Q1 2009 Threat Summary
The Conficker Worm
Quarter 1 of 2009 has been dominated by the Conficker network worm.
The sustained growth of malicious software (malware) during the last few years has been driven by crime. Theft – whether it is of personal information or of computing resources – is obviously more successful when it is silent and therefore the majority of today's computer threats are designed to be stealthy. Network worms are relatively "noisy" in comparison to other threats, and they consume considerable amounts of bandwidth and other networking resources. Worms spread very aggressively and can be quite difficult to control. They are not generally the weapon of choice for today's eCriminal.
Infamous worms of the past such as Blaster, CodeRed, Melissa, and Nimda were authored more by hobbyists than by professional criminals. The Conficker worm, also known as Downadup, is quite different and may be an indication of threats to come. Analysis of its code reveals that it has in fact been authored by today's "professional" class of malware authors. While some of it is disorganized, the code is clearly not something that was written by an amateur. It is complex code and demonstrates a sophisticated understanding of the security systems that must be circumvented for the worm to spread. Conficker utilizes server-side polymorphism and Access Control List (ACL) modifications to make network disinfection particularly difficult. When Conficker infiltrates a Local Area Network (LAN), removal can be a very time-consuming and possibly frustrating task.
Conficker exploits a vulnerability (MS08-067) in the Windows Server service. (The MS08-067 vulnerability was patched in an out-of-cycle update in October 2008.) It also does much more than this. Conficker uses autorun-worm techniques, spreading itself via removable USB thumb drives. Once it has infected a computer, it attempts to access Network Shares and also attempts to crack local account passwords. If Conficker compromises an administrator account, it uses the Windows Task Scheduler service to spread itself to non-infected computers. Those computers, having received the Scheduled Task from an "administrator" account, proceed to execute and run the worm without question.
To exploit MS08-067 successfully, the Conficker worm needs to determine which language version of Windows it is attacking. Earlier versions of Conficker were somewhat limited in their ability to make this distinction because they relied on a GeoIP location query over the Internet: the GeoIP database mapped the target's IP address to a geographic location, and the worm chose its exploit accordingly. When attacking a computer located in the USA, the worm attempts to exploit the English language version of Windows. If the IP address of the computer under attack is located in China, the worm attempts to exploit the Chinese language version of Windows, and so on.
The providers of the GeoIP database used by Conficker.A renamed and moved their database in order to deny Conficker the ability to locate its victims. Conficker.B responded to this change by integrating a small GeoIP database within its own code. Other small improvements in the worm's code led to significant results.
The B variant of the Conficker worm spread rapidly during the months of January and February, infecting millions of computers worldwide. Countries such as China, Brazil, Russia, and India topped the list of infection counts. During the same period, there were many reported instances of European networks that were compromised. The out-of-band MS08-067 update arrived in October, shortly before the December holidays, when testing resources were scarce, and many organizations had not deployed it by the time variant B became a serious threat.
With a swiftly growing number of infections and the potential threat of the worm "calling home" to its authors, a number of companies within the antivirus industry, including F-Secure, banded together to form the "Conficker Working Group". The group has successfully worked together with Internet Domain Registrars from many countries to block the domain names that Conficker attempts to contact. Blocking the worm's attempts to call home prevents the worm's authors from using the infected computers for criminal purposes. This successful monitoring of the worm continues against the current variant, Conficker.C, which greatly increased the number of domains to which it attempts to call home.
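As an added, defender-side illustration (this is not part of the original report and not F-Secure code), the script below scans DNS resolver log lines for hosts that burst through many distinct failed lookups in a short window. When call-home domains are blocked or withheld from resolution, as described above, an infected host that walks a long list of candidate domains produces exactly this pattern, while a user mistyping one hostname or a host with occasional failures spread over hours does not. The log format, IP addresses, domain names and thresholds are all constructed assumptions for the example.

```python
"""Flag hosts whose DNS failures look like malware cycling through many
call-home domains. Constructed example; not code from the original report."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in an assumed "timestamp client domain rcode" layout.
# 10.0.0.9 bursts through six distinct non-existent domains in two seconds,
# 10.0.0.5 has a single typo, and 10.0.0.7 has six failures an hour apart.
SAMPLE_LOG = """\
2009-03-31T10:00:01 10.0.0.5 www.example.com NOERROR
2009-03-31T10:00:02 10.0.0.5 mail.example.com NOERROR
2009-03-31T10:00:03 10.0.0.9 qzkxwpa.info NXDOMAIN
2009-03-31T10:00:03 10.0.0.9 bnmtrsl.biz NXDOMAIN
2009-03-31T10:00:04 10.0.0.9 vhqlowe.org NXDOMAIN
2009-03-31T10:00:04 10.0.0.9 tdyrnak.net NXDOMAIN
2009-03-31T10:00:05 10.0.0.9 kpxuzwq.cc NXDOMAIN
2009-03-31T10:00:05 10.0.0.9 fmlorsa.ws NXDOMAIN
2009-03-31T10:00:07 10.0.0.5 typo.exmaple.com NXDOMAIN
2009-03-31T10:30:00 10.0.0.7 one.example.net NXDOMAIN
2009-03-31T11:30:00 10.0.0.7 two.example.net NXDOMAIN
2009-03-31T12:30:00 10.0.0.7 three.example.net NXDOMAIN
2009-03-31T13:30:00 10.0.0.7 four.example.net NXDOMAIN
2009-03-31T14:30:00 10.0.0.7 five.example.net NXDOMAIN
2009-03-31T15:30:00 10.0.0.7 six.example.net NXDOMAIN
"""


def parse_log(text):
    """Parse log lines into (timestamp, client, domain, rcode) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, client, domain, rcode = line.split()
        events.append((datetime.fromisoformat(ts), client, domain.lower(), rcode))
    return events


def flag_suspicious_resolvers(events, window_seconds=300, threshold=5):
    """Return {client: peak distinct NXDOMAIN names seen within one window}
    for every client whose peak reaches the threshold.

    A sliding window over each client's time-sorted failures separates a
    burst of distinct failed names (call-home probing) from the same number
    of failures spread thinly over a day (ordinary noise)."""
    window = timedelta(seconds=window_seconds)
    failures = defaultdict(list)
    for ts, client, domain, rcode in events:
        if rcode == "NXDOMAIN":
            failures[client].append((ts, domain))

    flagged = {}
    for client, items in failures.items():
        items.sort()
        peak = 0
        start = 0
        for end in range(len(items)):
            # Advance the window start until it spans at most window_seconds.
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = len({domain for _, domain in items[start:end + 1]})
            peak = max(peak, distinct)
        if peak >= threshold:
            flagged[client] = peak
    return flagged


if __name__ == "__main__":
    for client, peak in sorted(flag_suspicious_resolvers(parse_log(SAMPLE_LOG)).items()):
        print(f"{client}: {peak} distinct failed lookups within 5 minutes - investigate")
```

Only 10.0.0.9 is reported with the default five-minute window; widening the window to several hours also catches 10.0.0.7, which shows why the window and threshold should be tuned against a network's own baseline rather than copied blindly.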
More information about Conficker is available from our Security Labs Blog:
- MS08-067 Worms
- MS08-067 Worm, Downadup/Conflicker
- How Big is Downadup? Very Big
- Downadup, Good News / Bad News
- Conficker Q&A
- Post April 1st Conficker Q&A
Facebook has become the leading Social Networking website, growing to 175 million accounts during Q1 2009. Estimates project Facebook reaching 300 million accounts by the end of 2009. As its user audience grows, Facebook has become a more attractive target to eCriminals and fraudsters, leading to the development of Facebook-specific threats, such as:
Facebook 419 scams – Numerous incidences of 419 style "advance fee frauds" are being reported. Compromised accounts, taken over either through phishing or through password-stealing malware, are being used to scam the victim's social networking friends. Typically the compromised account sends out a request for help and assistance, claiming that money is needed because the victim is supposedly stuck abroad without any cash. There have been a number of confirmed reports in which friends have wired money to the scammers.
Error Check System – Some unscrupulous application developers using Facebook's API have attempted to trick users into installing their applications, such as "Error Check System". When installed, "Error Check System" sent messages to the victim's friends. The notification message prompted Facebook users to resolve an "Error" by clicking the notification link. Spam is the likely goal of the people behind the application, though spreading links to malicious external sites is another possibility. Facebook's recent layout changes appear to have limited this issue.
Group defacements – Facebook began to allow the changing of Group names during the month of March. There are already reports of hijacked and defaced groups. Fox News reported in early April that a Group centered on Judaism was defaced with a name referencing Adolf Hitler. There are many other claims of religion-focused Groups being renamed. As with website defacements, attackers also attempt to steal the passwords of Group administrators in order to cause offense.
Other Social Networking sites are emerging and growing rapidly, such as Twitter. These sites are contributing to a rapid sharing of links and other information. What remains to be seen is whether all of the links being shared can be trusted, or if criminals will attempt to inject malicious links into such systems.
Identity theft and credit card fraud issues continue with two notable database breaches that occurred during Q1.
Monster UK (monster.co.uk) was compromised as a result of malware targeting the corporate recruiters. From these corporate accounts, the malware was able to access the applications of those submitting their CVs/resumes. Tens of thousands of individuals had their personal data scraped from the job search site.
In January, Heartland Payment Systems Inc. reported a massive data breach. Heartland processes payments for a large number of U.S. retailers, thus potentially compromising an enormous number of accounts.
Curse – The "Curse of Silence" exploit against several current versions of Symbian S60 phones was demonstrated at the end of December, 2008. The exploit was very easy to utilize and a video demonstrating how to perform it was quickly distributed on the Web. The exploit jams the victim's SMS messaging.
Many network operators reacted quickly and started filtering their SMS traffic so as to prohibit the exploit message. Nokia later released a free recovery utility called "SMS Cleaner". The exploit was, at best, a potential nuisance with little profit motive, and has not been widely reported to have been used.
Latitude – In February, Google Latitude was introduced for the very popular mobile Google Maps application. Google Maps has the ability to locate the phone based on GPS or cell tower positioning. The Latitude add-on allows users to "broadcast" their location to approved individuals using their Google account IDs. The service is easy to use and is a likely indicator of things to come. Location-based applications are in high demand and many other service providers seek to offer solutions with a Social Networking focus. The introduction of Latitude has alarmed some privacy advocates, but so far users have control over their own information.
FlexiSpy – A well known Spy Tool began offering an iPhone version during Q1, 2009. FlexiSpy for iPhone requires the phone to be "jailbroken". The software's features include hiding the interface icon as well as hiding the fact that the phone itself has been jailbroken. FlexiSpy tracks the phone's usage (SMS, e-mail, GPS, etc.) and sends the collected data to FlexiSpy's website, from where the phone's owner, or another party, can view the logged reports.
Sexy View – Worm:SymbOS/Yxe.A was the most significant mobile malware case of Q1. The Yxe worm is the first discovered SMS worm, and is spreading largely in China.
Yxe is also the first malware that is compiled to run on Symbian S60 3rd Edition phones. The S60 3rd Edition platform is protected largely by requiring applications to be Symbian Signed. In the case of Yxe, a leaked, valid certificate was used to sign the worm, so very minimal user interaction was required for installation.
Yxe infects a phone by sending the victim an SMS message that promises a "sexy view" and celebrity gossip. The SMS links to a website that then prompts the victim to install the Yxe worm. If the victim does so, the worm uses the victim's Contact list to spread itself further. The victim's contacts receive a message that appears to be coming from their friend, and so the worm continues to spread via Social Engineering. On installation, the worm reports the phone number back to the website from which it was downloaded.
SMS spam is a large problem in China with hundreds of billions of spam messages reported. This harvesting of phone numbers is very similar to the harvesting of e-mail addresses seen on PCs in 2002. Several network operators have been fined as China works to shut down access points that allow the sending of SMS spam.
In January, "cracked" yet fully working copies of iWork 2009 were distributed on popular file sharing websites. Those seeking a "free" version of iWork 2009 also received a nasty surprise included with the installation package. Downloading and installing the pirated copy of the software installed a backdoor application called iWorkServ.A.
Installation of software on Mac OS X requires the user to supply his administrative password. Any malicious software must therefore provide some kind of social engineering pretext to trick the user into entering that password. In this case, however, the user is already prepared to enter the password in order to install the "free" software. Additionally, the installation does provide functional software as promised, giving the victim very little clue that his system has been compromised.
A version of Adobe Photoshop for Mac was also used as bait by this malware gang.
There is increasing evidence of malware gangs that are interested in and prefer to target Macs.