Varian Virus Downadup.C , Conficker , Kido

Pada bulan Maret 2009 ini beberapa perusahaan antivirus melaporkan munculnya varian baru dari virus conficker / kido / downadup. Pada varian baru ini, ada perbedaan dengan sebelumnya yaitu, adanya funsi trojan yangada di dalamnya.

Perusahaan anti virus Kaspersky Lab, memberi nama varian virus ini Net-Worm.Win32.Kido.ip dan Net-Worm.Win32.Kido.iq .
Sedangkan perusahaan antivirus Symantec, memberi nama varian virus ini w32.downadup.c
Nama lain : Mal/Conficker-B [Sophos], Worm:W32/Downadup.DY [F-Secure]
Varian ini, sangat jahat dari versi sebelumnya. Dia mampu identifikasi piranti antivirus dari perusahaan-perusahaan antivirus terkenal. Varian virus ini tidak hanya menginfeksi, tetapi juga curi uang dan data.
Selain itu varian virus ini akan menambah jumlah nama domain yang unik dan dapat meng update nya menjadi 50.000 yang awalnya cuma 250 saja, pada versi sebelumnya. Pesatnya perubahan domain tersebut tak terlepas dari usaha perusahaan yang memblokir domain yang digunakan.

Sampai saat ini, Symantec masih dalam proses penyelidikan terhadap varian virus baru ini. Kemungkinan masih akan ditemukan trik baru lainnya yang dilakukan oleh varian ini. Untuk itulah, Symantec menyarankan agar pengguna mengupdate patch-nya pada Microsoft Server Service. Selain itu, menggunakan paswword yang kuat merupakan cara yang terbaik untuk melindungi jaringan.

Technical Detail

Systems Affected : Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP

Once executed, the threat disables the following services :

* BITS
* ERSvc
* WerSvc
* WinDefend
* wscsvc
* wuauserv

It then lower security settings by deleting the following registry entry to prevent automatic startup of certain software :

• HKLMSOFTWAREMicrosoftWindowsCurrentVersionRun”Windows Defender”

It then disables Windows Security Alert notifications by deleting the following registry subkey :

• HKLMSOFTWAREMicrosoftWindowsCurrentVersionexplorerShellServiceObjects{FD6905CE-952F-41F1-9A6F-135D9C6622CC}

It also deletes the following registry subkey to prevent the compromised computer from restarting in safe mode :

• HKLMSYSTEMCurrentControlSetControlSafeBoot

The threat may create the following registry subkeys :

• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorer[CLSID 1]
• HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorer[CLSID 1]

Note: [CLSID 1] is generated from the serial number of the compromised computer and hence will vary.

It may then create the following registry entries :

• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorer[CLSID 2]”[WORD 1][WORD 2]” = “[BINARY DATA]“
• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorer[CLSID 2]”[WORD 1][WORD 2]” = “[BINARY DATA]“
• HKCUSoftwareMicrosoftWindowsCurrentVersionExplorer[CLSID 2]”[WORD 1][WORD 2]” = “[BINARY DATA]“
• HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorer[CLSID 2]”[WORD 1][WORD 2]” = “[BINARY DATA]“
• HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorer[CLSID 2]”[WORD 1][WORD 2]” = “[BINARY DATA]“
• HKLMSOFTWAREMicrosoftWindowsCurrentVersionExplorer[CLSID 2]”[WORD 1][WORD 2]” = “[BINARY DATA]“

Note :
[CLSID 2] is generated from the serial number of the compromised computer and hence will vary.

[WORD 1] and [WORD 2] are randomly selected from the following list:

* 64
* Adobe
* Agent
* App
* Assemblies
* assembly
* Boot
* Build
* Calendar
* Collaboration
* Common
* Components
* Cursors
* Debug
* Defender
* Definitions
* Digital
* Distribution
* Documents
* Downloaded
* en
* Explorer
* Files
* Fonts
* Gallery
* Games
* Globalization
* Google
* Help
* IME
* inf
* Installer
* Intel
* Inter
* Internet
* Java
* Journal
* Kernel
* L2S
* Live
* Logs
* Mail
* Maker
* Media
* Microsoft
* Mobile
* Modem
* Movie
* MS
* msdownld
* NET
* New
* Office
* Offline
* Options
* Packages
* Pages
* Patch
* Performance
* Photo
* PLA
* Player
* Policy
* Prefetch
* Profiles
* Program
* Publish
* Reference
* Registered
* registration
* Reports
* Resources
* schemas
* Security
* Service
* Setup
* Shell
* Software
* Speech
* System
* Tasks
* Temp
* tmp
* tracing
* twain
* US
* Video
* Visual
* Web
* winsxs
* Works
* Zx

Next, it stops any process containing the following strings in the name :

* autoruns
* avenger
* confick
* downad
* filemon
* gmer
* hotfix
* kb890
* kb958
* kido
* klwk
* mbsa.
* mrt.
* mrtstub
* ms08-06
* procexp
* procmon
* regmon
* scct_
* sysclean
* tcpview
* unlocker
* wireshark

The threat then copies itself to one of the following locations:

• %ProgramFiles%Internet Explorer[RANDOM FILE NAME].dll
• %ProgramFiles%Movie Maker[RANDOM FILE NAME].dll
• %ProgramFiles%Windows Media Player[RANDOM FILE NAME].dll
• %System%Windows NT[RANDOM FILE NAME].dll

It may then create the following file :

• Temp%[CLSID 3][NUMBER].tmp

Note :

* [CLSID 3] is generated from the serial number of the compromised computer and hence will vary.
* [1 NUMBER] is a decimal number between 0 and 63 inclusive.

The threat creates the following registry entry, so that it runs every time Windows starts:

• HKCUSoftwareMicrosoftWindowsCurrentVersionRun”[RANDOM CHARACTERS]” = “rundll32.exe “[RANDOM DLL FILE NAME]“, [RANDOM PARAMETER STRING]“

..

It creates a service with the following characteristics :
Name : [SERVICE NAME]
Startup Type : Automatic

[SERVICE NAME] is a two word combination taken from the following two lists :

List 1 :

* DM
* ER
* Event
* help
* Ias
* Ir
* Lanman
* Net
* Ntms
* Ras
* Remote
* Sec
* SR
* Tapi
* Trk
* W32
* win
* Wmdm
* Wmi
* wsc
* wuau
* xml

List 2 :

* access
* agent
* auto
* logon
* man
* mgmt
* mon
* prov
* serv
* Server
* Service
* Srv
* srv
* svc
* Svc
* System
* Time

It registers the service by creating the following registry entries :

• HKLMCurrentControlSetServices[RANDOM CHARACTERS]”ImagePath” = “%System%svchost.exe -k netsvcs”
• HKLMSYSTEMCurrentControlSetServices[RANDOM CHARACTERS]Parameters”ServiceDll” = “[PATH TO THE THREAT]“

The threat patches the following APIs that are used by Windows to make DNS requests or request URLs :

* DNS_Query_A
* DNS_Query_UTF8
* DNS_Query_W
* Query_Main
* sendto

The threat monitors DNS requests to domains containing any of the following strings and blocks access to these domains so that the DNS request appears to have timed out:

* agnitum
* ahnlab
* anti-
* antivir
* arcabit
* avast
* avg.
* avgate
* avira
* avp.
* bit9.
* bothunter
* ca.
* castlecops
* ccollomb
* centralcommand
* cert.
* clamav
* comodo
* computerassociate
* conficker
* cpsecure
* cyber-ta
* defender
* drweb
* dslreports
* emsisoft
* esafe
* eset
* etrust
* ewido
* f-prot
* f-secure
* fortinet
* free-av
* freeav
* gdata
* gmer.
* grisoft
* hackerwatch
* hacksoft
* hauri
* ikarus
* jotti
* k7computing
* kaspersky
* kav.
* llnw.
* llnwd.
* malware
* mcafee
* microsoft
* mirage
* msdn.
* msft.
* msftncsi
* msmvps
* mtc.sri
* nai.
* networkassociates
* nod32
* norman
* norton
* onecare
* panda
* pctools
* prevx
* ptsecurity
* quickheal
* removal
* rising
* rootkit
* safety.live
* sans.
* securecomputing
* secureworks
* sophos
* spamhaus
* spyware
* sunbelt
* symantec
* technet
* threat
* threatexpert
* trendmicro
* trojan
* vet.
* virscan
* virus
* wilderssecurity
* windowsupdate

It also connects to the following Web sites to to obtain the current date and time:

* ask.com
* baidu.com
* facebook.com
* google.com
* imageshack.us
* rapidshare.com
* w3.org
* yahoo.com

If the date and time is on or after 1st April 2009, it uses the date information to generate a list of domain names. The threat then contacts these domains in an attempt to download additional files onto the compromised computer.
Recommendations

Symantec Security Response encourages all users and administrators to adhere to the following basic security “best practices” :

• Use a firewall to block all incoming connections from the Internet to services that should not be publicly available. By default, you should deny all incoming connections and only allow services you explicitly want to offer to the outside world.
• Enforce a password policy. Complex passwords make it difficult to crack password files on compromised computers. This helps to prevent or limit damage when a computer is compromised.
• Ensure that programs and users of the computer use the lowest level of privileges necessary to complete a task. When prompted for a root or UAC password, ensure that the program asking for administration-level access is a legitimate application.
• Disable AutoPlay to prevent the automatic launching of executable files on network and removable drives, and disconnect the drives when not required. If write access is not required, enable read-only mode if the option is available.
• Turn off file sharing if not needed. If file sharing is required, use ACLs and password protection to limit access. Disable anonymous access to shared folders. Grant access only to user accounts with strong passwords to folders that must be shared.
• Turn off and remove unnecessary services. By default, many operating systems install auxiliary services that are not critical. These services are avenues of attack. If they are removed, threats have less avenues of attack.
• If a threat exploits one or more network services, disable, or block access to, those services until a patch is applied.
• Always keep your patch levels up-to-date, especially on computers that host public services and are accessible through the firewall, such as HTTP, FTP, mail, and DNS services.
• Configure your email server to block or remove email that contains file attachments that are commonly used to spread threats, such as .vbs, .bat, .exe, .pif and .scr files.
• Isolate compromised computers quickly to prevent threats from spreading further. Perform a forensic analysis and restore the computers using trusted media.
• Train employees not to open attachments unless they are expecting them. Also, do not execute software that is downloaded from the Internet unless it has been scanned for viruses. Simply visiting a compromised Web site can cause infection if certain browser vulnerabilities are not patched.
• If Bluetooth is not required for mobile devices, it should be turned off. If you require its use, ensure that the device’s visibility is set to “Hidden” so that it cannot be scanned by other Bluetooth devices. If device pairing must be used, ensure that all devices are set to “Unauthorized”, requiring authorization for each connection request. Do not accept applications that are unsigned or sent from unknown sources.
• For further information on the terms used in this document, please refer to the Security Response glossary.

Detail from symantec

Similiar Post

• Remove Virus Downadup.C , Conficker , Kido
• Messenger – nhattruongquang.0catch.com
• Remove Downadup , Kido dan Conficker di Network
• Microsoft vs Virus Downadup, Conficker, Kido
• Alert Conficker / Downadup / Kido on 1 April ?
• Sality Virus Terkenal di Indonesia
• Remove Virus / worm W32.Downadup.B
• Free Antivirus for Windows 7
• Remove Malware LCASS.EXE
• Top 10 Virus di Indonesia, Juni 2009

Popular Post

• HP Modem Smart Haier C700 dan ZTE C261, Internet Gratis 90 hari
• Mempercepat Akses Internet Smart Telecom
• Internet Gratis Indosat dan IM3
• Internet Unlimited Smart Jump dari Smart Telecom
• Mempercepat Akses Internet dengan cFosSpeed
• Internet Gratis PRO-XL, Your-Freedom & cFosSpeed
• Uji Coba Fitur BREW HP Haier C700 dan ZTE C261
• HP 3G Modem & Internet Akses CDMA dari Smart Telecom
• Install dan Setting Your Freedom
• Opera Mini Mod v.3.10

Random Post

• Kumpulan Puisi Rudi Setiawan di Kompas
• Customer Care Smart Telecom Tidak Tahu Tentang BREW – MobileShop
• Optimization of Keywords for SEO
• Zune HD Video MP3 Player
• PENGATURAN TEXT HTML
• HP Nokia Untuk Internet Modem CDMA dan Kabel Data
• Permasalahan Pada Pengaktifan GPRS XL
• Setting Manual Affiliate Amazon di Posting Website
• Domain settings – URL Forwarding
• Perhitungan Matahari dan Bulan – Astronomical Algorithms

Save Children

Ad by AdsMedia.cc

All about FaceBook

Comments