New Variant of Conficker / Downadup

This vulnerability in Microsoft Windows seems to be an easy target: new variants of the worm are being detected and announced on the McAfee website.

This is the link to the first variant.
http://vil.nai.com/vil/content/v_153711.htm
This is the link to the second variant.
http://vil.nai.com/vil/content/v_153710.htm

There is another guide provided by F-Secure.
http://www.f-secure.com/weblog/archives/00001574.html

When you read the description, do note the discovery date. ;)

So, to ensure you are properly protected, do the following.

1. Download and install the MS08-067 patch from Microsoft.

2. Ensure that your antivirus pattern file is the latest version from your antivirus vendor's website (dated later than 9th January 2009; the closer to today's date, the better).

3. Scan your computer regularly (at least once a day at this stage).

4. Take the preventive measures highlighted in the documents above, or follow the guidelines from your antivirus vendor.

How to remove Downadup.worm or Conficker

These are instructions received from Symantec. If you use another antivirus brand rather than Symantec Antivirus, you can still follow them; just replace the product-specific information with that of the brand on your computer.

Log a case to Symantec Technical Support (if you have not done so)

1. Verify that all servers and workstations have Microsoft KB958644 installed. If not, you may download it from the Microsoft.com website http://www.microsoft.com/downloads/details.aspx?familyid=0D5F9B6E-9265-44B9-A376-2067B73D6A03&displaylang=en

2. Disconnect the servers and workstations from the network

3. Disable any scheduled tasks: during this period, we strongly advise customers to disable this functionality for the duration of the worm outbreak.

4. Install the latest Symantec Rapid Release update (symrapidreleasedefsx86.exe). This update is released daily and can be downloaded from www.symantec.com/avcenter/rapidrelease.download.html

5. Disable System Restore.

6. Boot the workstation in safe mode.

7. Perform a full system scan and remove any viruses or worm if infected.

8. Once the scan is completed, reboot the workstation into normal mode.

9. Perform a full system scan again to verify the virus is properly removed.

If the worm still persists after performing the above steps, our Security Response Center advises you to perform the step below:

1. Please use ESUG LPDU version 2.0.3 if you are dealing with the W32.Downadup.B threat. This version of the loadpoint tool will create an additional file called “JobList.txt”, which should be useful for identifying files for submission. The new version is located at:

http://rpsinfo/files/ESUGLPDU_2.03.exe

Please provide the case ID and feel free to contact us if you need any further assistance.
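As an added example (not part of Symantec's instructions above), the following PowerShell script does step 1 for you across a list of machines by querying WMI for KB958644. It assumes PowerShell 2.0 or later on the administrator's workstation, that WMI/RPC is reachable on each target, and that the account running it is a local administrator there; the host names are made up.

```powershell
# Added example: check which machines lack the MS08-067 update (KB958644).
# Assumes PowerShell 2.0+, WMI reachable on each host, and admin rights there.
$kb    = 'KB958644'
$hosts = @('WS001', 'WS002', 'FILESRV01')   # constructed list, replace with yours

$unpatched = @()
foreach ($h in $hosts) {
    try {
        # Win32_QuickFixEngineering lists installed hotfixes; filter on the KB id.
        $qfe = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $h `
                             -Filter "HotFixID='$kb'" -ErrorAction Stop
        if ($qfe) {
            Write-Host ("{0}: {1} installed" -f $h, $kb)
        } else {
            Write-Host ("{0}: {1} NOT installed - isolate and patch first" -f $h, $kb)
            $unpatched += $h
        }
    } catch {
        # Unreachable or access denied: treat as unknown, never as patched.
        Write-Host ("{0}: WMI query failed ({1})" -f $h, $_.Exception.Message)
        $unpatched += $h
    }
}

# Hand the list to whoever is doing the disconnect-and-clean steps.
$unpatched | Out-File -FilePath .\unpatched-hosts.txt
Write-Host ("{0} of {1} hosts need attention" -f $unpatched.Count, $hosts.Count)
```

Run it from a workstation that can already reach the machines; a host that cannot be queried is listed as needing attention rather than assumed safe. One caveat: a machine whose service pack already bundles the fix will not list the KB separately, so confirm on the host (Add or Remove Programs with "Show updates" ticked) before treating it as unpatched.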

This worm marks a new era for malware distribution, so you can expect more attacks of this kind in future. Don't take it lightly.

Worm Attack

This morning, Microsoft Malaysia issued a memo to its partners on the Conficker.B worm. It seems the worm has claimed more casualties.

The memo does not add anything new to what I mentioned earlier; the principle is the same: you MUST patch your system with MS08-067 immediately to avoid becoming a casualty. By the way, at least 3 variants of the worm have been detected so far, and each variant is more damaging or more capable than its predecessor.


A virus known as Conficker.B has been detected in Malaysia.
A patch has been available to help protect against this virus since October 2008.

We are reaching out to you in order to provide information to help prevent the spread of this virus to your systems.
This virus affects Windows 2000, XP, Vista as well as Windows Server 2003 and 2008.

Prevention:

Worm:Win32/Conficker.B is a worm that infects other computers across a network by exploiting a vulnerability in the Windows Server service (SVCHOST.EXE). If the vulnerability is successfully exploited, it could allow remote code execution when file sharing is enabled. It may also spread via removable drives and weak administrator passwords. It disables several important system services and security products.

Microsoft strongly recommends that users apply the update referred to in Security Bulletin MS08-067 immediately.
http://www.microsoft.com/technet/security/Bulletin/MS08-067.mspx

Microsoft also recommends that users ensure that their network passwords are strong to prevent this worm from spreading via weak administrator passwords. More information is available here.
http://technet.microsoft.com/en-us/library/cc512606.aspx


If you are running any antivirus software, chances are its pattern file can already detect and remove traces of the worm. However, if you do not install the Microsoft patch mentioned above, the worm will simply reinfect you.

Information from antivirus bulletins shows that this worm is network aware: once a machine is infected, it scans the entire subnet for unpatched computers, copies itself to each one it finds, and repeats the process from there.

Do not assume you are safe because your computer or network is not infected (yet). You are only safe once you are sure that every computer you own or look after has MS08-067 installed.

This is the best time to turn on Automatic Updates (Windows XP, 2003, Vista) and set it to download and install automatically. At the very least, patches marked critical will then be downloaded and installed as soon as they are available.

Conficker.Worm or Downadup.Worm

This is a simple guide to removing the Conficker worm (McAfee's name) or Downadup (Symantec's name).

A worm is a program that replicates itself across a network, broadcasting to find new hosts; in the process it creates heavy network traffic and disrupts normal network operation. A more advanced worm may carry payloads that create a backdoor on the host, turn it into a zombie in a botnet, and later use it to launch attacks against other targets.

This worm takes advantage of a vulnerability that Microsoft fixed in an out-of-band release (MS08-067) on October 23, 2008. The first in-the-wild attack was recorded on November 21, 2008.

The recommended action, if you have not done so already, is to patch your system with MS08-067, which can be downloaded from the Microsoft website. This is vital in protecting your system from becoming a zombie in a future attack. To be safe, enable Automatic Updates so that your computer always downloads the latest updates from Microsoft, since attacks now start very soon after a patch is released.

By now there are several variants of the worm, so make sure you run the latest virus pattern file to properly protect your computer. Prevention is easier than cleaning, as you can tell from the following procedure, to be used if you find the worm on your network or computer.

1. Open Computer Management, then Services, and look for a service whose display name is made of two words from the list below. Note that some combinations from the list belong to legitimate services (Security Center, Windows Time and Windows Installer, for instance), so proceed with caution.

Boot
Center
Config
Driver
Helper
Image
Installer
Manager
Microsoft
Monitor
Network
Security
Server
Shell
Support
System
Task
Time
Universal
Update
Windows

2. To identify the culprit, look at the Service Name (shown in each service's Properties dialog), not the display name. The worm's service name is a random string of letters. Another word of caution: there ARE legitimate services whose names look random, so be sure you know what you are looking for. To be sure, compare with a similar system that is known to be clean, or search the Microsoft website for the service name. Some of the random names are obvious, others are not.

3. Once you have found it, launch Regedit (or Regedt32), go to HKLM\System\CurrentControlSet\Services\ and look for the random name. A clue that you have the culprit: the worm restricts the permissions on its key so that you cannot modify or delete it, even as an administrator. You will need to take ownership and grant yourself Full Control before you can delete the key and the subkeys below it.

Back up your registry before you do this, so that you have a chance of recovering if you delete the WRONG key.

A word of caution here.

Editing the registry is risky business. You must know what you are doing before attempting the steps above. If you are not sure, seek expert help; otherwise you risk damaging your system.

4. Once that is done, install MS08-067 immediately.

5. Restart your computer and run the virus scanner to check for remaining traces of the worm. If nothing is found, you are clean.
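Here is an added example (not from the original guide) that automates the identification part of steps 1 to 3 in PowerShell: it lists services whose display name is two words from the list above and whose service name is not on a baseline taken from a clean machine, then reports whether each one's registry key can be read and which DLL it loads. It assumes PowerShell 2.0 or later run as an administrator on the suspect machine; the baseline names are a constructed starting point, and any hit still needs manual confirmation against a clean system.

```powershell
# Added example, not part of the guide: hunt for the worm's service entry.
# Assumes PowerShell 2.0+ in an elevated session on the suspect machine.
$words = @('Boot','Center','Config','Driver','Helper','Image','Installer',
           'Manager','Microsoft','Monitor','Network','Security','Server','Shell',
           'Support','System','Task','Time','Universal','Update','Windows')

# Legitimate services whose display names also match the pattern (constructed
# starting list). Build the real baseline from a CLEAN machine of the same build:
#   Get-Service | Select-Object -ExpandProperty Name
$baseline = @('wscsvc', 'W32Time', 'msiserver', 'wuauserv')

$suspects = Get-WmiObject -Class Win32_Service | ForEach-Object {
    $parts = @($_.DisplayName -split ' ')
    if ($parts.Count -ne 2) { return }                 # next service
    if (($words -notcontains $parts[0]) -or ($words -notcontains $parts[1])) { return }
    if ($baseline -contains $_.Name) { return }

    # Step 3's clue: the worm restricts the ACL on its own key, so even an
    # administrator gets "access denied" when reading it.
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$($_.Name)"
    $readable = $true
    try   { Get-ItemProperty -Path $key -ErrorAction Stop | Out-Null }
    catch { $readable = $false }

    # svchost-hosted services load their code from Parameters\ServiceDll.
    $dll = $null
    if ($readable) {
        $p = Get-ItemProperty -Path "$key\Parameters" -ErrorAction SilentlyContinue
        if ($p) { $dll = $p.ServiceDll }
    }

    New-Object PSObject -Property @{
        Name        = $_.Name
        DisplayName = $_.DisplayName
        State       = $_.State
        PathName    = $_.PathName
        KeyReadable = $readable
        ServiceDll  = $dll
    }
}

$suspects | Format-Table Name, DisplayName, State, KeyReadable, ServiceDll -AutoSize
```

Compare the output with the same script run on a clean machine before touching anything. A two-word service that is not in your baseline and shows KeyReadable as False is the strongest indicator the guide describes; deleting it (taking ownership, then removing the key) remains the manual step 3, after backing up the registry.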

This is a simple guide and I do not guarantee that it will work 100%. The best approach is still to apply the patch as soon as it is released. Another, more drastic, method is to wipe the machine and reinstall from scratch.

Microsoft has fixed the second Tuesday of every month as Patch Tuesday, when it releases patches for the vulnerabilities reported to it before then. So if you run Automatic Updates, or visit http://update.microsoft.com/microsoftupdate on the Wednesday after to download the released patches, your computer should be relatively safe. Out-of-band releases like MS08-067 are the exception: do not wait for Patch Tuesday when one is announced.