ESET Threat Blog

Archive for the 'kido' Category


September’s Global Threat Report


Tuesday, October 6th, 2009

ESET released its Global Threat Report for the month of September, 2009, identifying the top ten threats seen during the month by ESET’s ThreatSense.Net™ cloud.  You can view the report here and, as always, the complete collection is available here in the Threat Trends section of our web site.  While the report identifies a number of different types of malware, in this article, I’d like to focus on the Conficker worm as well as the class of worms which spread via AutoRun.

Conficker

While the overall percentage of reports is on the decline, the Conficker worm (also known as Win32/Conficker, Downadup and Kido) continues to make its presence known throughout cyberspace, accounting for 10.75% of detections.  This was actually a slightly upswing from August’s 10.12%, but given that many businesses have employees on vacation during the summer, is not unexpected, and still below the 12.58% seen in July.  The Win32/Conficker worm spreads using several vectors, such as unpatched operating systems, vulnerable network shares and via AutoRun on removable media such as USB flash drives.  ESET detects the malicious AUTORUN.INF file used by the worm to spread separately from its Win32 portable executable file, and currently sees a ratio of about one AUTORUN.INF file to every 4.8 executable file detections of the worm.
 
While a substantial number of Conficker infestations are blocked at the removable media infection layer, there are still a large number of networks outs there where the worm is spreading.  While ESET’s software does detect and remove the Conficker worm, it is important to keep in mind that anti-malware is only one component of security, and that other steps need to be taken as well in order to keep a network clean:
  • If you have not already done so, deploy Microsoft’s MS08-067 patch for the vulnerability initially used by the worm to infect systems.  It is also a good idea to install the MS08-068 and MS09-001 patches as well.
  • Disable AutoRun on removable media.  More about this below.
  • Use strong passwords.  The Conficker worm contains a set of commonly-used passwords in order to make it easier for the worm to spread across network shares.  A list is mentioned in this news article.  For more information about choosing good passwords, see these three earlier ThreatBlog articles here, here and here.  We also have a white paper on the subject.
ESET classifies Conficker into several variants, depending upon their behavior and technology.  For more information on each classification, see the following ESET Virus Encyclopedia entries: Conficker.A, Conficker.AA, Conficker.AE, Conficker.AQ, Conficker.AR and Conficker.X.

Worms continue to spread quick as a flash

The AUTORUN.INF file, a technology originally envisioned a decade-and-a-half ago to simplify the deployment of content on CD-ROMs, continues to be a top vector for malware.  ESET uses a variety of heuristic algorithms and generic signatures to detect both the AUTORUN.INF files which contain links to malware—detected as INF/Autorun and coming in at third place with 7.53% detections—as well as the malware which creates them: Win32/Autorun, coming in at ninth place with 0.78%.  Together, they account for 8.31% of detections seen in September, but it is important to keep in mind that other threats which spread via AUTORUN.INF files are first identified as specific threats such as Conficker, so the actual number of threats seen which make use of this technique is higher.
 
In order to block malware which spreads in this fashion, the option to use AutoRun on removable media needs to be disabled.  This has been discussed earlier in ESET’s Threat blog here and here and US CERT, a federal agency responsible for securing the government’s computers give instructions here, as well.
Microsoft’s forthcoming versions of Windows, Windows 7 for desktops and Windows Server 2008 R2 for servers will implement this, and the change has been made available for older versions of Microsoft Windows, such as Windows XP, Vista, Server 2003 and Server 2008.  For more information, including tools to apply the change, see this knowledgebase article on Microsoft’s web site.
 
As mentioned previously, anti-malware software is only part of the security equation.  Removing this un-needed functionality from your PC instantly immunizes it against a technique used by nearly a fifth of malware out there.  The tools and techniques used to disable AutoRun functionality can be applied in under a minute on a single PC and are easily scriptable so they can be employed in a managed computer environment with a minimum amount of effort.  We strongly recommend doing this.

Conclusion

As you can see, malware relies on a number of ways to spread, some of which are solved by updating the operating system and others by changing the less-secure behavior that was chosen in less secure times to more modern secure settings.
 
We’ll discuss the threats we saw last month in further detail, as well as explain how to better defend yourself in a future blog article.
 
Regards,

Aryeh Goretsky MVP, ZCSE
Distinguished Researcher

Posted in Aryeh Goretsky, Conficker, ESET, General, Global Threat Report, INF/Autorun, MS08-067, News, PSW.OnLineGames, Threat Report, ThreatSense, Trojan, Trojan downloader, Win32/Agent, Windows, Worm, admin shares, anti-malware, autoinfect, autorun, botnet, browser security, confiker, downadup, exploit, kido, malware, open shares, patch, patch management, threat trends, top ten, virus | 8 Comments »

Malware Trying to Avoid Some Countries


Thursday, January 15th, 2009

There are different techniques that can be used by a program to identify in which country it has been installed.  It can check for time zone information, public IP addresses or even domain names.  Lately, we have seen two different malware families trying to discover their geographic location in an effort to avoid infecting PCs in specific countries.

We have found some variants of the The Win32/TrojanDownloader.Swizzor using the following code:

 call    GetSystemDefaultLangID ; Indirect Call Near Procedure
[...]
mov     edi, eax
[...]
cmp     di, 419h 
jz      end_function   

This code calls the GetSystemDefaultLangID function and compares the result to a constant, 0×419.  Browsing through MSDN documentation reveals that this constant’s value translates to LANG_RUSSIAN.  It turns out that these variants of Win32/TrojanDownloader.Swizzor will exit before infecting a computer, if they find out that the default system language is Russian.

We have also identified the following code in the earliest variants of the Win32/Conficker malware:

push    edi             ; lpList
push    esi             ; nBuff
call    ebx ; GetKeyboardLayoutList
cmp     esi, eax       
jnz     short list_not_found 
dec     esi
cmp     word ptr [edi+esi*4], 422h
jz      short dont_install

Here, the malware tries to retrieve a list of keyboard layouts and works through   that list.  If a layout is found with the language identifier of 0×422, the routine terminates  and the malware is not installed.  This means that some variants of the Win32/Conficker family will not install on a computer that uses an Ukrainian keyboard layout.  Please note that this behavior is only present in W32/Conficker.A.   Later variants of this malware infect any PC they can access without checking the keyboard layout.


What we are seeing now is probably the beginning of a new trend.  Malware authors will try to avoid infecting PCs in specific countries to limit the risk of legal actions taken against them.  In most countries, there often needs to be a victim or complaint before law enforcement agencies  take legal action against an offender in cases of malware infection.  In cases where an attacker only targets victims outside of his country, it is much harder for law enforcement agencies to take action.

Special thanks to Sebastien Doucet and Volodymyr Pikhur for their help.

Pierre-Marc Bureau

Researcher

Posted in General, MS08-067, Pierre-Marc Bureau, anti-malware, confiker, downadup, kido, malware, programming, swizzor | 4 Comments »