Thursday, November 19, 2009

W32/Conficker.worm Infection Cycle

The W32/Conficker.worm can infect systems via three infection vectors: exploiting MS08-067, an Autorun mechanism, or exploiting weak passwords. In addition, the worm has an auto-update routine to update previously infected systems.

These infections are all multi-stage processes, involving the initial compromise, copying files, and then executing the malware.

Exploit Vector
The local network is scanned for susceptible computers. Once a susceptible computer is located, the exploit is attempted against the machine. If successful, the process is hijacked and malware is copied from the remote attacking machine's HTTP server (a random port number is used) to the local host. At this point the machine is compromised.

Malware is then dropped onto the system and a new service is created and started. The machine is now infected. Cleaning requires an On Demand Scan (ODS) and a reboot, possibly followed by another ODS run to clean any dormant infected files or reinfection-style files from the system. The machine must be patched and rebooted.

Weak Passwords
An infected machine attempts to access other remote systems' shares using the password list given in the VIL description. If you have a lockout policy in place, accounts will become locked as the thresholds are exceeded. Once a weak password is found, files are copied to the system, generally an at#.job file to the Tasks folder and a DLL to the system32 folder. The system is now compromised. Upon execution of the scheduled job, rundll32.exe is used to load the DLL file, which then creates the malware service and starts it.

The system is now infected. Cleaning requires an On Demand Scan (ODS) and a reboot, possibly followed by another ODS run to clean any dormant infected files or reinfection-style files from the system. Weak passwords need to be changed.
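The lockout behaviour described above is the easiest signal to hunt for: one infected host tries the password list against many accounts, so a single caller machine locks out several distinct accounts within minutes, whereas a user mistyping a password locks out one account. The script below is an added example written for this post, not code from the blog or from any vendor; it parses constructed, simplified lockout lines (the "timestamp LOCKOUT user= caller=" shape is an assumption for the example, not real Windows event-log text) and reports the caller machines that locked out at least three distinct accounts inside a five-minute window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in a simplified "timestamp LOCKOUT user=... caller=..."
# shape (an assumption for this example, not real Windows event-log output).
# Each line stands for one account-lockout event reported by a domain controller;
# "caller" is the machine that sent the failed logons. WS-0142 is the hypothetical
# infected host working through the password list; WS-0077 is ordinary noise.
SAMPLE_LOCKOUTS = """\
2009-11-19 09:00:05 LOCKOUT user=jsmith caller=WS-0142
2009-11-19 09:00:09 LOCKOUT user=mjones caller=WS-0142
2009-11-19 09:00:14 LOCKOUT user=admin caller=WS-0142
2009-11-19 09:00:20 LOCKOUT user=backup caller=WS-0142
2009-11-19 09:01:02 LOCKOUT user=svc_sql caller=WS-0142
2009-11-19 09:30:00 LOCKOUT user=kbrown caller=WS-0077
2009-11-19 14:12:41 LOCKOUT user=jsmith caller=WS-0077
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) LOCKOUT "
    r"user=(?P<user>\S+) caller=(?P<caller>\S+)$"
)


def parse_lockouts(text):
    """Return a time-sorted list of (timestamp, user, caller) tuples.

    Lines that do not match the expected shape are skipped rather than
    aborting the whole run, so a partially garbled export still yields results.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        events.append((ts, m["user"], m["caller"]))
    events.sort()
    return events


def find_lockout_sources(events, window=timedelta(minutes=5), min_accounts=3):
    """Return {caller: set_of_users} for callers that locked out at least
    min_accounts distinct accounts within any sliding window of length `window`.

    A worm running a password list produces many different accounts from one
    caller in a short time; a forgetful user produces one account, repeatedly.
    """
    by_caller = defaultdict(list)
    for ts, user, caller in events:
        by_caller[caller].append((ts, user))

    suspects = {}
    for caller, evs in by_caller.items():
        start = 0
        for end in range(len(evs)):
            # Advance the window start until the window fits inside `window`.
            while evs[end][0] - evs[start][0] > window:
                start += 1
            users = {u for _, u in evs[start:end + 1]}
            if len(users) >= min_accounts:
                suspects[caller] = suspects.get(caller, set()) | users
    return suspects


if __name__ == "__main__":
    for caller, users in find_lockout_sources(parse_lockouts(SAMPLE_LOCKOUTS)).items():
        print(f"{caller}: locked out {len(users)} accounts: {', '.join(sorted(users))}")
```

The threshold and window are deliberately parameters: tune them to your lockout policy (a lower lockout threshold produces lockouts faster, so a shorter window suffices), and feed the function whatever export your domain controllers produce once you have adapted the regular expression to its format.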

Autorun Worm Vector
Two files are dropped by an infected host onto the root of accessible shares or a piece of removable writable media (a USB stick, for example): Autorun.inf (described in detail below) and xxxxxxx.vmx (xxxxxxx = random name). These shares or pieces of media are now in a compromised state.

When the share or media is accessed and the autorun mechanism is enabled on the remote system, the autorun.inf file is opened and the rundll32.exe process is used to load the malware from the recycled folder in the root of the share or piece of media. Rundll32.exe will then load the DLL, and the DLL will create the malware service and start it.
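Because the whole vector hinges on the contents of autorun.inf, a share or media sweep can triage that file before anything is opened. The code below is an added example for this post, not the blog's or any vendor's tool. It parses the [autorun] section of an autorun.inf tolerantly (lines without an "=" are ignored, so junk padding does not stop the parse) and flags launch keys that invoke rundll32, that point into a recycle-bin folder, or that hand rundll32 a module whose extension is not .dll. The two sample files are constructed for the example; the RECYCLED\xxxxxxx.vmx path and the EntryPoint export name are placeholders following the post's description, not real indicators.

```python
import re

# Folder names used for the recycle bin on FAT (RECYCLED) and NTFS (RECYCLER);
# $Recycle.Bin is the Vista-era name. Compared case-insensitively.
SUSPICIOUS_DIRS = {"recycled", "recycler", "$recycle.bin"}
# Keys in [autorun] that cause something to run (shell\<verb>\command too).
LAUNCH_KEYS = ("open", "shellexecute")

# Constructed sample modelled on the post's description: rundll32 loading a
# randomly named ".vmx" from the recycle-bin folder in the root of the media.
# "xxxxxxx.vmx" and "EntryPoint" are placeholders, not real indicators.
SAMPLE_AUTORUN = r"""
[AutoRun]
Action=Open folder to view files
Icon=%SystemRoot%\system32\shell32.dll,4
open=RUNDLL32.EXE .\RECYCLED\xxxxxxx.vmx,EntryPoint
UseAutoPlay=1
"""

# Constructed benign sample: an ordinary installer CD.
BENIGN_AUTORUN = r"""
[autorun]
open=setup.exe
icon=setup.exe
"""


def parse_autorun(text):
    """Return {key: value} for the [autorun] section, keys lowercased.

    Only lines of the form key=value inside [autorun] are kept; everything
    else (comments, junk padding, other sections) is skipped.
    """
    entries = {}
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].strip().lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, value = line.partition("=")
            entries[key.strip().lower()] = value.strip()
    return entries


def _is_launch_key(key):
    return key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command"))


def assess_autorun(text):
    """Return a list of human-readable findings for the launch keys in autorun.inf."""
    findings = []
    for key, value in parse_autorun(text).items():
        if not _is_launch_key(key):
            continue
        lowered = value.lower()
        components = re.split(r"[\\/]", lowered)
        if "rundll32" in lowered:
            findings.append(f"{key}: launches via rundll32 ({value})")
            # The module is the first token after rundll32, up to the comma
            # that separates it from the export name.
            tokens = lowered.split(None, 1)
            module = tokens[1].split(",")[0].strip() if len(tokens) > 1 else ""
            if module and not module.endswith(".dll"):
                findings.append(f"{key}: rundll32 module has non-DLL extension ({module})")
        if any(part in SUSPICIOUS_DIRS for part in components):
            findings.append(f"{key}: target lives in a recycle-bin folder ({value})")
    return findings


if __name__ == "__main__":
    for name, text in (("sample", SAMPLE_AUTORUN), ("benign", BENIGN_AUTORUN)):
        print(name, assess_autorun(text) or "no findings")
```

None of the three checks is conclusive alone (legitimate software rarely needs rundll32 from an autorun.inf, but it is not impossible), which is why the function returns all findings rather than a verdict; in practice the presence of any of them on removable media is reason enough to quarantine the device and let the scanner decide. Disabling autorun on workstations removes the vector entirely regardless of what the file says.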
