
Zombies are not the stuff of Hollywood storyline, voodoo witchcraft or black magic anymore. The Night of the Living Dead has come alive in the world of Information Technology. Zombies are no longer fiction; they have come to haunt the tech savvy lives of the 21st century.
Online criminals are capitalizing on the concept of the Zombie. They can use viruses to take control of a large number of computers over a period of time, and then turn them into "Zombies" that work together as a powerful army of infected systems called "Bots" to perform malicious activities. The term "Botnet" is used to refer to any group of such bots.
Botnet is a term for a collection of software robots, or bots, which run autonomously and automatically. They run on groups of "Zombie" computers controlled remotely. The term can also refer to a network of computers using distributed computing software.
The viruses or malware that turn a system into a Zombie and make it part of the global network of botnets do not usually harm the infected system. The reason is that Zombie computers must be up and running and connected to the Internet for the botnets to be active, so that they can be used for more devastating activities.
With Conficker around, the Storm of 2008, Rustock, Srizbi and many more, botnets have become a serious threat on the Internet. These attacks are now more targeted, and financial gain is usually the motive behind them. Gone are the days when DDoS was the only item on the menu. Of late, malware activity is aiding a million-dollar fraud industry. Botnets comprising millions of individual "Zombie" computers (BOTS) or more can distribute spam, transmit viruses, attack other computers or servers, carry out DDoS as part of hacktivism and commit various other sinister crimes.
Most of us know why the Conficker worm was named CONFICKER, but for those who don’t know why the name CONFICKER was chosen for this worm, here is a little information.
The name of this worm was chosen as Con-Fic-K-Er because the reversers who were analyzing this worm’s first variant (W32/Conficker.A) found the presence of a string “trafficconverter .biz”. The name of this worm was taken from this string by rearranging portions of it.
The purpose of “trafficconverter .biz”, which later became “traffic-converter .biz” and “trafficconverter2 .biz”, was to recruit affiliates so that the already existing misleading applications, better known as Rogue Applications, could be installed on more and more systems around the world. A quote from “trafficconverter .biz” about the affiliate program is below:
What is Traffic Converter?
Traffic Converter is affiliate program that helps webmasters to convert their traffic into cash.
How it works?
We are selling popular antispyware and security software products to surfers which you send to us. You receive $30 for each sale of our products.
Why does it work so good?
With our direct-marketing approach, aggressive promotion materials and advanced software products you can earn much more than with other affiliate or advertising programs.
The owners of “trafficconverter .biz” were very much involved in spreading these misleading applications, commonly known as Rogue AntiSpyware. The Conficker.A variant also attempted to download a payload from their domain. However, this variant was never able to download the payload file hxxp://trafficconverter .biz/4vir/antispyware/loadadv.exe because the “trafficconverter.biz” domain was shut down as an early response to the Conficker threat.
Also, mentioned below are the WhoIs details of the “trafficconverter .biz” domain:
Domain Name:TRAFFICCONVERTER .BIZ
Domain ID:D22305317-BIZ
Sponsoring Registrar:DIRECTI INTERNET SOLUTIONS PVT. LTD. D/B/A PUBLICDOMAINREGISTRY .COM
Registrant Name:Daniel Adams
Registrant Organization:eosads
Registrant Address1:13 Baterman Street
RegistrantCity:London
Registrant Postal Code:W1D 3AF
Registrant Country:UNITED KINGDOM
Registrant Country Code:GB
Registrant Phone Number:+41.225349854
Registrant Email:ddarkmaster@gmail .com
Last Transferred Date:Mon Dec 01 14:04:54 GMT 2008
Status:SUSPENDED (This Domain Name is Suspended)
The “trafficconverter .biz” domain operated along with various sister domains viz.
Domain Name: XPANTIVIRUS .COM
Registrant:VerifiedSofts
John Davidson ddarkmaster@gmail .com
London.Barnet str. 12/22
London, Barnet, 12012, GB
Tel. +44.7917722025
Creation Date: 20-Sep-2007
Expiration Date: 20-Sep-2010
Status:SUSPENDED (This Domain Name is Suspended)
Domain Name: ANTISPYGUARD .COM
Registrant:Verified Software
Victor Temchenko verifiedsoftware@gmail .com
Geroev Truda 68 - 136
Kharkov, 61038, UA
Tel. +38.0638550739
Creation Date: 23-Aug-2007
Expiration Date:23-Aug-2009
Status:SUSPENDED (This Domain Name is Suspended)
Domain Name: ANTIVIRUS2009ONLINE .COM
Registrant:eosads
Daniel Adams ddarkmaster@gmai l.com
13 Baterman Street
London, W1D 3AF, GB
Tel. +41.225349854
Creation Date: 15-Aug-2008
Expiration Date: 15-Aug-2009
Status:SUSPENDED (This Domain Name is Suspended)
Domain Name:TRAFFIC-CONVERTER .BIZ
Sponsoring Registrar:ENOM, INC.
Registrant ID:DI_8661402
Registrant Name:John Davidson
Registrant Organization:VerifiedSofts
Registrant Address1:London. Barnet str. 12/22
Registrant Postal Code:12012
Registrant Country:UNITED KINGDOM
Registrant Country Code:GB
Registrant Phone Number:+44.7917722025
Registrant Email:ddarkmaster@gmail .com
Billing Contact Address2:Software Technology Service Builing,
BillingContactCity:XiaMen, FuJian
Billing Contact Postal Code:361004
Billing Contact Country:China
Billing Contact Phone Number:+1.865922577
Billing Contact Email:domain@bizcn .com
Domain Registration Date:Mon Dec 15 18:29:57 GMT 2008
Domain Expiration Date:Mon Dec 14 23:59:59 GMT 2009
Refer to McAfee Site Advisor’s details about the online affiliations for “traffic-converter .biz”:
Soon after “trafficconverter .biz” was taken down, the owners came back with a domain “trafficconverter2. biz”. However, they again went down, saying that their payment processor had blocked them. To plead “Not Guilty”, they issued a notice that they had no connection with the Conficker mayhem. Read the disclaimer below:
This is absolutely unprecedented case when two of the largest payment system called the requirement to block the Merchant. We also have a reason to believe that the situation was caused by the recent publication about us and our products in Washington Post:
http://voices.washingtonpost.com/securityfix
There are, as you can see, some very serious accusations. Including the relation to Conficker, which we actually are not implicated with (and can prove it if necessary).
As a result of this situation:
- No money to pay;
- No capacity to process products (not because we're not working, but because this volume is not endure any processor)
- There is a chance to get ourselves under prosecution and let down Webmasters.
So, the decision was made to default and shut down the Traffic Converter. In case we resolve this issue and manage to refund the money from the bank, we will pay you off all debts as quickly as possible.
If we manage to get the stable traffic conversions we have demonstrated during the year and a half, we will contact you on individual basis.
Thanks to everyone for successful business cooperation.
These sites are instrumental in distributing Rogue Applications, and once a system is infected they go to every possible extent to apply scare tactics and fool users into coughing up money for applications that are anything but security software. These rogue applications can also inject code into Google search results or the Google homepage itself (this means that the client system from which we are doing the search or opening the Google homepage is infected). Refer to the screen below:
For more information about these Rogue AntiSpyware Applications, refer to the article below:
Yet another variant of Downadup has been detected in the wild. Symantec has named it W32.Downadup.E. It is again rated as a Level 2 threat.
Refer below for the technical details of the worm:
The worm may be downloaded or delivered silently through Web exploits and then executed.
> It patches “tcpip.sys” in order to increase the number of concurrent network connections available on the system.
> The exploitation of the MS08-067 vulnerability, which had not featured in W32.Downadup.C, is now included in W32.Downadup.E.
> This variant also uses the SMB protocol to identify the target system before attempting to exploit it. This is most likely an attempt to increase the chances of successful exploitation.
> The threat exploits weaknesses in certain routers to allow access to compromised machines from external networks. This variant has the UPnP capabilities that have been seen in previous versions of Downadup.
> It shows a strange behavior: on May 3, 2009, the worm sets itself to be removed when the computer restarts. However, it does not remove the dropped W32.Downadup.C infection.
Products affected:
> Microsoft Office PowerPoint 2000 Service Pack 3
> Microsoft Office PowerPoint 2002 Service Pack 3
> Microsoft Office PowerPoint 2003 Service Pack 3
> Microsoft Office 2004 for Mac
Product not affected: Microsoft Office PowerPoint 2007
Microsoft will take the appropriate action to protect their customers, which may include providing a solution through their monthly security update release process or an out-of-cycle security update, depending on customer needs.
There are three viruses in the wild that exploit this vulnerability.
Please refer below for more details:
Detection:
> Symantec detects the malicious PowerPoint file as: Trojan.PPDropper.H.
> Trend Micro detects the malicious PowerPoint file as TROJ_PPDROP.AB. The files dropped are detected as TROJ_KUPS.F and BKDR_KUPS.F
> Microsoft detects the malicious PPT as Exploit:Win32/Apptom.gen. The dropped files are detected by Microsoft as TrojanDropper:Win32/Apptom.A, TrojanDropper:Win32/Apptom.B, TrojanDropper:Win32/Apptom.C and Trojan:Win32/Cryptrun.A.
Behavior:
The Trojan arrives as the following email attachment: [RANDOM FILE NAME].ppt
Once the .ppt is opened, it drops and executes an additional file by exploiting the following Microsoft PowerPoint vulnerability: Microsoft PowerPoint File Parsing Remote Code Execution Vulnerability (BID 34351)
The dropped file may create additional files on the compromised computer, after which the Trojan deletes the dropped file. At the time of writing, the following files were created:
The purpose of MalwareInfo.Org is to help interested users learn how to analyze malware themselves. Although the actual process of malware analysis is for the most advanced users with in-depth knowledge of system internals, there are ways by which we can get started with the process.
Learn more about malware and the actual processes involved in identifying and analyzing it @ MalwareInfo.Org