ESET Threat Blog


Archive for March, 2009

Conficker: the rest is probably not silence


Tuesday, March 31st, 2009

So, nothing happened?

Well, yes. Our labs, who’ve been monitoring carefully, note that Conficker changed communication protocols, just as the code said it would.

No doubt in the fullness of time, the botnet will start doing what botnets do: it would be bizarre to put this much effort into a project and then not try to make some profit out of it. And we’ll still be watching.

In the meantime, I suspect, based on past experience, that two things will happen.

  • The very people outside this industry who hyped the issue out of all proportion will now dismiss it as vendor hype, and may even suggest that the whole thing is an urban myth. I do wonder whether by acknowledging and trying to counter the hype, we nevertheless fed it, but the alternative would have been to allow the panic merchants a clear field.
  • A few people within this industry, especially those with one of those products that is going to mean the death of antivirus (again), will claim credit for our dodging some sort of bullet.

And life will go on. Whatever. I’m on my way to Cambridge, so any controversies today will have to start without me.

Have a nice day, and don’t pay too much attention to the April Fools.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

April (1st) in Paris (London, Tokyo…)


Tuesday, March 31st, 2009

…as I write, it’s past midnight here in the UK. In some parts of the world it’s already been April 1st for nearly 14 hours.

I have yet to hear any reports of melted PCs, disappearing internets, or institutions DDoS-ed into insolvency by Conficker.

I’ve just received email from a colleague in Sydney, where it’s business as usual, so I guess there’s no internet blackout working its way westward.

In another hour or so, Conficker will move onto its new search algorithm. That will make it more viable as a botnet, but there’s no indication that it will be doing anything else, at least not in the immediate future. However, we have a monitoring system to let us know immediately if by some remote chance it does, and we’ll put up a blog here if the internet is still {#`%${%&{`%`+’$&NO CARRIER

*Just kidding.

TTYL.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

* Yes, I know, that joke is almost as old as the internet. Nonetheless, thanks to Rob Slade for reminding me of it!

Conficker Launches Cyber Attack Against Big Ben


Tuesday, March 31st, 2009

In an apparent effort to cause British commuters to miss their trains, Chinese hackers have ordered the Conficker.C botnet to randomly change the time on the venerable and vulnerable Big Ben. This has caused millions of Londoners to be late for work this morning.

Hey, this is no more ridiculous than trying to protect against Conficker. Why is it ridiculous? Because Conficker is only a symptom of poor security. If you disable autorun you protect against thousands of threats, including Conficker. Your aim should be to prevent the vulnerability, not the exploitation of the vulnerability. If you have strong passwords you protect against lots of attacks, including Conficker. Weak passwords leave you exposed to much more than Conficker. If you keep your operating system patched and your anti-virus up to date you protect against hundreds of thousands of threats, including Conficker.

So, you have an army about to attack you. Do you ask how to defend against a single soldier or do you defend against the army?

The interesting thing about Conficker.C is that by registering 50,000 domains each day it is making a lot of noise. An incredible amount of noise. It occurs to me that perhaps the purpose of this is to draw attention away from another attack. Perhaps Conficker.C is a decoy. Are you going to fall for the decoy or protect against the other 99.9% of the threats out there in addition to Conficker?

Education is essential to security. I recommend you go to http://www.staysafeonline.org and start reading and getting educated. You can also find tips for good passwords, disabling autorun, and other advice from me at http://www.sdchamber-members.org/TechTip.htm.

Randy Abrams
Director of Technical Education

Watch out for the Honda Accords


Monday, March 30th, 2009

Why watch out for the Honda Accords?  Well, automobile accidents are one of the leading causes of injury and death and Accords are very common cars. This sounds pretty silly, doesn’t it? I mean, wouldn’t it make sense to drive like any car is a potential threat and drive as best as you can to avoid accidents with all cars? Of course it makes sense. Do you eat or take vitamins only to avoid scurvy, or do you not worry about scurvy because you are taking the steps to prevent all kinds of diseases through proper nutrition?

There is a lot of talk about the Conficker worm. A worm that “triggers” on April 1st, except it doesn’t really do too much that is special or of importance to most users on April 1st. Highly irrational thinking concerning the Conficker worm is rampant. People see the hype and start to focus on “How do I know if I have Conficker and how do I prevent it?” when the rational approach is how do I make sure I am not infected with anything and how do I make sure I don’t get infected? There are far worse problems out there than Conficker and if you only focus on Conficker then you are diverting attention away from truly being secure. Do you cross the street despite the fact that 1,000 cars that are not Honda Accords are going through the intersection and each can kill or maim you, or do you wait until it is safe, regardless of the make and model of the cars?

OK, for those of you who are taking hype intravenously and no amount of rational thought will bring you comfort, go to control panel and open the Windows Security Center. If it is working you are not infected with Conficker.C. If the Security Center is not working then you may be infected with any of a number of different threats, many may be worse than Conficker. If you are an ESET customer, then call us for free tech support. If you are a customer of another vendor call them for tech support.

April 1st your computer is not going to melt down due to Conficker. The only thing that Conficker is going to do on April 1st is re-route communications links between Italy and France causing worldwide pizza orders to be delivered with snails instead of pepperoni. OK, if I said that on April 1st you would have known it is a joke :)

Yeah, Conficker is a serious problem, but not for home and corporate users who employ best practices already. The real problem is for the security professionals trying to prevent the worm from impacting the millions of people who fail to learn anything about security.

So, you still want to protect against Conficker? Here is what to do. Make sure that the Windows Security Center is functioning and you are up to date on your Microsoft security patches. You can go to http://update.microsoft.com to manually check for updates. Make sure your antivirus product is up to date. Your antivirus product should be tested by Virus Bulletin (www.virusbtn.com) and/or certified by ICSA Labs, or have West Coast Labs Checkmark certification. Send me an email at askeset@eset.com if you need help determining this. Exercise caution in what websites you visit and never open attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment and that they also know what it is. These instructions are not specifically for Conficker; this is simply part of how you protect against all of the threats out there.

It doesn’t much matter what I drive…if I don’t know how to drive safely, no car out there is as big a threat to me as I am to myself.

Get over the hype and practice security, not irrational fear.

Randy Abrams
Director of Technical Education

Catching Conficker – a New Development


Monday, March 30th, 2009

I can already hear a chorus of "Not ANOTHER Conficker blog?", but some of you will want to know about this development.

The Honeynet Project has announced a new scanning tool for detecting Conficker, which gives network and system administrators a very handy extra tool for detecting Conficker activity on their networks.

Furthermore, the tool is currently being integrated into mainstream vulnerability scanners like nmap, nessus, and products from ncircle, Qualys and Foundstone. It detects all current variants of Conficker by flagging changes they make to NetpwPathCanonicalize(). No doubt Conficker’s authors are already working on this loophole, but in the meantime, the new routines should seriously mitigate the worm’s impact on corporate networks.

Kudos to Honeynet’s Tillmann Werner and Felix Leder, whose forthcoming "Know your enemy" paper will give a lot more information on the worm and on the new tool, and to Dan Kaminsky, Rich Mogull, and the Conficker Working Group for all their work on this. 

For those who just have one or two machines to check, we still have a free removal tool, and as James Coulter pointed out to us, so does Sophos. In fact, so do Bitdefender, Microsoft, Kaspersky and Symantec, among others, and none of us are charging for such tools. I would stress, though, that we’re making these tools available for emergency use by people who don’t have up-to-date anti-malware on their systems right now and can’t easily get to it because the worm is in memory and won’t let them. (If you can’t get to a removal tool like ours either, our suggestion is to find someone with a clean machine to download it for you and transfer it by (preferably write-protected!) removable media.) I certainly wouldn’t recommend that you rely on one-shot tools like this as your primary defence against malware in general!

Incidentally, I happened upon the Wikipedia entry for Conficker a little while ago, which mentions several of these tools, and also mentions a couple of vendors who "can remove it with an on-demand scan." Don’t get confused by this: any mainstream product worth having should be able to detect and remove current Conficker variants by now. It doesn’t mean that products with a one-shot removal tool can’t detect or remove it with their for-fee products.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence
http://www.twitter.com/ESETblog


More Bull in a China Shop?


Monday, March 30th, 2009

I thought I’d blogged myself to a standstill over the weekend, but it seems there’s plenty of life left in the Tibet/China story, even if it’s only the East and the West exchanging accusations.

A China Daily headline claims that "Analysts dismiss ‘cyber spy’ claims", though in fact the quotes in the article talk about exaggeration rather than absolute denial. Most of China Daily’s readers (or at any rate those who’ve commented on the article) have written it off as "China-bashing", or as an attempt by the West to deflect attention from its economic problems.

Meanwhile, closer to home (well, my home…), the Times reports that a "confidential" memo (not any more it isn’t…) circulating in Whitehall expresses concern by the chairman of the Joint Intelligence Committee that BT’s buy-in of components for its new £10 billion network from the Chinese telecoms supplier Huawei would expose the UK’s communications to deliberate attack from China, though it concedes that ‘there is at present a “low” risk of China exploiting its capability’.

Nevertheless, the report points out that such an attack would have a serious impact. I don’t have enough data to assess the seriousness of such an attack in practical terms, but it seems unfortunate that "government departments, the intelligence services and the military" are apparently committed to the use of the new BT network if that network cedes significant potential control, even at component level, to a nation that clearly isn’t trusted at high levels of government.

I have to wonder how many elements of the UK’s Critical National Infrastructure (CNI) are labelled "made in China". Not that I want to buy into the universal xenophobia that seems to dominate this story, but if you’re building or maintaining a CNI, don’t you try to keep it in-house, even if it costs more to buy from trusted sources?

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Ask ESET


Sunday, March 29th, 2009

I have an email address, askeset@eset.com that I use to field general security questions. I can’t use this for support questions, or licensing questions though. We have trained support people who do product support full time and these people have the most up to the minute information required to support our products.

For general security questions I am delighted to explain what things mean, and how they work though.

Emails advertising products and services that are received at that address are automatically flagged as the spam they are!

Randy Abrams
Director of Technical Education

Conficker, Y2K, and Apocalypse Now


Sunday, March 29th, 2009

Around the end of the last decade, when I was working for a research organization in the UK, I used to write a monthly column on security for an in-house newspaper, and was rapped over the knuckles for telling this little story. I’ve probably changed the detail since then: I don’t keep everything I’ve written including shopping lists and notes to the milkman. (Unlike novelist Jack Trevor Story, or so he claimed in one of his more overtly autobiographical books.)

A man goes to collect his motor-car from a hypermarket parking lot in Helsinki. (Just trying for an international flavour here.) As he walks in, he notices one of the market’s employees scattering large clumps of catnip round the car-park perimeter.

"Why are you doing that?" he asks.

"To keep the lions away," the employee answers.

"But there aren’t any lions in Helsinki!*"

"See how effective it is?"

I was talking about Y2K, of course. Common sense suggested that most of the dire prognostications of hundreds of thousands of Y2K viruses and other malicious activity were either taken out of context, misguided or intentional fearmongering, and that as long as you took every possible countermeasure against problems you could predict and anything you could think of that would mitigate what you couldn’t predict, the chances were that it would be OK. As, indeed, it mostly was. And I guess we’ll never know whether all those updates and expensive consultancies were worth the money many of us paid out, because we can’t rewind and try it again without all the outlay.

So here we are again. Another year, another round of prophecies of disaster, a few from the fringes of the AV industry, but most from outside it. Expressions of sympathy here to Graham Cluley of Sophos and Mikko Hypponen of F-Secure, who were "quoted" in a Doom and Gloom story by an English tabloid claiming that "Millions of computers around the world could go into meltdown on April 1 because of a deadly virus." Apparently the journalist concerned didn’t actually bother to contact Graham or Mikko, presumably because he knew they’d be too busy getting ready to rescue all those melting PCs.

The sad thing is that "old guard" researchers like Graham and Mikko, mindful of the over-hyped "media viruses" of the past (Friday 13th, Columbus Day), have actually gone out of their way to present a balanced view of the issue, which I’d probably define as "Take all reasonable precautions, but don’t panic." Whatever happens, it’s unlikely to be as dramatic as expected, like the comparatively few systems affected by the triggering of Michelangelo or CIH/Chernobyl. (By comparatively few, I mean hundreds or thousands rather than millions.) In this case, there may be no immediately noticeable impact at all.

What’s the betting that if there’s no drama, it will be taken as another example of hype from the very industry whose public representatives have been trying to "un-hype" the issue?

By the way, here’s a nice bit of unhyping from Joe Stewart. And it’s nice to see the industry get some credit for "calm-mongering" from Thomas Claburn and George Hulme of Information Week. To pick up on something George referred to, the reason that we don’t know exactly what, if anything, will happen on April 1st, despite having the code to analyse, is that the code doesn’t tell us. I guess that’s exactly what is piquing our curiosity.

* I’ve never been to Helsinki, but yes, it does have a zoo. However, I don’t think it has any large African mammals, as they don’t do well in that climate.

** Why did I get my knuckles rapped? Because the chief librarian*** objected to any hint that her team might not be in absolute control of the situation. A friend of mine was actually fired for talking about how the issue was being addressed in the same organization on a public mailing list, so I guess what saved me was the fact that the article didn’t make it to print. 

*** No, I don’t know why the library were running the project rather than the IT team who looked after the computer systems, or the estates team who looked after the laboratory equipment. Feel free to make suggestions below, but there are no prizes on offer.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence.

Chinese Whispers: Targeted Malware and E-Espionage


Sunday, March 29th, 2009

I’ve mentioned here before that targeted malware, often delivered by "spear phishing" carried by apparently "harmless" documents such as PDFs, .DOCs and spreadsheets rather than overt programs, can have much more impact than the raw numbers of such attacks suggest. In fact, some sources now use the term "whaling" rather than "spear phishing" to reflect the size of the organizations targeted (and, presumably, the scale of the potential impact).

This impact can be so great because instead of being distributed to huge numbers of random people, the social engineering messages are distributed to a few people who have particular influence, or access to particularly interesting and/or valuable information. Today’s Big Issue is concerned with what are alleged to be attacks largely originating in China, against various diplomatic and governmental organizations and the Dalai Lama’s Tibetan exile centres, following the simultaneous release of an article in the New York Times, a paper from the University of Toronto, and another from the University of Cambridge in the UK. At the time of writing, the Toronto paper is unavailable because of a problem with the site, but it’s currently mirrored here.

While I haven’t come across these attacks against the exiled Dalai Lama’s supporters before, both the mechanisms and the far-East connection have been known for some years, even before the UK Centre for the Protection of National Infrastructure (then called NISCC) and security services went semi-public with an advisory. And I’ve referred here before to a chapter section in my "AVIEN Malware Defense Guide" where Ken Dunham and Jim Melnick describe zero-day attacks by "Wicked Rose" and the NCPH group centred on Trojans targeting such organizations as the Department of Defense.

Even if you’ve no particular interest in the locales and organizations named in these reports, there’s an issue touched on in the Cambridge paper by Shishir Nagaraja and Ross Anderson that demands further consideration, when they suggest that "What Chinese spooks did in 2008, Russian Crooks will do in 2010, and even low-budget criminals from less developed countries will follow in due course." Here’s why I think they’re right.

What Nagaraja and Anderson call social malware – what I’d call a combination of sophisticated Trojan malware and effective, targeted social engineering – is not the sole preserve of governments spying on governments. (In fact, government contractors and other organizations with significant political interest have been targeted from the beginning: it’s naive to think that a Critical National Infrastructure (CNI) is just an aggregation of government departments.)

The on-line world is full of crooks trying to make money from some form of phishing or other forms of fraud. There are plenty of potential victims out there, but maybe not as many as there were:

  • global recession has made the world poorer
  • the level of awareness of criminal activity among internet users in general is rising, albeit painfully slowly

So criminals may have to share smaller pots between more people.

Furthermore, random dissemination of phishing and similar scams has a fatal weakness: massive random mailouts don’t lend themselves to personalized content.

For instance, I’m not likely to fall for -any- Bank of America phish because I don’t have an account with BoA, and hopefully you won’t send your credit card details to someone who addresses you as "Dear American Express User".

But even a sceptic like me might fall for an email that looks (and sounds) as if it comes from someone I trust, and includes or directs me to a document rather than a program file. Right now, you are most likely to get such a mail if you’re working in certain sectors. But as more blackhats get into the game who are more interested in cash than ideology, the more enterprising among them will spend more time on customizing and targeting, in the hope of getting a better hit rate and higher profits.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence

Conficker Removal (Update)


Saturday, March 28th, 2009

[Update: it seems that people who missed the whole MS-DOS/having fun with the C> prompt and batchfiles thing are still struggling with the fact that vendors are releasing cleaning tools that are really command-line tools, so some step-by-step notes are added below.]

I’m sure you’re almost as bored with this issue as I am with the BBC. (I wonder if it’s contemplating buying the Conficker botnet to add to its collection?)

However, it seems that some people are still confused as to how to remove Conficker if it’s already on their system. So here’s a quick summary: some of it it was actually posted by our labs back in January, but it still applies.

  1. Disconnect the infected computer from the network and the Internet.
  2. Use an uninfected PC to download the respective Windows patches from the following sites: MS08-067, MS08-068 and MS09-001.
  3. Reset your system passwords to admin accounts using more sophisticated ones. [Note that it can spread through shared folders.]
  4. Download a one-off ESET application (again, using a non-infected PC) which will remove the worm.
  5. Install the updated anti-virus program.
  6. Re-connect the PC to the network and the Internet.

You might also want to disable Autorun.
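The checks that the steps above and the "Watch out for the Honda Accords" post lean on (Security Center running, the three bulletins installed, AutoRun disabled) can be audited in one go. This is an added example, not ESET's tool or code from the original post; it assumes the usual KB numbers for the three bulletins (MS08-067 = KB958644, MS08-068 = KB957097, MS09-001 = KB958687) and that the Security Center service is named wscsvc. It only reports; it changes nothing.

```powershell
# Added audit script (not from ESET or the original post). Read-only.
# Assumptions: the bulletin-to-KB mapping below and the service name 'wscsvc'.

$bulletins = @{
    'MS08-067' = 'KB958644'   # the RPC hole Conficker spreads through
    'MS08-068' = 'KB957097'
    'MS09-001' = 'KB958687'
}

function Test-SecurityCenter {
    # The post's quick test: Conficker.C disables Security Center, so a
    # running wscsvc is a reasonable (not conclusive) sign it is not active.
    $svc = Get-Service -Name 'wscsvc' -ErrorAction SilentlyContinue
    if ($null -eq $svc) { return 'wscsvc: service not found' }
    return "wscsvc: $($svc.Status)"
}

function Test-Patches {
    # Get-HotFix lists individually installed KBs. On later Windows versions a
    # cumulative update can supersede these without listing them, so treat
    # MISSING as "go and check Windows Update", not as proof of exposure.
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    foreach ($b in ($bulletins.Keys | Sort-Object)) {
        $kb = $bulletins[$b]
        $state = if ($installed -contains $kb) { 'installed' } else { 'MISSING' }
        "${b} (${kb}): ${state}"
    }
}

function Test-Autorun {
    # NoDriveTypeAutoRun is a bitmask of drive types excluded from AutoRun;
    # 0xFF excludes every type, which is what "disable Autorun" means here.
    $paths = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    )
    foreach ($p in $paths) {
        $item = Get-ItemProperty -Path $p -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
        $v = if ($null -ne $item) { $item.NoDriveTypeAutoRun } else { $null }
        if ($null -eq $v) {
            "${p}: NoDriveTypeAutoRun not set (AutoRun left at the default)"
        } elseif ($v -eq 0xFF) {
            "${p}: NoDriveTypeAutoRun=0xFF (AutoRun disabled for all drive types)"
        } else {
            "${p}: NoDriveTypeAutoRun=0x{0:X} (only some drive types excluded)" -f $v
        }
    }
}

# Run all three checks and print one line per finding.
Test-SecurityCenter
Test-Patches
Test-Autorun
```

Run it from an elevated PowerShell prompt so the HKLM policy key and the hotfix list are readable; the password step in the list above has no automatic check and still has to be done by hand.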

Here’s a bit more information about using the standalone utility mentioned in step 4.  

If you access that link and run it rather than save it, you might be confused by the fact that it’s a text mode application opening in a DOS box (that’s the black window that looks like an old-time DOS PC or some form of dumb terminal with a C:\  or C> prompt and text output only), not a Windows application. That’s normal for a standalone utility like this, which doesn’t need a multi-menu graphical interface (GUI).

  • If you have more than one PC to check/look after, or a slow connection, you might want to save it to the desktop rather than run it from the web site.
  • When you run it, it will, hopefully, tell you that "Conficker worm has not been found active in the memory" and ask you if you want to scan and clean anyway. It’s unlikely to do any harm if you do run it, but if Conficker is not in memory, it probably isn’t anyway on your system and certainly poses no immediate threat. It’s more important at this point to check that your AV is installed and updating properly.
  • It also mentions a couple of options (-autoclean and -reboot). If Conficker isn’t in memory these aren’t very relevant to you. If it is, you’ll probably want to carry on scanning and respond when the utility prompts you. Those options are more relevant to system administrators and power users wanting to run the application from a script and/or on more than one PC. If you want to use them, you’ll have to use them from the command-line, and if you saved it as EConfickerRemover.exe, use that name at the command line, not removaltool, as the program suggests.
  • It may not run with full functionality if you’re not running with administrator rights. It will detect Conficker, if it’s there, but it won’t be able to clean it properly. Of course, we normally advise people not to run as administrator routinely, but for tasks like this you have to be able to either log in as administrator or "run as" administrator.
  • I’ve also had someone mention that the DOS screen comes and goes too quickly to read if there’s no infection. I haven’t been able to replicate that, so have asked for more information.

If you have further questions on this, please visit the support pages at http://www.eset.eu/support.

David Harley BA CISSP FBCS CITP
Director of Malware Intelligence