Security Now 193
Recorded: April 22, 2009
Published: April 23, 2009
Security Now 193: Conficker
News & Errata
01:30 - 02:14
- Security Now is 7 away from Episode 200 and Steve is looking forward to episode 208 -- a milestone which ends their fourth year of podcasting.
- Steve has never missed an episode in four years.
07:27 - 09:50
- The defendants in the Pirate Bay case were found guilty.
- They were sentenced to 1 year in prison and ordered to pay 30 million Kroner to various media companies who brought the suit.
09:51 - 13:05
- Amazon UK is going to block Phorm from scanning its pages.
13:06 - 14:49
- Verizon has said it responded in 2008 to at least 90 confirmed data breaches involving on the order of 285 million consumer records.
- The size of the breaches in total was larger than all of the breaches in 2004, 2005, 2006, and 2007
- Breaches at banks and financial institutions were responsible for 93 percent of all such records compromised last year
- Due to the increased supply in stolen details the price of them has fallen on the black market
14:50 - 26:55
- The Pentagon found spies in the network for the Joint Strike Fighter project
- The network was hacked and several terabytes of files which were encrypted by the bad guys before leaving the network were stolen
- They know that it was the design and the avionics material which was taken.
26:57 - 31:58
- Printer and file sharing is enabled by default on Vista and XP for the local network only
- Which means if your on open Wifi all of your file and printer sharing ports are open to each other by default
- To counter this unbind printer and file sharing from Wifi
31:59 - 33:26 (Jerry)
A listener couldnt make a image of his harddrive due to write errors. Check disk found no errors but it still wouldn't work. He ran Spinrite in level 2 and it didn't fix the problem, so he ran it again in level 4 and it fixed the problem.
36:06 - 01:42:48
36:06 - 48:25
- Whoever wrote Conficker really understands the technology and isnt a script kiddy
- The way Conficker generates domain names hasn't been seen before
- Conficker is highly multi threaded
- A computer does one thing at a time
- As computer science evolved it was nice to have a program do more than one thing at once
- Windows had one approach called a messaging paradigm, where you'd have message loop, and it would go and do something, then come back to the message loop and get the next thing to do and go do that and then come back. this was one way of creating a feeling of asynchronous events.
- Another way to do it is with threads
- A thread is a chain of instructions (thread of execution) such as add, compare, jump, store, load.
- Its possible to start multiple threads at once
- But as a computer can only do one thing at once, when a thread is running the operating system will halt it and let the other thread run.
- This switching happens so quickly and so often that the effect is that two things are being done at once.
- There's no practical limit to how many you can have. At some point, if you have thousands of threads, or maybe tens of thousands of threads, switching among them all becomes a problem because it takes so long to get back to any one thread, and then you begin to have some overhead associated with switching threads.
- If you have multiple cores you can run multiple threads at the same time
48:26 - 52:03
- On October 23rd 2008 Microsoft patched a remote execution flaws
- This exploit meant a packet could come in on port 445 connect to the RPC service and it was then able to take advantage of a small defect in Windows that would cause the payload that it provided with a packet to be executed.
- Conficker caused the computer that had received this packet to open a reverse connection in the other direction, back to the IP provided in the packet, and establish a connection to a service that Conficker was also running in that attacking machine that would cause the victim to download all of Conficker.
- The first arriving infection was not Conficker, it was a packet that only had enough code in it to cause that victim machine to reach out and download Conficker from that source target.
- Many computers were automatically protected from this exploit as ISP's block port 445 at their borders.
52:04 - 55:15
- A NAT router would also prevent this if it had UPNP disabled.
55:16 - 57:03
- Conficker is a worm because without any user interaction it can infect other computers.
- The difference between Conficker and MSBlast or Code Red is that they tried to find other computers to infect really rapidly.
- Conficker only sends out about 4 packets a second.
57:04 - 01:01:25
- This is so users wont notice it using lots of bandwith and makes it harder to find
- Conficker A would immediately abort if the keyboard layout of the computer it had entered was Ukrainian
- This suggests it may have been made by someone in the Ukraine
- Baka software is a suspect as:
- A would use A's protocol to spread version A. B would use B's variant protocol to spread version B
- But in this case it was using A's protocol to spread version B and it was from an IP known to be used by Baka software
01:01:26 - 01:07:56
- It started taking advantage of the vulnerability in windows on November 10th
- This was 18 days after the patch had been released and Conficker is too big to have been written in that short amount of time so it must have been already written waiting for a vulnerability to be found.
- The payload of Conficker is a DLL that is compressed with UPX
- Even if you decompress the EXE it doesnt look like regular code as it doesnt decrypt itself until it is in RAM.
- It installs itself in the svchost.exe process
- Conficker injects itself into an existing instance of svchost.exe by injecting a thread and causing the thread to run load library, that loads the DLL into the process.
- The way a DLL loads is there's an initialization stub at the beginning of the DLL that Windows calls in order to let the DLL set itself up.
- That stub is always returned from. And after that returns, there's a return code, success or fail.
- So it's possible for the DLL to say, whoops, whatever it is I needed I didn't find here, so terminate me.
- Or the DLL is able to say, hey, everything's fine, I'm ready to stay resident here in this process. So Windows waits for that return in order to list the DLL among those that are part of this process.
- Conficker never returns from that initialization. It accepts the fact that it's running, and it spawns a bunch of threads to do all kinds of things, never goes back to Windows.
- So Windows never lists it as a DLL that's part of the process.
- It also has a null string name when it registers as a process.
- It does so with an empty string name, and it flags itself as "Make me invisible," which is one of the status bits that a process is able to set.
01:07:57 - 01:17:07
- Conficker look's up its public IP on sites such as www.getmyip.org
- Then does a geo location look up and uses this to avoid attacking computers in Ukraine.
- The A variant of Conficker was the first malware to use a pseudo random number generator to generate psudeorandom domain names.
- It would use the UTC time stamp on the header of a page to seed the number generator.
- It would then attempt to connect to port 80 on the webserver and if it downloaded a binary file verify it.
- The B variant removed the keyboard detection feature, but still filtered out Ukrainian IP's
- Also it began blocking access to antivirus websites.
- All versions of Conficker prevent other malware from exploiting the exploit it used to get in by patching it.
- The B version also started using anti debugging and reverse engineering technology.
- The B version also includes the geo IP database internally.
01:17:08 - 01:25:31
- Conficker digitally signs updates
- The block of executable code is hashed A uses SHA1, B uses MD6
- MD6 was released two weeks before Conficker B used it
- There was a buffer overun glitch in the first release of MD6
- Code hashed 512 bit hash
- Hash used as symmetric encryption key for RC4 stream cipher
- Then signed using public key
- Hash raised to power of private key taken Mod N to create the signature
- The signature is then append to end of the package
- When the package is received by the victims computer it reverses the process to decrypt it
- This will only work if the author with the private key signs the update
- A uses 1K bit modulus
- B uses 4K bit modulus
- The A variant generates 250 domains a day
- This made it easy for anti Conficker people to preregister the domains.
01:25:32 - 01:28:00
- On April 1st 2009 Conficker started generating 50,000 domains name up from 250
- 500 from this list are randomly selected to check for updates
- The C variant uses 110 different top level domains.
01:28:01 - 01:33:30
- The only way for the A variant to cause infections was to send a SMB packet to port 445 and try to exploit the vulnerability.
- The B variant added two other ways to cause infections which were removed from C.
- B would use NetBios shares and try 240 common passwords to try and get in
- In corporate networks this would cause accounts to be locked out due to many failed login attempts
- If B found a removable drive it would copy itself to the removable drive and edit the autorun file to make it run when plugged in again.
- C would try and propogate by using a 'Named Pipe' in the Windows API.
- Conficker gives itself a random name in the system 32 directory
- It also sets it date stamp to the same time as Kernel32.dll
01:33:31 - 01:42:48
- Conficker sets up multiple threads
- One thread to disable known security product services such as windows update
- If a DNS look up returns more than one IP it ignores it.
- If it returns a stub IP it also ignores it.
- If it ever gets the same IP for two domains it ignores it
- It also maintains a list of blacklisted IP's
- It also ignores invalid IP's
- The E variant installs scareware onto computers
Leo: Steve, how do you explain this? This is not something that is hard to protect. These are valuable, hundreds of billions of dollars' worth of valued state secrets. First of all, why is this stuff even on Internet-connected computers?
- Ad Time: 00:33 - 00:44 and 04:19 - 07:20
- Ad time: 00:46 - 00:59 and 33:30 - 36:05
- Recorded Date: April 22, 2009
- Release Date: April 23, 2009
- Duration: 01:43:59
- Log line:
- Edited by: Tony
- Notes:Re edited due to background noise from Leo's track. Part of his phone conversation was also recorded.
|This area is for use by TWiT staff only. Please do not add or edit any content within this section.|