Win32/Conficker.B attacks!
Published: January 06 2009, 12:28 AM by Zarestel Ferrer
We can only assume the malware authors behind the Win32/Conficker.B worm wanted to make sure 2008 went out with a bang! As the final days of last year ticked by, reports of active attacks by the Win32/Conficker.B worm began to accelerate.
Win32/Conficker variants are known to exploit MS08-067, a vulnerability in the Windows Server service. Conficker is also hard to remove from an infected system because it sets restrictive Access Control List (ACL) entries on its dropped executable, locking out the users and tools that would otherwise read or delete it.
Below are some of the noteworthy behaviors for this variant:
- Blocks access to security-related websites whose addresses contain the following strings:
computerassociates
networkassociates
etrust
panda
sophos
trendmicro
mcafee
norton
symantec
microsoft
For a complete list, please see the Win32/Conficker.B description in our Virus Encyclopedia:
http://www.ca.com/us/securityadvisor/virusinfo/virus.aspx?id=76852
- Uses a dictionary attack against administrator account passwords to gain access to the ADMIN$ network share on other machines. If successful, Conficker.B copies itself into the share's system32 directory (ADMIN$\system32) and creates a scheduled job on the target that executes the copy.
The specific malware code which executes this behavior is shown in the screen capture below (image not reproduced in this copy).
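The share dictionary attack described above leaves a recognisable trail in the target's Security log: a burst of failed network logons against an administrator account from one source, then a successful logon from that source, then a scheduled task creation. The following detection logic is an added example, not code from the original post or from CA; it assumes a simplified one-record-per-line log format, the constructed sample log shown inside it, and the well-known event ID pairs 529/4625 (failed logon), 540/4624 (successful network logon) and 602/4698 (scheduled task created) for pre-Vista and Vista+ systems respectively.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Raw Windows Security event IDs mapped to the three outcomes the rule uses.
# Pre-Vista IDs first, Vista+ IDs second: 529/4625 = logon failure,
# 540/4624 = successful (network) logon, 602/4698 = scheduled task created.
EVENT_KIND = {
    "529": "FAIL", "4625": "FAIL",
    "540": "SUCCESS", "4624": "SUCCESS",
    "602": "TASK", "4698": "TASK",
}

# Constructed sample log, not a capture from a real host. One record per line:
#   <date> <time> <event id> <account> <source address> <logon type>
SAMPLE_LOG = """\
2009-01-05 23:14:02 529 Administrator 192.168.1.37 3
2009-01-05 23:14:05 529 Administrator 192.168.1.37 3
2009-01-05 23:14:08 529 Administrator 192.168.1.37 3
2009-01-05 23:14:11 529 Administrator 192.168.1.37 3
2009-01-05 23:14:14 529 Administrator 192.168.1.37 3
2009-01-05 23:14:17 529 Administrator 192.168.1.37 3
2009-01-05 23:14:20 529 Administrator 192.168.1.37 3
2009-01-05 23:14:23 529 Administrator 192.168.1.37 3
2009-01-05 23:14:26 529 Administrator 192.168.1.37 3
2009-01-05 23:14:29 529 Administrator 192.168.1.37 3
2009-01-05 23:14:32 529 Administrator 192.168.1.37 3
2009-01-05 23:14:35 529 Administrator 192.168.1.37 3
2009-01-05 23:14:41 540 Administrator 192.168.1.37 3
2009-01-05 23:14:43 602 Administrator 192.168.1.37 -
2009-01-05 23:20:10 529 Administrator 192.168.1.50 3
2009-01-05 23:20:15 529 Administrator 192.168.1.50 3
2009-01-05 23:20:30 540 Administrator 192.168.1.50 3
"""


def parse_log(text):
    """Return a time-sorted list of (when, kind, account, source) for the
    events the rule cares about; malformed lines and other event IDs are skipped."""
    records = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6:
            continue
        date, clock, event_id, account, source, _logon_type = fields
        kind = EVENT_KIND.get(event_id)
        if kind is None:
            continue
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        records.append((when, kind, account, source))
    records.sort()
    return records


def detect_share_bruteforce(text, fail_threshold=10,
                            window=timedelta(seconds=60),
                            followup=timedelta(minutes=5)):
    """Flag each source that produced `fail_threshold` failed logons within
    `window`. A success from the same source within `followup` of the burst
    means the dictionary attack worked; a scheduled-task creation on top of
    that is the full Conficker.B drop-and-execute pattern."""
    by_source = defaultdict(list)
    for rec in parse_log(text):
        by_source[rec[3]].append(rec)

    findings = []
    for source, recs in sorted(by_source.items()):
        fails = [when for when, kind, _, _ in recs if kind == "FAIL"]
        burst_end = None
        # Sliding window over the sorted failure times.
        for i in range(len(fails) - fail_threshold + 1):
            if fails[i + fail_threshold - 1] - fails[i] <= window:
                burst_end = fails[i + fail_threshold - 1]
                break
        if burst_end is None:
            continue
        later = [kind for when, kind, _, _ in recs
                 if burst_end <= when <= burst_end + followup]
        guessed = "SUCCESS" in later
        task = "TASK" in later
        findings.append({
            "source": source,
            "failed_logons": len(fails),
            "password_guessed": guessed,
            "task_created": task,
            "severity": "high" if guessed and task else "medium",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_share_bruteforce(SAMPLE_LOG):
        print(finding)
```

With the default threshold only 192.168.1.37 is reported, at "high" severity because the success and the task creation follow the burst; the two mistyped passwords from 192.168.1.50 stay below the threshold. Tune `fail_threshold` and `window` to the logon rate you actually see on the host before relying on this in production.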
- Sends a malformed packet (the MS08-067 exploit) to reachable vulnerable targets. In Conficker.B the packet carries the IP address and port of the attacking system, from which the victim then fetches the worm; Conficker.A's malformed packet instead directed the victim to download from http://trafficconverter.biz.
A screen capture of the decrypted Conficker.B packet appears below (image not reproduced in this copy).
Note the visible local IP address and port: this is the address on the attacking machine from which the worm serves its own executable.
A second screen capture (below; image not reproduced in this copy) shows the exploited machine downloading Win32/Conficker.B from that address.
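Because Conficker.B points the victim back at the attacker's own IP and port, the propagation shows up on the network as an inbound TCP/445 connection followed almost immediately by an HTTP request from the victim back to that same peer on a non-standard port. The code below is an added example, not from the original post or from CA: it correlates those two flows and, separately, pulls the http://ip:port URL out of a decoded exploit payload and checks whether it names the machine that sent the exploit. The flow record format, the "smb"/"http" application labels, the sample flows and the stand-in payload are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed flow records, not a real capture. One flow per line:
#   <date> <time> <src> <sport> <dst> <dport> <app>
# where <app> is the sensor's payload label (here "smb" or "http").
SAMPLE_FLOWS = """\
2009-01-05 23:31:05 192.168.1.91 1352 192.168.1.80 445 smb
2009-01-05 23:31:06 192.168.1.80 1055 192.168.1.91 5421 http
2009-01-05 23:31:30 192.168.1.80 1056 10.0.0.5 80 http
2009-01-05 23:36:10 192.168.1.22 1400 192.168.1.80 445 smb
2009-01-05 23:36:12 192.168.1.80 1057 192.168.1.22 80 http
"""

# Ports on which an HTTP flow back to an SMB peer is ordinary enough to ignore.
STANDARD_HTTP_PORTS = {80, 443, 8080}


def parse_flows(text):
    """Parse the flat flow records into dicts, sorted by time."""
    flows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 7:
            continue
        date, clock, src, sport, dst, dport, app = fields
        when = datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")
        flows.append({"when": when, "src": src, "sport": int(sport),
                      "dst": dst, "dport": int(dport), "app": app})
    flows.sort(key=lambda f: f["when"])
    return flows


def find_pullbacks(text, window=timedelta(seconds=30)):
    """Pair each inbound SMB (TCP/445) flow with an HTTP flow from the SMB
    target back to the SMB source on a non-standard port within `window`:
    the victim fetching the worm from the machine that just exploited it."""
    flows = parse_flows(text)
    hits = []
    for smb in flows:
        if smb["dport"] != 445:
            continue
        for http in flows:
            if http["app"] != "http" or http["dport"] in STANDARD_HTTP_PORTS:
                continue
            if http["src"] != smb["dst"] or http["dst"] != smb["src"]:
                continue
            delay = http["when"] - smb["when"]
            if timedelta(0) <= delay <= window:
                hits.append({"victim": smb["dst"], "attacker": smb["src"],
                             "download_port": http["dport"],
                             "delay_s": int(delay.total_seconds())})
    return hits


# http://<ipv4>:<port>[/path] embedded in a decoded payload; the path stops at
# whitespace or a NUL byte.
URL_RE = re.compile(rb"http://(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})(/[^\s\x00]*)?")

# Constructed stand-in for a decoded exploit payload: filler bytes around the
# download URL. The path component is invented for the example.
SAMPLE_PAYLOAD = b"\x90" * 16 + b"http://192.168.1.91:5421/kqxa" + b"\x00" * 8


def extract_download_url(payload):
    """Return (host, port, url) for the first http://ip:port URL in the
    decoded payload, or None if there is none."""
    m = URL_RE.search(payload)
    if m is None:
        return None
    return m.group(1).decode(), int(m.group(2)), m.group(0).decode()


def is_self_hosted(payload, smb_source):
    """True when the payload tells the victim to fetch the worm from the same
    host that sent the exploit (the Conficker.B behaviour) rather than from a
    third-party site (the Conficker.A behaviour)."""
    found = extract_download_url(payload)
    return found is not None and found[0] == smb_source


if __name__ == "__main__":
    for hit in find_pullbacks(SAMPLE_FLOWS):
        print("pull-back:", hit)
    print("payload URL:", extract_download_url(SAMPLE_PAYLOAD))
```

In the sample data only the 192.168.1.91 to 192.168.1.80 pair is reported: the later SMB session from 192.168.1.22 is followed by a request on port 80, which is excluded as ordinary web traffic. When you have both a flow hit and a decoded payload from the same session, the port in the extracted URL should match `download_port`; a mismatch means you are looking at two different events.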
In order to protect your systems from Win32/Conficker.B, please make sure you:
- Patch all your systems with the latest Microsoft security updates, and confirm that MS08-067 in particular is installed, since that is the vulnerability the worm exploits.
- Use strong passwords for administrator accounts so that the worm's dictionary attack against the ADMIN$ share fails.
- Have the latest signature updates for your security software.