IT Security Blog

23 June 2009

Brief Storm/Waledac Timeline and Its Relationship with Conficker


The folks over at Cisco posted a very interesting blog writeup about the Storm/Waledac botnets and how their marriage to Conficker was consummated in order to start monetizing the enormous computing power of the Conficker botnet. 

What I found most interesting was the part about how Conficker would hook itself between Wireshark and the network driver (likely within the WinPcap library) to hide all of the network interfaces from Wireshark, essentially rendering the packet sniffing tool useless.

Looking ahead, this makes me wonder what else malware could do to alter the behavior and functionality of the tools security researchers use to analyze it.  We've already seen Conficker introduce signed, encrypted updates to keep researchers from analyzing updates and penetrating its network.  Malware that actively alters how analysis tools work could be a significant game changer in the cat and mouse game of reverse engineering malicious code.  This definitely warrants continued monitoring to see whether the tactic continues to be employed by cyber criminals, or improved upon.
Posted by smasiello at 4:35 PM | Link | 0 comments
01 May 2009

Microsoft to Disable Autorun for USB Devices Amid Security Concerns


I wanted to take a moment to write about a topic that we discussed during the recording of Episode 29 of the Security Buzz podcast earlier today.  That topic is based on a post found on DarkReading that discussed Microsoft's decision to release an update to disable the Autorun feature in Windows for USB drives in response to the Conficker variant that spreads via these devices.  The question at hand was whether or not this move is happening too little too late given Conficker's already large presence.

My opinion is that not only is the move too little too late, but it is also a completely irrelevant one, for the main reason that, according to the folks over at mtc.sri.com (who have posted in-depth research on how the Conficker worm operates), most of the machines infected with this worm are still running versions of the Windows XP operating system with Internet Explorer 6 installed.  This means that most of the infected machines are not one or two patch levels behind on their updates from Microsoft.  They are likely years behind and have never been patched; they may in fact be running the original version of Windows XP released in October 2001 without a single security patch ever applied, meaning that they are vulnerable to every Windows XP vulnerability ever patched.

USB drives, while an important infection avenue to consider (although in my opinion they are more of a risk from a data leakage perspective than as a malware distribution point), are still only a small portion of the infection problem.  Emails with attachments, malicious web sites and compromised legitimate web sites that distribute malware, and peer-to-peer downloads of pirated software with embedded trojans are all far more prevalent issues with respect to current worm and malware propagation than USB drives. 

Unfortunately, this move by Microsoft will do little to solve the Conficker problem or slow its spread.  It also will not do much overall to prevent further malware propagation in the future, because the machines that need to be cleaned up are not the ones following best practices by keeping up to date on security patches, running up-to-date antivirus, and defending in layers.  It's the ones that aren't that are, and will continue to be, the real problem.
Posted by smasiello at 12:14 PM | Link | 2 comments
16 April 2009

Think Your Partner is Cheating? The Waledac Botnet Wants to Help


It seems lately that if we aren't talking about Conficker, we are talking about Waledac.  To make things even more interesting, there have been purported links between the Conficker and Waledac botnets, since during the last week the infected machines associated with the former pulled a code update from the latter. 

Today's topic is Waledac specific: a new spam campaign with an SMS Spy theme.  Ever wanted to spy on your girlfriend's SMS messages to see if she is cheating on you?  Curious as to whether or not your significant other is truly in love with you?  Waledac wants to "help" you find out.

Starting earlier this morning our Threat Operations Center began detecting a new spam campaign from the Waledac botnet that contains a link to a web site where users can download a 30 day free trial for a piece of software (read: malware) that when installed on your partner's mobile phone will allow you to read all of the SMS messages that they receive.

The email received looks like the following:




We have seen a number of subject lines associated with this campaign including:

Are you ready to know the truth
Are you sure in your partner
Can your love life be re-ignited
Does your partner truly love you
Have more fun and pleasure in your intimate life
Keep a spy eye on your girlfriend
Make Sure your girlfriend
Now, It's possible to read other people's SMS
Now, you can read any SMS message
possible to read other people
Read his SMS
Read other people's SMS online
The world's most advanced sms reading program
We will teach you to be the master of making love art
What's your hall of shame
You can read anyone's SMS
Are you interested in reading other people's sms?
Do you trust her?
Do you trust your partner blindly?
Do you want to test your partner
Free program for reading sms
Is your partner cheating on you?
Is your partner faithful?
Is your wife or girlfriend cheating on you?
Read her messages
Read your girlfriend sms online
You can download new program for reading sms


Below is a screen shot of the site that the user is directed to when the email link is clicked:


It is important to note that simply visiting the web site does not infect the user with Waledac.  They must download and execute the file (currently named "sms.exe") after clicking the "Download Free Trial" link.

*** UPDATE 1 4/16/2009 11:20am MST ***  Funny enough there is an article posted on NetworkWorld today which discusses a potential vulnerability with Apple's iPhone which could result in the execution of shellcode on non-jailbroken versions of the device.  Such a vulnerability could result in an exploit that could allow an attacker to see someone's SMS messages according to the article.  Maybe the Waledac authors know more than we are giving them credit for :)

Below is an updated volume graph. 




As you can see from the above graph, volumes were in the 2-4k range per hour until about 2am MST this morning before peaking at about 12,000 during the 6am hour.  More updates as they become available.


*** UPDATE 2 4/17/2009 10:40am MST ***  After waning for a bit during the mid-morning hours yesterday, volumes started to pick up again at around Noon MST.  Current averages are between 12-20k messages per hour and have been maintaining in that range for about the last 24 hours.







Posted by smasiello at 9:38 AM | Link | 9 comments
08 April 2009

Conficker, Meet Your Copycat Cousin, Neeris


According to a post on the Microsoft Malware Protection Center site last Friday, Conficker has a copycat cousin named Neeris that has been updated to exploit the same vulnerability that Conficker started targeting in September 2008. 

Neeris is not new on the scene; it originally came to be known a couple of years ago by exploiting a different vulnerability, MS06-040 (patched by Microsoft in August 2006), in the Windows Server service, the same service Conficker exploits.  This latest Neeris update targets MS08-067, the same vulnerability as Conficker, in addition to MS06-040. 

According to the Microsoft blog post, Neeris shares many of Conficker's propagation methods, such as spreading via removable drives.  Neeris is primarily an IRC-based bot (a dying breed) that attempts initial infection via links sent in MSN Messenger instant messages.  Once a PC is compromised, it downloads the actual worm code over HTTP, and Neeris then attempts to locate other machines on the network to infect.
It was only a matter of time before Conficker copycats started showing up, as riding on the coattails of previously successful malware is a fairly common tactic.  It is somewhat interesting that in this case few changes were made to the original malware, which made it easy for commercial AV vendors to identify and stop.  In Microsoft's case, it was caught by generic signatures already in place from the original Neeris outbreak.  This is another one of those situations, though, where if computers and servers had been kept up to date on patches from the beginning, this attack could have been mitigated.
Posted by smasiello at 3:54 PM | Link | 1 comment
02 April 2009

Great MX Logic Local Media Coverage on Conficker


I had the honor and privilege of representing MX Logic over the past couple of days in some local television stories regarding Conficker.  I did an in-office interview with Russell Haythorn from Denver's KMGH Channel 7 on Tuesday which aired as the lead story on their 5pm newscast (and replayed in condensed versions on their 10pm and 6am newscasts the next day).  Wednesday morning I did an in-studio interview with CBS 4 Denver with Tom Mustin and Brooke Wagner on their 6am newscast.  The video from that interview is posted here.

I went to the CBS interview with Charles, our Director of Corporate Communications.   They couldn't possibly have treated us better.  We were taken up to the news area by Duncan Shaw, one of their producers, who in addition to getting me all set up for the interview took us on a tour of the studio, editing area, and the control room.  It was really neat to get to see how all of the backend of everything works (I was geeking out!).  During one of the commercial breaks I had a chance to speak briefly with Tom and Brooke, who were very friendly also and willing to engage in small talk despite the fact that they were obviously preparing for their next segment.  Tom also introduced himself personally after the newscast was over.  All in all, they really treated us well.  I would guess that the fact we were there so early in the morning before the place was really hopping helped.

It's been a fast, wild ride over the past couple of days...now if people in the office would just stop making fun of me and asking me for my autograph :-D 
Posted by smasiello at 9:20 AM | Link | 1 comment
31 March 2009

Conficker Fact and FUD, Flaw In Worm Leads to Detection Tool


I am guessing that most people are suffering from Conficker information overload today!  As such, it is very important to be able to separate the Conficker facts from the FUD.  In case you have not yet seen it, I blogged last week about what I believe will (not) happen when the Conficker.C variant activates tomorrow, April 1st.  Up to this point we have not seen anything that would lead me to believe otherwise.

I read in a couple of places yesterday about a flaw in the C variant of the Conficker worm that makes infected machines on your LAN respond differently from machines that are not infected.  According to Dan Kaminsky's blog, this flaw causes the function NetpwPathCanonicalize() to behave differently on an infected host than it does on either a patched or an unpatched Windows host.  This behavioral difference is what McAfee, Nessus, Qualys, and others are keying on to build scanners that identify infected hosts.

Although a tool is great for identifying machines already infected with the Conficker worm, it is more important to emphasize and re-emphasize the importance of patching and multiple defense layers (from out in the cloud all the way down to the network endpoints) to mitigate these types of infections to begin with.  In the interim, if you believe that machines on your network may currently be infected with the latest Conficker variant, download the proof of concept scanner and put together a quickly actionable plan to clean those machines up.
Posted by smasiello at 9:28 AM | Link | 1 comment
25 March 2009

Much Ado About Conficker?


There certainly is a lot of attention being paid to the Conficker botnet these days.  Some of this attention is warranted.  What is its purpose?  What is it going to do?  What is it going to be used for?  Will it be split up and sold off to the highest bidders?  All valid questions, but recently most of the attention surrounding Conficker has been around what is being called the "activation" of the botnet on April 1 (April Fool's Day.  Coincidence?). 

Earlier this month a new variant of the Conficker worm, dubbed Conficker.C, was pushed out to machines previously infected with Conficker.B (the previous variant of the worm).  Several improvements were made in Conficker.C that make it more difficult to infiltrate than its predecessor.  Firstly, it moved away from a pull model in which infected hosts polled a command and control server (the domain it would contact was generated by an algorithm within the malware code) to see if any updates were available.  Conficker.C moves to a push-based update method in which code changes are sent from a command and control host down to the infected client.  The malware further updated itself to include code signing, so that it will only accept updates signed by its authors.  These updates are game changers as far as how security researchers have generally infiltrated and analyzed botnets. 

One of the other major changes introduced in Conficker.C was the number of domains the botnet generates and checks for code updates.  In Conficker.B, 250 random domain names were generated each day that the botnet would use to look for updates.  Researchers were able to reverse engineer the domain generation algorithm and work out which domains would be used on which days, so that they could register those domains before the botnet attempted to use them.  In response, the Conficker authors seriously upped the ante by increasing the number of domains from 250 per day to 50,000.  A virtual scoff from the worm authors. 
On April 1, the botnet is said to activate its latest variant, Conficker.C, and rumors are running rampant as to what the wide-scale implications will be.  All we know at this point is that on April 1, Conficker.C will start using its new code and algorithms to make the botnet much more resilient to penetration by security researchers.  We have spoken several times now about how malware authors are attempting to build the next generation botnet after the McColo shutdown.  Conficker is a clear example of a proof of concept that will likely be used by malware authors until the "next big idea" comes along. 
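To make the 250-versus-50,000 arithmetic concrete, here is an added example (a toy written for this page, not Conficker's real algorithm and not code from the original post) of a date-seeded domain generation algorithm in Python, together with the defender's pre-registration job and the probability that a bot checking only a sample of the day's names reaches a domain the operators actually registered. The TLD pool, the salt constant and the per-host sample size are assumptions of this example (the 500-per-day sample follows SRI's published analysis of Conficker.C; treat it as a parameter).

```python
"""Toy date-seeded DGA plus the defender-side arithmetic (added example)."""
import hashlib
import math
from datetime import date, timedelta

# Assumed constants for this example (not Conficker's): the TLD pool and a
# per-variant salt baked into the binary.
TLDS = ("com", "net", "org", "info", "biz")
SEED_SALT = b"toy-dga-v1"


def domains_for_day(day, count):
    """Deterministic list of `count` candidate domains for calendar day `day`.

    Every bot runs the same code with the same date, so all of them compute the
    same list with no network contact. A defender who has reverse engineered
    the algorithm can compute it for any future date just as easily.
    """
    domains = []
    for i in range(count):
        digest = hashlib.sha256(
            SEED_SALT + day.isoformat().encode() + i.to_bytes(4, "big")
        ).digest()
        length = 6 + digest[0] % 6                       # label length 6..11
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append("%s.%s" % (label, TLDS[digest[-1] % len(TLDS)]))
    return domains


def preregister(day, count):
    """Defender's daily job: every name to register or sinkhole for `day`."""
    return set(domains_for_day(day, count))


def bot_reach_probability(total, sample, attacker_owned):
    """Probability that one bot which queries `sample` of the day's `total`
    names hits at least one of the `attacker_owned` names the operators
    registered. math.comb(n, k) is 0 when k > n, which covers the case
    where the sample is too large to avoid the attacker's names.
    """
    miss = math.comb(total - attacker_owned, sample) / math.comb(total, sample)
    return 1.0 - miss


if __name__ == "__main__":
    tomorrow = date.today() + timedelta(days=1)
    print("first 5 of tomorrow's list:", domains_for_day(tomorrow, 250)[:5])

    # Conficker.B regime: 250 names per day, and bots try all of them.
    print("B: defender must hold %d names; one attacker domain reached with p=%.2f"
          % (len(preregister(tomorrow, 250)), bot_reach_probability(250, 250, 1)))

    # Conficker.C regime: 50,000 names per day, each bot samples 500 (assumed).
    print("C: defender must hold %d names; one attacker domain reached with p=%.4f"
          % (len(preregister(tomorrow, 50000)), bot_reach_probability(50000, 500, 1)))
```

With one attacker-owned name out of 50,000 and a 500-name sample, each bot reaches it with probability 500/50,000 = 1% per day, which across a botnet of this size is ample, while the defender still has to pre-register all 50,000 names every single day to be sure of cutting the channel, because the operators only need one name nobody else took. That asymmetry, not the raw count, is what the jump from 250 to 50,000 changed.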

Will it ever actually be used for anything?  Sure, it will.  Why go through all of this effort to create such a huge botnet and then not use it for something?  In a financially motivated economy it doesn't make sense not to rent it out or sell it off.  My point is don't buy too much into the April 1 hype.  It very well could be much ado about nothing.
Posted by smasiello at 2:56 PM | Link | 2 comments