We wrote several diaries about Conficker (or Downadup, depending on the AV tool you are using). F-Secure posted some interesting information about the number of infections which is almost certainly in millions (and who knows how many machines will stay infected as the owners will not even notice anything).
One of the reasons for infecting so many machines is that Conficker uses multiple infection vectors:
1. It exploits the MS08-067 vulnerability,
2. It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.
F-Secure also blogged about the autorun.inf file where they noticed that it contained a lot of garbage (about 60 kb of random binary data). This fooled some AV programs so they didn't scan the device properly (otherwise, they would have picked up the referenced DLL also stored on the device).
F-Secure also blogged about the autorun.inf file where they noticed that it contained a lot of garbage (about 60 kb of random binary data). This fooled some AV programs so they didn't scan the device properly (otherwise, they would have picked up the referenced DLL also stored on the device).
After removing garbage, one can see a nice autorun.inf file containing all important keywords. This grabbed my attention:
[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
Full article:
http://isc.sans.org/diary.html?storyid=5695
Atleast we now have some idea of where the dropper/infecter hides.
............................................................................................
Site Admin / Security Administrator
Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
One of the reasons for infecting so many machines is that Conficker uses multiple infection vectors:
1. It exploits the MS08-067 vulnerability,
2. It brute forces Administrator passwords on local networks and spreads through ADMIN$ shares and finally
3. It infects removable devices and network shares by creating a special autorun.inf file and dropping its own DLL on the device.
F-Secure also blogged about the autorun.inf file where they noticed that it contained a lot of garbage (about 60 kb of random binary data). This fooled some AV programs so they didn't scan the device properly (otherwise, they would have picked up the referenced DLL also stored on the device).
F-Secure also blogged about the autorun.inf file where they noticed that it contained a lot of garbage (about 60 kb of random binary data). This fooled some AV programs so they didn't scan the device properly (otherwise, they would have picked up the referenced DLL also stored on the device).
After removing garbage, one can see a nice autorun.inf file containing all important keywords. This grabbed my attention:
[Autorun]
Action=Open folder to view files
Icon=%systemroot%\system32\shell32.dll,4
Shellexecute=.\RECYCLER\S-5-3-42-2819952290-8240758988-879315005-3665\jwgkvsq.vmx,ahaezedrn
Full article:
http://isc.sans.org/diary.html?storyid=5695
Atleast we now have some idea of where the dropper/infecter hides.
Site Admin / Security Administrator
Virus Removal ~ OS Support ~ Have we helped you? Help us! ~ GeekChat
- Please PM me if I fail to respond within 24hrs.
