Monday, March 30, 2009

Security Alert: Update on Conficker.C

Websense Security Labs researchers Nicolas Brulez and Elad Sharf have just published a great post updating the status of the Conficker.C worm.

The entire security alert can be viewed here: http://securitylabs.websense.com/content/Alerts/3329.aspx

Note that Livia Web Protection customers who use the filtering to block access to all security-threat web sites are protected from this worm.

Because Livia Web Protection uses the industry-leading URL database from Websense, and Websense has the worm's domain name generation algorithm (more on this in a separate update) and is proactively classifying the URLs it produces, machines already infected with Conficker will be prevented from phoning home for updates. In addition, Websense is actively classifying the malicious binary executables and Web sites through generic and specific detection, and through ThreatSeeker Network Web Reputation.

From Websense Security Labs - - - -

April's approach has created a lot of chatter about Conficker, a worm largely considered to be one of the most widespread infections in recent years. Some estimates put peak infection at over 10,000,000 hosts. A large effort has been made by the white-hat community and the Conficker Cabal Group to mitigate Conficker infections, and with success. The current estimate indicates that the number of infected hosts has fallen to 1 to 2 million, which is still a very large number when factored against recent bot counts.

There is a good deal of speculation about what's going to happen on April 1, a special date that is hard coded into the latest variant of the worm's binary file. The wider Internet community is fortunate in that some very good research has been conducted into the different variants of the worm: A, B, B++ & C.

In this blog entry we're going to focus on and recap the major changes in the C variant, including some ideas on how to deal with it. In addition, we'll draw some conclusions and make a few predictions.

First things first:

Protect yourself
The Conficker worm propagates in 3 ways: MS08-067 propagation, NetBIOS shares, and removable media drives (USB, FireWire, etc.). The first step in protection is to make sure that you're patched: go to Windows Add/Remove Programs and verify that update KB958644 is installed (a shortcut is to open Run and type 'appwiz.cpl').

If you're a system admin, verify that you have applied the patch to all of your systems. NetBIOS propagation is done by brute-forcing administrative shares (ADMIN$ shares). The worm uses a pre-defined list of commonly used passwords and, if it succeeds in brute-forcing a machine, creates a scheduled task to run itself. So make sure you use strong passwords and that strong password policies are in place.

The last propagation technique, and one of the most frustrating, is removable media. The worm copies itself from the infected host to its local removable drives, and when an infected drive is attached to another computer that has AutoRun and AutoPlay enabled, it may social-engineer the user into running the worm. This is best addressed by disabling both AutoPlay and AutoRun (which aren't the same thing).

If you suspect you're infected you can check for symptoms. (Recovery and more preemptive measures here.)

Conficker blocks access to URLs and sites that contain specific strings, to stop the user from downloading detection or removal tools, so a good way to verify a suspected infection is to try to reach sites from the list below, for example microsoft.com or virusscan.jotti.org.

Confirm that you have Internet access before testing access to a blocked site. Be cautious about jumping to quick and possibly incorrect conclusions.
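The reachability check above, with the caveat about confirming connectivity first, as an added example that is not part of the original post or Websense's tooling. It probes the two sites the post names plus an assumed control site (CONTROL_SITE, a placeholder for any site the worm does not block) and only reports "suspected" when the control site answers but every listed site fails; a machine with no network at all is reported as such rather than as infected.

```python
"""Triage a suspected Conficker infection from site reachability.

Added example, not from the original post or Websense. Standard library
only; CONTROL_SITE is an assumption standing in for any site that is not on
the worm's block list.
"""
import socket
import urllib.request
from urllib.error import HTTPError, URLError

# Sites the post says the worm blocks; extend with the rest of the published list.
BLOCKED_BY_WORM = ["http://www.microsoft.com/", "http://virusscan.jotti.org/"]
# Assumed control site: anything the worm does not block will do.
CONTROL_SITE = "http://example.com/"


def reachable(url, timeout=5):
    """True if an HTTP request to url gets any response from the server."""
    try:
        with urllib.request.urlopen(url, timeout=timeout):
            return True
    except HTTPError:
        return True  # a 404 or 403 still proves the site was reachable
    except (URLError, socket.timeout, OSError):
        return False


def classify(control_ok, results):
    """Turn probe results into a verdict.

    results maps url -> reachable?. The control site decides whether the
    network is up at all; without it, an unreachable microsoft.com would be
    misread as an infection on a machine that simply has no connectivity.
    """
    if not control_ok:
        return "no-connectivity"   # cannot conclude anything yet
    if all(results.values()):
        return "no-symptom"        # not proof of a clean host, just no block seen
    if any(results.values()):
        return "inconclusive"      # some sites failed; could be a transient fault
    return "suspected"             # every listed site failed while control is fine


def triage():
    """Probe the control site first, then the sites the worm is known to block."""
    control_ok = reachable(CONTROL_SITE)
    results = {u: reachable(u) for u in BLOCKED_BY_WORM}
    return classify(control_ok, results), results


if __name__ == "__main__":
    verdict, results = triage()
    print(verdict, results)
```

The verdict is deliberately conservative: "suspected" is a reason to run a removal tool from a known-clean machine, and "no-symptom" only means this particular block was not observed.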

Preserve the investment
Curiously, the Conficker C variant doesn't have any propagation methods. The update from the previous variants to the C variant, which began around March 4, doesn't include the propagation functionality mentioned earlier.

So the latest variant just sits there, you ask? In a way, yes. It waits on infected machines for orders to come through. Bear in mind that most of the Conficker variants on infected hosts haven't been updated to the C variant. Of course, A, B, and B++ still propagate. And there are more changes.

The authors made some important updates to the C variant, including more protection mechanisms and peer-to-peer functionality. It's estimated that only 15% of the previous variants' code was preserved. This makes sense if the first purpose of the worm was to infect as many machines as possible, while the new variant is aimed at preserving and protecting the investment, keeping the number of infected hosts as large as possible.

The new functionality in the C variant consists of countermeasures to the efforts of the security community, like the Conficker Cabal, against the worm. The latest variant shifted from a propagative mode to a preservation mode--for now; not having propagation functionality doesn't mean the authors can't update it, at will, to have one.

Domain Generation Algorithm (DGA): What's going to happen April 1?
What's going to happen on April 1? This date is hard coded in Conficker.C, which is why a lot of attention is focused on it. On that date, Conficker will update its domain generation algorithm to produce 50,000 domains per day and will try to access 500 of those once a day. This is one of the countermeasures the worm's authors introduced in response to the Cabal group's successful effort to block the registration of the 250 domains that the older variants (A, B, and B++) try to access each day. This change, starting April 1, 2009, only affects already-infected machines. It means that Conficker C on those machines will generate a list of 50,000 domains a day and will actually try to access 500 of them.

Only the people behind Conficker know which domains they're actually going to register and activate. They could, in fact, register only one domain a day (or fewer, or more), but when they do--if the Cabal Group doesn't interrupt them again--the infected machines will try to access those domains and potentially receive updates telling them to do something. It doesn't necessarily mean the worm will do something bad that day, since that depends on whether an update is available for the worm to download. Besides, the latest variants are equipped with a P2P mechanism, so orders may already have been relayed to the bots.

When the people behind Conficker decide it's time to do something that will earn them money, like stealing data, issuing DDOS attacks, sending spam, etc., they will be able to do so at will. It doesn't have to be on April 1. Our assumption is that the people behind Conficker are waiting until some time after that date so that as many bots as possible have been updated. Time equals money, and it's logical to assume that something is going to happen soon enough. It also seems that those behind the worm are examining their options carefully and may even be exploring more "business" relations to decide which path will be the safest and most profitable.

Reverse-engineering the Domain Generation Algorithm
At Websense Security Labs, we reverse-engineered the different Conficker variants to discover the domains the worm will try to contact each day. As mentioned, the latest C variant generates a list of 50,000 domains a day. Of those, the worm will try to access 250 domains.
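Knowing the daily domain lists is useful on the defender's side as well: an infected host will resolve hundreds of that day's names, so matching DNS query logs against the list flags infected machines. The block below is an added example, not Websense's code or Conficker's actual generation algorithm. The per-day domain sets and the log lines are constructed placeholders standing in for real reverse-engineered lists and real resolver logs, and the log format (timestamp, client IP, queried name) is assumed. It serves both the DGA discussion above and the summary's point about using the domain lists proactively.

```python
"""Match DNS query logs against per-day DGA domain lists.

Added example, not Websense's code. DGA_DOMAINS and SAMPLE_LOG are
constructed placeholders, not Conficker's real generated domains.
"""
import re
from collections import defaultdict
from datetime import date

# Constructed per-day lists of domains a reverse-engineered DGA is known to
# produce; placeholders for the real 50,000-entry daily lists.
DGA_DOMAINS = {
    date(2009, 4, 1): {"qwrtzp.biz", "mxkvls.info", "plqzwe.org", "example.com"},
    date(2009, 4, 2): {"zzvkqw.net", "ptrmkl.biz"},
}

# Assumed log format: "<ISO timestamp> <client ip> <queried name>"
LOG_LINE = re.compile(r"^(\d{4})-(\d{2})-(\d{2})T\S+\s+(\S+)\s+(\S+)$")

# Constructed resolver log: one host probing several listed names, one host
# hitting a single name that happens to collide with a legitimate site.
SAMPLE_LOG = """\
2009-04-01T08:00:01 10.0.0.5 qwrtzp.biz.
2009-04-01T08:00:02 10.0.0.5 MXKVLS.INFO
2009-04-01T08:00:03 10.0.0.5 plqzwe.org
2009-04-01T08:00:04 10.0.0.7 example.com
2009-04-01T09:00:00 10.0.0.9 www.microsoft.com
2009-04-02T10:00:00 10.0.0.5 zzvkqw.net
garbage line that does not parse
"""


def normalize(name):
    """Lowercase and strip the trailing dot that DNS logs often include."""
    return name.lower().rstrip(".")


def scan_log(text, dga_domains=DGA_DOMAINS):
    """Return {client_ip: set(matched domains)} for queries on a day's list.

    Only the list for the query's own day is consulted: the worm generates a
    fresh list every day, so yesterday's names are not evidence today.
    """
    hits = defaultdict(set)
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # skip unparseable lines rather than aborting the scan
        y, mo, d, client, qname = m.groups()
        day = date(int(y), int(mo), int(d))
        domain = normalize(qname)
        if domain in dga_domains.get(day, set()):
            hits[client].add(domain)
    return dict(hits)


def suspected_hosts(hits, min_distinct=2):
    """Hosts that queried at least min_distinct listed domains.

    A single match is weak evidence: the DGA can emit names that collide
    with legitimate sites, so one lookup may be an ordinary user. An
    infected host probes hundreds of listed names a day, so several distinct
    matches from one client is the signal worth alerting on.
    """
    return sorted(ip for ip, doms in hits.items() if len(doms) >= min_distinct)


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for ip in suspected_hosts(found):
        print(ip, sorted(found[ip]))
```

Blocking the listed domains at the resolver or Web gateway stops the phone-home, but it also hides this signal, so log the blocked lookups rather than silently dropping them; the same matching logic then runs over the block log.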

Predictions
Given the industry efforts to mitigate this problem, one of the obvious predictions is that the worm's authors will try to preserve the number of infected bots as much as possible. One potential option is to update the worm to download instructions from compromised web sites. This move could disrupt the Cabal group's efforts, since it's easier to stop the registration of new domains than to take down compromised domains with good reputations. We also predict that Conficker will restart and continue propagation through a spam-based mechanism. We don't believe that the worm's authors will rely only on updates via the P2P mechanism; they will also strive to keep using the HTTP-based update mechanism, so that the worm on infected hosts remains reachable for updates within networks that use firewalls and Network Address Translation (NAT), which disrupt P2P traffic. It seems that the group behind Conficker is considering its moves carefully. If it is indeed a China-based group, it will need some Western-based connections to commit cyber crimes more effectively. Establishing these connections is what we suspect they have been doing in the meantime.

Summary
Conficker is a large botnet that has a lot of potential to do harm. It hasn't happened just yet, and most security vendors predict it won't necessarily happen on April 1, and we agree. However, the bot gives its perpetrators a lot of power, and at some point, we believe, Conficker will do something "bad" on infected machines, like stealing data, sending spam, issuing DDOS attacks, and more. The worm might already be doing some harm by attempting to access the 50K domains it generates each day, thus DDoS'ing some legitimate sites that the worm's DGA happens to generate. Reverse-engineering the DGA and knowing all the domains the worm will try to contact gives us the ability to be proactive. The domain generation algorithm and the way the worm operates can be updated at any time.

Friday, March 20, 2009

APWG issues latest Phishing Trends Report

The Anti-Phishing Working Group today issued its latest phishing trends report, which covers the second half of 2008. There are some very startling statistics on the state of Internet security and online crime.

For example -

- The number of crimeware-spreading sites infecting PCs with password-stealing crimeware reached an all-time high of 31,173 in December, an 827% increase from January 2008 - see chart below
- Unique phishing reports submitted to APWG recorded a yearly high of 34,758 in December.
- The number of unique keyloggers and crimeware-oriented malicious applications reached an all-time high of 1,519 in July.
- Rogue anti-malware began to rise in July, skyrocketing in December to 9,287.


With all of this fraudulent activity, please be careful when surfing online, and never give your personal information out unless you are 100% sure that the site is legitimate.

To learn more about the APWG and view the full report, please visit - http://www.apwg.com/reports/apwg_report_H2_2008.pdf

Wednesday, March 18, 2009

Keep your eyes open for March Madness related online attacks

With the NCAA tourney starting, it is truly one of the best times of the year to watch hours of competitive and captivating sports play. Unfortunately, while this is one of our favorite times of the year, hackers and online criminals will try to take advantage of home and SMB Internet users and utilize this time to unleash web-based attacks. Just this week, Websense Security Labs (http://securitylabs.websense.com/) issued two separate warnings regarding March Madness related attacks.


The first alert warned of a Google search attack. If a user searched for popular March Madness-related terms in Google, malicious URLs were returned as high as the first result. Search terms that currently sit within the Top 10 of Google's Hot Trends (the most popular searches) return these malicious URLs.

If a user clicked through one of these links (such as hxxp:/[removed].de/news/nit_bracket_2009.html), they were redirected, via JavaScript code, to a Web site advising them that their machine is infected. The rogue AV Web site encourages the user to install a file called install.exe. The technique of search engine optimization (SEO) poisoning pushes the infected URLs to the top of the search results, to increase the likelihood of a user clicking through to the malicious link. Ask.com was also confirmed to be affected in this way; other search engines may have been affected in a similar manner.

The second alert this week described a massive malicious comment spam campaign brewing in the blogosphere, timed to coincide with the NCAA's "March Madness" basketball tournament. Clicking on the URLs in the blog comments associated with this spam campaign took users to a malicious Web site masquerading as a fake anti-virus scanner, or to a Web site that serves up a fake video codec download.

It should be noted that those using Livia Web Protection for Web filtering and Web security were protected from these attacks, as the dangerous Web sites and blog comments in the Websense database were blocked in real time.

For all of you NCAA basketball fans out there that aren’t using Web filtering, if you choose to go online to research teams while filling out your brackets this year, please be very cautious when clicking on March Madness related hyperlinks. Good luck with your brackets!!

Wednesday, March 11, 2009

Livia's CEO Ken Hamilton quoted in Websense release about March Madness

As hoops fans and businesses prepare for the March Madness season, Websense, Inc. (NASDAQ: WBSN), a leader in secure Web gateway technology, today reported double-digit increases in the number of sports and gambling Web sites from a year ago, as well as a trend among attackers to use major events like March Madness to spread information-stealing malware through the Web and email....

..."March Madness is an annual event that sparks management discussion about work-life balance and often puts a burden on IT to maintain business-as-usual status," said TotalTech President Ken Hamilton. "Even for companies that allow or encourage participation online during these events, having visibility and control of Internet use is critical to security. Bandwidth is also a critical concern as businesses need to ensure the network is not taxed to the point that it interferes with daily operations and business goals."

- - Livia Web Protection provides a great defense for the home user to block access to gambling Web sites and also protects against Web sites spreading information-stealing malware - -

To check out the full release from Websense visit - http://investor.websense.com/releasedetail.cfm?ReleaseID=370268


Some very interesting trends and statistics can be taken from this release regarding the growth of sports related and gambling web sites.

  • Trend among attackers to target major sporting events -- Major sporting events' Web sites are attractive to online criminals. Attackers have recently exploited the Super Bowl, Olympics and the World Cup sites. This trend, coupled with the immense popularity of March Madness, presents a risk for organizations that are not properly protected from information-stealing malicious code, spyware and other Web and e-mail threats. Even "good" sites aren't immune: in the second half of 2008 more than 77 percent of the Web sites Websense classified as malicious were actually sites with seemingly "good" reputations that had been compromised by attackers. Additionally, many sites feature Web 2.0 capabilities, allowing anyone to post user-generated content in blogs, forums and wikis, giving attackers a place to embed links to malicious Web sites and other unwanted content.
  • 23.9 percent growth in sports-related Web sites -- Since March of 2008, sports-related Web sites have grown almost one fourth, with many offering real-time game scores, player statistics and up-to-the-minute analysis. With the massive number of sports Web sites and streaming games available, mid-sized companies can expect to see a considerable drain on employee productivity and network bandwidth during the NCAA Tournament.
  • 23.7 percent growth in gambling Web sites -- Since March of 2008, gambling-related Web sites have also grown almost a quarter, creating another issue for organizations during high profile sporting events. These gambling Web sites, coupled with the wagering attraction of the 2009 NCAA Tournament, introduce additional productivity issues that often violate organizations' Internet use policies.

    Will you be watching this year's tournament online??

Why is Livia Web Protection award winning software?

In the time since Livia Web Protection's launch last July, the software has been awarded both the 2008 PTPA Media Seal of Approval and the 2008 Seal of Approval from The National Parenting Center for the software's excellence in parenting products.

We consider both of these awards a great honor, recognizing the software as a powerful tool to help families keep their children safe online.


What did they have to say??

The National Parenting Center - Seal of Approval - http://www.ptpamedia.com/winner_large.php?id=167


The National Parenting Center was founded in July of 1989 with the intention of providing the most comprehensive and responsible parenting advice to parents everywhere. The advice provided is furnished by some of the world's most respected authorities in the field of child rearing and development.

"The National Parenting Center's Seal of Approval program provides an independent testing procedure conducted to judge products introduced and marketed to the parent and child consumer market," said David Katzner, president, The National Parenting Center. "With this filtering software, our testers told us how relieved they felt knowing that Livia was working even when they could not always be monitoring their child's Web activity. That's worth the subscription right there."

Parent Tested Parent Approved - Seal of Approval - http://www.tnpc.com/

PTPA Media’s mission is to discover and appraise new products designed for children and families. We research new products and coordinate testing with parents. Award-winning products are selected based on value, functionality, quality and appeal.

“Livia Web Protection is honored to have won the Seal of Approval for excellence from Parent Tested Parent Approved,” said Ken Hamilton, CEO for Total Tech. “It’s imperative to provide parents with the best possible protection for their families and children while online. Receiving such an award directly from parents who test and utilize our software speaks highly of Livia’s performance and ease-of-use in defending children from the thousands of dangerous and objectionable Web sites that are discovered each day.”

-------------------------------------

Also, the latest version of Livia Web Protection is coming soon, extending on the already powerful content filtering framework to further aid parents in keeping children from accessing explicit online material, while protecting the entire family from new online dangers such as spyware, viruses and the constantly growing number of Web-based threats.


Tuesday, March 3, 2009

The launch of the Livia Web Protection blog

In July of last year, we introduced Livia Web Protection, a new web filtering solution for the home that safeguards families from online dangers while helping parents manage how their children use the Internet. Livia was developed to help parents keep children from accessing explicit online material, while protecting the entire family from new Web-based dangers such as spyware, malicious code and other threats.

This blog will update on the latest happenings that are going on with Livia Web Protection, from new product updates and enhancements, to awards and honors, as well as online safety tips and news stories.

We launched Livia Web Protection as the first home filtering product of its kind that was powered by industry-leading Web security technology from Websense, Inc. (NASDAQ: WBSN). Websense currently safeguards more than 42 million employees worldwide, and now Livia provides the same filtering power, delivered in a secure, simple to use home product. With a few clicks of the mouse, Livia allows families to set Web filtering policies by restriction level. Within minutes, parents can protect their children from pornographic and violent content, while securing their home systems from threats such as identity theft, phishing, and malicious code or malware.


With Livia Web Protection, parents have the option to select from pre-defined Web filtering policies that are based on different levels of protection relative to the age of their children and overall browsing habits. Once filtering levels are set, browsing to specific Web pages is either allowed or blocked, based on the category of a Web site. For example, if pornography is blocked and a child accidentally browses to an adult Web site, access to that Web site will be automatically denied and a block Web page will appear on the screen.

Should parents prefer to block or allow more access, making changes to filtering policies is quick and easy.

Once downloaded, an installation wizard goes step-by-step through policy settings and user accounts on the end-user’s computer. Because there is no complex installation associated with Livia, the software automatically configures the computer and Web filtering becomes active. And, since Livia is a managed solution, parents don’t have to worry about performance issues caused by a large application or a cumbersome Web site database download.

Benefits of Livia Web Protection:

  • Ease of installation - up and running in minutes, instantly protecting your home computer and family Internet access

  • Streamlined setup and deployment - using a Web-based user interface, quickly change which Web filtering policies are active and running

  • Intuitive and Easy to use – once policies are set, families can rest assured that Livia is working hard to provide the best home protection available

  • Customizable Web filtering policies - use pre-set Web filtering levels based on age group for individual family members

  • Comprehensive, accurate management of Web usage - receive the most comprehensive, accurate Web protection available using the Websense database of more than 40 million Web sites

  • Real-Time Security Updates™ – Livia uses up-to-date Web protection with Real-Time Security Updates™ from Websense and free product upgrades

  • Browsing activity reporting - create detailed reports that show sites visited, time spent online and more

We look forward to updating this blog, getting your feedback on Livia Web Protection, and hearing from our valued customers. Happy surfing!