Search Results for "conficker"

Conficker Again in the News, Part 2

Yesterday, my colleague Dave Marcus quoted for you the new graphs and stats posted by Shadowserver. Indeed, since November 2008, W32/Conficker (alias Downup, Downadup, Kido) has frequently made headlines. This computer worm has five main variants, which have appeared during the last year. Wikipedia lists the dates: 

  • A variant: First appeared 21 November 2008
  • B variant: First appeared 29 December 2008
  • C variant: First appeared 20 February 2009
  • D variant: First appeared 4 March 2009
  • E variant: First appeared 7 April 2009  (self-destruction on 3 May 2009)

W32/Conficker spreads via the Windows AutoRun feature, drive sharing, and Microsoft vulnerabilities. At the end of 2008, the A and B versions took advantage of a newly discovered Windows Remote Procedure Call service vulnerability (MS08-067). That’s how Conficker’s masters created a large botnet involving one million unique IPs on a daily basis. The worm used a date-based algorithm to generate 250 domains per day under generic top-level domains. Infected machines then attempted to contact one of these domains in order to install specific malware.

In a similar manner, hosts infected with the C variant generated 50,000 unique URLs ending with a country-code top-level domain and attempted to connect to the first URL that was ready to distribute a digitally signed payload. This third variant also contained peer-to-peer functionality.
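A domain-generation scheme like the ones described above leaves a characteristic trace in DNS logs: one host looks up many distinct, never-before-seen names across several TLDs, and most of them fail with NXDOMAIN until one finally resolves. The following is an added example, not code from the original post or from Shadowserver or McAfee; it scores each client in a set of constructed DNS log lines. The log format, the field order and the thresholds are assumptions made for the example.

```python
from collections import defaultdict

# Constructed sample DNS log, one query per line: "<epoch> <client_ip> <query_name> <rcode>"
# 10.0.0.5 behaves normally; 10.0.0.7 walks through a list of random-looking names.
SAMPLE_DNS_LOG = """\
1258300001 10.0.0.5 mail.example.com NOERROR
1258300002 10.0.0.7 kfjdhqpzx.biz NXDOMAIN
1258300002 10.0.0.7 ywqmlkzej.info NXDOMAIN
1258300003 10.0.0.5 www.example.com NOERROR
1258300003 10.0.0.7 tqbvhjsor.org NXDOMAIN
1258300004 10.0.0.7 pmzlkwqar.net NXDOMAIN
1258300004 10.0.0.5 updates.example.com NOERROR
1258300005 10.0.0.7 bxcvnrtyo.ws NXDOMAIN
1258300005 10.0.0.7 qwzlfjdhs.cc NXDOMAIN
1258300006 10.0.0.7 ldkfjqwer.biz NXDOMAIN
1258300006 10.0.0.5 typo-examlpe.com NXDOMAIN
1258300007 10.0.0.7 hsdkfjqwe.info NOERROR
"""


def parse_dns_log(text):
    """Parse log lines into (client_ip, query_name, rcode) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, client, name, rcode = parts
        records.append((client, name.lower().rstrip("."), rcode.upper()))
    return records


def summarize_clients(records):
    """Per client: total queries, NXDOMAIN count, distinct names and distinct TLDs."""
    stats = defaultdict(lambda: {"queries": 0, "nxdomain": 0, "names": set(), "tlds": set()})
    for client, name, rcode in records:
        s = stats[client]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            s["nxdomain"] += 1
        s["names"].add(name)
        s["tlds"].add(name.rsplit(".", 1)[-1])
    return stats


def flag_dga_clients(records, min_queries=5, min_nx_ratio=0.6, min_distinct=5):
    """Return clients whose lookup pattern resembles a DGA walk.

    A client is flagged when it issued at least min_queries lookups for at least
    min_distinct different names and at least min_nx_ratio of them failed with
    NXDOMAIN. Thresholds are assumptions; tune them to the window size you use.
    """
    flagged = {}
    for client, s in summarize_clients(records).items():
        if s["queries"] < min_queries or len(s["names"]) < min_distinct:
            continue
        ratio = s["nxdomain"] / s["queries"]
        if ratio >= min_nx_ratio:
            flagged[client] = {
                "queries": s["queries"],
                "nxdomain": s["nxdomain"],
                "nx_ratio": round(ratio, 2),
                "distinct_names": len(s["names"]),
                "distinct_tlds": len(s["tlds"]),
            }
    return flagged


if __name__ == "__main__":
    for client, info in flag_dga_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(client, info)
```

The ratio-based check is deliberately coarse: a single typo produces one NXDOMAIN, whereas a worm trying hundreds of generated names per day produces a sustained run of them, so the detector keys on volume and diversity rather than on any one failed lookup.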

The D and E variants were not so prolific; they helped spread the C version as well as other malware (W32/Waledec) and fake anti-virus software.

Estimating the size of the Conficker population is almost impossible. In January, a 10-million hosts figure was frequently quoted in the media. McAfee announced one million unique IPs were alive (or online) each 24 hours, while another security company claimed that at least one out of every 16 PCs worldwide was infected. In March another source said that more than 35 million unique IPs had been botnet zombies since November 2008.

Today the A, B, and C variants maintain a huge foothold worldwide. In October, researchers estimated the number of systems infected topped seven million. Following Dave’s advice, I visited the new Shadowserver statistics page. To illustrate the extent of how this malware affects the world, the organization monitored the Autonomous System Number blocks that have at least one Conficker IP in their network space. The charts highlight the widespread infection and propagation as well as the ratio of infected IP addresses for each autonomous system block.

Shadowserver names 183 country codes and 5994 autonomous systems with Conficker IPs in their network space:

  • 1086 for the Russian Federation (RU)
  • 597 for the United States (US)
  • 422 for Ukraine (UA)
  • 271 for Romania (RO)
  • 244 for Brazil (BR)
  • 243 for Republic of Korea (KR)
  • 184 for Poland (PL)
  • 166 for Bulgaria (BG)
  • 147 for Europe (EU)
  • 129 for Indonesia (ID)
  • 113 for Japan (JP)
  • 95 for China (CN)
  • 94 for India (IN)

You can also find a Top 500 list for the autonomous systems hosting the largest number of infected IPs as well as the percentage of their entire routed space that is affected by the worm. CHINANET and CHINA169 take the top positions, but with only 1.1 percent and 1.2 percent of unique aggregate IPs. In the 420th position, we discover that 26.36 percent of CHILE S.A.’s routed space is affected by the worm.

If you want to know how your autonomous systems or your country-code top-level domain are positioned, check out the Shadowcrew website.

We don’t really know the objectives of Conficker attacks, even though we can guess the motivations are financial. The consensus in the security community is that it was created to make botnets for hire. The botnet can be rented to criminals who want to send spam, distribute rogue spyware products, steal credentials, and direct users to online scams and phishing sites.

In May, Mike Steward from the Canadian Internet Registration Authority suggested that in the worst case Conficker could become a powerful cyberwarfare weapon, capable of disrupting not just countries, but the Internet itself.

Conficker Again in the News

Our good friends at Shadowserver have recently added some excellent graphs and stats that highlight the continued infections and propagation by the Conficker worm.

Conficker, although it actually does very little, continues to be a major annoyance worldwide, so let’s use these excellent charts and graphs as a reason to revisit two important points:

  • Update your systems to current patch levels
  • Use up-to-date and properly configured security software. Deploy these at a variety of levels whenever possible. (Layers of defense work better than a single solution.)

Take these two steps and you will be protected against Conficker and a whole lot more. Threats are complex, and combating them really does take layers of defense along with appropriate security technologies. In this age of “blended” and “Web 2.0” threats, it is wise to incorporate host IPS, network IPS, reputational technologies, and cloud technologies.

The bad guys are always looking for new ways to make their malware and attacks more successful. The good news is we are always working on new technologies to make them less successful.

W32/Xpaj Botnet Growing Rapidly

Two weeks ago I blogged about a new virus–W32/Xpaj–found in the wild by McAfee researchers and actively spreading around the world. Since then we have closely monitored the change in spread and severity of the virus, improved generic detection for future W32/Xpaj instances, and added cleaning and proper repair for all the files infected by the virus. Today I want to share more news related to this threat.

Further analysis has revealed some interesting details about the malicious behavior of W32/Xpaj. The virus is building a widespread “zombie” network by taking control of thousands of Internet-connected computers. The new botnet is in its infancy, although thousands of machines have been infected during the last two weeks. The botnet infects computers around the world and has spread across many countries. The attacks are mostly aimed at enterprises, but they have now spread to consumer machines as well. Based on multiple characteristics and our own research, the virus is most probably the work of eastern European cybercriminals.

Most bots are connected to a central location from where one machine can control the entire botnet. W32/Xpaj, on the other hand, deploys several control channels to communicate and control its bots. It employs the same techniques used by Srizbi and Conficker; that is, it uses randomly generated DNS names for backup control servers. Even though W32/Xpaj does not know where the control server is, it knows how to search for it, making it possible to predict which host is in use on a given day.

To prevent botnet hijacking, W32/Xpaj accepts only digitally signed payloads and commands. The malware authors use a cryptographic hash (the MD5 algorithm) to validate the authenticity of any payload received from the control server.

Our analysis has not revealed any cryptographic system protecting the payload itself, so there is a chance for a rival to take control of the entire botnet.

The W32/Xpaj variants we analyzed use a sophisticated domain-generation algorithm to create and query the list of random domains starting on September 24. The virus first tries to resolve the domain name to an IP address. If that succeeds, it sends an HTTP request in the form of a string:

/GET /up.php?a=g2&cm=15A91F71

The malicious host responds with the path to a binary containing further instructions and code to be executed:

http://[infected]/stamm/stamm.dat
http://[infected]/plugin/plugin.dat
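The beacon request and the two payload paths quoted above are exactly the kind of artifact a web-proxy log can be searched for. The following is an added example, not code from the original post or from McAfee: it walks a set of constructed proxy log lines, labels requests that match the `/up.php?a=...&cm=...` beacon shape or the `/stamm/stamm.dat` and `/plugin/plugin.dat` download paths, and reports clients that show the whole chain. The log format, the function names, and the assumption that `cm` is always an eight-digit hex value (the page shows one such value) are mine.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlsplit

# Constructed sample proxy log: "<epoch> <client_ip> <method> <url> <status>" per line.
# 198.51.100.7 is a documentation-range address standing in for "[infected]".
SAMPLE_PROXY_LOG = """\
1253800001 192.0.2.10 GET http://www.example.com/index.html 200
1253800002 192.0.2.23 GET http://198.51.100.7/up.php?a=g2&cm=15A91F71 200
1253800003 192.0.2.23 GET http://198.51.100.7/stamm/stamm.dat 200
1253800004 192.0.2.23 GET http://198.51.100.7/plugin/plugin.dat 200
1253800005 192.0.2.31 GET http://www.example.net/up.php?a=help 404
1253800006 192.0.2.42 GET http://www.example.org/images/logo.png 200
"""

BEACON_PATH = "/up.php"
CM_RE = re.compile(r"^[0-9A-Fa-f]{8}$")  # assumption: cm is an 8-digit hex token
PAYLOAD_PATHS = {"/stamm/stamm.dat", "/plugin/plugin.dat"}  # paths quoted on the page


def classify_request(url):
    """Label a single URL as 'xpaj-beacon', 'xpaj-payload', or None."""
    parts = urlsplit(url)
    if parts.path == BEACON_PATH:
        query = parse_qs(parts.query)
        # Both the 'a' parameter and a hex 'cm' value must be present to match.
        if "a" in query and any(CM_RE.match(v) for v in query.get("cm", [])):
            return "xpaj-beacon"
    if parts.path in PAYLOAD_PATHS:
        return "xpaj-payload"
    return None


def scan_proxy_log(text):
    """Return one hit record per matching request; malformed lines are skipped."""
    hits = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        _ts, client, _method, url, _status = parts
        label = classify_request(url)
        if label:
            hits.append({"client": client, "host": urlsplit(url).hostname,
                         "url": url, "label": label})
    return hits


def clients_with_full_chain(hits):
    """Clients seen both beaconing and fetching a payload path: the strongest signal."""
    labels_by_client = defaultdict(set)
    for hit in hits:
        labels_by_client[hit["client"]].add(hit["label"])
    wanted = {"xpaj-beacon", "xpaj-payload"}
    return sorted(c for c, labels in labels_by_client.items() if wanted <= labels)


if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_PROXY_LOG)
    for hit in found:
        print(hit["client"], hit["label"], hit["url"])
    print("full chain:", clients_with_full_chain(found))
```

Matching on the full shape of the beacon (path plus both parameters) rather than on `up.php` alone keeps a generic file name on an unrelated site from producing a hit; the `/up.php?a=help` line in the sample is there to show that case.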

The first binary containing malicious instructions has already been received by all W32/Xpaj-infected machines. The virus stores the downloaded encrypted binary in the Windows folder. After decryption, the malicious code executes and instructs the virus to gather information about the infected machine and report to the server, sending the victim’s IP address, machine name, host process, registry records, current home page, and even fonts and path variables.

Every time an infected machine receives a payload and executes malicious code, a marker (a file with a random name) is created in the Windows folder, preventing the virus from executing the same payload twice.

Botnets grow and evolve quickly. We measure them by the number of compromised computers under their control. However, proactive virus detection and following these simple recommendations will help prevent your computer from becoming a part of a botnet:

  • Keep your anti-virus software up to date
  • Apply all the latest security patches and keep your operating system up to date
  • Set up a firewall to block unauthorized access while you are connected to the Internet. Use strict firewall policies and allow only those connections–both incoming and outgoing–that are absolutely necessary for your business.

Although many security vendors struggled to release new signatures and cleaning support for this virus, McAfee customers are already protected. You will hear a lot more from us in the coming months, so stay tuned and keep reading our blogs.

Thanks to Abhishek Karnik, Rachit Mathur, Di Tian, Ivan Teblin, and Adrian Dunbar for their help in analyzing and defeating this threat.

Searches for Patrick Swayze Info Could Lead to Malware

Another celebrity death.  Another recycled scareware tactic attempting to lure users to download malware by telling them that their PC is infected with a virus.  We saw it after the deaths of Michael Jackson, Farrah Fawcett, and Natasha Richardson earlier this year.  Now the attention of cyber criminals has turned to Monday’s death of Patrick Swayze as the soup du jour for malware distribution.

Queries for information on the death of the popular actor may lead to news stories that look legitimate when returned in search results, but when followed may lead users to a site that looks like this:

[Image: Swayze Spam]

This tactic of presenting a window to the user that looks very much like a legitimate Windows popup has been used many times before in various forms. The Windows Explorer-like screen presented to the user also uses geolocation in an attempt to identify the country and city the user is coming from, in order to make the user believe that their data is actively under attack. Popups with phrases like “Scan procedures finished. 34 Potential aggressive items was found!” and “Your computer remains infected by threats! They might lead to data loss and file structure damage, and needed to be heal as soon as possible. Return to Total Security and download it secure to your PC” also attempt to trick users into believing that the only way they can protect themselves from infection is by downloading bogus security software.

Clearly scareware tactics are something that cyber criminals have latched onto as a popular method for malware distribution, as they continue to be a recurring and evolving theme. Conficker/Downadup largely popularized scareware with its success (although it wasn’t the first to use it), and now others are riding on that popularity to re-purpose it for their own scams.

From Targeted PDF Attack to Backdoor in Five Stages

As reported by Adobe in July, a Flash vulnerability is being actively exploited by targeted attacks against Adobe Reader. Yes, embedding Flash movies in PDF documents is supported in Adobe Acrobat 9. The idea of allowing Flash movies to be displayed within PDFs isn’t bad if you like your documents spiced up with a bit of interactivity or training videos. From a security perspective, however, this poses yet another attack vector for criminals to take control of vulnerable systems. As history has shown, complexity and feature richness go hand in hand with remotely exploitable vulnerabilities. It is unfortunately no different with this latest PDF feature.

The exploitation of this vulnerability continues. Below are screenshots from one such malicious PDF document, discovered in a targeted attack this week. The attack contains several compressed streams and at least two embedded Flash movies. The first embedded Flash movie is clean; the second exploits CVE-2009-1862, which causes a memory corruption and allows an attacker’s code to execute. Underneath the compression layer, JavaScript code is embedded in the PDF document. This code fills heap memory with the attacker’s shellcode. Apart from the PDF acting as an additional obfuscation layer around the exploit, the JavaScript code, once unpacked, contains another function that attempts to evade detection.

[Screenshot: jscodearrows2]

The FileInsight screenshot above shows the JavaScript function “lololo(),” which deobfuscates a string holding the actual malicious payload at run time. The function simply replaces any occurrence of the substring “XX” found in “payLoadCode” with the substring “%u,” converting the previously obfuscated string into one that can be “unescaped” to x86 shellcode. Its purpose is to prevent security products from detecting escaped strings that might be an indicator for an exploit. To find out about the payload’s final purpose, we load the final unescaped string into a disassembler:

[Screenshot: shellcode]

This shellcode decodes a certain area found within the PDF document using an XOR operation with key 0xF4, writes every piece of decoded data to a file, and finally executes it by calling the WinExec() API function. The resulting file is a UPX-packed executable with an additional layer of a custom packer on top, complicating static analysis of the binary (proactively blocked as “BehavesLike.Win32.ModifiedUPX.J” by McAfee Gateway Anti-Malware). In order to analyze the executable, it first needs to be freed from its packer layers. What we see then is the executable’s ability to drop the DLL mscvr.dll to disk, with file attributes set to “hidden,” so it can’t be seen in Windows Explorer with default settings enabled. And before the malware injects this DLL into the memory of the running explorer.exe process, it infects the network diagnostic utility netstat.exe on disk, so the utility will load msvcr.dll each time it runs. The DLL contains a configuration file embedded as a resource, telling the netstat utility not to display certain Chinese hostnames that the DLL is about to phone home to.
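The two unpacking steps described above (the “lololo()” substitution that turns “XX” back into “%u” so the string can be unescaped, and the shellcode’s XOR-0xF4 decode of a region of the PDF) are what an analyst reproduces in a script to get from the obfuscated document to the dropped file without running anything. The following is an added example, not code from the original post or from McAfee; it implements both steps on constructed input (a harmless NOP/int3 byte string and a fake “MZ” header, both labelled as constructed). The function names and the sample data are mine; the unescape semantics follow JavaScript’s unescape(), where each %uXXXX unit becomes two little-endian bytes.

```python
import re
import struct


def deobfuscate_js_string(obfuscated, marker="XX"):
    """The substitution the page attributes to lololo(): put the '%u' escapes back."""
    return obfuscated.replace(marker, "%u")


def unescape_u(escaped):
    """Decode a JavaScript unescape()-style string to bytes.

    %uXXXX yields one 16-bit code unit, stored little-endian as it would sit in
    memory during a heap spray; %XX yields a single byte. Anything else is an error,
    which is useful when a deobfuscation guess is wrong.
    """
    out = bytearray()
    pos = 0
    for m in re.finditer(r"%u([0-9A-Fa-f]{4})|%([0-9A-Fa-f]{2})", escaped):
        if m.start() != pos:
            raise ValueError(f"unexpected text at offset {pos}")
        if m.group(1):
            out += struct.pack("<H", int(m.group(1), 16))
        else:
            out.append(int(m.group(2), 16))
        pos = m.end()
    if pos != len(escaped):
        raise ValueError(f"trailing text at offset {pos}")
    return bytes(out)


def xor_decode(data, key=0xF4):
    """Single-byte XOR, the decode step the page says the shellcode applies with key 0xF4."""
    return bytes(b ^ key for b in data)


def looks_like_mz(data):
    """True when the decoded region starts with the 'MZ' signature of a Windows executable."""
    return data[:2] == b"MZ"


def recover_dropped_file(region, key=0xF4):
    """Apply the XOR decode to a region and report whether an executable appears."""
    decoded = xor_decode(region, key)
    return {"is_mz": looks_like_mz(decoded), "size": len(decoded), "head": decoded[:4]}


# Constructed sample: 'XX' in place of '%u', as lololo() would find it in payLoadCode.
# Decodes to five NOPs and an int3 (90 90 90 90 90 cc), not real shellcode.
SAMPLE_PAYLOAD_CODE = "XX9090XX9090XXcc90"

# Constructed sample: a fake 'MZ' header plus text, XOR'd with 0xF4 as the embedded region would be.
SAMPLE_REGION = xor_decode(b"MZ\x90\x00constructed sample, not a real executable", 0xF4)


if __name__ == "__main__":
    raw = unescape_u(deobfuscate_js_string(SAMPLE_PAYLOAD_CODE))
    print("unescaped bytes:", raw.hex())
    print("decoded region:", recover_dropped_file(SAMPLE_REGION))
```

Checking the decoded region for an “MZ” header is the quick way to confirm that the guessed key and offset are right before handing the result to an unpacker.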

[Screenshot: netstatinfection]

The DLL component is aware of several desktop security products. It attempts to terminate them before it collects private data–such as information about the operating system, CPU speed and type, the list of available drives, the logged-in user’s account name, and credentials for several programs (such as MSN Messenger). What is really bad about this piece of malware is its backdoor component. The sneaky code is capable of connecting to its creators and waiting for instructions telling it what to do next. Besides common backdoor functionality like uploading, downloading, and moving files–which allows data theft and modification–the backdoor also contains a command to instruct the malware to spread to removable drives (as a worm does). This behavior can infect a corporate network, as we all know from the Conficker incident. McAfee Gateway Anti-Malware protects against this targeted attack, proactively blocking the malicious PDF document as “BehavesLike.PDF.CodeExec.EPEO.”

Q2 Threats Report Released–It’s All About Botnets and Spam

Today we released our Q2 Threats Report. Some old trends have continued. Some new trends and threats have been established, and some old “friends” have even outdone themselves. Spam volumes have increased 141 percent since March, continuing the longest ever streak of increasing spam volumes. We also highlight the dramatic expansion of botnets and the threat from AutoRun malware.

More than 14 million computers have been enslaved by cybercriminal botnets, a 16 percent increase over last quarter’s rise. The report confirmed our first-quarter prediction that the surge in botnet growth would send spam levels to new heights, surpassing their previous peak in October 2008 before the takedown of the spam-hosting ISP McColo.

Our researchers also found that over the course of 30 days AutoRun malware had troubled more than 27 million files. AutoRun malware, which exploits Windows’ AutoRun capabilities, does not require any user clicks to activate, and is most often spread through portable USB and storage devices. The rate of detection surpasses even that of the infamous Conficker worm by 400 percent, making AutoRun one of the most prevalent pieces of malware in the world.

Some of the other areas we cover and discuss:

Cybercrime as a Service
As the number of botnets continues to grow, malware writers have begun to offer malicious software as a service to those who control these bots. By exchanging or selling resources, cybercriminals distribute new malware to wider audiences instantaneously. Programs like Zeus–an easy-to-use Trojan creation tool–continue to make the creation and management of malware even easier.

Cybercriminals Target Twitter, Social Networks
Twitter’s growth in popularity has made it a new target for cybercriminals in the last three months. Malware like the “Mikeey” worm and new variations of the Koobface Trojan attack users through tweets and abbreviated URLs. Spam Twitter accounts are becoming increasingly prevalent. Twitter administrative accounts have also been hacked on multiple occasions, giving cybercriminals access to the private accounts of celebrities and politicians, such as Britney Spears and Barack Obama and even allowing for the publication of sensitive internal strategy documents on the Web. Facebook and MySpace remain strong attack vectors for cybercriminals. In May, spam messages on social networks pointed users to more than 4,000 new Koobface binaries!

To view the McAfee Q2 Threats Report, go here.

Fight Against Cybercrime Gets Organized

The fight against cybercrime has shown some very promising progress over the last few years. We are certainly not where we want to be, but we’re on a good path. McAfee’s own Initiative to Fight Cybercrime has been in force for more than a half-year. Recently our Cybercrime Response Unit was launched; it’s an online help center designed to assist victims (and people who suspect they may be victims) of cybercrime. But best of all: We are not alone!

McAfee has teamed with many other companies and institutions to form the Conficker Working Group and has set a precedent that raises hope for the future. Just this week I attended the Counter eCrime Operations Summit (CeCOS) in Barcelona, Spain. The event was hosted by the Anti-Phishing Working Group (APWG). This year’s meeting focused on the development of response paradigms and resources for managers and forensic professionals who fight ecrime. There were a number of very useful presentations and panels on user education, better interaction among various entities, and case studies on how successful this can be.

Even more important were the small meetings outside the official program, connecting researchers from security companies, CERTs, and law enforcement agencies throughout the world with each other and talking over how we can improve the current situation. This has been a very productive week. At least I now have some hope for the future! ;)

McAfee Releases First-Quarter Threats Report

Today McAfee Avert Labs released its Threats Report for the first quarter of 2009. In it we reveal that cybercriminals have taken control of almost 12 million new IP addresses since January, a 50 percent increase since 2008. The United States is now home to the largest percentage of botnet-infected computers, currently hosting 18 percent of all zombie machines. Seems the bad guys are attempting to recover from last November’s takedown of a central spam-hosting ISP by rebuilding their army.

Other Key Findings

The Koobface virus has made a resurgence, and more than 800 new variants of the virus were discovered in March alone.

Servers hosting legitimate content have increased in popularity with malware writers as a means for distributing malicious and illegal content.

Cybercriminals are increasing their use of URL redirects and Web 2.0 sites to disguise their locations.

Compared with the overall landscape, the Conficker worm represents a small subset of all threat reports. AutoRun malware, on the other hand, represented 10 percent of reported detections during the first quarter–quite a bit more than Conficker itself.

You can find the full text of the “McAfee Threats Report: First Quarter 2009” here.

Conficker on the prowl after the 1st…

So April 1st came and went, and it seemed that all might be right in the post-Conficker world…

Of course, nothing is that easy. With the latest activity, there is also a continual flood of information out there. Below, I have attempted to aggregate the new functionality.

Around April 7th/8th Conficker started to move again. Our peers were able to confirm this new update functionality.

When it did wake, it used the peer-to-peer (P2P) communication channel to call home rather than the HTTP rendez-vous to start its latest escapade. In this case, the infected host will be contacted initially by another host over an ad-hoc P2P connection. Kind of like an alarm clock. Then, after hitting the snooze button over a period of several hours, the communication begins again – starting this time from the infected host.

Conficker is definitely not in any rush to tango. Communication is done in such a manner that this traffic (aka update) may go unseen – or at least mostly under the radar, by using fragmented and irregular UDP communication.

So what happens next? When this P2P communication stream ends, our host is basically told to go to a domain and download a file. This is when TCP comes into play. Our infected host goes out to an address and an encrypted executable file is downloaded. Once executed, it could contain malware such as the ever-changing FakeAlert or even Waledac. So at the end of this round, we may be left looking at something similar to the below screenshots:

We have also seen some hosts serving up a Waledac payload. (Realistically, it may contain anything that the bad guys are serving up on those domains.)

These downloads are detected as FakeAlert-SpywareProtect and Waledac.gen.b respectively.

Also downloaded as part of the payload, we again have the MS08-067-like “hot” patch. This time however, it is closer to the original patch – so as to elude detection. (Note: our McAfee Conficker Detection tool is in process of being redesigned to allow detection of the latest variants).

There are also two other notes of interest. The first of which is that we have a new deadline to watch. On May 3rd this latest variant is set to expire.

Thinking aloud, this point brings some interesting questions to mind. Such as – Is this just a test from the Conficker crew who are serving up Waledac incidentally? Or is this done for other self-serving reasons? (i.e. – Attention diversion) Maybe it’s just a deadline for a rented botnet? Interesting questions I am sure the security community at large is wondering.

Second, when an infected host resolves an HTTP rendez-vous domain name, it compares the resolved IP with the list of IPs it has already queried; if the new IP is already in the list, it moves on to the next domain in its list.

Of course, we will update if anything else comes along…

New Conficker Variant

McAfee Avert Labs has received a new variant of the infamous Conficker worm. Like the previous variants, this one also spreads using the MS08-067 vulnerability in Microsoft Windows Server Service. But unlike the previous variants, which arrived as a Windows DLL file, this variant seems to arrive as an .EXE file.

Detection for this variant of the worm will be available as W32/Conficker.worm.gen.d from the upcoming 5579 DAT release. Users of McAfee Artemis Technology are already protected in real time against this threat.

We have also updated our stand-alone cleaning tool–Stinger–to detect and clean this variant.

More information on this variant of the Conficker worm is available here. McAfee’s coverage and protection for the MS08-067 vulnerability is available here.

For measures to protect yourself and your organization against Conficker, please visit:

We will continue to monitor this threat in our labs, and will update our blog with any new findings.